
Auditing and Assurance Standards

PCAOB
(Public Company Accounting Oversight Board, pcaobus.org)

Standard Title Text Chapter


AS 1015 Due Professional Care in the Performance of Work Chapter 3
AS 1101 Audit Risk Chapter 3
AS 1105 Audit Evidence Chapters 5, 7, 13
AS 1201 Supervision of the Audit Engagement Chapter 14
AS 1205 Part of the Audit Performed by Other Independent Auditors Chapters 5, 15
AS 1210 Using the Work of a Specialist Chapters 5, 12
AS 1215 Audit Documentation Chapters 5, 8, 14
AS 1220 Engagement Quality Review Chapter 14
AS 1301 Communications with Audit Committees Chapters 3, 4, 14
AS 2101 Audit Planning Chapter 3
AS 2105 Consideration of Materiality in Planning and Performing an Audit Chapter 3
AS 2110 Identifying and Assessing Risks of Material Misstatement Chapters 3, 4, 5, 6, 8
AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements Chapters 1, 6, 8, 15
AS 2301 The Auditor’s Responses to the Risks of Material Misstatement Chapters 3, 9
AS 2305 Substantive Analytical Procedures Chapter 9
AS 2310 The Confirmation Process Chapters 5, 11
AS 2315 Audit Sampling Chapter 10
AS 2401 Consideration of Fraud in a Financial Statement Audit Chapters 3, 14
AS 2405 Illegal Acts by Clients Chapter 4
AS 2410 Related Parties Chapter 4
AS 2415 Consideration of an Entity’s Ability to Continue as a Going Concern Chapters 14, 15
AS 2501 Auditing Accounting Estimates Chapter 9
AS 2502 Auditing Fair Value Measurements and Disclosures Chapter 9
AS 2505 Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments Chapter 14
AS 2605 Consideration of the Internal Audit Function Chapter 5
AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors Chapter 3
AS 2801 Subsequent Events Chapter 14
AS 2805 Management Representations Chapter 14
AS 2810 Evaluating Audit Results Chapters 9, 14
AS 2820 Evaluating Consistency of Financial Statements Chapter 15
AS 2905 Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report Chapter 15
AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion Chapters 1, 15
AS 3105 Departures from Unqualified Opinions and Other Reporting Circumstances Chapter 15
Ethics and Independence Rules:
3501 Definition of Terms Employed in Section 3, Part 5 of the Rules Chapter 2
3502 Responsibility to Not Knowingly or Recklessly Contribute to Violations Chapter 2
3520 Auditor Independence Chapter 2
3521 Contingent Fees Chapter 2
3522 Tax Transactions Chapter 2
3523 Tax Services for Persons in Financial Reporting Oversight Roles Chapter 2
3524 Audit Committee Pre-approval of Certain Tax Services Chapter 2
3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting Chapter 2
3526 Communication with Audit Committees Concerning Independence Chapter 2
Auditing Standards Board
(AICPA, American Institute of Certified Public Accountants, aicpa.org)

Standard Title Text Chapter


AICPA Audit Guide: Audit Sampling Chapter 10
AICPA Code of Professional Conduct Chapter 2
AICPA Guide to Audit Data Analytics Chapter 7
AU-C 200 Overall Objectives of the Independent Auditor and Conduct of an Audit in Accordance with Generally Accepted Auditing Standards Chapters 1, 3
AU-C 210 Terms of Engagement Chapter 3
AU-C 220 Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards Chapter 14
AU-C 230 Audit Documentation Chapters 5, 7, 8, 14
AU-C 240 Consideration of Fraud in a Financial Statement Audit Chapters 3, 9, 14
AU-C 250 Consideration of Laws and Regulations in an Audit of Financial Statements Chapters 4, 14
AU-C 260 The Auditor’s Communication with Those Charged with Governance Chapters 4, 14
AU-C 265 Communicating Internal Control Related Matters Identified in an Audit Chapters 6, 8
AU-C 300 Planning an Audit Chapter 3
AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Chapters 3, 4, 5, 6, 7, 8, 9
AU-C 320 Materiality in Planning and Performing an Audit Chapter 3
AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained Chapters 3, 9
AU-C 450 Evaluation of Misstatements Identified During the Audit Chapters 9, 14
AU-C 500 Audit Evidence Chapters 5, 7, 13
AU-C 501 Audit Evidence—Specific Considerations for Selected Items Chapters 13, 14
AU-C 505 External Confirmations Chapters 5, 11
AU-C 510 Opening Balances—Initial Audit Engagements, Including Reaudit Engagements Chapter 9
AU-C 520 Analytical Procedures Chapters 9, 14
AU-C 530 Audit Sampling Chapter 10
AU-C 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Chapter 9
AU-C 550 Related Parties Chapter 4
AU-C 560 Subsequent Events and Subsequently Discovered Facts Chapters 14, 15
AU-C 570 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern Chapters 14, 15
AU-C 580 Written Representations Chapter 14
AU-C 600 Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) Chapters 5, 15
AU-C 610 Using the Work of Internal Auditors Chapter 5
AU-C 620 Using the Work of an Auditor’s Specialist Chapters 5, 12
AU-C 700 Forming an Opinion and Reporting on Financial Statements Chapters 1, 15
AU-C 705 Modifications to the Opinion in the Independent Auditor’s Reports Chapter 15
AU-C 706 Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report Chapter 15
AU-C 708 Consistency of Financial Statements Chapter 15
AU-C 940 An Audit of Internal Control That Is Integrated with an Audit of Financial Statements Chapter 15
QC 10 A Firm’s System of Quality Control Chapter 3
Auditing
A Practical Approach with Data Analytics

First Edition

Raymond N. Johnson PhD, CPA


Portland State University
Portland, Oregon

Laura D. Wiley PhD, CPA


Louisiana State University
Baton Rouge, Louisiana

Adapted from Robyn Moroney, Fiona Campbell,
and Jane Hamilton, Auditing: A Practical Approach,
Third Edition (Wiley, 2016)
Director and Vice President: Michael McDonald
Senior Acquisitions Editor: Emily Marcoux
Instructional Design Lead: Ed Brislin
Senior Product Designer: Matt Origoni
Marketing Manager: Jenny Geiler
Editorial Supervisor: Terry Ann Tatro
Editorial Assistant: Kirsten Loose
Senior Content Manager: Dorothy Sinclair
Senior Production Editor: Valerie Vargas
Senior Designer: Wendy Lai
Cover Image: © nikkytok/Shutterstock

This book was set in Source Sans Pro by Aptara®, Inc. and printed and bound by Quad Graphics/Versailles. The cover was printed by Quad Graphics/Versailles.

Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding
for more than 200 years, helping people around the world meet their needs and fulfill their
aspirations. Our company is built on a foundation of principles that include responsibility to the
communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship
Initiative, a global effort to address the environmental, social, economic, and ethical challenges we
face in our business. Among the issues we are addressing are carbon impact, paper specifications
and procurement, ethical conduct within our business and among our vendors, and community and
charitable support. For more information, please visit our website: www.wiley.com/go/citizenship.

Copyright © 2019 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of
the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com.
Requests to the Publisher for permission should be addressed to the Permissions Department, John
Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax (201)748-6008,
website http://www.wiley.com/go/permissions.

ISBN-13: 978-1-119-40181-0

The inside back cover will contain printing identification and country of origin if omitted from this
page. In addition, if the ISBN on the back cover differs from the ISBN on this page, the one on the
back cover is correct.

Printed in America.

Brief Contents

1 Introduction and Overview of Audit and Assurance
2 Professionalism and Professional Responsibilities
3 Risk Assessment Part I: Audit Risk and Audit Strategy
4 Risk Assessment Part II: Understanding the Client
5 Audit Evidence
6 Gaining an Understanding of the Client’s System of Internal Control
7 Audit Data Analytics
8 Risk Response: Performing Tests of Controls
9 Risk Response: Performing Substantive Procedures
10 Risk Response: Evaluating Audit Data Analytics and Audit Sampling for Substantive Tests
11 Auditing the Revenue Process
12 Auditing the Purchasing and Payroll Processes
13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)
14 Completing the Audit
15 Reporting on the Audit
Appendix A Cloud 9 Inc. Audit
Glossary
Index

From the Authors
Auditing is about earning the public trust. Auditors serve that public trust by being independent
of the companies they audit—in mental attitude and in fact. You will find that auditing
is about developing an inquisitive mind and mastering decision-making; you must master an
audit logic (the audit risk model) and develop audit strategies. To help you develop both skills,
we have taken a very practical approach in this text, as follows:

•  Provided a variety of audit reasoning examples, which demonstrate the practical application of auditing skills and concepts through brief real-world scenarios, in each chapter.
•  Included an audit decision-making example at the end of each chapter. Each example illustrates a process of identifying the issue, gathering information and evidence, analyzing and evaluating information and evidence, and drawing conclusions.
•  Added professional environment examples that illustrate issues that auditors deal with on a day-to-day basis.
•  Written the text in a conversational writing style that you should enjoy.

Auditing is about developing an inquisitive mind and mastering decision-making. To help you develop both skills, we have taken a very practical approach in this text, as well as incorporated audit data analytics (ADA) to help you embrace an increasing variety of fascinating technologies being used by auditors.

In addition, you must also embrace an increasing variety of fascinating technologies being
used by auditors. To help you do this, we have:

•  Included a separate chapter on audit data analytics, including an overview of the most popular audit data analytics (ADA) software applications currently used.
•  Integrated the use of audit data analytics into many chapters.
•  Offered IDEA-based cases available in WileyPLUS.

The accounting and auditing skills you build in this course will serve you for the rest of your
life as you develop an independence of thought and action. Your journey of developing a
questioning mindset, developing an investigative intuitiveness, and learning how to recognize
accounting issues that do not pass the “smell test” will open many opportunities. If you keep
asking questions, continue to explore the application of new technologies, and stay true to the
importance of integrity and independent thought and actions that will earn the public trust,
you should have a rich and rewarding career.

We are excited and honored to lead you on this “auditing” journey. We hope you dive into the
material and explore the resources provided in this text and WileyPLUS. Above all else, we
wish you great success!

Raymond N. Johnson, PhD, CPA


Laura D. Wiley, PhD, CPA

About the Authors

©The National Association of State Boards of Accountancy
©Aaron Hogan, Eye Wander Photo

Raymond N. Johnson

Raymond N. Johnson, PhD, CPA, has taught auditing concepts and practices, financial statement analysis, and a case course focused on developing students’ critical thinking skills at Portland State University for 35 years. He was the first recipient of Harry C. Visse Excellence in Teaching Fellowship and is currently a professor emeritus from Portland State University. He has also taught auditing and accounting at Bond University, The University of Queensland, the Australian National University, and Southampton University. Dr. Johnson is Chair of the International Accounting Education Standards Board’s Consultative Advisory Group. Previously, he served on the NASBA board of directors for seven years, and he previously chaired NASBA’s Education Committee and the NASBA Ethics Committee. He also served on an AACSB Task Force that was responsible for the most recent update to AACSB Accounting Accreditation rules. Dr. Johnson served a three-year term on the AICPA Professional Ethics Executive Committee which sets ethical standards for CPAs in the United States. He is a former member of NASBA’s Standard Setting Advisory Committee and served for seven years on the NASBA/AICPA International Qualifications Appraisal Board. Previously, Dr. Johnson served on the Oregon Board of Accountancy for seven years and was Chair of the Board for two years. Dr. Johnson is a past president of the Oregon Society of CPAs. He has previously served as staff to the U.S. Auditing Standards Board, and he has written numerous academic and professional articles.

Laura D. Wiley

Laura Wiley, PhD, CPA, is the Assistant Department Chair and senior instructor in the Department of Accounting at the E. J. Ourso College of Business, Louisiana State University (LSU). She came to LSU in 1996 and teaches financial accounting and auditing courses. She also leads a study-abroad excursion in the Master of Accountancy program, taking students on educational business trips to Central and South American countries. Dr. Wiley is active in the Society of Louisiana CPAs (LCPA) and has served as the chair of the Accounting Education Issues committee since 2014. She received the LCPA’s Distinguished Achievement in Education award in 2015 and the Outstanding Teacher Award from the E. J. Ourso College of Business in 1999 and 2014. Dr. Wiley has consulted with large and small companies on accounting-related matters and conducted onsite training sessions for company employees. Over her career, she has also been a presenter at numerous CPE events and published in the Journal of Accounting Education. Prior to coming to LSU, she was an auditor with PricewaterhouseCoopers in Atlanta, Georgia. She earned her bachelor’s degree in accounting from The University of Alabama, her master’s degree in accounting from LSU, and her doctorate in human resource education and workforce development from LSU. Her research interests are accounting education and financial literacy. She is an active licensed CPA in the state of Louisiana.

Unique Pedagogical Framework
Auditing provides key learning aids to help students master the content and prepare them for
a successful career in accounting.

Each chapter begins with a flowchart detailing exactly what section of the audit
process students are about to learn. The chart helps students see the big picture of
the audit process.

[Sample page: Chapter 7, Audit Data Analytics. Special thanks to Dr. Adrian Gepp of Bond University, Queensland, Australia, for his invaluable assistance in co-authoring this chapter.]

The Audit Process

Overview of Audit and Assurance (Chapter 1)
Professionalism and Professional Responsibilities (Chapter 2)
Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
Gaining an Understanding of the System of Internal Control (Chapter 6)
Develop Responses to Risk and an Audit Strategy
Audit Evidence (Chapter 5)
Audit Data Analytics (Chapter 7)
Performing Tests of Controls (Chapter 8)
Performing Substantive Procedures (Chapter 9)
Audit Sampling for Substantive Tests (Chapter 10)
Auditing the Revenue Process (Chapter 11)
Auditing the Purchasing and Payroll Processes (Chapter 12)
Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives have been carefully crafted to reflect the Bloom’s Taxonomy framework, as well as reinforce the practical auditing skills that students will develop.

[Sample page: Chapter 3, Risk Assessment Part I, Learning Objectives]
LO 1 Evaluate client acceptance and continuance decisions.
LO 2 Identify the different phases of an audit.
LO 3 Explain and apply the concept of materiality.
LO 4 Explain professional skepticism and apply the audit risk model.
LO 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions.
LO 6 Explain the fraud risk assessment process and analyze fraud risk.

[Sample page: Chapter 5, Audit Evidence, Learning Objectives]
LO 1 Define management assertions about classes of transactions, account balances, and presentation and disclosure.
LO 2 Discuss the characteristics of audit evidence.
LO 3 Apply the procedures for gathering audit evidence, including the use of audit data analytics.
LO 4 Evaluate when it is appropriate for auditors to use the work of others.
LO 5 Document the details of evidence gathered in working papers.

Auditing and Assurance Standards that are discussed are listed at the beginning of each chapter for quick reference. A complete overview of all standards is available at the front of the text.

[Sample pages: the Auditing and Assurance Standards lists (PCAOB and Auditing Standards Board) that open Chapters 3 and 5]

A Cloud 9 Continuing Case exercise applies concepts introduced in each chapter, concludes each chapter, and is available as an assessment question.

[Sample pages: Cloud 9 - Continuing Case excerpts from Chapter 3, Risk Assessment Part I (page 3-40) and Chapter 5, Audit Evidence (page 5-6); Chapter Preview—Audit Process in Focus]

inventory at an interim date.

Illustration 3.12 provides a diagram of the process used when developing the audit strategy
for an account or assertion. Notice that the left side of the diagram provides an overview
of the reliance on controls approach described in this section.



Detailed illustrations help students visualize complex processes and important concepts.

ILLUSTRATION 3.12 Process used when developing an audit strategy at the account or assertion level
[Flowchart. Boxes: Identify inherent risks at the account or assertion level; Determine whether an internal control(s) can mitigate the risk factor (YES/NO); Does the control(s) exist? (YES/NO); Test the control(s); Is the control(s) effective? Does it work? (YES/NO); Increase the extent of detailed substantive procedures performed at year-end; Perform less extensive detailed substantive procedures at interim. Approach labels: Reliance on Controls Approach; Substantive Approach.]

Many illustrations, such as working papers and confirmations, present documents that students will encounter in a real-world audit.

Documentation—Audit Working Papers 5-27

alternative for environmentally conscientious customers. NME operates from three locations and produces a wide range of household products that it sells to supermarkets and specialty stores.

At the front of every audit file is a copy of the client’s trial balance that supports the financial statements. The trial balance is then referenced into the appropriate lead and supporting schedules in the audit file where audit work is documented for each account in the trial balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash and cash equivalents in various banks are referenced into the C Lead; accounts receivable are referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant and equipment are referenced into the K Lead; and so on.

The first working paper example is the cash and cash equivalents lead schedule (see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts that are combined into the cash and cash equivalents account on the financial statements. The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor. In the top-left corner of the lead schedule are the client name, period-end, and currency unit (in this example, balances are rounded to the nearest thousand dollars). In the top center of the lead schedule is section identification (C). In the top-right corner, details of the working paper preparer and reviewers are documented. Next, details of the cash and cash equivalents balance are listed. For each item listed in the lead schedule, the following are noted:

• General ledger account number, per the client records.
• General ledger account name, per the client records.
• Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per the client’s trial balance (TB).
• The prior-year balance, per the prior-year audit file (PY).

ILLUSTRATION 5.8 Working paper example: Cash lead schedule

Client: New Millennium Ecoproducts | Bell & Bowerman, LLP | Prepared by: KM 1/21/2023
Period-end: 12/31/2022 | C–LEAD | Reviewed by: SO 1/22/2023
Currency unit: $000 | Reference: C-Lead | Reviewed by: MM 1/24/2023

Lead schedule:
Account no. | Account name | Pre-adjusted balance 12/31/2022 | Adjustments | Adjusted current-year balance 12/31/2022 | Prior-year balance 12/31/2021 | Variance | % Variance | Ref
10100 | Cash in Bank: Wells Fargo | $ 11,000 | $0 | $ 11,000 TB | $ 10,500 PY | $500 | 5% | C01
10200 | Cash in Bank: U.S. Bank | 134 | 0 | 134 TB | 134 PY | 0 | 0% | C02
10300 | Cash in Bank: Barclays | 126 | 0 | 126 TB | 126 PY | 0 | 0% | C03
10400 | Cash in Bank: Citigroup | 56 | 0 | 56 TB | 50 PY | 6 | 12% | C04
10500 | Short-Term Deposits | 5,796 | 0 | 5,796 TB | 5,600 PY | 196 | 4% | C05
Total Cash and Cash Equivalents | | $17,112 | $0 | $17,112 | $16,410 | $702 | 4% |

Key to audit tick marks (TM):
TB Agrees to client’s trial balance.
PY Agrees to prior-year audit file.

Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has been performed on the cash flow schedule — see A1.1.

Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of short-term deposits within cash and cash equivalents is acceptable (refer to C5).

6-4 Chapter 6 Gaining an Understanding of the Client’s System of Internal Control

The COSO Framework

The COSO framework has global acceptance and is the most commonly recognized framework for understanding and evaluating a system of internal control. It has three dimensions, as shown in Illustration 6.1. First, the COSO framework discusses the objectives of internal control. Second, the COSO framework discusses important components of internal control. Third, the COSO framework discusses how these objectives and components fit into an organizational structure.

ILLUSTRATION 6.1 The relationship among the three dimensions of internal control: objectives, components, and organizational structure
[Cube diagram. Objectives: Operations, Reporting, Compliance. Components: Control environment, Risk assessment, Control activities, Information and communication, Monitoring activities. Organizational structure: Entity, Division, Operating unit, Function.]

Objectives of Internal Control

The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control that allow organizations to focus on the differing purposes of internal control. These three objectives are:

• Operations objectives. These pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting objectives. These pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
• Compliance objectives. These pertain to adherence to laws and regulations to which the entity is subject.

(COSO, Internal Control—Integrated Framework, 2013)

These three objectives of internal control help the auditor understand why the controls are important and the problems they are designed to prevent. Without understanding the intention of management in implementing internal controls, it is harder to understand how controls prevent, or detect and correct, financial statement misstatements. Management and those charged with governance are concerned about adequately controlling the entity’s operations, its financial reporting, and its compliance with laws and regulations. The external auditor, on the other hand, is primarily concerned with the reporting objectives and the operations objectives related to safeguarding of assets.

Components of Internal Control

The second dimension of the COSO framework depicted in Illustration 6.1 identifies five integrated components of internal control:

• Control environment.
• Risk assessment.
• Control activities.

Professional Skepticism and Audit Risk 3-15

Professional Skepticism

Auditors have a responsibility to plan and perform an audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting all phases of the audit. It means that auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, professional skepticism means auditors maintain a questioning mind and thoroughly investigate all evidence presented by the client (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of the following arise during the audit:

• Audit evidence recently gathered that is contradictory to other evidence previously gathered.
• New information that brings into question the reliability of client documents or responses to auditor inquiries.
• Conditions that may provide evidence of possible fraud.
• Situations that indicate the need for additional audit procedures beyond what is required by generally accepted auditing standards.

professional skepticism: an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence

Does maintaining professional skepticism mean auditors should assume client management is being dishonest? The answer is no. Auditors should not assume management is dishonest, but at the same time, auditors should not assume management is always honest or correct. Using professional skepticism means that even if auditors believe management and those charged with governance are being honest, they should gather reliable evidence to support management’s responses to auditor inquiries and to support amounts and disclosures in the financial statements. Throughout all phases of the audit, auditors should keep these questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the risk assessment phase, it helps to ensure they are using appropriate assumptions when developing their audit strategy that will be used in the risk response phase. In the reporting phase, auditors use professional skepticism when evaluating the evidence gathered and forming an opinion that the financial statements are presented fairly.

Audit Reasoning Example
Professional Skepticism

An auditor was auditing a recreational vehicle (RV) dealership. The auditor had obtained some initial financial information from the client showing unaudited results for the end of the third quarter. Sales were up and profit margins were up, making it the best year so far for the client. Interim records showed that inventory was also up, and the client’s inventory records showed over 300 RVs on hand at the end of the third quarter. The audit senior went to talk to the audit manager about the good news and the client’s performance. The audit manager asked the senior a key question. “You did the inventory observation last year. How many RVs did the client have then?”

“I think it was about 210,” the senior replied. Then the audit manager asked, “How full was the lot last year?” The senior replied that it was “almost overflowing” the year before. The manager then said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.”

Audit Risk

Audit risk is the risk that an auditor expresses an inappropriate audit opinion when financial statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and AS 1101 Audit Risk). This means the audit report states the financial statements are presented fairly, in all material respects, when in actuality the financial statements contain a material error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an

Audit Reasoning Examples apply chapter concepts in brief real-world scenarios that students might encounter in a professional environment. They also provide real-world company examples of chapter concepts.

3-28 CHAPTER 3 Risk Assessment Part I

• Ongoing losses.
• Rapid growth.
• Poor cash flows combined with high earnings.
• Pressure to meet market expectations and profit targets.
• Planning to list on a stock exchange.
• Planning to raise debt or renegotiate a loan.
• The client being about to enter into a significant new contract.
• A significant proportion of remuneration tied to earnings (that is, bonuses or stock options).

Audit Reasoning Example
Fraud at Toshiba: Part I

You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered in Tokyo that makes consumer electronics, household electronics, office equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profit targets. The home electronics and appliances division was showing losses and the memory chip division was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an example, in September 2012, the head of the digital products and service division was told by the CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about how the external auditor would learn about the incentives given to lower-level management. How might an internal auditor learn about these incentives?

Opportunities to Perpetrate a Fraud

After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportunities exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has definitely occurred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly.

Examples of opportunities that increase the risk that a fraud may have been perpetrated include:

• Accounts that rely on estimates and judgment (discussed further in Chapter 9).
• A high volume of transactions close to year-end.
• Significant adjusting entries and reversals after year-end.
• Significant related-party transactions (discussed further in Chapter 4).
• Poor corporate governance mechanisms.
• Poor system of internal control (discussed further in Chapters 6 and 8).
• A high turnover of staff with accounting or internal control responsibilities.

6 E. Pfanner and M. Fujikawa, M. “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street Journal, September 7, 2015. https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473
7 K. Nagata. “Pressure to show a profit led to Toshiba’s accounting scandal,” The Japan Times, September 18, 2015. http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profit-led-to-toshibas-accounting-scandal/#.WNJjNmQrLjA

Professional Environment boxes provide in-depth discussions of how concepts in a chapter are applied in the business world.

5-20 CHAPTER 5 Audit Evidence

Professional Environment
Working with IT Auditors

Specialist IT auditors are often used in audits of clients with complex information technology (IT) environments because the effective audit of the IT systems contributes to overall audit quality. Large audit firms usually have such specialists within the firm, but smaller audit firms could engage external IT consultants for this part of the financial statement audit. In general, reliance on an IT specialist is appropriate when the financial statement auditor complies with the conditions of AU-C 620.

If the IT expert and the financial statement auditor do not work well together, audit quality can be impaired. For this reason, researchers have investigated the factors that affect the way that financial statement auditors work with specialist IT auditors. Brazel12 reviewed this research evidence and drew the following conclusions. First, responses from financial statement auditors in the United States who were surveyed about their experiences with IT auditors indicated that they believe IT auditors’ competence levels vary in practice. Financial statement auditors also said that IT auditors appear to be overconfident in their abilities in some settings, and questioned the value provided by IT auditors to the financial statement audit.

Second, Brazel suggests the research shows that both financial statement auditors’ IT ability and experience and the IT auditor’s competence affect how these two professions interact on an audit engagement. This indicates that audit firms need to ensure that staff training and scheduling produce appropriate combinations of financial statement auditors and IT auditors on an engagement.

Finally, Brazel argues that the research findings demonstrated that auditors need to consider the implications of finding a balance between greater software-assisted audit techniques training for financial statement auditors and greater use of IT specialists for overall audit efficiency and effectiveness.

The role of IT audit specialists could grow to become even more than a support function for auditors. Some researchers suggest that in e-businesses, the external financial statement auditor’s authority will be challenged by IT audit specialists because of technological change and its impact on auditing.13 In e-businesses, economic transactions are captured, measured, and reported on a real-time basis without either internal human intervention or paper documentation.14 Auditing is likely to become more real-time and continuous to reflect the pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new environment, their role could be taken over by IT specialists.

Other developments such as reporting using XBRL (eXtensible Business Reporting Language) provide challenges for auditors as they have to adapt their techniques and approaches to audit financial information that is disaggregated and tagged. Users can extract and analyze XBRL data directly without re-entry and the tag provides additional information about the calculation and source of the data. This means auditors have to recognize that their clients are reporting financial data with different levels of information and users might have greater expectations of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case

Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows that W&S Partners has other staff (who are not part of the audit team) who can provide additional expertise. However, because he believes the accounts are so material to the audit and derivatives have become such a big issue in audits in recent years, he deems an external specialist’s opinion is also required. He has some experience of using a derivatives specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a suitable specialist.

Josh plans to investigate any possible connections between the specialist and Cloud 9 that could adversely impact the specialist’s objectivity before engaging him for this audit.

Using the Work of Internal Auditors

internal auditors: employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes

The role of the internal audit function was introduced in Chapter 1. Internal auditors are employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Not every client will have an internal audit function. For example, small and medium-sized companies, especially private companies, may not have the resources to staff an internal audit function. But if the client does have an internal audit function, what role, if any, do the internal auditors play in the financial statement audit? According to AU-C 610

12 J. F. Brazel. “How do financial statement auditors and IT auditors work together?” The CPA Journal, November, 2008, pages 38–41.
13 A. Kotb, C. Roberts, & S. Sian. “E-business Audit: Advisory Jurisdiction or Occupational Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pages 468–82.
14 Kotb et al., 2012.

Each chapter concludes with an Audit Decision-Making Example that takes students through specific steps of the audit process while offering solutions to issues presented throughout the example.

3-32 CHAPTER 3 Risk Assessment Part I

Audit Decision-Making Example

Background Information
You have been assigned to the audit of inventory for a private company that owns and operates a chain of retail jewelers. The company’s sales revenue has grown by 300% in the last two years, primarily by acquisitions. Seventy-eight percent of the value of the company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s inventory system. As a result, the company is currently operating with three different inventory-control systems. The core inventory system being used by retail stores represents 65% of sales. Sixty percent of inventory was tested in the prior year and controls over the existence of inventory were effective.

The CFO’s top priority is to put all retail operations under this one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected gross margins at some of the acquired stores, and he expects that better inventory control will improve this situation. In addition, gold prices have risen 15% in the last 12 months, and the company is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of Africa. Your responsibility is to develop an audit strategy for testing the existence of inventory.

Identify the Audit Issue
The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence
Important information includes:
• A significant portion of the inventory is high in value, small in size, and susceptible to theft.
• A good system of internal controls may not be operating effectively and uniformly.
• The weak gross margins in some stores may be evidence of inventory shrinkage or theft.
• Fraud risk may be high in some locations due to the opportunity offered by weak internal controls.
• The auditor needs to determine how internal controls affect audit strategy, and whether the auditor wants one audit strategy for part of the inventory and another audit strategy for another part of the inventory.

Analysis and Evaluation of Alternatives
Analysis of risk:
• Inherent risk factors include valuable inventory that is subject to theft and misappropriation.
• Internal controls are not uniform. Based on prior year’s evidence and a preliminary understanding of the system in the current year, strong internal controls appear to operate over only 60% of the inventory.
• It may be more efficient to physically inspect inventory as of one date and use one audit strategy for all inventory testing.
• Fraud risk is considered to be high at locations where inventory controls are not strong.

Conclusions Regarding Audit Strategy for the Existence of Inventory
• Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation.
• Control risk is set at high, as 40% of inventory may not have sufficient internal controls.
• Fraud risk is considered high due to the opportunity offered by weak internal controls.
• This results in setting detection risk at low.
• Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.
CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.
Engaging Students with WileyPLUS
Auditing is completely integrated with WileyPLUS, featuring a suite of teaching and learning
resources developed under the close review of the authors. Driven by the same basic beliefs
as the text, WileyPLUS allows students to practice their understanding of concepts and access
the content and resources needed to master the material. Features of the WileyPLUS course
include the following:

Student Practice
Each chapter includes practice questions
for each learning objective that students
can review to assess their understanding
of chapter topics.

Tableau Homework
Assignments
Tableau visualizations accompanied by questions are available
with most chapters. Tableau visualizations allow students to
interpret visualizations and think critically about data.

IDEA Cases
Select chapters include IDEA cases that allow students
to use IDEA software to analyze data. An IDEA
casebook and accompanying data sets, provided by
Audimation Data Analytic Software and Services, are
also available.

Real-World Videos
Bloomberg videos accompany each chapter,
providing students with relevant examples of
auditing practices in the professional world.


Relevant Accounting
Articles
Up-to-date accounting articles are posted
to the Wiley accounting update site,
www.wileyaccountingupdates.com.
Many of these news updates direct
students to news-related videos and
articles that address auditing-related
topics.

Adaptive Practice
Adaptive practice is a tool students can use to
understand the essentials of auditing. Students
can answer a multiple-choice question and,
based on their response, the adaptive practice
software will recommend another question
to help students assess their understanding
of a topic. Detailed reports also help students
identify where they need to focus their studies.
There are hundreds of adaptive questions for
students to answer in the Auditing course.
Preparing for the CPA Exam
For each chapter in the WileyPLUS course, students can access CPAexcel videos, CPA Exam
Practice Questions in the Prometric™ Testing Interface, and Task-Based Simulations (TBSs),
which are the primary form of assessment used by the American Institute of Certified Public
Accountants (AICPA). These resources:

1. Reinforce understanding of course topics.
2. Demonstrate relevance to show students how the auditing content they are learning will be
assessed on the CPA exam.
3. Build student confidence with early exposure to CPA exam questions.

CPA Exam Practice Questions in the Prometric™ Testing Interface
Wiley partners with CPAexcel to provide pre-created
CPA exam practice questions for each chapter that
recreate the environment students will encounter on
the CPA exam.

Task-Based Simulation in the Prometric™ Testing Interface
CPA simulations recreate the simulation environment
students will see on the CPA exam.
Similar to the CPAexcel multiple-choice homework
questions, instructors can assign a simulation
as a gradable assignment.

CPA Exam Video Lessons
Each chapter includes CPA exam text discussions
and videos that provide students with
insight into auditing topics commonly addressed
on the CPA exams.

CPA Exam Assignment


Each chapter includes one pre-created CPA
exam assignment that allows instructors to
assign multiple-choice questions adapted
from prior CPA exams. Student performance
is tied to the WileyPLUS gradebook.

Student Assessment
Each chapter of Auditing in WileyPLUS has over 300 assessment questions that can help keep
your students engaged and on track.

End-of-Chapter Assessment
Questions and Problems
Each Auditing text chapter concludes with over 40 gradable assessment questions and problems
you can use to gauge students’ understanding and ability to apply auditing concepts, as follows:

•  Multiple-Choice Questions—Available to quickly and effectively test students’
understanding of the chapter material.
•  Short Answer Questions—Open-ended questions that require students to begin
thinking critically about the auditing process.
•  Analysis Problems—Designed after scenarios students might encounter as auditors in
the business world, analysis problems assess how well students understand specific topics
in a chapter.

Cases
Because no two audits are alike, Auditing uses a practical, case-based approach to help
students develop professional judgment, think critically about the auditing process, and develop
the decision-making skills necessary to perform a real-world audit. The best way for a student
to learn auditing is to actually do auditing. To help provide real-world application, we have
developed the following cases:

•  Audit Decision Cases—Three cases run through most of the text chapters and provide
a broad review of the audit process (King Companies, Inc., Mobile Security, Inc., and
Brookwood Pines Hospital). In addition, chapter-specific cases help you assess students’
understanding of topics that are the focus of a particular chapter.
•  Cloud 9 Continuing Case—Requires students to apply chapter concepts to the ongoing
Cloud 9 case that is highlighted in the chapter.

To help you more easily identify what questions you want to assign, questions are tagged
with learning objectives, professional AICPA and AACSB outcome standards, Bloom’s
Taxonomy, level-of-difficulty, and a recommended time of completion. You can track student
performance in the WileyPLUS gradebook.

Test Bank
Each chapter of the test bank has between 130–175 questions that you can assign to students
in an exam or as graded practice. Question types include true/false, multiple-choice,
fill-in-the-blank, and short answer questions. To help you more easily identify what questions you
want to assign, questions are tagged with learning objectives, professional AICPA and AACSB
outcome standards, Bloom’s Taxonomy, level-of-difficulty, and a recommended time of
completion. You can track student performance in the WileyPLUS gradebook.

Acknowledgments
Auditing has benefited tremendously from the input of students who have used this text’s
material in class, manuscript reviewers, and those who have supported the writing. We are very
appreciative of all the suggestions and comments received. The thoughts, ideas, and
recommendations of reviewers, editorial staff, and ancillary authors are deeply appreciated.

Anne Albrecht (Texas Christian University); Walied Keshk (California State University—Fullerton); Dwayne Powell (Arkansas State University)
Matthew Anderson (Michigan State University); Katherine Kinkela (Iona College); Matthew Reidenbach (Pace University—New York)
Marie Blouin (Ithaca College); Milton Krivokuca (California State University—Dominguez Hills); Gary Schneider (California State University—Monterey Bay)
A. Faye Borthick (Georgia State University); Ellen L. Landgraf (Loyola University—Chicago); Dan Schrag (Baldwin Wallace University)
Billy Brewster (Texas State University); Betsy Lin (Montclair State University); Edward B. Seibert (Wesley College)
Jeffrey R. Cohen (Boston College); Cathy Liu (University of Houston—Downtown); Jamie L. Seitz (University of Southern Indiana)
Laurence DeGaetano (Montclair State University); Joe Looney (Hofstra University); Suzanne Seymoure (Saint Leo University, University Campus)
Kristina Demek (University of Central Florida); Roger Martin (University of Virginia); Philip Slater (Forsyth Technical Community College)
Lisa Derouin (Wisconsin Lutheran College); Linda McCann (Metropolitan State University); Vicki Stewart (Texas A&M University—Commerce)
Raymond Elson (Valdosta State University); Karen McDougal (Pennsylvania State University—Brandywine); Paula Thomas (Middle Tennessee State University)
Reza Espahbodi (Washburn University of Topeka); Linda McKeag (University of Dubuque); Andrea Tietjen (Caldwell College)
Magdy Farag (California Polytechnic University—Pomona); Mary Mindak (DePaul University); Patricia Timm (Northwood University—Michigan)
Dale Flesher (University of Mississippi); Paula Mooney (Savannah State University); Madeline Trimble (Illinois State University)
Scott Fulkerson (University of California—Santa Barbara); Grace Mubako (California State University—Sacramento); Richard Turpen (University of North Carolina—Asheville)
Lori Fuller (West Chester University); Christine Noel (Metropolitan State University of Denver); Lisa Victoravich (University of Denver)
Abo-El-Yazeed Habib (Minnesota State University—Manka); Connie O’Brien (Minnesota State University—Mankato); Jim Vogt (University of Colorado—Denver)
James Hansen (Weber State University); Aimee Pernsteiner (University of Wisconsin—Eau Claire); Rick Warne (University of Cincinnati)
Julia Higgs (Florida Atlantic University); Rossen Petkov (Lehman College); Amanda Warren (University of Tennessee—Knoxville)
Karen Hooks (Florida Atlantic University); Lincoln Pinto (Concordia University Chicago); Barrett Wheeler (Tulane University)
Carol Jessup (University of Illinois—Springfield); Marshall Pitman (University of Texas—San Antonio); Fengyun Wu (Manhattan College)
Bill Joyce
Bemidji State University


Ancillary Authors, Contributors, Proofreaders, and Accuracy Checkers

Sanaz Aghazadeh, Louisiana State University
LuAnn Bean, Florida Institute of Technology
Joe Brazel, North Carolina State University
Rich Brody, The University of New Mexico
Emily Cokeley, Rochester Institute of Technology
Sheila Coomes, Kansas State University
Kel-Ann Eyler, Georgia College and State University
Paul Franklin, Purdue Global
Amber Gray, Adrian College
Frederick Harmon, University of Bridgeport
Eric Johnson, University of Wyoming
Joe Johnston, Illinois State University
Brett Kawada, San Diego State University
Jason MacGregor, Baylor University
Linda McKeag, University of Dubuque
Anita Morgan, Indiana University
Byron Pike, Minnesota State University—Mankato
Sridhar Ramamoorti, University of Dayton—Ohio
Matthew Sargent, University of Texas—Arlington
Edward Seibert, Wesley College
Tim Seidel, Brigham Young University
Jamie Seitz, University of Southern Indiana
Margaret B. Shackell-Dowell, Ithaca College
Philip J. Slater, Forsyth Technical Community College
Vicki Stewart, Texas A & M University—Commerce
Jaclyn Strauss, Purdue Global
Floran Syler, Azusa Pacific University
Andrea Tietjen, Caldwell College
Jim Vogt, San Diego State University
Rick Warne, University of Cincinnati
Gail E. Wright
Ally Zimmerman, Northern Illinois University

We also want to thank several individuals for their help in moving this text from concept to
publication. This work would not have come to fruition without the extensive support and
guidance of Emily Marcoux, Michael McDonald, Joel Hollenbeck, Ed Brislin, Matt Origoni,
Valerie Vargas, Sandra Rigby, Kirsten Loose, Terry Ann Tatro, Nicola Smith, and Jackie Henry
at Aptara.

We appreciate suggestions and comments from users—instructors and students alike. Please
send us your thoughts and ideas about the text.

Raymond Johnson
Portland, Oregon

Laura Wiley
Baton Rouge, Louisiana

Table of Contents

1 Introduction and Overview of Audit and Assurance
Assurance, Attestation, and Audit Services
Different Assurance Services
Financial Statement Audits
Compliance Audits
Operational (Performance) Audits
Internal Audits
Demand for Audit and Assurance Services
Financial Statement Users
Sources of Demand for Audit and Assurance Services
Preparers and Auditors
Preparer Responsibility
Auditor Responsibility
Assurance Providers
The Role of Regulators and Regulations
Securities and Exchange Commission (SEC)
Public Company Accounting Oversight Board (PCAOB)
American Institute of Certified Public Accountants (AICPA)
Financial Accounting Standards Board (FASB)
Committee on Sponsoring Organizations of the Treadway Commission (COSO)
National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy
Audit Report on Financial Statements
Reasonable Assurance and the Financial Statements
Materiality and the Financial Statements
The Auditor’s Report on Financial Statements
Audit Report on Internal Controls over Financial Reporting
Reasonable Assurance and Internal Controls
The Auditor’s Report on Internal Control over Financial Reporting
The Audit Expectation Gap

2 Professionalism and Professional Responsibilities
Professionalism and Accounting
The Structure of the AICPA Code of Professional Conduct
Conceptual Framework for Members in Public Practice
Integrity and Objectivity
Independence
Key Individuals and Independence Requirements
Employment or Association with an Attest Client
Nonattest Services
SEC and PCAOB Independence Rules
General Standards
Other Rules of Conduct for Members in Public Practice
Accounting Principles Rule
Fees and Other Types of Remuneration
Confidential Information
Auditor Liability Under Common Law
Liability to Clients
Contract Law
Tort Law
Cases Illustrating Liability to Clients
Liability to Third Parties
Burden of Proof and Common Law Defenses
Auditor Liability Under Statutory Law
The Securities Act of 1933
The Securities Act of 1934
The Foreign Corrupt Practices Act of 1977
The Private Securities Litigation Reform Acts of 1995 and 1998
The Sarbanes-Oxley Act of 2002
Criminal Liability

3 Risk Assessment Part I: Audit Risk and Audit Strategy
Client Acceptance and Continuance Decisions
Phases of an Audit
Risk Assessment Phase
Risk Response Phase
Concluding and Reporting on an Audit
Materiality
Qualitative and Quantitative Materiality
Setting Materiality
Professional Skepticism and Audit Risk
Professional Skepticism
Audit Risk
The Audit Risk Model and Its Components
Audit Strategy
Reliance on Controls Approach
Substantive Approach
Fraud Risk
Incentives and Pressures to Commit a Fraud
Opportunities to Perpetrate a Fraud
Attitudes and Rationalization to Justify a Fraud
Fraud Risk Assessment Process

4 Risk Assessment Part II: Understanding the Client
Understanding the Client
Gain an Understanding of the Entity
Gain an Understanding of the Industry and Business Environment
Compliance with Laws and Regulations
Client Approaches to Measuring Performance
Profitability
Liquidity, Solvency, and Cash Flow
Analytical Procedures
Comparisons
Trend Analysis
Common-Size Analysis
Ratio Analysis
Audit Data Analytics
Factors to Consider When Conducting Analytical Procedures
Related Parties
Corporate Governance
Internal Control and Information Technology
Closing Procedures

5 Audit Evidence
Management Assertions
Characteristics of Audit Evidence
Sufficient Audit Evidence
Appropriate Audit Evidence
Audit Risk and Sufficient Appropriate Audit Evidence
Procedures for Gathering Audit Evidence
Inspection of Documents and Assets
Observation
Inquiry
Confirmation
Recalculation
Reperformance
Analytical Procedures
Scanning
Audit Data Analytics (ADA)
Using the Work of Others
Using the Work of a Specialist
Using the Work of Internal Auditors
Using the Work of Another Auditor
Documentation—Audit Working Papers
Permanent File
Current File

6 Gaining an Understanding of the Client’s System of Internal Control
Internal Control Defined
The COSO Framework
Inherent Limitations
Entity-Level Internal Controls
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Internal Control in Small Entities
Transaction-Level Internal Controls
Example Transaction Flows—Sales Process
Example Transaction Flows—Cash Receipts
Information Technology (IT) Controls
Benefits and Risks of IT Systems
IT General Controls
IT Application Controls
IT-Dependent Manual Controls
Documenting Internal Controls
Identifying Strengths and Weaknesses in a System of Internal Controls
Management Letters

7 Audit Data Analytics
Steps in Performing Audit Data Analytics
Step 1: Plan the Audit Data Analytics
Step 2: Access and Prepare the Data for Audit Data Analytics
Step 3: Consider the Relevance and Reliability of the Data Used
Step 4: Perform the Audit Data Analytics
Step 5: Evaluate the Results and Draw Conclusions
Audit Documentation
Steps Associated with Accessing and Preparing Data for Audit Data Analytics
Is the Data Complete?
Does the Data Need to Be Cleaned?
Key Questions to Be Addressed in Evaluating the Relevance and Reliability of Data Used in Audit Data Analytics
Using Audit Data Analytics as a Risk Assessment Procedure
Understanding the Risk Analysis Decision Tree
What Do We Mean by Notable Items?
Tools for Searching for Notable Items
What to Do When ADA Identifies a Large Number of Items for Further Consideration
Applying Audit Data Analytics as a Risk Assessment Procedure
Cluster Analysis
Matching Information in Key Data Fields
Regression Analysis
Visualization
Using Audit Data Analytics as a Substantive Test
Applying Audit Data Analytics as a Substantive Test
Validating Sales Revenue and Accounts Receivable with Subsequent Cash Receipts

8 Risk Response: Performing Tests of Controls
Steps in Assessing Control Risk
Understand Entity-Level Controls
Understand the Flow of Transactions
Identify What Can Go Wrong (WCGW)
Identify Relevant Controls to Test
Determine Preliminary Audit Strategy
Perform Tests of Controls
Evaluate Evidence and Assess Control Risk
Reporting Findings
Types of Controls
Preventive and Detective Controls
Manual and Automated Controls
Procedures for Testing Controls
Inquiry
Observation
Inspection of Physical Evidence
Reperformance
Software-Based Audit Techniques
Selecting and Designing Tests of Controls
Which Controls Should Be Selected for Testing?
The Extent of Tests of Controls
Timing of Tests of Controls
Benchmarking
Selecting and Designing Tests of Controls—A Summary
Results of the Auditor’s Testing
Documenting Conclusions

9 Risk Response: Performing Substantive Procedures
Audit Risk and Substantive Procedures
Risk Response at the Financial Statement Level
Nature of Substantive Procedures
Initial Procedures
Substantive Analytical Procedures
Tests of Details
ADA and Substantive Procedures
Timing of Substantive Procedures
Extent of Substantive Procedures
Auditing Accounting Estimates
Nature of Accounting Estimates
Risk Assessment Procedures for Accounting Estimates
Risk Response Procedures for Accounting Estimates
Example of Auditing Accounting Estimates
Documenting Results of Substantive Procedures

10 Risk Response: Evaluating Audit Data Analytics and Audit Sampling for Substantive Tests
Using Audit Data Analytics versus Audit Sampling
When to Use Audit Data Analytics
When to Use Audit Sampling
Audit Sampling Defined
Sampling Risk and Nonsampling Risk
Statistical and Nonstatistical Sampling
Sampling Methods
Random Selection
Systematic Selection
Haphazard Selection
Professional Judgment in Selecting and Evaluating Sample Items
Factors That Influence the Sample Size—Substantive Testing
A Basic Framework for Audit Sampling
Step 1: Determine the Objectives of the Substantive Test
Step 2: Determine the Substantive Audit Procedures to Perform
Step 3: Determine Whether to Audit a Sample or the Entire Population
Step 4: Define the Population and Sampling Unit
Applying Probability-Proportionate-to-Size Sampling for Substantive Testing
Step 5: Choose the Audit Sampling Technique
Step 6: Determine Sample Size Using Professional Judgment
Step 7: Select a Representative Sample
Step 8: Apply Audit Procedures
Step 9: Evaluate Sample Results
Applying Nonstatistical Sampling for Substantive Testing
Step 5: Choose the Audit Sampling Technique
Step 6: Determine Sample Size Using Professional Judgment
Step 7: Select a Representative Sample
Step 8: Apply Audit Procedures
Step 9: Evaluate Sample Results
Step 10: Document Conclusions
Appendix 10A: Applying Classical Variables Sampling for Substantive Testing
Step 5: Apply Classical Variables Sampling
Step 6: Determine the Sample Size
Step 7: Select a Random Sample
Step 8: Apply Audit Procedures
Step 9: Evaluate the Sample Results
Step 10: Document Results

11 Auditing the Revenue Process
Nature of the Revenue Process
Understanding the Entity and Its Environment
Understanding the Client’s Revenue Process
Analytical Procedures
Other Considerations Regarding the Entity and Its Environment
Inherent Risks in the Revenue Process
Control Activities for Credit Sales
Example Transaction Flows—Sales Process
Identify What Can Go Wrong (WCGW) and Identify Key Controls—Credit Sales and Accounts Receivable
Control Activities for Cash Receipts
Example Transaction Flows—Cash Receipts
Identify WCGW and Identify Key Controls—Cash Receipts
Control Activities for Sales Adjustments and Revenue Process Disclosures
Granting Sales Returns and Allowances
Determining Uncollectible Accounts
Other Controls in the Revenue Process
Tests of Controls in the Revenue Process and Audit Strategy
Tests of Controls in the Revenue Process
Fraud Risk Assessment
Audit Data Analytics as a Risk Assessment Procedure
The Risk of Material Misstatement and Audit Strategy
Substantive Tests for the Revenue Process
Initial Procedures
Substantive Analytical Procedures
Audit Data Analytics as a Substantive Test
Tests of Details of Transactions
Tests of Details of Balances
Tests of Details of Presentation and Disclosure

12 Auditing the Purchasing and Payroll Processes
Nature of Purchase Transactions and Balances
Understanding the Entity and Its Environment
Understanding the Client’s Purchasing Process
Analytical Procedures
Other Considerations Regarding the Entity and Its Environment
Inherent Risks in the Purchasing Process
Control Activities for Purchases
Example Transaction Flows—Credit Purchases
Identify What Can Go Wrong (WCGW) and Identify Key Controls—Purchases and Accounts Payable
Control Activities for Cash Disbursements
Example Transaction Flows—Cash Disbursements
Identify What Can Go Wrong (WCGW) and Identify Key Controls—Cash Disbursements
Evaluated Receipt Settlement (ERS)
Initiating an ERS Transaction
Receiving Goods
Recording Payables
Electronic Payment
Internal Controls in an ERS System
Control Activities for Purchase Adjustments and Purchasing Process Disclosures
Purchase Returns and Allowances
Other Controls in the Purchasing Process
Tests of Controls in the Purchasing Process and Audit Strategy
Tests of Controls in the Purchasing Process
Fraud Risk Assessment
Audit Data Analytics as a Risk Assessment Procedure
The Risk of Material Misstatement and Audit Strategy
Substantive Procedures for the Purchasing Process
Initial Procedures
Substantive Analytical Procedures
Audit Data Analytics as a Substantive Test
Tests of Details of Transactions
Tests of Details of Balances
Tests of Details of Presentation and Disclosure
Appendix 12A: Auditing Payroll
Explain the Nature of Payroll Transactions and Balances
Understanding the Entity and Its Environment
Understanding the Client’s Payroll Process
Analytical Procedures
Other Considerations Regarding the Entity and Its Environment
Inherent Risks Related to Payroll
Control Activities for Payroll
Example Transaction Flows—Payroll
Identify What Can Go Wrong (WCGW) and Identify Key Controls—Payroll
Tests of Controls in the Payroll Process and Audit Strategy
Tests of Controls for Payroll
Fraud Risk Assessment
Audit Data Analytics Used in Fraud Risk Assessment
The Risk of Material Misstatement and Audit Strategy
Substantive Tests for the Payroll Process
Initial Procedures
Substantive Analytical Procedures
Audit Data Analytics as a Substantive Test
Tests of Details of Transactions
Tests of Details of Balances
Tests of Disclosures

13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)
Auditing Cash and Cash Equivalents
Understanding the Flow of Transactions
Understanding the Entity and Its Environment
Understanding the Results of Analytical Procedures
Assessing Inherent Risk
Assessing Control Risk and Fraud Risk
Determining an Audit Strategy
Substantive Tests of Cash Balances
Auditing Inventory on the Balance Sheet
Understanding the Flow of Transactions
Understanding the Entity and Its Environment
Understanding the Results of Analytical Procedures
Assessing Inherent Risk
Assessing Control Risk and Fraud Risk
Determining an Audit Strategy
Substantive Tests of Inventory
Auditing Property, Plant, and Equipment
Understanding the Flow of Transactions
Understanding the Entity and Its Environment
Understanding the Results of Analytical Procedures
Assessing Inherent Risk
Assessing Control Risk and Fraud Risk
Determining an Audit Strategy
Substantive Tests for Property, Plant, and Equipment
Auditing Financing Activities
Understanding the Flow of Transactions
Understanding the Entity and Its Environment
Understanding the Results of Analytical Procedures
Assessing Inherent Risk
Assessing Control Risk and Fraud Risk
Determining an Audit Strategy
Substantive Tests of Long-Term Debt
Substantive Tests of Stockholders’ Equity

14 Completing the Audit
Audit Procedures for Loss Contingencies
Subsequent Events
Engagement Wrap-Up
Final Analytical Procedures
Final Evaluation of Audit Findings
Completion of Working Paper Review
Engagement Quality Review
Completion of Documentation
Going Concern
Management Representation and Communication with Those Charged with Governance
Management Representation Letter
Communication with Those Charged with Governance

15 Reporting on the Audit
Standard Unmodified/Unqualified Audit Report
Additional Paragraph for the Standard Unmodified Report
Going Concern Paragraph
Consistency of Financial Statements
Emphasis Added at Discretion of the Auditor
Opinion Based in Part on the Report of Another Auditor
Modifying the Audit Opinion
Departure from Applicable Financial Reporting Framework
Scope Limitation
Subsequently Discovered Facts
Subsequently Discovered Facts That Become Known Before the Report Release Date
Subsequently Discovered Facts That Become Known After the Report Release Date
Reports on the Audit of ICFR
Standard Unqualified Opinion on ICFR
Modified Opinion on ICFR
Compilation and Review Engagements
Compilation of Financial Statements
Review of Financial Statements

Appendix A Cloud 9 Inc. Audit
Cloud 9 Inc. Company Background
Personnel
Financial Information
Transcript of Meeting with David Collier

Glossary

Index

Chapter 1
Introduction and Overview of Audit and Assurance

The Audit Process

[Flowchart of the audit process, showing where each chapter fits:]
Overview of Audit and Assurance (Chapter 1)
Professionalism and Professional Responsibilities (Chapter 2)
Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
Gaining an Understanding of the System of Internal Control (Chapter 6)
Develop Responses to Risk and an Audit Strategy
Audit Evidence (Chapter 5)
Audit Data Analytics (Chapter 7)
Performing Tests of Controls (Chapter 8)
Performing Substantive Procedures (Chapter 9)
Audit Sampling for Substantive Tests (Chapter 10)
Auditing the Revenue Process (Chapter 11)
Auditing the Purchasing and Payroll Processes (Chapter 12)
Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives

LO 1  Differentiate among assurance, attestation, and audit services.
LO 2  Describe the different types of assurance services.
LO 3  Explain the demand for audit and assurance services.
LO 4  Discuss the different roles of the financial statement preparer and the auditor.
LO 5  Identify the roles of different regulators and organizations that affect the audit profession.
LO 6  Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements.
LO 7  Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting.
LO 8  Discuss the audit expectation gap.

Auditing and Assurance Standards

PCAOB
Framework for Audits of Public Companies
AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion

Auditing Standards Board
Framework for Audits of Private Companies
AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards
AU-C 700  Forming an Opinion and Reporting on Financial Statements

Cloud 9 - Continuing Case


This text is designed to provide you with the opportunity to learn about auditing by using a
practical, problem-based approach. Each chapter begins with some information about an example
audit client—Cloud 9 Inc. (Cloud 9). The chapter then provides the underlying concepts and
background information needed to deal with this client’s situation and the problems facing its
auditor. As you work through the chapters, you will gradually build your knowledge of auditing
by studying how the contents of each chapter are applied to Cloud 9. The end-of-chapter
exercises and problems also provide you with the opportunity to study other aspects of
Cloud 9’s audit, in addition to applying the knowledge gained in the chapter to other practical
examples.

Cloud 9 Inc., a listed company (publicly traded) in the United States (U.S.), is looking to
expand. McLellan’s Shoes was seen as a potential target.

In 1985, Ron McLellan started McLellan’s Shoes in Seattle, Washington, manufacturing and
retailing customized basketball shoes. Ron borrowed from the bank to start the company, using
his house as security, and over the years he worked very hard to establish a profitable niche
in the highly competitive sport shoe market. Ron repaid the bank in 1999, and he vows to never
borrow again.

As the business grew, Ron’s wife and three adult children started to work with him, with
responsibility for administration, marketing and sales, production, and distribution. By the
early 2000s, Ron’s business employed 20 people full-time, most of whom work in production.
There are also several casual employees and part-time staff in the retail outlet in Seattle,
particularly during busy periods.

In February 2020, Ron received a call from Chip Masters, the senior vice president of Cloud 9.
Chip expressed an interest in buying McLellan’s Shoes. Ron wants to retire, and his children
are starting to fight among themselves about who is going to take over their father’s business.
Ron is looking for an exit strategy, but he does not want Chip to know that. He asks if Chip is
ready to talk about the price. Chip says he is, but first he needs to see the audited financial
statements for McLellan’s Shoes.

Ron asks for some time. He tells Chip that he first needs to talk to his family and will then
get back to him. When Ron puts the phone down, he immediately calls his friend from the golf
club, Ernie Black, who is a CPA. For years, Ernie has been suggesting to Ron that his business
affairs need attention. Ron is good at making deals and working hard, but he has never bothered
with sophisticated financial arrangements. He is still running his business as a sole
proprietor (not a corporation), and his wife does all the tax returns. Ron is in a panic—he
wants to sell McLellan’s Shoes, but what is he going to do about Chip’s request for audited
financial statements?

Chapter Preview: Audit Process in Focus


The purpose of this chapter is to provide an overview of assurance, attestation, and audit
services. While the focus of this text is the audit of financial statements, in this chapter we
define assurance and attest engagements and differentiate among the types of assurance
engagements. The assurance engagements explained in this chapter include financial statement
audits, compliance audits, operational (performance) audits, and internal audits. We also
discuss why there is a demand for audit and assurance services and then discuss the separate
roles of the financial statement preparer and the auditors.

Regulatory bodies and other organizations that impact the audit profession are introduced
in this chapter. Also, the audit reports issued by auditors at the completion of the audit
are discussed with the goal of explaining what is communicated in the auditor’s report. We
discuss the audit expectation gap in the last section of this chapter.

Cloud 9 - Continuing Case


Chip Masters has asked Ron McLellan for audited financial statements of McLellan’s Shoes. Ron
has never had an audit and is not sure what it involves. He has heard about tax audits, safety
audits, efficiency audits, as well as financial statement audits. Are they all the same thing?
Ernie explains to Ron that there are several services that people call “audits” that are
different from financial statement audits. However, all these services, including financial
statement audits, can be defined as assurance services.

Assurance, Attestation, and Audit Services


Learning Objective 1
Differentiate among assurance, attestation, and audit services.

The terms assurance, attestation, and auditing are sometimes used interchangeably, but they
actually represent different types of services. They are similar in that they all represent a
common process of an independent accounting firm taking information prepared by someone else
and comparing that information to an established set of criteria. At the end of the service, the
independent accounting firm provides a written report about the results of the service
performed. This process is important because it adds credibility, or integrity, to the information,
which makes it more useful for decision making. An everyday example of this process would
be needing a physical exam from a medical doctor before joining a sports team. The doctor
would be the independent professional. The doctor would conduct the physical exam and
compare your results to standards considered acceptable for someone of your age and height.
At the completion of the physical exam, the doctor would provide you with written
documentation stating that you were in good physical condition to play on the sports team. The service
provided by the doctor improves the “integrity” of your claim that you are in good condition
to participate on the team.

The relationship of assurance, attestation, and auditing services is shown in Illustration
1.1 and resembles overlapping umbrellas. We will refer to Illustration 1.1 as we discuss the
three services in more detail.
Illustration 1.1  Relationship of assurance, attestation, and auditing services

[Figure: three nested umbrellas. Assurance Services (outermost): website security, risk advisory services, data integrity. Attestation Services: review of historical financial statements, examination of financial forecast, agreed-upon procedures. Audit Services (innermost): historical financial statements, internal controls.]

Audit services are the most specific and narrow of the three services; therefore, it is the
smallest umbrella in Illustration 1.1. Two primary types of audit services are an audit of
financial statements and an audit of internal controls over financial reporting (ICFR). The
purpose of an audit of financial statements is to provide financial statement users with an
opinion by the auditor on whether the financial statements are presented fairly in accordance
with an applicable financial reporting framework. The purpose of an audit of ICFR
is to provide financial statement users with an opinion by the auditor on the design and
operating effectiveness of ICFR. These audit services enhance the degree of confidence that
intended users can place in the financial statements (AU-C 200.04). Some key concepts in
these descriptions require further explanation. The financial statements refer to historical
financial statements of either a public or private company. The auditor refers to an independent
certified public accountant, or CPA, who is qualified to perform the auditing service.
The only professional who can sign an audit report on historical financial statements and
internal controls for a public or private company is a CPA. The applicable financial reporting
framework refers to the set of standards used in preparing the historical financial statements,
such as generally accepted accounting principles (GAAP) in the United States, International
Financial Reporting Standards (IFRS), or governmental accounting standards for governmental
entities. The intended users refer to any group that will be using the financial statements
to make decisions, such as investors and creditors.

audit services  services by an independent CPA that provide financial statement users with
(1) an opinion on whether the financial statements are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework and, in some cases, (2) an opinion
on the effectiveness of ICFR, which enhance the degree of confidence that intended users can
place in the financial statements

Companies produce financial information that goes beyond historical financial statements.
Examples include financial forecasts and detailed schedules for specific accounts.
When CPAs are hired to report on the integrity of this type of financial information, it is
called an attestation service. Attestation services are performed when an independent practitioner,
or CPA, is engaged to issue a report on subject matter that is the responsibility of another
party. As depicted in Illustration 1.1, audit services fall under the umbrella of attestation
services, but so do other services that involve a CPA reporting on other financial information.
Note the use of the term practitioner in the definition of attestation services. The term practitioner
is used rather than auditor because attestation services encompass more than just the
audit of historical financial statements and internal controls.

attestation services  services performed when an independent practitioner, or CPA, is engaged
to issue a report on subject matter that is the responsibility of another party

Another example of an attestation service is a review of historical financial statements.
Small private companies often do not want or need a service as extensive as an audit of the
financial statements in which the auditor has to express an opinion on the fair presentation
of the financial statements. In a review engagement, the practitioner expresses limited assurance
that no material modifications need to be made to the financial statements. So a review
of historical financial statements is a less extensive and, therefore, less expensive service that
can be very useful for smaller private companies. A more detailed discussion of a review is
presented in Chapter 15.
The largest umbrella in Illustration 1.1 represents assurance services. Assurance services
are independent professional services that improve the quality of information, or its
context, for decision makers. Some key concepts are included in this definition. The term
independent is common to audit, attestation, and assurance services. Independent implies
that the service is performed by someone who was not involved with the creation of the
information and who is objective in the evaluation of the information. (Chapter 2 covers
the concept of independence in more depth.) The term quality refers to the relevance and
reliability of the information. The term information refers to subject matter that can be
financial or nonfinancial, historical or prospective, standalone data or entire systems of data,
internal or external to a company. Essentially, the concept of assurance services encompasses
any service that a professional provides that involves improving the quality of information
that was prepared by someone else. Both attestation and audit services fall under the broad
term of assurance services, and therefore are depicted under the assurance umbrella in
Illustration 1.1.

assurance services  independent professional services that improve the quality of information,
or its context, for decision makers

While the audit of a company’s historical financial statements and internal controls is
the focus of this text, there are other types of audit and assurance services that warrant some
discussion. The next section provides a description of these different types of services.

Professional Environment  Becoming a CPA


Certified public accountants (CPA) are the only licensed accounting professionals in the
United States. CPA licenses are not issued at the national level but at the state level. To
become a licensed CPA, an individual must earn the three Es – Education, Exam, and Experience.1
The first step is meeting the education requirements set by a state board of accountancy,
which vary from state to state. All states require a bachelor’s degree and completion of 150
hours of total college credit to be a licensed CPA. Within the 150 hours, some states require
completion of courses in specific subject areas in accounting, business, or ethics. (See the
discussion in this chapter on National Association of State Boards of Accountancy (NASBA)
and State Boards of Accountancy.)
The second step is passing the Uniform CPA Examination, or CPA exam. The CPA exam is
accepted for CPA licensure by all states, which is why it is called the “uniform” CPA exam.
The CPA exam consists of four sections: Auditing and Attestation (AUD), Business Environment
and Concepts (BEC), Financial Accounting and Reporting (FAR), and Regulation (REG). The
testing time for each section is four hours for a total test time of 16 hours. Each part of the
exam consists of multiple-choice items and task-based simulations, and the BEC section also
contains written communication items. Exam candidates can take one part of the exam at a
time and have 18 months to pass all four parts once the first part has been successfully passed.
The final step is work experience. Work experience requirements also vary by state. In
general, states require one to two years of work experience under the supervision of a licensed
CPA. The work experience can be earned either before, during, or after sitting for the CPA
exam, but some restrictions may apply for when the experience can be earned.
A state board of accountancy will only issue a license to practice after all three Es have
been earned. The purpose of the entire licensure process is to ensure that individuals possess
the level of knowledge and the skills necessary to perform the duties of a CPA and to protect
the public interest.

Before You Go On
1.1  Who are intended users of assurance services?
1.2  What does “independent” mean in the context of assurance services?
1.3  What is an example of an “applicable financial reporting framework”?

1 American Institute of Certified Public Accountants, The Uniform CPA Examination: Purpose and Structure
(2018), www.aicpa.org/becomeacpa/cpaexam/examoverview.

Different Assurance Services


Learning Objective 2
Describe the different types of assurance services.

In this section, we provide an overview of the most common types of assurance services that
a practitioner can provide. We will discuss financial statement audits, compliance audits,
operational (performance) audits, and internal audits.

Financial Statement Audits


As stated earlier, the purpose of an audit of financial statements is to provide financial statement
users with an opinion by the audit firm on whether the financial statements are presented fairly
in accordance with an applicable financial reporting framework, which enhances the degree of
confidence that intended users can place in the financial statements (AU-C 200.04). Within a
U.S. context, the applicable financial reporting framework is typically GAAP. Public companies,
or issuers, in the United States are required by the federal government to have an annual financial
statement audit. Private companies, or non-issuers, are not required by the U.S. government
to have an annual financial statement audit, but often other interested users request that a private
company provide audited financial statements. A good example would be a lender (bank or
other financial institution) requesting audited financial statements when considering whether
to lend money to the private company. Audited financial statements add a degree of confidence
that helps the lender make an informed lending decision.

Cloud 9 - Continuing Case


Ron is not running a corporation. He operates his customized basketball shoe business as a
sole proprietor. He is aware that big corporations have to be audited. However, because his
business is not a publicly traded company, Ron does not believe that he has to have an audit.
Ernie agrees that Ron does not have to follow the same rules, but he also tells him that there
are auditing standards in place that apply to a company like his. This means that although all
the attention is usually on corporations, sole proprietors can, and may be required to, have
their financial statements audited, too.

Certain public companies in the United States are also required to have an audit of ICFR. The
objective in an audit of ICFR is to express an opinion on the effectiveness of the company’s system
of internal controls over financial reporting (AS 2201.03). The reason for requiring an audit
of internal controls is because effective internal control provides reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external
purposes (AS 2201.02). Therefore, public companies are required to have two audits every year,
one on the financial statements and one on the effectiveness of the company’s internal controls.
For efficiency purposes, these two audits are performed at the same time. This is referred to as
an integrated audit. The objectives of the audits are not identical, however, and the auditor
must plan and perform the work to achieve the objectives of each audit (AS 2201.06). Private
companies are not required by the government to have an audit of ICFR. As mentioned above,
other interested users, such as a lender, may require a private company to have an audit of ICFR
along with an audit of the financial statements as a condition for being approved for a loan.

integrated audit  an audit that combines the financial statement audit with an audit of the
effectiveness of ICFR

Limitations of an Audit
A financial statement audit is conducted to enhance the reliability and credibility of the
information included in the financial statements. It is not a guarantee that the financial
statements are free from error or fraud. The limitations of an audit are caused by (1) the nature
of financial reporting, (2) the nature of audit procedures, and (3) the need for the audit to be
conducted within a reasonable period of time at a reasonable cost (AU-C 200.A49).
The nature of financial reporting refers to the use of judgment when preparing financial
statements due to the subjectivity required when arriving at accounting estimates. Judgment
is also required when selecting and applying accounting methods. For example, depreciating
a piece of equipment is an estimate that requires judgment in selecting a depreciation method
and determining a useful life and salvage value.
The nature of audit procedures refers to the reliance on evidence provided by the client
and its management. For example, what if client management withholds or hides important
documents from the auditors? If auditors are unaware of this situation, they may arrive at an
inappropriate conclusion based on incomplete facts. Evidence may be withheld or modified
by perpetrators of fraud. It can be difficult for an auditor to determine whether a fraud has
occurred because documents altered by those committing the fraud generally hide evidence.
Also, auditors often use sampling techniques when testing some transactions and account
balances. If a sample is not representative of all items available for testing, an auditor may
arrive at an incorrect conclusion.
The nature of audit procedures also refers to the concept of materiality. The Financial
Accounting Standards Board (FASB) defines materiality as follows:

Information is material if omitting it or misstating it could influence decisions that
users make on the basis of the financial information of a specific reporting entity.
(SFAC No. 8, para QC11)

materiality  the ability of information to influence decisions that users make on the basis of the
financial information of a specific reporting entity

In other words, an error or misstatement in the financial statements is considered material
if it impacts, or changes, the decision-making process of those individuals or groups who
are using the financial statements. Therefore, when planning an audit, auditors select audit
procedures that are designed to discover material misstatements. Because of time and cost
constraints, it would be impractical for an audit to focus on finding all misstatements.
The timeliness and cost of a financial statement audit refer to the pressures auditors face
to complete their audit within a certain time frame at a reasonable cost. While it is important
that auditors do not omit procedures in an effort to meet time and cost constraints, they may
be under some pressure to do so. This pressure will come from clients wanting to issue their
financial statements by a certain date, from clients refusing to pay additional fees for additional
audit effort, and from within the accounting firm where there are pressures to complete all
audits on a timely basis to avoid incurring costs that may not be recovered. By taking the time
to plan the audit properly, auditors can ensure that adequate time is spent where the risks of
a material error or fraud are greatest.

Compliance Audits
A compliance audit involves gathering evidence to determine whether the person or entity
under review has followed the rules, policies, procedures, laws, and regulations with which
they must conform. One of the best examples of a compliance audit is an income tax audit.
The Internal Revenue Service (IRS) may conduct an audit of an individual or a company to
determine if tax laws have been followed and the correct amount of tax paid.

compliance audit  an audit to determine whether the entity has conformed with regulations,
rules, or processes

Operational (Performance) Audits


Operational (performance) audits are concerned with the economy, efficiency, and effectiveness
of an organization’s activities. Economy refers to the cost of inputs, including wages
and materials. Efficiency refers to the relationship between inputs and outputs, or the use
of the minimum amount of inputs to achieve a given output. Finally, effectiveness refers to
the achievement of certain goals or the production of a certain level of outputs. From an
organization’s perspective, it is important to perform well across all three dimensions and not
allow one to dominate. For example, if buying cheap inputs results in an inefficient production
process, efficiency is sacrificed to achieve economic goals. Operational audits are generally
conducted by an organization’s internal auditors (discussed in the next section), or they
may be outsourced to an external accounting firm.

operational (performance) audit  an assessment of the economy, efficiency and effectiveness
of an organization’s operations

Internal Audits
Internal audits are conducted to provide assurance about various aspects of an organization’s
activities. The internal audit function is typically conducted by employees of the organization
being audited, but can be outsourced to an external accounting firm. The function
of an internal audit is determined by those charged with governance and management
within the organization. While the functions of internal audits vary widely from one organization
to another, they are often concerned with evaluating and improving risk management,
internal control procedures, and elements of the governance process. The internal
auditors often conduct operational audits, compliance audits, internal control assessments,
and reviews. Many internal auditors are members of the Institute of Internal Auditors (IIA).
The IIA is an international organization with more than 120,000 members that provides guidance
and standards to aid internal auditors in their work. When conducting the financial
statement audit, the external auditor may rely on the work done by internal auditors when
evaluating the evidence needed to form an opinion on the financial statements or on ICFR.
A more detailed discussion of how internal auditors may assist with the audit is provided in
Chapter 5.

internal audit  a function within an entity which generally evaluates and improves risk
management, internal control procedures and elements of the governance process

those charged with governance  persons with responsibility for overseeing the strategic direction
of the entity and the obligations related to the accountability of the entity

Cloud 9 - Continuing Case


Ron is not concerned about internal audits—his business is too small for a separate internal
audit function. He is also not worried about compliance and operational audits. His priority
at the moment is to close the deal with Chip Masters, and he still does not know what he will
do about the financial statement audit.

Before You Go On
2.1  What is the objective of a financial statement audit?
2.2  Explain the inherent limitations of a financial statement audit.
2.3  What are the three elements of an operational audit?
2.4  What are the most common functions of the internal auditors?

Demand for Audit and Assurance Services


Learning Objective 3
Explain the demand for audit and assurance services.

In this section, we provide an overview of the primary financial statement users followed by a
description of why these users may demand an audit of the financial statements.

Cloud 9 - Continuing Case


Ron believes that his business has good, reliable financial records. Ron’s wife helps him keep
tight control of the cash and other assets, and together they prepare some simple reports on a
regular basis. Ron believes he knows exactly what is happening in the business and monitors
the business’s cash flow and profit very closely. However, he has not prepared financial
statements that comply with U.S. GAAP. Is this a problem? Ernie explains to Ron that many
businesses must apply the accounting standards, even if they are not corporations. It all
depends on whether there are individuals or groups who are using the financial statements for
decision-making purposes. Ron is a bit worried now—how does he know if he has these users?

Financial Statement Users


Financial statement users include current and potential investors, suppliers, customers, lenders,
employees, governments, and the general public. Each of these groups will read the financial
statements for a slightly different reason as described below.

Investors
Investors generally read financial statements to determine whether they should invest in the
company. They are interested in the return on their investment and are concerned that the
entity will remain a going concern (continue operating) into the foreseeable future. Investors
may also be interested in the capacity of the company to pay a dividend. Prospective investors
read financial statements to determine whether they should buy shares in the entity.

Suppliers
Suppliers may read financial statements to determine whether the company can pay for goods
or services supplied. They are also interested in whether the company is likely to remain a
going concern (is likely to continue to be a customer of the supplier) and continue to pay its
debts when they come due.

Customers
In many business-to-business transactions, customers may read financial statements to
determine whether a company they rely on is likely to remain a going concern and meet their
needs.

Lenders
Lenders may read financial statements to determine whether an entity is sufficiently
creditworthy to qualify for a loan and whether it can pay the interest and principal as they come due.

Employees
Employees may read financial statements to determine whether the entity can pay their wages
or salaries and other benefits (for example, pensions). They may also be interested in assessing
the future stability and profitability of the entity, as these affect job security.

Governments
Governments may read financial statements to determine whether the company is
complying with regulations, to evaluate if the company is paying a fair amount of taxes given
its reported earnings, and to gain a better understanding of the company’s activities. A
company in receipt of government grants often must provide a copy of its audited financial
statements when applying for a grant and when reporting on how grant funds have been
spent.

The General Public


The general public may read financial statements to determine whether they should associate
with the company (for example, as a future employee, customer, or supplier), and to gain a
better understanding of the company, what it does, and its plans for the future.

Sources of Demand for Audit and Assurance Services

Financial statement users and their needs are many and varied. There are a number of
reasons why some or all of these users would demand an audit of financial statements. These
include remoteness, complexity, competing incentives, and reliability. Each of these concepts
is explained below.

Remoteness
Most financial statement users do not have access to the company under review. This makes it
difficult to determine whether the information contained in the financial statements is a fair
presentation of the entity and its activities for the relevant period.

Complexity
Financial statements are complex, the amounts are often affected by significant estimates, and
the disclosures often require significant knowledge and experience to evaluate. Most financial
statement users do not have the accounting and legal knowledge to assess the reasonableness
of complex accounting and disclosure choices being made by the company.

Competing Incentives
Company managers have an incentive to disclose the information contained in the financial
statements in a way that presents their performance in the best possible light. Users may find
it difficult or impossible to identify when management is presenting biased information.

Reliability
Financial statement users are concerned with the reliability of the information contained in
the financial statements. Since they use that information to make decisions that have real
consequences, it is very important that users can rely on the information contained in the
financial statements.
An independent third-party review of the financial statements by a team of auditors, who
have the knowledge and expertise to assess the fairness of the information being presented by
the preparers, helps users address all these issues. Auditors have access to company records, so
they are not remote. Auditors are trained accountants and have detailed knowledge about the
complex technical accounting and disclosure issues required to evaluate the choices made by the
financial statement preparers. Independent auditors, whose work is regularly reviewed by
regulators, have little incentive to aid the company in presenting its results in the best possible light.
Auditors are concerned with verifying the information contained in the financial statements is
reliable and free from any material misstatements. The audit service plays a vital role in
maintaining the stability of the U.S. capital markets. Investors in public companies consider audited
information reliable, which facilitates the trading of stocks and other financial instruments.

Cloud 9 - Continuing Case


Ron tells Ernie that he has no remote users, such as shareholders or lenders, and his business
is not very complex. He is the owner and the manager of McLellan’s Shoes and therefore has no
competing incentives. For all these reasons, he has never felt the need to purchase an audit to
assure users of the reliability of his business’s financial information. Ernie agrees but points
out that there is now a user who is very interested in the reliability of the financial
information: Chip Masters.

Before You Go On
3.1  Who are the main users of company financial statements?
3.2  Why might financial statement users demand an audit?
3.3  Explain why auditors, or CPAs, are the appropriate professionals to conduct an audit.

Preparers and Auditors


Learning Objective 4
Discuss the different roles of the financial statement preparer and the auditor.

In this section, we explain and contrast the different responsibilities of financial statement
preparers and auditors. We provide details of the role that each group plays in ensuring the
financial statements are an accurate representation of the company. Following this discussion
is an overview of the different firms that provide assurance services.

Preparer Responsibility
As you know from your financial accounting courses, the financial statements include the
balance sheet (statement of financial position), income statement (statement of comprehensive
income), statement of cash flows, statement of changes in equity, and accompanying notes. It
is the responsibility of management, with oversight from those charged with governance
(generally the board of directors), to prepare the financial statements. Specifically, management is
responsible for the following:
1. Ensuring the information included in the financial statements is presented fairly and
complies with the applicable financial reporting framework, which in the United States
is most often GAAP.
2. Designing, implementing, and maintaining internal control relevant to the preparation
and fair presentation of the financial statements.
3. Providing the auditors with access to all records, documentation, and personnel relevant
to the preparation and fair presentation of the financial statements, and any additional
information the auditors may consider relevant to complete the audit.
The preparation of financial statements requires the use of knowledge and judgment on the
part of management. Management is responsible for making estimates for some financial
statement items (e.g., allowance for doubtful accounts or a goodwill impairment) and
selecting appropriate accounting policies within the applicable financial reporting framework,
usually GAAP (AU-C 200.A2–A3).

Auditor Responsibility
The auditor’s responsibility is to provide an opinion on whether the financial statements are
presented fairly in accordance with the applicable financial reporting framework. It is
important to emphasize the auditor is not responsible for preparing the financial statements.
Preparation of financial statements is management’s responsibility. Auditors are responsible
for the following:
1. Conducting the audit in accordance with the appropriate auditing standards. Auditing
standards provide minimum requirements and guidance for the performance of an audit. Later
in this chapter, we discuss the auditing standards that apply to financial statement audits.

2. Planning and performing the audit with professional skepticism. Professional skepticism
is an attitude adopted by auditors when conducting an audit. It means auditors remain
independent of the entity, its management, and its staff when completing the audit
work. In a practical sense, it means auditors maintain a questioning mind and thoroughly
investigate all evidence presented by their client. Auditors must seek independent evidence
to corroborate, or confirm, information provided by their client. Auditors must be
suspicious when evidence contradicts documents held by their client or inquiries made
of client personnel, including management and those charged with governance.
3. Planning and performing the audit with professional judgment. Professional judgment
relates to the application of relevant training, knowledge, and experience that auditors
use while making informed audit decisions in conducting an audit. Auditors must use
their judgment throughout the entire audit. For example, auditors must use judgment
when determining if an information source is reliable. They must also use judgment
when deciding if enough audit evidence has been gathered to support the audit opinion.
The concepts of professional skepticism and professional judgment will be addressed throughout
this text as we learn about the process used by auditors to arrive at their opinion. It is
important to note that the auditor’s opinion on the financial statements is not meant to be
a predictor of the future success of the company. Also, the opinion is not a reflection of how
effectively management is performing its role of running the company. The auditor’s opinion
is simply a report on whether the financial statements are fairly presented in accordance with
the applicable financial reporting framework (AU-C 200.A1).

professional skepticism  an attitude that includes a questioning mind, being alert to conditions
that may indicate possible misstatement due to fraud or error, and a critical assessment of
audit evidence

professional judgment  the application of relevant training, knowledge, and experience in
making informed decisions about the courses of action that are appropriate in the circumstances
of the audit engagement

Assurance Providers
Assurance services are provided by accounting and other consulting firms. The largest
accounting firms in the United States are known collectively as the “Big 4” firms: Deloitte,
Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC). These four firms
operate internationally through a network of affiliate companies, and dominate the assurance
market throughout the world.
The next tier of accounting firms is known as the mid-tier. The firms that comprise the
mid-tier have a significant presence nationally and most have international affiliations. The
mid-tier firms in the United States include, among others, Grant Thornton, BDO USA,
RSM, CBIZ/Mayer Hoffman McCann, and Crowe. These firms service medium-sized and
smaller clients.
The next tier of accounting firms are regional and local accounting firms. Regional firms
have a significant presence across multiple states in a geographical region. For example, a
regional firm might have offices located in the southeastern states of Georgia, Florida, Alabama,
and Mississippi. The regional offices could be as large as some of the national firms, with just
as many partners and professional staff. Like the national firms, the regional firms service
medium-sized and smaller clients. Local accounting firms service clients in their local areas
and range in size from a single-partner firm to several-partner firms. Local firms primarily
service small-company clients and individuals.
Many of these accounting firms provide non-assurance (or non-audit) services as well as
assurance services. Independence is not required to provide non-assurance services. These
non-assurance services include management consulting, business valuation, mergers and
acquisitions, tax, and accounting. In Chapter 2, we will discuss rules regarding what types of
non-assurance services, if any, can be provided to audit clients.
Accounting firms are not the only providers of assurance services. A number of
consulting firms provide assurance services in areas such as website security and environmental
sustainability reporting. Consulting firms employ staff with a variety of expertise including,
for example, engineers, accountants, IT professionals, scientists, and economists.

Cloud 9 - Continuing Case

Ernie stresses to Ron that any financial statements prepared for McLellan’s Shoes are Ron’s
responsibility, even if they are audited. The auditor must be skeptical about the claims made by
Ron in the financial statements. These claims include, for example, that the assets shown on the
balance sheet exist and are valued correctly, and that the balance sheet contains a complete list
of the business’s liabilities. In other words, the auditor is not just going to believe whatever Ron
tells him or her. Auditors must gather evidence about the financial statements before they can
give an audit opinion. Ernie also explains to Ron that because his business is relatively small, he
has a choice between large and small audit firms. Very large companies must choose a Big 4
auditor because often the other auditors are too small to do the work and still maintain their
independence. If a small audit firm audits a large company, it is open to the criticism that it will
not be sufficiently skeptical because it does not want to lose the fees from that client. A large
audit firm has many other clients, so the fees from any one client are a relatively small part of its
revenue. Ron likes the idea that the smaller audit firms are generally less expensive.

Before You Go On
4.1  Describe management’s responsibilities in terms of the financial statement audit.
4.2  What is professional skepticism?
4.3 What are non-audit services? Provide several examples of non-audit services provided by
accounting firms.

The Role of Regulators and Regulations


Learning Objective 5
Identify the roles of different regulators and organizations that affect the audit
profession.

In this section, we discuss the regulators and other organizations that impact the audit process
and the profession.

Securities and Exchange Commission (SEC)


The SEC is a federal government agency whose mission is to protect investors, maintain
fair and efficient markets, and facilitate capital formation (www.sec.gov). A primary task
of the SEC is to enforce and interpret securities laws. Some of the key laws that impact the
audit profession are the Securities Act of 1933, the Securities Exchange Act of 1934, and the
Sarbanes-Oxley (SOX) Act of 2002. The Securities Act of 1933 regulates the disclosure of
financial information in a company’s initial public offering of stock and requires that the
financial information be audited. The Securities Exchange Act of 1934 regulates the ongoing
trading of securities after the initial public offering and requires the annual audit of a public
company’s financial statements. The SOX Act of 2002 was passed to help restore investor
confidence after a series of corporate accounting scandals were revealed in the late 1990s and
early 2000s. The SOX Act enhanced financial disclosures for public companies and placed
more emphasis on corporate responsibility. It also created the Public Company Accounting
Oversight Board, or PCAOB, which oversees the audits of public companies.

Public Company Accounting Oversight Board (PCAOB)

The PCAOB is a non-profit corporation established through the SOX legislation in 2002.
Its mission is to oversee the audits of public companies to protect the interests of investors
(www.pcaobus.org). Prior to the creation of the PCAOB, the audit profession was self-regulated.
This means that audit professionals, through their own professional organization, created the
auditing standards to be followed in the conduct of an audit. The audit profession also created
a system of peer review for inspecting audit work to ensure auditors were following the standards,
and would take enforcement action for auditors who did not perform audits according
to the standards. The audit profession is still self-regulated with respect to the audits of private
companies, but when the PCAOB was created, it took over the regulation and standard setting
for the audits of public companies.
Standards issued by the PCAOB are called Auditing Standards (AS), which provide minimum
requirements and guidance for auditing services. When the PCAOB was created, it adopted
the audit profession’s standards in 2003 as its interim standards, providing a starting
point for the audits of public companies. Since then the PCAOB has issued its own standards
that supersede, or replace, some of the interim standards. In 2015, the PCAOB reorganized its
auditing standards using a topical structure and a single, integrated numbering system. The
current topical organization of the PCAOB standards is listed in Illustration 1.2. Throughout
the text, you will be learning some of the specific PCAOB auditing standards in the different
topical categories. The beginning of each chapter will list which PCAOB standards will be discussed
in that particular chapter. You will also see references to the PCAOB standards within
each chapter. The reference will begin with “AS” followed by the standard number, a decimal,
and then a paragraph number, such as “AS 2201.06.”

ILLUSTRATION 1.2   PCAOB Auditing Standards topical organization

General Auditing Standards (1000)
1000 General Principles and Responsibilities
1100 General Concepts
1200 General Activities
1300 Auditor Communications
Audit Procedures (2000)
2100 Audit Planning and Risk Assessment
2200 Auditing Internal Control Over Financial Reporting
2300 Audit Procedures in Response to Risks – Nature, Timing, and Extent
2400 Audit Procedures for Specific Aspects of the Audit
2500 Audit Procedures for Certain Accounts or Disclosures
2600 Special Topics
2700 Auditor’s Responsibilities Regarding Supplemental and Other Information
2800 Concluding Audit Procedures
2900 Post-Audit Matters
Auditor Reporting (3000)
3100 Reporting on Audits of Financial Statements
3300 Other Reporting Topics
Matters Relating to Filings Under Federal Securities Laws (4000)
Other Matters Associated with Audits (6000)

Source: www.pcaobus.org/standards/auditing.

Accounting firms that want to audit public companies must register with the PCAOB.
Registration involves paying fees to the board, complying with the PCAOB’s Auditing Standards,
and having their audit work inspected by the board. The PCAOB has disciplinary
authority over registered firms and can impose punishment on accounting firms that do not
adhere to standards. Punishments can include revoking a firm’s registration, imposing monetary
fines, and banning an individual within a firm from auditing public companies.

American Institute of Certified Public Accountants (AICPA)

The AICPA is a private professional membership organization of CPAs representing the accounting
profession. There are over 400,000 members in 145 countries (www.aicpa.org).
Some key activities of the AICPA include representing the profession before rule-making bodies,
acting as an advocate for the profession before legislative bodies, providing educational
materials to its members, and setting ethical standards for the profession. The AICPA is also
responsible for creating and grading the Uniform CPA Exam.
The AICPA accomplishes many of its activities through its system of committees. One of
the standing committees is the Auditing Standards Board, or ASB. Prior to the creation of the
PCAOB, the ASB was responsible for issuing auditing standards used for the audits of public
and private companies. Since 2003, the task of the ASB has been to issue audit standards
for the audits of private companies and not-for-profit organizations only. Audit standards issued
by the ASB are called Statements on Auditing Standards (SAS). In an effort to improve
the clarity of auditing standards, the ASB approved new clarity standards that were effective
for audit periods ending after December 15, 2012. The new clarity standards include a more
comprehensive set of principles underlying an audit conducted in accordance with generally
accepted auditing standards (GAAS), which are presented in Illustration 1.3. These principles
explicitly address the concepts of materiality and professional skepticism. The principles
describe the responsibilities of management, and those charged with governance of an entity,
for the financial statements. The auditor responsibilities also address the important concepts
of compliance with ethical requirements (including independence requirements) and the fact
that an auditor must use professional judgment. Take a few minutes to read the principles in
Illustration 1.3.

ILLUSTRATION 1.3   Principles underlying an audit conducted in accordance with generally accepted auditing standards (GAAS)

Purpose of an Audit

The purpose of an audit is to provide financial statement users with an opinion by the auditor on
whether the financial statements are presented fairly, in all material respects, in accordance with
the applicable financial reporting framework. An auditor’s opinion enhances the degree of confidence
that intended users can place in the financial statements.

Premise Upon Which an Audit Is Conducted


An audit in accordance with generally accepted auditing standards is conducted on the premise
that management, and where appropriate, those charged with governance, have responsibility:
a. for the preparation and fair presentation of the financial statements in accordance with the
applicable financial reporting framework; this includes the design, implementation, and
maintenance of internal control relevant to the preparation and fair presentation of financial
statements that are free from material misstatements, whether due to fraud or error.
b. to provide the auditor with:
i. all information, such as records, documentation, and other matters that are relevant to
the preparation and fair presentation of the financial statements;
ii. any additional information that the auditor may request from management, and where
appropriate, those charged with governance; and
iii. unrestricted access to those within the entity from whom the auditor determines it
necessary to obtain audit evidence.

Responsibilities of the Auditor


Auditors are responsible for having appropriate competence and capabilities to perform the audit;
complying with relevant ethical requirements; and maintaining professional skepticism and exercising
professional judgment, throughout the planning and performance of the audit.

Performing the Audit


To express an opinion, the auditor obtains reasonable assurance about whether the financial
statements as a whole are free of material misstatement, whether due to fraud or error.

To obtain reasonable assurance, which is a high, but not absolute, level of assurance, the auditor:
• plans the work and properly supervises any assistants.
• determines and applies appropriate materiality level or levels throughout the audit.
• identifies and assesses risks of material misstatement, whether due to fraud or error, based
on an understanding of the entity and its environment, including the entity’s internal control.
• obtains sufficient appropriate audit evidence about whether material misstatements exist,
through designing and implementing appropriate responses to the assessed risks.

The auditor is unable to obtain absolute assurance that the financial statements are free of
material misstatement because of inherent limitations, which arise from:

• the nature of financial reporting;
• the nature of audit procedures; and
• the need for the audit to be conducted within a reasonable period of time and so as to achieve
a balance between benefit and cost.

Reporting the Results of an Audit


Based on an evaluation of the audit evidence obtained, the auditor expresses, in the form of a
written report, an opinion in accordance with the auditor’s findings, or states that an opinion cannot
be expressed. The opinion states whether the financial statements are presented fairly, in all
material respects, in accordance with applicable financial reporting framework.

Source: AU-C Preface.

The SASs are interpretations of the principles underlying an audit conducted in accordance
with GAAS. The SASs explain the nature and extent of an auditor’s responsibility and
offer guidance to an auditor in performing the audit of a private company. Compliance with
the SASs is mandatory for AICPA members, who must justify any departures from the standards.
The SASs are numbered in the order in which they are issued by the ASB. Then the
standards are organized by topical content using the AU numbering system. (Note that the
“AU” stands for auditing standards, but these are not to be confused with the Auditing Standards
(AS) from the PCAOB.) The AU-C topical order (the “C” denotes the clarified standards)
is listed in Illustration 1.4. Throughout the text, we will be learning some of the specific ASB
auditing standards in the different topical categories. The beginning of each chapter will list
which ASB standards will be discussed in that respective chapter. You will also see references
to the ASB standards within the text. The reference will begin with “AU-C” followed by the
standard number, a decimal, and then a paragraph number, such as “AU-C 200.05.”
The ASB also issues Statements on Standards for Attestation Engagements (SSAE) and
Statements on Quality Control Standards (SQCS) for AICPA member firms. Another standing
committee of the AICPA is the Accounting and Review Services Committee. This committee
is tasked with issuing Statements on Standards for Accounting and Review Services (SSARS).
The SSARS provide guidance for services provided on historical financial statements that are
less extensive than an audit. An example that we discussed earlier is a review of historical
financial statements. A more detailed discussion of accounting and review services is provided
in Chapter 15.

ILLUSTRATION 1.4   Auditing Standards Board AU-C topical content

AU-C Section      General Topic
AU-C 200–299      General Principles and Responsibilities
AU-C 300–499      Risk Assessment and Response to Assessed Risks
AU-C 500–599      Audit Evidence
AU-C 600–699      Using the Work of Others
AU-C 700–799      Audit Conclusions and Reporting
AU-C 800–899      Special Considerations
AU-C 900–999      Special Considerations in the United States

Source: AICPA.

To help summarize the audit standard-setting environment in the United States,
Illustration 1.5 provides a diagram of the current audit standard-setting structure for the
audits of public and private companies.

ILLUSTRATION 1.5   Auditing standard setting in the United States

Audit standard setting

Private company (non-issuer): AICPA’s Auditing Standards Board (ASB)
• Statements on Standards for Attestation Engagements (SSAE)
• Statements on Auditing Standards (SAS)
• Statements on Quality Control Standards (SQCS)
• Interpretive publications from the ASB to provide guidance to CPAs and auditors

Public company (issuer): Public Company Accounting Oversight Board (PCAOB)
• Auditing Standards (AS)
• Staff audit practice alerts from the PCAOB to provide guidance to CPAs and auditors

Professional Environment  International Auditing and Assurance Standards Board (IAASB)

In 1977, 63 accountancy bodies (including the AICPA) representing 51 countries signed an
agreement creating the International Federation of Accountants (IFAC). The mission of IFAC is to
serve the public interest and strengthen the accountancy profession by supporting the development
and implementation of high-quality international standards.² Toward this end, IFAC has
established, as a standing subcommittee, the International Auditing and Assurance Standards
Board (IAASB) with the responsibility and authority to issue International Standards on Auditing
(ISA). The mission of the IAASB is to establish high-quality auditing, assurance, quality control,
and related services standards and to improve the uniformity of practice by professional
accountants throughout the world, thereby strengthening public confidence in the global auditing
profession and serving the public interest.³

Today, auditing has become a global profession. Many countries adopt IAASB standards as their
own. Other countries have auditing standards that closely resemble the IAASB standards (for
example, the SAS in the United States). Where differences exist between the international
standards and local standards, the local member body, such as the AICPA’s ASB, is expected to
give prompt consideration to such differences with a view to achieving harmonization. In recent
years, the U.S. ASB and the IAASB have worked jointly in creating auditing standards that have
global acceptance. Most of the auditing principles and practices discussed in this text are
consistent with IAASB standards.

² International Federation of Accountants website (accessed June 5, 2018), www.ifac.org.
³ International Auditing and Assurance Standards Board website (accessed June 5, 2018), www.iaasb.org.

Financial Accounting Standards Board (FASB)

The FASB is a privately funded organization whose mission is to establish financial accounting
and reporting standards for nongovernmental entities with the goal of providing information
that is useful for decision making (www.fasb.org). You are probably familiar with the FASB
from your financial accounting courses. The FASB maintains the Accounting Standards Codification
(ASC), which represents the authoritative standards of financial reporting recognized
by the SEC, the PCAOB, and the AICPA. We commonly refer to the authoritative standards
as GAAP. There are seven full-time members of the FASB who have diverse backgrounds
in accounting, finance, business, and research. Members of the FASB work closely with the
AICPA, SEC, and the PCAOB when researching and drafting financial accounting and reporting
standards.

Committee on Sponsoring Organizations of the Treadway Commission (COSO)

COSO is an independent private-sector group that focuses on providing guidance to management
and expertise in the areas of internal control, enterprise risk management, and
fraud deterrence (www.coso.org). COSO was organized in 1985 and is sponsored by the following
organizations: the American Accounting Association (AAA), the AICPA, Financial
Executives International (FEI), the Institute of Internal Auditors (IIA), and the National
Association of Accountants, which is now the Institute of Management Accountants (IMA).
The first chairman of the commission was James C. Treadway, Jr., a former commissioner
of the SEC. The group is often referred to as the “Treadway Commission.” In 1992, COSO issued
a landmark report titled Internal Control—Integrated Framework. This report provided
a comprehensive definition of internal controls and a framework that companies could use
to design their own internal control systems. In 2013, the framework went through a comprehensive
update and was reissued. This updated framework will be covered in depth in
Chapter 6.

National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy

CPAs are professionals who are licensed by state governments. Each state legislature has
established a state board of accountancy to license and regulate CPAs to protect the public
interest. Some of the functions of a state board of accountancy include:

•  Issuing CPA licenses to individuals who meet all the requirements.
•  Adopting and enforcing rules of professional conduct for CPAs.
•  Adopting and enforcing rules regarding continuing professional education requirements.
•  Investigating complaints, conducting hearings, and taking appropriate disciplinary actions,
such as suspension or revocation of the CPA license.

NASBA is a professional organization whose mission is to enhance the effectiveness and
advance the common interests of its members, which are the state boards of accountancy
(www.nasba.org). There are actually 55 jurisdictions with boards of accountancy. They include
the 50 states, the District of Columbia, the Commonwealth of the Northern Mariana
Islands, Guam, Puerto Rico, and the Virgin Islands. NASBA acts as a collective voice for the
boards of accountancy and works to promote the interests of the state boards with legislative
and regulatory bodies. NASBA also provides education and development opportunities for
its members, provides technology support, and promotes ethical behavior in the profession.
One of the services NASBA provides to state boards is that it serves as the application center
for individuals applying to sit for the CPA exam. When you are ready to apply to take the CPA
exam, you may be asked to apply through NASBA’s website.

Cloud 9 - Continuing Case

Ernie explains that, in general, the regulators and regulations that apply to publicly traded
corporations are not relevant to McLellan’s Shoes. However, any auditor Ron engages would apply
the auditing and accounting standards that are relevant to an audit engagement when auditing a
small business. Since McLellan’s Shoes is a private company, the auditors would follow the
auditing standards of the ASB when conducting the audit.

Before You Go On
5.1  What is the SEC and what is its role?
5.2 Which organization sets the standards for the audits of public companies? For the audits of
private companies?
5.3  What are the main functions of a state board of accountancy?

Audit Report on Financial Statements


Learning Objective 6
Explain the concepts of reasonable assurance, materiality, and the nature of an
unqualified/unmodified report on the audit of financial statements.

In this section, we introduce you to the independent auditor’s report, which is the “end product”
of the financial statement audit. The independent auditor’s report is used to communicate
the audit firm’s opinion about a company’s financial statements to interested users. We
will revisit the independent auditor’s report in more depth in Chapter 15, but it is helpful to
understand this report from the perspective of a financial statement reader as you begin to
learn the audit process.

Reasonable Assurance and the Financial Statements

We have explained how the responsibility of the auditor is to provide an opinion on whether the
financial statements are presented fairly in accordance with the applicable financial reporting
framework. An opinion is defined as a judgment about matters that are subjective. The preparation
of financial statements is considered somewhat subjective because management must
make some estimates and choose between different accounting methods. Therefore, the auditor
is only required to obtain reasonable assurance about whether the financial statements
as a whole are free from material misstatement, whether due to fraud or error. Reasonable
assurance is a high, but not absolute, level of assurance (AU-C 200.06). In other words, the auditor
does not “guarantee” or “certify” that the financial statements are 100% accurate because
that is considered absolute assurance, which is not possible with content that is subjective.

reasonable assurance  a high, but not absolute, level of assurance

In addition, an audit could not be completed in a reasonable amount of time if auditors
had to provide absolute assurance. For some accounts and transactions, auditors use sampling
techniques when gathering audit evidence and therefore do not examine 100% of a company’s
transactions for the period under audit. So, how do auditors know when they have gathered
enough evidence? Ultimately, that is a matter of professional judgment. Since judgment is
involved, there will always be a risk the auditors will give the wrong opinion. This is called
audit risk. Audit risk is affected by client characteristics as well as actions of the auditor. For
example, when a client implements a new accounting standard, audit risk increases because
there is increased risk for error when implementing a new process. The internal control system
of the client also impacts audit risk. If the client has strong internal controls, it is more
likely the internal controls will prevent, or detect and correct, material misstatements, which
decreases audit risk. Auditors impact audit risk by the decisions made in how to conduct the
audit. For example, using a larger sample size versus a smaller sample size, in general, will
decrease audit risk. The concept of audit risk is covered in depth in Chapter 3. We will devote
considerable attention throughout the text to the concept of audit risk and determining how
auditors make important professional judgments about collecting sufficient, appropriate evidence
to achieve reasonable assurance and support the audit opinion.

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated

Materiality and the Financial Statements


Although financial statements contain approximations, they must reflect a reasonable degree
of precision. However, accounting is not precise, or accurate, the way we might think of
Newtonian physics as being precise. If a potential misstatement of the financial statements is
significant enough to influence or make a difference in the judgment or consequential activities
of a financial statement user, it is considered material.
Materiality is a relative concept, and it differs from company to company and from year to
year for a given company. For example, a $25,000 misstatement of revenues may be material
to a company with $200,000 of net income, while a $25,000 misstatement for a company with
$5,000,000 in net income may be immaterial. In addition, qualitative characteristics influence
materiality. For example, an error in the financial statements may be a small percentage of an
account balance. This small error, however, may be considered material because it could cause
an entity to breach a loan covenant, which could result in a misclassification of current and
noncurrent debt.
Auditors design an audit to provide reasonable assurance that the financial statements
are free of material misstatement. However, auditors do not design an audit to look for immaterial
misstatements because they would not influence a financial statement user. A deeper
discussion of how auditors make materiality decisions can be found in Chapter 3.

Professional Environment  Materiality

In the audit of a very large company, the amount of misstatement that would be considered
immaterial might be quite large. Consider the audit of The Boeing Company for the year ended
December 31, 2017, when Boeing had total revenues of $93.392 billion, earnings before income
taxes of $10.047 billion, net income of $8.197 billion, and total assets of $92.333 billion at
December 31, 2017. Boeing rounds its financial statement amounts to the nearest $1 million. For
the year ended December 31, 2017, Boeing had a return on assets of 8.99%.

As an investor, would you consider a return on assets of 8.99% or 9.00% to be substantially the
same? It would take approximately a $10 million misstatement to change return on assets by
only 1/100 of 1% for Boeing for the year ended December 31, 2017. Alternatively, as an investor,
would you consider a return on assets of 8.99% or 8.89% to be substantially the same? It would
take approximately a $100 million misstatement to change return on assets by only 1/10 of 1%
for Boeing for the year ended December 31, 2017.

The Auditor’s Report on Financial Statements

When the audit firm has determined that it has gathered sufficient, appropriate evidence to form
an opinion, then it is ready to issue the audit report. Auditing standards require a standard format
of the audit report be used for all audits. In other words, all accounting firms use the same
standard format and standard wording for reporting their audit opinions. Using a standard format
makes it easier for financial statement users to navigate the audit report. There is a standard
report for the audit of public company financial statements and a standard report for the audit
of private company financial statements. The actual process of auditing the financial statements
of public and private companies is similar, but there are also some differences, which will be
discussed throughout the text. One of the key differences is the format of the audit reports.
Illustration 1.6 provides an example of an unmodified audit report on the financial
statements of McLellan’s Shoes, a private company. If auditors have determined the financial
statements are presented fairly in accordance with the applicable financial reporting framework,
they issue the standard unmodified report. Take a moment to read over the report. You
will see some of the key concepts we have already discussed in this chapter. Sections of the
report are numbered so we can further explain each component. Explanations of each numbered
component follow Illustration 1.6.

ILLUSTRATION 1.6   Example of an unmodified audit report on the financial statements of McLellan’s Shoes, a private company

[1] Independent Auditor’s Report

[2] To the owners of McLellan’s Shoes:

[3] Report on the Financial Statements
We have audited the accompanying financial statements of McLellan’s Shoes, which comprise
the balance sheets as of December 31, 2022 and 2021, and the related statements of income,
changes in equity, and cash flows for the years then ended, and the related notes to the financial
statements.

[4] Management’s Responsibility for the Financial Statements


Management is responsible for the preparation and fair presentation of these financial statements
in accordance with accounting principles generally accepted in the United States of America; this
includes the design, implementation, and maintenance of internal control relevant to the preparation
and fair presentation of financial statements that are free from material misstatement,
whether due to fraud or error.

[5] Auditor’s Responsibility


Our responsibility is to express an opinion on these financial statements based on our audits. We
conducted our audits in accordance with auditing standards generally accepted in the United
States of America. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures
in the financial statements. The procedures selected depend on the auditor’s judgment,
including the assessment of the risks of material misstatement of the financial statements,
whether due to fraud or error. In making those risk assessments, the auditor considers internal
control relevant to the entity’s preparation and fair presentation of the financial statements in
order to design audit procedures that are appropriate in the circumstances, but not for the purpose
of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly,
we express no such opinion. An audit also includes evaluating the appropriateness of accounting
policies used and the reasonableness of significant accounting estimates made by management,
as well as evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a
basis for our audit opinion.

[6] Opinion
In our opinion, the financial statements referred to above present fairly, in all material respects,
the financial position of McLellan’s Shoes as of December 31, 2022 and 2021, and the results of its
operations and its cash flows for the years then ended in accordance with accounting principles
generally accepted in the United States of America.

[7] Bell & Bowerman, LLP


Seattle, Washington

[8] February 15, 2023

Source: AU-C 700.A63 Exhibit—Illustration 1.



1. Title—The term independent is in the title of the report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion.
2. Address—The report is addressed to the owners or shareholders of the company and to the board of directors, if applicable.
3. Introductory paragraph—This paragraph explains that an audit was conducted and identifies the financial statements and the date of the financial statements.
4. Management’s responsibility paragraph—This paragraph explains that management is responsible for the preparation and fair presentation of the financial statements and for the design, implementation, and maintenance of ICFR.
5. Auditor’s responsibility paragraphs—These paragraphs explain the auditors are responsible for expressing an opinion on the financial statements, for following auditing standards, for assessing the risk of material misstatement, and for obtaining reasonable assurance about the fair presentation of the financial statements. The appropriate auditing standards would be those issued by the ASB since the company is a private company. In a private company audit, auditors state they do not evaluate internal control for the purpose of expressing an opinion on internal control. The audit firm concludes with a statement that it believes it has obtained sufficient and appropriate evidence to provide a basis for its audit opinion.
6. Opinion paragraph—This paragraph clearly states the auditor’s opinion that the financial statements are fairly presented, in all material respects, in accordance with the applicable financial reporting framework, which in this example is GAAP.
7. Signature—The firm name and location are used as the signature.
8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit.

Illustration 1.7 provides an example of an unqualified audit report on the financial statements of The Boeing Company, a public company. If auditors have determined the financial statements are presented fairly in accordance with the applicable financial reporting framework, they issue the standard unqualified report. The PCAOB standards use the term unqualified report. The term unqualified is equivalent to the term unmodified used for the private company audit report. The terms are sometimes used interchangeably.

Take a moment to look over the report in Illustration 1.7 and note some of the similarities and differences with the private company audit report. Again, you will see some of the key concepts discussed in this chapter. Sections of the report are numbered so we can further explain each component. Explanations of each numbered component follow Illustration 1.7.

ILLUSTRATION 1.7  Example of an unqualified audit report on the financial statements of The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

[2] To the shareholders and the Board of Directors of The Boeing Company

Opinion on the Financial Statements

[3] We have audited the accompanying consolidated statements of financial position of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017 and 2016, the related consolidated statements of operations, comprehensive income, equity, and cash flows, for each of the three years in the period ended December 31, 2017, and the related notes (collectively referred to as the “financial statements”). In our opinion, the financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2017 and 2016, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2017, in conformity with accounting principles generally accepted in the United States of America.

[4] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission and our report dated February 12, 2018, expressed an unqualified opinion on the Company’s internal control over financial reporting.

Basis for Opinion


[5] These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

[6] We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion.

[7] /s/ Deloitte & Touche LLP


Chicago, Illinois
[8] February 12, 2018

[9] We have served as the Company’s auditor since at least 1934; however, an earlier year cannot
be reliably determined.

1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is included to emphasize the firm is registered with the PCAOB.
2. Address—The report is addressed to the shareholders and board of directors of the company.
3. Opinion paragraph—The first sentence explains that an audit was conducted and identifies the financial statements and the dates of the financial statements. The second sentence states the auditor’s opinion. Note the opinion sentence is virtually identical to the opinion paragraph for the private company audit report.
4. Paragraph referencing the audit of internal control—This paragraph is unique to the public company audit report. Public companies are required to have an audit of ICFR and auditors issue a separate opinion for that audit, which is discussed in the next section.
5. Basis for opinion paragraph—This paragraph states the differing responsibilities of management and auditors. It is similar to the responsibility paragraphs of the report for private company audits, but the private company report goes into more detail regarding the responsibilities of management and auditors. One key difference is that this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws.
6. Scope paragraph—This paragraph explains, in brief terms, the process of conducting an audit. It mentions the concept of reasonable assurance about whether the financial statements are free of material misstatement. It includes an explicit statement that PCAOB auditing standards were followed since it is a public company. The scope paragraph also includes a brief discussion of the professional judgments made during the audit. Finally, it concludes with a statement that the audit firm believes that its audit provides a reasonable basis for its opinion.
7. Signature—The firm name and location are used as the signature.
8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit.
9. Auditor tenure—The final component of the report is a sentence that states the year in which the firm began serving consecutively as the company’s auditor.

After reviewing the standard audit reports, you may be wondering what happens if auditors conclude the financial statements are not presented fairly in accordance with the applicable financial reporting framework, or if auditors cannot gather enough evidence to form an opinion. When situations such as these occur, auditors may have to modify their opinion. Auditing standards have established three types of modified audit opinions: a qualified opinion, an adverse opinion, and a disclaimer of opinion. Illustration 1.8 provides a brief summary of situations that could cause auditors to issue a modified opinion. It is important to note that only material situations would cause auditors to modify the opinion. The discovery of immaterial errors would not prevent the issuance of an unmodified/unqualified opinion. The different types of modified reports will be covered in depth in Chapter 15, so consider Illustration 1.8 a basic introduction to the modified reports.

ILLUSTRATION 1.8  Situations that cause a modified opinion

Situation: Material departure(s) from the applicable financial reporting framework and the client refuses to make corrections
Type of modified opinion:
•  Qualified – financial statements are presented fairly, except for the uncorrected departure(s)
•  Adverse – financial statements are not presented fairly and should not be relied upon (pervasively material departures)

Situation: Material limitation on the auditor’s ability to gather sufficient appropriate evidence, referred to as a scope limitation
Type of modified opinion:
•  Qualified – financial statements are presented fairly, except for the auditor’s inability to gather evidence for a material item
•  Disclaimer of opinion – auditor was not able to gather sufficient appropriate evidence and cannot express an opinion on the financial statements (pervasively material scope limitations)

Situation: Auditor is not independent
Type of modified opinion:
•  Disclaimer of opinion – auditor is not independent and cannot express an opinion

Professional Environment  PCAOB Releases New Audit Report

Prior to 2017, the standard unqualified auditor’s report had remained substantially unchanged since the 1940s. Over the years, there had been much debate about the relevance of continuing to use the same standard report, particularly in the modern information age in which investors and other users demand better and faster information. Since 2011, the PCAOB has encouraged open discussion, comments, and feedback on various proposals for making the auditor’s report more relevant to the public. Finally, on June 1, 2017, the PCAOB adopted a new auditor reporting standard, AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. The standard was approved by the SEC on October 23, 2017. The standard includes two significant changes to the existing auditor’s report.

The first significant change is the communication of critical audit matters, or CAM, in the audit report. A CAM is any audit matter that was communicated to or required to be communicated to the audit committee. The rationale is that if a matter is being communicated to the audit committee, it must be important and should be made available to users of the financial statements. The standard states that a CAM “relates to accounts or disclosures that are material to the financial statements and involves especially challenging, subjective, or complex auditor judgement” (AS 3101.11). For each CAM that is included in the auditor’s report, the auditor must identify the CAM, describe why the auditor considered the item a CAM and how it was addressed during the audit, and refer to the relevant accounts or disclosures that relate to the CAM.

The second significant change is the inclusion of auditor tenure in the auditor’s report. After the signature of the firm at the conclusion of the report, there is a statement that says, “We have served as the Company’s auditor since [year]” (AS 3101 Appendix B). The firm includes the year in which it began serving consecutively as the company’s auditor.

The PCAOB recognizes that including CAM in the auditor’s report is a significant change. Therefore, the requirement to include CAM will go into effect for fiscal years ending on or after June 30, 2019. The other changes to the auditor’s report, including the disclosure of auditor tenure, went into effect for fiscal years ending on or after December 15, 2017.⁴ The audit report for The Boeing Company in Illustration 1.7 reflects the new audit report and includes the statement about auditor tenure.

⁴ PCAOB Release No. 2017-001, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion.

Before You Go On
6.1  Why do auditors provide reasonable assurance and not absolute assurance?
6.2 Explain the concept of materiality. How does the concept of materiality relate to reasonable
assurance?
6.3  What are the meanings of the terms unqualified and unmodified in the context of an audit of
financial statements?

Audit Report on Internal Controls over Financial Reporting

Learning Objective 7
Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting.

Next, we will discuss the audit report for the audit of ICFR. Recall from earlier in the chapter
that only certain public companies are required to have an audit on the effectiveness of ICFR.
The SEC classifies public companies into three categories based on worldwide market value
(in U.S. dollars) of outstanding voting and non-voting common equity:

1. Large accelerated filer: $700 million or more.
2. Accelerated filer: $75 million or more but less than $700 million.
3. Non-accelerated filer: less than $75 million.

Public companies categorized as non-accelerated filers are not required to have an audit of
ICFR. Therefore, when we discuss the audit of ICFR for public companies, we are referring to
public companies categorized as accelerated filers and large accelerated filers.

Reasonable Assurance and Internal Controls


Section 404 of the SOX legislation requires that management accept responsibility for the design and maintenance of internal controls. It also requires that management issue a report each year asserting whether internal controls over financial reporting were effective. Further, management’s claims about the effectiveness of ICFR must be audited by the independent external auditor. An audit of internal controls is required because effective ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes (AS 2201.02). Here again we see the phrase reasonable assurance. If internal controls are effective, then it is more likely that the financial statements will be free of material misstatements and errors. Even though internal controls may be considered effective, it does not mean they will prevent all misstatements or errors from affecting the financial statements. There is still some risk that a material error could occur in the financial statements. Even an effective system of internal controls over financial reporting will only provide reasonable assurance, not absolute assurance, that financial statements are free from material misstatement.

PCAOB Auditing Standard 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements states that auditors must conduct an integrated audit for public companies. This means auditors must plan and perform their work to achieve the objectives of both the financial statement audit and the audit of the effectiveness of ICFR simultaneously. For efficiency purposes, auditors will select audit procedures that allow them to gather evidence that is useful to both of the audits. Auditors are only required to obtain reasonable assurance about whether the company maintained effective ICFR for the period under audit. Auditors cannot provide absolute assurance about the effectiveness of internal controls for the same reasons they cannot provide absolute assurance on the fair presentation of the financial statements. The design and implementation of controls is somewhat subjective and there is not enough time for auditors to test the effectiveness of all of the entity’s internal controls. Using professional judgment, auditors select the most critical internal controls over financial reporting and test the effectiveness of those controls. This will be discussed further in Chapters 6 and 8.

The Auditor’s Report on Internal Control over Financial Reporting

When auditors have determined they have gathered sufficient, appropriate evidence to form
an opinion on the effectiveness of ICFR, then they are ready to issue the audit report. Similar
to the financial statement audit report, AS 2201 requires a standard format of the audit report
be used for all audits of effectiveness of ICFR. Illustration 1.9 provides an example of an
audit report on the effectiveness of ICFR for a public company. If auditors have determined
the company has maintained effective ICFR for the period under audit, then they issue the
standard unqualified report. Take a moment to read over the report and you will see some
similarities to the financial statement audit report for a public company.

ILLUSTRATION 1.9  Example of an unqualified audit report on the effectiveness of ICFR for The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

[2] To the Shareholders and Board of Directors of The Boeing Company

[3] Opinion on Internal Control over Financial Reporting

We have audited the internal control over financial reporting of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by COSO.

[4] We have also audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States) (PCAOB), the consolidated financial statements as of and for the
year ended December 31, 2017, of the Company and our report dated February 12, 2018, expressed
an unqualified opinion on those financial statements.

[5] Basis for Opinion


The Company’s management is responsible for maintaining effective internal control over financial
reporting and for its assessment of the effectiveness of internal control over financial reporting,
included in the accompanying Management’s Report on Internal Control Over Financial Reporting.
Our responsibility is to express an opinion on the Company’s internal control over financial reporting
based on our audit. We are a public accounting firm registered with the PCAOB and are required to
be independent with respect to the Company in accordance with the U.S. federal securities laws and
the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

[6] We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

[7] Definition and Limitations of Internal Control over Financial Reporting


A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

[8] /s/ Deloitte & Touche LLP

Chicago, Illinois
[9] February 12, 2018

The key components of the unqualified report in Illustration 1.9 are as follows:

1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is required to indicate that the firm is registered with the PCAOB.
2. Address—The report is addressed to the shareholders and board of directors of the company.
3. Opinion paragraph—The first sentence explains that an audit of ICFR was conducted and references the COSO Internal Control—Integrated Framework as the criteria used as the basis for determining if ICFR are effective. The second sentence states the auditor’s opinion.
4. Paragraph referencing the financial statement audit—This paragraph is a reference to the financial statement audit report and states the type of opinion that was given on the financial statements.
5. Basis for opinion paragraph—This paragraph states the different responsibilities of management and auditors. Like the audit report on the financial statements, this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws.
6. Scope paragraph—This paragraph explains that auditors conducted their audit in accordance with the standards of the PCAOB. In brief terms, it explains the process of conducting an audit of the effectiveness of ICFR. It mentions that auditors are only required to obtain reasonable assurance about whether the company maintained, in all material respects, effective ICFR. It concludes with a statement that the audit firm believes its audit provides a reasonable basis for its opinion.
7. Definition and inherent limitations paragraph—This paragraph provides a definition of ICFR that is taken directly from AS 2201. This is helpful for users of the financial statements in case they are not familiar with the concept of internal controls. Also note the use of reasonable assurance in the definition to clarify that an internal control system does not eliminate all risk associated with the preparation of financial statements. The final sentence cautions not to use the current-year opinion to assume that future internal controls will be effective. Circumstances may change in the future that could render controls ineffective if the controls are not modified appropriately.
8. Signature—The audit firm’s name and location are used as the signature.
9. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence for the audit. Since the audits are integrated, the date on both the financial statement audit report and the audit report on the effectiveness of ICFR will be the same.

What happens if auditors conclude the company did not maintain effective ICFR over the period under audit? That would mean the auditors discovered a material weakness in the client’s ICFR. The PCAOB defines a material weakness as follows:

A deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. (AS 2201.A7)

If one or more material weaknesses are discovered during the audit, then auditors issue an adverse opinion on the effectiveness of ICFR that explicitly states the company did not maintain effective ICFR during the period under audit. AS 2201 dictates how auditors would modify the audit report to express an adverse opinion. If auditors encounter a material limitation in the scope of their work, they may consider disclaiming an opinion. We will cover these modifications in greater detail in Chapter 15.

Before You Go On
7.1 Explain the concept of reasonable assurance as it applies to a system of internal controls and
to the audit of the effectiveness of internal controls.
7.2 What is management’s responsibility for internal controls as stated in the audit report on the
effectiveness of internal controls?
7.3 What date is used on the audit report on the effectiveness of internal controls, and what does
the date represent?

The Audit Expectation Gap


Learning Objective 8
Discuss the audit expectation gap.

The overall audit expectation gap occurs when there is a difference between the expectations of auditors and financial statement users. The gap occurs when user beliefs do not align with an auditor’s professional responsibilities. In particular, the gap is caused by unrealistic user expectations such as:

•  The auditor is providing absolute assurance.
•  The auditor is guaranteeing the future viability of the entity.
•  An unmodified audit opinion is an indicator of complete accuracy of the financial statements.
•  The auditor will definitely find any and all fraud.
•  The auditor has checked all transactions.

The reality is that:

•  An auditor provides reasonable assurance.
•  The audit does not guarantee the future viability of the entity.
•  An unmodified opinion indicates the auditor believes there are no material misstatements in the financial statements.
•  The auditor will assess the risk of fraud and conduct tests to try to uncover any fraud, but there is no guarantee the auditor will find all material fraud, should one have occurred.
•  The auditor tests a sample of transactions.

The overall audit expectation gap is graphically represented in Illustration 1.10. In this
figure, note the performance gap, which is the difference between auditor performance and
auditing standards and regulations. There is also an expectation gap, which is the difference
between a financial statement user’s expectations and auditing standards and regulations.

ILLUSTRATION 1.10  Audit expectation and performance gaps

Auditor Performance | Performance Gap | Auditing Standards and Regulations | Expectation Gap | Financial Statement User’s Expectations

Performance gap:
•  Auditor failure to follow firm policy, standards, and regulations

Auditor performance impacted by:
•  Auditing standards
•  Ethical standards
•  Regulations
•  Legislation
•  Firm policy and procedures

Financial statement user’s expectations impacted by:
•  Audit firm reputation
•  Audit firm independence
•  Reader’s knowledge of auditing
•  Economic conditions

The performance gap can be reduced by:

•  Auditors performing their duties appropriately, complying with auditing standards, and
meeting the minimum standards of performance that should be expected of all auditors.
•  Inspections of audits to ensure that auditing standards have been correctly applied.
•  Assurance providers reporting accurately the level of assurance being provided.

The audit expectation gap can be reduced by:

•  Auditing standards being reviewed and updated on a regular basis to enhance the work
being done by auditors.
•  Education of financial statement users as to the responsibilities of preparers and auditors
of financial statements.

As described in this chapter, financial statement users rely on audited financial statements to make a variety of decisions. Financial statement users demand access to reliable information to help ensure the stability of financial markets. The audit profession is dedicated to providing reliable assurance services in the interest of protecting the public trust.

Cloud 9 - Continuing Case

Ron believes that Chip Masters would know what an audit can provide, and what it cannot, because Chip is an experienced vice president of a large international company. He deals with auditors on a regular basis.

Ron thanks Ernie for his time. Ernie has helped him to understand that preparing more detailed financial statements and engaging an auditor to perform a financial statement audit would not be as bad as he first thought. Ron now understands why Ernie thinks audits are valuable, and not just another business expense. If Chip Masters thinks that Ron’s financial statements are more credible with an audit, then it is likely he will be prepared to pay a higher price for Ron’s business.

Before You Go On
8.1 Define the audit expectation gap. Define the audit performance gap.
8.2 What has caused the audit expectation gap?
8.3 What can be done to reduce the audit expectation gap? What can be done to reduce the audit
performance gap?

Learning Objectives Review


1  Differentiate among assurance, attestation, and auditing services.

An assurance engagement involves an assurance provider arriving at an opinion about some information being provided by their client to a third party. Attestation and auditing services are types of assurance services. A financial statement audit involves an audit firm obtaining evidence to support an opinion about the fair presentation of the financial statements, in all material respects, in accordance with an applicable financial reporting framework.

2  Describe the different types of assurance services.

Assurance services include financial statement audits, audits of effectiveness over internal control of financial reporting, compliance audits, operational/performance audits, and internal audits.

3  Explain the demand for audit and assurance services.

Financial statement users include investors (shareholders), suppliers, customers, lenders, employees, governments, and the general public. These groups of users demand audited financial statements due to their remoteness from the entity, accounting complexity, competing incentives between them and the entity’s managers, and their need for reliable information on which to base decisions.

4  Discuss the different roles of the financial statement preparer and the auditor.

It is the responsibility of the company’s management to prepare the financial statements in accordance with the applicable financial reporting framework. Management is also responsible for the design, implementation, and maintenance of internal control over financial reporting and for providing the auditors with access to all documentation needed to complete the audit. It is the responsibility of the auditor to form an opinion on the fair presentation of the financial statements. In doing so the auditor must utilize professional skepticism and professional judgment in the planning and performance of the audit and must adhere to the appropriate auditing standards.

5  Identify the roles of different regulators and organizations that affect the audit profession.

Regulators and organizations that impact the audit profession include the Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), the American Institute of Certified Public Accountants (AICPA), the Financial Accounting Standards Board (FASB), the Committee on Sponsoring Organizations of the Treadway Commission (COSO), and the National Association of State Boards of Accountancy (NASBA). Auditors must follow the PCAOB’s Auditing Standards (AS) when auditing public companies and follow the Auditing Standards Board’s Statements on Auditing Standards (SAS) when auditing private companies.

6  Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements.

Auditors are only required to provide reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to error or fraud. In a private company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then auditors issue the standard unmodified audit report. In a public company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then they issue the standard unqualified audit report.

7  Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting.

An effective system of ICFR provides reasonable assurance the financial statements will be free of material misstatements. Only public companies are required to have an audit of the effectiveness of ICFR. In the audit of the effectiveness of ICFR, auditors provide reasonable assurance regarding whether or not there is a material weakness in ICFR for the period under audit. If auditors have determined the company has maintained effective ICFR, then they issue the standard unqualified audit report on ICFR.

8  Discuss the audit expectation gap.

The difference between what assurance providers provide and what financial statement users expect consists of two components: (1) the expectation gap, which is the difference between a financial statement user’s expectations and professional standards and regulations, and (2) a performance gap, which occurs when assurance providers do not follow professional standards. The total gap occurs when user beliefs do not align with what an auditor has actually done.

Key Terms Review


Assurance services
Attestation services
Audit risk
Audit services
Compliance audit
Integrated audit
Internal audit
Materiality
Material weakness
Operational (performance) audit
Professional judgment
Professional skepticism
Reasonable assurance
Those charged with governance

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1. (LO 1)  Which of the following is not a characteristic of an assurance service?
a.  The engagement is conducted by an independent professional.
b.  The service lends credibility to information.
c.  The subject matter is limited to financial information.
d.  The service is useful for decision makers.

2. (LO 2)  An assurance service that determines whether the entity has conformed with regulations, rules or processes is a (an):
a.  compliance audit.
b.  financial statement audit.
c.  internal audit.
d.  operational audit.

3. (LO 2)  Operational (performance) audits are useful because they:
a.  include a comprehensive audit.
b.  are concerned with the economy, efficiency, and effectiveness of an organization’s activities.
c.  involve gathering evidence to determine whether the entity under review has followed the rules, policies, procedures, laws, or regulations with which they must conform.
d.  ensure companies pay appropriate taxes.

4. (LO 2)  The function of internal audit is determined by:
a.  the external auditor.
b.  the IIA.
c.  those charged with governance and management.
d.  the government.

5. (LO 3)  All of the following are reasons why users would demand an audit of financial statements except:
a.  complexity.
b.  remoteness.
c.  cost.
d.  reliability.

6. (LO 4)  Management is responsible for which of the following?
a.  Preparing financial statements in accordance with the appropriate auditing standards.
b.  Designing, implementing, and maintaining internal control relevant to the preparation of the financial statements.
c.  Using professional skepticism in the preparation of the financial statements.
d.  Issuing an opinion on whether the financial statements are presented fairly in accordance with the appropriate financial reporting framework.

7. (LO 5)  Which of the following organizations issues auditing standards for the audits of public companies?
a.  PCAOB.
b.  SEC.
c.  ASB.
d.  COSO.

8. (LO 5)  The role of COSO is to:
a.  establish financial accounting and reporting standards.
b.  establish auditing standards for private companies.
c.  prepare and grade the CPA exam.
d.  provide guidance in the area of internal control and risk management.

9. (LO 6)  Auditors can only provide reasonable assurance that the financial statements are presented fairly because:
a.  sampling techniques are used to gather evidence.
b.  some items in the financial statements are subjective.
c.  an audit must be completed in a reasonable amount of time.
d.  All of these answer choices are correct.

10. (LO 6)  What is the appropriate date for an audit report?
a.  The date the auditors were hired.
b.  The date of the balance sheet.
c.  The conclusion of the gathering of evidence for the audit.
d.  The date required by regulators.

11. (LO 7)  Auditors of publicly traded companies are required to perform a(an) ________ for their clients.
a.  compliance audit
b.  integrated audit
c.  internal audit
d.  operational audit

12. (LO 8)  The audit expectation gap occurs when:
a.  auditors perform their duties appropriately and satisfy users’ demands.
b.  user beliefs do not align with what professional standards and regulations expect of auditors.
c.  inspections of audits ensure that auditing standards have been applied correctly and the standards are at the level that satisfy users’ demands.
d.  the public is well educated about auditing.

Review Questions
R1.1  (LO 1)  What does assurance mean in the financial reporting context? Who are the three parties relevant to an assurance engagement?
R1.2  (LO 1)  An assurance engagement involves evaluation or measurement of subject matter against criteria. What criteria are used in a financial statement audit?
R1.3  (LO 2)  Discuss some limitations of a financial statement audit.
R1.4  (LO 2)  Who would request an operational (performance) audit? Why?
R1.5  (LO 3)  Why would investors in a company demand an audit of financial statements?
R1.6  (LO 4)  Compare and contrast the responsibilities of preparers and auditors regarding a financial statement audit.
R1.7  (LO 5)  Describe the relationship between the SEC and the PCAOB.
R1.8  (LO 5)  Compare and contrast the functions of a state board of accountancy and of NASBA.
R1.9  (LO 5)  Briefly describe the principles underlying an audit conducted in accordance with GAAS that are issued by the ASB.
R1.10  (LO 6)  Discuss the similarities and differences in the auditor’s reports for a public company client and a private company client.
R1.11  (LO 7)  List and briefly describe the components of the auditor’s report on internal controls over financial reporting for a public company.
R1.12  (LO 8)  Debate the audit expectation gap. Why do you think professional auditing standards do not give users what they want? Why do you think auditors sometimes do not meet professional standards?

Analysis Problems
AP1.1  (LO 1, 2)  Basic   Research   Types of assurance engagements  A friend knows that you are
studying auditing and asks you what the difference is between internal and external auditing.

Required
Using what you learned in this chapter and from information from the AICPA website (www.aicpa.org)
and the IIA website (www.theiia.org), compare and contrast the duties and characteristics of internal and
external auditors.
AP1.2  (LO 3)  Challenging   Demand for assurance  In 2002, the audit firm Arthur Andersen collapsed following charges brought against it in the United States relating to the failure of its client, Enron. Some other clients announced they would be dismissing Arthur Andersen as their auditor even before it was clear that Arthur Andersen would not survive.

Required
Using the discussion in this chapter on the demand for audits, explain some reasons why these clients
took this action.
AP1.3  (LO 3, 4)  Moderate   Big 4 versus non-Big 4 assurance providers  Most audit firms maintain a website that explains the services offered by the firm and provides resources to their clients and other interested parties. The services offered by most firms include both audit and non-audit services.

Required
Find the websites for a Big 4 audit firm and a mid-tier audit firm. Compare them on the following:
a. The range of services provided.
b. Geographic coverage (i.e., where their offices are located).
c. Staff numbers and special skills offered.
d. Industries in which they claim specialization.
e. Publications and other materials provided to their clients or the general public.
f. Marketing message.

AP1.4  (LO 3, 4)  Challenging   Big 4 versus non-Big 4 assurance providers  Economic changes
can affect how clients select their assurance providers.

Required
a. In times of economic recession, would you expect the demand for audits to increase or decrease?
b. Would you expect clients to shift from large (Big 4) auditors to mid-tier auditors, or from mid-tier
auditors to Big 4 auditors in times of economic recession? Why or why not?

AP1.5  (LO 5)  Basic   Research   Requirements to become a CPA  Each state has the power to
determine the education and experience requirements to be a licensed CPA in that state. The power is
delegated to the state board of accountancy in each state.

Required
Visit the state board of accountancy website for the state in which you are attending college. What are the education and experience requirements? If you intend to begin your career in another state, also research the education and experience requirements for that state. What are the similarities and differences between the two states?

AP1.6  (LO 5)  Basic   Research   Accounting firm registration  Since the creation of the PCAOB
in 2003, accounting firms that wish to audit public companies must be registered with the PCAOB. Visit
the PCAOB’s website (www.pcaobus.org) and browse the information.

Required
Explain what is required for an accounting firm to be registered with the PCAOB.

AP1.7  (LO 6, 7)  Basic   Audit reports  Auditor’s reports for The Boeing Company are provided
in Illustrations 1.7 and 1.9 in this chapter. Both reports are signed by Deloitte & Touche LLP. Deloitte
& Touche also audits Starbucks Corporation. Visit the Starbucks investor relations website to access
the most recent annual report and 10-K. Find the auditor’s reports on the financial statements and the
effectiveness of ICFR.

Required
a. Compare the audit reports of The Boeing Company and Starbucks. What type of opinion did Starbucks receive on its financial statements and on the effectiveness of ICFR?
b. What are the advantages of having a standard report format for all clients?

AP1.8  (LO 4, 6, 8)  Moderate   Being an auditor  You have recently graduated from your university
and started work with an accounting firm. You meet an old school friend, Kim, for dinner—you haven’t
seen each other for several years. Kim is surprised that you are now working as an auditor because your
childhood dream was to be a ballet dancer. Unfortunately, your knees were damaged in a fall and you
can no longer dance. The conversation turns to your work and Kim wants to know how you do your job.
Kim cannot understand why an audit is not a guarantee the company will succeed. Kim also thinks that
company managers will lie to you to protect themselves, and as an auditor you would have to assume that
you cannot believe anything a company manager says to you.

Required
Compose a letter to Kim explaining the concept of reasonable assurance, and how reasonable assurance is determined. Explain why an auditor cannot offer absolute assurance. Describe the concept of professional skepticism and how it is not the same as assuming that managers are always trying to deceive auditors. Explain to Kim why her perceptions are a perfect example of the expectations gap.

AP1.9  (LO 2, 4, 6, 7, 8)  Challenging   Limitations of an audit  You are an intern at a Big 4 accounting firm and have just finished your internship training. You feel a little overwhelmed with all of the information from the training session, and you are wondering if you are qualified to perform work that is of high-enough quality to meet the firm’s and the profession’s standards. What if you miss something or forget to do something? What if it takes you too long to complete your tasks? What if you spend time on something that is trivial and miss something that is important? You decide to review your notes from the training session and from your undergraduate audit course.

Required
a. Discuss the limitations of an audit.
b. Refer to the audit reports in Illustrations 1.6, 1.7, and 1.9. What are some key terms and phrases
included in the reports that address these limitations?

AP1.10  (LO 6)  Challenging   Research   Audit reports  On an international level, other countries have also discussed and implemented expanding the audit report to include more detail from auditors about critical audit matters (CAM). The United Kingdom (UK) has already moved to using an expanded audit report. An example of the new audit report format can be found in the annual report of GlaxoSmithKline plc (GSK). Visit GSK’s investor website and download the most recent annual report. Find the auditor’s report in the Financial Statements section of the annual report.

Required
a. Who are the auditors for GSK?
b. What are some differences in the U.K. auditor’s report model compared with the current U.S. auditor’s report model for public companies?
c. Which report model do you prefer and why? Would your answer change based on the type of user
you are (lender, customer, investor)? Would your answer change if you were the preparer or auditor
of the financial statements?

Cloud 9 - Continuing Case


Ron McLellan established his business, McLellan’s Shoes, in 1985. Since then, he has run his business as a sole proprietor. Ron keeps records and his wife helps him prepare basic accounting records. As McLellan’s Shoes has no outside owners, Ron has never seen the need to have his accounts audited.

When Chip Masters from Cloud 9 Inc. expressed an interest in buying McLellan’s Shoes in 2020, Ron was asked to provide audited financial statements. Ron discussed his concerns about having an audit with his friend Ernie Black. Ernie is concerned that Ron may forget their conversations and has asked you to prepare a summary of the issues listed below for Ron.

Required
a. What are the main differences between a financial statement audit, a compliance audit, and an operational audit?
b. What is the difference between reasonable assurance and absolute assurance?
c. Why would Chip ask that Ron have the financial statements for McLellan’s Shoes audited rather than reviewed?
d. What factors should Ron consider when selecting an accounting firm to complete the McLellan’s Shoes audit?

Chapter 2
Professionalism and Professional Responsibilities

The Audit Process

[Figure: flowchart of the audit process and the chapters that cover each stage]
Overview of Audit and Assurance (Chapter 1)
Professionalism and Professional Responsibilities (Chapter 2)
Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
Gaining an Understanding of the System of Internal Control (Chapter 6)
Develop Responses to Risk and an Audit Strategy
Audit Evidence (Chapter 5)
Audit Data Analytics (Chapter 7)
Performing Tests of Controls (Chapter 8)
Performing Substantive Procedures (Chapter 9)
Audit Sampling for Substantive Tests (Chapter 10)
Auditing the Revenue Process (Chapter 11)
Auditing the Purchasing and Payroll Processes (Chapter 12)
Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting


Learning Objectives

LO1  Explain what it means to be a professional and how these traits apply to auditors.
LO2  Explain the structure of the AICPA Code of Professional Conduct.
LO3  Apply the conceptual framework approach to ethical decision making for members in public practice.
LO4  Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity.
LO5  Evaluate the ethical behavior needed to comply with rules of conduct on independence.
LO6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards.
LO7  Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.
LO8  Evaluate an auditor’s legal liability under common law.
LO9  Evaluate an auditor’s legal liability under statutory law.

Auditing and Assurance Standards

PCAOB Ethics and Independence Rules
3501  Definitions of Terms Employed in Section 3, Part 5 of the Rules
3502  Responsibility to Not Knowingly or Recklessly Contribute to Violations
3520  Auditor Independence
3521  Contingent Fees
3522  Tax Transactions
3523  Tax Services for Persons in Financial Reporting Oversight Roles
3524  Audit Committee Pre-approval of Certain Tax Services
3525  Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting
3526  Communication with Audit Committees Concerning Independence

AICPA Ethical Standards
AICPA  Code of Professional Conduct

Cloud 9 - Continuing Case


Ron McLellan came to an arrangement with Chip Masters and sold McLellan’s Shoes to Cloud 9 Inc. (Cloud 9) in 2021. As part of the sale agreement, Ron McLellan was appointed to the Cloud 9 board of directors.

The accounting firm W&S Partners is bidding for the January 31, 2023, audit of Cloud 9. The partner responsible for writing the proposal, Jo Wadley, asks Sharon Gallagher and Josh Thomas to assist. Sharon will be the audit manager if the proposal is successful. Her task is to help write the proposal documents and win the job for the firm. However, even more importantly, she must make sure that there are no surprises for the audit team once they win the audit. Sharon knows how crucial this is. She still has nightmares about an audit she worked on when she was a new graduate at another audit firm. The client in that case threatened to dismiss the auditor when the auditor wanted him to recognize an impairment loss on some assets. The client was the firm’s largest account, and the partner was under a lot of pressure to keep the client.

Josh is an audit senior. He has not been involved in the proposal process before and needs the experience so he can be promoted to audit manager. Sharon and Josh do not know anything about Cloud 9 except that it manufactures and retails customized basketball and other sports shoes, and it is a publicly listed U.S. company. Sharon stresses to Josh that they want to know that the client is not going to be difficult to deal with and that W&S Partners can do a good job on the audit. Josh asks how they can know that now, before they start the audit.

Chapter Preview: Audit Process in Focus


The purpose of this chapter is to provide an overview of professionalism and the professional responsibilities of a certified public accountant and auditor.

We begin this chapter with a discussion of what it means to be a professional. The term professional is often used in a number of contexts. This introductory section discusses the various uses of the term and focuses on the relevance of the term for certified public accountants (CPAs) and auditors.

A code of professional ethics is a critical part of any profession’s commitment to serve the public interest. A significant portion of this chapter focuses on the Code of Professional Conduct of the American Institute of Certified Public Accountants (AICPA). This section begins with a discussion of the organization of the AICPA Code of Professional Conduct, followed by a discussion of how to use the Code’s conceptual framework for ethical decision making. It then explores the Code’s rules related to (1) integrity and objectivity, (2) independence, (3) general standards, and (4) other rules of conduct for members in public practice. Since you are studying to be an accountant or a CPA, you should develop the ability to evaluate various situations and to appropriately apply the rules of conduct as circumstances dictate.

An overview of the auditor’s legal responsibilities and liability is discussed next. An auditor’s legal responsibilities fall into two broad categories. The first is an auditor’s responsibilities under common law. Common law is a general law, such as law related to contracts, and it is derived from principles based on justice, reason, and common sense rather than absolute, fixed, or inflexible rules. The principles of common law are determined by the social needs of the community or the state. Second, the chapter discusses the auditor’s responsibilities under securities law. Securities laws have been written to address the auditor’s responsibilities related to the new issue of a security, or related to the trading of securities on various exchanges. All auditors should understand their legal obligations to clients and the third-party investors who rely on their reports.

Professionalism and Accounting


LEARNING OBJECTIVE 1
Explain what it means to be a professional and how these traits apply to auditors.

Is public accounting a recognized profession? If so, what does it mean to be part of a recognized profession? What rights come with being part of a recognized profession? Further, what responsibilities come with being part of a recognized profession? Is being a professional about expertise and about quality of work in a chosen occupation, or is it something more? These are important questions, and the answers are often misunderstood by many. These issues were covered well by Robert K. Mautz in a 1988 editorial in Accounting Horizons,¹ and his views are summarized below.

¹ Robert K. Mautz, “Public Accounting: What Kind of Professionalism?” Accounting Horizons 2, no. 3/4 (1998), pp. 121–125.

One way that professionals are commonly defined is by level of expertise. Professional athletes are often referred to as “pros” because of their skill and level of expertise. The same term may be used related to virtually any occupation as a way of recognizing an individual’s high level of skill. In the competitive world, the high level of skill is usually well rewarded, and the public often measures success of competitors in monetary terms. Robert Mautz refers to this definition of a professional as an expert competitor (EC professional). In the context of an EC professional, the profession is usually defined by the line of work or occupation (e.g., football, basketball, coaching, or consulting).

Another way to define a professional, or a profession, relates to a profession’s responsibility and concern for the public interest. Such professions include medicine, architecture, and public accounting. Robert Mautz refers to this definition of a professional by its concern for the public interest (CPI professional). CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society.

The cornerstone of the public accounting profession is recognized in the public interest in the work done by CPAs. State governments (through state boards of accountancy) grant a CPA license to individuals who complete the required education, pass a professional examination (the CPA exam), and complete an experience requirement. Upon obtaining a CPA license, a CPA has the unique right to sign an audit or attest report, and to sign tax returns as a tax preparer (a right that is also granted to licensed tax preparers). Upon becoming licensed as a CPA, individuals also agree to accept the responsibility to follow professional standards (e.g., accounting and auditing standards) and a code of professional conduct (usually written into state rules or law). CPAs also have an obligation to keep their education current by taking continuing professional education. This chapter will cover the AICPA Code of Professional Conduct that is recognized by many state boards of accountancy.

Chapter 1 summarized the demand for auditing and the need for auditors to be independent of management when serving the public interest by reporting on financial statements. The accounting profession has also seen firsthand the consequences of not fully meeting the demand from the public of providing reasonable assurance that financial statements are free of material misstatement. During the late 1990s and the first few years of the twenty-first century, auditors failed to find many material misstatements on a timely basis, and many times management had to restate earnings due to material misstatements. The public was not satisfied with the quality of audits of public companies. The result was the Sarbanes-Oxley Act of 2002 (SOX) and the creation of the PCAOB to provide oversight of the auditors of public companies.

However, the events that led to additional regulation of the accounting profession need some perspective. When there were significant restatements of earnings, about 8% of all public companies had to restate their earnings. Eight percent was sufficient to shake the confidence of the securities markets in reported financial statements. For all that the accounting profession did right, the view was that the profession needed to do better. That said, it is important to understand that many CPAs who work as chief financial officers put fair presentation of the financial statements, and their obligation to society, ahead of their obligation to their employers. Further, many CPAs in public practice think about their responsibility to the public first and their responsibility to their clients second; they expect their own well-being will work out if they take these other responsibilities seriously.

Professional Environment: The Ethics of WorldCom: Misplaced Motives, Weaknesses, and Heroism

In July 2002, WorldCom announced that it had understated expenses by over $3.8 billion (the number eventually was adjusted to over $11 billion) and the company filed for bankruptcy. This was one of the largest accounting frauds in U.S. history and the size of the accounting fraud and bankruptcy at WorldCom shook investor confidence already weakened by the prior restatement of financial statements by companies like Enron, Waste Management, and Sunbeam. The misstatement at WorldCom propelled Congress to pass SOX.

WorldCom was led by CEO Bernie Ebbers, who was focused on delivering growth through acquisitions. The acquisition strategy reached new heights when WorldCom acquired MCI Communications in 1998. Continued growth through merger demanded increasing stock prices. In 2000, the company’s stock experienced a decline and, in an effort to bolster stock prices, Scott Sullivan, WorldCom CFO, asked accountants in the corporate headquarters to begin a scheme of booking quarter-end journal entries that resulted in capitalizing costs that should have been expensed. After being fired in 2002, Scott Sullivan was indicted by the Justice Department. He subsequently pleaded guilty to fraud and acknowledged that he willingly deceived investors. He also testified against CEO Bernie Ebbers and stated that Ebbers was fully aware of the accounting fraud. Scott Sullivan was sentenced to 5 years in prison and Bernie Ebbers was sentenced to, and is serving, 25 years in prison.

Some of the accountants at WorldCom who participated in the fraud included Buford Yates, Jr., Betty Vinson, and Troy Normand. Mr. Normand was a CPA who worked at WorldCom from 1997 to 2002. While he questioned CFO Scott Sullivan about the journal entries that he was asked to write, during testimony Mr. Normand was asked if he ever conducted any analysis to determine whether the accounting was accurate. He answered that he did not perform any such analysis and that he never obtained any accounting justification for the entries he was asked to make. In short, Troy Normand, Betty Vinson, and Buford Yates, Jr., did not find a way to stand up to Scott Sullivan and investigate the proper accounting treatment. Rather, they subordinated their judgment to the judgment of others (mainly Scott Sullivan).

However, there were those at WorldCom who did not subordinate their professional judgment. The public learned about WorldCom’s financial fraud through the hard work of several “auditing heroes” led by Cynthia Cooper, then aged 38 and WorldCom’s vice president for internal auditing, who took her public interest responsibilities seriously. What did Cynthia Cooper and her staff of internal auditors do to uncover the financial fraud? The internal audit team:

•  Followed up on an email from a local newspaper article about a former employee in WorldCom’s Texas office who had been fired after he raised questions about a minor accounting matter involving capital expenditures.
•  Recognized that $2 billion in capital expenditures had not been authorized as part of the capital budget process.
•  Did not settle for glib answers from the director of financial planning who described the $2 billion in capital expenditures as “prepaid capacity” but could not explain the nature of “prepaid capacity.”
•  Uncovered over $500 million in capitalized computer costs that were not supported by vendor’s invoices.
•  Demonstrated their independence by continuing to investigate the capitalization of line costs (fees paid to lease portions of other companies’ telephone networks) even when instructed by CFO Scott Sullivan to delay this particular internal audit until the third quarter.

The issue came to a head when Cynthia Cooper and her audit team brought evidence of the improper capitalization of expense to the chairman of WorldCom’s audit committee. The audit committee instructed the internal auditors to work with WorldCom’s new external auditor, KPMG. Within a week, the internal and external auditors compiled evidence of financial fraud for the audit committee and the external auditors concluded that the accounting treatment was not in accordance with generally accepted accounting principles. CFO Scott Sullivan was given the opportunity to make his case to the audit committee, but the committee members were not persuaded. The next day, the audit committee and the board of directors made public the $3.8 billion restatement of earnings due to the fact that costs had been capitalized that should have been expensed. The audit committee and board of directors also fired Scott Sullivan.

Before You Go On
1.1  Do EC professionals exist in public accounting firms? Explain.
1.2  Explain the concept of the CPI professional and how it applies to auditors.
1.3  Would you call a plumber an EC professional or a CPI professional? Explain your reasoning.

The Structure of the AICPA Code of Professional Conduct


LEARNING OBJECTIVE 2
Explain the structure of the AICPA Code of Professional Conduct.

Professional ethics represent a commitment by a profession to abide by ethical principles and
rules of conduct. A commitment to ethical behavior is a key element that separates recognized
professions from other occupations. A code of ethics usually represents standards of behavior
that are both idealistic and practical in purposes. Although codes of ethics may be designed
in part to encourage ideal behavior, they must also be both practical and enforceable. To be
meaningful they must strike a balance of being above the law but below the ideal. The
adherence of professionals to a code of ethics significantly affects the reputation of the
profession and the confidence in which it is held.
The AICPA Code of Professional Conduct (the Code) provides guidance to all members
of the AICPA with respect to performance of their professional responsibilities. The AICPA
is an organization (discussed in Chapter 1) that represents the accounting profession, and
membership is voluntary. However, CPAs must be licensed by state boards of accountancy.
The state boards of accountancy and the AICPA work together on many professional issues.
Further, many state boards of accountancy have incorporated the AICPA Code of Professional
Conduct in state rules so that it applies to all CPAs in the state. The Code consists of principles,
rules, interpretations, and other guidance for AICPA members. Each of these components is
described below.
•  Principles express the basic tenets of ethical conduct and provide the framework for
the rules that govern the performance of a member’s professional responsibilities. The
principles are not enforceable.
•  Rules of conduct establish minimum standards of acceptable conduct in the performance
of professional services. The AICPA bylaws require that members adhere to the rules of the
code. The rules of conduct are enforceable and members must be prepared to justify
departures from the rules of conduct.
•  Interpretations provide additional guidance regarding the scope and applicability of
the rules of conduct. A member who departs from the interpretations shall have the burden
of justifying such departure in any disciplinary hearing.

The AICPA Code of Professional Conduct can be found online at the AICPA website
(www.aicpa.org). The Code is searchable using key words. There are also a series of
hyperlinks within the Code that make it easy to find related topics. The Code can also be
downloaded in PDF format.
The Code is organized in four major sections as presented in Illustration 2.1: (1) a preface
applicable to all AICPA members; (2) Part 1, which includes ethical rules for members
in public practice (usually CPAs in CPA firms); (3) Part 2, which includes ethical rules for
members in business (such as a CFO, a controller, or an accountant working in industry or
government); and (4) Part 3, which includes ethical rules for other members (e.g., non-CPA
members of the AICPA). If an individual has a good understanding of this structure, it is
easier to search and determine appropriate solutions to ethical dilemmas.

ILLUSTRATION 2.1   Structure of the AICPA Code of Professional Conduct

Preface: Applicable to All Members
  .100  Overview of the Code of Professional Conduct
  .200  Structure and Application of the Code of Professional Conduct
  .300  Principles of the Code of Professional Conduct
  .400  Definitions
  .500  Nonauthoritative Guidance
  .600  New, Revised and Pending Interpretations and Other Guidance
  .700  Deleted Interpretations and Other Guidance
Part 1: Members in Public Practice
1.000  Introduction and Conceptual Framework for Members in Public Practice
1.100  Integrity and Objectivity
1.200  Independence
1.300  General Standards
1.310  Compliance with Standards
1.320  Accounting Principles
1.400  Act Discreditable
1.500  Fee and Other Types of Remuneration
1.600  Advertising and Other Forms of Solicitation
1.700  Confidential Information
1.800  Form of Organization and Name
Part 2: Members in Business
2.000  Introduction and Conceptual Framework for Members in Business
2.100  Integrity and Objectivity
2.310  Compliance with Standards
2.320  Accounting Principles
2.400  Act Discreditable
Part 3: Other Members
3.000  Introduction
3.400  Act Discreditable

The remainder of the discussion of the Code will focus on explaining the Conceptual
Framework for Members in Public Practice as well as some key rules that are relevant to
members in public practice.

Before You Go On
2.1  What is the purpose of the AICPA ethical principles? Explain their enforceability.
2.2  What is the purpose of the AICPA ethical rules? Explain their enforceability.
2.3  What is the purpose of the AICPA ethical interpretations? Explain their enforceability.

Conceptual Framework for Members in Public Practice

LEARNING OBJECTIVE 3
Apply the conceptual framework approach to ethical decision making for members
in public practice.

The rules in the AICPA Code of Professional Conduct and related interpretations seek to
address many situations for members in public practice. However, the rules and interpre-
tations cannot address every possible relationship or circumstance that might arise. Thus,
in the absence of a rule or an interpretation, a CPA should use the conceptual framework
to evaluate what to do. The Code and the conceptual framework relate to all work performed
by CPAs in public practice, whether audit engagements, tax engagements, accounting services
performed for clients, or consulting engagements. Ultimately, a CPA should evaluate whether
a relationship or circumstance would lead a reasonable and informed third party, who is
aware of the relevant information, to conclude there is a threat to the CPA’s compliance with
the rules and the threat is not capable of being reduced to an acceptable level.

In situations where there is not a specific rule or interpretation that relates to a rela-
tionship or circumstance, the CPA should follow the steps outlined in Illustration 2.2. The
following discussion explains each of these steps.

ILLUSTRATION 2.2   Conceptual framework flowchart
[Flowchart: Step 1, Identify Threats; Step 2, Evaluate Significance of Threats; Step 3,
Identify and Apply Safeguards; Step 4, Evaluate the Effectiveness of Safeguards; decision:
Are Threats at an Acceptable Level? (NO: Decline or Terminate Engagement; YES: Step 5,
Document Threats and Safeguards Applied; Proceed with Engagement). Other labels: Threats
Identified; Significant Threats; No Threats Identified; Threats Not Significant; STOP.]

Step 1: Identify threats. CPAs interact with clients in a number of circumstances. CPAs need
to be alert to a possible relationship or situation that might cause a threat to their compliance
with ethical rules. Following is a discussion of seven common threats that CPAs in public
practice should be alert to, irrespective of the services the CPA is engaged to perform:

•  Adverse interest threat. An adverse interest threat is the threat that a CPA will not
act with objectivity because the CPA’s interests are opposed to the client’s interests. For
example, an adverse interest threat exists if a client has expressed an intention to begin
litigation against the CPA regarding the quality of tax work previously performed.
•  Advocacy threat. An advocacy threat is the threat that a CPA will promote a client’s
interests or position to the point that his or her objectivity or independence is
compromised. For example, an advocacy threat exists if the CPA provides expert witness
services to a client in litigation or dispute with a customer regarding a licensing
arrangement. Once the CPA is advocating for a client, the CPA is no longer objective.
An advocacy threat would also exist if a firm acts as an investment adviser to an officer
or director of a client.
•  Familiarity threat. A familiarity threat is the threat that, due to a long or close
relationship with a client, a CPA will become too sympathetic to the client’s interests or
too accepting of the client’s work or product. For example, a familiarity threat would exist
if a CPA’s immediate family member were employed by the client in a key position (such
as the CFO). A familiarity threat would also exist if a former partner or professional
employee of an audit firm joined the client as its CFO and had knowledge of the firm’s
policies and practices for the audit engagement.
•  Management participation threat. A management participation threat is the
threat that a CPA will take on the role of client management or otherwise assume
management responsibilities. For example, a CPA may have a small business client, and the
owner asks the CPA’s firm to do various bookkeeping services for the client. Providing
bookkeeping services may cause the CPA to make various management decisions, which
is a threat to the firm’s objectivity and independence. This may also put an accounting
firm in a position of auditing its own work.
•  Self-interest threat. A self-interest threat is the threat that a CPA could benefit,
financially or otherwise, from an interest in, or relationship with, a client or persons
associated with the client. For example, a self-interest threat exists when a CPA has a
financial interest in the client, or a CPA’s spouse enters into employment negotiations for
a key position with a client. A self-interest threat also exists if a firm has an excessive
reliance on the revenues from a single client.
•  Self-review threat. A self-review threat is the threat that a CPA will not appropriately
evaluate the results of a previous judgment made by, or service performed by, an individual
in the CPA’s firm, and that the CPA will rely on that work in forming a judgment as part
of an engagement. For example, a self-review threat exists if a CPA performs bookkeeping
services for a private company client and that work needs to be evaluated by the same firm
in the course of an attest engagement. (Attest engagements are explained in Chapter 1.)
•  Undue influence threat. An undue influence threat is the threat that a CPA will
subordinate his or her judgment to an individual associated with a client or any relevant
third party due to that individual’s reputation or expertise, aggressive or dominant
personality, or attempts to coerce or exercise excessive influence over the CPA. For example,
an undue influence threat exists if a client threatens to dismiss a firm from the current
engagement, or if the client indicates that it will not award additional engagements, if the
firm continues to disagree with the client on an accounting or tax matter.

Step 2: Evaluate the significance of threats. If a CPA has identified a threat resulting from a
relationship or circumstance, he or she should evaluate the significance of the threat. CPAs
should evaluate identified threats both individually and in aggregate. The standard a CPA
should use to determine if the threat is at an acceptable level is whether a reasonable and
informed third party, who is aware of the relationship or circumstance, would conclude that
a CPA is in compliance with the rules of the Code. If a CPA concludes the threat is not at an
acceptable level, the CPA should proceed to Step 3, identify and apply safeguards.

Cloud 9 - Continuing Case


Familiarity is usually a greater issue for existing clients than for new clients, such as
Cloud 9 for W&S Partners. However, there could be personal familiarity issues in any audit
engagement. Josh is worried about asking the partners and management of the firm to declare
their relationships with the management of Cloud 9. He thinks they might regard that question
as impertinent. Sharon tells Josh that she knows that the partners and managers at W&S
Partners are very committed to ethical behavior. If they were not to ask this question as
part of the process of accepting the new client, Sharon and Josh would be disciplined for
poor performance.

Step 3: Identify and apply safeguards. There are three basic types of safeguards. The first
is safeguards created by the profession (e.g., the safeguards suggested in the rules of the
Code), legislation, or regulation. A CPA should be familiar with both the Code and regulatory
rules that might apply. Safeguards are often suggested in these rules to guide a CPA. Second
are safeguards implemented by a client. For example, a board of directors might take steps
to remove a familiarity threat by reassigning a key person. However, it is not possible for
an accounting firm to rely solely on safeguards implemented by the client to eliminate or
reduce significant threats to an acceptable level. Finally, an accounting firm can implement
safeguards within the firm. In a large accounting firm, safeguards might involve rotating
someone off the engagement, or conducting an independent review of the work by another
CPA. In a small accounting firm, appropriate safeguards might include the involvement of
another firm.
Step 4: Evaluate the effectiveness of safeguards. If a CPA concludes that threats are at an
acceptable level after applying the identified safeguards, then the CPA may proceed with the
professional service. However, if there are no safeguards that would eliminate the threat or
reduce it to an acceptable level, or the CPA is unable to implement effective safeguards, the
CPA should decline or terminate the engagement.

Step 5: Document threats and safeguards applied. When safeguards are applied to reduce a
threat to an acceptable level, best practice calls for the CPA to document the identified threats,
the safeguards applied, and the CPA’s evaluation of the effectiveness of the safeguards.
Consider the following example. An accounting firm is attempting to grow its audit prac-
tice and make inroads in several industries where it wants to increase its concentration of
practice. In the process, it obtains a new audit client by submitting a bid for the audit below
the expected cost to the firm to perform the audit. In the long run, the firm hopes to gain other
clients at increased fees, and over time increase the fee for work with the new audit client.
In Step 1, the CPA understands there is a self-interest threat to exercising due professional
care when performing the audit. The firm understands there may be an incentive to cut cor-
ners when doing audit work in order to make a profit in performing the engagement.
In Step 2, the CPA determines the threat is significant and the firm should put a safeguard
in place to ensure the firm uses due professional care and follows auditing standards when
performing the engagement.
In Step 3, the CPA discusses the low bid with the audit team during audit planning, sets
an expectation of following professional standards, and confirms that the team’s budget for
the engagement will not be influenced by the low fee. In addition, the firm decides to have
the work reviewed by a second audit partner to ensure compliance with firm policy and pro-
fessional standards. (Note: a sole practitioner might engage another auditor to review the sole
practitioner’s work.)
In Step 4, the CPA determines that setting an appropriate tone at the top regarding com-
pliance with professional standards, and the second partner review, is sufficient to mitigate
the self-interest threat, and the CPA accepts the engagement.
Finally, in Step 5, the CPA writes a memo to the audit engagement file explaining the
threat identified, safeguards applied, and the CPA’s reasoning that the safeguards are
sufficient to counterbalance the self-interest threat.

Ethics Reasoning Example  A Familiarity Threat

Maria is a partner in a medium-sized CPA practice, and she and her firm are bidding on a con-
sulting engagement with Western Construction Company. Before Maria and her firm are able to
make the proposal to Western Construction, Maria’s husband, Robert, comes home to share good
news. Robert has just been offered his dream job as CFO of Western Construction. Maria is happy
for her husband, but now she must consider the ethics of bidding on the consulting engagement.
Upon searching the AICPA Code of Professional Conduct, Maria does not find a specific rule or
ethics interpretation that addresses this circumstance so she applies the conceptual framework.
Maria approaches her partners with the problem and the following proposed solution. Maria
identifies that if her husband accepts the job, a familiarity threat is present as Maria could be
viewed as too sympathetic to Western Construction’s interests. She suggests the CPA firm should
disclose the conflict of interest to Western Construction and the firm replace Maria on the con-
sulting engagement during the interview process. She would remain off the consulting engage-
ment if her husband accepts the job. This allows the CPA firm to maintain an appropriate level of
integrity and objectivity.
Source: Based on the AICPA Conceptual Framework Toolkit for Members in Public Practice (2015).

The next sections address the ethical rules for members in public practice (see Illustra-
tion 2.3).

ILLUSTRATION 2.3   Ethical rules for members in public practice
[Diagram: Rules for Members in Public Practice: Integrity and Objectivity; Independence;
General Standards; Other Rules for Members in Public Practice.]

Before You Go On
3.1  Explain each of the seven threats to compliance with the AICPA Code of Professional Conduct.
3.2 What is the basis for determining that a threat is at an acceptable level after the application
of safeguards?
3.3 Assume that you have been the tax manager on the tax engagement of XYZ Company. Your
spouse has just been offered the job of chief financial officer for XYZ Company. Is there a
threat to ethical behavior? What would be an appropriate safeguard, if any, that might be
applied if your spouse accepts the position with XYZ Company?

Integrity and Objectivity


LEARNING OBJECTIVE 4
Evaluate the ethical behavior needed to comply with rules of conduct on integrity
and objectivity.

The integrity and objectivity rule, AICPA codification section 1.100.001, reads as follows:

In the performance of any professional service, a member shall maintain objectivity
and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent
facts or subordinate his or her judgment to others.

The rule on integrity and objectivity applies to all services performed by CPAs (e.g., tax,
audit, bookkeeping, or consulting services). The following discussion addresses two common
issues that arise related to integrity and objectivity: conflicts of interest and
subordination of judgment.
A conflict of interest occurs when a CPA or accounting firm provides a professional ser-
vice related to a particular matter involving two or more clients whose interests, with respect
to that matter, are in conflict. In a tax matter this may occur when a CPA represents two clients
(e.g., husband and wife) at the same time, who are in a legal dispute (e.g., a divorce) with each
other. A larger firm may still provide tax services to the husband and to the wife, and safeguard
this conflict of interest by using separate engagement teams who are provided clear policies
and procedures on maintaining confidentiality. In a small firm, it is normal practice for a firm
to resign providing tax services to one of the two parties in a divorce to remain free of any con-
flict of interest. Additional details about conflicts of interest are discussed in the AICPA Code
of Professional Conduct, section 1.110.
The integrity and objectivity rule also prohibits a CPA from subordinating his or her judg-
ment when performing professional services for a client. Self-interest, familiarity, and undue
influence threats to a CPA’s compliance with the integrity and objectivity rule may exist when
a CPA and his or her supervisor, or another person within the accounting firm, have a dif-
ference of opinion related to the application of accounting principles, auditing standards, or
other relevant professional standards. The subordination of judgment threat is at an accept-
able level if the CPA concludes the position taken by the firm does not result in a material
misrepresentation of fact or a violation of applicable standards, laws, or regulations. If the
CPA concludes the difference of opinion may result in a material misrepresentation of fact or
a violation of professional standards, then the CPA should discuss his or her concerns with the
supervisor. If the difference of opinion is not resolved after discussing the concerns with the
supervisor, the CPA should discuss his or her concerns with the appropriate higher level(s) of
management within the CPA’s firm. Most accounting firms have specific policies for resolving
these differences to ensure the firm does not violate professional standards and to protect a
CPA from subordination of judgment to a supervisor.

Ethics Reasoning Example  Potential Subordination of Judgment

James, a senior on the audit of Woodland Industries (a private company), has been discussing
the adequacy of the allowance for doubtful accounts with the CFO. The CFO thought the allow-
ance was adequate, and James thought there was evidence to support raising the allowance by
$300,000. Eventually, the audit partner and the owner of Woodland Industries discussed each
questionable account, and the partner and owner agreed to an adjustment of $175,000. After the
meeting, the audit partner talked to James, and told James he did not want James to change any of
his documentation. The audit partner told James, “I don’t want you to subordinate your judgment
to mine. You document your reasoning, and I will document why I reached a different conclusion
on a matter of professional judgment. That is the way we do things in our audit firm.”

Before You Go On
4.1  Define integrity and objectivity. Illustrate with an example.
4.2 Develop an example of a conflict of interest and explain a safeguard that would provide rea-
sonable assurance that the conflict of interest does not result in a violation of the integrity
and objectivity rule.

Independence
LEARNING OBJECTIVE 5
Evaluate the ethical behavior needed to comply with rules of conduct on
independence.

Independence is the cornerstone of the auditing profession. It is so important that every
auditor’s report is entitled “Independent Auditor’s Report.” Financial statement users need
to know that auditors are unbiased and independent of the entities they audit. The
independence rule, AICPA codification section 1.200.001, reads as follows:

A member in public practice shall be independent in the performance of professional
services as required by standards promulgated by bodies designated by Council.

A CPA must be independent of the client when performing attest services. Attest services
include:

•  Performing audits.
•  Performing reviews under Statements on Standards for Accounting and Review Services
(SSARS).
•  Performing examinations, reviews, and agreed-upon procedures under Statements
on Standards for Attestation Engagements (SSAE).

CPAs performing tax services or consulting services do not need to be independent of their
client. Also, CPAs who compile financial statements for a client with no assurance provided
do not need to be independent. However, they need to disclose that they are not independent
in the compilation report. Compilation and review services are discussed further in Chapter 15.
CPAs frequently think about independence in two ways, independence in fact and
independence in appearance. These facets of independence are depicted in Illustration 2.4.
Being independent in fact can be defined as acting with integrity and objectivity.
Independence in fact is about being honest, about not subordinating the public trust to
personal gain and advantages, and about being unbiased and impartial when performing attest
services. Independence in fact is difficult for others to observe, but it is nevertheless
the cornerstone upon which attest services provide value.

ILLUSTRATION 2.4   Independent in fact versus independent in appearance
[Diagram. Independent in Fact: State of Mind; Unbiased and Impartial; Not Subordinating the
Public Trust. Independent in Appearance: Apparent Conflict of Interest; Avoid Threats to
Independence; Follow the Rules (Minimum); Follow Conceptual Framework.]

Being independent in appearance addresses a number of potential conflicts of interest
that can be observed or factually determined by others. For example, an auditor (or immediate
family member) having an ownership interest in an attest client, participating in a joint venture
with an attest client, having litigation threatened by an attest client, or having a loan from an
attest client are examples of the types of activities that impair the appearance of independence
for an accounting firm. Having a financial interest in the outcome of an attest engagement may
also influence independence in fact. The appearance of independence is observable and subject
to enforcement under the rules of conduct. Section 1.200 of the AICPA Code of Professional
Conduct specifies a number of circumstances that can impair the appearance of independence
to guide CPAs in observable aspects of ethical conduct.
The common factor of the issues raised in Code section 1.200 is that they are targeted to
situations where CPAs appear to have a conflict of interest, such as having loans from clients
or providing certain consulting services to clients. In some situations, the Code identifies safe-
guards that can preserve auditor independence. In other situations, the threat to independence
is so significant that no safeguards are appropriate, and the relationship or circumstance is
prohibited. Numerous examples are included in the following discussion. CPAs must then use
common sense and be aware of apparent threats to a CPA’s independence, such as an adverse
interest threat, an advocacy threat, a familiarity threat, a management participation threat, a
self-interest threat, a self-review threat, or an undue influence threat. A CPA should evaluate
these threats from the point of view of an independent third party, and take steps to preserve
the CPA’s independence. In some cases, no safeguard may preserve independence, and the
existence of the threat may require resigning from the attest engagement.

Cloud 9 - Continuing Case


Sharon tells Josh about her experience at another accounting firm in which the client tried
to pressure the audit partner into dropping a request to write down the asset values. It was
an example of an undue influence threat to the auditor’s independence. Although it is
difficult to stop a client from asking for a favor, the accounting firm needs to have
safeguards to prevent a simple request turning into unreasonable pressure on the audit team
to meet that request. Sharon and Josh agree they need to consider the specific independence
threats and safeguards for the audit of Cloud 9. The accounting firm must be independent, as
well as be seen to be independent.

The following discussion explains the AICPA rule on independence and addresses some
common threats to independence, such as investments in attest clients, loans to or from an
attest client, taking on management responsibilities, family relationships, and performing
nonattest services for an attest client.

Key Individuals and Independence Requirements


Today, accounting firms have many professionals all over the globe, along with their family mem-
bers, who have no influence over attest engagements of the firm. Accounting firms have also seen
an increase in the number of dual-career families who potentially have independence problems
when an accounting professional’s spouse works for an attest client, or receives compensation
through stock options or other stock ownership arrangements from an employer who is also an
attest client. As a result, a CPA must think both about how his or her own activities could cause a
threat to independence, as well as how the activities of his or her spouse or other family members
threaten independence. The growth of non-audit services also raises questions about the ability of
accounting firms to remain independent while providing services that may result in professional
fees that are larger than those provided by performing an independent audit.
The independence rules follow an engagement-based approach and define a level of accounting
professional, a covered member, who is a person in a position to potentially influence attest
decisions or the outcome of an attest engagement. While every professional in an accounting
firm does not need to be independent of every attest client, the independence rules are
particularly strict for accounting professionals who are defined as covered members.

covered member  a person in a position to potentially influence attest decisions or the outcome of an attest engagement

Illustration 2.5 summarizes the definition of a covered member and activities that impair
the independence of a covered member (and his or her accounting firm) and would be prohib-
ited under the independence rules (as they cannot be safeguarded). With respect to investments
in an attest client, a covered member cannot have a direct investment in the attest client, irre-
spective of the materiality (or immateriality) of the investment. Therefore, a covered member
cannot own one share of an attest client.

ILLUSTRATION 2.5  Definition of a covered member and activities that impair independence

Covered Members
•  Any member of the engagement team
•  Partners and managers with consultation, oversight, or review responsibilities related to
the engagement
•  Direct supervisors of the engagement partner, including all successive senior levels
•  Accounting firm professionals who perform (or expect to perform) more than 10 hours of
nonattest services for the client
•  Partners who are in the same office as the lead partner on the engagement
•  The firm, its benefit plans, and entities controlled by covered members
•  Those who evaluate partners’ performance and compensations, including members of
compensation committees
•  Accounting firm professionals who consult with the attest team regarding technical or
industry-related issues specific to the engagement; this is intended to include individuals
who are authorized to give advice to the attest team and there is no hours test
•  Individuals who participate in quality-control activities for the firm

Prohibited Activities
•  Cannot have a direct, or a material indirect, investment in the attest client
•  Cannot have a joint, closely held investment with an attest client that is material to the
covered member
•  Cannot have loans to or from the attest client (there are some very limited exceptions)
•  Cannot be a trustee of a trust or executor of an estate who invests directly in an attest
client (the AICPA and SEC permit an exception for a trustee who lacks authority to make
investment decisions)

A question often comes up about owning shares in a mutual fund (where the covered
member does not control the investment decisions), and the mutual fund owns shares of the
attest client. This is considered an indirect investment in the attest client. A covered member
can own a mutual fund where the mutual fund owns shares in the attest client, as long as the
investment in the mutual fund is not material to the covered member. If the investment in the
mutual fund is material to the covered member, and the mutual fund owns any shares in an
attest client, independence is impaired.
Covered members must also take care not to engage in joint investments with attest clients.
For example, an attest partner and an attest client should not jointly own a business, or real
property, together. In addition, a covered member cannot have a loan to or from an attest client.
While there are some very limited exceptions (e.g., having a home mortgage from a bank who
is an attest client), covered members must be very careful about making loans to, or accepting
loans from, an attest client. A covered member also cannot be a trustee of a trust, or executor of
an estate, that invests in an attest client. Being a trustee of a trust, or an executor of an estate,
involves holding a key management position over the trust or estate. A covered member should
not be in a management position to exercise authority over a direct investment in an attest cli-
ent. Finally, the accounting firm as an entity is prohibited from the same activities as a covered
member of the firm.
Covered members must also be aware of potential conflicts of interest that may be raised
by the activities of immediate family members and close relatives. Illustration 2.6
summarizes the definition of both immediate family members and close relatives, and activities
of an immediate family member or close relative that impair the independence of the covered
member (and his or her accounting firm) and would be prohibited under the independence
rules. An immediate family member is one where the relationship is considered to be so close
that any relationship between an immediate family member and an attest client is equivalent
to the relationship between a covered member and the attest client. An immediate family
member would be prohibited from making any investment, making or having a loan, or serving
as a trustee of a trust or an executor of an estate that invests in an attest client.
Further, as noted above, an immediate family member cannot work for an attest client in a
key position. A key position would include a position where an immediate family member
could exercise influence over the financial statements, such as CEO, CFO, member of the board
of directors, or treasurer. In addition, a key person would be someone who prepares, or
supervises others who prepare, (1) the financial statements or (2) material accounting records, or is
involved in accounting decision making. Also, if a close relative held a key position with an
attest client it would impair the independence of the covered member. Finally, if a close relative
had a direct investment in an attest client that is material to the close relative, or had significant
influence over an attest client, the covered member’s independence would be impaired.

immediate family member  a covered member’s spouse, spouse equivalent, or dependent
close relative  a covered member’s parents, nondependent children, brothers and sisters, or stepbrothers or stepsisters
key position  a position with an attest client where an individual can exercise influence over the financial statements

ILLUSTRATION 2.6  Definitions of an immediate family member and close relatives and activities that impair independence

Covered Members’ Immediate Family
•  Spouse
•  Spousal equivalent
•  Dependents

Prohibited Activities
•  Exactly the same as for a covered member.
•  Cannot be employed in a “key position” with an attest client. A key position would be a
position where the individual would:
    •  Exercise influence over the financial statements, such as CEO, CFO, member of
    the board of directors, or treasurer.
    •  Prepare, or supervise others who prepare, (1) the financial statements or (2) material
    accounting records.
    •  Be involved in accounting decision making.

Covered Members’ Close Relatives
•  Parents
•  Nondependent children or stepchildren
•  Brothers and sisters or stepbrothers and stepsisters

Prohibited Activities
•  May not hold a key position with an attest client.
•  May not hold a material financial interest in an audit client, or have significant influence
over an attest client (ASC 323–10).

An important issue for many spouses is their ability to participate in stock compensation
plans. Today, it is common for many employees to be compensated with equity securities in
addition to cash. If an accounting firm professional is not a covered member (e.g., a tax pro-
fessional who does no work for the attest client), the spouse can work for the attest client and
can participate in an employee benefit plan that includes employee stock ownership plans or
employee stock option plans as long as the benefits are offered equitably to all similar employ-
ees. The same benefits are also extended to a limited group of covered members, nonattest
partners and managers, and other partners in the office of the lead engagement partner that
may have an immediate family member who works for an attest client as long as the immedi-
ate family member is not in a key position.
Finally, an accounting firm does need to consider when the activities of professional
employees, who are not covered members for a particular audit client, might impair the
independence of the firm. As a general rule, professional employees in an accounting firm
who are not covered members, and their immediate family members, cannot:
•  Have a direct investment of more than 5% in an attest client.
•  Hold a key position with an attest client.
•  Be a trustee, director or officer of an attest client, or of the client’s pension or profit-sharing
trust.

Ethics Reasoning Example  Investments of an Immediate Family Member

Janice is an audit manager in a large public accounting firm with 35 offices on the East Coast.
Janice has been dating Keith, a CFO of a company that is not a client of Janice’s firm. Keith
has a significant investment portfolio of his own. After dating for about 4 months, Janice
and Keith decide to get married. However, Janice tells Keith it is important for him to take a
careful review of his investment portfolio. The policy in Janice’s firm is that she cannot have
a direct investment, of any size, in any audit client of the firm. Further, she cannot have a
material indirect investment in the audit client. This is so the firm is independent of its clients
and can assign any staff member to any audit client. Given their relationship, Keith cannot
have any investment that would be prohibited for Janice. As a result, Keith has to sell several
investments and invest them in other ways.

Since independence is critical to the performance of attest services, the AICPA has pub-
lished a number of interpretations of the independence rule. Illustration 2.7 summarizes
these interpretations. Two key issues are discussed further next: employment or association
with an attest client and nonattest services.

ILLUSTRATION 2.7  Interpretations of the independence rule

AICPA Code of Professional Conduct Section    Interpretation
1.210 Conceptual Framework Approach
1.220 Accounting Firms
1.224 Affiliates, Including Governmental Units
1.228 Engagement Contractual Terms
1.230 Fees and Other Types of Remuneration
1.240 Financial Interests
1.250 Participation in Employee Benefit Plans
1.255 Depository, Brokerage, and Other Accounts
1.257 Insurance Products
1.260 Loans
1.265 Business Relationships
1.270 Family Relationship with Attest Clients
1.275 Honorary Director or Trustee of a Not-for-Profit Organization
1.277 Former Employment or Association with an Attest Client
1.279 Considering or Subsequent Employment or Association with an Attest Client
1.280 Memberships
1.285 Gifts and Entertainment
1.290 Actual or Threatened Litigation
1.295 Nonattest Services
1.297 Independence Standards for Engagements Performed in Accordance with Statements on Standards for Attestation Engagements

Cloud 9 - Continuing Case


Josh and Sharon know that they will have to put together an audit team where each member is
independent with respect to Cloud 9. Jo Wadley, the partner, will discuss this matter with
other partners in the office, and with other offices, to ensure that there will be no
independence problems. Sharon and Josh both discuss their own independence with Jo, to confirm
that there are no independence problems associated with either their investments or
relationship with Cloud 9, or the investments or relationships associated with immediate family
members or close relatives. Further, W&S Partners has every member of the professional staff
complete an independence questionnaire that covers direct stock ownership and spouse
employment, and which serves as a basis for quality control related to independence.
Jo advises them to discuss independence with all potential members of the audit team. Jo wants
Sharon and Josh to make sure that every member of the audit team knows his or her
responsibility to be independent, and to advise the firm of any investments in Cloud 9 or of
immediate family members or close relatives who may work for Cloud 9.

Before You Go On
5.1 Explain what is meant by “independence in fact.” Explain what is meant by “independence
in appearance.” Give an example of each.
5.2 An audit manager in another office from the audit client has quality control responsibili-
ties in the same region as the audit engagement. Is the audit manager a covered member?
Explain.
5.3 An audit staff person has been with the firm for only 6 months. Her spouse works for an audit
client in an accounting position and makes material accounting decisions in the corporate
accounting office. Are there safeguards that can be implemented to preserve the audit firm’s
independence? Explain.
5.4 A partner works on the audit engagement of XYZ Company. After her husband died from
a heart attack, she has had dinner a couple of times with a major shareholder in XYZ Com-
pany. The shareholder is not part of management. What are the implications if the personal
relationship becomes serious between the partner and the shareholder?

Employment or Association with an Attest Client


When a partner or professional employee of an accounting firm leaves the firm and is subse-
quently employed by the firm’s attest client, independence can be impaired inasmuch as the
partner or professional employee may have continuing relationships, such as the payout of a
pension plan, with the accounting firm. Furthermore, if a professional employee goes to work
for an attest client, that employee may be familiar with the audit plan and/or staff working on
the engagement, and there is a familiarity and undue influence risk that the former employee
could influence the engagement. These are important risks that may impair an accounting
firm’s independence.
The rules are different for public company audit clients than for private company audit cli-
ents. With respect to public company clients, Section 206 of SOX states that the CEO, controller,
CFO, chief accounting officer, or person in an equivalent position cannot have been employed
by the company’s audit firm during the one-year period preceding the period under audit.
With respect to private company clients, a firm’s independence will be considered im-
paired with respect to a client if a partner or professional employee leaves the accounting firm
and is subsequently employed by the client in a key position, unless a series of safeguards dis-
cussed in Code section 1.279.02 are met. The general purpose of these safeguards is to ensure
that the amounts due to the former partner or professional employee (e.g., retirement bene-
fits) are not material to the firm, and the partner or professional employee is not in a position
to influence the firm’s operations or does not participate or appear to participate in the firm’s
business. The firm should also consider whether the former partner or professional employee
has sufficient knowledge of the firm’s attest engagement such that the firm should consider
whether to modify engagement procedures. If the former partner or professional employee
joins the attest client in a key position within one year of disassociating from the firm, and
has significant interaction with the engagement team, an appropriate professional in the firm
should review the subsequent attest engagement to determine whether the engagement team
members maintained the appropriate level of skepticism when evaluating the former part-
ner’s or professional employee’s representations and work.
A partner or professional employee merely seeking employment with an attest client may
also impair independence. When a member of the attest engagement team or an individual in
a position to influence the attest engagement intends to seek or discuss potential employment
or association with an attest client, or is in receipt of a specific offer of employment from an
attest client, independence will be impaired with respect to the client unless the person:

a. Promptly reports such consideration or offer to an appropriate person in the firm.


b. Removes himself or herself from the engagement until the employment offer is rejected
or employment is no longer being sought.

The purpose of this rule is to avoid situations where a CPA’s integrity or objectivity might
be compromised. If a professional is seeking a job from an attest client, it is important to avoid
a situation where the person might be tempted to take an aggressive stance in favor of the client
on a matter of professional judgment while seeking the favor of a client by way of a job offer.
Further, when any covered member becomes aware that a member of the attest engagement
team or an individual in a position to influence the attest engagement is considering employ-
ment or association with a client, the covered member should notify an appropriate person in
the accounting firm. Finally, the appropriate person in the accounting firm should consider what
additional safeguards, such as additional review of any work performed by the individual consid-
ering employment with the attest client, may be necessary to provide reasonable assurance that
any work performed for the client by that person was performed with objectivity and integrity.

Nonattest Services
A major issue that continues to face the auditing profession is whether the performance of non-
attest services (such as accounting services or internal control design and implementation) im-
pairs an auditor’s integrity and objectivity. Critics wonder whether an auditor can be objective
with respect to audit issues when fees from nonattest services exceed fees from attest services.
When an auditor considers the rules related to nonattest services and independence, the
auditor needs to understand that a different set of rules apply to auditors of public companies
than auditors of private companies. Both the SEC and SOX set out the independence guidelines
for public company audits that will be discussed in SEC and PCAOB Independence Rules. The
AICPA and state boards of accountancy have rules appropriate to audits of private companies.
The AICPA and many state boards of accountancy allow activities for private companies that
are not allowed for public companies because many private companies (e.g., owner-managed
business and small not-for-profit organizations that require audits) do not have the resources
to internalize services that are often performed within public companies, such as bookkeeping,
preparing financial statements, or payroll services. The demand for these services from smaller
entities often causes a management participation threat. The following discussion outlines the
appropriate rules for nonattest services as they relate to private company audits.
AICPA independence rules (1.295) allow a member of a firm to perform nonattest ser-
vices for private company attest clients under certain conditions. In each case, the CPA must
evaluate the effect of nonattest services on independence. In general, a CPA should not per-
form management functions or make management decisions for the attest client. However,
the CPA may provide advice, research materials, and make recommendations to assist the cli-
ent’s management in performing its functions and making its decisions. In addition, the client
must agree to perform the following functions in connection with the CPA’s engagement to
perform nonattest services (safeguards implemented by the client):

•  Make all management decisions and perform all management functions.
•  Designate a competent employee, preferably within senior management, to oversee the
services.
•  Evaluate the adequacy and results of the services performed.
•  Accept responsibility for the results of the services.
•  Establish and maintain internal controls, including monitoring ongoing activities.

If management cannot perform these functions (establish these safeguards), the firm’s
independence is impaired.
Interpretation 1.295 also indicates that before performing nonattest services, the CPA
should establish, and document in writing, an understanding with the client regarding (1) the
objectives of the engagement, (2) the services to be performed, (3) the client’s acceptance of its
responsibilities, (4) the CPA’s responsibilities, and (5) any limitations of the engagement. It is
preferable that this understanding be documented in an engagement letter (explained further
in Chapter 3). In addition, the CPA should be satisfied that the client is in a position to have
an informed judgment on the results of the nonattest services and the client’s management
understands its responsibilities.
The purpose of the AICPA rule is to allow CPAs to assist many small business clients who
may not have a CPA within the entity. These entities often need outside professional expertise
that the accounting firm can provide. Nevertheless, a number of general activities would be
considered to impair a CPA firm’s independence when auditing non-public companies. These
are summarized in Illustration 2.8, which also provides examples of how the performance
of these general activities would impair an accounting firm’s independence, or how the client
could take appropriate responsibilities to allow the accounting firm to assist the client without
impairing the accounting firm’s independence with regard to the audit.
Interpretation 1.295 provides additional specific examples of activities that would or
would not impair independence. For example, CPAs can perform various accounting and
bookkeeping services for an attest client. However, independence would be impaired if an
accounting firm determined or changed journal entries, account codings or classification for
transactions, or other accounting records without obtaining client approval; and authorized
or approved transactions, prepared source documents, or made changes to source documents
without client approval. Independence would not be impaired if the CPA recorded transac-
tions for which management had determined or approved the appropriate account classifica-
tion, or posted coded transactions to a client’s general ledger; prepared financial statements
based on information in the trial balance; posted client-approved entries to a client’s trial
balance; or proposed standard, adjusting, or correcting journal entries or other changes af-
fecting the financial statements to the client, provided the client reviewed the entries and the
CPA was satisfied management understood the nature of the proposed entries and the impact
of the entries on the financial statements. You can read the actual Interpretation 1.295 for
additional discussions related to payroll and other disbursements; appraisal, valuation and
actuarial services; benefit plan administration; business risk consulting; corporate finance
consulting; executive or employee recruiting; forensic accounting; information system de-
sign, implementation, or integration; internal audit; investment advisory or management
services; and tax services.

Ethics Reasoning Example  Nonattest Services

Fred Holland is a CPA in rural Wisconsin. Fred has a tax practice; he does payroll work for several
businesses in the area and performs compilation and review services for some of his business
clients. Fred has been careful with respect to performing payroll services as he wants to be in-
dependent of his clients. While independence is not required for compilations, Fred knows it
is required for reviews and at times Fred has been requested to increase the level of assurance
from a compilation to a review. As a result, whenever Fred performs payroll services for a client,
he implements the following safeguards: (1) he requires the client to maintain all original time
records for employees, (2) he does not sign checks on any client accounts, and (3) while Fred’s
payroll system prepares checks and payroll tax returns, all of these documents are reviewed and
signed by the client. Fred does not undertake a payroll engagement unless he believes the client
has sufficient competence to review Fred’s work.

ILLUSTRATION 2.8  Independence and nonattest services for non-public clients

General activity that will impair independence: Authorizing, executing, or consummating a
transaction, or otherwise exercising authority on behalf of a client or having the authority to do so
•  Examples where independence is impaired: A CPA accepts responsibility to authorize
payment of client funds, or accepts responsibility to sign or cosign client checks, even if only
in emergency situations. In a consulting engagement, a CPA acts as a promoter, underwriter,
broker-dealer, or guarantor of client securities, or distributor of private placement
memoranda or offering documents.
•  Examples where independence is not impaired: When assisting a small business client with
payroll using payroll time records provided and approved by the client, the CPA can generate
unsigned checks or process the client’s payroll. In a consulting engagement, a CPA may assist
in identifying or introducing the client to possible sources of capital that meet the client’s
specifications or criteria.

General activity that will impair independence: Preparing source documents or originating
data, in electronic or other form, evidencing the occurrence of a transaction (for example,
purchase orders, payroll time records, and customer orders)
•  Examples where independence is impaired: In an accounting service engagement for a
non-public client, a CPA determines or changes journal entries, account codings or
classification for transactions, or other accounting records without obtaining client approval.
A CPA prepares source documents, originates data, or makes changes to source documents
without client approval.
•  Examples where independence is not impaired: In an accounting service engagement for a
non-public client, a CPA may record transactions for which management has determined or
approved the appropriate account classification, or post coded transactions to a client’s
general ledger and prepare financial statements based on information in the trial balance.

General activity that will impair independence: Having custody of client assets
•  Examples where independence is impaired: When performing payroll services, benefit plan
administration, or other financial advisory services, a CPA has custody of client assets or
maintains custody of client securities.
•  Examples where independence is not impaired: Another accounting firm has custody of
assets and performs payroll services, benefit plan administration, or other financial advisory
services.

General activity that will impair independence: Supervising client employees in the
performance of their normal recurring activities
•  Examples where independence is impaired: In an IT engagement, a CPA supervises client
personnel in the daily operation of a client’s information system.
•  Examples where independence is not impaired: In an IT engagement, a CPA may design,
install, or integrate a client’s information system, provided the client makes all management
decisions.

General activity that will impair independence: Determining which recommendations of the
CPA should be implemented
•  Examples where independence is impaired: In an investment advisory engagement with an
attest client, a CPA makes investment decisions on behalf of client management or otherwise
has discretionary authority over a client’s investments.
•  Examples where independence is not impaired: In an investment advisory engagement with
an attest client, a CPA can recommend the allocation of funds that a client should invest in
various asset classes, depending upon the client’s desired rate of return and risk tolerance.

General activity that will impair independence: Reporting to the board of directors on behalf
of management
•  Examples where independence is impaired: In an attest engagement, a CPA presents
business proposals to the board on the behalf of management.
•  Examples where independence is not impaired: In an attest engagement, provide
recommendations for improving the system for monitoring business risks.

General activity that will impair independence: Serving as a client’s stock transfer or escrow
agent, registrar, general counsel, or its equivalent
•  Examples where independence is impaired: In an investment advisory engagement, a CPA
executes a transaction to buy or sell a client’s investment or has custody of client assets, such
as taking temporary possession of securities purchased by a client.
•  Examples where independence is not impaired: In an investment advisory engagement, a
CPA may review the manner in which a client’s portfolio is being managed by investment
account managers, including determining whether the managers are (1) following the
guidelines of the client’s investment policy statement; (2) meeting the client’s investment
objectives; and (3) conforming to the client’s stated investment styles.

SEC and PCAOB Independence Rules


Illustration 2.9 provides the full listing of the PCAOB’s Ethics and Independence Rules.
In a number of ways, the SEC and PCAOB rules related to auditor independence for public
companies are stricter than the AICPA rules that apply to non-public entity audits.
SOX mandates that a committee of the board of directors, called the audit committee,
be directly responsible for oversight of the company’s independent auditors. (Chapter 4
provides further discussion on the role of an audit committee.)

audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors

ILLUSTRATION 2.9  PCAOB ethics and independence rules

PCAOB Ethics Rule Number    PCAOB Ethics Rule Title
3501 Definitions of Terms Employed in Section 3, Part 5 of the Rules
3502 Responsibility Not to Knowingly or Recklessly Contribute to Violations
3520 Auditor Independence
3521 Contingent Fees
3522 Tax Transactions
3523 Tax Services for Persons in Financial Reporting Oversight Roles
3524 Audit Committee Pre-approval of Certain Tax Services
3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting
3526 Communication with Audit Committees Concerning Independence

Source: https://pcaobus.org/Standards/EI/Pages/default.aspx.

The SEC’s general standard of auditor independence is that an audit firm’s independence is
impaired if a reasonable investor with knowledge of all the facts and circumstances would
conclude that the firm is not capable of exercising objective and impartial judgment on all
issues encompassed within the audit engagement. The SEC developed some general rules for an
audit committee to consider when evaluating an audit firm’s independence. A public company’s
audit committee should consider whether a relationship with the accounting firm or service
provided by the accounting firm:

•  Creates a mutual or conflicting interest between the company and the accounting firm.
•  Places the accounting firm in a position of auditing its own work.
•  Places the accounting firm in a position of acting as management or an employee of the
company.
•  Places the accounting firm in a position of being an advocate for the company.

To encourage the independence of audit partners, Section 203 of SOX mandates rotation of the
lead audit partner and the audit partner having responsibility for reviewing the audit every five
years. Additionally, SEC rules prohibit the audit firm from providing the following nonattest
services to an audit client:

•  Bookkeeping.
•  Financial information system design and implementation.
•  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
•  Actuarial services.
•  Internal audit outsourcing services.
•  Management functions or human resources functions.
•  Broker-dealer, investment advisor, or investment banking services.
•  Legal services and expert services unrelated to the audit.

SEC rules also prohibit certain relationships between audit firms and the public companies
they audit. The prohibited relationships include:

•  Employment relationships. A one-year “cooling-off period” is required before a company
can hire certain individuals formerly employed by its auditor in a financial reporting
oversight role for the company. For example, an audit manager on a public company
audit cannot go to work directly for a public company as its CFO or controller unless
there has been at least a one-year period from the time the audit manager last worked on
the audit to the time he or she is hired by that client. SEC rules ask the public company’s
audit committee to consider whether the hiring of personnel who are or were formerly
employed by the audit firm might affect the audit firm’s independence.

•  Contingent fee. Accounting firms are prohibited from performing work for public com-
panies where the accounting firm is paid on either a contingent fee or a commission
basis. The AICPA rules for auditors of non-public entities are also clear that when a firm
is compensated on a commission or contingent fee basis, independence is violated. If the
compensation for an accounting firm is tied to the outcome of the engagement, the firm
becomes an advocate for the client with these compensation arrangements, violating a
general principle of independence.
•  Direct or material indirect business relationships. Accounting firms may not have any
direct or material indirect business relationships with the company, its officers, directors,
or significant shareholders. For example, an accounting firm may not enter into a joint
venture with a public company audit client. It would be inappropriate for an auditor of a
software company to enter into a business relationship with the same software company
to develop accounting software to market to the public.
•  Certain financial relationships. Certain financial relationships between the company and
the independent auditor are prohibited. These include creditor–debtor relationships, bank-
ing relationships, broker–dealer relationships, futures commission merchant account
relationships, insurance product relationships, and joint interests in investment companies.

As a matter of strengthening corporate governance, the SEC rules require accounting
firms to disclose to their client’s audit committee, in writing, all relationships between the
accounting firm and the company that may reasonably be thought to bear on the account-
ing firm’s independence. SEC rules also require the auditor to confirm and discuss its inde-
pendence with the client’s audit committee. As part of its responsibilities, the client’s audit
committee should consider discussing the following issues with the auditor with regard to
the firm’s independence disclosure:

•  The processes the accounting firm uses to ensure complete disclosure of all relationships
with the company and its affiliates.
•  The relationships the accounting firm may have with officers, board members and signif-
icant shareholders.
•  The relationships not included in the communication because they were deemed
immaterial.

Professional Environment  Non-Audit Fees

Prior to the passage of SOX, many accounting firms received significant fees from offering
consulting services to audit clients. In some cases, the size of the consulting fee was larger
than the audit fee, creating a potential conflict of interest for the audit firm. This was true
for both Waste Management and Enron. The fact was also not lost on chief financial officers,
who would use the size of the consulting engagement as leverage to get the auditor to go along
with accounting decisions that were not black and white. Ultimately, the delivery of non-audit
services to audit clients led to a public concern about audit independence. As noted above, the
SEC stepped in and now prohibits the delivery of many non-audit services to audit clients.

As a result, it is common for large audit clients to use more than one accounting firm for
various services. It is likely that a global audit client might use one firm for audit services,
another firm for tax services, another firm for internal control consulting, and yet another
firm to assist in merger and acquisition services.

Cloud 9 - Continuing Case

Josh and Sharon do not know of any current work being done for Cloud 9 by W&S Partners, or
any other relationships between members of the audit team and the client’s staff. However, they
will check with all other departments, particularly the consulting department, and other offices
of W&S Partners. They will also ask any new members of the audit team to disclose their interests
and relationships with the client before they join the team.

Subsequently, the partner, Jo Wadley, advises Sharon and Josh that she has reached out to other
offices and discussed the proposal with the other partners in her office. The firm is not
working for Cloud 9 on any other matter. Jo, Sharon, and Josh want to make sure that there are
no potential independence issues when their proposal is discussed with Cloud 9’s audit
committee.

Before You Go On
5.5 The audit manager on an audit engagement of a large private company has been asked by the
company to consider becoming the company’s CFO. What are the independence implications
of this situation? What are the appropriate safeguards to preserve the firm’s independence?
5.6 An audit firm serves only private companies. It also provides tax services and investment ad-
visory services to its clients. Can a partner in the firm advise an audit client on the allocation
of funds in the client’s investment portfolio, based on the client’s desired rate of return and
risk tolerances? Explain your reasoning.
5.7 Explain the general rules that an audit committee of a public company should consider when
evaluating the potential services that it might request of its audit firm.

General Standards

LEARNING OBJECTIVE 6
Evaluate the ethical behavior needed to comply with rules of conduct on general
standards.

The general standards of the AICPA Code of Professional Conduct apply to all CPAs in public
practice. For example, the independence standards apply only to accounting firms that per-
form attest engagements, and the professionals in those firms who are in a position to influ-
ence the outcome of an attest engagement (e.g., covered members, their immediate family
members, and close relatives). The general standards apply to any CPA performing any profes-
sional service for a client (e.g., tax services, consulting services, or nonattest services). Further,
the same standards are found in the section of the Code related to members in business. The
general standards (1.300.001) read as follows:

A member shall comply with the following standards and with any interpretations
thereof by bodies designated by Council:

a.  Professional Competence. Undertake only those professional services that
the member or the member’s firm can reasonably expect to be completed with
professional competence.
b.  Due Professional Care. Exercise due professional care in the performance of
professional services.
c.  Planning and Supervision. Adequately plan and supervise the performance of
professional services.
d.  Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable
basis for conclusions or recommendations in relation to any professional services
performed.

professional competence: undertaking only those professional services that a CPA or a CPA’s firm can reasonably expect to complete with professional competence
due professional care: exercising due professional care expected of other CPAs in the performance of professional services
planning and supervision: adequately plan and supervise the performance of professional services
sufficient relevant data: obtain sufficient relevant data to afford a reasonable basis for conclusion or recommendation in relation to any professional services performed

The standard on professional competence is clear that a CPA, or an accounting firm,
should only undertake professional services that he or she reasonably expects to complete
with professional competence. While a CPA does not assume infallibility of knowledge or
judgment, a normal part of providing professional services involves performing additional
research or consulting with others to gain sufficient competence. If a CPA is unable to gain
sufficient competence, a CPA should suggest, in fairness to the client and the public, the
engagement of a competent person to perform the needed professional service. For example,
a tax practitioner might be approached by a tax client that needs an audit or a review of the
company’s financial statements for the bank. If the tax practitioner does not have experience
performing audits or reviews, the practitioner should refer the engagement to another CPA
with the appropriate qualifications. Alternatively, if the tax practitioner chooses to accept
the engagement, he or she should take appropriate continuing professional education (CPE)
courses, and consider consulting experienced colleagues to ensure that the engagement is
performed in accordance with professional standards.
The due care standard expects CPAs to exercise the professional care that would be ex-
pected of other CPAs performing the same work. In particular, CPAs should follow all pro-
fessional standards that relate to providing services. For example, in a tax engagement, this
would include following tax practice standards.
All engagements should be adequately planned and supervised. Further, in the performance
of nonattest services, CPAs should obtain sufficient, relevant data to afford a reasonable basis
for a conclusion or recommendation. Note that this is different than the expectation in an audit.
In performing an audit, a CPA should obtain sufficient appropriate evidence, which is a higher
standard. The standard of sufficient appropriate evidence is discussed further in Chapter 5.
Adherence to these requirements contributes to the quality of performance of professional
engagements for the benefit of clients, the public, and the overall reputation of the profession.

Ethics Reasoning Example  Professional Competence

Dana Moore is a CPA in Georgia. Dana has a modestly sized tax practice, and she performs a num-
ber of audits of local school districts as well as of a few cities and counties. Dana is also on the
board of directors of several charities where she interacts with some of the business people in the
area. One day, a local technology entrepreneur in the area walks into her office and says, “I have
worked with you on the board of directors of a local charity, and I like the perspectives you bring
to the board. My company is growing and needs an audit. I know you do audits, and I am wonder-
ing if you would give me a bid on doing my company’s audit.” Dana was not expecting this, but
she knows what her response should be. “I appreciate your interest in my work and my services.
However, not all audits are the same. I understand the accounting and auditing issues with local
governments and school districts, but I am not well-versed in the accounting, internal control,
and auditing issues for technology companies. This is beyond the scope of my expertise, and I only
want to consider an engagement that I can expect to complete with professional competence and
due care. However, through the State Society of CPAs, I know some other auditors who might
have the skills you need. Let me give you their names.”

Before You Go On
6.1 Identify two types of engagements that would be covered by the general standards in the
AICPA Code of Professional Conduct.
6.2 If a CPA does not have the professional competence to complete an investment advisory en-
gagement, what steps should the firm take to ensure that the engagement is completed with
professional competence?
6.3 When evaluating whether an engagement was completed with due professional care, how
might a state board of accountancy judge the due care that was used in completing an
engagement?

Other Rules of Conduct for Members in Public Practice

LEARNING OBJECTIVE 7
Evaluate the ethical behavior needed to comply with other rules of conduct for
members in public practice.

It is not possible in the scope of this chapter to discuss all of the rules of conduct for CPAs in
public practice. The following discussion addresses three additional rules of conduct that you
should understand: Rule 1.320 on Accounting Principles, Rule 1.500 on Fees and Other Types
of Remuneration, and Rule 1.700 on Confidential Information.

Accounting Principles Rule


It is imperative that CPAs, who are experts in accounting principles, follow accounting prin-
ciples in the performance of their duties. This is made clear in Rule 1.320. Further, a similar
rule exists for members in business, Rule 2.320. Rule 1.320 on accounting principles reads as
follows:

A member shall not (1) express an opinion or state affirmatively that the financial
statements or other financial data of any entity are presented in conformity with
generally accepted accounting principles or (2) state that he or she is not aware of
any material modifications that should be made to such statements or data in order
for them to be in conformity with generally accepted accounting principles, if such
statements or data contain any departure from an accounting principle promulgated
by bodies designated by Council to establish such principles that has a material effect
on the statements or data taken as a whole. If, however, the statements or data contain
such a departure and the member can demonstrate that due to unusual circumstances
the financial statements or data would otherwise have been misleading, the member
can comply with the rule by describing the departure, its approximate effects, if
practicable, and the reasons why compliance with the principle would result in a
misleading statement.

The bodies that are designated by the AICPA Council to promulgate accounting prin-
ciples are (1) the Financial Accounting Standards Board (FASB), (2) the Federal Account-
ing Standards Advisory Board (FASAB), (3) the Governmental Accounting Standards Board
(GASB), and (4) the International Accounting Standards Board (IASB). Financial statements
prepared using other accounting principles would be considered financial reporting frame-
works other than generally accepted accounting principles (GAAP). For example, CPAs often
prepare financial statements for small businesses on a cash basis of accounting or a federal
income tax basis of accounting. In these situations, the client’s financial statements, and the
CPA’s report thereon, should not purport that the financial statements are in accordance with
GAAP, and the financial statements and the CPA’s report should clarify the financial reporting
framework used.
Finally, there is a strong presumption that adherence to GAAP would, in nearly all cir-
cumstances, result in financial statements that are not misleading. The question of what
constitutes unusual circumstances, referred to in the rule above, is a matter of professional
judgment. In considering that judgment, a CPA must consider whether a reasonable person
reading the financial statements would consider the adherence to the promulgated accounting
principle to be misleading. In practice, these circumstances are extremely rare.

Fees and Other Types of Remuneration


The rule on fees and other types of remuneration addresses two circumstances that are
particularly important: Rule 1.510 on Contingent Fees and Rule 1.520 on Commissions and Referral
Fees. In general, entering into a contingent fee arrangement or accepting a commission or a
referral fee associated with an attest client impairs independence due to the advocacy threat
associated with these types of fees. For example, if a CPA accepted a contingent fee associ-
ated with helping an attest client sell the business, the CPA would become an advocate for
the client, and independence would be impaired. Further, it is particularly important that
commission arrangements be disclosed to the client. For example, a CPA might be paid a
commission by a software company for recommending its accounting software to a nonattest
client. It is important for the client considering the accounting software to know that the
CPA is being paid a commission if the business purchases the software, so that the client
fully evaluates the product and incentives involved. It is appropriate for CPAs to perform en-
gagements on a contingent fee basis, or to accept a commission or a referral fee, with respect
to nonattest clients. However, these fee arrangements are prohibited for attest clients as they
impair independence.

Confidential Information
In general, a CPA in public practice shall not disclose confidential client information without
the specific consent of the client.
However, there are some well-known exceptions to this rule. First, the rule on confiden-
tial client information should not be construed as relieving a CPA of his or her professional
obligation to comply with accounting principles. Therefore, a client cannot claim that infor-
mation should not be disclosed in financial statements due to client confidentiality if the in-
formation is required by GAAP. Second, the rule on confidential client information allows a
CPA to comply with a validly issued and enforceable subpoena or summons, or allows a CPA
to comply with applicable laws and government regulations. For example, in certain circum-
stances an auditor might have to report confidential information to regulators such as the SEC
if the information is not reported by management or those charged with governance of the
entity. Third, the confidential client information rule does not prohibit a review of a CPA’s
professional practice under the AICPA, state society, or state board of accountancy authori-
zation. This exception allows for peer review of a CPA’s practice and allows the peer reviewer
to become knowledgeable of confidential client information. However, there is an obligation
on the part of the peer reviewer to respect the confidential client information rule. Finally,
the confidential client information rule does not preclude a CPA from initiating a complaint
with, or responding to any inquiry made by, the professional ethics division of the AICPA, a
duly constituted investigative or disciplinary body of a state CPA society, or a state board of
accountancy.

Before You Go On
7.1 Do the rules of conduct on accounting principles prevent a CPA from preparing financial
statements for a client on a cash basis of accounting, which is not GAAP? Explain your
reasoning.
7.2 Explain why accepting an engagement on a contingent fee arrangement impairs independence.
7.3 After work, can a member of an audit team discuss confidential information about a client’s
business with his or her spouse, who works for the client’s competitor? Has the member vio-
lated the AICPA Code of Professional Conduct? Explain your reasoning.

Auditor Liability Under Common Law

LEARNING OBJECTIVE 8
Evaluate an auditor’s legal liability under common law.

The previous sections have focused on an auditor’s ethical responsibilities to society (respon-
sibilities to the client and to the public that relies on financial statements). The legal system
plays an important role in supporting the quality of work performed by auditors. It provides
an important framework for accountability regarding the behavior of CPAs in society.

Auditors need to understand the legal impacts affecting the environment in which they
work. Specifically, they need to know who can sue them, the allegations typically made in
lawsuits against auditors, and defenses the auditor can use in court. Exposure to legal liability
is also an incentive for auditors to conduct high-quality audits.
The following discussion is broken into two sections: (1) the auditor’s liability under com-
mon law, which may vary from state to state, and (2) the federal statutes regarding an auditor’s
responsibility to financial statement users.
common law: law based on justice, reason, and common sense, rather than on absolute rules

Common law is frequently referred to as unwritten law. It is based on judicial precedent
rather than legislative rule. Common law is derived from principles based on justice, reason,
and common sense rather than absolute, fixed, or inflexible rules. The principles of common
law are determined by the social needs of the community. Therefore, common law changes in
response to society’s needs. In a specific case, the accountant’s liability is determined by a state
or federal court that attempts to apply case law precedents that it feels are controlling. Because
there are 51 such independent jurisdictions in the United States (50 states and the District of
Columbia), different decisions may result with respect to relatively similar factual circum-
stances. In a common law case, the judge has the flexibility to consider social, economic, and
political factors as well as prior case law doctrines (precedents). Under common law, a CPA’s
legal liability extends principally to two classes of parties: clients and third parties.
Illustration 2.10 outlines the discussion of an auditor’s liability under common law. An au-
dit firm may be liable to clients either under contract law or under tort law, as discussed below. An
audit firm is also concerned about its exposure to liability to clients. This liability will vary from
state to state depending on state laws and legal precedent. The discussion of third-party liability
will address whether an audit firm is liable to primary beneficiaries of the audit, to a foreseen
class of third-party users of financial statements, or to foreseeable users of financial statements.

ILLUSTRATION 2.10  Auditor liability under common law

Common Law
  Liability to Clients
    Contract Law
    Tort Law
  Liability to Third Parties
    Primary Beneficiaries
    Foreseen Class of Third Parties
    Foreseeable Third Parties

Liability to Clients
A CPA is in a direct contractual relationship with clients. In agreeing to perform services for
clients, the CPA assumes the role of an independent contractor. The specific service(s) to be
rendered should preferably be set forth in an engagement letter, as described in Chapter 3.
The term privity of contract refers to the contractual relationship that exists between two
or more contracting parties. In the typical auditing engagement, it is assumed that the audit is
to be made in accordance with professional standards (i.e., generally accepted auditing
standards) unless the contract contains specific wording to the contrary. A CPA may be held liable
to a client under either contract law or tort law. Each of these is explained below.

privity of contract: a contractual relationship that exists between two or more contracting parties

Contract Law
An auditor may be liable to a client for breach of contract when the audit firm:

•  Issues a standard audit report when he or she has not made an audit in accordance with
generally accepted auditing standards (GAAS).
•  Does not deliver the audit report by the agreed-upon date.
•  Violates the client’s confidential relationship.

breach of contract: a binding agreement is not honored by one or more parties to a contract

A CPA’s liability for breach of contract extends to subrogees. A subrogee is a party who
has acquired the rights of another by substitution. For example, the bonding of the client’s em-
ployees is considered an important part of a company’s system of internal control. When an
embezzlement occurs, the bonding company reimburses the insured (the client) for its losses.
Then, under the right of subrogation to the insured’s contractual claim, the bonding company
can bring suit against the CPA for failing to discover the fraud.
When a breach of contract occurs, the client usually seeks one or more of the follow-
ing remedies: (1) specific performance of the contract by the defendant (the CPA), (2) direct
monetary damages for losses incurred due to the breach, or (3) incidental and consequential
damages that are an indirect result of nonperformance.

Tort Law
A CPA may also be liable to a client under tort law. A tort is a wrongful act that injures
another person’s property, body, or reputation. A tort action may be based on any one of the
following causes:

•  Ordinary negligence. Failure to exercise the degree of care a person of ordinary
prudence (a reasonable person) would exercise under the same circumstances.
•  Gross negligence. Failure to use even slight care in the circumstances.
•  Fraud. Intentional deception, such as misrepresentation, concealment, or nondisclosure
of a material fact, that results in injury to another. In some cases a distinction has been
made between fraud and constructive fraud. Constructive fraud may be inferred from
gross negligence or reckless disregard for the truth.

Under tort law, the injured party normally seeks monetary damages. The auditor’s
documentation is vital in refuting charges for breach of contract and breach of duty in a
tort action.

tort: a wrongful act that injures another person’s property, body, or reputation
ordinary negligence: failure to exercise the degree of care a reasonable person would exercise under the same circumstances
gross negligence: failure to use even slight care in the circumstances
fraud: intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another

Cases Illustrating Liability to Clients


Two cases pertaining to liability to clients are considered below. The first case involves negli-
gence, and the second relates to breach of contract.

1136 Tenants’ Corp. v. Max Rothenberg & Co. (1971)


In this case the plaintiff was a corporation owning a cooperative apartment house that sued
Max Rothenberg, an accounting firm, for damages resulting from the failure of the CPA to dis-
cover the embezzlement of over $110,000 by the plaintiff’s managing agent, Riker. Riker had
orally engaged Rothenberg at an annual fee of $600. The plaintiff maintained that Rothenberg
had been engaged to perform all necessary accounting and auditing services. The CPA claimed
he was only engaged to prepare financial statements without assurance as well as related tax
returns. As evidence of their respective contentions, the plaintiff booked the accountant’s fee
as auditing expenses, and the CPA defendant marked each page of the financial statements
as “unaudited.” In addition, the CPA’s letter of transmittal to the financial statements stated
that (1) the statements were prepared from the books and records of the corporation and
(2) no independent verifications were undertaken thereon.
The trial court found that the defendant was engaged to perform an audit because
Rothenberg admitted that he had performed some limited auditing procedures such as ex-
amining bank statements, invoices, and bills. In fact, the CPA’s own worksheets included
one entitled “Missing Invoices,” which showed over $40,000 of disbursements that did not
have supporting documentation. The CPA did not inform the plaintiff of these invoices, and
no effort was made to find them. The trial court also found that the CPA was negligent in
the performance of the service and awarded damages totaling $237,000. The appellate court
affirmed, saying:

•  Regardless of whether the CPA was conducting an audit or drafting financial statements,
there was a duty to inform the client of known wrongdoing or other suspicious actions
by the client’s employees.
•  The defendant’s worksheets indicate that the defendant did perform some audit
procedures.

The 1136 Tenants’ case has frequently been used to demonstrate the importance of having
a written contract (engagement letter) for each professional engagement. A written contract is
important, but it was not the only issue in this case. The critical issue was the CPA’s failure to
inform the client of employee wrongdoing, regardless of the type of service rendered.

Fund of Funds, Ltd. v. Arthur Andersen & Co. (1982)


In this case, the plaintiff sued the auditors for breach of contract because the auditors failed to dis-
close fraud to the client when the auditors’ engagement letter contained a specific representation
that any fraud would be revealed. The fraud, totaling over $120 million, resulted from overcharges
on a contract between the plaintiff and King Resources, both audited by Andersen. Andersen ad-
mitted discovery of the violation of the contract in auditing King, but declined to disclose the fraud
to Fund of Funds because the AICPA’s Rule on Confidential Client Information prohibits disclo-
sure of confidential information. The court ruled for the plaintiff on the grounds that the defen-
dants failed to comply with the terms of their engagement letter, a breach of contract.

Liability to Third Parties


The common law liability of the auditor to third parties is important in any discussion of the
auditor’s legal liability. A third party may be defined as an individual who is not in privity
with the parties to a contract. From a legal standpoint, there are two classes of third parties:
(1) a primary beneficiary and (2) other beneficiaries. A primary beneficiary is anyone
identified to the auditor by name prior to the audit who is to be the primary recipient of the
auditor’s report. For example, if at the time the engagement letter is signed, the client informs
the auditor that the report is to be used to obtain a loan at the Second National Bank, the bank
becomes a primary beneficiary. In contrast, other beneficiaries are unnamed third parties,
such as creditors and potential investors.
An auditor is liable to all third parties for gross negligence and fraud under tort law.
In contrast, the auditor’s liability for ordinary negligence has traditionally been different
between the two classes of third parties. The following discussion explains the importance of
how the case law has defined an auditor’s liability to third parties for the auditor’s negligence.

third party: an individual or collective group who is not in privity with the parties to a contract
primary beneficiary: anyone identified to the auditor by name prior to the audit who is a recipient of the auditor’s report
other beneficiaries: unnamed third parties, such as creditors, stockholders, and potential investors, who use the auditor’s report

Ultramares Corp. v. Touche (1931)


This decision extended the concept of privity of contract to the primary beneficiary of the
auditor’s work. In this landmark case, the defendant auditors, Touche, failed to discover ficti-
tious transactions that overstated assets and stockholders’ equity by $700,000 in the audit of
Fred Stern & Co. Subsequent to the audit, Ultramares loaned Stern large sums of money that
Stern was unable to repay because the company was actually insolvent. Ultramares sued the
accounting firm for negligence and fraud. The court found the auditors guilty of negligence
but ruled that accountants should not be liable to any third party for negligence except to a
primary beneficiary. Judge Cardozo said:

If liability for negligence exists, a thoughtless slip or blunder, the failure to detect a theft
or forgery beneath the cover of deceptive entries may expose accountants to a liability in
indeterminate amounts, for an indeterminate time, to an indeterminate class. The hazards
of a business conducted on these terms are so extreme as to enkindle doubt whether a flaw
may not exist in the implication of a duty that exposes to these consequences.

The court also ruled that the finding on negligence does not emancipate accountants from
the consequences of fraud. It concluded that gross negligence may constitute fraud. Ultramares
Corp. v. Touche upheld the privity of contract doctrine under which third parties cannot sue
auditors for ordinary negligence. However, Judge Cardozo’s decision extended to primary ben-
eficiaries the rights of one in privity of contract. Therefore, Ultramares as a primary beneficiary
could sue and recover for losses suffered because of the auditor’s ordinary negligence.

Rusch Factors v. Levin (1968)


The Ultramares decision remained virtually unchallenged for 37 years, and it still is followed
today in many jurisdictions. However, since 1968, several court decisions have served to ex-
tend the auditor’s liability for ordinary negligence beyond the privity of contract doctrine. The
following environmental factors contributed to this development:

•  The concept of liability evolved significantly to include consumer protection from the
wrongdoing of both manufacturers (product liability) and professionals (service liability).
•  Businesses and accounting firms grew in size, making them better able to shoulder the
new threshold of responsibility.
•  The number of individuals and groups relying on audited financial statements grew steadily.

In Rusch Factors v. Levin, the plaintiff had asked the defendant accountant to audit the fi-
nancial statements of a corporation seeking a loan. The certified statements indicated that the
potential borrower was solvent when, in fact, it was insolvent. Rusch Factors sued the auditor
for damages resulting from its reliance on negligent and fraudulent misrepresentations in the
financial statements. The defendant accountant asked for dismissal on the basis of lack of privity
of contract. The court ruled in favor of the plaintiff. While the decision could have been decided
on the basis of the primary beneficiary rule set forth in Ultramares, the court instead said:

The accountant should be liable in negligence for careless financial misrepresentation
relied upon by actually foreseen and limited classes of persons. In this case, the
defendant knew that his certification was to be used for potential financiers of the …
corporation (emphasis added).

This decision extended the auditor’s liability from known specific primary beneficia-
ries, to an actually foreseen limited class of third parties known to be relying on the financial
statements.

Restatement (Second) of Torts § 552 (1977)


The shift away from Ultramares occurred in the form of judicial acceptance of the specifically foreseen class concept. Subsection (2) of the Restatement (Second) of Torts § 552 extends the auditor’s liability to “a limited group of persons for whose benefit the CPA intends to supply the information.” Thus, if the client informs the CPA that the audit report is to be used to obtain a bank loan, all banks are foreseen parties, but trade creditors and potential stockholders would not be part of the foreseen class. However, a CPA would not be liable if the audit report were used by a bank to invest capital in the client’s business in exchange for common stock instead of granting a loan.
The foreseen class concept does not extend to all present and future investors, stockholders, or creditors. Court decisions have not required that the injured party be specifically identified, but the class of persons to which the party belonged had to be limited and known at the time the auditor provided the information.

foreseen class  a limited class of third parties known to be relying on the financial statements

Rosenblum v. Adler (1983)


The Rosenblum case extended an auditor’s liability to foreseeable parties, individuals or entities whom the auditor either knew or should have known would rely on the audit report in making business and investment decisions, and it extended the auditor’s duty of due care to any foreseeable party who suffers a pecuniary loss from relying on the auditor’s representation. Foreseeable parties include all creditors, stockholders, and present and future investors. The courts use foreseeability extensively in cases involving physical injury. For example, foreseeability is almost universally used in product liability cases when the manufacturer’s negligence causes the physical injury. This concept was first applied in an audit negligence case in the early 1980s.

foreseeable parties  individuals or entities whom the auditor either knew, or should have known, would rely on the audit report

In reaching its decision in Rosenblum, the New Jersey Supreme Court cited the following
public policy factors that appear, in part, aimed at countering Judge Cardozo’s arguments in
upholding the privity doctrine in Ultramares: (1) insurance is available to accountants to cover
these risks, (2) the CPA has a moral responsibility to anyone relying on his or her opinion, and
(3) more rigid standards will cause accountants to do better work. The foreseeability standard
was subsequently embraced by similar rulings in Wisconsin, California, and Mississippi.

Credit Alliance Corp. v. Arthur Andersen & Co. (1985)


In 1985, the New York Court of Appeals expressly rejected the foreseeability standard in Credit
Alliance Corp. v. Arthur Andersen & Co. Instead, the court reverted to a “near privity rule,”
establishing three criteria for determining whether a plaintiff can bring a claim against an audi-
tor for ordinary negligence: (1) the plaintiff did in fact rely on the auditor’s report, (2) the audi-
tor knew that the plaintiff intended to rely on the report, and (3) the auditor, through some
actions on his or her own part, evidenced understanding of the plaintiff’s intended reliance.

Bily v. Arthur Young & Co. (1992)


In 1992, in yet another landmark case known as Bily v. Arthur Young & Co., the California
Supreme Court ended the foreseeability standard in that state. After perhaps the most thor-
ough analysis by any court of the purpose and effects of audits and audit reports, and follow-
ing a thorough review of approaches taken by other courts as well as the basic principles of
tort liability announced in the California court’s own prior cases, it stated:

We conclude that an auditor owes no general duty of care regarding the conduct of
an audit to persons other than the client. An auditor may, however, be held liable
for negligent misrepresentations in an audit report to those persons who act in
reliance upon those misrepresentations in a transaction which the auditor intended
to influence, in accordance with the rule of section 552 of the Restatement Second of
Torts. . . . Finally, an auditor may also be held liable to reasonably foreseeable third
persons for intentional fraud in the preparation and dissemination of an audit report.

A summary of the auditor’s liability under common law is presented in Illustration 2.11.

ILLUSTRATION 2.11  Liability to third parties under common law

[Timeline figure; vertical axis: relative exposure]
•  Pre-1931: Liability excluded by privity of contract doctrine
•  1931: Ultramares decision extends liability to primary beneficiaries
•  1968: Rusch Factors decision extends liability to foreseen class of third parties
•  1977: Foreseen class concept adopted in Restatement (Second) of Torts
•  1983: Rosenblum decision extends liability to foreseeable third parties
•  1985: Credit Alliance decision restricts liability to users acknowledged by the auditor
•  1992: Bily decision returns California to Restatement (Second) of Torts for negligent misrepresentation
•  1993: Some states adopt privity legislation restricting liability to users acknowledged by the auditor

Although the extent of the auditor’s exposure to liability to third parties for ordinary negligence
has been subject to the court decisions in various jurisdictions, it now appears that all but three
states (Mississippi, New Jersey, and Wisconsin) either embrace the Restatement (Second) of
Torts, or the stricter Credit Alliance or privity legislation rules.

Burden of Proof and Common Law Defenses


In general, the plaintiff must prove the following when suing an auditor:

•  The auditor owed a duty of care to the plaintiff.
•  The auditor breached the duty by failing to act with due care (negligence).
•  The auditor’s negligence was the proximate cause of the plaintiff’s damage.
•  The plaintiff had actual damages.

A key issue is whether the auditor owed a duty of care to the plaintiff. As noted in the previous
discussion, most states extend the auditor’s duty of care to foreseen third parties under the
Restatement (Second) of Torts standard.
The auditor’s defenses generally include:
•  The auditor was not negligent and performed an audit in accordance with professional
standards.
•  No duty of care was owed to the plaintiff.
•  The plaintiff had no loss.
•  The loss was caused by other events.
•  The plaintiff’s negligence (contributory negligence) contributed to the auditor’s failure
to perform.
•  The claim was invalid because the statute of limitations had expired.

The auditor must generally use the due care defense in breach of contract suits involving negligence. Under a due care defense, the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States. The due care defense is also a primary defense against tort actions, along with contributory negligence.

due care defense  the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States

In a contributory negligence defense, the plaintiff must have contributed to his or her own injury (loss) by his or her own negligence. Therefore, the law considers the plaintiff to be as responsible as the defendant for the injury. In such a case, there is no basis for recovery because the negligence of one party nullifies the negligence of the other party. For example, the plaintiff may have withheld vital information from the CPA during the audit, contributing to the audit firm’s failure to follow professional standards.
If a plaintiff wants to prove the auditor was guilty of gross negligence or fraud, it is a
much higher burden of proof. In this instance, the plaintiff must prove:

•  A false representation was made by the auditor.
•  The auditor knew the representation was false.
•  The auditor intended to induce the plaintiff to rely on the false representation.
•  The plaintiff relied on the misrepresentation.
•  The plaintiff suffered damages.

This is a high burden of proof and an audit firm with good quality controls would not let this sit-
uation happen. If the plaintiff can make the case that an audit firm was guilty of gross negligence
or fraud, the plaintiff may be entitled to both compensatory damages and punitive damages.

Legal Reasoning Example  Duty of Care

Grace Chermak is the audit partner on the audit of Price Construction LLC, a private company that manufactures small tools. Both Grace and Price are located in a state that follows the Restatement of Torts. When planning the audit, Grace knew the financial statements were primarily intended to be used by Last National Bank in evaluating debt covenants. After completing the audit and unbeknown to Grace, the financial statements are given to two other users: (1) another bank, and (2) a purchaser of 50% of Price Construction that was unforeseen at the time of the audit. To whom does Grace owe a duty of care under the Restatement of Torts?
Under the Restatement of Torts, Grace owes a duty of care to a specific class of foreseen third parties, which would include the two banks that used the financial statements. Grace does not owe the same duty of care to the purchaser of the 50% ownership interest in Price Construction. Had Grace known the financial statements would have been used in buying and selling the business, Grace might have planned the audit differently.

Before You Go On
8.1 Explain each of the two primary situations in which a CPA may be liable to his or her client.
8.2 Distinguish between foreseen and foreseeable third parties. Give an example of each.
8.3 Explain the significance of the Ultramares, Rusch Factors, Rosenblum, Credit Alliance, and
Bily cases on the auditor’s liability to third parties for negligence.
8.4 What is the plaintiff’s burden of proof under common law?
8.5 Explain the due care defense as it applies to an audit.

Auditor Liability Under Statutory Law

LEARNING OBJECTIVE 9
Evaluate an auditor’s legal liability under statutory law.

Statutory law is established by state and federal legislative bodies and specifically addresses the auditor’s liability under certain circumstances. The following discussion addresses a number of statutory laws that address an auditor’s responsibility and liability to third-party users of financial statements. Some of these statutes also address management’s responsibility for preparing financial statements that are free of material misstatement. The discussion also addresses key cases that have set precedent under these statutes. Finally, the section concludes with a discussion of the auditor’s exposure to criminal liability under these statutes.
Illustration 2.12 outlines the auditor’s liability under statutory law. The key elements of statutory law that are discussed in this section include the SEC Act of 1933, the SEC Act of 1934, the Foreign Corrupt Practices Act of 1977, the Private Securities Litigation Reform Acts of 1995 and 1998, the Sarbanes-Oxley Act of 2002, and the auditor’s exposure to criminal liability under statutory law.

statutory law  law established by state and federal legislative bodies that specifically addresses the auditor’s liability under certain circumstances

ILLUSTRATION 2.12  Auditor liability under statutory law

Statutory Law:
•  SEC Act of 1933
•  SEC Act of 1934
•  Foreign Corrupt Practices Act of 1977
•  Private Securities Litigation Reform Acts of 1995 and 1998
•  Sarbanes–Oxley Act of 2002
•  Criminal Liability

The Securities Act of 1933


The 1933 Act is known as the Truth in Securities Act. It is designed to regulate the offering of a
new security to the public through the mails or in interstate commerce. Suits against auditors
under this Act are usually based on Section 11, Civil Liabilities on Account of False Registra-
tion Statement, which allows “any person” purchasing or otherwise acquiring the securities to
sue when the financial statements are materially misstated. The Act makes the auditor liable
for losses to third parties resulting from ordinary negligence, as well as from fraud and gross
negligence, to the effective date of the registration statement.
The principal effects of this Act on the parties involved in a suit may be summarized as
follows.
The plaintiff (e.g., investors):

•  May be any person acquiring securities described in the registration statement, whether
or not he or she is a client of the auditor.
•  Must base the claim on an alleged material false or misleading financial statement con-
tained in the registration statement.
•  Does not have to prove reliance on the false or misleading statement or that the loss suf-
fered was the proximate result of the statement if purchase was made before the issuance
of an income statement covering a period of at least 12 months following the effective
date of the registration statement.
•  Does not have to prove that the auditors were negligent or fraudulent in certifying the
financial statements involved.

The defendant (e.g., the auditor) must prove one of the following:

•  The audit firm made a reasonable investigation, that the firm followed auditing standards, and accordingly, had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective (a due diligence defense).
•  The plaintiff’s loss resulted in whole or in part from causes other than the false or misleading statements.

Therefore, there is a significant burden of proof that rests upon the auditor to show that the audit firm used due diligence in conducting the audit.

due diligence defense  an audit firm must show that it made a reasonable investigation, that the firm followed auditing standards, and accordingly had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective

Escott v. BarChris Construction Corp. (1968)

BarChris was a company that was in constant need of cash. Purchasers of bonds filed suit
under Section 11 when the company filed for bankruptcy, alleging that the registration state-
ment pertaining to the sale of the bonds contained material false statements and material
omissions. One of the defendants was Peat, Marwick, Mitchell & Co. (now KPMG), which
pleaded the due diligence defense. The case revolved around the effectiveness of the audit
firm’s subsequent events review (discussed in Chapter 14), called an S-1 review by the SEC.
The purpose of the review was to determine whether, subsequent to the certified balance
sheet, any material changes had occurred that needed to be disclosed to prevent the balance
sheet from being misleading.
The court concluded that Peat Marwick’s written audit program for the subsequent events
review was in conformity with generally accepted auditing standards. However, it also found
that the work done by the auditor who was performing his first S-1 review was unsatisfactory.
The court concluded that the auditor did not meet the standards of the profession because he
did not take some of the steps prescribed in the audit firm’s written program, the auditor did
not spend an adequate amount of time on a task of this magnitude, and, most important of all,
the auditor was too easily satisfied with glib answers given by the client.
This case is important in that the court determined that following auditing standards
generally accepted in the United States would meet the due diligence defense. The courts also
determined that the subsequent events review by Peat Marwick did not meet professional
standards, or the firm’s own standards.

The Securities Act of 1934


Congress passed this Act to regulate the public trading of securities in the secondary market
(in contrast to the new issue of securities in the primary market covered by the 1933 Act). The
1934 Act requires companies included under the Act to (1) file a registration statement when
the securities are publicly traded on a national exchange or over the counter for the first time
and (2) keep the registration statement current through the filing of annual reports, quarterly
reports, and other information with the SEC. Certain financial information, including the
financial statements, must be audited by independent public accountants. The principal lia-
bility provisions of the 1934 Act are set forth in Sections 18 and 10.
Under Section 18(a), the plaintiff:

•  May be any person buying or selling the securities.
•  Must prove the existence of a material false or misleading statement.
•  Must prove reliance on such statement and damage resulting from such reliance.

The defendant (the auditor) in a Section 18 suit must prove that he or she:

•  Acted in good faith.
•  Had no knowledge of the false or misleading statement.

This means that the minimum basis for liability is gross negligence, not ordinary negligence. Ac-
cordingly, the auditor’s position under Section 18 is the same as under the common law doctrine
of Ultramares, in which the auditor may also be held liable to third parties for gross negligence.
Under Section 10(b) and the SEC-promulgated Rule 10b-5, it is unlawful for any person,
directly or indirectly, to:

•  Employ any device, scheme, or artifice to defraud.
•  Make any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading.
•  Engage in any act, practice, or course of business that operates, or would operate, as a fraud or deceit on any person in connection with the purchase or sale of any security.

Section 10(b) and Rule 10b-5 are often referred to as the antifraud provisions of the 1934 Act.
These antifraud provisions were made clear by the Ernst and Ernst v. Hochfelder decision, as
discussed below.
The securities acts apply to different situations. The 1933 Act applies to the initial distribu-
tion of securities (capital stock and bonds) to the public by the issuing corporation (primary mar-
ket), whereas the 1934 Act applies to trading of securities in national security markets (secondary
market). Differences between Section 11 of the 1933 Act and Sections 10 and 18 of the 1934 Act
exist as to (1) the plaintiff, (2) proof of reliance on the false or misleading financial statements,
and (3) the auditor’s liability for ordinary negligence, as summarized in Illustration 2.13.

ILLUSTRATION 2.13  Summary of differences in key sections of the 1933 and 1934 Acts

| Item | 1933 Act | 1934 Act |
|---|---|---|
| Plaintiff | Any person acquiring the security | Either the buyer or seller of the security |
| Plaintiff must prove reliance | No | Yes |
| Defendant liability for ordinary negligence | Yes | No |

Ernst & Ernst v. Hochfelder (1976)


Lawsuits against auditors under the 1934 Act are usually based on Section 10(b) and Rule
10b-5. The plaintiffs (Hochfelder) were investors in an escrow account allegedly kept by the
president (Lester K. Nay) of First Securities Co., a small brokerage firm, audited by Ernst &
Ernst (now Ernst & Young). The escrow account, in which a high rate of return was promised,
was a ruse perpetrated by Mr. Nay. To prevent detection, all investors were instructed to make
their checks payable to Nay and to mail them directly to him at First Securities. Within the
brokerage house, Nay imposed a “mail rule” that such mail was to be opened only by himself.
The escrow account was not recorded on First Securities’ books.
Plaintiffs sued Ernst for damages under Rule 10b-5 for aiding and abetting the embezzle-
ment. They based their claim entirely on the premise that the auditors were negligent in their
audit because they had not challenged or investigated the “mail rule.” Following conflicting
lower court decisions, the U.S. Supreme Court ruled in favor of Ernst & Ernst, saying:

When a statute speaks so specifically in terms of manipulation and deception, and of
implementing devices and contrivances—the commonly understood terminology of
intentional wrongdoing—and when its history reflects no more expansive intent, we
are quite unwilling to extend the scope of the statute to negligent conduct.

Based on this decision, an auditor is no longer liable to third parties under Section 10(b)
and Rule 10b-5 of the 1934 Act for ordinary negligence. That is, the auditor has no liability in
the absence of any intent to deceive or defraud (legally called scienter).
Therefore, a plaintiff filing a lawsuit against an auditor under Rule 10b-5 of the 1934
Act must prove:

•  The financial statements contain a material, factual misrepresentation or omission.
•  The plaintiff relied on the financial statements.
•  Damages were suffered as a result of the reliance on the financial statements.
•  Scienter, that the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation.

scienter  the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation

The Foreign Corrupt Practices Act of 1977

The Foreign Corrupt Practices Act (FCPA), passed by Congress in 1977, makes bribing for-
eign officials illegal. The FCPA also addresses records retention required under the Securities
Exchange Act of 1934. Through the FCPA, Congress increased the bookkeeping and account-
ing records requirement of those corporations bound by the 1934 Act. The major change was
that the FCPA requires companies to maintain reasonable records and to have an adequate
system of internal control. For records to be reasonable, they must be both complete and ac-
curate. The FCPA applies to the work of auditors when an integrated audit reports on internal
control over financial reporting. If the auditor concludes that internal control over financial
reporting is effective, and it is proved otherwise, the auditor may be liable under the FCPA.

The Private Securities Litigation Reform Acts of 1995 and 1998

As a result of the Hochfelder decision, many lawsuits against auditors moved to state court
under common law actions, and audit firms experienced an increase in both frivolous and
abusive lawsuits. In response to this environment, Congress passed the Private Securities
Litigation Reform Act of 1995 (Reform Act) to reduce frivolous litigation risk for audi-
tors, publicly traded companies, and those parties affiliated with security issuers, such as
officers, directors, and other professional advisors (e.g., underwriters and lawyers). The
Reform Act substantially revised the Securities Act of 1933 and the Securities Exchange
Act of 1934.
The Reform Act instituted a system of proportionate liability whereby defendants who are not found to have “knowingly committed a violation” of securities laws are liable based on the defendant’s percentage of responsibility. This is intended to reduce the coercive pressure for innocent parties to settle meritless claims out of court rather than risk exposing themselves to liability for a grossly disproportionate share of the damages in a case. Defendants who “knowingly committed a violation” continue to be jointly and severally liable for all damages that may be assessed. For example, assume that a company has gone bankrupt, investors successfully claim the audited financial statements were materially misstated, and a jury determines that the auditor was 35% responsible for damages incurred by investors and the company was 65% responsible for the damages. Under proportionate liability, the auditor would be responsible for 35% of the damages. However, under joint and several liability, investors can recover damages from any of the defendants. If the company is bankrupt and unable to pay any damages, the auditor could potentially be responsible for 100% of the damages.

proportionate liability  defendants who are not found to have “knowingly committed a violation” of the securities law are liable based on the defendant’s percentage of responsibility

If a defendant does not knowingly commit a violation of the securities acts, the Reform
Act also places a cap on the proportionate share of damages that can be collected from other
defendants. If another defendant’s share cannot be collected from that defendant, or from
jointly and severally liable defendants, each proportionately liable defendant is then liable
for a proportionate share of the uncollectible amount, only up to an amount equal to an addi-
tional 50% of such defendant’s initial share.
The Reform Act imposed new reporting requirements on auditors who detect or other-
wise become aware of illegal acts by issuers of securities. If an auditor concludes that an illegal
act has a direct and material effect on the financial statements, and senior management has
not taken appropriate action, and the failure warrants a departure from a standard report or a
resignation from the engagement, the auditor should report these conclusions directly to the
board of directors. The board should then notify the SEC within one day. If the board does not
file a timely report with the SEC, the auditor should make a report to the SEC. The Reform
Act explicitly states that the auditor will not be held liable in a private action for any finding,
conclusions, or statements made in such reports.
Three years later, Congress passed the Securities Litigation Uniform Standards Act of
1998. This was passed to prevent plaintiffs from evading federal courts by taking abusive law-
suits to state courts. Large class action lawsuits alleging securities fraud against auditors must
now be filed in federal court. Only smaller class action lawsuits of fewer than 50 people can
be filed in state court.

The Sarbanes-Oxley Act of 2002


The Sarbanes-Oxley Act of 2002 (SOX) had a number of provisions that influenced the au-
diting environment. SOX made it illegal for auditors to provide certain nonattest services to
clients, and it changed the regulation of the auditing profession. It also significantly changed
the audit environment by imposing increased penalties for management of public companies
who engage in fraudulent financial reporting, as discussed below.

Changes for Auditors


As discussed previously in SEC and PCAOB Independence Rules, SOX makes it “unlawful” to
perform audit services for a public company and also perform the following nonattest services
for audit clients:

•  Bookkeeping or other services related to the accounting records or financial statements of the audit client.
•  Financial information systems design and implementation.
•  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
•  Actuarial services.
•  Internal audit outsourcing services.
•  Management functions or human resources.
•  Broker or dealer, investment adviser, or investment banking services.
•  Legal services and expert services unrelated to the audit.
•  Any other service that the PCAOB determines, by regulation, is impermissible.

Further, Section 203 of SOX mandates rotation of the lead audit partner and the audit partner
having responsibility for reviewing the audit every five years.
SOX also changed the regulatory environment. The Act gave the PCAOB authority to
establish auditing standards, quality control standards, and independence standards for au-
ditors of public companies. Prior to SOX, the auditing profession was responsible for these
functions through the self-regulatory functions of the American Institute of CPAs.

Changes for Management of Public Companies


SOX strengthened penalties imposed on management of public companies who were responsible for false and misleading financial statements. Following is an overview of key provisions of the Act that affect management of public companies.

Section 302 requires a public company’s CEO and CFO to prepare a statement to accompany the audit report to certify the “appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer.” It also creates a liability for the CEO and CFO who knowingly and intentionally make false certifications.

Section 303 makes it unlawful for any officer or director of an issuer to take any action to fraudulently influence, coerce, manipulate, or mislead any auditor engaged in the performance of an audit for the purpose of rendering the financial statements materially misleading.

Section 305 requires the CEO and CFO of a company that restates financial statements due to “material noncompliance” with financial reporting requirements to “reimburse the company for any bonus or other incentive-based or equity-based compensation received” during the 12 months following the issuance or filing of the noncompliant document and “any profits realized from the sale of securities of the issuer” during that period. Furthermore, this section of the Act authorizes the federal courts to “grant any equitable relief that may be appropriate or necessary for the benefit of investors” for any action brought by the SEC for violation of the securities laws.

A provision within SOX is the Corporate and Criminal Fraud Accountability Act of 2002. Illustration 2.14 summarizes the key provisions of this act.

ILLUSTRATION 2.14   Key provisions of the Corporate and Criminal Fraud Accountability Act of 2002

Title VIII of the Corporate and Criminal Fraud Accountability Act of 2002

•  Makes it a felony to “knowingly” destroy or create documents to “impede, obstruct or influence” any existing or contemplated federal investigation.
•  Requires auditors to maintain “all audit or review work papers” for five years.
•  Extends the statute of limitations on securities fraud claims to the earlier of five years from the fraud or two years after the fraud was discovered.
•  Extends “whistleblower protection” to employees of public companies and their auditors, which would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistleblowers are also granted a remedy of special damages and attorney’s fees.
•  Creates a new crime for securities fraud that has penalties of fines and up to 10 years imprisonment.

Title IX of the Corporate and Criminal Fraud Accountability Act of 2002

•  The maximum penalty for mail and wire fraud under the 1933 and 1934 Acts was increased from 5 to 10 years.
•  Financial statements filed with the SEC must be certified by the CEO and CFO. The certification must state that the financial statements and disclosures fully comply with provisions of the Securities Exchange Acts and that they fairly present, in all material respects, the operations and financial condition of the issuer. Maximum penalties for willful and knowing violations of this section are a fine of not more than $500,000 and/or imprisonment of up to five years.
•  The SEC was given authority to seek a court freeze of extraordinary payments to directors, officers, partners, controlling persons, and agents of employees and to prohibit anyone convicted of securities fraud from being an officer or director of any publicly traded company.
•  Makes it a criminal offense to tamper with a record or otherwise impede any official proceeding and asks the U.S. Sentencing Commission to review sentencing guidelines for securities and accounting fraud.

Criminal Liability
The only entities that can bring charges for criminal causes of action are governments (federal and state). Auditors can be subject to criminal liability under both the 1933 and 1934 Securities Acts. Criminal liability subjects auditors to penalties of fines or imprisonment or both. Criminal penalties are provided under Sections 17 and 24 of the Securities Act of 1933. For example, Section 24 provides for penalties on conviction of no more than $10,000 in fines or imprisonment of not more than 10 years, or both, for willfully making an untrue statement or omitting a material fact in a registration statement. Further, Section 32(a) of the Securities Act of 1934 establishes criminal liability for “willfully” and “knowingly” making false or misleading statements in reports filed under the Act. This section also provides for criminal penalties for violating the antifraud provisions of Section 10(b) consisting of fines of not more than $100,000 or imprisonment for not more than five years, or both. Further, state boards of accountancy will usually revoke CPA licenses for findings of criminal violations.

criminal liability: subjects auditors to penalties of fines or imprisonment or both; the only entities that can bring charges for criminal causes of action are federal or state governments

In addition, SOX prohibits the destruction of documents and increases the prison penalty for such actions to 20 years. SOX also increases penalties under criminal statutes of the 1933 and 1934 Securities Act from 5 years to 10 years. Following is a summary of several key cases related to criminal liability for auditors.

United States v. Simon (1969)


This was a criminal case brought under Section 24 of the 1933 Securities Act. The case involved the adequacy of disclosure about loans made by Continental Vending to its affiliated company, Valley Commercial Corporation, which subsequently lent the money to the president of Continental (Roth). The loans to Roth were secured primarily by the pledging of Continental common stock owned by Roth. Valley, in turn, pledged this stock as collateral against the loans from Continental. The government charged that the disclosure was false and misleading. The defendants (two partners and an audit senior) argued that the disclosure was in conformity with GAAP and that such compliance was a conclusive defense against criminal charges of misrepresentation.

The trial judge rejected this argument and instructed the jury that the “critical test” was whether the balance sheet fairly presented financial position without reference to generally accepted accounting principles. The jury concluded that the balance sheet did not present fairly, and the three defendants were convicted of the criminal charges. The U.S. Court of Appeals refused to reverse the decision and held that

We do not think the jury was . . . required to accept the accountants’ evaluation whether a given fact was material to overall fair presentation, at least not when the accountant’s testimony was not based on specific rules and prohibitions to which they could point, but only on the need for the auditor to make an honest judgment and their conclusion that nothing in the financial statements themselves negated the conclusion that an honest judgment had been made. Such evidence may be highly persuasive, but it is not conclusive, and so the trial judge correctly charged.

The defendants were found guilty. They were fined $17,000 and their licenses to practice as CPAs were revoked because of the criminal conviction. The defendants did not receive jail time.

United States v. Natelli (1975)


This was a landmark case because the auditors were convicted and sentenced to time in prison. Anthony Natelli, a Peat, Marwick, Mitchell & Company (now KPMG) partner, and audit supervisor Joseph Scansaroli were involved in the audit of National Student Marketing Corporation. The financial statements for fiscal year ended August 31, 1968, were misstated because the company reported as actual sales amounts that were really only commitments. A material amount of the commitments were known to be uncollectible and were written off in the next fiscal year, but were still shown as income in the financial statements used in the September 30, 1969, proxy statement. The two auditors were convicted of willingly and knowingly making false and misleading statements in the proxy statements under the Securities Act of 1934. Both received fines in addition to prison sentences. Scansaroli’s conviction was later reversed.

United States v. Weiner (1978)


This case was associated with the audit of Equity Funding Corporation of America. Equity Funding sold insurance. To maintain the value of the company’s stock, management directed that fraudulent sales of insurance policies, and related receivables, be recorded in the company’s records. Eventually the fraud evolved to a reissuance scheme in which fraudulent insurance policies were resold to other insurers. The scheme required a massive amount of fictitious document creation and recordkeeping to maintain appearances. The auditors were found guilty because the fraud was so extensive that they should have known about it. One public accounting firm partner and two managers received criminal convictions and over $40 million of civil penalties were paid.

ESM Government Securities v. Alexander Grant & Co. (1987)


The ESM case involved a fraud perpetrated by ESM management that was voluntarily revealed
to the Alexander Grant (now Grant Thornton) audit partner responsible for the engagement.
The audit partner, Joe Gomez, chose to remain silent about the fraud with the expectation
that management would be able to reverse the problems if given time. In addition, the fraud
had been going on for years, and Gomez did not want to admit and report to his firm that he
had missed finding the fraud in prior audits. Because of his silence, which helped the fraud
to continue, Gomez was charged with knowingly filing false and misleading audit reports. In
addition, he was charged with having received secret payments from ESM officers totaling
$125,000. Gomez was sentenced to 12 years in prison.

HealthSouth (2003)
HealthSouth made its name as a provider of outpatient surgery, diagnostic, imaging, and rehabilitation health-care services. In 2003, the company and CEO Richard M. Scrushy were charged with accounting fraud and overstating earnings. The fraud dealt with intentional manipulation of corporate accounts to increase earnings so that the company would meet analysts’ expectations. Scrushy was accused of managing the company in such a way that it influenced employees to participate in the fraud. He placed extreme emphasis on meeting earnings expectations. The entire senior management team was relatively young and inexperienced, enabling Scrushy to manage the team through fear. HealthSouth’s CFO, William T. Owens, admitted to accounting fraud and instructing subordinates to make phony accounting entries. He turned himself in to authorities in 2003 and testified against Scrushy. Scrushy was eventually acquitted of criminal wrongdoing in 2005. Nevertheless, he settled with the SEC in 2007 for $77.5 million plus $3.5 million in civil penalties. In 2009, Scrushy was sued for fraud by HealthSouth investors, and he was ordered to repay his company $2.8 billion.

Cloud 9 - Continuing Case


Sharon, Josh, and Ian Harper (a first-year audit staff) are having lunch and talking about Cloud 9, a potential audit client. Ian asks, “Cloud 9 is a public company and has operations in a number of states, as well as internationally. I remember from my auditing class that an auditor’s legal liability may differ from state to state, and that federal laws, which are different, may take precedence over state laws. In this litigious environment, how does the firm plan to adequately protect itself with this apparent patchwork of different laws?” Sharon turns to Josh, asking him what he thinks about this question. Josh answers that one defense that is virtually universal is the due diligence defense. W&S Partners has invested significant time and effort in developing a strong system of quality control. If the firm’s working papers show that the auditors have used due diligence in carrying out their audit, the firm should be able to fend off legal liability. Sharon agrees with Josh. “It is very important that we follow professional standards at all times.”

Before You Go On
9.1 What transactions are covered by the Securities Act of 1933? Develop examples of transactions
that are, and are not, covered by this Act.
9.2 What is the burden of proof for the plaintiff and the defendant auditor under the Securities
Act of 1933? Explain in the context of the BarChris case.
9.3 Explain the conditions of auditor liability under Rule 10(b)-5 of the 1934 Securities Exchange
Act. What were the findings under this section as they related to the Hochfelder case?
9.4 What is proportionate liability under the Private Securities Reform Act of 1995? What finding
is important for a defendant to obtain the benefits of proportionate liability?
9.5 Explain how SOX significantly changed the audit environment for auditors.
9.6 Explain how criminal liability is different from civil liability. Illustrate your discussion with
the results of actual cases.

Learning Objectives Review


1  Explain what it means to be a professional and how these traits apply to auditors.

The term professional is often used loosely in various contexts. Robert Mautz talked articulately about the difference between the expert competitor (EC) professional and the concern for the public interest (CPI) professional. Auditors fall into the category of CPI professionals. CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society. Auditors are granted an exclusive license to perform audits in exchange for their responsibility to the public to provide reasonable assurance that financial statements are free of material misstatements.

2  Explain the structure of the AICPA Code of Professional Conduct.

The AICPA Code of Professional Conduct applies to all AICPA members as well as to all CPAs in many states. The Code consists of principles, rules, and interpretations. Rules of conduct are enforceable and a CPA must be prepared to justify departures from the rules. Further, members whose conduct departs from interpretations have the burden of justifying the departure in a disciplinary hearing. The Code is also structured into four parts: a preface applicable to all members; Part I, which includes ethical rules for members in public practice; Part II, which includes ethical rules for members in business; and Part III, which includes ethical rules for other members (e.g., non-CPA members of the AICPA).

3  Apply the conceptual framework approach to ethical decision making for members in public practice.

The conceptual framework is designed to assist CPAs in situations that are not addressed in the rules or interpretations of the AICPA Code of Professional Conduct. Illustration 2.2 depicts the five steps a CPA should apply when considering evaluating an ethical situation: (1) identify threats to compliance with rules, (2) evaluate the significance of the threat, (3) identify and apply safeguards, (4) evaluate the effectiveness of the safeguards, and (5) document the threats and safeguards applied. A CPA should judge his or her ethical conduct from the perspective of a reasonable and informed third party.

4  Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity.

The ethical rule on integrity and objectivity requires a CPA to (1) be free of conflicts of interest, (2) not knowingly misrepresent facts, and (3) not subordinate his or her judgment to others.

5  Evaluate the ethical behavior needed to comply with rules of conduct on independence.

A CPA should be both independent in fact (act with integrity and objectivity) and independent in appearance in the eyes of reasonable and informed third parties. It is important for CPAs to understand how independence rules apply to covered members, immediate family members, close relatives, and other professionals in an audit firm. CPAs also need to understand what is prohibited or allowed in terms of investments in an attest client, loans to or from an attest client, employment relationship with an attest client, or the performance of nonattest services for an attest client.

6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards.

The general standards apply to any CPA performing any professional engagement for a client. At a minimum a CPA must have the appropriate professional competence to complete the engagement, use due professional care, adequately plan and supervise the engagement, and obtain sufficient relevant data to support conclusions or recommendations.

7  Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.

It is not possible to cover all the remaining rules of conduct for members in public practice. Illustration 2.1 provides a general outline of the rules of conduct for members in public practice. In particular, you should understand a CPA’s responsibility for complying with accounting principles and the types of engagements and the situations in which it is appropriate for a CPA to accept a commission, a referral fee, or a contingent fee. A CPA must also take care not to disclose confidential client information without the specific consent of the client, and a CPA must be cognizant of specific situations where confidential client information may be disclosed.

8  Evaluate an auditor’s legal liability under common law

Auditors are liable to clients for their negligent actions that result in either breach of contract or tort actions. Auditor liability to third parties under common law varies from state to state. Three important doctrines that address common law to third parties are (1) the primary beneficiaries doctrine, (2) the restatement of torts doctrine, and (3) the foreseeable third parties doctrine. These doctrines explain when an auditor would be liable to third parties for ordinary negligence. Illustration 2.11 identifies important cases discussed in the chapter that address liability to third parties under common law. The auditor’s primary defense under common law is the due care defense, where the auditor’s working papers and documentation show that an audit was performed in accordance with auditing standards generally accepted in the United States.

9  Evaluate an auditor’s legal liability under statutory law.

The auditor’s liability to financial statement users under the Securities Acts of 1933 and 1934 are significantly different, as summarized in Illustration 2.13. Under the 1933 Securities Act, auditors are liable for their negligence to persons who purchased or otherwise acquired a new issue of securities covered by a registration statement that included a material misstatement of fact in the financial statements. Under the 1934 Act, the auditor must be found to intend to deceive or defraud or be guilty of gross negligence to be found liable. Today, investors who suffer damages due to material misstatements in financial statements often find it easier to sue auditors under common law than under the 1934 Securities Act.

The two most important reforms under the Private Securities Litigation Reform Act of 1995 include instituting a system of proportionate liability and a cap on damages into the federal securities laws. In addition, the law imposed new reporting requirements on auditors who detect or otherwise become aware of illegal acts that have a material effect on the financial statements by issuers of securities. The law also instituted a number of other reforms, making it difficult to bring frivolous lawsuits against auditors.

SOX significantly changed the audit environment for both auditors and management. This section of the chapter discusses both nonattest services that are now unlawful for auditors to perform for audit clients, and the PCAOB’s responsibility for setting auditing standards, quality control standards, and independence standards for auditors of public companies. In addition, the section describes the legal liability of management, particularly the CEO and CFO. Knowing and willful violation of SOX can result in fines and imprisonment. Finally, improved systems of internal control are designed to improve the audit environment.

The federal government can bring criminal charges against auditors under the 1933 and 1934 Securities Act for willfully and knowingly making false or misleading statements in reports filed under the Acts. Criminal penalties include fines and imprisonment. Also, state boards of accountancy have the ability and will usually revoke CPA licenses for criminal violations.

Key Terms Review


Adverse interest threat
Advocacy threat
Audit committee
Breach of contract
Close relative
Common law
Covered member
Criminal liability
Due care defense
Due diligence defense
Due professional care
Familiarity threat
Foreseeable parties
Foreseen class
Fraud
Gross negligence
Immediate family member
Independence
Independent in appearance
Independent in fact
Integrity and objectivity
Interpretations
Key position
Management participation threat
Ordinary negligence
Other beneficiaries
Planning and supervision
Primary beneficiary
Principles
Privity of contract
Professional competence
Proportionate liability
Rules of conduct
Scienter
Self-interest threat
Self-review threat
Statutory law
Sufficient relevant data
Third party
Tort
Undue influence threat

Audit Decision-Making Example

Background Information

Lisa Cole is a tax partner in the mid-sized CPA firm of Cole and Bayless LLP. Cole and Bayless LLP has been doing significant tax work and advising the owners of Aiwa Hardware on business restructuring over the last two years. Lisa’s husband, Perry, is one of six investors and owners of Aiwa Hardware. As a result, a conflict of interest was identified and disclosed to the owners of Aiwa Hardware. Lisa has not been allowed to have any connection to, or influence on, the tax or business restructuring engagements for Aiwa Hardware, and a second partner reviewed these engagements to ensure the firm acted with integrity and objectivity. Aiwa Hardware owes Cole and Bayless LLP $200,000 in fees for the tax and restructuring work.

On December 1, 2021, after significant discussions between Fifth State Bank and the owners of Aiwa Hardware, the bank will require audited financial statements from Aiwa Hardware for the year ended December 31, 2022. Aiwa Hardware has not been audited before and the only financial information used by the bank have been tax returns.

After discussions on December 3, 2021, involving Aiwa Hardware’s owners and the accounting firm’s managing partner Rick Bayless, the following conclusions are reached: (a) Perry Cole will sell his share to the other five investors and owners of Aiwa Hardware for cash as of December 15, 2021, and will discontinue any participation in the business as of that date and (b) Rick Bayless will accept an offer from the remaining owners of Aiwa Hardware to give Cole and Bayless, LLP a secured, interest-bearing note dated December 15, 2021, in settlement of the outstanding account receivable to the CPA firm with repayment terms over 3 years.

On May 1, 2022, Rick Bayless and Lee Aiwa sign an engagement letter for Cole and Bayless LLP to do the audit of Aiwa Hardware for the year ended December 31, 2022.

Identify the Ethics Issue(s)

Identify any threats to ethical behavior on the part of Cole and Bayless LLP. Also address the significance of the threats and any safeguards that can be put in place to reduce the threat to an acceptable level.

Gather Information and Evidence

Ethical threats include:
•  A familiarity threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)—exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021.
•  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)—exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021.
•  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)—exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument as of December 15, 2021.
•  A self-interest threat presents a conflict of interest and a threat to independence (ET 1.120.010.16)—exists because Cole and Bayless LLP has direct investment in Aiwa Hardware in the form of a secured debt instrument, as of December 15, 2021.

Analysis and Evaluation of Alternatives

•  Cole and Bayless LLP does not need to be independent to do tax work or consulting work (advising on business restructuring). It does need to be independent to do any attest work, including auditing the financial statements of Aiwa Hardware.
•  The fact that Lisa Cole’s conflict of interest is disclosed to the client; she is not allowed to perform any work, or influence the work for Aiwa Hardware; and a second partner reviews the work for Aiwa Hardware is sufficient to ensure the integrity and objectivity of the firm with respect to performing tax and consulting services for Aiwa Hardware (ET 1.110.010).
•  Lisa’s husband sells his ownership interest in Aiwa Hardware and discontinues any participation in the Aiwa Hardware business prior to the period under audit beginning January 1, 2022. This eliminates the familiarity and self-interest threats associated with his ownership interest for periods beginning after January 1, 2022.
•  A self-interest threat presents a conflict of interest, and a threat to independence exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument. No safeguard (ET 1.210.010.02) can be put in place to safeguard this threat and Cole and Bayless LLP is not independent with respect to performing any attest work for Aiwa Hardware, including an audit. The independence of Cole and Bayless LLP is impaired. The fact that the relationship is known by Aiwa Hardware does not eliminate the threat to independence.

Ethical Conclusions

Cole and Bayless can continue to perform tax and consulting engagements for Aiwa Hardware. However, the firm cannot perform any attest engagements because the firm is not independent. There is no safeguard to the self-interest threat created by the direct investment in Aiwa Hardware.


Multiple-Choice Questions
1.  (LO 1)  A key aspect of the “concern for the public interest” definition of a professional is:
a.  the level of professional expertise of the professional.
b.  the fact that there are situations where professionals must put the interest of society ahead of the interest of their clients or their own well-being.
c.  the incorporation of this definition into the Sarbanes-Oxley Act of 2002.
d.  the unique ability of CPAs to sign attest reports.

2.  (LO 2)  Which of the following statements is true about interpretations of the AICPA Code of Professional Conduct?
a.  Interpretations are not enforceable by the AICPA in a disciplinary matter.
b.  Interpretations are strictly enforceable by the AICPA in a disciplinary matter.
c.  Interpretations are strictly enforceable by the AICPA and all state boards of accountancy in a disciplinary matter.
d.  An AICPA member who departs from an interpretation has the burden of justifying a departure in any disciplinary hearing.

3.  (LO 3)  In the conceptual framework to the AICPA Code of Professional Conduct, a self-interest threat is:
a.  the threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client.
b.  the threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests.
c.  the threat that a CPA will take on the role of client management or otherwise assume management responsibilities.
d.  the threat that a CPA will promote a client’s interests or position to the point that the CPA’s objectivity or independence is compromised.

4.  (LO 4)  A CPA would violate the AICPA rule on integrity and objectivity if:
a.  a CPA in industry knowingly misrepresented the earnings of the company he worked for.
b.  a CPA in public practice represented both the buyer and seller in helping the parties negotiate the sale (purchase) of a business.
c.  a CPA who was an audit staff member subordinated his or her judgment to that of the audit partner.
d.  All of the answers are violations of the AICPA rule on integrity and objectivity.

5.  (LO 5)  According to the profession’s ethical standards, an auditor would be considered independent in which of the following instances?
a.  A professional employee, who does not work on the audit, has a spouse who is a marketing manager for an audit client.
b.  The auditor is also an attorney who advises the client as its general counsel.
c.  An employee of the auditor donates service as treasurer of a charitable organization that is a client.
d.  The client owes the auditor fees for two consecutive annual audits.

6.  (LO 5)  A CPA who is a “covered person” purchased stock in a client corporation and placed it in a trust as an educational fund for the CPA’s minor child. The trust securities were not material to the CPA but were material to the child’s personal net worth. Would the independence of the CPA be considered impaired with respect to the client?
a.  Yes, because the stock would be considered an indirect financial interest that is material to the CPA’s child.
b.  No, because the CPA would not be considered to have a direct financial interest in the client.
c.  Yes, because the stock would be considered a direct financial interest and, consequently, materiality is not a factor.
d.  No, because the CPA would not be considered to have a material indirect financial interest in the client.

7.  (LO 5)  Under the AICPA ethics rules on independence, which of the following individuals would not be a covered member?
a.  A consulting manager in another office who provides 100 hours of non-audit services to the audit client.
b.  A partner in the same office as the lead partner who provides no services to the audit client.
c.  A partner in another office who evaluates partner performance and compensation, but provides no services to the audit client.
d.  A tax partner in another office who provides 9 hours of tax services to the audit client.

8.  (LO 5)  Which of the following best describes the independence requirements for a close relative of a covered member?
a.  A close relative cannot have an immaterial, direct investment in an audit client.
b.  A close relative cannot have a loan from an audit client.
c.  A close relative cannot hold a key position with an audit client.
d.  A close relative cannot have an immaterial, indirect investment in an audit client.

9.  (LO 6)  The essence of the due care standard is that the auditor should not be guilty of:
a.  bias.
b.  errors in judgment.
c.  fraud.
d.  negligence.

10.  (LO 7)  Without the consent of the client, a CPA should not disclose confidential client information contained in working papers to a:
a.  voluntary quality control review board.
b.  CPA firm that is a likely successor auditor.
c.  federal court that has issued a valid subpoena.
d.  disciplinary body created under state statute.

11.  (LO 8)  If a stockholder sues a CPA for common law fraud based on false statements contained in the financial statements audited by the CPA, which of the following is the CPA’s best defense?
a.  The CPA did not financially benefit from the alleged fraud.
b.  There was contributory negligence of the client.
c.  The stockholder lacks privity to sue.
d.  The auditor followed GAAS.

12.  (LO 8)  Starr Corp. approved a plan of merger with Silo Corp. One of the determining factors in approving the merger was the strong financial statements of Silo, which were audited by Cox & Co., CPAs. Starr had engaged Cox to audit Silo’s financial statements. While performing the audit, Cox failed to discover material fraud, which subsequently caused Starr to suffer substantial losses. For Cox to be liable under common law under the Ultramares decision, Starr, at a minimum, must prove that Cox:
a.  was a party to the fraud.
b.  acted recklessly or with a lack of reasonable grounds for belief.
c.  failed to exercise due care.
d.  was grossly negligent.

13.  (LO 9)  When a plaintiff is suing the auditor for damages under Rule 10(b)-5 of the 1934 Securities Act, which of the following is not part of the plaintiff’s burden of proof?
a.  The financial statements contained a material, factual misrepresentation or omission.
b.  The auditor was negligent.
c.  The plaintiff relied on the financial statements.
d.  Damages were suffered as a result of reliance on the financial statements.

14.  (LO 9)  One of the elements necessary to recover damages if there has been a material misstatement in a registration statement filed pursuant to the Securities Act of 1933 is that:
a.  there was a material false or misleading statement in the financial statements.
b.  the plaintiff knew the auditor.
c.  issuer and plaintiff were in privity of contract with each other.
d.  issuer failed to exercise due care in connection with the sale of the securities.

Review Questions
R2.1  (LO 1)  Explain the “public interest” in the work performed by auditors.

R2.2  (LO 1)  There are a series of characteristics associated with CPI professionals. Explain how they apply to architecture and to public accounting.

R2.3  (LO 2)  Explain the differences between Parts 1, 2, and 3 of the AICPA Code of Professional Conduct.

R2.4  (LO 2, 3)  Assume that a CPA has an opportunity to bid on a new audit client. The accounting firm is being considered because the CPA’s best friend from college is the CFO of the potential client. Apply the conceptual framework for members in public practice to this situation. Explain any threats involved and whether any safeguards can be applied to reduce the threat to an acceptable level.

R2.5  (LO 2, 3)  Assume that a CPA has just received a new audit client. The client will be the firm’s largest audit client, and the firm will have to hire one new staff member to staff the engagement. The fees will represent 25% of the firm revenues. Apply the conceptual framework for members in public practice to this situation.

R2.6  (LO 4)  Explain the rule on integrity and objectivity. Give examples of conflicts of interest, knowingly misrepresenting facts, or subordinating judgment.

R2.7  (LO 5)  Is it appropriate for an audit firm to ask questions of an employee about his or her investments or the investments of his or her spouse? Why or why not?

R2.8  (LO 3, 5)  What independence problems are created when an audit manager is approached by a private company audit client, which he or she audits, to become the company’s CFO? Are there appropriate safeguards that can be put in place to protect the audit firm’s independence?

R2.9  (LO 5)  List three situations in which the SEC and PCAOB independence rules are stricter than the AICPA rules. Give an example of each.

R2.10  (LO 6)  The AICPA rule on general standards identifies four aspects of professional behavior. Identify each of the four aspects and develop an example illustrating the violation of each aspect.

R2.11  (LO 7)  Henry Owens, CPA works in a local accounting firm. He is the tax manager on a major client in the office. The firm prepares compiled financial statements for the client on a quarterly basis. The client was impacted by the BP oil spill off the Gulf coast, and the client would like to engage Henry to help the business prepare a claim for damages from BP. The client would like to pay Henry on a contingent fee basis where Henry and his firm would receive 15% of any amounts recovered in a settlement with BP. Henry would receive no fee unless amounts are recovered. Can Henry accept this engagement? Why or why not?

R2.12  (LO 8)  What does a third-party user of financial statements have to prove under common law in a suit against an auditor for the auditor’s negligence? Illustrate each item with an example.

R2.13  (LO 8)  John Rodrigeuz purchased newly issued bonds of Fly By Night Airlines in the primary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does John have to prove in a lawsuit against Fly By Night’s auditors?

R2.14  (LO 9)  Mary Chen purchased shares of Fly By Night Airlines in the secondary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does Mary have to prove in a lawsuit against Fly By Night’s auditors?

Analysis Problems
AP2.1  (LO 2, 3)  Basic   Framework for ethical decision making  Assume that you are the audit
partner on an engagement for a client that has had a string of operating losses. You know the CFO, who
is a former audit manager of your firm. The company still has a positive net worth, but you are worried
that the company might have to close down within the next year or so. When you tell the CFO that the
company should make full disclosure in the notes concerning substantial doubt about the company’s
ability to continue as a going concern, your colleague says, “Hogwash! There’s no substantial doubt. The
probability of our having to close down is remote. We’ll make no such disclosure. To do so would only
make our customers and creditors nervous, possibly making such a disclosure a self-fulfilling prophecy.
Our competitors are as bad off as we are, and their auditors aren’t making them send out a distress
signal.” You agree that the determination of “substantial doubt” is a judgment call.

Required
Apply the five-step Conceptual Framework for Members in Public Practice to this dilemma.

AP2.2  (LO 5)  Moderate   Independence  The attribute of independence has been traditionally associated
with the CPA’s function of auditing and expressing opinions on financial statements.

Required
a. What is meant by “independence” as applied to the CPA’s function of auditing and expressing opinions
on financial statements? Discuss.
b. The Wallydrug Company is indebted to a CPA for unpaid fees and has offered to issue to the CPA
unsecured interest-bearing notes. Would acceptance of these notes have any bearing on the CPA’s
independence with respect to Wallydrug Company? Discuss.
c. The Rocky Hill Corporation was formed on October 1, 2021, and its fiscal year will end on September
30, 2022. You audited the corporation’s opening balance sheet and rendered an unqualified opinion
on it. A month after rendering your report, you are offered the position of secretary of the board of
directors because of the need for a complete set of officers and for convenience in signing various
documents. You will have no financial interest in the company through stock ownership or otherwise,
will receive no salary, will not keep the books, and will not have any influence on its financial
matters other than occasional advice on income tax matters and similar advice normally given a
client by a CPA.
1. Assume that you accept the offer but plan to resign the position prior to conducting your annual
audit, with the intention of again assuming the office after rendering an opinion on the statements.
Can you render an independent opinion on the financial statements? Discuss.
2. Assume that you accept the offer on a temporary basis until the corporation has gotten under way
and can find a replacement for secretary of the board of directors. In any event, you would permanently
resign the position before conducting your annual audit. Can you render an independent
opinion on the financial statements? Discuss.

AP2.3  (LO 5)  Challenging   Public Company   Research   Independence  Jones and Jones,
CPA, has a manufacturing client, Widgit Technologies, Inc. (WTI), that is a small, owner-managed business
with annual revenues of approximately $8 million. WTI employs a bookkeeper but is not large
enough to employ a CPA in-house. WTI regularly asks Margaret Jones, the partner on the engagement,
for advice on accounting issues, and Jones and Jones drafts the financial statements for the company. The
client reviews the financial statements before they are printed by Jones and Jones with an audit opinion
attached.
During the current year, WTI asked Jones and Jones to assist the company by rendering a business
valuation service. WTI is asking Jones and Jones to (1) estimate the value of WTI and (2) consult with
WTI in the form of making recommendations on steps that WTI can take that will grow the value of the
business.

Required
a. Since Jones and Jones is preparing the financial statements for WTI, is Jones and Jones independent
with respect to WTI? What conditions, if any, must Jones and Jones meet in order to be independent
with respect to WTI?
b. Would Jones and Jones be independent if WTI were a public company subject to SEC rules and
regulations? Explain your reasoning.
c. Can Jones and Jones take on the business valuation services and consulting engagement and remain
independent with respect to WTI? Explain your reasoning.
d. Can Jones and Jones take on the business valuation services and consulting engagement if WTI
were a public company subject to SEC rules and regulations? Explain your reasoning.

AP2.4  (LO 4, 5, 6, 7)  Moderate   Research   Rules of conduct  In the practice of public accounting,
an auditor who is a member of the AICPA is expected to comply with the rules of the AICPA Code
of Professional Conduct. Listed below are circumstances that raise a question about an auditor’s ethical
conduct.

  1. The auditor has a bank loan with a bank that is an audit client.
  2. An unqualified opinion is expressed when the financial statements of a county are prepared in
conformity with principles established by the Governmental Accounting Standards Board.
  3. An auditor retains the client’s records as a means of enforcing payment of an overdue audit fee.
  4. The auditor makes retirement payments to individuals who formerly were members of his firm.
  5. An auditor sells her shares of stock in a client company in April prior to beginning work on the audit
for the year ending December 31.
  6. An auditor accepts an engagement knowing that he does not have the expertise to do the audit.
  7. The auditor quotes a client an audit fee but also states that the actual fee will be contingent on the
amount of work done.
  8. The auditor’s firm states in a newspaper advertisement that it has had fewer lawsuits than its
principal competitors.
  9. The auditor resigns her position as treasurer of the client on May 1, prior to beginning the audit for
the year ending December 31.
10. The auditor discloses confidential information about a client to a successor auditor.
11. The auditor accepts an audit engagement when he has a conflict of interest.
12. An auditor prepares a small brochure containing testimonials from existing clients that he mails to
prospective clients.
13. An auditor complies with the technical standards of the Accounting and Review Services Committee
in reviewing the financial statements of a non-public entity.
14. An auditor audits the financial statements of a local bank and also serves on the bank’s committee
that approves loans.
15. An auditor pays a commission to an attorney to obtain a client.

Required
a. Identify the rule of the AICPA Code of Professional Conduct that applies to each circumstance
(available at the AICPA website, www.aicpa.org).
b. Indicate for each circumstance whether the effect on the rule is (1) a violation, (2) not a violation, or
(3) indeterminate. Give the reason(s) for your answer.

AP2.5  (LO 4, 5, 6, 7)  Moderate   Research   Ethical issues  Gilbert and Bradley formed a corporation
called Financial Services, Inc., each taking 50% of the authorized common stock. Gilbert is a CPA
and a member of the American Institute of CPAs. Bradley is a CPCU (Chartered Property Casualty
Underwriter). The corporation performs auditing and tax services under Gilbert’s direction and insurance
services under Bradley’s supervision. The opening of the corporation’s office was announced by a
three-inch, two-column ad in the local newspaper.
One of the corporation’s first audit clients was the Grandtime Company. Grandtime had total assets
of $600,000 and total liabilities of $270,000. In the course of the audit, Gilbert found that Grandtime’s
building with a book value of $240,000 was pledged as security for a 10-year term note in the amount of
$200,000. The client’s statements did not mention that the building was pledged as a security for the note.
However, as the failure to disclose the lien did not affect either the value of the assets or the amount of
the liabilities and the audit was satisfactory in all other respects, Gilbert rendered an unqualified opinion
on Grandtime’s financial statements. About two months after the date of the opinion, Gilbert learned that
an insurance company was planning a loan to Grandtime of $150,000 in the form of a first-mortgage note
on the building. Realizing that the insurance company was unaware of the existing lien on the building,
Gilbert had Bradley notify the insurance company of the fact that Grandtime’s building was pledged as
security for the term note.
Shortly after the events described above, Gilbert was charged with a violation of professional ethics.

Required
Identify and discuss the ethical implication of those acts by Gilbert that were in violation of the AICPA
Code of Professional Conduct (available at the AICPA website, www.aicpa.org).

AP2.6  (LO 4, 5, 6, 7)  Challenging   Research   Ethical issues  The following situations involve
Herb Standard, staff accountant with the regional accounting firm of Cash & Green:
1. The bookkeeper of Ethical Manufacturing Company resigned two months ago and has not yet been
replaced. As a result, Ethical’s transactions have not been recorded and the books are not up to date.
To comply with terms of a loan agreement, Ethical needs to prepare interim financial statements but
cannot do so until the books are posted. Ethical looks to Cash & Green, its independent auditors, for
help and wants to borrow Herb Standard to perform the work. Ethical wants Herb because he did its
audit last year.
2. Herb Standard discovered that his client, Ethical Manufacturing Company, materially understated
net income on last year’s tax return. Herb informs his supervisor about this and the client is asked
to prepare an amended return. The client is unwilling to take corrective measures. Herb informs the
Internal Revenue Service.
3. While observing the year-end inventory of Ethical Manufacturing Company, the plant manager offers
Herb Standard a fishing rod, which Ethical manufactures, in appreciation for a job well done.
4. Herb Standard’s acquaintance, Joe Lender, is chief loan officer at Local Bank, an audit client of Cash
& Green. Herb approaches Joe for an unsecured loan from Local Bank and Joe approves the loan.
5. Herb Standard is a member of a local investment club composed of college fraternity brothers. The
club invests in listed stocks and is fairly active in trading. Last week the club purchased the stock of
Leverage Corp., a client of another Cash & Green office. Herb has no contact with the members of
this office.

Required
For each situation, (a) identify the ethical issues that are involved and (b) discuss whether there has or
has not been any violation of ethical conduct. Support your answers by reference to the rules of the
AICPA Code of Professional Conduct, available at the AICPA website (www.aicpa.org).

AP2.7  (LO 8)  Moderate   Common law  Tyler Corp. is insolvent. It has defaulted on the payment
of its debts and does not have assets sufficient to satisfy its unsecured creditors. Slade, a supplier of raw
materials, is Tyler’s largest unsecured creditor and is suing Tyler’s auditors, Field & Co., CPAs. Slade
had extended $2 million of credit to Tyler based on the strength of Tyler’s audited financial statements.
Slade’s complaint alleges that the auditors were either (1) negligent in failing to discover and disclose
fictitious accounts receivable created by management or (2) committed fraud in connection with Tyler.
Field believes that Tyler’s financial statements were prepared in accordance with GAAP and, therefore,
its opinion was proper. Slade has established that:
•  The accounts receivable were overstated by $10 million.
•  Total assets were reported as $24 million, of which accounts receivable were $16 million.
•  The auditors did not follow their own audit program, which required that confirmation requests
be sent to an audit sample representing 80% of the total dollar amount of outstanding receivables.
Confirmation requests were sent to only 45%.
•  The responses that were received represented only 20% of the total dollar amount of outstanding
receivables. This was the poorest response in the history of the firm, the next lowest being 60%. The
manager in charge of the engagement concluded that further inquiry was necessary. This recom-
mendation was rejected by the partner in charge.
•  F
 ield had determined that a $300,000 account receivable from Dion Corp. was nonexistent. Tyler’s
explanation was that Dion had reneged on a purchase contract before any products had been shipped.
At Field’s request, Tyler made a reversing entry to eliminate this overstatement. However, Field ac-
cepted Tyler’s explanation as to this and several similar discrepancies without further inquiry.
Slade asserts that Field is liable as a result of both negligence and fraud in conducting the audit.

Required
Discuss Slade’s assertions and the defenses that might be raised by Field, setting forth reasons for any
conclusions stated.

AP2.8  (LO 8)  Challenging   Common law  Astor Inc. purchased the assets of Bell Corp. A condition
of the purchase agreement required Bell to retain a CPA to audit Bell’s financial statements. The purpose
of the audit was to determine whether the unaudited financial statements furnished to Astor fairly presented
Bell’s financial position. Bell retained Winston & Co., CPAs, to perform the audit.
While performing the audit, Winston discovered that Bell’s bookkeeper had embezzled $500. Winston
had some evidence of other embezzlements by the bookkeeper. However, Winston decided that the $500 was
immaterial and that the other suspected embezzlements did not require further investigation. Winston did
not discuss the matter with Bell’s management. Unknown to Winston, the bookkeeper had, in fact, embezzled
large sums of cash from Bell. In addition, the accounts receivable were significantly overstated. Winston
did not detect the overstatement because of Winston’s inadvertent failure to follow its audit program.
Despite the foregoing, Winston issued an unqualified opinion on Bell’s financial statements and furnished
a copy of the audited financial statements to Astor. Unknown to Winston, Astor required financing
to purchase Bell’s assets and furnished a copy of Bell’s audited financial statements to City Bank to obtain
approval of the loan. Based on Bell’s audited financial statements, City loaned Astor $600,000.
Astor paid Bell $750,000 to purchase Bell’s assets. Within six months, Astor began experiencing
financial difficulties resulting from the undiscovered embezzlements and overstated accounts receivable.
Astor later defaulted on the City loan.
City has commenced a lawsuit against Winston based on the following causes of action:
•  Constructive fraud.
•  Negligence.

Required
In separate paragraphs, discuss whether City is likely to prevail on the causes of action it has raised,
setting forth reasons for each conclusion.

AP2.9  (LO 9)  Moderate   Public Company   Statutory law—1933 Act  Dandy Container Corporation
engaged the accounting firm of Adams and Adams to audit financial statements to be used in
connection with a public offering of securities. The audit was completed, and an unqualified opinion was
expressed on the financial statements that were submitted to the Securities and Exchange Commission
along with the registration statement. Two hundred thousand shares of Dandy Container common stock
were offered to the public at $11 a share. Eight months later, the stock fell to $2 a share when it was disclosed
that several large loans to two “paper” corporations owned by one of the directors were worthless. The loans
were secured by the stock of the borrowing corporation that was owned by the director. These facts were not
disclosed in the financial statements. The director involved and the two corporations are insolvent.

1. The Securities Act of 1933 applies to the above-described public offering of securities in interstate
commerce.
2. The accounting firm has potential liability to any person who acquired the stock in reliance on the
registration statement.
3. The accountants could avoid liability if they could show they were neither negligent nor fraudulent.
4. The accountants could avoid or reduce the damages asserted against them if they could establish
that the drop in price was due in whole or in part to other causes.
5. The Dandy investors would have to institute suit within one year after discovery of the alleged
untrue statements or omissions.
6. The SEC would defend any action brought against the accountants in that the SEC examined and
approved the registration statement.
7. Although Adams and Adams knew of the loans, and related collateral, and concluded that they did
not need to be disclosed, they can still sustain the claim that they are only proportionally liable for any
damages suffered by shareholders because the financial statements are management’s responsibility.

Required
Indicate whether each of the above statements is true or false under statutory law. Give the reason(s) for
your answer.

AP2.10  (LO 8, 9)  Challenging   Public Company   Statutory law; common law

Part I:
The common stock of Wilson, Inc. is owned by 10,000 stockholders who live in several states. Wilson’s
financial statements as of December 31, 2021, were audited by Doe & Co., CPAs, who rendered an unqualified
opinion on the financial statements. In reliance on Wilson’s financial statements, which showed net income
for 2021 of $1.5 million, Peters, on April 10, 2022, purchased 10,000 shares of Wilson stock for $200,000. The
purchase was from a shareholder who lived in another state. Wilson’s financial statements contained material
misstatements. Because Doe did not carefully follow GAAS, it did not discover that the statements failed to
reflect unrecorded expenses that reduced Wilson’s actual net income to $800,000. After disclosure of the
corrected financial statements, Peters sold his shares for $100,000, which was the highest price he could obtain.
Peters has brought an action against Doe under federal securities law and state common law.

Required
Answer the following, setting forth reasons for any conclusions stated:
a. Will Peters prevail on his federal securities law claims?
b. Will Peters prevail on his state common law claims?
Part II:
Able Corporation decided to make a public offering of bonds to raise needed capital. On June 30, 2022,
it publicly sold $2.5 million of 12% debentures in accordance with the registration requirements of the
Securities Act of 1933.
The financial statements filed with the registration statement contained the unqualified opinion
of Baker & Co., CPAs. The statements overstated Able’s net income and net worth. Through negligence
Baker did not detect the overstatements. As a result, the bonds, which originally sold for $1,000 per bond,
have dropped in value to $700.
Ira is an investor who purchased $10,000 of the bonds. He promptly brought an action against Baker
under the Securities Act of 1933.

Required
Setting forth reasons for any conclusions, determine if Will should prevail on his claim under the Securities
Act of 1933.

AP2.11  (LO 8, 9)  Challenging   Public Company   Statutory law; common law  To expand its
operations, Dark Corp. raised $4 million by making a private interstate offering of $2 million in common
stock and negotiating a $2 million loan from Safe Bank. The common stock was properly offered
pursuant to the Securities Act of 1933.
In connection with this financing, Dark engaged Crea & Co., CPAs, to audit Dark’s financial statements.
Crea knew that the sole purpose for the audit was so that Dark would have audited financial statements
to provide to Safe and the purchasers of the common stock. Although Crea conducted the audit
in conformity with its audit program, Crea failed to detect material acts of embezzlement committed by
Dark’s president. Crea did not detect the embezzlement because of its inadvertent failure to exercise due
care in designing its audit program for this engagement.
After completing the audit, Crea rendered an unqualified opinion on Dark’s financial statements.
The purchasers of the common stock relied on the financial statements in deciding to purchase the
shares. In addition, Safe Bank approved the loan to Dark based on the audited financial statements.
Within 60 days after the sale of the common stock and the making of the loan by Safe, Dark was involuntarily
petitioned into bankruptcy. Because of the president’s embezzlement, Dark became insolvent
and defaulted on its loan to Safe. Its common stock became virtually worthless.

•  Actions have been commenced against Crea by the purchasers of the common stock who have asserted
that Crea is liable for damages under Section 10(b) and Rule 10b-5 of the Securities Exchange
Act of 1934.
•  Safe Bank filed suit against Crea & Co. under common law based on Crea’s negligence.

Required
In separate paragraphs, discuss the merits of the actions commenced against Crea, indicating the likely
outcomes and the reasons therefore.

AP2.12  (LO 2, 3, 4, 5)  Challenging   Research   Independence  Johnson and Wiley, CPAs acquires
Fritz and Rufner, CPAs as of January 1, 2022. Johnson and Wiley have audited the financial statements
of Matthews Grocery for the last 5 years. Fritz and Rufner provided nonattest services to Matthews
Grocery that would have been prohibited for Johnson and Wiley. Fritz and Rufner resigned performing
the nonattest services for Matthews Grocery as of December 1, 2021. Matthews Grocery has a calendar
year end of December 31. Do any independence problems exist for Johnson and Wiley for the audits
of Matthews Grocery as of December 31, 2021 and 2022? If so, can safeguards be applied to preserve
Johnson and Wiley’s independence? Explain your answer and cite any professional standards that apply.

Ethical Decision Case


King Companies, Inc.
Question C2.1 is based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. King Companies has gone from two auto parts stores to five stores in the last three years,
and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the
chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares
not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric
started the company with one store after working in an auto parts store. To date, he has funded growth
from an inheritance and investments from a few friends.
Their accounting firm, Thornson & Danforth LLP, has done tax returns for the company, as well as
for the King family, for the last 10 years. Thornson & Danforth is a CPA firm with 55 professionals, which
performs audit and tax services for a number of clients. James Danforth, a tax partner in the CPA firm, is
a long-time friend of Eric and owns 5% of KCI.
In October 2021, Eric opens a conversation with James about upcoming expansion and the plan
to open three to five more stores. Eric has learned this will mean taking on significant debt to fund the
growth. Every lender that Eric has talked with has been impressed with the growth to date with equity,
but the lenders will require an annual audit. Eric asks James if his firm can perform the annual audit.
James explains his concerns about the independence of Thornson & Danforth. Because the expansion
is still in the early planning stages, Eric agrees to purchase James’ 5% stake in KCI in November 2021.
James expects that the first audited financial statements that KCI will need will be for the year ended
December 31, 2022.

C2.1  (LO 3, 5)  Challenging   Research   Application of the conceptual framework  Thornson
& Danforth plans to continue to prepare tax returns for KCI and the King family. The firm also plans to
perform the audit for the year ended December 31, 2022.
a.  Identify any ethics issues that exist.
b.  Gather appropriate information for each ethical issue.
c.  Analyze the relevant information for each ethical issue and evaluate the alternatives.
d.  Draw a conclusion about each ethical issue and explain your reasoning. Cite appropriate references
from the AICPA Code of Professional Conduct (available at the AICPA website, www.aicpa.org).

Cloud 9 - Continuing Case


Sharon Gallagher, Josh Thomas, and Jo Wadley work for the audit firm W&S Partners. Sharon is an audit manager, Josh is an audit senior, and Jo is an audit partner. They meet to discuss the results of a survey of other offices of W&S Partners, as well as their own office. The survey was directed toward determining if W&S Partners had any independence problems with respect to a new prospective client, Cloud 9 Inc. Based on the survey, they learn the following:
•  Jo Wadley and David Collier (Cloud 9’s CFO) both serve on the board of directors of the local chapter of Special Olympics.
•  A tax senior in another office has a sister that consults with Cloud 9 on shoe design. Cloud 9 is her largest client.
•  Fifteen employees of W&S Partners, ranging from partners to entry-level staff, own shares in retailers that sell Cloud 9 shoes.
•  A survey shows that 23% of professional staff working for W&S Partners have purchased Cloud 9 shoes in the past.

Required
Evaluate each of the items above and their impact on the independence of W&S Partners with respect to Cloud 9. If relevant, list any additional actions you might take before making your independence recommendation to Jo Wadley.
Chapter 3
Risk Assessment Part I
Audit Risk and Audit Strategy

The Audit Process

[Figure: flowchart of the audit process, with the chapter that covers each stage]

Overview of Audit and Assurance (Chapter 1)
Professionalism and Professional Responsibilities (Chapter 2)
Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4)
•  Gaining an Understanding of the Client
•  Identify Significant Accounts and Transactions
•  Set Planning Materiality
•  Make Preliminary Risk Assessments
Gaining an Understanding of the System of Internal Control (Chapter 6)
Develop Responses to Risk and an Audit Strategy
Audit Evidence (Chapter 5)
Audit Data Analytics (Chapter 7)
Performing Tests of Controls (Chapter 8)
Performing Substantive Procedures (Chapter 9)
Audit Sampling for Substantive Tests (Chapter 10)
Auditing the Revenue Process (Chapter 11)
Auditing the Purchasing and Payroll Processes (Chapter 12)
Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
Completing and Reporting on the Audit (Chapters 14 and 15)
•  Procedures Performed Near the End of the Audit
•  Drawing Audit Conclusions
•  Reporting


Learning Objectives

LO 1  Evaluate client acceptance and continuance decisions.
LO 2  Identify the different phases of an audit.
LO 3  Explain and apply the concept of materiality.
LO 4  Explain professional skepticism and apply the audit risk model.
LO 5  Explain how auditors determine their audit strategy and how audit strategy affects audit decisions.
LO 6  Explain the fraud risk assessment process and analyze fraud risk.

Auditing and Assurance Standards

PCAOB

AS 1015  Due Professional Care in the Performance of Work
AS 1101  Audit Risk
AS 1301  Communications with Audit Committees
AS 2101  Audit Planning
AS 2105  Consideration of Materiality in Planning and Performing an Audit
AS 2110  Identifying and Assessing Risks of Material Misstatement
AS 2301  The Auditor’s Responses to the Risks of Material Misstatement
AS 2401  Consideration of Fraud in a Financial Statement Audit
AS 2610  Initial Audits—Communication Between Predecessor and Successor Auditors

Auditing Standards Board

AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards
AU-C 210  Terms of Engagement
AU-C 240  Consideration of Fraud in a Financial Statement Audit
AU-C 300  Planning an Audit
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 320  Materiality in Planning and Performing an Audit
AU-C 330  Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained
QC 10  A Firm’s System of Quality Control

Cloud 9 - Continuing Case


Sharon and Josh have already discussed some specific client acceptance issues, such as independence threats and safeguards. Sharon explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform and document procedures that are likely to provide information about the client’s integrity. Josh is a little skeptical. “Do you mean that we should ask them if they are honest?” Sharon suggests it is probably more useful to ask others, and the key people to ask are the existing auditors. Josh is still skeptical. “The existing auditors are Ellis & Associates. Are they going to help us take one of their clients from them?” Sharon says the client must give permission first, and, if that is given, the existing auditor will usually state whether or not there were any issues that the new auditor should be aware of before accepting the work. This type of communication is covered by AS 2610 (AU-C 210 for private company clients) and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on anything that may indicate poor management integrity.

Sharon emphasizes they must perform and document procedures to determine whether W&S Partners is competent to perform the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time.

In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.

Chapter Preview: Audit Process in Focus


This chapter marks the beginning of our overview of how an audit is conducted. First, we
consider the factors that impact an auditor’s client acceptance/continuation decision. The first
step for any audit is the decision to accept a company as a new audit client or to continue as
the auditor of an existing client.
Risk assessment is an important topic that we will cover in this and the next chapter.
This chapter begins with a discussion of the different phases (or stages) of the audit: (1) the risk
assessment phase, (2) the risk response phase (where the detailed work is conducted), and
(3) the reporting phase (where the audit opinion is formed). In the risk assessment phase,
auditors adopt a broad view of the client as a whole and the industry in which it operates. In
this context, auditors obtain a more detailed understanding of the client in the early stages of
each audit; that knowledge drives the audit planning decisions about the nature, extent, and
timing of audit evidence to collect. Auditors cannot economically audit everything; therefore,
the concepts of materiality, professional skepticism, and audit risk guide auditors in deciding
which areas of the financial statements are most important to examine. Ultimately, auditors
will develop a detailed audit strategy for the execution of the audit.
This chapter concludes with a discussion of the assessment of fraud risk, which is part
of the risk assessment phase of the audit. We will cover the remainder of the risk assessment
procedures in Chapter 4.

Client Acceptance and Continuance Decisions


Learning Objective 1
Evaluate client acceptance and continuance decisions.

The first stage of any audit is the client acceptance or continuance decision. While the deci-
sion to take on a new client is more detailed than the decision to continue with an existing
client, they have much in common. QC 10 A Firm’s System of Quality Control provides guid-
ance on the procedures used when making the client acceptance or continuance decision.
Illustration 3.1 summarizes factors that influence client acceptance and retention decisions
and these factors are discussed below.

Illustration 3.1   Factors that influence client acceptance and retention

Positive Factors Influencing Client Acceptance and Retention Decisions | Factors That Influence Client Acceptance and Retention | Negative Factors Influencing Client Acceptance and Retention Decisions
Management shows integrity in business and accounting decisions. | Integrity of management | Concerns exist about the integrity of management in business and accounting decisions.
Management places a premium on representational faithfulness of accounting information. | | Management is preoccupied with meeting specific accounting numbers.
The firm has expertise to perform services requested by the client or has access to specialists that can meet client needs. | Competence issues | The firm does not have expertise needed to provide the full scope of services requested by the client, or does not have affiliation with specialists to meet client needs.
No independence problems exist, or independence problems can be resolved prior to client acceptance. | Independence issues | Independence and conflict of interest issues exist that cannot be resolved prior to client acceptance.
There are minimal regulatory reporting requirements. | Special circumstance and unusual risks | There are significant regulatory reporting requirements with close monitoring by regulators.
The client is financially stable and profitable, with no significant concerns about debt covenants. | | The client is experiencing profitability issues, weak cash flows, and is close to violation of debt covenants.
No scope limitations exist. | | The client voices significant concerns about the scope of audit work.
The entity has a strong accounting system with good internal controls. | | The entity has a weak accounting system with few internal controls.

You may be wondering why the decision to take on a new client or continue with an
existing client is such a big deal. More clients mean more revenue for the accounting firm, so
why not accept all client engagement opportunities? The answer is because being associated
with a “bad client” can damage the firm’s reputation, which causes the public to lose trust
in the firm. A good example of this situation is the accounting firm Arthur Andersen LLP
(“Andersen”), formerly one of the largest firms in the world. In the 1990s and early 2000s,
several of Andersen’s clients were investigated by the Securities and Exchange Commission
(SEC) for accounting fraud, the most well-known being Enron and WorldCom. Andersen
was convicted of a felony (obstruction of justice) in the Enron case, but that was reversed by
the Supreme Court in 2005.[1] With the felony conviction overturned, Andersen could resume
operations and audit public company clients. That has not happened. Why? The damage to
the Andersen reputation was so severe that companies do not want to be associated with the
Andersen name.
One of the key factors that influences the client acceptance decision is the assessment of
the integrity of the client’s management. When assessing management integrity, the auditor
will consider the following factors:

•  The reputation of the client, its management, directors, and key stakeholders.
•  Client’s reasons for switching audit firms, if the company was previously audited.
•  Management’s attitude to risk exposure.
•  Management’s attitude to the implementation and maintenance of adequate internal
controls.
•  The appropriateness of management’s interpretation of accounting rules.
•  Management’s willingness to allow the auditors full access to client personnel, records,
and information required to form their opinion.

How do auditors gather information on these factors? Information is gathered primarily through communication with individuals internal and external to the prospective client. Some of the key communications are as follows:

•  Communication with the previous auditor, if the company was previously audited. (AU-C 210 Terms of Engagement and AS 2610 Initial Audits—Communications Between Predecessor and Successor Auditors require that the auditor obtain permission from the prospective client before communicating with the predecessor, or previous, auditor. If that permission is not granted, the auditor should consider the implications of that refusal when deciding whether to accept the engagement (AU-C 210.11). Illustration 3.2 lists the types of inquiries the auditor should make of the predecessor auditor.)
•  Communication with client personnel.
•  Communication with third parties such as client bankers and lawyers.
•  Communication with the client’s industry peers.
•  Review of newspaper and magazine articles about the client, or articles in industry trade journals.

[1] Arthur Andersen LLP vs. United States (04-368) 544 U.S. 696 (2005).

Illustration 3.2   Communication with the predecessor auditor

Inquiries of the predecessor auditor may be oral or written and should include:
1. Information that might bear on the integrity of management.
2. Disagreements with management about accounting policies, auditing procedures, or other significant matters.
3. Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity.
4. Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control.
5. The predecessor auditor’s understanding about the reasons for the change of auditors.

Source: AU-C 210.A31 and AS 2610.09.

Before accepting a new client, consideration must be given to any threats to compli-
ance with the fundamental principles of professional ethics, such as integrity, objectivity,
independence, professional competence, and due care, as discussed in Chapter 2. Threats
to the fundamental principles of professional ethics will occur if the prospective client is
dishonest, involved in illegal activities, or aggressive in its interpretations of accounting
rules. An accounting firm should not accept a new client if the firm is concerned about any
of these issues. Potential threats to compliance with the fundamental principles of pro-
fessional ethics for existing clients should be considered regularly as part of continuation
decisions.
To ensure professional competence and due care, a firm must be certain it has the staff
available for the time required to complete the audit. The firm must ensure its audit staff has
the knowledge and competence required to conduct the audit. The firm must have access to
independent specialists, if required. The use of specialists will be discussed in Chapter 5.
To ensure that it is independent of prospective and continuing clients, the accounting
firm must review the threats to independence, described in Chapter 2, and make certain that
safeguards are put in place to limit or remove those threats. If an independence threat appears
insurmountable, a firm should decline an offer to be the auditor of a prospective client or
resign from the audit of an existing client. An example of such a threat is fee dependence,
where the fees from a client would form a significant proportion of the firm’s total fees. This
can occur if a prospective client is much larger than a firm’s current clients or if an existing
client has grown significantly.
The firm should also consider any special circumstances or unusual risks that could be
unique to a prospective or continuing client. For example, is the client financially stable, or is
it experiencing profitability issues? Another issue is the regulatory environment for the client.
Auditors should be aware of any issues being raised by regulators or whether the client may
be close to violating regulatory requirements. These and other special circumstances should
be carefully considered by the firm.

Audit Reasoning Example  Acceptance of New Client

A software company is looking for a new auditor. The company has grown through an acqui-
sition and needs an auditor that can handle its additional requirements. The new auditor sees
no independence issues. Discussions with the predecessor auditor, the audit committee, and
management indicate a good tone at the top and provide a consistent story about the company
and its reasons for changing auditors. The new firm, with national and international offices
and many clients in the software industry, sees this as a client with good potential for the firm.

Audit Reasoning Example  Refusal of New Client

A firm has been asked to submit a bid on a new engagement. An individual with experience in
the investment industry is starting a new hedge-fund company. The company is looking for an
auditor so that audited financial statements can be provided to potential investors. While the firm
has 15 offices in the United States, the firm has very limited experience auditing investment com-
panies or hedge funds. A background check on the CEO indicates he had allegations of improper
business dealings and possible fraud with a company he ran five years before. The firm chooses
not to bid on the audit because of concerns about possible management integrity issues, as well as
concerns about its own expertise.

The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter. AU-C 210 Terms of Engagement and AS 1301 Communications with Audit Committees provide guidance on the preparation of engagement letters. An engagement letter is prepared by an auditor and acknowledged by a client before the audit begins. It is a contract between an auditor and the client. According to auditing standards, it is not necessary to send a new engagement letter each year for a continuing client unless the terms of the engagement change. In practice, most audit firms have clients sign a new engagement letter each year to avoid any misunderstandings.

engagement letter  sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client

The purpose of an engagement letter is to set out the terms of the audit engagement to
avoid any misunderstandings between the auditor and the client. The engagement letter in-
cludes an explanation of the scope of the audit, the timing of the completion of various aspects
of the audit, an overview of the client’s responsibility for the preparation of the financial state-
ments, the requirement that the auditor have access to all information required to perform the
audit, and independence considerations and fees. An example of an engagement letter for a
private company client is provided in the appendix to AU-C 210 and is reproduced in Illustra-
tion 3.3. (Appendix C of AS 1301 details matters that should be included in the engagement
letter for a public company client.)

Illustration 3.3   Example of an audit engagement letter for a private company client

To the appropriate representative of those charged with governance of ABC Company:

[The objective and scope of the audit]

You have requested that we audit the financial statements of ABC Company, which comprise
the balance sheet as of December 31, 2022, and the related statements of income, changes
in stockholders’ equity, and cash flows for the year then ended, and the related notes to the
financial statements. We are pleased to confirm our acceptance and our understanding of this
audit engagement by means of this letter. Our audit will be conducted with the objective of our
expressing an opinion on the financial statements.

[The responsibilities of the auditor]

We will conduct our audit in accordance with auditing standards generally accepted in the
United States of America (GAAS). Those standards require that we plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement. An audit involves performing procedures to obtain audit evidence about the
amounts and disclosures in the financial statements. The procedures selected depend on the
auditor’s judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. An audit also includes evaluating the appropriateness
of accounting policies used and the reasonableness of significant accounting estimates made by
management, as well as evaluating the overall presentation of the financial statements.

Because of the inherent limitations of an audit, together with the inherent limitations of internal
control, an unavoidable risk that some material misstatements may not be detected exists, even
though the audit is properly planned and performed in accordance with GAAS.

In making our risk assessments, we consider internal control relevant to the entity’s preparation
and fair presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances but not for the purpose of expressing an opinion on the
effectiveness of the entity’s internal control. However, we will communicate to you in writing
concerning any significant deficiencies or material weaknesses in internal control relevant to the
audit of the financial statements that we have identified during the audit.

[The responsibilities of management and identification of the applicable financial reporting framework]

Our audit will be conducted on the basis that [management and, when appropriate, those charged
with governance] acknowledge and understand that they have responsibility
a. for the preparation and fair presentation of the financial statements in accordance with
accounting principles generally accepted in the United States of America;
b. for the design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of financial statements that are free from material
misstatement, whether due to fraud or error; and
c.  to provide us with
i. access to all information of which [management] is aware that is relevant to the
preparation and fair presentation of the financial statements such as records,
documentation, and other matters;
ii. additional information that we may request from [management] for the purpose of the
audit; and
iii. unrestricted access to persons within the entity from whom we determine it necessary to
obtain audit evidence.

As part of our audit process, we will request from [management and, when appropriate, those
charged with governance], written confirmation concerning representations made to us in
connection with the audit.

[Other relevant information]

[Insert other information, such as fee arrangements, billings, and other specific terms, as
appropriate.]

[Reporting]
[Insert appropriate reference to the expected form and content of the auditor’s report. Example
follows:]

We will issue a written report upon completion of our audit of ABC Company’s financial statements.
Our report will be addressed to the board of directors of ABC Company. We cannot provide
assurance that an unmodified opinion will be expressed. Circumstances may arise in which it is
necessary for us to modify our opinion, add an emphasis-of-matter or other-matter paragraph(s),
or withdraw from the engagement.

We also will issue a written report on [Insert appropriate reference to other auditor’s reports
expected to be issued.] upon completion of our audit.
Please sign and return the attached copy of this letter to indicate your acknowledgment of,
and agreement with, the arrangements for our audit of the financial statements including our
respective responsibilities.

XYZ Partners
Acknowledged and agreed on behalf of ABC Company by

___________________________
[Signed]
[Name and Title]
[Date]

Source: AU-C 210.A42.



Cloud 9 - Continuing Case


“Great news!” announces Sharon at the weekly team meeting. “We just received word that the audit engagement letter for Cloud 9 has been signed. We are now officially the auditors and the risk assessment phase starts now!”

Later, at the first planning meeting, Sharon and Josh focus on assigning the tasks for gaining an understanding of Cloud 9. Ian Harper, a first-year staff, is not happy. He grumbles to another member of the team, Suzie Pickering, as he leaves the room. “This is such a waste of time. Why did we sign an engagement letter if we don’t understand the client? Why don’t we just get on with the audit? What else is there to know?”

“Oh boy, are you missing the point!” Suzie says. “If you don’t understand where the risks are greatest, where are you going to start ‘getting on with it’?”

“The same place you always start,” replies Ian.

Ian thinks that all audits are pretty much the same and that W&S Partners must have an audit plan they can use for the Cloud 9 audit. Suzie explains that if they tailor the plan to the client, the audit is far more likely to be efficient and effective. That is, they will get the job done without wasting time and ensure that quality evidence is gathered for the accounts that are most at risk of being misstated. If they can do this, W&S Partners will not only issue the right audit report, but they will make a profit from the audit as well. In other words, if the plan is good, performing the audit properly will be easier.

Suzie realizes it will be a big job explaining this to Ian and invites him for a coffee in the staff room so they can talk. Suzie is an experienced staff and has worked with other clothing and footwear clients.

Before You Go On
1.1 What will an auditor consider in assessing the integrity of a client’s management, board, and
other personnel?
1.2  How does an auditor gather information about management integrity?
1.3 What are the key components of an engagement letter?

Phases of an Audit
Learning Objective 2
Identify the different phases of an audit.

Before we begin the discussion of the different phases of an audit, it is important to emphasize that each audit is unique. For example, risks associated with the audit of a grocery store will not be the same as the risks associated with an audit of a jewelry store, even though both are retailers. Risks associated with the oil and gas industry will be different from risks associated with the computer technology industry because of different laws and regulations that apply to each industry. Auditors must tailor their audit to be specific to each client, but broadly speaking, once the client acceptance or continuance decision has been made, there are three general phases of every audit, as shown in Illustration 3.4:

1. The risk assessment phase involves gaining an understanding of the client, identifying factors that may impact the risk of a material misstatement occurring in the financial statements, performing a risk and materiality assessment, and developing an audit strategy.
2. The risk response phase of the audit involves the performance of detailed tests of controls and detailed testing of transactions and account balances, called substantive testing.
3. The reporting phase involves an evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements.

An overview of each phase of the audit follows.

risk assessment phase  gaining an understanding of the client, identifying risk factors, developing an audit strategy, and setting planning materiality

risk response phase  performing tests of controls and detailed substantive testing of transactions and accounts, concentrating effort where the risk of material misstatement is greatest

reporting phase  evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements

Illustration 3.4   Overview of the audit

[Figure: the three phases of the audit and the steps within each]
Risk Assessment Phase: Understanding the Client; Risk Identification and Strategy; Risk and Materiality Assessment
Risk Response Phase: Tests of Controls; Substantive Testing
Reporting Phase: Conclusion and Forming an Opinion

Risk Assessment Phase


AU-C 300 Planning an Audit and AS 2101 Audit Planning require auditors to plan the audit by assessing risk to reduce audit risk to an acceptably low level. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated (AU-C 200.14). An auditor will perform various risk assessment procedures to ensure that appropriate attention is paid to the accounts and transactions most at risk of being materially misstated. For example, the inventory account at The Boeing Company has a higher risk of material misstatement than the prepaid expenses account. Why is that? First, think about the difference in the dollar amount of the two accounts. Inventory will most likely be the largest current asset and prepaid expenses will be one of the smallest. Also, the number and complexity of transactions in the inventory account will be much higher than the number of transactions in the prepaid expenses account. Therefore, auditors should plan to devote more audit time to the inventory account than to the prepaid expenses account. This Boeing example illustrates that the risk assessment phase of the audit provides the opportunity to optimize efficiency and effectiveness when conducting an audit. Efficiency refers to the amount of time spent gathering audit evidence. Effectiveness refers to minimizing audit risk.

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated

You should also understand that the risk assessment process is an iterative process. Auditors
make preliminary risk assessments while planning the audit. Those risk assessments are
later confirmed, or refuted, when auditors perform tests of internal controls, or tests of ac-
count balances, transactions, or disclosures. On occasion, auditors might obtain information
in the risk response phase that causes them to revise their preliminary conclusions drawn
during the risk assessment phase. Auditors must be open to evaluating evidence obtained at
any phase of the audit and to considering its implications for risk assessments made earlier
in the audit.
Illustration 3.5 provides a graphical depiction of the risk assessment phase of the audit
and some key concepts that are applied during risk assessment and the other phases of the
audit. The key concepts of materiality, professional skepticism, and audit risk are discussed in
this chapter. The section “Audit Strategy” in this chapter discusses how, once the elements of
risk assessment have been considered, auditors can develop their audit strategy. The section
“Fraud Risk” closes this chapter. The remaining elements of risk assessment will be discussed
in Chapter 4.

Risk Response Phase


The risk response phase of the audit involves detailed testing of internal controls, transac-
tions, account balances, and disclosures the auditors have determined to be at high risk of
material misstatement. Auditors determine whether they plan to rely on the client’s system
of internal controls. If so, they will test the effectiveness of internal controls, which is
discussed in the section “Audit Strategy” and further in Chapter 8. Auditors will also
make decisions about the extent and timing of detailed testing of account balances and
transactions, which is discussed in “Audit Strategy” and further in Chapters 9 through 13.
This detailed testing provides the evidence needed by auditors to determine if the finan-
cial statements are fairly presented.

Illustration 3.5   Risk assessment

[Figure: the elements of risk assessment, the key concepts applied throughout, and the resulting audit strategy]
Key concepts: Materiality; Professional Skepticism; Audit Risk
Elements of risk assessment: Understand the entity and the industry; Compliance with laws and regulations; Fraud risk; Client performance measurement; Closing procedures; Understand internal controls and IT; Analytical procedures; Corporate governance; Related parties
Outcome: Audit Strategy

Concluding and Reporting on an Audit


The final phase of the audit involves drawing conclusions based upon the evidence gathered and
arriving at an opinion regarding the fair presentation of the financial statements. The auditor’s
opinion is expressed in the audit report (see Chapter 15). At this stage of the audit, auditors draw
on their understanding of the client, their detailed knowledge of the risks faced by the client,
and the conclusions drawn when testing the client’s controls, transactions, and account balances.

Before You Go On
2.1 What are the three main phases of the audit?
2.2  Briefly discuss why auditors must treat every audit as unique.
2.3 Explain how the risk assessment phase helps to improve the efficiency and effectiveness of
the audit.

Materiality
Learning Objective 3
Explain and apply the concept of materiality.

The concept of materiality is used to guide audit testing and assess the validity of information
contained in the financial statements and the notes. Information is considered material if
it impacts the decision-making process of users of the financial statements. PCAOB AS 2105
includes the definition stated by the U.S. Supreme Court that “information is material if
there is a substantial likelihood that the . . . fact would have been viewed by a reasonable
investor as having significantly altered the total mix of information made available (para 2).”
This includes information that is misstated and information that is omitted but should be
disclosed.

materiality  the ability of information to influence decisions that users make on the basis of
the financial information of a specific reporting entity

Materiality is a key auditing concept that is first assessed during the risk assessment phase
of every audit. This overall or planning materiality guides audit planning and testing for the
financial statements as a whole. Before explaining how auditors arrive at their planning
materiality assessment, it is important to differentiate between the qualitative and quantitative
considerations of materiality.

Qualitative and Quantitative Materiality


Information can be considered material because of its nature and/or its magnitude. An item
that is considered material due to its nature is referred to as being qualitatively material. An
item that is considered material due to its magnitude is referred to as being quantitatively
material. While these concepts are not mutually exclusive, we explain them separately to help
you differentiate between the two.

Qualitative Materiality Factors


Information is considered qualitatively material if it affects a user’s decision-making process
for a reason other than its magnitude. For example, a fraud, by its nature, is considered
significant no matter how small it may be. Fraud that is small today could grow to a massive
fraud in the future. Throughout the audit, auditors use their understanding of the client to be
alert to qualitative factors that reflect on the client’s financial position, results of operations,
and/or cash flows.

qualitative materiality  information or misstatements that impact a user’s decision-making
process for a reason other than its magnitude

When reading the notes to the financial statements, an auditor will assess accounting
disclosure accuracy and compliance with any regulations and legislation and ensure any legal
matters that should be disclosed are disclosed correctly. If any of these disclosures are inaccurate
or omitted in error, the auditor will consider the potential impact on users. If the auditor
believes an inaccurate disclosure or omission will affect a user’s decision-making process, it
is considered qualitatively material, and the auditor will request that the client correct the
disclosure or include any omitted information. Examples include a change in an accounting
method, a change in operations that affects the level of risk faced by the client, or the client
being in danger of breaching a debt covenant. AU-C 320 and AS 2105 refer to other items that
may be considered material due to their nature rather than their size.

Quantitative Materiality Factors


Information is considered quantitatively material if it exceeds the magnitude of an auditor’s
planning materiality assessment. Auditors use their professional judgment to arrive at
an appropriate planning materiality amount for each client. Planning materiality is typically
a percentage of an appropriate benchmark from the financial statements. AU-C 320 provides
guidance for determining an appropriate benchmark. An auditor will select a benchmark,
as discussed next, and then decide on the percentage to use, depending upon the client’s
circumstances.

quantitative materiality  information or misstatements that exceed the magnitude of an
auditor’s preliminary materiality assessment, which is a percentage of an appropriate benchmark

Setting Materiality
When determining planning materiality, auditors will use professional judgment and are
mindful of the primary users of the financial statements. For publicly traded companies, the
primary users are the stockholders. For private companies, the primary users are generally
the owners and/or major lenders. Accounting firms may vary in the method they use to set
planning materiality in the risk assessment phase, but common practice is to calculate a
percentage of an appropriate benchmark. In selecting an appropriate benchmark, auditors can
choose an item from the balance sheet or the income statement. Balance-sheet benchmarks
are generally total assets or equity. Income-statement benchmarks are typically profit before
tax or total revenue. Auditors select an appropriate benchmark using their professional judgment
based on their knowledge of the client, the client’s industry, and the needs of financial
statement users for their decision making. For example, if a client is listed on the securities
exchange, profit before tax is an appropriate benchmark because it drives dividends and
return-on-investment decisions. However, if a client is a not-for-profit organization, either total
assets or total revenue is more generally used as a benchmark.
Auditing standards mention benchmarks the auditor can use, but the standards do not
recommend any specific percentages that should be applied to these benchmarks. Therefore,
auditors rely heavily on their professional judgment to determine an appropriate percentage
of the selected benchmark. The discussion in the following Professional Environment box
provides more detail of percentages that firms use when determining planning materiality.
The auditing standards do require auditors to reevaluate their overall level of materiality
throughout the audit. If new information comes to light that would cause the auditors to
establish a different level of planning materiality, then they should examine the information
and make adjustments to materiality as needed.

Professional Environment  Materiality Practices of the Major Public Accounting Firms


Since auditing standards provide no guidance to auditors about what percentage to apply to
benchmarks for determining planning materiality, what are public accounting firms doing? And
more importantly, is there consistency among the major public accounting firms regarding the
determination of planning materiality? These are important research questions that were studied
by Eilifsen and Messier (2015) in their article titled “Materiality Guidance of the Major Public
Accounting Firms.”2
For their study, Eilifsen and Messier asked the eight largest U.S. public accounting firms to
provide them with a copy of the firm’s materiality guidance. The eight firms, in alphabetical
order, were BDO USA, Crowe Horwath (now Crowe), Deloitte & Touche, EY, Grant Thornton, KPMG,
McGladrey (now RSM), and PwC. An analysis of the eight firms’ materiality guidance revealed
that for public company audits, seven of the eight firms use “income before income taxes” as
the primary benchmark for determining planning materiality. One of the firms uses “income
after income taxes” as the primary benchmark. For private company audits, in addition to income
before income taxes, other acceptable benchmarks are total assets and total revenues. Firms will
use other benchmarks if appropriate for unusual circumstances. For example, if the company
is experiencing a loss or very poor operating results, another measure such as total equity may
be a more reliable benchmark for determining planning materiality.
Once a benchmark has been selected, what percentage should be used for determining planning
materiality? Six of the eight firms “expect, suggest, or require the use of 5% of income
before taxes, while one firm allows 5–10%.”3 As an example, assume you are the auditor for
The Boeing Company. At December 31, 2017, Boeing had income (earnings) before income
tax of $10.047 billion. To determine planning materiality, you would multiply 5% by
$10.047 billion, which results in planning materiality of $502,350,000. In addition, you would
also consider any qualitative factors in making your final assessment of planning materiality.
For the benchmarks of total assets and total revenues, seven of the eight firms used ranges of
0.25% to 2%. Using The Boeing Company example, at December 31, 2017, Boeing had total
revenues of $93.392 billion. If you use 1% of total revenues, then planning materiality would be
$933,920,000. This results in a higher planning materiality than using 5% of income before
income tax. Ultimately, the auditors must use their professional judgment to decide on the
planning materiality amount.
Overall, the research by Eilifsen and Messier indicates there is significant agreement among
the large firms regarding both the benchmarks used and the percentages applied to the
benchmarks for determining planning materiality.

2 A. Eilifsen and W. F. Messier, Jr., “Materiality Guidance of the Major Public Accounting Firms,”
Auditing: A Journal of Practice & Theory 34, no. 2 (2015), pp. 3–26.
3 Ibid.

Using the Boeing example from the Professional Environment box discussion above,
assume that planning materiality is $502 million. Does this mean auditors will only look for
errors or misstatements that are $502 million or larger? If an account balance is less than
$502 million, will auditors not perform any audit procedures on that account? The answer to
both of these questions is no. Auditors plan the audit to detect material misstatements, but
they must also consider the effects of smaller misstatements that may be immaterial on their
own but, when added with other immaterial misstatements, may be material to the financial
statements as a whole. In addition, what about misstatements that may not be detected during
the audit? Auditors need to consider some margin of error for misstatements that may not be
detected due to the sampling procedures used in an audit. Therefore, after determining planning
materiality, auditors must determine performance materiality at the account or disclosure
level. Performance materiality is an amount set by the auditor that is less than planning
materiality and is used to make decisions about the extent of audit procedures for a
particular class of transaction, account balance, or disclosure.

performance materiality  amount or amounts set by the auditors at less than the materiality
level for particular classes of transactions, account balances, or disclosures

Performance materiality at the individual account level should be less than the planning
materiality. For example, if the planning materiality for Boeing is $502 million, auditors may
decide that one-third that amount, $167 million, is an appropriate performance materiality
at the account level. Auditors would then plan and perform their audit procedures using
the performance materiality amount of $167 million to determine if individual accounts or
transactions were materially misstated. If any account balances are less than the performance
materiality amount, auditors may decide not to perform detailed audit procedures on the account
because the entire account balance is considered immaterial. For example, in Note 9 of the
December 31, 2017, Boeing financial statements, the “other investments” account has a balance
of $30 million. Since $30 million is well below the performance materiality of $167 million,
auditors would spend minimal time performing detailed audit testing on that account.
As we have discussed, auditors also consider qualitative factors when deciding if an
account is material. For example, in Note 5 of the December 31, 2017, Boeing financial
statements, the “valuation allowance” account for accounts receivable has a balance of
$62 million. At first glance this account balance may seem immaterial. However, the related
account, accounts receivable, is a material amount ($10.516 billion) so the valuation allowance
will be audited in conjunction with accounts receivable. In addition, since the valuation
allowance is an estimate, there is risk that management may be biased when determining the
amount of the allowance. Management might be overly optimistic about collection of receivables
and underestimate the allowance, which would lead to overstated net accounts receivable.
Therefore, because of these qualitative factors, auditors will perform detailed audit testing on
the valuation allowance even though the balance is less than performance materiality.
The use of performance materiality should reduce the probability that the sum of immaterial
and/or undetected misstatements in the financial statements is greater than materiality
for the financial statements as a whole. The auditing standards do not provide any guidelines
for the determination of performance materiality. As stated in AU-C 320 Materiality in Planning
and Performing an Audit:

The determination of performance materiality is not a simple mechanical calculation
and involves the exercise of professional judgment. It is affected by the auditor’s
understanding of the entity, updated during the performance of the risk assessment
procedures, and the nature and extent of misstatements identified in previous audits
and, thereby, the auditor’s expectations regarding misstatements in the current
period. (para. A14)

Overall, the determination of both planning and performance materiality is a subjective
process that will vary across firms and across clients, and it may change during the
performance of an audit. The materiality level is a starting point for auditors to do the following:

1. Determine the type and extent of risk assessment procedures to be performed.
2. Identify and assess the risk of material misstatements occurring at the financial statement
level and the account balance level.
3. Begin development of an audit strategy.

This discussion of materiality can be concluded with an example of how the concept of
materiality impacts the planning of the audit. If auditors determine a higher planning
materiality level (higher dollar amount) is appropriate, then they will plan to gather less
extensive audit evidence. A lower materiality level (lower dollar amount) will translate to auditors
performing more extensive audit procedures to ensure that material misstatements will be
detected. In other words, holding everything else constant, as the auditor’s evaluation of
materiality decreases, the auditor is looking to obtain a more precise conclusion about the
financial statements. The increased precision of the audit will cause the auditor to perform more
extensive audit procedures.

Audit Reasoning Example  Materiality

Consider the following information (amounts in millions):

                     2022        2021        2020
Revenues         $1,810.0    $1,941.0    $1,916.0
Total assets      1,600.0     1,721.0     1,774.0
Pretax income         1.5        45.2        31.9

In 2020 and 2021, the auditor used 5% of pretax income as a base for planning materiality.
However, in 2022 pretax income was abnormally low while revenues and total assets had not
shown the same level of change. Because pretax income was less than eight-tenths of 1% of revenue
(the company basically broke even for the year), the auditor decided to use ½ of 1% of the lesser of
total revenues or total assets as the base for determining planning materiality. Both revenues and
assets showed more stability than pretax income in 2022.

Cloud 9 - Continuing Case


Throughout their conversation, Suzie and Ian have been discussing “material” misstatements
in financial statements. Ian asks, “Isn’t materiality just a number? Companies of about the same
size would have the same materiality level, right?” Suzie explains that they will use a
percentage of a benchmark, such as income before taxes or total revenue, as a starting place for
determining materiality. Then, they will consider increasing or decreasing that amount based on
qualitative factors specific to the Cloud 9 audit. For example, since Cloud 9 is a public company
subject to regulation and more public scrutiny, the audit team may decide to decrease
materiality, which means the team will perform more extensive audit procedures.
“Knowledge of the client’s industry is important for determining materiality,” continues Suzie.
“We must be familiar with the client’s operations and the industry to understand what is
important, or material, to the users of the client’s financial statements.”
Ian is worried about getting the materiality level right. “What if we set it too low or too
high?” Suzie explains that all parts of the audit plan, including the materiality decisions, will
be reviewed throughout the audit and revised, if necessary.

Before You Go On
3.1 What is qualitative materiality?
3.2  What is quantitative materiality?
3.3 What is performance materiality?

Professional Skepticism and Audit Risk


Learning Objective 4
Explain professional skepticism and apply the audit risk model.

As depicted in Illustration 3.5, two more key concepts that apply to all phases of the audit are
professional skepticism and audit risk. These concepts were first introduced in Chapter 1 and
will be explained in more detail next.

Professional Skepticism
Auditors have a responsibility to plan and perform an audit with professional skepticism.
Professional skepticism is an attitude adopted by auditors when conducting all phases of the
audit. It means that auditors remain independent of the entity, its management, and its staff
when completing the audit work. In a practical sense, professional skepticism means auditors
maintain a questioning mind and thoroughly investigate all evidence presented by the
client (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of
the following arise during the audit:

•  Audit evidence recently gathered that is contradictory to other evidence previously gathered.
•  New information that brings into question the reliability of client documents or responses
to auditor inquiries.
•  Conditions that may provide evidence of possible fraud.
•  Situations that indicate the need for additional audit procedures beyond what is required
by generally accepted auditing standards.

professional skepticism  an attitude that includes a questioning mind, being alert to conditions
that may indicate possible misstatement due to fraud or error, and a critical assessment of
audit evidence

Does maintaining professional skepticism mean auditors should assume client management
is being dishonest? The answer is no. Auditors should not assume management is dishonest,
but at the same time, auditors should not assume management is always honest or
correct. Using professional skepticism means that even if auditors believe management and
those charged with governance are being honest, they should gather reliable evidence to support
management’s responses to auditor inquiries and to support amounts and disclosures
in the financial statements. Throughout all phases of the audit, auditors should keep these
questions in mind when gathering audit evidence: Is this information reliable? Do we need to
perform more audit procedures? When auditors exercise professional skepticism during the
risk assessment phase, it helps to ensure they are using appropriate assumptions when developing
their audit strategy that will be used in the risk response phase. In the reporting phase,
auditors use professional skepticism when evaluating the evidence gathered and forming an
opinion that the financial statements are presented fairly.

Audit Reasoning Example  Professional Skepticism

An auditor was auditing a recreational vehicle (RV) dealership. The auditor had obtained some
initial financial information from the client showing unaudited results for the end of the third
quarter. Sales were up and profit margins were up, making it the best year so far for the client.
Interim records showed that inventory was also up, and the client’s inventory records showed over
300 RVs on hand at the end of the third quarter. The audit senior went to talk to the audit manager
about the good news and the client’s performance. The audit manager asked the senior a key
question. “You did the inventory observation last year. How many RVs did the client have then?”
“I think it was about 210,” the senior replied. Then the audit manager asked, “How full was the lot
last year?” The senior replied that it was “almost overflowing” the year before. The manager then
said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90
RVs even though sales are up. There could be an error in the inventory records. This information
makes me believe that the existence of inventory is a very high inherent risk.”

Audit Risk
Audit risk is the risk that an auditor expresses an inappropriate audit opinion when financial
statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor
and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and
AS 1101 Audit Risk). This means the audit report states the financial statements are presented
fairly, in all material respects, when in actuality the financial statements contain a material
error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an
acceptably low level. During the risk assessment phase, auditors will perform audit procedures
to identify transactions and accounts where the risk of material misstatement is highest.
The first stage in audit risk assessment involves the identification of accounts and related
assertions most at risk of material misstatement, referred to as inherent risk. An assertion
is a statement or representation, explicit or implied, made by management regarding
the recognition, measurement, presentation, and disclosure of items included in the financial
statements and notes. Assertions help guide the procedures conducted by auditors and are
discussed in more depth in Chapter 5. Inherent risk assessment is affected by factors both
internal and external to the client. For example, if a client sells valuable goods (e.g., jewelry),
there is a risk of overstatement of inventory as goods may be stolen but remain recorded in the
client’s books. Therefore, there is a risk that management’s assertion, or claim, that recorded
inventory exists is not valid. In this example, the auditor may spend more time testing the
existence assertion of recorded inventory than in the case of a client that sells lower-valued goods
(e.g., office supplies). Illustration 3.6 provides examples of traits that would indicate higher
or lower inherent risk for accounts or assertions.

inherent risk  the susceptibility of an assertion to a misstatement that could be material,
either individually or when aggregated with other misstatements, before consideration of any
related controls

assertions  statements or representations, explicit or implied, made by management regarding
the recognition, measurement, presentation, and disclosure of items included in the financial
statements

ILLUSTRATION 3.6  Examples of inherent risk traits for accounts or assertions

Higher Inherent Risk Traits | Lower Inherent Risk Traits
Transactions or account balances derived from significant estimates | Transactions or account balances easily confirmed with reliable sources
Technological developments in the client’s industry increase the risk of obsolescence of certain assets | Technological developments a minimal factor in the valuation of the client’s assets
Client location at risk of natural disasters such as hurricanes and flooding | Client location has minimal risk of being affected by a natural disaster
Client’s industry experiencing a period of decline | Client’s industry is thriving
Client has insufficient working capital and is at risk of violating loan contracts | Client has sufficient working capital and is not at risk of violating loan contracts

When identifying accounts and related assertions at risk of material misstatement, some
risks are classified as being more significant than others. A significant risk is an identified
and assessed risk of material misstatement that, in the auditor’s judgment, requires special
audit consideration (AU-C 315 Understanding the Entity and Its Environment and Assessing
the Risks of Material Misstatement and AS 2110 Identifying and Assessing Risks of Material
Misstatement). When classifying risks as being significant, consideration is given to whether
the risk involves:

•  Fraud.
•  Significant economic or accounting developments.
•  Complex transactions.
•  Significant related-party transactions (discussed further in Chapter 4).
•  Significant subjectivity in measurement of financial information.
•  Significant transactions outside the client’s normal course of business.

significant risk  an identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration

The second stage in audit risk assessment involves gaining an understanding of the client’s
system of internal controls. Auditors assess control risk, which is the risk that a client’s
internal controls will not prevent or detect a material misstatement on a timely basis. Auditors
are interested in whether the client has controls in place that are designed to minimize the risk
of material misstatement for each account and related assertion identified as being high risk
by the auditors. In the above example, if a client sells jewelry, auditors will assess whether the
client has controls in place, such as a security system, to reduce the risk that inventory may
be stolen.

control risk  the risk that a client’s system of internal controls will not prevent or detect a
material misstatement on a timely basis

Finally, the assessed level of inherent and control risk for each assertion will guide auditors
in developing their audit strategy to gather appropriate audit evidence. This final assessment
will depend upon the assessed risks of the account and related assertion and the deemed
effectiveness of the client’s system of internal controls.

Cloud 9 - Continuing Case


Ian is still struggling with the idea of risk. He knows that audit risk is the risk that the
auditor issues the wrong audit report, or gives an inappropriate audit opinion, and that audit
risk is related to the client’s circumstances. But how does that actually work in practice? What
does an auditor do differently for each audit?
“Let’s break this down,” Suzie advises. “Auditors face the risk of stating that in their opinion
the financial statements are not materially misstated, when in fact they are. So, how does a
material misstatement get into the published financial statements?”
Ian works through the logic. “First, the error has to be created, either by accident or on
purpose. Second, the client’s internal control system must fail to either prevent the error getting
into the accounts or detect the error once it is in the system. And, finally, the auditor has to
fail to find the error during the audit.”
“Correct!” says Suzie. “Now, before we go on, I want to break down the idea of ‘financial
statements,’ too. The financial statements are the balance sheet (statement of financial position),
income statement (statement of comprehensive income), cash flow statement (statement of cash
flows), statement of changes in equity, and all the notes. So when we talk of the risk of
misstatements, we are referring to the risk of misstatement in every line item in each of these
statements. If we focus on just one line in a balance sheet—say, accounts receivable—what are the
possible misstatements that could occur?”
Ian tries to work through the logic again. “The amount could be either understated or overstated.
I suppose there are lots of errors that could occur. Obviously, basic math mistakes and other
clerical errors could affect the total in either direction. In addition, accounts receivable would
be understated if management omitted some customer receivables when they calculated the total.
I think the deliberate ‘mistakes’ are more likely to overstate accounts receivable because that
makes the balance sheet look better, and probably means profit is overstated, too. Accounts
receivable would be overstated if some of the receivables management claimed in the total did not
exist at year-end, did not belong to Cloud 9, were overvalued because bad debts were not written
off, or sales from the next period were included in the earlier period.”
“Very good,” says Suzie. “It is the same for every line item. Every time management prepares a
financial statement, they assert that all these errors did not occur—that all the individual
items in the financial statements are not materially misstated. The auditor has to break down the
financial statement audit into accounts and assertions and consider the risk of misstatement for
each assertion for each account or transaction class. The auditor deals with the risk of material
misstatement of the entire set of financial statements by gathering evidence at the assertion
level for each account. Then, all the evidence is put together so the auditor can form an opinion
on the overall financial statements.”

The Audit Risk Model and Its Components


Inherent risk and control risk are the client’s risks and exist separately from the audit of the
financial statements. In other words, the auditors have no control over a client’s inherent and
control risks. Inherent risk is driven by industry, economic, and client factors that are out of
the control of the auditor. Control risk is impacted by the client’s design and implementation
of internal controls, which are also out of the control of the auditor. When these two risks are
combined, we refer to it as risk of material misstatement.
The risk of material misstatement (RMM) is the risk that the financial statements are
materially misstated prior to the audit (AU-C 200.14). Risk of material misstatement exists at
the financial statement level and at the assertion level. At the financial statement level, the risk
of material misstatement refers to risks that affect the financials as a whole. For example, if a
client purchases a new computer system and does not adequately train staff in its use, there is
a risk of errors when recording transactions used to prepare the financial statements. In this
scenario, all accounts are at risk of material misstatement. At the assertion level, the risk of
material misstatement refers to risks that affect classes of transactions, account balances, and
disclosures. For example, if a client sells goods overseas, there is a risk that transactions may
not be recorded correctly using appropriate exchange rates at the date of each transaction. In
this scenario, revenue and accounts receivable are at risk of material misstatement.

risk of material misstatement (RMM)  the risk that the financial statements are materially
misstated prior to the audit; a combination of inherent risk and control risk

RMM considers (1) the inherent risk that an assertion is misstated and (2) the effectiveness
of the internal controls in preventing, or detecting and correcting, misstatements on a
timely basis. Therefore, auditors must identify client characteristics that place its financial
statements at risk of material misstatement (inherent risk) and determine whether controls
designed to limit such a risk exist and are effective (control risk). Once RMM has been assessed,
auditors can plan the audit procedures to be performed in response to the assessed
RMM. This leads us to the final component of audit risk, which is detection risk. Detection
risk is the risk that the auditor’s procedures will not be effective in detecting a material
misstatement should there be one. Detection risk is the only component of audit risk that can
be controlled by the auditor, which we will discuss in more depth next. But note that it is
impossible to reduce any of these risks to zero. Risk will always exist in an audit, whether it
is from economic or industry factors (inherent risk), a failure of an internal control (control
risk), or a failure of an audit procedure (detection risk).

detection risk  the risk that the auditor’s testing procedures will not be effective in detecting a
material misstatement
Audit risk can be presented in a model that indicates the relationship between its com-
ponents (AU-C 200.A36). The model states that audit risk is a function ( f ) of risk of material
misstatement (which consists of inherent risk and control risk) and detection risk, as illus-
trated below.

AR = f(RMM * DR)

AR = f(IR * CR * DR)
where:
AR = Audit risk
RMM = Risk of material misstatement
IR = Inherent risk
CR = Control risk
DR = Detection risk

Auditors plan and perform their audit to keep audit risk at an acceptably low level (AU-C
200). If inherent and control risks are high for an assertion, the auditor will set detection
risk as low, to maintain a low audit risk. Illustration 3.7 provides an example of a high risk
assertion at the account level. After reviewing the example, you’ll see there is an inverse re-
lationship between the risk of material misstatement (inherent and control risks combined)
and detection risk (as set by the auditor). A low detection risk means the auditors increase the
amount of detailed audit procedures used to test the year-end account balances and transac-
tions from throughout the year.

ILLUSTRATION 3.7  High risk assertion with qualitative analysis

Audit risk  =  Inherent risk    Control risk    Detection risk
Low            High             High            Low

(Inherent risk and control risk together make up the risk of material misstatement.)

Audit Reasoning Example  High Risk Assertion

A client sells high-end fashion clothing and has inadequate security. Inherent risk is high for the
existence assertion of inventory as clothing may be stolen. Control risk is high since there is inad-
equate security, which increases the risk of theft. The auditor cannot rely on the client’s security
system to reduce the risk of material misstatement associated with the existence of inventory. The
auditor will set a low detection risk and spend more time performing audit procedures to deter-
mine that recorded inventory actually exists.

Audit Reasoning Example  High Risk Assertion

A client is an importer with inexperienced clerical staff. Inherent risk is high for the accuracy as-
sertion of recorded purchases as they involve foreign currency translation. Control risk is high as
clerical staff are inexperienced and not accustomed to recording complex foreign currency trans-
actions. The auditor will set a low detection risk and spend more time performing audit proce-
dures to determine that purchases are recorded at appropriate amounts.

The audit risk model can also be used for quantitative analysis in which all risks are
stated as a percentage ranging from 1% to 100%. Suppose auditors want to keep audit risk low
at 1%, which means a 1% risk they will issue an inappropriate opinion. If inherent risk and
control risk are both high, say 100% inherent risk and 80% control risk, then what will detec-
tion risk be? Refer to Illustration 3.8 for the mathematical analysis. Solving for detection
risk, the answer would be a 1.25% risk that the auditors’ procedures will not be effective in de-
tecting a material misstatement. Another way to state it is the auditors are 98.75% confident
that their audit procedures will detect a material misstatement if present. A 1.25% detection
risk is a low detection risk, which implies auditors will perform extensive detailed testing of
related account balances and use larger sample sizes.

ILLUSTRATION 3.8  High risk assertion with quantitative analysis

Audit risk = Inherent risk × Control risk × Detection risk
(Inherent risk × Control risk = Risk of material misstatement)

.01 = 1.00 × .80 × ?

.01 = 1.00 × .80 × .0125

In contrast, if inherent risk and control risk are low, the auditor can set detection risk as
high. Review Illustration 3.9 for an example of this situation. Remember, there is an inverse
relationship between the risk of material misstatement (inherent and control risks combined)
and detection risk (as set by the auditor). By setting detection risk as high, auditors reduce
the level of reliance placed on their detailed testing of the account balance or transactions.
Auditors are not eliminating the detailed testing of account balances and transactions; rather,
they are acknowledging that the account, transaction class, or assertion is low risk. If risk of
material misstatement is low, then extensive detailed testing is not required.

ILLUSTRATION 3.9  Low risk assertion with qualitative analysis

Audit risk  =  Inherent risk    Control risk    Detection risk
Low            Low              Low             High

(Inherent risk and control risk together make up the risk of material misstatement.)

Audit Reasoning Example  Low Risk Assertion

A client sells concrete pipe and has a high-voltage fence surrounding the pipe inventory. Inherent
risk is low for the existence assertion of inventory as concrete pipe is very heavy and difficult to
move. It is unlikely that recorded pipe does not exist. After testing that the security system is
working and has been operational throughout the year, the auditor can set control risk low. In this
case, the auditor will need to spend less time performing detailed audit procedures to determine
that recorded pipe actually exists.

Audit Reasoning Example  Low Risk Assertion


A client has implemented a strong system of internal controls over purchases of raw materials
(e.g., grain). Inherent risk is low for the accuracy assertion of recorded purchases as the pric-
ing of raw materials is not complex. After testing that programmed controls and related manual
follow-up are working properly, the auditor will verify that access to the program is limited to au-
thorized personnel and that the program has not been tampered with. When the auditor is satis-
fied the program is working well and the client’s controls are effective, the auditor can set control
risk as low. In this case, the auditor will spend less time performing detailed audit procedures on
raw materials to determine that the recorded amount is accurate.

Using the quantitative analysis, suppose auditors assess inherent risk and control risk
as low: 30% and 5%, respectively. Refer to Illustration 3.10 for the mathematical analysis.
Solving for detection risk, the answer would be a 67% risk that the auditors’ procedures
will not be effective in detecting a material misstatement. This is a stark contrast to the
detection risk of 1.25% in Illustration 3.8. But remember, as inherent risk and/or control risk
decrease, detection risk will increase, reflecting that less extensive substantive testing will
be conducted by auditors because the client’s internal controls are effective for the related
account balance and assertion.

ILLUSTRATION 3.10  Low risk assertion with quantitative analysis

Audit risk = Inherent risk × Control risk × Detection risk
(Inherent risk × Control risk = Risk of material misstatement)

.01 = .30 × .05 × ?

.01 = .30 × .05 × .667

The quantitative analysis highlights the role of detection risk in changing how auditors
respond to their client’s risk of material misstatement. As stated earlier, inherent risk and
control risk are the client’s risks, and the auditor has no control over them. Auditors can only
assess the level of inherent and control risks. Auditors can control detection risk by planning
to perform more or less detailed audit procedures. The components of the model can be rear-
ranged to solve for detection risk as follows:

DR = AR ÷ RMM
where:
DR = Detection risk
AR = Audit risk
RMM = Risk of material misstatement

The examples provided in this section are extremes. The reality will often fall some-
where in between, where inherent risk is high, but the client has an effective system of
internal controls in place to mitigate that risk. For example, a client sells high-end fashion
clothing and has effective security and controls, so the risk of material misstatement for the
existence assertion of inventory is low. Alternatively, if inherent risk is low, the client may
not consider it worthwhile investing in sophisticated control procedures (that is, any benefit
is perceived to exceed the cost). For example, a client sells concrete pipe and has minimal
security controls because the pipe would be very difficult to steal. In both cases, auditors will
perform less extensive audit procedures when testing the existence of inventory.

Cloud 9 - Continuing Case

Cloud 9 sells athletic shoes and apparel. The shoes are likely to “go out of fashion” reasonably
quickly, making obsolescence a big issue. These factors affect the inherent risk of inventory
valuation. There is also a risk of errors occurring in transactions with suppliers and customers,
which will affect inventory balances. How high is the control risk? Much to Suzie’s delight, Ian
suggests they will be able to make better assessments of both inherent and control risk for all
assertions once they have a better understanding of the client and its system of internal control.

Before You Go On
4.1 Why is an attitude of professional skepticism important for auditors?
4.2  What is significant risk?
4.3 What are the components of the audit risk model?
4.4 What is the relationship between risk of material misstatement and detection risk?

Audit Strategy

Learning Objective 5
Explain how auditors determine their audit strategy and how audit strategy affects
audit decisions.

The results of the auditor’s determination of materiality and audit risk lead to the development
of an overall audit strategy. The audit strategy provides the basis for developing an
audit plan that details the nature, extent, and timing of audit procedures to be performed.
The nature of an audit procedure refers to what type of procedure will be used, such as
tests of controls or substantive procedures. The auditor also needs to determine that the
evidence collected is both reliable and relevant to the assertion being tested. The extent of
an audit procedure refers to how much testing will be done, for example, how large of a
sample size to use. Detection risk influences decisions about sample size. For example, when
detection risk is low, auditors will use larger sample sizes than when detection risk is high.
The timing of an audit procedure refers to when it will be performed. The determination
of when procedures will be performed is dependent on the effectiveness of the client’s
controls and will be further discussed below. The process of developing an audit strategy helps
auditors allocate audit resources efficiently and make decisions such as which audit staff will
be assigned to the audit, a time budget for the completion of the audit, and a schedule for
when certain audit procedures will be performed.

audit strategy: the determination of the amount of time spent testing the client’s internal
controls and conducting detailed testing of transactions and account balances

nature of an audit procedure: the determination of what type of audit procedure to use, such
as tests of controls or substantive procedures

tests of controls (controls testing): audit procedures designed to evaluate the operating
effectiveness of controls in preventing, or detecting and correcting, material misstatements at
the assertion level

substantive procedures (substantive testing or tests of details): audit procedures designed to
detect material misstatements at the assertion level

extent of an audit procedure: the determination of the quantity of audit procedures to be
performed

timing of an audit procedure: the determination of when an audit procedure is to be performed

Illustration 3.11 illustrates a general timeline of when audit activities occur for the audit
of a client that uses a calendar year-end. Most of the audit planning and risk assessment
occur during the second and third quarters of the client’s accounting year. The period referred
to as “interim” is typically during the latter part of the third quarter and into the fourth
quarter. The “year-end” period is just before the client’s balance sheet date and the 4- to 6-week
period after the client’s year-end. The period is referred to as “year-end” because the client’s
accounting year has substantially finished and the account balances reflect the totals for the
year under audit. In the audit of private companies, many times the auditor will not begin
“year-end” procedures until several weeks after year-end when the client has completed all
year-end closing procedures. This timeline will be a helpful resource for you as we discuss
audit strategy and activities occurring during the different phases of the audit. The remainder
of this section discusses two broad audit strategies that auditors can follow. These strategies
are detailed in depth in AU-C 330 Performing Audit Procedures in Response to Assessed Risks
and Evaluating Audit Evidence Obtained and AS 2301 The Auditor’s Responses to the Risks of
Material Misstatement.

ILLUSTRATION 3.11   Timeline of audit activities

Phases: Risk Assessment Phase, Risk Response Phase, Reporting Phase
Activities: Risk assessment and audit planning; Interim testing; Year-end substantive testing;
Issue audit report
Timeline markers: 1/1/2022, 6/30, 9/30, 11/30, 12/31/2022, 1/31, 2/15, 3/31/2023
Period covered by the 2022 financial statements: 1/1/2022 to 12/31/2022

Reliance on Controls Approach


An audit strategy is developed at the account or assertion level, such as for accounts re-
ceivable, inventory, and other line items on the financial statements. The first step is to
identify inherent risks at the account or assertion level during the risk assessment phase
when auditors are gaining an understanding of the client and the environment in which
it operates, which is discussed in depth in Chapter 4. If inherent risk is determined to be
high for an account or assertion, the next step is to determine if an internal control is in
place to mitigate the risk of a material misstatement. If an internal control is in place,
auditors will determine if the control is operating effectively—that is, does it work? Audi-
tors will usually perform tests of controls during interim testing. If results from the tests
of controls show the internal control is effective at preventing and/or detecting material
misstatements, auditors will conclude that control risk is low and overall risk of material
misstatement (RMM) is low. Recall that RMM is a function of both inherent risk and con-
trol risk. Therefore, an effective internal control can mitigate the high inherent risk for an
account or assertion.
If RMM is low, the audit strategy will be to rely more on the client’s internal controls
and less on the auditor’s substantive procedures. The nature, extent, and timing of substan-
tive procedures would be adjusted since the client’s internal control is strong. For example,
auditors may perform substantive procedures for balance sheet accounts one or two months
prior to year-end, rather than at year-end, and may decide to use smaller sample sizes since
RMM is low. Performing substantive procedures one or two months prior to year-end for
lower-risk accounts, rather than waiting to perform the procedures at year-end, helps au-
ditors use their time efficiently. The year-end time period can be more focused on perform-
ing substantive procedures for higher-risk accounts and assertions. Note that auditors can
never completely rely on a client’s system of internal controls and will always conduct some
substantive procedures to gather evidence regarding the account balances in the financial
statements.

Audit Reasoning Example  Existence of Inventory

Jennifer is auditing a private company that manufactures batteries for cell phones. The company
has good perpetual inventory records and inventory controls. In the prior year audit, tests of con-
trols confirmed the company had excellent internal controls over inventory. In planning this year,
based on inquiries with various client personnel, the system has not changed. Therefore, Jennifer
is planning to test controls at an interim date, and if this year’s tests of controls confirm that
controls continue to be strong, she will also perform substantive procedures on the existence of
inventory at an interim date.

Illustration 3.12 provides a diagram of the process used when developing the audit strat-
egy for an account or assertion. Notice that the left side of the diagram provides an overview
of the reliance on controls approach described in this section.

ILLUSTRATION 3.12  Process used when developing an audit strategy at the account or assertion level

Identify inherent risks at the account or assertion level
Determine whether an internal control(s) can mitigate the risk factor
  NO: Substantive Approach
  YES: Does the control(s) exist?
    NO: Substantive Approach
    YES: Test the control(s). Is the control(s) effective? Does it work?
      NO: Substantive Approach
      YES: Reliance on Controls Approach

Reliance on Controls Approach: Perform less extensive detailed substantive procedures at interim
Substantive Approach: Increase extent of detailed substantive procedures performed at year-end

Substantive Approach
Referring to Illustration 3.12, the substantive approach is detailed on the right side of the diagram.
The process for a substantive approach begins in the same way as a reliance on controls approach.
Auditors identify inherent risks at the account or assertion level during the risk assessment
phase. If inherent risk is determined to be high for an account or assertion, the next step is
to determine if an internal control is in place to mitigate the risk of a material misstatement.
If there is no internal control in place, auditors assess RMM as high since both inherent and
control risk are high. If there is an internal control in place, auditors may decide to test the
effectiveness of the internal control. The test of controls may reveal that the internal control
is not operating effectively. This situation would also cause auditors to assess RMM as high.
If RMM is high, the audit strategy will be to perform extensive detailed substantive pro-
cedures and place little or no reliance on the client’s internal controls. The nature, extent, and
timing of substantive procedures would be adjusted since the client’s internal control is weak
or nonexistent. For example, auditors will perform their substantive procedures at year-end so
the entire account balance can be tested rather than testing at interim when the account bal-
ance is not yet reflecting the entire year’s activity. Auditors will also use larger sample sizes and
perform more extensive substantive procedures since RMM is high and detection risk is low.
Illustration 3.12 illustrates the extreme of each approach, but auditors can also use a
blended approach. For example, if inherent risk is assessed as moderate or low, auditors may
decide to perform some tests of controls or not perform any tests of controls. The decision
regarding control testing would then impact the nature, extent, and timing of the substantive
procedures. Control risk and the testing of controls are discussed further in Chapters 6 and 8.
Essentially, the process of determining an audit strategy for an account or assertion is heavily
influenced by materiality, professional skepticism, and the risk of material misstatement.

Audit Reasoning Example  Valuation of Inventory

Jennifer is auditing a private company that manufactures batteries for cell phones. While the
company has good perpetual inventory records and inventory controls, Jennifer is concerned
about reported problems with lithium-ion battery fires. It is not clear that the industry has solved
these problems. The company has already noted a slowing in sales of one battery model. As a
result, Jennifer is concerned about the lower-of-cost-or-net-realizable-value (LCNRV) issues that
may arise by year-end. Will the company have problems selling the inventory of batteries on
hand at year-end? Because of the volatile market of lithium-ion batteries, Jennifer plans to audit
the valuation of inventory at net realizable value after year-end using a primarily substantive
approach.

Cloud 9 - Continuing Case

Suzie explains that Cloud 9’s audit could be planned and conducted in different ways, depending
on the audit strategy adopted. In fact, the overall audit strategy sets the scope, timing, and
direction of the audit, and guides the development of the detailed audit plan.
“What audit strategy would be suitable for Cloud 9? Start by thinking about the scope of the
audit,” she prompts. “The scope is about the different types of work we have to do—some audits
have extra requirements.”
“I suppose we should find out if Cloud 9 has any special requirements. The fact that it is a
public company means we must follow the PCAOB auditing standards and conduct an audit of
both the financial statements and the effectiveness of internal controls,” Ian suggests.
“That is a good start,” says Suzie. “What else?”
“Well, I can think of several other things, such as whether any other auditors will be involved,
whether there are any foreign currency translation issues, any industry-specific regulations
(although I don’t think this is as big an issue for clothing and footwear as it would be for
banks, for example), whether there are any service organizations involved such as payroll
services, and whether software-aided audit technology is going to be used.”
“Very good,” says Suzie. “That will do for now. What about timing issues? Are there any special
things we should take into account for Cloud 9?”
“What is the date the audit has to be finished?” asks Ian.
“Good question,” says Suzie. “We will have a deadline, so we obviously have to work toward it.”
“Also,” says Ian, “when are our staff available, and when are Cloud 9’s key people available to
talk to us?”
“Yes,” says Suzie. “This is all basic. But if we don’t ask these really important questions, we
will find ourselves unable to meet the deadline and perhaps under pressure to cut corners. We
also have to think about timing of requests to third parties for information. Now, can you think
of anything regarding the direction of the audit?”
“I understand about the extra requirements and working out the timing. But I don’t really know
what you mean by direction,” Ian says, confused.
“We have already discussed it to some extent,” Suzie explains. “Remember when we spoke about
the risk for Cloud 9 created by obsolescence of inventory, and errors occurring with transactions
with customers and suppliers? ‘Direction’ is about where we think there should be extra attention
because of higher risk, and how we give that extra attention. We could, for example, make sure
we have suitable experts available, if required, to value the inventory. This is also where we
bring in our work on materiality, both setting materiality for planning purposes, and identifying
the material account balances. In our plan, we need to allocate additional time to areas where
there may be higher risk of material misstatement. And, one of our biggest tasks will be
considering the evidence about the design and operating effectiveness of internal controls at
Cloud 9, which we haven’t yet considered in detail.”
“I see,” says Ian. “If we assess the internal controls as being strong, then we plan to do more
testing of controls (to confirm our assessment), and less testing of the underlying substance of
transactions and account balances. We have to put this in our plan now. But what if our first
thoughts about controls are wrong? Will our plan be wrong?”
“That happens,” replies Suzie. “That is why our initial plan is constantly changing as we gather
more information about the client. Particularly, as in this case, for a new client that we don’t
have a lot of detailed information on yet. However, we already know what accounts are important
to Cloud 9—the client’s previous years’ financial statements and interim results show us that.”

Before You Go On
5.1 What is the purpose of developing an overall audit strategy?
5.2  Describe the audit strategy when the auditor adopts a predominantly substantive approach.
5.3 Why would the auditors adopt a reliance on controls approach?

Fraud Risk

Learning Objective 6
Explain the fraud risk assessment process and analyze fraud risk.

During the risk assessment phase of the audit, auditors assess the risk of material misstatement
due to error or fraud. Error refers to an unintentional misstatement in amounts or
disclosures in the financial statements. Fraud, however, is an intentional act involving the use
of deception that results in the misstatement of financial statements that are being audited
(AU-C 240.11 and AS 2401.05). As you can imagine, fraud can be difficult to uncover because
the perpetrator(s) will go to great lengths to conceal the deception. Therefore, auditors should
adopt an attitude of professional skepticism to ensure any indicator of a potential fraud is
properly investigated. This means auditors must remain independent of the client, maintain
a questioning attitude, and search thoroughly for corroborating evidence to validate information
provided by the client. Auditors must not assume that past experience with the client’s
management and staff is indicative of the current risk of fraud.

error: an unintentional misstatement in amounts or disclosures in the financial statements

fraud: an intentional act through the use of deception that results in a misstatement in
financial statements that are the subject of an audit

Auditors should be alert for red flags [4] that indicate a fraud may have occurred. Examples
of red flags include:

•  Substantial discrepancy between financial growth and growth in related nonfinancial measures.
•  A high turnover of key employees.
•  Key employees with accounting or internal control responsibilities refusing to take leave.
•  Overly dominant management.
•  Poor compensation practices.
•  Inadequate training programs.
•  A complex business structure.
•  No (or ineffective) internal auditing staff.
•  A high turnover of auditors.
•  Unusual transactions such as large adjusting entries at the end of a period.
•  Weak internal controls.

[4] J. D. Wilson and J. J. Root, Internal Auditing Manual, 2nd ed. (Warren, Gorham & Lamont, 1989).

There are two kinds of fraud. Fraudulent financial reporting is intentionally misstating
items or omitting important facts from the financial statements. Misappropriation of
assets involves some form of theft. Illustration 3.13 provides examples of financial reporting
and misappropriation of assets frauds.

fraudulent financial reporting: intentional misstatements, including omissions of amounts
and disclosures in financial statements, to deceive financial statement users

misappropriation of assets: intentional theft of a company’s assets by employees

ILLUSTRATION 3.13   Examples of frauds

Fraudulent Financial Reporting

•  Improper asset valuations
•  Unrecorded liabilities
•  Timing differences such as bringing forward the recognition of revenues and delaying the
recognition of expenses
•  Recording fictitious sales
•  Capitalizing items that should be expensed
•  Inappropriate application of accounting principles

Misappropriation of Assets

•  Using a company credit card for personal use
•  Employees remaining on the payroll after ceasing employment
•  Unauthorized discounts or refunds to customers
•  Theft of inventory by employees or others
•  Using a company car for unauthorized personal use
•  Writing checks to fictitious vendors

The responsibility for preventing and detecting fraud rests with client management and
those charged with governance. Prevention refers to the use of controls and procedures aimed
at avoiding a fraud. Detection refers to the use of controls and procedures aimed at uncovering
a fraud should one occur. It is the responsibility of auditors to assess the risk of fraud and
the effectiveness of the client’s attempts to prevent and detect fraud via its internal control
system. When assessing the risk of fraud, auditors consider the fraud risk factors that may
be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a
fraud, and attitudes and rationalizations used to justify committing fraud (AU-C 240.A75).
Illustration 3.14 illustrates the fraud risk factors, which are explained in more depth in the
following sections.

fraud risk factors: conditions that indicate an incentive or pressure to commit fraud, provide an
opportunity to commit fraud, or indicate rationalizations to justify fraudulent actions

ILLUSTRATION 3.14  Fraud risk factors

Fraud, surrounded by three factors: Opportunity, Pressure, Rationalization

Professional Environment  Importance of Professional Skepticism

The PCAOB periodically issues Staff Audit Practice Alerts (“Alerts”). These Alerts “highlight
new, emerging, or otherwise noteworthy circumstances that may affect how auditors conduct
audits under the existing requirements of PCAOB standards and relevant laws.”5 The Alerts are
not rules of the board but are meant to provide guidance in the application of the standards.
Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, was issued on
December 4, 2012. The purpose of Alert No. 10 is to remind auditors of the requirement to
appropriately apply professional skepticism throughout the audit, but especially in situations
that involve significant management judgment and in the consideration of fraud.
During inspections of the work of registered accounting firms, PCAOB inspectors found many
instances of auditors failing to appropriately apply professional skepticism in certain aspects
of the audit. Alert No. 10 identifies some impediments to the application of professional
skepticism of which auditors should be aware. One impediment is unconscious human bias toward
client preferences. For example, auditors may feel pressure to maintain good client relationships
to ensure future audit engagements. This could cause auditors to rationalize or evaluate
information in a manner that is consistent with what the client wants rather than what would be
in the best interests of external users of the financial statements. Other examples of human bias
include an overconfidence in management, a desire to keep audit costs low, and/or a desire to
sell other services to the client.
Another impediment to the application of professional skepticism is the workload of the
auditors. Audit firms typically experience a “busy season” in which the audits of many of the
firm’s clients happen simultaneously. Audit team partners and managers may experience heavy
workloads and try to meet multiple deadlines simultaneously. They may feel pressure to complete
work too quickly, which could lead to gathering less evidence than is necessary, or to gathering
evidence that is the easiest to obtain rather than gathering evidence that is the most reliable
and relevant.

require that registered audit firms establish a system of quality control to provide reasonable
assurance that audit personnel are complying with professional standards. Some elements of a
firm’s quality control system that can help ensure the appropriate application of professional
skepticism include:

•  Firm culture—Communication from firm leadership should emphasize the application of
professional skepticism.
•  Performance appraisal, promotion, and compensation processes—Firm personnel should be
rewarded for adhering to professional standards in performing the audit rather than rewarded
for getting work done faster or selling more services to existing clients.
•  Professional competence and assigning personnel to engagement teams—Personnel assigned to
audit engagements should possess the appropriate technical training and experience required for
the client circumstances.
•  Documentation—All areas of the audit should be properly documented. This is especially
relevant for areas that require significant judgment.
•  Monitoring—If a firm identifies a deficiency in which there was a failure to appropriately
apply professional skepticism in performing the audit, the firm should take corrective action
and modify its procedures as needed.

It is the responsibility of the engagement partner to supervise the audit team members by being
actively involved in planning, directing, and reviewing the work of the other team members.
The partner and senior audit team members can help less experienced team members to apply
professional skepticism. More senior team members may also be better equipped to challenge
the financial reporting position of senior management when necessary. Ultimately, it is the
responsibility of each individual auditor on the engagement team to appropriately apply professional
What can auditors do to improve the application of profes- skepticism throughout the audit to better serve the interests of
sional skepticism throughout the audit process? PCAOB standards external users.

Incentives and Pressures to Commit a Fraud


In assessing the risk of fraud, auditors consider incentives and pressures faced by client personnel
to commit a fraud. While the examples provided below indicate that client personnel
may be inclined to commit a fraud, they in no way indicate that a fraud has definitely occurred.
When auditors become aware of any of these risk factors, in isolation or combination,
they plan their audit to obtain evidence in relation to each risk factor.
Examples of incentives and pressures that increase the risk of fraud include:

•  The client operating in a highly competitive industry.
•  A significant decline in demand for the client’s products or services.
•  Falling profits.
•  A threat of takeover.
•  A threat of bankruptcy.
•  Ongoing losses.
•  Rapid growth.
•  Poor cash flows combined with high earnings.
•  Pressure to meet market expectations and profit targets.
•  Planning to list on a stock exchange.
•  Planning to raise debt or renegotiate a loan.
•  The client being about to enter into a significant new contract.
•  A significant proportion of remuneration tied to earnings (that is, bonuses or stock options).

5 PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (December 4, 2012), www.pcaobus.org/standards/pages/guidance.

Audit Reasoning Example  Fraud at Toshiba: Part I

You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered
in Tokyo that makes consumer electronics, household electronics, office equipment, and
more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal
in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8
billion yen). What incentives and pressures were involved that led to the fraud? The technology
industry is extremely competitive and Toshiba’s upper management set aggressive profit targets.
The home electronics and appliances division was showing losses and the memory chip division
was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an
example, in September 2012, the head of the digital products and service division was told by the
CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about
how the external auditor would learn about the incentives given to lower-level management. How
might an internal auditor learn about these incentives?

Opportunities to Perpetrate a Fraud


After identifying one or more incentives or pressures to commit a fraud, auditors assess
whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their
knowledge of how other frauds have been perpetrated to assess whether the same opportunities
exist at the client. While the examples below of opportunities to commit a fraud suggest
a fraud may have been committed, their existence does not mean a fraud has definitely occurred.
Auditors must use professional judgment to assess each opportunity in the context of
other risk indicators and consider available evidence thoroughly.
Examples of opportunities that increase the risk that a fraud may have been perpetrated include:

•  Accounts that rely on estimates and judgment (discussed further in Chapter 9).
•  A high volume of transactions close to year-end.
•  Significant adjusting entries and reversals after year-end.
•  Significant related-party transactions (discussed further in Chapter 4).
•  Poor corporate governance mechanisms.
•  Poor system of internal control (discussed further in Chapters 6 and 8).
•  A high turnover of staff with accounting or internal control responsibilities.
•  A nonexistent or ineffective whistleblower system.
•  Reliance on complex transactions.
•  Transactions out of character for a business (for example, invoicing sales before delivery of the goods to customers).

6 E. Pfanner and M. Fujikawa, “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street Journal (September 7, 2015), https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473.
7 K. Nagata, “Pressure to Show a Profit Led to Toshiba’s Accounting Scandal,” The Japan Times (September 18, 2015), http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profit-led-to-toshibas-accounting-scandal/#.WNJjNmQrLjA.

Audit Reasoning Example  Fraud at Toshiba: Part II

Returning to the Toshiba fraud, what opportunities existed at Toshiba for such a massive fraud to
occur? Overall, there was a lack of internal controls in upper management and an unethical corporate
culture led by upper management. Controls that did exist were overridden by upper management’s
pressure to show profits. Compounding the problem was the Japanese culture of obedience, which
disallows subordinates refusing orders from upper management. One of the areas that was heavily
manipulated was estimates involving long-term projects. Estimation techniques relied heavily on
internal data, and internal controls over the estimation process were easily overridden by upper
management.8 It is easier to see these risk factors with hindsight. However, if you were working on
the Toshiba audit, could you find the warning signs and adjust the audit appropriately?

Attitudes and Rationalization to Justify a Fraud


Together with the identification of incentives, pressures, and opportunities to perpetrate
a fraud, auditors assess the attitudes and rationalization of client management and staff
to fraud. Attitude refers to ethical beliefs about right and wrong, while rationalization
refers to an ability to justify an act. While the examples below indicate that a fraud may
occur in companies where these characteristics are identified, they do not mean a fraud
has occurred.
Examples of attitudes and rationalizations used to justify a fraud include:

•  Management and employees who do not place a high priority on the entity’s value or
ethical standards.
•  Management attempts to justify marginal or inappropriate accounting, on the basis of
materiality, on a recurring basis.
•  An excessive focus on maximization of profits and/or stock price.
•  A poor attitude regarding compliance with accounting regulations.
•  Rationalization that other companies make the same inappropriate accounting choices.

Audit Reasoning Example  Fraud at Toshiba: Part III


In the Toshiba fraud, upper management’s rationalization for fraudulent financial reporting
was to maintain the company’s stock price by maximizing profits. One thing history tells us is
that fraud never successfully maintains the stock price nor maximizes profits. As a result of the
Toshiba fraud, the stock price dropped about 70% from May 2015 to February 2016. Nine members
of senior management resigned in the wake of the fraud, including the CEO at the time the
scandal was made public, and two former CEOs who were still with the company but in different
roles.9 Toshiba is also being sued by multiple groups, including a Japanese bank seeking 1 billion
yen ($8.7 million) in damages on behalf of its pension fund clients, 45 overseas institutional investors
seeking 16.7 billion yen in damages, and 15 different groups and individuals in Japan seeking
a total of 15.3 billion yen.10

In future chapters on internal control, we will discuss the importance of “tone at the top” and
the control environment. While a goal of management is to maximize profits, auditors must be alert
to a management that is willing to give tacit approval of fraud in order to keep the share price high.

8 “Toshiba Accounting Scandal,” Summary for a meeting of the International Ethics Standards Board for Accountants (IESBA), Agenda item F-2 (September 2015), https://www.ethicsboard.org/system/files/meetings/files/Agenda_Item_F-2_-_Toshiba_Accounting_Scandal_0.pdf.
9 Ibid.
10 T. Uranaka and M. Yamazaki, “Trust Banks Plan to Sue Toshiba over 2015 Accounting Scandal,” Reuters (January 30, 2017), http://www.reuters.com/article/us-toshiba-accounting-idUSKBN15E03A.

Fraud Risk Assessment Process


Perpetrators of fraud will go to great lengths to hide their activities from auditors. That is why
auditors must maintain an attitude of professional skepticism and a questioning mindset, and
investigate any indicators of potential fraud. The primary procedures auditors use in the fraud
risk assessment process are brainstorming among the audit team members and inquiry of
management and others internal or external to the client.
Auditors are required to discuss among the audit team members the susceptibility
of the client’s financial statements to a material fraud. This discussion usually takes place
in a “brainstorming session” in which members of the audit team are encouraged to share
thoughts and ideas about how a fraud might be conducted and concealed (AU-C 240.15 and
AS 2110.52). The discussion includes topics related to gaining an understanding of the entity
and its environment as these topics are also related to risk of fraud. For example, discussions
about changes in the client’s industry or changes in the client’s internal controls lead to ideas
about why management would have an incentive or opportunity to commit fraud. The brainstorming
session also serves as an opportunity for more senior members of the audit team to
share important information about the client with new members of the audit team. The audit
team members should be encouraged to share information about fraud risk at any time during
the performance of the audit.
Auditors inquire of management and other client personnel about any knowledge of
fraud that has occurred. They inquire about specific internal controls that management has in
place to prevent and detect fraud, and how often these controls are monitored and modified as
needed. The client’s audit committee of the board of directors (discussed further in Chapter 4)
should also be involved in the assessment of fraud risk. Auditors should directly inquire of the
audit committee members regarding their role in fraud prevention and detection. If the client
has an internal audit function, auditors also make inquiries about fraud risk assessment of
the internal auditors. Auditors may also consider inquiry of external parties, such as vendors
and customers, if necessary. Auditors must extensively document their fraud risk assessment.
The documentation should provide details of the brainstorming session, including when it
took place and the audit team members who participated. The significant risks identified by
auditors and the planned audit response to those risks are also documented.

Cloud 9 - Continuing Case


Suzie explains fraud risk is always present, even though actual fraud is reasonably rare, and auditors must explicitly consider it as part of their risk assessment. Being aware of the incentives, pressures, opportunities, and attitudes within the client relating to fraud helps the auditor make the assessment. Ian admits he has a little trouble understanding the difference between incentives and attitudes. He thinks he understands the concept of opportunity.

Suzie explains that incentives relate to the factor that pushes (or pulls) a person to commit a fraud. Examples include a need for money to pay debts or gamble. Attitudes, or rationalization, relate to the thinking about the act of fraud. For example, the person believes it is acceptable to steal from a mean boss; that is, the theft is justified by the boss’s “meanness.”

Before You Go On
6.1 What are the responsibilities of the client and the auditor when it comes to fraud?
6.2  Explain four incentives and pressures that increase the risk of fraud.
6.3 Explain four opportunities that increase the risk of fraud.

Learning Objectives Review


1  Evaluate client acceptance and continuance decisions.

Factors to consider include the integrity of the client, such as its reputation and its attitude to risk, accounting policies, and internal controls (see Illustration 3.1). An auditor will gain an understanding of the client via communication with the client’s prior auditor (in the case of a client acceptance decision), staff, management, and other relevant parties. The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter, which sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client.

2  Identify the different phases of an audit.

The phases of an audit include risk assessment, risk response, and reporting. During the risk assessment phase, an auditor will gain an understanding of the client, identify risks, set the planning materiality, and develop an audit strategy. During the risk response phase, an auditor will execute the detailed testing of controls, account balances, and transactions. The final phase of every audit involves reviewing all of the evidence gathered throughout the audit and arriving at a conclusion regarding the fair presentation of the client’s financial statements. The auditor will then prepare an audit report that reflects the auditor’s opinion based upon the audit findings.

3  Explain and apply the concept of materiality.

Information is considered to be material if it impacts the decision-making process of users of the financial statements. Planning materiality guides audit planning and testing for the financial statements as a whole. Performance materiality is an amount less than planning materiality that is determined at the account balance, class of transactions, or disclosure level. Auditors consider both quantitative and qualitative factors when determining materiality.

4  Explain professional skepticism and apply the audit risk model.

Auditors are required to maintain professional skepticism, or a questioning attitude, during the planning and performance of an audit. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. The three components of audit risk are inherent risk, control risk, and detection risk. The risk of material misstatement consists of inherent risk and control risk. Both professional skepticism and audit risk are key concepts used by the auditor when developing an audit strategy.

5  Explain how auditors determine their audit strategy and how audit strategy affects audit decisions.

The assessed level of the risk of material misstatement (RMM) for an account or assertion drives the development of the audit strategy and the nature, extent, and timing of audit procedures to be performed. If RMM is low, the auditors may rely on a controls approach. Under this approach, the auditors will extensively test internal controls to determine if they are effective, and spend less time performing substantive procedures. If RMM is high, the auditors may pursue a substantive approach. Under this approach, the auditors will spend little or no time testing internal controls and will focus their efforts on performing substantive procedures on the year-end account balance and assertions.

6  Explain the fraud risk assessment process and analyze fraud risk.

Error is an unintentional misstatement in an amount or disclosure in the financial statements. Fraud is an intentional act using deception that results in the misstatement of the financial statements that are being audited. The two kinds of fraud are financial reporting fraud and misappropriation of assets. When assessing the risk of fraud, the auditors should consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing a fraud. The primary procedures that auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external to the client.

Key Terms Review


Assertions
Audit risk
Audit strategy
Control risk
Detection risk
Engagement letter
Error
Extent of an audit procedure
Fraud
Fraud risk factors
Fraudulent financial reporting
Inherent risk
Materiality
Misappropriation of assets
Nature of an audit procedure
Performance materiality
Professional skepticism
Qualitative materiality
Quantitative materiality
Reporting phase
Risk assessment phase
Risk of material misstatement
Risk response phase
Significant risk
Substantive procedures
Tests of controls
Timing of an audit procedure

Audit Decision-Making Example

Background Information

You have been assigned to the audit of inventory for a private company that owns and operates a chain of retail jewelers. The company’s sales revenue has grown by 300% in the last two years, primarily by acquisitions. Seventy-eight percent of the value of the company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s inventory system. As a result, the company is currently operating with three different inventory-control systems. The core inventory system being used by retail stores represents 65% of sales. Sixty percent of inventory was tested in the prior year and controls over the existence of inventory were effective.

The CFO’s top priority is to put all retail operations under this one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected gross margins at some of the acquired stores, and he expects that better inventory control will improve this situation. In addition, gold prices have risen 15% in the last 12 months, and the company is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of Africa. Your responsibility is to develop an audit strategy for testing the existence of inventory.

Identify the Audit Issue

The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence

Important information includes:

•  A significant portion of the inventory is high in value, small in size, and susceptible to theft.
•  A good system of internal controls may not be operating effectively and uniformly.
•  The weak gross margins in some stores may be evidence of inventory shrinkage or theft.
•  Fraud risk may be high in some locations due to the opportunity offered by weak internal controls.
•  The auditor needs to determine how internal controls affect audit strategy, and whether the auditor wants one audit strategy for part of the inventory and another audit strategy for another part of the inventory.

Analysis and Evaluation of Alternatives

Analysis of risk:

•  Inherent risk factors include valuable inventory that is subject to theft and misappropriation.
•  Internal controls are not uniform. Based on prior year’s evidence and a preliminary understanding of the system in the current year, strong internal controls appear to operate over only 60% of the inventory.
•  It may be more efficient to physically inspect inventory as of one date and use one audit strategy for all inventory testing.
•  Fraud risk is considered to be high at locations where inventory controls are not strong.

Conclusions Regarding Audit Strategy for the Existence of Inventory

•  Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation.
•  Control risk is set at high, as 40% of inventory may not have sufficient internal controls.
•  Fraud risk is considered high due to the opportunity offered by weak internal controls.
•  This results in setting detection risk at low.
•  Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1.  (LO 1)  If a prospective new audit client does not allow the auditor to contact its existing auditor:
a.  the auditor should contact the existing auditor anyway because it is their duty.
b.  the auditor should consider that a negative factor on the integrity of client management.
c.  the existing auditor should contact the new auditor to tell them all about the client.
d.  the auditor should respect the prospective client’s right to privacy.

2.  (LO 2)  The risk assessment phase of an audit does not include:
a.  gaining an understanding of the client.
b.  audit execution and reporting.
c.  identification of factors that may affect the risk of a material misstatement in the financial statements.
d.  development of an audit strategy and a risk and materiality assessment.

3.  (LO 3)  Which of the following is an example of a qualitative materiality factor?
a.  The client is experiencing a slowdown in sales and is struggling to pay vendors on time.
b.  Inventory represents 40% of current assets.
c.  The client installed a new security system to protect the building.
d.  Total salaries expense is greater than 5% of income before taxes.

4.  (LO 4)  An attitude of professional skepticism means:
a.  the auditor can rely on past experience to determine current risk of fraud.
b.  any indicator of fraud is properly investigated.
c.  the auditor can rely on management assertions.
d.  the auditor is independent of the client.

5.  (LO 4)  An auditor will identify accounts and related assertions at risk of material misstatement:
a.  after testing internal controls.
b.  after writing the audit report.
c.  to plan the audit to focus on those accounts.
d.  to eliminate audit risk.

6.  (LO 4)  Which component of audit risk can the auditor control?
a.  Inherent risk.
b.  Control risk.
c.  Financial risk.
d.  Detection risk.

7.  (LO 5)  Obtaining positive results from testing controls means that:
a.  the auditor can completely rely on a client’s system of internal controls.
b.  no substantive testing is required.
c.  the auditor can plan to reduce the reliance on detailed substantive testing of transactions and account balances.
d.  materiality will be set at a low dollar amount.

8.  (LO 5)  The audit strategy known as the predominantly “substantive approach”:
a.  is appropriate when internal controls are very strong.
b.  means the auditor will spend minimum effort testing the client’s system of internal controls.
c.  requires the auditor to conduct extensive control testing.
d.  means the auditor will conduct some interim testing and minimal year-end account-balance testing.

9.  (LO 5)  The audit strategy known as “reliance on controls approach”:
a.  is appropriate when internal controls are minimal.
b.  means the auditor will spend minimum effort testing the client’s system of internal controls.
c.  requires the auditor to conduct extensive control testing.
d.  means the auditor will conduct extensive year-end account-balance testing.

10.  (LO 6)  An example of an incentive or pressure that increases the risk of fraud is:
a.  the client operates in a highly competitive industry.
b.  the client has a history of reporting losses.
c.  a significant percentage of management pay is tied to earnings.
d.  All of these answer choices are correct.

Review Questions
R3.1  (LO 1)  Why are there procedures governing the client acceptance or continuance decision? Explain why auditors do not accept every client.

R3.2  (LO 1)  What is the purpose of the engagement letter? Are all engagement letters the same?

R3.3  (LO 2)  Explain the relationship between the risk assessment, risk response, and reporting phases of an audit.

R3.4  (LO 2)  Are all audits the same? Why might an audit change from year to year?

R3.5  (LO 3)  How does the auditor’s assessment of planning materiality affect audit planning? What does an auditor consider when making the preliminary assessment of planning materiality?

R3.6  (LO 3)  The quantitative materiality of an item is assessed relative to a particular benchmark. What are some of the choices for this benchmark, and what factors guide the auditor in this choice?

R3.7  (LO 3)  Explain the relationship between planning materiality and performance materiality.

R3.8  (LO 3)  Explain how setting a lower materiality level affects the number of items that are material and affects the decisions about the nature, extent, and timing of the audit procedures.

R3.9  (LO 4)  Consider this statement, “Auditors should only use professional skepticism when considering fraud risk.” Do you agree or disagree with this statement? Support your position.

R3.10  (LO 4)  Explain the approach adopted by auditors of identifying accounts and related assertions at risk of material misstatement. How does this approach help reduce audit risk to an acceptably low level?

R3.11  (LO 4)  Consider the following statement: “When inherent and control risk are assessed as high, the risk of material misstatement is assessed as high, and an auditor will set detection risk as low to reduce audit risk to an acceptably low level.” Explain what it means to set detection risk as low. What does this mean for the operation of the audit?

R3.12  (LO 5)  If auditors adopt a predominantly substantive approach to the audit, do they have to consider and test the client’s internal controls? Explain.

R3.13  (LO 5)  If auditors adopt a reliance on controls approach, do they have to perform any substantive procedures? Explain.

R3.14  (LO 5)  A client has physical controls over inventory, including a locked warehouse with access restricted to authorized personnel. Testing of these physical controls over inventory shows that they are very effective. Can the auditor conclude that the valuation assertion for inventory is not at risk? Explain.

R3.15  (LO 6)  In the context of fraud, explain the differences between (1) incentives and pressures, (2) opportunity, and (3) attitudes and rationalization. Why is it important for an auditor to consider client systems relevant to all three concepts?

R3.16  (LO 6)  In the context of fraud risk assessment, what is the purpose of the brainstorming session?

Analysis Problems
AP3.1  (LO 1)  Basic   Client continuance  Star Software is a client of Jones & Parker, LLP. Star has
experienced increased competition in its industry that has resulted in decreased profits over the last three
years. In an effort to stay financially sound, Star is considering employee layoffs to decrease expenses.
Star is planning significant layoffs in the accounting and finance department and within the internal audit
function. Star management feels that internal controls are well established and fewer employees are
needed to monitor the internal control system. Also, since the accounting function is heavily dependent
on IT, fewer employees are needed to keep track of the company’s accounting data.

Required
What issues should Jones & Parker consider when deciding whether to continue the client relationship
with Star Software? If Star were your client, would you continue to be the auditor? Explain.

AP3.2  (LO 1)  Moderate   Research   Client acceptance decision  The audit committee of the
board of directors of WaterFun Corporation asked DDD LLP to audit WaterFun’s financial statements for
the 2022 fiscal year. DDD requested permission to communicate with the predecessor auditor and was
granted permission by WaterFun’s management to do so.

Required
a.  What inquiries should DDD make of the predecessor auditor?
b.  Assuming that DDD is satisfied with the results of the communication with the predecessor auditor,
the next step is to draft an engagement letter that will be presented to the audit committee of WaterFun.
Discuss the key items that should be included in an engagement letter. (Research AU-C 210.A23
to provide a full response. ASB standards can be accessed at the AICPA website, www.aicpa.org).
c.  What if WaterFun’s management does not grant permission for DDD to communicate with the predecessor
auditor? What action would DDD take next?

AP3.3  (LO 1)  Challenging   Public Company   Client acceptance decision  Godwin, Key &
Associates is a small, but rapidly growing, accounting firm. Its success is largely due to the growth of several
clients that have been with the firm for more than five years. One of these clients, Carolina Company
Inc., is preparing to transition from a private company to a publicly traded company and must comply
with additional reporting regulations. Carolina Company’s rapid growth has meant that it is financially
stretched, and its accounting systems are struggling to keep up with the growth in business. The client
continuance decision is about to be made for the next fiscal year.
The managing partner of Godwin, Key & Associates, Rebecca Sawyer, has recognized that the firm
needs to make some changes to deal with the issues created by the changing circumstances of its major
client and the firm’s overall growth. She is particularly concerned that the firm could be legally liable if
Carolina Company’s financial situation worsens and it fails.

Required
Evaluate the factors that Rebecca should consider when making the client continuance decision for
Carolina Company Inc. for the next fiscal year.

AP3.4  (LO 3)  Basic   Materiality assessment  Mark Jackson is the manager on the audit team for
a new client, Central Companies (CC). CC is a home appliance and lighting retailer specializing in
high-end kitchen equipment and specialty light fixtures. The client engaged Mark’s accounting firm in
August 2022 in preparation for the December 31, 2022, audit. From January 2022 onward, CC has
consistently paid its inventory suppliers late, well past the suppliers’ agreed-upon credit terms. Some
suppliers are even demanding cash on delivery from CC and no longer extending credit. Mark is also
aware from his review of correspondence between CC and its bank that the company has been
experiencing cash flow problems since 2021.

Required
Discuss how this information impacts Mark’s assessment of planning materiality for CC.

AP3.5  (LO 3, 4)  Moderate   Audit risk components and materiality  Carl’s Computers imports
computer hardware and accessories from China, Japan, and South Korea. It has branches in every U.S.
capital city, and the main administration office and central warehouse are in Chicago, Illinois. There
is a branch manager in each store plus a number (depending on the size of the store) of full-time staff.
There are also several part-time staff who work on weekends since the stores are open both Saturday and
Sunday. Either the branch manager or a senior member of the full-time staff is on duty at all times to
supervise the part-time staff. Both part-time and full-time staff members are required to attend periodic
company training sessions covering product knowledge and inventory- and cash-handling requirements.
The inventory is held after its arrival from overseas at the central warehouse and distributed to each
branch on receipt of an inventory transfer request authorized by the branch manager. The value of
inventory items ranges from a few cents to several thousand dollars. Competition is fierce in the computer
hardware industry. New products are continuously coming onto the market, and large furniture and office
supply discount retailers are heavy users of advertising and other promotions to win customers from
specialists like Carl’s Computers. Carl’s Computers’ management has faced difficulty keeping costs of supply
down and has started to use new suppliers for some computer accessories such as printers and ink.

Required
a.  Evaluate the inherent risks for inventory for Carl’s Computers. How would these risks affect the
accounts?
b.  Identify strengths and weaknesses in the inventory control system.
c.  Comment on materiality for inventory at Carl’s Computers. Is inventory likely to be a material
balance? Would all items of inventory be audited in the same way? Explain how the auditor would deal
with these issues.

AP3.6  (LO 4)  Basic   Audit risk and revenue  Ajax Finance Inc. (Ajax) provides small and
medium-sized personal, car, and business loans to clients. It has been operating for more than 10 years
and has always been run by Bill Short. Bill has been the public face of the finance company, appearing
in most of its television and radio advertisements, and developing a reputation as a friend of the “little
person” who has been mistreated by the large finance companies and banks.
Ajax’s major revenue stream is generated by obtaining large amounts on the wholesale money
market and lending in small amounts to retail customers. Margins are tight, and the business is run as a
“no frills” service. Offices are modestly furnished, and the mobile lenders drive small, basic cars when
visiting clients. Ajax prides itself on full disclosure to its clients, and all fees and services are explained
in writing to clients before loans are finalized. However, although full disclosure is made, clients who do
not read the documents closely can be surprised by the high exit charges when they wish to make early
repayments or transfer their business elsewhere.
Ajax’s mobile lenders are paid on a commission basis. They earn more when they write more loans.
For example, they are encouraged to sell credit cards to any person seeking a personal loan. Ajax receives
a commission payment from the credit-card companies when it sells a new card, and Ajax also receives a
small percentage of the interest charges paid by clients on the credit card.

Required
Analyze the inherent and control risks for Ajax’s revenue. What type of misstatements would be most
likely for revenue?

AP3.7  (LO 4)  Basic   Control risk  All Tunes Satellite Radio (ATS) provides a subscription service to
satellite radio channels. Customers can pay for a subscription on a monthly basis, or pay for a year in
advance and receive a 15% discount. Approximately 53% of customers pay in advance. When ATS receives
payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the end of each
month as the satellite radio service is provided to customers, ATS makes an adjusting entry to recognize
subscription revenue. If controls over the recording of deferred revenue or the subsequent adjusting
entry are not functioning properly, then revenue transactions will not be properly classified.

Required
Analyze how the balance sheet and income statement may be at risk of material misstatement if controls
over the proper allocation of revenue are not functioning properly.

AP3.8  (LO 5)  Moderate   Audit strategy  All Tunes Satellite Radio (ATS) provides a subscription
service to satellite radio channels. Customers can pay for a subscription on a monthly basis, or pay for
a year in advance and receive a 15% discount. Approximately 53% of customers pay in advance. When
ATS receives payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the
end of each month as the satellite radio service is provided to customers, ATS makes an adjusting entry
to recognize subscription revenue. The audit team is planning a reliance on controls strategy to obtain
evidence of revenue recognition for ATS. The team will be testing internal controls over the recognition
of subscription revenue during interim.

Required
a.  Explain the type of audit strategy planned by the audit team for gathering evidence about revenue
recognition.
b.  Suppose during the interim testing of internal controls the team discovers a significant number of
instances in which subscription revenue received in advance is recognized immediately as revenue.
Analyze how the audit strategy will be impacted.

AP3.9  (LO 4, 5)  Challenging   Determining an audit strategy  Avery Island Dairy is a boutique
cheese maker based on Avery Island, Louisiana. Over the years, the business has grown by supplying
local retailers and through exports. In addition, there is a “farm-gate” shop and café located next to
the main processing plant on Avery Island serving tourists who also visit the other specialist food
and wine businesses in the region. Quality control over the cheese-manufacturing process and
storage of raw materials and finished products at Avery Island Dairy is extremely high. All members of
the business are committed to high product quality because any poor food-handling practices that
could result in a drop in cheese quality or contamination of the products would ruin the business
very quickly.
The export arm has become the largest revenue earner for the business and is managed by the
younger of the two brothers who have run Avery Island Dairy since it was established. Jim Guidry
has a natural flair for sales and marketing but is not very good at completing the associated detailed
paperwork. Some of the export deals have been poorly documented, and Jim often agrees to different
prices for different clients without consulting his older brother, Bob, or informing the sales department.
Consequently, there are often disputes about invoices, and Jim makes frequent adjustments to customer
accounts using credit notes when clients complain about their statements. Jim sometimes falls behind
in responding to customer complaints because he is very busy juggling the demands of making export
sales and running his other business, Café Consulting, which provides contract staff for the café
business at Avery Island Dairy.

Required
a.  Identify the factors that would affect the preliminary assessment of inherent risk and control risk at
Avery Island Dairy.
b.  Analyze how these factors would influence your choice between the predominantly substantive
approach and the reliance on controls approach for sales, inventory, and receivables.

AP3.10  (LO 4, 6)  Moderate   Public Company   Financial reporting fraud risk  Vaughan
Enterprises Inc. has grown from its beginnings in the steel fabrication business to become a multinational
manufacturer and supplier of all types of packaging, including metal, plastic, and paper-based
products. It has also diversified into a range of other businesses, including household appliances in Europe,
Australia, and Asia. The growth in the size of the business occurred gradually under the leadership of the
last two CEOs, both of whom were promoted from within the business.
At the beginning of last year, the incumbent CEO died of a heart attack and the board took the
opportunity to appoint a new CEO from outside the company. Despite the company’s growth, returns
to shareholders have been stagnant during the last decade. The new CEO has a reputation of turning
around struggling businesses by making tough decisions. The new CEO has a five-year contract with
generous bonuses for improvements in various performance indicators, including sales/assets, profit from
continuing operations/net assets, and stock price.
During the first year, the new CEO disposed of several components of the business that were not
profitable. Very large losses on the discontinued operations were recorded, and most noncurrent assets
throughout the business were written down to recognize impairment losses. These actions resulted in a
large overall loss for the first year, although a profit from continuing operations was recorded. During the
second year, recorded sales in the household appliances business in Europe increased dramatically, and,
combined with various cost-saving measures, the company made a large profit.
The auditors have been made aware through various conversations with middle management
that there is now an extreme focus on maximizing profits through boosting sales and cutting costs.
The attitude toward compliance with accounting regulations has changed, with more emphasis on
pleasing the CEO rather than taking care to avoid breaching either internal policies or external
regulations. The message is that the company has considerable ground to make up to catch up with other
companies in both methods and results. Meanwhile, the share price over the first year-and-a-half
of the CEO’s tenure has increased 65%, and the board has happily approved payment of the CEO’s
bonuses and granted the CEO additional stock options in recognition of the change in the company’s
results.

Required
a.  Analyze the incentives, pressures, and opportunities to commit financial reporting fraud, and
attitudes and rationalizations to justify a fraud in the above case.
b.  What fraudulent financial reporting would you suspect could have occurred at Vaughan?
c.  Explain why professional skepticism would be critical in assessing the risk of fraud.

AP3.11  (LO 6)  Moderate   Public Company   Fraud risk  Pelican Oil is a publicly traded oil and
gas company specializing in global exploration and offshore drilling. Even though Pelican has been
operating for almost 30 years, it is still considered a “newcomer” in the industry. The key leaders in the
industry are large conglomerates that have been operating for over 100 years.
Over the last 18 months, the global supply of oil has exceeded the demand, resulting in a significant
drop in oil prices. A drop in oil prices means decreased revenue for oil and gas companies of all sizes. For
smaller companies in the industry like Pelican, significant drops in oil prices are harder to withstand.
(The larger conglomerates are so well diversified that they have an easier time withstanding fluctuations
in the oil market.) In response to the drop in oil prices and decreased demand, Pelican has temporarily
suspended drilling operations and laid off employees in the field and in the corporate office.
You are preparing for the upcoming audit of Pelican. Looking at the interim financial statements
for the current year, you calculate an 18% decrease in revenue compared to the same interim period from
the previous year. You have been reading in the global financial news that the drop in oil prices has led to
increased fraud in the industry, with much of the fraud being committed by senior managers. The audit
team is meeting tomorrow to have a brainstorming session about fraud risk for Pelican Oil.

Required
To prepare for the brainstorming meeting, research online the types of fraud that occur in the oil and gas
industry. Assess the risk of fraud for Pelican Oil by discussing the fraud risk factors that may be present.

AP3.12  (LO 6)  Challenging   Fraud   Research   The auditor and the Ponzi scheme  Bernard
Madoff was convicted in 2009 of running a Ponzi scheme, the biggest in U.S. history. A Ponzi scheme is
essentially the process of taking money from new investors on a regular basis and using the cash to pay
promised returns to existing investors. The high and steady returns received by existing investors are the
attraction for new investors, but they are not real returns from investments.
As long as new investors keep contributing and existing investors do not seek redemptions (the
return of their money), the scheme continues. However, eventually, as in the Madoff situation,
circumstances change, the scheme is discovered, and the remaining investors find that their capital has
disappeared.
At age 71, Madoff was sentenced to prison for 150 years and will die in jail. Madoff’s auditor, David
G. Friehling, was accused of creating false and fraudulent audited financial statements for Madoff’s firm,
Bernard L. Madoff Investment Securities LLC. Prosecutors alleged that these fraudulent reports
covered the period from the early 1990s to the end of 2008.¹¹

Required
a.  Research the case against David Friehling. Write a report explaining his role in the Madoff Ponzi
scheme and the outcome of the legal action against him.
b.  Explain how Friehling’s actions violated U.S. auditing standards and professional ethics.

¹¹ D. Searcey and A. Efrati, “Sins and Admission: Getting into Top Prisons,” The Wall Street Journal: Europe
(July 17–19, 2009), p. 29; C. Bray and Efrati, “Madoff Ex-Auditor Set to Waive Indictment,” The Wall Street
Journal: Europe (July 17–19, 2009), p. 29.

Audit Decision Cases


King Companies, Inc.
Questions C3.1 and C3.2 are based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans
continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the
board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric
and Patricia are owned by friends and family who helped the Kings get started. Eric started the company
with one store after working in an auto parts store. To date, he has funded growth from an inheritance
and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to
five additional stores in the next few years.
In October 2021, Eric approached your accounting firm, Thornson & Danforth LLP, to conduct an
annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year
the audit has been requested by the company’s bank because of anticipated bank loans and by a new
private equity investor that has just acquired a 20% share of KCI.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts
delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the
company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal
to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any
annual vacations, and hardly any workers ever take sick leave.
There are two people currently employed as accounting staff, the most senior of whom is
Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in
his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan
keeps a close watch on accounting and does many activities himself, including opening mail, cash
receipts and vendor payments, depositing funds received, performing reconciliations, posting
journals, and performing the payroll function. His second employee, Abby Owens, is a recent college
graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting
all journal entries into the accounting system. Jonathan and Abby often help each other out in busy
periods.

C3.1  (LO 3, 4)  Challenging   Materiality and audit risk  Analysis and evaluation: What qualitative
factors in the background information would you consider when determining planning materiality for
the 2022 audit of KCI? Evaluate how each factor affects your assessed audit risk and your initial
assessment of the planning materiality.

C3.2  (LO 6)  Challenging   Assessing fraud risk


a.  Gather information: Identify and explain any significant fraud risk factors for KCI.
b.  Analysis: For each fraud risk factor you identify, analyze how the risk will affect your approach to
the audit of KCI.

Mobile Security, Inc.


Questions C3.3 and C3.4 are based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s
products are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military
product designs, both the facilities and records of MSI must be highly secured.
In October 2022, MSI installed a new cloud-based inventory costing system to replace a system
that had been developed in-house. The old system could no longer keep up with the complex and
detailed manufacturing costing process that provides information to support competitive bidding.
MSI’s IT department, together with the consultants from the software company, implemented the
new inventory costing system which went live on December 1, 2022. Key operational staff and the
internal audit team from MSI were significantly engaged in the selection, testing, training, and
implementation stages.
MSI’s fiscal year-end is June 30. The following table shows financial information for the first two
quarters of the fiscal year-end June 30, 2023 (amounts in millions). Note that the financial data listed
are for the three-month quarter ended (i.e., the second quarter does not include the first quarter data).

Item              1st Quarter   2nd Quarter
Total assets      $96.0         $92.0
Total revenues    33.0          31.0
Pretax income     3.2           2.8

The pretax income for the first two quarters is reasonable with a net profit margin falling between 8–10%
of sales. Based on prior years, pretax income for the third quarter usually holds steady relative to the
second quarter, but pretax income for the fourth quarter typically decreases by 20% over the third quarter
as governments reach the end of their spending budgets.

C3.3  (LO 4)  Challenging   Public Company   Assessing inherent risk  Gather information:
Considering both industry and entity factors, what are the major inherent risks in the MSI audit?

C3.4  (LO 3)  Challenging   Public Company   Assessing planning materiality  Analysis and
evaluation: Discuss the factors to consider when determining planning materiality for MSI. Calculate an
amount for planning materiality for the audit of fiscal year-end June 30, 2023.

Brookwood Pines Hospital


Question C3.5 is based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit
hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023
fiscal year end, and the audit is currently in the risk assessment phase.
The healthcare industry can be very complicated, especially in the area of billing for services
provided. BPH contracts with private physician groups who use the hospital facilities, equipment,
and nursing staff to treat patients. The physicians in the private group are not employees of the
hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists
have their own practice, separate from the hospital, where they treat patients. If one of the patients
needs a surgical procedure that must be done at a hospital, then the attending urologist will approve
the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so
they will refer patients to BPH rather than a competing hospital. One of the inducements BPH
offers is free office space in the hospital for the doctors to use when they are treating patients in the
hospital.
After the doctor and hospital services are provided to the patient, the patient and/or the patient’s
insurance company is billed. The doctor will bill for the services he or she provided, and the hospital
will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system
that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT,
and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a
narrative about the procedures performed. However, the coding system is very complex, with thousands of
different codes for medical procedures and diagnoses. To complicate matters even more, for patients
who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere
to complicated government regulations surrounding billings to Medicare and Medicaid.
As healthcare costs continue to rise each year, BPH administrators struggle to maintain
consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance
companies as quickly as possible. In addition, BPH must have a strong risk management team to
handle unique situations that may occur in hospitals, such as malpractice lawsuits and periodic
inspections by the state department of health and hospitals. Negative publicity for BPH could lead to
decreased revenues if physicians decide to contract with a competing hospital.

Required
a.  Gather information: Research online to learn more about common types of health care fraud.
Identify and explain any significant fraud risk factors for BPH.
b.  Analysis: Which financial statement accounts would you identify as being at significant risk for
material misstatement?

Cloud 9 - Continuing Case


W&S Partners has just won the January 31, 2023, audit for Cloud 9. The audit team assigned to this
client is:

•  Partner, Jo Wadley
•  Audit manager, Sharon Gallagher
•  Audit senior, Josh Thomas
•  IT audit manager, Mark Batten
•  Experienced staff, Suzie Pickering
•  First-year staff, Ian Harper

As a part of the risk assessment phase for the new audit, the audit team needs to gain an understanding
of Cloud 9’s structure and its business environment, determine materiality, and assess the risk of
material misstatement. This will assist the team in developing an audit strategy and designing the
nature, extent, and timing of audit procedures.
One task during the planning phase is to consider the concept of materiality as it applies to the
client. Auditors will design procedures to identify and correct errors or irregularities that would
have a material effect on the financial statements and affect the decision-making of the users of the
financial statements. Materiality is used in determining audit procedures and sample selections, and
evaluating differences from client records to audit results. Materiality is the maximum amount of
misstatement, individually or in aggregate, that can be accepted in the financial statements. In
selecting the benchmark to be used to calculate materiality, the auditors should consider the key
drivers of the business. They should ask, “What are the end users (that is, stockholders, banks, etc.)
of the accounts going to be looking at?” For example, will stockholders be interested in profit figures
that can be used to pay dividends and increase share price?
W&S Partners’ audit methodology dictates that one planning materiality (PM) amount is to be used for
the financial statements as a whole. The benchmark selected for determining materiality is the one
determined to be the key driver of the business.
W&S Partners use the following percentages as starting points for the various benchmarks:

Benchmark            Threshold (%)
Income before tax    5.0
Total revenue        0.5
Gross profit         2.0
Total assets         0.5
Equity               1.0

These starting points can be increased or decreased by taking into account qualitative client factors,
which could be:
•  The nature of the client’s business and industry (for example, rapidly changing, either through
growth or downsizing, or an unstable environment).
•  Whether the client is a public company (or subsidiary of) subject to regulations.
•  The knowledge of or high risk of fraud.
Typically, income before tax is used; however, it cannot be used if reporting a loss for the year or if
profitability is not consistent. When calculating PM based on interim figures, it may be necessary to
annualize the results. This allows the auditors to plan the audit properly based on an approximate
projected year-end balance. Then, at year-end, the figure is adjusted, if necessary, to reflect the
actual results.

Required
Answer the following questions based on the information presented for Cloud 9 in the appendix to this
text and in the current chapter and previous chapters.
a. Using the October 31, 2022, trial balance (in the appendix to this text), calculate planning
materiality and include the justification for the benchmark that you have used for your calculation.
b. Discuss how the planning materiality would be used to determine performance materiality.
c. If the planning materiality amount is subsequently increased or decreased later in the audit, how
would that impact the audit?

Chapter 4
Risk Assessment Part II
Understanding the Client

The Audit Process

[Figure: The Audit Process. Overview of Audit and Assurance (Chapter 1); Professionalism and
Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk Assessment
(Chapters 3 and 4), comprising Gaining an Understanding of the Client, Identify Significant Accounts
and Transactions, Set Planning Materiality, and Make Preliminary Risk Assessments; Gaining an
Understanding of the System of Internal Control (Chapter 6); Develop Responses to Risk and an Audit
Strategy; Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls
(Chapter 8); Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests
(Chapter 10); Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes
(Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13); Completing and
Reporting on the Audit (Chapters 14 and 15), comprising Procedures Performed Near the End of the
Audit, Drawing Audit Conclusions, and Reporting.]


Learning Objectives

LO 1  Apply procedures to gain an understanding of the client.
LO 2  Explain how clients measure performance and how it impacts the auditor’s risk assessment.
LO 3  Demonstrate how auditors use analytical procedures when assessing risk, including the use of
audit data analytics.
LO 4  Define related party transactions and explain how they affect the auditor’s risk assessment.
LO 5  Describe common corporate governance structures and how they impact the auditor’s risk
assessment.
LO 6  Explain how a client’s internal control and information technology (IT) can affect risk.
LO 7  Discuss how client closing procedures can affect risk and a client’s reported results.

Auditing and Assurance Standards

PCAOB

AS 1301  Communications with Audit Committees
AS 2110  Identifying and Assessing Risks of Material Misstatement
AS 2405  Illegal Acts by Clients
AS 2410  Related Parties

Auditing Standards Board

AU-C 250  Consideration of Laws and Regulations in an Audit of Financial Statements
AU-C 260  The Auditor’s Communication with Those Charged with Governance
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 550  Related Parties

Cloud 9 - Continuing Case


Ian knows there are many possible problems in an audit that would cause the auditor to issue the wrong
type of audit report, but he is struggling to understand why the audit team will spend time gaining an
understanding of a client. How does this help? Why aren’t audits all the same?
Suzie explains to Ian that issuing the wrong type of audit report is a risk the auditor always faces,
but the risk varies across audits. The variation in the risk is partly related to how well the audit
team performs its tasks, which is dependent on the team members’ levels of skill, effort, supervision,
and so on. But the variation in risk is also related to the particular characteristics of the client and
its environment. Some clients are more likely than others to have errors or deficiencies in their
accounting and financial reporting systems, operations, or underlying data. Even within one client’s
business, some areas are more likely to have problems than others. Suzie asks Ian to think about what
sort of problems Cloud 9’s draft financial statements are most likely to have, and why.

Chapter Preview: Audit Process in Focus


In Chapter 3, we began our discussion of risk assessment by considering the audit as a whole and
the development of a unique audit strategy for each client. This chapter focuses on the remainder of
the risk assessment process. Remember, the purpose of risk assessment procedures is to assess the
risk that a material misstatement, caused by error or fraud, could occur in the client’s financial state-
ments. The risk assessment procedures we discuss in this chapter include gaining an understanding
of the client, its industry, related party transactions, corporate governance, internal controls, the
information technology environment, significant accounts and transactions, and closing procedures.
Two sections of this chapter deal with performance measurement and analytical procedures.
By understanding how a client assesses its own performance, auditors gain insight into which
accounts may be at risk of material misstatement. Recall from Chapter 3 that the risk of material
misstatement is a combination of inherent risk and control risk. Many of the factors discussed
in this chapter impact the auditor’s assessment of inherent risk. Chapter 6 will discuss controls
a client might put in place to reduce control risk and the overall risk of material misstatement.

Understanding the Client


Learning Objective 1
Apply procedures to gain an understanding of the client.

We will continue the discussion of risk assessment procedures that was started in Chapter 3.
Illustration 4.1 presents the graphical depiction of risk assessment that was introduced in
Chapter 3 (Illustration 3.5). The concepts of materiality, professional skepticism, and audit
risk were discussed in Chapter 3, along with fraud risk assessment. The remaining risk assessment
procedures from Illustration 4.1 will be discussed in this chapter, starting with “Understand
the entity and the industry,” then proceeding clockwise.

Illustration 4.1   Risk assessment
[Figure: Materiality, Professional Skepticism, and Audit Risk; Risk Assessment procedures: Understand the entity and the industry; Compliance with laws and regulations; Client performance measurement; Analytical procedures; Related parties; Corporate governance; Understand internal controls and IT; Closing procedures; Fraud risk; Audit Strategy.]

Gain an Understanding of the Entity


It is important for auditors to understand a client’s business because often inherent risk is
related to underlying business risks. For example, what are some business risks of a fast-food
restaurant? Some that come to mind are high employee turnover, strong competition, and
quickly changing customer preferences. Would a high-end restaurant face the same business
risks as a fast-food restaurant? Since they are both in the food-service industry, there may
be some similarities, but there will also be different risks because they have different business
models, profit margins, and volumes of transactions. For example, a high-end restaurant
would be more at risk when the economy is suffering from a recession. Consumers may cut
back on spending, especially on luxury items such as an expensive meal at a high-end restaurant.
Auditors must approach each client as unique when gaining an understanding of the
entity, even if some clients are in the same industry.
AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement and AS 2110 Identifying and Assessing Risks of Material Misstatement
provide guidance on the steps to take when gaining an understanding of a client. How do
auditors develop a knowledgeable perspective about the entity and its risks when the auditors
are external and independent of the client? They use specific procedures such as interviewing
client personnel and others outside the entity, performing analytical procedures (covered in
depth later in this chapter), observing client operations, and inspecting documents. For example,
when auditors read the minutes of board of directors’ meetings, they are inspecting a
document (the minutes). By reading the minutes, auditors can gain an understanding of key
issues and strategic initiatives being discussed by the board. When gaining an understanding
of the client, auditors consider issues at both the entity and industry levels. For new clients,
this process is very detailed and time consuming. For a continuing client, this process is less
onerous and involves updating the knowledge gained on previous audits.
By gaining an understanding of the client, the auditor is in a stronger position to assess entity-level risks and the financial statement accounts that require closer examination. Entity-level risks often affect multiple accounts and assertions. For example, if management is close to breaching a debt covenant that requires maintaining a certain current ratio, management may have an incentive to either overstate current assets or understate current liabilities. This could be accomplished in a number of ways that could affect one or more current asset or current liability accounts. Alternatively, transaction-level risk affects only one transaction class, such as revenue and accounts receivable. Understanding the entity may illuminate both entity-level risks and transaction-level risks. Illustration 4.2 summarizes factors that can increase or decrease inherent risk in the client’s financial statements. Each factor in Illustration 4.2 is numbered, and the following paragraphs provide more discussion of each of these factors auditors consider when gaining an understanding of the client.

entity-level risk: client risk that affects multiple financial statement accounts, assertions, and transaction classes
transaction-level risk: client risk that affects only one transaction class, account, or assertion

(1) Major customers are identified so the auditor may consider whether those customers
have a good reputation, are on good terms with the client (that is, likely to remain a customer
in the future), and are likely to pay the client on a timely basis. Dissatisfied customers may
withhold payment, which affects the allowance for doubtful accounts and the client’s cash
flow, or decide not to purchase from the client in the future, which can affect the client’s
operations. If a client has only one or a few customers, this risk is increased if losing a major
customer would cause the client to significantly curtail operations. The auditor also considers
the terms of any long-term contracts between the client and the client’s customers.
(2) Major suppliers are identified to determine whether they are reputable and supply
quality goods on a timely basis. Consideration is given to whether significant levels of goods
are returned to suppliers as faulty, the terms of any contracts with suppliers, and the terms
of payment to suppliers. Auditors assess whether the client pays its suppliers on a timely
basis. If the client is having trouble paying its suppliers, it may have trouble sourcing goods
as suppliers may refuse transactions with a company that does not pay on time. Significant
cash flow issues may be an indicator of going concern problems.
Auditors identify whether the client is an (3) importer or exporter of goods. If the client
trades internationally, auditors consider the stability of the country (or countries) the client
trades with, the stability of the foreign currency (or currencies) the client trades in, tariffs or
other barriers to trade, the effectiveness of any risk management policies the client uses to
limit exposure to currency fluctuations (such as hedging policies), and the appropriateness of
accounting for realized and unrealized gains and losses.
Auditors consider the client’s capacity to adapt to (4) changes in technology and other
trends. If the client is not well-positioned to adjust to such changes, it risks falling behind
competitors and losing market share, which in the longer term can affect the client’s operations.
If the client operates in an industry subject to frequent change, it risks significant
losses if it does not keep abreast of such changes and “move with the times.” For example,
if a client sells laser printers, auditors need to assess whether the client is up to date with
changes in technology and customer demands for environmentally friendly printers. The
financial statement consequences could include losses for obsolete inventory and accruals
for loss contingencies associated with possible environmental cleanup.
The nature of any (5) warranties provided to customers is assessed by the auditors. If
the client provides warranties on products sold, auditors need to assess the likelihood that
goods will be returned and the risk the client has underprovided for that rate of return
(adequacy of the warranty liability). Auditors pay particular attention to goods being returned
for the same problems, indicating there may be a systemic fault. For example, if the
client sells quality pens and the auditors notice that a number of pens are being returned
because the mechanism to twist the pen open is faulty, auditors will assess the likelihood
that other pens will be returned for the same reason, the steps being taken by the client to
rectify the problem, and whether the warranty liability is adequate in light of this issue.
The financial statement impact would involve the adequacy of a warranty reserve and the
adequacy of reserve for lower-of-cost-or-net-realizable-value issues with inventory.

Illustration 4.2   Entity factors that influence inherent risk

| Lower Inherent Risk Assessments | Factors That Influence Inherent Risk | Higher Inherent Risk Assessments |
|---|---|---|
| Satisfied customers who pay on time and are likely to remain a customer in the future; Client has many customers | (1) Major customers | Dissatisfied customers who may withhold payment or decide to not purchase from the client in the future; Client has only one or very few customers |
| Reputable suppliers that supply goods on a timely basis; Few goods are returned to supplier as faulty; Client pays suppliers on a timely basis | (2) Major suppliers | Suppliers may not supply goods on a timely basis; Significant amounts of goods are returned to the suppliers because they are faulty; Client does not pay suppliers on a timely basis |
| Trades with countries that are stable; Trades in stable foreign currencies; Minimal tariffs or barriers to trade; Client maintains effective risk management policies regarding foreign trade | (3) Importer or exporter | Trades with countries that are not stable; Trades in unstable foreign currencies; Complex tariffs and other barriers to trade; Client does not maintain effective risk management policies regarding foreign trade |
| Client well-positioned to adjust to changes in technology | (4) Changes in technology | Client falls behind with changes in technology and has not “kept up with the times” |
| Client does not offer warranties on its products; If client does offer warranties, product quality is high and the likelihood that goods will be returned is low | (5) Warranties | Client offers warranties on its products; History of poor product quality and goods being returned for the same problem |
| Few discounts are given by the client to its customers; Client takes advantage of discounts offered by suppliers | (6) Discounts | Client offers discounts to its customers, possibly because it does not have much bargaining power; Client misses opportunities to take advantage of supplier discounts |
| Client has good reputation with customers, suppliers, employees, and the wider community in which it operates | (7) Client reputation | Client does not have a good reputation with customers, employees, and/or the wider community in which it operates |
| Client has few locations and primary operations are centralized; No international operations | (8) Operations | Client has larger number of locations and operations are decentralized; Multiple locations operated internationally |
| No recent implementation of new standards; No change in the application of accounting standards; Personnel involved in the selection and application of accounting standards are competent and experienced | (9) Selection and application of accounting principles | Recent implementation of new accounting standard; Change in the application of an accounting standard; Personnel involved in the selection and application of accounting standards lack competence and experience |
| Determination of account balance is objective and supported by transactions with third parties; Transactions are routine and relatively homogeneous; Account has low volume of transactions | (10) Significant accounts and classes of transactions | Determination of account balance involves considerable subjectivity; Transactions are complex and unique; Account has high volume of transactions |
| Less complex payroll system and benefit structures; Defined-contribution pension plans | (11) Relations with employees | More complex payroll system and benefit structures; Defined-benefit pension plans |
| Less reliance on debt for financing; Pays interest payments on time; Less risk of violating terms of debt covenants | (12) Sources of financing | Heavy reliance on debt as a source of financing; Struggles to pay interest payments on time; Higher risk for violating terms of debt covenants which could indicate going concern issues |
| Simple capital structure; Pays dividends from operating cash flow | (13) Ownership structure | Complex capital structure; Struggles to pay dividends from operating cash flow |

Auditors review the terms of (6) discounts given by the client to its customers and received
by the client from its suppliers. An assessment is made of the client’s bargaining power with its
customers and suppliers to determine whether discounting policies are putting profit margins
at risk, which may place the future viability of the client at risk.
Auditors consider the (7) client’s reputation with its customers, suppliers, employees,
shareholders, and the wider community. A company with a poor reputation places future profits
at risk and increases the risk of going concern issues. It is also not in the best interest of the
auditor to be associated with a client that has a poor reputation, as we discussed in Chapter 3.
Auditors gain an understanding of client (8) operations. Auditors note where the client
operates, the number of locations in which it operates, and dispersion of these locations.
The more spread out the client’s operations are, the harder it is for the client to effectively
control and coordinate its operations, which increases the risk of errors in the financial
statements. Auditors visit locations where inherent risk is greatest to assess the processes
and procedures at each site. If the client has operations interstate or overseas, auditors may
plan a visit to those sites by audit staff from affiliated offices at those locations where risk is
greatest. For example, an auditor is more likely to visit client operations if the client opens a
new, large site or if the business is located in a country where there is a high rate of inflation
or where there is a high risk of theft.
Auditors must gain an understanding of the client’s procedures for the (9) selection and
application of accounting principles. They need to know who oversees the financial reporting
process on a daily basis, an individual or a group, and consider the qualifications of those
involved. Client personnel with more experience generally are more competent at applying
complex accounting principles. Other considerations include whether the client has implemented
a new accounting standard or changed how an accounting standard is applied. Financial
reporting is already a complex process, but when implementing a new standard or
making changes with a current standard, inherent risk increases because of the possibility
of applying the accounting standard incorrectly.
(10) Significant accounts and classes of transactions are identified during the risk assessment
phase. Recall from Chapter 3 that a significant risk could be an account, transaction, or
activity that has an increased risk of causing a material misstatement on the financial statements.
For example, the inventory account would be a significant account for a large retail
client for several reasons. It is probably the largest current asset for the client, it has a large volume
of transactions, and some of the transactions may involve complex contractual arrangements
with suppliers. Auditors devote more audit time to the inventory account since it poses
a higher inherent risk. Another example would be a client’s process of determining if goodwill
has been impaired. Since there is subjectivity involved in the measurement of this financial
statement item, auditors may plan audit procedures to ensure adequate time is spent testing
the client’s goodwill impairment procedures. Keep in mind, an account or class of transactions
that is significant for one client may not be significant for other clients, even if they are in
the same industry. For example, not every client is going to have a goodwill account. Auditors
determine significant accounts and classes of transactions on a client-by-client basis.
An understanding is gained of the client’s (11) relations with its employees. Auditors
consider how a client pays its employees, the mix of wages and bonuses, and the attitude of
employees to their employer. The more complex a payroll system, the more likely it is that
errors can occur. Auditors might also expect more complex control systems when payroll
transactions are complex. When employees are unhappy, there is greater risk of industrial
action, such as strikes, which disrupt client operations.
Auditors assess a client’s debt and equity sources, the reliability of future (12) sources of
financing, the structure of debt, and the reliance on debt versus equity financing. Auditors
determine whether the client is meeting interest payments on debt and repaying debt when
it is due. If a client has a covenant with a lender, auditors need to understand the terms of
that covenant and the nature of the restrictions it places on the client. Debt covenants vary.
A company may, for example, agree to limit further borrowings, to freeze a line of credit for
a period of time, or to maintain a certain debt-to-equity ratio. If the client does not meet the
conditions of a debt covenant, the lender may recall the debt, placing the client’s liquidity
position at risk, and increasing the risk the client may not continue as a going concern.
Auditors learn about the client’s (13) ownership structure, such as the amount of debt
financing relative to equity, the use of different forms of shares, and the differing rights of
shareholder groups. The client’s dividend policy and its ability to meet dividend payments
out of operating cash flow are also of interest when evaluating whether an entity is a going
concern. Also, complex ownership arrangements and differing rights of shareholder groups
will require more complex disclosures by the client.

Audit Reasoning Example  Samsung Fire Fiasco

Most likely you are familiar with Samsung and own at least one Samsung product, such as a TV,
kitchen appliance, or laptop. Samsung has consistently been the top seller of smartphones worldwide,
and in 2017 Samsung had 21% of the global smartphone market share.1 In the third and
fourth quarters of 2016, Samsung experienced a public relations nightmare when some customers
had problems with their Galaxy Note 7 smartphones catching fire. An investigation determined
that the battery in the phone had the potential to catch fire when overheated. Samsung recalled
all of the nearly three million Galaxy Note 7 devices that had been sold and permanently ended
production of the device.2 Suppose you are on the audit team for the December 31, 2016, financial
statement audit for Samsung. How does the Galaxy Note 7 situation impact the inherent risk factors
listed in Illustration 4.2? Here are some examples:
•  Customers may decide not to purchase Samsung mobile devices in the future, which impacts
revenues and profits.
•  Samsung may consider switching battery suppliers, which could affect costs and product
quality.
•  Samsung must honor the warranty on the phone and issue refunds and/or replacement
products to customers, which impacts profits.
•  Samsung’s reputation was tarnished by the negative publicity, and the situation sparked
multiple lawsuits that will drag on for years and cost Samsung millions of dollars.

During the audit, you and the other audit team members would plan to give additional audit
attention to accounts and note disclosures directly impacted by the Galaxy Note 7 situation, such
as warranty-related accounts, inventory (lower-of-cost-or-net-realizable value), sales returns, and
contingent liability accruals.

Another important component of understanding the entity includes gaining an understanding
of the client’s system of internal controls as it relates to the audit. This includes
learning about the design of the client’s internal controls and the different components of the
client’s internal control system. Strong internal controls both reduce the likelihood of material
misstatement and change the nature of audit tests. A thorough discussion of gaining an understanding
of the client’s system of internal controls is covered in Chapter 6.

Cloud 9 - Continuing Case


Ian is starting to think about Cloud 9 more closely. He can remember something being said about Cloud 9 importing the shoes from a production plant in Vietnam and then wholesaling them to major department stores.
“OK,” says Suzie. “Let’s just take that one aspect of the operations and think about the issues that could arise.”
Ian realizes the department stores would be customers of Cloud 9 (although they should check that the stores actually purchase the shoes rather than hold them on consignment). If there were a mistake or a dispute with one of the stores, or if the store were in financial difficulty, the collectibility of accounts receivable would be in doubt, so assets could be overstated. If the store disputed a sale, or a sales return was not recorded correctly, sales (and profit) could be overstated. Is Cloud 9 liable for warranty expenses if the shoes are faulty? The auditors would need to read the terms of the contract to determine if a warranty liability should be recorded on the balance sheet. What about the balance of inventory? Do the shoes belong to Cloud 9 when they are being shipped from Vietnam, or only after they arrive at the warehouse? Is Cloud 9 exposed to foreign currency exchange risk and how is this accounted for?
Suzie points out that the answer to each of these questions could be different for Cloud 9 than for other clients because of its different circumstances. Auditors need to gain an understanding of these circumstances so they can assess the risk that accounts receivable, sales, sales returns, inventory, and liabilities are misstated. Once they understand all the risks, they are in a position to decide how they will audit Cloud 9.

1 Chandan, “Smartphone Manufacturers in the World 2017,” https://www.techzac.com/top-10-smartphone-manufacturers-in-the-world/ (accessed August 30, 2017).
2 S. Pham, “Samsung Blames Batteries for Galaxy Note 7 Fires” (January 23, 2017), http://money.cnn.com/2017.

Gain an Understanding of the Industry and Business Environment

At the industry level, auditors are interested in the client’s position within its industry, the
level of competition in that industry, and the client’s size relative to its competitors. Auditors
evaluate the client’s reputation among its peers and the level of government support for companies
operating in that industry. Another consideration is the level of demand for the products
sold or services supplied by companies in that industry and the factors that affect that
demand. For example, an ice cream manufacturer is affected by the weather, which causes
revenue to be seasonal. This would be important for auditors to know because during the
slow season, revenue may be at higher inherent risk if the client is trying to maintain a certain
profit target. A summary of some key industry and business environment factors that can
influence inherent risk is provided in Illustration 4.3. Each factor in Illustration 4.3 is numbered,
and the following paragraphs provide more discussion of these industry and business
environment factors that auditors consider when gaining an understanding of the client.

Illustration 4.3   Industry and business environment factors that influence inherent risk

| Lower Inherent Risk Assessments | Industry Factors That Influence Inherent Risk | Higher Inherent Risk Assessments |
|---|---|---|
| Less competitive industry, which puts less stress on the client’s ability to generate a profit | (1) Level of competition | Very competitive industry, which puts more stress on the client’s ability to generate a profit |
| Good reputation relative to others in the industry; Customers and suppliers may be attracted to conduct business with the client versus a competitor | (2) Reputation | Poor reputation relative to others in the industry; Customers and suppliers may shift business to a competitor |
| A new industry with considerable government support and incentives; New or established industry with intense international competition with considerable government support and incentives; Industry with minimal government regulation and no special taxes or unique financial reporting requirements | (3) Legal, political, and regulatory environment | A new industry with little or no government support; New or established industry with intense international competition with little or no government support; Heavily regulated industry with special taxes and unique regulations and financial reporting requirements |
| Demand is not seasonal, which provides steady revenue flow; Industry minimally affected by trends/customer preferences; Industry has low risk of technological obsolescence | (4) Demand | Seasonal demand for products, which leads to sporadic revenue flow; Industry subject to changing trends/customer preferences; Industry subject to technological obsolescence |
| Economy as a whole experiences an upturn, which leads to easily sustainable profit levels | (5) Economy | Economy as a whole experiences a downturn, which leads to pressure to maintain expected profit levels |

Auditors compare the client with its close competitors nationally and internationally.
When auditors have a number of clients that operate in the same industry, and the audit
firm has significant experience auditing clients in that industry, this stage of the audit is
more straightforward than if the client operates in an industry the auditors are not already
familiar with. The audit team assesses the (1) level of competition in the client’s industry. The
more competitive the client’s industry, the more pressure is placed on the client’s profits,
which will assist auditors when developing expectations regarding the client’s profitability.
In an economic downturn, the weakest companies in highly competitive industries face
financial hardship and possible going concern problems. A key issue for an auditor is the client’s
position among its competitors and its ability to withstand downturns in the economy.
Auditors also consider the client’s (2) reputation relative to other companies in the same
industry. If the client has a poor reputation, customers and suppliers may shift their business
to a competing firm, threatening the client’s profits. In such circumstances, a client’s management
may resort to aggressive accounting choices to improve profits (or reduce losses). The
audit team can assess the client’s reputation by reading articles and industry publications.
Auditors consider the (3) legal, political, and regulatory environment for the client’s industry.
This issue is important if the industry faces significant competition internationally or the industry
is new and requires time to become established. Support is sometimes provided to industries
that produce items in line with government policy, such as manufacturers of water tanks, solar
heating, and reduced-flow taps in the context of environmental policies. Regulations can affect
a client’s ability to continue operating or affect continued profitability, for example, through different
taxes and charges imposed on companies operating in the industry. Some industries have
unique accounting and financial reporting requirements, such as the oil and gas industry. The
audit team must be alert to how changes in the regulatory environment might affect the client’s
profitability and operations.
The auditors should understand the level of (4) demand for the goods sold or services provided
by companies in the client’s industry. If a client’s products or services are seasonal, this will
affect revenue flow. As mentioned, if a client is an ice-cream producer, sales would be expected
to increase in the summer; however, if the weather is unseasonal, profits may suffer. If a client
sells swimsuits, sales will fall in a cool summer. If a client sells ski equipment, sales will fall if
the winter brings little snow. If a client operates in an industry subject to changing trends, such
as fashion, the client risks inventory obsolescence if it does not keep up and move quickly with
changing styles. When a product or process is subject to technological change, there is the risk a
client will quickly be left behind by its competitors. If products become obsolete, it will affect the
lower-of-cost-or-net realizable value accounting for inventory, and it might affect the collectibility
of receivables related to inventory sold to customers that has not yet been sold to end consumers.
Finally, when gaining an understanding of a client, auditors assess how factors in the
(5) economy affect the client. Economic upturns and downturns, changes in interest rates, and
currency fluctuations affect most companies. The audit team is concerned with the client’s susceptibility
to these changes and its ability to withstand economic pressures. The auditors also
determine if negative consequences have been appropriately reported in the financial statements.

Audit Reasoning Example  Economic Upturns and Downturns

During an economic upturn, companies are under pressure to perform as well as or better than
competitors, and shareholders expect consistent improvements in profits. When conducting the
audit in this environment, more focus is given to the risk of overstatement of revenues and understatement
of expenses. What about an economic downturn? When the economy as a whole is poor
and the entire industry is down, does management face the same pressures? During an economic
downturn, management may decide to “take a bath,” meaning that companies may purposefully
understate profits. When the economy is poor, there is a tendency to maximize write-offs because
a fall in profits can easily be explained to shareholders when most companies in the industry are
also experiencing a decline in earnings. In other words, management decides, “If it’s already a
bad year, let’s make it a really bad year.” A benefit of “taking a bath” is it provides a low base from
which to demonstrate an improvement in results in the following year. When conducting the
audit during times when the economy is in recession and clients may be tempted to “take a bath,”
how would auditors modify their audit approach? More focus is given to the risk of understatement
of revenues and overstatement of expenses.
Compliance with Laws and Regulations


Auditors should also obtain a general understanding of laws and regulations that apply to the
client’s industry and operations. For example, manufacturing clients must adhere to regulations
imposed by the Environmental Protection Agency (EPA) and the Occupational Safety
& Health Administration (OSHA). If a client commits an illegal act by not complying with
applicable regulations, the client may be fined or may be subject to future litigation. It is the
responsibility of company management and those charged with governance to ensure that
policies and internal controls are in place to assist in the prevention and timely detection of
noncompliance with laws and regulations.

illegal acts: violations of laws or governmental regulations

What is the auditor’s responsibility regarding illegal acts committed by the client? Re-
member, the objective of the audit is to determine if the financial statements are presented
fairly in accordance with the appropriate financial reporting framework. An auditor is not
expected to be an expert in non-accounting laws and regulations such as environmental reg-
ulations and health and safety laws, but an illegal act by the client could impact the financial
statements through fines and litigation. AU-C 250 Consideration of Laws and Regulations in
an Audit of Financial Statements and AS 2405 Illegal Acts by Clients address the auditors’ re-
sponsibility as it relates to the client’s compliance with laws and regulations.
For illegal acts that have a direct and material effect on the financial statements, the
auditors have the same responsibility for detecting those acts as they do for detecting material
misstatements caused by error or fraud. Many of the laws and regulations that would have a
direct and material effect on the financial statements are already familiar to the auditors. For
example, auditors regularly investigate the compliance with tax law and fair presentation of
income tax expense in the income statement, as well as compliance with pension laws and
pension disclosures in the financial statements.

direct and material effect  a situation in which noncompliance with laws and regulations
impacts amounts and disclosures already included in the financial statements

For illegal acts that have a material but indirect effect on the financial statements,
the auditor’s responsibility is limited to performing specified audit procedures that may
identify noncompliance. Some examples of laws and regulations that could fall into this
category are environmental and safety regulations, or food and drug administration regulations.
If information comes to the auditors’ attention that provides evidence concerning
the occurrence of possible illegal acts, the auditors should use professional skepticism and
perform further audit procedures to specifically determine if an illegal act has occurred,
and whether a contingent liability that is material to the financial statements should be
recorded or disclosed. It is important to note that an audit conducted according to standards
provides no assurance that all illegal acts that have an indirect effect on the financial
statements will be detected or any contingent liabilities that may result will be disclosed
(AS 2405.07 and AU-C 250.A3).

indirect effect  a situation in which noncompliance with laws and regulations does not
have a direct impact on amounts and disclosures in the financial statements, but could require
the creation of a contingent liability or an additional disclosure

If auditors discover or suspect that an illegal act has occurred, they should gain an
understanding of the nature of the act, gather information to determine the possible ef-
fects on the financial statements, and document all of their work. The audit team should
discuss the situation with management at a level above those involved with the suspected
noncompliance and, if appropriate, also discuss the situation with those charged with gov-
ernance. Auditors should consider the implications of noncompliance on other areas of
the audit, such as audit risk, materiality, and reliability of management representations.
For example, if an illegal act occurred, auditors should re-evaluate the internal controls
that should have prevented or detected the illegal act. If the controls are determined to be
weak, auditors may need to adjust the audit strategy to perform more substantive testing
rather than relying on the internal controls. It is important to remember the entire risk
assessment process is an iterative process, and auditors may come across evidence that
contradicts prior risk assessments. In these situations, auditors should revise their risk
assessments and decisions about the nature, timing, and extent of audit procedures in light
of the new evidence.
If management or those charged with governance do not respond appropriately to an
identified situation of noncompliance, the auditors should consult with their own legal coun-
sel and consider withdrawing from the audit. Reporting illegal acts to external parties is gener-
ally not part of the auditor’s responsibility because of the auditor’s ethical obligation of client
confidentiality, as discussed in Chapter 2.

Audit Reasoning Example  Illegal Act, Direct and Material Effect

Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain.
To gain an understanding of the client’s payroll system, Henry obtained a listing of all employees
and then queried the client’s system to provide a listing of all checks made payable to employees
for the last month of the second quarter. Quick Fix pays its employees twice a month; therefore,
each employee should receive two paychecks each month. While scanning the report, Henry no-
ticed that some of the frontline employees, such as cashiers and cooks, had three or four checks
for the month. He selected one of the employees who had received four checks and looked more
closely at the supporting detail. Two of the checks were payment for 10 hours worked during the
first and second half of the month, and these checks had state and federal income taxes withheld
along with Social Security and Medicare. The other two checks were for a single amount, which
was about the same amount as the net pay on the payroll checks, but with no withholdings or
other payroll deductions, and were paid on the same date as the payroll checks. Why might there
be these additional checks to employees? Were they reimbursements for expenses incurred by
the employee? Or could Quick Fix Burgers be trying to avoid payroll taxes, such as the employer
share of Social Security and Medicare, by calling these additional payments “employee reimburse-
ments”? Failure on the part of employers to remit the appropriate amount of payroll taxes is an
illegal act that can lead to significant fines and penalties. If Quick Fix is under-reporting an em-
ployee’s hours and the related payroll taxes, then both expenses (wages expense and payroll tax
expense) and liabilities (wages payable and payroll taxes payable) will be understated and have a
material and direct effect on the financial statements.
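
The scan Henry performs by eye can be written as a repeatable check over the check register. The following Python sketch is an added example, not part of the original text; the records, field names, year, and 10% tolerance are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Quick Fix pays twice a month, so two checks per employee are expected.
EXPECTED_CHECKS_PER_MONTH = 2


def check(employee, day, gross, withheld):
    """Build one constructed check record for June (last month of Q2)."""
    return {"employee": employee, "date": date(2023, 6, day),
            "gross": gross, "withheld": withheld}


# Constructed sample register, not client data.
CHECKS = [
    # Cashier: two payroll checks plus two same-day checks with no withholdings.
    check("cashier_01", 15, 115.00, 23.00),
    check("cashier_01", 15, 90.00, 0.00),
    check("cashier_01", 30, 115.00, 23.00),
    check("cashier_01", 30, 95.00, 0.00),
    # Cook: two payroll checks plus one same-day check with no withholdings.
    check("cook_02", 15, 120.00, 24.00),
    check("cook_02", 30, 120.00, 24.00),
    check("cook_02", 30, 96.00, 0.00),
    # Manager: the expected two payroll checks only.
    check("manager_03", 15, 2000.00, 500.00),
    check("manager_03", 30, 2000.00, 500.00),
    # Clerk: a small mid-month payment that looks like a real reimbursement.
    check("clerk_04", 15, 800.00, 180.00),
    check("clerk_04", 22, 45.10, 0.00),
    check("clerk_04", 30, 800.00, 180.00),
]


def employees_over_expected(checks, expected=EXPECTED_CHECKS_PER_MONTH):
    """Return {employee: count} for employees with more checks than expected."""
    counts = Counter(c["employee"] for c in checks)
    return {emp: n for emp, n in counts.items() if n > expected}


def unwithheld_companions(checks, tolerance=0.10):
    """Flag checks with no withholdings that mirror a payroll check.

    A check is flagged when it has zero withholdings, was paid to the same
    employee on the same date as a payroll check, and its amount is within
    `tolerance` (an assumed 10%) of that payroll check's net pay.
    """
    net_pay = {}
    for c in checks:
        if c["withheld"] > 0:
            net_pay[(c["employee"], c["date"])] = c["gross"] - c["withheld"]

    flagged = []
    for c in checks:
        if c["withheld"] != 0:
            continue
        net = net_pay.get((c["employee"], c["date"]))
        if net is not None and abs(c["gross"] - net) <= tolerance * net:
            flagged.append((c["employee"], c["date"].isoformat(), c["gross"]))
    return sorted(flagged)


if __name__ == "__main__":
    print("More checks than pay periods:", employees_over_expected(CHECKS))
    for row in unwithheld_companions(CHECKS):
        print("No-withholding companion check:", row)
```

The count test alone also surfaces the clerk's mid-month reimbursement; the second test narrows the follow-up to the payments that match the pattern Henry noticed.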

Audit Reasoning Example  Illegal Act, Material but Indirect Effect

Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain.
A month ago, Quick Fix received some bad publicity because two customers, who had eaten at
two different Quick Fix restaurants, posted on social media they had become seriously ill after
eating at Quick Fix. One of the customers was admitted to a hospital and posted that doctors
suspected it was a case of E. coli that could be caused by unsanitary food handling. Henry had a
meeting with Quick Fix’s controller and asked about the social media posts. The controller said,
“All of our restaurants are inspected by the state health department, and we have always received
excellent scores. We have not been contacted by the health department regarding those posts on
social media.” When Henry gets back to his desk he thinks, what if the health department does
contact Quick Fix regarding the incidents? What if Quick Fix did violate some health regulations?
Does failure to comply with health regulations impact the financial statements directly? No, it does
not. But could there be a material indirect effect on the financial statements? Yes. Customers who
became sick could pursue legal action against Quick Fix, which could lead to a contingent liability
and related expense, not to mention bad publicity. Henry documents this information in his risk
assessment notes and will follow up on the situation during interim and year-end audit work.

Cloud 9 - Continuing Case


Suzie explains to Ian that the partner, Jo Wadley, has asked her to join the team for this
audit because she has experience in the clothing and footwear industry. Jo wants to make
sure the team’s industry knowledge is very strong. Several other members of the team also
have experience in auditing clients in the retail industry, including Jo and manager
Sharon Gallagher. In addition, Josh is highly regarded at W&S Partners for his knowledge of
receivables and cash-receipts systems.

Suzie has the task of leading the team writing the report on the industry-specific economic
trends and conditions. The report must include an assessment of the competitive environment,
including any effects of technological changes and relevant legislation. So that Ian can
appreciate how understanding the client is an important part of the risk assessment phase,
Suzie asks him to help write the report on the product, customer, and supplier elements. Then,
together, they will assess the specific risks arising from the entire report, including risks
at the economy level, for the Cloud 9 audit.

Before You Go On
1.1  What is the purpose of gaining an understanding of a client?
1.2 Explain how changing trends in an industry affect the inherent risk for an audit client, for
example, in the energy industry. Illustrate with a few tangible examples.
1.3 Give an example of an illegal act that could have a material but indirect effect on the financial
statements.

Client Approaches to Measuring Performance


Learning Objective 2
Explain how clients measure performance and how it impacts the auditor’s risk
assessment.

Part of the process used when gaining an understanding of a client involves learning how a
client measures its own performance. The key performance indicators (KPIs) used by
a client to monitor and assess its own performance and the performance of its senior staff
provide auditors with insights into the accounts their client focuses on when compiling its
financial statements and which accounts are potentially at risk of material misstatement.

key performance indicators (KPIs)  measurements, agreed to beforehand, that can be
quantified and reflect the success factors of an organization

Some KPIs are common to many clients, such as return on assets and return on stockholders’
equity. Other KPIs will vary from industry to industry and client to client. For example,
a client in the airline industry is concerned about revenue per passenger mile, a client in
the retail industry is concerned about inventory turnover, and a client in the finance industry
is concerned about its risk-weighted assets and interest margins. It is very important for
auditors to understand which KPIs a client is most concerned about in that year so the audit
can be planned around relevant accounts. It is inappropriate to assume all clients use the
same KPIs. It is also inappropriate to assume a client will use the same KPIs every year. Just
as businesses change their focus, KPIs change to help businesses achieve new goals.

Profitability
It is common for companies to use profitability measures to assess their performance and that
of their senior staff. Companies often track their revenue and expenses over time and assess
the variability from budgets, goals, or expectations. A company will compare its revenues and
expenses with close competitors and assess its ability to compete, as well as whether results are
matching expectations based on known factors such as seasonality or economic downturns.
This also provides auditors with valuable insights into the expectations of management.

profitability  the ability of a company to earn a profit

A company’s management will track revenues from month to month to identify and explain
trends. Management of a large company will compare revenues earned across divisions
to highlight good and poor performance. Comparisons among divisions, or against budget,
may be used to assess how well managers of those divisions are controlling costs. Changes
from one year to the next may reflect an increased cost of doing business or highlight that it
may be time to source cheaper suppliers or focus on production or product changes.

Companies are concerned about their stockholders (owners). The price–earnings (PE)
ratio (market price per share divided by earnings per share) shows how much a stockholder
is willing to pay per dollar of earnings. For example, a PE of 10 means investors (and potential
investors) are willing to pay 10 times current earnings for a company’s shares. This gives value
to the future earning capacity of the enterprise. The earnings per share (EPS) ratio (profits
available to common shareholders divided by weighted average common stock shares issued)
reflects the earnings return on each common share issued. When a client’s PE or EPS ratios
are in decline, auditors may be concerned that management is under pressure to manipulate
earnings. The cash earnings per share (CEPS) ratio (operating cash flow divided by outstanding
shares) shows the cash flow capacity of a company for each common share issued. CEPS
may be a more reliable indicator of a company’s financial health because it excludes noncash
components such as depreciation and amortization, as well as noncash mark-to-market earnings.

price–earnings (PE) ratio  measures how much a stockholder is willing to pay per dollar of
earnings

earnings per share (EPS) ratio  measures the earnings return on each common share issued

cash earnings per share (CEPS) ratio  shows cash flow capacity of a company for each
common share issued

Retailers and manufacturers are generally concerned about their inventory turnover (cost
of sales divided by average inventory), often at a department level. An assessment of this ra-
tio is made within the context of the industry in which a company operates. For example, a
company that sells perishable goods such as ice cream requires a much higher turnover than
a company that sells nonperishable goods such as furniture. If a client’s inventory turnover
slows significantly, auditors may be concerned that inventory is overvalued.

Liquidity, Solvency, and Cash Flow


Liquidity is the ability of a company to meet its needs for cash in the short term, and
solvency is the ability to meet its long-term financial obligations. It is vital for a company
to have access to cash to pay its debts when they fall due. If it cannot meet these obligations,
a company may be forced into liquidation. Companies require cash to pay their employees’
wages, utility bills, supplier bills, interest payments on borrowed funds, dividends
to stockholders, and so on. In the longer term, companies need cash to repay long-term
debt and undertake capital investment. Because cash is so vital, cash flow is closely monitored
by the company and by external users, such as analysts and stockholders.

liquidity  the ability of a company to pay its current debts when they fall due

solvency  the ability of a company to meet its long-term financial obligations

To gain an understanding of a client’s cash flow, auditors analyze the cash flow statement.
Recall from your previous accounting courses that the cash flow statement summarizes
all cash activities into three categories: operating activities, investing activities, and
financing activities. The cash flow provided, or used, by operating activities indicates a
company’s ability to generate cash. For analysis purposes, the cash flow from operations amount
can be adjusted for any one-time influences on cash flow from operations to determine
sustainable cash flow from operations. For example, if the client made a large, one-time
litigation payment, that amount could be added back to the cash flow from operations
amount to provide a more realistic view of cash flow generated from normal and recurring
operating activities.

sustainable cash flow from operations  cash flow from operations adjusted for one-time
influences

Companies often agree to debt covenants with lenders when taking on loans. That is,
they promise to maintain specified profitability, liquidity, or other financial ratios, or to
seek the lender’s permission before taking on new borrowings or acquiring other compa-
nies. These covenants are written into the borrowing contracts and restrict a company’s
activities. If a company breaches a debt covenant, it may need to renegotiate or repay the
loan.
By understanding how their client measures and assesses its own performance and any
restrictions implied by debt covenants, auditors gain a deeper understanding of the accounts
potentially at risk of material misstatement. For example, if a client is close to violating the
terms of a debt covenant, management may have incentive to misstate reported amounts in
ways to show compliance with covenants.

Cloud 9 - Continuing Case


In her discussions with the partner, Jo Wadley, Suzie learns the senior people in the Cloud 9
accounting/finance department are entitled to receive stock options if revenue targets are met.
Cloud 9’s share price (which determines the value of the stock options) reflects market
expectations about future profits.

Cloud 9 has taken on additional debt this year, and costs are rising because of issues
associated with its drive to increase market share. These results increase interest expense and
decrease profitability, potentially reducing the value of the stock options. Suzie decides to
allocate time in the audit plan to consider whether these pressures could impact any of the
senior staff’s incentives and increase inherent risk and possibly fraud risk.

Before You Go On
2.1  What is a PE ratio? Why is it important to auditors?
2.2 Explain how internal performance reports may be used by auditors to assess the risk of ma-
terial misstatement.
2.3 What is a debt covenant? Develop an example of why a debt covenant is important to assess-
ing the risk of material misstatement.

Analytical Procedures
Learning Objective 3
Demonstrate how auditors use analytical procedures when assessing risk, including
the use of audit data analytics.

As auditors gain an understanding of their client, the industry in which it operates, and how
the client measures its own performance, they can develop their own expectations regarding
the client’s financial statement items. For example, if auditors are aware their client has
borrowed a significant amount of money in the previous financial year, a reduction in the
client’s debt-to-equity ratio would be unusual and would warrant further investigation. This
is an example of auditors using analytical procedures to assess risk. AU-C 315 and AS 2110
define analytical procedures as evaluations of financial information through analysis of
plausible relationships among financial and nonfinancial data. Analytical procedures involve
the identification of fluctuations in accounts that are inconsistent with the auditors’
expectations based upon their understanding of the client. It is essential that auditors have
clear expectations about their client’s results for the reporting period before conducting
analytical procedures, so that unexpected fluctuations can be correctly identified and
investigated.

analytical procedures  evaluations of financial information through analysis of plausible
relationships among financial and nonfinancial data

Analytical procedures are conducted throughout an audit. During the risk assessment
phase, analytical procedures are used to aid in the risk identification process. During the risk
response phase, analytical procedures are an efficient method of testing account balances that
are derived from estimates. At the conclusion of the audit, analytical procedures are used to
assess whether the financial statements reflect the auditors’ knowledge of their client and the
client’s industry. In this chapter we concentrate on the application of analytical procedures
during the risk assessment phase. The use of analytical procedures when conducting substan-
tive procedures and during the conclusion of the audit is discussed in Chapters 9 to 14.
Analytical procedures are conducted during the risk assessment phase of the audit to:
•  Highlight unusual fluctuations in accounts.
•  Aid in the identification of risk.
•  Enhance the understanding of a client and its industry.
•  Identify the accounts at risk of material misstatement.
•  Minimize audit risk by concentrating audit effort where the risk of material misstate-
ment is greatest.
AU-C 315 and AS 2110 require auditors to perform analytical procedures as part of their
risk identification process, even if the data is preliminary or aggregated at a high level. Analyt-
ical procedures include simple comparisons, trend analysis, common-size analysis, and ratio
analysis. Let’s discuss each of these forms of analysis and factors to consider when conducting
analytical procedures.

Comparisons
Comparisons are often made between account balances for the current year and the previous
year(s), the current year and the budget, or the current year and industry data. When comparing
account balances from one year to the next, significant changes can be tracked and investi-
gated further by the auditors. Auditors will assess these changes in light of their expectations
based upon their understanding of the client and any changes experienced over the previous
year. For example, if the client had opened a new retail outlet, total sales would be expected
to have increased by a predictable amount since the previous year. When comparing account
balances with budgeted amounts, auditors are concerned with uncovering variations between
actual results and those expected by the client. Significant unexpected variations should be
discussed with client personnel and the results of such inquiry should be corroborated by
other evidence. Comparisons of one year to the next involve only limited data. As a result,
auditors keep results of analytical procedures for continuing clients so they have running data
over a number of years to spot changing trends more easily.

Trend Analysis
Trend analysis (or horizontal analysis) is a comparison of account balances over time. It
is conducted by selecting a base year and then restating all accounts in subsequent years as
a percentage of that base. It allows auditors to gain an appreciation of how various accounts
have changed through time. When conducting a trend analysis, it is important for auditors to
consider significant changes in economy-wide factors, such as a recession, which may affect
their interpretation of the trend. Illustration 4.4 provides an example of a trend analysis.

trend analysis  a comparison of account balances over time

ILLUSTRATION 4.4  Trend analysis

                          2020              2021                2022                2023
                          (in $ millions)   % Change            % Change            % Change
                                            Compared to 2020    Compared to 2020    Compared to 2020
Income statement items
  Sales                   250               (20)                (10)                20
  Cost of sales           110               (10)                0                   10
  Interest expense        10                (30)                30                  0
  Wages expense           70                (20)                30                  6
  Rent expense            40                0                   0                   0
Balance sheet items
  Cash                    400               20                  10                  25
  Inventory               350               30                  20                  10
  Trade receivables       300               (10)                5                   15

Various accounts can be selected for inclusion in a trend analysis. Accounts that
vary from one year to the next are generally the focus. In the trend analysis depicted in
Illustration 4.4, 2020 was selected as the base year. The following years appear as a percentage
increase or decrease of the 2020 amount. For example, sales in 2021 were 20% lower than sales
in 2020; in 2022 sales were only 10% lower than the 2020 figure, and in 2023 sales grew to 20%
higher than the 2020 amount. A trend analysis allows auditors to assess movements in the
accounts over time and determine whether the underlying trends match their understanding
of the client and its operations over the period under review.

Common-Size Analysis
Common-size analysis (or vertical analysis) is a comparison of account balances to a single
line item. In the balance sheet, the line item used is generally total assets. In the income
statement, the line item used is generally sales or revenue. A common-size analysis allows
auditors to gain a deeper appreciation of how much each account contributes to the totals
presented in the financial statements. By preparing common-size accounts for several years,
auditors can trace the relative contribution of various accounts through time. Illustration 4.5
provides an example of a common-size analysis.

common-size analysis  a comparison of account balances to a single line item

ILLUSTRATION 4.5  Common-size analysis

                          2020    2021    2022    2023
                          %       %       %       %
Income statement items
  Sales                   100     100     100     100
  Cost of sales           44      50      48      40
  Interest expense        4       4       6       3
  Wages expense           28      28      22      25
  Rent expense            16      20      18      13
Balance sheet items
  Cash                    5       4       4       3
  Inventory               20      27      23      23
  Trade receivables       18      25      22      18
  Payables                15      15      17      16
  Total assets            100     100     100     100

The common-size analysis depicted in Illustration 4.5 shows that cost of sales grew and
then decreased as a proportion of sales. This may reflect a change in prices charged by sup-
pliers, prices charged to customers, and/or quantity of goods on hand. In the balance sheet,
inventory levels rose and then dropped, which may indicate a build-up of inventory on hand
when sales dropped in 2021.
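
The trend and common-size calculations described above, as an added Python example that is not part of the original text. The dollar amounts are derived from the base amounts and percentages in Illustration 4.4, so the common-size output is not expected to reproduce Illustration 4.5; the expectation that the selected accounts move with sales and the 25-point tolerance are assumptions made for illustration.

```python
YEARS = [2020, 2021, 2022, 2023]

# Amounts in $ millions, derived from Illustration 4.4 (2020 base amount
# adjusted by each year's stated % change). Constructed for this example.
INCOME = {
    "Sales":         [250, 200, 225, 300],
    "Cost of sales": [110, 99, 110, 121],
    "Wages expense": [70, 56, 91, 74.2],
}
BALANCE_SHEET = {
    "Inventory":         [350, 455, 420, 385],
    "Trade receivables": [300, 270, 315, 345],
}
ALL_ACCOUNTS = {**INCOME, **BALANCE_SHEET}


def trend_analysis(balances, base_index=0):
    """Horizontal analysis: % change of every year against the base year."""
    result = {}
    for account, values in balances.items():
        base = values[base_index]
        result[account] = [round(100 * (v - base) / base, 1) for v in values]
    return result


def common_size(balances, line_item):
    """Vertical analysis: each account as a % of `line_item` in the same year."""
    totals = balances[line_item]
    return {
        account: [round(100 * v / t, 1) for v, t in zip(values, totals)]
        for account, values in balances.items()
    }


def unexpected_fluctuations(balances, driver="Sales", tolerance=25.0):
    """Flag account-years whose trend departs from the auditor's expectation.

    Assumed expectation (illustrative only): each account changes by the same
    percentage as `driver`. A gap of more than `tolerance` percentage points
    is returned as (year, account, actual % change, expected % change).
    """
    trend = trend_analysis(balances)
    flags = []
    for account, changes in trend.items():
        if account == driver:
            continue
        for year, actual, expected in zip(YEARS, changes, trend[driver]):
            if abs(actual - expected) > tolerance:
                flags.append((year, account, actual, expected))
    return sorted(flags)


if __name__ == "__main__":
    for account, changes in trend_analysis(ALL_ACCOUNTS).items():
        print(f"{account:18s} trend vs 2020: {changes}")
    for account, shares in common_size(INCOME, "Sales").items():
        print(f"{account:18s} % of sales:    {shares}")
    for flag in unexpected_fluctuations(ALL_ACCOUNTS):
        print("Investigate:", flag)
```

The flagged items are starting points for inquiry and corroboration, not conclusions; inventory rising in 2021 while sales fell is the build-up the text describes.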

Ratio Analysis
Auditors perform ratio analysis to assess the relationship between various financial statement
account balances. Auditors will calculate profitability, liquidity, and solvency ratios.

Profitability Ratios
Profitability ratios reflect a company’s ability to generate earnings and ultimately the cash
flow required to pay debts, meet other obligations, and fund future expansion. Common prof-
itability ratios, shown in Illustration 4.6, include the gross profit margin, profit margin, re-
turn on assets, and return on stockholders’ equity.

ILLUSTRATION 4.6  Common profitability ratios

Ratio                                   Formula
Gross profit margin                     Gross profit / Net sales
Profit margin                           Net income / Net sales
Return on assets (ROA)                  Net income / Average total assets
Return on stockholders’ equity (ROE)    Net income / Average equity

The gross profit and profit margins indicate the proportion of sales turned into profits.
The gross profit margin indicates whether a seller of goods has a sufficient markup on
goods sold to pay for other expenses. A markup is the difference between the selling price of
goods and the cost of goods sold. A decline in this ratio indicates a client may be paying more
for its inventory or charging less to its customers. If the gross profit margin continues to
decline, the client may have a loss if it is not able to cover its operating expenses.

gross profit margin  measures whether a seller of goods has sufficient markup on goods sold
to pay other expenses

The profit margin indicates the profitability of a company after taking into account
all operating expenses. By looking at the trend in the profit margin over time, auditors can
identify variability in the profit-earning capacity of their client. If the profit margin is
steadily falling, this may affect the future viability of the client. A profit margin that varies
widely from year to year indicates volatility and uncertainty, which makes it difficult to assess
the fair presentation of the current reported earnings without further investigation.

profit margin  measures profitability after taking into account all operating expenses

The return on assets (ROA) ratio indicates the ability of a company to generate
income from its average investment in total assets. The return on stockholders’ equity
(ROE) ratio indicates the ability of a company to generate income from the funds invested by
its common stockholders. If a company is unable to generate a sufficient return on funds
invested, there may be insufficient funds available to pay dividends and invest in future growth.
Auditors calculate these ratios to assess trends in profitability. If the ROA and ROE, and
resulting cash flow, are falling, it will affect the ability of their client to pay dividends and
interest, and repay loans, all of which depend on the client’s ability to generate cash.

return on assets (ROA) ratio  measures ability to generate income from average investment
in total assets

return on stockholders’ equity (ROE) ratio  measures ability to generate income from funds
invested by common stockholders

Auditors compare the current year and previous years to identify trends in their client’s
profitability. Comparisons are also made with budgeted results and with competitors. When
comparing actual results with the budget, auditors assess how profitable the client is com-
pared to management’s expectations as outlined in the budget. Auditors discuss any signif-
icant variance with management. When comparing their client with competitors, auditors
assess their client’s profitability relative to companies of a similar size operating in the same
industry. Any significant trends that appear unusual when compared to previous years, bud-
get, or competitors are investigated further by the audit team as a possible indication of a risk
of a material misstatement.

Liquidity and Activity Ratios


Liquidity ratios reflect a company’s ability to meet its short-term debt obligations, and activity
ratios measure a company’s ability to convert its assets to cash. If a company is unable to pay its
debts when they fall due, key employees may leave, suppliers may refuse to supply goods, and
lenders may demand the repayment of loans. Auditors are concerned with their client’s liquidity
situation to alert them to any potential going concern issues. Some important short-term liquidity
ratios, shown in Illustration 4.7, include the current ratio, the acid-test (quick) ratio, free cash
flow, and the ability of cash flow from operations to cover current debt and dividends. The turn-
over ratios are activity ratios and serve as indicators of managerial efficiency and client activity.

ILLUSTRATION 4.7  Common liquidity and activity ratios

Ratio                                   Formula
Current ratio                           Current assets / Current liabilities
Acid-test (quick) ratio                 (Cash + Short-term investments + Receivables (net)) / Current liabilities
Sustainable free cash flow              Sustainable cash flow from operations – Capital expenditures
Ability of cash flow from operations    Sustainable cash flow from operations /
to cover current debt and dividends     (Current portion of financing debt + Dividends)
Inventory turnover in days              365 days ÷ (Cost of sales / Average inventory)
Receivables turnover in days            365 days ÷ (Net credit sales / Average net receivables)
Payables turnover in days               365 days ÷ (Cost of sales / Average accounts payable)
Gross operating cycle                   Receivables turnover in days + Inventory turnover in days
Net operating cycle                     Gross operating cycle – Payables turnover in days

The current ratio indicates how well current assets cover current liabilities. A ratio that
is greater than 1.0 indicates a company should be able to meet its short-term commitments
when they fall due. In reality, this will depend upon the ability of a company to convert its
inventory and receivables into cash on a timely basis. The acid-test (quick) ratio indicates
how well liquid assets cover current liabilities. Liquid assets include cash, short-term
investments, and receivables. Acceptable current and acid-test ratio benchmarks vary from one
industry to another. Auditors compare the trend in both ratios over time to assess whether their
client’s liquidity situation is improving or deteriorating. Auditors also compare their client’s
ratios with the industry average to assess their client’s liquidity relative to close competitors. If
a client’s liquidity situation is deteriorating or is poor when compared to the industry average,
auditors may be concerned about the future viability of the company.

current ratio  measures ability to meet short-term obligations as they come due

acid-test (quick) ratio  measures ability to meet short-term obligations with liquid assets
such as cash, short-term investments, and receivables

sustainable free cash flow  measures cash flow remaining after covering cash outflows for operations and capital expenditures
ability of cash flow from operations to cover current debt and dividends  measures ability to cover current debt maturities and dividends with operating cash flow

Sustainable free cash flow measures the cash flow remaining after covering cash outflows for operations and capital expenditures. Larger numbers indicate a company has the capacity to finance operations and capital expenditures with operating cash flow, and it has the ability to take advantage of opportunities that may arise unexpectedly. For example, a large free cash flow balance could indicate the client could acquire another company if the opportunity was available. The ability of cash flow from operations to cover current debt and dividends estimates the company’s ability to cover current debt maturities and dividends with operating cash flow. A larger number indicates an increased ability to cover current debt maturities and dividends with operating cash flow.

inventory turnover in days  measures how many days, on average, it takes a company to sell its inventory

Inventory turnover in days measures how many days, on average, it takes a company to sell its inventory. In general, the lower the number of days the better, because companies prefer to sell their inventory quickly, and generate a profit, rather than have it sit on a shelf or in a warehouse. This ratio will vary widely from one industry to another. For example, the inventory turnover in days for a supermarket would be much lower than for a luxury boat manufacturer. Auditors look at the trend in this ratio to determine whether inventory is being sold more quickly or more slowly from year to year. They also compare the inventory turnover in days for their client to the industry average to determine whether their client is competitive with its rivals. If a client operates in a high-technology industry or the fashion industry, where customer preferences change quickly, an increase in the inventory turnover in days may indicate the client is not keeping up with change and products are not being sold as quickly. When a client’s inventory turnover in days increases by more than expected, auditors will spend more time testing the valuation of inventory. Inventory may need to be written down in response to slowing demand. In this situation, auditors will also investigate whether sales revenue has fallen in line with the slowing movement of inventory.
receivables turnover in days  measures how many days, on average, it takes a company to collect its receivables

Receivables turnover in days measures how many days, on average, it takes a company to collect cash from its customers. In general, a lower number of days is better. The sooner a company can collect cash from customers, the sooner that cash can be used to purchase more inventory, pay down debt, or finance new capital assets. The receivables turnover in days should be compared to the client’s credit terms that it offers customers. For example, if the credit terms are 3/10, net/30, auditors would expect the receivables turnover in days to be about 30 days or maybe less. If the ratio is 41 days, it may indicate the client is making sales to customers who are unable to pay for their goods on a timely basis or the client is not following up with customers who are late in paying. In this example, auditors will spend more time considering the adequacy of the allowance for doubtful accounts.
payables turnover in days  measures how many days, on average, it takes a company to pay its suppliers

Payables turnover in days measures how many days, on average, it takes a company to pay its suppliers. A lower number of days means a company is paying off its short-term debt at a faster rate. The payables turnover in days should be compared with the average time frame the client’s vendors allow for payment. For example, suppose most of the client’s vendors allow 30 days for the client to remit payment of an invoice. If the client’s ratio is 58 days, it may indicate the client is struggling to make vendor payments and is consistently late. This could lead to late fees and possibly vendors not wanting to sell to the client any more. It may also indicate that controls over accounts payable are weak. In this example, auditors will spend more time considering controls over the accounts payable process to ensure all liabilities that occurred are properly recorded in accounts payable.

gross operating cycle  measures how many days, on average, it takes to purchase inventory, sell it, and collect the receivable
net operating cycle  measures how many days, on average, it takes a company to purchase and sell inventory, collect the receivable, and pay back creditors

Gross operating cycle is an estimate of the number of days it takes for a company to purchase inventory, sell it, and collect the receivable. A smaller amount of days represents faster turnover of a company’s merchandise, which is desirable to maintain strong cash flow. Net operating cycle is the gross operating cycle minus the payables turnover in days. The net operating cycle reflects that a company may use credit to finance inventory purchases. It is an estimate of how long the company is waiting to sell inventory, collect on receivables, and then pay back creditors. A smaller number of days indicates a faster turnover of merchandise. It is important to remember that different industries have different capital needs and product life cycles; therefore, determining whether a company has a long or short operating cycle should be made within the industry context.
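The following Python sketch is an added example, not part of the original text. It computes the Illustration 4.7 ratios from constructed balances and then applies the comparisons described above (turnover days against credit and vendor terms, inventory days against the prior year); the `tolerance_days` parameter and all amounts are assumptions made for illustration.

```python
"""Illustration 4.7 ratios on constructed figures (added example, not from the text)."""
from dataclasses import dataclass, replace

DAYS = 365


@dataclass(frozen=True)
class Financials:
    """Inputs to Illustration 4.7; every amount used below is constructed ($000)."""
    cash: float
    short_term_investments: float
    receivables_net: float
    current_assets: float
    current_liabilities: float
    sustainable_cfo: float           # sustainable cash flow from operations
    capital_expenditures: float
    current_financing_debt: float    # current portion of financing debt
    dividends: float
    cost_of_sales: float
    net_credit_sales: float
    avg_inventory: float
    avg_net_receivables: float
    avg_accounts_payable: float


def turnover_in_days(flow, average_balance):
    """365 days ÷ (flow ÷ average balance), rearranged so a zero balance gives 0 days."""
    if flow <= 0:
        raise ValueError("annual flow (sales or cost of sales) must be positive")
    return DAYS * average_balance / flow


def compute_ratios(fs):
    """Return every ratio in Illustration 4.7 as a dictionary."""
    if fs.current_liabilities <= 0:
        raise ValueError("current liabilities must be positive")
    debt_and_dividends = fs.current_financing_debt + fs.dividends
    inventory_days = turnover_in_days(fs.cost_of_sales, fs.avg_inventory)
    receivables_days = turnover_in_days(fs.net_credit_sales, fs.avg_net_receivables)
    payables_days = turnover_in_days(fs.cost_of_sales, fs.avg_accounts_payable)
    gross_cycle = receivables_days + inventory_days
    liquid_assets = fs.cash + fs.short_term_investments + fs.receivables_net
    return {
        "current_ratio": fs.current_assets / fs.current_liabilities,
        "quick_ratio": liquid_assets / fs.current_liabilities,
        "sustainable_fcf": fs.sustainable_cfo - fs.capital_expenditures,
        "debt_dividend_cover": (fs.sustainable_cfo / debt_and_dividends
                                if debt_and_dividends else float("inf")),
        "inventory_days": inventory_days,
        "receivables_days": receivables_days,
        "payables_days": payables_days,
        "gross_operating_cycle": gross_cycle,
        "net_operating_cycle": gross_cycle - payables_days,
    }


def risk_flags(current, prior, credit_terms_days, vendor_terms_days, tolerance_days=5):
    """Map ratio results to the audit areas the text says deserve more attention.

    tolerance_days is a hypothetical cushion; in practice it is a matter of judgment.
    """
    flags = []
    if current["current_ratio"] < 1.0:
        flags.append("liquidity: current assets do not cover current liabilities")
    if current["receivables_days"] > credit_terms_days + tolerance_days:
        flags.append("receivables: adequacy of the allowance for doubtful accounts")
    if current["payables_days"] > vendor_terms_days + tolerance_days:
        flags.append("payables: controls over and completeness of accounts payable")
    if current["inventory_days"] > prior["inventory_days"] + tolerance_days:
        flags.append("inventory: valuation and possible write-down")
    return flags


# Constructed client data: receivables days of 41 and payables days of 58 match the
# figures used in the text's examples; everything else is invented for the example.
CURRENT_YEAR = Financials(
    cash=120, short_term_investments=80, receivables_net=420,
    current_assets=930, current_liabilities=600,
    sustainable_cfo=500, capital_expenditures=200,
    current_financing_debt=150, dividends=50,
    cost_of_sales=2190, net_credit_sales=3650,
    avg_inventory=300, avg_net_receivables=410, avg_accounts_payable=348,
)
PRIOR_YEAR = replace(CURRENT_YEAR, avg_inventory=252)  # only inventory differs

if __name__ == "__main__":
    ratios = compute_ratios(CURRENT_YEAR)
    for name, value in ratios.items():
        print(f"{name:24s} {value:8.2f}")
    for flag in risk_flags(ratios, compute_ratios(PRIOR_YEAR),
                           credit_terms_days=30, vendor_terms_days=30):
        print("FLAG:", flag)
```

With credit and vendor terms of 30 days, the constructed client is flagged for receivables, payables, and inventory, while its current ratio of 1.55 raises no liquidity flag.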

Solvency Ratios
Solvency ratios are used to assess the long-term viability of a company. Liquidity ratios take
a short-term view of a company whereas solvency ratios have a long-term perspective. Common
solvency ratios are the debt-to-equity ratio and times-interest-earned ratio, as shown in
Illustration 4.8.

ILLUSTRATION 4.8  Common solvency ratios

Ratio | Formula
Debt to equity | Total liabilities ÷ Total equity
Times interest earned | Income before income taxes and interest expense ÷ Interest expense

debt-to-equity ratio  measures the relative proportion of equity and debt used to finance total assets
times-interest-earned ratio  measures ability of earnings to cover interest payments

The debt-to-equity ratio indicates the relative proportion of total assets being funded by debt relative to equity. A high debt-to-equity ratio increases the risk that a client will not be able to meet principal and interest payments to lenders when due. Companies with long-term debt are more likely to have debt covenants with a lender, which may restrict the company’s activities. Auditors consider the trend in the client’s debt-to-equity ratio over time and gain an understanding of the make-up of total liabilities (e.g., what percentage of debt is current versus long-term). An increasing ratio may indicate a client will not be able to repay its loans when they fall due and increases the risk a client will breach a debt covenant. Auditors also compare a client’s debt-to-equity ratio with similar companies in the same industry, as this ratio tends to vary across industries.
The times-interest-earned ratio measures the ability of earnings to cover interest payments. A low ratio indicates a client may have difficulty meeting its interest payments to lenders. Auditors consider how this ratio has changed over time. A downward trend is a concern as it indicates lenders may charge the client a higher rate of interest on future borrowings. At the extreme, lenders may demand the repayment of debt if the client does not make interest payments on time.

Audit Reasoning Example  Ratio Analysis

Sadie is conducting ratio analysis during the risk assessment phase for the audit of Bayou Sports
Shop. She has calculated the following ratios for Bayou and compared them to the industry
average:

Ratio | Bayou Sports Shop | Industry Average
Receivables turnover in days | 27 days | 26 days
Inventory turnover in days | 58 days | 61 days
Current ratio | 1.88 | 2.0
Debt-to-equity ratio | 1.21 | .50

When compared to the industry averages, what areas appear to be risky for Bayou? Bayou is consistent with the industry in terms of collecting receivables, turning over inventory, and maintaining liquidity. In terms of solvency, Bayou’s debt-to-equity ratio is more than double the industry average. Compared to others in the industry, Bayou has more debt, which means more cash is being used to pay interest on the debt. Bayou has increased risk of not being able to pay interest payments on time if the economy takes a downturn and sales decline. Sadie documents a follow-up procedure to inspect loan documents to see if there are any debt covenants that require Bayou to maintain certain ratios. If the debt-to-equity ratio continues to increase, Bayou could be in violation of a debt covenant and be required to pay back borrowed funds immediately.

Audit Data Analytics


audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful information in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit

More sophisticated analytical procedures are used by some auditors. Audit data analytics (ADA) is the use of software to conduct detailed analysis of client data, such as information contained in the client’s ledgers and journals. These applications can be used to conduct the analysis outlined above, as well as to search for unusual transactions, including those that occur at odd times, are for unusual amounts, or within unusual accounts. An in-depth discussion of ADA is provided in Chapter 7, and ADA is also addressed in other chapters throughout the text. Here is a brief discussion of using ADA to conduct cluster analysis, time-series analysis, and regression analysis.
Cluster analysis involves sorting client data into various dimensions or measures.
For example, client data can be sorted across dimensions such as location, cost center, or
manager. It can then be measured as inventory purchased, inventory sold, inventory on hand,
sales, or rent expense across those dimensions. Once measured data are sorted by dimensions,
they can be analyzed to determine whether the relationships between the various data are
consistent with the auditors’ understanding of their client. Journal entry summaries provide
condensed overviews of transactions. Summaries can be prepared using a range of criteria by
month, by division, or by manager.
Time-series analysis can be used to analyze data that occur regularly within the client,
for example, sales and purchases. This form of analysis uses data from the past to predict
the future. For example, sales made in the past can be used to predict sales in the period
under audit. Significant fluctuations in expected sales trends are then investigated by the
audit team. When assessing variations, auditors incorporate their understanding of changes
that have occurred in the current year that may explain the variations observed. For example,
the client may have closed some retail outlets, which would explain a sharp decline in
sales. When conducting a time-series analysis, auditors look at the long-term trend, seasonal
variation (for example, sales of ice cream are likely to be higher in summer), and unexpected
variations.
Regression analysis can be used to investigate the relationships among different
groups of data or variables. This analysis considers the relationship between a dependent
variable, such as sales, and various independent variables, such as selling costs, purchases,
and advertising expense. Regression analysis provides a statistical measure of the associations
among data. It establishes whether movements in the independent variables result
in a change in the dependent variable. Significant differences between what the regression
model predicts and the client’s reported balances are investigated as they indicate a potential
misstatement, such as an overstatement of sales relative to associated expenses.

Factors to Consider When Conducting Analytical Procedures
There are several factors to consider when conducting analytical procedures. The first
is the reliability of client data. If auditors believe there is a significant risk the client’s
records are unreliable due to, for example, poor internal controls, then auditors are less
likely to rely on analytical procedures. Another issue is the ability to make comparisons
over time. If the client has changed accounting methods, this will reduce the comparability
of the underlying data. In this case, auditors will need to restate prior years’ financial
statement data using the current accounting methods before making any comparisons.
Finally, if past results are unaudited, they are considered less reliable for comparison
purposes.
During the risk assessment phase, auditors may only have access to their client’s half-year results. They will need to annualize revenue and expense items before making comparisons with the prior year. If a client earns revenues evenly throughout the year, it is appropriate to double the half-year revenues. If a client earns more revenues in some months relative to others (for example, an ice-cream seller earns more in warmer months), trends must be considered when annualizing half-year results.
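The Python sketch below is an added example, not part of the original text. It illustrates both the annualization point above and the time-series analysis described earlier: it annualizes half-year revenue using the prior year's seasonal pattern instead of doubling, then flags months that depart from a trend-adjusted expectation. All revenue figures are constructed, the interim period is assumed to be January through June, and the 10% threshold is a hypothetical choice.

```python
"""Seasonal annualization and a simple time-series expectation (added example)."""
from statistics import median

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed prior-year monthly revenue for a seasonal seller (peaks in summer).
PRIOR_YEAR_REVENUE = [40, 40, 60, 80, 120, 160, 180, 160, 100, 60, 40, 40]
# Constructed current-year interim revenue, January through June.
HALF_YEAR_REVENUE = [44, 44, 66, 88, 132, 120]


def naive_annualize(interim):
    """Double the half-year figure; appropriate only when revenue is earned evenly."""
    return 2 * sum(interim)


def seasonal_annualize(interim, prior_year):
    """Scale interim revenue by the share of prior-year revenue earned in the same months."""
    months = len(interim)
    if not 0 < months <= len(prior_year):
        raise ValueError("interim period must cover 1..12 months")
    share = sum(prior_year[:months]) / sum(prior_year)
    if share <= 0:
        raise ValueError("prior year shows no revenue in the interim months")
    return sum(interim) / share


def unexpected_variations(interim, prior_year, threshold=0.10):
    """Flag months whose revenue departs from a trend-adjusted seasonal expectation.

    Seasonality: the same month of the prior year is the baseline.
    Trend: the median year-over-year ratio, which a single odd month cannot distort.
    Unexpected variation: a relative deviation beyond `threshold` (hypothetical value).
    """
    if any(p <= 0 for p in prior_year[:len(interim)]):
        raise ValueError("prior-year revenue must be positive in each compared month")
    growth = median(a / p for a, p in zip(interim, prior_year))
    flagged = []
    for i, (actual, prior) in enumerate(zip(interim, prior_year)):
        expected = prior * growth
        deviation = (actual - expected) / expected
        if abs(deviation) > threshold:
            flagged.append((MONTHS[i], actual, round(expected, 2), round(deviation, 3)))
    return flagged


if __name__ == "__main__":
    print("doubling the half year:   ", naive_annualize(HALF_YEAR_REVENUE))
    print("seasonally annualized:    ",
          round(seasonal_annualize(HALF_YEAR_REVENUE, PRIOR_YEAR_REVENUE), 2))
    for month, actual, expected, deviation in unexpected_variations(
            HALF_YEAR_REVENUE, PRIOR_YEAR_REVENUE):
        print(f"investigate {month}: actual {actual}, expected {expected}, "
              f"deviation {deviation:+.1%}")
```

On this data, doubling understates the annualized revenue because the first six months carried less than half of the prior year's sales, and June is the only month flagged for follow-up.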
When comparing actual financial results to budgeted results, auditors must consider the reliability of the budget. This can be assessed by comparing budgets to actual results for prior years. If the client continually overestimates earnings, for example, auditors take this into account when comparing actual and budgeted results for the current period.
Auditors must be careful when benchmarking a client with industry data. If the client is
significantly smaller or larger than most companies in its industry, comparison may not be
valid. If competitors do not use the same accounting methods, the comparison is problematic.
If the client has very different results and ratios from the industry average, there may be a
problem with the industry data rather than with the client data.
In conducting analytical procedures, the following information sources are generally considered to be reliable:

•  Information generated by an accounting system that has effective internal controls.
•  Information generated by an independent reputable external source.
•  Audited information.
•  Information generated using consistent accounting methods.
•  Information from a source internal to the client that has proven to be accurate in the past (for example, preparation of budgets).

Auditors document the results of the analytical procedures, including the accounts identified
as being at risk of material misstatement. These results are used to further refine the
audit strategy and develop the audit plan.

Cloud 9 - Continuing Case


Ian volunteers to start the analysis of Cloud 9’s interim results and previous period’s financial data. He previously attended a training session on the W&S Partners’ software that he will use to produce reports showing unusual relationships and fluctuations. Suzie is grateful for the help but cautions Ian, “You do realize that judging what is ‘unusual’ is a little more complex than getting a software application to identify a change above a certain percentage? You need considerable industry experience and client knowledge to make sense of the information. For example, no change in a figure can be more suspicious than a large change, depending on the circumstances.”
“Yes, I realize that, and I know that I don’t have the experience to complete the analysis, but I am hoping to learn from you by seeing what you do with the data and reports that I hadn’t even considered doing,” he says.

Before You Go On
3.1 Why are liquidity ratios calculated? Develop an example of how a liquidity ratio might help
the auditor in risk assessment.
3.2 What is a trend analysis and why might an auditor use this form of analysis for risk
assessment?
3.3 Explain the factors that the auditor should consider when performing analytical procedures
in the risk assessment process.

Related Parties
Learning Objective 4
Define related party transactions and explain how they affect the auditor’s risk
assessment.

related party  an affiliate, principal owner, manager, or other party that is not independent of the entity

Another risk assessment procedure is the search for related party relationships and transactions. What is a related party? According to FASB ASC Topic 850, Related Party Disclosures, related parties of a company include the following:
•  Affiliates of the entity.
•  Investments in other entities accounted for by the equity method.
•  Trusts for employee benefit plans, such as pensions, that are managed by or under the trusteeship of management.
•  Principal owners of the entity and their immediate family members.
•  Management of the entity and their immediate family members.
•  Other parties that can significantly influence management or operating policies of the entity.
Financial reporting frameworks, such as GAAP, require disclosure of related party relationships, transactions, and accounts so financial statement users can understand their potential effects on the financial statements.
Companies can have transactions with related parties frequently in the normal course
of business, but because they are related parties, there is a risk that some of the transactions
may not be accounted for according to their true substance. In other words, transactions with
related parties may not be the same as “arm’s-length” transactions between independent and
unrelated buyers and sellers or borrowers and lenders. For example, a company may loan
money to an affiliated company, but have no scheduled terms for how or when the money will
be paid back. Should this be accounted for as a loan? Is that the true substance of the transaction?
If related party transactions are not accounted for properly, then one or more material
misstatements could occur in the financial statements.
AU-C 550 Related Parties and AS 2410 Related Parties provide audit guidance associated with related party transactions and disclosures. During the risk assessment phase, the objective of the auditors is to gain an understanding of a client’s related party relationships and transactions. The audit team should gain an understanding of the client’s procedures for identifying related parties, authorizing transactions with related parties, and disclosing the relationships and transactions in the financial statements. The client should have internal controls in place to ensure related parties are identified and disclosed. Discussion among audit team members should include an emphasis on maintaining professional skepticism and considering how related parties may be involved in fraud. The existence of related parties is a fraud risk factor because fraud may be more easily committed among related parties (see the section “Opportunities to Perpetrate a Fraud” in Chapter 3). For example, transactions between the client and a known business partner of a key manager could be arranged for the purpose of misappropriating (stealing) assets. Another example would be a major stockholder paying back a loan at period end, but the client lending the same amount of money back to the stockholder shortly after period end. This is a scheme referred to as “period-end window dressing.”
Auditors use specific procedures to confirm related parties that have been identified by
management and to identify additional related parties that management’s processes may not
have identified. Some common procedures used by auditors to identify related parties are listed
in Illustration 4.9. Note these procedures are used during risk assessment and throughout
the remaining phases of the audit. Auditors should always be mindful of potential related parties
because client circumstances could change and new relationships could be created at any
time during the client’s year. Auditors should document all identified related parties and the
nature of the relationships. If any of the related party relationships or transactions are identified
as posing a significant risk of material misstatement, auditors will plan to gather more
evidence or adjust audit procedures, as needed, during the risk response phase of the audit.

ILLUSTRATION 4.9  Procedures used by auditors to identify related parties
Procedures to identify related parties:
•  Obtain a listing of related parties from management.
•  Read minutes of the board of directors’ meetings.
•  Review client filings with the SEC, if applicable.
•  Read contracts or other agreements related to significant unusual transactions.
•  Review life insurance policies purchased by the client.
•  Review conflict-of-interest statements from management.
•  Review shareholder registers to identify the principal shareholders.
•  Review correspondence from the client’s advisors, such as attorneys or consultants.
•  Obtain a listing of the trustees of pension plans and other trusts for the benefit of employees.

Audit Reasoning Example  Related Parties

Juan is assigned to the audit of MED Inc., a new client that manufactures medical supplies made from fabrics, such as bandages, blankets, and head caps, for newborn babies. Throughout the year, MED Inc. hires temporary workers as needed to meet demand when customers place large or unexpected orders. MED Inc. uses the services of three personnel agencies to find temporary workers and pays finder’s fees to the personnel agencies. While reviewing the amounts paid to the three personnel agencies, Juan notices that one agency is being paid considerably more than the other two. Juan meets with the controller, Amanda, to gain a better understanding of the transactions with the personnel agencies. Amanda says, “The primary agency we use is Any Time Workers. The agency opened last year, and it’s actually owned by the wife of our VP of Operations. She has done a great job keeping us supplied with workers so we can keep up with demand.” Back at his desk, Juan documents his conversation with Amanda and notes this is a related party situation. What potential risks are created by this situation? First, there is a disclosure risk. The audit team must ensure that MED Inc. is disclosing the related party and the transactions. Second, the existence of related party transactions is a fraud risk factor. Could the payments to MED Inc. be a misappropriation of assets? Is MED Inc. paying Any Time Workers above-market prices for its services, or paying for services it has not actually received? Could inflated payments represent additional compensation for the VP of Operations, via his wife’s company, to avoid payroll tax expenses associated with making bonus payments? This type of thought process is an example of Juan using professional skepticism. He will keep these risks in mind when planning the audit procedures related to the transactions with the personnel agencies.

Before You Go On
4.1  What is a related party? Provide at least two examples.
4.2  Why is an auditor interested in identifying related parties during the risk assessment phase
of an audit?
4.3  Are procedures to identify related parties only performed during risk assessment? Explain.

Corporate Governance

Learning Objective 5
Describe common corporate governance structures and how they impact the auditor’s risk assessment.

corporate governance  refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that risks are identified and controlled by management and entity personnel
board of directors  a group that represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders
executive directors  employees of the company who also hold a position on the board of directors
non-executive directors  board members who are not employees of the company; their involvement on the board is limited to preparing for and attending board meetings and relevant board committee meetings

Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders. The board of directors will hold meetings at least once a quarter, but will meet more often as needed. A board is comprised of a mixture of executive and non-executive directors. Executive directors are also part of the company’s management team, and they are full-time employees of the company, such as the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO). Non-executive directors are not part of the company’s management team, and their involvement is limited to preparing for and participating in board meetings and relevant board committee meetings. The audit partner will meet with members of the board when necessary throughout the audit. Illustration 4.10 depicts the composition of the board of directors and serves as a reference for the remaining discussion of corporate governance.

ILLUSTRATION 4.10  Composition of a board of directors
[Figure labels: Board of Directors (Executive directors, Non-executive directors); Audit committee; Direct communication; Auditors]

During risk assessment, auditors gain an understanding of a client’s corporate governance structure. It is important that the board of directors has a mixture of executive and non-executive members. The executive members have a deeper understanding of the company and its workings, which is why auditors meet with executive directors, such as the CFO, throughout the audit. The non-executive members may be better representatives of shareholders as they are not company employees and can be more impartial in their strategic decision-making. Ideally, non-executive directors should be somewhat independent of the company and be objective and knowledgeable about the industry and financial reporting. The presence of non-executive board members helps to reduce the risk of material misstatement because they provide oversight of top-level management decisions, such as the amount of dividends declared, plans for significant asset purchases, purchases and sales of major investments, and major agreements with other companies. The auditor reads minutes of board meetings to learn about these key decisions regarding the strategic direction of the company.
audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors
those charged with governance  persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity

Boards of larger entities will also have a series of committees made up of various, but not all, members of the board. It is the role of these committees to efficiently deal with specific important issues. The main board committee the auditors interact with is the audit committee. The audit committee is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. While ultimate responsibility for the financial reporting process rests with the full board, an audit committee can improve the efficiency of achieving this goal. Some private companies may not have an audit committee or even a board of directors. In that case, auditors should communicate with those charged with governance. Those charged with governance are individuals with the responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity, including the financial reporting process. Those charged with governance may include management personnel, such as executive members of a governance board or an owner-manager (AU-C 260.06).
For public companies, SOX has specific requirements for the composition and duties of the audit committee. These specific requirements are listed in Illustration 4.11. AS 1301 Communications with Audit Committees requires that auditors establish an understanding with the audit committee regarding the terms of the audit engagement and then document that understanding in the engagement letter. Auditors should meet with the audit committee before the engagement starts to discuss the auditor’s responsibilities, significant accounting policies, and other issues. If the audit committee has concerns over a certain area of the entity, the audit committee members can request that auditors perform specific procedures such as conducting special investigations or visiting specific locations of the client company. These requested activities would be in addition to the audit team’s planned procedures and would not restrict the scope of the auditor’s planned procedures. PCAOB and ASB standards also require that auditors communicate important details about the audit to the audit committee during or towards the conclusion of the audit. These required communications will be discussed in Chapter 14.

ILLUSTRATION 4.11  Sarbanes-Oxley Act of 2002, Section 301: Public company audit committees and Section 407: Disclosure of audit committee financial expert
SOX requirements and duties for audit committees of public companies:
•  Audit committee members must be independent members of the board of directors, not executive directors or otherwise affiliated with the issuer.
•  Audit committee members cannot accept consulting or advisory fees from the issuer, beyond the normal director compensation.
•  At least one audit committee member must be a “financial expert” as evidenced through education or work experience.
•  The audit committee is responsible for the appointment, compensation, and oversight of the auditors.
•  Auditors report directly to the audit committee, and the audit committee is responsible for resolving any disagreements between management and auditors over financial reporting.
•  The audit committee establishes procedures for receiving complaints regarding accounting or internal control matters of the company, including receipt of anonymous complaints from employees.
•  The audit committee has authority to engage legal counsel if necessary.

Professional Environment  Recruiting for an Audit Committee


The passing of the Sarbanes-Oxley Act of 2002 significantly changed the landscape of corporate governance. In particular, the audit committee has taken on more responsibility in areas such as whistle-blowing, auditor oversight, and internal controls over financial reporting. The increased duties of the audit committee are making it more challenging for companies to find qualified candidates to serve on audit committees. In December 2015, the chairwoman of the Securities and Exchange Commission, Mary Jo White, was speaking to the American Institute of CPAs in Washington, D.C. She stated, “Just meeting the technical requirements of financial literacy may not be enough to fully understand the financial reporting requirements or to challenge senior management on major, complex decisions. I have growing concerns about the amount of work required of some audit committees.”3
As the requirements for the audit committee position have increased, the supply of qualified individuals has decreased. With increased workloads for audit committee members, potential candidates are reluctant to serve on multiple boards as they have done in the past. Some companies are enlisting the help of search firms to find qualified candidates and are trying to be more creative with potential recruits. The typical “go-to” candidate for an audit committee member would be a retired CFO or retired auditor. However, there are plenty of other qualified candidates, but it may take more effort to find them. In fact, finding candidates that are not the typical audit committee candidate could have a positive effect by bringing more diversity to the audit committee. Committee members with more diverse backgrounds could bring different perspectives to the group and could be willing to ask different questions.

Cloud 9 - Continuing Case


The partner, Jo Wadley, and manager, Sharon Gallagher, are working on the task of assessing the quality of corporate governance at Cloud 9. Typically, the most senior people on the audit team talk to the client’s senior people. However, the work done by Suzie, Ian, and others on the audit team will also inform the assessment of Cloud 9’s corporate governance quality because lower-level workers often have some interesting stories to relate about how things really work at a company. Suzie will be thinking about these issues when she visits the client’s premises next week.

Before You Go On
5.1  What is the purpose of a board of directors?
5.2  What is the difference between executive directors and non-executive directors?
5.3  According to SOX, what are some duties of the audit committee of the board of directors?

3 R. Teitelbaum and K. Johnson, “Boards Face Recruiting Challenges,” Wall Street Journal (December 14, 2015), www.wsj.com.
4-26  Chapter 4  Risk Assessment Part II: Understanding the Client

Internal Control and Information Technology

Learning Objective 6


Explain how a client’s internal control and information technology (IT) can affect risk.

According to AU-C 315, auditors must gain an understanding of the client’s system of internal controls. The concept of control risk was discussed in Chapter 3. Recall that if strong internal controls exist at the account or assertion level, then auditors may adopt a reliance on controls approach and perform less extensive substantive testing. However, if the internal controls are weak at the account or assertion level, then auditors will rely less on internal controls and adopt a substantive approach. An in-depth discussion of the specific procedures used by auditors to gain an understanding of a client’s system of internal controls is covered in Chapter 6.

Auditors also consider the particular risks faced by the client associated with information technology (IT). IT is a part of most companies’ accounting processes, which include transaction initiation, recording, processing, correction as needed; transfer to the general ledger; and compilation of the financial statements. AU-C 315 and AS 2110 require that auditors gain an understanding of the client’s IT system, the associated risks, and related controls.

information technology (IT)  the use of computers to process, record, and store financial reporting data and other information

Risks associated with IT include unauthorized access to computers, software, and data; errors in applications; lack of backup; and loss of data. Unauthorized access to data can occur when there is insufficient security or poor password protection procedures. Unauthorized access can result in data being lost or distorted. Unauthorized access to application software can result in either fraud or misstatements in the financial statements. Access can be limited in a number of ways, including security protocols (such as locked doors) and frequent changes of passwords.

Errors in programming can occur if applications are not tested thoroughly. It is important that new applications and changes to applications are tested extensively before being put into operation. Errors can also occur if mistakes are made when writing an application or if applications are deliberately changed to include errors. Deliberate changes may be made by staff or outsiders who gain unauthorized access to a client’s IT system. For example, unhappy staff may purposefully change an application, causing errors to embarrass their boss or to perpetrate fraud. Therefore, it is important that access be limited to authorized staff. Errors can also occur if application changes are not processed on a timely basis. Applications may need to be changed due to changes in sales prices, updating of discounts being offered to customers, and so on. It is important that these changes be made by authorized personnel on a timely basis to avoid errors and that there are appropriate controls over such changes.

New applications can be purchased “off the shelf” from a software provider or developed internally by a client’s staff. When a client purchases a general-purpose application off the shelf, there is a risk it will require modification to suit the client’s operations, which can lead to errors. An advantage of purchasing general-purpose applications from reputable companies is they will have been tested before being made available for sale. In contrast, when a client’s staff develops an application, the application is more likely to have the features required, but there is a risk of errors if the application is written by inexperienced staff or it is not adequately tested before being put into operation.

When a client installs a new IT system, there are a number of risks, such as the risk the system may not be appropriate for the client and its reporting requirements. After installation, there is the risk that data may be lost or corrupted when transferring information from an existing system to the new system, or the risk that the new system does not process data appropriately. There is the risk that client staff are not adequately trained to use the new system effectively. It is important that a client has appropriate procedures for selecting new IT systems, changing from an existing system to a new system, training staff in using the new system, and ensuring that a new system includes embedded controls to minimize the risk of material misstatement. An in-depth discussion of IT controls is presented in Chapter 6. At the risk assessment phase, and as part of assessing control risk, it is important for auditors to identify significant risks, as well as any controls that mitigate those risks.

Cloud 9 - Continuing Case


Suzie explains to Ian that her experience in the clothing and footwear industry has taught her to be very inquisitive about the systems used to manage orders. She has seen a few clothing businesses fail because they could not get their goods to retail outlets in time. Fashion is such a fickle market that even being a few weeks late means stores run out of inventory, and when inventory does arrive, stores have to discount it to sell it. After this occurs a couple of times, retailers turn to more reliable suppliers, even if the designs aren’t as imaginative.

Suzie has heard that Cloud 9 is very reliant on inventory management software developed internally. Because it is not a widely used package, she does not know anything about it and is concerned about its ability to provide reliable data. Suzie and Ian decide to allocate extra time to assessing the reliability of this software.

Before You Go On
6.1 What are some of the risks associated with the use of IT? Explain the risks and develop an
example of how they might be controlled.
6.2 What are two common sources of new application software? What risks are present when an
entity introduces a new application and how might those risks be controlled?

Closing Procedures

Learning Objective 7


Discuss how client closing procedures can affect risk and a client’s reported results.

Auditors also consider the adequacy of the client’s closing procedures. If the client’s closing procedures are weak, there is increased risk that revenues and expenses will not be recorded in the proper period, which can lead to material misstatements on both the income statement and balance sheet of two consecutive periods. Revenue and expense items must include all transactions that occurred during the accounting period and exclude transactions that relate to other periods. Asset and liability balances must include all relevant items, accruals must be complete, and contingent liabilities must accurately and completely reflect potential future obligations.

closing procedures  processes used by a client when finalizing the accounts for an accounting period

Auditors are concerned that transactions and events have been recorded in the correct accounting period. The client should have controls in place to ensure the closing procedures are performed correctly. A common risk is that management may override controls when preparing adjusting and allocating entries, especially if management is under pressure to meet certain earnings targets. Oversight of this process is the responsibility of those charged with governance. It is the responsibility of auditors to assess the internal controls over the closing procedures.

Auditors must determine the risk associated with the client’s closing procedures. In addition to the annual financial statements, clients prepare monthly, quarterly, and/or semiannual financial statements for internal and/or external purposes. Auditors can review these statements to assess the accuracy of the client’s closing procedures. If there are significant issues, where closing procedures are inadequate and transactions are not always recorded in the appropriate reporting period, auditors will plan to spend more time conducting detailed testing of transactions and balances around year-end.

There are a number of ways auditors can assess the adequacy of their client’s closing procedures. Clients that prepare financial statements monthly are more likely to have
well-established closing procedures than clients that prepare financial statements only annually. Auditors verify the accuracy of accrual and deferral calculations around year-end and look at earnings trends to assess whether the reported income is in line with similar prior-year periods (months or quarters). For example, revenues are generally higher for an ice-cream seller in warmer months, and wages are generally higher during months when extra staff are hired to help with the increased activity.

If auditors believe the client is under pressure to report strong results, there is risk that revenues earned after year-end may be included in the current year’s income and expenses incurred before year-end may be excluded. Alternatively, if auditors believe their client is under pressure to smooth its income and not report any unexpected increases, there is risk that revenues earned just before year-end will be excluded from current income and expenses incurred after year-end will be included. In both cases, auditors will perform procedures to confirm that transactions are recorded in the appropriate accounting period.

Audit Reasoning Example  Period-End Closing Entries at WorldCom

A summary of the WorldCom scandal was provided in Chapter 2. The WorldCom case is an excellent example of the importance of gaining an understanding of the pressures faced by the client, the corporate governance structure, and the client’s closing procedures. WorldCom was under significant pressure to increase its stock price, which translated to incentive for management to commit fraud. Scott Sullivan, the CFO, saw an opportunity to perpetrate fraud through quarter-end journal entries. As the CFO, Scott used his authority to instruct his accounting staff to make entries that resulted in capitalizing costs on the balance sheet that should have been expensed on the income statement. There was no accounting justification for the entries. Who was supposed to have oversight of the closing process? Since WorldCom was a public company, the audit committee should have had oversight of the closing process because closing entries impact the financial statements as a whole. During the years the fraud was occurring, were the members of the audit committee fulfilling their duties? Were they asking for verification and explanation of the period-end entries? If they were, what type of information and documentation was Scott providing them? Was the audit committee being skeptical or overly trusting of Scott? These same questions can be directed at Arthur Andersen, WorldCom’s external auditor. Were the auditors fulfilling their duties by gaining an understanding of the client’s processes for period-end closing entries? Were the auditors using professional skepticism when interviewing Scott and other accounting staff? Most likely, the answer is “no.”

Cloud 9 - Continuing Case


The partner, Jo Wadley, has learned of pressure on Cloud 9’s management to increase revenue by 3% this year. Jo is also aware of cost increases associated with a new store and sponsorship deals. Jo believes this places additional pressure on Cloud 9’s management to meet targets resulting in additional risks for closing procedures and has instructed Josh to allocate additional time to auditing closing procedures on the Cloud 9 audit.

Before You Go On
7.1  Explain how an auditor can assess the risk associated with the client’s closing procedures.
7.2 What is the particular risk when an auditor believes that the economy has taken a downturn
and the client has an incentive to overstate poor results to improve the picture for future
periods?

Learning Objectives Review


1  Apply procedures to gain an understanding of the client.

An auditor will need to gain an understanding of the client to aid in the risk assessment process. This process involves consideration of issues at the entity level, the industry level, and the broader economic level. At the entity level, an auditor will identify the client’s major customers, suppliers, and stakeholders (that is, banks, shareholders, and employees), significant accounts and classes of transactions, who the client’s competitors are, the capacity of the client to adapt to changes in technology, and compliance with applicable laws and regulations. At the industry level, an auditor is interested in the client’s position within its industry. At the economic level, an auditor will assess how well-positioned the client is to cope with current and changing government policies, regulations, laws, and economic conditions.

2  Explain how clients measure performance and how it impacts the auditor’s risk assessment.

The different ways that clients measure their own performance were reviewed in this chapter to highlight that, by understanding how a client measures its own performance, the auditors can plan their audit to take into consideration areas where their client may be under pressure to achieve certain outcomes. This helps the auditors identify accounts and classes of transactions likely to be misstated.

3  Demonstrate how auditors use analytical procedures when assessing risk, including the use of audit data analytics.

Analytical procedures are conducted at the risk assessment phase of the audit to identify unusual fluctuations, help identify risks when gaining an understanding of a client, identify the accounts at risk of material misstatement, and reduce audit risk by concentrating audit effort where the risk of material misstatement is greatest. Many processes can be used when conducting analytical procedures. The processes discussed in this chapter include comparisons, trend analysis, common-size analysis, and ratio analysis.

4  Define related party transactions and explain how they affect the auditor’s risk assessment.

A related party is an affiliate, principal owner, manager, or other party that is not independent of the client. Financial reporting frameworks, such as GAAP, require that companies disclose related party relationships and transactions. Transactions with related parties may not be at the same “arm’s length” as transactions between independent and unrelated buyers and sellers or borrowers and lenders. In addition, related party transactions are considered a fraud risk factor because fraud may be more easily committed between related parties. Auditors perform procedures to confirm related parties that have been identified by management and to identify additional related parties that management’s processes may not have identified. If any of the related party relationships or transactions are identified as posing a significant risk for material misstatement, the auditors will plan to gather more evidence or adjust audit procedures, as needed, during the risk response phase of the audit.

5  Describe common corporate governance structures and how they impact the auditor’s risk assessment.

Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors is composed of executive and non-executive members. The audit committee, composed of non-executive members of the board, is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. The audit committee is tasked with hiring the auditors, and the auditors must communicate with the audit committee as needed and as required by standards and regulations.

6  Explain how a client’s internal control and information technology (IT) can affect risk.

Auditors must gain an understanding of a client’s internal controls to assess control risk and develop an audit strategy. They must also identify risks associated with information technology, such as unauthorized access to software applications or data, errors in programming, and inadequate testing of new or changed systems. During the risk assessment phase of the audit, the auditors will assess the likelihood that the client’s financial statements are misstated due to limitations of its IT system.

7  Discuss how client closing procedures can affect risk and a client’s reported results.

There are a number of risks associated with a client’s closing procedures. Closing procedures are the processes used by a client at month-end, quarter-end, or year-end to ensure that appropriate adjusting entries are made and transactions are recorded in the appropriate accounting period. From an audit perspective, the auditor should determine the risk that a material misstatement may occur during the client’s closing procedures.

Key Terms Review


Ability of cash flow from operations to cover current debt and dividends
Acid-test (quick) ratio
Analytical procedures
Audit committee
Audit data analytics (ADA)
Board of directors
Cash earnings per share (CEPS) ratio
Closing procedures
Common-size analysis
Corporate governance
Current ratio
Debt-to-equity ratio
Direct and material effect
Earnings per share (EPS) ratio
Entity-level risk
Executive directors
Gross operating cycle
Gross profit margin
Illegal acts
Indirect effect
Information technology (IT)
Inventory turnover in days
Key performance indicators (KPIs)
Liquidity
Net operating cycle
Non-executive directors
Payables turnover in days
Price–earnings (PE) ratio
Profitability
Profit margin
Receivables turnover in days
Related party
Return on assets (ROA) ratio
Return on stockholders’ equity (ROE) ratio
Solvency
Sustainable cash flow from operations
Sustainable free cash flow
Those charged with governance
Times-interest-earned ratio
Transaction-level risk
Trend analysis

Audit Decision-Making Example

Background Information

Your client, Baldwin Industries, manufactures personal computers, tablets, and cell phones. Baldwin Industries has positioned itself to be very price competitive and, as a result, sales have grown by 50% over the last two years. At the beginning of the current fiscal year, the board of directors approved a new compensation structure for all high-level and executive-level employees, such that bonuses are based on the company’s sales growth and profit margins. In the fourth quarter of the current fiscal year, Baldwin released a new cell-phone product about four months ahead of schedule to be the first to market with new technologies, despite having three months of inventory on hand of the current model. The results of analytical procedures performed in planning the audit are below. Given this information, explain the inherent risk factors and risks of material misstatement that are present in the audit. Be specific about the potential misstatements that may be present and connect the risk factors to the potential misstatements identified.

                                      Current    Prior     Second Prior  Prior Year  Second Prior
                                      Year       Year      Year          Industry    Year Industry
                                      Unaudited  Audited   Audited       Median      Median
Current ratio                         4.82       5.50      5.56          5.61        5.64
Quick ratio                           3.37       3.09      2.96          2.94        2.89
Debt to equity                        .21        .16       .15           .21         .19
Sales to total assets                 1.34       1.16      1.12          1.10        1.08
% Profit before tax to sales          12.3%      5.7%      6.3%          7.3%        9.1%
Return on assets                      16.5%      6.7%      7.31%         8.0%        9.8%
Return on equity                      19.8%      7.0%      7.9%          9.9%        11.9%
Accounts receivable turnover in days  86.4       74.8      76.2          69.9        75.3
Inventory turnover in days            180.0      169.4     166.3         152.4       160.6
Gross operating cycle                 266.4      244.2     242.5         222.3       235.9
Accounts payable turnover in days     22.0       27.6      29.1          33.6        30.8
Net operating cycle                   244.5      216.6     213.4         188.7       205.1

Identify the Audit Issue

Identify specific inherent risks or risks of material misstatement in the audit of Baldwin Industries. Show the logic between the risk factors and the risks of material misstatement identified.

Gather Information and Evidence

Specific risk factors identified include:

a. Compensation has changed for high-level and executive-level employees to reward increases in sales and profit margin.
b. Baldwin has recorded significant sales growth over the last two years (50%).
c. Baldwin released a new product with new technology when it had significant levels of the existing product on hand.
d. The industry is very price-competitive.
e. Accounts receivable turnover in days is increasing.
f. Inventory turnover in days is increasing.
g. Accounts payable turnover in days is decreasing.
h. In the current year, Baldwin has recorded significant increases in sales, profit margins, return on assets, and return on equity.
i. Profit margins are stronger than the industry medians.

Analysis and Evaluation of Alternatives

Following is an analysis of the risk factors identified above:

a. Changes in compensation may increase the risk that managers might push the limit on accounting issues or engage in fraudulent financial reporting to secure better compensation.
b. The sales growth experienced over the last two years combined with the slower collection period (e) may indicate revenue-recognition problems.
c., d. Releasing the new product to the market in a price-competitive industry (d) with significant quantities on hand of the old product increases the risk that the older product may not be sold at a price that will recover the cost of inventory on hand. This might require write-downs of the value of inventory on hand.
e. The slower collection period may indicate an increased risk of collectibility of receivables.
f. Slower inventory turnover in days may indicate inventory obsolescence or lower-of-cost-or-net-realizable-value problems with older models without new technology features.
g. Decreasing accounts payable turnover in days may indicate potential for unrecorded liabilities and unrecorded expenses.
h. Sales growth may be the result of premature revenue recognition (see b above). Improved profit margin could be the result of potential unrecorded liabilities.
i. Strong profit margins may be the result of unrecorded expenses and liabilities.

Conclusions Regarding Inherent Risk and Risk of Material Misstatement

The following risks are considered significant (before considering any internal controls that may mitigate these risks):

•  Revenue recognition problems may exist based on the increase in sales to total assets, the increase in accounts receivable turnover in days, and the incentive for managers to increase compensation based on sales.
•  Inventory may have a lower-of-cost-or-net-realizable-value problem because Baldwin released new technology while it still had significant inventories of the older technology and because of the increase in inventory turnover in days.
•  There may be a completeness problem with both liabilities and expenses as evidenced by the decrease in accounts payable turnover in days and the increase in the company’s profit margins.
•  There may be problems with the adequacy of the allowance for doubtful accounts based on the increase in accounts receivable turnover in days.


Multiple-Choice Questions
1.  (LO 1)  When gaining an understanding of the client, the auditor will consider:
a.  related party identification.
b.  the appropriateness of the client’s system of internal controls to mitigate identified business risks.
c.  controls over the technology used to process and store data electronically.
d.  All of these answer choices are correct.

2.  (LO 1)  When gaining an understanding of the client, the auditor will identify the geographic location of the client because:
a.  more centralized clients are harder to control.
b.  the auditor will only visit one location to assess processes and procedures.
c.  the auditor may plan to use staff from affiliated offices to visit overseas locations.
d.  more decentralized clients are easier to control.

3.  (LO 1)  When gaining an understanding of the client’s sources of financing, the auditor:
a.  is not interested in debt covenants because most debt contracts are the same.
b.  ignores the relative reliance on debt versus equity funding because that is a management decision, not an audit issue.
c.  determines if the client is meeting principal and interest payments when they are due.
d.  determines if the client is writing off uncollectible accounts receivable.

4.  (LO 1)  When gaining an understanding of the client at the industry level, the auditor will:
a.  consider the level of demand for the goods provided by companies in the industry.
b.  determine if the client has centralized or decentralized operations.
c.  assess the amount of faulty goods the client returns to suppliers.
d.  determine if the client has a simple or complex capital structure.

5.  (LO 2)  Companies use profitability measures to assess performance and to:
a.  assess their ability to compete.
b.  maintain consistency in operations each month.
c.  measure their ability to pay short term debts on time.
d.  measure their ability to pay long term debts on time.

6.  (LO 3)  Common uses of analytical procedures include all of the following except:
a.  risk identification during the risk assessment stage.
b.  testing account balances derived from estimates during the risk response stage.
c.  overall assessment of financial statements at the final review stage of the audit.
d.  test of internal controls.

7.  (LO 3)  Analytical procedures:
a.  cannot be performed on interim data.
b.  are not affected by different accounting methods between the client and other members of the industry.
c.  must take into account seasonal variation in the client’s business.
d.  are only useful if the client’s variation from budget is low.

8.  (LO 4)  Which of the following statements is false regarding related parties?
a.  Management should have controls in place for identifying related parties.
b.  Related party transactions do not have to be disclosed if they are conducted at “arm’s length.”
c.  A subsidiary company is considered a related party.
d.  The presence of related parties is considered a fraud risk factor.

9.  (LO 5)  An audit committee of a publicly traded company should be composed of:
a.  executive and non-executive members of the board of directors.
b.  the CFO and two other board members who are also shareholders.
c.  the audit partner, the CFO, and a shareholder.
d.  members of the board of directors who are independent directors.

10.  (LO 6)  Risks of material misstatement that are associated with a client’s IT system include all of the following except:
a.  failure to accrue for a contingent liability.
b.  a terminated employee who is still able to log on to the client’s IT system.
c.  the installation of new software that still needs modifications to operate as needed.
d.  no schedule for backing up data.

11.  (LO 7)  Client closing procedures:
a.  are routine transactions that do not impact audit risk.
b.  are the responsibility of those charged with governance who must ensure that transactions are recorded in the correct accounting period.
c.  affect expense accounts only.
d.  affect balance sheet accounts only.

Review Questions
R4.1  (LO 1)  Explain the importance of the risk assessment phase of a financial statement audit.

R4.2  (LO 1)  List and briefly explain the key factors the auditor would consider during risk assessment.

R4.3  (LO 1)  When gaining an understanding of a client, an auditor will be interested in an entity’s relationships with both its suppliers and customers. What aspects of these relationships will the auditor be interested in and how would they affect the assessment of audit risk?

R4.4  (LO 2)  What is the difference between liquidity and solvency? Why does this difference matter to an auditor?

R4.5  (LO 3)  Explain, using examples, how you could use analytical procedures in assessing the risk of material misstatement of sales revenue.

R4.6  (LO 3)  What are some possible explanations of a change in the gross profit margin? How could the auditor investigate which of these explanations is the most likely cause of the change in the ratio?

R4.7  (LO 3)  What is a time-series analysis? How could it be useful to an auditor?

R4.8  (LO 4)  Why is it important to maintain professional skepticism when gaining an understanding of related party transactions?

R4.9  (LO 5)  Do only publicly traded companies have good corporate governance? Explain.

R4.10  (LO 5)  Why is it important that an audit committee not have any executive directors as members?

R4.11  (LO 6)  Why does an auditor need to understand a client’s IT system? Explain how IT affects the financial statements.

R4.12  (LO 7)  Create an example of a client closing procedure. Using your example, analyze the accounts that would be affected if the closing procedure is performed inadequately.

Analysis Problems
AP4.1  (LO 1)  Basic   Risk assessment  Michael has drafted an audit plan for a new client. The client
is Countrywide Capers, a party supplies rental business. Countrywide Capers earns 80% of its revenue from
renting marquees, tables and chairs, lights, and other party equipment and 20% from sales of disposable table-
ware, utensils, napkins, and tablecloths. Michael’s plan shows that audit time is divided to reflect this revenue
pattern (that is, 80% of the audit time is spent on the rental business and 20% of the time is spent on the retail
business). Michael believes that the significance of the revenue activities should be the only driver of the audit
plan because the client has no related parties and has a simple, effective corporate governance structure.

Required
What questions would you have for Michael before accepting his audit plan?

AP4.2  (LO 1)  Moderate   Understanding the client and its risks—risk assessment  Ivy Brown
is preparing a report for the engagement partner of an existing client, Scooter Inc., an importer of scooters
and other low-powered motorcycles. Ivy has been investigating certain aspects of Scooter’s business given
the change in economic conditions over the past 12 months. She has found that Scooter’s business, which
experienced rapid growth over its first five years in operation, has slowed significantly during the last
year. Initially, sales of scooters were boosted by good economic conditions and solid employment growth,
coupled with rising gas prices. Consumers needed transportation to get to work and the high gas prices
made the relatively cheap running costs of scooters seem very attractive. In addition, the low purchase
price of a small motorcycle or scooter, at between $3,000 and $8,000, meant that almost anyone who had
a job could obtain a loan to buy one.
However, Ivy has found that the sales of small motorcycles and scooters have slowed significantly,
and all importers of these products, not just Scooter, are being adversely affected. The onset of an eco-
nomic recession has restricted employment growth and those people who still have jobs are less certain
of continued employment. In addition, the slowdown in the world economy has made gas prices fall,
further reducing demand for this type of economical transportation. Ivy has also discovered that, due to
the global financial crisis, the finance company used by Scooter’s customers to finance the purchase of
scooters and motorcycles has announced that it will not be continuing to provide loans for any type of
vehicle with a purchase price of less than $10,000.

Required
a.  Identify industry and business environment issues that potentially impact the audit of Scooter Inc.
b.  Evaluate how industry and business environment issues can impact risk assessment by identifying
specific financial statement risks and related accounts that would require closer examination.

AP4.3  (LO 1)  Moderate   Research   Noncompliance with laws and regulations   As part of
your intern training at a large public accounting firm, you have been asked to conduct research about
audit procedures related to client noncompliance with laws and regulations. You will report the findings
of your research to the other interns in your training class.

Required
Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate
to AU-C 250 and answer the following questions:
a.  What might be indicators that a client has committed an illegal act?
b.  What are some specific procedures the auditor can use to obtain an understanding of an identified
or suspected illegal act?
c.  In what situations might an auditor have a duty to notify external parties about a client’s noncom-
pliance with laws and regulations?

AP4.4  (LO 1, 3)  Basic   Understanding the client  The audit team is preparing to audit a new client
in the fashion industry. The client imports garments from manufacturers in several Asian countries and
retails them in a chain of shops located throughout the United States.
You have access to the following information for the client:
a.  Prior period financial statements.
b.  Anticipated results for the current year.
c.  Industry averages.

Required
Discuss how you would use the information to understand your new client.

AP4.5  (LO 2, 3)  Moderate   Planning analytical procedures using profitability ratios   Li Chen
has calculated profitability ratios using data extracted from his client’s pre-audit trial balance. He also has
the values for the same ratios for the preceding two years (using audited figures).
The data for the gross profit and profit margins are:

                       2022    2021    2020
Gross profit margin     45%     35%     40%
Profit margin            9%     15%     20%

Li is a little confused because the profit margin shows declining profitability but the gross profit margin
has improved in the current year and is higher in 2022 than in the previous two years.

Required
a.  Create a list of possible explanations for the pattern observed in the gross profit and profit margins.
b. Which of your explanations suggest additional audit work should be planned? For each, discuss the
accounts and/or transactions that would need special attention in the audit.

AP4.6  (LO 2, 3)  Challenging   Analytical procedures for liquidity and solvency issues   Bright
Spark Fashion has retail outlets in six large regional cities in the eastern United States. The shops are
run by local managers, but purchasing decisions for all stores are handled by Ray Bright, the owner of
the business. Fashion is an extremely competitive business. Bright Spark Fashion sells only for cash and
generates sales through a reputation of low prices for quality goods. The winter clothing moves quite
slowly, but summer fashion sells very well, providing a disproportionate amount of the business’s sales
and profits. Ray is constantly monitoring cash flow and negotiating with suppliers about payment terms
and with banks about interest rates and extensions of credit.
Jenna Kowalski has the tasks of assessing the liquidity and solvency of Bright Spark Fashion and
identifying the audit risks arising from this aspect of the business. She discovers a major long-term debt
is due to be retired two months after the close of the fiscal year, but Ray is having difficulty obtaining
approval from his current bank for a renewal of the debt for a further two-year term. In addition, interest
rates have risen since the last fixed rate was agreed to two years ago, adding an additional 2% to the likely
rate for the new debt (if it is approved).
The seasonality of the business means that inventory levels fluctuate considerably. At the end of
the year (January 31), Ray has placed prepaid orders for the summer fashion and the goods have started
arriving in the stores by March.
Required
a. What liquidity and solvency issues does Bright Spark Fashion face? Evaluate the likely impact of
each issue on liquidity and solvency ratios.
b.  Advise Jenna Kowalski about the audit risks for Bright Spark Fashion and propose how she could
take these into account in the audit plan.

AP4.7  (LO 4)  Moderate   Research   Understanding related party transactions  During the
risk assessment phase for a new client, you have been assigned the task of identifying related parties. You
need to refresh your memory regarding why identifying related parties is necessary in the audit.

Required
Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate
to AU-C 550 and answer the following questions:
a. What is an “arm’s-length transaction” as defined by the standard?
b. Identify examples of how related party relationships and transactions may give rise to higher risks
of material misstatement than transactions with unrelated parties.

AP4.8  (LO 1, 5)  Moderate   Public Company   Research   Understanding the client and its
governance  Ajax Inc. is a public company and a new client of Hawthorne Partners, a medium-sized
audit firm. Jeffrey Rush is the engagement partner on the audit and has asked the members of the audit
team to begin the process of gaining an understanding of the client, in accordance with AS 2110. One
audit manager leads the group investigating the industry and economic factors, and another helps Jeffrey
consider issues at the entity level. Jeffrey will hold discussions with members of the audit committee and
will discuss a wide range of issues. He has a meeting arranged for next week with the four members of
the audit committee, including the chair of the committee, Stella South, who, like the other members of
the audit committee, is an independent director.

Required
a.  Access AS 2110 at the PCAOB website (www.pcaobus.org). Make a list of the main factors that will
be considered by each audit manager’s group.
b. Based on the information, can you conclude that Ajax Inc. complies with Section 301 of the
Sarbanes-Oxley Act regarding its audit committee? Explain.

AP4.9  (LO 6)  Moderate   IT risk assessment  Genesis Physical Therapy has been providing out-
patient physical therapy services for 30 years. The owners, Jesse and Janice, have been slow to imple-
ment updated technology for the accounting system because it is costly. However, at the beginning of
the current year, they decided to install a new patient revenue system. It is an off-the-shelf product that
is marketed to the healthcare industry. The auditor asked one of Genesis’ accounting staff for feedback
about the new system. The staff member provided the following comments:
• “A frequent error has been occurring in which we invoice people who were past patients because
they happened to have the same last name as one of our current patients.”
• “We had a power outage a couple of weeks ago, and we had to re-enter all patient services that had
been provided for that week because they had not been saved.”
• “When we first started using the system, we had a significant number of complaints from patients
because they were being billed for more than their insurance would allow. We discovered a month
later there was an error in the billing calculation formula in the system. We fixed the error and it
has been functioning properly.”

Required
Evaluate the audit risks associated with the new patient revenue system.

AP4.10  (LO 6)  Challenging   Assessing the risks associated with information technology 
Shane Woodrow is getting to know his new client Clarrie Potters, a large discount electrical retailer.
Shane discovers that toward the end of last year, Clarrie Potters installed a new IT system for inventory
control. The system was not operating prior to the end of the last financial year so its testing was not
included in the previous audit. The new system was custom-built for Clarrie Potters by a Chicago-based
software company by modifying another system it had designed for a furniture manufacturer and retailer.

Required
Evaluate the audit risks associated with the installation of the new inventory IT system at Clarrie Potters.

AP4.11  (LO 1, 7)  Challenging   Public Company   Impact of closing procedures on perfor-
mance  Dunks Holdings Inc. (Dunks) is an importer of hardware goods and distributes the goods to
hardware retailers around the country. The growth in the do-it-yourself (DIY) market that has accompa-
nied the boom in house prices in most capital cities over the past five years has provided consistent sales
growth for both hardware retailers and wholesalers like Dunks. However, the recession, which began
last year, has cast doubt on the ability of this sector to keep growing. Some analysts believe the DIY mar-
ket will not be affected by the recession because in tough economic times home owners increase their
“nesting’’ behavior. They spend even more on improving their homes and retreat from outside activities
such as vacations, the theater, and restaurants. This view is disputed by other analysts who believe that
job losses and general pessimism in the economy will impact adversely on all company profits, including
Dunks.
Dunks’s share price has fallen over the last year as doubt about its ability to grow its profits in the
current year spreads. The CEO and other senior management have large bonuses linked to both share
prices and company profitability and there is a mood within the company that achieving sales and profit
targets this year is vital to avoid job losses at the company.
You have been brought into the audit team for Dunks this year and given the responsibility for audit-
ing Dunks’ closing procedures. Dunks has a monthly reporting system for internal management, but you
notice the reports are being issued later in each month this year than they were last year.

Required
a.  Evaluate why and how the circumstances described above could affect your risk assessment.
b. How would you audit Dunks’ closing procedures? Which potential errors would be of most interest?
Explain.

AP4.12  (LO 1, 7)  Challenging   Public Company   Research   Annual reports—disclosures 


Publicly traded companies are required to make certain disclosures in their annual reports about the com-
pensation paid to their top executives. One reason for this is to help interested stakeholders assess the per-
formance of executives. It also helps boards of directors and companies set appropriate compensation levels
based on what other companies in the same industry and/or of the same size are paying their executives.
These disclosures are audited.

Required
Obtain the annual proxy statements of 10 publicly traded U.S. companies in the same industry. (Hint: Go
to www.sec.gov, click on Fast Answers in the Education tab, and then search for an explanation on the
required disclosure of executive compensation as a fast way to find the information on the SEC’s website.)
Summarize the information on executive compensation and describe the data using graphs and/or tables.
Write a report addressing the following questions (justify your responses by referring to the data where
appropriate).
•  How are the executives paid (cash, bonuses)?
•  Which companies’ executives are paid the most and what is the range of pay?
• Which companies’ executives’ pay is most linked to the company’s profit and/or stock price perfor-
mance? (Explain any assumptions you have to make.)
• Overall, what do you conclude about how company executives are paid and how clearly the com-
pensation data is reported?

Audit Decision Cases


King Companies, Inc.

Question C4.1 is based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. KCI has expanded from two auto parts stores to five stores in the last three years, and it plans
continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of
the board of directors and CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned
by Eric and Patricia are owned by friends and family who helped the Kings get started (Eric started the
company with one store after working in an auto parts store). To date, Eric has funded growth from an
inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening
three to five additional stores in the next few years.
In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an
annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this
year the audit has been requested by the company’s bank because of anticipated bank loans and by a new
private equity investor that has just acquired a 20% share of KCI.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts deliv-
ery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the
company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to
the company. Eric tells you that the accounting staff enjoys their jobs so much they have never taken any
annual vacations, and hardly any workers ever take sick leave. There are two people currently employed
as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting depart-
ment and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and
move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities
himself, including opening mail, cash receipts and vendor payments, depositing funds received, perform-
ing reconciliations, posting journals, and performing the payroll function. The second employee, Abby
Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll
functions and posting all journal entries into the accounting system. Jonathan and Abby often help each
other out in busy periods.

C4.1  (LO 1, 3)  Challenging   Gaining an understanding of a new client  Gather information: You
have access to the following information for KCI:
1. Prior period financial statements.
2. Budgets for the current year.
3. Industry comparisons.
Plan, in detail, the types of analytical procedures the audit team will use to gain an understanding of KCI.

Mobile Security, Inc.


Question C4.2 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s prod-
ucts are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military prod-
uct designs, both the facilities and records of MSI must be highly secured.
The MSI board of directors consists of 12 members. The CEO and CFO are board members, and the
remaining 10 board members are not employees of MSI. One of the board members, who is part of the
audit committee, is stepping down next month, so MSI is looking to fill that spot.

C4.2  (LO 5)  Moderate   Public Company   Research   Audit committees


a. Gather information: As MSI is looking for someone to fill the vacant board position, what require-
ments must be followed? What characteristics or qualities would be ideal for the board member
to have?
b. Gather information: Go to www.pcaobus.org and access AS 1301 Communication with Audit Com-
mittees. Discuss specific items the auditors must communicate with the audit committee before the audit
begins. (Note: Do not discuss the auditor’s requirements for communicating the results of the audit.)

Brookwood Pines Hospital


Question C4.3 is based on the following case.

Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across
Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a pri-
vate, not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing
the audit for the fiscal year-end June 30, 2023.
BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured
and underinsured patients are offered discounts of up to 100% of charges based on their income as a
percentage of the federal poverty-level guidelines. BPH does not pursue collection of these accounts;
therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing
the charity care is included in operating expenses.
BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt
issues, state and municipal government debt issues, and trusts. A majority of the investments are the
result of charitable contributions to the hospital by generous donors. Earnings from the investments are
used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover
the costs of the charity care.
Selected financial statements and other financial information are provided below. Since BPH
operates as a not-for-profit, it reports assets, liabilities, and net assets. (Note: Net assets takes the place of
equity since there are no owners.)

Brookwood Pines Hospital


Statement of Financial Position
(in thousands)
June 30, 2023 June 30, 2022
Assets
Cash and cash equivalents $   43,077 $   36,361
Short-term investments 22,725 49,338
Patient accounts receivable, net 119,380 99,962
Current portion of pledges and grants receivable, net 9,208 5,099
Current portion of insurance recoverable 2,364 1,953
Inventory 10,740 10,056
Other current assets 25,792 23,193
  Total current assets 233,286 225,962
Long-term investments 915,088 807,321
Property and equipment, net 576,432 538,981
Prepaid pension cost 19,760 7,248
Insurance recoverable, less current portion 11,619 10,723
Other assets, net 31,535 28,463
  Total assets $1,787,720 $1,618,698

Liabilities and net assets


Accounts payable $   38,431 $   39,547
Accrued salaries and benefits 52,361 50,754
Grants payable, current portion 6,459 8,459
Accrued expenses and other current liabilities 19,209 27,380
Due to third-party payors 72,494 67,687
Current accrued liabilities under self-insurance programs 15,709 14,965
Current maturities of long-term debt 5,040 4,928
Short-term debt 14,550 0
Long-term debt subject to short-term refinancing agreements 0 53,132
  Total current liabilities 224,253 266,852
Long-term debt, net, less current maturities 220,796 179,530
Accrued liabilities under self-insurance program, less current portion 82,618 82,559
Grants payable, less current portion 13,245 16,489
Other liabilities 42,669 48,336
  Total liabilities 583,581 593,766
Net assets:
  Without donor restrictions 1,138,140 962,652
  With donor restrictions 65,999 62,280
   Total net assets 1,204,139 1,024,932
    Total liabilities and net assets $1,787,720 $1,618,698

Brookwood Pines Hospital


Statement of Operations
Year Ended June 30
(in thousands)
2023 2022
Revenue
Net patient service revenue $791,572 $706,073
Estimated uncollectible accounts (33,675) (25,810)
Net patient service revenue after estimated uncollectible accounts 757,897 680,263
Rental and other revenue 42,727 41,975
Net assets released from donor restrictions and federal and state grants 4,541 4,407
  Total revenue 805,165 726,645
Expenses
Salaries and employee benefits $377,895 $344,360
Supplies 146,172 126,633
Purchased services 89,774 79,391
Depreciation and amortization 47,858 45,630
Insurance 17,430 18,132
Rent and utilities 15,218 13,935
Repairs and maintenance 14,722 14,563
Interest 7,351 8,874
Texas hospital assessment 17,227 14,081
Other 21,324 21,151
  Total expenses 754,971 686,750
   Operating income 50,194 39,895
Nonoperating gains (losses)
Investment return 109,212 25,951
Change in fair value of certain investments 6,254 (6,202)
Contribution of DeLaune unrestricted net assets 0 64,995
Grants provided (3,362) (4,458)
Other 1,630 (489)
  Total nonoperating gains, net 113,734 79,797

   Excess of revenues over expenses $163,928 $119,692

Selected information from the cash flow statement is as follows (in thousands):

Item                                              2023      2022
Net cash provided by operating activities      $63,648   $67,903
Net cash used in investing activities         (60,394)  (75,300)
Net cash provided by financing activities        3,463     3,706

C4.3 (LO 1, 3)  Challenging   Analytical procedures  Analysis: Using BPH’s financial data, perform
analytical procedures to gain an understanding of BPH. Conduct a trend analysis, common-size analysis,
and ratio analysis. Based on your analysis, document in a memo your understanding of the client, potential
problem areas (accounts at risk of material misstatement), and any other special concerns. (Note: Some
ratios provided in the text may need to be modified for a not-for-profit organization. If necessary, use the
internet for additional research about financial ratios used in the hospital industry.)

Cloud 9 - Continuing Case


Part 1: Gain an Understanding of the Client

W&S Partners began the planning phase of the Cloud 9 audit. As part of the risk assessment phase for
the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business
environment, determine materiality, and assess inherent risk. This will assist the team in developing an
audit strategy and designing the nature, extent, and timing of audit procedures.

Required
Answer the following questions based on the additional information about Cloud 9 presented in the
appendix to this text and the current and earlier chapters. You should also consider your answer to the
case study questions in earlier chapters where relevant.
Your task is to research the retail and wholesale footwear industries and report back to the audit team.
Your report will form part of the overall understanding of Cloud 9’s structure and its environment.
You should concentrate your research on providing findings from those areas that have a financial
reporting impact and are considered probable given Cloud 9’s operations. Use the factors listed in
Illustrations 4.2 and 4.3 as a guide for your research.

Part 2:  Analytical Procedures

Required
Answer the following questions based on the information presented for Cloud 9 in the appendix to this
text and the current and earlier chapters. You should also consider your answers to the case study
questions in earlier chapters.
a. Using analytical procedures and the information provided in the appendix, perform an analysis of
Cloud 9’s financial position and its business risks. Discuss the ratios indicating a significant or an
unexpected fluctuation.
b. Which specific areas do you believe should receive special emphasis during your audit? Consider
your discussion of the analytical procedures results as well as your preliminary estimate of materiality.
Prepare a memorandum to Suzie Pickering outlining potential problem areas (that is, where possible
material misstatements in the financial statements exist) and any other special concerns.

Chapter 5
Audit Evidence
[Figure: The Audit Process. Stages shown: Overview of Audit and Assurance (Chapter 1); Professionalism
and Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk Assessment
(Chapters 3 and 4); Gaining an Understanding of the System of Internal Control (Chapter 6); Audit
Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8);
Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10);
Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12);
Auditing the Balance Sheet and Related Income Accounts (Chapter 13); Completing and Reporting on the
Audit (Chapters 14 and 15).]

Learning Objectives

LO 1  Define management assertions about classes of transactions, account balances, and presentation
and disclosure.
LO 2  Discuss the characteristics of audit evidence.
LO 3  Apply the procedures for gathering audit evidence, including the use of audit data analytics.
LO 4  Evaluate when it is appropriate for auditors to use the work of others.
LO 5  Document the details of evidence gathered in working papers.

Auditing and Assurance Standards

PCAOB
AS 1105  Audit Evidence
AS 1205  Part of the Audit Performed by Other Independent Auditors
AS 1210  Using the Work of a Specialist
AS 1215  Audit Documentation
AS 2110  Identifying and Assessing Risks of Material Misstatement
AS 2310  The Confirmation Process
AS 2605  Consideration of the Internal Audit Function

Auditing Standards Board
AU-C 230  Audit Documentation
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 500  Audit Evidence
AU-C 505  External Confirmations
AU-C 600  Special Considerations—Audits of Group Financial Statements (Including the Work of
Component Auditors)
AU-C 610  Using the Work of Internal Auditors
AU-C 620  Using the Work of an Auditor’s Specialist

Cloud 9 - Continuing Case


At the next planning meeting for the Cloud 9 audit, Suzie Pickering presents the results of the
analytical procedures performed so far and a working draft of the audit program. The audit manager,
Sharon Gallagher, and the audit senior, Josh Thomas, are also involved in the planning, with special
responsibility for the internal control assessment.
The meeting’s agenda is to discuss the available sources of evidence at Cloud 9 and specify these in
the detailed audit program. The team members also must ensure they have enough evidence to conduct
the audit. Two specific issues worry members of the team. First, there are three very large asset
balances on Cloud 9’s trial balance that have particular valuation issues. Josh suggests that a specialist
will be required for the derivatives, but they can handle the accounts receivable and inventory
themselves. Second, Sharon is worried about how they will gather evidence regarding a subsidiary of
Cloud 9 located in Vietnam. W&S Partners does not have an office in Vietnam, so they must determine
the most effective and efficient way to gather evidence regarding the subsidiary.
In the planning meeting, the team considers the following questions:
•  What evidence is available?
•  What criteria will the team use to choose among alternative sources of evidence?
•  What are the implications of using the work of specialists and other auditors?

Chapter Preview—Audit Process in Focus


In Chapters 3 and 4, we considered audit risk and risk assessment. Those chapters focused
on the importance of risk identification to help ensure the auditor’s desired level of risk is
achieved. This chapter begins the discussion of obtaining audit evidence in response to iden-
tified risks. Once auditors have identified the key risk factors for their client, they will plan
“what” to test, “how” to test it, and “who” should test it. In this chapter, we explain “what”
the auditors are testing by defining and describing management assertions. Then, we discuss
characteristics of audit evidence, including traits that make some types of evidence more
appropriate than others.
Next, we discuss the “how” of gathering audit evidence. What specific procedures do audi-
tors perform to gather evidence? You have already been introduced to the broad categories of
risk assessment procedures, tests of controls, and substantive tests. This chapter will describe
specific actions auditors perform to gather evidence at the risk assessment and risk response
phases of the audit. In most audits, the audit team will perform all of the evidence gathering
procedures, but “who” else may perform evidence-gathering procedures for the audit? We
discuss situations in which auditors may use the work of others, such as specialists in a field
other than accounting or auditing, the client’s internal auditors, or auditors from another
accounting firm.
Finally, auditors document the details of their risk assessment, tests of controls, and substantive
tests in their working papers. An auditor’s working papers provide proof of audit
work completed, procedures used, and evidence gathered. Each accounting firm has its own
working paper format and preferences. This chapter provides some examples of a typical audit
file and the types of working papers it may contain.

Management Assertions
Learning Objective 1
Define management assertions about classes of transactions, account balances,
and presentation and disclosure.

It is the responsibility of management and those charged with governance to ensure the financial
statements are fairly presented. When preparing the financial statements, management
makes assertions about each account and related disclosures in the notes. An assertion is a
statement or representation, explicit or implied, made by management regarding the recognition,
measurement, presentation, and disclosure of items included in the financial statements
and notes. For example, when reporting inventory, management is claiming, or asserting, that
the items exist, are owned by the entity, represent a complete list of the inventory owned,
and are valued appropriately. When reporting sales, management is asserting that the amount
represents sales of the entity that occurred during the accounting period. Management also
asserts that sales are recorded at the correct amount, represent a complete list of all sales, and
are classified correctly.

assertion  statement or representation, explicit or implicit, made by management regarding
the recognition, measurement, presentation, and disclosure of items included in the financial
statements and notes

During the risk assessment phase, auditors use management assertions as a guide
when determining the different types of potential material misstatements that could occur,
or what can go wrong in the financial statements. Assertions also guide auditors in the
collection of evidence, as the evidence used to evaluate many assertions is unique to that
assertion. For example, evidence the auditor will use to evaluate the completeness of revenues
is different from the evidence used to evaluate the occurrence of revenues. AU-C 315
Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
provides a summary of the assertions used by auditors. The assertions are divided into the
three categories of classes of transactions and events, account balances at the period-end,
and presentation and disclosure. The assertions are summarized in Illustration 5.1. Each
assertion in Illustration 5.1 is numbered and the following paragraphs provide more
discussion of each one.
5-4  Chapter 5  Audit Evidence

ILLUSTRATION 5.1   Assertions by category

Assertions About Classes of Transactions and Events for the Period Under Audit
(1) Occurrence: Transactions and events that have been recorded have occurred and pertain to the entity.
(2) Completeness: All transactions and events that should have been recorded have been recorded.
(3) Accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately.
(4) Cutoff: Transactions and events have been recorded in the correct accounting period.
(5) Classification: Transactions and events have been recorded in the proper accounts.

Assertions About Account Balances at the Period-End
(6) Existence: Assets, liabilities, and equity interests exist.
(7) Rights and obligations: The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
(8) Completeness: All assets, liabilities, and equity interests that should have been recorded have been recorded.
(9) Valuation and allocation: Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.

Assertions About Presentation and Disclosure
(10) Occurrence and rights and obligations: Disclosed events, transactions, and other matters have occurred and pertain to the entity.
(11) Completeness: All disclosures that should have been included in the financial statements have been included.
(12) Classification and understandability: Financial information is appropriately presented and described, and disclosures are clearly expressed.
(13) Accuracy and valuation: Financial and other information are disclosed fairly and in appropriate amounts.

Source: AU-C 315.A128.

Let’s discuss these assertions in more detail, beginning with the assertions about
classes of transactions and events for the period under audit, and what can go wrong with
each assertion. When considering (1) occurrence, auditors gather evidence to verify that a
recorded transaction or event, such as revenue or an expense item, actually took place and
relates to the entity. This assertion is particularly important when auditors believe there is a
risk of overstatement and that some transactions are recorded but did not actually occur. For
example, a client may record revenues prematurely in error, or management might record
fictitious sales to overstate revenues and profit.
When considering (2) completeness, auditors gather evidence that all transactions have
been recorded and the financial statements are not understated or overstated because
transactions have been omitted. This assertion is particularly important when auditors believe there
is a risk of understatement and that some transactions or events that should have been
recorded have not been recorded. For example, a client may have incurred an expense but not
recorded it because the vendor’s invoice had not been received, or because management
intended to understate expenses and overstate profit.
When considering (3) accuracy, auditors gather evidence that transactions and events
have been recorded at appropriate amounts. This assertion is important when auditors believe
there is a risk the reported amounts are not accurate. For example, a client might inadvertently
use the wrong price on an invoice or may have complex foreign exchange calculations
where errors can easily occur.
When considering (4) cutoff, auditors search for evidence that transactions have been
recorded in the correct accounting period. This assertion is particularly important for
transactions close to year-end. For example, a client may record a sale before year-end that actually
occurred after year-end, or a client may record an expense after year-end that was actually
incurred before year-end. Unintentional cutoff mistakes may happen when internal controls
are poor. Alternatively, a client may be motivated to record an expense or revenue in the wrong
period to manipulate net income for the period.
When considering (5) classification, auditors gather evidence that transactions and events
have been recorded in the proper accounts. For example, a client may have recorded a routine
maintenance expense in a fixed asset account when it should be recorded in an expense
account. Auditors should be alert to misstatements that result in capitalizing an amount that
should be expensed.

Audit Reasoning Example  Wells Fargo Scandal

Wells Fargo is an international banking giant headquartered in San Francisco. In 2016, news
broke that Wells Fargo employees had participated in various fraud schemes to increase revenue.
One of the schemes was charging auto loan customers for vehicle insurance without their
knowledge. Which assertion about classes of transactions is violated with this scheme? Did these
revenues actually occur? Wells Fargo was collecting actual payments from actual customers, so
this wasn’t a case of fictitious customers. But charging customers without their consent is
fraudulent and violates the occurrence assertion. Why did Wells Fargo employees participate in this
scheme? The company had very aggressive internal sales goals with compensation tied to sales
performance. Wells Fargo management encouraged cross-selling to existing customers as a way to
boost revenues, and employees felt pressure to meet the lofty sales goals. In July 2017, Wells Fargo
announced “it would issue $80 million in refunds or account adjustments to more than 570,000
auto loan customers who were charged for vehicle insurance without their knowledge.”1
Consideration of the occurrence assertion for revenues is a relevant assertion for all audits.
Historically, many accounting frauds have involved overstatement of revenues either through
creation of fictitious revenue, improper period-end cutoff, and/or improper application of revenue
recognition rules. Auditors spend considerable time gathering evidence to support management’s
assertion that recorded revenue occurred and relates to the entity.

The next category of assertions focuses on account balances at the end of the period, which
is typically fiscal year-end. When considering (6) existence, auditors search for evidence to verify
that asset, liability, and equity items on the balance sheet actually exist. This assertion is
important when auditors believe there is a risk of overstatement. For example, a client may miscount
inventory, resulting in an overcount and overstatement, or a client may attempt to overstate
inventory or accounts receivable to improve financial ratios for the period.
When considering (7) rights and obligations, auditors gather evidence to verify recorded assets
are owned by the entity and recorded liabilities represent commitments of the entity. This
assertion is particularly important when auditors believe there is a risk that recorded assets or liabilities
are not owned by the entity. This assertion is different from existence, as the assets and liabilities
may exist but not be owned by the entity. An example of inventory that physically exists but does
not satisfy the rights and obligations assertion is inventory held on consignment in the client’s
warehouse (and therefore not owned by the entity), which is incorrectly recorded as an asset.
When considering (8) completeness, auditors search for assets, liabilities, and equity items
to ensure they have been recorded. This assertion is particularly important when auditors
believe there is a risk of understatement and the client has omitted some items from the balance
sheet. For example, a client may fail to record various accrued liabilities due to an error or an
attempt to improve reported financial ratios for the period.
When considering (9) valuation and allocation, auditors search for evidence that assets,
liabilities, and equity items have been recorded at appropriate amounts and allocated to the correct
general ledger accounts. With respect to assets, auditors need to be aware of both valuation at
historical cost and any fair value tests that may be relevant. This assertion is particularly
important when auditors believe there is a risk of over- or undervaluation. For example:

•  An auditor verifies that inventory has been appropriately recorded at the lower of cost or
net realizable value (risk of overstatement).
•  An auditor tests for the adequacy of the allowance for doubtful accounts (risk of
understatement or overstatement depending on the client’s motivation).
•  An auditor verifies that equipment used in operations has been appropriately marked
down if it is impaired (risk of overstatement).

1 K. McCoy, “Wells Fargo’s Legal Challenges Accumulate,” USA Today (August 9, 2017), p. 2B.

Cloud 9 - Continuing Case


Ian and Suzie have already talked in general terms about the errors that could occur in
Cloud 9’s accounts receivable. For example, basic mathematical mistakes and other clerical errors
could affect the customer’s total in either direction. Suzie emphasizes that Cloud 9’s management
asserts this error did not exist when they prepared the financial statements—i.e., they
assert that accounts receivable are valued correctly. Auditors must gather evidence about each
assertion for each transaction class, account, and note in the financial statements. Now that
Ian understands this idea better, he can identify the assertions that relate to the potential
errors in accounts receivable that they discussed earlier:

•  No mathematical mistakes or other clerical errors exist that could affect the total
receivables in either direction—valuation and allocation.
•  No accounts receivables were omitted when calculating the total—completeness.
•  Accounts receivables included in the total do exist at year-end—existence.
•  Accounts receivables belong to Cloud 9 and have not been sold or factored—rights and
obligations.
•  Bad debts have been provided for—valuation and allocation.
•  Sales from the next period are not included in the earlier period—cutoff. Ian is a bit
confused about this because cutoff is an assertion for transactions, not account balances. Suzie
agrees it is a special sort of assertion that relates to transactions or events, but also gives
evidence about balance sheet accounts (e.g., an overstatement of revenue is also an
overstatement of receivables).

The last category of assertions focuses on presentation and disclosure in the financial
statements and the notes. You’ve probably noticed that most of the assertions in this category
are also listed in one or both of the other categories. That makes sense considering the note
disclosures and presentation in the financial statements are inherently tied with a client’s
transactions and year-end balances. Auditors gather evidence that disclosed items represent
events and transactions that occurred and pertain to the entity, (10) occurrence and rights
and obligations, and that all items that should have been disclosed are included in the
financial statements, which is (11) completeness. Auditors ensure items included in the
financial statements are appropriately presented and disclosures are clearly expressed, which is
(12) classification and understandability, and financial and other information is disclosed
fairly and in appropriate amounts, which is (13) accuracy and valuation.
The PCAOB standards also address management assertions but in a more condensed manner
than the ASB standards. AS 1105 Audit Evidence lists just five assertions and does not use the three
categories of assertions like the ASB standard. The five assertions defined in AS 1105.11 are:

•  Existence or occurrence—Assets or liabilities of the company exist at a given date, and
recorded transactions have occurred during a given period.
•  Completeness—All transactions and accounts that should be presented in the financial
statements are so included.
•  Valuation or allocation—Asset, liability, equity, revenue, and expense components have
been included in the financial statements at appropriate amounts.
•  Rights and obligations—The company holds or controls rights to the assets, and liabilities
are obligations of the company at a given date.
•  Presentation and disclosure—The components of the financial statements are properly
classified, described, and disclosed.

You can see there are similarities with the assertions listed in both sets of standards. The ASB
standard simply provides a more detailed description of the assertions, especially in the
category of presentation and disclosure.
Recall from Chapter 4 that one of the risk assessment procedures is to identify significant
accounts and classes of transactions. Once these are identified, auditors assess the risk of
material misstatement at the relevant assertion level for these significant classes of
transactions and account balances. Relevant assertions are assertions that have a reasonable possibility
of containing a material misstatement that would cause the financial statements to be
materially misstated and, therefore, have a meaningful impact on whether the account is fairly
stated (AU-C 315.A131). All assertions may not be relevant for a particular account balance
or transaction. For example, the valuation of cash is typically not an issue, but the existence
of cash is always relevant because there is risk that a client may overstate its cash balance due
to the misappropriation of cash. Once the relevant assertions are identified for significant
accounts and classes of transactions, auditors can proceed with planning their audit procedures
to gather evidence in support of management assertions. The specific procedures auditors
will use to gather evidence are detailed in the audit program. The audit program is part of
the audit documentation that lists the details of the audit procedures to be used when testing
controls and when conducting detailed substantive procedures. Audit procedures will be
further discussed in this chapter in the section “Procedures for Gathering Audit Evidence.” Audit
documentation is discussed in the section “Documentation—Audit Working Papers.”

relevant assertion  an assertion that has a reasonable possibility of containing a material
misstatement or misstatements that would cause the financial statements to be materially
misstated and, therefore, has a meaningful impact on whether the account is fairly stated

audit program  a listing of details of the audit procedures to be used when testing controls,
conducting detailed substantive audit procedures, and completing the audit

Before You Go On
1.1 When auditing accounts receivable, what will an auditor search for when testing for rights
and obligations?
1.2 What does the accuracy assertion mean? Develop an example in the context of purchases of
inventory.
1.3 What is the auditor trying to ensure when considering the cutoff assertion? Develop an
example in the context of payroll transactions.

Characteristics of Audit Evidence


Learning Objective 2
Discuss the characteristics of audit evidence.

Audit evidence is the information auditors use when arriving at their opinion on the fair
presentation of the client’s financial statements (AU-C 500 Audit Evidence and AS 1105 Audit
Evidence). It is the responsibility of management and those charged with governance to ensure
the financial statements are prepared in accordance with the appropriate financial reporting
framework (usually GAAP). They are also responsible for ensuring that accurate accounting
records are maintained and any potential misstatements are prevented, or detected and
corrected. It is the responsibility of auditors to gather sufficient appropriate evidence to arrive at
their opinion. Before considering the different procedures auditors will use for gathering
evidence, we start with a discussion of what is meant by the phrase sufficient appropriate evidence.

audit evidence  information gathered by the auditor that is used when forming an opinion on
the fair presentation of a client’s financial statements

Sufficient Audit Evidence


Sufficient refers to the quantity of audit evidence gathered. Essentially, auditors determine
at what point they have gathered enough evidence to support their opinion on the financial
statements. AU-C 500.A4 and AS 1105.05 state the quantity of evidence needed is affected
by the risk of material misstatement in a relevant assertion for an account balance or class
of transactions. In other words, as risk increases, the amount of evidence the auditor should
gather also increases. For example, the existence assertion for the accounts receivable balance
is typically a relevant assertion because of the risk of overstatement of receivables due to
premature revenue recognition, which inflates revenues and receivables. In contrast, the risk of
understatement of accounts receivable, which is the completeness assertion, is typically low
because a client would most likely record all credit sales and related accounts receivable. In
this scenario, auditors will gather more evidence in support of the existence assertion since it
presents the higher risk of material misstatement. Auditors should also be alert that, for some
private companies needing audits, the incentive might be to understate pretax profits in order
to minimize income tax expense.

Appropriate Audit Evidence


Appropriate refers to the quality of audit evidence gathered. The concepts of quantity and
quality are interrelated as the quality of evidence gathered will affect the quantity required.
Typically, the higher the quality of the evidence, the less quantity that may be required. What
contributes to the quality of audit evidence? AU-C 500.A5 and AS 1105.06 state the quality
of audit evidence is determined by its relevance and reliability in providing support for the
conclusions on which the auditor’s opinion is based.

appropriate  refers to the quality of audit evidence gathered

Relevance of audit evidence refers to its relationship to the assertion being tested. In
other words, does the evidence gathered really support the assertion being tested? For
example, if auditors are testing for the completeness of the accounts payable balance, they are trying
to determine if all accounts payable owed have been properly recorded. Suppose auditors
inspect a sample of accounts payable balances from the ledger and verify they are true payables
owed by the client. Have the auditors gathered evidence about completeness? No, they have
not. They have gathered evidence in support of the existence assertion: that payables that have
been recorded actually do exist. To gather relevant evidence for the completeness assertion,
auditors must use a different procedure. Auditors could examine a client’s unpaid invoices file
and determine if payables have been properly created for any unpaid invoices. This procedure
would provide relevant, or appropriate, evidence in support of the completeness assertion.

relevance  refers to the logical connection with the assertion being tested

Reliability of audit evidence refers to the source of the evidence and form or nature of
the evidence. In general, here are some guidelines regarding the reliability of audit evidence
provided in AU-C 500.A32 and AS 1105.08:
•  Evidence gathered from a knowledgeable source independent of the client is more
reliable than evidence gathered solely from internal client sources.
•  The reliability of evidence generated internally from the client is increased when the
client’s internal controls over the information are effective.
•  Evidence obtained directly by the auditor is more reliable than evidence obtained
indirectly by the auditor.
•  Evidence provided by original documents is more reliable than evidence obtained from
copies, scans, or faxes. However, this could be mitigated if internal control over the
duplication of documents is effective.
•  Evidence that has been documented (paper or electronic form) is more reliable than
strictly oral evidence obtained by having a discussion with an individual.
Some examples of these reliability guidelines are provided in Illustration 5.2.

reliability  refers to the source, form, or nature of the audit evidence

ILLUSTRATION 5.2   Examples of reliability of audit evidence

Nature/Source of Evidence: Example

Independent source: Auditors communicate directly with a client’s bank regarding the
existence of the client’s cash account balances at year-end. The bank
confirms the cash balances directly with the auditor. This is more reliable
than relying solely on the client’s internal records related to its cash
account balances.

Effective internal controls: If auditors determine that controls over the client’s accounting
information system are effective, then information generated from the client’s accounting
information system is deemed more reliable than if controls were weak.

Direct knowledge by auditor: Auditors visit a client’s warehouse to observe, in person, the
physical count of the client’s inventory to support the existence assertion of inventory. This
is more reliable than auditors reading a summary report of the physical
count or interviewing client personnel about the physical count.

Original documents: Auditors review the original title to verify the client’s rights to a piece of
equipment. Inspecting the original title is more reliable than inspecting a
copy because a copy can be altered and/or forged.

Documented: Auditors read the minutes from a board of directors’ meeting. This
documented evidence, either written or in electronic form, is more
reliable than interviewing one of the board members about the topics
covered in the meeting.

Cloud 9 - Continuing Case


Whenever Suzie’s draft audit program shows the team relying on internally generated evidence,
it also includes requirements to obtain additional evidence. This is because the evidence obtained
from the client is less persuasive than evidence gathered directly by an auditor or externally
generated evidence that has passed through the client’s hands. Therefore, the audit program
includes plans to obtain evidence from tests of controls for each assertion, to support the
conclusion that internal controls are strong.

Audit Risk and Sufficient Appropriate Audit Evidence

In Chapter 3, we discussed the audit risk model. Let’s discuss how the audit risk model
impacts the gathering of audit evidence. Audit risk affects the quantity and quality of evidence
gathered by an auditor during the risk response phase. When there is a significant risk of
material misstatement with an assertion and the client’s system of internal controls is not
considered to be effective at reducing that risk, detection risk is set as low. (See Illustration 5.3.)
How would this scenario impact the quality and quantity of evidence to be gathered? When
detection risk is low, auditors want to decrease the risk that their audit procedures will not
detect a material misstatement. Therefore, auditors would plan for substantive procedures
that result in higher quality evidence and possibly gather an increased quantity of evidence
for that assertion.

ILLUSTRATION 5.3   High risk assertion

Audit risk: Low
Risk of material misstatement:
    Inherent risk: High
    Control risk: High
Detection risk: Low
Level of sufficient appropriate evidence: Increased

When the risk of material misstatement with an assertion is inherently low and the
client’s system of internal controls is considered effective at reducing risk, then detection risk is
set as high. First, the auditor will obtain evidence through risk assessment procedures to
support the low inherent risk assessment, and perform tests of controls to support the low control
risk assessments. Second, since detection risk is high, that means auditors are willing to accept
a higher risk that their audit procedures may not detect a material misstatement. Therefore,
auditors would plan for substantive procedures that may result in lower quality evidence and
possibly a decreased quantity of evidence for that assertion. This scenario is demonstrated in
Illustration 5.4.

ILLUSTRATION 5.4   Low risk assertion

Audit risk: Low
Risk of material misstatement:
    Inherent risk: Low
    Control risk: Low
Detection risk: High
Level of sufficient appropriate evidence: Decreased

The risk patterns illustrated in Illustrations 5.3 and 5.4 are extremes. The risk of material
misstatement associated with most assertions falls somewhere in between. Ultimately, the
amount of evidence gathered when conducting substantive procedures is a matter for
professional judgment and will vary from assertion to assertion and client to client. Nevertheless,
there is a direct relationship between the risk of material misstatement (inherent and control
risk) and the extent of sufficient appropriate evidence gathered when testing transactions and
balances.

Cloud 9 - Continuing Case


Ian thinks he finally understands. To limit the risk of an inappropriate audit opinion for
Cloud 9, the audit team will assess inherent risk and control risk at the assertion level for
account balances and transactions. They make the inherent and control risk assessments after
gaining an understanding of the client because these risks are influenced by the client’s
circumstances.
If inherent and control risk are assessed as high, the audit team will set detection risk as low.
This means the audit team will need to gather more, better-quality evidence through substantive
testing than if inherent and control risk are assessed as low. In addition, planning materiality
is set by considering what would be influential to users of the financial statements. The lower
the detection risk and materiality level, the more sufficient appropriate evidence that needs
to be gathered.
Suzie thinks the time spent having coffee with Ian has been well worth it!

Before You Go On
2.1  What are two characteristics of appropriate audit evidence? Develop an example of each.
2.2 What is a disadvantage of using evidence that is generated internally by the client? Explain
with an example.
2.3 Describe the relationship between the risk of material misstatement and sufficient
appropriate audit evidence. Develop an example in the context of auditing the occurrence of revenues.

Procedures for Gathering Audit Evidence


Learning Objective 3
Apply the procedures for gathering audit evidence, including the use of audit data
analytics.

Auditors spend a considerable amount of total audit time on the process of obtaining and
evaluating audit evidence in support of management assertions. The primary source of the
evidence is the client’s accounting records. The accounting records consist of the records
of initial accounting entry and supporting documents such as checks, invoices, contracts,
general and subsidiary ledgers, and client-prepared spreadsheets and cost allocations. Auditors
also gather evidence from other sources independent of the client to corroborate, or confirm,
amounts recorded in the client’s accounting records. Audit evidence consists of any
information that supports and corroborates management’s assertions and any information that
contradicts the assertions. In some situations, the absence of information may also constitute
audit evidence (AU-C 500.A1). For example, suppose a client recorded the purchase of a new
piece of equipment, which increased total assets. Auditors would observe the tangible asset
and inspect the vendor’s invoice for the purchase in support of the existence assertion, and
make inquiries about how the equipment was financed. If there is no invoice to corroborate
the purchase of a new piece of equipment, then perhaps the client did not actually buy the
equipment. The equipment could be a short-term rental and therefore should not be recorded
as an asset. The absence of an invoice would serve as audit evidence that contradicts
management’s assertion.

accounting records  client’s records of the initial accounting entry and supporting documents

Let’s now discuss “how” auditors gather audit evidence. Audit procedures are the
methods used by auditors in gathering evidence and they are classified into three general
categories:

1.  Risk assessment procedures (discussed in Chapters 3 and 4)—Methods used to gain an
understanding of a client and its industry for the purpose of identifying risk of material
misstatement.
2.  Tests of controls (discussed in Chapters 3 and 8)—Methods used to determine the
operating effectiveness of the client’s controls in preventing, or detecting and correcting,
material misstatements at the assertion level.
3.  Substantive procedures (discussed in Chapters 3 and 9–14)—Methods designed to detect
material misstatements at the assertion level. Two categories of substantive procedures
are tests of details (of account balances, transactions, and disclosures) and substantive
analytical procedures.

We introduced these categories in Chapters 3 and 4 in the discussion of risk assessment, audit
risk, and audit strategy. We now detail the specific procedures auditors perform to gather suf-
ficient appropriate evidence. The specific procedures described in the rest of this section are
used as risk assessment procedures, tests of controls, or substantive procedures as determined
by the auditors.

Inspection of Documents and Assets


inspection  an evidence-gathering procedure that involves examining documents and physical assets

Inspection involves the examination of documents and physical assets. Let’s first discuss the inspection of documents. The documents could be internally or externally generated and in paper or electronic form. Inspection of documents can be used as a risk assessment procedure, test of controls, or a substantive procedure. For example, as a risk assessment procedure, auditors inspect the board of directors’ meeting minutes to become familiar with the objectives and strategies of the client. As a test of controls, auditors inspect purchase orders for proper authorization by a manager before a purchase is made. As a substantive procedure, auditors inspect vendor invoices in support of management’s assertion of the valuation of inventory.

vouching  a type of inspection in which auditors select transactions from a journal or ledger and work backward to examine the underlying source documents. Vouching provides evidence for the occurrence or existence assertion

When used as a substantive procedure to test management’s assertions of occurrence and completeness, the inspection procedure can be further explained by the direction of the testing. First, auditors want to determine if transactions recorded in sales revenue actually occurred. They start by selecting transactions from the sales journal or ledger and then examining the underlying source documents, such as a shipping document and an invoice to the customer as shown in Illustration 5.5. This procedure is called vouching. Auditors are essentially working backward from the recording of the event back to the supporting documentation. Vouching provides evidence that recorded transactions actually occurred.

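ILLUSTRATION 5.5  Vouching versus tracing
Direction of testing: vouching (from the ledger and journal back to the source document). Assertion: existence or occurrence.
Direction of testing: tracing (from the source document forward to the journal and ledger). Assertion: completeness.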

tracing  a type of inspection in which auditors select source documents and work forward to follow the transaction through to recording in the journal and ledger; tracing provides evidence for the completeness assertion

What if auditors are gathering evidence in support of the completeness assertion for sales? They want to determine if all sales that occurred have been completely recorded. This time, auditors will start with the underlying source documents and work forward to follow the transaction through to recording in the journal and ledger (see Illustration 5.5). This process is called tracing. In the sales example, auditors would start with a sales order, then follow the transaction forward to a shipping document, to an invoice to a customer, and then to related journal entries and posting to the ledger.

Inspection is also used to gather evidence for assertions related to physical assets. For example, auditors inspect an actual piece of machinery in a client’s factory to support the existence assertion. If the machinery is not being used, perhaps it is obsolete or in need of repairs. This evidence is used to determine if assets should be written down below cost, which relates to the valuation and allocation assertion.
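
The two directions of testing for sales described above can be run as lookups over the same set of records, which shows why each direction finds a different kind of exception. The following Python code is an added example, not part of the original text; the document numbers, the record layout, and the rule that an unshipped sales order implies no recordable sale are assumptions made for illustration.

```python
"""Vouching and tracing over constructed sales records (illustrative data only)."""

# Constructed source documents, keyed by sales order number (hypothetical ids).
SALES_ORDERS = ["SO-101", "SO-102", "SO-103", "SO-104"]
SHIPPING_DOCS = {"SO-101": "SH-9001", "SO-102": "SH-9002", "SO-103": "SH-9003"}
INVOICES = {"SO-101": "INV-501", "SO-102": "INV-502", "SO-103": "INV-503"}

# Constructed accounting records: sales journal entry -> invoice it cites,
# and the set of journal entries that were posted to the ledger.
SALES_JOURNAL = {"JE-1": "INV-501", "JE-2": "INV-502", "JE-3": "INV-777"}
LEDGER_POSTINGS = {"JE-1", "JE-2", "JE-3"}


def vouch(journal_entry_ids):
    """Work backward from recorded entries to source documents.

    An exception means a recorded sale has no supporting documents,
    which bears on the occurrence (existence) assertion.
    """
    order_by_invoice = {inv: so for so, inv in INVOICES.items()}
    exceptions = []
    for je in journal_entry_ids:
        invoice = SALES_JOURNAL[je]
        order = order_by_invoice.get(invoice)
        if order is None:
            exceptions.append((je, f"no customer invoice {invoice} on file"))
        elif order not in SHIPPING_DOCS:
            exceptions.append((je, f"no shipping document for {order}"))
    return exceptions


def trace(sales_order_ids):
    """Work forward from source documents to the journal and ledger.

    An exception means a sale that occurred was not fully recorded,
    which bears on the completeness assertion.
    """
    entry_by_invoice = {inv: je for je, inv in SALES_JOURNAL.items()}
    exceptions = []
    for so in sales_order_ids:
        if so not in SHIPPING_DOCS:
            # Assumption for this example: nothing shipped, so no sale
            # is expected in the accounting records yet.
            continue
        invoice = INVOICES.get(so)
        if invoice is None:
            exceptions.append((so, "shipped but never invoiced"))
            continue
        je = entry_by_invoice.get(invoice)
        if je is None:
            exceptions.append((so, f"{invoice} not recorded in the sales journal"))
        elif je not in LEDGER_POSTINGS:
            exceptions.append((so, f"{je} not posted to the ledger"))
    return exceptions


if __name__ == "__main__":
    print("Vouching exceptions:", vouch(sorted(SALES_JOURNAL)))
    print("Tracing exceptions: ", trace(SALES_ORDERS))
```

Vouching flags only the recorded entry that has no documents behind it, and tracing flags only the shipped and invoiced order that never reached the journal; neither direction detects the other's exception.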

Cloud 9 - Continuing Case


Suzie will head the team gathering evidence about inventory. There are some issues with Cloud 9’s inventory control, including difficulties in delivering merchandise from the warehouse to the store in a timely manner. Suzie is also concerned about the thefts at Cloud 9’s retail store. Although Cloud 9’s management has been very open in disclosing the thefts, Suzie is concerned about what this means for the effectiveness of inventory control. She plans to inspect inventory and gather evidence of its existence and quality (because obsolescence is another major concern).

Sharon will also assign a team to inspect the furniture and equipment, and the leasehold improvements, as there have been some major additions this year because of the new store opening.

Ian is a little concerned about being asked to inspect assets. “I don’t understand how inspection can sometimes relate to the existence assertion and other times relate to the completeness assertion. How do I know when the evidence relates to one assertion and not the other?” he asks Suzie.

Suzie tries to explain that it depends on the process. If you start with the accounting records and then gather evidence to support the records, you are gathering evidence about existence. For example, the furniture and equipment ledger account has a record stating that Cloud 9 owns a copy machine. The record contains information about brand, size, and other details. Can you agree the records to the physical item? That is, can you find the copy machine in the office? If so, you have evidence that it exists. (You would also do separate tests for its valuation and rights and obligations.) However, if you see a copy machine in the office, your question is then whether the item is in the accounting records. That is, are the accounting records complete? In this case, you start with the physical item and trace it through to the records. If the copy machine is entered in the ledger, you have evidence about the completeness of the accounting records.

Observation
observation  an evidence-gathering procedure that involves watching a process or procedure being carried out by client personnel or another party

Observation is an audit procedure that involves watching a process or procedure being carried out by client personnel or another party. It is used most often as a risk assessment procedure or a test of controls. For example, auditors observe the opening of the mail to determine whether the appropriate control procedures over the handling of cash receipts are being followed with appropriate segregation of duties. Keep in mind that observation only provides evidence of a process at the time auditors observe it happening, and people tend to alter behaviors when being watched. Auditors must determine whether there is evidence that the procedures observed have been applied consistently throughout the period under audit.

Inquiry
inquiry  an evidence-gathering procedure that involves asking questions verbally or in written form to gain an understanding of various matters throughout the audit

Inquiry involves asking questions verbally or in written form of knowledgeable individuals internal or external to the client. Inquiry is used when gaining an understanding of the client and to corroborate other evidence gathered throughout the audit. For example, during risk assessment, auditors will inquire of client management regarding various topics such as related parties, corporate governance, and major customers. The results of inquiries of client personnel and third parties are documented by the auditor. If the evidence is particularly important, auditors may document the information more formally and ask the other party (or parties) to the discussion to sign their agreement that the auditors have recorded the discussion accurately.

As a test of controls or substantive procedure, inquiry of client personnel, on its own, typically does not provide reliable evidence to reduce audit risk to a low-enough level for a relevant assertion (AS 1105.17). Additional evidence needs to be gathered to corroborate the client’s statements. For example, auditors ask the CFO about any new or updated lease agreements. The CFO tells the auditors the company signed a lease agreement for a new manufacturing facility. The auditors will document the response but will also follow up by inspecting the actual signed lease agreement. This is an example of auditors using professional skepticism by verifying statements made by the client.

Audit Reasoning Example  Evidence for Relevant Assertion

Your client is Jane’s Apparel, a national chain of women’s clothing stores. There are 500 Jane’s stores located in malls across the United States. Inventory is a key account for Jane’s, and the existence assertion for inventory is always a relevant assertion. As part of your risk assessment procedures, you meet with the national inventory manager, Carla, to inquire about internal controls over inventory and other issues about inventory for the current-year audit. Carla says, “As you know, one of our biggest problems is employee theft of our merchandise. We just recently decided to hire an outside company to perform our annual physical inventory count rather than having our own employees perform the count. Although it will be an additional cost for us, we think the benefits of an independent inventory count will be worth it. It will deter employee theft and hopefully detect instances of theft that are occurring.”

After your meeting, you document Carla’s responses to your inquiries. You are excited about the news of an independent company performing the inventory count and discuss it with another member of your audit team, John. You say to John, “Since an independent company is performing the count, I guess that means we do not have to observe the physical inventory count anymore. We can use the report from the independent company, right?” John thinks for a moment, then says, “I agree that it is an improvement in internal controls to have an independent company physically count the inventory. But remember, we have documented that the existence of inventory is a relevant assertion. Therefore, we must gather an increased level of sufficient, appropriate evidence to support our conclusion. Can we rely solely on inquiry of the client? Can we rely on the report from the independent company that is counting the inventory? I recommend that we still observe the physical inventory counting, even though it is being performed by an independent company. As we have done before, we will select a sample of stores from across the country and have auditors from our firm present while the inventory is being counted.” You agree with John that having your auditors observe the physical inventory count provides more relevant and reliable evidence to support the existence assertion for inventory.

Confirmation
external confirmation  an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form, and the third party responds directly to the auditor on the matter(s) included in the confirmation

AU-C 505 External Confirmations and AS 2310 The Confirmation Process provide guidance on the use of external confirmations. External confirmation is an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form. The third party is asked to respond directly to the auditor, not to the client, on the matter(s) included in the confirmation. Evidence obtained from external confirmations is considered reliable because it is obtained from an independent source outside of the client. However, auditors must maintain control over the confirmations at all times. Specifically, auditors determine the following for the confirmations:

1.  What information should be confirmed or requested?
2.  Who is the appropriate confirming third party?
3.  How should the confirmation request be designed?
4.  How will the third party respond directly to the auditor?
5.  When should the confirmation request be sent?
6.  If applicable, how should auditors follow up on requests when the third party has not responded?

External confirmations can be sent to any third parties the auditors deem necessary, but the
most common confirmations are with the client’s bank and customers.
bank confirmation  correspondence sent directly by the auditors to their client’s bank requesting information such as cash held in the bank and details of any loans with the bank and interest rates charged

A bank confirmation is a request for information about the amount of cash held in the bank, details of any loans with the bank (e.g., interest rates and terms), and details of any pledges of assets made to guarantee loans. This information is used to confirm that the cash listed on the client’s balance sheet actually exists, is recorded at the appropriate amount (valuation and allocation assertion), is in the client’s name (rights and obligations assertion), and that all loans with the bank are included in the liability section of the balance sheet (completeness assertion). The bank confirmation also requests details of interest rates paid on the client’s cash balances, if applicable, and interest rates charged on bank overdrafts and loans. This information is used when auditing interest income and interest expense items (accuracy assertion). We will cover the bank confirmation in depth in Chapter 13.

receivable confirmation  correspondence sent directly by the auditors to their client’s customers requesting information about amounts owed to the client by the customer

Receivable confirmations can be sent to customers to verify amounts owed to the client. Auditors select the customers to whom they will send confirmations. Criteria used when selecting the customer balances to confirm include materiality (large trade receivables), age (overdue accounts), and location (if customers are dispersed, a selection from various locations). The primary assertion being tested when using receivable confirmations is existence. The confirmations provide audit evidence that the customers exist. They also provide some evidence on ownership (rights and obligations assertion), as customers confirm that they owe money to the client. Customers are only asked to confirm they owe the amount outstanding at year-end (or at an interim date). They do not confirm their intention to pay the amount due. Therefore, confirmations provide very little evidence regarding the valuation and allocation assertion.
positive confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter in all circumstances (that is, whether they agree or disagree with the information included in the auditor’s letter)

negative confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter only if the party disagrees with the information provided

There are two types of external confirmations: positive and negative. Positive confirmations ask recipients to reply in all circumstances. If a response cannot be obtained, auditors must perform follow-up procedures. Negative confirmations ask recipients to reply only if they disagree with the information provided. If a recipient does not respond to a negative confirmation, it is assumed they agree with the information provided. But could there be other reasons why there is no response? What if the customer never received the confirmation, perhaps because of an address error? What if it is sitting on someone’s desk and has not been opened? Because of these “unknowns,” this form of request is of limited benefit when the assertion being tested is existence. According to AU-C 505.15 and AS 2310.20, auditors should not use negative confirmations as the sole audit procedure unless all of the following conditions are present:

1.  Auditors have assessed the risk of material misstatement for accounts receivable as low.
2.  Auditors have gathered sufficient appropriate evidence that internal controls are effective.
3.  The population of accounts receivable balances consists of a large number of small account balances.
4.  Auditors expect a low exception rate.
5.  Auditors are not aware of any circumstances that would cause the recipients to disregard the confirmation request.

In practice, negative confirmations are not commonly used. Positive confirmations provide superior evidence because auditors must follow up on any nonresponses by verifying the appropriate recipient and sending a follow-up request or by completing alternative procedures. When auditors send a positive receivable confirmation, they ordinarily include the amount recorded in their client’s records for each customer to confirm. There is a risk that a customer may sign and return the confirmation to the auditor without checking the balance outstanding. As the primary assertion being tested when using this audit procedure is existence, rather than valuation and allocation, this issue is not of great concern. Auditors will rely on other procedures to provide evidence on the valuation and allocation of the receivable balance. If auditors were to send a confirmation asking customers to provide the balance outstanding, there is a risk that customers would not respond because locating the amount owed takes some effort, which would reduce the overall response rate and the amount of evidence available for the existence assertion. We will revisit the accounts receivable confirmation process in Chapter 11.

Professional Environment  Updating Audit Confirmation Standards


How has technology influenced audit practice and standards? According to Daniel Goelzer, a former member of the Public Company Accounting Oversight Board (PCAOB), it has impacted practice more than the standards. In 2009, Goelzer believed that changes to the U.S. standard on audit confirmations (at the time AU Section 330 [2]) were necessary to bring it into the twenty-first century. [3] Goelzer suggested that technological innovations such as the internet and email have changed confirmation practice since AU Section 330 was written in the early 1990s. [4]

2. Public Company Accounting Oversight Board (PCAOB), AU Section 330 The Confirmation Process, www.pcaobus.org.
3. D. L. Goelzer, “Statement on Consideration of Concept Release on Possible Revisions to the Standard on Audit Confirmations” (April 14, 2009), www.pcaobus.org; WebCPA 2009, PCAOB Mulls Revising Audit Confirmation Standards (April 14, 2009), www.webcpa.com.
4. Goelzer, 2009.

In the United States, the practice of audit confirmations is essentially mandatory, unlike the situation that typically prevails in the rest of the world where confirmations are an optional procedure—a tool available for auditors to select as part of a package of audit procedures. [5] The U.S. requirement to use confirmations dates back to a famous fraud case, McKesson Robbins, in the 1930s. [6] In that case, around $19 million of a total of $87 million in assets were entirely fictitious and the fraud would probably have been discovered if audit confirmations had been used appropriately. [7] More recent scandals, such as the Madoff, Satyam, and Parmalat cases, have meant that the confirmation process is back in the spotlight. [8]

The PCAOB believes that a new confirmation standard should take into account today’s sophisticated security and encryption tools for email and online transactions. Specifically, some confirming parties have indicated that instead of responding to confirmation requests, they prefer to allow the auditors to have electronic access to the company’s accounts so the auditor may directly check the confirming party’s records. [9] Former PCAOB member Steven Harris believed “the standard should address the use and reliability of confirmations received electronically. It should address the authenticity and accuracy of direct access to online account information.” [10] In addition, auditors are continually faced with disclaimers—clauses inserted into a client’s customer’s reply to a confirmation request disclaiming responsibility for any inaccuracy in the information provided. In a litigious society like the United States, these disclaimers are routinely used to avoid legal liability for statements made. However, the auditor is then faced with a decision; that is, how much weight should be placed on a statement that is accompanied by a disclaimer? The PCAOB included this issue in its request for public comment on the new standard.

The comment period for the proposed rule closed in September 2010. The PCAOB received 27 comment letters, 19 of which were from accounting firms and associations of accountants. There was general acknowledgment from the respondents that the existing standard needs to be revised. However, there were two primary recommendations from the respondents. One recommendation is that the standard should be modified to be based more on principles and risk rather than being a hard rule that auditors must use confirmations. With a model based on principles and risk, auditors can rely more on their professional judgment when determining if confirmations are appropriate for a given client. The second recommendation is that additional research should be conducted to determine how additional confirmation requirements will affect the confirming parties. Currently, the PCAOB has not issued any updated standard on the confirmation process. [11]

The clarified standards of the Auditing Standards Board include an updated standard on external confirmations that became effective for audit periods ending after December 31, 2012. Paragraph A15 of AU-C 505 addresses the issue of validating the source of replies received in electronic format, such as email. It may be possible for the auditor to establish a secure environment for electronic responses, for example, by the use of encryption, electronic digital signatures, and procedures, to verify website authenticity. However, if this is not possible and the auditor has doubts about the reliability of any form of evidence obtained through the confirmation procedure, AU-C 505 requires the auditor to consider alternative procedures, for example, telephone contact with the respondent (AU-C 505.A14).

Cloud 9 - Continuing Case


Suzie explains to Ian that they use external confirmations to gather sufficient appropriate evidence about the existence of Cloud 9’s customers. However, the confirmations will not be appropriate for valuation purposes, as a reply from a customer to confirm the debt exists does not mean the customer is going to pay the debt when it is due. The audit team will use other procedures to provide evidence about the valuation assertion for accounts receivable.

Suzie also suggests that bank confirmations will be useful on the Cloud 9 audit for the rights and obligations, existence, and valuation assertions for bank accounts. The audit team will also ask the banks to supply any information they have about any other bank accounts or loans, which is useful for gathering evidence about the completeness assertion for these accounts.

Suzie incorporates her ideas on confirmations into the draft audit program.

Recalculation
recalculation  an audit procedure that involves checking the mathematical accuracy of documents or records

Recalculation is the audit procedure of checking the mathematical accuracy of documents or records. Recalculation can be performed manually or electronically with the aid of software. Some recalculations are simple, such as footing (adding/subtracting figures) a column in a client-prepared spreadsheet. Other recalculations are more complex, such as foreign currency translation, payroll taxes, interest on loans outstanding, and depreciation. When conducting complex recalculations, auditors agree the amounts included in the calculations to externally prepared documents, when available, and check that the formulas are used appropriately and are free of errors.

5. Ibid.
6. Ibid.
7. S. B. Harris, “Statement on Proposed Auditing Standard on Confirmation” (July 13, 2010), www.pcaobus.org.
8. WebCPA, 2009.
9. Harris, 2010.
10. WebCPA, 2009.
11. Public Company Accounting Oversight Board (PCAOB), “Transcript Excerpt and Slides: Standing Advisory Group Meeting,” Docket 28 (October 14, 2010), www.pcaobus.org.

Reperformance
reperformance  an audit procedure that involves the independent execution of procedures or controls that were originally performed by client personnel

Reperformance involves the independent execution of procedures or controls that were originally performed by client personnel. In other words, the auditors will “re-do” a procedure that was performed by the client to determine if the auditors get the same result. Reperformance is commonly used as a test of controls. For example, a client’s control procedure over cash disbursements states that checks are prepared only after all source documents have been independently approved in a voucher packet. Auditors can reperform this procedure by looking at approved voucher packets awaiting check processing. Auditors reperform the act of agreeing all of the source documents and verify that an approval signature is on the packet.

Another example is reperforming a bank reconciliation the client has prepared. Client personnel prepare bank reconciliations for all bank accounts each month as an internal control procedure. Auditors will reperform the bank reconciliation to gather evidence that the procedure was performed correctly.

Analytical Procedures
analytical procedures  evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data

Recall from Chapter 4 that analytical procedures are evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data. Some examples of analytical procedures include data comparisons, ratio analysis, and trend analysis. During risk assessment, analytical procedures are required and are used to identify accounts at risk of material misstatement, which aids in planning the audit. They can also be used as a substantive procedure to gather sufficient appropriate evidence, but auditing standards do not require the use of analytical procedures during the risk response phase.

When properly designed and executed, analytical procedures may provide an efficient alternative to other audit procedures and, in some cases, may provide the most effective test of the appropriateness of account balances. For example, when auditing management’s estimate of the allowance for doubtful accounts or the accrual for warranty costs, auditors compare the current-year estimates with prior-year estimates, taking into consideration any increases or decreases in sales. Based on the results, auditors may decide that no further substantive testing is needed. In other situations, analytical procedures may provide the only method of gathering evidence. For example, if the client does not maintain an effective costing system, auditors could estimate manufacturing overhead in finished inventory by relating actual overhead for the year to actual direct labor. The use of analytical procedures as a substantive procedure is covered in more depth in Chapter 9.

Scanning
scanning  a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items to examine further

Scanning is a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items that may be an indication of a material misstatement. Scanning includes the identification of unusual individual items within an account balance or other accounting records such as journals, reconciliations, and detailed transaction reports. Examples of unusual items include a large dollar amount for a transaction, such as a very large cash receipt that might be evidence of a loan, or a nonstandard journal entry. Once an unusual item is identified, auditors may decide to further examine the item using other audit procedures, such as inspection or recalculation.

Audit Data Analytics (ADA)


As clients have incorporated more technology into their processes, so have auditors. Auditors
use software to assist with gathering evidence. Software usage ranges from simple techniques,
such as electronic spreadsheets and software for a paperless audit, to more sophisticated
procedures, such as cluster analysis.

audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful information in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit

visualization  using graphics to explain and communicate findings

Auditors use software to perform procedures such as calculations (for example, the summing of a report) and logic tests (for example, sorting or comparing current-year amounts with prior years), and to select key items and representative samples for testing. Audit data analytics (ADA) is using software to discover and analyze patterns, identify anomalies, and extract other useful information from client data. Auditors then use “visualization” techniques to draw conclusions and communicate the information. Visualization refers to the use of graphics to explain and communicate findings. Typical visualization techniques include graphs, charts, trend lines, scatter diagrams, and dashboards. For example, traditional audit techniques would compare aggregate figures, such as current-year sales compared to prior-year sales, or quarterly sales totals in the current year to quarterly sales totals from the prior year. ADA software can provide a deeper examination of sales activity by summarizing every sales transaction for the year into a graph that shows a trend line with time on the x-axis and dollars of sales on the y-axis. This deeper analysis shows more detailed trends with highs and lows of sales activity. Knowing more about their clients helps auditors plan a more effective audit.

Using ADA software makes the audit (1) more comprehensive because each item in a client’s file can be examined and subjected to a variety of tests and (2) more efficient because the software can handle large volumes of data, thereby reducing time-consuming clerical tasks. Using software also allows auditors to concentrate on designing the test criteria and evaluating and interpreting the results, rather than on performing the detailed audit procedures.

ADA can be used during risk assessment and risk response. The main considerations in deciding whether to use ADA are the completeness of the client’s records and the reliability of the client’s data. As with any audit procedure, the nature and extent of the procedures performed with ADA will largely depend on the evaluation of the effectiveness of the client’s information technology controls. The use of ADA will be covered in more depth in Chapters 7 and 11–13.

Cloud 9 - Continuing Case


Suzie and Ian have already begun gathering evidence by performing the analytical procedures on Cloud 9’s interim results and prior-period statements. Further evidence gathering at the risk assessment phase will be performed by members of the team when they begin their assessment of the internal controls system by inspecting the relevant documents. They will gather evidence from observing personnel performing their duties and making inquiries of members of Cloud 9’s staff and management. In addition, the partner, Jo Wadley, held discussions with the previous auditors (Ellis & Associates) before accepting the client. The record of these discussions, plus others that Jo held with Cloud 9 management, is already in the evidence files.

Ian has some questions about the evidence: in particular, why the audit team is bothering to gather verbal evidence, through inquiry, which has low persuasiveness. Suzie explains that all forms of evidence have their limitations. Observation is useful to see how staff perform their tasks (as opposed to what the manuals say they should be doing), but people often “behave” better when they are being watched. Documents can be lost or altered, or misinterpreted, and not everything is written down. Electronic evidence is hard to audit if the system does not have a “hack-proof” audit trail. Signatures on documents do not mean the signer actually read the document properly, and people can pre- or post-date documents. Auditors must use professional judgment and skepticism to determine the appropriateness and sufficiency of evidence by considering it as a whole and be prepared to follow up on any problems or discrepancies they observe until any doubts are satisfactorily resolved.

Before You Go On
3.1 Explain the procedures of vouching and tracing. Illustrate with an example in the context of
the revenue process.
3.2  What is a bank confirmation? Why is it an important confirmation?
3.3 How is a positive confirmation different from a negative confirmation?
3.4 Explain the audit procedure of reperformance. Illustrate with an example in the context of
revenue transactions.

Using the Work of Others


Learning Objective 4
Evaluate when it is appropriate for auditors to use the work of others.

We have covered a significant amount of information regarding the planning and design of
an audit. As you have probably concluded, an audit requires many hours of work by a team
of auditors. The size of an audit team will vary depending on the size and complexity of the
client. The composition of a general audit team is depicted in Illustration 5.6. You can think
of the composition of an audit team like a triangle, with more team members at the base
of the triangle and fewer at the top. The senior and associates perform the detailed testing
under the supervision of the manager. The partner holds ultimate responsibility for audit
decisions, supervision of the team members, and the issuance of the final audit report.
Throughout the engagement, as audit procedures are completed and documented, they are
reviewed by an audit team member with seniority over the team member who did the work.
Chapter 14 will provide more information about the review of audit documentation.

ILLUSTRATION 5.6  General structure of an audit team

•  Partner: 10 or more years’ experience
•  Manager: 6–10 years’ experience
•  Senior/In-charge: 2–5 years’ experience
•  Staff/Associates: 0–3 years’ experience

In Illustration 5.6, the approximate years of experience for each level of team member
are also shown in the diagram. When assigning the audit team, an accounting firm will make
sure it assigns individuals with appropriate audit experience. An appropriate response to an
identified risk may be assigning an individual with the right experience. For example, when
fraud risk is high, the accounting firm may assign an individual with more audit experience in
a particular industry to audit an assertion than when fraud risk is low.
In some situations, the audit team will rely on the work of others during the risk assess-
ment and/or risk response phase of the audit. Some examples include relying on an industry
or technical specialist, the client’s internal auditors, and/or other auditors. These situations
will be discussed in the following sections.

Using the Work of a Specialist


Some audits may require the use of a specialist when gaining an understanding of a client,
testing internal controls, and/or performing substantive tests. A specialist is an individual or
an organization with expertise in a field other than accounting or auditing whose work in that
field is used by the auditors to assist in obtaining sufficient appropriate audit evidence. The
specialist may be an employee of the accounting firm or may be contracted by the accounting
firm as needed. Some examples of when a specialist may be used include estimating oil and
mineral reserves for inventory reporting and performing actuarial calculations for the
determination of employee benefit plan liabilities. Specialists may also be used to evaluate the
quality of inventory, such as taking samples of grain from a grain elevator to determine if
the grain has any bacteria or other attributes that could affect its quality.

specialist  an individual or organization with expertise in a field other than accounting or
auditing whose work in that field is used by the auditors to assist in obtaining sufficient
appropriate evidence

AU-C 620 Using the Work of an Auditor’s Specialist and AS 1210 Using the Work of a
Specialist provide guidelines for auditors when using the work of a specialist. The first step
is for auditors to determine whether a specialist is required. The need to engage the services
of a specialist depends on the knowledge of the audit team, the significance and complexity of
the item, the risk of material misstatement of the account or assertion, and the availability of
appropriate alternative corroborating evidence. If the audit team has experience with the item
being audited and can draw on their knowledge from previous audits of that client or similar
companies in the same industry, there is less need to use a specialist. If auditors decide they
do not have the expertise necessary to test and evaluate the accuracy of reported information,
they can seek assistance in the form of a specialist’s opinion to corroborate other evidence
obtained. For example, a licensed appraiser may be engaged to provide an opinion on the
value of a client’s property, a geologist may be engaged to evaluate the quantity and quality of
mineral deposits, a vintner may be engaged to assess the quality and value of wine stocks, or
an actuary may be engaged to develop an estimate of a pension liability.
Once it has been determined that a specialist is required, the next step is for the audi-
tors to determine the scope of the work to be carried out and agreed to by the specialist. The
agreement can be in the form of a formal engagement letter with the specialist or recorded
in the audit planning documents when using a specialist from the accounting firm. Auditors
determine the nature, timing, and extent of work to be completed by the specialist. It is
important that auditors are involved in setting the scope of the work required because the
judgment of the specialist forms part of the audit evidence upon which auditors form their
audit opinion. Written instructions to the specialist can cover the (1) issues the specialist
is to report upon, such as the market price of properties owned by the client; (2) the details
to be included in the report, such as computations used in arriving at their conclusion;
(3) the sources of data to be used, such as market interest rates or market prices of shares;
(4) clarification of the way the auditors intend to use the information included in the specialist’s
report; and (5) notice that the specialist’s report and the data used in compiling the report
must remain confidential.
Before contacting a specialist, auditors should assess the competence, capability, and
objectivity of the specialist. Competence refers to the expertise of the specialist. What are
the qualifications of the specialist? Does he or she maintain a license or certification in
a relevant field? How many years of experience does the specialist have in the relevant
field? Capability refers to the ability of the specialist to perform the required work. For
example, does the specialist have the time and resources needed to complete the work? Is
the specialist located in the area or will significant travel be required? Objectivity refers
to the possible effects that bias, conflicts of interest, or the influence of others may have
on the professional judgment of the specialist (AU-C 620.A15). Auditors should inquire of
the client and of the specialist as to whether any interests or relationships exist between
the client and the specialist that would impair the specialist’s objectivity. For example,
does the specialist have any financial interests or outside business relationships with the
client? The specialist is not required to be completely independent of the client. If some
type of relationship does exist between the client and the specialist, auditors may decide
to perform some additional procedures with respect to the specialist’s work to determine
that the findings are reasonable.
Once the specialist’s work is complete, auditors will assess the specialist’s report. The
report should detail each stage of the process used in arriving at the overall conclusion in the
report, including information about the data sources or estimation models used, or calcula-
tions conducted. Auditors assess the consistency of any assumptions made with those made
in prior years and with other known information and with conclusions drawn with corrobo-
rating evidence gathered by the audit team.
The responsibility for arriving at an overall conclusion regarding fair presentation of a
client’s financial statements rests with the auditors. When auditors decide to use a specialist,
that responsibility is not reduced in any way. It is the responsibility of auditors to assess the
quality of the evidence provided by a specialist and determine whether it is reliable and objec-
tive. Auditors do this by following the process outlined above. They will determine the need
for a specialist, the scope of the specialist’s work, and the competence and objectivity of the
specialist. Finally, auditors will assess the quality of the specialist’s report and the reliability
of the information included in it.

Professional Environment  Working with IT Auditors


Specialist IT auditors are often used in audits of clients with complex information technology
(IT) environments because the effective audit of the IT systems contributes to overall audit
quality. Large audit firms usually have such specialists within the firm, but smaller audit
firms could engage external IT consultants for this part of the financial statement audit. In
general, reliance on an IT specialist is appropriate when the financial statement auditor
complies with the conditions of AU-C 620.
If the IT expert and the financial statement auditor do not work well together, audit quality
can be impaired. For this reason, researchers have investigated the factors that affect the way
that financial statement auditors work with specialist IT auditors. Brazel¹² reviewed this
research evidence and drew the following conclusions. First, responses from financial statement
auditors in the United States who were surveyed about their experiences with IT auditors
indicated that they believe IT auditors’ competence levels vary in practice. Financial statement
auditors also said that IT auditors appear to be overconfident in their abilities in some
settings, and questioned the value provided by IT auditors to the financial statement audit.
Second, Brazel suggests the research shows that both financial statement auditors’ IT ability
and experience and the IT auditor’s competence affect how these two professions interact on an
audit engagement. This indicates that audit firms need to ensure that staff training and
scheduling produce appropriate combinations of financial statement auditors and IT auditors on
an engagement.
Finally, Brazel argues that the research findings demonstrated that auditors need to consider
the implications of finding a balance between greater software-assisted audit techniques
training for financial statement auditors and greater use of IT specialists for overall audit
efficiency and effectiveness.
The role of IT audit specialists could grow to become even more than a support function for
auditors. Some researchers suggest that in e-businesses, the external financial statement
auditor’s authority will be challenged by IT audit specialists because of technological change
and its impact on auditing.¹³ In e-businesses, economic transactions are captured, measured,
and reported on a real-time basis without either internal human intervention or paper
documentation.¹⁴ Auditing is likely to become more real-time and continuous to reflect the
pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new
environment, their role could be taken over by IT specialists.
Other developments such as reporting using XBRL (eXtensible Business Reporting Language)
provide challenges for auditors as they have to adapt their techniques and approaches to audit
financial information that is disaggregated and tagged. Users can extract and analyze XBRL data
directly without re-entry and the tag provides additional information about the calculation and
source of the data. This means auditors have to recognize that their clients are reporting
financial data with different levels of information and users might have greater expectations
of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case


Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows
that W&S Partners has other staff (who are not part of the audit team) who can provide
additional expertise. However, because he believes the accounts are so material to the audit
and derivatives have become such a big issue in audits in recent years, he deems an external
specialist’s opinion is also required. He has some experience with using a derivatives
specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a
suitable specialist.
Josh plans to investigate any possible connections between the specialist and Cloud 9 that
could adversely impact the specialist’s objectivity before engaging him for this audit.

Using the Work of Internal Auditors


The role of the internal audit function was introduced in Chapter 1. Internal auditors are
employees of the client who perform assurance and consulting activities designed to evaluate
and improve the effectiveness of the entity’s governance, risk management, and internal
control processes. Not every client will have an internal audit function. For example, small and
medium-sized companies, especially private companies, may not have the resources to staff
an internal audit function. But if the client does have an internal audit function, what role,
if any, do the internal auditors play in the financial statement audit? According to AU-C 610
Using the Work of Internal Auditors and AS 2605 Consideration of the Internal Audit Function,
auditors may (1) use the work of internal auditors in gathering audit evidence and (2) use
internal auditors to provide direct assistance under the direction, supervision, and review of
the external auditors.

internal auditors  employees of the client who perform assurance and consulting activities
designed to evaluate and improve the effectiveness of the entity’s governance, risk management,
and internal control processes

¹² J. F. Brazel, “How Do Financial Statement Auditors and IT Auditors Work Together?” The CPA
Journal (November 2008), pp. 38–41.
¹³ A. Kotb, C. Roberts, and S. Sian, “E-business Audit: Advisory Jurisdiction or Occupational
Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pp. 468–482.
¹⁴ Kotb et al., 2012.

If external auditors intend to use the work of internal auditors, they must first assess the
objectivity, competence, and processes of the internal audit function. The concepts of objec-
tivity and competence discussed above in the context of a specialist also apply when consid-
ering internal auditors. Since internal auditors are employees of the client, they are not inde-
pendent. However, a well-designed internal audit function can operate free of bias and avoid
conflicts of interest. Illustration 5.7 lists factors for auditors to consider when assessing the
objectivity and competence of the internal audit function. Auditors should also consider the
processes of the internal audit function. Essentially, auditors want to determine if the internal
auditors follow a systematic and disciplined approach to their work and have quality control
procedures in place. Ideally, the internal audit function should plan, supervise, document, and
review its activities in a way that is distinct from other monitoring activities within the entity.

ILLUSTRATION 5.7  Factors that impact objectivity and competence of internal auditors

Factors that impact objectivity:

•  Internal auditors report directly to the board of directors, audit committee, or owner-manager.
•  There is no assignment of managerial or operational duties that are outside of the internal
audit function.
•  Policies prohibit internal auditors from auditing areas where relatives are employed or areas
where the internal auditor was previously assigned before moving to the internal audit
function.
•  Internal auditors are members of a professional body that obligates compliance with
professional standards regarding objectivity.

Factors that impact competence:


•  Evidence of technical training and proficiency shown by education, years of experience, and
professional certification in a relevant field.
•  Internal auditors hold membership in relevant professional bodies that require compliance
with professional standards and continuing professional education.
•  Staffing is appropriate to the size of the entity.
•  There are established policies for hiring, training, and assigning internal auditors.
•  Quality-of-work documentation and reports exist.

If auditors determine that the internal auditors are objective, competent, and follow ap-
propriate procedures, then the next step is to determine how the internal auditors’ work may
affect the nature, timing, and extent of the audit. Procedures planned or already performed
by the internal audit function may be the same as, or very similar to, audit procedures the
external auditor would design and perform, particularly in the area of evaluation of the per-
formance of internal controls. Therefore, work already performed or planned to be performed
by the internal auditors can affect the auditors’ risk assessment procedures, testing of controls,
and/or substantive procedures performed. Here are some examples:

•  The internal auditors have developed a flowchart for a new sales and receivables software
application. The external auditors obtain a copy and review the flowchart to gain an
understanding of the new application. If the auditors are satisfied with the quality of
the flowchart, they will not need to prepare their own flowchart, which improves the
efficiency of the audit.
•  The internal auditors have tested relevant controls over the completeness assertion for
accounts payable. The results of the internal auditors’ procedures provide evidence that
controls are operating effectively. If satisfied that the controls are operating effectively,
auditors may reduce the extent of their testing of these controls.
•  As part of their own work, the internal auditors confirm a sample of accounts receivable
balances to ensure a new sales and receivables software application is functioning
properly. Auditors may use this work as evidence obtained and then reduce the number
of additional receivable balances that would be confirmed.

When determining the extent to which the internal auditors’ work will affect the auditors’ pro-
cedures, auditors consider the materiality of the account balance or transaction; the risk of ma-
terial misstatement of the assertions related to the account balance, transaction, or disclosure;
and the amount of subjectivity involved in evaluating the evidence gathered (AU 2605.20). As
these factors increase, the need for auditors to perform their own tests of the related assertions
also increases. Remember, external auditors have sole responsibility for expressing an opinion
on the fair presentation of the financial statements. That responsibility is not decreased by the
use of work performed by internal auditors.
External auditors may also obtain direct assistance from internal auditors to carry out
audit procedures the external auditors would normally do themselves. In this scenario, inter-
nal auditors would be under the direction, supervision, and review of the external auditors.
When determining the nature of work to be assigned to internal auditors, external auditors
should follow the same guidelines as mentioned in the previous paragraph. As the factors
of materiality, risk of material misstatement, and subjectivity increase, the need for external
auditors to perform the procedures will increase. An example might be the valuation asser-
tion for assets that require significant accounting estimates. Areas involving less materiality,
lower risk of material misstatement, and less subjectivity are more appropriate to assign to
internal auditors. An example might be the existence assertion for prepaid expenses. External
auditors should obtain written acknowledgment from management, or those charged with
governance, regarding the use of internal auditors for direct assistance with the audit. This
written acknowledgment can be included within the audit engagement letter or prepared as
a separate document.
Audit evidence obtained from the internal auditors and the work performed by internal
auditors providing direct assistance are included in the external auditors’ documentation as
evidence of work completed. Also included is the evaluation of the objectivity, competence,
and procedures of the internal auditors. Audit documentation is discussed further in this
chapter in the section “Documentation—Audit Working Papers.”

Audit Reasoning Example  Consideration of Internal Audit Function

One of your clients is Mary Lee’s Cookie Company. Mary Lee’s produces various types of cook-
ies and sells them at grocery stores and convenience stores across the United States. Mary Lee’s
is a family-run, private company, and it has experienced significant growth over the last six
years. The founder and chair of the board of directors, Mary Lee Nguyen, has a goal of taking
the company public one day, so she wants to start preparing the company to be run more like a
public company. Therefore, she has decided to create an internal audit function. Two months
after the conclusion of the prior-year audit, Mary Lee hired Kathy Bourgeois to lead the in-
ternal audit function. Kathy has three years of internal audit experience working at a public
company, and she is a certified internal auditor (CIA). To add to her department, Kathy has
hired a recent college graduate who has taken courses in internal auditing, and she also has a
current college student who is interning part-time. Kathy and her team will report directly to
Mary Lee and the board of directors.
One of Kathy’s first tasks has been to document Mary Lee’s transaction processes and
internal controls. Can your audit team use the work of Kathy’s team regarding the transaction
flows and internal controls documentation? Are Kathy and her team objective and compe-
tent? You consider objectivity. Kathy is a CIA and therefore must comply with professional
standards to maintain her certification. The internal audit function reports to the board of
directors, not to a member of management. No one in the internal audit function is assigned
managerial duties. Therefore, based on these factors, the internal audit function seems to be
objective. Now you consider competence. Kathy is a CIA, but she only has three years of work
experience. The rest of her department, a recent college graduate and an intern, is not experi-
enced. The internal audit department has only been functioning for a few months. Based on
these factors, you do not consider the internal audit function highly competent at this time.
Therefore, for the current-year audit, you do not plan to use any of the work of Mary Lee’s in-
ternal auditors. However, over time, the internal audit function may develop more competence
and you may consider using the work of the internal auditors or obtaining direct assistance
from them.

Using the Work of Another Auditor


Sometimes auditors must rely on work performed by a separate accounting firm. For example,
when auditing a consolidated company, the auditors may rely on another accounting firm to
audit a subsidiary that is located in a foreign country. AU-C 600 Special Considerations—Audits
of Group Financial Statements (Including the Work of Component Auditors) provides guidance
when using the work of another audit firm. Group financial statements include the
financial information of more than one entity, or component, such as consolidated financial
statements prepared by a parent company. A component is an entity or business activity that
is required by the applicable financial reporting framework to prepare financial information
that will be included in group financial statements. An audit of group financial statements is
referred to as a group audit. The group engagement team will establish the overall group
audit strategy and communicate with the component auditors. The component auditors
are from a different audit firm and gather evidence on a component that will be used as audit
evidence for the group audit. The group engagement partner is the partner responsible
for the performance of the group audit engagement and for the auditor’s report on the group
financial statements.
When making a client acceptance or continuance decision, auditors will consider their
capacity to undertake the audit and the proportion of the financial statements for which they
will rely on component auditors. The group engagement partner’s firm should audit the majority
of a client’s financial statements and be knowledgeable about the components of the
financial statements they do not audit themselves. For example, when accepting a new client
that has a 50% interest in a joint venture in another country that is audited by another audit
firm, the group engagement partner must be knowledgeable about the business of the joint
venture so that he or she can evaluate the risks associated with the joint venture and how the
joint venture is reported in the financial statements of the potential audit client. Without such
knowledge, the firm should not accept the new client.
When assigning work to a component auditor, the group engagement partner will consider
the capacity of the other auditor to undertake the work. The group engagement partner
will also consider the reputation of the component auditor and ensure that it is a member of a
reputable professional body. It is the responsibility of the group engagement partner to ensure
the work completed by a component auditor meets the group engagement partner’s requirements
and standards.
AU-C 600 sets out the responsibilities of the group engagement partner when using the
work of a component auditor. The group engagement partner is responsible for the direction,
supervision, and performance of the group audit engagement. The two auditors may
discuss the detailed procedures to be used, and the group engagement partner then reviews
the main conclusions drawn in the documentation of the component auditor. The extent of
review of the component auditor’s work depends on a number of factors. The group engagement
partner will spend more time when the component is material and/or at risk of material
misstatement. The group engagement partner will spend less time if the component auditor
has a good reputation and/or has done audit work for the group engagement partner in the
past, and if the financial statements being audited by the component auditor are at low risk of
material misstatement. The group engagement partner uses the evidence provided by a component
auditor when drawing a final conclusion on the fair presentation of the group financial
statements. Chapter 15 will discuss what modifications may be required to the independent
auditor’s report when component auditors are used.

group financial statements  financial statements that include the financial information of more
than one entity, or component

component  an entity or business activity whose financial information is required by an
applicable financial reporting framework to be included in group financial statements

group audit  an audit of group financial statements

group engagement team  partners and staff who establish the overall group audit strategy,
communicate with component auditors, perform work on the consolidation process, and
evaluate audit evidence to form an opinion on the group financial statements

component auditor  an audit firm that performs work on the financial information of a
component that will be used as audit evidence for the group audit

group engagement partner  the partner who is responsible for the group audit engagement
and its performance and for the auditor’s report on the group financial statements that is issued
on behalf of the firm

The corresponding PCAOB standard for using the work of another auditor is AS 1205 Part
of the Work Performed by Other Independent Auditors. The guidance in the PCAOB standard
is essentially the same as the ASB standard for private companies. The key difference is the
PCAOB standard uses different terminology. The term “principal auditor” is used instead of
“group engagement team” and “group engagement partner.” The term “other auditors” is used
instead of “component auditors.”

Cloud 9 - Continuing Case


Sharon knows that Cloud 9 has production operations in Vietnam. The previous auditors, Ellis &
Associates, used an accounting firm based in Vietnam to gather evidence regarding the inventory
and property, plant, and equipment at the Vietnamese production facilities. If they want to use
the same Vietnamese accounting firm, Sharon will need to assess the reputation of the other
firm and the firm’s capacity to take on the engagement. Sharon decides to set up a meeting with
the partner (Jo) to further discuss how to proceed with gathering evidence related to the
Vietnamese operations.

Before You Go On
4.1  What factors may influence an auditor’s decision on the need to use a specialist? Illustrate
with an example.
4.2  Why might an external auditor want to use the work of the internal audit function? Illustrate
with an example.
4.3  Who is the group engagement partner? Why is this position important?
4.4  What are some of the factors that a group engagement partner will consider when assigning
work to a component auditor?

Documentation—Audit Working Papers


Learning Objective 5
Document the details of evidence gathered in working papers.

In this chapter, we have discussed the characteristics of audit evidence, the procedures for
gathering audit evidence, and situations when others may be used to gather audit evidence
to support management assertions. Next, we cover procedures for documenting all of the
audit evidence that has been gathered. AU-C 230 Audit Documentation and AS 1215 Audit
Documentation require auditors to document each stage of the audit in their working
papers to provide a record of work completed and evidence gathered in forming their audit
opinion. Determining what and how much to document is a matter of professional judgment,
but the documentation must be sufficient to enable an experienced auditor, having
no connection with the audit, to understand the procedures performed and the conclusions
reached.

working papers  paper or electronic documentation of the audit created by the audit team as
evidence of the work completed

Auditors document each stage of the audit and the procedures used. During the risk as-
sessment phase, auditors document their understanding of the client, the risks identified,
analytical procedures used to aid in risk identification, their materiality assessment, the
understanding of the client’s system of internal controls, the understanding of the client’s
information technology, related parties identified, and a preliminary audit strategy. During the
risk response phase, auditors develop an audit program, and document details of tests under-
taken, copies of significant documents referenced, correspondence with the client’s lawyers
and bankers, confirmations received from customers, and inquiries of management.
Documentation will vary from client to client. It will depend upon the audit procedures
used, the risks identified, the extent of judgment used, the persuasiveness of the evidence
gathered, the nature and extent of exceptions noted, and the audit methodology utilized
(AU-C 230). An audit working paper generally includes:

•  Client name.
•  Period under audit.
•  Title describing the contents of the working paper.
•  File reference indicating where the working paper fits in the audit file.
•  Initials identifying the preparer of the working paper together with the date the working
paper was prepared.
•  Initials identifying the reviewer(s) of the working paper together with the date(s) the
working paper was reviewed.
•  Cross-referencing between working papers indicating where further work and evidence
is summarized elsewhere.

Working papers for each client consist of two main files called the permanent file and the
current file.

Permanent File
The permanent file includes client information and documentation that applies to multiple audits. In the first year of a continuing audit, auditors gather information that will be relevant to future audits. The information included in the permanent file is checked and updated at the start of each annual audit. The permanent file usually contains the client’s head-office address, other locations, and contact details (telephone, fax, and email). Information about key personnel and an organizational chart are included in the permanent file. A client’s organizational chart includes details of key roles within the organization and the names of the people in those roles. The file may also include the details of the client’s bank(s) and lawyer(s).

permanent file: contains client information that is relevant for more than one audit
The permanent file includes copies of long-term contracts and agreements. These doc-
uments will be used to calculate interest payable on outstanding long-term loans, or enable
the assessment of any lease obligations. Debt covenants will be included in the permanent
file. Auditors can check the details of these agreements to assess the client’s compliance with
covenants. If a client has long-term commitments with customers and suppliers, auditors will
include the relevant documentation in the permanent file. Key long-term investments will be
detailed, including the details of the broker used for these transactions.
The permanent file includes details of the client’s board of directors and its subcommit-
tees, such as the audit committee. The file includes the minutes of significant meetings held
by the client, such as its board of directors’ meetings. It may include details of bonus and stock
option plans for the client’s senior staff.
The permanent file details a client’s primary accounting policies and methodologies.
Prior financial statements and audit reports are included in the permanent file. Details of
prior analytical procedures are included and added to so auditors can observe changing
trends. Flowcharts and narratives detailing a client’s system of internal controls are in-
cluded in the permanent file and amended as needed during the risk assessment phase of
each audit.
Reports sent to the client during previous audits will be included in the permanent file.
For example, letters to management that detail weaknesses in internal controls identified
by the auditors in previous years are included and referred to by the auditors. When plan-
ning future audits, auditors read these reports and discuss their contents with the client’s
management.

Cloud 9 - Continuing Case


Cloud 9’s permanent file contains the basic information about the company (that is, its headquarters’ address, key senior staff and their employment contracts) plus a copy of the engagement letter appointing W&S Partners and stating the scope of the audit. Sharon and Suzie have gathered copies of some of the relevant agreements and will add these and more to the permanent file. Josh’s documentation of Cloud 9’s system of internal control will be added to the permanent file once it is completed.

Current File
The current file is developed as audit work is performed and includes client information and documentation that apply to the current year’s audit. Contents of the current file vary from client to client depending on the accounts in the client’s financial statements and the client’s activities. The current file includes the details of all testing and evidence gathered in preparation of the audit report.

current file: contains client information that is relevant for the duration of one audit
The current file also includes correspondence among the auditors and the client, the
client’s bankers, and the client’s lawyers that pertain to the current audit period. Corre-
spondence with other auditors, specialists, and relevant third parties is also included.
The engagement letter is included in the current file, along with the management letter
detailing any weaknesses uncovered in the client’s system of internal control. Represen-
tation letters (discussed in Chapter 14) and confirmation letters are also included in the
current file.
The current file includes extracts from the minutes of meetings, such as the board of
directors’ meetings, that pertain to the current audit. The file includes details of the audit
planning process and the audit program. The current file also includes detailed descriptions
of evidence gathered, testing conducted, and audit procedures performed. It will detail the
analytical procedures, tests of controls, and detailed substantive testing undertaken, as well
as the conclusions drawn at the completion of testing. The current file includes testing of any
subsequent events (discussed in Chapter 14) and a copy of the final audit opinion.

Examples of Working Papers


This section provides two examples of working papers. While each accounting firm has its
own way of documenting evidence, most have common elements. To aid your understanding,
examples are provided of how a fictitious accounting firm, Bell & Bowerman, LLP, prepares
its working papers.
Working papers are prepared and stored electronically. Once the audit is concluded, the
accounting firm usually retains a paper copy of working papers, as well as an electronic copy
of files and working papers. An accounting firm will back up electronic files and archive
working papers in a location that is secure. (Chapter 14 provides more details on documenta-
tion retention.) Once they are completed, working papers are typically electronically locked so
they cannot be modified. Each audit has a unique file name for ease of identification, which
usually includes the client’s name and the year-end of the financial statements being audited.
Each current file created for an audit is divided into unique sections with each section representing a different element of the audit (e.g., cash, accounts receivable, or inventory). Each section contains (1) a lead schedule that summarizes the detail included in the financial statements for a particular account, and (2) supporting working papers that provide evidence obtained related to that account. Each working paper generally includes details such as the client’s name, the period under audit, a file reference, cross-references to other parts of the audit file, details of the testing conducted, comments/conclusions drawn, and identification of the preparer and reviewers.

lead schedule: summarizes the detail included in a specific account on the financial statements
For illustration, a series of working papers are presented for a fictional client of Bell &
Bowerman, LLP, New Millennium Ecoproducts (NME). The working paper examples are for
the audit period ending December 31, 2022. NME was created by its founders, brothers Tomas
and Charles Delron, avid environmentalists, at the turn of the twenty-first century. The vision
for the company is to produce everyday products in a sustainable way, providing an affordable
alternative for environmentally conscientious customers. NME operates from three locations
and produces a wide range of household products that it sells to supermarkets and specialty
stores.
At the front of every audit file is a copy of the client’s trial balance that supports the fi-
nancial statements. The trial balance is then referenced into the appropriate lead and support-
ing schedules in the audit file where audit work is documented for each account in the trial
balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash
and cash equivalents in various banks are referenced into the C Lead; accounts receivable are
referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant
and equipment are referenced into the K Lead; and so on.
The first working paper example is the cash and cash equivalents lead schedule
(see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts
that are combined into the cash and cash equivalents account on the financial statements.
The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor.
In the top-left corner of the lead schedule are the client name, period-end, and currency
unit (in this example, balances are rounded to the nearest thousand dollars). In the top
center of the lead schedule is section identification (C). In the top-right corner, details of
the working paper preparer and reviewers are documented. Next, details of the cash and
cash equivalents balance are listed. For each item listed in the lead schedule, the following
are noted:

•  General ledger account number, per the client records.
•  General ledger account name, per the client records.
•  Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per the client’s trial balance (TB).
•  The prior-year balance, per the prior-year audit file (PY).
•  Variance and percentage change, the calculated difference between the prior-year and current-year balances.
•  The cross-reference to the working paper where supporting documentary evidence is kept for each balance (e.g., C02).

Illustration 5.8  Working paper example: Cash lead schedule

Client: New Millennium Ecoproducts | Bell & Bowerman, LLP | Prepared by: KM 1/21/2023
Period-end: 12/31/2022 | C–LEAD | Reviewed by: SO 1/22/2023
Currency unit: $000 | Reference: C-Lead | Reviewed by: MM 1/24/2023

Lead schedule:

| Account no. | Account name | Pre-adjusted balance 12/31/2022 | Adjustments | Adjusted current-year balance 12/31/2022 | TM | Prior-year balance 12/31/2021 | TM | Variance | % Variance | Ref |
|---|---|---|---|---|---|---|---|---|---|---|
| 10100 | Cash in Bank: Wells Fargo | $11,000 | $0 | $11,000 | TB | $10,500 | PY | $500 | 5% | C01 |
| 10200 | Cash in Bank: U.S. Bank | 134 | 0 | 134 | TB | 134 | PY | 0 | 0% | C02 |
| 10300 | Cash in Bank: Barclays | 126 | 0 | 126 | TB | 126 | PY | 0 | 0% | C03 |
| 10400 | Cash in Bank: Citigroup | 56 | 0 | 56 | TB | 50 | PY | 6 | 12% | C04 |
| 10500 | Short-Term Deposits | 5,796 | 0 | 5,796 | TB | 5,600 | PY | 196 | 4% | C05 |
| | Total Cash and Cash Equivalents | $17,112 | $0 | $17,112 | | $16,410 | | $702 | 4% | |

Key to audit tick marks (TM):
TB Agrees to client’s trial balance.
PY Agrees to prior-year audit file.

Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has been performed on the cash flow schedule — see A1.1.

Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of short-term deposits within cash and cash equivalents is acceptable (refer to C5).

The final section of the lead working paper includes any relevant background information
about the account and comments based upon completed testing.
The second working paper example relates to accounts receivable and would be found in the “E” section of the audit file (see Illustration 5.9). As noted before, in the top left corner are the client name, period-end, and currency unit ($000). In the top center are the working paper reference (E02) and title (confirmations and related alternative procedures). The upper-right corner of the working paper shows who performed and who reviewed the audit procedures. Next, the date of the interim confirmation is noted. In this case, the confirmation was conducted for the accounts receivable balance at two months prior to year-end. The balance in the accounts receivable account on that date is noted ($9,500) and cross-referenced to the accounts receivable subsidiary ledger (SL) and another part of the accounts receivable section of the audit file (E03). Receivable balances for a sample of customers were confirmed as of October 31, 2022. The date the confirmations were sent is then noted. The first request was sent on November 5, 2022, and a second request was sent on December 10, 2022, to customers that did not reply to the first request. The table contains details of the customers who were sent confirmation requests. (This working paper shows audit work for only a few customers, just to provide an example.)

Illustration 5.9  Working paper example—Confirmations and related alternative procedures

Client: New Millennium Ecoproducts | Bell & Bowerman, LLP | Prepared by: DM 12/14/2022
Period-end: 12/31/2022 | E02–CONFIRMATIONS AND RELATED ALTERNATIVE PROCEDURES | Reviewed by: SO 12/17/2022
Currency unit: $000 | Reference: E02 | Reviewed by: MM 12/19/2022

Confirmation/Interim date: 10/31/2022
AR as of confirmation date: $9,500 (SL/E03)
Date 1st request sent: 11/5/2022
Date 2nd request sent: 12/10/2022

Alternative procedures in case of no response or variance: columns [C] through Total [C + D].

| Account or invoice number | Customer name | Balance as of confirmation date [A] | TM/Ref | Date received | Balance per customer as of confirmation date [B] | TM/Ref | Variance [A – B] | Subsequent cash receipts [C] | Date or source | TM/Ref | Alternative procedures other than subsequent cash receipts [D] | TM/Ref | Total [C + D] | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 123456 | Greenwash | $2,000 | SL | 11/28/2022 | $2,000 | E02.1 | – | | | | | | – | |
| 654321 | EcoFriend | $545 | SL | | | | $545 | $400 | 11/18/2022 | ✓ | $145 | β | $545 | |
| 789789 | BigSupa | $6,000 | SL | 11/19/2022 | $6,000 | E02.2 | – | | | | | | – | |
| 987654 | Cleanair | $500 | SL | 11/20/2022 | $450 | E02.3 | $50 | $50 | 11/1/2022 | ✓ | | | $50 | A |
| | | | | | | | – | | | | | | – | |

Key to audit tick marks (TM):
✓ Agrees to check copy/remittance advice, which indicates invoice was paid subsequent to the confirmation date.
β Agrees to shipping reports signed by external carriers, which indicates item was shipped prior to the confirmation date.
SL Agrees to subledger—accounts receivable.

Comments:
•  A: OK payment made by customer prior to the confirmation date, but received by the client just after confirmation date. This timing difference does not affect the existence of receivables as of the end of October.

The table documents:

•  The account or invoice number per the accounts receivable subsidiary ledger (SL).
•  The customer name per the accounts receivable subsidiary ledger (SL).
•  The balance at confirmation date per the accounts receivable subsidiary ledger (SL).
•  The date the auditor received a response from the customer.
•  The balance outstanding at the confirmation date according to the customer correspon-
dence (filed and cross-referenced E02.1, E02.2, E02.3).
•  Any variance between the client records and the customer correspondence, which is cal-
culated and listed by the auditor.
•  An explanation of alternative procedures used when a customer has not responded or if
the customer’s response varies from the client’s records.

The table also includes several tick marks (✓, β) that cross-reference to explanatory comments by the auditor at the bottom of the page. In this case, the tick marks ✓ and β refer to audit procedures performed on customers EcoFriend and Cleanair that are explained at the bottom of the working paper.
The following discussion interprets the audit work documented on this working paper.
The table shows the following audit work was performed to evaluate the appropriateness of
the accounts receivable balances for four customers that were selected for confirmation.

•  Customer Greenwash confirmed the balance owed to NME as $2,000.
•  No response was received from EcoFriend. The auditor determined that EcoFriend paid $400 on November 18, 2022, and also vouched the remaining balance to underlying shipping documents that show the goods had been shipped and title had passed to EcoFriend prior to the confirmation date. With this evidence, the auditor determined that $545 was the correct receivable balance as of the confirmation date.
•  Customer BigSupa confirmed the balance owed to NME as $6,000.
•  Customer Cleanair confirmed it owed $450 to NME. The variance of $50 represented a cash receipt on November 1, 2022, that was likely in the mail to NME prior to October 31, 2022.

The bottom part of the working paper includes the auditor’s comments related to the last
customer, Cleanair. The auditor concluded the timing difference did not affect the existence of
a receivable as of the end of October.

Cloud 9 - Continuing Case


The first major item in the current file for Cloud 9 is the audit plan with the detailed audit program. The current file also contains documentation for every test performed during the audit. Ian is still struggling with how to correctly complete the papers. He often forgets to complete all the relevant fields and Sharon and Josh are continually sending papers back to him with requests to clarify some of his comments. However, embedding the working papers in Excel has made life easier, because an error message will be generated if certain key fields are not completed.

Before You Go On
5.1  What is a current file?
5.2  What is a permanent file and how does it relate to a current year’s audit?
5.3  What will an auditor document during the risk assessment phase of the audit?

Learning Objectives Review


1  Define management assertions about classes of transactions, account balances, and presentation and disclosure.

When preparing the financial statements, management will make assertions about each account and related disclosures in the notes. Auditors use these assertions to assess the risk of material misstatement and design audit procedures. The assertions used when considering classes of transactions and events are occurrence, completeness, accuracy, cutoff, and classification. The assertions used when considering account balances at period-end are existence, rights and obligations, completeness, and valuation and allocation. The assertions used when considering presentation and disclosure are occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation. The auditors will determine the relevant assertions for significant accounts and transactions to plan the audit procedures used to gather evidence.

2  Discuss the characteristics of audit evidence.

Sufficient appropriate evidence is a core concept in auditing. Sufficient relates to the quantity and appropriate relates to the quality of audit evidence gathered. For evidence to be of high quality, it must be both relevant and reliable. The audit risk model impacts the quality and quantity of evidence to be gathered. For high risk assertions, auditors may increase the quantity and quality of evidence gathered. For low risk assertions, auditors may modify the quantity and quality of evidence gathered. Ultimately, the determination of sufficient appropriate evidence is a matter of professional judgment.

3  Apply the procedures for gathering audit evidence, including the use of audit data analytics.

Audit procedures are the specific methods used by auditors to gather evidence to support management assertions. The audit procedures are inspection of documents (including vouching and tracing), observation, inquiry, confirmation, recalculation, reperformance, analytical procedures, scanning, and audit data analytics (ADA). These procedures can be used during risk assessment, for testing of controls, and as substantive tests of account balances, transactions, and disclosures.

4  Evaluate when it is appropriate for auditors to use the work of others.

In some situations, the audit team will rely on the work of others during the risk assessment and/or risk response phase of the audit. A specialist with expertise in a field other than accounting or auditing may be used by the auditors to assist in obtaining sufficient appropriate audit evidence. If the client has an internal audit function, the auditors may use the work of the internal auditors and/or obtain direct assistance from the internal auditors to carry out audit procedures that the external auditors would normally do themselves. A group auditor may need to use the work of a component auditor when their client operates in a number of locations or has subsidiaries spread around the country or the globe. In all cases when using the work of others, the auditors should first assess the objectivity, competence, and capability of the individuals or firms that will be used.

5  Document the details of evidence gathered in working papers.

Audit evidence is documented in an auditor’s working papers. Audit working papers include the client’s name, the period under audit, a title describing the contents of the working paper, a file reference indicating where the working paper fits in the audit file, the initials identifying the preparer of the working paper together with the date the working paper was prepared, the initials identifying the reviewer(s) of the working paper together with the date(s) the working paper was reviewed, and cross-referencing between working papers indicating where further work and evidence are summarized elsewhere. Working papers are stored in either the permanent file or the current file. The permanent file includes client information and documentation that apply to multiple audits. The current file includes client information and documentation that apply to the current year’s audit.

Key Terms Review


Accounting records
Analytical procedures
Appropriate
Assertion
Audit data analytics (ADA)
Audit evidence
Audit program
Bank confirmation
Component
Component auditor
Current file
External confirmation
Group audit
Group engagement partner
Group engagement team
Group financial statements
Inquiry
Inspection
Internal auditors
Lead schedule
Negative confirmation
Observation
Permanent file
Positive confirmation
Recalculation
Receivable confirmation
Relevance
Relevant assertion
Reliability
Reperformance
Scanning
Specialist
Sufficient
Tracing
Visualization
Vouching
Working papers

Audit Decision-Making Example

Background Information

You have been assigned to the audit of a new client, Acadian Chemicals (AC), headquartered in southern Louisiana. AC produces a product called carbon black. It is a black powder that is used in making other products, such as toner for printers/copy machines and vehicle tires. The powder is produced in four different grades, from very fine powder to coarser powder. The finished powder is stored in a large silo that has four compartments for the four different grades of powder. The silo is about two stories tall and can store a maximum of 700,000 pounds of powder. The bottom of the silo can be opened to fill 20-pound bags, 50-pound sacks, or entire train cars so the powder can be shipped to customers for further refinement into other products. The 20-pound bags and 50-pound sacks are stored in a large warehouse located on the production premises. You have toured the production facility and have seen the warehouse and the storage silo. There are no windows in the silo to see how much powder is inside, and no lighting inside of the silo. At the top of the silo, there is a lid for each compartment that can be opened, but when you look in, all you see is darkness. At any given time during the year, about 40% of AC’s inventory is stored in the silo, waiting to be packaged and shipped. The production facility operates continuously, 24 hours a day, 7 days a week.

Identify the Audit Issue

One of the issues here is determining what assertion is most at risk with the inventory that is stored in the silo. Another issue is determining what audit procedures to use to gather sufficient appropriate evidence regarding the inventory that is in the silo.

Gather Information and Evidence

Important information includes:

•  A material portion (40%) of the inventory is stored in the silo; therefore, it should be audited. However, there is no way to see how much is actually in the silo.
•  Since the production facility operates continuously, there is always powder being loaded into at least one compartment of the silo. It is not possible to stop production for purposes of determining what is in the silo. Even if production could be stopped, it is still not possible to see what or how much is in the silo.
•  Fraud risk may be high because AC management could lie about how much is in the silo in an effort to overstate inventory. Management could also put something different in the silo, such as sand, thereby providing false information about the silo’s contents.
•  Risk of theft of the powder is low because it is not a product that is easy to steal or in demand (unlike jewelry or cars).
•  The client has a method of determining how much is in the silo. The client uses a “strapping tool” to measure the empty part of the silo. The strapping tool is basically a tape measure on a reel with a weight on the end of the tape measure. From the top of each compartment of the silo, the client lowers, or reels, the tape measure down into each compartment. When the weight on the end of the tape hits the powder, the client stops reeling and looks at the measurement on the tape. Essentially, the client is measuring the empty part of the compartment. Once the measurement is obtained, it is entered into a client-prepared spreadsheet that contains a formula. The total volume of the silo, minus the strapping tool measurement (converted into a volume amount), equals an estimate of volume of powder in the silo.

Analysis and Evaluation of Alternatives

Analysis of risk and alternatives:

•  Risk of material misstatement is high for the existence assertion of powder stored in the silo.
•  Visually observing the amount of inventory in the silo is not possible in this situation. However, you can reperform the client’s procedure of using the strapping tool to measure the empty part of the tank, and then use the client’s spreadsheet formula to determine the volume of powder in the silo.
•  You may consider hiring a specialist to assist in the observation of inventory in the silo. The specialist can also inspect the client’s spreadsheet formula to ensure it is mathematically reasonable and consistent with what is used in the industry.

Audit Conclusion

Since AC is a new client with a unique inventory situation, your firm will hire a specialist in the carbon black industry to perform procedures on the client’s spreadsheet and measurement process for inventory in the silo. The specialist will summarize his or her findings in a report that will be included in the audit documentation for AC. If the specialist determines that AC’s procedures are reasonable and consistent with the industry, then the specialist probably will not be needed for future audits unless the client’s process for storing the powder changes significantly.

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1. (LO 1)  The three categories of management assertions are:
a.  journal entries, ledgers, and trial balances.
b.  journal entries, account balances, and financial statements.
c.  transactions, ledgers, and account balances.
d.  classes of transactions, account balances, and presentation and disclosure.

2. (LO 1)  The assertion related to recording transactions in the correct accounting period is:
a.  accuracy.
b.  completeness.
c.  cutoff.
d.  occurrence.

3. (LO 1)  A detailed listing of the specific audit procedures to be used to gather evidence for an account is called the:
a.  permanent file.
b.  audit strategy.
c.  audit program.
d.  accounting records.

4. (LO 2)  The quantity of evidence that an auditor will gather:
a.  varies with the assessed risk of material misstatement.
b.  is the same for most audits because it has to be appropriate.
c.  depends on the size of the audit team.
d.  is the same for clients in the same industry.

5. (LO 2)  Which is generally the most reliable form of evidence?
a.  Internally generated evidence from the client’s IT system.
b.  Internally generated evidence based on discussions with upper management.
c.  Externally generated evidence held by the client.
d.  Externally generated evidence sent directly to the auditor.

6. (LO 3)  An external confirmation sent to a bank:
a.  requests information about the bank balances and loan amounts.
b.  requests information about interest rates paid on deposits and charged on loans.
c.  is relevant to the audit of interest revenue and expense.
d.  All of these answer choices are correct.

7. (LO 3)  When an auditor inspects a tangible asset to support a balance in the client’s records, the auditor is gathering evidence to support the:
a.  completeness assertion.
b.  existence assertion.
c.  valuation and allocation assertion.
d.  rights and obligations assertion.

8. (LO 3)  When an auditor inspects loan documentation and traces the details to recording in the client’s records, the auditor is gathering evidence to support the:
a.  completeness assertion.
b.  existence assertion.
c.  valuation and allocation assertion.
d.  rights and obligations assertion.

9. (LO 3)  Which audit procedure is being used when an auditor checks the calculations in a client-prepared spreadsheet?
a.  Analytical procedure.
b.  Recalculation.
c.  Reperformance.
d.  Scanning.

10. (LO 4)  If a specialist is engaged to assist with the audit:
a.  it means the auditor does not have the requisite skill and knowledge to assess the item.
b.  it means the auditors should not have taken on the audit because they are not qualified.
c.  the PCAOB must be contacted and permission obtained before the specialist starts work.
d.  the auditor does not have to take responsibility for the fair presentation of the item in the financial statements.

11. (LO 4)  Before the external auditors decide to use the work performed by the internal auditors, the external auditors must first assess:
a.  the size of the internal audit function relative to the client.
b.  the independence of the internal auditors.
c.  the supervision skills of the internal audit function.
d.  the competence and objectivity of the internal audit function.

12. (LO 5)  The working papers for a client contain both a permanent and a current file. The difference between the two files is that:
a.  the permanent file is kept by the audit partner in charge and cannot be altered after the first audit engagement is completed, but the current file can be updated.
b.  the copy of the permanent file must be sent to a regulator (PCAOB or State Board of Accountancy) and the current file is not.
c.  the permanent file includes documents that relate to the client and are relevant for more than one year’s audit, and the current file includes the details of work completed and evidence gathered that relate to the current year’s audit.
d.  the permanent file cannot be altered, but the current file can be altered.

Review Questions
R5.1  (LO 1)  Are financial statements considered statements of fact? Discuss in the context of management assertions.

R5.2  (LO 2)  Explain why the quality of audit evidence is determined by the choice of audit procedure and the assertion most at risk of material misstatement.

R5.3  (LO 2)  Discuss why an auditor must consider the reliability of audit evidence.

R5.4  (LO 3)  Explain how inspecting a client’s tangible assets provides evidence about the completeness and existence assertions.

R5.5  (LO 3)  Differentiate between the “occurrence” and “existence” assertions. How do both differ from “completeness”?

R5.6  (LO 3)  List and describe the procedures for gathering audit evidence. At which stage(s) of the audit is each procedure appropriate?

R5.7  (LO 3)  Differentiate between recalculation and reperformance, and provide an example of each.

R5.8  (LO 4)  If an auditor does not have sufficient knowledge and skill in an area, the auditor can ask for the assistance of a specialist. Does this create a problem? Explain how an auditor knows if the specialist’s work is reasonable if the auditor is not also a specialist.

R5.9  (LO 4)  Describe the general composition of an external audit team. Discuss whether a client’s internal auditors can be part of the external audit team.

R5.10  (LO 4)  Provide examples of situations in which an auditor would use the work of a component auditor.

R5.11  (LO 5)  List some key elements that would be included in any working paper document.

Analysis Problems
AP5.1  (LO 1)  Basic   Assertions at risk  The inventory of a large grocery store client is material,
and it is the largest current asset on the balance sheet. The cost of inventory items ranges from very small
amounts (like individual candy at the checkout line) to larger amounts (like prime meat and specialty
deli items). Typical risks for a grocery store are theft and spoilage of inventory. During the second quarter,
the client caught three employees in a scheme of stealing produce and meats from the store and selling
them, at a discount, to friends and family. Based on an investigation by authorities and store management,
the scheme had been operating for about two months.

Required
Based on the information, evaluate which accounts and assertions are at risk of misstatement.
AP5.2  (LO 1)  Basic   Assertions at risk  Davis Do-It-Center (Davis) is a local hardware store with
five locations in southern Georgia. The company has been operating for over 70 years. In the last 15 years,
the two owners, who are brothers, have been working hard to transition from manual processes to electronic
systems. Recently, one of the store managers had to fill in at the checkout register, which uses a
scanning system to capture the sales price of each item, and noticed that the scanned sales prices of some
items were incorrect. The manager alerted one of the brothers about the issue. Upon further investigation,
this brother discovered that the scanning system was pulling sales prices from outdated price lists
for three inventory categories: lawn and garden, plumbing, and paint supplies.

Required
Based on the information, evaluate which accounts and assertions are at risk of misstatement.
AP5.3  (LO 1, 2)  Moderate   Assertions and evidence  Propel Equipment rents heavy equipment,
such as cranes, bulldozers, and dump trucks, to industrial contractors. One of Propel’s larger expenses
is repairs and maintenance on the rental equipment. The company’s policy is to capitalize repairs that
improve the useful life or increase the operating efficiency of the equipment. Routine repair and maintenance
costs should be expensed as incurred. Business has been slow for the last two quarters, so Propel is
taking advantage of the “down time” to catch up on repair and maintenance items.
Propel’s auditors have completed their risk assessment procedures and noted the increased activity
with repairs and maintenance. Since business is slow, auditors also noted there is increased risk that
management may try to understate expenses to inflate profit.

Required
a.  If Propel management incorrectly capitalizes repairs and maintenance expenses, evaluate which
accounts and assertions are at risk of misstatement.
b.  If auditors determine there is increased risk for understatement of expenses, how does that impact
the sufficiency and appropriateness of the audit evidence?

AP5.4  (LO 1, 2, 3)  Moderate   Types and persuasiveness of audit evidence  Jenna is working on the
audit of a client’s accounts receivable. During the last few weeks, she has conducted interviews with the accounts
receivable manager, the chief financial officer, and staff working in the accounts receivable department.
She has overseen the external confirmations of accounts receivable, 30% of which required the recipient
to respond whether or not the amount stated was correct. Jenna also inspected subsequent cash receipts from
the client’s customers. She vouched a sample of accounts receivable balances back to the underlying invoices,
cash receipts and sales returns, and traced a sample of these documents to the accounts receivable ledger.

Required
a.  List the audit procedures used by Jenna to gather evidence and comment on the reliability of the
evidence.
b.  Relate each type of evidence to the relevant accounts receivable assertions.

AP5.5  (LO 1, 2, 3)  Moderate   Audit evidence  James Thomas is responsible for preparing bank reconciliation
statements at Ajax Inc. Ajax has many bank accounts, including separate accounts for each major
branch, accounts for payments of salaries and dividends, and accounts kept in foreign currency for overseas
divisions. James maintains records including bank statements and weekly bank reconciliations for each account.
In addition, there are files containing correspondence with banks about disputed transactions, dishonored
checks from Ajax’s customers, and other bank-initiated transactions such as fees and interest.

Required
a.  Comment on the appropriateness of the evidence in James’ files for Ajax’s financial statement audit.
b.  Explain how an auditor would obtain more appropriate evidence for the relevant assertions for the
bank accounts at Ajax.

AP5.6  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the
audit of a client’s revenue transactions. To gather evidence in support of the occurrence assertion, the
associate included the following audit procedure in the audit program:

Select a sample of authorized shipping documents and approved customer orders and trace them
to recording in the sales journal.

Required
a.  Evaluate the relevance of the procedure in addressing the occurrence assertion.
b.  Comment on the reliability of the evidence gathered using the procedure.

AP5.7  (LO 1, 2, 3)  Moderate   Audit evidence  An audit associate is preparing an audit program
for the audit of a client’s inventory purchases transactions. To gather evidence in support of the cutoff
assertion, the associate included the following audit procedure in the audit program:

Select a sample of receiving reports in the warehouse for three days before and after year-end and
inspect related journal entries in inventory/accounts payable to determine that purchases were
recorded in the proper period.

Required
a.  Evaluate the relevance of the procedure in addressing the cutoff assertion.
b.  Comment on the reliability of the evidence gathered using the procedure.

AP5.8  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the
audit of a client’s allowance for doubtful accounts. To gather evidence in support of the valuation assertion,
the associate included the following audit procedure in the audit program:

Confirm accounts receivable by sending positive confirmations to a sample of customer account
balances.

Required
a.  Evaluate the relevance of the procedure in addressing the valuation assertion.
b.  Comment on the reliability of the evidence gathered using the procedure.

AP5.9  (LO 1, 2, 3)  Challenging   Gathering evidence  Max Crowe is an associate auditor who
has just started with the team conducting the audit of a new client in the construction industry. Max is
shadowing Susan Wong, an experienced auditor. Susan is showing Max how to be a member of an audit
team and is trying to teach Max about the benefits of getting to know the client. Susan is also trying to
help Max develop experience in picking up subtle signals about the client’s problems and what the client
might be trying to hide from the auditor.
Max is getting a little frustrated with the “shadowing” assignment. He cannot understand why Susan
is spending so much time talking to the client’s staff and touring the various construction sites and
offices. When Susan is not doing this, she is working on a spreadsheet of the client’s previous financial
statements and unaudited interim data. Max wants to know when they are going to do some “real” work
and start gathering audit evidence. Susan tells Max that they have already started.

Required
a.  Discuss Susan’s comment that they have already started the audit. What evidence have they gathered
so far?
b.  Explain what work is being done with the spreadsheets of financial data. Give some specific examples
for this client. How is this type of work relevant to different phases of the audit?
c.  When Susan is touring the client’s premises, she is taking notes of equipment and furniture she sees, especially
anything that looks either newly purchased or older and unused. Explain why she is doing this.

AP5.10  (LO 4)  Moderate   Using the work of internal auditors  Theobald Inc. has an internal audit
department that primarily focuses on audits of the efficiency and effectiveness of its production departments.
The other main role of the internal audit department is auditing compliance with various government
regulations surrounding correct disposal of waste and storage of raw materials at its five factories.
Theobald’s internal audit department is run by Harry Potts, a CPA and a member of the Institute of Internal
Auditors. There are three other members of the department, all of whom have experience in performance
auditing and, in addition, have completed industry-run training courses in waste management and handling
dangerous goods. Harry meets regularly with the chief production manager and sends monthly reports
to the CEO and the board of directors. Your initial investigations suggest that Harry is highly regarded
within Theobald, and his reports are often discussed at board meetings. In most cases, the board authorizes
the actions recommended in Harry’s reports with respect to major changes to production and logistics.

Required
Evaluate the extent of reliance the external auditor should place on the work of the internal audit department
at Theobald Inc. Explain the likely impact of the internal audit department’s work on the audit plan.

AP5.11  (LO 4)  Challenging   Research   Using a specialist  SolarTubeGen is a start-up company in
the renewable energy sector. The founder of SolarTubeGen, Fritz Herzberg, has developed cutting-edge technology
to convert the energy in the sun’s rays to electricity via a novel system of mirrors designed to focus
the sun’s rays onto tubes containing a patented type of gas, which then heats and expands to drive turbines.
Ramirez & Walker LLP has won the contract for the first audit of SolarTubeGen on the basis of its expertise in
the energy sector. However, the lead partner, Mark Ramirez, recognizes the success of the audit is dependent
on the correct assessment of the technology being used at SolarTubeGen. Mark specified in the successful audit
bid documents that the audit will use an external specialist to help with valuation of the company’s assets.
Fritz Herzberg is very protective of his company’s intellectual property and is resistant to Mark’s
first suggested specialist, Manfred Hamburg. Fritz believes that Manfred Hamburg is hostile toward him
because they clashed when they both worked for a German company making photovoltaic cells in the
1990s. Fritz has suggested another specialist, Lily Beilherz, with whom he has had good working relations
over the last 20 years.

Required
a.  Advise Mark Ramirez about the choice of a specialist for the audit of SolarTubeGen. What must
he consider when making his choice? Refer to AU-C 620 Using the Work of an Auditor’s Specialist
to support your answer. (ASB standards can be accessed at www.aicpa.org/research/standards.)
b.  SolarTubeGen takes over another renewable energy company during the second-year audit. The
new subsidiary is based in another country and has previously been audited by a local audit firm.
Evaluate how Mark should handle the new audit responsibilities brought about by the client’s
expansion.

AP5.12  (LO 3, 5)  Moderate   Research   Documentation  Jennifer Jones is reading documents
prepared by the members of the team working on the audit of receivables for a private company audit
client. Jennifer is the senior manager assisting the engagement partner, Ruby Rogers. Jennifer and Ruby
have worked together on many audits, and Jennifer knows the types of questions Ruby will ask about the
working papers if they are not up to the standard required by AU-C 230. Jennifer is trying to make sure
that all documents are up to the required standard before Ruby sees them tomorrow.
Jennifer is particularly concerned about the documents relating to the receivable confirmations.
This is because the audit assistant who wrote the confirmation results recommended that no further
work was required. On review of the results, Jennifer discovered the audit assistant had incorrectly
treated “no reply” results as acceptable for a positive confirmation, when they are acceptable only for a
negative confirmation. Jennifer had ordered further work be done to follow up on these “no reply” results.

Required
a.  What is the minimum standard that audit documentation must meet?
b.  Propose how you would treat the corrections made to the audit assistant’s recommendations and the
additional work on receivable confirmations in the working papers. Refer to both AU-C 505 External
Confirmations and AU-C 230 Audit Documentation in your answer.

AP5.13  (LO 4, 5)  Challenging   Fraud   Public Company   Research   Overstating revenue—
Satyam Computer Services, Ltd  In April 2011, the SEC charged Satyam Computer Services Ltd.,
an India-based company, with fraudulently overstating the company’s revenue, income, and cash balances
by more than $1 billion over five years. The SEC also sanctioned the company’s auditors for conducting
deficient audits that allowed the fraud to go undetected for years. The auditors were five India-based
affiliates of PricewaterhouseCoopers (PwC). The SEC stated that “PW India’s failure to properly execute
third-party confirmation procedures resulted in the fraud at Satyam going undetected for years.”15

Required
a.  Go to www.sec.gov and research the Satyam fraud scandal. Briefly summarize the fraud, such as
the time period over which it took place, who was involved, and how it was conducted.
b.  Go to www.pcaobus.org and search for PCAOB Release No. 105-2011-002. Summarize the audit
deficiencies noted by the PCAOB in the audit of the cash and receivables balances. Also summarize
how the auditors violated Auditing Standard No. 3 Audit Documentation. (Note that the Auditing
Standards have since been reorganized. The documentation standard is now AS 1215.) What penalties/punishment
was levied on the PwC affiliate firms?

Audit Decision Cases


King Companies, Inc.
Questions C5.1 and C5.2 are based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California.
KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth.
Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors and
CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by
friends and family who helped the Kings get started. Eric started the company with one store after working in
an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends.
Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery,
and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is made up
of regular customers for whom KCI delivers parts to their locations and bills these customers on account.
During peak periods, KCI also uses part-time workers.
As part of gaining an understanding of KCI, you inspect (1) the accounts receivable trial balance that lists
amounts owed by each customer and (2) an aging of accounts receivable schedule. One customer, Tire Repair
Specialists (TRS), has a large material balance that is more than 90 days past due. You discuss the TRS balance
with Jonathan, one of KCI’s accounting staff, and he says there are rumors that TRS is having serious financial
difficulty. Jonathan says no adjustment or allowance has been made regarding the TRS account.
You just completed a continuing professional education (CPE) course at your firm, Thornson &
Danforth, about audit documentation. AU-C 230 has specific requirements about documenting audit
work. In particular, paragraph 9 states:
“In documenting the nature, timing and extent of audit procedures performed, the auditor
should record:
a.  the identifying characteristics of the specific items or matters tested;
b.  who performed the audit work and the date such work was completed; and
c.  who reviewed the audit work performed and the date and extent of such review.”

15 Securities Exchange Commission (SEC), “SEC Charges India-Based Affiliates of PWC for Role in Satyam Accounting Fraud,” Release 2011-82 (April 5, 2011), www.sec.gov.

In addition, paragraph 11 states:

“The auditor shall document discussions of significant findings or issues with management,
those charged with governance, and others, including the nature of the significant finding or
issues discussed, and when and with whom the discussions took place.”

C5.1  (LO 1)  Moderate   Assertions at risk  Analysis and evaluation: Based on the information, evaluate
which accounts and assertions are at risk of misstatement.

C5.2  (LO 5)  Moderate   Documentation  Analysis: Describe how you would apply the mandatory
requirements of AU-C 230 when documenting your understanding related to the potential bad
debt.

Mobile Security, Inc.


Question C5.3 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is
a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech
unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security
equipment. MSI’s products are primarily used by the military and scientific research institutions,
but there is growing demand for UAVs for commercial and recreational use. MSI must go through
an extensive bidding process for large government contracts. Because of the sensitive nature of
government contracts and military product designs, both the facilities and records of MSI must be
highly secured.
MSI has a small internal audit department that is led by Lorenzo Mandella, a former audit senior
of Leo & Lee who worked on the MSI audit. Lorenzo never took the time to sit for the CPA exam and
therefore was not able to advance to manager at Leo & Lee. He was thankful that the opportunity at MSI
became available. Lorenzo was hired by MSI five years ago as MSI’s first internal auditor. He was tasked
with establishing the internal audit function and hiring more internal audit staff as needed. Over the
past five years, he has hired three additional internal audit staff. Two of his staff are CPAs and one is a
certified internal auditor (CIA). The two CPAs have 2-3 years of external audit experience from working
at a mid-size public accounting firm. The CIA is a recent college graduate whose only work experience
was an internal audit internship for a health insurance company.
On a day-to-day basis, Lorenzo works closely with the CFO and other accounting personnel as part
of internal control monitoring. The CFO will ask Lorenzo’s group to perform audits of accounts if errors
are suspected. Lorenzo reports to the audit committee as needed, particularly if there are issues with
internal controls that the audit committee should be made aware of. Lorenzo and the rest of his group do
not have any managerial duties outside of their internal audit role.

C5.3  (LO 4)  Moderate   Public Company   Research   Considering the work of internal auditors  Analysis and
evaluation: Using AS 2605 as a guide, discuss how Leo & Lee would evaluate
the internal audit function of MSI. Based on the information, make a decision regarding the use
of MSI’s internal auditors and defend your decision. (PCAOB auditing standards can be accessed at
www.pcaobus.org.)

Brookwood Pines Hospital


Question C5.4 is based on the following case.

Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across
Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private,
not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing
the audit for the fiscal year-end June 30, 2023.
BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured
and underinsured patients are offered discounts of up to 100% of charges based on their income as a
percentage of the federal poverty level guidelines. BPH does not pursue collection of these accounts;
therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing
the charity care is included in operating expenses.
BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt
issues, state and municipal government debt issues, and trusts. A majority of the investments are the
result of charitable contributions to the hospital by generous donors. Earnings from the investments are
used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover
the costs of the charity care.
The breakdown by payor of BPH’s accounts receivable balance approximates the following:
Medicare                      16%
Medicaid                      12%
Blue Cross                    19%
Other insurance providers     33%
Patients                      20%

The historical estimated allowance for uncollectible accounts is approximately 23%.


The following table lists selected asset accounts for BPH as of June 30, 2023 and 2022 (amounts in
thousands).

Account                              June 30, 2023    June 30, 2022

Cash and cash equivalents              $   43,077       $   36,361
Short-term investments                     22,725           49,338
Patient accounts receivable, net          119,380           99,962
Inventory                                  10,740           10,056
Long-term investments                     915,088          807,321
Property and equipment:
  Land                                     57,839           58,140
  Buildings                               577,546          556,590
  Equipment and furniture                 194,481          169,603
  Construction in progress                 89,890           58,290
                                          919,756          842,623
Accumulated depreciation                  343,324          303,642
Property and equipment, net               576,432          538,981

Total current assets                      233,286          225,962

Total assets                            1,787,720        1,618,698

C5.4  (LO 1, 2, 3)  Challenging   Assertions and audit procedures  Analysis: Select three asset accounts
that you consider significant accounts for BPH and explain why they are significant. For each
significant account that you identify, determine the two most relevant assertions for that account and
select one audit procedure that would provide sufficient appropriate audit evidence related to each of the
relevant assertions.

Cloud 9 - Continuing Case


W&S Partners will need the assistance of auditors in Vietnam and a derivatives specialist to complete the Cloud 9 audit.
The other auditors will be asked to provide evidence about the inventory shipped to the United States from the production plant in Vietnam and about the property, plant, and equipment at the Vietnam plant. Although the inventory is sent FOB shipping point, there have been several occasions when the shipping agent was unable to place the inventory on a ship. In these cases, the inventory was stored in the shipping agent’s warehouse until a vessel became available. Suzie has some concerns about the quality of the warehouses because if the goods are damaged they could become worthless, and the value of goods in transit will be overstated.
In addition, Josh has asked Jo Wadley (the partner) for help in choosing a specialist to help with valuation aspects of the audit of derivatives. Jo has provided him with three names of specialists in the field, but she has had no personal experience with any of them. Josh must make a choice and engage the specialist soon to be sure the specialist’s opinion will be received in time to complete the audit.
Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required
a.  Access AS 1205 Part of the Audit Performed by Other Independent Auditors at www.pcaobus.org. Explain the procedures that W&S Partners must complete before engaging other auditors to perform the work on the inventory and property, plant, and equipment in Vietnam. Cite the audit standard in your response.
b.  Access AS 1210 Using the Work of a Specialist at www.pcaobus.org. Advise Josh on engaging the derivatives specialist. Discuss the qualities the specialist must possess. What must the specialist provide to Josh so that he can be sure he has sufficient appropriate evidence about the derivatives? What steps must Josh perform? Cite the audit standard in your response.

Chapter 6
Gaining an Understanding of the Client’s System of Internal Control

The Audit Process

•  Overview of Audit and Assurance (Chapter 1)
•  Professionalism and Professional Responsibilities (Chapter 2)
•  Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4)
•  Gaining an Understanding of the Client
•  Identify Significant Accounts and Transactions
•  Set Planning Materiality
•  Gaining an Understanding of the System of Internal Control (Chapter 6)
•  Make Preliminary Risk Assessments
•  Develop Responses to Risk and an Audit Strategy
•  Audit Evidence (Chapter 5)
•  Audit Data Analytics (Chapter 7)
•  Performing Tests of Controls (Chapter 8)
•  Performing Substantive Procedures (Chapter 9)
•  Audit Sampling for Substantive Tests (Chapter 10)
•  Auditing the Revenue Process (Chapter 11)
•  Auditing the Purchasing and Payroll Processes (Chapter 12)
•  Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
•  Completing and Reporting on the Audit (Chapters 14 and 15)
•  Procedures Performed Near the End of the Audit
•  Drawing Audit Conclusions
•  Reporting


Learning Objectives

LO 1  Define internal control and describe the COSO framework.
LO 2  Explain and evaluate internal controls at the entity level.
LO 3  Explain and evaluate internal controls at the transaction level.
LO 4  Explain and evaluate information technology (IT) controls.
LO 5  Discuss the different techniques used to document internal controls.
LO 6  Explain the importance of identifying strengths and weaknesses in a system of internal control.
LO 7  Explain how to communicate internal control weaknesses to those charged with governance.

Auditing and Assurance Standards

PCAOB

AS 2110  Identifying and Assessing Risks of Material Misstatement
AS 2201  An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

Auditing Standards Board

AU-C 265  Communicating Internal Control Related Matters Identified in an Audit
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Cloud 9 - Continuing Case


Sharon Gallagher (audit manager), Josh Thomas (audit senior), Ian Harper, and Suzie Pickering (both audit staff) are meeting to discuss their internal control assessment for Cloud 9. Sharon asks, “What is the purpose of understanding Cloud 9’s system of internal control?” Ian answers, “We need to understand the system in order to issue a report on internal controls over financial reporting.” Sharon responds, “If Cloud 9 were a private company, would we still need to understand the system of internal control?” Suzie now jumps into the conversation. “In every audit we need to understand the strengths and weaknesses in an entity’s system of internal control. For Cloud 9, this helps us understand control risk and which internal controls to test. If Cloud 9 were a private company, we would still need to understand the system of internal controls to evaluate control risk and determine audit strategy.” Sharon summarizes, “You are right, Suzie. We need to understand internal controls at both the entity level and at the transaction level. This helps us assess risk. We hope to find sound internal control strengths at all levels, so we can test controls and support our opinion on internal controls since it is a public company. However, we should also be alert to any significant deficiencies or material weaknesses in internal controls. Both need to be reported to the board of directors and we need to include a discussion of any material weaknesses in our audit report on internal controls. This process all begins by understanding the internal controls that Cloud 9 has placed in operation.”

Chapter Preview: Audit Process in Focus


An integrated audit focuses on internal controls to (1) express an opinion on the effectiveness
of internal control over financial reporting (ICFR), and (2) permit the auditor to
make judgments about the evidence needed for the financial statement audit. To form an
opinion on ICFR, the audit team must obtain an understanding of the entity’s system of
ICFR, gather evidence, evaluate the evidence, and verify it against some form of independent
reference.
The most commonly accepted global framework is the Internal Control—Integrated Framework
developed by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO).1 This framework enables organizations to effectively and efficiently develop systems
of internal control. It also provides a common framework for users to understand audits of
internal control over financial reporting. When internal controls put in place by management
conform to the COSO framework and function effectively, internal control is described as
strong. When they do not agree closely to the COSO framework, or they do not operate effectively,
the internal control is described as weak. Recall from Chapter 1 that if a public company
has one material weakness in ICFR, the company will receive an adverse opinion on ICFR. In
audits of private companies, not-for-profit entities, and governments, where the auditor does
not have to issue a report on ICFR, the auditor must still understand the system of internal
control, evaluate control risk, and assess the impact of internal controls on audit strategy.
In this chapter, we begin with a discussion of how the client’s system of internal controls
relates to an integrated audit. This involves understanding:

•  What is meant by the term internal control.
•  The objectives of the internal controls put in place by management.
•  The components of internal control (at the entity level and at the transaction level).
•  What the auditor should understand about the client’s system of internal control.

Next, we focus on information technology (IT) controls and how they work. This chapter
concludes with a discussion of identifying strengths and weaknesses in a system of internal
control and how weaknesses are communicated to both management and those charged with
governance.

Internal Control Defined


Learning Objective 1
Define internal control and describe the COSO framework.

Why is understanding the internal controls of an organization important? It is because when
controls are effective, the organization is more likely to achieve its strategic and operating
objectives. Internal control is a very broad concept and encompasses all of the elements of
an organization—its resources, systems, processes, culture, structure, and tasks. When these
elements are taken together, they support the organization’s ability to achieve its objectives.
Internal control is defined by COSO as follows:

Internal control is a process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the achievement
of the objectives related to operations, reporting and compliance.2

internal control  a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of the objectives
related to operations, reporting, and compliance

Understanding internal control is important to (1) audit internal controls over financial
reporting and (2) make a preliminary assessment of control risk. Control risk is a key component
of the overall audit risk assessment and provides evidence that influences the resulting
audit strategy developed by the auditor. Both AS 2110 Identifying and Assessing Risks of Mate-
rial Misstatement and AU-C 315 Understanding the Entity and Its Environment and Assessing
the Risks of Material Misstatement require the auditor to obtain an understanding of an entity’s
internal controls. This applies to all audits, including when the auditor of a private company
decides that an entirely substantive approach (control risk is assessed at the maximum) is the
appropriate response to the risks identified. Understanding an entity’s system of internal con-
trol assists the auditor both in identifying the types of misstatements that are likely to occur
and the risk of fraud in the financial statement audit.

1 COSO, Internal Control—Integrated Framework (AICPA: Durham, NC, 2013).
2 Ibid.

6-4  Chapter 6  Gaining an Understanding of the Client’s System of Internal Control

The COSO Framework


The COSO framework has global acceptance and is the most commonly recognized frame-
work for understanding and evaluating a system of internal control. It has three dimensions,
as shown in Illustration 6.1. First, the COSO framework discusses the objectives of internal
control. Second, the COSO framework discusses important components of internal control.
Third, the COSO framework discusses how these objectives and components fit into an orga-
nizational structure.

ILLUSTRATION 6.1  The relationship among the three dimensions of internal control: objectives,
components, and organizational structure

[Figure: the COSO cube. Objectives: Operations, Reporting, Compliance. Components: Control
environment, Risk assessment, Control activities, Information and communication, Monitoring
activities. Organizational structure: Entity, Division, Operating unit, Function.]

Objectives of Internal Control


The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control
that allow organizations to focus on the differing purposes of internal control. These three
objectives are:

•  Operations objectives. These pertain to the effectiveness and efficiency of the entity’s op-
erations, including operational and financial performance goals, and safeguarding assets
against loss.
•  Reporting objectives. These pertain to internal and external financial and nonfinancial
reporting and may encompass reliability, timeliness, transparency, or other terms as set
forth by regulators, recognized standard setters, or the entity’s policies.
•  Compliance objectives. These pertain to adherence to laws and regulations to which the
entity is subject.

(COSO, Internal Control—Integrated Framework, 2013)

These three objectives of internal control help the auditor understand why the controls are
important and the problems they are designed to prevent. Without understanding the in-
tention of management in implementing internal controls, it is harder to understand how
controls prevent, or detect and correct, financial statement misstatements. Management
and those charged with governance are concerned about adequately controlling the entity’s
operations, its financial reporting, and its compliance with laws and regulations. The external
auditor, on the other hand, is primarily concerned with the reporting objectives and the
operations objectives related to safeguarding of assets.

Components of Internal Control


The second dimension of the COSO framework depicted in Illustration 6.1 identifies five
integrated components of internal control:

•  Control environment.
•  Risk assessment.
•  Control activities.
•  Information and communication.
•  Monitoring activities.

Within the five components of internal control, the 2013 COSO framework clearly articulates
17 principles that are essential to evaluating whether the five components of internal con-
trol are present and operating effectively. The principles also apply to an entity’s operations,
reporting, and compliance internal control objectives. These components and principles are
summarized in Illustration 6.2.

ILLUSTRATION 6.2  Seventeen COSO principles of internal control

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises
oversight over the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in
the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and
analyzes risk as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing the risks to the achievement
of objectives.
9. The organization identifies and assesses changes that could significantly impact the system
of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of
risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support
the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected
and procedures that put policies into actions.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the
functioning of internal control.

Monitoring

16. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior management
and the board of directors, as appropriate.

(COSO, Internal Control—Integrated Framework, 2013)

Organizational Structure
The third dimension of the COSO framework depicted in Illustration 6.1 describes an
entity’s organizational structure. While some private companies or not-for-profit organi-
zations may have simple organizational structures, and some multinational organizations
have complex organizational structures, the key issue is that some controls are imple-
mented at the entity level, while other controls may be implemented at a division, operat-
ing unit, or function level. All three internal control objectives (operations, reporting, and
compliance) should be accomplished throughout the organizational structure of the en-
tity. When understanding a client’s system of internal control, the auditor must consider
the client’s objectives and the five components of internal control (control environment,
risk assessment, control activities, information and communication, and monitoring).
Within this context, the auditor must understand the scope of the control implemented
by the client and the number of transactions that may be affected by the control imple-
mented by the client. The controls related to financial reporting and to the safeguarding
of assets are most relevant to an audit of ICFR as well as to an audit of the financial state-
ments. Other controls related to operations, other types of reporting, and compliance may
be relevant when they affect the data or evidence used by the auditor when performing
audit procedures.

Inherent Limitations
Internal control, no matter how effective, can only provide an entity with reasonable assur-
ance in achieving its financial reporting objectives. For example, people may have effective
alarm systems in their homes, but if they are in a hurry and leave the house without activating
the alarm system, the control is ineffective. Common inherent limitations in internal control
include:

•  Ability of management to override internal control.
•  Human error that results in a breakdown in internal control.
•  Ineffective understanding of the purpose of a control.
•  Collusion by two or more individuals to circumvent a control.
•  Overriding or disabling a control within a software program.
•  Decisions made by management as to the nature and extent of the control it chooses to
implement.

As another example, a person may receive a daily exception report but not know what to
do with it. If potential errors are not investigated and corrected, the programmed control that
flags items for review loses its effectiveness.

Before You Go On
1.1  What is the purpose of a system of internal control?
1.2  Why is it important to understand the client’s system of internal control?
1.3  Explain the three objectives of internal control.
1.4  Identify the five components of internal control.
1.5 Explain the relationship between internal control objectives, internal control components,
and organizational structure.
1.6  Describe the inherent limitations of internal control.

Entity-Level Internal Controls


Learning Objective 2
Explain and evaluate internal controls at the entity level.

PCAOB AS 2201 describes a top-down approach to understanding internal control over
financial reporting and selecting which specific internal controls to test. A top-down approach
begins by considering what can go wrong in the financial statements. The auditor needs to
understand what could go wrong at both the entity and transaction levels, and the controls the
client may have in place at both levels. Therefore, the auditor focuses on entity-level controls
and works down to significant accounts and disclosures and their relevant assertions.
The internal control components listed in Illustrations 6.1 and 6.2, when collectively
considered, are often referred to as entity-level controls because each of them exists at an entity
(organizational) level rather than at a transactional level. For example, a control ensuring that
sales are recorded in the sales ledger is a transaction-level control. A control such as strong tone
at the top of the organization emphasizing the importance of internal control is an entity-level
control.

entity-level controls  the client’s control environment, risk assessment process, information
system, control activities, and monitoring of controls that exist at the organizational level

Gaining an understanding of the entity-level internal control components helps in
establishing the appropriate level of professional skepticism; gaining an understanding of the
client’s business and financial reporting risks; and making assessments of the risk of material
misstatement. Understanding all of these elements determines the nature, timing, and extent
of audit procedures. The 17 COSO principles of internal control (see Illustration 6.2) are usually
implemented at the entity level. If the entity-level controls are weak, it is less likely that
transaction-level controls will be effective. This section focuses on how the auditor gains an
understanding of entity-level controls using the 17 COSO principles as a framework.

The Control Environment


The control environment sets the tone of an entity and influences the control consciousness
of its people. It is the foundation for all other components of internal control and is often
thought of as a combination of the culture, structure, and discipline of an organization. It reflects
the overall attitude, awareness, and actions of management, the board of directors, any others
charged with governance, and owners concerning the importance of controls and the emphasis
given to controls in determining the organization’s policies, processes, and organizational
structure. The control environment includes the first five principles summarized in Illustration 6.2.

control environment  the attitudes, awareness, and actions of management and those charged
with governance concerning the entity’s internal control and its importance in the entity

Principle 1. The organization demonstrates a commitment to integrity and
ethical values.  Integrity and ethical values are essential elements of the control environ-
ment and affect the design, administration, and monitoring of key processes. Integrity and
ethical values are the products of the organization’s ethical and behavioral standards, how
the standards are communicated, and how they are monitored and enforced in its business
activities. They include management’s actions to remove or reduce incentives, pressures, and
opportunities that might prompt personnel to engage in dishonest, illegal, or unethical acts.
They also include the communication of the organization’s values and behavioral standards to
personnel through policy statements, codes of conduct, and the examples set by management.
For example, management may put in place methods for personnel to raise questions
about the appropriateness of accounting and financial reporting at progressively higher lev-
els, including a hotline that is monitored by the audit committee or the internal audit group.
This, coupled with other procedures, may support an effective control environment. It is also
important that management is seen as complying with its own policies.
Principle 2. The board of directors demonstrates independence from man-
agement and exercises oversight over the deployment and performance of
internal control.  The organization’s control environment is influenced significantly by
its board of directors and others charged with governance of the entity, for example, the audit
committee members. The board of directors oversees the entity’s accounting and financial
reporting policies and procedures, including its system of internal control. As a result, those
charged with governance have an obligation to be concerned with the entity’s system of
internal control, internal and independent (external) audit processes, and financial reporting
to shareholders and the investing public.
In determining the effectiveness of the participation of those charged with governance,
in particular the board of directors, auditors consider the board’s independence from manage-
ment, the experience of its members, the extent of its involvement and scrutiny of manage-
ment’s day-to-day activities, and its interactions with the internal and/or external auditors. For
example, if the board has regular and open communications with its auditors, management
may be more willing to inform the board of issues arising in the system of internal control on
a timely basis (to avoid “surprises”).

Principle 3. Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities in the
pursuit of objectives.  Organizational structure reflects management philosophy and
company size. Management’s assignment of authority and responsibility relates to orga-
nizational structure. Many ways exist to assign authority and responsibility. Some entities
empower employees across the entire organizational hierarchy with decision-making au-
thority. Others limit decision-making authority. The key to successful empowerment and
an effective control environment is to:
•  Delegate only as much authority as is needed to achieve the organization’s goals.
•  Ensure that those making decisions understand that they will be held accountable.
•  Hold those who are responsible accountable for their actions.
Assignment of authority and responsibility includes how authority and responsibility
for operating activities are assigned and how reporting relationships and authorization
hierarchies are established. It includes policies related to appropriate business practices,
knowledge and experience of key personnel, and resources provided for carrying out
duties. It also includes policies and communications directed toward ensuring all employ-
ees understand the organization’s objectives, know how their individual roles and actions
contribute to those objectives, and recognize how they will be held accountable for their
actions and decisions.
Principle 4. The organization demonstrates a commitment to attract, develop,
and retain competent individuals in alignment with objectives.  A key aspect of
setting the tone at the top involves management’s commitment to ensure that workers have the
knowledge, skills, and training to make appropriate judgments required by their job responsibil-
ities. A commitment to competence requires two management steps. First, management needs
to decide what skills are required to appropriately perform job responsibilities. Second, manage-
ment must staff those jobs with individuals who have the needed skills. Trade-offs can be made
in fulfilling these required steps, such as placing a less experienced person in a demanding job
and providing that person with extra supervision. Regardless of how it is accomplished, a strong
control environment involves a commitment to job responsibilities with people of sufficient
competence. Auditors use professional judgment to determine whether they believe manage-
ment and employees appear to be competent to carry out their assigned roles and receive ade-
quate supervision where required. For example, do employees have the knowledge and expertise
necessary to understand and execute the requirements of generally accepted accounting princi-
ples (or another reporting framework that is applicable to the entity)? The PCAOB emphasizes
the importance of commitment to competence by stating that, for ICFR to operate effectively, it
must function as intended and be implemented by a person with appropriate qualifications. The
lack of personnel with appropriate skills may be an internal control deficiency.
Principle 5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.  The discussion related to
assigning authority and responsibility in Principle 3 above notes several keys to successful
empowerment and an effective control environment, including holding those who are
responsible accountable for their actions. When individuals or managers are not held
accountable, little attention is given to the accounting system and the completeness and accuracy
of information that flows from the accounting system. If a manager is not held accountable for
the results of his or her operating unit, there is little incentive to correct errors in accounting
for transactions. Although written job descriptions should delineate specific duties and re-
porting relationships, it is important for the auditor to understand informal structures that
may exist and how individuals are held accountable for their actions. The auditor should
also be aware of how management assigns authority and responsibility for IT, and how in-
dividuals responsible for IT are held accountable, particularly with respect to procedures for
authorizing and approving system changes. A lack of accountability over making changes in
programmed control procedures creates an environment that is conducive to utilizing IT to
cover employee fraud.
When gaining an understanding of the control environment, the auditor considers each
of the five principles just discussed and their interrelationships. In particular, the auditor
needs to understand whether there are any significant deficiencies related to one principle
that may have an impact on the effectiveness of other principles or other components of inter-
nal control. If the control environment is weak, it decreases the likelihood that other compo-
nents of internal control will be effective.
The assessment of internal controls, as well as the impact of weaknesses in or exceptions
to internal controls, is discussed in more detail in Chapter 8.

Cloud 9 - Continuing Case


During an interview Josh and Sharon held with David Collier, CFO of Cloud 9, they learned a lot
about the tone at the top at Cloud 9. Top-level management and the board of directors adopted a
code of conduct that emphasizes the importance of management and other employees acting with
integrity. Cloud 9’s board members and senior managers attend training and awareness sessions
on the code at least annually. In addition, there has been a rigorous process of embedding the
code’s main points throughout the company’s policies and procedures, most of which have been
rewritten in the previous two years.
Josh intentionally conducts interviews with employees at all levels within Cloud 9. He finds
that all employees have attended training on the code of conduct. Several accounting personnel
add that while the company has financial goals to achieve, the emphasis from the top has been
getting the financial numbers right. Accurate financial reporting is a top priority.
A copy of the company’s code of conduct and the policies and procedures are included in the
audit working papers. Josh also writes a description of the company’s efforts to communicate its
approach to management integrity in the report. He assesses the control environment at Cloud 9
as likely to be effective.

Audit Reasoning Example  Tone at the Top

Susan Larson, a senior manager, was having lunch with Linh Sun (an audit senior) and Peter
Miller (a new audit staff). All three were working on an audit of a pharmaceutical client. Both
Linh and Peter were focused on understanding the client’s system of internal control for a new
audit client. Susan commented, “I want you to get a good feel for the control environment and the
tone at the top about financial reporting by talking to employees at all levels of the organization,
particularly in accounting. Wells Fargo has been in the news recently because the tone at the top
focused on hitting targets at any cost, and there were significant negative consequences for those
who did not meet artificially high expectations. At one end of the spectrum, you have companies
like Wells Fargo with a poor tone at the top. At the other end of the spectrum, I had a client that
I approached with a misstatement that was significant, but probably had not met our materiality
threshold. After the controller understood the underlying cause of the misstatement, and how
their control system failed to detect the problem, the controller announced that the company
would book the adjustment, even though it decreased unaudited earnings that had previously
been announced. When I asked the controller about his reasoning, he stated, ‘We are more con-
cerned about our credibility with investors than one earnings announcement.’ These are the two
ends of the spectrum, and our new audit client may be somewhere in between these two exam-
ples. I want you to determine where on this control environment spectrum this new client is.”

Risk Assessment
All entities, regardless of their size, structure, nature, or industry, encounter risks at all
levels within the organization. Risk is defined as anything that can keep an organization from
achieving its objectives (operations, reporting, or compliance). Therefore, an entity’s risk
assessment process is its process for identifying and responding to risks that an organization
will not achieve its objectives. Risks will affect the entity’s ability to survive, compete,
grow, and improve the quality of its products, services, and people. It follows that objectives
must be set and threats to achieving those objectives must be identified before the risks can be
assessed. It is not possible to reduce these risks to zero; however, management (in conjunction
with those charged with governance) needs to determine how much risk is acceptable to the
organization. Some organizations have a risk committee, which is responsible for ensuring
that all of these risks are identified, managed, and reported to the board of directors.

risk assessment process  the entity’s process for identifying and responding to risks that an
organization will not achieve its objectives

An organization’s risk assessment process is different from the auditor’s consideration of risk.
The purpose of the entity’s risk assessment process is to identify, analyze, and manage the risks
that affect its ability to achieve its operational effectiveness. If a risk is not properly identified, it is
likely there will be no control designed to mitigate the risk. In an audit, the purpose is to assess the
combined inherent, control, and detection risks to evaluate the likelihood that material misstate-
ments could occur in the financial statements (see discussion in Chapter 3 of the audit risk model).
An effective risk assessment process requires management and the board of directors to
implement the following four principles.
Principle 6. The organization specifies objectives with sufficient clarity to en-
able the identification and assessment of risks relating to objectives.  If risk
is defined as anything that can keep an organization from achieving its operations, reporting, or
compliance objectives, risk assessment begins with clearly articulating the entity’s objectives.
Objectives must be clearly set so that threats to achieving those objectives can be identified, and
risks can be assessed. It is important for management (and auditors) to understand the relation-
ship between the entity’s objectives and risks that can affect financial reporting. For example,
a company may plan on introducing new technology. However, if it introduces the new tech-
nology to the marketplace while it still has a significant inventory of older technology on hand,
the introduction of new technology may cause existing inventory to become obsolete or have a
lower-of-cost-or-net realizable value problem. The auditor needs to be alert to make sure that the
financial consequences of business risks are fairly presented in an entity’s financial statements.
Principle 7. The organization identifies risks to the achievement of its objec-
tives across the entity and analyzes risk as a basis for determining how the
risks should be managed.  The identification and analysis of risk involves several steps.
Management should establish a process for (1) identifying risk relevant to the achievement of
the entity’s objectives, (2) estimating the significance of the risks, (3) assessing the likelihood
of their occurrence, and (4) deciding about actions to address those risks. For example, new
legislation or regulation might force changes to operating policies or strategies. Illustration 6.3
provides some examples of external and internal risk factors that an entity might consider.
Principle 8. The organization considers the potential for fraud in assessing
the risks to the achievement of objectives.  Fraud risk was discussed in Chapter 3.
In a strong system of internal control, management should be alert to financial reporting
frauds, misappropriation of assets, and various types of corruption associated with fraud or
other types of misconduct. When assessing fraud risks, management should consider the
three elements of the fraud triangle: (1) incentives and pressures to commit fraud, (2) oppor-
tunities to perpetrate fraud, and (3) attitudes and rationalization. A good system of internal
control should significantly reduce or eliminate the opportunity to perpetrate a fraud. There-
fore, management should consciously assess the risk of fraud and put appropriate controls in
place to reduce fraud risk to an acceptable level.
Principle 9. The organization identifies and assesses changes that could signifi-
cantly impact the system of internal control.  Risks can arise or change as a result of
changes to the organization and the environment in which it operates. These include changes in
the operating environment, personnel, technology, growth, business structures, and accounting
pronouncements. It is important for the auditor to understand the risks identified by the entity,
as this will assist the auditor in considering where (and if) a material misstatement in the
financial statements might exist. The overall potential for risks to have a material impact on
financial reporting is increased when management appears willing to accept unusually high risks
in making business decisions, enters into major commitments without sufficient consideration of
the risks, and fails to closely monitor and control the risks associated with commitments.

ILLUSTRATION 6.3  Examples of risk factors

External Risk Factors

•  Technological development can affect the nature and timing of research and development, or
lead to changes in procurement.
•  Changing customer needs or expectations can affect product development, production
processes, customer service, pricing, or warranties.
•  Competition can alter marketing or service activities.
•  New legislation and regulation can force changes in operating policies and strategies.
•  Natural catastrophes can lead to changes in operations or information systems and highlight
the need for contingency planning.
•  Economic changes can have an impact on decisions related to financing, capital expenditures,
and expansion.

Internal Risk Factors

•  Ability to adjust existing operations and legacy IT infrastructures to meet performance
expectations.
•  A disruption in information systems processing can adversely affect the entity’s operations.
•  The quality of personnel hired and methods of training and motivation can influence the level
of control consciousness within the entity.
•  A change in management responsibilities can affect the way certain controls are implemented.
•  The nature of the entity’s activities, and employee accessibility to assets can contribute to
misappropriation of resources.
•  An unassertive or ineffective board or audit committee can provide opportunities for
indiscretions.

Cloud 9 - Continuing Case

In their interview, Josh and Sharon ask David Collier about Cloud 9’s risk assessment process.
They want to know which risks management has identified so that they can consider whether those
risks could cause a material misstatement in the accounts. They also want to know about the
company’s methods of responding to the identified risks. David Collier tells them that Cloud 9’s
management continually monitors its competitors’ activities. It also considers the risk of
interruption to supplies because of shipping problems and labor disputes at production plants or
transport companies.
Other examples of risks that could have a major impact on the accounts are the use of forward
exchange contracts to control the risks caused by purchasing in foreign currencies. Cloud 9
management is also very aware of risks associated with the just-in-time inventory system, which
has had some problems lately, and has planned some changes to deal with those problems.
Management is monitoring the risks of using a soccer player as a spokesperson for the brand, plus
the broader risks arising from sponsorship of the soccer team, because there has been a lot of
adverse publicity about soccer players’ behavior over the past year. Such adverse publicity could
impact negatively on sales. Cloud 9’s management ensures that the soccer team’s management keeps
the company’s management informed of players’ activities, where appropriate. Management has also
assessed fraud risks, and it believes that between the company’s code of conduct, tone at the top
about its code of conduct, and strong system of internal controls, the incentives for fraud and
the opportunity to commit fraud are minimal.
Josh concludes from the interview and from Suzie’s review of documents including company plans,
board minutes, and significant contracts and agreements that Cloud 9 has a potentially effective
system of risk assessment because it actively searches out and considers potential risks to the
business, and it has developed action plans to deal with each risk depending on its likely
occurrence.

Control Activities
control activities  policies and procedures that help ensure that management directives are
carried out
Control activities are policies and procedures that help ensure management’s directives are
carried out and that necessary actions are taken to address risks impacting the achievement of
the organization’s objectives. Control activities, whether automated or manual, have various
objectives and are applied at various organizational and functional levels. Effective control
activities require management and the board of directors to implement the following three
principles.
Principle 10. The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to
acceptable levels.  Management, with the oversight of the board of directors, selects and
develops control activities to ensure that the entity achieves its objectives. Control activities
often use a combination of IT and manual controls. AU-C 315.A99 provides the following
examples of control activities:
•  Authorization controls.
•  Performance reviews.
•  Information-processing controls.
•  Physical controls.
•  Segregation of duties.
Each of these categories of control activities is discussed below.
Authorization controls. A major purpose of proper authorization procedures is to ensure
that every transaction is authorized by management personnel acting within the scope of their
authority. Each transaction should be properly authorized and approved in accordance with
management’s general or specific authorization. General authorization relates to the general
conditions under which transactions are authorized, such as standard price lists for products
and credit policies for charge sales. Specific authorization relates to the granting of the
authorization on a case-by-case basis. When transactions are individually processed, authorization
is usually provided in the form of a signature or stamp on the source document or in the form
of electronic authorization that leaves a computerized audit trail.
Proper authorization procedures often have a direct effect on control risk for existence
and occurrence assertions, and in some cases, the valuation and allocation assertion, such
as the authorization of an expenditure or the authorization of a customer’s credit limit. The
board of directors may authorize capital expenditures at a designated amount. Expenditures
in excess of that amount might indicate existence problems (an invalid transaction) or
classification problems (expenses classified as assets).
Performance reviews. Examples of performance reviews include management review and
analysis of:

•  Reports that summarize the detail of account balances such as an aged trial balance of
accounts, reports of cash disbursements by department, or reports of sales activity and
gross profit by customer or region, salesperson, or product line.
•  Actual performance versus budgets, forecasts, or prior-period amounts.
•  The relationship of different sets of data such as nonfinancial operating data and
financial data (for example, comparison of hotel occupancy statistics with revenue data).
Management’s use of reports that drill down and summarize the transactions that make
up sales or cash disbursements may provide an independent check on the accuracy of the
accounting information. For example, a university department chair might review the details of
the payroll that was charged to his or her department on a monthly basis. The quality of this
review may provide control over the occurrence, completeness, and accuracy of payroll
transactions. Management’s analysis of operating performance may serve another purpose similar
to the auditor’s use of analytical procedures in audit planning. That is, management may
develop nonfinancial performance measures that correlate highly with financial outcomes, and
those measures may allow management to detect accounts that might be misstated.
Information-processing controls. Information-processing controls address both IT risks
and risks related to financial statement assertions. These controls are particularly relevant to
the financial statement audit. Most entities, regardless of size, now use IT for data processing
in general and for accounting systems in particular. In such cases, it is useful to further
categorize information-processing controls as general controls and application controls. IT general
controls are the subject of Principle 11 and are discussed in detail in this chapter in the section
“Information Technology (IT) Controls.”
Physical controls. Physical controls are concerned with limiting the following two types
of access to assets and important records: (1) direct physical access and (2) indirect access
through the preparation or processing of documents such as sales orders and disbursement
vouchers that authorize the use or disposition of assets. Physical controls pertain primarily
to security devices and measures used for the safekeeping of assets, documents, records, and
software programs or files. Security devices include on-site safeguards such as fireproof safes
and locked storerooms, and off-site safeguards such as bank deposit vaults and certified public
warehouses. Security measures also include limiting access to storage areas to authorized
personnel. Such controls reduce the risk of theft or misappropriation of assets.
Physical controls also involve the use of mechanical and electronic equipment in executing
transactions. For example, cash registers help to ensure that all cash receipt transactions
are rung up, and they provide locked-in summaries of daily receipts. Finally, physical control
activities include periodic counts of assets and comparison with amounts shown on control
records. Examples include petty cash counts and physical inventory counts.
Segregation of duties. Illustration 6.4 depicts strong segregation of duties.

ILLUSTRATION 6.4  Appropriate segregation of duties
[Figure labels: Authorization of transactions; Maintaining custody of assets; Maintaining recorded
accountability in accounting records; Compare recorded accountability with assets]

Failure to maintain strong segregation of duties makes it possible for an individual to
commit an error or fraud and then be in a position to conceal it in the normal course of his or
her duties. For example, an individual who processes cash remittances from customers (has
access to the custody of assets) should not also have authority to approve and record credits
to customers’ accounts for sales returns and allowances or write-offs (authorize transactions).
In such a case, the individual could steal a cash remittance and cover the theft by recording a
sales return or allowance or bad-debt write-off.
Sound segregation of duties also involves comparing recorded accountability with assets
on hand. For example, sound internal control involves independent bank reconciliations
comparing bank balances with book balances for each bank account. Perpetual inventory records
should also be periodically compared with inventory on hand. Sound segregation of duties
limits the opportunity for individuals to perpetrate fraud.
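The segregation-of-duties review described above, written as an added example that is not part of the original text: it classifies each system permission by transaction cycle and by one of the four duties in Illustration 6.4, flags any user who holds more than one duty in the same cycle, and lists cycles where nobody performs the comparison of records with assets independently. The permission names, user names, cycle names, and the "more than one duty per cycle" rule are assumptions made for illustration.

```python
from collections import defaultdict
from enum import Enum
from typing import NamedTuple


class Duty(Enum):
    AUTHORIZE = "authorization of transactions"
    CUSTODY = "maintaining custody of assets"
    RECORD = "maintaining recorded accountability"
    RECONCILE = "comparing recorded accountability with assets"


class Conflict(NamedTuple):
    user: str
    cycle: str
    duties: tuple  # duty names held in this cycle, sorted


# Hypothetical permission catalogue: permission -> (transaction cycle, duty).
PERMISSION_DUTIES = {
    "cash.receive_remittance": ("receivables", Duty.CUSTODY),
    "cash.prepare_deposit": ("receivables", Duty.CUSTODY),
    "ar.approve_sales_return": ("receivables", Duty.AUTHORIZE),
    "ar.approve_write_off": ("receivables", Duty.AUTHORIZE),
    "ar.post_credit": ("receivables", Duty.RECORD),
    "bank.reconcile": ("receivables", Duty.RECONCILE),
    "inv.issue_stock": ("inventory", Duty.CUSTODY),
    "inv.adjust_perpetual": ("inventory", Duty.RECORD),
    "inv.count_compare": ("inventory", Duty.RECONCILE),
}

# Constructed sample: user -> permissions, as an access review might export them.
ASSIGNMENTS = {
    "alice": ["cash.receive_remittance", "cash.prepare_deposit"],
    # The case from the text: handles remittances and can approve and record credits.
    "bob": ["cash.receive_remittance", "ar.approve_write_off", "ar.post_credit"],
    "carol": ["ar.approve_sales_return"],
    "dave": ["ar.post_credit", "inv.issue_stock"],  # different cycles, no conflict
    "erin": ["bank.reconcile"],
    "frank": ["inv.adjust_perpetual", "inv.count_compare", "legacy.superuser"],
}


def duties_by_user_cycle(assignments, catalogue=PERMISSION_DUTIES):
    """Return (user -> cycle -> set of duties, user -> unclassified permissions)."""
    held = defaultdict(lambda: defaultdict(set))
    unknown = defaultdict(set)
    for user, permissions in assignments.items():
        for permission in permissions:
            if permission not in catalogue:
                # A permission nobody has classified cannot be cleared; report it.
                unknown[user].add(permission)
                continue
            cycle, duty = catalogue[permission]
            held[user][cycle].add(duty)
    return held, unknown


def find_conflicts(assignments, catalogue=PERMISSION_DUTIES):
    """Users who hold more than one duty within a single transaction cycle."""
    held, _ = duties_by_user_cycle(assignments, catalogue)
    conflicts = []
    for user in sorted(held):
        for cycle in sorted(held[user]):
            duties = held[user][cycle]
            if len(duties) > 1:
                names = tuple(sorted(d.name for d in duties))
                conflicts.append(Conflict(user, cycle, names))
    return conflicts


def cycles_without_independent_check(assignments, catalogue=PERMISSION_DUTIES):
    """Cycles where no user holds the RECONCILE duty and nothing else."""
    held, _ = duties_by_user_cycle(assignments, catalogue)
    all_cycles = {cycle for cycle, _ in catalogue.values()}
    covered = {
        cycle
        for cycles in held.values()
        for cycle, duties in cycles.items()
        if duties == {Duty.RECONCILE}
    }
    return sorted(all_cycles - covered)


def unclassified_permissions(assignments, catalogue=PERMISSION_DUTIES):
    """Permissions missing from the catalogue, grouped by user."""
    _, unknown = duties_by_user_cycle(assignments, catalogue)
    return {user: sorted(perms) for user, perms in sorted(unknown.items())}


if __name__ == "__main__":
    for c in find_conflicts(ASSIGNMENTS):
        print(f"CONFLICT {c.user} [{c.cycle}]: {', '.join(c.duties)}")
    print("No independent comparison:", cycles_without_independent_check(ASSIGNMENTS))
    print("Unclassified:", unclassified_permissions(ASSIGNMENTS))
```
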
Principle 11. The organization selects and develops general control activities
over technology to support the achievement of objectives.  IT general controls
are policies and procedures that relate to many software applications and support the effective
functioning of IT application controls. IT general controls function at an entity level to control
a wide variety of IT risks. IT general controls maintain the integrity of information and
security of data. They commonly include controls over:

•  Data center and network operations.
•  System software acquisition, change, and maintenance.
•  Program changes.
•  Access security.
•  Application system acquisition, development, and maintenance.

If IT general controls are weak, it is less likely that IT application controls will be effective,
which would lead the auditor to assess control risk as high. These controls are discussed in
more detail later in this chapter in the section “Information Technology (IT) Controls.”
Principle 12. The organization deploys control activities through policies that
establish what is expected and procedures that put policies into actions.  A
good system of internal control needs to be both properly designed and placed in operation.
At the entity level, management (with board of director oversight) needs to address both the
effectiveness of the design of internal controls and the effectiveness of how internal controls
actually operate. Management and the board of directors should oversee the testing of
internal controls to determine whether they prevent material misstatements or detect and correct
material misstatements on a timely basis.
In understanding the client’s control activities at the entity level, consideration is given
to factors such as:

•  The extent to which performance of control activities relies on IT.
•  Whether the necessary policies and procedures exist with respect to each of the entity’s
activities, including IT security and system development.
•  The extent to which controls included in the organization’s policies are being applied.
•  Whether management has clear objectives in terms of budget, profit, and other
financial and operating goals, and whether these objectives are clearly written, communicated
throughout the entity, and actively monitored.
•  Whether planning and reporting systems are in place to identify variances from planned
performance and communicate such variances to the appropriate level of management.
•  Whether the appropriate level of management investigates variances and takes
appropriate and timely corrective actions.
•  To what extent duties are divided or segregated among different people to reduce the risk
of errors, fraud, or manipulation of results.
•  Whether software is used to control access to data and programs and, if so, the extent to
which segregation of incompatible duties is achieved by implementing these software
controls.
•  Whether periodic comparisons are made of amounts recorded in the accounting system
with physical assets.
•  Whether adequate safeguards are in place to prevent unauthorized access to or
destruction of documents, records, and assets.

Compared to other types of entity-level controls, the auditor finds control activities the
easiest to test because their operation is readily verifiable. For example, the controls
surrounding the counting of inventory can be observed, while management’s integrity is not
observable or easily verified. This concept is covered in more detail in Chapter 8.

Information and Communication
information and communication  the information and communication system relevant to financial
reporting objectives, which includes the accounting system, consists of methods and records
established to identify, assemble, analyze, classify, record, and report entity transactions
(as well as events and conditions) and to maintain accountability for the related assets and
liabilities; communication involves a clear understanding of individual roles and
responsibilities pertaining to ICFR
The role of information systems is to capture and exchange the information needed to conduct,
manage, and control an entity’s operations. The quality of information and communication
affects management’s ability to make appropriate decisions in controlling the organization’s
activities and to prepare reliable financial reports. Information and communication
involve capturing and providing information to management and employees so that they can
carry out their responsibilities, including providing an understanding of individual roles and
responsibilities as they relate to internal controls over financial reporting.
An effective system of information and communication requires management and the
board of directors to implement the following three principles.
Principle 13. The organization obtains or generates and uses relevant,
quality information to support the functioning of internal control.  Information is
needed at all levels of the entity to run the business, and to assist in the achievement of
financial reporting, operating, and compliance objectives. An array of information is used.
Financial information, for instance, is used not only in developing financial reports for external
dissemination; it may also be used for operational decisions, such as monitoring performance
and allocating resources. Similarly, operating information (for example, airborne particle
emissions, personnel data) may be needed to achieve compliance and financial reporting
objectives, as well as operating objectives. However, certain operating information (for example,
purchases and sales data) is essential for developing financial reports. As such, information
developed from internal and external sources, both financial and nonfinancial, is relevant to
all three objectives.
Information is identified, captured, processed, and reported by information systems.
Information systems may be computerized, manual, or a combination thereof. The term
“information systems” is frequently used in the context of processing internally generated data
relating to transactions (for example, sales) and internal operating activities (for example,
production processes). However, information systems as they relate to internal controls are much
broader—they also deal with information about external events, activities, and conditions.
Auditors are most interested in the information systems that are relevant to the financial
reporting objective. AU-C 315.A92 states that the information systems relevant to financial
reporting objectives, which includes the accounting system, consist of the procedures and
records designed and established to:
•  Initiate, authorize, record, process, and report entity transactions (as well as events and
conditions) and maintain accountability for the related assets, liabilities, and equity.
•  Resolve incorrect processing of transactions (for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis).
•  Process and account for system overrides or bypasses to controls.
•  Transfer information from the transaction-processing system to the general ledger.
•  Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and change in the
recoverability of accounts receivable.
•  Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized, and appropriately reported in
the financial statements.

Principle 14. The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support
the functioning of internal control.  Communication by an entity of roles and
responsibilities related to operations, financial reporting, and compliance objectives involves
providing an understanding of individual roles and responsibilities. It is important for senior
management to communicate a clear message that internal control responsibilities are to be
taken seriously. It is important for employees to believe that their supervisors really want to
know about problems, and that the supervisors take necessary actions. Communication of
information within the entity often includes clearly stating control objectives, the importance
and benefits of effective internal control, roles and responsibility in performing controls, and
the expectations to communicate within the entity significant issues related to internal control,
including noncompliance with controls or policies. Many public companies also have
hotlines for confidential reporting of suspected violations of policies, codes of conduct, or
other concerns employees may have about financial reporting.
Principle 15. The organization communicates with external parties regarding
matters affecting the functioning of internal control.  There are a number of
ways communication with external parties may improve the system of internal control. For
example, it is important for an entity to consider how it receives information from customers
regarding incorrect billings, late shipments, or shipments of incorrect items. An entity also
should consider how it receives information from vendors regarding late payments or
incorrect payments. If this information goes to an independent party within the entity, it will
provide feedback on the effectiveness of the entity’s system of internal control. It is also
important for a company to consider how it shares information within the entity regarding regulatory
examinations or tax audits.
An entity may also want to communicate its code of conduct with vendors, so that
vendors understand the entity’s values and ethical culture prior to doing business. Ultimately,
public companies need to communicate with stakeholders and the SEC regarding any
material weaknesses in ICFR.

Cloud 9 - Continuing Case

Josh has significant experience in understanding information systems and, based on the interview
with David Collier, which covered the information systems at a high level, Josh can conclude
that the entity-level controls in this area are likely to be effective. Josh will gather further
information in an interview with Cloud 9’s financial controller, Carla Johnson. Based on this
second interview and a review of the company’s documents, he and Suzie will write a description
of their understanding of the processes used in each of the major transaction cycles.

Monitoring Activities
After establishing and maintaining internal controls, management must monitor the controls to
assess whether they are operating as intended. Over time, systems of internal controls change,
and the way controls are applied may evolve. Also, the circumstances for which the system of
internal controls was originally designed may change, causing it to be less effective in warning
management of risks brought about by new conditions. Accordingly, management needs to
determine whether its internal controls continue to be relevant and able to address new risks.
Effective processes to monitor controls require management and the board of directors to
implement the following two principles.
monitoring  a process that assesses the quality of internal control performance over time.
It involves assessing the design and operation of controls on a timely basis and taking necessary
corrective actions
Principle 16. The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control
are present and functioning.  Monitoring is a process of assessing the quality
of internal control performance over time, considering whether controls are operating as
intended, and making sure controls are modified as appropriate for changes in conditions. It
involves assessing the design and implementation of controls on a regular basis and taking
necessary corrective actions. This process is accomplished through ongoing activities and
separate evaluations, or a combination of the two.
Ongoing monitoring procedures are built into the normal recurring activities of the entity
and include regular management and supervisory activities. For example, managers of sales,
purchasing, and production at divisional and corporate levels should understand the entity’s
operations and question the accuracy of reports that differ significantly from their knowledge
of operations. Monitoring activities may include using information obtained from communications
with external parties. For example, an entity’s customers ordinarily verify and corroborate
their billing data by paying their invoices or by complaining about overcharging or other errors.
Much of the information used in monitoring is produced by the entity’s information systems.
If management assumes that data used for monitoring is accurate without having a basis
for the assumption, errors may exist in the information, potentially leading management to
incorrect conclusions about its monitoring activities.
One of the most common monitoring activities is the internal audit function. In many
organizations, internal auditors (or personnel performing similar functions) contribute to
the monitoring of the client’s activities through separate evaluations. They regularly provide
information about the functioning of internal controls, focusing considerable attention on
the evaluation of the design and implementation of controls. They communicate information
about strengths and weaknesses and make recommendations for improving internal control.
The importance that a company places on its internal audit function also provides evidence
about its overall commitment to internal control. Refer to Chapter 5 for a discussion of how
external auditors may use the work of internal auditors.
Principle 17. The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as
appropriate.  As discussed above, an entity may learn about deficiencies in internal control
from sources such as outside customers or vendors, managers evaluating the accuracy of the
information about the objectives for which they are held accountable, information that may
surface through hotlines, and regular ongoing evaluation by management or internal auditors.
The monitoring function is most effective when deficiencies are reported to those responsible
for taking corrective action on a timely basis. It is also common for any deficiency to be
reported to management at least one level above the individuals responsible for taking corrective
action. Senior management and the board of directors should get a report of deficiencies
noted and corrective actions taken on a regular basis.
When the auditor obtains an understanding of the client’s monitoring processes at the
entity level, the auditor considers factors such as the following:

•  Whether periodic evaluations of internal control are made.
•  The extent to which personnel, in carrying out their regular duties, obtain evidence as to
whether the system of internal controls continues to function.
•  The extent to which communications from external parties corroborate internally
generated information, or indicate problems.
•  Whether management implements internal control recommendations made by internal
and external auditors.
•  Management’s approach to correcting known significant deficiencies on a timely basis.
•  Management’s approach to dealing with reports and recommendations from regulators.
•  The existence of an internal audit function that management uses to assist in its
monitoring activities.
•  Evaluations or observations made by the external auditors.

Cloud 9 - Continuing Case

In the interview with David Collier, Sharon and Josh ask questions about both the control
activities and the monitoring of those activities at Cloud 9. Sharon and Josh are particularly
interested in the systems used at the company to make sure that information about management’s
plans is transmitted throughout the organization and that there are policies and procedures to
ensure that the appropriate actions are taken and reviewed.
In addition to asking David Collier about these matters, Suzie reads the policy and procedures
manuals. Josh and Suzie then take a tour of the offices and other facilities. For example, Cloud 9
has a tightly structured system of performance reviews. Managers at each level must report
financial and operating performance against budgets at regular intervals. Higher-level managers
are able to access information about activities within their area of responsibility for monitoring
purposes through the information system. Although there have been some issues with theft of goods
from the retail store, the losses have been contained following the installation of additional
security, including cameras. Josh and Sharon have been particularly impressed with Cloud 9’s
thorough approach to appropriate segregation of duties.
Josh is able to conclude that, at an entity level, there is sufficient evidence that these
controls are potentially effective. He asks Suzie to review the specific controls that affect
transaction processes in more detail and document their understanding of these processes.

Internal Control in Small Entities


In smaller entities, there are often limitations surrounding the entity’s ability to put effective
internal controls in place. This is due to the limited number of employees, which in turn
impacts the ability of the organization to segregate duties. Also, it is often not practical for
smaller organizations to create an appropriate paper trail of documentation that allows an
assessment of internal controls to be made.
However, despite the size limitations of these entities, internal controls may still exist.
Ordinarily in smaller businesses there is an owner-manager (and primary stakeholder in the
business) who is heavily involved in the day-to-day running of the business. This can be both a
strength and a weakness. It is a strength (assuming the owner-manager is competent) because
he or she is closely involved in the business and day-to-day operations, including the selling of
goods and services as well as the daily cash management of the operations. Effective
owner-manager performance reviews make it unlikely that material errors that might occur would not
be detected by the owner-manager. It is also a weakness because that same owner-manager is
in a position to override internal controls.
The risk of management override can be reduced by establishing documented policies
and procedures. However, if no such procedures or controls are in place, the risk of
management override will need to be reduced from an audit perspective by the performance of
additional audit procedures (through an increase in substantive procedures).

Professional Environment  Human Risks

Why do controls fail? Once a computer is programmed to do something, it will keep doing exactly
what it is programmed to do. Will employees do exactly what they are told to do, every time? A
perfect control is no match for the employee who doesn’t know how to operate the control or isn’t
careful. In an article explaining the human side of risk,³ Russell Jackson urges internal auditors
to take a careful look at the human element of risk by considering how controls are used by
employees, and to not just concentrate on evaluating the design of control systems within
organizations. External auditors also need to recognize that financial reporting misstatement risk
does not simply come from an organization’s processes or controls, but from the people behind the
processes and controls who might make mistakes or commit fraud.
Human risks are perennial because they are among the most difficult to define, control, and
manage.⁴ A report conducted by Ernst & Young (EY)⁵ shows that human resource (HR) issues rank
among the top five business risks to a company’s results. The EY report contains the results from
surveying senior finance, accounting, risk, and HR executives at 150 Fortune 1000 companies. The
executives were asked to rank the HR issues that they perceived as having a high impact and
likelihood of occurrence within a global organization. The top five HR issues were:
1.  Talent management and succession planning.
2.  Ethics/tone at the top.
3.  Regulatory compliance.
4.  Pay and performance alignment.
5.  Employee training and development.
The executives in these 150 companies were also asked about the methods used to monitor these
risks. The results show that 41% of executives surveyed admit to reviewing these risks on an ad hoc
basis or never.⁶ These results reinforce the view that HR issues are not managed effectively in
many organizations.
One aspect of HR risk that is closely related to external auditing is the effect of HR policies on
promoting and communicating ethical values throughout the organization and ensuring that the
appropriate “tone at the top” trickles down through the organization. The EY survey revealed that
these issues have become more visible and significant in recent years, possibly as a result of
adverse publicity about corporate ethics. However, although ethics is becoming more significant as
a HR risk, the executives responding to the survey rated the likelihood of ethical problems arising
throughout the organization as low. The survey’s authors suggest HR executives should pay more
attention to the alignment between values espoused by company management in public arenas and
actual practices by employees at all levels within the organization.⁷

Before You Go On
2.1  What are the five components of internal control?
2.2  Briefly explain the important aspects of a strong control environment.
2.3 Explain the key elements of the client’s risk assessment process and how they interact with
other components of internal control.
2.4 What are the five common categories of control activities? Why is segregation of duties
important when understanding internal control?
2.5  Briefly explain the information and communication component of internal control.
2.6 Develop several examples of monitoring activities that an auditor might expect to find in
entity-level controls.

3 R. Jackson, “The Human Side of Risk,” Internal Auditor, vol. 64, no. 5 (October 2007), pp. 38–44.
4 Ernst & Young, 2008 Global Human Resources (HR) Risk: From the Danger Zone to the Value Zone, Accelerating Business Improvement by Navigating HR Risk (2008), p. 5, www.ey.com.
5 Ernst & Young, 2008.
6 S. Steffee, “HR Risks Are Largely Ignored,” Internal Auditor, vol. 65, no. 6 (December 2008), pp. 14–15.
7 Ernst & Young, 2008.

Transaction-Level Internal Controls


Learning Objective 3
Explain and evaluate internal controls at the transaction level.

Now that we have discussed entity-level controls, we will briefly overview transaction-level controls. Transaction-level controls are discussed in more detail in Chapters 8, 11, 12, and 13. As explained previously, entity-level controls are at the entity-wide or whole-organization level and have the potential to impact all of the processes management puts in place for the entire organization.
As the name suggests, transaction-level controls are controls that affect a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial statements. Transaction-level controls are those controls that respond to things that can go wrong with transactions. They need to be sensitive enough to either prevent an error from occurring, or to detect the error, report it, and have it corrected on a timely basis. These controls are referred to as preventive and detective controls and are explained further in Chapter 8.

transaction-level controls  controls that affect a particular transaction or group of transactions

An important process used for developing an audit strategy for various assertions involves
the following steps:

1. Understand entity-level controls.
2. Understand the flow of transactions.
3. Identify what can go wrong (WCGW) for financial statement assertions.
4. Identify relevant controls to test.
5. Determine a preliminary audit strategy.
6. Perform tests of controls.
7. Evaluate audit evidence, assess control risk, and reevaluate audit strategy (if necessary).
8. Report internal control weaknesses to those charged with governance.

Steps 2–5 focus significant attention on understanding internal controls at the transaction level. The auditor often obtains this understanding by performing a walkthrough of a transaction cycle, such as the sales process or a cash receipts process. A walkthrough involves following a transaction from initiating the transaction until it is recorded in the financial records. The auditor will understand the documents used by the client, as well as the entity’s use of information technology. The auditor will often ask questions of the entity’s personnel about their understanding of their responsibilities and controls that they are involved in. Through inquiry and observation, the auditor obtains an understanding of transaction-level controls as well as the adequacy of segregation of duties. The discussion below provides examples of the flow of a transaction from initiating the transaction, to exchanging the title to a good or service, to recording the transaction in the general ledger.

walkthrough  following a transaction from initiating the transaction until it is recorded in the financial records

Example Transaction Flows—Sales Process


The transaction flow in a typical sales process for a client that sells goods includes processing orders, approving credit, shipping goods, invoicing customers, and recording sales and accounts receivables. The transaction flows for a client that sells services are similar but instead of shipping goods the client sells or performs the services.
Common documents and files that are found in the process of selling goods include:

•  Customer master file—An electronic file containing the customer shipping and billing
information and the customer credit limit.
6-20  Chapter 6  Gaining an Understanding of the Client’s System of Internal Control

•  Sales order—A client-prepared prenumbered document that includes customer information,
description and quantity of what was ordered, terms of sale, and authorization of
the sales order.
•  Bill of lading—A shipping document that serves as acknowledgement of receipt of goods
for delivery by a freight carrier.
•  Packing slip—A client-prepared document with the details of items included in a
shipment.
•  Sales invoice—A client-prepared document stating the particulars of a sale, including the
amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis
for recording a sale in the sales journal.
•  Sales cycle database—Electronic files that accumulate data on sales, cash receipts, and
accounts receivable.
•  Monthly statements of receivable balances—A report sent to each customer showing the
beginning receivable balance, transactions during the month, and the ending receivable
balance.

This chapter will discuss sales in the context of a client that sells goods. Examples of risks
and controls that can be put in place relating to sales are described in Illustration 6.5.

ILLUSTRATION 6.5   Sales process example risks and controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control | Key Assertion* |
|---|---|---|---|---|
| Initiating Credit Sales | Customer master file | Sales may be made to unauthorized customers | Only a limited number of individuals can change the customer master file and all file changes are reviewed by appropriate levels of management | Occurrence, Valuation and allocation |
| | Sales order | Sales may be made to unauthorized customers | The software application matches the customer on the sales order with the customer master file | Occurrence, Accuracy |
| | Sales order | Sales may be made without credit approval | The software application matches amount of sales order with credit authorization on the customer master file | Occurrence, Valuation and allocation |
| Delivering Goods | Perpetual inventory | Goods may be released from warehouse for unauthorized orders | The software application matches all goods pulled from inventory (perpetual inventory) to approved sales order | Occurrence |
| | Bill of lading and packing slip | Products are shipped without shipping documents being generated | Application control generates packing slip and delivery documentation when order is processed | Accuracy, Completeness |
| | | Goods ordered may not be shipped | The software application prints a report of all unfilled sales orders | Completeness |
| Recording Sales | Sales invoice | Some shipments may not be billed | The software application prints a report of all bills of lading not matched with sales invoices. Invoices are prenumbered and accounted for | Completeness |
| | Sales invoice | Billing may be made for fictitious transactions, or duplicate billing may be made | The software application matches sales invoice information with underlying shipping information | Occurrence |
| | Sales invoice | Sales invoices may be recorded in the incorrect accounting period | The software application matches sales invoice date with accounting period in which goods are shipped | Cutoff |
| | Sales invoice | Sales invoices may be recorded in the incorrect amount | The software application matches sales invoice quantities with shipping information and prices with master price list | Accuracy |
| | Sales invoice; Sales cycle database | Invoices may not be journalized or posted to customer accounts | The software application checks run-to-run total of beginning receivables, plus sales transactions with the sum of ending receivables. | Accuracy, Completeness |
| | Sales invoice | Sales invoices may be billed to the wrong customer | The software application matches customer number on sales invoice with customer number of sales order and bill of lading | Accuracy |
| | Monthly statements of receivable balances | Customers may be billed incorrect amounts | Mailing of monthly statements with independent follow-up on customer complaints | Completeness, Occurrence, Accuracy, Cutoff |

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.
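
The matching controls in Illustration 6.5 amount to exception reports run across the sales order, shipping, and billing files. The following Python code is an added example, not code from the textbook; the record layouts, document numbers, and the use of calendar months as accounting periods are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (assumption: not data from the textbook).
SALES_ORDERS = ["SO-1001", "SO-1002", "SO-1003", "SO-1004"]  # approved orders
BILLS_OF_LADING = [
    {"bol": "BL-501", "order": "SO-1001", "customer": "C-01", "qty": 10,
     "shipped": date(2024, 12, 30)},
    {"bol": "BL-502", "order": "SO-1002", "customer": "C-02", "qty": 4,
     "shipped": date(2025, 1, 2)},
    {"bol": "BL-503", "order": "SO-1003", "customer": "C-03", "qty": 7,
     "shipped": date(2024, 12, 31)},
]
SALES_INVOICES = [
    {"inv": "INV-9001", "bol": "BL-501", "customer": "C-01", "qty": 10,
     "date": date(2024, 12, 30)},
    # Invoiced in December for goods shipped in January, with the wrong quantity.
    {"inv": "INV-9002", "bol": "BL-502", "customer": "C-02", "qty": 5,
     "date": date(2024, 12, 31)},
    # Second invoice for a shipment that was already billed.
    {"inv": "INV-9003", "bol": "BL-501", "customer": "C-01", "qty": 10,
     "date": date(2024, 12, 30)},
    # Invoice that refers to a bill of lading that does not exist.
    {"inv": "INV-9004", "bol": "BL-777", "customer": "C-04", "qty": 3,
     "date": date(2024, 12, 29)},
]


def period(d):
    """Accounting period of a date; calendar months are an assumption."""
    return (d.year, d.month)


def sales_exception_report(orders, bols, invoices):
    """Run the matching controls and return one exception list per risk."""
    bol_by_no = {b["bol"]: b for b in bols}
    invoices_by_bol = defaultdict(list)
    for inv in invoices:
        invoices_by_bol[inv["bol"]].append(inv)
    shipped_orders = {b["order"] for b in bols}

    report = {
        # Completeness: goods ordered may not be shipped.
        "unfilled_orders": [o for o in orders if o not in shipped_orders],
        # Occurrence: goods released for orders that were never approved.
        "unauthorized_shipments": [b["bol"] for b in bols
                                   if b["order"] not in orders],
        # Completeness: bills of lading not matched with sales invoices.
        "unbilled_shipments": [b["bol"] for b in bols
                               if b["bol"] not in invoices_by_bol],
        # Occurrence: billing with no underlying shipping information.
        "invoices_without_shipment": [i["inv"] for i in invoices
                                      if i["bol"] not in bol_by_no],
        # Occurrence: one shipment billed more than once.
        "duplicate_billing": {bol: [i["inv"] for i in invs]
                              for bol, invs in invoices_by_bol.items()
                              if len(invs) > 1},
        "cutoff": [], "quantity": [], "customer": [],
    }
    for inv in invoices:
        bol = bol_by_no.get(inv["bol"])
        if bol is None:
            continue  # already listed under invoices_without_shipment
        if period(inv["date"]) != period(bol["shipped"]):
            report["cutoff"].append(inv["inv"])      # wrong accounting period
        if inv["qty"] != bol["qty"]:
            report["quantity"].append(inv["inv"])    # wrong amount
        if inv["customer"] != bol["customer"]:
            report["customer"].append(inv["inv"])    # wrong customer
    return report


if __name__ == "__main__":
    for risk, items in sales_exception_report(
            SALES_ORDERS, BILLS_OF_LADING, SALES_INVOICES).items():
        print(f"{risk}: {items}")
```

Each list in the report still requires manual follow-up; the program only identifies the items.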

Example Transaction Flows—Cash Receipts


The cash receipts function, which includes the processing of receipts from cash and credit sales, involves the following subfunctions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. As in the case of credit sales transactions, segregation of duties in performing these subfunctions is an important internal control. Today, many cash receipts involve the electronic transfer of funds and cash is received directly by the bank. Alternatively, in some circumstances, cash or checks may be received by the entity that is responsible for both receiving and depositing cash.
A major risk in processing cash receipts transactions is the possible theft of cash before or
after a record is made of the cash receipt. Thus, control procedures should provide reasonable
assurance that documentation establishing accountability is created at the moment cash is
received and that cash is subsequently safeguarded.
Common documents and files that are found in the cash receipts process include:
•  Remittance advice—A document received from the customer showing details of payments
made by the customer.
•  Prelist of cash receipts—An internally prepared document showing the listing of cash
received from customers.
•  Remittance report from the bank—A document prepared by the bank showing the details
of electronic funds transfers received by the bank from customers.
•  Bank deposit slip—A receipt from the bank showing the total amount deposited with the
bank.
•  Sales cycle database—Electronic files accumulating data on sales, cash receipts, and
accounts receivables.
•  Independent bank reconciliation—Independent person reconciles cash account in the
general ledger with the bank statement from the bank.
•  Monthly statements of receivable balances—A report sent to each customer showing the
beginning receivable balance, transactions during the month, and the ending receivable
balance.
Examples of what can go wrong and controls that can be put in place relating to cash
receipts are shown in Illustration 6.6.

ILLUSTRATION 6.6   Cash receipts process example risks and controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control | Key Assertion* |
|---|---|---|---|---|
| Receiving Cash | Prelist of cash receipts | Cash sales may not be recorded | Use of cash registers or point-of-sale devices | Completeness |
| | Prelist of cash receipts | Mail receipts may be lost or misappropriated after receipt | Immediate preparation of prelist of mail receipts; restrictive endorsement of checks immediately upon receipt | Completeness |
| | Prelist of cash receipts; Remittance advices | Checks received may not agree with prelist of cash | Independent check of agreement of remittance advices with prelisting of cash received | Completeness, Occurrence, Accuracy |
| Depositing Cash | Bank deposit slip; Prelist of cash receipts; Bank remittance report | Cash may not be deposited intact daily | Independent check of agreement of prelisting of cash receipts or bank remittance report with validated deposit slip | Completeness, Accuracy |
| Recording Cash Receipts | Sales database; Prelist of cash receipts; Bank remittance report | Cash receipts may be recorded in error | Software application agreement of amounts journalized and posted with the prelist of cash receipts or bank remittance report | Completeness, Occurrence, Accuracy, Cutoff |
| | Independent bank reconciliation | Errors may be made in journalizing cash receipts | Preparation of periodic independent bank reconciliations | Completeness, Occurrence, Accuracy, Cutoff |
| | Monthly statement to customers | Receipts may be posted to the wrong customer account | Mailing of monthly statements to customers | Completeness, Occurrence, Accuracy, Cutoff, Classification |

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.

Audit Reasoning Example  Transaction-Level Internal Controls

Jonathan Briggs (an audit manager) was talking with Marisa Sherwani (an audit senior) about the
audit of a private company with retail hardware operations in thirty states. Jonathan states: “I have
reviewed the work that you and the team have done to document the revenue process, purchases
process, and payroll process. While you have documented the transaction flow from initiating the
transaction to the general ledger, now I want you to turn your attention to the period-end financial
reporting process. Adjusting journal entries and consolidating entries can have a material impact
on the client’s financial statements. Specifically, I want you to pay attention to:

•  The locations involved in the month-end reporting process.
•  The financial inputs used, adjusting and consolidating journal entries developed, reviews
performed, and outputs used by the company to produce the monthly and annual financial
statements.
•  The extent of involvement of IT in each month-end reporting process.
•  Who participates from management in this process.
•  The types of adjusting and consolidating entries developed at month-end.
•  The nature and extent of the oversight of the process by management, the board of directors,
or the audit committee.”

Before You Go On
3.1  What is the difference between entity-level controls and transaction controls?
3.2  Explain the process of a system walkthrough.
3.3 Explain one risk, and corresponding control to address the risk, for each assertion related to
credit sales transactions.
3.4 Explain one risk, and corresponding control to address the risk, for each assertion related to
cash receipt transactions.

Information Technology (IT) Controls


Learning Objective 4
Explain and evaluate information technology (IT) controls.

Benefits and Risks of IT Systems


In order to understand internal control in an IT environment, it is important to understand
the benefits and risks of IT systems.
The major benefits of IT systems over manual systems include the following:

•  IT systems can provide greater consistency in processing than manual systems because
they uniformly subject all transactions to the same controls.
•  More timely software-generated accounting reports may provide management with
more effective means of analyzing, supervising, and reviewing the operations of the
company.
•  IT systems enhance the ability to monitor the entity’s performance and activities.

Important risks of IT systems over manual systems include the following:

•  The IT system may produce a transaction trail that is available for audit for only a short
period of time.
•  There is often less documentary evidence of the performance of control procedures in
IT systems.
•  Files and records in IT systems are usually in machine-sensible form and cannot be read
without a computer.
•  The decrease of human involvement in IT processing can obscure errors that might be
observed in manual systems.
•  IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and
mechanical malfunction than information in manual systems.
•  Various functions may be concentrated in IT systems, with a corresponding reduction in
the traditional segregation of duties followed in manual systems.
•  Changes in the system are often more difficult to implement and control in IT systems
than in manual systems.
•  IT systems are vulnerable to unauthorized changes in programs, systems, or data in
master files.
•  Reliance is placed on systems that process inaccurate data, process data inaccurately, or
both.
•  Unauthorized access to data may result in the destruction of data or improper changes to
data, including the recording of unauthorized or nonexistent transactions, or inaccurate
recording of transactions.
•  There may be inappropriate or unauthorized manual intervention.

Many IT risks are controlled by layering control activities. Illustration 6.7 provides an important overview of IT control activities and describes how controls function in IT systems, regardless of the methods of input, data organization, data processing, or output devices. The following paragraphs describe the control procedures depicted in Illustration 6.7.
IT general controls at the entity level control program development, program changes, computer operations, and access to programs and data. They represent a higher level of controls designed to provide reasonable assurance that individual software applications operate consistently and effectively. General controls will be discussed in more detail in the next section, “IT General Controls.”

ILLUSTRATION 6.7   Information technology controls

[Figure: flowchart with boxes labeled Data input; IT general controls; IT application controls during processing of transaction; Output of processed transactions and reports; Exception reports; User controls over assertions; Manual follow-up.]

Another layer of control is provided by IT application controls, which are designed to prevent or detect potential misstatements in specific transaction processes. For purposes of illustration, consider the processing of a sales order. When a sales order is input, the software application subjects the data to application controls that check, for example, the validity of a customer number or whether a customer has reached its credit limit. IT application controls are designed to provide reasonable assurance that the IT system records, processes, and reports data properly for specific purposes, such as sales, purchases, payroll, or inventory control. IT application controls will be discussed in more detail in the section “IT Application Controls.”
The output of processing and IT application controls is usually twofold. First, the software will process and produce transactions and reports. In some systems, the processed transactions or reports will be subject to manual controls such as supervisory review. Second, the system generates exception, or error, reports. Some exception reports may appear on a screen, such as an edit check of the validity of a customer number. Some exception reports may result in printed reports, such as all daily transactions where customers exceeded their credit limit. In either case, people must follow up on the exceptions noted by the software application. The effectiveness of the control depends on the effectiveness of both the programmed application control and the manual follow-up.
In some instances, software programs only process and record data, and data input to the
system is not subject to IT application controls that might identify potential misstatements. In
such cases, other controls must be applied. These are discussed in the section “IT-Dependent
Manual Controls.”

IT General Controls
The purpose of IT general controls is to control program development, program changes, computer operations, and to secure access to programs and data. The following five types of IT general controls are widely recognized:

IT general controls  controls of program development, program changes, computer operations, and access to programs and data; these entity-level controls are designed to provide reasonable assurance that individual software applications operate consistently and effectively

1.  Data center and network operations controls address the segregation of duties within the IT department and between IT and user departments. A critical component is segregating access to programs from access to data files. Weakness in these controls usually affects all IT applications.
2.  System software acquisition, change, and maintenance controls relate to software programs that are designed to operate and control the hardware and to provide a platform for running application software. The controls focus on both acquiring new operating systems and ensuring the integrity of operating systems over time. If system software is subject to unauthorized changes or poor maintenance, there is an increased risk that IT application controls will not function as designed.
3.  Program change controls are designed to provide assurance that changes to software applications are introduced in a controlled and coordinated manner. Unauthorized changes create a significant risk that software applications will not function consistently over time. Programs should be changed with forethought, and changes should be tested and reviewed by users before they are approved for use with live data.
4.  Access controls are designed to prevent unauthorized use of IT equipment, data files, and software programs. The specific controls include a combination of physical, software (password controls), and procedural safeguards.
5.  Application system acquisition, development, and maintenance controls focus on controlling specific software applications, such as a sales or inventory application. The controls focus on the acquisition of new application software, controlling changes to that software, and ensuring that the software is maintained without unauthorized changes.

IT general controls pertain to the IT environment and all IT activities as opposed to a single IT application. Because of the pervasive character of IT general controls, if the auditor is able to obtain evidence that IT general controls function effectively, then the auditor also has important assurance that individual application systems may be properly designed and operate consistently during the period under audit. For example, strong IT general controls involve regular testing and review of individual programs that process sales, cash receipts, payroll, and many other transactions. Alternatively, deficiencies in IT general controls may affect many applications and may prevent the auditor from assessing control risk below the maximum for many applications and transaction processes.
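
Two of the IT general controls above, program change controls and the segregation of access to programs from access to data files, can be checked directly against a change log and an access listing. The following Python code is an added example, not code from the textbook; the record layouts, user names, and the entitlement names "program:write" and "data:write" are hypothetical, and the sample records are constructed.

```python
# Constructed records (assumption): a program change log and a system access
# listing of the kind an IT manager might provide to the audit team.
USER_DEPARTMENT_STAFF = {"ar_clerk", "payroll_sup"}
CHANGE_LOG = [
    {"id": "CHG-01", "program": "billing", "developer": "dev_ana",
     "authorized_by": "it_mgr", "user_tested_by": "ar_clerk",
     "in_production": True},
    {"id": "CHG-02", "program": "billing", "developer": "dev_ana",
     "authorized_by": None, "user_tested_by": "ar_clerk",
     "in_production": True},
    {"id": "CHG-03", "program": "payroll", "developer": "dev_raj",
     "authorized_by": "it_mgr", "user_tested_by": "dev_raj",
     "in_production": True},
    {"id": "CHG-04", "program": "inventory", "developer": "dev_raj",
     "authorized_by": "it_mgr", "user_tested_by": None,
     "in_production": False},
]
ACCESS_LISTING = {  # user -> hypothetical entitlement names
    "dev_ana": {"program:write"},
    "dev_raj": {"program:write", "data:write"},
    "ops_kim": {"data:write", "job:run"},
    "ar_clerk": {"data:write"},
}


def change_control_exceptions(change_log, user_staff):
    """Return {change id: [reasons]} for changes running against live data."""
    exceptions = {}
    for change in change_log:
        if not change["in_production"]:
            continue  # not yet used with live data, so nothing to report
        reasons = []
        if not change["authorized_by"]:
            reasons.append("no authorization on file")
        elif change["authorized_by"] == change["developer"]:
            # Assumption beyond the text: self-authorization is also flagged.
            reasons.append("authorized by its own developer")
        if change["user_tested_by"] not in user_staff:
            # The text expects testing and review by users before live use.
            reasons.append("not tested by a user department")
        if reasons:
            exceptions[change["id"]] = reasons
    return exceptions


def program_and_data_access(access_listing):
    """Users holding both program-change and data-file write access."""
    conflict = {"program:write", "data:write"}
    return sorted(user for user, rights in access_listing.items()
                  if conflict <= rights)


def itgc_report(change_log, access_listing, user_staff):
    """Combine both checks into one report for manual follow-up."""
    return {
        "change_exceptions": change_control_exceptions(change_log, user_staff),
        "program_and_data_access": program_and_data_access(access_listing),
    }


if __name__ == "__main__":
    print(itgc_report(CHANGE_LOG, ACCESS_LISTING, USER_DEPARTMENT_STAFF))
```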

Cloud 9 - Continuing Case


Josh finds that he is spending a great deal of time with Will Burton, Cloud 9’s IT manager. Josh and Suzie have a number of questions for Will about what software programs are designed within the accounting system to process transactions; whether there have been any changes to those programs during the year; how changes are authorized, reviewed, and tested; who has access to programs and data files; and how access to programs and data is protected. Will walks the audit team through Cloud 9’s principal data center, showing them various physical controls, and printouts and reports that Will receives regarding changes to system access and changes to various programs. Suzie inspects documentation regarding program changes, their authorization, and testing. The team is focused on adequacy of segregation of duties; controls over program changes, maintenance and updates; access controls, and plans for hardware and software upgrades.
At this point, Suzie and Josh are just trying to obtain an understanding of IT general controls at Cloud 9. They know that testing will come later. When they are finished, Josh is satisfied that Cloud 9 has addressed the control issues that he is most concerned about. Overall the system design appears to be operating as planned, based on their questions, observation of Cloud 9 personnel, and preliminary inspection of reports from Cloud 9’s IT system. If tests of controls show that IT general controls are effective, this will make testing applications more efficient, and increase the probability that the audit team can use a reliance on controls approach during the audit. Strong IT general controls are also critical to giving Cloud 9 an unqualified opinion on internal controls over financial reporting.

IT Application Controls
The purpose of IT application controls is to use the power of information technology to control transactions in individual transaction cycles. Therefore, IT application controls will differ for each transaction cycle (e.g., sales vs. inventory controls).

IT application controls  controls designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specific applications

The following three groups of application controls are widely recognized:

•  Input controls.
•  Processing controls.
•  Output controls.

These controls are designed to provide reasonable assurance that the recording, processing, and reporting of data by an IT system are properly performed for specific applications. Thus, the auditor must consider these controls separately for each significant accounting application, such as billing customers or preparing payroll checks.
In today’s IT environment, IT application controls execute the function of independent checks by (1) using programmed application controls to identify transactions that contain possible misstatements and (2) having people follow up and correct items noted as an exception. The following discussion explains how programmed controls may be used to identify items that should be reported as exceptions.

Input controls are program controls designed to detect and report errors in data that are input for processing. They are of vital importance in IT systems because most of the errors occur at this point. Input controls are designed to provide reasonable assurance that data received for processing have been properly authorized and converted into machine-sensible form. These controls also include the people who follow up on the rejection, correction, and resubmission of data that were initially incorrect.
Controls over the conversion of data into machine-sensible form are intended to ensure that the data are correctly entered and converted data are valid. Examples of input controls are provided in Illustration 6.8. The correction and resubmission of incorrect data are vital to the accuracy of the accounting records. If the processing of a valid sales invoice is stopped because of an error, both accounts receivable and sales will be understated until the error is eliminated and the processing completed. Furthermore, strong controls create a log of potential misstatements, and the data control group is required to periodically review their disposition.

ILLUSTRATION 6.8   Example IT application controls

Input Controls

•  Verification controls. Data input for processing is compared with information contained on master files, or other data independently entered at earlier stages of a transaction.
•  Missing data check. This check ensures that all required data fields have been completed and no blanks are present.
•  Valid character check. This check verifies that only alphabetical, numerical, or other special characters appear as required in data fields.
•  Limit (reasonableness) check. This check determines that only data falling within predetermined limits are entered (e.g., time cards exceeding a designated number of hours per week may be rejected).
•  Valid code check. Classification (e.g., expense account number) or transaction codes (e.g., cash receipts entry) are agreed to the master list of codes permitted for the type of transaction to be processed.

Processing Controls

•  Control totals. Provision for accumulating control totals is written into the software program to facilitate the balancing of input totals with processing totals for each run. Similarly, run-to-run totals are accumulated to verify processing performed in stages.
•  Limit and reasonableness checks. A limit or reasonableness test would compare computed data with an expected limit (e.g., the product of payroll rates times hours worked would be included on an exception report and not processed if it exceeded a predetermined limit).
•  Before-and-after report. This report shows a summary of the contents of a master file before and after each update.
•  Sequence tests. If transactions are given identification numbers, the transaction file can be tested for sequence (e.g., an exception report would include missing numbers or duplicate numbers in a sequence of sales invoices).

Output Controls

•  Reconciliation of totals. Output totals that are generated by the software programs are reconciled to input and processing totals by the data control group or user departments.
•  Comparison to source documents. Output data are subject to detailed comparison with source documents (e.g., comparing sales invoices to shipping documents).
•  Visual scanning. The output is reviewed for completeness and apparent reasonableness. Actual results may be compared with estimated results.
•  Run-to-run totals. Ending balances are compared to beginning balances plus known transactions processed.

Processing controls are designed to provide reasonable assurance that the IT processing has been performed as intended for the particular application. Thus, these controls should prevent data from being lost, added, duplicated, or altered during processing. Processing controls take many forms, but the most common ones are programmed controls incorporated into the individual application’s software. Examples of processing controls are also provided in Illustration 6.8.
Output controls are designed to ensure that the processing results are correct, that exceptions are addressed on a timely basis, and that only authorized personnel receive the output. The accuracy of the processing result includes both updated machine-sensible files and printed output. In addition, a data control group usually controls who can have access to data in a database and maintains control over any centrally produced reports for the distribution of output. This group maintains a high level of control over reported exceptions to ensure that they are addressed and corrected on a timely basis. Finally, this group should exercise special care over the access to, or distribution of, confidential output. To facilitate control over the disposition of output, systems documentation should include reports of who has access to various aspects of a database or some form of a report distribution sheet.

Cloud 9 - Continuing Case


Suzie will document their understanding of the various transaction processes. By performing a system walkthrough in each major accounting system, Suzie will document the flow of transactions and the documents that the client uses in the accounting system. Josh is particularly focused on transaction and account balance assertions, what can go wrong for each assertion, and the controls that the client has implemented to identify and correct potential misstatements. Suzie asks questions about what exception reports are generated by the system, and how items appearing on exception reports are cleared. She learns that some exceptions are noted only on computer terminals, and corrections must be made before transactions are processed further.
Once the types of potential material misstatements and the controls that Cloud 9 has put in place to detect and correct any misstatements are understood, the audit team will consider the magnitude and likelihood of the misstatement in the financial statements. This will help narrow the risk assessment and determine what audit procedures should be performed. In addition, the audit team considers how errors in each financial statement assertion might occur.
This analysis will guide the audit planning for additional substantive testing. Sharon and the audit partner can also decide if there are any material weaknesses that should be included in the management letter.
Suzie knows that documenting her understanding of the processes is necessary for the team to identify control strengths that can be relied upon to justify reduced substantive testing. Substantive testing will be reduced if tests of those controls confirm that these design strengths are reflected in actual performance of the control system. Josh thinks he will need to discuss his assessment of control strengths and weaknesses with Sharon before finalizing the audit program. He needs her help to determine if some control weaknesses are compensated for by other strengths. They will also identify the most important controls to test. Some controls may actually be redundant; that is, another control exists that performs the same function.

IT-Dependent Manual Controls


IT-dependent manual controls are internal controls that are performed by individuals,
but rely on IT-generated information. In some cases, accounting information is input into
IT systems, but the data is not subject to IT application controls; therefore, the IT processes
the data without performing any tests to validate the information. The completeness and
accuracy of the system-generated accounting information depends on the effectiveness of
the manual control over the output.

IT-dependent manual controls  controls that involve manual review of the completeness and accuracy of computer-generated information

For example, software might be used to generate sales invoices, a sales journal, and an
accounts receivable file. An IT-dependent manual control would require that an independent
person compare the output to the input to validate that all sales invoices are recorded
(completeness), that sales invoices are recorded only for valid transactions (occurrence), that
sales invoices are accurate (accuracy), that sales invoices are billed to the correct customer
(classification), and that sales invoices are recorded in the correct time period (cutoff).

Audit Reasoning Example  IT-Dependent Manual Controls

Dave Bartlett is the senior on the audit of a manufacturer of automobile engines that has union
labor, managers, and executives. The company has four plants that operate two shifts, six days a
week. Each plant has approximately the same number of employees. The CFO has been with the
company for 10 years, and thoroughly understands the company business process and payroll
processes. She reviews weekly payroll summary reports prepared by the centralized accounting
function. With the company’s flat organizational structure and smaller size; the CFO’s extensive
background with the company; her understanding of seasonal fluctuations, business cycles, and
workflows; and her close familiarity with the budget and reporting processes, the CFO quickly
identifies any signs of improprieties with payroll and their underlying cause, whether related to
a project, overtime, hiring, or layoffs. The CFO investigates as needed to determine whether
misstatements have occurred and whether any internal controls have not operated effectively. Based
on the results of audit procedures related to the control environment and controls over
management override, Dave observes that the CFO demonstrates integrity and commitment to effective
internal control over financial reporting.

Dave is in the process of determining whether he can rely on the reviews conducted by the
CFO to detect material misstatements related to payroll processing because the CFO’s threshold
for investigating significant differences from expectations, and her follow-up, is adequate. As Dave
goes through his mental checklist, he realizes that additional evidence and testing are important.
The CFO’s reviews are only as strong as the reports produced by the company’s IT system. The
CFO’s review can be effective only if the IT controls over the completeness and accuracy of those
reports are effective. Therefore, the auditors will need to test the company’s IT general controls, as
well as IT application controls over the completeness and accuracy of software application reports.

Professional Environment  Blockchain


Blockchain first gained notoriety as the core technology behind Bitcoin. The appeal of blockchain technology is in its use of peer-to-peer networks combined with a highly secure environment. Blockchain offers parties, who may or may not know each other, the ability to conduct transactions without requiring a trusted intermediary such as a bank or payment processor. By eliminating the intermediary and harnessing the power of peer-to-peer networks, blockchain technology may provide opportunities to reduce transaction costs and decrease settlement time. However, blockchain technology is still emerging and has not yet been effective on a commercial scale.
The major potential of blockchain involves the following characteristics:
•  Blockchain involves a distributed shared ledger that is common among participants of a business network.
•  Blockchain involves a set of permissions such that each member of the network has access rights so that confidential information is shared only on a need-to-know basis.
•  Blockchain is highly secured, because consensus is required from all network members and all validated transactions are permanently recorded. The blockchain technology will not allow an individual person, not even the system administrator, to alter or delete a transaction.
What are the implications of the use of blockchain for auditors? This is the subject of a recent report by Deloitte Canada, CPA Canada, the AICPA, and the University of Waterloo, Audit & Assurance Alert—Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession. While verifying the occurrence of a transaction is a key aspect of the financial statement audit, it is just one of many assertions. Will blockchain provide sufficient, appropriate evidence for all assertions? For example, consider a hypothetical bitcoin transaction involving the sale of a product recorded in a blockchain. The auditor may or may not be able to determine that the product was delivered solely by evaluating the information in the blockchain. The blockchain may or may not provide sufficient, appropriate information for all assertions of interest to the auditor.
The auditor should not assume that because data comes out of a blockchain it is reliable. The auditor must still consider information technology general controls (ITGCs) related to the blockchain environment. The auditor should also understand and assess the reliability of the consensus protocol for the specific blockchain, as well as understand the linkage between the blockchain information and the information reported in the financial statements.
The report, Audit & Assurance Alert—Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession, also identifies risks associated with a recorded blockchain transaction. The transaction may be:
•  Unauthorized, fraudulent, or illegal.
•  Executed between related parties.
•  Linked to a side agreement that is “off chain.”
•  Incorrectly classified in the financial statements.
While blockchain is an important technology, the auditor still must assess the risk of misstatement in a transaction, assess the strength of internal controls over the transaction, and design appropriate substantive tests as blockchain will not eliminate all risks of material misstatement.

Source: Deloitte Canada, CPA Canada, AICPA, and University of Waterloo, Audit & Assurance Alert—Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession (Deloitte Development LLC: Toronto, Canada, 2017).

Before You Go On
4.1  Explain the risks and benefits of information technology (IT) compared with manual systems.
4.2  Explain the overall purpose of IT general controls. Provide two examples of IT general controls and the types of situations that can occur if the IT general control is ineffective.
4.3  Explain the overall purpose of IT application controls. Provide two examples of IT application controls that might be found in a revenue process and the types of misstatements that can occur if the IT application control is ineffective.
4.4  Explain the overall purpose of IT-dependent manual controls. Provide two examples of IT-dependent manual controls and identify the assertion that is controlled by the example IT-dependent manual control.

Documenting Internal Controls


Learning Objective 5
Discuss the different techniques used to document internal controls.

Before the auditor tests specific internal controls, he or she needs to document his or her
understanding of the system of internal control. AU-C 315.33 requires auditors to document
their understanding of each of the internal control components. The most common forms of
documentation include the following.

•  Narratives. This is the most common form of documentation, particularly in smaller
environments where accounting and internal control activities are simple or where a
flow of a particular transaction is relatively simple and straightforward. It involves the
auditor describing (in words) each step of the flow of a transaction from start to finish
(that is, from initiation to reporting in the financial report). Refer to Illustration 6.9 for
an example.

ILLUSTRATION 6.9   Example narrative for documenting credit sales process

A customer sales order is received by fax or email. The sales staff checks customer details to see
that it is on the customer master list. If not, it is referred to the credit department to obtain required
customer approvals. Sales staff also checks the customer account balance to see if the customer
has exceeded its credit limit. If the customer has exceeded its limit, staff refers the sales order to the
credit manager (S. Fitzpatrick) for approval. If approval is denied, staff refers the order back to the
sales manager to discuss with the customer and notify customer. If customer has not exceeded its
credit limit or the credit manager (S. Fitzpatrick) has provided an approval to exceed the limit, an
internal sales order is generated to initiate the shipment of goods.

•  Flowcharts and logic diagrams. This form of documentation is used in larger and more
complex environments. It involves the auditor summarizing (in flowcharts or logic
diagrams) each step of the flow of a transaction from start to finish (that is, from initiation
to reporting in the general ledger). Logic diagrams are more common than flowcharts.
Logic diagrams provide a visual perspective of the flow of the transaction and key
controls throughout the flow that is often simpler for the reader or reviewer to understand.
The key to a good logic diagram is to keep it as simple as possible, with as few words as
possible so as not to overload the reader with information. Refer to Illustration 6.10 for
an example.
•  Combinations of narratives and flowcharts. This form of documenting internal controls
is typically a page divided into two sections with the process flowchart on the left-hand
side, and the narrative describing each step in the flow on the right-hand side. The
flowchart side highlights the key activities from initiation to reporting, while the narrative
column contains the details about what happens in the flow of the transaction. Refer to
Illustration 6.11 for an example.
•  Checklists and preformatted questionnaires. An internal control checklist or questionnaire
is another technique used to systematically identify the most common types of internal
control procedures that should be present. This is particularly helpful in industries that
the auditor may not personally be familiar with, or when less experienced auditors find
it difficult to identify which are the critical controls (for example, when documenting
entity-level controls). Refer to Illustration 6.12 for an example.

Regardless of which of the above approaches is used to document internal controls, the
extent of the documentation will increase as the complexity of the client, its systems, and its
internal controls increases.

ILLUSTRATION 6.10   Example logic diagram for credit sales process

[Logic diagram. Sales order for credit sale received → Approved customer? (NO: Refer to credit dept. to obtain required customer approvals; YES: continue) → Balance below approved credit limit? (YES: Process internal sales order; NO: Request approval to exceed credit limit → Request approved? (YES: Process internal sales order; NO: Reject sale or refer to sales manager for follow-up with customer)) → Process internal sales order → Stock picking and delivery process]

ILLUSTRATION 6.11   Example combination documentation for credit sales process

Flowchart step: Sales order for credit sale received
Narrative: Sales order is received by fax or email.

Flowchart step: Approved customer? (NO: Refer to credit dept. to obtain required customer approvals; YES: continue)
Narrative: The sales staff check customer details to see that it is on the customer master file. If not, it is referred to the credit department to obtain required customer approvals.

Flowchart step: Balance below approved credit limit? (NO: Request approval to exceed credit limit → Request approved? NO: Reject sale or refer to sales manager for follow-up with customer; YES: continue)
Narrative: Sales staff check to see if the customer’s balance will be below its credit limit. If the customer’s balance exceeds its credit limit, refer to credit manager (S. Fitzpatrick) for approval. If approval is denied, refer the order back to the sales manager to discuss with the customer.

Flowchart step: Process internal sales order
Narrative: If the customer has not exceeded its credit limit, or the credit manager has approved a transaction in excess of the credit limit, prepare an internal sales order.

Flowchart step: Stock picking and delivery process
Narrative: Once the sales order is received in the warehouse, the ordered goods are picked from inventory and shipped to the customer.

ILLUSTRATION 6.12   Example checklist for documenting a credit sales process

Checklist columns: Process Step; Performed by; IT/Reliance on Electronic Data? (Yes/No)

Process steps:
•  Customer places sales order and order is input into the sale order program.
•  Customer is compared with approved master customer list.
•  Credit and/or credit terms approved.
•  Order filled and prepared for shipment.
•  Shipping/delivery documents prepared.
•  Order shipped, delivered to, or picked up by customer.
•  Sale invoice prepared.
•  Prices (or deviations from standard prices) are approved.
•  Invoices reviewed for accuracy and emailed/delivered to customers.
•  Sales journal produced.
•  Sales journal summarized and posted to general ledger and trade receivables detail.

Provide any other details that are necessary to understand the initiation, processing, recording, and reporting of the transactions:

Briefly describe the client’s revenue recognition policy, including standard billing and collection terms:

Briefly describe the client’s credit terms and credit authorization procedures:

Briefly describe the client procedures for sales returns and allowance and for issuance of credit memos:

Cloud 9 - Continuing Case


Suzie will prepare a flowchart or narrative to document her understanding of the different transaction processes. This will help her understand the stages at which errors can occur. She will include the entire process from the initiation of the transaction through to recording in the general ledger. Where appropriate, she will link several accounting processes together into one seamless flow of transactions. For example, as a first step she makes a simple diagram of the flow of transactions from initiation of a purchase order through to the cash payment to the supplier. The process comprises three smaller processes: initiating a purchase order through to receiving the goods as they arrive; receiving the purchase invoice from the supplier through to entering the invoice in the general ledger; and requesting cash payment through to recording the payment to the supplier. In the next step, the flow of transaction diagram will be supplemented with additional details of the IT tests and their disposition.

Before You Go On
5.1  Explain the different techniques used to document internal controls.
5.2  What is the difference between a narrative and a flowchart or logic diagram?
5.3 Explain the benefits of combining a flowchart with a narrative to document internal controls.

Identifying Strengths and Weaknesses in a System of Internal Controls

Learning Objective 6
Explain the importance of identifying strengths and weaknesses in a system of
internal control.

An important outcome of understanding the system of internal controls that a client puts
in place is the ability to make observations, draw conclusions, and offer recommendations
regarding the strengths and weaknesses observed. When the auditor identifies internal control
strengths, the auditor will consider a reliance on controls approach for assertions influenced by
these strengths. If the auditor identifies internal control weaknesses, the risk of material
misstatements being undetected by management’s processes and controls increases. Further, the areas of
weakness are where the auditor typically performs additional substantive testing to quantify the
(potential) material misstatement. The link between weaknesses in internal controls and the level
of substantive procedures required to address these exceptions is explained further in Chapter 9.
Internal control weaknesses are commonly categorized into three groups by both PCAOB
auditing standards and ASB auditing standards. These three groups are:

1.  Deficiency in internal control (or control deficiency). A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in the design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in the operation exists when a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively.
2.  Material weakness. A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. It takes only one material weakness for a public company to receive an adverse opinion on ICFR.
3.  Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Further, having numerous significant deficiencies could add up to a material weakness.

deficiency in internal control (control deficiency)  a deficiency in the design or operations of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis

material weakness  a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis

significant deficiency  a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance

Note that the term “deficiency in internal control” or “control deficiency” is a broad term that
encompasses all types of internal control problems. Material weaknesses and significant deficiencies
are examples of deficiencies in internal control, but they are classified separately because they are
more serious control deficiencies. A material weakness is the most severe type of deficiency in
internal control. An easy way to remember that a material weakness is the most severe is to focus on the
word “material.” A “material” weakness means increased risk of a “material” misstatement
occurring in the financial statements because it was not prevented or detected by the internal control
system. As the definition above explains, a significant deficiency is not as severe as a material weakness,
but it must still be reported to those charged with governance. If a significant deficiency is not
corrected by management in a timely manner, it could develop into a material weakness in the future.
PCAOB AS 2201 requires that, in an audit of ICFR, material weaknesses are reported to the
public in the auditor’s report on ICFR. The auditor’s report on ICFR was introduced in Chapter
1 and will be revisited in Chapter 15. Both PCAOB AS 2201 and AU-C 265 Communicating
Internal Control Related Matters Identified in an Audit require the auditor to provide those charged
with governance with timely observations regarding both material weaknesses and significant
deficiencies in internal control. It is for these key reasons that the auditor prepares a
management letter. For audits of private companies, AU-C 265 states that the auditor should not issue
a written communication stating that no significant deficiencies in internal control were
identified during the audit. If the auditor has not audited internal controls over financial reporting for
a private company client and is only issuing an opinion on the financial statements, the scope
of the work required to understand internal control may be sufficient to determine an audit
strategy, but not sufficient to determine if no significant deficiencies in internal control exist.

Before You Go On
6.1 Why is it important to identify both the strengths and weaknesses in a system of internal controls?
6.2 How does the auditor’s audit strategy vary depending on whether the auditor finds a strength
or weakness in internal controls related to an assertion?
6.3 What obligations does the auditor have regarding communicating strengths or weaknesses
in internal controls?

Management Letters
Learning Objective 7
Explain how to communicate internal control weaknesses to those charged with
governance.

A management letter (sometimes referred to as a letter of recommendations) is a document
prepared by the audit team and provided to those charged with governance. The management letter
discusses internal control weaknesses and other matters discovered during the course of the audit.
The purpose of the management letter is to meet the auditor’s responsibility for communicating
internal control matters in writing on a timely basis to those charged with governance and to
inform those charged with governance of the auditor’s recommendations for improving its internal
controls. The combination of the auditor’s experience in auditing various businesses and the
understanding gained in conducting an audit means the auditor is in a unique position to provide insights
regarding the system of internal controls designed and monitored by those charged with
governance. An example of a management letter to a private company is shown in Illustration 6.13.

management letter  a document prepared by the audit team and provided to the client that discusses internal control weaknesses and other matters discovered during the course of the audit

ILLUSTRATION 6.13   Example of a management letter

March 15, 2023

To the Management and the Board of Directors of New Millennium Ecoproducts:

In planning and performing our audit of the financial statements of New Millennium Ecoproducts (the
Company) as of and for the year ended December 31, 2022, in accordance with auditing standards
generally accepted in the United States of America, we considered the Company’s internal control
over financial reporting (internal control) as a basis for designing audit procedures that are
appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but
not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control.
Accordingly, we do not express an opinion on the effectiveness of the Company’s internal control.

Our consideration of internal control was for the limited purpose described in the preceding
paragraph and was not designed to identify all deficiencies in internal control that might be material
weaknesses or significant deficiencies and therefore, material weaknesses or significant
deficiencies may exist that were not identified. However, as discussed below, we identified certain
deficiencies in internal control that we consider to be material weaknesses and significant deficiencies.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to prevent, or detect
and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of
deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement
of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
We consider the following deficiency in the Company’s internal control to be a material weakness.

During our audit procedures, we observed that there was limited segregation of duties in the
accounts payable and cash payments process. We understand that due to the size of the Company’s
finance team, lack of segregation of duties will exist. This is largely due to the small number of
employees. However, limited segregation of duties increases the risk of loss through error or fraud. We
recommend that the directors undertake a periodic review of a selection of cash payments to ensure
that there is adequate supervision, and that the degree of reliance upon employees is warranted.
Alternatively, a director could be selected to review and approve all payments over a specified limit.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is
less severe than a material weakness, yet important enough to merit attention by those charged
with governance. We consider the following deficiency in the Company’s internal control to be a
significant deficiency.

During our observation of the inventory count, we noted that two of the items counted as part of
our sample did not reconcile to the quantities stated in the system. Upon investigation, this was
found to be the result of a sale that had been invoiced the previous day that had not yet been
dispatched. This was caused by the delivery not being physically separated from the year-end
inventory on hand. This resulted in a risk that inventory, sales, and cost of sales could be misstated
due to incorrect cutoff of deliveries of goods sold. We encourage New Millennium Ecoproducts
to implement a control requiring the physical segregation of deliveries from remaining stock on
hand as soon as the sale has been picked and packaged.

This communication is intended solely for the information and use of management and the Board of
Directors, and it is not intended to be, and should not be, used by other than these specified parties.

Will B. Ready
Bell & Bowerman, LLP
Portland, Oregon

Significant professional judgment is necessary in deciding whether an identified
weakness is significant enough to warrant communicating to management and those charged with
governance. When the auditor identifies risks of material misstatement that the entity has not
controlled (or has not adequately controlled), or if in the auditor’s judgment there is a material
weakness in the entity’s design or implementation of internal control, the auditor is required
to communicate these weaknesses as soon as practicable to those charged with governance.
Deciding whether an internal control deficiency, and whether the deficiency has been
remediated, should be reported to those charged with governance is often a matter of consultation
and discussion amongst the audit team.
AU-C 265 requires written communication of internal control deficiencies to those charged
with governance of the entity. A management letter meets this requirement and avoids any
ambiguity or confusion as to what observations, conclusions, and recommendations the audit firm
has made. It also provides a simple way for management to document the actions it has taken
in response to the issues raised, and to share these actions (and the progress towards the
resolution of the issues) with those charged with governance. Discussing internal control deficiencies
with management and those charged with governance also provides the auditor with valuable
insights into management’s attitude towards the importance of internal controls by being able
to evaluate what management has done in response to the recommendations made in the
previous year at the start of each audit. Depending on the size of the engagement and the timing
of when control weaknesses are identified relative to the final audit visit, teams will sometimes
prepare an interim management letter at the end of planning and interim procedures, with a
final management letter issued at the completion of the audit.

Cloud 9 - Continuing Case


Once Suzie has documented the audit team’s understanding of Cloud 9’s system of internal controls and her preliminary assessment of the system’s strengths and weaknesses, Josh presents the document to Jo Wadley, the engagement partner of the audit. The audit team will gather additional evidence about the system of internal controls during the audit, and at the completion of the audit the senior members of the audit team will make a final assessment of Cloud 9’s internal controls and write a management letter. Providing a management letter, including recommendations for future changes to the system of internal controls, is an important part of the auditor’s role. The management letter not only discharges the audit team’s responsibilities to the client, but helps the client improve its systems. In turn, this will likely increase the quality of its financial reporting in the future and improve the efficiency and effectiveness of future financial statement audits.

Before You Go On
7.1 Do auditors always communicate internal controls deficiencies to those charged with governance? Explain your answer.
7.2 Can the content ordinarily included in a management letter be delivered verbally to those charged with governance? Explain your answer.
7.3 Why should communications with those charged with governance be done in writing?

Learning Objectives Review


1 Define internal control and describe the COSO framework.

Internal control is the process designed, implemented, and maintained by those charged with governance as well as management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control. The COSO framework is three-dimensional. The first dimension is the objectives of internal control, which include operations objectives, reporting objectives, and compliance objectives. The second dimension is the components of internal control, which include the control environment, risk assessment, control activities, information and communication, and monitoring. The final dimension addresses the entity’s organizational structure.

2 Explain and evaluate internal controls at the entity level.

There are 17 principles of internal control that guide the auditor’s understanding of internal control at the entity level. These are summarized in Illustration 6.2. It is important that management and those charged with governance of the entity pay attention to entity-level controls because if controls are weak at the entity level, it reduces the likelihood that transaction-level controls will be effective.

3 Explain and evaluate internal controls at the transaction level.

Transaction-level controls are controls that impact a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial report. Transaction-level controls are those controls that respond to things that can go wrong with transactions. The auditor will often obtain an understanding of transaction-level controls by performing a system walkthrough for each transaction cycle.

4 Explain and evaluate information technology (IT) controls.

Information technology controls are often grouped into three categories: IT general controls, IT application controls, and IT-dependent manual controls. IT general controls are designed to control program development, program changes, computer operations, and access to programs and data. IT application controls are designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specific applications. Finally, IT-dependent manual controls are controls performed by individuals to check the completeness and accuracy of IT-generated information.

5 Discuss the different techniques used to document internal controls.

The most common forms of documentation include narratives, flowcharts, logic diagrams, combinations of narratives and flowcharts, and checklists and preformatted questionnaires.

6 Explain the importance of identifying strengths and weaknesses in a system of internal controls.

When the auditor identifies internal control strengths, the auditor will be able to consider a lower assessed level of control risk approach for assertions influenced by these strengths. If the auditor identifies internal control weaknesses, the risk of material misstatements being undetected by management’s processes and controls increases, which has a direct effect on audit strategy and audit testing. Further, professional standards require auditors to communicate material weaknesses and significant deficiencies in internal control to those charged with governance of an entity. This is generally done through a management letter.

7 Explain how to communicate internal control weaknesses to those charged with governance.

A management letter is a deliverable prepared by the audit team and provided to those charged with governance of an entity. It informs the client of the auditor’s recommendations for improving its system of internal control.

Key Terms Review


Control activities
Control environment
Deficiency in internal control
Entity-level controls
Information and communication
Internal control
IT application controls
IT-dependent manual controls
IT general controls
Management letter
Material weakness
Monitoring
Risk assessment process
Significant deficiency
Transaction-level controls
Walkthrough

Audit Decision-Making Example

Background Information
Simmons Optics Company (SOC) is a private company manufacturing medical devices in Florida. Through a network of wholesalers and medical supply warehouses, it sells various instruments used by optometrists. SOC has a number of new products at various stages of development, with various investments in its research and development budget aimed primarily at taking advantage of tax credits. It is also experiencing competition from a new entrant to the industry, Bright Eyes Instruments, Inc., which is taking a significant percentage of the optical instruments market. As a result, SOC’s CEO is pushing supervisors to reduce product development time from 24 months to 10 months, but without any new capital expenditures. He is also focused on increasing sales; he has set aggressive sales budgets and wants weekly sales reports. The board of directors almost always agrees with the CEO’s initiatives and has rubber-stamped this course of action.
Six months ago, SOC hired a new CFO. He is a hands-off CFO, is concerned about maximizing sales, and spends significant time networking with customers in the sunshine, at the country club, and at the ocean. During his first six months he realigned the reporting responsibilities of the company so that the credit and collections department reports to the sales manager, rather than to the treasury department. He gave the sales manager increased authority to develop business by negotiating the terms of sales transactions. The sales manager is also responsible for establishing effective internal controls. The sales manager developed and negotiated a new type of agreement, called a Guaranteed Profit Agreement, that relieves Simmons’s distributors of any obligation to pay for goods until they are sold through to the end users (optometrists). Under these agreements, Simmons records the revenue when the goods are shipped to wholesalers and medical supply warehouses. The CFO is not aware of any reversals for unsold goods, but he admits that the information systems are not designed to keep track of goods in Simmons’s distributors’ warehouses. Finally, plans to hire an internal auditor have been put on hold due to budget constraints.

Identify Audit Issues
Identify entity-level risk factors in the above scenario and potential implications for audit strategy.

Gather Additional Information and Evidence
Important information includes:
•  Research and development is primarily aimed at taking advantage of tax credits rather than new revenue potential.
•  Simmons is losing market share to a new entrant to the industry, representing a significant external risk.
•  The board of directors is not independent.
•  The CFO has a hands-off approach and is not paying significant attention to internal controls.
•  The CEO and CFO have put significant emphasis on maximizing sales.
•  The combination of realigned responsibilities (moving credit and collections from treasury to sales) and the development of the Guaranteed Profit Agreement will likely increase receivables and inventory on hand at the distributors’ warehouses, and slow cash flow into the business.
•  The responsibility for internal controls rests with the sales manager.
•  The company has no information system to track when inventory has been sold through to end customers.
•  No internal controls appear to be in operation to monitor revenue recognition or collectibility of receivables.
•  No significant monitoring controls are in place.

Analysis and Evaluation of Alternatives
•  The control environment is weak. The tone at the top, from both the CEO and CFO, is focused on meeting aggressive sales targets, not on accuracy of reported financial statements. In addition, the board of directors is not independent. The CFO is not focused on internal controls or the integrity of financial reporting.
•  There are significant external risk factors, including significant competition from a new entrant to the market. There are also significant internal risk factors, including a lack of attention to internal controls and the entity’s information and communication system. Also, changes in business processes may slow down collections and cash flows.
•  Due to the weak control environment, there is a risk that control activities may not be effective.
•  SOC’s information and communication system is not geared up to appropriately recognize revenue. There is a problem with the occurrence of revenue and the existence of receivables. Revenue should not be recognized until the product is sold through to end customers.
•  There are no significant monitoring systems in place. The company has put off hiring an internal auditor.

Audit Conclusion
Due to a number of weaknesses in entity-level controls, it is unlikely that transaction-level controls will function effectively. In addition, risk factors point to particularly high risk regarding revenue recognition. The auditor should consider a primarily substantive approach for all assertions, planning the audit for after year-end, with larger sample sizes.


Multiple-Choice Questions
1.  (LO 1)  Internal control is defined as:
a.  the entity’s system to prevent, or detect and correct, misstatements in the financial statements.
b.  a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance.
c.  a process, implemented by management, to ensure the integrity of the entity’s management information system.
d.  the entity’s system to ensure that management and those charged with governance of the entity have quality information for decision making.

2.  (LO 1)  It is important for an auditor to understand a public company’s system of internal control in order to:
a.  audit internal control over financial reporting.
b.  make a preliminary assessment of control risk.
c.  develop an audit strategy.
d.  All of these answer choices are correct.

3.  (LO 1)  The objectives of internal control include:
a.  operations objectives, internal control objectives, and financial reporting objectives.
b.  operations objectives, control environment objectives, and financial reporting objectives.
c.  operations objectives, reporting objectives, and compliance objectives.
d.  risk assessment objectives, compliance objectives, and reporting objectives.

4.  (LO 2)  The control environment:
a.  sets the tone of an entity with respect to internal control and influences the control consciousness of its people.
b.  is focused on how the entity addresses information-technology risks.
c.  only applies to public companies.
d.  directly addresses adequacy of segregation of duties.

5.  (LO 2)  An entity’s risk assessment process:
a.  is designed to help an entity think about risk in the same way that an auditor thinks about risk.
b.  is established only if the entity is subject to unusually high risk.
c.  is the entity’s process for identifying and responding to business risks and the results of those risks.
d.  never allows management of an entity to decide to accept a risk without taking any action.

6.  (LO 2)  The internal control component that addresses how an organization holds an individual accountable for his or her internal control responsibilities in pursuit of objectives is related to:
a.  the control environment.
b.  risk assessment.
c.  control activities.
d.  information and communication.

7.  (LO 2)  Which of the following represent a common categorization of control activities?
a.  Authorization controls, control over human error, information-processing controls, physical controls, and segregation of duties.
b.  Authorization controls, control over human error, information-processing controls, and segregation of duties.
c.  Authorization controls, information-processing controls, physical controls, and segregation of duties.
d.  Authorization controls, performance reviews, information-processing controls, physical controls, and segregation of duties.

8.  (LO 2)  In a good system of segregation of duties, which of the following duties should be segregated?
a.  Authorization of transactions, physical access to assets, and recording transactions.
b.  Authorization of transactions, physical access to assets, and management.
c.  Physical access to assets, recording of transactions, and consideration.
d.  Authorization of transactions, recording transactions, and management.

9.  (LO 3)  An auditor normally obtains an understanding of transaction-level controls by:
a.  conducting an interview with senior management.
b.  performing a system walkthrough.
c.  reading the prior year’s management letter.
d.  testing the entity’s risk assessment process.

10.  (LO 4)  Which of the following is a good example of an IT application control over the occurrence of revenue transactions?
a.  Physical access to IT systems is limited only to specific personnel who work in the revenue cycle.
b.  The software application compares information on a sales invoice with information from the bill of lading to ensure that sales invoices are only prepared for actual shipments. Any exceptions are not processed and are set aside for manual follow-up.
c.  The software changes to the revenue program must be tested and authorized before they may be used with live data.
d.  Strong segregation of duties exists between IT operations and IT program development.

11.  (LO 4)  If the auditor is able to collect evidence that IT general controls are strong, then the auditor can conclude that:
a.  application controls function properly and put the correct transactions on exception reports.
b.  software applications are more likely to operate consistently over time.
c.  IT transactions are adequately supported by source documents.
d.  the risk of batch totals failing to detect misstatements is low.

12.  (LO 5)  Documenting internal controls:
a.  is always handled through the use of checklists and preformatted questionnaires.
b.  is done after internal controls are tested so that the results can be included in the documentation.
c.  can be handled with a combination of narratives and flowcharts or logic diagrams.
d.  is not done for smaller clients because of the risk of management override.

13.  (LO 6)  When an auditor identifies internal control deficiencies, what levels of internal control deficiencies must be reported to those charged with governance of the entity?
a.  Material weaknesses only.
b.  Significant deficiencies only.
c.  Deficiencies and significant deficiencies in internal control.
d.  Significant deficiencies and material weaknesses in internal control.

14.  (LO 7)  A management letter:
a.  lists only the material weaknesses discovered during the audit.
b.  is written by management to the auditor at the start of the audit.
c.  contains recommendations for improving significant deficiencies and material weaknesses in internal control discovered during the course of the audit.
d.  is only required for public company audits.

Review Questions
R6.1  (LO 1)  If an auditor does not intend to rely on internal controls in the audit, does the auditor need to obtain an understanding of internal control? Explain.
R6.2  (LO 1)  What are the three internal control objectives? Illustrate each with an example.
R6.3  (LO 2)  Discuss the idea that the control environment is the most important part of a system of internal control.
R6.4  (LO 2)  Explain why an auditor would be interested in the functioning of the human resources department within an organization.
R6.5  (LO 2)  For a retail entity, give some examples of risks that should be considered in the risk assessment process. Which of these risks would be relevant to a retailer’s financial reporting? Explain.
R6.6  (LO 2)  Explain the importance of segregation of incompatible duties. What duties should be segregated within the sales process? Why?
R6.7  (LO 2)  Why would an auditor be interested in a client’s monitoring processes?
R6.8  (LO 3)  Explain eight steps that an auditor follows when understanding internal controls at the transaction level and developing an audit strategy.
R6.9  (LO 4)  Identify four risks associated with IT systems in accounting. For each of the four risks, identify whether they are mitigated by IT general controls or IT application controls. Identify a specific control that mitigates the risk (for each of the four IT risks identified) and explain how it mitigates the risk identified.
R6.10  (LO 5)  Four approaches to internal control documentation are discussed in this chapter. List the advantages and disadvantages of each. How would documentation assist the auditor to identify strengths and weaknesses of an entity’s system of internal controls?
R6.11  (LO 6)  If an auditor identifies an internal control weakness for an assertion, how does it affect the audit strategy? If the auditor identifies an internal control strength for an assertion, how does it affect the audit strategy?
R6.12  (LO 7)  Why do auditors prepare management letters?

Analysis Problems
AP6.1  (LO 1)  Basic   Understanding client controls  Parsons & Co, LLC, an audit firm, has audited Cascade Motors, a manufacturer of auto parts, for the last two years. Dereck Miller, a first-year auditor, has noted that the IT auditor has evaluated IT general controls (ITGC) as strong. Dereck notes that because ITGCs are strong, controls over program changes are strong. Therefore, Dereck concludes they don’t need to do additional work to understand internal controls at Cascade Motors.

Required
Evaluate Dereck’s comments about the need to do additional work to understand internal controls.

AP6.2  (LO 2)  Basic   Understanding components of internal control  Internal controls can be
categorized using the following framework:

1.  Control environment
2.  Risk assessment
3.  Control activities
3.1.  Authorization
3.2.  Performance reviews
3.3.  Information-processing controls
3.3.1.  IT general controls
3.3.2.  IT application controls
3.3.3.  IT-dependent manual controls
3.4.  Physical controls
3.5.  Segregation of duties
4.  Information and communication
5.  Monitoring
Following is a list of controls implemented by Waterfront, Inc.:
a.  Management established a code of conduct that includes rules regarding conflicts of interest for purchasing agents.
b.  Waterfront’s management established a disclosure committee to review the selection of new accounting policies.
c.  Any software program revision must be approved by user departments after testing the entire program with test data.
d.  The managers of each of Waterfront’s manufacturing departments must review expenditures charged to their responsibility center weekly.
e.  The CEO, CFO, and controller review the financial consequences of business risks annually to ensure that controls are in place to address significant business risks.
f.  Human resources focuses on ensuring that accounting personnel have adequate qualifications, experience, and training for work performed in billing and accounts receivable.
g.  Security software limits access to programs and data files, and keeps a continuous log of programs and files that have been accessed. The log is reviewed by the security manager daily.
h.  A software program prints a daily report of all shipments that have not yet been billed to customers.
i.  The controller reviews sales and collections bi-monthly.
j.  The software application compares the information on the sales invoice with underlying shipping information for the transaction.
k.  Customer billing complaints are directed to internal audit for follow-up and resolution.
l.  The documentary transaction trail for all credit sales is documented in company policy manuals.
m.  Waterfront uses a Microsoft Excel program to calculate depreciation expense. An accounting manager tests the calculations on a sample basis and evaluates the overall reasonableness of depreciation expense.

Required
a.  Indicate the category of internal control applicable to each procedure using the framework above.
b.  Identify the assertion or assertions to which each procedure pertains.

AP6.3  (LO 2)  Basic   Understanding segregation of duties in a small business  Big State Computers has premises on the main street of a large regional city. The business is owned by Max and Betty Waldup, who purchased it three years ago. Betty has an extensive background in IT and has a talent for diagnosing and solving problems with computers that are brought in for repair. Max also has an IT background and oversees the sales and administration staff. They employ three people: a computer technician who assists Betty, a part-time salesperson, and a part-time bookkeeper. Sally, the bookkeeper, enters transactions into a simple computerized accounting system. Sally is also responsible for issuing invoices and monthly statements to customers who have service contracts with the business. These customers are generally other businesses who ask Betty to visit their premises for routine and emergency repairs and who purchase software and hardware from the business.
Max and Betty have worked diligently over the last three years, but they are having cash flow problems. Their bank manager has requested a meeting to discuss the business’s poor cash balances. The bank manager asks Max and Betty to prepare for the meeting by analyzing their accounts receivable and customer receipts. Max and Betty review the accounts receivable ledger and find that it is not up to date. They also discover that customer statements have not been printed or mailed to customers for four months. They are unable to identify from the cash receipts journal which clients have paid their accounts.

Required
a.  Discuss the attitude and control consciousness of Big State Computers’s management.
b.  Which duties should be segregated in this business? Recommend an appropriate allocation of duties
for the personnel at Big State Computers.

AP6.4  (LO 2)  Basic   Public Company   Understanding the control environment  Peterson,
CPA, is auditing the financial statements of a publicly held manufacturing company, Amalgamated
Products, Inc. In complying with the PCAOB standards, Peterson seeks to obtain an understanding of
Amalgamated’s control environment.

Required
a.  Identify the control environment factors that can impact the effectiveness of the other components
of internal control.
b.  What effect may the preliminary audit strategy have on the required level of understanding of the
control environment factors?

AP6.5  (LO 2)  Moderate   Control environment at a large company  A large international bank is experiencing bad publicity surrounding huge fraud losses in its foreign currency department. Accusations are being made in the press that a rogue trader blamed for the losses was operating outside the official bank guidelines, with the tacit approval of senior management in the department because of the large profits made by this trader in previous years. The press claims it was common knowledge in the foreign currency department that strict policies and procedures surrounding the size of trades and the processes for balancing out trades at the end of each day were not to be followed if the trader had verbally informed his supervisor of the trade. The press is also suggesting that the problems are not confined to the foreign currency department.

Required
Discuss the control environment at this large international bank assuming the press reports are correct.
Which parts appear to be most deficient?

AP6.6  (LO 2)  Moderate   Control activities and related assertions  Several categories of control
activities are identified in the chapter using the following framework:

A.  Authorization
B.  Performance reviews
C.  Information-processing controls
C1.  IT general controls
C2.  IT application controls
C3.  IT-dependent manual controls
D.  Physical controls
E.  Segregation of duties

Following are specific control procedures prescribed by Trusty Inc., a public company:

1.  The software application must match information from a vendor’s invoices with information from receiving and information from the purchase order before a check is issued.
2.  Two authorized signatures are required on every check for payment of purchases over $100,000.
3.  Each month the credit manager carefully reviews the computer-generated aged trial balance of accounts receivable to identify past-due balances and follows up for collection.
4.  A supervisor must approve overtime work.
5.  The software application assigns sequential numbers to sales invoices used in the billing system.
6.  The software application verifies the mathematical accuracy of each voucher and prints an exception report for items with mathematical errors.
7.  Employee payroll records are kept on an electronic file that can only be accessed by certain terminals and are password-protected.
8.  An accounting supervisor reviews journal entries periodically for reasonableness of account classifications.
9.  Two individuals open the mail and prepare a prelisting of checks received. Then the checks received from customers and related remittance advices are separated in the mailroom and subsequently processed by different individuals.
10.  All vouchers must be stamped “paid” on payment.
11.  On a quarterly basis, the controller reviews a software-generated comparison of warranty expenses and actual warranty claims.
12.  Computer programmers are not allowed in the computer room.
13.  The software application will not complete the processing of a batch when the accounts receivable control account does not match the total of the subsidiary ledgers.

Required
a.  Indicate the category of control activities applicable to each procedure using the framework above.
b.  Identify an assertion to which each procedure pertains.

AP6.7  (LO 3)  Basic   Expense transaction risk  Sinha Airways owns many of its aircraft. The useful
lives and residual values may be influenced by external changes to economic conditions, demand, and new
technology. Analytical procedures show that depreciation expense is down by 8% compared to prior years.

Required
a.  Evaluate inherent risk for depreciation expense.
b.  Discuss what can go wrong.
c.  Suggest an internal control that management might put in place to control the appropriate recording
of depreciation expense.

AP6.8  (LO 3)  Moderate   Research   Public Company   Revenue fraud risk  Omega Airways is a public company and a new client of your audit firm. Its accounting policy for revenue is to credit unearned revenue when cash is received, and subsequently transfer to revenue in the income statement when passengers or freight are transported.
Your review of last year’s financial statements reveals that realized revenue from passengers represents 80% of total revenue, and that this year there is little change in realized revenue from passengers but an 11% decrease in unearned revenue from passengers. You have also read articles in the financial press that suggest an increased incidence of fraud due to a global decrease in the number of passenger air miles. At quarter-end, Omega Airways’s controller evaluates the unearned revenue account and related revenue recognition. This adjusting journal entry is later reviewed by the CFO and the company’s disclosure committee.

Required
a.  Research PCAOB AS 2201 and summarize the auditor’s responsibility to address the risk of fraud when understanding the entity’s system of internal control.
b.  Consider what you know about Omega Airways and explain why the revenue in the income statement is at significant risk of fraudulent financial reporting by management.
c.  Evaluate the internal controls Omega has established over unearned revenue and revenue recognition.

AP6.9  (LO 3)  Moderate   What can go wrong at the transaction level  Carmel Harrison owns and runs Emerald Spa, a business providing women-only hairdressing, beauty, relaxation massage, and counseling services in a small tourist town. Ninety percent of the clients using the beauty and massage services at Emerald Spa are weekend visitors, but 80% of the hairdressing and counseling clients are locals. The masseuse and counselor have appropriate qualifications and licenses, allowing clients to claim the cost of the service(s) with their private health insurer, if an appropriate receipt is provided when the client pays.
Emerald Spa has just opened another branch of the business in a town 100 miles away, and there are plans to open a third branch nearby next year. Carmel has been very busy establishing each new branch and relies on staff in each office to run the day-to-day operations, including ordering supplies and depositing cash receipts. In addition, the branch manager organizes the staff and authorizes their time sheets. Carmel makes the payments for rent, power, salaries, and large expenditures, such as furniture purchases.

Required
a.  Give examples of transactions that would occur at Emerald Spa.
b.  Explain what could go wrong with these transactions if the system of internal control is not effective
for each transaction class assertion.

AP6.10  (LO 3, 5)  Moderate   Segregation of duties and documentation  Lisa Curtis is document-
ing the purchasing and cash payments processes at Hardies Wholesaling, Inc. (HWI), a company in Iowa.
HWI distributes garden and landscaping items such as pots, furniture, fountains, mirrors, and sculptures.
6-42  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

All items are made from materials such as stone, concrete, metal, and wood, and are distributed to retail-
ers throughout the country.
Purchases are denominated in U.S. dollars. The purchasing department initiates a purchase order
when inventory levels reach reorder points or sales staff notify the department of large customer orders that
need to be specially filled. The purchase order is approved and sent to suppliers selected from an approved
supplier list. Goods are transported from Southeast Asia by ship and are delivered by truck to the HWI central
warehouse in Des Moines. A receiving report is generated by the receiving department and forwarded
to the accounts payable department to be matched with the copy of the original purchase order and the
supplier’s invoice. When the package of documents is completed, a purchase is entered into the purchases
journal that debits an appropriate account and credits accounts payable. When the cash payment is due,
the cash payments department reviews the supporting documentation and requests payment of the invoice
according to the supplier’s payment terms. The payment is approved and the cash payment is made.

Required
a.  Create a flowchart or logic diagram to represent the flow of transactions from initiating a purchase
order to cash payment.
b.  Which duties in the above process should be segregated?

AP6.11  (LO 2, 7)  Challenging   Risk assessment  Recent reports have warned of climate change
impacts on the Florida coastline, including a rise in sea levels, more frequent storms, flooding, and
coastal erosion. Assume you are a member of senior management at a large property development company
in Florida that owns a material amount of undeveloped ocean front property, which the company
expects to develop over the next 15 years.

Required
Write a report identifying the main risks to your company that you believe should be considered at
the next meeting of the risk assessment committee. Include risks to the company’s operations, assets,
finances, and personnel.

Audit Decision Cases


King Companies, Inc.
Questions C6.1 and C6.2 are based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. King Companies has gone from two auto parts stores to five stores in the last three years,
and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the
chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares
not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric
started the company with one store after working in an auto parts store. To date, he has funded growth
from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding
by opening three to five additional stores in the next few years.
In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an
annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this
year the audit has been requested by the company’s bank because of anticipated bank loans and by a new
private equity investor that has just acquired a 20% share of KCI.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery,
and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
Eric is focused on growing revenues. Patricia trusts the company’s employees to work hard for the
company, and she feels they should be rewarded well. The accounting staff, in particular, is very loyal
to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any
annual vacations and hardly any workers ever take sick leave.
There are two people currently employed as accounting staff, the most senior of whom is Jonathan
Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties
and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close
watch on accounting and does many activities himself including opening mail, cash receipts and vendor
payments, depositing funds received, performing reconciliations, posting journals, and performing the
payroll function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA
exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting
system. Jonathan and Abby often help each other out in busy periods.

C6.1  (LO 2, 3)  Challenging   Internal control components


a. Gather information: Explain how the internal control components are usually adjusted to meet the
needs of small entities. What advantages and disadvantages does this bring?
b. Analysis: Assess the control environment at KCI. What changes would you recommend?
c. Evaluation: Based on what you know about the accounting system, what recommendations would
you offer in terms of control activities?

C6.2  (LO 7)  Challenging   Communication with management  Conclusion: Write a management
letter to Eric and Patricia King and the board of directors. Address your findings, your recommendations,
and how you believe your recommendations would benefit the company.

Mobile Security, Inc.


Question C6.3 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products
are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military product
designs, both the facilities and records of MSI must be highly secured.
In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that
had been developed in-house. The old system could no longer keep up with the complex and detailed
manufacturing costing process that provides information to support competitive bidding. MSI’s IT department,
together with the consultants from the software company, implemented the new inventory
costing system which went live on December 1, 2022. Key operational staff and the internal audit team
from MSI were significantly engaged in the selection, testing, training, and implementation stages.
The inventory costing system uses various manufacturing costing and unit of production inputs to
calculate and produce a database of all product costs and recommended sales prices. It also integrates
with the general ledger each time there are product inventory movements such as purchases, sales, waste,
and damaged inventory losses.
It is now February 2023, and you are beginning the audit planning for the June 30, 2023, annual
financial statement audit. You are assigned to assess MSI’s IT controls with particular emphasis on the
recent implementation of the new inventory costing system.

C6.3  (LO 2, 3, 4)  Challenging   Public Company   Components of internal control  Analysis:
Explain how the external auditors would evaluate each of the following components with respect to the
new inventory costing system.
a. The control environment.
b. Management’s risk assessment process.
c. IT general controls.

Brookwood Pines Hospital


Question C6.4 is based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit
hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023
fiscal year end, and the audit is currently in the risk assessment phase.
The healthcare industry can be very complicated, especially in the area of billing for services provided.
BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing
staff to treat patients. The physicians in the private group are not employees of the hospital; they are
simply using the hospital facilities to treat patients. For example, a group of urologists have their own
practice, separate from the hospital, where they treat patients. If one of these patients needs a surgical
procedure that must be done at a hospital, then the attending urologist will approve the paperwork required
to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients
to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the
hospital for the doctors to use when they are treating patients in the hospital.

After the doctor and hospital services are provided to the patient, the patient and/or the patient’s
insurance company is billed. The doctor will bill for the services he or she provided, and the hospital
will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is
standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS.
Using a coding system is more efficient and data-friendly compared to writing a narrative about the
procedures performed. However, the coding system is very complex, with thousands of different codes
for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by
government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government
regulations surrounding billings to Medicare and Medicaid.
As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent
profitability. They look for ways to keep costs low and also to collect outstanding payments from patients
and insurance companies as quickly as possible. In addition, BPH must have a strong risk management
team to handle unique situations that may occur in hospitals such as malpractice lawsuits and periodic
inspections by the state regulators. Negative publicity for BPH could lead to decreased revenues if physicians
decide to contract with a competing hospital.

C6.4  (LO 2, 3, 4)  Challenging   Risk assessment and transaction-level controls

a. Gather information: You have been assigned to evaluate revenue from patients who are covered by
government-sponsored Medicare or Medicaid programs. What questions do you want to ask about
BPH’s risk assessment controls?
b. Analysis: Assume that you are focused on the occurrence of revenue recognized from patients who
are covered by government-sponsored Medicare or Medicaid programs. What controls do you expect
to be in place regarding this assertion?

Cloud 9 - Continuing Case


Sharon Gallagher and Josh Thomas have assessed the internal controls at Cloud 9 as being effective at an
entity level. This means that, at a high level, the company demonstrates an environment where potential
material misstatements are prevented or detected.
Answer the following questions based on the information presented for Cloud 9 in the appendix to this
text and the current and earlier chapters. You should also consider your answers to the case-study
questions in earlier chapters.

Required
You have been assigned the task of documenting the process for recording sales, trade receivables, and
cash receipt transactions for wholesale customers. In your absence, Josh met with the Cloud 9 controller,
Carla Johnson, and received permission to tape the interview, which is provided as a transcript (see the
appendix to this text). Using this interview transcript and other information presented in the case, you
are asked to:
a.  Prepare a flowchart, logic diagram, or narrative documenting your understanding of the revenue process
for wholesale sales from making sales to recording sales invoices in the general ledger.
b.  Identify any follow-up questions you should ask the client if aspects of the process are not adequately
explained. You could address such questions to Carla Johnson or any other employee you deem appropriate.
c.  For each assertion associated with recording wholesale revenue transactions, identify a control related
to that assertion. If no controls are identified, recommend a control for the assertion.
d.  Draw an overall conclusion about internal controls related to the recording of wholesale revenue
transactions.

Chapter 7
Audit Data Analytics
Special thanks to Dr. Adrian Gepp of Bond University, Queensland, Australia, for his invaluable
assistance in co-authoring this chapter.

[Figure: The Audit Process. Boxes in the flowchart, in order: Overview of Audit and Assurance (Chapter 1);
Professionalism and Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk
Assessment (Chapters 3 and 4); Gaining an Understanding of the Client; Identify Significant Accounts and
Transactions; Set Planning Materiality; Make Preliminary Risk Assessments; Gaining an Understanding of the
System of Internal Control (Chapter 6); Develop Responses to Risk and an Audit Strategy; Audit Evidence
(Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing
Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10); Auditing the Revenue
Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet
and Related Income Accounts (Chapter 13); Completing and Reporting on the Audit (Chapters 14 and 15);
Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting.]


Learning Objectives

LO 1 Explain the five-step process associated with planning, performing, and evaluating results from audit
data analytics.
LO 2 Apply steps associated with accessing and preparing data for audit data analytics.
LO 3 Explain how audit data analytics is used as a risk assessment procedure.
LO 4 Apply audit data analytics as a risk assessment procedure and evaluate the results.
LO 5 Explain how audit data analytics is used as a substantive test.
LO 6 Apply audit data analytics as a substantive test and evaluate the results.

Auditing and Assurance Standards

PCAOB
AS 1105 Audit Evidence

Auditing Standards Board
AICPA  Guide to Audit Data Analytics
AU-C 230 Audit Documentation
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 500 Audit Evidence

Cloud 9 - Continuing Case


Sharon Gallagher (audit manager) and Josh Thomas (audit senior) have just returned from an all-day staff
training session on audit data analytics (ADA). Josh asks Sharon, “Do you think using audit data analytics
would be an effective tool on the Cloud 9 audit? If so, where do you think we might implement audit data
analytics?” Sharon responds: “Why don’t we involve the entire audit team in a brainstorming session about
the use of audit data analytics. Everyone would benefit from this discussion.”
Later that week, Jo Wadley (audit partner), Sharon, Josh, Suzie Pickering (experienced audit staff), and
Ian Harper (new audit staff) met to discuss the application of ADA to the audit. They were joined by Mark
Batten, IT audit manager. They began by determining where ADA might be most effectively implemented in the
audit. They quickly listed accounts like accounts receivable, inventory, and payables to suppliers. At this
point, Jo stepped in and said, “We have to be more thoughtful about how we think about the uses of ADA. For
each of these accounts, what are the assertions where we might use data analytics as an audit tool? Once we
identify assertions where we think it might be cost-effective, we then need to think about the data that
might support our audit of those assertions. Is the client’s data reliable? Does the data need to be
cleaned? Let’s start by answering these questions.”

Chapter Preview: Audit Process in Focus


audit data analytics (ADA)  the science and art of discovering and analyzing patterns, identifying
anomalies, and extracting other useful information in data underlying or related to the subject matter of
an audit through analysis, modeling, and visualization for planning and performing the audit

This chapter addresses an emerging and quickly evolving audit topic—audit data analytics.
More and more audit clients have significant data in machine-readable form that the auditor
can interrogate to look for anomalies, unusual trends, or other information of interest to the
auditor. Today, tools at the audit team’s disposal allow the auditor to search a large database
for the “needle in the haystack.”
The AICPA Guide to Audit Data Analytics defines audit data analytics (ADA) as
“the science and art of discovering and analyzing patterns, identifying anomalies, and
extracting other useful information in data underlying or related to the subject matter of
an audit through analysis, modelling, and visualization for planning and performing the
audit.”1 Audit data analytics (ADA) is an additional tool available to the auditor that makes
the audit more effective given the right circumstances. In some audit applications, ADA may
replace a sampling technique, and in some audit applications it may not. This is discussed
further in Chapter 10.
In this chapter, we begin with an introduction to audit data analytics and a discussion
of the five-step process suggested in the AICPA Guide to Audit Data Analytics. Prior to considering
how to implement audit data analytics, the auditor uses his or her business acumen,
knowledge of the business and industry, and an understanding of the availability of relevant
and reliable data to evaluate where audit data analytics might be successful and cost-effective.
Next, the chapter explores issues associated with preparing the data for analysis. The auditor
needs to consider both the relevance and reliability of the data, just as in any other audit
test. In some cases, the auditor may need to take steps to prepare the data for analysis or consider
procedures needed to determine whether the data is sufficiently reliable for analysis.
The chapter then focuses on two areas in some depth, starting with the use of audit data
analytics as a risk assessment procedure. Here, the auditor focuses on identifying and assessing
the risk of material misstatement, whether due to error or fraud. Audit data analytics may effectively
identify subpopulations with a high risk of material misstatement. In this discussion,
we explain how the auditor may use various sorting and clustering techniques, regression
analysis, or various matching techniques to identify items with a high likelihood of material
misstatement. The chapter also discusses the risks and benefits of using visualization techniques
to analyze the risk of material misstatement.
Second, the chapter addresses using audit data analytics as a substantive test. In this section
of the chapter, we describe how the auditor might use audit data analytics to examine
100% of a population and identify misstatements in the population. This section also illustrates
a process of matching key information to identify revenue recognition problems, as well
as techniques for identifying duplicate payments to a vendor.

Steps in Performing Audit Data Analytics


Learning Objective 1
Explain the five-step process associated with planning, performing, and evaluating
results from audit data analytics.

Auditors have been using software-assisted audit techniques for some time to investigate client
databases and perform audit procedures. However, a recent review of big data in accounting and
finance revealed that auditing is lagging behind other disciplines in the use of data analytics, perhaps
due to a lack of policy guidance and related professional standards.2 In response, the
International Auditing and Assurance Standards Board now has a Data Analytics Working
Group. In 2017, the AICPA published the AICPA Guide to Audit Data Analytics. The following
year, the International Accounting Education Standards Board published an exposure draft
addressing updated learning objectives related to information and communication technologies
and professional skepticism. These learning objectives emphasize the overlap of skills related to:

•  Business acumen.
•  Behavioral competence.
•  Digital acumen.
•  Data interrogation, synthesis, and analysis.
•  Communication skills.

1 AICPA, Guide to Audit Data Analytics (AICPA: Durham, NC, 2017).
2 A. Gepp, M.K. Linnenluecke, T.J. O’Neill, and T. Smith, “Big Data Techniques in Auditing Research and
Practice: Current Trends and Future Opportunities,” Journal of Accounting Literature (2018), pp. 102–115.

Finally, the Big 4 firms all now have pages on their websites that promote their use of data analytics,
demonstrating an emphasis on utilizing ADA. Mid-sized firms are expanding their uses
of software-assisted audit techniques to include the regular use of ADA, and many smaller
audit firms are using various forms of ADA in current audits.
Data analytics is increasingly discussed in businesses, even at the board of directors’ level.
As clients continue to adopt data analytics in their business, they expect auditors to do the
same. Auditors need to understand ADA to have effective conversations with clients. Further,
auditors need to adopt ADA in the world of big data so they avoid information overload and
improve the quality of audit decisions. It is imperative for auditors to understand ADA and the
insights data analytics can provide.
Finally, simply utilizing a small team of data analysts is not recommended when attempting
to utilize ADA on a large scale and in new ways. Individuals with data analytics skills need to be
fully integrated with the rest of the audit team so new opportunities for risk analysis and substantive
testing can be identified and utilized. An understanding of what data analytics techniques
can offer audit firms is essential for every member of the audit firm that influences the audit.
The use of ADA is providing opportunities to rethink how an audit is performed. In some
ways, the audit does not change. The auditor must still audit the same assertions, must still
understand the business and industry, and must still understand an entity’s system of internal
control. However, ADA allows the auditor to rethink how risk is assessed and how substantive
tests might be performed.
Audit data analytics can be used at virtually any phase of the audit. ADA can be used as
a risk assessment tool, as a test of controls, as a test of details, or to help form a conclusion
regarding virtually any audit assertion. In this chapter, ADA is discussed in the contexts of a
risk assessment tool and as a substantive test of details.
As with all audit procedures, auditors must carefully plan the nature, timing, and extent
of ADA to be used for each client. In its Audit Guide for Audit Data Analytics, the AICPA outlines
a five-step process, shown in Illustration 7.1, to follow when planning, performing, and
evaluating results from ADA.

Illustration 7.1  Five-step process for planning and performing audit data analytics
Step 1: Plan the ADA
Step 2: Access and prepare the data for the ADA
Step 3: Consider the relevance and reliability of data used
Step 4: Perform the ADA
Step 5: Evaluate the results and conclude whether the purpose and specific objectives of performing
the ADA have been achieved

The following discussion addresses each of these steps in detail. The discussion of these
five steps will be illustrated in the context of auditing a retailer of consumer electronics and
appliances. Assume the client has a very heterogeneous inventory, and preliminary analytical
procedures indicate that in aggregate, inventory moves slower than the industry average. The
intent of the ADA is to analyze inventory turnover for each item in inventory (e.g., for each
SKU number) to determine if there is a problem with the net realizable value of inventory
(valuation and allocation assertion) as of the company’s fiscal year-end. Illustration 7.2
indicates the key characteristics of this ADA application.

Illustration 7.2  Overview of applying ADA when auditing a retailer of consumer electronics and appliances
Business Environment: Retailer of consumer electronics and appliances
Broad Concern for Risk of Material Misstatement:
•  Inventory moves slower than the industry average.
•  Inventory may be overstated. It may need to be written down to its net realizable value because of
obsolete or slow-moving items.
Financial Statement Account(s):
•  Inventory
•  Cost of Goods Sold
Assertion: Valuation of inventory at net realizable value
ADA Audit Objective: Gather evidence for risk assessment

Step 1: Plan the Audit Data Analytics


The typical starting point for ADA is good business acumen. An auditor needs to customize an
ADA application to an audit client. Analyzing inventory for a retailer of consumer electronics
and appliances will be entirely different from analyzing inventory for a construction company.
Therefore, the initial planning of where to use ADA may involve significant audit partner and
manager time, or it may be combined with a brainstorming session that involves all members
of the audit team.
In addition, the auditor needs to consider the availability of data to suit the auditor’s purpose.
In various medium-sized businesses, city and county governments, and not-for-profit
organizations, data may not be subject to a strong system of internal controls. As a result,
the data may be inaccurate and not well-suited for the ADA application. Illustration 7.3
outlines some key questions an audit team is likely to consider when planning an ADA
application.

Illustration 7.3  Key issues to consider when planning an ADA application
Key questions for an audit team to consider when planning an ADA application:
• What financial statement items, accounts, or disclosures and related assertions are being audited?
• What is the overall purpose of the ADA application and how will it contribute to the balance of
the audit? For example, is ADA being used as a risk assessment procedure or as a substantive
test?
• What is the audit population being analyzed or tested using ADA? The auditor should also
consider the relevance of the data to the audit assertion(s) being tested, and the availability
and reliability of the data.
• What ADA tool is best suited for the audit purpose? Here the auditor selects the techniques,
tools, graphics, tables or other analytical techniques to be used.

Initially, an audit staff member thought the audit team should determine inventory
turnover by comparing sales revenue for each item in inventory with the underlying cost of
each item in inventory. However, after discussing this approach with a colleague, the staff
member realized that the revenue includes a markup for gross margin, while the inventory
data is at cost. As a result, it would be like comparing apples with oranges. Further, the
client uses a perpetual inventory method and does not have cost of sales for each item in
inventory. The client does have data on the quantity of each item sold and the quantity and
location of each item in inventory. The audit team can calculate inventory turnover in days
by comparing quantities sold with quantities on hand. Internal controls over this data have
previously been tested as part of tests of controls, and the audit team assessed control risk
as low. The auditor is also satisfied with the quality of the company’s IT general controls.
In this example, the auditor wants to use ADA to combine the quantities at each location
and sort each SKU number by the number of days sales in inventory (comparing quantity sold
to quantity on hand). Once ADA has been used to develop an appropriate aging for each item,
the auditor will examine the slowest-moving inventory using traditional substantive tests to
determine whether a material amount of inventory may need to be written down to its net
realizable value.
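
The aging described above can be sketched in a few lines of Python. This is an added example, not part of the original text: the extracts are constructed sample data, and the field names, the 365-day period, the 60-day follow-up threshold, and the formula (quantity on hand × days in period ÷ quantity sold) are assumptions chosen for illustration.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample extracts (not client data). ON_HAND_CSV holds year-end
# quantities per SKU and location; SALES_CSV holds units sold in the year.
ON_HAND_CSV = """sku,location,qty_on_hand
TV-55-OLED,Store-01,12
TV-55-OLED,Store-02,8
TV-55-OLED,Warehouse,40
HDPH-BT-20,Store-01,30
HDPH-BT-20,Store-02,25
DVD-PLYR-9,Store-01,15
DVD-PLYR-9,Warehouse,85
WASH-FL-70,Warehouse,18
"""

SALES_CSV = """sku,qty_sold
TV-55-OLED,730
HDPH-BT-20,4015
DVD-PLYR-9,0
WASH-FL-70,73
"""

PERIOD_DAYS = 365     # assumption: the sales extract covers a full fiscal year
THRESHOLD_DAYS = 60   # assumption: hypothetical cut-off for follow-up testing


def combine_on_hand(on_hand_csv):
    """Sum the year-end quantity on hand across all locations for each SKU."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(on_hand_csv)):
        totals[row["sku"]] += int(row["qty_on_hand"])
    return dict(totals)


def load_quantities_sold(sales_csv):
    """Return units sold in the period, keyed by SKU."""
    reader = csv.DictReader(io.StringIO(sales_csv))
    return {row["sku"]: int(row["qty_sold"]) for row in reader}


def days_sales_in_inventory(qty_on_hand, qty_sold, period_days=PERIOD_DAYS):
    """Days needed to sell the quantity on hand at the period's sales rate.

    An item with stock on hand and no sales never clears at the observed rate,
    so it is reported as infinite and sorts as the slowest mover.
    """
    if qty_sold <= 0:
        return math.inf
    return qty_on_hand * period_days / qty_sold


def age_inventory(on_hand_csv, sales_csv, threshold_days=THRESHOLD_DAYS):
    """Rank every SKU held at year-end from slowest- to fastest-moving."""
    on_hand = combine_on_hand(on_hand_csv)
    sold = load_quantities_sold(sales_csv)
    aging = []
    for sku, qty in on_hand.items():
        # A SKU missing from the sales extract is treated as having no sales.
        qty_sold = sold.get(sku, 0)
        days = days_sales_in_inventory(qty, qty_sold)
        aging.append({
            "sku": sku,
            "qty_on_hand": qty,
            "qty_sold": qty_sold,
            "days": days,
            "follow_up": days > threshold_days,
        })
    aging.sort(key=lambda item: item["days"], reverse=True)
    return aging


if __name__ == "__main__":
    for item in age_inventory(ON_HAND_CSV, SALES_CSV):
        flag = "FOLLOW UP" if item["follow_up"] else ""
        print(f'{item["sku"]:<12}{item["qty_on_hand"]:>6}{item["days"]:>10.1f}  {flag}')
```

The items flagged for follow-up are the ones the auditor would carry into the traditional substantive tests of net realizable value.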

Step 2: Access and Prepare the Data for Audit Data Analytics

Once the auditor has planned the ADA application, the auditor must access the data, make a
copy of the client’s data, and prepare the data for analysis. Illustration 7.4 lists some key questions
that the auditor should consider when preparing data for analysis. This topic is discussed
in detail in this chapter’s section “Steps Associated with Accessing and Preparing Data for Audit
Data Analytics.”

Illustration 7.4  Key issues to consider when preparing data for ADA
Is the data complete?
• Does the data agree with the general ledger and the financial statements?
• The auditor should check the numerical continuity of the data. Are there missing numbers (e.g.,
missing numbers in the sequence of invoices)?
Does the data need to be cleaned?
• Are there fields with missing data?
• Is the data appropriately and consistently formatted?

In our example of the audit of a consumer electronics and appliances retailer, the auditor,
in investigating inventory turnover, will want to ensure that ending inventory quantities match
ending inventory used to prepare the financial statements. The auditor will also want to test the
completeness of the data regarding inventory sold. Finally, the auditor needs to make sure that
information about inventory SKU numbers and inventory quantities is in a consistent format,
and that there are no fields with missing data.
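
The checks in Illustration 7.4 can be run over a copy of the client's extract before any analysis starts. The following Python sketch is an added example, not part of the original text: the sales extract is constructed sample data, and the field names, the SKU layout, and the general ledger control total of 25 units are assumptions.

```python
import csv
import io
import re

# Constructed sales extract (not client data). Invoice 10004 is absent, one SKU
# is in lower case, one quantity is empty, and one quantity carries a unit.
SALES_EXTRACT = """invoice_no,sku,qty_sold
10001,TV-55-OLED,2
10002,HDPH-BT-20,5
10003,hdph-bt-20,1
10005,DVD-PLYR-9,
10006,WASH-FL-70,12 ea
10007,TV-55-OLED,3
"""

GL_UNITS_SOLD = 25  # assumption: constructed control total from the general ledger

# Assumed layout rules for this illustration, not a client specification.
FIELD_FORMATS = {
    "invoice_no": re.compile(r"\d+"),
    "sku": re.compile(r"[A-Z]+(-[A-Z0-9]+)+"),
    "qty_sold": re.compile(r"\d+"),
}


def load_rows(extract):
    """Parse the extract, trimming whitespace and mapping absent cells to ''."""
    reader = csv.DictReader(io.StringIO(extract))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def missing_sequence_numbers(rows):
    """Numerical continuity: invoice numbers absent between the first and last."""
    numbers = {int(r["invoice_no"]) for r in rows
               if FIELD_FORMATS["invoice_no"].fullmatch(r["invoice_no"])}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def field_exceptions(rows):
    """List (invoice_no, field, problem) for empty or inconsistently formatted cells."""
    exceptions = []
    for row in rows:
        for field, pattern in FIELD_FORMATS.items():
            value = row.get(field, "")
            if not value:
                exceptions.append((row["invoice_no"], field, "missing"))
            elif not pattern.fullmatch(value):
                exceptions.append((row["invoice_no"], field, "format"))
    return exceptions


def prepare_for_ada(extract, control_total):
    """Run the completeness and cleaning checks and summarize the result."""
    rows = load_rows(extract)
    gaps = missing_sequence_numbers(rows)
    exceptions = field_exceptions(rows)
    # Only quantities that parse cleanly can be agreed to the control total.
    extract_total = sum(int(r["qty_sold"]) for r in rows
                        if FIELD_FORMATS["qty_sold"].fullmatch(r["qty_sold"]))
    difference = control_total - extract_total
    return {
        "missing_invoices": gaps,
        "field_exceptions": exceptions,
        "extract_total": extract_total,
        "difference": difference,
        "ready": not gaps and not exceptions and difference == 0,
    }


if __name__ == "__main__":
    for key, value in prepare_for_ada(SALES_EXTRACT, GL_UNITS_SOLD).items():
        print(f"{key}: {value}")
```

An extract that fails any of these checks is not ready for the ADA: the gaps and exceptions are followed up with the client, and the difference to the control total is explained, before the data is used.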

Step 3: Consider the Relevance and Reliability of the Data Used

The question of relevance and reliability of the data should be addressed as part of any audit
test. For example, AU-C 500 (.A29 and .A31) suggests that the auditor consider the following
items when evaluating the relevance of information.

•  A given set of procedures may provide audit evidence that is relevant to certain assertions
but not to others.
•  Designing substantive procedures includes identifying conditions relevant to the purpose
of the test that constitute a misstatement in the relevant assertion.

It is particularly important that the data be relevant to the assertion being tested. The data
that will help the auditor determine that all transactions are recorded (completeness) is not
the same data that will help the auditor determine that recorded transactions are valid (occurrence).
Further, the mere fact that the data set agrees to the general ledger does not mean that
the data set is complete. Transactions may be missing from both the data set and the general
ledger.
As discussed in Chapter 5, AU-C 500.A32 provides the following guidance regarding the
reliability of the data.

•  The reliability of audit evidence is increased when it is obtained from independent
sources outside the entity.

•  The reliability of audit evidence that is generated internally is increased when the related
controls imposed by the entity, including those over its preparation and maintenance, are
effective.
•  Audit evidence obtained directly by the auditor (for example, observation of the application
of a control) is more reliable than audit evidence obtained indirectly or by inference
(for example, inquiry about the application of a control).
•  Audit evidence in documentary form, whether paper, electronic, or other medium, is
more reliable than evidence obtained orally (for example, a contemporaneously written
record of a meeting is more reliable than a subsequent oral representation of the matters
discussed).
•  Audit evidence provided by original documents is more reliable than audit evidence
provided by photocopies, facsimiles, or documents that have been filmed, digitized, or
otherwise transformed into electronic form, the reliability of which may depend on the
controls over their preparation and maintenance.

In AS 1105 Audit Evidence, the PCAOB provides similar guidance.


It is particularly important for the auditor to understand internal controls over the data
set. If internal controls are weak, the data set may contain misstatements and inaccuracies,
or the data may be incomplete. The auditor may need to consider whether the data set should
be subjected to audit procedures to verify the data before using it to draw an audit conclusion.
On the other hand, the auditor is likely to feel more comfortable using data that comes from a
strong system of internal controls, and the controls provide some validation of the reliability
of the data set.
In the example involving the audit of an electronics and appliances retailer, where the
auditor wants to use ADA to compare quantities on hand to quantities sold for each item in
inventory, the auditor will test the internal controls over the inventory system, and how the
inventory system interacts with the purchases system and the sales system. The auditor will
want to know that the client regularly tests inventory on hand against the perpetual inventory,
purchases of inventory with the quantities received, and sales of inventory with shipping
records.
In situations where the auditor obtains electronic data from outside the entity, the
auditor should also consider the reliability of the data. While information that comes
from an independent source is normally more reliable than information obtained inside
the entity, the auditor still needs to evaluate the quality of electronic information obtained
from outside the entity. For example, say your client is an independent grocery chain that
purchases liquor from the state. While the liquor inventory is “purchased” from the state,
it goes to the warehouse of an independent third party and does not become the grocer’s
inventory until it leaves the warehouse and is shipped to a retail grocery outlet. It is important
for the auditor to understand the system of control at the independent warehouse
company.

Step 4: Perform the Audit Data Analytics


At Step 4, the auditor executes the ADA. This is discussed in considerable detail in the sections
“Applying Audit Data Analytics as a Risk Assessment Procedure” and “Applying Audit Data
Analytics as a Substantive Test.”
In the example of a retailer of consumer electronics and appliances, assume the auditor
determines that the inventory quantities on hand in the electronic file agree to the quantities used
to prepare the financial statements, and the auditor has reliable data about the quantity of each
item sold from the revenue system. Next, the auditor uses ADA to screen out items that have been
discontinued during the year, so the auditor is analyzing data on inventory for all items in inventory
on hand in any location at year-end. The auditor then uses ADA to calculate the inventory
turnover in days for each item in inventory [(Inventory Quantity ÷ Inventory Sales) × 365]. The
inventory is grouped into deciles, or groups of approximately 10% of the inventory. The results are
shown in Illustration 7.5.

Illustration 7.5   ADA ranking of inventory by decile groups of how long it should take to sell the existing inventory

Quantity    Quantity    % of Inventory    Days to Sell
Sold        on Hand     on Hand           Decile Group*
  6,954       6,667      10%              349.9
  9,023       6,682      10%              270.3
 22,523       6,720      10%              108.9
 25,047       6,680      10%               97.3
 29,953       6,703      10%               81.7
 39,602       6,685      10%               61.6
 51,500       6,710      10%               47.6
 58,201       6,690      10%               42.0
 65,318       6,705      10%               37.5
100,385       6,755      10%               24.6

408,506      66,997     100%

* Estimate of how long it will take to sell each decile group of existing inventory, in days.

Aggregate inventory turnover is 59.9 days.

Step 5: Evaluate the Results and Draw Conclusions

Finally, Step 5 involves evaluating the results provided by the ADA. On average, this retailer
of consumer electronics and appliances is able to turn over its inventory about every 60 days
(59.9), which is fairly standard for the industry. However, inventory turnover in days for this
company is very heterogeneous. The fastest 20% of the inventory turns over every 37.5 days
or less. On the other hand, the slowest-moving 20% of the inventory takes 270 days or more
to sell. This means it takes over nine months to sell 20% of the inventory, and almost all year
(349.9 days) to sell 10% of the inventory on hand at year-end.
The next step is to look at the underlying cost of the inventory on hand. The analysis
performed above only looked at inventory quantities. The analysis will be more meaningful if
dollar values are associated with each stratum of inventory. Illustration 7.6 shows the cost
associated with each inventory item, the cost of the total inventory, and the cost of goods sold
from the unaudited financial statements.

Illustration 7.6   ADA ranking of inventory by decile groups including the cost of inventory on hand

Quantity    Quantity    % of Inventory    Days to Sell     Cost of Inventory    % of Inventory    Cumulative
Sold        on Hand     on Hand           Decile Group*    on Hand              Value             %
  6,954       6,667      10%              349.9             $7,947,064          16.4%              16.4%
  9,023       6,682      10%              270.3             $6,334,536          13.1%              29.5%
 22,523       6,720      10%              108.9             $5,591,040          11.5%              41.0%
 25,047       6,680      10%               97.3             $4,883,080          10.1%              51.1%
 29,953       6,703      10%               81.7             $5,536,678          11.4%              62.5%
 39,602       6,685      10%               61.6             $4,973,640          10.3%              72.8%
 51,500       6,710      10%               47.6             $4,623,190           9.5%              82.3%
 58,201       6,690      10%               42.0             $3,652,740           7.5%              89.8%
 65,318       6,705      10%               37.5             $3,345,795           6.9%              96.7%
100,385       6,755      10%               24.6             $1,587,425           3.3%             100.0%

408,506      66,997     100%               59.9            $48,475,188         100%

* Estimate of how long it will take to sell each decile group of existing inventory, in days.

Cost of goods sold per unaudited financial statements    $232,541,934
Estimated number of days to sell inventory               76.1

Analysis of this information shows that the 20% of inventory that takes over 270 days to sell
represents almost 30% of the cost of inventory (29.5%). When the auditor calculates the average
number of days to sell inventory based on the financial statements (using dollars instead of
quantities), it calculates 76.1 days compared to 59.9 days. On one hand, the client’s inventory
may just turn over slowly. On the other hand, the client may need to mark down inventory
in order to sell it. It is possible that the audit client has a lower-of-cost-or-net-realizable-value
problem with inventory. The next step for the auditor will be to compare the cost of items in
inventory with the evidence of what that inventory has sold for to determine if there is a net
realizable value problem with inventory. Given that almost 30% of the dollar value of inventory
is very slow-moving, the auditor needs to investigate this issue further.
The auditor also needs to evaluate the client’s past experience selling inventory and the
underlying business model. If the client has a history of taking significantly longer to sell
high-priced goods but gets a better margin on those items when they do sell, net realizable
value may not be a problem. However, if the client has ventured into selling higher-cost and
higher-priced items for the first time, and those items are not selling in the client’s market,
it is more likely that a write-down of inventory to its net realizable value is necessary. This is
where the auditor’s business acumen and experience, both with the audit client and with the
client’s industry, becomes so important.

Audit Documentation
Recall from Chapter 5 that AU-C 230.08 states that the auditor should prepare audit documentation
that is sufficient to enable an experienced auditor, having no previous connection with
the audit, to understand (a) the nature, timing, and extent of the audit procedures performed
to comply with GAAS and applicable legal and regulatory requirements; (b) the results of the
audit procedures performed, and the audit evidence obtained; and (c) significant findings or
issues arising during the audit, the conclusions reached thereon, and significant professional
judgments made in reaching those conclusions.
Paragraph 1.51 of the AICPA Guide to Audit Data Analytics suggests that the documentation
of ADA might include the following:

•  Objectives of the procedure.
•  Risks of material misstatement that the procedure intended to address at the financial
statement level or at the assertion level.
•  The sources of the underlying data and how it was determined to be sufficient and appropriate
(as necessary in the context of the nature and objectives of the ADA being performed).
•  The ADA and related tools and techniques used.
•  The tables or graphics used, including how they were generated.
•  The steps taken to access data, including the system accessed and, when applicable, how
the data was extracted and transformed for audit use.
•  The evaluation of matters identified as a result of applying the ADA and actions taken
regarding those matters.
•  The identifying characteristics of the specific items or matter tested.
•  The individual who performed the audit work and the date such work was completed.
•  The individual who reviewed the audit work performed and the date and extent of such
review.

The discussion in the AICPA Guide to Audit Data Analytics also states that GAAS do not require,
and it may not be practicable, to include in the audit file all the data analyzed or tested
using an ADA audit procedure (paragraph 1.50). The illustrations used in this chapter provide
partial examples of what might be documented in an audit file. They are not intended to provide
complete examples of the documentation that might be created in an audit file.

Professional Environment  Personal Views on the Use of Technology in Audits

Melanie McLaren, Executive Director of the Financial Reporting Council (FRC) in the United
Kingdom, noted that in 2015 the FRC observed the use of data analytics in only 16 of 109
inspected audits. However, the FRC expects the use of audit data analytics to increase. In
these 16 inspected audits, the FRC observed the following use of data analytics:

•  Analysis of all transactions in a population, stratifying that population and identifying
outliers for further examination.
•  Reperformance of calculations relevant to the financial statements.
•  Matching transactions as they pass through a processing cycle.
•  Assisting in segregation of duties testing.
•  Comparing entity data to externally obtained data.
•  Manipulating data to assess the impact of different assumptions.

In addition, the FRC noted the following benefits of the use of audit data analytics:

•  Deepened the auditor’s understanding of the entity.
•  Facilitated the focus of audit testing on areas of highest risk through stratification of
large populations.
•  Aided in the exercise of professional skepticism.
•  Improved the consistency and central oversight of group audits.
•  Enabled the auditor to perform tests on large or complex datasets where a manual approach
would not be feasible.
•  Improved audit efficiency.
•  Assisted in identifying instances of fraud.
•  Enhanced communications with audit committees.

Source: Melanie McLaren, “Developments in Technology and Data Analytics,” Speech delivered at
the PCAOB International Institute Panel Discussion (December 8, 2017).

Cloud 9 - Continuing Case

After some discussion, the Cloud 9 audit team decided they might use ADA to look at the
collectibility of receivables. The intent is to identify specific customers with past due
balances. Cloud 9 has a relatively low allowance for doubtful accounts. Is management’s
assessment justified?
The Cloud 9 audit team also thought that they might look at purchases to do a triple match of
items ordered, items received, and items recorded as liabilities. Preliminary analytical
procedures show that accounts payable turnover in days has declined, so a careful look at
transactions might help identify potential problems. Mark then brought up a key issue. How good
is the client’s data? Is it reliable? Sharon responded that internal controls appeared to be
strong at Cloud 9, and the audit team was just beginning to perform tests of controls. The team
decided the next step was to look carefully at the data that might be used to perform these
audit tests. Then, they would meet again to discuss the application of ADA in the Cloud 9 audit.

Before You Go On
1.1  Explain each of the five steps associated with performing audit data analytics.
1.2 Develop two examples where client data might not be ready to use for audit data analytics. In
each instance, suggest a strategy to correct the deficiencies.
1.3 In the inventory turnover example for a retailer of consumer electronics and appliances
discussed in the chapter, what is the red flag in the data showing that there might be a net
realizable value problem?

Steps Associated with Accessing and Preparing Data for Audit Data Analytics

Learning Objective 2
Apply steps associated with accessing and preparing data for audit data analytics.

Before using client data for audit data analytics, the auditor needs to address several issues. First,
the auditor needs to make a copy of the client’s data for purposes of the auditor’s analysis. The
auditor should never perform any functions or procedures that would modify or change the
client’s actual data. All analysis should be done on a copy of the client’s data. Next, the auditor
needs to determine if the data obtained from the client is complete. The auditor also needs to
determine if the data is in a consistent format and whether it needs to be cleaned before it can
be used. Finally, the auditor must evaluate the relevance and reliability of the client’s data before
it is ready to be used for audit data analytics. These topics are discussed in more detail below.

Is the Data Complete?


There are several questions the auditor wants to ask about the underlying completeness of the
data set to be used for ADA. First, when appropriate, the auditor should determine if the data
set agrees with the general ledger. If the auditor is auditing an accounts receivable file, the
auditor will want to make sure the receivable file matches the general ledger as of the date of
the test. Sometimes, the accounting department may run the general ledger off a different set
of parameters than, for example, individuals in a sales office or another part of the organization
that may use a preconfigured report. If the auditor runs an ADA application without first
reconciling the data to the general ledger, the auditor may identify anomalies only because
the data is incomplete. The analysis of an incomplete data file may be both inefficient and
ineffective.
Second, the auditor should determine if there are gaps in the sequence of prenumbered
documents in the audit file. If the auditor is auditing revenues and identifies gaps in the sequence
of prenumbered sales invoices, the auditor may be facing a completeness problem, even if the
file reconciles with the general ledger. Alternatively, if the auditor identifies duplicate invoice
numbers, this may reveal the possibility of occurrence problems with recorded revenues.
Similarly, data may be incomplete if it does not contain key elements of the analysis, such
as unique ID numbers for personnel when auditing payroll-related applications, or unique
customer numbers when auditing receivables. In another example, when combining data associated
with a global entity, the auditor needs to make sure all desired fields are complete
across the entire organization. If a geographic division is unable to provide data fields consistent
with other geographic areas, it might cause problems in the auditor’s ADA application.
Finally, the auditor must consider the purpose of the ADA application. For example, the
auditor might be auditing the data given to an actuary for purposes of developing an estimate of
pension obligations. In this example, the auditor might be given W-2 wages, but this may be different
from pensionable wages. Pensionable wages may include nonmonetary compensation that
might not be included in W-2 wages. Therefore, the auditor needs to be knowledgeable about the
purpose of the ADA application and be able to assess the completeness of the data received from
the client. Incomplete data will make the ADA application inefficient and possibly ineffective.

Does the Data Need to Be Cleaned?


Once the auditor has determined that the data is complete and available for all desired fields,
the auditor must also make sure that the data is clean and ready for analysis. A common
problem with multinational organizations is recording dates in different formats. Some parts
of the world record dates as month/day/year, while other parts of the world use a format
of day/month/year. The date 10/4/22 in Australia would be the same as 4/10/22 in the
United States. Dates must be in a consistent format before the auditor can begin the ADA
application.
Also, data problems may arise when the auditor compares data over several years. Key
identifiers such as customer or employee numbers should not change from year to year. If an
existing customer number is taken from an old customer that no longer does business with
the company and is assigned to a new customer, it may cause problems with the underlying
analysis.
It is common for data problems to arise when a company acquires another company.
When a new company is acquired, there is frequently a period of transition and integration
of accounting and IT systems when different formats are introduced. The acquired subsidiary
may not have data fields that are consistent with the parent company, and it may take time
to migrate the acquired company onto the parent’s accounting system. Auditors should also
be alert to problems that may arise if a subsidiary company outsources part of its accounting
system to an external service provider (such as an external payroll service). Finally, the auditor
should be alert to similar problems that arise when an entity, of its own volition, transitions
from one accounting system to another. These are common problems that may require the
auditor to take extra care in ensuring the data is clean and in a consistent format across the
entire ADA application.
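
The completeness and cleaning checks described in the two sections above, as an added Python example that is not part of the textbook. The invoice extract, the general ledger balance, the per-region date formats, and all function names are constructed for illustration; the extract is built so that it reconciles to the ledger while still containing sequence gaps, a duplicate invoice number, and an impossible date.

```python
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Constructed extract: (invoice number, source region, date as exported, amount).
EXTRACT = [
    (1001, "US", "4/10/22", "250.00"),
    (1002, "AU", "10/4/22", "1200.50"),   # same calendar day as invoice 1001
    (1004, "US", "4/11/22", "89.99"),
    (1005, "AU", "12/4/22", "430.00"),
    (1005, "AU", "12/4/22", "430.00"),    # duplicate invoice number
    (1008, "AU", "31/4/22", "75.25"),     # impossible date (April has 30 days)
]
GL_REVENUE = Decimal("2475.74")  # constructed general ledger balance
DATE_FORMATS = {"US": "%m/%d/%y", "AU": "%d/%m/%y"}  # assumed export format per region


def normalize(extract, formats=DATE_FORMATS):
    """Build a working copy with ISO dates (None when unparseable) and Decimal amounts."""
    rows = []
    for number, region, raw_date, amount in extract:
        try:
            iso = datetime.strptime(raw_date, formats[region]).date().isoformat()
        except (KeyError, ValueError):
            iso = None  # unknown region or invalid date: follow up, do not guess
        rows.append({"number": number, "date": iso, "amount": Decimal(amount)})
    return rows


def gl_difference(rows, gl_balance):
    """Extract total minus general ledger balance; zero means the file reconciles."""
    return sum((r["amount"] for r in rows), Decimal("0")) - gl_balance


def sequence_gaps(numbers, expected_first=None, expected_last=None):
    """Return inclusive (start, end) ranges of document numbers that never appear."""
    seen = sorted(set(numbers))
    start = expected_first if expected_first is not None else (seen[0] if seen else None)
    end = expected_last if expected_last is not None else (seen[-1] if seen else None)
    if start is None or end is None:
        return []
    gaps, cursor = [], start
    for n in seen:
        if n < start or n > end:
            continue
        if n > cursor:
            gaps.append((cursor, n - 1))
        cursor = n + 1
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps


def duplicate_numbers(numbers):
    """Document numbers that appear more than once."""
    return sorted(n for n, count in Counter(numbers).items() if count > 1)


def preparation_report(extract, gl_balance):
    """Run every check on the working copy, never on the client's original data."""
    rows = normalize(extract)
    numbers = [r["number"] for r in rows]
    return {
        "gl_difference": gl_difference(rows, gl_balance),
        "gaps": sequence_gaps(numbers),            # possible completeness problem
        "duplicates": duplicate_numbers(numbers),  # possible occurrence problem
        "date_problems": [r["number"] for r in rows if r["date"] is None],
    }


if __name__ == "__main__":
    for key, value in preparation_report(EXTRACT, GL_REVENUE).items():
        print(f"{key}: {value}")
```

A zero `gl_difference` alongside non-empty `gaps` and `duplicates` is the situation the text warns about: agreement with the general ledger does not by itself show that the file is complete.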

Key Questions to Be Addressed in Evaluating the Relevance and Reliability of Data Used in Audit Data Analytics

The auditor determines the relevance of the data by the audit question or assertion being
audited; the data must be relevant to the assertion or audit question. Further, the auditor
should be open to evaluating anomalies that may relate to an assertion that the auditor may
not be looking for. For example, the auditor may be planning a test of revenue recognition. In
the process, the auditor reconciles total revenues to the general ledger and then finds gaps in
the numeric sequence of sales invoices. This leads the auditor to discover a problem with the
completeness of revenues. The auditor should always evaluate evidence with a questioning
mind and an attitude of professional skepticism.
When evaluating the reliability of data, the AICPA Guide for Audit Data Analytics suggests
the following key questions the auditor should address:

•  What is the nature of the data? For example, is it financial or nonfinancial? Is it economic
or business sector data? Is it original data or summarized data?
•  What is the source of the data? For example, does it come from the client’s accounting
system? Is it internal or external data?
•  What is the process used to produce the data? For example, is the data subject to the
entity’s system of internal control over financial reporting (ICFR)?
•  What matters might the auditor consider in determining the nature, timing, and extent
of procedures to perform regarding whether the data is sufficiently reliable? For example,
will tests of controls confirm that the controls over data reliability are strong?
Alternatively, have substantive tests already been performed that may indicate that the data is
reliable?
•  What procedures regarding data reliability will the auditor consider performing? For
example, when auditing revenues, the auditor will often perform a test of missing invoice
numbers or breaks in the prenumbered sequence. The auditor might also look for duplicate
invoice numbers.

The AICPA Guide for Audit Data Analytics also provides some examples of how the
auditor might document the answers to these questions. Illustration 7.7 provides an example
of this documentation in the context of the ADA inventory application shown in
Illustration 7.6.

Illustration 7.7   Documenting the reliability of data used in audit data analytics: An inventory illustration

Nature of the data:
    Data on quantities of inventory on hand and quantities of inventory sold.

Source of the data:
    The data comes from the company’s inventory system.

Process used to produce the data:
    Data is produced by the client’s inventory management system, which interacts with
    the purchases of inventory (purchases process) and sale of inventory (revenue process).
    The company tests inventory on hand through a process of cycle counts. Quantities of
    purchases and sales are reviewed by purchasing managers and sales staff.

Matters the auditor might consider in determining the nature, timing, and extent of procedures
to perform regarding whether data is sufficiently reliable:
    The audit team tested internal controls over cycle counts and inventory quantities
    and found the controls effective. Controls over purchases and sales were also found
    to be effective.

Procedures regarding data reliability an auditor may consider performing:
    This is a planned risk assessment procedure. Based on tests of controls, the data is
    considered reliable for identifying slow-moving items in inventory that may be at
    risk of being written down to net realizable value. In addition, audit team members
    will talk with inventory managers about slow-moving inventory as part of inventory
    observation procedures.

Cloud 9 - Continuing Case

Sharon, Josh, and Mark are talking about using data analytics to test the aging of accounts
receivable and evaluate net realizable value of receivables. They have determined that they
need to know beginning receivables, all sales transactions, and all cash receipts on account
for the entire year, as well as any sales adjustment transactions. All of the information
should come out of the revenue process for Cloud 9. Sharon’s first question relates to the
merger with McClellan’s Shoes in 2021. “I just want to confirm our understanding that
McClellan’s operations have been fully integrated with Cloud 9’s operations and we are only
running one accounting system.” Josh confirms that that is his understanding. “Thank goodness!”
he says. “I would not like to run ADA and have to combine two accounting systems to get the
needed data.” However, Mark makes a note to double-check, as tests of controls still need to
be performed.
Mark then asks, “Cloud 9 sells on a global scale. When Cloud 9 sells to British Commonwealth
and European countries, do they change the format of the dates on sales invoices?” Josh
responds that he has asked questions about this; the electronic file is all in one format:
day/month/year. However, depending on the customer code, the date may print out on the invoice
as month/day/year. From Josh’s understanding, the electronic file has dates in a single format.
Mark is pleased that Josh has asked this level of detailed questions in understanding the
system. Mark then states, “Let’s get the data from the client and then take a close look at it.
Before we proceed with the analysis, we need to make sure the data is clean and in a
consistent format.”

Before You Go On
2.1  Develop two examples of how an auditor might obtain an incomplete data set.
2.2 Develop two examples of a data set that needs to be cleaned before it is ready for an ADA
application.
2.3  Describe how the auditor evaluates the relevance of a data set for an ADA application.
2.4  List five key questions that help the auditor in evaluating the reliability of a data set for ADA.

Using Audit Data Analytics as a Risk Assessment Procedure


Learning Objective 3
Explain how audit data analytics is used as a risk assessment procedure.

AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement defines risk assessment procedures as “audit procedures performed to obtain
an understanding of the entity and its environment, including the entity’s internal control,
to identify and assess the risk of material misstatement, whether due to error or fraud, at the
financial statement level and relevant assertion levels.” Often when performing ADA as a risk
assessment procedure, the auditor will have first obtained an understanding of the entity and
its environment because it takes a significant understanding of the entity to identify misstatements
and anomalies. It is also likely that the auditor has obtained an understanding of the
system of internal control, and perhaps performed tests of controls, to assess the reliability of
data used in performing ADA.

Understanding the Risk Analysis Decision Tree


ADA is effective not only for identifying general types of misstatements but also for identifying specific
transactions or accounts that are likely to be misstated. Consider the thought process outlined
in Illustration 7.8. The following discussion will illustrate this thought process in the context of
the inventory example presented in Illustration 7.6.

Illustration 7.8   Risk analysis decision tree

[Figure: decision tree set within an environment of professional skepticism.
Population
  -> Fits the auditor’s expectation
  -> Does not fit the auditor’s expectation
       -> Acceptable variation from the auditor’s expectation
       -> Unacceptable variation from the auditor’s expectation
            -> Remote probability of aggregating to a material misstatement
            -> Reasonable possibility of aggregating to a material misstatement]

In this example, the population is inventory on hand, and the auditor is focused on determining
if there is a net realizable value problem with inventory. The auditor has obtained
data on inventory quantities on hand for each item in inventory, as well as the quantities of inventory
sold during the year. Using this data, the auditor has ordered items in inventory from
the fastest-moving inventory to the slowest-moving inventory. The auditor must then decide
what constitutes a “slow-moving item” that represents a net realizable value problem. In other
words, which items in inventory are outside the auditor’s expectation in the context of inventory
turnover? The auditor must use his or her business acumen, knowledge of the business,
and knowledge of the industry and economy in which the audit client operates.
The auditor might know that on average it takes 90 days for a retailer of consumer electronics
and appliances to sell inventory, and that some inventory regularly turns more slowly
than every 90 days. As a result, the audit team plans to pay particular attention to inventory
if there is more than a 120-day supply of inventory on hand. In the context of Illustration 7.8,
the auditor might conclude that any inventory items with more than a 120-day supply of
inventory on hand initially do not fit the auditor’s expectation.
However, the auditor might also know that some items in inventory regularly take more
than 120 days to sell. For example, the client may make a business decision to carry items that
are high-price and high-margin, but on average turn over only twice a year, or every 180 days.
Based on prior evidence and the auditor’s experience, these items do not represent a net realizable
problem with these particular products. Therefore, these would be acceptable variations
from what the auditor expects.
Ultimately, the auditor must determine the items in inventory that represent an unacceptable
variation from the client’s experience and the auditor’s expectations (e.g., items where
there is a significant risk of net realizable value issues). The auditor pays particular attention
to inventory where changes in technology might result in an oversupply of inventory that will
likely need to be marked down. Alternatively, the client may have overestimated the demand
for a particular product, and the inventory will need to be marked down significantly in order
to sell that inventory on hand. The auditor might choose to look at sales of these items after
year-end to evaluate the client’s ability to reduce its inventory of slow-moving items without
incurring a loss. At this point, the auditor will engage in traditional audit tests of these high-risk
items to determine if it is reasonably possible that a material misstatement exists with
respect to the net realizable value of inventory.
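
The turnover arithmetic behind Illustrations 7.5 and 7.6 and the decision tree of Illustration 7.8, as an added Python example that is not part of the textbook. The decile figures and the 120-day and 180-day values come from the chapter; the item-level SKUs, the `KNOWN_SLOW` table of items accepted as slow-turning, and all function names are constructed for illustration.

```python
import math

DAYS_IN_YEAR = 365
# Decile rows from Illustration 7.6: (quantity sold, quantity on hand, cost on hand in dollars).
DECILES = [
    (6_954, 6_667, 7_947_064),
    (9_023, 6_682, 6_334_536),
    (22_523, 6_720, 5_591_040),
    (25_047, 6_680, 4_883_080),
    (29_953, 6_703, 5_536_678),
    (39_602, 6_685, 4_973_640),
    (51_500, 6_710, 4_623_190),
    (58_201, 6_690, 3_652_740),
    (65_318, 6_705, 3_345_795),
    (100_385, 6_755, 1_587_425),
]
COGS_UNAUDITED = 232_541_934  # cost of goods sold per unaudited financial statements


def days_to_sell(on_hand, sold):
    """(On hand / sold) x 365; stock with no sales at all never clears."""
    if sold <= 0:
        return math.inf if on_hand > 0 else 0.0
    return on_hand / sold * DAYS_IN_YEAR


def decile_report(deciles=DECILES):
    """Days to sell, cost share and cumulative cost share (percent) per decile."""
    total_cost = sum(cost for _, _, cost in deciles)
    report, running = [], 0
    for sold, on_hand, cost in deciles:
        running += cost
        report.append({
            "days": round(days_to_sell(on_hand, sold), 1),
            "cost_pct": round(cost / total_cost * 100, 1),
            "cumulative_pct": round(running / total_cost * 100, 1),
        })
    return report


def aggregate_days(deciles=DECILES, cogs=COGS_UNAUDITED):
    """Aggregate days to sell measured in units, then in dollars."""
    sold = sum(d[0] for d in deciles)
    on_hand = sum(d[1] for d in deciles)
    cost = sum(d[2] for d in deciles)
    return round(days_to_sell(on_hand, sold), 1), round(days_to_sell(cost, cogs), 1)


def slow_cost_share(deciles=DECILES, threshold_days=120):
    """Percent of inventory cost held in deciles slower than the threshold."""
    total = sum(d[2] for d in deciles)
    slow = sum(cost for sold, on_hand, cost in deciles
               if days_to_sell(on_hand, sold) > threshold_days)
    return round(slow / total * 100, 1)


# Constructed item-level sample: (SKU, quantity on hand, quantity sold in the year).
ITEMS = [
    ("TV-55", 40, 400),
    ("AUDIO-HI", 45, 100),
    ("DVD-PLAYER", 300, 250),
    ("CABLE-OLD", 50, 0),
]
KNOWN_SLOW = {"AUDIO-HI": 180}  # hypothetical high-margin line accepted at about 180 days


def classify(sku, on_hand, sold, threshold_days=120, known_slow=None):
    """Walk the decision tree for one inventory item."""
    days = days_to_sell(on_hand, sold)
    if days <= threshold_days:
        return "fits expectation"
    expected = (known_slow or {}).get(sku)
    if expected is not None and days <= expected:
        return "acceptable variation"
    return "notable item"  # unacceptable variation: goes on to traditional audit tests


def notable_items(items=ITEMS, known_slow=KNOWN_SLOW, threshold_days=120):
    """SKUs that remain of audit interest after accepted variations are set aside."""
    return [sku for sku, on_hand, sold in items
            if classify(sku, on_hand, sold, threshold_days, known_slow) == "notable item"]


if __name__ == "__main__":
    for row in decile_report():
        print(row)
    print("aggregate days (units, dollars):", aggregate_days())
    print("cost share slower than 120 days:", slow_cost_share())
    print("notable items:", notable_items())
```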

What Do We Mean by Notable Items?


When the auditor uses ADA, the auditor is looking for anomalies, or balances or transactions
that do not meet the auditor’s expectations. The AICPA Guide to Audit Data Analytics
(DATA 2.14) defines these balances or transactions of audit interest as notable items.
A “notable item is an item identified from the population being analyzed that has one or
more characteristics that, for a relevant assertion, may do the following:

a.  Be indicative of a risk of material misstatement:
    i.  Not previously identified (a new risk)
    ii.  A higher risk of material misstatement than anticipated by the auditor, or
b.  Provide information useful in designing or tailoring procedures to address risks of
material misstatement.”

For the issue of the net realizable value of inventory, notable items are all items for
which the audit client has more than a 120-day supply of inventory on hand. Identifying notable
items depends on both the auditor’s understanding of the client’s business and the industry
in which the client operates, and the auditor’s understanding of the particular client circumstances.
For example, expected inventory turnover for a retailer of electronics and appliances
will be different from the expected turnover for a retail grocer. Further, it takes a considerable
understanding of the client’s business to identify transactions or balances that may initially appear
to be slow-moving inventory but do not represent a risk of a net realizable value problem.
Consider another example where the auditor is investigating the collectibility of accounts
receivable. An initial look at notable items might include any customer with receivables that
are outstanding over 90 days. However, when the auditor uses ADA to take a closer look at
these notable items, the auditor may find two groups of customers: (1) a group of customers
that take 100–120 days to pay but regularly pay the outstanding receivable in full, and
(2) clients that have a deteriorating credit history (e.g., customers were making payments in
full in 30 to 60 days early in the client’s fiscal year, but those same customers were not paying
receivables in full on a timely basis near the end of the client’s fiscal year). The second group
of customers represents customers of greater concern when evaluating the adequacy of the
allowance for doubtful accounts.
Defining notable items depends on the assertion being audited and the auditor’s under-
standing of the business and industry.

Tools for Searching for Notable Items


There are a number of ways an auditor might search an audit population for notable items.
Following are four techniques an auditor might use as a risk assessment procedure to identify
notable items that are at a high risk of being materially misstated:

1. Clustering transactions or balances based on a particular characteristic or multiple characteristics.
The example regarding inventory turnover clustered each item in inventory
based on inventory turnover [(Quantity of inventory on hand ÷ Quantity of inventory
sold) × 365].
2. Matching the characteristics of two populations to see if there are any overlaps. For example,
when auditing accounts payable, the auditor might attempt to match addresses
of vendors, or bank account numbers of vendors, with the addresses of employees or the
bank account numbers of employees. The auditor would not expect a match in these two
different populations, but a match might be an indicator of fraudulent transactions.
3. Statistical analysis, such as regression analysis, whereby the notable items are identified
using statistics (e.g., transactions or balances that are more than three standard deviations
from a mean).
4. Visualization, where the auditor plots certain characteristics of a population of account
balances or transactions looking for unusual characteristics.
Each of these methods will be discussed in more detail later in the chapter.
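The matching technique in item 2 can be sketched as follows. This is an added example, not code from the text: the vendor and employee records are constructed, and the field names, the abbreviation table, and the function names are assumptions. Values are normalized before comparison so that formatting differences do not hide an overlap.

```python
import re
from collections import defaultdict

# Constructed sample master-file extracts (not data from the text).
VENDORS = [
    {"vendor_id": "V-1001", "address": "1200 Industrial Parkway, Suite 4",
     "bank_account": "0711-4432-9901"},
    {"vendor_id": "V-1002", "address": "88 Maple Street, Apt. 4",
     "bank_account": "5520 1187 3346"},
    {"vendor_id": "V-1003", "address": "PO Box 219",
     "bank_account": "9034-0021-7765"},
]
EMPLOYEES = [
    {"employee_id": "E-204", "address": "88 MAPLE ST APT 4",
     "bank_account": "3310-7742-1109"},
    {"employee_id": "E-317", "address": "15 Birch Road",
     "bank_account": "9034 0021 7765"},
    {"employee_id": "E-452", "address": "402 Harbor Dr", "bank_account": ""},
]

# Assumed abbreviation table; extend it for the client's address conventions.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "parkway": "pkwy", "suite": "ste", "apartment": "apt",
}


def normalize_address(address):
    """Lowercase, drop punctuation, and abbreviate common street words."""
    text = re.sub(r"[^a-z0-9 ]", " ", (address or "").lower())
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in text.split())


def normalize_account(account):
    """Keep digits only so '9034-0021-7765' equals '9034 0021 7765'."""
    return re.sub(r"\D", "", account or "")


KEY_FIELDS = {"address": normalize_address, "bank_account": normalize_account}


def match_populations(vendors, employees):
    """Return sorted (vendor_id, employee_id, field) for every overlap."""
    index = defaultdict(list)
    for emp in employees:
        for field, normalize in KEY_FIELDS.items():
            value = normalize(emp.get(field, ""))
            if value:  # blank fields must never match each other
                index[(field, value)].append(emp["employee_id"])
    matches = []
    for ven in vendors:
        for field, normalize in KEY_FIELDS.items():
            value = normalize(ven.get(field, ""))
            if not value:
                continue
            for emp_id in index.get((field, value), []):
                matches.append((ven["vendor_id"], emp_id, field))
    return sorted(matches)


if __name__ == "__main__":
    for vendor_id, employee_id, field in match_populations(VENDORS, EMPLOYEES):
        print(f"notable item: {vendor_id} shares {field} with {employee_id}")
```

Each match is a notable item for follow-up rather than a conclusion: the auditor still has to establish whether the overlap has a valid business explanation.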

What to Do When ADA Identifies a Large Number of Items for Further Consideration

A challenge for many auditors is what to do when initial investigation identifies a large number
of notable items. Does the auditor have to look at each notable item identified? This issue
is addressed in the AICPA Guide to Audit Data Analytics, which states, “a large number of
notable items may mean, for example, that the number is such that it is not practicable for the
auditor to address the items manually. For some audits, notable items could number in the
hundreds or thousands for audits of very large organizations.” When this happens, the AICPA
Guide to Audit Data Analytics suggests a process similar to that outlined in Illustration 7.6,
which involves an iterative process of grouping and filtering.
The AICPA Guide to Audit Data Analytics suggests that the auditor first evaluate whether
the ADA has been appropriately planned and performed and, if not, refine and reperform the
ADA. The Guide (DATA 2.19) suggests that “the auditor might also decide to apply a grouping
of filtering process when, for example, a large number of notable items identified have many
diverse characteristics. A grouping and filtering process could be used as follows:
a. Identify characteristics common to groups of notable items, focusing on their nature,
cause and what can go wrong at the relevant assertion level.
b. For each group identified in step a, sort the notable items into two groups being comprised
of either:
i. Items requiring no further response to identify new or higher risks (sometimes called
“false positives”); or
ii.  Items requiring a further response from the auditor to identify new or higher risks.
c. Further analyze the characteristics of the items in b.ii to help identify and sort those notable
items into three subgroups:
i. Those indicating one or more risks of material misstatement of which the auditor
was not previously aware (new risks);
ii. Those indicating a higher level of risk of material misstatement than previously identified;
or
iii. Those that do not indicate new or higher levels of risk of material misstatement.”
The following discussion applies this logic of notable items to the investigation of the net
realizable value of inventory shown in Illustration 7.6. The auditor determined that an inventory
item would be a notable item if there was more than a 120-day supply of inventory on hand at
year-end. These notable items represent in excess of 29.5% of inventory on hand at year-end (see
Illustration 7.4). Upon further investigation, the auditor notes inventory turnover for the retailer
is very heterogeneous. Some of the inventory turns over quickly, and some turns over slowly.
The auditor also knows that the client intentionally stocks inventory that is high-margin and
slow-moving. Looking at the last three years of history of these items, they seem to take about
9 months to sell, and they regularly sell at a higher-than-average profit margin. These
high-margin items represent about 10% of the quantity and 15% of the value of inventory on
hand. Based on this history, the auditor believes these items represent a low risk of material
misstatement and require no further response or investigation. Items that are incorrectly
identified as notable items are called false positives.
When these high-margin items are removed from the notable items, the remaining
population of notable items represents about 20% of the quantity and 15% of the value of
total inventory. The auditor needs to take a careful look at these items. The auditor might
use additional data analytics to determine what proportion of these items were sold in a period
of eight weeks after year-end (10 days before the anticipated report date), whether the items
were marked down to speed up the sale of these items, and whether the client had to sell these
items at a loss to move them out of inventory. For items that have been sold, the auditor can
determine with hindsight if an allowance for net realizable value is material to the financial
statements. If inventory has not been sold in the eight weeks after year-end, the auditor needs
to use his or her knowledge of the industry to determine if the value of inventory is materially
overstated. In determining the need for a proposed audit adjustment, the auditor must
also consider any allowance for the lower-of-cost-or-net-realizable-value that the client may
already have recorded in preparing the financial statements.

Cloud 9 - Continuing Case


Josh and Mark are talking about the results of using ADA as a risk assessment technique. Josh
notes that from looking at Cloud 9’s trial balance, Cloud 9 has provided an allowance for
doubtful accounts at 1% of gross receivables. Josh and Mark are concerned because they have
found that about 6% of total receivables are over 90 days old. Mark asks, “If Cloud 9 has a good
collection history, why is such a large proportion of receivables over 90 days old?” Josh suggests
that they look deeper at the customers who are past due.
The first thing they see is some very large receivables that are over 90 days old. These customers
include one large sporting goods chain, several large shoe chains, and one large national retailer.
In fact, these four customers represent about 5% of receivables. When they look more closely,
these customers regularly take 100 to 120 days to pay their invoices, but regularly pay their
invoices in that time period. By looking at a year’s worth of both sales and cash receipts, the
evidence bears out that these important customers regularly take longer to pay invoices. Once
these customers are filtered out, there are some smaller customers who take a long time to pay
but pay regularly; however, there are also customers (smaller shoe stores) who seem to be having
problems. Some of these were current in their payments early in the year but not late in the year.
Upon closer review, Josh believes that, based on the last year’s collection history and looking at
each customer, allowance of 1% of receivables is adequate.

Before You Go On
3.1 Assume you are using ADA to conduct a risk assessment regarding the allowance for doubtful
accounts for a company that manufactures sunscreen and other skincare products and
sells to many retail outlets. How would you apply the risk analysis decision tree to this
situation?
3.2 Explain the role of business acumen in applying the risk analysis decision tree.
3.3 Describe a “notable item” and why it is important to audit data analytics.
3.4 Assume that you are auditing the manufacturer of sunscreen and other skincare products
and you find a large quantity of customers that have long-outstanding receivables that qualify
as notable items. Determine whether the auditor needs to audit each customer that represents
a notable item. Why or why not?

Applying Audit Data Analytics as a Risk Assessment Procedure


Learning Objective 4
Apply audit data analytics as a risk assessment procedure and evaluate the results.

Auditors can use a wide variety of data analytics techniques in a risk assessment ADA. In
fact, it may not be reasonable for a single auditor to be aware of all possible techniques. Recall
that the initial planning stages may involve brainstorming sessions with all members of the
audit team. One advantage of such team sessions is pooling together the knowledge about
data analytics techniques so the team can discuss which techniques are most appropriate
to use. In this section, four particularly useful techniques for risk assessment ADA are discussed,
as shown in Illustration 7.9. Different examples are used to illustrate how each
technique might be helpful and integrated into the five-step ADA process.

ILLUSTRATION 7.9   Selected data analytics techniques for risk assessment: Cluster Analysis, Matching Information in Key Data Fields, Regression Analysis, and Visualization.

Professional Environment  Audit Data Analytics Software


A number of ADA software packages are available for use, such as the following:

Microsoft Excel: Microsoft Excel is commonly used by many CPAs as a basic tool for various
analyses. The latest version of Excel includes a variety of tools to improve the ability to import
data, as well as some new functions and workflow tools.

IDEA: IDEA is a powerful and user-friendly tool designed to help accounting and finance
professionals, including CPA firms and internal audit groups, extend their auditing capabilities,
detect fraud, and meet documentation standards. It easily imports data from almost any source
to analyze large data sets, report findings using visualization tools, and automate repeatable
processes without programming. See IDEA’s Academic Partnerships at
https://www.casewareanalytics.com/idea-academic-partnership.

ACL: ACL is another popular audit software, similar to IDEA, that is used by accounting firms
and internal audit groups.

Tableau: The focus of Tableau software is visual analytics to help individuals and organizations
see and understand their data. Tableau Desktop and Tableau Prep are free for students and
faculty; see https://www.tableau.com/academic/students.

R: R is one of the most popular software environments for data science. It is open source, which
means it is freely available to all users. R provides a vast array of analytics and visualization
capabilities that can be used for any purpose, including ADA. One of the reasons for its
popularity is that R has ongoing updates from the analytics community and thus is kept
up-to-date with cutting-edge advances in analytics. RStudio is a popular user interface to access
R that many people find easier to use than R directly. Details and installation instructions for
RStudio can be found at https://www.rstudio.com/. Please note that R should be installed
(https://www.r-project.org/) before installing RStudio.

Python: Python is another very popular programming language for data science, with similar
capabilities as R.

Cluster Analysis
Cluster analysis is the process of discovering groups (termed clusters in data science) of
similar items in a set of data; items in the same group are similar, while items in different
groups are not as similar. The characteristics of the groups need not be known beforehand;
they are determined by the data. For this reason, it is a particularly useful technique when the
auditor does not know much about the data set. However, in the audit environment, clustering
is often informed by the auditor’s knowledge of the business and industry, knowledge of
the client, and an understanding of the accounts, transactions, and assertions being audited.
Consequently, the creation of groups should be guided by a combination of the data and the
auditor’s expert knowledge. The auditor is generally not advised to outsource clustering work
without active communication with the person performing the clustering.
There are numerous algorithms available in software packages that perform clustering:
k-means and hierarchical clustering are two of many popular clustering techniques.3

3 Most data science and data analytics texts contain more information about modern clustering techniques.
Provost and Fawcett (2013, pp. 163–183) is one such example that is directed at a business
audience, not mathematicians and statisticians. F. Provost and T. Fawcett, Data Science for Business
(O’Reilly Media: Sebastopol, United States, 2013).

Clustering can also be performed by graphing data in a way that allows for visual identification
of groups. For example, the auditor might use clustering to search for customers
who are taking longer than usual to pay, or inventory that is taking abnormally long to sell.
Clustering could also be used in the audit of a construction company to look for work in
progress with unusually high gross profit margins. Unusual items may be uncovered by
clustering because individual items do not belong to a group, or because an entire group
is identified as abnormal. In either case, unusual items should be treated as notable items
and be investigated further according to the risk analysis decision tree (Illustration 7.8) to
determine whether (i) their unusual characteristics are acceptable because they are underpinned
by a valid business reason that can be substantiated or (ii) whether there is a risk of
a material misstatement.
Clustering is illustrated in the context of an audit client that specializes in eco-friendly,
solar-dried fruit. Illustration 7.10 identifies key characteristics of this ADA application. The
client is involved in the production of dried fruit, the wholesale distribution to retailers, and
retail sales through farmers’ markets. The client purchases fruit from the wholesale markets
and dries it using patented solar driers. Its patented drier results in a product with a lower
moisture content than its competitors, which allows the client to have a 24-month best before
date on all products. Although the products can still be sold at a discount (usually more than
50%) after the best before date, commercial customers usually only accept products with at
least 6 months until the best before date.

ILLUSTRATION 7.10   Overview of applying clustering when auditing a company that dries fruit

Business Environment: A company in growth mode. It is involved in the production, wholesale
distribution, and retail of dried fruit.
Broad Concern for Risk of Material Misstatement:
•  Inventory soared from $3,833,046 in the prior year to $10,180,954 in the current year.
•  Inventory may expire or spoil before it can be sold. The value of inventory may need to be
adjusted to net realizable value.
Financial Statement Account(s):
•  Inventory
•  Cost of Goods Sold
Assertion: Valuation of inventory at net realizable value
ADA Objective: Gather evidence for risk assessment

With the social aim of reducing food waste, the client performs a number of fruit rescues
each year. The first way a fruit rescue occurs is when weather conditions damage fruit so it
can no longer be sold as fresh fruit. The fruit is, however, often well-suited for drying, and the
client is able to purchase damaged crops at a discount. Fruit rescues can also occur when the
yield of fresh fruit is too high for all of it to be sold as fresh fruit. In this case, the client offers
to buy the excess at a discount from the price for fresh fruit. Fruit rescues benefit the client
because the price per pound is substantially lower than in wholesale markets. At historical
production levels, the client has substantial spare capacity to dry more fruit should additional
attractive fruit rescue opportunities present themselves.
The client has a December 31 year-end, and the audit report is expected in March of
the following year. At December 31, 2022, the client had $10,180,954 of inventory; a year
earlier, it had $3,883,046. Performance materiality for inventory and cost of sales is set
at $500,000.

Plan the Audit Data Analytics


The client’s inventory value has increased more than 250% in one year. Such a large increase
needs to be investigated by the auditor. It is vital for auditors to use their business acumen and
knowledge of the business in this investigation. Recall that the company had capacity to perform
more fruit rescue, which could result in substantial and sudden increases in inventory. First, the
auditor wants to know that the inventory exists. Second, the auditor wants to determine that the
inventory is properly valued and is likely to be sold well before the best before date to avoid heavy
discounting.
The production process first involves purchasing fresh fruit. Regardless of the method
of obtaining the fresh fruit (raw materials), it is always dried in a matter of days to maintain
product flavor. The dried fruit is then immediately packaged into bags (ranging from ¼ pound
to 3 pounds) and then individually barcoded. These are sold to distributors and retailers.
The business model suggests that fresh fruit (raw materials) quickly becomes bags of
dried fruit of varying weight (finished goods). Because of the business cycle, no raw materials
(fresh fruit) or inventory-in-process (fruit currently being dried) are on hand at year-end. This
is consistent with expectations. Assume that, at this stage, the auditor has observed inventory
and that inventory observation confirms a substantial increase in finished goods inventory.
The auditor has also audited the production process, addressed the issues associated with
decreases in weight during the production process, and is satisfied with a value of inventory
at cost of $10,180,954.
The unique nature of the business means that the client’s inventory levels are likely to
be notably different from other food production, distribution, and retail companies. Consequently,
comparisons to industry averages are not very beneficial. Instead, the auditor plans to
use ADA to investigate the large increase in inventory, specifically focusing on the age of finished
goods and turnover of finished goods for each product in inventory. Graphical clustering
techniques will be used with both the current and prior years’ data to identify abnormalities
that might be notable items. The information from the ADA will be used to help the auditor
evaluate the valuation and allocation assertion and determine whether the large increase in
inventory is justified or whether inventory should be written down.

Access and Prepare the Data for Audit Data Analytics


The client uses a perpetual inventory method and does not have cost of sales for each item
in inventory. Consequently, the ADA will compare quantities sold with quantities on hand
for each product, while also considering the total cost of each product. Examples of products
include ¼-pound bag of Mango, 3-pound bag of Mango, 1-pound bag of Fuji Apples with Skin,
and 1-pound bag of Fuji Apples without Skin. Overall, there are 48 different fruit types and
5 different bag weights, which multiply to total 240 different products.
The auditor gathers data on the quantity and carrying cost of inventory per product (for
240 products) from year-end accounting used to cost finished goods inventory and cost of
goods sold for the years ended 2021 and 2022. The quantity sold per product during the year
was obtained from the revenue system. For reliability testing reasons, the auditor also extracted
all the records of finished goods produced during 2022.
There was no change to the products offered during this time period. Further, all the data
was clean and in a consistent format, so the auditors proceeded to document their evaluation
of the relevance and reliability of the data used.

Evaluate the Relevance and Reliability of the Data Used


The auditor’s evaluation of the relevance and reliability of the data obtained from the client is
summarized in Illustration 7.11.

ILLUSTRATION 7.11   Documentation of relevance and reliability of information obtained from the client

Nature of the data:
Data categorized by product name was obtained from the client regarding:
•  Quantity of finished goods on hand at December 31, 2021 and 2022.
•  Cost of finished goods on hand at December 31, 2021 and 2022.
•  Quantity sold during the year ending December 31, 2021.
•  Quantity sold during the year ending December 31, 2022.
•  Sales transactions from January 1 to December 31, 2022.
•  Records of finished goods produced from January 1 to December 31, 2022.

Source of the data:
All the data comes from the client.

Process used to produce the data:
The client’s perpetual inventory system collects finished goods data.
The client’s revenue system collects quantity sold data.

Matters the auditor might consider in determining the nature, timing and extent of procedures
to perform regarding whether data is sufficiently reliable:
As part of tests of internal controls, the audit team assessed control risk as low for
both the revenue system and the inventory system, including records of finished
goods. The auditor is also satisfied with the quality of the company’s IT general
controls.
The client conducts cycle counts of approximately 5 to 10% of inventory every 14 days.
This control was also tested and found to be effective. Further, the client carefully
stores inventory in order of age, so that the oldest inventory is sold first. Any
inventory older than 15 months is flagged to sell quickly. Any inventory older than
18 months is sold through retail outlets only. This process has been tested and
verified by the auditor.

Procedures regarding data reliability an auditor may consider performing:
The audit team determined that the total cost of inventory matched the general
ledger, and the inventory quantities on hand matched the data used to prepare the
financial statements. The audit team has also already tested and found no issue with
the existence assertion for inventory.
The data about quantity sold during the year ending December 31, 2022, was reconciled
with a sales transaction file provided by the client that in turn matched the
general ledger.
The following also reconciles:
Quantity of finished goods at December 31, 2021                                      866,444
+ Total quantity of bagged products of finished goods produced during 2022         5,237,416
– Quantity sold during 2022                                                       (3,538,720)
Quantity of finished goods at December 31, 2022                                    2,565,140

Perform the Audit Data Analytics


The audit team first used ADA to summarize the relevant annual changes shown in
Illustration 7.12. The analytical procedures performed in audit planning reveal that in addition
to the increase in the cost of finished goods, quantity has also substantially increased.
The average cost by weight of the inventory has decreased, which is consistent with additional
fruit rescues being performed with favorable fruit pricing. Further, the estimated number of
days to sell inventory more than doubles in a year. This indicates that, on average, the additional
finished goods from extra fruit rescues may take substantially longer to sell. It also
highlights the need for a detailed analysis by individual product.

ILLUSTRATION 7.12   Finished goods and quantity sold for 2021 and 2022

                                                      2021          2022           Annual Increase
Cost of finished goods at year-end                    $3,883,046    $10,180,954    162%
Quantity of finished goods at year-end                866,444       2,565,140      196%
Weight (pounds) of finished goods at year-end         921,327       2,613,676      184%
Average cost per pound                                $4.21         $3.90          −8%
Quantity sold during year                             2,521,694     3,538,720      40%
Estimated number of days to sell
  [(Finished goods quantity ÷ Quantity sold) × 365]   125.4         264.6          111%

The initial analysis presented averages over 240 products. Illustration 7.13 presents the
results from a more detailed analysis that considers each product separately. Recall that although
the products have a 2-year best before date, distributors generally do not purchase
inventory that is older than 1.5 years (that is, with less than 6 months remaining of best before).
Therefore, for products to be sold through distributors (as well as retail), the estimated
number of days to sell is expected to be less than 547.5 days [(18 ÷ 12) × 365]. Consequently,
as per the first level of the risk analysis decision tree (Illustration 7.8), any products with
estimated days to sell greater than 547.5 have been highlighted in yellow, indicating “Does
Not Fit the Auditor’s Expectation.” Any products with values of more than $500,000 have also
been flagged if they have days to sell greater than 182.5 (half a year). The shorter expectation
is because of the importance of these products in value terms, as they are individually over the
performance materiality threshold limit of $500,000.

ILLUSTRATION 7.13   Total cost of finished goods against estimated days to sell for each product and by year (December 31, 2021 and 2022). [Scatter plot: x-axis, estimated days to sell; y-axis, total cost of finished goods on hand ($000); points shown by year, 2021 and 2022.]

Preliminary analysis shows many interesting facts that are observable in Illustration 7.13.
Looking first at the previous year (2021), it is clear that finished goods on hand for most products
is below $100,000, but that estimated days to sell can range up to just over one year (365).
The majority of the products in 2022 have similar characteristics. However, in 2022 there are
also a number of products that have much higher cost of finished goods on hand, as well as
some with a notably longer estimated selling time. Further, all the products that are outside
of expectations in the yellow highlighted region are from 2022. In 2022, there are 51 products
out of 240 (21.2%) that have fallen outside of the auditor’s expectations. Furthermore, some
are well outside of expectations with more than 730 (2 years) estimated days to sell, longer
than the best before duration. It is now clear that the changes in finished goods are driven by a
minority of products, rather than a common increase in all products. In fact, the 51 products
only represent a small number of fruits: 30 Apple products, 9 Blueberry products, 8 Apricot
products, and 1 Banana, 1 Mango, 1 Tomato, and 1 Cherry product. This is consistent with the
client’s statement that it undertook large-scale fruit rescue opportunities for specific fruits
in 2022.
The 51 products identified as notable items now need to be processed through the next
level of the risk analysis decision tree to determine whether each of them is an acceptable
or unacceptable variation from expectation. When the results were presented to the client,
management commented that many of its products are expected to have substantial increases
in sales volume in 2023 because until now supply has not met demand. The auditor noted that
100% of the inventory on hand at December 31, 2021, was sold during 2022. Evidence was also
found in the sales department of orders that could not be filled during the first six months of
the year. It can also be seen from Illustration 7.14 that the total production of finished goods
in 2022 primarily occurred late in the year, which means that the business is quite seasonal,
and a significant amount of the 2022 production would be expected to be sold in 2023.

ILLUSTRATION 7.14   Production of bagged products (finished goods) in 2022. [Bar chart: x-axis, month (Jan through Dec); y-axis, quantity (in thousands); each bar labeled with its percentage of annual production.]

Because the audit report was not expected until March 2023, the audit team decides to
look at notable items with hindsight, so they extract additional information to determine what
sales in the first two months of 2023 indicate about the rates of sale for 2023. Illustration 7.15 is
the same as Illustration 7.13 with the exception that the items indicated in dark blue represent
items that should sell within 365 days based on sales in the first two months of 2023. These
represent 25 of the 51 notable items.

ILLUSTRATION 7.15   Copy of Illustration 7.13 with highlighted notable items that are selling in January and February of 2023 at a rate that indicates their estimated days to sell is less than 365 days (shown in dark blue). [Scatter plot: x-axis, estimated days to sell; y-axis, total cost of finished goods on hand ($000); points shown by year, 2022 and 2023.]

Of the remaining 26 notable items in the yellow highlighted region, the item with the
highest total cost and the other 25 items sum to a total cost of $373,748.90. The notable
item with the highest total cost is found to be 3-pound bags of Organic Cherry; its key
details are described in Illustration 7.16. The cost per pound has dropped by 20%, which
matches the cost motivation for conducting large fruit rescues. In the first two months
of 2023 (59 days), 4,238 of these products have been sold. If this rate were to continue,
it would take 540 days [(38,750 ÷ 4,238) × 59] to sell the finished goods inventory from
December 31, 2022. Although high, this period is marginally within the initial threshold
of 18 months (547.5 days) to allow for a product to be sold through distributors as well as
retail.

ILLUSTRATION 7.16   Finished goods and sales summary for 3-pound bags of Organic Cherry

                                            2021        2022        Jan.–Feb. 2023
Cost of finished goods at year-end          $145,555    $892,800
Quantity of finished goods at year-end      5,054       38,750
Cost per pound                              $9.60       $7.68
Quantity sold during the period             30,500      31,000      4,238
Estimated number of days to sell            60.5        456.3       539.5

Evaluate the Results and Draw Conclusions


The audit team has thoroughly investigated the fact that total finished goods inventory
increased more than 196% in 2022, while sales only increased by 40%. The audit team is most
concerned about the net realizable value of inventory. Initially, 51 products were notable
items because they are estimated to take much longer than 18 months to sell based on past
sales levels. However, the client is trying to break new ground and substantially increase its
scale. The client has increased inventory, at a lower cost per pound, because it believes that
there is unmet demand for its products, which will result in a large increase in 2023 sales.
An analysis of sales for the first two months of the year indicates that 25 of these 51 notable
items are selling at a pace where they are likely to be sold within one year. The remaining
26 notable items are of concern, but the client is not at risk of writing down the value of
this inventory in the next 12 months. Most of these items were produced within the last six
months, and the client has between 12 and 16 months to liquidate this inventory. As a result,
the audit team determined that there was not a net realizable value issue at this time.
However, the auditors discussed with the client their findings and concerns about the
26 products that are at risk of not being sold in sufficient time. In addition, the auditors
recommended that items with more than a 365-day supply be classified as long-term inventory. The
client agreed to monitor quantities of these 26 products on a monthly basis. Further, the client
recognized that it must evaluate quantities of inventory on hand when considering purchases of
raw fruit during the 2023 production process. The client also agreed to report certain inventory as
long-term inventory.
The audit team also raised a separate concern about how the increase in inventory had
been funded, and the effect of growing inventory on the client’s cash flow. The audit team
discovered that capital had been raised from an existing owner and a new investor, and that
the inventory growth was funded primarily with investments from new owners rather than
from a drawdown of existing cash reserves.

Audit Reasoning Example  Multiple Transactions Below a Key Threshold

Bill Cannon is working on an audit of an advertising agency. The entity’s primary expenditure is
purchased advertising (radio, TV, online, billboard, and other physical advertising) for clients.
Department managers are able to purchase advertising at their own discretion below a $1,000 threshold.
Advertising purchases above $1,000 need a second level of approval. When Bill analyzes advertising
expenditures for the agency, he finds the following frequency of purchases in the first nine months.

[Figure: Histogram of Invoices. x-axis: Invoice amounts ($000); y-axis: Frequency.]

While many of the advertising agency’s clients are small and have limited budgets, Bill is surprised
to find such a large number of small purchases. Further investigation reveals the following:

[Figure: Histogram of Invoices Less than $1,000. x-axis: Invoice amounts; y-axis: Frequency.]

This further analysis shows a normal distribution of expenditures less than $800, and 32% of
the expenditures are between $900 and $999. Bill subsequently finds that 95% of the advertising
purchases are made by one advertising manager, with one online advertiser. What questions does
this raise? Bill is concerned about the risk that the advertising manager may be intentionally
circumventing internal controls by breaking up large purchases (greater than $1,000) into smaller
purchases. Further, is the advertising manager getting any kickback from the online advertiser?
As Bill talks this over with Shannon (the audit manager), Shannon is impressed with the level of
professional skepticism that Bill has exhibited. Bill is pleased that audit data analytics allowed
him to dig deeper to answer questions with evidence, rather than accepting a representation from
the client. At this point, Bill and Shannon decide to bring this to the attention of the CFO of the
advertising agency, and let management take the next step in the investigation.
With respect to the audit of advertising expenses, Bill and Shannon believe that they cannot
rely on the internal controls. After management completes its investigation, Bill and Shannon
plan to proceed with a primarily substantive approach, completing their tests of transactions at
year-end. In addition, they must look more carefully at other transactions approved by the
advertising manager, as fraud risk just went up.
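
The pattern Bill found can be tested directly on an invoice extract. The following Python code is an added example, not part of the original text; the invoice records, the field layout, the $100 "just below the threshold" band, and the three-day clustering window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_THRESHOLD = 1000.00  # purchases above this need second-level approval
NEAR_BAND = 100.00            # assumed band: $900 up to (not including) $1,000

# Constructed sample invoices: (invoice_id, manager, vendor, invoice_date, amount)
INVOICES = [
    ("INV-001", "mgr_a", "online_ads_co", date(2022, 3, 1), 985.00),
    ("INV-002", "mgr_a", "online_ads_co", date(2022, 3, 1), 990.00),
    ("INV-003", "mgr_a", "online_ads_co", date(2022, 3, 2), 975.00),
    ("INV-004", "mgr_a", "online_ads_co", date(2022, 4, 10), 940.00),
    ("INV-005", "mgr_b", "radio_one", date(2022, 3, 5), 420.00),
    ("INV-006", "mgr_b", "billboard_inc", date(2022, 3, 20), 650.00),
    ("INV-007", "mgr_b", "radio_one", date(2022, 5, 2), 2400.00),
    ("INV-008", "mgr_c", "tv_net", date(2022, 6, 1), 310.00),
    ("INV-009", "mgr_c", "tv_net", date(2022, 6, 2), 280.00),
]


def near_threshold_share(invoices, threshold=APPROVAL_THRESHOLD, band=NEAR_BAND):
    """Share of sub-threshold invoices that fall in [threshold - band, threshold)."""
    below = [inv for inv in invoices if inv[4] < threshold]
    near = [inv for inv in below if inv[4] >= threshold - band]
    return len(near) / len(below) if below else 0.0


def near_threshold_concentration(invoices, threshold=APPROVAL_THRESHOLD, band=NEAR_BAND):
    """Count near-threshold invoices per (manager, vendor) pair, largest first."""
    counts = defaultdict(int)
    for _id, manager, vendor, _day, amount in invoices:
        if threshold - band <= amount < threshold:
            counts[(manager, vendor)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def split_purchase_candidates(invoices, threshold=APPROVAL_THRESHOLD, window_days=3):
    """Find groups of sub-threshold invoices from one manager to one vendor that
    fall within window_days of the group's first invoice and together exceed the
    approval threshold. Each hit is a notable item to investigate, not proof."""
    by_pair = defaultdict(list)
    for inv in invoices:
        if inv[4] < threshold:
            by_pair[(inv[1], inv[2])].append(inv)

    flagged = []
    for (manager, vendor), items in sorted(by_pair.items(), key=lambda kv: kv[0]):
        items.sort(key=lambda inv: (inv[3], inv[0]))
        cluster = []
        for inv in items + [None]:  # None is a sentinel that closes the last cluster
            in_window = (
                inv is not None
                and (not cluster or inv[3] - cluster[0][3] <= timedelta(days=window_days))
            )
            if in_window:
                cluster.append(inv)
                continue
            total = sum(i[4] for i in cluster)
            if len(cluster) > 1 and total > threshold:
                flagged.append((manager, vendor, [i[0] for i in cluster], total))
            cluster = [inv] if inv is not None else []
    return flagged


if __name__ == "__main__":
    print("share just below threshold:", near_threshold_share(INVOICES))
    print("concentration:", near_threshold_concentration(INVOICES))
    for hit in split_purchase_candidates(INVOICES):
        print("possible split purchase:", hit)
```
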

Matching Information in Key Data Fields

Matching information in key data fields is a process whereby the auditor uses audit data
analytics to search for key characteristics that may exist in several different databases. Often,
the auditor uses this process with an expectation that there should be no matches. For example,
the auditor would not expect an overlap between addresses in a vendor database and a payroll
database as shown in Illustration 7.17. However, if segregation of duties is weak, there may
be an opportunity for an employee to create a fictitious vendor, and the vendor address may
match an employee’s address. Using audit data analytics to search for this type of evidence of
fraud may be a useful technique if fraud risk is assessed as high.

ILLUSTRATION 7.17  Example of searching for and finding unexpected matches in two data fields

[Diagram: Vendor Addresses from the Vendor Database and Employee Addresses from the Payroll
Database are compared to find Unexpected Address Matches.]

The matching process is illustrated in the context of work performed by an internal
audit department in a U.S. state government. Illustration 7.18 identifies key
characteristics of this ADA application. Once again, the five-step process for ADA will be used in
conjunction with the risk analysis decision tree. The state has approximately 10 million
citizens, and its government currently employs about 125,000 people across all its
divisions. More than 500,000 citizens receive some type of benefit from the state government
(e.g., unemployment benefits). The audit period covered by this ADA is the 2021–2022
fiscal year from July 1, 2021, to June 30, 2022.

ILLUSTRATION 7.18  Overview of matching example performed by a state government internal audit department

Business Environment:       U.S. state government internal audit department
Concern:                    To ensure that government employees are not receiving a paycheck and a
                            government benefit; if an employee is receiving both at the same time, this
                            is considered fraud
Account(s):                 •  Payroll Expenses
                            •  Benefit Expenses
Broad ADA Audit Objective:  Uncover fraud

Plan the Audit Data Analytics


According to the publicly disclosed conditions of the benefit plans offered, it is not possible for any
employee of the state government currently receiving wages or salary to be eligible for any
benefits. Given the large number of employees and benefit recipients, the internal audit team wants
to verify whether anybody is receiving payments from both sources at the same time and thereby
possibly defrauding the state government. The audit team plans to use this ADA to investigate the
employee and beneficiary populations to see whether this is the case. This involves investigating
hundreds of thousands of people receiving multiple payments during the 2021–2022 fiscal year.
Analyzing such populations is not feasible by hand but has been made possible by ADA. The state
government internal audit team uses IDEA software to assist with its ADA.
As this ADA involves matching populations of data (employees and benefit recipients), a key
decision is what field(s) to use to perform the matching. Although not always possible, it is ideal
to have a common field that is unique for each data point (or person in this case). Both employees
and benefit recipients are required to provide their social security number (SSN) in order to
receive payments. Furthermore, SSNs are unique by design, so they are an ideal field for matching.
The ADA is concerned with both types of payments being made to the same SSN during
the 2021–2022 fiscal year. This could be discovered by analyzing the payment data, but the
audit team has decided to first check whether there is any overlap with SSNs between all
employees and all beneficiaries. If there is overlap, then the payment data will need to be
investigated. If there is no overlap, then the larger task of analyzing payments is not required.

Access and Prepare the Data for Audit Data Analytics


First, an employee master file is needed. However, there are 20 different divisions within the
state government, and each maintains its own employee file. Furthermore, each division
maintains two lists: one for salaried employees and another for employees who receive hourly
wages. Thus, there are 40 files that need to be combined.
The auditor obtains all 40 and imports them into IDEA. The salary files have slight
differences between them, particularly between salaried and hourly employees, but all have Employee
Number, SSN, Name, and Address fields in a consistent format. The unique
state-government-issued employee number is used for internal identification purposes, such as for payment
transactions. The auditor verifies that the SSN field is mandatory, which correctly means that it cannot
be empty. Given that no other information is needed to perform the matches in this ADA, the files
are merged into an Employee Master List that comprises SSNs for all employees from the entire
state government, both hourly and salaried, using IDEA’s Append Database functionality.
A master file of benefit recipients including their SSN is now needed to compare with the
Employee Master List. Unlike employee lists, the Welfare division maintains central lists of
benefit recipients. However, separate lists are kept for each of the 17 different benefit schemes.
The auditor determines that all files have Beneficiary Number, SSN, Name, and Address fields
in a consistent format, and once again that the SSN field is mandatory. Thus, using the same
approach as for the employee files, the auditor appends the 17 files together to create a
Beneficiary Master List that comprises SSNs for all recipients of benefits.
The control systems should not allow any employee or beneficiary to exist without
an SSN, but it is valuable to check, particularly since it is quick and easy in IDEA. As
expected, no missing values were detected.
The auditor also verifies access to:
•  The Payroll Wages data set and the Payroll Salaries data set, which contain details of the
payments, including dates, paid to employees from all 20 divisions.
•  The Benefits Paid data set that contains details of all benefit payments (from all schemes)
and when they were paid.
The auditor noted that none of these data sets contained the SSN, but they did contain
the internal identifier Employee Number (EMP_NUM) or Beneficiary Number (BENF_NUM),
which can be used to link them to the master lists that contain SSNs. However, this is not
necessary if no matches are found in employees and benefit recipients with the following exception:
The auditor needs to verify that no payments have been made to employees or benefit
recipients that are not in the master files just created. The control systems should prevent this from
happening, but once again it is important to check to ensure the reliability of the results of this
ADA. As expected, all payroll payments were made to employees in a master list, so the ADA
can proceed. Further, all benefit payments were made to individuals on the benefits master file.

Evaluate the Relevance and Reliability of the Data Used


The auditor’s evaluation of the relevance and reliability of the data obtained is summarized
in Illustration 7.19.

ILLUSTRATION 7.19   Evaluation of relevance and reliability of information obtained

Nature of the data:
  The following data sets were obtained and imported into IDEA:
  •  Salaried employee list from each of the 20 divisions.
  •  Hourly employee list from each of the 20 divisions.
  •  Benefit recipient list for each of the 17 benefit plans from the Welfare division.
  •  Payroll Wages, Payroll Salaries, and Benefits Paid from the Finance division.

Source of the data:
  All the data comes from the 20 divisions within the state government.

Process used to produce the data:
  IDEA was used to perform all data preparation and analysis.

Matters the auditor might consider in determining the nature, timing, and extent of procedures
to perform regarding whether data is sufficiently reliable:
  The IT general controls have previously been tested and found effective for all 20 divisions
  by the internal audit team.

Procedures regarding data reliability an auditor may consider performing:
  The internal audit team has:
  •  Verified that the payment data obtained is the same data used to prepare the financial
     statements.
  •  Checked for and found no duplicates in the data sets used in this analysis.
  •  Checked for and found no people in the data sets with missing SSNs nor payments made to
     people not on the payroll master file.

Perform the Audit Data Analytics


The audit team used IDEA to perform the matching based on SSNs. The resulting data was not
empty but contained eight matches as shown in Illustration 7.20. While there was a match
in the SSN field, the full SSN number was not printed for privacy reasons. It is noteworthy
that employee Adrian Queen has a different name as a beneficiary (Adrian McQueen). This is
suspicious and will be discussed later in the ADA.

ILLUSTRATION 7.20   Match SSN employee benefit data set—the result of matching employee
master list and beneficiaries master list by SSN

EMP_NUM   EMP_FNAME  EMP_LNAME  SSN        BENF_NUM   BENF_FNAME  BENF_LNAME
E0100013  Steve      Roger      XXXXX3122  B02913784  Steve       Roger
E0030230  Vanessa    Rodreges   XXXXX1780  B01284130  Vanessa     Rodreges
E0134995  Adrian     Queen      XXXXX1246  B0226012   Adrian      McQueen
E0039616  Taylor     Blue       XXXXX9622  B0240748   Taylor      Blue
E0013018  Mark       Muller     XXXXX8073  B0193545   Mark        Muller
E0088492  John       Molman     XXXXX9991  B0403283   John        Molman
E0085311  Alana      Hopman     XXXXX5756  B0252775   Alana       Hopman

Given that matches have been found, the next step is to analyze payments to the matching
SSNs during the 2021–2022 fiscal year. The result is 119 payments that include only seven
people. These 119 payments are notable items as they do not fit the auditor’s expectation that
benefits and wages/salary would not be paid to the same SSN. These notable items are now
investigated further to determine whether they are acceptable variations consistent with the
second level of the risk analysis decision tree. This was done by visual analysis of the dates
of the payments; if there is no overlap between benefit payments and wage/salary payments,
then it is acceptable. For example, a person might have switched from being initially eligible
for benefits to later working for the state government, or vice versa.
Illustration 7.21 shows all the payments to Vanessa Rodreges during 2021–2022 and
some of the payments to Adrian Queen. Note that all types of payments are made on the 15th
or 30th of every month (28th in February), and benefits and wages are also paid on the 15th of
each month. Vanessa Rodreges’ payments are acceptable as she receives benefits for a while
and then receives wages as an hourly employee. Adrian Queen’s case (Adrian McQueen), on
the other hand, is very different. He receives salary every month as an employee while at the
same time receiving benefits under a slightly different name. This is clearly an issue that must
be investigated. After conducting similar visual analysis for all seven employees, problems
are identified with Adrian Queen and Alana Hopman, while the other five have acceptable
payment patterns.

ILLUSTRATION 7.21   Selected rows from the created payments match SSN 2021–2022 data set

EMP_FNAME EMP_LNAME WAGE_DATE SAL_DATE BENF_DATE PAY_DATE SSN


Vanessa Rodreges 03/15/2022 03/15/2022 XXXXX1780
Vanessa Rodreges 03/30/2022 03/30/2022 XXXXX1780
Vanessa Rodreges 04/15/2022 04/15/2022 XXXXX1780
Vanessa Rodreges 04/30/2022 04/30/2022 XXXXX1780
Vanessa Rodreges 05/15/2022 05/15/2022 XXXXX1780
Vanessa Rodreges 05/30/2022 05/30/2022 XXXXX1780
Vanessa Rodreges 06/15/2022 06/15/2022 XXXXX1780
Vanessa Rodreges 06/30/2022 06/30/2022 XXXXX1780

Adrian Queen (McQueen) 07/30/2021 07/30/2021 XXXXX1246
Adrian McQueen (Queen) 08/15/2021 08/15/2021 XXXXX1246
Adrian Queen (McQueen) 08/30/2021 08/30/2021 XXXXX1246
Adrian McQueen (Queen) 08/30/2021 08/30/2021 XXXXX1246
Adrian McQueen (Queen) 09/15/2021 09/15/2021 XXXXX1246
Adrian Queen (McQueen) 09/30/2021 09/30/2021 XXXXX1246
Adrian McQueen (Queen) 09/30/2021 09/30/2021 XXXXX1246

Evaluate the Results and Draw Conclusions


By matching SSNs, this Risk Assessment ADA identified eight people who are on both a list of
employees and a list of benefit recipients, and 119 notable items were identified as payments
during 2021–2022 to these seven SSNs. These items did not fit expectations as the benefit plan
criteria and internal controls should make it impossible for an employee to be eligible for
benefits. Deeper analysis revealed five people had acceptable payment patterns with no overlap
in benefits and wages/salary, and two people had unacceptable payment patterns with
overlapping payments. Although the auditors did not use a visualization to conduct the ADA, they
developed Illustration 7.22 to summarize the findings for their report to the Chief Auditor
of the state.

ILLUSTRATION 7.22  Visualization of 2021–2022 payments to matching SSNs

[Chart: one row per person (Steve Roger, Vanessa Rodreges, Adrian Queen, Taylor Blue, Mark Muller,
John Molman, Alana Hopman) across the months Jul to Jun, colored by payment type: Benefit, Salary,
Wage, Salary and benefit.]


The two unacceptable cases of Adrian Queen and Alana Hopman were thoroughly
investigated at the end of this ADA because false payments can easily amount to material
sums of money over time. As shown in the visualization, Adrian Queen starts and ends the
fiscal year receiving only salary, but in the middle receives benefits and salary at the same
time. The investigation revealed that Adrian works as a salaried employee in the Welfare
division and had been approving benefit payments to himself. In an interview, he disclosed
that he thought avoiding receiving benefits in the first and last period of the fiscal year
reduced his likelihood of getting caught. The name change to Adrian McQueen for receiving
benefits was another attempt to conceal his wrongdoing. Alana Hopman, another salaried
employee in the Welfare division, discovered Adrian’s wrongdoing in October. She confronted
Adrian, who in an attempt to avoid being reported taught Alana how to do it to receive extra
money. This explains why, from the end of November, Alana also started to receive both
benefits and salary.
In addition to following through on Adrian’s and Alana’s cases of wrongdoing, the audit
team also concluded that an investigation is needed immediately into the control system
failure that allowed these two employees to make changes to the benefit master file and approve
benefit payments to themselves. In this case, the matching process utilized by a state internal
audit department identified fraud on the part of two state employees.
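
The matching procedure above, from the integrity pre-checks to the payment overlap test, as an added Python example (the audit team used IDEA; this is not their workpaper). All records are constructed, and treating "both payment types in the same calendar month" as an overlap is an assumption that stands in for the team's visual review of payment dates.

```python
import re
from collections import defaultdict
from datetime import date

# All records below are constructed. SSNs use area number 000, which is never issued.
EMPLOYEES = [      # Employee Master List: (EMP_NUM, first name, last name, SSN)
    ("E001", "Pat", "Rivera", "000-11-0001"),
    ("E002", "Sam", "Okafor", "000-11-0002"),
    ("E003", "Lee", "Hart", "000-11-0003"),
]
BENEFICIARIES = [  # Beneficiary Master List: (BENF_NUM, first name, last name, SSN)
    ("B101", "Pat", "Rivera", "000110001"),    # same SSN, different punctuation
    ("B102", "Lee", "McHart", "000-11-0003"),  # same SSN, different surname
    ("B103", "Ana", "Silva", "000-11-0009"),
]


def _dates(year, month_days):
    return [date(year, m, d) for m, d in month_days]


PAYROLL = (        # (EMP_NUM, PAY_DATE); the payment files carry no SSN
    [("E001", d) for d in _dates(2021, [(10, 15), (10, 30), (11, 15)])]
    + [("E002", d) for d in _dates(2021, [(7, 30), (8, 30)])]
    + [("E003", d) for d in _dates(2021, [(7, 30), (8, 30), (9, 30), (10, 30)])]
)
BENEFITS_PAID = (  # (BENF_NUM, PAY_DATE)
    [("B101", d) for d in _dates(2021, [(7, 15), (7, 30), (8, 15), (9, 30)])]
    + [("B102", d) for d in _dates(2021, [(8, 15), (8, 30), (9, 15), (9, 30)])]
    + [("B103", d) for d in _dates(2021, [(7, 15)])]
)
PAYROLL_WITH_ORPHAN = PAYROLL + [("E999", date(2021, 7, 30))]  # constructed control failure


def normalize_ssn(ssn):
    """Keep digits only so formatting differences between source files cannot hide a match."""
    return re.sub(r"\D", "", ssn)


def mask(ssn):
    """Report only the last four digits, as Illustration 7.20 does."""
    return "XXXXX" + normalize_ssn(ssn)[-4:]


def integrity_issues(employees, beneficiaries, payroll, benefits_paid):
    """Pre-checks from the data preparation step: no blank SSNs, and no payments
    to identifiers that are absent from the master lists."""
    issues = []
    for label, master in (("employee", employees), ("beneficiary", beneficiaries)):
        issues += [f"{label} {row[0]} has no SSN" for row in master if not normalize_ssn(row[3])]
    emp_ids = {row[0] for row in employees}
    benf_ids = {row[0] for row in beneficiaries}
    issues += [f"payroll payment to unknown {e}" for e, _ in payroll if e not in emp_ids]
    issues += [f"benefit payment to unknown {b}" for b, _ in benefits_paid if b not in benf_ids]
    return issues


def match_by_ssn(employees, beneficiaries, payroll, benefits_paid):
    """Join the master lists on SSN, link payments through EMP_NUM and BENF_NUM,
    and list the months in which one SSN received both payment types."""
    payroll_months, benefit_months = defaultdict(set), defaultdict(set)
    for emp_num, paid in payroll:
        payroll_months[emp_num].add((paid.year, paid.month))
    for benf_num, paid in benefits_paid:
        benefit_months[benf_num].add((paid.year, paid.month))

    benf_by_ssn = defaultdict(list)
    for row in beneficiaries:
        benf_by_ssn[normalize_ssn(row[3])].append(row)

    results = []
    for emp_num, e_first, e_last, ssn in employees:
        for benf_num, b_first, b_last, _ in benf_by_ssn.get(normalize_ssn(ssn), []):
            overlap = sorted(payroll_months[emp_num] & benefit_months[benf_num])
            emp_name = (e_first.strip().casefold(), e_last.strip().casefold())
            benf_name = (b_first.strip().casefold(), b_last.strip().casefold())
            results.append({
                "ssn": mask(ssn), "emp_num": emp_num, "benf_num": benf_num,
                "name_mismatch": emp_name != benf_name,
                "overlap_months": overlap,
                "status": "unacceptable" if overlap else "acceptable",
            })
    return results


if __name__ == "__main__":
    print(integrity_issues(EMPLOYEES, BENEFICIARIES, PAYROLL, BENEFITS_PAID))
    for row in match_by_ssn(EMPLOYEES, BENEFICIARIES, PAYROLL, BENEFITS_PAID):
        print(row)
```

A person who moves from benefits to employment partway through a month would also be flagged by the month-level rule, so each "unacceptable" row still needs the date-by-date review the audit team performed.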

Regression Analysis

Regression analysis is a statistical process that involves estimating a prediction equation
that expresses an item of interest (commonly known as the y or dependent variable) in
terms of other data fields (the x or independent variables). Auditors can use such a prediction
equation to inform their expectations and then compare them against actual figures in
search of notable items. Consider an auditor analyzing revenue as part of a risk
assessment procedure. Revenue might be strongly seasonal, as it is for many retailers, in which
case the auditor might expect revenue to follow a time-series regression that is based on
the trend and seasonality in historical revenue figures. On the other hand, revenue might
be strongly related to the level of internet traffic for a purely online business, in which case
the auditor might expect revenue to follow a regression that is based on the numbers of
page views or hits.
As part of ADA, the following steps should be used for regression analysis:

1. Estimate the prediction equation using data that is not currently being audited (usually
historical data).
2. Validate the prediction equation from a business logic point of view based on the auditor’s
knowledge of the client, the industry, and the data being analyzed. Make modifications
to Step 1 as needed.
3. Validate the prediction equation from a statistics point of view. Make modifications to
Step 1 as needed.
4. Use the regression equation to make predictions for the data currently being audited.
5. Compare the predicted values (auditor’s expectation) with the actual values.
6. Any values that are unacceptable variations should be treated as notable items and be
investigated further according to the risk analysis decision tree (Illustration 7.8) to
determine whether (i) their unusual characteristics are acceptable because they are
underpinned by a valid business reason that can be substantiated or (ii) whether there is a risk
of a material level of misstatement.

Notice how business acumen is a key part of this analytical procedure (in Steps 2 and 6).
Estimating a linear (straight-line) regression is the most common approach. There are
also a vast number of more complex regression models should a linear regression not be
appropriate. All well-known analytics packages can perform linear regression, and more advanced
packages are also able to perform other regressions, such as logistic regression and other
generalized linear regressions, local regression, time-series regressions, and more. Ultimately,
the auditor should choose the most appropriate regression model for the problem—a more
complex model will provide worse results if it is not the most suitable model. In fact, simple
models often perform very well.
The simplest regression is where the prediction equation is the average of the data. Even
this model can be useful. Insurance premiums for a large, mature company are likely akin to
fixed costs that could be predicted well by their average. In this case, the auditor might flag any
observations that fall outside of two standard deviations as notable items. About 95% of the
data falls within two standard deviations of the mean if the data is approximately normally
distributed, and even if it is not, there should still be at least 75% of the data (using Chebyshev’s
Theorem).
The use of regression analysis as an ADA technique can be illustrated in the context of an
analysis of passenger service expenses in the audit of G&J Airlines. Illustration 7.23
identifies key characteristics of this ADA application. Once again, the five-step process for ADA will
be used in conjunction with the risk analysis decision tree. Here, regression analysis is used
as a general risk assessment tool. The focus is on transactions recorded during the year, and
misstatements could arise from any assertion. The audit period covered by this ADA is the
year ended December 31, 2022.

ILLUSTRATION 7.23   Overview of airline example

Business Environment:                       Regional airline in the United States
Concern for Risk of Material Misstatement:  Potential for under- or overstatement of passenger expenses
                                            based on relationship to number of passengers (using
                                            information in the database on number of passengers).
Account(s):                                 Passenger Service Expenses
Financial Statement Assertion:              Completeness, occurrence, accuracy, cutoff, or classification
                                            of passenger service expenses
Broad ADA Objective:                        Search for unacceptable variations from expected patterns

G&J Airlines is a regional airline in the United States. Over the past five years, the
average quarterly revenue was $660 million. Although the airline is not a public
company, its financials are audited annually to support debt financing. G&J Airlines has a
December 31 year-end, and the audit associated with this application of ADA focuses on
the year 2022. In this example, the five-step process for ADA will be used in conjunction
with the risk analysis decision tree (Illustration 7.8) to investigate the level of passenger
service expenses. Examples of such expenses include costs associated with cleaning
aircraft, handling luggage, and passenger check-in. In total, all costs relating to processing
and servicing passengers before, during, and after the flight should be coded as passenger
service expenses.

Plan the Audit Data Analytics


Some financial values have consistent patterns over time, such that deviations from that
pattern might be notable items. In this example, quarterly data were made available to the
auditor. No expected quarterly patterns for passenger service expenses over time were known to
the auditor, so the audit team decided to explore historical data to determine if there were any
clearly noticeable patterns. To this end, the audit team produced the time-series plot shown
in Illustration 7.24. It appears that there may be some seasonality to the data and a slow
increasing trend, but overall there are no clearly noticeable features that could be used from an
audit expectations standpoint.
Instead of exploring the data, the auditors thought more about their expectations for
passenger service expenses. They concluded that they expected there to be a substantial fixed-cost
component, as well as a variable-cost component strongly linked to the number of passengers.
The audit team proceeded to plan the ADA based on this expectation.

ILLUSTRATION 7.24  Quarterly passenger service expenses of G&J Airlines over time

[Time-series plot. x-axis: quarters from Q1 2014 to Q4 2022; y-axis: Quarterly cost of passenger
services ($000).]

Historical data prior to the financials to be audited (2022) was used to develop a linear
regression model that predicts passenger service expenses based on an intercept term (fixed cost)
and the number of passengers (variable cost). This model would then be used to predict the
passenger service expenses in 2022 based on the passenger numbers. These predictions represent
the audit team’s expectation and are compared to the actual figures as per the risk analysis
decision tree (Illustration 7.8). Performance materiality for this analysis has been set at $15 million.
For this ADA, the audit team used the R data science programming language that is
available for free. Other spreadsheet and statistical programs are also able to complete the analysis.

Access and Prepare the Data for Audit Data Analytics


G&J Airlines have made quarterly data available even though only the annual financials are
being audited. Current and historical data for passenger service expenses and passenger
numbers have been provided in a spreadsheet. As the data was clean, the auditors proceeded to
document their evaluation of the relevance and reliability of the data.

Evaluate the Relevance and Reliability of the Data Used


The auditors’ evaluation of the relevance and reliability of the data obtained from the client is
presented in Illustration 7.25.

ILLUSTRATION 7.25   Evaluation of relevance and reliability of information obtained from the client

Nature of the data:
  Quarterly data from the first quarter of 2014 to the fourth quarter of 2022 was obtained
  from the client regarding:
  •  Passenger service expenses.
  •  Passenger numbers.

Source of the data:
  All the data comes from the client.

Process used to produce the data:
  The client’s accounting database for costs contained the expense information, while
  the database of operational information housed the passenger numbers data.

Matters the auditor might consider in determining the nature, timing, and extent of procedures
to perform regarding whether data is sufficiently reliable:
  The client has a well-defined process of recording the number of passengers on each flight
  in the database of operational information and then aggregating them for a reporting period.
  This process has been tested and verified by the auditor.
  The audit team has also previously tested and found effective the IT general controls
  and internal controls over the accounting and operational databases.

Procedures regarding data reliability an auditor may consider performing:
  The audit team verified that the quarterly expense data supplied reconciled with the
  annual data being audited.

Perform the Audit Data Analytics


Illustration 7.26 is a plot of quarterly passenger service expenses against the corresponding
total number of passengers. There appears to be a noticeable linear relationship.

ILLUSTRATION 7.26  Passenger service expenses against passenger numbers

[Scatter plot with historical and current-year points. x-axis: Quarterly passenger numbers (’000);
y-axis: Quarterly cost of passenger services ($000).]

The next step after visually observing a linear relationship is to confirm by estimating a linear
regression. The regression model must be estimated based only on the historical data to ensure it
can be used to make predictions for the current period. The resulting regression equation is:

Predicted passenger service expenses = $9,794,630.16 + ($2.48 × Number of passengers)

This regression indicates that quarterly passenger service expenses have a fixed-cost
component that is almost $10 million and a variable cost component of approximately $2.48 per
passenger. It is important to verify that the model makes logical sense to the auditors given their
knowledge of the business and the industry. In this case, the model is suitable and consistent
with expectations formed in the planning stage (see “Plan the Audit Data Analytics” earlier
in this section). Furthermore, both coefficients are highly statistically significant (meaning
that they are reliably not zero) as shown by the t-statistics and p-values in Illustration 7.27.
The auditors also conducted appropriate tests and did not find any clear violation of linear
regression model assumptions.

ILLUSTRATION 7.27  Results of linear regression model to predict quarterly passenger service expenses

                              Coefficient     t-Statistic   p-Value (two-sided)
Intercept                     9,794,630.16    7.15          0.00000005
Quarterly passenger numbers   2.48            5.35          0.000008

The auditors then proceeded to use the model to calculate expectations for 2022. As an
example, if there were 3 million passengers in a quarter, then using the regression model the
auditor would expect just over $17 million in passenger service expenses:

$9,794,630.16 + ($2.48 × 3,000,000) = $17,232,111.45

However, performing an exact comparison between expectations and actual figures results
in every quarter being a notable item, because they do not match the auditor’s expectation
exactly (even if they are very close). Thus, the concept of acceptable variations from the risk
analysis decision tree needs to be introduced. In this case, the audit team calculated a 95%
prediction interval for each quarter in 2022. If the actual value fell outside of that interval, then it
was deemed an “Unacceptable Variation from Auditor’s Expectation.” Illustration 7.28 shows
the results.

ILLUSTRATION 7.28  Result of regression-based ADA for G&J Airlines

[Scatter plot showing historical points, the simple regression line, the 95% prediction interval,
and current-year points. x-axis: Quarterly passenger numbers (’000); y-axis: Quarterly cost of
passenger services ($000).]

Evaluate the Results and Draw Conclusions


Based on business logic, the audit team developed expectations that the passenger service
expenses should be related to passenger numbers. This relationship was validated with data
and a linear regression model was estimated and used to form expectations for the four
quarters of 2022 currently being audited. This risk assessment ADA identified two quarters (Q2
and Q3) that are unacceptable variations from the auditor’s expectation and that are at risk
of being overstated. Furthermore, given these quarterly costs are in excess of the $15 million
threshold for performance materiality (as per the third level in the risk analysis decision tree),
they need to be investigated further.
An investigation into these two quarters revealed the reason for their unusually high values
is that some fuel costs had been miscoded as passenger service expenses—approximately
$4 million in Q2 and $3.2 million in Q3. Once these figures were correctly coded, all passenger
service expenses were well within their 95% prediction interval. The investigation further revealed
that all of the miscoding had been performed by Steve Baxly, a new employee. As a result
of this ADA, Steve was informed that fuel expenses are not passenger-related and have their own
expense code. Steve’s manager has also informed the audit team that they are reviewing the new
staff training procedures to make sure this error does not happen again with new employees.
Finally, the audit team increased control risk with respect to tests of the classification assertion
in the purchases process, decreased detection risk, and increased the scope of substantive testing
to look further for potential classification misstatements.
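The regression-based expectation and 95% prediction interval test described above can be worked through in code. This is an added example, not the textbook's or the audit team's own workings: the historical and current-year figures are constructed around the rounded coefficients in Illustration 7.27, and the function names are hypothetical.

```python
import math

# Constructed history (not G&J Airlines data): 12 quarters of
# (passenger numbers, passenger service expense in dollars), scattered around
# the rounded coefficients reported in Illustration 7.27.
INTERCEPT, SLOPE = 9_794_630.16, 2.48
_SCATTER = [(1_800_000, 300_000), (2_200_000, 200_000), (2_600_000, 250_000),
            (3_000_000, 150_000), (3_400_000, 350_000), (3_800_000, 250_000)]
HISTORY = [(x, INTERCEPT + SLOPE * x + sign * d)
           for x, d in _SCATTER for sign in (1, -1)]

# Two-sided 95% critical value of Student's t with 12 - 2 = 10 degrees of freedom.
T_CRIT = 2.228

# Constructed current-year quarters: (quarter, passengers, recorded expense).
CURRENT_YEAR = [
    ("Q1", 2_900_000, 17_106_630.16),
    ("Q2", 3_200_000, 21_640_630.16),
    ("Q3", 3_500_000, 21_874_630.16),
    ("Q4", 3_100_000, 17_332_630.16),
]
# Fuel costs found to be miscoded as passenger service expenses (amounts from the text).
MISCODED_FUEL = {"Q2": 4_000_000, "Q3": 3_200_000}


def fit(history):
    """Ordinary least squares for expense = intercept + slope * passengers."""
    n = len(history)
    x_bar = sum(x for x, _ in history) / n
    y_bar = sum(y for _, y in history) / n
    sxx = sum((x - x_bar) ** 2 for x, _ in history)
    slope = sum((x - x_bar) * (y - y_bar) for x, y in history) / sxx
    intercept = y_bar - slope * x_bar
    sse = sum((y - intercept - slope * x) ** 2 for x, y in history)
    # s is the residual standard error with n - 2 degrees of freedom.
    return {"n": n, "x_bar": x_bar, "sxx": sxx, "slope": slope,
            "intercept": intercept, "s": math.sqrt(sse / (n - 2))}


def prediction_interval(model, passengers, t_crit=T_CRIT):
    """Return (low, expected, high) for one new quarter with this passenger count."""
    expected = model["intercept"] + model["slope"] * passengers
    spread = math.sqrt(1 + 1 / model["n"]
                       + (passengers - model["x_bar"]) ** 2 / model["sxx"])
    half_width = t_crit * model["s"] * spread
    return expected - half_width, expected, expected + half_width


def notable_items(model, quarters, recode=None):
    """List (quarter, variance from expectation) for amounts outside the interval.

    recode maps a quarter to an amount removed from the recorded expense,
    for example fuel costs moved back to their own expense code.
    """
    recode = recode or {}
    flagged = []
    for name, passengers, recorded in quarters:
        low, expected, high = prediction_interval(model, passengers)
        amount = recorded - recode.get(name, 0)
        if not low <= amount <= high:
            flagged.append((name, round(amount - expected)))
    return flagged


if __name__ == "__main__":
    model = fit(HISTORY)
    print("As recorded:", notable_items(model, CURRENT_YEAR))
    print("After recoding fuel:", notable_items(model, CURRENT_YEAR, MISCODED_FUEL))
```

An exact comparison would flag all four constructed quarters; the interval test flags only the two whose variance exceeds what the historical scatter explains.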

Visualization
visualization  the representation of a data set, or key information, as a chart or other image

Visualization is the representation of a data set, or key information, as a chart or another
image. Computers do not need visualizations. Instead, visualizations are produced to reveal
information to people. “Visualization is a fundamentally human activity” is how Garrett
Grolemund and Hadley Wickham put it in their recent data science book.4 Good visualizations
have the following characteristics:
•  Facilitate people making visual comparisons between data elements. This can help auditors
to identify patterns, deviations from patterns, and outliers in the analysis stage of ADA.
•  Are generally understood by a wider audience. Visualizations reduce the message to its
core components and use minimal, or no, jargon. This is particularly useful to auditors
because they have to present findings to business people with varied backgrounds. This
benefit is also applicable to auditors sharing the results of ADA with the rest of the audit
team who will not be as familiar with ADA as the auditor who performed it.

4 G. Grolemund and H. Wickham, R for Data Science (O’Reilly, 2017), Chapter 2.

•  Communicate a lot of information efficiently. There is truth to the saying a picture is worth
a thousand words. A popular statistics textbook5 refers to a research finding that managers
in meetings reach a consensus 25% faster when shown presentations that include
graphics. Managers are extremely busy people, and so auditors will benefit from being
able to communicate their findings efficiently. Once again, a similar logic applies to auditors
communicating findings within an audit team.
•  Are likely to be better remembered. In the book Brain Rules, John Medina6 talks of vision being
the top-ranked sense and that the human brain excels at remembering pictures. Having
a strong recollection of the findings from ADA is useful to the auditor when combining the
large number of findings to make sense of the audit as a whole. It is also useful for clients
(and any other stakeholders) to better remember what auditors are trying to tell them.
In the context of ADA, a visualization can be used to assist with the analysis, to communicate
findings effectively and efficiently, or both.
Just as is the case for the benefits, the risks associated with visualizations are related to
their association with people. There are risks when visualizations are created in isolation.
Visualizations are excellent at summarizing results, but they generally do not provide precise
figures or tests of statistical significance that are often needed in ADA. That is, they should
be used in combination, not isolation. An excellent visualization of an otherwise poor ADA is
not useful. Even a beautiful visual as part of a good ADA is useless if it has no purpose. On the
other hand, an excellent visualization that is integrated into a well-defined and well-executed
five-step ADA can add tremendous value.
There is also a risk that the pretty visualization will be remembered rather than the message
it was intended to convey. Auditors need to focus viewers on the substance, not the form,
of the visualization. Current software makes it very easy to create complex visualizations, but
they are not always appropriate. For example, three-dimensional graphs are rarely needed
because they are relatively difficult to interpret. Usually, all the information can be displayed
in a standard two-dimensional graph. The lesson is to use the graph that is best suited to the
need of the ADA. This requires business acumen and equally applies to simple cases. In the
advertising agency example (see Audit Reasoning Example “Multiple Transactions Below a
Key Threshold” from earlier in the chapter), a simple histogram was a well-suited visualization.
Even then, without the proper business acumen, the ADA could have concluded that there
were no notable items based on the first histogram. However, what was needed was a more
detailed analysis of smaller amounts, so a second histogram was produced. The most appropriate
visualization to use and the best parameters to use for that chosen visualization should
be decided on a case-by-case basis. It is also important to acknowledge that there are inherent
limitations with visualizations because people can only view three dimensions, but it is easily
possible to have a regression or clustering based on four, or more, data fields.
Visualizations can also easily be misleading. Illustration 7.29 presents an alarming
picture of revenue dropping.

ILLUSTRATION 7.29   Example of a misleading graph
[Figure: chart titled “Crisis: Major Drop in Revenue” showing annual revenue (in $ billions) for 2018 through 2022.]

5 G. Keller, Statistics for Management and Economics 11e (Cengage Learning: Stamford, CT, 2017), p. 14.
6 J. Medina, Brain Rules (Updated and Expanded): 12 Principles for Surviving and Thriving at Work, Home, and
School, Second Edition (Pear Press: Seattle, WA, 2014).

However, using identical data, Illustration 7.30 reveals that revenue is in fact extremely
stable and that the misleading figure was produced by manipulating the vertical axis and then
removing the information that would reveal the manipulation. Auditors need to guard against
this by using professional skepticism whenever viewing visualizations produced by others.
When producing visualizations, it is important to remember that a good visualization is clear
and well-labeled, concise and informative, accurate and not misleading.

ILLUSTRATION 7.30   Undistorted axis example (left panel) and distorted axis with labels example (right panel)
[Figure: two panels of annual revenue (in $ billions) for 2018 through 2022. Left panel, “Very Consistent Revenue,” with a vertical axis running from 0 to $50. Right panel, “Crisis: Major Drop in Revenue,” with a vertical axis running from 49.0 to $50.0.]

Let us consider some of the visualizations already presented in this chapter to see these
benefits and risks in practice.
The dried fruit case was an example of visualizations being used to enhance analysis and
communicate results to the client (Illustrations 7.13, 7.14, and 7.15). As part of the analysis,
the auditor used this visualization to help identify common patterns in inventory turnover
and outliers from those patterns. Even though the visualization was useful as an analysis tool,
the auditor still needed numbers for precise analysis, which were presented in tables in the
example. The visualization helped to understand the bigger picture—it helped to see the forest
but was not the correct tool for viewing individual trees (individual dried fruit products in this
example).
Visualizations were also used for dual purposes in the G&J Airlines example (Illustrations
7.26 and 7.28). The results of the regression and the prediction intervals were shown
visually for the auditor to easily identify notable items, but it was also used to tell the story to
the client. This visualization (Illustration 7.28) effectively presents a lot of information: the
historical data, current data being audited, the expectations as per the regression’s predictions,
and the prediction intervals that clearly identify any points with unacceptable variations from
expectation. None of this needs to be explained in text, as it is evident from the visualization.
Another key lesson from this ADA is that not all visualizations are useful. Initially, a time-
series graph was produced, but it was not appropriate for this ADA. When additional business
acumen was applied, the more suitable regression analysis was chosen.
In contrast to the other examples, no visualizations were used to conduct the analysis
matching welfare benefit disbursements with payroll disbursements as part of a state government
internal audit. In that example, IDEA software was used to process hundreds of thousands
of records looking for matches; that is, to “find the needle in the haystack.” A visualization was
still useful as a means of reporting the results to superiors. When viewing the visualization
(Illustration 7.22), it is easy to learn the payment patterns of all people with matching SSNs in
the employee and beneficiary databases. These patterns would be difficult, and cumbersome,
to describe in only text. As an exercise, you might like to try describing the payment patterns
shown in Illustration 7.22 and see how difficult it is to convey all the information in that graph.
This ADA is an example where a visualization was not useful in the analysis stage, but a well-
suited visualization was an effective and efficient way to communicate the results.
Overall, a successful ADA is accomplished by all five steps in the process being done
well and with sound reasoning. It is clear that visualizations are a necessity in the ADA tool
box. They can help with analysis and communicate results, but they are not the correct tool
to solve every ADA challenge. Visualizations are tools to enhance the five-step ADA process,
not replace it.

Before You Go On
4.1  What is clustering? How is clustering used as a risk assessment tool?
4.2  What is the goal of using ADA to find matches in two large populations?
4.3  Explain how the auditor would use regression analysis to identify notable items.
4.4  What should be accomplished with good visualizations?

Using Audit Data Analytics as a Substantive Test


Learning Objective 5
Explain how audit data analytics is used as a substantive test.

A number of substantive tests of details involve matching information in the accounting
records with information on underlying documents. For example, an auditor might perform
a vouching procedure whereby the auditor vouches the quantities on a sales invoice
to the quantities on underlying shipping documents, the existence of a bill of lading, and
the prices compared to the sales order. In another example, if a confirmation of an accounts
receivable balance is not returned by the customer, the auditor might validate the
receivable by looking at evidence of subsequent cash receipt in the amount of the billing
to the customer.
Today, these previously paper documents have been transferred to electronic form. It is
appropriate for the auditor to compare electronically what was previously compared manually.
Further, the auditor should make the same judgments about the relevance and reliability
of information when making an electronic comparison as the auditor would consider when
making a manual comparison. AU-C 315.A61–.A64 provides a discussion about how the use
of information technology results in benefits and risks that may affect the reliability of data.
AU-C 500.A27–.A34 provides a general discussion about the relevance and reliability of evidence.
When the auditor is performing ADA as a substantive test of details of a population of
transactions or balances, the auditor will have evaluated inherent risk and will likely have performed
tests of controls to assess control risk. Therefore, the auditor will most likely perform
ADA as a substantive test when the auditor has performed tests of controls and concluded that
the entity has:
•  Strong IT general controls, including strong access controls.
•  Strong IT application controls related to the assertion being tested.
•  Strong controls over electronic data interchange and the exchange of electronic information
about a transaction between the client and its customers or suppliers.
If the auditor is performing substantive tests at an interim date, the auditor must perform
steps to update the conclusion to the date of the financial statements. This roll-forward process
is discussed in more detail in Chapter 9. Finally, if the auditor finds a misstatement when performing
substantive tests, the auditor needs to evaluate (1) the materiality of the misstatement
found, and (2) whether the misstatement provides evidence of a weakness in internal controls.
If the evidence about internal controls does not support a previous conclusion regarding internal
controls, the auditor should reassess internal controls at a higher level and reevaluate
the implications of a high control risk assessment on detection risk and the auditor’s audit
strategy.
The following section provides an example illustrating the use of ADA as a substantive test.

Before You Go On
5.1 Develop an example of a traditional manual comparison of information in a substantive test
where the same process can be done electronically with ADA.
5.2 What conditions are normally present when an auditor plans to use ADA as a substantive
test of details?
5.3 What should the auditor consider when ADA performed as a substantive test of details iden-
tifies misstatements?

Applying Audit Data Analytics as a Substantive Test


Learning Objective 6
Apply audit data analytics as a substantive test and evaluate the results.

The use of ADA as a substantive test is illustrated in the context of an analysis of revenues
and receivables at an electric power cooperative. Illustration 7.31 identifies key
characteristics of this ADA application. Once again, the five-step process for ADA will
be used as a substantive test. The focus is on validating revenue transactions recorded
during the year and accounts receivable at December 31, 2022. Therefore, the assertions
being tested are the occurrence of revenue transactions and the existence of receivables.
It is possible that the test could uncover problems with the accuracy of revenues or the
valuation of receivables at their gross amount.

ILLUSTRATION 7.31   Overview of electric cooperative example

Business Environment:  Electric power cooperative
Concern for Risk of Material Misstatement:  Potential for overstatement of revenues and accounts receivable.
Financial Statement Account(s):
•  Revenue
•  Accounts Receivable
Assertion:
•  Occurrence of revenues and existence of receivables
•  Accuracy of revenues and valuation of receivables
Broad ADA Objective:  Substantive test

Validating Sales Revenue and Accounts Receivable with Subsequent Cash Receipts
The following example illustrates the five-step process for ADA to validate both sales
revenue and accounts receivable when auditing the revenue process. In this example, the audit
client is an electric power cooperative that delivers power to approximately 209,000 members.
Most of the members are households in the electric utility district, and it has been difficult
for the auditor to obtain confirmations from general consumers of electric power. The auditor
plans to use ADA as a substantive test of details to validate both revenues and receivables by
matching billings to members with subsequent cash receipts from members. The client has a
December 31 year-end, and the audit report is expected in April of the following year. For the
year-end December 31, 2022, the client had power sales to members of $237,166,939. Receivables
from members at December 31, 2022, amounted to $23,044,787. Performance materiality
for revenues and receivables is set at $725,000.

Plan the Audit Data Analytics


The purpose of the ADA is to validate power revenues from members for the year ended December
31, 2022, and receivables from members as of December 31, 2022. The auditor is auditing
the occurrence and accuracy of sales revenues, and the existence and valuation of receivables.
Inherent risk for revenue and receivables is determined to be moderate to high because of the
volume of transactions going through the account. Control risk is assessed as low based on
tests of controls and the following conclusions have been reached. The electric cooperative has:
•  A strong control environment.
•  Strong IT general controls.
•  Strong IT application controls related to the occurrence of revenue, the completeness of
cash receipts, and the existence and valuation of receivables.
The cooperative reviews the collectibility of power bills monthly to decide about turning
off power to members with receivables that are 90 days past due. The CFO reviews old
outstanding receivables quarterly and decides whether to turn past due receivables over to a
collection agency, evaluates the allowance for doubtful accounts, and determines the amount
of receivables that should be written off.
The auditor plans to validate the occurrence and accuracy of sales revenue by matching
power billings with subsequent cash receipts. The auditor will also validate the existence and
valuation of receivables at December 31, 2022, by matching receivables with subsequent cash
receipts during January and February 2023.

Access and Prepare the Data for Audit Data Analytics


To test the completeness of the data, the auditor summarized the information in Illustration 7.32
from the client’s general ledger.

ILLUSTRATION 7.32   Summary of Accounts Receivable activity for the 14 months ended February 28, 2023

                                    Accounts          Allowance for
                                    Receivable        Doubtful Accounts
Balance, December 31, 2021          $  22,342,841     $ 11,985
Power sales to members                237,166,939
Collected from members               (236,369,269)
Provision for bad debts                                 97,000
Accounts Receivable written off           (95,724)     (95,724)
Balance, December 31, 2022             23,044,787       13,261
Power sales to members                 40,572,853
Collected from members                (39,965,046)
Balance, February 28, 2023          $  23,652,594     $ 13,261

The auditor then obtained a sales transaction file, a cash receipts transaction file, and an
accounts receivable file from the client. The accounts receivable files matched the information
above that was taken from the general ledger. The sales file also matched the general ledger.
The auditor then prepared the information in Illustration 7.33, which reconciled the above
information to the cash receipts journal.

ILLUSTRATION 7.33   Reconciliation of Cash collected from members to total cash receipts

                                           For the Year Ended     For the Two Months
                                           December 31, 2022      Ended February 28, 2023
Cash collected from members                $236,369,269           $39,965,046
Cash received from bank loan                  3,000,000                     –
Cash received from sale of assets               142,837                28,771
Cash received per cash receipts journal    $239,512,106           $39,993,817

The auditor was able to reconcile the data files received from the client to the client’s
general ledger. All the data was clean and in a consistent format, so the auditors proceeded to
document their evaluation of the relevance and reliability of the data used.

Evaluate the Relevance and Reliability of the Data Used


The auditor’s evaluation of the relevance and reliability of the data obtained from the client is
shown in Illustration 7.34.

ILLUSTRATION 7.34   Evaluation of relevance and reliability of information obtained from the client

Nature of the data
Data was obtained from the client regarding:
•  Accounts receivable at December 31, 2021.
•  Accounts receivable at December 31, 2022.
•  Accounts receivable at February 28, 2023.
•  Power sales for the 14 months ended February 28, 2023.
•  Cash receipts for the 14 months ended February 28, 2023.

Source of the data
The data came from the electric cooperative’s financial database.

Process used to produce the data
The client’s accounting information system (database) collects information on revenue and
cash receipt transactions, as well as journal entries made. This database is also used to produce
accounts receivable balances.

Matters the auditor might consider in determining the nature, timing, and extent of procedures to perform regarding whether data is sufficiently reliable
The audit team tested internal controls related to the cooperative’s control environment. The
following controls were also tested and found effective:
•  IT general controls.
•  IT application controls related to occurrence of revenues, accuracy of revenues,
completeness of cash receipts, and the existence and valuation of accounts receivable.

Procedures regarding data reliability an auditor may consider performing
The audit team reconciled the following information received from the client with the general
ledger:
•  Accounts receivable as of December 31, 2021, December 31, 2022, and February 28, 2023.
•  Total power sales to members for the periods ending December 31, 2022, and February 28,
2023.
•  Total cash receipts for the periods ending December 31, 2022, and February 28, 2023.
•  Sales adjustments for the provision for bad debts and the write-off of accounts receivable
for the year ended December 31, 2022.

Perform the Audit Data Analytics


The audit team used ADA to match billings for power sales to members with subsequent
cash receipts. The audit team also used ADA to match receivables at December 31, 2022, to
subsequent cash receipts during the two months ended February 28, 2023. Illustration 7.35
summarizes the results of the ADA performed.

ILLUSTRATION 7.35   Summary of matching of power billings with subsequent cash receipts
for the year ended December 31, 2022, and matching receivables at December 31, 2022, with
subsequent cash receipts

                                                                     Number of
                                                                     Members     Dollars           Percentage
Power billings 1/1/2022–12/31/2022 subject to matching procedures    193,629     $ 237,166,939     100.0%
Cash collection equals billing                                       188,023     $ 209,167,026      88.2%
Cash collection greater than billings subsequently offset by
  cash collections less than billings                                  1,978         1,805,948       0.8%
Cash collections greater than billings                                   482           454,445       0.2%
Cash collection less than billings subsequently offset by
  cash collections greater than billings                               1,714     $   1,643,710       0.7%
Cash collections less than billings                                    1,127           965,353       0.4%
 Total cash received from customers                                  193,324     $ 214,036,482      90.2%
No cash received                                                                    23,130,457       9.8%
 Total billings subject to matching procedures                       193,324     $ 237,166,939     100.0%
Ending receivables at 12/31/2022                                     191,839        23,044,787
Billings for 2022 subsequently written off                               305            85,670
 Total of no cash received on 2022 billings                                      $  23,130,457

Accounts receivable 12/31/2022 subject to matching procedures        191,839     $  23,044,787     100.0%
Cash collection equals billing                                       183,162        22,002,475      95.5%
Cash collection greater than billings subsequently offset by
  cash collections less than billings                                  1,292           143,156       0.6%
Cash collections greater than billings                                 1,957           174,969       0.8%
Cash collection less than billings subsequently offset by
  cash collections greater than billings                               2,076           256,785       1.1%
Cash collections less than billings                                    3,287           455,876       2.0%
No cash collected                                                         65            11,526       0.1%
 Total cash received from customers                                  191,839     $  23,044,787     100.0%

Evaluate the Results and Draw Conclusions


The audit team is focused on the occurrence and accuracy of sales revenues. The presumption
is that when power bills are paid in full by the customer, the transaction is validated by the
subsequent payment in full by the customer and no dispute of the amount by the member. The
same presumption is made regarding receivables at year-end. If they are paid in full and are not
disputed, the receivable at December 31, 2022, exists and is properly valued at its gross amount.
With respect to the power billings to members, 88.2% of billings were matched by identical
cash receipts. Further, there was significant overlap between the group of members that overpaid
and the group of members that underpaid. Detailed analysis showed that 1,978 members overpaid
their bills, and the same members subsequently underpaid their bills. Investigation showed that
some of these members unintentionally overpaid one month, which reduced the amount due the
next month, and the customer then paid the amount due (which was less than the power bill for
the month). In some cases, members paid three or four months of expected power bills in advance,
and then made no payments for several months. A similar pattern was noted among the 1,714
members that initially underpaid. Often, in the next 30 to 60 days, the customers brought their bills
current with an overpayment of what was billed in the current month. To the extent that collections
were less than billings and not offset by overpayments, the result was a growth in receivables.
An analysis of the collection of accounts receivable at December 31, 2022, shows that 95.5%
of receivables were collected in full during the subsequent period. Once again, some members
overpaid the receivable they owed, and other members underpaid the receivable owed to the
electric cooperative. Further, a detailed analysis shows a significant overlap between the members
who overpaid and members who underpaid. However, an analysis of year-end receivables
showed 3,287 members whose underpayments were not offset by overpayments. These
receivables amounted to $455,876. Upon investigation, some of these members complained about
the size of their bill, believing that they had been overbilled. As a result, receivables were growing
for these members. Other members did not complain but their receivables were growing as well.

The auditor determined that the potential misstatement of revenues and receivables amounted
to $467,402 ($455,876 + $11,526) which was less than performance materiality. In the cases where
members overpaid or underpaid but brought themselves current in a short period of time thereafter,
the auditor determined that there was not a breakdown in internal controls. However, the
auditor was concerned about the extent of the CFO review of the allowance for doubtful accounts
on a quarterly basis. At year-end, the allowance for doubtful accounts was only $13,261, and the
estimate for bad debt was only $97,000. After discussion with the CFO, it was determined that,
while net receivables were not materially misstated, the auditor did not believe that internal controls
related to the estimate for bad debts and the allowance for doubtful accounts were adequate.
The audit team included a discussion of a significant deficiency in internal controls related to these
items in a management letter to the board of directors of the electric cooperative.
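The matching of billings to subsequent cash receipts, and the comparison of the unmatched amount with performance materiality, can be sketched in code. This is an added example, not the audit team's procedure or the cooperative's data: the member records are constructed, the function names are hypothetical, and it assumes each receipt is tagged with the billing month it settles, that an offset means over- and underpayments net to zero, and that a category's dollars are its members' billings.

```python
from collections import defaultdict

PERFORMANCE_MATERIALITY = 725_000  # dollars, as set for revenues and receivables

# Category labels follow the rows of Illustration 7.35.
EQUAL = "Cash collection equals billing"
OVER_OFFSET = "Cash collection greater than billings, subsequently offset"
OVER = "Cash collections greater than billings"
UNDER_OFFSET = "Cash collection less than billings, subsequently offset"
UNDER = "Cash collections less than billings"
NO_CASH = "No cash received"

# Constructed sample files in whole dollars: (member_id, billing_month, amount).
BILLINGS = [
    ("M001", "2022-10", 120), ("M001", "2022-11", 135), ("M001", "2022-12", 150),
    ("M002", "2022-10", 100), ("M002", "2022-11", 100), ("M002", "2022-12", 100),
    ("M003", "2022-10", 90), ("M003", "2022-11", 95), ("M003", "2022-12", 110),
    ("M004", "2022-10", 200), ("M004", "2022-11", 210), ("M004", "2022-12", 220),
    ("M005", "2022-10", 80), ("M005", "2022-11", 85), ("M005", "2022-12", 90),
    ("M006", "2022-10", 60), ("M006", "2022-11", 65), ("M006", "2022-12", 70),
]
RECEIPTS = [  # M006 has no receipts at all
    ("M001", "2022-10", 120), ("M001", "2022-11", 135), ("M001", "2022-12", 150),
    ("M002", "2022-10", 120), ("M002", "2022-11", 80), ("M002", "2022-12", 100),
    ("M003", "2022-10", 50), ("M003", "2022-11", 135), ("M003", "2022-12", 110),
    ("M004", "2022-10", 200), ("M004", "2022-11", 150), ("M004", "2022-12", 100),
    ("M005", "2022-10", 80), ("M005", "2022-11", 85), ("M005", "2022-12", 100),
]


def pair_by_member(billings, receipts):
    """Return {member: [(billed, collected), ...]} in month order."""
    billed, collected = defaultdict(dict), defaultdict(dict)
    for book, rows in ((billed, billings), (collected, receipts)):
        for member, month, amount in rows:
            book[member][month] = book[member].get(month, 0) + amount
    pairs = {}
    for member in sorted(set(billed) | set(collected)):
        months = sorted(set(billed[member]) | set(collected[member]))
        pairs[member] = [(billed[member].get(m, 0), collected[member].get(m, 0))
                         for m in months]
    return pairs


def classify(pairs):
    """Assign one member to a category from its monthly (billed, collected) pairs."""
    diffs = [collected - billed for billed, collected in pairs]
    if sum(collected for _, collected in pairs) == 0:
        return NO_CASH
    if all(d == 0 for d in diffs):
        return EQUAL
    first_deviation = next(d for d in diffs if d != 0)
    net = sum(diffs)
    if net == 0:  # the early over- or underpayment was later made up
        return OVER_OFFSET if first_deviation > 0 else UNDER_OFFSET
    return OVER if net > 0 else UNDER


def match(billings, receipts):
    """Return (category per member, summary table, dollars not validated by cash)."""
    pairs = pair_by_member(billings, receipts)
    total_billed = sum(b for p in pairs.values() for b, _ in p)
    categories = {member: classify(p) for member, p in pairs.items()}
    totals = defaultdict(lambda: [0, 0])
    for member, category in categories.items():
        totals[category][0] += 1
        totals[category][1] += sum(b for b, _ in pairs[member])
    table = {c: (n, d, round(100 * d / total_billed, 1)) for c, (n, d) in totals.items()}
    # Underpaid-and-not-offset plus no-cash members are the potential misstatement.
    exposure = sum(table.get(c, (0, 0, 0.0))[1] for c in (UNDER, NO_CASH))
    return categories, table, exposure


def exceeds_materiality(exposure, materiality=PERFORMANCE_MATERIALITY):
    return exposure >= materiality


if __name__ == "__main__":
    categories, table, exposure = match(BILLINGS, RECEIPTS)
    for category, (members, dollars, pct) in table.items():
        print(f"{category:<60}{members:>4}{dollars:>8}{pct:>7}%")
    print("Potential misstatement:", exposure, exceeds_materiality(exposure))
```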

Before You Go On
6.1 What was the evidence in the electric cooperative case supporting the conclusion that power
sales for the year ended December 31, 2022, actually occurred and the billings were accurate
in their amount?
6.2 What was the evidence in the electric cooperative case supporting the conclusion that
accounts receivable at December 31, 2022, existed and were valued correctly at the amount
due from members?
6.3 If ADA shows that an account balance is materially correct, can a weakness in internal controls
exist? Explain your reasoning.

Learning Objectives Review


1  Explain the five-step process associated with plan- 3  Explain how audit data analytics is used as a risk as-
ning, performing, and evaluating results from audit data sessment procedure.
analytics.
The auditor often uses his or her knowledge of the entity, its business,
The five steps involved in planning, performing, and evaluating the and its industry combined with ADA to identify account balances,
results of audit data analytics are (1) plan the ADA, (2) access and pre- transactions, or disclosures that are at a high risk of material misstate-
pare the data for the ADA, (3) consider the relevance and reliability of ment. Illustration 7.6 explains a process for identifying notable items.
the data used, (4) perform the ADA, and (5) evaluate the results and This section also explains what an auditor should do when ADA iden-
conclude whether the purpose and specific objectives of performing tifies a large number of notable items for further consideration.
the ADA have been achieved.
4  Apply audit data analytics as a risk assessment pro-
2  Apply steps associated with accessing and preparing cedure and evaluate the results.
data for audit data analytics.
This discussion illustrates the application of cluster analysis (a pro-
When preparing data for ADA, the auditor should first determine cess of matching information in key data fields) and regression analy-
if the data is complete and agrees with the general ledger. The au- sis. This section discusses the benefits and risks of data visualization.
ditor also needs to determine if the data is in a consistent format and needs to be cleaned. Subsequently, the auditor should address the following questions in the audit documentation: (1) What is the nature of the data? (2) What is the source of the data? (3) What is the process used to produce the data? (4) What matters might the auditor consider in determining the nature, timing, and extent of procedures to perform regarding whether the data is sufficiently reliable? (5) What procedures regarding data reliability will the auditor consider performing?

Each method is discussed in a case context that walks through the five-step process for using ADA.

5  Explain how audit data analytics is used as a substantive test.

A number of substantive tests of details involve matching information in the accounting records with information on underlying documents. Today, much of the evidence that was previously in the form of paper documents has been transferred to electronic form. It is appropriate for the auditor to compare electronically what was previously compared manually. This discussion explains what the auditor should know about the risk of material misstatement, including the system of internal control when evaluating the relevance and reliability of data used for ADA. Further, if the auditor finds misstatements when performing the ADA, the auditor should evaluate (1) the materiality of the misstatements found and (2) whether the misstatements provide evidence of a weakness in internal controls. If the evidence about internal controls does not support a previous conclusion regarding internal controls, the auditor should reassess control risk at a higher level, and re-evaluate the implications of a high control risk assessment on detection risk and the auditor’s audit strategy.

6  Apply audit data analytics as a substantive test and evaluate the results.

This section illustrates the use of ADA as a substantive test. The five-step process is illustrated in the context of validating revenue by matching electronic information, rather than manually comparing information. The example in this section of the chapter uses ADA to match information about customer billings with information about cash receipts and payment of billings. While this is often done manually, it can also be done electronically. The example also walks through the evaluation of results when not every customer billing can be matched with subsequent cash receipts.
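The matching of billings to subsequent cash receipts summarized above can be sketched as follows. This is an added example, not code from the textbook: the records are constructed, the invoice number is assumed to be the key data field, and the function names are hypothetical.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the textbook). Amounts are Decimal so that
# "same amount" is an exact comparison rather than a floating-point one.
RECEIVABLES = [  # (invoice, customer, balance) open at year-end
    ("INV-1001", "C-01", Decimal("1200.00")),
    ("INV-1002", "C-02", Decimal("950.00")),
    ("INV-1003", "C-03", Decimal("1100.00")),
    ("INV-1004", "C-04", Decimal("875.00")),
    ("INV-1005", "C-05", Decimal("1300.00")),
]
RECEIPTS = [  # (invoice, date, amount) recorded after year-end
    ("INV-1001", "2023-01-04", Decimal("1200.00")),
    ("INV-1002", "2023-01-06", Decimal("500.00")),
    ("INV-1002", "2023-01-20", Decimal("450.00")),   # two payments, full total
    ("INV-1003", "2023-01-09", Decimal("700.00")),   # partial payment
    ("INV-1005", "2023-01-11", Decimal("1350.00")),  # overpayment
    ("INV-9999", "2023-01-12", Decimal("300.00")),   # cites no known receivable
]
CATEGORIES = ("equal", "greater", "less", "none")


def match_receivables(receivables, receipts):
    """Match each receivable to the total cash later received for its invoice."""
    invoices = [inv for inv, _customer, _balance in receivables]
    if len(set(invoices)) != len(invoices):
        # A duplicated key means the population itself is not reliable.
        raise ValueError("duplicate invoice numbers in receivables file")

    collected = defaultdict(Decimal)  # invoice -> total subsequent cash
    for inv, _date, amount in receipts:
        collected[inv] += amount

    results = []
    for inv, customer, balance in receivables:
        cash = collected.get(inv, Decimal("0"))
        if cash == 0:
            category = "none"
        elif cash == balance:
            category = "equal"
        elif cash > balance:
            category = "greater"
        else:
            category = "less"
        results.append({"invoice": inv, "customer": customer,
                        "balance": balance, "cash": cash, "category": category})

    # Receipts that cite an invoice absent from the receivables population.
    unmatched_receipts = sorted(set(collected) - set(invoices))
    return results, unmatched_receipts


def summarize(results):
    """Receivable dollars and share of the population in each category."""
    total = sum((r["balance"] for r in results), Decimal("0"))
    if total == 0:
        raise ValueError("empty receivables population")
    summary = {}
    for category in CATEGORIES:
        amount = sum((r["balance"] for r in results
                      if r["category"] == category), Decimal("0"))
        summary[category] = (amount, (amount / total * 100).quantize(Decimal("0.1")))
    return total, summary


def notable_items(results):
    """Receivables not supported by cash in the same amount need follow-up."""
    return [r["invoice"] for r in results if r["category"] != "equal"]


if __name__ == "__main__":
    matched, orphans = match_receivables(RECEIVABLES, RECEIPTS)
    total, summary = summarize(matched)
    for category, (amount, pct) in summary.items():
        print(f"{category:8} {amount:>10} {pct:>6}%")
    print("notable:", notable_items(matched), "unmatched receipts:", orphans)
```

Only the "equal" category is validated by the match itself; every other category, and any receipt that cites an unknown invoice, is a notable item to be investigated with further procedures.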

Key Terms Review


Audit data analytics (ADA)
Cluster analysis
False positives
Matching information in key data fields
Notable item
Regression analysis
Visualization

Audit Decision-Making Example

Background Information [7]

Edwin Iverson has been assigned to the audit of a private company that owns 10 apartment buildings. A member of the audit team built a nonstatistical model to predict the company’s revenues based on the following:

•  The number of units in each of the company’s 10 apartment buildings (internal data from a source outside the financial reporting system).
•  The size (square footage) and number of rooms of the units (internal data from a source outside the financial reporting system).
•  The expiration dates of leases, in particular, those expiring in the current year (internal data from a source outside the financial reporting system).
•  Average monthly rental rates in the marketplace in which the company operates (external data).
•  Average monthly vacancy rates in that marketplace (external data).

Analysis of the data showed the following results:

[Figure: Actual vs. Expected Monthly Rental Revenue. Expected revenue and actual revenue plotted by month, January through December; vertical axis from $200,000 to $1,400,000.]

[7] Background information taken from AICPA, Guide to Audit Data Analytics (AICPA: Durham, NC, 2017), Appendix D.

[Figure: Expected Annual Revenue vs. Actual Annual Revenue by Property. Expected and actual revenue shown for each property; vertical axis from $500,000 to $2,000,000.]

Identify Audit Issues

The above data shows that revenues might be overstated. Overstatements might be due to occurrence problems, cutoff problems, or accuracy problems. It is also possible that the prediction model could be incorrect. For example, the prediction model might overstate vacancy rates. In particular, the auditor might focus detail testing on the months of July, December, and February. The auditor might also focus attention on the following properties: 52nd Street, 49th Street, 7th Avenue, and Broad Street.

Gather Additional Information and Evidence

Edwin determined that he needed to look at lease contracts signed in the months of July, December, and February at the above-mentioned properties. The model predicted that units would stay vacant for 17 days before finding a new tenant. Upon investigation, the actual vacancy times were closer to 7 days at the properties investigated. Further, all four properties were in an area where a major urban renewal project had been completed by the city in the last year.

Analysis and Evaluation of Alternatives

As a result of the urban renewal project, lease contracts showed a higher monthly rental rate than predicted by the model based on vouching rental transactions to new contracts. The shorter vacancy periods were vouched to both signed leases and cash deposits from new tenants. The increased rental revenue was also supported by increased cash inflows.

Audit Conclusion

Based on detail testing, the increase in rental revenues was attributed to shorter vacancy periods than predicted by the model and larger rental increases than predicted by the model. Edwin also determined that increased revenues were supported by increased cash flows. Based on the ADA performed and the subsequent vouching of selected transactions, Edwin determined that revenues were presented fairly, in all material respects.

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1.  (LO 1)  What step follows planning the ADA?
a.  Evaluating results and concluding whether the purpose of the ADA has been achieved.
b.  Considering the relevance and reliability of data used.
c.  Accessing and preparing the data for ADA.
d.  Performing the ADA.

2.  (LO 1)  A key aspect of preparing the data for ADA is:
a.  determining the source of the data.
b.  determining if the data is complete.
c.  evaluating the reliability of internally generated evidence.
d.  determining the validity of data obtained from an external source.

3.  (LO 2)  Which of the following is an example of data that needs to be cleaned before it can be analyzed?
a.  The data has dates in two different formats (MM/DD/YY and DD/MM/YY).
b.  The data has information from customers in data files from two different divisions.
c.  The data comes from a system with poor internal controls.
d.  The data contains misstatements.

4.  (LO 2)  A key aspect of testing the completeness of a data set is:
a.  determining that every customer has a transaction.
b.  the data has information from customers in data files from two different divisions.
c.  checking the numerical continuity of the data.
d.  the data contains misstatements.

5.  (LO 3)  When performing ADA as a risk assessment procedure, a notable item:
a.  is indicative of a risk of material misstatement not previously identified by the auditor.
b.  is indicative of a higher risk of material misstatement than anticipated by the auditor.
c.  provides information useful in designing procedures to address the risk of material misstatement.
d.  All of these answer choices describe notable items.

6.  (LO 3)  A “false positive” is:
a.  another term for a notable item.
b.  indicative of a higher risk of material misstatement.
c.  incorrectly identified as a notable item and requires no further response to identify new or higher risks.
d.  a notable item that requires further investigation.

7.  (LO 4)  An auditor is performing a cluster analysis and sorts a client’s customers into groups based on the aging of accounts receivable. The auditor is most likely auditing which of the following assertions?
a.  Existence.
b.  Rights and obligations.
c.  Valuation and allocation.
d.  Completeness.

8.  (LO 4)  An auditor is using regression analysis to investigate battery expense for a computer manufacturer that purchases batteries. Which of the following would be a good choice of independent variable for the regression?
a.  Revenues.
b.  Number of employees.
c.  Square footage of manufacturing space.
d.  Number of computers sold.

9.  (LO 5)  When performing ADA as a substantive test, the auditor:
a.  uses ADA to match electronic information that otherwise would have been audited manually.
b.  uses ADA to identify high-risk transactions and balances and then audits those high-risk items with traditional audit tests.
c.  relies solely on the client’s system of internal controls.
d.  uses ADA to identify breakdowns in the client’s system of internal control.

10.  (LO 6)  An auditor is using ADA as a substantive test to validate accounts receivable because consumers are poor at responding to confirmations. In this case, the auditor validates the receivable by:
a.  vouching the receivable back to sales orders.
b.  tracing shipping documents to bills of lading.
c.  finding electronic evidence that the receivable is supported by subsequent cash receipt in the same amount.
d.  finding electronic evidence of strong internal controls.

Review Questions
R7.1  (LO 1)  Identify and briefly describe the five steps of performing ADA and place them in the proper order.

R7.2  (LO 1)  Describe three key issues to consider when planning ADA.

R7.3  (LO 2)  Is the quality of internal controls relevant when evaluating the reliability of data to be used in ADA? Explain why or why not, and provide an example.

R7.4  (LO 2)  How does each of the following influence the reliability of the data: (1) data obtained from external versus internal sources, (2) data obtained directly versus indirectly, (3) data from original documents versus electronic scans, and (4) data from written information sources versus records of verbal conversations?

R7.5  (LO 3, 4)  Explain how the risk analysis decision tree can be used in conjunction with the five-step process for ADA. Provide an example.

R7.6  (LO 3, 4)  Provide two examples of items that “Do Not Fit the Auditor’s Expectation” per the risk analysis decision tree. One example should be an acceptable variation and the other an unacceptable variation.

R7.7  (LO 4)  Explain how visualizations can be used as part of ADA and why they are important.

R7.8  (LO 4)  Describe two risks associated with using visualizations as part of ADA.

R7.9  (LO 4)  Identify two analytical techniques that could be used as part of risk assessment ADA and how they could be useful.

R7.10  (LO 5)  Explain why strong IT general controls and strong IT application controls are important when an auditor plans to use ADA as a substantive test of details.

R7.11  (LO 5, 6)  What should an auditor do if the conclusion from performing ADA as a substantive test does not agree with a previous conclusion regarding internal controls?

R7.12  (LO 6)  Explain how applying ADA as a substantive test differs from ADA as a risk assessment procedure.

Analysis Problems
AP7.1  (LO 1)  Basic   Planning an ADA application  You are auditing Quick Technologies, Inc.
(QTI). QTI is a manufacturer of various computer technologies and works hard on bringing new technol-
ogies to market. QTI has approximately 4,000 customers (some with multiple locations). On average, QTI
sells its inventory every 45 days, and it takes approximately 33 days to collect receivables. QTI has also
experienced a high degree of competitiveness and technological obsolescence. The company has found
that the average product life is between 9 and 15 months.

Required
a. Identify a potential application for ADA in the audit of QTI. Explain the account and the assertion(s)
tested by the application.
b.  What is the population being analyzed and tested using ADA?
c.  Is ADA being used as a risk assessment procedure or as a substantive test?
d.  Explain the ADA application that is planned and how it will contribute to the evaluation of the
assertion being audited.
e.  Explain the role of business acumen in the application of ADA.

AP7.2  (LO 2)  Basic   Planning an ADA application  Timothy Steele, a recent college gradu-
ate and new audit staff member, is having lunch with Michael Watts, an audit senior. Both are work-
ing on the audit engagement of a retailer that has operations in North America and Europe. Timothy
says to Michael, “I have been doing some reading about audit data analytics, and there is something
I don’t understand. While I understand the importance of internal controls to the reliability of the
client’s data, I also keep reading that the auditor needs to clean the data before it can be analyzed.
I don’t understand what people are talking about when they talk about ʻcleanʼ data. Is there a difference
between ʻcleanʼ and ʻdirtyʼ data? Can you explain this to me with a practical illustration? I just
don’t get what the discussion of ʻcleanʼ data is about.”

Required
Answer Timothy’s questions. As Timothy asks, explain the concept of “clean” versus “dirty” data with a
practical illustration.

AP7.3  (LO 2)  Moderate   Preparing data for ADA  Emma Reed, an audit partner at Gung & Ho,
CPAs, is auditing a company in the music industry that owns multiple record labels and sells music in
North America and Europe. Emma is currently performing ADA as a risk assessment procedure investi-
gating sales. Emma has asked you, a junior auditor at Gung & Ho, to assist her with the second step of the
five-step ADA process. The client maintains two separate sales transaction files—one for North America
(NAsales.csv) and one for Europe (EUsales.csv).

Required
Emma has specifically asked you to create one sales transaction file in a consistent format (data files are
available in WileyPLUS).

AP7.4  (LO 3)  Moderate   ADA as a risk analysis procedure  McCaffery, CPA, is the auditor of
the Raleigh Corporation. Raleigh is a construction company that builds single-family homes and low-
rise apartment buildings. Raleigh uses the percentage-of-completion method to recognize revenues on
projects. Percentage of completion is based on discussion with project managers and the percentage of
expenditures versus budget for each project. McCaffery has decided to use ADA as a risk analysis tool to
evaluate revenue recognized on various projects.

Required
a.  Identify the assertion being audited.
b.  How would an auditor set an expectation regarding percentage-of-completion for each project?
c.  What would be an acceptable deviation from the auditor’s expectation? Explain the role of business
acumen in evaluating an acceptable deviation from the auditor’s expectation.
d.  What would be an unacceptable deviation from the auditor’s expectation? Explain the role of busi-
ness acumen in evaluating an unacceptable deviation from the auditor’s expectation.

AP7.5  (LO 4)  Basic   Visualizing the results of ADA using Tableau  Illustration 7.6 presented
the analysis of using clustering as an ADA technique to identify inventory that was at a high risk of not
being properly valued at the inventory’s net realizable value. The information contained in this illustration
is presented in an Excel file (Illustration 7.6.xls), available in WileyPLUS.

Required
Using Tableau, develop visualizations to present to the client illustrating the potential problems and risks
associated with slow-moving inventory.

AP7.6  (LO 4)  Challenging   Performing ADA involving matching  A team from More & Less
CPAs is auditing SportsLovers, a U.S. sporting goods manufacturer and distributor. The audit team
recently had a meeting to discuss how to perform the current ADA, which is designed to investigate the
risk of employees stealing by shipping products to their home address. The team has already completed
the first three steps of the five-step ADA process. The discussion point in the meeting was how to com-
pare the addresses in the Employee Master File with the addresses in the Shipment List File. The relevant
fields in each database are shown below.

| Database | Field Code | Field Description | Data Type |
|---|---|---|---|
| Employee Master File | E_ID | A unique identification number for each employee | 6-digit number |
| | E_ADD | Employee’s home address excluding city, state, zip code | Text |
| | E_CITY | City associated with E_ADD | Text |
| | E_STATE | State associated with E_ADD | Text |
| | E_ZIP | Zip code associated with E_ADD | 5-digit number |
| | E_COUN | Country associated with E_ADD (currently US for all employees but stored in case of future expansion) | Text |
| Shipment List File | SHIP_NO | A unique identification number for each package shipped | 8-digit number |
| | INV_NO | The invoice number the shipped package belongs to | 8-digit number |
| | SHIP_ADD | Shipping address excluding city, state, zip code | Text |
| | SHIP_CS | City and state (separated by a comma) associated with SHIP_ADD | Text |
| | SHIP_ZIP | Zip code associated with SHIP_ADD | 5-digit number |
| | SHIP_COUNTRY | Country associated with SHIP_ADD (currently US for all employees but stored in case of future expansion) | Text |

During the meeting, the following ideas were proposed for a criterion to identify notable items:

1.  E_ADD is the same as SHIP_ADD.


2.  E_ZIP is the same as SHIP_ZIP.
3.  The result of joining E_ADD, E_CITY, E_STATE, and E_ZIP is the same as joining SHIP_ADD,
SHIP_CS, and SHIP_ZIP.
4.  E_NUMS is the same as SHIP_NUMS. E_NUMS is created by joining E_ADD and E_ZIP together
and then removing all letters so only the numbers remain. In a similar way, SHIP_NUMS is created
by joining SHIP_ADD and SHIP_ZIP and retaining only the numbers.

Required
a.  Critically analyze the advantages and disadvantages of each of the four suggestions.
b.  Recommend a criterion to identify notable items and justify your choice.
c.  Evaluate the risk of missing truly notable items given your recommendation in (b).
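The four proposed criteria can be compared by running them over the same records and looking at which employee and shipment pairs each one flags. This is an added example, not part of the textbook: the records are constructed, criterion 3 is assumed to join fields with a single space, and `crit3_cleaned` is a hypothetical variant that uppercases and strips punctuation before comparing.

```python
import re

# Constructed records (not from the textbook); field codes follow the table
# above. Zip codes are kept as text so that leading zeros would survive.
EMPLOYEES = [
    {"E_ID": "100001", "E_ADD": "12 Oak Street", "E_CITY": "Dayton",
     "E_STATE": "OH", "E_ZIP": "45402"},
    {"E_ID": "100002", "E_ADD": "480 Pine Ave Apt 3", "E_CITY": "Akron",
     "E_STATE": "OH", "E_ZIP": "44308"},
]
SHIPMENTS = [
    # Same place as employee 100001, keyed with different case and abbreviation.
    {"SHIP_NO": "70000001", "SHIP_ADD": "12 OAK ST.",
     "SHIP_CS": "Dayton, OH", "SHIP_ZIP": "45402"},
    # A customer who shares a zip code with employee 100001.
    {"SHIP_NO": "70000002", "SHIP_ADD": "900 Main Street",
     "SHIP_CS": "Dayton, OH", "SHIP_ZIP": "45402"},
    # Character-for-character the address of employee 100002.
    {"SHIP_NO": "70000003", "SHIP_ADD": "480 Pine Ave Apt 3",
     "SHIP_CS": "Akron, OH", "SHIP_ZIP": "44308"},
    # A different street with the same house number and zip as employee 100001.
    {"SHIP_NO": "70000004", "SHIP_ADD": "12 Elm Road",
     "SHIP_CS": "Dayton, OH", "SHIP_ZIP": "45402"},
    # Same street text as employee 100001, but in another city.
    {"SHIP_NO": "70000005", "SHIP_ADD": "12 Oak Street",
     "SHIP_CS": "Tulsa, OK", "SHIP_ZIP": "74103"},
]


def crit1(e, s):
    """Criterion 1: E_ADD is the same as SHIP_ADD."""
    return e["E_ADD"] == s["SHIP_ADD"]


def crit2(e, s):
    """Criterion 2: E_ZIP is the same as SHIP_ZIP."""
    return e["E_ZIP"] == s["SHIP_ZIP"]


def joined_employee(e):
    # Assumption: "joining" means concatenating the fields with one space.
    return " ".join([e["E_ADD"], e["E_CITY"], e["E_STATE"], e["E_ZIP"]])


def joined_shipment(s):
    # SHIP_CS already holds "City, State", so it carries a comma that the
    # separate E_CITY and E_STATE fields do not.
    return " ".join([s["SHIP_ADD"], s["SHIP_CS"], s["SHIP_ZIP"]])


def crit3(e, s):
    """Criterion 3: the joined full addresses are the same."""
    return joined_employee(e) == joined_shipment(s)


def clean(text):
    """Hypothetical cleaning: uppercase, drop punctuation, collapse spaces."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split())


def crit3_cleaned(e, s):
    """Criterion 3 applied after the cleaning step above."""
    return clean(joined_employee(e)) == clean(joined_shipment(s))


def digits(text):
    return re.sub(r"\D", "", text)


def crit4(e, s):
    """Criterion 4: E_NUMS is the same as SHIP_NUMS (digits only)."""
    return digits(e["E_ADD"] + e["E_ZIP"]) == digits(s["SHIP_ADD"] + s["SHIP_ZIP"])


def notable(criterion):
    """(E_ID, SHIP_NO) pairs the criterion would report as notable items."""
    return [(e["E_ID"], s["SHIP_NO"])
            for e in EMPLOYEES for s in SHIPMENTS if criterion(e, s)]


def compare_criteria():
    tests = {"1": crit1, "2": crit2, "3": crit3,
             "3 cleaned": crit3_cleaned, "4": crit4}
    return {name: notable(fn) for name, fn in tests.items()}


if __name__ == "__main__":
    for name, pairs in compare_criteria().items():
        print(f"criterion {name}: {pairs}")
```

On these records, the only criterion that flags shipment 70000001 without also flagging every other shipment in the same zip code is the digits-only key, and that same key also flags the unrelated 12 Elm Road shipment, so the comparison shows both missed items and false positives for each criterion.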

AP7.7  (LO 4)  Challenging   Role of assertions and risk analysis decision tree in ADA  The
audit firm you work for is auditing the 2022 financial statements for a national clothing retailer. As part
of the audit, ADA is being used to assess risk associated with accrued wages. Regression-based ADA was
developed, and the first four steps of the five-step ADA process have already been completed. The regres-
sion was developed using monthly data from 2019, 2020, and 2021. The regression model was validated
from a statistics and a business logic point of view.
The results from the regression analysis are summarized in the following visualization, where the blue
dots outside the confidence interval represent November and December 2022. The independent variable is
monthly number of employees. The dependent variable is payroll payable at the end of the month.
[Figure: Monthly payroll payable ($000), vertical axis from $15,000 to $45,000, plotted against monthly number of employees, horizontal axis from 4,500 to 7,000. Legend: Historical, Linear regression line, Current year, 95% prediction interval.]

Required
a.  Evaluate the results of the ADA. In your answer, be sure to state what assertions might be misstated.
b.  What tests would you perform next to determine whether any notable items identified have a valid
business reason supporting them?

AP7.8  (LO 5)  Basic   ADA as a risk assessment procedure versus a substantive test   Timothy
Steele, a recent college graduate and new audit staff member, is having lunch with Michael Watts, an au-
dit senior. Both are working on the audit engagement of a retailer that has operations in North America
and Europe. Timothy has another question for Michael: “In my reading I have seen a number of exam-
ples of audit data analytics. However, I am having a difficult time distinguishing between ADA as a risk
assessment procedure and ADA as a substantive test. Can you explain the difference to me and illustrate
with a practical example?”

Required
Answer Timothy’s questions. Explain the difference between ADA as a risk assessment procedure and
ADA as a substantive test. Illustrate your explanation with practical illustrations.

AP7.9  (LO 6)  Challenging   ADA as a substantive test  Assume that you are auditing a real estate
company that owns and rents several apartment buildings. In total, the company owns 22 buildings and
has over 1,000 apartments that it rents out on annual leases. You are auditing accounts receivable. From
past experience, it has been difficult to get renters to confirm receivables at the end of the year. As an
alternative, you choose to use ADA to investigate the relationship between accounts receivable and sub-
sequent cash receipts. Using ADA, you get the following results.

| | Amount | Percent |
|---|---|---|
| Accounts receivable at year-end subject to ADA | $2,634,008 | 100.0% |
| Cash collection equals accounts receivable | 2,122,858 | 80.6% |
| Cash collection greater than accounts receivable | — | 0.0% |
| Cash collection less than accounts receivable | 418,025 | 15.9% |
| No cash collected on December 31, 2022, accounts receivable | 93,125 | 3.5% |
| Total | $2,634,008 | 100.0% |

Required
a.  What assertion(s) is the auditor investigating?
b.  How do you interpret the results presented above?
c.  What tests would you perform next to determine whether any notable items identified have a valid
business reason supporting them?

AP7.10  (LO 4, 6)  Moderate   Research   False positive analysis  Read the following article,
available online: G. Baader and H. Krcmar, “Reducing False Positives in Fraud Detection: Combining
the Red Flag Approach with Process Mining,” International Journal of Accounting Information Systems
(December 2018).

Required
Prepare a two-page summary of the article outlining the definition of a false positive, the solution
proposed, and the performance of that solution on the tested data set.

Audit Decision Case


G&J Airlines
Questions C7.1 and C7.2 are based on an audit of G&J Airlines, a regional airline described in this chapter
in the section “Regression Analysis.” Data files needed to complete this case are available in WileyPLUS.

C7.1  (LO 1, 2, 3, 4)  Challenging   Using regression analysis to search for notable items in
revenue  Perform the following as part of the 2022 audit of G&J Airlines. The dependent variable is
revenue. The independent variable is passenger miles.
a.  Plan an ADA as a risk assessment procedure that uses regression to investigate revenue.
b.  Prepare the data for your ADA.
c.  Document the relevance and reliability testing that would need to be performed for this ADA to be
effective and efficient. Assume all tests are satisfied.
d.  Perform your planned regression analysis using the six steps outlined in the chapter section
“Regression Analysis.”
e.  Create a visualization to describe the results of the ADA and evaluate the results of the ADA.
f.  Recommend procedures that should be taken because of your findings in (e).

C7.2  (LO 1, 2, 3, 4)  Challenging   Using regression analysis to search for notable items in an
expense  Perform the following as part of the 2022 audit of G&J Airlines. The dependent variable is sal-
aries and wages expenses. You should determine which independent variable(s), if any, are appropriate
from the data set provided.
a.  Plan an ADA as a risk assessment procedure that uses regression to investigate salaries and wages
payable.
b.  Prepare the data for your ADA.
c.  Document the relevance and reliability testing that would need to be performed for this ADA to be
effective and efficient. Assume all tests are satisfied.
d.  Perform your planned regression analysis using the six steps outlined in “Regression Analysis.”
Looking for Notable Items.
e.  Create a visualization to describe the results of the ADA and evaluate the results of the ADA.
f.  Recommend procedures that should be taken because of your findings in (e).

Cloud 9 - Continuing Case


You have been asked to assist in the planning and development of audit data analytics as a substantive test for Cloud 9. Cloud 9 uses an evaluated receipt settlement system (see Chapter 12) that involves electronic invoice presentment and payment (EIPP) for 90% of its purchase transactions. The following information is captured electronically within this system.

| Database | Field Code | Field Description | Data Type | Data Input By |
|---|---|---|---|---|
| Vendor Master File | Vendor_ID | A unique identification number for each vendor | 6-digit number | Cloud 9 |
| | Vendor_ADD | Vendor’s mailing address excluding city, state, post (zip) code | Text | Cloud 9 |
| | Vendor_CITY | City associated with Vendor_ADD | Text | Cloud 9 |
| | Vendor_STATE | State associated with Vendor_ADD | Text | Cloud 9 |
| | Vendor_PC | Vendor post (zip) code | Text | Cloud 9 |
| | Vendor_COUN | Country associated with Vendor_ADD | Text | Cloud 9 |
| | Vendor_Bank Account Number | Routing number and account number for vendor | Numeric data | Cloud 9 |
| | Vendor Credit Limit | Amount of credit extended by the vendor | 9-digit number | Cloud 9 |
| EIPP Database | Vendor_ID | A unique identification number for each vendor | 6-digit number | Cloud 9 |
| | EIPP_NO | A unique transaction number that follows each transaction from order (serves as purchase order number), through shipment (serves as a shipment number), receiving (serves as receiving number), invoicing (serves as an ASN number), recording of the liability (serves as voucher number) and payment (number identified on payment). | 14-digit number | Cloud 9 and Vendor |
| | PO_DATE | Order date | MM/DD/YYYY | Cloud 9 |
| | PO_SHIP_ADD | Shipping address for PO excluding city, state, post (zip) code | Text | Cloud 9 |
| | PO_CS | PO_SHIP_ADD | Text | Cloud 9 |
| | PO_PC | Post (zip) code for PO_SHIP_ADD | Text or number | Cloud 9 |
| | PO_COUNTRY | Country associated with PO_SHIP_ADD | Text | Cloud 9 |
| | PO_PROD_CODE | Product number | 14-digit number | Cloud 9 |
| | PO_PROD_QUANT | Inventory quantity ordered by Cloud 9 | 7-digit number | Cloud 9 |
| | PO_PROD_PRICE | Price per unit for each item ordered by Cloud 9 | $X,XXX.XX | Cloud 9 |
| | PO_ACCT | Account charged based on ordering department | 5-digit number | Cloud 9 |
| | TOTAL_ORD_PRICE | Total price for the individual purchase order | $XXX,XXX.XX | Cloud 9 |
| | ASN_DATE | ASN date | MM/DD/YYYY | Vendor |
| | PROD_NO | Unique inventory number | 14-digit number | Vendor |
| | PROD_QUANT | Inventory quantity ordered by Cloud 9 | 7-digit number | Vendor |
| | PROD_PRICE | Price for each item ordered by Cloud 9 | $X,XXX.XX | Vendor |
| | ASN_TOTAL | Sum total of the vendor’s advance shipping notice | $XXX,XXX.XX | Vendor |
| | ASN_TERMS | % discount allowed if paid within XX days from receiving date | PP.P%/XX | Vendor |
| | BILL_ADD | Billing address excluding city, state, post (zip) code | Text | Vendor |
| | BILL_CS | City and state (separated by a comma) associated with BILL_ADD | Text | Vendor |
| | BILL_PC | Post (zip) code associated with BILL_ADD | Text | Vendor |
| | BILL_COUNTRY | Country associated with BILL_ADD | Text | Vendor |
| | BL_DATE | Bill of lading date | MM/DD/YYYY | Vendor |
| | SHIP_ADD | Shipping address excluding city, state, post (zip) code | Text | Vendor |
| | SHIP_CS | City and state (separated by a comma) associated with SHIP_ADD | Text | Vendor |
| | SHIP_PC | Post (zip) code associated with SHIP_ADD | 5-digit number | Vendor |
| | SHIP_COUNTRY | Country associated with SHIP_ADD | Text | Vendor |
| | SHIP_PROD_NO | Unique inventory number | 14-digit number | Vendor |
| | SHIP_QUANT | Inventory quantity shipped by vendor | 7-digit number | Vendor |
| | REC_DATE | Date of receipt of goods | MM/DD/YYYY | Cloud 9 |
| | REC_ADD | Shipping address excluding city, state, post (zip) code | Text | Cloud 9 |
| | REC_CS | City and state (separated by a comma) associated with SHIP_ADD | Text | Cloud 9 |
| | REC_PC | Post (zip) code associated with SHIP_ADD | 5-digit number | Cloud 9 |
| | REC_COUNTRY | Country associated with SHIP_ADD | Text | Cloud 9 |
| | REC_PROD_NO | Unique inventory number of item received | 14-digit number | Cloud 9 |
| | REC_PROD_QUANT | Quantity of inventory item received | 7-digit number | Cloud 9 |
| | VOUCHER_DATE | Date of recording the liability | MM/DD/YYYY | Cloud 9 |
| | VCH_PROD_NO | Unique inventory number on voucher | 14-digit number | Cloud 9 |
| | VCH_PROD_QUANT | Inventory quantity on voucher | 7-digit number | Cloud 9 |
| | VCH_PROD_PRICE | Price for each item on voucher | $X,XXX.XX | Cloud 9 |
| | VCH_TOTAL | Sum total of the liability on voucher | $XXX,XXX.XX | Cloud 9 |
| | VCH_ACCT | Account charged with liability for purchase | 5-digit number | Cloud 9 |
| | PAY_DATE | Date of payment | MM/DD/YYYY | Cloud 9 |
| | TOTAL_PYMT_AMT | Total amount of payment of invoice | $XXX,XXX.XX | Cloud 9 |

Required
Plan a substantive test of purchase transactions using ADA as a substantive test. When planning the substantive test, identify the following:
a.  What is (are) the assertion(s) being tested?
b.  What information are you comparing electronically for each assertion?
c.  What electronic evidence would represent a misstatement for each assertion?
Chapter 8
Risk Response
Performing Tests of Controls

The Audit Process

•  Overview of Audit and Assurance (Chapter 1)
•  Professionalism and Professional Responsibilities (Chapter 2)
•  Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
•  Gaining an Understanding of the System of Internal Control (Chapter 6)
•  Develop Responses to Risk and an Audit Strategy
•  Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7)
•  Performing Tests of Controls (Chapter 8); Performing Substantive Procedures (Chapter 9)
•  Audit Sampling for Substantive Tests (Chapter 10)
•  Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
•  Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives

LO 1  Describe the steps in assessing control risk.
LO 2  Explain the different types of controls that an auditor might encounter.
LO 3  Explain the types of evidence that can be used to support a test of controls.
LO 4  Determine how to select and design tests of controls.
LO 5  Evaluate the results of tests of controls.
LO 6  Document the results of tests of controls.

Auditing and Assurance Standards

PCAOB

AS 1215  Audit Documentation
AS 2110  Identifying and Assessing Risks of Material Misstatement
AS 2201  An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

Auditing Standards Board

AU-C 230  Audit Documentation
AU-C 265  Communicating Internal Control Related Matters Identified in an Audit
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Cloud 9 - Continuing Case


Based on the procedures used to obtain an understanding of internal controls, Sharon Gallagher, the audit manager, believes Cloud 9 has effective internal controls at the entity level. Sharon has instructed the audit team to turn its attention to controls at the transaction level.

Josh, Ian, and Suzie completed documenting the various accounting processes at Cloud 9. Now, for each transaction process, they try to determine the likely sources of potential misstatements by asking “what could go wrong” within a given significant account. Josh has asked Ian to identify the controls that Cloud 9 uses in the payroll cycle to either prevent or detect the types of misstatements they have identified so far. Ian would like to clarify the difference between preventive and detective controls. Josh tells Ian that he is available to consult with him as he identifies key controls and plans tests of controls for Cloud 9’s payroll cycle. He wants him to focus the testing on the key controls. Ian is confused. He thought a reliance on controls approach to an audit required the auditors to test all the controls.

How can they justify testing only some controls? Which are the key controls?

Chapter Preview: Audit Process in Focus


As we discussed in Chapter 3, assessing audit risk involves assessing the inherent and con-
trol risks and then setting detection risk for each significant account and assertion. The
assessment of control risk is accomplished by understanding and evaluating the client’s
system of internal controls (see Chapters 3 and 6) and by performing tests of controls.
When control risk is assessed as low, the auditor has determined controls are in place. The
auditor must then test the controls to provide evidence that the controls put in place by
the organization are designed and operating effectively to prevent material misstatements
from occurring, or to detect their occurrence and to then correct the misstatement in a
timely manner.
In this chapter, we begin with an overview of the steps involved in assessing control risk.
We then discuss the different types of controls that an auditor might find when gaining an
understanding of and evaluating the client’s system of internal controls. When the auditor
decides to include control testing in the audit strategy, he or she must select those controls
that will provide the most efficient and effective audit (that is, provide the assurance required
that the controls are working). Also, auditors test only those controls they believe are critical
to their opinions on both the financial statements and on internal control over financial reporting
(ICFR) for public company audits. Auditors select those controls that are extensive
and sensitive enough to provide reasonable assurance that the controls operated effectively
throughout the period covered by the audit report. Deciding which controls to test will be influenced
by whether the control covers the “what can go wrongs” associated with the relevant
account assertions, and the level of assurance the auditor wants to gain that the control has
been designed and implemented effectively.
The auditor must then make decisions about how to test the control. The auditor’s tests
of controls depend on the nature of the control and the evidence that may be available to conclude
on the operating effectiveness of the control. Many procedures are available to test the
controls identified when planning the audit. In this chapter, we include examples of audit decisions
about (1) what controls should be selected for testing, (2) the extent of tests of controls
(depending on the type of control being tested), and (3) the timing of tests of controls. The
chapter will also address how the extent of control testing will influence the auditor’s decision
about control risk. Finally, the chapter will discuss the auditor’s response to any exceptions
or errors found in their testing of controls, as well as how to document the results of tests of
controls.

Steps in Assessing Control Risk


Learning Objective 1
Describe the steps in assessing control risk.

The steps associated with assessing control risk are depicted in Illustration 8.1. Each of these
steps is discussed briefly below.

Understand Entity-Level Controls


Assessing control risk begins with understanding entity-level controls (see Entity-Level Internal
Controls in Chapter 6). Entity-level controls involve all five components of internal controls:
the client’s control environment, risk assessment process, control activities, information
and communication system, and monitoring of controls. Strong entity-level controls make it
more likely that transaction-level controls will operate effectively. Strong entity-level controls
are a necessary element of a strong system of internal control. Even if entity-level controls are
strong, the auditor must still identify key controls at the transaction level. However, if entity-level
controls are weak, and if the tone at the top is poor, it is unlikely that the auditor will find
effective internal controls at the transaction level.

Understand the Flow of Transactions


The flow of a transaction and the documents involved will differ from one transaction class to
another. For example, the flow of documents that provides evidence of a transaction will differ
among sales transactions, purchases transactions, and payroll transactions. Nevertheless,
there are common steps in any transaction stream. These common steps are:

•  Authorization. Normally a transaction is authorized at the start of a transaction stream.
•  Executing the transaction. This involves filling the order so that title of a good passes. In a sales process, normally title passes when goods are shipped or received. In a service process, the transaction is executed when a service is completed. In a payroll process, the transaction takes place when individuals work.
•  Recording the transaction. On an accrual basis, transactions are recorded after title passes (for goods) or services are completed. In the sales process, the transaction is recorded with a sales invoice. In the purchases process, the transaction is normally recorded with an internally prepared voucher.
•  Consideration. A transaction is completed when consideration (usually cash or electronic transfer of funds) is received or paid. A sales transaction is completed when cash is received from a customer. A purchase transaction is normally completed when a vendor is paid.

It is important for the auditor to understand the flow of transactions and the documentary
audit trail for each business process.

Illustration 8.1  Steps in assessing control risk

1. Understand entity-level controls
2. Understand the flow of transactions
3. Identify what can go wrong (WCGW) for financial statement assertions
4. Identify relevant controls to test
5. Determine preliminary audit strategy
6. Perform tests of controls
7. Evaluate the evidence, assess control risk, and reevaluate audit strategy (if necessary)
8. Report internal control weaknesses to those charged with governance

Identify What Can Go Wrong (WCGW)


Once auditors understand the flow of transactions, they will use their knowledge of assertions
to understand what can go wrong (WCGW). For example, regarding the occurrence of
revenues, the auditor is concerned about potential revenue recognition problems that lead to
premature revenue recognition. Auditors use the financial statement assertions to guide them
in considering WCGW with each assertion relevant to the various transaction classes, account
balances, or disclosures being audited.

what can go wrong (WCGW)  describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant financial statement assertion

Identify Relevant Controls to Test


Once the auditor identifies WCGW, the auditor will look for relevant internal controls that will
either prevent misstatements from happening or detect and correct misstatements on a timely
basis. Many public companies have built in redundant control systems such that if one control
fails, another control might succeed in ensuring accurate financial reporting. In many cases, an
audit client might have multiple controls related to an assertion. This presents a challenge for
the auditor. It is inefficient to test every control. The auditor only desires to test controls, often
referred to as “key” controls, that are important to the auditor’s conclusion about whether the
entity’s controls sufficiently address the assessed risk of misstatement for each relevant assertion.
Identifying controls to be tested is a subjective task that requires professional judgment.

Determine Preliminary Audit Strategy


If the auditor identifies internal control strengths relative to an assertion, the auditor will consider
the efficiency of testing the controls, and possibly following a reliance on controls strategy. If
the audit firm is performing an integrated audit for a public company, there is an expectation that
the auditor will test controls in order to support an opinion on ICFR. If the audit firm is auditing
a private company, a not-for-profit organization, or a government, the auditor will decide whether
audit efficiencies are obtained by testing internal controls that appear to be strong. In some cases,
it may be efficient for the auditor to follow a primarily substantive approach even when internal
controls appear to be strong, particularly when auditing smaller audit populations. For example,
in the notes payable account, if the only activity in the account is the monthly payment on the
principal, it may be more efficient for the auditor to follow a substantive approach because there
are so few transactions. The auditor will also follow a primarily substantive audit strategy for
assertions that do not appear to have strong internal controls.

Perform Tests of Controls


Once the auditor has decided to follow a reliance on controls strategy for an assertion and
identified the key controls to test, the auditor performs tests of controls. The auditor will
design different tests for automated controls versus manual controls. The section “Selecting
and Designing Tests of Controls” in this chapter provides numerous examples associated with
the selection and design of tests of controls, and how the auditor makes decisions about the
nature, timing, and extent of tests of controls.

Evaluate Evidence and Assess Control Risk


The section “Results of the Auditor’s Testing” discusses how to evaluate the results of tests
of controls. In some cases, the results of tests of controls may indicate that the control is not
functioning as designed. In these situations, the auditor should determine whether other controls
covering the relevant financial statement assertion exist. The auditor should test these
compensating controls to determine if they are operating effectively to mitigate the internal
control weakness. If tests of controls indicate that a key control is not functioning as designed,
and if other compensating controls do not exist, the auditor should:
•  Increase the assessed level of control risk.
•  Decrease the level of calculated detection risk.
•  Make appropriate changes to the nature, timing, and extent of substantive tests related
to the assertion.
The auditor must also carefully document the evidence obtained when performing tests of
controls and the conclusions reached based on that evidence.

Reporting Findings
Recall from Chapter 6 that if an auditor finds a breakdown in the system of internal control,
the auditor must classify any breakdown as a deficiency in internal controls, a significant
deficiency, or a material weakness. If the auditor is auditing a public company in the United
States and must report on ICFR, the identification of one or more material weaknesses will
result in an adverse opinion on ICFR. If, however, internal control breakdowns are not as severe
as a material weakness, and are classified as either a control deficiency or a significant
deficiency, the auditor can issue an unqualified opinion on ICFR.
Both PCAOB AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated
with an Audit of Financial Statements and AU-C 265 Communicating Internal Control
Related Matters Identified in an Audit require the auditor to provide those charged with governance
with timely observations regarding both material weaknesses and significant deficiencies
in internal control. This is normally accomplished when the auditor issues a management letter
to those charged with governance of the entity with the auditor’s observations and potential
ways to correct the deficiencies.

 
Professional Environment

A Brief History of PCAOB Standards and Inspection Activities Related to Internal Control over Financial Reporting¹

On March 26, 2014, Jeanette Franzel, a member of the Public Company Accounting Oversight Board, delivered a speech to the Institute of Internal Auditors in which she recounted a brief chronology of the PCAOB standards and inspection activities. Students should note that, while the PCAOB was created by the Sarbanes-Oxley Act of 2002, it took several years to appoint the board and board staff, and go through a due process in creating the first standards for audits of ICFR. Following is Jeanette’s brief chronology.

2004: The Board adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2), to govern the newly required audit of internal controls.

2006: On May 1, the Board issued a statement announcing it would focus on how efficiently the firms performed audits according to AS 2. At that time, PCAOB inspections were focused on efficiency including (1) the degree of integration between the audit of ICFR and the financial statements; (2) the auditor’s use of a top-down approach; (3) the proper assessment of and response to identified risks; and (4) using the work of others. Through inspections and other monitoring, the PCAOB determined that, although the audit of internal control over financial reporting produced benefits, those benefits came at a significant cost.

2007: On June 12, the Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS 5), to improve implementation of ICFR audits. AS 5 became effective for audits for fiscal years ended on or after Nov. 15, 2007, and emphasizes a top-down, risk-based audit approach that focuses on the most important audit matters. It also eliminated unnecessary audit procedures and was designed to be scalable to the size and complexity of the business.

2008: The PCAOB’s 2008 inspections of ICFR audits focused on whether auditors were effectively transitioning to AS 5. During inspections fieldwork, inspections teams communicated specific observations to the audit teams and discussed overall observations for each firm with the firm’s leadership. Inspection findings related to ICFR were not reported in individual firm inspection reports, but were summarized in a general report issued by the Board.

2009–2010: The Board continued to monitor the execution of AS 5 and its inspections focused on whether firms had obtained sufficient audit evidence to support audit opinions on the effectiveness of ICFR. Beginning primarily in the 2010 inspections cycle, when inspections staff found deficiencies in the auditor’s testing of the design and/or the operating effectiveness of internal controls, those deficiencies were communicated to the audit firms primarily through comment forms and then reported, as appropriate, in the firms’ inspection reports.

2013: The PCAOB issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting, in light of significant ICFR audit practice issues observed by PCAOB inspection staff from 2010–2012. (The results of this Staff Audit Practice Alert are discussed later in this chapter.)

Authors’ note: Guidance provided by PCAOB Auditing Standard No. 2 and No. 5 is now covered in PCAOB AS 2201.

Before You Go On
1.1  Explain each of the seven steps associated with assessing control risk.
1.2 Explain each of the four steps commonly involved with a transaction, from start to finish.
Provide an example in the context of selling goods to a customer.
1.3  How do auditors identify WCGW in the flow of transactions?
1.4 An auditor might commonly identify multiple controls related to an assertion. What factors
should an auditor consider when determining which control(s) should be tested during the audit?
1.5 What steps should an auditor take if the auditor determines that a key control is not
operating effectively?

¹ J. M. Franzel, “Effective Audits of Internal Control in the Current ‘Perfect Storm’,” Speech delivered to the
Institute of Internal Auditors (March 26, 2014).

Types of Controls
Learning Objective 2
Explain the different types of controls that an auditor might encounter.

There are a number of ways to categorize the specific controls that a client may use. As
described previously, there are two levels of internal control: entity-level controls and
transaction-level controls. This chapter focuses on transaction-level controls. Transaction-level
controls relate to two of the five components of entity-level internal controls as set out in
the COSO Framework: information and communication and control activities. Transaction-level
controls are implemented by businesses to reduce the risk of misstatement due to error
or fraud, and to ensure that business processes are operating effectively.
Controls have two main objectives: (1) to prevent or detect misstatements in the financial
statements, (2) control operations objectives, and (3) control compliance objectives. The
method by which controls are applied to achieve these objectives can be broadly classified
as either manual or automated controls. Automated controls are commonly referred to as IT
controls and include IT general controls (ITGC), IT application controls, and IT-dependent
manual controls, as discussed in Chapter 6. Now let’s look more closely at how both manual
and automated controls are used to prevent or detect misstatements.

Preventive and Detective Controls


Preventive Controls
Preventive controls are those applied to each transaction during normal processing that are
intended to stop fraud or errors from occurring. Preventing errors during processing is an important
objective of every accounting system. Illustration 8.2 shows examples of preventive
controls and some of the WCGWs each control is designed to prevent.

preventive controls  controls applied to each transaction that stop fraud or errors from occurring

Illustration 8.2  Examples of preventive controls

Assertion | WCGW | Preventive Control
Valuation and allocation | Sales occur that may not be collectible. | The software application will not allow a sale to be processed if a customer has exceeded its credit limit.
Occurrence | Fictitious employees are paid. | Employees are not eligible to be paid without an IT application control matching a valid employee ID number to the employee master file and hours worked to an authorized time sheet.
Accuracy | Sales are recorded at an incorrect amount. | Sales invoices are automatically priced using the information in the price master file.
Classification | Transactions are classified and posted to incorrect accounts. | The account coding on each purchase order is checked by the software application to a table of valid account numbers, and then various logic tests are performed by the application.

When designing controls, consideration is given to WCGW with the transaction (the risk
of material misstatement) at the assertion level. Preventive controls do not always have physical
evidence indicating whether the control was performed, who performed it, or how well
it was performed. Many preventive controls result in error messages that require employees
to enter valid information before the transaction is processed; however, these controls do
not leave a documentary audit trail. In other cases, there may be evidence that the control
was performed, but evidence as to the effectiveness of the control may not be available. For
example, the signature of a staff member on a receiving report indicates the signer agreed
the goods were physically received into the warehouse, but it does not guarantee that the
person carefully reviewed the report, or the person agreed the quantities of each item on the
receiving report. The documentation may have been signed based on only a quick glance or
without any review at all. Thus, goods may be recorded that do not exist, excess goods may
have been received but not recorded, or the goods received may not match the goods ordered
and recorded. Having a staff member’s signature, without the ability to reperform the control,
does not provide the quality of evidence for the auditor to conclude that the control operated
effectively throughout the reporting period.
An absence of effective preventive controls increases the risk that errors or fraud may
occur and therefore increases the need for controls that are sensitive enough to detect these
errors should they occur.

Detective Controls
Most companies design detective controls to ensure that if preventive controls are not effective,
errors or fraud are detected and corrected on a timely basis. Detective controls are those applied
after transactions have been processed to identify whether fraud or errors have occurred,
and to rectify the fraud or errors on a timely basis. Companies put detective controls in place to
assist management in ensuring WCGWs do not occur in financial reporting and that the business
is functioning as planned through the design and implementation of its business processes.

detective controls  controls applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis

Often detective controls are applied using IT application controls. For example, to generate
sales invoices, a software application may electronically match every sales order with
an underlying shipping document to ensure a sales transaction that is about to be recorded
actually occurred. If the software application is not able to match the sales order with the
underlying shipping document, the transaction is not processed and it is reported on an
exception report for manual follow-up. It is important to note that the effectiveness of the
control depends both on the effectiveness of design of the software and the effectiveness of
the manual follow-up.
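
The control described above has an automated half (the match) and a manual half (follow-up of the exception report). The Python example below is added here for illustration and is not from the textbook or any client system; the class and function names, the quantity comparison, the five-day follow-up window, and the sample orders are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_FOLLOW_UP_DAYS = 5  # assumed client policy; the page sets no number


@dataclass(frozen=True)
class SalesOrder:
    order_id: str
    quantity: int


@dataclass(frozen=True)
class ShippingDocument:
    order_id: str
    quantity_shipped: int


@dataclass
class ExceptionItem:
    order_id: str
    reason: str
    raised_on: date
    resolved_on: Optional[date] = None
    resolved_by: Optional[str] = None
    resolution: Optional[str] = None


def run_invoice_match(orders, shipments, run_date):
    """Automated half: invoice an order only if shipping documents support it."""
    shipped = {}
    for doc in shipments:
        shipped[doc.order_id] = shipped.get(doc.order_id, 0) + doc.quantity_shipped
    invoiced, exceptions = [], []
    for order in orders:
        if order.order_id not in shipped:
            exceptions.append(ExceptionItem(order.order_id, "no shipping document", run_date))
        elif shipped[order.order_id] != order.quantity:
            exceptions.append(ExceptionItem(order.order_id, "shipped quantity differs", run_date))
        else:
            invoiced.append(order.order_id)
    return invoiced, exceptions


def resolve(item, reviewer, note, on):
    """Manual half: a named reviewer documents how the exception was cleared."""
    if not reviewer.strip() or not note.strip():
        raise ValueError("follow-up needs a named reviewer and a documented resolution")
    item.resolved_on, item.resolved_by, item.resolution = on, reviewer, note


def follow_up_status(exceptions, as_of, max_days=MAX_FOLLOW_UP_DAYS):
    """Sort exceptions by whether follow-up happened, and whether it was timely."""
    status = {"timely": [], "late": [], "open": [], "overdue": []}
    for item in exceptions:
        age = ((item.resolved_on or as_of) - item.raised_on).days
        if item.resolved_on is not None:
            status["timely" if age <= max_days else "late"].append(item.order_id)
        else:
            status["open" if age <= max_days else "overdue"].append(item.order_id)
    return status


def demo():
    # Constructed sample data, not taken from the page.
    orders = [SalesOrder("SO-1001", 10), SalesOrder("SO-1002", 4),
              SalesOrder("SO-1003", 7), SalesOrder("SO-1004", 2)]
    shipments = [ShippingDocument("SO-1001", 6), ShippingDocument("SO-1001", 4),
                 ShippingDocument("SO-1003", 5)]
    invoiced, exceptions = run_invoice_match(orders, shipments, date(2024, 3, 1))
    by_id = {e.order_id: e for e in exceptions}
    resolve(by_id["SO-1002"], "billing supervisor",
            "order cancelled, never shipped", date(2024, 3, 4))
    resolve(by_id["SO-1003"], "billing supervisor",
            "back-order shipped, rebilled", date(2024, 3, 12))
    return invoiced, follow_up_status(exceptions, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    invoiced, status = demo()
    print("invoiced:", invoiced)
    for bucket, ids in status.items():
        print(f"{bucket}: {ids}")
```

In the sample run the automated match blocks every unsupported order, yet one exception is cleared late and one is never cleared, which is the manual-follow-up side of the control that the exception log lets a tester examine.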
Detective controls vary from client to client to a greater extent than preventive controls.
Detective controls can depend on the nature of the client’s business processes and
on the competence, preferences, and imagination of the people who perform the controls.
Detective controls may be formally established procedures such as the preparation of a
monthly reconciliation and the subsequent follow-up of unusual items. Alternatively, an accountant
may keep a list of standard month-end journal entries to post monthly to use as the
basis for identifying and following up on any exceptions.
It is important that detective controls:

1.  Completely and accurately capture all relevant data.
2.  Identify all potentially significant misstatements (e.g., address all relevant assertions).
3.  Are performed on a consistent and regular basis.
4.  Include follow-up and correction on a timely basis for any misstatements or issues detected.

There are many examples of detective controls, including the following:

•  IT application controls and manual follow-up. Reports are automatically produced showing transactions that fall outside a set of parameters selected by the client. These exceptions are then reviewed, and appropriate action must be taken on each item. For example, a report may be produced that shows all sales orders written to customers who have exceeded their credit limits. The credit manager then follows up on these sales orders with the salesperson to ensure no further sales are made until the balance is brought below the credit limit. In rare cases, the credit manager might allow the customer to go over its credit limit.
•  Reconciliations are prepared, unusual items are then investigated, and issues are resolved or corrections made, if necessary. The performance of reconciliations without following up on reconciling or unusual items is not a control. The control is the follow-up. Typical reconciliations are performed between the general ledger and some other form of external evidence or a subsidiary ledger. For example, the bank reconciliation reconciles the bank statement to the cash account recorded in the general ledger, and accounting personnel make adjustments for transactions identified in the bank statement that have not been recorded (e.g., recording bank service charges).
•  Management level reviews consist of actual performance versus budgets, forecasts, prior periods, competitors (if available), or industry averages (if available). Management’s actions in analyzing and following up on unexpected variances is a detective control. For example, the financial controller may review the monthly results and compare the number of days’ sales outstanding to previous periods to ensure the allowance for doubtful accounts is reasonable.
•  Performance indicators relate different sets of data, operational or financial, to each other. These indicators, together with an analysis of the relationships and the subsequent follow-up of anomalies, are also control activities. The auditor needs to understand whether the client uses the information for operational purposes only (to assist in making operating decisions), or whether the client uses it to also follow up on unexpected results in the financial reporting system. If the information is only used for operational purposes, it is unlikely that the auditors will gather a significant amount of audit evidence to assist them in the integrated audit. Performance indicators include, for example, purchase price variances, inventory ordered but not yet manufactured, and percentage of sales returned compared to total sales orders. By investigating unexpected results or unusual trends, the client may identify issues in the underlying procurement or manufacturing processes.

Illustration 8.3 shows examples of detective controls and some of the WCGWs each control
is designed to address.

Illustration 8.3  Examples of detective controls

Assertion | WCGW | Detective Control
Completeness | Shipment of goods is neither billed nor recorded in the sales journal or in the general ledger. | The software application compares all bills of lading with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor.
Occurrence | Revenue is recorded for items that have not been shipped and revenue is recognized prematurely. | The software application compares all sales invoices with underlying shipping information on the bills of lading and packing slips with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor.
Completeness, Occurrence, Cutoff | Cash is received but not recorded in the general ledger; payments are made but not recorded; cash receipts or cash payments are not real or not recorded on a timely basis. | Bank reconciliation identifies unexpected outstanding items (e.g. unexpected or large deposits in transit, checks, or bank charges processed by the bank but not recorded in the general ledger), which are followed up.
Completeness, Classification | There are unrecorded billings and errors in classifying sales or cash receipts. | Credit balances in accounts receivable are reviewed monthly to determine their causes.
Accuracy | Among other things, errors are found in the number of units, or unit prices are calculated or applied incorrectly. | The sales manager reviews daily shipments, total sales, and sales per unit shipped.

When assessing detective controls it is not necessary for the auditor to reperform all of the
steps in, for example, preparing a reconciliation to gain sufficient evidence that the control is
operating effectively. It is normally enough to make inquiries of staff and examine evidence
that the reconciliation was properly completed and that the appropriate reviews and follow-ups
were carried out by the client in a timely manner.

Preventive and Detective Controls Compared


Detective controls are often accompanied by physical evidence such as exception reports
or monthly reconciliations. This is in direct contrast to preventive controls, which tend to
be dependent on IT. Preventive controls are often driven by error messages that are part
of the particular software used by the company, and therefore there is no physical evidence
of the control. Often, a specialist with IT skills is required to audit ITGCs and IT application
controls, depending on how sophisticated the client’s IT system is. Therefore, the auditor is
more likely to identify detective controls as “key controls” to test and evaluate. Note, however,
that some detective controls are more effective when the underlying data and transactions
(and therefore preventive controls) can be relied upon. Therefore, it is important to gain an
understanding of the preventive controls in addition to the detective controls to which they
relate before developing an audit strategy.
For example, the review and follow-up of a monthly management report that compares
actual results to budget results would be ineffective if there were no evidence available to show
that the budgeted amounts were the approved amounts and the actual amounts were the total of
the transactions recorded in the general ledger. In addition, the auditor needs to obtain evidence
that the underlying transactions are captured and recorded properly. This is ordinarily done via
the identification and testing of the underlying preventive controls. Also, the monthly comparison
needs to be at an information level detailed enough to identify material misstatements, and
the review and follow-up needs to be performed by supervisory personnel on a timely basis.
Detective controls can be applied on a transaction-by-transaction basis, or on reconciliations
that test the accumulation of transactions. An auditor might identify IT application
controls that screen transactions on a transaction-by-transaction basis. If such controls are
important to the audit strategy, the auditor must also identify and test the appropriate manual
follow-up of exceptions that are identified by the application control. In computerized
environments, detective controls can often be tested effectively and efficiently. This is because
preventive and detective controls are accompanied by direct evidence as to the effectiveness of
their operation (for example, review and follow-up of exception reports) or the auditor is able
to reperform the control to ensure it is operating effectively. This is discussed in more detail in
the following section “Manual and Automated Controls.”
Reconciliations are ordinarily performed less frequently than preventive controls (e.g.,
bank reconciliations are performed monthly). In this case, a high degree of assurance the
controls operated effectively throughout the period of reliance can be obtained by examining
a relatively small amount of evidence.

Cloud 9 - Continuing Case


Ian asks Josh about the types of controls that are normally used in a company like Cloud 9. Josh explains that it is useful to start by classifying controls as automated, manual, IT-dependent manual, or IT general controls. However, Ian’s focus should be on considering whether each of these controls prevents an error occurring in the first place, or whether the control is designed to detect an error that has already occurred, so it can be brought to someone’s attention.

Josh gives Ian an example of a preventive control at Cloud 9. Based on his conversation with Carla Johnson, the financial controller, he has discovered that the computerized payroll system checks to make sure each employee is on the master payroll file before the transaction is processed further. However, Ian must determine who has access to change the master payroll file. Also, how does the client ensure the completeness and accuracy of the master payroll files?

Josh also gives Ian an example of a detective control at Cloud 9. Carla told Josh about an incident that happened earlier in the year. In February, a large group of employees were given a retroactive pay raise. When this payroll was processed, the software application produced an exception report. It turned out that some of the employees who were eligible for the retroactive payment had left the company and did not work during the affected payroll period. The IT application control checked to make sure that each employee actually worked during the period before processing the payroll for the time period. As a result, Carla had to personally approve payment of the retroactive payroll that was due to employees who did not work during the affected period. The software identified a potential misstatement, and the manual follow-up also did its job.

Manual and Automated Controls


As the auditor considers preventive and detective controls, the auditor must also consider
the degree to which controls are manual or automated. In this section, we discuss manual
controls and review automated, or IT, controls that were covered in Chapter 6. Illustration 8.4
shows the types of controls and how they are interrelated. The illustration also shows
that both manual and automated controls have the potential to be preventive or detective
controls.

[Illustration 8.4  Types of controls. Diagram labels: IT general controls; Manual; IT-dependent manual controls; IT Application Controls; Preventive; Detective.]

Manual Controls
Purely manual controls are those that do not rely on the client’s IT environment for their
operation. An example is a locked inventory cage for high dollar-value items to which only
a few authorized staff have a key to access. However, manual controls may use IT-produced
information from third parties. For example, a client may reconcile the amount of inventory
held on consignment that was manually counted during its inventory count to the amounts
listed in the third party’s IT-generated consignment inventory statement.
There are very few, if any, companies that do not use some form of IT to assist in transaction
processing, and most controls rely on IT in some way (refer to the section “IT-Dependent
Manual Controls” below). In most situations, purely manual controls are preventive controls
and, therefore, the considerations for an effective preventive control, listed in the section
“Preventive Controls,” are particularly important.

Automated Controls
Controls generally rely on the client’s IT applications (or software) in some way, as discussed
in the Chapter 6 section “Information Technology Controls.” It is important to identify the
extent of reliance a control places on IT to determine the effect of IT on the evaluation of
controls. The key consideration for relying on automated aspects of controls is to determine
whether or not the client has effective ITGCs.

IT General Controls (ITGCs)  ITGCs support the ongoing functioning of the automated
(programmed) aspects of preventive and detective controls and also provide the auditor with a
basis for relying on electronic audit evidence. The auditor needs to identify, understand, walk
through, test, and evaluate the ITGCs that have been implemented for software applications
the auditor plans to rely on, as is done for any other type of control.
Ordinarily, an entity has five types of ITGCs in place (as explained in Chapter 6):

1.  Data center and network operations controls.


2.  System software acquisition, change, and maintenance controls.
3.  Program change controls.
4.  Access controls.
5.  Application system acquisition, development, and maintenance controls.
8-12  Chapter 8  Risk Response: Performing Tests of Controls

ITGCs are important because they impact the effectiveness both of IT application controls
and IT-dependent manual controls, as well as potentially affect the reliability of electronic
audit evidence the auditor may wish to rely upon during the audit. For example, if a client relies
on an application that records a sale and then automatically records and updates the accounts
receivable ledger for that particular customer, the client also relies on its IT program change
procedures and security to verify that the program and this specific control are not changed
without appropriate approval and testing.

IT Application Controls  IT application controls are the fully automated controls that
apply to the processing of individual transactions. They are the controls that are driven by the
particular software application being used for different business processes, hence the name
“application” controls. They include controls such as edit checks, validations, calculations,
and authorizations. Application controls may also be important in enforcing the segregation
of incompatible duties, particularly in large organizations.
A common test of IT application controls involves the auditor entering test data into
the client’s software application while the application is under the auditor’s control. For
example, if the client has an authorization control that checks that (1) the customer is an
authorized customer, and (2) that the customer has not exceeded its credit limit, the auditor
will submit test data involving both valid and invalid customers and test data where one
customer is over, and another customer is under, its credit limit. The software application
should accept appropriate transactions and reject other transactions that do not meet the
control criteria. However, as noted in Chapter 6, the effectiveness of the software application
also depends on the effectiveness of manual follow-up of items that the software identifies
as exceptions.

IT-Dependent Manual Controls  In many situations, the auditor identifies a preventive
or detective control that has both manual and automated aspects to it. These are referred to as
IT-dependent manual controls. For these controls, consideration is given to both the manual
and the automated aspects. For example, management reviews a monthly variance report and
follows up on significant variances. Because management relies on the IT-generated report to
identify the variances, the auditor also needs to check that there are controls in place to ensure
that the variance report is complete and accurate.
When evaluating the completeness and accuracy of IT-produced information, before the
auditor can rely on the information, he or she needs to identify the source and the controls that
ensure the information is complete and accurate. This testing can either be performed directly
on the report in question or, alternatively, testing can be performed on the overall application
that produces the report and the relevant ITGCs, which then removes the need to test the
actual report.

Professional Environment  PCAOB Evidence on Tests of Controls

In 2012 and again in 2013, the PCAOB released some troubling results of inspections of audits of
internal controls over financial reporting. In 2012, the PCAOB issued a report, Observations from
2010 Inspections of Domestically Annually Inspected Firms Regarding Deficiencies in Audits of
Internal Control over Financial Reporting.2 This report summarized the results of 309 inspections
of integrated audit engagements. The report’s findings include the following:

•  In 46 of the 309 integrated audit engagements, or 15%, that were inspected in 2010, inspections
staff found that the firm, at the time it issued its audit report, had not obtained sufficient
audit evidence to support its audit opinion on the effectiveness of internal control due to one
or more deficiencies identified by the inspections staff.
•  In 39 of those 46 engagements, or 85%, where the firm did not have sufficient evidence to
support the internal control opinion, the firm also did not obtain sufficient audit evidence to
support the financial statement audit opinion. These engagements represent 13% of the 309
integrated audit engagements that were inspected.
•  These deficiencies also revealed weaknesses in some audit firms’ systems of quality control of
such significance that, in the Board’s view, required remediation.

Subsequently, in 2013, the PCAOB issued Staff Audit Practice Alert No. 11, Considerations for
Audits of Internal Control over Financial Reporting.3 This report summarized audit practice issues
observed by the PCAOB inspections staff over the three previous years. Significant auditing
deficiencies that had been cited frequently in PCAOB inspection reports included the following
deficiencies in which audit firms did not:

•  Identify and sufficiently test controls that were intended to address the risks of material
misstatement.
•  Sufficiently test the design and operating effectiveness of management review controls that
were used to monitor the results of operations.
•  Obtain sufficient evidence to update the results of testing of controls from an interim date to
the company’s year-end (i.e., the roll-forward period).
•  Sufficiently test controls over the system-generated data and reports that support important
controls.
•  Sufficiently perform procedures regarding the use of the work of others.
•  Sufficiently evaluate identified control deficiencies.

As you read the remainder of this chapter, it would be helpful to focus on the types of activities
that would prevent these types of audit deficiencies.

2 PCAOB, Observations from 2010 Inspections of Domestically Annually Inspected Firms Regarding
Deficiencies in Audits of Internal Control over Financial Reporting (Washington, DC, December 10, 2012).

Before You Go On
2.1  What are the different types of controls?
2.2  Which type of control, preventive or detective, is usually a more effective control type to test?
Explain your answer.
2.3  What is the difference between an IT application control and an IT general control?

Procedures for Testing Controls


Learning Objective 3
Explain the types of evidence that can be used to support a test of controls.

Tests of controls (or controls testing) are the audit procedures performed to test the operating
effectiveness of controls in preventing, or detecting and correcting, material misstatements
at the assertion level.
Tests of controls include inquiry, observation, inspection of physical evidence, reperformance,
and various data analytics techniques. Ordinarily, a combination of these testing
procedures provides the evidence that the control operated as intended throughout the
period for which the auditor wishes to place reliance on the control. Each of these tests is
discussed below.

tests of controls or controls testing  audit procedures designed to evaluate the operating
effectiveness of controls in preventing, or detecting and correcting, material misstatements
at the assertion level

Inquiry
This procedure involves the auditor using questioning skills to determine how the control is
completed and whether it appears to have been carried out properly and on a timely basis. For
example, the auditor may ask the employee who prepares the bank reconciliation how reconciling
items are identified, the reasons for them, and the procedures in place to ensure that
the accounting records are corrected on a timely basis. The auditor may also ask management
how it ensures the reconciliation is prepared correctly and on a timely basis. In addition, the
auditor might ask questions of employees who follow up on exception reports about the types
of misstatements that employees find and how exceptions are cleared. Finally, while inquiry
is helpful, it does not stand on its own in terms of quality of evidence. Important information
obtained through inquiry should be corroborated with other evidence.

3 PCAOB, Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over
Financial Reporting (Washington, DC, October 24, 2013).

Observation
This procedure involves the auditor observing the actual control being performed. For example,
the auditor may observe the preparation of the bank reconciliation. The limitation with this
technique is that employees often perform procedures more diligently when they know they are
being observed. Observation is also important to identifying appropriate segregation of duties.

Inspection of Physical Evidence


This procedure relies on the auditor testing the physical evidence to verify that a control has
been performed properly. For example, the auditor may inspect initials and dates on a bank
reconciliation, or trace certain amounts on the bank reconciliation to the accounting records
or to other documents (for example, a bank statement) to gain evidence that the procedures
were properly performed. Also, auditors may read some or all of the reconciliations for other
periods and examine the reconciling items to determine whether the reconciliation routinely
detected errors and whether those errors were appropriately dealt with. ITGCs often result in
documented evidence of authorization of program changes or testing, and other reports of
system access that provide important evidence associated with these controls.

Reperformance
This procedure involves the auditor reperforming the control to test its effectiveness. For
example, the auditor may test the effectiveness of manual follow-up by reperforming the
follow-up procedures to see that items put on an exception report were appropriately cleared.
In some smaller organizations, the auditor might find manual controls where an independent
person checks the accuracy of the software program’s output to its input. If the auditor wants
to test this control, the auditor must find evidence that the control was performed on a timely
basis and then reperform the control to make sure it was performed correctly.

Software-Based Audit Techniques


The auditor might use a variety of software-based techniques to test controls. A common
technique involves submitting test data to the client’s software application while the application
is under the auditor’s control. Submitting auditor test data to the client’s application will
allow the auditor to verify that the application is functioning as designed.
When the auditor uses test data to test an IT application control, the auditor needs
the following package of evidence to gain assurance that the control functions properly
throughout the period:

1.  Test data that shows that the program properly identifies exceptions.
2.  Evidence that IT general controls are strong, to conclude that the program has not been
subject to unauthorized changes.
3.  Evidence that manual follow-up procedures are effective and correct items flagged by the
IT application control on a timely basis.

In addition, in various circumstances the auditor might use a form of ADA to test
controls. For example, let’s assume that transactions are both authorized and approved
electronically, and the software electronically tracks the individuals authorizing or approving
transactions. Subsequently, the auditor might use audit software to identify any transactions
for which the individual authorizing the initiation of a transaction and the approval of the
transaction for payment were the same. Alternatively, let’s say that the policy in a private
company is that all purchases over $500,000 must be approved by the CEO. The audit software
can identify all transactions over $500,000 and extract any that do not have the CEO’s
approval.
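
The two audit-software tests described above can be written as a short script run over a transaction extract. This is an added example, not code from the textbook: the CSV layout, the user IDs, the `ceo` approver ID and the extra check for a missing approver are assumptions, and the sample extract is constructed.

```python
import csv
import io
from decimal import Decimal

# Policy value from the text: purchases over $500,000 need the CEO's approval.
CEO_APPROVAL_THRESHOLD = Decimal("500000")
# Assumption: the user ID under which the CEO's approval is logged.
CEO_USER_ID = "ceo"

# Constructed sample extract (not real client data). Assumed columns:
# who authorized initiation and who approved the transaction for payment.
SAMPLE_EXTRACT = """\
txn_id,amount,initiated_by,approved_by
T-1001,12500.00,asmith,bjones
T-1002,48000.00,cwong,CWong
T-1003,750000.00,asmith,ceo
T-1004,620000.00,bjones,dpatel
T-1005,500000.00,cwong,dpatel
T-1006,910000.00,ceo,ceo
T-1007,3200.00,dpatel,
"""


def _user(value):
    """Normalize a user ID so 'CWong ' and 'cwong' compare as the same person."""
    return (value or "").strip().lower()


def find_exceptions(extract_csv, threshold=CEO_APPROVAL_THRESHOLD, ceo=CEO_USER_ID):
    """Return (txn_id, reason) pairs for transactions that break either rule.

    SAME_PERSON      initiator and approver are the same individual
    NO_APPROVER      no approver was logged, so segregation cannot be evidenced
                     (added check, not in the text)
    NO_CEO_APPROVAL  amount is over the threshold and the approver is not the CEO
    """
    exceptions = []
    for row in csv.DictReader(io.StringIO(extract_csv)):
        initiator = _user(row["initiated_by"])
        approver = _user(row["approved_by"])
        amount = Decimal(row["amount"])  # Decimal avoids float rounding on money

        if not approver:
            exceptions.append((row["txn_id"], "NO_APPROVER"))
        elif approver == initiator:
            exceptions.append((row["txn_id"], "SAME_PERSON"))

        # "Over $500,000" is a strict comparison: exactly 500,000 is not flagged.
        if amount > threshold and approver != _user(ceo):
            exceptions.append((row["txn_id"], "NO_CEO_APPROVAL"))
    return exceptions


if __name__ == "__main__":
    for txn_id, reason in find_exceptions(SAMPLE_EXTRACT):
        print(f"{txn_id}: {reason}")
```

The result is only as reliable as the extract: the auditor still needs evidence that the logged user IDs are complete and accurate, which depends on the access controls among the ITGCs.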
Audit Reasoning Example  How to Test a Control

Elena Hauge (an audit senior) is talking with Tonya Tran (a seasoned audit staff member) about
testing controls on the audit of Midwest Wholesale Foods. The client produces a daily report
listing each sales invoice and gross margins for each sale. Each morning, the sales manager reviews
the report and investigates invoices with unusually high or low gross margins. Elena asks Tonya,
“How do you want to test this control?” Tonya responds, “Inquiry of the sales manager about what
he finds and how he resolves discrepancies might be an option, but it does not, by itself, provide
sufficient evidence to conclude that the control is operating effectively. I am also concerned about
reviewing the reports and looking for the initials of the sales manager. Based on the initials of the
sales manager, we cannot conclude that a thorough review and appropriate follow-up was performed.
In addition to the initials, we would also need to reperform the control on a sample basis.
If we identify transactions with high and low gross margins, and determine they were handled
appropriately, this provides additional corroboration that the control operated effectively.” Elena
responds, “It sounds like you have done this before. I like your logic.”

Cloud 9 - Continuing Case


On a previous audit, Ian tested IT-dependent manual controls in the payroll cycle for a
not-for-profit organization. These were human checks of the IT output, and Ian reperformed the
control for a sample of payroll transactions.
However, Ian is less sure about how they could test the IT controls in the payroll system because
the process at Cloud 9 is fully automated. Josh explains that one possible test is to feed dummy
data into the system to see if an employee who is not on the master file is rejected. Also, they
can use software-based techniques to test the client’s applications and produce reports to diagnose
the performance of that part of the application. Josh then explains that if they rely on automated
controls, they must test the manual follow-up procedures that clear any exceptions that are flagged
by the software. The combination of software-based techniques and reperformance of manual follow-up
procedures will be needed to test the automated controls.

Before You Go On
3.1  Explain five different techniques for testing controls and provide an example for each.
3.2 When would an auditor most likely perform observation and inquiry procedures on a
control?
3.3 Give an example of the package of evidence that is needed to test an IT application control
that matches every sales invoice to an underlying bill of lading to ensure that revenue is
properly recognized.

Selecting and Designing Tests of Controls


Learning Objective 4
Determine how to select and design tests of controls.

The section “Procedures for Testing Controls” discussed different procedures used to collect
evidence that internal controls are operating effectively. The auditor needs to match the appropriate
procedure to the control that has been selected for testing. Three additional areas that require
a large degree of professional judgment are deciding (1) which controls should be selected for
testing, (2) the extent of tests of controls, and (3) the timing of when to perform tests of
controls. These areas are explained in the following sections.

Which Controls Should Be Selected for Testing?


When performing an integrated audit (to issue an opinion on the financial statements and
an opinion on ICFR), the auditor uses a top-down approach to determine which controls to
select (AS 2201.21). The auditor begins by understanding the entity and the business, and
determines the risk of material fraud or error at the financial statement level. The auditor then
focuses on entity-level controls (the control environment, the strength of risk assessment and
monitoring controls, and ITGCs). Effective monitoring controls can provide assurance that
transaction-level controls are effective and, therefore, monitoring can provide some evidence
about the effectiveness of transaction-level controls, thus reducing the testing of those
controls. The auditor then works down to transaction-level controls related to significant accounts,
disclosures, and related assertions that present a reasonable possibility of material
misstatement in the financial statements. The auditor needs to sufficiently perform tests of controls at
both the entity and transaction levels to provide reasonable assurance about whether material
weaknesses exist as of the date of management’s assessment of ICFR.
Auditors do not need to test each and every client control. Rather, auditors identify key
controls that might be relevant to financial statement assertions and WCGW. Illustration 8.5
summarizes key factors that influence the auditor’s decision about which controls should be
selected for testing. For example, if there is a high risk of material fraud related to an
assertion, the auditor will want to test controls over that assertion. Where there are multiple
controls related to one assertion, the auditor will need to determine which control is most
likely to ensure that fraud or error does not occur if other controls fail. This would then be the
key control that the auditor would test. The auditor also needs to consider whether the
effectiveness of one control depends on the effectiveness of other controls. For example, if the auditor
wants to rely on IT application controls, the auditor needs to test the application control and the
IT general controls (to gain assurance that the software functioned as designed throughout the
period), and manual follow-up of exceptions that are noted by the software.

ILLUSTRATION 8.5  Factors commonly considered when identifying controls to test

Factors to consider when identifying controls to test:
•  Points at which error or fraud could occur.
•  The nature of the control implemented by management.
•  The significance of each control in achieving the objectives of the control and whether more
than one control achieves a particular objective.
•  Factors that affect the risk that the control might not be operating effectively, such as:
   º  Whether there have been changes in the volume or nature of transactions that might
   adversely affect control design or effectiveness.
   º  Whether there have been changes in the design of the controls.
   º  The degree to which the control relies on the effectiveness of other controls (e.g., the control
   environment or IT general controls).
   º  Whether there have been changes in key personnel who perform the control or monitor its
   performance.
   º  Whether the control relies on the performance by an individual or it is automated.
   º  The complexity of the control.

When looking for controls that are reliable, and have a high likelihood of operating as
intended, the auditor considers the following factors:

•  The competence (and integrity) of the person who performs the control.
•  The quality of the control environment, such as the potential for management to override
the control or for the control to be bypassed.
•  Changes in the accounting system that may have occurred.


•  Unexplained changes in related account balances.
•  The auditor’s prior-period experiences with the engagement.

In the audit of a private company (when an auditor is only issuing an opinion on the
financial statements), an auditor’s tests of controls are largely dictated by the planned audit
strategy. When auditing a private company, it may sometimes be more efficient to forgo tests of
controls and test an assertion substantively. For other assertions, performing tests of controls
may allow the auditor to change the timing of substantive tests from year-end to an interim
date, change the nature of substantive tests, and reduce the extent of substantive testing. Also,
the best controls to test are those that address the WCGWs most effectively with the least
amount of testing required (efficient testing strategy).

The Extent of Tests of Controls


When testing controls, the auditor can use either statistically based sampling techniques or
nonstatistical techniques to determine the extent of testing. There are a number of factors to
consider when deciding on the extent of tests of controls. Illustration 8.6 summarizes the
factors that influence sample size for tests of controls.

ILLUSTRATION 8.6  Factors that influence the sample size when testing controls

Factor (Relationship to Sample Size): Tolerable deviation rate of the population to be tested (Inverse)
   Larger Samples: The smaller the rate of deviation from the prescribed control procedure that the
   auditor can tolerate, the larger the sample size.
   Smaller Samples: The larger the rate of deviation from the prescribed control procedure that the
   auditor can tolerate, the smaller the sample size.

Factor (Relationship to Sample Size): Desired level of assurance that the tolerable rate of deviation
is not exceeded by the actual rate of deviation in the population (Direct)
   Larger Samples: Higher levels of assurance dictate larger sample size.
   Smaller Samples: Lower levels of assurance dictate smaller sample size.

Factor (Relationship to Sample Size): Expected rate of deviation of the population to be tested (Direct)
   Larger Samples: The closer tolerable deviation rate and expected deviation rate are to each other,
   the larger the sample size.
   Smaller Samples: The greater the amount of difference between tolerable deviation rate and
   expected deviation rate, the smaller the sample size.

Factor (Relationship to Sample Size): The number of sampling units in the population, if the
population size is very small (Direct)
   Larger Samples: The larger the population, the larger the sample size.
   Smaller Samples: The smaller the population, the smaller the sample size.

Factor (Relationship to Sample Size): Population size larger than 5,000 (No Effect)
   Larger Samples: Population size does not affect sample size.
   Smaller Samples: Population size does not affect sample size.

First, the tolerable deviation rate is the maximum rate of deviation from a prescribed
control that an auditor is willing to accept and still use the planned control risk. The AICPA
Audit Guide: Audit Sampling includes the guidelines presented in Illustration 8.7 for
quantifying an acceptable range for the tolerable deviation rate. Note the relationship between the
tolerable deviation rate and the planned assessed level of control risk. If the auditor plans to
assess control risk as low, for example, the tolerable rate should be between 2% and 7%. The
auditor will not be able to tolerate many deviations if the planned control risk is low.

tolerable deviation rate  the maximum rate of deviation from a prescribed control that an
auditor is willing to accept and still use the planned assessed level of control risk

ILLUSTRATION 8.7  AICPA guidelines for quantifying tolerable deviation rate

Planned Control Risk     Range of Tolerable Deviation Rate
Low                      2%–7%
Moderate                 6%–12%
High                     11%–20%

Next, the auditor should consider the desired level of assurance that the tolerable rate
of deviation is not exceeded by the actual rate of deviation in the population. This addresses
the assurance the auditor wants from the performance of the controls, or confidence that
the evidence is representative of the population. There is a direct relationship between
assurance and sample size. The more assurance the auditor wants, the more representative a sample
should be of the population, and the more testing the auditor needs to do. That is, if the auditor
intends to assess control risk at a low level, he or she performs more testing than if he or she is
planning to obtain only limited assurance from tests of controls. Therefore, the assurance that
the tolerable rate of deviation is not exceeded by the actual rate of deviation is influenced by:
•  The degree to which the auditor intends to rely on the control as a basis for limiting
substantive tests or for supporting an opinion on ICFR.
•  The existence of a combination of controls that may reduce the level of assurance that
might be needed from any one of the controls.
•  The relative importance of the WCGW issues being considered.

desired level of assurance  the confidence that the evidence obtained is representative of
the underlying population from which the sample was taken
The expected rate of deviation in the population is the rate at which the auditor
expects controls to not function as planned. This is usually based on prior experience with
the entity, evidence obtained through a system walkthrough, and the auditor’s professional
judgment. Auditors often perform tests of controls only when the expected deviation rate is
very low (e.g., less than 1% or 2%). This may seem counterintuitive, but consider this. If you
expect a high rate of deviation in the population for a certain control, then why waste time
testing the control only to find out that you are right and the control fails at a high rate? In this
situation, it is more efficient for the auditors to take a primarily substantive strategy and focus
on auditing transactions and account balances instead of testing controls. Auditors only test
controls if the expected deviation rate in the population is very low. The control test will
confirm (or deny) that the control is indeed working as expected. If the testing confirms that the
control can be relied upon, then the auditors can continue with a reliance on controls strategy.

expected rate of deviation in the population  the rate at which the auditor expects
controls not to function as planned
When considering the size of the population, the auditors should determine how often
the control is performed. Not all controls are applied to every transaction. Some controls may
operate daily, monthly, or quarterly. Illustration 8.8 provides an example of how many tests
of each control might be performed depending on the frequency of the control in question,
and the assurance that the auditor wants that the tolerable rate of deviation is not exceeded
by the actual rate of deviation in the population. The selection of how many instances of a
control to test involves significant professional judgment. Illustration 8.8 is only an example,
and two different auditors are likely to design two different plans for determining sample size.
Also note that this illustration is based on an expectation that internal controls are strong, and
no deviations are expected. The sample size varies depending upon the assurance the auditor
wants from tests of controls. In other words, must the auditor issue an opinion on ICFR (for a
public company client), and to what degree does the auditor want to reduce substantive
testing based on reliance on controls relevant to an assertion?

ILLUSTRATION 8.8  Example of an extent of testing table

                                  (More Assurance)                                       (Less Assurance)
Frequency of the Control          Reasonable Assurance     More Than Limited Assurance   Limited Assurance
                                  from Tests of Controls   from Tests of Controls        from Tests of Controls
Expected number of deviations     None                     None                          None
  from the prescribed control
> 5,000 instances                 45–50                    25–30                         10–15
Daily or multiple times a day     45–50                    25–30                         10–15
Weekly                            8                        5                             2
Monthly                           3                        2                             1
Quarterly                         2                        2                             1
Annually                          1                        1                             1
IT application control            2                        2                             2
  (effective ITGCs)
IT application control            45–50                    25–30                         25–30
  (ineffective ITGCs)

For example, bank reconciliations are a monthly control. If the auditor wants to obtain
reasonable assurance that bank reconciliations are functioning as designed, the auditor might
select three bank reconciliations for tests of controls from throughout the year. If, however,
only a limited level of assurance from the controls testing is required, only one occurrence of
the control would be tested from throughout the year. In the latter case, the auditor will do
more substantive testing of cash balances.
Tests of various manual controls that are accompanied by an initial or signature of someone
who performed the control would require (1) testing to see that the person performed
the control by leaving their initial and then (2) reperforming the checking routine itself (for
example, reperforming that the price, extensions, and totals have been checked). The extent
of such tests is a matter of professional judgment but, as seen in Illustration 8.8, very large
sample sizes are not necessary.
When the client has a strong system of internal control and the auditor expects that no
control exceptions or deviations will be observed, a random sample of, say, 45 to 50 items
provides evidence that controls operated as intended (that is, the control was effective). The
example sample sizes in Illustration 8.8 have been calculated using audit risk tables and a
technique called attribute sampling, a sampling technique used to reach a conclusion about
a population in terms of a rate (frequency) of occurrence. For instance, a sample of purchase
vouchers can be examined for signatures of a manual control that the voucher was checked
for occurrence, accuracy, and account classification. Exceptions would be represented by
either a missing signature, or by a voucher with a signature but with evidence that the good
or service received was recorded in incorrect quantities, the voucher had incorrect amounts,
or the voucher had an incorrect account classification. Each sample item provides one of only
two possible outcomes: (1) the attribute being tested (a signature, evidence of occurrence,
correct prices, and correct account coding) functioned effectively, or (2) it did not operate as
intended.

attribute sampling  a sampling technique used to reach a conclusion about a population
in terms of a rate (frequency) of occurrence
For example, let’s say a local government has a manual control where each purchase
transaction is reviewed by a second individual before payment is made, and there are approximately
750 to 1,000 transactions a month (more than 5,000 transactions a year). The auditor
plans to rely on this control and assess control risk as low. The auditor can take a sample of
45 transactions out of the year to test this control. Note that the auditor expects no deviations,
based on the table in Illustration 8.8. If one deviation is found, the auditor cannot assess control
risk as low. Depending on the number of deviations found, the auditor may have to assess
control risk as moderate or high.
Consider another example. The audit client may have an IT application control that com-
pares each purchase with underlying purchase order and receiving information. If there are
any discrepancies, the software should reject the transaction. The auditor can use test data
and test the programmed control with a sample size of two: one transaction that the software
should accept and one transaction that it should reject. If the software fails to properly process
either transaction, the control cannot be relied upon.
Attribute sampling by itself does not provide a direct estimate of dollar values, such as
the dollar amounts of exceptions. That is why attribute sampling is used for tests of controls
(rather than for a substantive test of account balances). Nevertheless, the auditor is able to
determine with a certain level of confidence (90% or more) that the error rate for control
exceptions (deviations) is acceptably low. If the audit objective is to obtain evidence directly
about a dollar amount being examined, the auditor is performing a substantive test, not a test
of controls. When determining whether there is a control exception or not, the auditor should
focus on whether the control functioned as designed, or not. If the control did not function
as designed, irrespective of whether the control failure resulted in a monetary misstatement,
there is a control exception and a deviation from the prescribed control.
Control exception (deviation): an observed condition that provides evidence that the control
being tested did not operate as intended.
The small sample sizes noted in Illustration 8.8 are based on the assumption that inter-
nal controls are strong, and the auditor does not expect any deviations from the prescribed
control procedures. If the auditor expects deviations, the auditor will use larger sample sizes.
Regardless of the size of the sample, all control exceptions (deviations), including those
accompanied by monetary misstatements, are investigated by the auditor. The auditor should
be careful not to dismiss an observed control exception as a random or a nonsystematic oc-
currence. The detection of one control exception should result in the auditor extending the
sample size, amending the auditor’s decision to rely on that control, or considering whether
another control is available that can be substituted for the control being tested (often referred
to as a compensating control).

Cloud 9 - Continuing Case


Talking with Josh about the factors that have to be considered when deciding how much control
testing to do helps Ian appreciate his task. He realizes that his previous understanding of a
reliance on controls strategy was too simple. Gathering evidence about the effectiveness of
controls in order to reduce reliance on substantive testing does not mean that the auditor has
to test every control in the same way.

Ian realizes that if the evidence that would be produced from testing a control is not very
persuasive, there is little point in devoting a lot of effort to testing that control. For
example, a preventive control that a supervisor authorizes a transaction only produces evidence
of the presence or absence of a signature, not evidence of whether the supervisor was
performing the task of reviewing the transaction effectively. Is it worth obtaining evidence by
reperformance that the supervisor’s signature was appropriately put on a form authorizing
a transaction?

Also, Ian is now starting to understand what Josh means by “key control.” Josh wants to know
which of the controls identified for each assertion are likely to be the most effective at
preventing the WCGWs from occurring or detecting them if they do occur. Josh would like to
focus testing on these controls and gather sufficient, appropriate evidence to justify reduced
substantive testing and to support an opinion on ICFR.

For example, several controls are usually designed to prevent or detect errors and
misstatements in inventory and sales. In the wholesale sales area at Cloud 9, these controls
include signed delivery receipts, and policies requiring undelivered goods to be returned to
the warehouse at night. Other controls include the use of electronic scanners and matching and
authorizing documents in the dispatch and invoicing process. Ian must identify a key control
for each assertion in the sales cycle and inventory control cycle. At the transaction level,
Ian must identify one strong control for each assertion, or a strong control that covers
several assertions.

IT Application Controls
When the auditor decides to rely on IT application controls, the auditor must use a more com-
plex testing strategy. As noted in Illustration 8.8, the auditor can often test a key decision point
in a software application with a sample size of two. For example, if the auditor is testing an IT
application control that notes an exception of an employee who is not on the master payroll
file, the auditor can test the software with test data. Recognizing that IT application controls
operate in a systematic manner, the auditor will submit one transaction where an employee
is on the master payroll file and the software should process the transaction, and a second
transaction where an employee is not on the master payroll file and the transaction should be
rejected. This is sufficient to determine that the IT application control was functioning when it
was tested. However, the auditor must also test the operating effectiveness of:

1.  Controls over program changes, and/or access to data files. Here the auditor is testing the
ITGCs. The auditor may choose to test controls over any changes to the payroll program
to ensure changes are tested and appropriately approved.
2. Manual follow-up procedures that support the application control. The auditor must focus
on how the client follows up on exceptions. For example, if an employee is rejected be-
cause he or she is not on the master payroll file, what documentary follow-up is generated
to determine why the transaction was submitted to begin with?

If this combined testing strategy is not feasible, the auditor can still rely on IT application
controls by testing them throughout the period of reliance. Using the master payroll file exam-
ple above, assume the payroll is processed weekly. The auditor may choose to select a sample
of employees for weekly payroll processing from throughout the period and compare the em-
ployees with the master payroll file, instead of just testing at a single point in time. (Note: This
obtains assurance that the software is functioning correctly. The auditor must also test the
effectiveness of manual follow-up of any exceptions noted by the software.)
When the client relies on controls over program changes and/or access to data files
(ITGCs), it is efficient for the auditor to test these controls as they may support reliance on
several other application controls (e.g., sales, purchases, payroll). For example, the auditor
may decide to do a system-wide test of access to data files for controls that apply to more than
one software application.
Regardless of which testing strategy is selected, the auditor establishes a basis for conclud-
ing that the underlying processing of data is complete and accurate. The procedures to test con-
trols over program changes and/or access to data files are similar to those used to test manual
controls, and they usually involve inquiry, observation, and examination of physical evidence.
When auditing a private company, the auditor does not need to issue an opinion on ICFR.
Therefore, the auditor may plan to obtain only a limited level of assurance from tests of con-
trols and obtain additional evidence from substantive testing. For example, the auditor may
plan to obtain evidence from a combination of substantive analytical procedures as well as
from substantive tests of details. Using more of a substantive strategy will be discussed in
depth in Chapter 9.

Cloud 9 - Continuing Case


Making sure that testing covers the key controls and provides sufficient, appropriate evidence
of the effectiveness of the controls allows the auditor to support an opinion on ICFR and
reduce the control risk of the related assertion. Josh and Ian discuss how they can design the
control tests to be able to conclude that each control:

•  Operated as it was designed.
•  Was applied throughout the period of intended reliance.
•  Was applied on a timely basis.
•  Encompassed all applicable transactions.
•  Was based on reliable information.
•  Resulted in timely correction of any errors that were identified.

Josh explains that if they can satisfy the above objectives in their design and no exceptions
are found when they perform their tests, the control will be deemed to be effective. If any
exceptions are found, they need to investigate the circumstances. They need to be careful not
to dismiss any exception as a random event, or as unlikely to be a symptom of more extensive
problems. Further, they may need to perform additional procedures to obtain sufficient
assurance to ensure that a material weakness does not exist. This latter action might require
additional testing of another compensating control.

Audit Reasoning Example  Extent of Tests of Controls

Tonya Tran is planning to test controls over cash disbursements for Midwest Wholesale Foods
(MWF). MWF has manual controls over accounts payable, where a payable clerk matches the
vendor invoice with the underlying purchase order and receiving report before booking the lia-
bility. This control happens on every transaction so there are approximately 500 to 750 instances
of the control in a month, and over 7,000 in a year. Tonya would like to assess control risk as low,
so she decides to test controls by taking a random sample of 45 purchase transactions during the
first 9 months.
Tonya finds two transactions where the client cannot produce vendor’s invoices. Tonya also
determined that there were no compensating controls. Tonya’s expected error rate was zero; with
two errors in 45 transactions, Tonya has determined that control risk should be assessed as high,
rather than low, and that substantive tests should be expanded based on the resulting decrease
in detection risk. Tonya also determines that this is a material weakness in internal controls that
should be reported to those charged with governance of the entity.
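
The sample of 45 with zero expected deviations, and the effect of finding one or two deviations in it, can be reproduced with a binomial calculation. This is an added worked example, not the textbook's Illustration 8.8: the 5% tolerable deviation rate is an assumption (the text states only the 90% confidence level), the function names are hypothetical, and the population is treated as large enough for the binomial model.

```python
import math


def zero_deviation_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n for which finding 0 deviations in n items supports, at the
    given confidence, that the true deviation rate is below tolerable_rate.
    Solves (1 - tolerable_rate) ** n <= 1 - confidence for n."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(at most k deviations in n items) when each item deviates with probability p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations: int, n: int, confidence: float) -> float:
    """One-sided upper bound on the population deviation rate: the rate at
    which observing this few deviations would happen only (1 - confidence)
    of the time. Found by bisection because the CDF falls as the rate rises."""
    if deviations >= n:
        return 1.0
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > risk:
            lo = mid  # rate still too low to explain so few deviations
        else:
            hi = mid
    return hi


def supports_low_control_risk(deviations: int, n: int,
                              confidence: float = 0.90,
                              tolerable_rate: float = 0.05) -> bool:
    """True when the upper deviation limit stays within the tolerable rate.
    tolerable_rate=0.05 is an assumed planning parameter, not from the text."""
    return upper_deviation_limit(deviations, n, confidence) <= tolerable_rate


def evaluate_sample(n: int, max_deviations: int = 2) -> dict:
    """Upper limit and reliance decision for 0..max_deviations found in n items."""
    return {
        d: (round(upper_deviation_limit(d, n, 0.90), 4),
            supports_low_control_risk(d, n))
        for d in range(max_deviations + 1)
    }


if __name__ == "__main__":
    n = zero_deviation_sample_size(0.90, 0.05)
    print("planned sample size:", n)
    for found, (limit, ok) in evaluate_sample(n).items():
        print(f"{found} deviation(s) in {n}: upper limit {limit:.1%}, "
              f"low control risk supported: {ok}")
```

With no deviations the upper limit sits just under the assumed 5% rate; a single deviation pushes it above 8%, which is why the text says one deviation rules out assessing control risk as low.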

Timing of Tests of Controls


Illustration 8.9 lays out the timing of a typical audit for a client with a December 31 year-
end. Tests of controls will usually be carried out at an interim date, often about three months
prior to year-end. It is preferable to test entity-level controls and ITGCs early in the audit
process because the results of this testing could impact the nature, timing, and extent of tests
of controls or other procedures the auditor plans to perform. For example, if it is found that
the ITGCs are not effective and cannot be relied upon, more extensive testing of application
controls will need to be performed if the auditor is planning on relying on applications and
software-generated audit evidence.

ILLUSTRATION 8.9   Timing of the audit

[Figure: timeline of the audit for the period covered by the 2022 financial statements
(1/1/2022 to 12/31/2022). Phases shown: risk assessment and audit planning; interim testing;
year-end substantive testing; issue audit report. Dates marked on the timeline: 6/30, 9/30,
11/30, 1/31, 2/15, and 3/31/2023.]

The auditor will also want to complete control testing in time to allow for substantive
testing at an interim date. For example, if the auditor is able to conclude that internal controls
related to the occurrence of sales and the existence of receivables operated effectively during
the first nine months of the year, the auditor is likely to perform substantive tests related to the
existence of receivables (sending confirmations to customers) at the end of October.
When the auditor concludes that control risk is low at an interim date, the auditor also
needs to update that conclusion through to the year-end date. When updating a control risk
conclusion, the auditor should update the evaluation by identifying changes, if any, in the con-
trol environment and in the controls themselves. If changes are identified, consideration is
given to the effect of such changes on their evaluation of the controls. This update is often done
by inquiry, observation, and testing the control again at year-end. In most cases, a client may
not have made significant changes in the control environment or controls between completion
of the interim work and year-end. When this is the case and the auditors have noted an effective
control environment and strong monitoring controls, they may satisfy themselves by inquiry,
observation, and limited reperformance that controls continued to function throughout the
remainder of the period without the need for significant additional detailed tests of controls.
In summary, when the auditor decides on a reliance on controls strategy, tests of controls
are often performed at an interim date (often about three months prior to year-end). If tests of
controls demonstrate that internal controls are strong and function effectively at an interim
date, the auditor still must test the remaining period to ensure that controls functioned effec-
tively throughout the year.

Benchmarking
Benchmarking is an audit testing strategy that can be used to allow evidence obtained in
prior audit periods to support a conclusion about IT application controls in the current audit
period. It can also assist in reducing or eliminating certain substantive audit procedures in
the current and following audit periods. Benchmarking is based on the premise that software
will continue to perform any given procedure in exactly the same way until such time as the
program (or application) is changed. If the auditor can verify that a given program that executes
an application control has not changed since last tested by the auditor, he or she may decide
not to repeat direct tests of the application control in a subsequent period. This period might
extend, for example, from interim through to year-end, or beyond into future audit periods.
The auditor establishes the benchmark at a point in time (for example, at an interim date)
by performing a test of the application control using normal tests of controls (e.g., test data).
Then, at a later point in time (for example at year-end), the auditor determines that the appli-
cation has not been changed or modified since he or she performed the benchmark test of the
application control. In order to verify that there have been no changes, it may be necessary for
the audit team to use a team member with specialist IT assurance skills.
Benchmarking is appropriate when:
•  A programmed control can be matched to a defined program within an application (for
example, the auditor may be able to benchmark the specific program that performs the
invoice extension calculation or interest computation).
•  The application is stable (that is, few changes have happened or are expected to happen
from period to period).
•  A reliable trail of program changes exists (refer to the previous discussion on ITGCs).
This record or trail of program changes is used to identify each change that has been
made to the application and how these changes might impact the audit approach.
It is a matter of professional judgment as to when it is necessary to re-benchmark an
application. Factors to consider in making this assessment are the effectiveness of the ITGCs,
the nature and timing of other related audit tests, and the consequence of misstatements asso-
ciated with application controls that are benchmarked. In some cases, the auditor may choose
to rely on benchmarked controls from year to year. In other instances, the auditor may choose
only to rely on benchmarked controls between interim and year-end.
It is worth noting that while the auditor may not directly test the application in the current
period, the auditor must still perform tests of ITGCs and tests of manual follow-up procedures.
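
One way an IT assurance specialist could verify that a benchmarked program has not changed is to fingerprint it when the control is tested and compare at the later date, reconciling any difference to the program change trail. This is an added example, not a procedure from the text: the use of SHA-256 hashes, the change-record layout, the status names, and the sample programs are all assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def fingerprint(content: bytes) -> str:
    """SHA-256 of a program's deployed bytes."""
    return hashlib.sha256(content).hexdigest()


def take_benchmark(programs: dict[str, bytes]) -> dict[str, str]:
    """Record each program's fingerprint on the date its control was tested."""
    return {name: fingerprint(code) for name, code in programs.items()}


@dataclass(frozen=True)
class ChangeRecord:
    """One entry in the client's program change trail (hypothetical layout)."""
    program: str
    new_sha256: str
    tested_with_test_data: bool
    approved_by_user_dept: bool


def evaluate_benchmark(benchmark: dict[str, str],
                       current: dict[str, bytes],
                       change_log: list[ChangeRecord]) -> dict[str, str]:
    """Classify every benchmarked program at the later date.

    BENCHMARK_HOLDS        unchanged: the earlier application-control test can
                           be carried forward (ITGC and manual follow-up tests
                           are still required, as the text notes).
    RETEST_AND_REBENCHMARK changed, and the change trail shows this exact
                           version was tested and approved: test the control
                           again and set a new benchmark.
    ITGC_EXCEPTION         changed with no matching tested-and-approved change
                           record: a program change control exception.
    MISSING                program is no longer deployed.
    """
    results = {}
    for name, old_hash in benchmark.items():
        if name not in current:
            results[name] = "MISSING"
            continue
        new_hash = fingerprint(current[name])
        if new_hash == old_hash:
            results[name] = "BENCHMARK_HOLDS"
            continue
        authorized = any(
            rec.program == name
            and rec.new_sha256 == new_hash
            and rec.tested_with_test_data
            and rec.approved_by_user_dept
            for rec in change_log
        )
        results[name] = "RETEST_AND_REBENCHMARK" if authorized else "ITGC_EXCEPTION"
    return results


# Constructed sample data: three programs at interim and at year-end.
INTERIM = {
    "invoice_extension": b"total = quantity * unit_price\n",
    "interest_computation": b"interest = principal * rate * days / 365\n",
    "credit_limit_check": b"accept = balance + order <= credit_limit\n",
}
YEAR_END = {
    "invoice_extension": INTERIM["invoice_extension"],            # untouched
    "interest_computation": b"interest = principal * rate * days / 360\n",
    "credit_limit_check": b"accept = True\n",                     # undocumented edit
}
CHANGE_LOG = [
    ChangeRecord("interest_computation",
                 fingerprint(YEAR_END["interest_computation"]),
                 tested_with_test_data=True, approved_by_user_dept=True),
]


def demo() -> dict[str, str]:
    """Benchmark at interim, then evaluate the year-end state."""
    return evaluate_benchmark(take_benchmark(INTERIM), YEAR_END, CHANGE_LOG)


if __name__ == "__main__":
    for program, status in demo().items():
        print(f"{program}: {status}")
```

The comparison is only as reliable as the benchmark record itself, so the recorded fingerprints belong in the audit file rather than on a system the client's developers can modify.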

Selecting and Designing Tests of Controls—A Summary
Illustration 8.10 provides some examples of tests of controls. Examples are provided of both
entity-level controls and transaction-level controls. For each control, you will find a summary
of what can go wrong (WCGW), the control to prevent or detect and correct a misstatement, the
frequency of operation of the control, an example test of control (including sample size), the
evidence obtained, and what would represent an exception evidencing that the control was not
effective. Most of these examples represent the types of controls an auditor might find in a typi-
cal public company. The final example for the transaction-level control is more likely to be used
by a smaller private company. All tests of controls should be performed at an interim date, and
then performed again at year-end to update the conclusion reached at interim and determine
that controls functioned effectively throughout the year.
As you work through Illustration 8.10, ask yourself, “Would this be a key control?”
Cover up some of the columns before reading the full table, and ask yourself, “What would
the sample size be? What evidence would show that the control is effective?” Finally,
recall from this chapter’s section “The Extent of Tests of Controls” that a control exception
exists if (1) the control is not performed, or (2) if the control is performed in an ineffective
manner. Also recall that a control exception (or control deviation) exists if the control did
not function as designed. If the control results in a monetary error that is inconsequential
in magnitude, it is still a deviation from the prescribed control and should be considered a
control exception.

ILLUSTRATION 8.10   Selecting and designing tests of controls—Some examples

Entity-Level Controls

Control Environment
•  What can go wrong: Poor ethics in financial reporting.
•  Example control: Management sets a strong tone at the top about the importance of accuracy in financial reporting.
•  Frequency of operation of the control: Operates daily as important accounting decisions arise, or monthly as part of accounting decision making during month-end closing procedures.
•  Example test of controls: Make inquiries of management and a variety of others in accounting about the tone at the top regarding accuracy in financial reporting. Also read any memos regarding important accounting decisions.
•  Evidence obtained: Primarily inquiry of a variety of personnel to determine if answers are consistent. Also inspection of physical evidence regarding any memos on important accounting decisions.
•  Exception to effective operation of the control: Evidence from lower levels of the organization about weak tone at the top. Also, any evidence of pushing the envelope with aggressive accounting positions.

Risk Assessment
•  What can go wrong: Management has not properly assessed risk and may not have effective controls for risks faced by the entity.
•  Example control: Management reviews risks quarterly (or as significant risks emerge), and documents controls intended to respond to risks.
•  Frequency of operation of the control: Quarterly, or between quarters as significant risks arise.
•  Example test of controls: Make inquiries about risks identified between quarters and actions taken. Select two quarters and inspect documentation of formal quarterly risk assessment to determine the effectiveness of the control.
•  Evidence obtained: Inspection of physical evidence documenting management’s risk assessment and implementation of any new controls.
•  Exception to effective operation of the control: Evidence of failure to consider significant risks, or evidence of failure to place internal controls in place to control significant risks.

Monitoring
•  What can go wrong: Management does not know how effective controls are.
•  Example control: Internal auditor performs regularly scheduled tests of controls.
•  Frequency of operation of the control: Various tests of control are performed on a monthly schedule, on rotating basis throughout the year.
•  Example test of controls: Randomly select tests of controls performed during three months to reperform the test of controls performed by internal auditors.
•  Evidence obtained: Reperformance. The auditor will reperform the tests performed by internal auditors and determine if the same conclusion is reached.
•  Exception to effective operation of the control: In reperforming tests of controls, the auditor reaches a different decision about the effectiveness of internal control based on the internal audit evidence.

Information Technology General Controls
•  What can go wrong: Software applications (e.g., revenue application) may not operate as designed.
•  Example control: All application changes are monitored. All changes must be tested with test data and approved by user departments before the change is put into production with live data.
•  Frequency of operation of the control: By reviewing logs of application changes, the auditor identifies, for example, 10 changes affecting the accounting system through the interim date.
•  Example test of controls: Randomly select three application changes, interview the personnel involved in the change, and reperform controls to confirm that changes were appropriately tested and approved.
•  Evidence obtained: Inspection of physical evidence including inspection of logs of application changes, inquiry of personnel involved in reviewing and approving changes, and reperformance of controls over changes to determine that applications were changed as intended.
•  Exception to effective operation of the control: Any evidence that shows that application changes were not appropriately approved, such as lack of approval of user departments.

Transaction-Level Controls

IT Application Control
•  What can go wrong: Unauthorized sales may be made to customers that are significant credit risks.
•  Example control: Authorization of sales. The software application checks to see that the customer is on the master customer file and compares account balance to credit limit on the customer master file.
•  Frequency of operation of the control: Each transaction.
•  Example test of controls: Test IT general controls to determine that the program is operating effectively. Submit two transactions to test the program itself: one transaction to ensure the program appropriately accepts a transaction, and one to ensure that the program appropriately rejects a transaction.
•  Evidence obtained: Software-based audit techniques. Document the results of submitting test data to test the sales program.
•  Exception to effective operation of the control: Evidence that the software application authorized sales that should not have been authorized, or evidence that the program rejected transactions that should have been authorized based on authorization criteria.

Manual Follow-Up of Exceptions
•  What can go wrong: Software may identify control failures or errors in processing that are not corrected.
•  Example control: Accounting assistant manager receives exception reports and clears items on exception reports, noting resolution of each item.
•  Frequency of operation of the control: Daily.
•  Example test of controls: Select one exception report from each of 45 days, and reperform the manual follow-up procedures to determine that any errors are appropriately corrected.
•  Evidence obtained: Reperformance. Document results of tests of controls in a memo explaining sample selected, reperformance performed, and results of tests of controls.
•  Exception to effective operation of the control: Evidence that items noted as exceptions were not appropriately corrected or resolved on a timely basis.

Segregation of Duties
•  What can go wrong: Fraud risk is increased without segregation of duties.
•  Example control: Segregation of duties between authorization of sales, shipping goods, and recording sales and receivables.
•  Frequency of operation of the control: Segregation of duties must be maintained for each transaction.
•  Example test of controls: Observed segregation of duties while on the client’s premises. Also inspect documents showing evidence of appropriate segregation of duties in the sales process.
•  Evidence obtained: Observation and inspection of documents. Write a memo explaining results of observation and any inspection of documents showing results of tests of segregation of duties.
•  Exception to effective operation of the control: Evidence that duties were not adequately segregated, or that collusion or management override resulted in a breakdown of segregation of duties.

Transaction-Level Controls in a Private Company

IT-Dependent Manual Control
•  What can go wrong: Revenue may be recognized in the wrong accounting period.
•  Example control: Accountant matches software-produced sales invoices with underlying bill of lading and terms of sale on sales order to validate revenue recognition.
•  Frequency of operation of the control: Each transaction.
•  Example test of controls: Select a sample of 25 sales transactions and reperform the manual control to validate that revenue recognition controls functioned effectively on each sample item.
•  Evidence obtained: Reperformance. Document results of tests of controls in a memo explaining sample selected, reperformance performed, and results of tests of controls.
•  Exception to effective operation of the control: Evidence that a transaction was not reviewed or tested for proper revenue recognition, or evidence that the employee review was incorrectly performed.

Cloud 9 - Continuing Case


Josh and Ian are going over a plan for tests of controls that Ian has developed. As Ian reviews
his ideas with Josh, he points out that the plan for testing transaction-level controls in the
payroll process is contingent on strong entity-level controls. Since the payroll system is
automated, the effectiveness of IT general controls will be important. Josh assures Ian that he
and Ian have already been testing IT general controls and other entity-level controls, and that
he believes that these controls are effective.

Ian then walks Josh through tests of controls for each assertion in the payroll process. Suzie
suggests testing IT application controls with test data; however, she notes that testing the
application controls directly is not enough. Based on her walkthrough, when payroll is run
twice a month, exception reports are generated. With a population size of 24 payroll periods,
she suggests a sample size of 4 payroll periods to reperform the manual follow-up procedures.
Josh is happy with the plan and feels that Suzie has a much better understanding of how to
design tests of controls.

Before You Go On
4.1 Name five factors to consider when deciding the extent of tests of controls to be performed.
Give an example of how each factor would result in an increased sample size.
4.2 Explain the audit strategy for testing IT application controls. Why is a sample size of two
sufficient for testing an IT application control? What other tests allow the auditor to use this
smaller sample size?
4.3  Why does the auditor update the interim evaluation of controls at year-end?
4.4 Explain the concept of benchmarking. Why might it be appropriate not to test a key control
that is an IT application control every year?
4.5 Assume that you plan to test the following transaction-level control. In order to ensure that
revenue recognized on each sales invoice is accurate and in the correct amount, the software
application matches the sales invoice quantities with shipping information and prices with
the master price list. Discuss the following: (1) what can go wrong, (2) the frequency of oper-
ation of the control, (3) the sample size for tests of controls, and (4) the procedure you would
use to test the control.

Results of the Auditor’s Testing


Learning Objective 5
Evaluate the results of tests of controls.

When performing tests of controls, the auditor makes a “yes or no” decision. For each sample
item, was the control effective or ineffective? As discussed previously, the auditor uses smaller
sample sizes when the auditor expects no deviations from the prescribed control procedures. Nev-
ertheless, the auditor must be alert for evidence that the control might be ineffective, even if only
once or twice. A control would be ineffective if it was not performed, or if it failed to function as
designed. An IT application control will be ineffective if it fails to put an invalid transaction on
an exception report. Manual follow-up procedures are ineffective if they are not acted upon on a
timely basis, or if client personnel fail to clear items noted on an exception report. For example,
when performing a bank reconciliation, an accountant might determine that interest received for
the month has not been recorded and note it as a reconciling item on the bank reconciliation. If,
however, an adjusting journal entry is not made to record the interest earned, the bank reconcili-
ation has not resulted in correcting the error noted (failure to record interest earned). The auditor
would conclude this is a control exception.
Illustration 8.11 illustrates the decision tree or thought process auditors go through
when assessing the results of their controls testing. If the results of tests of controls confirm
the auditor’s preliminary evaluation of controls, and control risk for the relevant assertion, the
planned substantive audit procedures are not modified.
If the test results do not confirm the preliminary evaluation of controls, the auditor will
consider whether there is a compensating control that might detect and correct a misstatement
missed by the original control being tested. If tests of controls demonstrate that a preventive
control that screens every transaction is not as effective as originally planned, it is possible that
a reconciliation control might detect and correct the same misstatement on a timely basis. For
example, the auditor tested a control that compared every sales bill of lading with each sales
invoice to ensure that all sales were recorded, but exceptions were noted—the control did
not function as planned. However, the auditor later determined that an independent client
employee reconciled total shipments with total billings on a daily basis, and this compensat-
ing control should have identified any unrecorded transactions. In this case, the auditor might
choose to perform tests of controls on the reconciliation control. If the compensating control
proves effective, the evidence now supports the auditor’s preliminary evaluation of controls,
and control risk and planned substantive audit procedures need no modification.
ILLUSTRATION 8.11   Results of testing controls

[Figure: decision tree]
1.  Do tests of controls show that controls are effective?
    YES: Document results and proceed with planned audit strategy.
    NO: Go to question 2.
2.  For internal control exceptions, do compensating controls exist?
    YES: Go to question 3.
    NO: Document results, the effect on control risk assessment, year-end substantive testing,
    and the effect on ICFR report (if appropriate).
3.  Do tests of controls show that compensating controls are effective?
    YES: Document results and proceed with planned audit strategy.
    NO: Document results, the effect on control risk assessment, year-end substantive testing,
    and the effect on ICFR report (if appropriate).

If the auditor extends the testing and another control exception is identified, the auditor
should change the decision to rely on that control. If another (compensating) control is not
available to be substituted for the control being tested, or it is not considered efficient to continue
testing controls, the auditor should modify (and potentially increase) the nature, timing,
and extent of the planned substantive procedures. That is, the audit strategy is altered, and
detection risk is reduced.
In trying to determine whether there is a need for additional detailed tests of controls, the
following factors are considered:

•  Results of inquiries and observations. If, during inquiries or observations later in the audit
process, the auditor identifies that significant changes to processes and controls have
occurred, the auditor’s previous tests of controls may no longer provide a basis for relying
on those controls. Therefore, the auditor may need to identify and test other controls,
perform additional tests of controls, or change the nature or extent of substantive testing
performed at year-end. Changes to processes or controls are significant only if they have
implications for the continued functioning and effectiveness of controls on which the
auditor is relying in the first place.
•  Evidence provided by other tests. Tests of account balances (substantive testing) can often
provide evidence about the continued functioning of controls. For example, when the auditor
evaluates the results of confirmations of accounts receivable, and no exceptions are
found, the auditor has circumstantial evidence that controls over the occurrence of credit
sales and the existence of receivables continue to function. To the extent that the auditor’s
other audit procedures provide evidence of the effectiveness of controls from the date of
interim work to the end of the period under audit, additional tests that otherwise might
be necessary can be reduced.
•  Changes in the overall control environment. An effective entity-level control environment
may allow the auditor to limit tests of controls to inquiry and observation during
the period between when they tested the controls (interim) and year-end. If the auditor
becomes aware of adverse changes in the overall control environment of the entity,
such as a loss of employees or management who perform key controls and who provide
evidence as to the effectiveness of the overall entity control environment, additional tests
of controls may be necessary.

If the auditor determines that an effective compensating control does not exist, or tests
of controls show that the compensating control is not functioning as designed, the auditor
revises the overall audit risk assessment for the related account and assertion, and revises the
planned audit strategy. For example, if the tests of controls indicate that a detective control
related to the occurrence of sales did not function as prescribed and compensating controls are
not available or were not effective, the auditor should revise his or her audit risk assessment
(increase control risk), reduce or eliminate the intended reliance on the control, and reduce
detection risk by designing more extensive substantive audit procedures related to the
occurrence of revenues and the existence of accounts receivable.
The auditor always needs to investigate any control exceptions that he or she identifies
during testing to find out, to the extent practical, the causes, the amounts involved, the
financial statement accounts affected, and the potential effect on other audit procedures. The
auditor is required to document the resolution of any control exceptions, including the impact
on the remaining audit strategy.
Recall from Chapter 6 that the auditor must also determine whether an exception
represents a significant deficiency or a material weakness. As noted in Illustration 8.12, the
auditor determines the severity of a control exception based on a combination of the
likelihood of the control failing to prevent or detect a misstatement and the magnitude of the
potential misstatement to the financial statements. A material weakness and a significant
deficiency are defined as follows:
•  A material weakness is a deficiency, or combination of deficiencies, in internal control
such that there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected, on a timely basis.
•  A significant deficiency is a deficiency, or combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.
Control exceptions that are not severe enough to be classified as a significant deficiency or a
material weakness would be categorized simply as a control deficiency.

ILLUSTRATION 8.12   Internal control deficiencies and auditor action

[Matrix. Vertical axis: Magnitude (High to Low). Horizontal axis: Likelihood, from Remote
(5% to 10%) to Reasonably possible or probable (more than 5% to 10%).]

Auditor action by magnitude of the deficiency:

•  Material: Material weakness. Report on ICFR (public companies only): Adverse Opinion on
ICFR. Report to (public and private companies): Those charged with governance of the entity
and to management.
•  Not material but significant: Significant deficiency. Report on ICFR (public companies
only): Unqualified Opinion on ICFR. Report to (public and private companies): Those charged
with governance of the entity and to management.
•  Neither material nor significant: Control deficiency. Report on ICFR (public companies
only): Unqualified Opinion on ICFR. Report to (public and private companies): Management.

If the auditor is engaged to perform an integrated audit and identifies either a significant
deficiency or a control deficiency, the auditor can issue an unqualified opinion on ICFR. However,
if the auditor determines that a control deficiency is a material weakness, the auditor will
issue an adverse opinion on the company’s ICFR if the material weakness is not remediated by
the fiscal year-end date. Remember, the auditors are performing most of the controls testing
during interim. Therefore, if a material weakness is identified, there is time for management
to correct the material weakness before year-end. Once corrected, management and the auditors
would test the control again to ensure it is operating effectively by year-end. If the auditors
are satisfied that enough time has passed to provide sufficient appropriate evidence that the
control is now operating effectively, the auditors can then issue an unqualified opinion.
Auditors of both public companies and private entities have a responsibility to report
internal control issues to those charged with governance of the entity. This is a requirement
of both PCAOB AS 2201 and AU-C 265 and is usually done through a management letter as
described in Chapter 6. The auditor includes a discussion of both material weaknesses and
significant deficiencies in the management letter. It is also important to note that all control
deficiencies should be reported to management. If a control deficiency is sufficiently small
that it is not reported to those charged with governance, it should still be verbally reported to
management at least one level above where the deficiency occurred.

Audit Reasoning Example  Results of Tests of Controls

Elena Hauge (an audit senior) and Tonya Tran (a seasoned audit staff member) are continuing their
tests of controls on the audit of Midwest Wholesale Foods (MWF). This time, Tonya is testing internal
controls over accounts payable when she brings an issue to Elena. “MWF has a manual control
where every payable is double-checked. I took a sample of 45 transactions, and now I have two transactions
that have been signed off, but MWF cannot produce the vendor invoices. I’m concerned.
With two exceptions, we cannot assess control risk as low.” Elena chimes in, “This may be a bigger
issue. If the client cannot produce the vendor invoices, there may be an increased risk of fraud. You
need to dig deeper on these transactions. Follow through to the cash disbursements. MWF uses
electronic funds transfers. We need to make sure the disbursements actually went to the vendor. Dig
deeper and get back to me. Ultimately, we may need to communicate this to the board of directors.”

Before You Go On
5.1 What does the auditor do when he or she identifies control exceptions? Develop an example
of an internal control exception.
5.2  What is a compensating control? Develop an example of a compensating control.
5.3  Why does the auditor always investigate control exceptions?
5.4  What internal control deficiencies are communicated in an auditor’s report on ICFR?
5.5 What level of internal control deficiencies are reported to management? Explain your
reasoning. What level of internal control deficiencies are reported to those charged with
governance of the entity? Explain your reasoning.

Documenting Conclusions
Learning Objective 6
Document the results of tests of controls.

Once controls have been tested, the auditors document their work in a working paper.
Working paper documentation should include:

•  The auditors’ conclusion about control risk.


•  The basis for their conclusion (e.g., underlying evidence).

In preparing a working paper for tests of controls, the auditor would ordinarily set out
the purpose of the tests of the controls identified. This assists in carrying out the testing by
reminding the auditor of the overall purpose in testing the controls. If the auditor identifies any
exceptions or issues, the auditor should determine if there is an impact on the testing strategy
by considering whether the control exception means that the control no longer meets the
objective of the test. For example, assume that the control selected for testing is a bank
reconciliation and the objective of the test is to verify that a review by the financial controller occurred
on a timely basis. When performing the testing, it was noted that while there was evidence of
the review (a signature), there was no date, so timeliness could not be verified. Therefore, the
auditor is able to conclude that the control operated but the auditor is not able to conclude as
to whether it operated on a timely basis. It would need to be determined whether a compensating
control should be tested, or whether the timeliness of the review is not critical to the
auditor’s ability to rely on the bank reconciliation as audit evidence.
The auditor also documents the test performed, the actual controls selected for testing,
and the results of the testing. There needs to be enough detail regarding the controls selected
to allow another auditor to review the working paper, reperform the steps (if necessary), and
reach the same conclusion as the auditor who prepared the working paper. The results are
often set out in a table to make it easier to review and identify quickly what (if any) exceptions
were identified during the testing. Prior to an overall conclusion being reached for each section
of work performed, the test results table also assists the person reviewing the working paper
to determine if enough work has been performed and if the right conclusion regarding the
controls testing has been reached. The working paper should also include a conclusion specific
to whether the test results support the overall purpose of the test. This is the documentation
standard required by AU-C 230 Audit Documentation and AS 1215 Audit Documentation.
Regardless of how the working papers are prepared and documented, the extent of the auditor’s
documentation will increase as the complexity of the client’s operations, systems, and
controls increases. Also, the more complex the client’s operations and its internal controls,
the more experienced the auditor who performs the work needs to be. Illustration 8.13 is an
example of a working paper relating to controls testing. Note that the working paper clearly
lays out the purpose of the test of the control, the nature and extent of the work performed at
an interim date, the results of the audit tests, and the auditor’s conclusion about control risk.

ILLUSTRATION 8.13   Example test of control working paper

Bell & Bowerman, LLP
Client: New Millennium Ecoproducts
Period-end: 12/31/2022
C1.1 – Bank Reconciliation Controls Testing
Reference: C1.1
Prepared by: DM 10/14/2022
Reviewed by: SO 10/21/2022
Reviewed by: MM 10/25/2022

Purpose of test:
The purpose of this test is to verify that the bank reconciliation control was adequately designed and implemented through the date of interim
testing.
Work performed:
Selected three bank reconciliations from different months, tied the balance as per the bank statement on the bank reconciliation to the bank
statement, tied the balance as per the general ledger to the trial balance, and vouched all reconciling items between the bank statement and
the trial balance greater than $5,000 to supporting documentation to ensure valid reconciling items and that the reconciliation had been
performed correctly. Ensured the reconciliations had been prepared and reviewed on a timely basis, based on dates on the reconciliation,
inquiry, and observation of procedures in October 2022.
Findings/results of testing:
Selected bank reconciliations for the months of February, April, and September 2022. No errors noted in the preparation of the reconciliation.
All were dated and reviewed within seven days of month-end. Considered this to be on a timely basis.
Conclusion:
Based on testing performed, the bank reconciliations appear to have been designed, implemented, and operated effectively for the nine
months ended September 30, 2022. Control risk is assessed as low for the following assertions: existence of cash, completeness of cash, and
valuation of cash.

After the auditor has completed testing controls, and drawn a conclusion about control
risk, the auditor will want to make decisions about the nature, timing, and extent of substantive
testing. These topics are discussed in Chapter 9.

Cloud 9 - Continuing Case


Josh and the rest of the audit team have finished testing and assessing the controls at Cloud 9.
In a few instances, they had to perform additional testing to investigate the deviations or
exceptions discovered during initial testing. In these cases, they also tested compensating
controls that existed. They sent their completed working papers to Sharon Gallagher, the audit
manager, and Jo Wadley, the partner. The more senior members of the audit team must review
the results of the controls testing and judge whether there is sufficient appropriate evidence
to support the decision to continue to use a reliance on controls approach to the audit, and to
assess that there were no material weaknesses. Sharon Gallagher and Jo Wadley are looking at
the tests of controls from the perspective of whether the team has tested the right entity-level
controls, as well as key controls for material assertions in the financial statements.
Josh has been busy over the past few days answering questions from Sharon and Jo about
particular aspects of the controls testing, but it now seems that all issues have been resolved
satisfactorily. Although the team has been concentrating on controls testing, the plans for
substantive testing are well advanced and attention now turns to this phase of the audit.

Before You Go On
6.1 What information does the auditor need to include in the audit working papers when
documenting the results of the controls testing?
6.2 Which auditing standard sets the minimum level of documentation required in the working
papers stored in the audit files?
6.3 What is the impact on the extent of required substantive testing if inherent risk is high and
no assurance has been obtained from controls testing?

Learning Objectives Review


1  Describe the steps in assessing control risk.

The seven steps involved in assessing control risk are (1) understand
entity-level controls, (2) understand the flow of documents through
the system for each transaction cycle, (3) identify what can go wrong
(WCGW), (4) identify relevant controls to test, (5) perform tests of
controls, (6) evaluate evidence and assess control risk, and (7) report
findings to those charged with governance and, if relevant, in a report
on ICFR.

2  Explain the different types of controls that an auditor
might encounter.

There are two primary types of controls, manual and automated.
Types of automated, or IT, controls include IT general controls
(ITGCs), IT application controls, and IT-dependent manual controls.
Each of these types can be described as either a preventive control or
a detective control. Preventive controls, as the name suggests, prevent
errors from occurring. Detective controls detect the error after it has
occurred and rectify the error on a timely basis.

3  Explain the types of evidence that can be used to
support a test of controls.

Five key procedures are used for testing controls: inquiry (questions
are asked regarding the operation of the control), observation (the
operation of the control is observed as occurring), inspection (of
physical evidence resulting from the performance of the control),
reperformance (when the auditor reperforms the control to test its
effectiveness), and software-assisted audit techniques (when the
auditor uses software to test automated controls).

4  Determine how to select and design tests of controls.

The selection of which controls to test is a matter of professional
judgment. Illustration 8.5 provides a list of factors that influence the
auditor’s decision about which controls to test. The extent of testing
of controls (that is, how many to test) is also a matter of professional
judgment, although sampling techniques are available. Illustration 8.6
explains the factors that influence sample size for a test of controls
and Illustration 8.8 provides an example of how sample size is
influenced by the frequency at which the control is performed during the
year (e.g., some controls may function only monthly or quarterly).
Auditors usually perform tests of controls at an interim date, and
then they update their conclusions at year-end to ensure that the
controls continued to function as designed during the remainder of
the year. In some cases, the auditor may be able to use a benchmarking
technique to test use of software applications from prior years,
if the auditor is able to obtain evidence that the software application
has not changed.

5  Evaluate the results of tests of controls.

When performing tests of controls the auditor must determine in each
instance whether the control did or did not function as designed. If
tests of controls reveal exceptions (the control did not function as
designed), the auditor should consider whether compensating controls
exist, and whether the compensating control is likely to be effective.
If control exceptions are found, they should be classified as control
deficiencies, significant deficiencies, or material weaknesses.
Illustration 8.12 summarizes how these classifications affect the auditor’s
decisions about what should be reported to those charged with
governance of the entity, and what should be reported in the auditor’s
report on ICFR.

6  Document the results of tests of controls.

The purpose of the tests of controls, selection of controls to test,
results of the controls testing performed, and conclusion regarding
the design and implementation of the controls are all documented
in a working paper. This working paper is then reviewed by a more
experienced auditor to determine if sufficient work was performed
and if the appropriate conclusion was reached. Ultimately, the results
of tests of controls should influence the auditor’s audit strategy. If
the controls are effective, the auditor may continue with a reliance
on controls approach. If controls are ineffective, the auditor must
decide how to modify the nature, timing, and extent of substantive
tests.

Key Terms Review


Attribute sampling
Benchmarking
Control exception (deviation)
Desired level of assurance
Detective controls
Expected rate of deviation in the population
Preventive controls
Tests of controls (controls testing)
Tolerable deviation rate
What can go wrong (WCGW)

Audit Decision-Making Example

Background Information
You are auditing the revenue process for Haven Company. Your
firm previously tested Haven’s IT general controls and determined
that these entity-level controls are effective. Also, tests show the
company has a sound control environment. Haven has IT application
controls that screen every sales transaction. The software
matches the information supporting the sales invoice with underlying
shipping documents and the sales order before a sales invoice
is recorded. The customer information from the customer master
file is matched with the customer information on the bill of lading,
the quantities billed are matched with the packing slip, prices are
matched with the sales order, and the invoice date is matched with
the accounting period in which goods are shipped. If the transaction
does not exactly match the underlying information, it is not
processed, and it is printed on a daily exception report. A data control
clerk investigates any items on the exception report each morning
and corrects any errors to ensure that the invoice is correct.

Identify Audit Issues
Explain the tests of controls that need to be performed to assess control
risk at a low level based on the internal controls described above.

Gather Additional Information and Evidence
The key issues are that tests of controls have shown a strong control
environment and strong IT general controls at the Haven Company.

Analysis and Evaluation of Alternatives
To assess control risk as low, the auditor needs to test IT application
controls and related manual follow-up of exception reports.

Audit Conclusion
1. The auditor can test IT application controls with test data.
The auditor should submit the following:
•  Data where all information matches and the software
should process the transaction.
•  Data where information does not match at each decision
point (e.g., a transaction where customer information does
not match, a transaction where quantities do not match, a
transaction where prices do not match, and a transaction in
the incorrect accounting period).
2. The exception reports are printed daily (approximately 260
exception reports based on five per week for 52 weeks). To assess
control risk as low, the auditor should select 45 exception
reports at random (see Illustration 8.8), and reperform the
control to determine that each transaction appearing on the
exception report was correctly resolved and that the revenue
transactions were correctly recorded.
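
The test-data approach in Audit Conclusion item 1, sketched as an added Python example (it is not from the textbook or from any client system). It models the four match checks described for Haven, submits one matching item and one mismatch per decision point, and shows how the same deck exposes a control that does not function as designed. All names, field layouts, the calendar-month period assumption, and the weakened variant are hypothetical; the transactions are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class SalesTransaction:
    """A candidate invoice and the documents it must agree with (hypothetical layout)."""
    invoice_customer: str       # customer per the customer master file
    bol_customer: str           # customer per the bill of lading
    qty_billed: int
    qty_packing_slip: int
    price_billed: Decimal
    price_sales_order: Decimal
    invoice_date: date
    ship_date: date


def same_period(a: date, b: date) -> bool:
    # Assumption: accounting periods are calendar months.
    return (a.year, a.month) == (b.year, b.month)


def application_control(txn: SalesTransaction) -> set:
    """Return the set of failed match checks; an empty set means the invoice is processed."""
    failures = set()
    if txn.invoice_customer != txn.bol_customer:
        failures.add("customer")
    if txn.qty_billed != txn.qty_packing_slip:
        failures.add("quantity")
    if txn.price_billed != txn.price_sales_order:
        failures.add("price")
    if not same_period(txn.invoice_date, txn.ship_date):
        failures.add("period")
    return failures


def weakened_control(txn: SalesTransaction) -> set:
    """Hypothetical defective build: price differences under 1.00 are silently accepted."""
    failures = application_control(txn) - {"price"}
    if abs(txn.price_billed - txn.price_sales_order) >= Decimal("1.00"):
        failures.add("price")
    return failures


def screen(control, transactions):
    """Apply the control to a day's transactions: (processed, exception_report)."""
    processed, exception_report = [], []
    for txn in transactions:
        failures = control(txn)
        if failures:
            exception_report.append((txn, sorted(failures)))
        else:
            processed.append(txn)
    return processed, exception_report


# Constructed test data: one clean item, then one mismatch per decision point.
BASE = SalesTransaction("C-1001", "C-1001", 40, 40,
                        Decimal("12.50"), Decimal("12.50"),
                        date(2022, 9, 28), date(2022, 9, 28))
TEST_DECK = [
    ("all fields match", BASE, set()),
    ("customer mismatch", replace(BASE, bol_customer="C-2002"), {"customer"}),
    ("quantity mismatch", replace(BASE, qty_billed=45), {"quantity"}),
    ("price mismatch", replace(BASE, price_billed=Decimal("12.95")), {"price"}),
    ("wrong period", replace(BASE, invoice_date=date(2022, 10, 1),
                             ship_date=date(2022, 9, 30)), {"period"}),
]


def run_test_deck(control, deck=TEST_DECK):
    """Return the control exceptions: test items whose outcome differs from the expected one."""
    exceptions = []
    for label, txn, expected in deck:
        actual = control(txn)
        if actual != expected:
            exceptions.append((label, sorted(expected), sorted(actual)))
    return exceptions


if __name__ == "__main__":
    for name, control in [("as designed", application_control),
                          ("weakened", weakened_control)]:
        print(name, "->", run_test_deck(control) or "no exceptions")
```

An empty result from `run_test_deck` supports the conclusion that the application control rejects each kind of mismatch; any entry is a control exception to investigate before relying on the control.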

Multiple-Choice Questions
1.  (LO 1, 4)  The auditor decides which controls to test by
considering:
a.  the points at which fraud or error can occur.
b.  the nature of controls implemented by management.
c.  the significance of each control in achieving its control
objective.
d.  All of these answer choices are correct.

2.  (LO 1, 4)  When obtaining an understanding of internal controls,
the auditor identifies important programmed application controls
over the occurrence of sales. However, the auditor also has serious
concerns about the adequacy of the control environment due to a
weak tone at the top about control consciousness. Which of the
following best describes how the auditor should respond to this situation
when planning tests of controls related to the occurrence of sales?
a.  The auditor could assess control risk as low for an assertion
after performing software-based audit techniques on controls
relevant to that assertion.
b.  The auditor could assess control risk as low for an assertion
after performing software-based audit techniques on controls
relevant to that assertion and assessing the adequacy of
segregation of duties.
c.  The auditor will probably assess control risk at the maximum
irrespective of the quality of the programmed application
controls.
d.  The auditor could assess control risk as low for an assertion if
ITGCs are tested and shown to be strong.

3.  (LO 2)  A software application will not allow a sale to be
processed if a customer is over its credit limit. This is an example of a(n):
a.  detective control.
b.  preventive control.
c.  IT general control.
d.  IT-dependent manual control.

4.  (LO 2)  The software application compares all sales invoices with
underlying shipping information on the bills of lading and packing
slips with sales invoices. If differences are revealed, a report is
generated for review and follow-up by the billing supervisor. This is an
example of a(n):
a.  detective control.
b.  preventive control.
c.  IT general control.
d.  IT-dependent manual control.

5.  (LO 2)  ITGCs are important because they:
a.  prevent unauthorized personnel from having access to data
and applications.
b.  impact the effectiveness of manual controls.
c.  prevent the reliability of electronic audit evidence.
d.  allow client staff to change programs without needing to
receive authorization for the change.

6.  (LO 2)  Which of the following represents an example of an IT
application control?
a.  The assistant controller performs a monthly bank reconciliation
and follow-up of unexpected outstanding items.
b.  The accounts receivable manager reviews credit balances in
accounts receivable quarterly to determine their causes.
c.  The software application compares all sales invoices with
underlying shipping information on the bills of lading and
packing slips with sales invoices. If differences are revealed,
a report is generated for review and follow-up by the billing
supervisor.
d.  All changes to software applications must be reviewed and
approved by the department affected by the application.

7.  (LO 3)  An auditor is going to test the client’s controls over bank
reconciliations. The auditor will perform which of the following audit
procedures for this test of controls?
a.  Software-based audit techniques using test data.
b.  Inquiry of the person performing the bank reconciliation.
c.  Reperformance of the bank reconciliation procedure.
d.  Inquiry of the person performing the bank reconciliation and
reperformance of the bank reconciliation procedure.

8.  (LO 4)  Which of the following would require the auditor to
increase the level of control testing for a particular control?
a.  The control is performed monthly instead of daily.
b.  There are several controls relating to a particular audit
objective.
c.  The WCGW addressed by the control is not very important.
d.  A high degree of reliance is to be placed on the control to
limit the amount of substantive testing required.

9.  (LO 4)  Benchmarking is a process that involves:
a.  comparing the effectiveness of one control with another
control.
b.  an audit strategy that allows an auditor to rely on IT application
controls if manual follow-up procedures are strong.
c.  an audit strategy that allows the auditor to use evidence from
testing an IT application control in a prior period, if the
application has not been changed.
d.  an audit strategy that allows the auditor to test only identified
key controls rather than all controls used by the client.

10.  (LO 4)  If an auditor decides to assess control risk as low based
on IT application control procedures, which of the following would
not be part of the auditor’s strategy for testing controls?
a.  Testing the effectiveness of IT general control procedures.
b.  Testing the effectiveness of management review controls
used to monitor the results of operations.
c.  Testing the effectiveness of manual follow-up procedures.
d.  Testing the effectiveness of the application with test data.

11.  (LO 5)  If an auditor performs tests of controls and determines
that the control is not effective, what should the auditor’s next step in
testing controls be?
a.  Document the results of tests of controls and proceed with a
primarily substantive approach.
b.  Determine if a compensating control exists.
c.  Perform tests of controls on compensating controls.
d.  Document the results of tests of controls and proceed with
the planned audit strategy.

12.  (LO 6)  Working papers:
a.  document the auditor’s conclusion about control risk and the
basis for that conclusion.
b.  are necessary for the first-year auditor to keep track of the
daily work but are not important to the overall audit.
c.  document the results of the tests but not the purpose of the
control selected for testing.
d.  document the purpose of the control selected for testing and
the conclusion made by the auditor but not the results of
the test.

Review Questions
R8.1  (LO 1)  Identify the eight steps performed in assessing control
risk and place them in the proper order.
R8.2  (LO 2)  Explain the purpose of (a) preventive controls and
(b) detective controls. Why would it be important for an entity to have
both types of controls?
R8.3  (LO 2)  Explain why reconciliations, such as bank reconciliations,
are classified as detective controls.
R8.4  (LO 2)  Explain the difference between automated and manual
controls.
R8.5  (LO 2)  Explain the three types of ITGCs. Why are they “general”
controls? Explain why they are important controls.
R8.6  (LO 3)  What are the five procedures used for tests of controls?
Explain them and comment on the reliability of the evidence obtained
from each.
R8.7  (LO 4)  Does an auditor have to test every control? Explain
your answer.
R8.8  (LO 4)  What factors do auditors consider when deciding how
much control testing to do?
R8.9  (LO 4)  Explain the concept of benchmarking and its benefits
to the auditor.
R8.10  (LO 4)  Identify the factors that influence sample size in a test
of controls. Provide an example related to each factor in terms of how
it would potentially increase the level of control testing.
R8.11  (LO 5)  Explain the relationship between the results of tests
of controls and substantive testing.
R8.12  (LO 6)  Explain the process of documenting the auditor’s
conclusions. What must be documented?

Analysis Problems
AP8.1  (LO 1)  Basic   Assessing control risk and audit strategy  As an audit manager at Gung &
Ho, CPAs, you have been scheduled to serve as the discussion leader for an in-office training session on
consideration of the internal control structure in a financial statement audit. Gung & Ho’s audit practice
consists of audits of privately owned companies and not-for-profit organizations.

Required
Prepare an outline of comments you plan to make to indicate similarities and differences in how each
of the following items is handled under a primarily substantive approach versus a reliance on controls
approach.

a.  Understand entity-level controls.


b.  Understand the flow of transactions.
c.  Identify what can go wrong (WCGW) for financial statement assertions.
d.  Identify relevant controls to test.
e.  Determine preliminary audit strategy.
f.  Perform tests of controls.
g.  Evaluate audit evidence, assess control risk, and reevaluate audit strategy (if necessary).
h.  Report internal control weaknesses to those charged with governance.

AP8.2  (LO 2)  Basic   IT controls—password  The client company assigns each new employee
a user profile and password for the client’s IT system. The first time new employees log onto a company
desktop computer, they are automatically forced to change their password. Passwords must be changed
every 30 days.

Required
Explain what type of control the above information describes. Discuss the control’s strengths and
weaknesses.

AP8.3  (LO 2)  Basic   IT controls—suppliers  Within the client’s IT system, supplier information is
contained in a supplier master file (SMF). Each supplier has a unique supplier code. If the purchasing
clerk attempts to place an order from a supplier not in the SMF, the order cannot be processed.

Required
Explain what type of control the above information describes. Discuss the control’s strengths and
weaknesses.

AP8.4  (LO 2)  Moderate   Preventive controls  Alabama Industries manufactures and wholesales
small tools. It sells the tools to a large group of regular customers and makes most sales by telephone to
this group. Additionally, it receives orders online from its sales team, which signs up new customers within the
sales area. In the past, Alabama Industries has had trouble with customers who do not pay their accounts
on time. Despite instructing the sales team not to make sales to customers before their creditworthiness
has been assessed, sales are still being made to new customers before their limits have been set and to
existing customers beyond their credit limit. Also, an economic downturn has started to impact its customers,
and Alabama’s management is concerned about the possibility of increasing bad debts.

Required
a.  What sort of preventive control could be used to deal with the problems faced by Alabama
Industries? Explain how the control would work.
b.  Assume the preventive control is implemented, and during this year there have been no sales to
customers that have taken any customer beyond its credit limit. What are two possible explanations
for this that the auditor must consider?
c.  If an auditor finds two sales transactions during the year that exceed a customer’s credit limit at the
time of the sale, what conclusion would the auditor draw from this evidence? What other evidence
could the auditor consider before concluding that the preventive control has failed?

AP8.5  (LO 2, 3, 4)  Moderate   Testing bank reconciliation controls  You are testing the controls
over bank accounts for your audit client, Louisiana Liquidators. You note that the responsibility for bank
reconciliations has changed due to a corporate reorganization halfway through the current fiscal year.
Both the staff member performing the bank reconciliations and the supervisor have changed. You are
able to talk only to the current staff member and supervisor because the prior staff members took a voluntary
severance package and left the client’s employment three months ago.

Required
a.  What procedures are available for you to gather evidence about the bank reconciliations? Explain
how you would use each procedure and comment on the quality of the evidence obtained from each.
b.  When you ask the employee responsible for bank reconciliations about how bank reconciliations are
performed, there is a possibility that you will not be told the whole truth about the performance of
the reconciliations. Given this, will you bother to ask? Explain.
c.  Explain the impact of the staff changes on your controls testing program.

AP8.6  (LO 2, 4)  Moderate   Inventory program controls  Dakota Drapers supplies custom-fitted
curtains and blinds to retail customers. It has recently expanded to offer a wide variety of home decorating
products through its six stores across the state. After some initial problems with inventory control, the
client installed a new automated inventory system in April this year (the fiscal year end is December 31).
The system replaced another automated system that had been modified so often over the years that the
auditors had advised Dakota’s management that they did not regard it as reliable. That is, in the past, the
auditors were unable to rely on the old system sufficiently to assess control risk for inventory as anything
less than high.

Required
a.  Explain the normal process an auditor would expect to find in the client’s system governing changes
to software applications. Why is an auditor concerned about application changes?

b.  Dakota Drapers’ fiscal year-end is December 31. Does the auditor need to obtain evidence about
the performance of the inventory control system from every month in the year or from a sample of
months? Explain.
c.  If the auditor conducts tests of the inventory controls at an interim date, is it appropriate to conclude
that the controls are effective up through the end of period date? Explain your reasoning.

AP8.7  (LO 4, 5)  Moderate   Internal controls from prior year  The first-year auditor on the engagement
has suggested that since no exceptions were detected in previous years, no work on internal
controls is required because last year’s evidence will be sufficient.

Required
a.  Explain why the first-year auditor’s suggestion may or may not be appropriate and outline what
work is required.
b.  Explain the concept of benchmarking. Why is it appropriate for an auditor to use a benchmarking
audit strategy that uses information from tests of controls performed in prior years?

AP8.8  (LO 5)  Basic   Public Company   Results of testing controls  The lead auditor was review-
ing the results of testing controls in the payroll expense area for a public company. The documentation
for the testing showed that there was one instance of a part-time staff member being paid an incorrect
hourly rate.

Required
a.  Explain why the result shows a control exception (deviation).
b.  Does the materiality of the exception influence the auditor’s conclusion about whether there is a
deviation?
c.  If the auditor selects a sample size of 45 for an IT-dependent manual control over payroll and finds
one exception, what should the auditor conclude?

AP8.9  (LO 6)  Challenging   Research   Comparison of standards  Explain the differences between
an audit of internal controls as required by PCAOB AS 2201 and the testing of internal controls
for the purposes of expressing an opinion on the financial statements as mandated by AU-C 315. Refer to
the standards in your answer.

Audit Decision Cases


Virginia Creepers
Question C8.1 is based on the following case.

Arne Adams, the audit senior, is reviewing the working papers written by the audit staff on the audit
of Virginia Creepers, a garden nursery and retailer of garden accessories. Arne reads the following
description of the results of testing of inventory controls written by the audit staff member:

The inventory manager advises that no changes have been made to the inventory programs
during the current fiscal year. There are no documents on file authorizing program changes, 
so I conclude the inventory manager’s statement is true. The inventory manager also advises
that management did not attempt to override any controls relating to inventory. There are
no memoranda or emails from management on file instructing the inventory manager to go
against procedures, so I conclude the inventory manager’s statement is true. The audit staff
member concludes that the inventory controls have not been changed or overridden during the 
fiscal year, so the results of the interim testing of controls can be relied upon.

C8.1  (LO 3, 4, 5, 6)  Challenging   Control testing results and documentation

a.  Analysis: Examine the statements by the audit staff member. What deficiencies in the testing can
you identify?
b.  Evaluation: If the results of testing one control show that the control is not effective, does the auditor
have to increase substantive testing? What other options are available to the auditor?

Frankel Factors
Question C8.2 is based on the following case.

The audit senior on the audit of Frankel Factors is preparing the audit plan for the year ended June 30,
2023. The following notes relate to the payroll application system that went live on January 1, 2023:
1. The new payroll application is more complex than the old system, but its reporting function provides
more detail. For example, the new application calculates leave, pension, payroll tax, and employee
benefit expenses, as well as the corresponding accruals.
2. Due to the brief time available to implement the new system, the previous application ceased operation
on December 31, 2022, and the new application went live on January 1, 2023, without running
parallel with the previous application. Staff training and testing of the new application was limited.
3. Access to the master files is restricted to the payroll supervisor and her assistant. Access to transaction
files is restricted to payroll staff who are responsible for the processing of bi-weekly and monthly pay.
Prior to the introduction of the new payroll application system, the payroll master file and transaction
files were kept in a separate database from the general ledger application. At the end of each month,
the IT staff imported transaction data from the database into the general ledger. Management decided
to upgrade the existing accounting system due to the frequent problems encountered by IT staff when
importing data into the general ledger.

C8.2  (LO 2, 4)  Challenging   Payroll controls


a.  Analysis: Based on the information above, explain two concerns about the payroll application’s inte-
gration with the general ledger application.
b.  Analysis: Describe one IT application control to ensure the accuracy of the salaries and wages expenses
transaction.
c.  Analysis: Describe one IT application control to ensure the occurrence of the salaries and wages
expenses transaction.
d.  Evaluation: Design and describe in detail appropriate tests of controls you would use to satisfy your-
self about the effectiveness of these internal controls.

Mobile Security, Inc.


Question C8.3 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products
are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military product
designs, both the facilities and records of MSI must be highly secured.
In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that
had been developed in-house. The old system could no longer keep up with the complex and detailed
manufacturing costing process that provides information to support competitive bidding. MSI’s IT department,
together with the consultants from the software company, implemented the new inventory
costing system which went live on December 1, 2022. Key operational staff and the internal audit team
from MSI were significantly engaged in the selection, testing, training, and implementation stages.
The inventory costing system uses various manufacturing costing and unit of production inputs to
calculate and produce a database of all product costs and recommended sales prices. It also integrates
with the general ledger each time there are product inventory movements such as purchases, sales, waste,
and damaged inventory losses.
It is now February 2023 and you are beginning the audit planning for the June 30, 2023, annual
financial statement audit. You are assigned to assess MSI’s IT controls with particular emphasis on the
recent implementation of the new inventory costing system.

C8.3  (LO 3, 4)  Challenging   Public Company   IT application controls  Analysis: MSI’s new
inventory costing system integrates with its sales system. MSI integrated an IT application control that
checks each sales transaction to ensure that it is supported by shipping documents, packing slip and bill
of lading, before a sales invoice is created.
a.  How would you test the IT application control described above?
b.  What assertion is controlled by the IT application control described above?
c.  In order to rely on the IT application control, what other evidence is needed if the auditor wants to
assess control risk as low?

Brookwood Pines Hospital


Question C8.4 is based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit
hospital. The fiscal year-end for Brookwood Pines is June 30.  You are performing the audit for the 2023
fiscal year-end, and the audit is currently in the risk assessment phase.
The healthcare industry can be very complicated, especially in the area of billing for services provided.
BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing
staff to treat patients. The physicians in the private group are not employees of the hospital; they are
simply using the hospital facilities to treat patients. For example, a group of urologists have their own
practice, separate from the hospital, where they treat their patients. If one of their patients needs a surgical
procedure that must be done at a hospital, then the attending urologist will approve the paperwork
required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients
to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the
hospital for the doctors to use when they are treating their patients in the hospital.
After the doctor and hospital services are provided to the patient, the patient and/or the patient’s
insurance company is billed. The doctor will bill for the services he or she provided, and the hospital
will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is
standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS.
Using a coding system is more efficient and data-friendly compared to writing a narrative about the
procedures performed. However, the coding system is very complex, with thousands of different codes
for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by
government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government
regulations surrounding billings to Medicare and Medicaid.
As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent
profitability. They look for ways to keep costs low and also to collect from patients and insurance companies
as quickly as possible. In addition, BPH must have a strong risk management team to handle unique
situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state
department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians
decide to contract with a competing hospital.

C8.4  (LO 2, 3, 4)  Challenging   Evaluating internal control  Analysis: Brookwood Pines has a
large number of employees and it is important for the payroll system to have controls to ensure that employees
actually worked the hours they are paid for. Answer the following items:
a.  Determine the key assertion at risk.
b.  Describe a practical preventive internal control that would directly address the risk.
c.  Describe a practical detective internal control that would directly address the risk.
d.  Explain the test of controls you would perform to test the control in your answer to (b), including
the evidence that you would obtain.
e.  Describe the evidence of an exception to the internal control in your answer to (b).
f.  Explain the test of controls you would perform to test the control in your answer to (c), including
the evidence that you would obtain.
g.  Describe the evidence of an exception to the internal control in your answer to (c).

Cloud 9 - Continuing Case


Effective internal controls at the transaction level are designed to prevent or detect and correct
material misstatements that could occur within the flow of transactions. In the case study assignment
in Chapter 6, you were required to identify potential misstatements and affected assertions within
the wholesale credit sales.
Answer the following questions based on the information presented for Cloud 9 in the appendix to
this text and the earlier chapters. You should also consider your answers to the case study
questions in earlier chapters.

Required
a.  For each assertion related to wholesale credit sales, identify a key control in Cloud 9’s system of internal control.
b.  For each key control identified in (a), explain how you would test the control.
c.  For each control identified in (a), explain the evidence that would lead the auditor to believe that there was a deviation from the prescribed control.

Chapter 9
Risk Response
Performing Substantive Procedures

[Figure: The Audit Process. Flowchart of the audit stages and the chapters that cover them: Overview of Audit and Assurance (Chapter 1); Professionalism and Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4); Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Gaining an Understanding of the System of Internal Control (Chapter 6); Make Preliminary Risk Assessments; Develop Responses to Risk and an Audit Strategy; Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10); Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13); Completing and Reporting on the Audit (Chapters 14 and 15); Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting.]


Learning Objectives

LO 1  Demonstrate how audit risk, management assertions, and substantive procedures are linked.
LO 2  Describe methods of risk response at the financial statement level.
LO 3  Explain and analyze factors that impact the nature of substantive procedures at the assertion level, including the use of audit data analytics.
LO 4  Explain and analyze factors that impact the timing of substantive procedures at the assertion level.
LO 5  Explain and analyze factors that impact the extent of substantive procedures at the assertion level.
LO 6  Explain and apply audit procedures used to audit accounting estimates.
LO 7  Describe how auditors document the results of substantive procedures.

Auditing and Assurance Standards

PCAOB

AS 2301  The Auditor’s Responses to the Risks of Material Misstatement
AS 2305  Substantive Analytical Procedures
AS 2501  Auditing Accounting Estimates
AS 2502  Auditing Fair Value Measurements and Disclosures
AS 2810  Evaluating Audit Results

Auditing Standards Board

AU-C 240  Consideration of Fraud in a Financial Statement Audit
AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 330  Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
AU-C 450  Evaluation of Misstatements Identified During the Audit
AU-C 510  Opening Balances—Initial Audit Engagements, Including Reaudit Engagements
AU-C 520  Analytical Procedures
AU-C 540  Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures

Cloud 9 - Continuing Case


Suzie Pickering has experience in the clothing and retail industry, which is why she was assigned
to the Cloud 9 audit. Suzie is mentoring Ian Harper, a first-year staff on the audit team, and they
are working together on the detailed substantive test program.
Ian remembers that Suzie used analytical procedures in the risk assessment phase and she explained
to Ian how useful they could also be in the risk response phase. Ian suggests that they plan to rely
extensively on analytical procedures for Cloud 9’s substantive tests. He is very enthusiastic and
wants to put analytical procedures in the plan for all transaction processes and major balances
because he believes analytical procedures are very efficient for the audit team to perform. Suzie
is more cautious. Although she will definitely plan to use some analytical procedures, she knows
they will also need other types of tests. “Why?” asks Ian. “How do I know when to only use analytical
procedures? What other tests do we need?”

Chapter Preview: Audit Process in Focus


Finding an appropriate combination of audit procedures to minimize an engagement’s audit
risk is a challenge. The purpose of this chapter is to describe the part of the risk response
phase often referred to as performing substantive procedures. The overall objective of substantive
procedures is to supplement risk assessment procedures and controls testing the auditor
may have performed (discussed in Chapters 3, 4, and 8), and ultimately to determine that the
underlying accounting records are fairly presented and reconcile to the financial statements.
In this chapter, we will revisit audit risk and management assertions, linking them to the
nature, timing, and extent of substantive audit procedures. The types of substantive procedures
we will discuss in this chapter include analytical procedures, substantive tests to follow
up on notable items identified when performing audit data analytics (ADA) as a risk assessment
procedure, and tests of details of transactions and balances, including ADA used as a
substantive test. We will also describe the nature of accounting estimates and procedures used
for the audit of accounting estimates. The last section of the chapter discusses the documentation
of substantive procedures in the audit working papers.

Audit Risk and Substantive Procedures


LEARNING OBJECTIVE 1
Demonstrate how audit risk, management assertions, and substantive procedures
are linked.

As discussed in Chapter 3, an audit strategy is developed in response to the risk assessment for
each significant account and assertion using the formula for audit risk. An audit strategy can
take a reliance on controls approach, a substantive approach, or a combination of both. With a
substantive approach, auditors will rely more on substantive procedures. The term substantive
comes from substantiate, which means auditors gather evidence to support the transactions,
account balances, and disclosures provided by management in the financial statements.

substantive procedures  audit procedures designed to detect material misstatements at the
assertion level and to gather evidence to support management assertions

After auditors have completed testing controls and drawn a conclusion about control risk
(Chapter 8), they make decisions about the nature, timing, and extent of substantive testing.
Illustration 9.1 diagrams the relationship between the risk of material misstatement (RMM)
and decisions about the nature, timing, and extent of substantive procedures. Recall that an
inverse relationship exists between the auditors’ assessed RMM (combined inherent and control
risk) and detection risk. For example, when RMM is assessed as low, detection risk is high.
Look over the figure and then let’s consider an example.

ILLUSTRATION 9.1  Impact of risk of material misstatement (RMM) on level of substantive testing

Combined assessed levels of inherent risk and control risk (RMM):  Maximum | High | Moderate | Low
Acceptable level of detection risk:                                Very low | Low | Moderate | High
Substantive tests:
  Nature (what evidence):                                          More effective | Less effective
  Timing (when to collect evidence):                               Year-end | Interim
  Extent (how much evidence):                                      Larger sample sizes | Smaller sample sizes

As we discuss an example, refer to Illustration 9.1 and follow along. Let’s say the auditor
is auditing the existence of accounts receivable, and revenue recognition is a significant risk.
The auditor decides to assess inherent risk at the maximum. If internal controls are strong,
the auditor assesses control risk as low. Therefore, RMM is moderate to low, and detection risk
is moderate to high. This combination would fall on the right side of Illustration 9.1. When
making decisions about substantive testing, the auditor might send positive confirmations (a
more effective audit procedure), use smaller sample sizes, and perform the substantive test at
an interim date. When internal controls are strong and the auditor can obtain the appropriate
relevant and reliable data, the auditor might also consider using ADA as a substantive test. For
example, when auditing a hotel chain, an auditor obtains reliable electronic information about
room occupancy and compares room occupancy with revenue recognized on a daily basis.
However, if the auditor determines that internal controls are not functioning as designed
and a compensating control does not exist, the auditor will assess control risk and RMM as high
and set detection risk as low. This combination would fall on the left side of Illustration 9.1. The
auditor would send positive confirmations to customers using larger sample sizes at year-end.
Later sections of this chapter provide more in-depth discussion about the nature, timing, and
extent of substantive procedures.
As discussed in previous chapters, risk assessment is required to be performed at an assertion
level. Chapter 5 introduced and defined each of the management assertions as outlined
in AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement. The 13 assertions are reproduced in Illustration 9.2 and grouped to show the
assertions that have common objectives across each category of classes of transactions and
events, account balances at year-end, and presentation and disclosure.

ILLUSTRATION 9.2  Management assertions by category

Row | Assertions About Classes of Transactions and Events | Assertions About Account Balances at Year-End | Assertions About Presentation and Disclosure
    | Typically income statement accounts and cash flow statement | Typically balance sheet accounts | Disclosures made in the financial statements
1   | Occurrence; Cutoff | Existence; Rights and obligations | Occurrence and rights and obligations
2   | Completeness; Cutoff | Completeness | Completeness
3   | Accuracy; Classification | Valuation and allocation | Accuracy and valuation; Classification and understandability

Illustration 9.2 shows how similar assertions across categories are related to each
other. Let’s look at row 1 and use the sales process as an example. The auditor needs to verify
that sales transactions recorded in the income statement occurred and relate to the entity (the
occurrence assertion) and that the sales transactions have been recorded in the correct accounting
period (the cutoff assertion). Those same sales transactions flow through to the cash
flow statement and to the accounts receivable balance on the balance sheet. Verifying that
the sales transactions occurred also provides evidence that the balance of accounts receivable
at year-end exists and the client holds the rights to those receivables (the existence and rights
and obligations assertions). The auditor can also use that evidence to verify that the balances
disclosed in the financial statements as sales revenue and accounts receivable occurred and
relate to the entity (the occurrence and rights and obligations assertions).
It is clear from this example that testing performed on the occurrence of sales transactions
also provides evidence on the existence of accounts receivable on the balance sheet and the financial
statement disclosures. Rows 2 and 3 show the remaining assertions that still need to be tested
for the sales transactions and related accounts receivable balance and related disclosures.

Be careful and do not assume that similar assertions across all three categories are exactly
the same. For example, classification for income statement accounts is not exactly the same as
classification and understandability in the financial statement disclosures. Classification as it
relates to transactions requires verification that transactions have been recorded in the proper
accounts within the general ledger. Classification and understandability as they relate to disclosures
require verification that information included in the financial statements is appropriately
presented and described according to the applicable financial reporting framework,
and disclosures are clearly expressed.
The objective of auditors is to obtain sufficient appropriate audit evidence regarding the
assessed risks of material misstatement. This is accomplished by designing and implementing
appropriate responses to those risks at both the financial statement level and the assertion
level. Chapter 8 focused on responding to risk through the use of tests of controls. This chapter
continues the risk response discussion through the use of substantive procedures.

Cloud 9 - Continuing Case


Suzie emphasizes to Ian that their testing must respond to the risk of material misstatement at the
assertion level. For each assertion, the audit team determines the level of detection risk, which
is based on the inherent risk assessment and the results of the control testing. Auditors also have
to consider a range of practical factors, such as constraints on timing and the complexity of the
client’s systems. “Analytical procedures are always useful, but the decision to use analytical
procedures and/or other substantive procedures must consider risk and practical factors,” she says.
“In an audit, we have to decide what an acceptable level of detection risk is, and how to achieve it,
for every assertion about transactions, account balances, and disclosures.”

Before You Go On
1.1 Explain the relationship between the risk of material misstatement and detection risk.
1.2 Describe why management assertions are important in the determination of detection
risk.

Risk Response at the Financial Statement Level


LEARNING OBJECTIVE 2
Describe methods of risk response at the financial statement level.

We have discussed how important it is that auditors are knowledgeable about their client’s
operations for the purpose of identifying risks (refer to Illustration 4.2 for a refresher). Some
identified risks could impact the financial statements as a whole. For example, if a client is
relying heavily on debt financing and struggling to make debt payments, management may
feel pressure to maintain debt covenants. That pressure could lead to fraudulent financial reporting
that is pervasive in the financial statements. Auditors should respond to that risk with
procedures that have an overall effect on how the audit is conducted. AU-C 330 Performing
Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained and
AS 2301 The Auditor’s Responses to the Risks of Material Misstatement provide the following
examples of responding to risk at the financial statement level:

•  Emphasize that audit team members should maintain professional skepticism.
•  Assign more experienced staff to areas of higher risk of material misstatement.
•  Provide more supervision.
•  Include more elements of unpredictability in the selection of audit procedures.
•  Make general changes to the nature, timing, or extent of audit procedures to obtain more
persuasive evidence.

Risk response at the financial statement level is affected by (1) the auditor’s understanding
of the entity’s control environment and (2) the assessed risk of material misstatement due
to fraud. An effective control environment suggests that management and those charged with
governance demonstrate a commitment to ethical values and strong internal control. Auditors
will have more confidence in internal controls and audit evidence generated internally with a
client that maintains an effective control environment. If the control environment is assessed
to be weak, auditors may respond by altering the audit plan to include more audit procedures
and expanding the scope of the audit to include more of the client’s locations.
After auditors have assessed control risk, they are in an ideal position to evaluate the risk
of fraud. Auditors will seriously consider the risk of fraud if control risk is high. They will
assess the risk of fraud by considering fraud risk factors that may be present, such as pressure
and opportunities for management to commit fraud (see “Fraud Risk” in Chapter 3).
If significant fraud risk exists, auditors should respond by including elements of unpredictability
in their audit plan. For example, auditors could perform audit procedures related to
accounts, assertions, or disclosures that they normally would not test because they are immaterial
or considered low risk. They could also perform some procedures on a “surprise”
basis and vary the timing of when the procedures are performed. For clients with multiple
locations, auditors could vary which locations are tested each year and the type of audit
procedures that are performed at the different locations. Ultimately, auditors must exercise
professional skepticism and be prepared to modify the planned audit procedures, as needed,
to obtain more reliable evidence. They may also need to expand audit procedures to gather
evidence from independent sources to corroborate management’s explanations and other
internally generated evidence.

Audit Reasoning Example  Risk Response at the Financial Statement Level

Xiao Wang is the manager on the audit of Superior Corp., an oil and gas company located in
Houston. The price of oil has dropped due to an excess supply of oil in the market. A drop in
oil prices has caused a dramatic decrease in revenue for Superior, which in turn has caused a
significant drop in Superior’s stock price. To stay afloat, Superior has implemented some drastic
cost-cutting measures and laid off one-fifth of its workforce. Superior has also announced it will
suspend matching its employees’ 401(k) contributions until further notice. Xiao knows that when
a client is experiencing stressful times such as this, the audit team should be especially mindful of
an increased risk of fraud, particularly the risk of fraudulent financial reporting.
Xiao has worked on the Superior audit for the last five years and notes that Superior has an
effective control environment, and upper management has consistently shown a commitment
to integrity and ethical values. However, Xiao knows that even good people can be pushed to
extreme action in times of stress. What if management tries to overstate revenues or understate
expenses in an effort to improve profitability? Xiao calls a meeting with the audit team members
to discuss the situation. “Team, you are aware of the stress that Superior and other oil and gas
companies are feeling in this current market. I want to remind you to use professional skepticism
in all of your work, even in areas that we deem to be low risk. If you see anything unusual, please
let me know. Also, I will be more involved with testing revenue and closely supervising the work
in that area. We will assess inherent risk at the maximum level for revenue so that we are verifying
more transactions. Let’s get to work and please don’t hesitate to ask questions.”

In addition to considering risk response at the overall financial statement level, auditors
must plan to respond to risk at the assertion level for accounts, classes of transactions, and
disclosures. This involves designing and implementing the nature, timing, and extent of specific
audit procedures to be performed at the assertion level.

Before You Go On
2.1 What factors affect the auditor’s risk response at the financial statement level?
2.2 How could auditors modify their audit procedures if there is increased risk of fraud?
2.3 How could auditors modify their audit procedures if a client has a poor control environment?

Nature of Substantive Procedures


LEARNING OBJECTIVE 3
Explain and analyze factors that impact the nature of substantive procedures at the
assertion level, including the use of audit data analytics.

The nature of an audit procedure refers to its purpose (test of controls or substantive procedure)
and its type. The different types were covered in Chapter 5 and include inspection,
observation, inquiry, confirmation, recalculation, reperformance, analytical procedures, scanning,
and ADA. When analytical procedures are used to obtain audit evidence during the risk
response phase, they are referred to as substantive analytical procedures. This will be discussed
further in the section “Substantive Analytical Procedures.” When the other types of procedures
are used to gather audit evidence, they are referred to as tests of details of classes of
transactions, account balances, and disclosures. Tests of details will be discussed further in
the section “Tests of Details.” Consideration of the nature of the audit procedure is the most
important factor when responding to the assessed risks (AU-C 330.A5).
Auditing standards provide guidance regarding the performance of substantive procedures.
AU-C 330 and AS 2301 state that auditors are required to perform substantive procedures for
all relevant assertions that have been identified during the risk assessment phase. Recall
from Chapter 5 that relevant assertions have a reasonable possibility of containing a material
misstatement that would cause the financial statements to be materially misstated and,
therefore, have a meaningful impact on whether the account is fairly stated. Every audit will
involve some amount of substantive testing because auditing standards require it for relevant
assertions.
Further substantive testing for all other assertions will be based on the auditor’s overall
assessment of risk. For some assertions, an effective response may be for the auditor to perform
primarily tests of controls. This would be following a reliance on controls strategy. For
other assertions, an effective response may be for auditors to only perform substantive procedures.
This would be following a substantive strategy. Auditors may choose a substantive strategy
because they have not identified any effective controls that are relevant to that assertion or
because testing controls would be inefficient. In many cases, auditors use a combined strategy
in which they use both tests of controls and substantive procedures to respond to identified
risks. If appropriate, auditors may design a test of controls and a substantive test of details
to be performed at the same time on the same transaction. This is called a dual-purpose
test. For example, auditors inspect a sample of vendor invoices for inventory purchases to
determine if they were properly authorized to be paid (test of controls). On the same sample
of invoices, they can inspect and recalculate the cost of inventory items purchased to test the
valuation and allocation assertion (substantive test of details). Designing dual-purpose tests
helps improve the efficiency of the audit.

relevant assertions  assertions that have a reasonable possibility of containing a material
misstatement that would cause the financial statements to be materially misstated and,
therefore, have a meaningful impact on whether the account is fairly stated
dual-purpose test  a substantive test of a transaction and a test of control relevant to that
transaction that are performed concurrently

Once auditors have determined that using substantive procedures is the appropriate risk
response, the next step is to determine the type of procedure to use. What factors do auditors
consider when determining the type of substantive procedure to use? One factor is the assessed
level of risk for the assertion. When the risk of material misstatement for an assertion
is high, auditors must gather more reliable and persuasive evidence. Some types of procedures
lend themselves to gathering more reliable evidence. For example, to test the completeness
assertion for a contract, auditors decide to send a confirmation to the outside party on the
contract. Confirming the details of the contract with an outside third party provides more
reliable evidence than just inspecting the document and inquiring of management regarding
the details. For any risks that have been identified as significant risks, auditors are required to
perform substantive procedures that are specifically responsive to the significant risk. Recall
from Chapter 3 that a significant risk is an identified and assessed risk of material misstatement
that, in the auditor’s judgment, requires special audit consideration. For example, if the
client has complex derivative transactions that auditors have identified as being a significant
risk for material misstatement, the auditors’ response may be to use a specialist to perform
inquiry and recalculation procedures to test the accuracy assertion.

significant risk  an identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration

Another factor auditors consider is that certain types of procedures are more suited for
testing some assertions than others. For example, performing a recalculation of depreciation
expense for a newly acquired fixed asset may provide evidence for the accuracy and valuation
and allocation assertions, but it does not provide evidence that a newly acquired fixed asset
actually exists. To test the existence assertion for a fixed asset, auditors should personally
inspect the fixed asset and inspect supporting documentation of the purchase.
Auditors also consider the reasons for the level of assessed risk for an assertion when determining
the type of substantive procedures to use. For example, auditors may assess risk as
low for an assertion for a class of transactions because inherent risk is low. The class of transactions
may be uniform and tend to be predictable over time. A good example is the accuracy
assertion for interest expense on outstanding loans that have fixed interest rates with interest
payments due monthly. Even if controls do not exist for the transactions, the risk of material
misstatement is low due to the characteristics of the transactions. Auditors may determine
that performing only substantive analytical procedures will be sufficient to reduce audit risk
for the accuracy assertion to an acceptably low level. The section “Substantive Analytical Procedures”
goes more in depth regarding the use of substantive analytical procedures to obtain
audit evidence.

Cloud 9 - Continuing Case


Ian is starting to realize that the standards and professional practice would not allow him to
rely exclusively on analytical procedures. Cloud 9 has significant inventory balances (around
25% of total assets) and receivables (around 28% of total assets), so the auditors will need to
gather persuasive evidence about the existence, valuation and allocation, and rights and
obligations assertions for these accounts. Procedures such as confirming receivables balances
and observing inventory counts are definitely going to be included in the detailed audit program.
Suzie warns Ian that it is not always the size of the account that determines the use of
analytical procedures or other procedures. For example, in Cloud 9’s trial balance there is a
derivatives investment account that is around 5% of total assets. It is a smaller portion of total
assets, but since accounting for derivative investments is complex, they probably cannot rely
solely on analytical procedures, particularly regarding the valuation and allocation assertion.

Initial Procedures
When auditing an account balance, auditors perform several initial procedures before applying
other substantive procedures. First, auditors should simply recall their understanding of
the client’s business and industry and think about how those factors may impact the account
balance being audited. For example, a client that is a technology retailer faces a higher risk
of inventory obsolescence because technology items such as computers and smartphones become
obsolete if they are not sold quickly. Therefore, when applying substantive procedures
for the audit of inventory, auditors should keep the risk of inventory obsolescence in mind,
particularly when performing audit procedures related to the valuation and allocation and
existence assertions. Extensive knowledge of the client provides the appropriate context for
evaluating the results of substantive procedures.
Other initial procedures are fairly routine steps performed for all account balances. For
illustrative purposes, let’s consider a prepaid insurance account that includes the transactions
for all of a client’s insurance policies. The client must pay insurance premiums in advance as
required by the insurance provider, which creates the asset account of prepaid insurance. The
following initial procedures are performed:

1. Trace the beginning balance of the prepaid insurance account to the auditor’s working
papers from the prior year’s audit. The beginning balance should match the ending audited
balance reflected in last year’s working papers. (Note: If the auditors did not audit the client
last year, refer to AU-C 510 Opening Balances—Initial Audit Engagements, Including
Reaudit Engagements.)
2. Scan the transactions in the account for unusual items. An amount could be unusual because
of its large dollar amount, its timing, or its source. For example, the client typically
pays its insurance premiums annually in the first quarter of the year. A large payment
made to an insurance provider in the third quarter would be unusual and warrant further
investigation.
3. Obtain a trial balance or other detailed report for the account. A trial balance shows the
balances of prepaid insurance for each insurance provider. The trial balance is typically
in electronic form and compiled from the client’s information system. It should be footed
for mathematical accuracy. If the detailed report is in another form, such as an Excel
spreadsheet, auditors should review the formulas and recalculate to ensure the formulas
are working as intended. The total on the trial balance should agree to the total in the
subsidiary ledger from which it was prepared, and it should agree to the total in the general
ledger. A sample of the individual insurance provider balances from the trial balance
should be compared to the corresponding detail in the subsidiary ledger and vice versa.
This procedure may seem redundant, but it helps to ensure the trial balance or report is
an accurate and complete representation of the account balance.

Once these initial procedures are completed and documented in the working papers, auditors
continue with the remaining substantive procedures detailed in the audit program.
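
The three initial procedures above, applied to a prepaid insurance account, as an added example that is not part of the original text. All balances, provider names, payment records, and the $40,000 "large amount" cutoff are constructed for illustration; the detail comparison checks every provider rather than a sample, and the data is built so that the totals agree while the underlying detail does not.

```python
from datetime import date

# --- Constructed sample data (not from the text or any real client) ---
PRIOR_YEAR_AUDITED_ENDING = 48_000             # ending balance per last year's working papers
GL = {"beginning": 48_000, "ending": 61_500}   # prepaid insurance per the general ledger
TB_REPORTED_TOTAL = 61_500                     # total printed on the client's trial balance
TRIAL_BALANCE = {"Acme Mutual": 30_000, "Harbor Casualty": 21_500, "Northfield Life": 10_000}
SUBLEDGER = {"Acme Mutual": 30_000, "Harbor Casualty": 19_500,
             "Northfield Life": 10_000, "Pioneer Re": 2_000}
KNOWN_PROVIDERS = {"Acme Mutual", "Harbor Casualty", "Northfield Life"}
PAYMENTS = [  # (date paid, payee, amount)
    (date(2023, 1, 15), "Acme Mutual", 30_000),
    (date(2023, 2, 3), "Harbor Casualty", 19_500),
    (date(2023, 2, 20), "Pioneer Re", 2_000),
    (date(2023, 3, 10), "Northfield Life", 10_000),
    (date(2023, 8, 22), "Harbor Casualty", 45_000),
]


def trace_beginning_balance(gl_beginning, prior_year_ending):
    """Step 1: the opening balance must equal last year's audited ending balance."""
    return gl_beginning == prior_year_ending


def scan_for_unusual(payments, usual_quarter=1, large_amount=40_000, known=KNOWN_PROVIDERS):
    """Step 2: flag items that are unusual by dollar amount, timing, or source."""
    flagged = []
    for paid_on, payee, amount in payments:
        reasons = []
        if amount >= large_amount:                       # assumed cutoff, set by the auditor
            reasons.append("amount")
        if (paid_on.month - 1) // 3 + 1 != usual_quarter:  # premiums are normally paid in Q1
            reasons.append("timing")
        if payee not in known:
            reasons.append("source")
        if reasons:
            flagged.append((paid_on.isoformat(), payee, amount, reasons))
    return flagged


def foot(trial_balance):
    """Step 3: re-add the trial balance instead of trusting its printed total."""
    return sum(trial_balance.values())


def agree_totals(trial_balance, reported_total, subledger, gl_ending):
    """Step 3: footed total must agree to the report, the subsidiary ledger, and the GL."""
    footed = foot(trial_balance)
    return {
        "foots": footed == reported_total,
        "agrees_to_subledger": footed == sum(subledger.values()),
        "agrees_to_gl": footed == gl_ending,
    }


def compare_detail(trial_balance, subledger):
    """Step 3: compare provider balances in both directions (trial balance <-> subledger)."""
    exceptions = []
    for provider in sorted(set(trial_balance) | set(subledger)):
        tb_amount = trial_balance.get(provider)   # None means missing from the trial balance
        sl_amount = subledger.get(provider)       # None means missing from the subledger
        if tb_amount != sl_amount:
            exceptions.append((provider, tb_amount, sl_amount))
    return exceptions


if __name__ == "__main__":
    print("Opening balance traced:", trace_beginning_balance(GL["beginning"], PRIOR_YEAR_AUDITED_ENDING))
    print("Unusual items:", scan_for_unusual(PAYMENTS))
    print("Totals:", agree_totals(TRIAL_BALANCE, TB_REPORTED_TOTAL, SUBLEDGER, GL["ending"]))
    print("Detail exceptions:", compare_detail(TRIAL_BALANCE, SUBLEDGER))
```

Every total agrees here, yet the two-way detail comparison still surfaces one provider with a different balance and one provider missing from the trial balance, which is why the step is not redundant.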

Substantive Analytical Procedures


Analytical procedures are evaluations of financial information through analysis of plausible
relationships among financial and nonfinancial data. Some examples include ratio analysis,
trend analysis, simple comparisons of data, and complex statistical analysis techniques.
The use of analytical procedures is required during risk assessment, as we learned in Chapter 4.
Using analytical procedures as a substantive procedure during risk response is not required,
but it is very common. AU-C 520 Analytical Procedures and AS 2305 Substantive Analytical
Procedures address the use of analytical procedures as a substantive procedure for gathering
evidence. AU-C 520 also addresses the auditor’s responsibility to perform analytical procedures
near the end of the audit to assist the auditor when forming an overall conclusion on
the financial statements (AU-C 520.01). Using analytical procedures near the end of the audit
is required and is covered in Chapter 14.

analytical procedures  evaluations of financial information through analysis of plausible
relationships among both financial and nonfinancial data; analytical procedures also encompass
such investigation, as is necessary, of identified fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values by a
significant amount

When conducting a substantive analytical procedure, auditors develop an expectation,
or estimate, using data in the client’s records or data from reliable outside sources, and then
compare the expectation with the client’s recorded amount. If there is a difference, auditors
determine if it is significant and if further audit procedures need to be performed. Depending
on the risk factors for a particular assertion, auditors may determine that substantive analytical
procedures can be used as follows:

•  As the only substantive test for a class of transactions or account balance.
•  In combination with tests of details.

Auditors use their professional judgment when deciding which substantive procedures to
use and will consider the effectiveness and efficiency of the procedures in reducing the
assessed risk of material misstatement to an acceptably low level. Factors that impact the
effectiveness and efficiency of using a substantive analytical procedure to respond to risk
include (1) the nature of the assertion, (2) the plausibility and predictability of the relationship,
(3) the availability and reliability of the data used to develop the expectation, and
(4) the precision of the expectation (AU-C 520.A8 and AS 2305.11). Each of these factors
will be discussed next.
The use of a substantive analytical procedure may be more appropriate and provide more
persuasive audit evidence depending on the nature of the assertion. With some assertions,
potential misstatements may not be discovered by examining detailed evidence or detailed evidence
may not be available. For example, consider the accuracy and occurrence assertions for
salaries expense for the year. Auditors need to gather evidence that the amount recorded for
salaries expense transactions has been recorded appropriately and the transactions have occurred.
A substantive analytical procedure can be used by comparing the number of employees
at fixed salaries to the total salaries expense for the period. If the actual salaries expense is
significantly more than the expectation from the comparison, it could indicate a misstatement
caused by error or unauthorized payments. This comparison may be more effective for the
accuracy and occurrence assertions than performing a detailed test of a sample of individual
payroll transactions. When using a sample, none of the transactions in the sample may reflect
any misstatements.
If the assessed risk of material misstatement for an assertion is high, auditors need to
gather more persuasive audit evidence. Results from substantive analytical procedures will
be more persuasive if relationships among data are more predictable. For example, relationships
in a stable industry environment are usually more predictable than relationships
in an industry environment that is unstable or changing rapidly. Large volumes of similar
transactions tend to be more predictable over time than smaller volumes of more unique
transactions that may vary in occurrence and amount. Relationships involving income statement
accounts are usually more predictable than relationships involving only balance sheet
accounts because income statement accounts represent transactions over a period of time.
Balance sheet accounts represent an amount at a specific point in time (AU-C 520.A10 and
AS 2305.14). Relationships involving transactions that are subject to management discretion
are typically less predictable. For example, rather than incurring advertising expense on a
routine monthly basis, management may decide to only advertise when special sales are
being offered. Illustration 9.3 provides examples of substantive analytical procedures that
typically provide persuasive evidence.

ILLUSTRATION 9.3  Examples of analytical procedures that provide persuasive evidence

Evidence | Analytical Procedure
Material content of work in progress and finished goods | Relate raw materials put into production and quantities sold to normal yield factors
Overhead in ending inventory | Relate actual overhead for the period to actual direct labor, production volumes, or another appropriate measure
Finished goods inventory pricing | Refer to selling prices less selling costs and “normal” gross margin
Charges for depreciation | Refer to asset balance, effect of additions and disposals, and average depreciation rate
Payroll expense | Refer to days accrued and average daily payroll or subsequent period’s gross payroll
Commission expense | Refer to commission rates and related sales
Accruals for commissions or royalties | Refer to terms of agreements and payment dates
Interest expense and related accrual | Refer to the average debt outstanding, weighted average interest rate, and payment dates
Investment income | Relate average amounts invested to an average interest rate or yield
Total revenue for a school | Relate school fee per each year level by number of students in each respective level

Audit Reasoning Example  Substantive Analytical Procedures


Carmen is an audit senior on the audit of High Tide Automobile Corp., a company of car dealerships.
The year-end audit work is under way and she discusses the audit of commission expense with Ryan,
a first-year associate on the team. “Ryan, you will be auditing commission expense,” says Carmen.
“During risk assessment, we learned about the car sales commission rates for the sales staff of High
Tide. Do you remember what it is?” Ryan replies, “Yes, I remember. A salesperson receives a 25% commission
on the profit of a sale. Profit is defined as the selling price minus High Tide’s invoice price for
the vehicle. So if the profit on the sale of one car is $1,000, the salesperson will receive a commission
of $250.” “That is correct,” says Carmen. “One of the steps in the audit program is to use substantive
analytical procedures to develop an expectation of what commission expense should be for the year.
How do you think we calculate our expectation?” Ryan thinks for a moment, and then says, “We could
take High Tide’s total gross profit on vehicle sales and multiply it by 25%. That should give a pretty good
estimate of what commission expense is for the year.” “Yes, that is exactly what we do,” says Carmen.
“We also look at the relationship between sales revenue and commission expense. As sales revenue
increases, commission expense should also increase. If actual commission expense is significantly different
from our expectation, we may need to perform additional tests of details.”

Before auditors can use substantive analytical procedures, they must consider the availability
and reliability of data to be used to develop their expectation. Data may not be readily
available to develop expectations for some assertions. For example, to develop an expectation
to test the completeness assertion for sales, auditors use data from budgets, forecasts,
or square feet of selling space. If this type of data is not available, it may be more effective to
perform a test of details using the client’s shipping records. Auditors should also consider the
reliability of the data being used to develop the expectation for the analytical procedure. If the
underlying data is not reliable, the expectation will not be reliable, and any evidence gathered
would not be considered reliable. Illustration 9.4 lists factors that auditors consider regarding
the reliability of data to be used for substantive analytical procedures.

ILLUSTRATION 9.4  Factors that affect the reliability of data to be used for substantive analytical procedures

Factor | Explanation
Source of the data | Generally, data obtained from independent sources outside of the client are considered more reliable.
Controls over the data | If the data are internally generated, are there adequate internal controls over the data? The auditors should test the effectiveness of the controls over the data to determine that the underlying data are complete and accurate. If controls over the data are effective, the data are considered more reliable.
Current or prior year testing of the data | If the data have been subjected to audit testing in the current year or prior year, they are considered more reliable than if they have not yet been tested.
Comparability of the data | The data must be capable of being used to create an expectation that is relevant to the entity. For example, if auditors plan to use industry averages for comparisons with client data, they must consider if the industry data are too broad to provide a meaningful comparison. If the client is more specialized within the industry, then using a broad industry average may not be reliable.

Finally, auditors must determine if the expectation that will be developed is precise
enough to identify misstatements at the assertion level. The amount of precision needed depends
on whether the substantive analytical procedure is being used as the only substantive
test of an assertion or if it is being used in conjunction with tests of details. If it is being used
as the only substantive test, then the expectation needs to be more precise to provide more reliable
audit evidence. Expectations that are developed at a detailed level are more precise than
expectations developed at a broad level. For example, using monthly amounts will generally
provide a more precise expectation than using yearly amounts, or using data by business unit
will be more precise than using company-wide data. The level of detail needed to develop the
expectation will vary by client and depends on the size and complexity of the client.
If, after considering the factors discussed above, auditors decide that using a substantive
analytical procedure is appropriate for testing an assertion, next they consider how much of a
difference between the expectation and the client’s recorded amount they can accept without
performing further investigation. Auditors will consider materiality of any differences and
how persuasive the evidence needs to be. For example, if the substantive analytical procedure
is the only substantive test being performed for an assertion, then the evidence needs
to be persuasive. Therefore, the amount of difference auditors could tolerate decreases. If the
substantive analytical procedure is being used in conjunction with tests of details, then the
amount of difference auditors could tolerate would increase since other procedures would
also be used to gather evidence. If the difference is large enough to warrant further investigation,
auditors should first review the factors used in developing the expectation. They can
also inquire of management as to the reasons for the difference. However, any information
obtained from management should be corroborated with other evidence. If the differences
cannot be explained after performing additional procedures, auditors should consider it an
indication of increased risk of material misstatement for the assertion.
Auditors must document in the working papers the use of substantive analytical procedures.
This includes documenting the factors considered in developing the expectation, the results of the
comparison of the expectation with the client’s recorded amount, and any additional procedures
performed to investigate differences between the expectation and the client’s recorded amount.
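
An added example (not part of the original text) of the expectation, precision, and tolerable-difference steps described above, using the 25% commission rule from the High Tide example. The monthly figures and both investigation thresholds are constructed; the data is built so that two offsetting monthly differences pass an annual comparison but are caught by a monthly one.

```python
COMMISSION_RATE_PCT = 25  # from the High Tide example: 25% commission on the profit of a sale

# Constructed sample data: (month, gross profit on vehicle sales, recorded commission expense)
LEDGER = [
    ("Jan", 400_000, 100_000), ("Feb", 360_000, 90_000), ("Mar", 440_000, 140_000),
    ("Apr", 480_000, 120_000), ("May", 520_000, 130_000), ("Jun", 560_000, 140_000),
    ("Jul", 540_000, 135_000), ("Aug", 500_000, 125_000), ("Sep", 460_000, 87_000),
    ("Oct", 420_000, 105_000), ("Nov", 380_000, 95_000), ("Dec", 600_000, 151_500),
]

# Constructed thresholds: the difference the auditor accepts without further investigation.
# In practice these come from materiality and from how much reliance is placed on the test.
ANNUAL_THRESHOLD = 20_000
MONTHLY_THRESHOLD = 5_000


def expected_commission(gross_profit):
    """Develop the expectation: commission should be 25% of gross profit."""
    return gross_profit * COMMISSION_RATE_PCT // 100


def evaluate(period, gross_profit, recorded, threshold):
    """Compare expectation with the recorded amount and produce a working-paper row."""
    expected = expected_commission(gross_profit)
    difference = recorded - expected
    return {
        "period": period,
        "expected": expected,
        "recorded": recorded,
        "difference": difference,
        "threshold": threshold,
        "investigate": abs(difference) > threshold,
    }


def annual_test(ledger, threshold):
    """Broad-level expectation: one comparison on the yearly totals."""
    total_gross_profit = sum(gp for _, gp, _ in ledger)
    total_recorded = sum(rec for _, _, rec in ledger)
    return evaluate("Year", total_gross_profit, total_recorded, threshold)


def monthly_test(ledger, threshold):
    """Detailed-level expectation: one comparison per month."""
    return [evaluate(month, gp, rec, threshold) for month, gp, rec in ledger]


def periods_to_investigate(rows):
    """Periods whose difference exceeds the threshold and needs follow-up procedures."""
    return [row["period"] for row in rows if row["investigate"]]


if __name__ == "__main__":
    year = annual_test(LEDGER, ANNUAL_THRESHOLD)
    print("Annual:", year)
    months = monthly_test(LEDGER, MONTHLY_THRESHOLD)
    for row in months:
        print(row)
    print("Investigate:", periods_to_investigate(months))
```

The annual comparison shows a difference well inside its threshold because an overstatement in one month and an understatement in another nearly cancel; the monthly rows expose both, and each row records the expectation, the recorded amount, and the conclusion that the working papers need.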

Cloud 9 - Continuing Case


Ian and Suzie continue their discussion about using analytical procedures. Ian is starting to
feel more confident and suggests that there are some factors to consider about the Cloud 9 audit
that would affect the use of the various procedures. “We could use all of the usual techniques
in the Cloud 9 audit, although we have to be careful in making comparisons across years for a
couple of reasons. We have only just taken over the audit, so although prior-year data was
audited, we are still building up our level of familiarity with the data and don’t really
understand all the conditions that applied to the previous years. Also, the changes at Cloud 9,
in particular the opening of the retail store and the additional borrowing to finance the
purchase of the delivery trucks that we discovered during our preliminary work, will impact the
data.”

Professional Environment  Interpreting the Results of Analytical Procedures


Before they can complete an audit, auditors need to evaluate the causes of any unexpected
fluctuations in a client’s financial statements detected by the use of analytical procedures.
Auditors have to consider possible causes of the fluctuation, search for additional information
about these possible causes, evaluate the alternatives, and decide which possible cause of the
fluctuation is the correct one. As part of this process, auditors can make inquiries of client
managers to obtain their explanations of the fluctuation’s cause. Client managers could provide
the correct explanation because of their superior knowledge of the situation. However, it is
possible that management will give the auditors an incorrect explanation, deliberately or not.
The question then arises whether auditors will be inappropriately influenced by management’s
explanations that are not consistent with audit evidence.
In an experiment using 61 Australian auditors from a large accounting firm, Green investigated
whether receiving an incorrect management explanation affected auditors’ performance in
determining the correct explanation for financial data fluctuations.[1] The subjects were required
to complete a computerized experimental task involving analytical procedures relating to an
error in cost of sales. The subjects in a control group did not receive a management explanation
while the other auditors received a management explanation either before or after considering
their own alternative explanations.
Green found that only 15 of the 61 auditors selected the correct cause of the data fluctuation,
with the remainder either selecting management’s explanation or another cause considered as
a possibility by the auditor.[2] Although 47 of the auditors actually considered the correct cause,
32 dismissed it in favor of another alternative. The data showed that 14 auditors never even
considered the correct cause as a possibility during their investigations.
Overall, Green concluded that receiving an incorrect explanation from management affected the
auditors’ performance by influencing them to judge it as the correct cause. None of the auditors
in the control group, who did not receive the management explanation, judged that explanation
to be the correct one. Green suggests that audit firms could consider offering more guidance to
auditors to develop their professional skepticism and prompt their consideration of more
alternatives. In addition, auditor training could focus more on the evaluation of evidence,
particularly in relation to management explanations. However, it is possible that in practice
more experienced auditors, such as partners, would not be so easily distracted by management’s
explanations.

[1] W. Green, “Are Auditors’ Analytical Procedures Judgements Affected by Receiving Management
Explanations?” Australian Accounting Review 15, no. 3 (2005), pp. 67–74.
[2] Green 2005, p. 71.

Tests of Details
The phrase tests of details refers to the substantive procedures auditors use to test the details of
account balances, transactions, and disclosures. Recall that these tests of details are inspection,
observation, inquiry, confirmation, recalculation, reperformance, scanning, and ADA. One or
more tests of details may be used to test an assertion. Also, one or more tests of details may be
used in conjunction with a substantive analytical procedure for testing an assertion. Which
procedure or procedures to use will depend on auditor judgment, the assessed risk of material
misstatement, and the nature of the assertion being tested. The following paragraphs provide
some examples and other guidelines for using tests of details.
As we have already discussed, when an assertion has a higher assessed risk of material
misstatement, auditors need to gather more reliable and persuasive evidence. For example, due
to poor internal controls over accounts receivable, auditors have determined there is increased
risk that some recorded accounts receivable balances do not exist for a client. Auditors could
inspect the underlying documentation in support of recorded receivables, such as sales orders,
shipping documents, and customer invoices. But since these documents are generated internally
by the client, does inspection provide the most reliable evidence? No, it does not. Evidence that
is gathered from an independent source from outside of the client is considered more reliable.
Therefore, a more effective test of details would be to send confirmations to customers to verify
the existence of the accounts receivable balances. If a customer notes a discrepancy on the
returned confirmation, auditors can follow up with additional tests of details as needed, such as
recalculation of the balance, inspection of documents, and inquiry of management.
The nature of the assertion being tested affects the type of test of details that auditors
use. For example, what procedures will provide evidence that a client’s recorded inventory
balance actually exists? Auditors can observe the client counting the physical inventory at
year-end. Recall that the auditor’s direct knowledge through observation is more reliable than
indirect knowledge. Auditors can also inspect supporting documents by vouching a sample of
inventory purchases to receiving reports and purchase orders (requisitions). Would recalculating
the mathematical accuracy of a sample of inventory purchases (price × quantity) provide
evidence for the existence assertion? No, it would not. Recalculation provides evidence for the
accuracy assertion, not the existence assertion. When selecting which tests of details to use,
auditors must select procedures that are appropriate for the assertion being tested.
Tests of details are also used to evaluate assertions related to the disclosures of the financial
statements, referred to as the notes. It is management’s responsibility to prepare the note
disclosures. The objective of auditors is to determine if the notes are prepared in accordance
with the applicable financial reporting framework. Refer to Illustration 9.2 for the assertions
related to disclosures. Auditors should read and inspect the notes and recalculate amounts, as
needed, to gather sufficient appropriate evidence that:
•  Management has adequately disclosed the significant accounting policies applied in the
financial statements.
•  Information in the notes is accurate and does not contain errors or inconsistencies with
information presented in the financial statements.
•  Appropriate and understandable terminology is used, as prescribed by the applicable
financial reporting framework.
•  All disclosures that are required by the financial reporting framework have been included.
You may recall from your financial accounting courses that some note disclosures, such as
pensions, deferred income taxes, and stock options, require extensive detail. Therefore, it is
critical that auditors are very knowledgeable about the financial reporting framework used by
their client. That knowledge provides a context for auditors to evaluate whether the financial
statements and notes are presented fairly.

ADA and Substantive Procedures


We discussed in Chapter 5 how ADA has ushered in many changes regarding how audits are conducted.
Chapter 7 introduced using ADA both as a risk assessment procedure and as a substantive
procedure. At the risk response phase, the auditor may use substantive procedures to follow up on
the findings of an ADA procedure used during risk assessment. For example, during risk assessment
an auditor may have used ADA to identify slow-moving inventory. For the notable items in
inventory identified by ADA, the auditor may perform traditional substantive procedures regarding
the net realizable value of inventory. In other words, for these items the auditor might look at
how many of the items were sold between year-end and a date near the end of fieldwork. During
that period the auditor can determine if the company had to mark down items below cost in order
to sell them. The auditor might also identify that a significant portion of inventory has not sold and
may look at sales prices of similar items in the marketplace to determine the need to write down
inventory to its net realizable value. Essentially, the auditor uses ADA to identify items that are at
a high risk of material misstatement and will use traditional substantive tests to evaluate the high
risk balances or transactions.
At the risk response stage the auditor may have identified a specific fraud risk. For example, if
there is a weakness in access controls over a master vendor file, the auditor might use ADA to
compare vendor addresses with employee addresses. A match might be an indication that an employee
has put a fictitious vendor in the master vendor file, and invoices might be paid to a fictitious vendor.
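The vendor-to-employee address comparison described above, sketched as an added Python example that is not part of the textbook. The record layouts, the abbreviation list, and all sample records are constructed assumptions, and ranking matches by total payments is an added step to help prioritize follow-up.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Abbreviations folded to one spelling before comparison (assumed list; extend as needed).
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "lane": "ln", "suite": "ste", "apartment": "apt",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_address(street, postal_code):
    """Build a comparison key: lowercase, punctuation removed,
    abbreviations folded, postal code cut to its first five digits."""
    text = re.sub(r"[^a-z0-9 ]", " ", street.lower())
    tokens = [ABBREVIATIONS.get(tok, tok) for tok in text.split()]
    zip5 = re.sub(r"\D", "", postal_code)[:5]
    return " ".join(tokens) + "|" + zip5


def match_vendors_to_employees(vendors, employees, payments):
    """Return vendor/employee pairs that share a normalized address,
    ordered by total payments to the vendor (largest first)."""
    employees_by_key = defaultdict(list)
    for emp in employees:
        key = normalize_address(emp["street"], emp["postal_code"])
        if key.startswith("|"):      # blank street: nothing to compare on
            continue
        employees_by_key[key].append(emp)

    paid = defaultdict(Decimal)      # vendor_id -> total paid
    for vendor_id, amount in payments:
        paid[vendor_id] += Decimal(amount)

    exceptions = []
    for vendor in vendors:
        key = normalize_address(vendor["street"], vendor["postal_code"])
        if key.startswith("|"):
            continue
        for emp in employees_by_key.get(key, []):
            exceptions.append({
                "vendor_id": vendor["vendor_id"],
                "vendor_name": vendor["name"],
                "employee_id": emp["employee_id"],
                "matched_key": key,
                "total_paid": paid[vendor["vendor_id"]],
            })
    return sorted(exceptions, key=lambda e: e["total_paid"], reverse=True)


# Constructed sample data (not real records).
VENDORS = [
    {"vendor_id": "V100", "name": "Northside Office Supply",
     "street": "4400 Industrial Boulevard, Suite 12", "postal_code": "60601"},
    {"vendor_id": "V101", "name": "Apex Consulting",
     "street": "218 Maple Street Apt. 4", "postal_code": "60614-2231"},
    {"vendor_id": "V102", "name": "Metro Fuel Co",
     "street": "9 Harbor Road", "postal_code": "60607"},
    {"vendor_id": "V103", "name": "Lakeview Services",
     "street": "77 W. Oak Ave", "postal_code": "60610"},
    {"vendor_id": "V104", "name": "Unaddressed Vendor",
     "street": "", "postal_code": ""},
]
EMPLOYEES = [
    {"employee_id": "E7", "street": "218 MAPLE ST., APT #4", "postal_code": "60614"},
    {"employee_id": "E9", "street": "77 West Oak Avenue", "postal_code": "60610"},
    {"employee_id": "E12", "street": "12 Pine Ln", "postal_code": "60622"},
    {"employee_id": "E15", "street": "", "postal_code": ""},
]
PAYMENTS = [
    ("V100", "12000.00"), ("V101", "4800.00"), ("V101", "5200.00"),
    ("V102", "310.25"), ("V103", "950.00"),
]

if __name__ == "__main__":
    for row in match_vendors_to_employees(VENDORS, EMPLOYEES, PAYMENTS):
        print(row["vendor_id"], row["vendor_name"], "matches employee",
              row["employee_id"], "| total paid:", row["total_paid"])
```

A match is only a notable item for follow-up with tests of details, and a vendor record with no address at all (skipped here) is a separate exception worth listing on its own.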
Also, the auditor might use ADA as a substantive procedure. For example, a local transportation
district may hire primarily hourly workers under a union contract to drive and maintain
buses. The transportation district has good internal controls over the master payroll file
and over capturing hours worked electronically. All hourly workers are paid every two weeks,
and all hourly pay is classified in the same payroll expense account. The auditor may use ADA
to recalculate gross payroll for hourly employees and this classification of payroll expense. The
auditor will still have to perform other payroll cutoff tests, but the auditor may use ADA to
substantiate the vast majority of payroll expense for the transportation district.
ADA, substantive analytical procedures, and tests of details are all powerful tools, but
they do not replace the need for professional judgment and skepticism. Auditors must use
professional judgment when designing the procedures, interpreting the results, and determining
how the results influence the nature, timing, and extent of other audit procedures. Auditors
must use their professional skepticism, being careful to prevent confirmation bias when
interpreting results. Confirmation bias is the tendency to seek or interpret evidence in ways that
support pre-existing beliefs or expectations.3 If client management has already explained why
a transaction was an outlier or why an analytical procedure did not align with the auditor’s
expectation, auditors must be careful not to seek evidence that solely confirms management’s
explanation. Auditors need to exercise professional skepticism and consider all information,
whether it supports or contradicts the original explanation provided by management.

confirmation bias  the tendency to seek or interpret evidence in ways that support pre-existing
beliefs or expectations

Before You Go On
3.1 Explain a dual-purpose test. Provide an example.
3.2 What factors impact the effectiveness and efficiency of using substantive analytical
procedures to respond to risk?
3.3 What are some advantages of using audit data analytics in the audit process?
3.4 How could confirmation bias impact an audit? Provide an example.

Timing of Substantive Procedures


Learning Objective 4
Explain and analyze factors that impact the timing of substantive procedures at the
assertion level.

Chapters 3 and 8 have addressed the timing of performing both tests of controls and substantive
procedures. Recall that testing of internal controls is performed during an interim period, which
may be two or three months before the client’s year-end. Some substantive procedures can also
be performed at interim. For assertions that have a lower risk of material misstatement, it may
be more efficient for auditors to perform substantive procedures on those assertions prior to
year-end to allow more time for testing higher risk assertions at year-end. For example, during
the risk assessment phase, auditors determined that the occurrence assertion for a client’s
prepaid expense transactions has a low risk of material misstatement. The auditors also tested
the effectiveness of internal controls over the recording of transactions in the prepaid expenses
account and concluded that controls are effective. Therefore, during the interim period, auditors
perform tests of details by selecting a sample of prepaid expense transactions from the ledger
and vouching the transactions to supporting documentation to test the occurrence assertion for
the transactions. Note that since the vouching is being performed at interim, the transactions
available for testing are those that occurred from the beginning of the year through the interim
period, which is usually through the client’s third quarter. Illustration 9.5 lists factors auditors
consider when deciding to perform substantive tests at an interim date.

3 R. Fay and N. Montague, “I’m Not Biased, Am I?” Journal of Accountancy 2019, no. 2 (2015), pp. 26–31.

ILLUSTRATION 9.5  Factors to consider regarding the performance of substantive procedures at an interim date

| Factor | More Likely to Perform Substantive Tests at Interim If… |
|---|---|
| Internal controls | Internal controls, including the control environment, are effective. |
| Assessed risk of material misstatement | Assessed risk of material misstatement is low. |
| Availability of information to perform procedures | Information is available during the interim period that may not be readily available at year-end. |
| Nature of the substantive procedure | The type of procedure can be performed at interim. For example, inquiry of management and inspection of fixed assets can be performed during interim, but observation of the physical inventory count can only be performed at the time scheduled by the client, which is typically at year-end. |
| Nature of the account and relevant assertions | Little change is expected in an account balance during the period from interim to year-end. |
| Auditor’s ability to perform additional procedures to cover the remaining period | Additional procedures can be performed during the period after interim and after year-end, if necessary. |

When substantive procedures are performed during an interim period, auditors perform
roll-forward procedures to update their audit findings from the time of the interim procedures
through to year-end. The nature and extent of these roll-forward procedures are matters
of judgment and are responsive to the risk assessment. When the entity’s control environment
has been assessed as effective, controls have been tested, and no significant changes in
the control environment and controls have occurred, limited roll-forward procedures, such
as substantive analytical procedures or limited tests of details of transactions occurring
between the interim period and year-end, may be all that are necessary. For example, auditors
used inspection of supporting documents, observation of physical assets, and inquiry of client
personnel to test the existence and completeness of fixed asset additions and disposals during
the interim period, which was the end of the client’s third quarter. At year-end, auditors could
perform roll-forward procedures on any fourth-quarter activity by scanning fixed asset
transactions, inquiring about any unusual or large transactions and, if necessary, performing
further tests of details on fourth quarter transactions. Illustration 9.6 shows a timeline of when
the interim substantive testing is performed and when the roll-forward procedures are
performed for a December 31 year-end client.

roll-forward procedures  procedures performed at year-end on transactions occurring between
an interim date and year-end (the roll-forward period) to provide sufficient appropriate audit
evidence on which to base conclusions at year-end when substantive procedures are performed at
an interim date

ILLUSTRATION 9.6  Illustration of roll-forward procedures
[Timeline figure. Labels: interim substantive testing on 1/1 to 9/30 transactions and 9/30 account
balances; roll-forward procedures for 9/30 to 12/31 transactions; period covered by the 2022
financial statements. Dates marked: 1/1/2022, 9/30/2022, 12/31/2022, 1/31/2023.]
Some substantive procedures can only be performed at year-end due to the nature of the
assertion or the timing of the transactions. For example, the client makes final adjusting
entries and closing entries at year-end to prepare the annual financial statements. Auditors will
inspect and recalculate the entries at year-end. They also reconcile the annual financial
statements with the underlying accounting records. Substantive tests of details to test the cutoff
assertion for sales transactions are also performed at year-end. The cutoff assertion for sales
means that transactions have been recorded in the proper accounting period. Auditors inspect
supporting documentation for sales transactions that occurred just before and after the
year-end date. They compare the dates on sales invoices with the dates of shipment of inventory
and the dates of recording the transaction in the sales journal to ensure that sales are recorded
in the proper accounting period.
Finally, if during risk assessment auditors have identified risks of material misstatement
due to fraud, they may consider changing the timing of audit procedures. For example,
the auditor may decide that due to the heightened risk, performing substantive procedures
at interim would not be effective. Gathering evidence at year-end would provide
more reliable evidence in response to the assessed risk of material misstatement due to
fraud.

Before You Go On
4.1 What types of assertions are more likely to be tested at interim? Provide an example.
4.2 Explain roll-forward procedures.
4.3 Why can some substantive procedures only be performed at year-end? Provide an example.

Extent of Substantive Procedures


Learning Objective 5
Explain and analyze factors that impact the extent of substantive audit procedures
at the assertion level.

The extent of substantive procedures refers to how much testing will be performed within a
class of transactions or account balance. A key issue for the auditor to decide is whether to
screen 100% of the transactions using ADA, or whether to use an audit sampling approach.
Audit sampling is discussed in more detail in Chapter 10. In general, an auditor is more likely
to use ADA when the following conditions exist:

•  Evidence to support the audit test is available in electronic form.
•  The audit population is large and the auditor’s tests are supported by reliable and relevant
data in electronic form, making ADA efficient.
•  Relevant data is reliable and internal controls over the reliability of data are strong.
•  Relevant data is clean or can be cleaned up easily.

Alternatively, the auditor is more likely to use audit sampling when:

•  Professional standards expect the auditor to perform certain audit procedures (e.g., observe
inventory or confirm receivables).
•  Evidence to support the audit test is not available in electronic form.
•  The audit population is small and can efficiently be tested using traditional audit tests.
•  Relevant data is not reliable and internal controls over the reliability of data are weak.
•  Relevant data may be in different formats and is not easy to use.

When the auditor chooses to engage in audit sampling, Illustration 9.7 shows the link
between the assessment of inherent risk and control risk and how it impacts the amount
of substantive testing required to reduce detection risk to an acceptable level. For example,
if the combined inherent risk and control risk are high (bottom right shaded corner), the
amount of detection risk the auditor is willing to accept is very low and therefore extensive
substantive procedures are necessary to reduce detection risk. If the combined inherent risk
and control risk are low (top left shaded corner), the amount of detection risk the auditor is
willing to accept is high and therefore few substantive procedures are necessary to reduce
detection risk.

ILLUSTRATION 9.7  Linkage between inherent risk, control risk, detection risk, and substantive procedures

| Inherent Risk (IR) Assessment | Control Risk (CR) Assessment: Low (controls tested extensively and able to be relied upon) | Control Risk (CR) Assessment: Medium (limited controls tested and able to be relied upon) | Control Risk (CR) Assessment: High (no controls tested and no assurance from controls) |
|---|---|---|---|
| Low (lower risk of material errors if no controls in place) | Few substantive procedures required; DR = High | Some substantive procedures required; DR = Medium | Considerable substantive procedures required; DR = Low |
| High (higher risk of material errors if no controls in place) | Some substantive procedures required; DR = Medium | Considerable substantive procedures required; DR = Low | Extensive substantive procedures required; DR = Very Low |

Essentially, extent of substantive procedures is referring to sample size. For example,
if a client has 10,000 customers, how many customers should the auditor select to receive
confirmation requests? The answer will depend primarily on the assessed risk of material
misstatement for the account balance. If the risk of material misstatement is high (and
detection risk is low), then a larger sample size should be selected. If the risk of material
misstatement is low (and detection risk is high), then a smaller sample size should be
selected. Auditors will also consider qualitative factors when determining sample size.
For example, if there has been significant turnover in the accounts receivable department
and the client is concerned there may be errors, auditors may decide to increase the sample
size. Or as another example, perhaps the client implemented a new discount program
to encourage customers to pay their accounts receivable balances early. Auditors may
decide to increase sample size to ensure that discounts on customer payments were
appropriately calculated and recorded according to the guidelines of the discount program.
When selecting a sample, auditors may decide to select all items (testing 100%) for substantive
tests of details (rather than ADA). For some account balances or classes of transactions, it
may be appropriate and feasible for auditors to test 100% of the population. Some account
balances have a small population of transactions, but the transactions are large in dollar value. For
example, a retail clothing client has a prepaid advertising account. The client pays in advance
for social media advertising four times during the year. The amount of each payment is material,
but the payment amount varies during the year because of the seasonal nature of the
retail industry (i.e., more advertising occurs during the holiday season). Auditors will perform
substantive procedures on all four transactions for the year, such as inspection of advertising
invoices, inspection of contracts with the advertising vendors, and possibly confirming directly
with the advertising vendors the amount of prepaid advertising still available at year-end.
Another reason to test 100% of a population is because significant risk exists for a class
of transactions or account balance. Testing 100% of the population may be the most effective
way of gathering sufficient appropriate audit evidence. For example, a large beverage company
may have acquired several smaller beverage companies during the year. As a result of
the acquisitions, the client has a material increase in intangible assets such as copyrights and
trademarks. Determining the useful life of some intangibles involves judgment which poses a
significant risk. Therefore, auditors may decide to audit 100% of the amortization transactions
for the intangible assets account.
If it is not feasible to select all items, auditors may decide to select specific items from a
population. Which items to select depends on auditor judgment, but a common method is
selecting high dollar value items or key items. Items may be selected because they have a high
dollar value or for some other characteristic, such as being unusual, suspicious, or having a
history of error. For example, to test the existence assertion of a client’s $3 million accounts
receivable balance, auditors will send confirmations to customers. The client has two key
customers whose accounts make up $2.1 million of the balance. By selecting these two key
customers to confirm, and assuming the customers’ replies, auditors can conclude that 70% of the
accounts receivable balance does exist.
Another method of selecting specific items from a population is to select items that are
over a certain dollar amount when testing for overstatement. By selecting items over a certain
amount, auditors are ensuring that a large portion of the account balance or class of
transactions is being included in the testing. For example, a client has 200 customers with a total
accounts receivable balance of $3 million. Thirty of the customers carry balances of at least
$75,000 while the remaining 170 customers have balances of less than $75,000. If auditors
send confirmations to the 30 customers with balances of at least $75,000, then at least 75%
of the accounts receivable balance is being confirmed ($75,000 × 30 = $2,250,000). Selecting
specific items involves auditor judgment, which means nonsampling risk is a factor.
Nonsampling risk is discussed in Chapter 10.
Finally, auditors can use statistical audit sampling to select a sample of items to test. By
using statistical sampling, auditors can draw conclusions about an entire population based on
the results of the sample testing. Statistical sampling can be used in addition to testing specific
items from a population. Chapter 10 continues a more in-depth discussion of statistical
sampling with substantive procedures.

Cloud 9 - Continuing Case


Ian and Suzie have decided that analytical procedures will not be sufficient for all accounts.
For each major transaction process and account balance they will also conduct tests of details
of transactions. For vouching tests, the auditors will sample transactions and balances in the
accounting records and go to the underlying documentation (or physical assets) to confirm the
recorded details. For example, for sales recorded as being made prior to the fiscal year-end,
they will examine the invoices and shipping documents to gather evidence on the date, amount,
and other details of the transactions. If they find a sales invoice with a February date has
been included in the sales for the year ended January 31, they have evidence of a misstatement
in the occurrence and cutoff assertions for sales.
They will also trace the details in a sample of documents through to Cloud 9’s accounting
records. This means that they will start with the documents and then test how that transaction
(or asset or liability) is recorded in the client’s accounts. For example, if they find a sales
invoice with a January date that is not included in the sales for the year, they will have
evidence of a misstatement in the completeness and cutoff assertions for sales. Suzie advises
Ian that the sample sizes and approach to sampling are determined by the results of the controls
testing and the resulting expectations for errors.
Suzie also asks Ian to include tests of details of accounts, such as accounts receivables and
property, plant, and equipment (PPE), in the detailed audit program. Where the risk is low, such
as PPE, they will perform these tests at an interim date.
Finally, Suzie informs Ian that the IT audit manager, Mark Batten, is writing the ADA program.

Before You Go On
5.1 Describe two situations in which the auditors may decide to test 100% of a population.
5.2 What techniques can an auditor use to select specific items from a population to test?
5.3 What is an advantage of using statistical sampling?

Auditing Accounting Estimates


Learning Objective 6
Explain and apply audit procedures used to audit accounting estimates.

Financial statements include a variety of items that cannot be measured precisely and must
be estimated by client management. An accounting estimate is an approximation of a monetary
amount when a precise means of measurement is not available. In your studies of financial
accounting you encountered examples of accounting estimates such as uncollectible
receivables, useful lives and residual values of fixed assets, and future warranty liabilities.
What is the auditor’s responsibility regarding accounting estimates made by management?
AU-C 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related
Disclosures states the objective of the auditor is to obtain sufficient appropriate evidence
that (1) accounting estimates are reasonable and (2) related disclosures are adequate (AU-C
540.06). This section discusses the nature of accounting estimates, risk assessment procedures
related to estimates, and the auditor’s procedures for responding to risks associated with
accounting estimates. (Note: The PCAOB has two standards related to accounting estimates and
fair value measurements: AS 2501 Auditing Accounting Estimates and AS 2502 Auditing Fair
Value Measurements and Disclosures.)

accounting estimate  an approximation of a monetary amount when a precise means of
measurement is not available

Nature of Accounting Estimates


According to AU-C 540.03, there are two types of accounting estimates:

1. Forecasting the outcome of a transaction or event as required by a financial reporting
framework. Examples in this category include estimating uncollectible receivables and
estimating the probability and amount of litigation loss.
2. Determining fair value of a transaction or financial statement item for inclusion in the
financial statements and disclosure in the notes as required by a financial reporting framework.
Examples in this category include determining the fair value of goodwill and intangible
assets in a business combination and determining the fair value of complex financial
instruments that are not traded in an open market.

Once the final outcome of the transaction or event occurs, it is expected that there will be
a difference between the outcome of the accounting estimate and the amount originally
recognized or disclosed in the financial statements. This difference does not necessarily
constitute a misstatement, but rather the outcome of estimation uncertainty. Estimation
uncertainty is the susceptibility of an accounting estimate and related disclosures to an
inherent lack of precision in its measurement. For example, a client sells commercial-grade
lawn mowers and offers a one-year warranty for any repairs that may be needed on the
mowers. Based on past experience, the client estimates a future warranty liability of 5% of
sales revenue and records that on the balance sheet. Suppose over the next year the client
performs warranty repairs that total 6% of sales revenue, which is more than was estimated
on the prior-year balance sheet. Does that mean the prior-year balance sheet is misstated?
No, it just means that actual warranty repairs were more than originally estimated. Some
years the warranty repairs will be less than estimated. The most important factor is that
management monitors the amount of actual warranty repairs and adjusts its estimate each
year as needed.

estimation uncertainty  the susceptibility of an accounting estimate and related disclosures
to an inherent lack of precision in its measurement
Some accounting estimates involve more estimation uncertainty than others. The amount
of estimation uncertainty is affected by the nature of the accounting estimate, the subjectivity
of the assumptions used to make the estimate, and the extent to which a generally accepted
method or model is available to aid in developing the estimate. Illustration 9.8 provides
examples of estimates that have lower estimation uncertainty and estimates that have higher
estimation uncertainty. It is important for auditors to be aware of the degree of estimation
uncertainty related to an accounting estimate. In general, accounting estimates with a high
degree of estimation uncertainty pose a greater risk of material misstatement. In contrast,
accounting estimates with lower estimation uncertainty have a lower risk of material
misstatement.

ILLUSTRATION 9.8  Estimation uncertainty with accounting estimates

| Lower Estimation Uncertainty | Example |
|---|---|
| Accounting estimates involving non-complex business activities | Estimating warranty liabilities for sales of a readily available consumer product |
| Accounting estimates that are frequently made and updated because they relate to routine transactions | Estimating the allowance for doubtful accounts |
| Accounting estimates derived from data that are readily available | Imputing the interest rates on receivables or payables using published interest rate data |
| Fair value accounting estimates in which the method of measurement dictated by the applicable financial reporting framework is simple and easily applied to the asset or liability requiring measurement at fair value | Using published market values of equity securities that are held as trading securities and must be reported at fair value on the balance sheet |
| Fair value accounting estimates made using measurement models that are well-known or generally accepted | Using the Black-Scholes model to determine the fair value of stock options granted to employees |

| Higher Estimation Uncertainty | Example |
|---|---|
| Accounting estimates related to the outcome of litigation | Estimating a potential loss from a breach of contract dispute with a vendor in which litigation could continue for several years |
| Fair value accounting estimates for financial instruments not publicly traded | Estimating the fair value for a derivative financial instrument that is not traded on a public market |
| Fair value accounting estimates for which an entity-developed model is used or for which there are assumptions that cannot be observed in the marketplace | Estimating the fair value of highly specialized, internally developed equipment that is being offered as consideration in a nonmonetary exchange of plant assets with another party in a different line of business |

Source: AU-C 540.A2-.A7.
management bias  a lack of neutrality by management in the preparation and fair presentation
of information

Accounting estimates, by their nature, involve subjective decision-making on the part
of management. Therefore, accounting estimates may be subject to management bias.
Management bias is a lack of neutrality by management in the preparation and fair
presentation of information. The lack of neutrality by management may be unintentional or
intentional. Intentional management bias is usually driven by pressure on management to achieve
a target result and could be an indicator of fraud. (See Chapter 3, “Incentives and Pressures to
Commit Fraud,” for more fraud risk factors.) AU-C 540.A134 states auditors should be aware
of indicators of possible management bias such as:

•  Changes in an accounting estimate, or the method for making it, that are based on sub-
jective assumptions.
•  Using management’s own assumptions for fair value estimates when they are inconsis-
tent with readily observable market assumptions.
•  Selecting or developing significant assumptions that yield an estimate more favorable for
management’s objectives.
•  Selecting an estimate that indicates a pattern of optimism or pessimism.

Auditors must exercise their professional skepticism and question management’s methods,
assumptions, and motivations for the accounting estimates included in the financial state-
ments and disclosures.

Cloud 9 - Continuing Case


Suzie asks Ian to consider Cloud 9’s estimated warranty liability. The estimated warranty liability is included in accrued liabilities on the balance sheet and trial balance. Included in accrued liabilities on the October 31, 2022 trial balance is an estimated warranty liability of $832,015, which is slightly higher than the liability on the prior year’s October 31, 2021 trial balance of $808,326. Suzie asks, “What is the likelihood that the liability is understated? Are there any reasons to believe there are unidentified claims, and how would auditors detect such claims?”
Ian does not know of any change in manufacturing conditions that would affect the quality of Cloud 9’s product, and thus the obligation under the warranty program. However, a new product was introduced at the start of the previous year. “Because sales of the new ‘Heavenly 456’ walking shoe are now 20% of total sales, we should consider any possible effects on the warranty liability. I recommend specific work be done to assess the claims from this new product.”
“However, if we remove this product from the analysis, the relationship between the warranty liability and sales is likely to be similar to past years. Because warranties apply to products, the amount of the warranty liability is determined by sales volume and product quality. Therefore, if conditions affecting product quality have not changed, and there is no change to the warranty program, substantive analytical procedures are a useful way of testing the reasonableness of the warranty liability.”
“Finally,” Ian concludes, “relying on substantive analytical procedures to test the warranty liability is more justified if control testing suggests that Cloud 9 has effective controls over warranty claim estimation and identification of pending claims.”

Risk Assessment Procedures for Accounting Estimates

We learned in Chapters 3 and 4 that auditors must perform risk assessment procedures to
gain an understanding of the entity and its environment for the purpose of assessing risk and
planning audit procedures. During the risk assessment phase, auditors gain an understanding
of the nature and type of accounting estimates made by management. Specifically, auditors
perform the following procedures:

1. Gain an understanding about what is required by the client’s financial reporting framework.
The financial reporting framework may specify conditions or methods for making accounting
estimates, require measurement of certain items at fair value, and require specific disclosures.
2.  Inquire of management regarding the process for identifying the need for accounting 
estimates. The process of identifying the need for accounting estimates is influenced by
management’s knowledge of the industry, management’s business strategies being imple-
mented during the period, and prior experience with management’s preparation of the
entity’s financial statements.
3.  Inquire of management regarding how accounting estimates are made. Auditors want to
gain a thorough understanding of management’s process for making the accounting esti-
mates. Specific examples of inquiries are:
a.  What is the method of measurement? In some cases, the financial reporting framework
may dictate the method of measurement, such as the use of a specific model. If the
financial reporting framework does not specify a method or model, then auditors con-
sider if management is using a method commonly used in its industry. If management
has developed its own model or has departed from what is commonly used in its indus-
try, there could be a greater risk of material misstatement for the accounting estimate.
b. What controls are in place? Auditors should inquire about the data being used to de-
velop the estimate. Are there controls to ensure the data is complete, relevant, and
accurate? The members of management tasked with making the estimate should be
competent and experienced, and there should be a review and approval process by ap-
propriate levels of management. There should be segregation of duties between those
tasked with making the estimate and those responsible for committing the entity to
the related transactions or events triggering the estimate. For example, sales staff who
interact with current and new customers to generate revenue should not also be tasked
with estimating bad debt allowances. If you are the salesperson who generated the
sale and related account receivable, you may not be objective when determining if the
account receivable is at risk of being a bad debt.
c.  What assumptions are used and how are they developed? Auditors should focus on the
most significant assumptions used by management. How does management deter-
mine the assumption is relevant and complete? Management may have information to
support assumptions that are used. Supporting information may come from external
sources, such as published interest rates, or from internal sources, such as previous
conditions experienced by the client. Management should fully document the assump-
tions used along with information supporting the use of the assumptions.
d. Has there been a change, or should there be a change, in the methods or assumptions
used to make an accounting estimate? Sometimes circumstances change, which brings
about change in the way an estimate is made. The change may be required by the
financial reporting framework or it may be caused by changes in the industry or eco-
nomic environment. If a change has been made, management must document support
for the change. If a change needs to be made but management has not altered its
method of estimation, then management should document its reasons for not altering
its estimation method.
e. Has management considered the effect of estimation uncertainty? There are several
ways management could assess the effect of estimation uncertainty on its estimates.
For example, management should consider alternative assumptions or outcomes to
determine how sensitive the estimate is to changes in assumptions. If there are several
different outcome scenarios for an accounting estimate, how does management deter-
mine which one to use? Also, management should monitor the outcomes of account-
ing estimates from the prior period and use information from that monitoring process
to improve upon future accounting estimates.
4.  Inspect the outcome of prior period accounting estimates. Since many accounting estimates
arise from routine and recurring transactions, such as estimating uncollectible accounts
receivable, it may not be necessary for auditors to review every accounting estimate from
the prior period. But for prior-period accounting estimates that had a high degree of esti-
mation uncertainty, auditors should review the outcome of the accounting estimate in the
current year or review the re-estimation of the item if the outcome has not yet occurred.
A review of prior period accounting estimates is also required by AU-C 240 Consideration
of Fraud in a Financial Statement Audit. If management bias is detected in prior-period
accounting estimates, it could represent an increased risk of material misstatement due
to fraud for the current year financial statements.

After performing these risk assessment procedures, auditors assess the risk of material
misstatement related to the client’s specific accounting estimates. Remember, every client is
unique, so the types of accounting estimates made by each client will vary. Auditors should
evaluate the degree of estimation uncertainty for each accounting estimate. Typically, those
with more estimation uncertainty will have a higher risk of material misstatement and be
more susceptible to management bias. Auditors must use their professional judgment and
professional skepticism to determine if any of the accounting estimates are considered signif-
icant risks. The level of assessed risk of material misstatement for each accounting estimate
will determine how auditors plan their risk response.

Risk Response Procedures for Accounting Estimates


Using the assessed risk of material misstatement determined from the risk assessment pro-
cedures, auditors plan the nature, timing, and extent of the procedures to be used during risk
response. The objectives of the audit procedures are (1) to determine if management appro-
priately applied the requirements of the applicable financial reporting framework and (2) to
determine if the methods used for arriving at the accounting estimate are appropriate. Auditors
use the knowledge gained about the industry and the applicable financial reporting framework
during risk assessment to evaluate management’s estimation processes. Risk response proce-
dures may include tests of controls, substantive procedures, or a combination of both.
If the client has well-designed, implemented, and documented controls over the prepa-
ration of accounting estimates, then an appropriate risk response would be to test the oper-
ating effectiveness of the controls. For example, a client has controls in place for the review
and approval of the accounting estimates by appropriate levels of management, and when
applicable, by those charged with governance. Auditors would test the control by inspecting
documentation that shows approval by the appropriate level of management.
If testing the operating effectiveness of controls alone does not provide sufficient appro-
priate audit evidence, auditors also conduct substantive procedures on the reasonableness of
accounting estimates. Some specific procedures include the following:

•  Inquire about the method of measurement. If the financial reporting framework does not
specify a method of measurement, then the method selected is a matter of professional
judgment. Auditors should inquire about management’s rationale for the method selected,
if the method is consistent with what is used in the industry, and if management consid-
ered other alternative methods.
•  Inquire about assumptions used by management. Auditors should evaluate the assump-
tions used by management in developing the accounting estimate. Items that auditors
should consider include reasonableness, consistency with assumptions used in prior
periods and, in the case of fair value accounting estimates, whether the assumptions
appropriately reflect observable market conditions.
•  Recalculate the accounting estimate. If management used a model recommended by the
financial reporting framework to develop the accounting estimate, auditors should also
use that model and recalculate the accounting estimate. If applicable, they may need
to test the data that is used as input for the model to ensure it is reliable and complete.
Performing a recalculation procedure provides evidence that the model was used cor-
rectly and that management’s estimate is reasonable.
•  Inspect events occurring after year-end and up to the date of the auditor’s report. Financial
statements are prepared after the client’s year-end with management using the best
information available near, or shortly after, the end of the year to prepare accounting
estimates. Since year-end audit work takes place during the six to eight weeks after the
client’s year-end date, events may occur after year-end, but before the audit is completed,
that provide more information regarding the accounting estimate. Sometimes, the
accounting estimate may even be resolved before the audit is complete. For example, a
client has three large accounts receivable balances that have been outstanding for over
90 days. Three weeks after year-end, two of the three accounts receivable balances are
paid in full, which provides audit evidence relating to the appropriateness of the estimate
of the allowance for doubtful accounts. In situations like this one, no further procedures
may be needed because sufficient appropriate evidence has been obtained.

For accounting estimates that have been identified as significant risks, auditors may perform
further substantive procedures. For example, the auditor should inquire how management
has addressed the effect of estimation uncertainty on the accounting estimate. Has manage-
ment used different methods or different assumptions to see how the accounting estimate is
impacted? If there is a large monetary difference in the estimate when different assumptions
are used, how did management choose which estimate to use? For accounting estimates that
are very specialized, such as some fair value accounting estimates, auditors have the option of
using a specialist to gather sufficient appropriate audit evidence that the accounting estimate
is reasonable. (See “Using the Work of a Specialist” in Chapter 5 for more information.)

Cloud 9 - Continuing Case


During their conversation about Cloud 9’s warranty liability, Suzie asks Ian about how they would use other substantive procedures to obtain evidence about the completeness assertion for the liability balance. “For example,” Suzie asks, “would inspecting documents using vouching and tracing be useful and, if so, how would you use them?” Ian is still keen on using substantive analytical procedures but considers the question carefully. “I think we would use vouching to get evidence about transactions or balances that are recorded as warranty claims by Cloud 9. We could do this by selecting transactions or items in the account balance and obtaining the documentary evidence to support each one. However, it might be more useful to consider tracing because this would allow us to start with the documents and get evidence about how and whether the transactions are recorded in the accounts. If we find a document relevant to a warranty claim has not been recorded in the accounting system, we would be concerned that the liability is understated, or not complete. Additionally, we would like to examine transactions around the balance sheet date and make sure they are recorded in the correct accounting period. This evidence relates to the cutoff assertion and is part of considering completeness.”

Example of Auditing Accounting Estimates


Let’s walk through the risk assessment and risk response procedures for auditing account-
ing estimates by using an estimate you studied in a financial accounting course—recording
inventory at lower-of-cost-or-net-realizable-value (LCNRV). Your client is Hi-Tech Manu-
facturing (Hi-Tech), a company that manufactures parts for personal computers and tablets.
During risk assessment, you perform the following procedures regarding the estimate of
LCNRV:

1. Gain an understanding about what is required by the client’s financial reporting framework.
Your client is based in the United States and uses GAAP as the financial reporting frame-
work. Normally, inventory is recorded at cost. However, if net realizable value (NRV)
drops below cost, GAAP requires that inventory be written down to NRV. NRV is defined
as the net amount a company expects to realize from the sale of inventory. NRV is calcu-
lated as estimated selling price less costs associated with making the sale, such as adver-
tising, transportation costs, or further completion costs. The difference between cost and
NRV is recorded as a loss.
2.  Inquire of management regarding the process for identifying the need for an accounting
estimate. You have a meeting with the controller to discuss inventory valuation. Since the
IT industry is very competitive and quick to change, inventory obsolescence is a major
risk for Hi-Tech. New technologies are always being introduced to the market, which puts
current technologies at risk of being outdated and no longer preferred by consumers. The
controller is aware of the LCNRV rule and knows it must be considered in the preparation
of the financial statements.
3. Inquire of management regarding how the accounting estimate is made. The controller
goes on to tell you that every month he meets with the inventory manager, production
manager, and sales manager to discuss inventory valuation. If necessary, they meet
more often than once a month. The goal is to produce just enough inventory to meet
sales orders. To accomplish this goal, the sales team communicates frequently with
customers regarding how much inventory they need and any modifications Hi-Tech
should make to existing inventory items to keep them relevant. The sales team then
communicates with the production team to maintain tight control over production to
minimize producing items that cannot be sold or are at risk of being sold below cost.
Even with this process in place, Hi-Tech occasionally has inventory that becomes
obsolete if it is not sold fast enough or if it is returned by a customer. Inventory
warehouse personnel tag inventory that is slow-moving or deemed obsolete, and move
it to a designated area in the warehouse. Each month, the inventory manager sends an
“obsolete report” to the controller with details about any inventory that is tagged as
obsolete. At the monthly meeting with the inventory, sales, and production managers,
the controller discusses the inventory on the obsolete report. As a team, they determine
the estimated NRV of the inventory shown on the report. Based on customer demand
for the product, the sales manager provides input on the estimated selling price. The
production manager provides input on any further costs to complete the inventory
item, and the inventory manager provides information on transportation costs. If the
estimated NRV is less than inventory cost, the controller calculates the difference and
proposes an adjusting entry to debit a loss and credit an inventory allowance account.
The proposed adjusting entry is then sent to the CFO for approval. Minutes are kept
at all of the monthly meetings to document the process of determining if inventory is
obsolete and for estimating NRV.
4.  Inspect the outcome of prior period accounting estimates. In the prior-year audit of
Hi-Tech, the financial statements included a write-down of some inventory to NRV.
However, the amount of last year’s write-down was not material to the overall inven-
tory account. The inventory that was written down in the prior year is no longer in the
warehouse for the current year. It was either sold at a price below cost or disposed of as
recycling. The client’s estimate of last year’s NRV was very close to the actual selling price
or disposal costs, which is to be expected since estimating NRV for inventory is a fairly
routine estimate that Hi-Tech makes in the ordinary course of business.

After performing these risk assessment procedures, you assess the risk of material mis-
statement related to Hi-Tech’s estimate of NRV for inventory items. Since the technology
industry exhibits a fast rate of change and fierce competition, it may be challenging to esti-
mate a reasonably accurate NRV for some inventory. On the other hand, inventory transac-
tions are routine and each year there are usually some items that have to be written down
to NRV. Therefore, you assess inherent risk for this estimate as medium. Hi-Tech appears
to have strong controls in place for how the estimate is determined, so your preliminary
assessment of control risk is low. These risks combined would equal a low to medium risk
of material misstatement for the estimate of NRV.
A couple of months later, your audit team is performing interim procedures at Hi-
Tech at the end of the third quarter. You are assigned to test controls over the estimate of
NRV for inventory. You inspect the minutes from the monthly meetings of the controller,
sales manager, inventory manager, and production manager. The minutes are very de-
tailed and provide good explanations for how the team determined the estimate of NRV.
You also inspect the monthly obsolete inventory reports from the beginning of the year
through the third quarter. There has been some obsolete inventory each month, but it has
been immaterial. You also inspect the controller’s proposed journal entries and see the
CFO’s signed approval for each month’s entry. You document your findings on the con-
trols testing and conclude that control risk is low for the process of estimating the NRV
for inventory.
Your team returns to conduct year-end fieldwork after Hi-Tech’s fiscal year is over. The
time frame for completing year-end work is six weeks. One of your tasks is to perform sub-
stantive procedures on the estimate of NRV for inventory. During the last month of the year,
Hi-Tech had identified more obsolete inventory than all previous months combined. The pri-
mary inventory item identified as obsolete in the last month was a lower-grade screen used in
some tablets. The companies that buy this part from Hi-Tech are phasing out the lower-grade
screens and using stronger screens that are more resistant to damage. Hi-Tech has halted pro-
duction of the lower-grade screen but has a large number of them on hand. After year-end,
the controller, sales manager, inventory manager, and production manager held the monthly
meeting to discuss the situation and prepare the estimate of NRV. The controller prepared an
adjusting entry, and the CFO approved it. You perform the following substantive procedures
on the year-end estimate:

1.  Inquire about the assumptions used by management. You are already familiar with the
process used by management to determine the estimate. Since this was a larger amount
of obsolete inventory than any other month, you speak with the controller about the sit-
uation. He provides you with the minutes of the meeting in which his team determined
the estimate. The sales manager had communicated with several customers to see if there
was any interest in the lower-grade screens. Based on feedback from the customers and
changing preferences for more durable screens, the sales manager recommended a NRV
that is 25% of cost. There are no further costs for completion and a minimal packaging
cost if they are sold.
2. Recalculate the estimate. You recalculate the estimate of NRV as 25% of cost and agree to
the amount calculated by the controller. You trace the adjusting entry from the general
ledger to inclusion in the financial statements.
3.  Inspect events occurring after year-end and up to the date of the auditor’s report. One
week before the audit fieldwork is completed, the controller tells you the entire stock
of lower-grade screen inventory was sold. A company that does tablet repairs and refur-
bishing bought all of the lower-grade screens. The final selling price was for 20% of cost.
Since the obsolete inventory situation is resolved before the financial statements are
issued, the controller can refine the estimate to 20% of cost for reporting in the year-end
financial statements. The controller prepares the adjusting entry, it is approved by the
CFO, and you verify the entry is made and the updated amounts appear in the financial
statements.

You thoroughly document all of your work in the working papers. You conclude that Hi-Tech’s
estimate of LCNRV is fairly stated in all material respects.

Before You Go On
6.1 Describe the concept of estimation uncertainty.
6.2 What are some indicators of possible management bias in accounting estimates?
6.3 Briefly describe some audit procedures that can be used as substantive tests for accounting
estimates.

Documenting Results of Substantive Procedures


LEARNING OBJECTIVE 7
Describe how auditors document the results of substantive procedures.

misstatement  a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework; misstatements can arise from error or fraud

As auditors perform their substantive procedures, they may identify misstatements. A misstatement is a difference between what is reported in the client-prepared financial statements and what is required for the item to be presented fairly in accordance with the applicable financial reporting framework. The misstatement could occur with an account balance, transaction, classification, presentation, or disclosure and could be caused by error or fraud. Examples of causes of misstatements include the following:

•  Intentional or unintentional omission of an amount or disclosure.
•  Incorrect accounting estimate caused by a misinterpretation of facts or by management bias.
•  Inappropriate selection of accounting policies.
•  Inaccuracies in gathering or processing data.
•  Disclosures not presented in accordance with the applicable financial reporting framework.

AU-C 450 Evaluation of Misstatements Identified During the Audit and AS 2810 Evaluating
Audit Results state the auditor’s objective is to evaluate the effect of identified misstatements
on the audit and the effect of uncorrected misstatements, if any, on the financial statements.
Auditors document and accumulate the misstatements identified during the audit. Ma-
terial, and in some cases immaterial, misstatements are accumulated. A misstatement may
be classified as material because of its quantity or because of a qualitative factor. Recall from
Chapter 3 that an item may be material because of its nature, not its magnitude. For exam-
ple, the discovery of fraud, no matter how small, is qualitatively material and would warrant
further investigation by the auditors. Many misstatements discovered by auditors may be im-
material on their own, but when aggregated with other misstatements could have a material
impact on the financial statements. AU-C 450.A3 provides guidance to auditors when evalu-
ating the type of misstatements accumulated during the audit. The standard includes three
categories of misstatements as follows:

•  Factual misstatements. There is no doubt it is a misstatement because there is no element
of judgment involved.
•  Judgmental misstatements. These differences are caused by management judgment
regarding accounting estimates the auditors feel are unreasonable or the selection of
accounting policies the auditors feel are inappropriate.
•  Projected misstatements. These are the auditor’s best estimate of the misstatement in a
population based on the misstatement found in a sample drawn from the population.
(See Chapter 10 on audit sampling.)

The identification and resolution of misstatements is one of the auditor’s most important
responsibilities in an audit and is a critical step in the formulation of the audit opinion
on the fairness of the client’s financial statements. This is discussed in greater detail in
Chapter 14.
When auditors perform substantive procedures and identify misstatements they did not
expect, they reconsider their audit strategy and audit plan, and determine if the nature, tim-
ing, or extent of substantive procedures need to be modified. For example, suppose auditors
tested a client’s controls over accounts receivable processing and collections and determined
that controls were effective. If controls are effective, auditors would expect few misstatements
in the accuracy of the customer account balances. As a substantive procedure, auditors se-
lect a small sample of customer accounts to confirm. On half of the returned confirmations,
customers have notated that a difference exists in the balance as compared with their own
records. If controls are effective, why are so many of the confirmations returned as being in-
correct? Perhaps the controls are not effective as originally determined. Auditors would revisit
their audit strategy by reviewing their controls testing to see if something was missed or not
performed correctly. They would also consider increasing the sample size on the substantive
procedure and send out more accounts receivable confirmations to determine if the first sam-
ple results were an anomaly or if the issue is widespread.
All substantive audit procedures performed are documented in the working papers. Doc-
umentation should include the objective of the test, the substantive procedure performed,
what items were selected for testing, and the results of the testing. How much detail to in-
clude is a matter of professional judgment, but there needs to be enough detail regarding the
procedures performed to allow another auditor to review the working paper, re-perform the
steps (if necessary), and reach the same conclusion as the auditor who prepared the working
paper. Typically, the more judgment that is involved in conducting the substantive procedures
and evaluating the results, such as with some accounting estimates, the more documentation
is needed.

Cloud 9 - Continuing Case


Suzie asks Ian to set up the working papers for the tests they will perform. W&S Partners uses electronic working papers and there are examples available for Ian to use as a base for the Cloud 9 working papers.
The priorities for Ian are to ensure that each test is described in sufficient detail in the audit program so the audit staff can perform the test correctly and identify any misstatements. The working papers also have to provide for comments to be included as the work is completed and reviewed by senior staff.

Before You Go On
7.1 What is a misstatement?
7.2 List some possible causes of misstatements.
7.3 What information about substantive procedures should be documented in the working papers?

Learning Objectives Review


1  Demonstrate how audit risk, management assertions, and substantive procedures are linked.

An inverse relationship exists between the auditor’s assessed risk of material misstatement (combined inherent and control risk) and detection risk. When the risk of material misstatement is high, auditors will perform more substantive testing to keep detection risk low. When the risk of material misstatement is low, auditors may perform less substantive testing, which increases detection risk. It is possible that the auditor performed ADA as a risk assessment procedure, in which case, at the risk response phase the auditor is following up on notable items detected while performing ADA. The determination of the risk of material misstatement is made at the assertion level. The assertions are summarized in Illustration 9.2.

timing of the transactions. If auditors have identified risks of material misstatement due to fraud, they may consider changing the timing of audit procedures.

5  Explain and analyze factors that impact the extent of substantive procedures at the assertion level.

The extent of substantive procedures refers to how much testing will be performed, which essentially refers to sample size. A key question involves whether the auditor wants to use ADA and audit 100% of a large population to identify notable items, or whether the auditor wants to use audit sampling. This topic is discussed briefly in this section, and it is discussed in more depth at the beginning of Chapter 10. The assessed risk of material misstatement for the account balance or class of transactions will have the most influence on sample size. If the risk of material misstatement is high, then a larger sample size should be selected. If the risk of material misstatement is low, then a smaller sample size can be selected. When selecting a sample, auditors may decide to perform tests of details on all items (testing 100%), select specific items, or use audit sampling.

2  Describe methods of risk response at the financial statement level.

Some identified risks could have a pervasive effect on the financial statements as a whole, such as the risk of fraudulent financial reporting. Risk response at the financial statement level is affected by (1) the auditor’s understanding of the entity’s control environment and (2) the assessed risk of material misstatement due to fraud. Some methods of responding to risk at the financial statement level include emphasizing professional skepticism, having more supervision of the audit team, assigning more experienced audit staff, and including more elements of unpredictability in the selection and timing of audit procedures.

3  Explain and analyze factors that impact the nature of substantive procedures at the assertion level, including the use of audit data analytics.

The nature of an audit procedure refers to its purpose (test of controls or substantive procedure) and its type. Consideration of the nature
of the audit procedure is the most important factor when respond-
6  Explain and apply audit procedures used to audit
ing to the assessed risks. Auditors are required to perform substan-
tive procedures for all relevant assertions that have been identified accounting estimates.
during the risk assessment phase. When auditing an account balance,
auditors perform initial procedures before applying other substantive An accounting estimate is an approximation of a monetary amount
procedures, such as substantive analytical procedures and tests of de- when a precise means of measurement is not available. Two types of
tails. When conducting a substantive analytical procedure, auditors accounting estimates are forecasting the outcome of a transaction or
develop an expectation, or estimate, using data in the client’s records event and determining the fair value of an item or transaction that is
or data from reliable outside sources, and then compare the expecta- required to be included in the financial statements. Accounting es-
tion with the client’s recorded amount. Analytical procedures may be timates are subject to management bias and estimation uncertainty.
the only substantive procedures used to test an assertion, or they may During risk assessment, auditors gain an understanding of what is re-
be used in conjunction with tests of details. It is possible that the au- quired of the financial reporting framework, inquire of management
ditor performed ADA as a risk assessment procedure. In this case, the regarding the process for identifying and determining the accounting
auditor often uses traditional substantive tests to follow up on notable estimates, and inspect the outcome of the prior year’s accounting
items. The nature of the substantive test will depend on the assertion estimates. During risk response, auditors inspect events occurring
being tested. The auditor might also use ADA to follow up on a spe- after year-end that may provide more information about accounting
cific fraud risk and ADA may be effective at identifying if it is likely estimates made at year-end, recalculate estimates, and inquire
that fraud has occurred. Finally, the auditor may use ADA as a sub- about management’s methods and assumptions used to prepare the
stantive test. In this case, the auditor is using electronic information estimate.
to identify transactions or balances that are misstated.
7  Describe how auditors document the results of sub-
4  Explain and analyze factors that impact the timing of stantive procedures.
substantive procedures at the assertion level.
All substantive audit procedures performed are documented in the
Some substantive procedures can be performed at interim. Illustra- working papers. The documentation should include the objective of
tion 9.5 lists factors that impact the decision to perform substantive the test, the substantive procedure performed, what items were se-
procedures at an interim date. When substantive procedures are per- lected for testing, and the results of the testing. Auditors document
formed during an interim period, auditors perform roll-forward pro- and accumulate the misstatements identified during the audit. When
cedures to update their audit findings from the time of the interim auditors identify misstatements they did not expect, they will recon-
procedures through to year-end. Some substantive procedures can sider their audit strategy and audit plan, and determine if the nature,
only be performed at year-end due to the nature of the assertion or the timing, or extent of substantive procedures need to be modified.

Key Terms Review


Accounting estimate
Analytical procedures
Confirmation bias
Dual-purpose test
Estimation uncertainty
Management bias
Misstatement
Relevant assertions
Roll-forward procedures
Significant risk
Substantive procedures

Audit Decision-Making Example

Background Information
Your client, Iberville Corp, is a publicly traded company that has been operating for over 100 years.
Iberville manufactures handheld tools such as hammers and screwdrivers. Iberville offers a defined
benefit (pension) plan for its employees. Full vesting in the plan begins after 15 years of service.
Iberville has an excellent reputation as a great place to work, so employee turnover is low. Many
employees spend their entire career at Iberville and have over 30 years vested in the pension plan. For
the last decade, Iberville’s board of directors has been concerned about the growing underfunded status
of the pension plan. About one-quarter of Iberville’s employees are from the baby boom generation and
will be retiring over the next two to seven years, so the board is concerned about the viability of the
pension plan to keep up with retiree benefit payments.
Iberville has always used one external actuary to assist with estimates related to the pension plan.
For the current year under audit, the CFO hired three different actuaries and requested a report from
each one regarding any necessary adjustments to the pension benefit obligation (PBO liability). Two of
the actuaries recommended a material increase to the PBO liability primarily due to increased life
spans of future retirees. One of the actuaries recommended a slight decrease to the PBO liability
primarily due to the trend of younger workers switching jobs more frequently during their careers. Near
the end of the year in early December, upper management held a meeting and reviewed the three actuary
reports. Upper management decided to use the estimate that recommended a slight decrease to the PBO
liability. Upper management has not yet reported this information to the board of directors, but plans
to do so at the upcoming board meeting in January.

Identify the Audit Issue
The issue is whether the PBO liability is complete and valued appropriately.

Gather Information and Evidence
Important information includes:
•  Management is under pressure regarding a growing underfunded pension liability.
•  It is common practice for a company to use an outside actuary to assist with determining an
appropriate value for the PBO liability. However, this is the first time that Iberville has sought
input from three different actuaries in the same year.
•  It is not unusual for different actuaries to report different estimates; however, the estimates
should be fairly consistent. Your audit team should gather evidence about the objectivity and competence
of the three actuaries and carefully review the reports provided by each one.
•  Estimating future pension liabilities carries a higher level of estimation uncertainty than routine
estimates such as estimating the allowance for doubtful accounts.

Analysis and Evaluation of Alternatives
Analysis of risk and alternatives:
•  Risk of material misstatement is high or maximum for the completeness and valuation and allocation
assertions for the PBO liability.
•  Management bias is most likely affecting management’s decision in the selection of the estimate that
lowers the PBO liability rather than selecting an estimate that increases the PBO liability. Management
is under pressure to keep the underfunded status of the pension plan from growing.
•  Since two out of the three actuaries recommended an increase to the PBO liability, it seems that
increasing the PBO is the more conservative approach.

Audit Conclusion
Your team should inquire of management about the process it used for selecting the estimate and
thoroughly document management’s response in the audit working papers. You recommend to management that
using one of the estimates that increases the PBO liability is more in alignment with the principle of
conservatism and with the applicable financial reporting framework. If management does not act upon
your recommendation, your team should discuss the situation with the audit committee of the board of
directors.

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1.  (LO 1)  Designing substantive procedures responds to:
a.  the risk of material misstatement at the entity level.
b.  the risk of material misstatement at the assertion level.
c.  the risk of all types of misstatements at the assertion level.
d.  the risk of all types of misstatements at the entity level.

2.  (LO 1)  Which assertion is typically related to income statement accounts rather than balance sheet
accounts or presentation and disclosure?
a.  Completeness.
b.  Accuracy.
c.  Rights and obligations.
d.  Cutoff.

3.  (LO 2)  Which of the following would be the most likely reason to include more unpredictability in
the selection and performance of audit procedures?
a.  Client has a strong internal control environment.
b.  Client was not audited in the previous year.
c.  There is heightened risk of fraud.
d.  Unpredictability provides the audit team with more variety.

4.  (LO 3)  The nature of an audit procedure refers to:
a.  when the procedure is performed.
b.  the assessed level of detection risk.
c.  the sample size required to perform the procedure.
d.  its purpose and its type.

5.  (LO 3)  All of the following are initial procedures performed on an account balance except:
a.  agreeing the opening balance to the audited ending balance from the prior year’s working papers.
b.  footing a trial balance for mathematical accuracy.
c.  vouching items from the trial balance to supporting documentation.
d.  scanning account details for unusual items.

6.  (LO 3)  Analytical procedures:
a.  are required during the planning and substantive testing phases of the audit.
b.  are substantive procedures and cannot be used at any other stage of the audit.
c.  are used to test controls and are not substantive procedures.
d.  can be used as substantive tests but cannot be used as primary tests of a balance.

7.  (LO 3)  Which of the following situations increases the reliability of data being used for
substantive analytical procedures?
a.  The source of the data is the client’s internal budget reports.
b.  During the prior-year audit, the data was subjected to audit testing.
c.  Controls over the data have not been tested.
d.  Broad industry averages will be used in comparison with the client’s data.

8.  (LO 3)  When analyzing the results of substantive procedures, auditors should beware of:
a.  professional skepticism.
b.  audit engagement deadlines.
c.  confirmation bias.
d.  weak internal controls.

9.  (LO 4)  Which of the following situations would most likely preclude an auditor from performing
substantive procedures during an interim period?
a.  Internal controls are weak and the risk of material misstatement is high.
b.  Internal controls are weak and the risk of material misstatement is low.
c.  Internal controls are strong and the risk of material misstatement is high.
d.  Internal controls are strong and the risk of material misstatement is low.

10.  (LO 5)  Which of the following would not be a reason to increase the extent of a substantive test?
a.  The risk of material misstatement is high.
b.  Qualitative factors suggest there may be errors in the account.
c.  Internal controls are weak.
d.  Auditors have time to test more items.

11.  (LO 6)  Which of the following characteristics of an accounting estimate would lead to lower
estimation uncertainty?
a.  Estimate is related to routine transactions.
b.  Estimate is derived from a model developed by the client.
c.  Estimate is related to complex transactions.
d.  Estimate involves assumptions that cannot be observed in a public market.

12.  (LO 6)  Which of the following can be used as both a risk assessment procedure and a substantive
procedure for the audit of accounting estimates?
a.  Gain an understanding of what is required by the applicable financial reporting framework.
b.  Inquire of management about the methods and assumptions used in developing the estimate.
c.  Inspect documentation for proper approval of the accounting estimate.
d.  Inspect events happening after year-end and up to the date of the auditor’s report.

13.  (LO 7)  The auditor’s best estimate of the misstatement in a population based on the misstatement
found in a sample drawn from the population is called a:
a.  factual misstatement.
b.  judgmental misstatement.
c.  confirmation misstatement.
d.  projected misstatement.

Review Questions
R9.1  (LO 1)  Explain how the nature of a substantive test could affect the decisions about when and how
much substantive testing is performed. How do these decisions relate to the overall risk assessment for
the item being tested?
R9.2  (LO 2)  Differentiate risk response at the financial statement level with risk response at the
assertion level.
R9.3  (LO 3)  What are substantive procedures designed to obtain evidence about? What are the main types
of substantive procedures?
R9.4  (LO 3)  Using the inventory trial balance as an example, explain the initial procedures that will
be performed.
R9.5  (LO 3)  What are analytical procedures? Describe how they can be used as substantive procedures in
an audit.
R9.6  (LO 3)  Why is it important to consider the quality of the data used in analytical procedures? How
important to this question are client controls over financial data?
R9.7  (LO 3)  Develop an example of the type of substantive test an auditor might use to investigate
notable items when ADA is performed as a risk assessment procedure.
R9.8  (LO 3)  Does using audit data analytics remove the need to test the client’s internal controls?
R9.9  (LO 3)  What is confirmation bias? How can auditors minimize it?
R9.10  (LO 4)  When is it appropriate to use roll-forward procedures?
R9.11  (LO 5)  Using the inventory trial balance as an example, explain different techniques for
selecting a sample of items for testing. What are the advantages and disadvantages of each technique?
R9.12  (LO 6)  Using the allowance for doubtful accounts as an example, briefly explain the risk
assessment procedures that would be performed on the accounting estimate.
R9.13  (LO 7)  Provide an example of (1) a factual misstatement and (2) a judgmental misstatement that
could affect the balance of property, plant, and equipment.

Analysis Problems
AP9.1  (LO 1)  Basic   Public Company   Designing substantive procedures  Carla has been
asked to join the team responsible for designing the audit program for a new client, Gaskin Industries
Inc. (Gaskin), a manufacturing and wholesaling firm. Gaskin recently went public and is now listed on
the New York Stock Exchange. Carla has worked for the audit firm for a year and received a very high
performance rating from her supervisors on last year’s audit of Bryson LLP (Bryson), a private firm that
provides marketing and other consulting services. Gaskin and Bryson have total revenue of approxi-
mately the same amount, so Carla feels confident she can apply her knowledge to the new audit. She
takes a copy of the audit program for Bryson along to the first meeting, intending to suggest they use it
as the basis for the audit program for Gaskin. Carla thinks the Gaskin audit program could use the same
substantive procedures that were used on the Bryson audit.

Required
Discuss the problems with Carla’s idea of using Bryson’s audit program as a basis for designing substan-
tive procedures for Gaskin.

AP9.2  (LO 1)  Basic   Sales invoices and journal  James and Katie will be auditing the revenue ac-
count for their retail client, Go Big Tires. They disagree about how to test the occurrence assertion for the
revenue account. James thinks they should use Procedure A, while Katie thinks Procedure B is appropriate.
A. Select a sample of sales from the sales journal and agree the details in the journal to the invoices sent
to customers, shipping documents, and customer orders.
B. Select a sample of invoices sent to customers, shipping documents, and customer orders and agree
to the details recorded in the sales journal.

Required
Who do you agree with, James or Katie, and why? Which assertion does the other procedure provide
evidence about?

AP9.3  (LO 3)  Moderate   Payroll testing  Anna has the task of designing the audit program for the
payroll area. There have been no recent changes to the payroll system or to its interface with the general
ledger. Among other tests, Anna is considering using the following substantive analytical procedures to
gather evidence:

  1. Compare payroll tax expenses (such as state and federal unemployment taxes) to the annual payroll
multiplied by the statutory tax rates.
  2. Compare the relationship between direct labor costs and number of employees with prior periods.

Required
Evaluate the persuasiveness of the evidence obtained from each substantive analytical procedure.

AP9.4  (LO 1, 2, 3)  Moderate   Data for substantive analytical procedures  North West Paper Inc.
(North West) provides cardboard, paper, and plastic packaging materials to a large number of manufac-
turers and distributors in all states. The cardboard and paper division is a well-established business, but
North West has been providing plastic products only since its takeover of Plastic Products Inc. 18 months
ago. The takeover doubled North West’s revenue and caused changes in its management structure, add-
ing another two divisional managers. These new divisional managers are in charge of plastic product
sales to different areas of the country, Plastic (Eastern) and Plastic (Western), and they join the Paper
(Eastern) and Paper (Western) division managers in reporting directly to the CEO.
All internal operating reports are now structured along the four divisional reporting lines, al-
though external financial statements continue to be produced for the whole business. All purchasing
and billing systems are fully integrated, although it is possible to extract data along divisional lines,
and by state (as before). North West purchases bulk supplies of raw plastic and paper and makes boxes,
rolls, and sheets of these materials to fill customer orders. Production processes in the paper divisions
have not changed, and North West has made minimal changes to the production processes used by
Plastic Products Inc.

Required
a. Identify the inherent risks at the financial statement level caused by the takeover of Plastic Products
Inc. What procedures could the auditors take to respond to risk at the financial statement level?
b. Discuss the factors that would increase or decrease the reliability of data used in substantive analyt-
ical procedures at North West.

AP9.5  (LO 3, 4)  Challenging   ADA   Persuasiveness of evidence from substantive analytical
procedures  Iman has the task of reviewing the evidence from substantive analytical procedures con-
ducted by the audit associates on the audit of Smalley Services Inc. The audit associates have reported the
results of these substantive analytical procedures:
  1. Comparison of depreciation expense with the closing balance of each depreciable asset class in prop-
erty, plant, and equipment.
  2. Recalculation of sales commission expenses using the standard sales commission rate and total sales.
  3. Comparison of payroll expense with previous year payroll.

Required
a. If you were Iman, what review comments/questions would you have for each procedure? Comment
on the persuasiveness of evidence provided by each one.
b. For each item, describe one test of details that would provide additional evidence.
c. For each item, discuss how ADA could be used as a risk assessment procedure or as a substantive
test. Explain the evidence used to support an audit conclusion.

AP9.6  (LO 3, 5)  Moderate   ADA   Tests of details  Marty has to audit the sales transactions of
Okawa Inc. Okawa supplies tools to the mining industry and carries a large number of different makes
and models of standard mining tools. Okawa also designs and manufactures tools for special purposes
and for miners operating in difficult conditions. The custom-designed tools are made only on the signing
of a contract and receipt of a deposit, whereas standard tools are supplied to regular customers on receipt
of a phone or email order. Okawa’s sales transactions vary from a few dollars to millions of dollars de-
pending on the number of items sold, whether the individual items are large or small tools, and whether
the tools are standard items or custom designed.
Marty is instructed to gather evidence about the sales transactions using sampling and vouching.
This is explained in detail in the audit program.

Required
a. Explain how Marty would select a sample of sales transactions as well as vouch the sales transactions.
What primary assertion is Marty testing with the vouching procedure?
b. How could Marty use ADA as a substantive procedure? (You may want to refer to Illustration 7.8 to
help formulate your response.)

AP9.7  (LO 1, 3, 4, 5)  Challenging   Timing of substantive tests  Connie is the recently appointed
engagement partner of the audit of Camel Inc. Connie has just taken over the audit from Mathew Pate, a
partner who will be retiring soon. Mathew had a small portfolio of clients and completed most substan-
tive testing for Camel at year-end. Connie is unable to do this because she is facing difficulties with two of
her other large clients. These clients have just been advised that their financing arrangements with banks
may not be renewed, raising doubts about their ability to continue as going concerns. The banks will
make their financing decisions very close to the clients’ year-end, forcing Connie to spend considerable
time in this period with these clients.
The financing problems at Connie’s existing clients have created demands on Connie’s audit
team that she must resolve. The accounting firm cannot provide her with the additional staff she has
requested for the year-end period because several other partners’ clients are also facing financing
difficulties.
It is too late to find new partners for any of her other clients, so Connie must find a way to con-
tinue with the audit and still meet all professional standards. So far, the audit team has conducted the
preliminary risk assessment for Camel and early control testing results confirm that Camel has excellent
controls.
Connie calls a meeting with her senior audit team members to discuss the issue.

Required
Explain how Connie could vary the timing of the substantive testing at Camel to help her meet her audit
obligations. Specifically:
a.  Propose different substantive procedures that could be performed prior to year-end.
b.  Discuss how Connie will use roll-forward procedures to complete the audit.
c.  Explain any other considerations that would affect the timing of substantive procedures for Camel.

AP9.8  (LO 4, 5)  Challenging   Selecting customers for substantive testing  Crescent City Fun
Park (Crescent City), an amusement park with thrilling rides and a water park, sells tickets onsite and
has a website that allows customers to purchase tickets in advance and bypass the long lines. Customers
who use the website include the general public and travel agents. Both individuals and travel agents can
purchase tickets online using a major credit card. Some travel agents prefer the option of using the web-
site to purchase tickets, but rather than pay with a credit card, be billed at the end of each month. To use
the billing option, a travel agent must contact a sales agent with Crescent City and complete a detailed
application with at least two references. Once an application is complete, the sales manager verifies the
information, contacts the references, and either approves or denies the application. If the application is
approved, the sales manager decides on a credit limit for the travel agent. Terms of payment for all travel
agent customers are 30 days from the invoice date.
The auditor performs tests of controls on the credit-granting process and gathers sufficient appro-
priate audit evidence to conclude that the process is working effectively. Credit is only granted after a
thorough credit check. However, Crescent City has continual problems collecting from the larger travel
agents within the 30-day period. Some of the largest travel agents regularly take 90 or more days to pay
an invoice. Crescent City allows this late payment habit to continue simply because of the volume of
business generated by the large travel agents. Crescent City has 398 travel agents as customers, with 42 of
them representing 81% of accounts receivable.

Required
a.  Recommend which customers should be selected for further testing and why.
b.  Explain when the testing of accounts receivable would take place and why.

AP9.9  (LO 6)  Moderate   Auditing accounting estimates  Crescent City Fun Park (Crescent City),
an amusement park with thrilling rides and a water park, sells tickets onsite and has a website that allows
customers to purchase tickets in advance and bypass the long lines. Customers who use the website in-
clude the general public and travel agents. Both individuals and travel agents can purchase tickets online
using a major credit card. Some travel agents prefer the option of using the website to purchase tickets,
but rather than pay with a credit card, be billed at the end of each month. To use the billing option, a
travel agent must contact a sales agent with Crescent City and complete a detailed application with at
least two references. Once an application is complete, the sales manager verifies the information, con-
tacts the references, and either approves or denies the application. If the application is approved, the sales
manager decides on a credit limit for the travel agent. Terms of payment for all travel agent customers are
30 days from the invoice date.
The auditor performs tests of controls on the credit-granting process and gathers sufficient appro-
priate audit evidence to conclude that the process is working effectively. Credit is only granted after a
thorough credit check. However, Crescent City has continual problems collecting from the larger travel
agents within the 30-day period. Some of the largest travel agents regularly take 90 or more days to pay
an invoice. Crescent City allows this late payment habit to continue simply because of the volume of
business generated by the large travel agents. Crescent City has 398 travel agents as customers, with 42 of
them representing 81% of accounts receivable.
Accounts receivable for the theme park consists of balances from travel agents only, not individual
customers. The accounts receivable (A/R) manager estimates bad debt expense and the allowance for
doubtful accounts each quarter, and then performs a final evaluation for the year-end financial state-
ments. The A/R manager submits the estimates to the controller for approval.

Required
a.  Compile a list of questions you would ask the A/R manager and controller during risk assessment to
gain an understanding of the process for estimating bad debt expense and the allowance for doubtful
accounts.
b.  What specific substantive procedures would you perform at interim and/or year-end on the bad debt
expense and allowance estimates?
c.  Evaluate the level of estimation uncertainty that is associated with this estimate. What factors im-
pact your assessment of estimation uncertainty?

AP9.10  (LO 6, 7)  Moderate   Evaluating substantive testing results  The following items are doc-
umented in the working papers:

  1. A sales transaction is included in the year ended December 2022, but evidence from the cutoff pro-
cedure suggests the sale should be dated January 1, 2023 ($1,250,000).
  2. At December 31, 2021, the balance of the Liability for Warranty Claims account was $100,000 (credit
balance). During 2022, $150,000 of warranty claims was processed. Inspection of correspondence
suggests that an additional $200,000 in warranty claims could result from ongoing disputes with
customers. No adjustment for these claims has been made. Management has booked a warranty
liability accrual at the end of December 2022 of $120,000.
  3. Restructuring expenses related to reorganization of head office administration were incorrectly
charged to rental expenses ($578,920).
  4. No expense for impairment of assets has been made by management. A drought-induced recession
has adversely impacted property values in regional cities where seven branch offices are located
(head office and two branch offices are located in the capital city). Total land and buildings in the
trial balance is $5,500,000.

Required
Evaluate each item and explain whether it is a factual misstatement or a judgmental misstatement.
Which accounts would be affected, and how, if an adjustment is made for each item?

AP9.11  (LO 1, 6, 7)  Moderate   Public Company   Research   PCAOB inspections  The PCAOB
staff prepares documents called Staff Inspection Briefs. The purpose of the briefs is to help auditors, audit
committees, investors, and preparers to understand the PCAOB inspection process and its results. Each
year, one of the briefs provides information about that year’s inspections of registered audit firms and their
audits of issuers. For example, for 2017, there is a brief entitled, “Staff Inspection Brief, Vol. 2017/3: Infor-
mation about 2017 Inspections (August 2017).” Go to the PCAOB website (www.pcaobus.org). In the top
menu, hover over Inspections and click on Staff Inspection Briefs to go to the Staff Inspection Briefs page.
For the most current year presented, select the brief that provides information about that year’s inspections.

Required
Read the brief and answer the following questions.
a.  How many firms was the PCAOB planning to inspect during the year? Does the brief provide any
descriptive characteristics of the firms being selected?
b.  What were the key areas of inspection focus for the year? For those related to substantive proce-
dures, documentation, or auditing accounting estimates, briefly summarize the PCAOB’s findings.

Audit Decision Cases


Mobile Security Inc.
Question C9.1 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s prod-
ucts are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military prod-
uct designs, both the facilities and records of MSI must be highly secured.

MSI is known as being an innovator in the industry and holds 25 patents on its products. One
of its older patents is for the Covert Recorder, a listening device for land-line phones. Sales of the
Covert Recorder have slowly declined in the last decade, primarily due to increased use of smart
phones and other advances in technology. For the last few years, management has debated whether
the patent, which currently has a carrying value of $500,000, should be impaired. Management
conducted an analysis by estimating the future cash flows that will be generated from sales of
the Covert Recorder. Based on the analysis, management believes an impairment loss of $400,000
should be recorded and the patent balance written down for the current year.

C9.1  (LO 6)  Challenging   Public Company   Auditing accounting estimates


a.  Information gathering: Prepare a list of questions that the auditors would ask MSI managers regard-
ing how the impairment loss was determined.
b.  Analysis and evaluation: Comment on the level of estimation uncertainty that is involved with deter-
mining if the patent is impaired. What factors in this case affect estimation uncertainty?
c.  Analysis and evaluation: Explain the role of management bias in situations such as the impairment
issue with the patent.
d.  Analysis and evaluation: What substantive audit procedures should be performed for the audit of the
Covert Recorder patent balance?

Brookwood Pines Hospital


Question C9.2 is based on the following case.

Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across
Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital, a private, not-
for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit field
work for the June 30, 2023, fiscal year-end.
When doctors and other medical personnel provide services to patients, they record the procedures
performed in the patient’s medical chart using a code. The codes are standardized across the healthcare
industry and consist of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more effi-
cient and data friendly compared to writing a narrative about the procedures performed.
The doctors and nurses that staff the emergency room department are all employees of BPH. They
are not contracted to use hospital facilities like specialty doctors. In September 2022, a nurse from the
emergency room unit reported to the accounting department that she suspected two doctors were “up-
coding.” Upcoding is a fraud that occurs when medical providers use codes for more complex procedures
than those that were actually performed. The result is the patient and/or patient’s insurance are charged
for the more complex and more expensive procedures. The hospital performed an internal investigation
and discovered that the doctors were upcoding. The two doctors were fired in early October 2022.

C9.2  (LO 1, 3, 4, 5)  Challenging   ADA   Planning substantive tests


a.  Information gathering: Describe how you would gather information about the incidence of upcoding
that occurred at the hospital.
b.  Analysis: Identify two key account balances likely to be affected by the upcoding fraud and identify
the key assertions most at risk for those account balances.
c.  Evaluation: Evaluate how the upcoding fraud impacts the nature, timing, and extent of substantive
procedures for the key account balances impacted by the fraud.
d.  Analysis: Formulate a plan for how ADA could be used as a substantive procedure for the key ac-
count balances impacted by the fraud.

Cloud 9 - Continuing Case


Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required
a.  Based on your conclusions from the case study questions in previous chapters (particularly Chapters 3, 4, and 8), complete the following worksheet to determine the risk of material misstatement (RMM) and the acceptable detection risk (DR).

| Account Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement | Detection Risk |
|---|---|---|---|---|
| Sales—occurrence | | | | |
| Sales—completeness | | | | |
| Trade receivables—existence | | | | |
| Trade receivables—completeness | | | | |
| Cash—existence | | | | |
| Cash—completeness | | | | |

b.  Scan the line items on the prior-year financial statements and the current-year trial balance for Cloud 9. Using your knowledge of financial accounting, identify line items that require estimates or fair value measurements. For each item, state whether estimation uncertainty is low or high and briefly explain why.

Chapter 10
Risk Response
Evaluating Audit Data Analytics and
Audit Sampling for Substantive Tests

The Audit Process

[Figure: flowchart of the audit process]
•  Overview of Audit and Assurance (Chapter 1)
•  Professionalism and Professional Responsibilities (Chapter 2)
•  Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
•  Gaining an Understanding of the System of Internal Control (Chapter 6)
•  Develop Responses to Risk and an Audit Strategy: Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10)
•  Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
•  Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives

LO 1  Evaluate when to use audit data analytics versus audit sampling.
LO 2  Define audit sampling and explain how audit sampling is applied for substantive tests.
LO 3  Differentiate between sampling and nonsampling risk.
LO 4  Differentiate between statistical and nonstatistical sampling.
LO 5  Explain various sampling methods available to auditors.
LO 6  Determine how sample size for substantive testing is influenced by various factors.
LO 7  Explain a basic framework for selecting and evaluating an audit sample for substantive testing.
LO 8  Apply probability-proportionate-to-size sampling for a substantive test to draw an audit conclusion.
LO 9  Apply nonstatistical sampling for a substantive test to draw an audit conclusion.
LO 10*  Apply classical variables sampling for a substantive test to draw an audit conclusion.

Auditing and Assurance Standards

PCAOB: AS 2315  Audit Sampling
Auditing Standards Board: AU-C 530  Audit Sampling

Cloud 9 - Continuing Case


Ian Harper (first-year audit staff) asks Suzie Pickering (experienced audit staff) to coffee. He wants her to explain how to plan audit tests and write a detailed audit program, including instructions on when to use audit data analytics versus audit sampling, how to select a sample for a substantive test, and when the results of one audit test will influence the work on other audit tests. It all seems a bit circular to him and he is finding it difficult to grasp.
Suzie meets Ian that afternoon in the staff room. “The types of tests we do, tests of controls and substantive tests, and when and how we do them, depends on the quality of the client’s system of internal control and accounting records. However, before we talk about that, we probably should talk about when we use audit data analytics versus audit sampling, and how we take samples. Do you have a feel for when we use audit data analytics versus audit sampling?” Ian is not sure.

Chapter Preview: Audit Process in Focus


The purpose of this chapter is twofold. First, the chapter reviews the discussion in Chapter 7
regarding audit data analytics (ADA) and then explores the question of when to use ADA
versus audit sampling. Second, the chapter explains how to apply audit sampling for substantive
testing. Recall that audit sampling for tests of controls was covered in Chapter 8.
In this chapter, we begin with a discussion of choosing between ADA and audit sam-
pling. We then explore the issues associated with the uncertainty that occurs any time the
auditor audits less than 100% of the population. This discussion also explains the concepts
of sampling risk and nonsampling risk, and provides a framework for applying a sampling
plan for a substantive test. We then review the factors and professional judgments that the
auditor should consider when making decisions about sample size when performing a sub-
stantive test.

The remainder of the chapter focuses on two types of audit sampling for substantive tests:
statistical probability-proportionate-to-size sampling and nonstatistical sampling. The appendix
to this chapter discusses a third type, applying classical variables sampling for substantive tests.

Using Audit Data Analytics versus Audit Sampling


LEARNING OBJECTIVE 1
Evaluate when to use audit data analytics versus audit sampling.

When to Use Audit Data Analytics


An important audit planning question involves determining whether the auditor plans to use
ADA or audit sampling to evaluate an audit population. As discussed in Chapter 7, the auditor
is most likely to use ADA when:

•  Data is available that is relevant to an audit assertion of interest, whether as a risk assess-
ment procedure or a substantive test.
•  The available data is reliable and comes from a strong system of internal controls.
•  The available data is relatively clean and does not require significant work to make it usable.
•  ADA appears to be more effective or more efficient than using traditional audit tests.

Recall from Chapter 7 that when the auditor uses ADA as a risk assessment procedure
and the auditor identifies high-risk items, the auditor’s response may include applying a dif-
ferent ADA or another procedure that might more clearly identify those items that represent
a misstatement. The auditor often is sorting, screening, and analyzing the entire population
rather than performing traditional auditing procedures such as vouching, tracing, or confirm-
ing each item in the entire population.
For example, when auditing a construction company, the auditor might use ADA to deter-
mine the gross margin on each construction contract, including work in progress, and identify
contracts with unusually large or small gross margins for further investigation. Traditional
vouching or tracing might be used to further investigate construction contracts that are at
a high risk of material misstatement. Alternatively, the auditor might use ADA to identify
customers with a weak payment history when evaluating the allowance for doubtful accounts.
For example, an auditor might use ADA to screen every customer, looking for customers with
both past-due accounts and a deteriorating payment history. The auditor will audit these specific
customers in more detail to determine if the allowance for doubtful accounts is adequate.
A common characteristic of each of these applications is that the auditor has reliable
client data and the audit population is large. In addition, the auditor has a good understand-
ing of the underlying business processes, and the auditor uses that business knowledge to
evaluate an expected relationship or to look for a specific attribute within the population that
represents something that is unusual and of audit interest. ADA that might be used for one
client may not necessarily apply to another client because of the differences in business models
and processes. As a result, ADA is often customized to an audit situation. However, given that
auditors often develop specializations in certain industries, an audit firm may develop certain
ADA that might be used with many audit clients within a given industry.

When to Use Audit Sampling


The choice of using audit sampling or ADA is often a matter of what is most effective and ef-
ficient in determining whether an assertion is presented fairly, in all material respects. There
are several situations where using audit sampling is the clear choice. First, the auditor will
usually use audit sampling when certain audit procedures are required by professional standards.
Current professional standards normally require that the auditor physically inspect inventory to
determine that inventory recorded in the accounting records actually exists. Current professional
standards also recommend that the auditor confirms receivables. In these cases, the auditor will
select a sample of inventory to observe, or a sample of customers to send confirmations to.
Second, the auditor is more likely to use audit sampling when internal controls are weak
(as discussed in Chapters 6, 7, and 8) and reliable data does not exist to support ADA. An under-
lying requirement of ADA is that the client’s data is reliable. Client data is most reliable when
internal controls are strong. However, when internal controls are weak, the auditor will often
validate the client’s records by reference to reliable information, such as vouching a transaction
to a vendor’s invoice, or vouching a sale to underlying shipping documents.
Third, the auditor will need to have data that is relevant to the audit test. For example,
when auditing cost of goods sold, an audit client may have perpetual inventory information
for quantities of inventory, but not for the value of each item sold because the client calculates
cost of goods sold using a periodic inventory method. This will limit the audit questions that
might be answered using ADA.
Finally, the use of audit sampling may be a function of the efficiency and effectiveness of the
audit procedure. For example, when testing internal controls related to bank reconciliations, it
might be most effective to reperform the control on a sample basis. Further, some audit popula-
tions are also relatively small and easy to audit. For example, an audit client may have relatively
few notes payable, and confirming notes payable is an effective and efficient way to determine
the amount of notes payable that should be reported on the balance sheet. In contrast, a public
utility may have a very large population of small accounts receivable from consumers who are
unlikely to respond to a confirmation. These customers often pay their bills in full on a monthly
basis. Therefore, rather than sending a confirmation to a consumer, ADA might be a more
effective procedure to evaluate the appropriateness of revenue recognized by correlating billings
with subsequent cash receipts. In many cases, the choice of using audit sampling is a matter of
determining which audit procedure will be most effective and efficient in the circumstances.
Illustration 10.1 summarizes the settings in which the auditor might choose to use ADA
or to use audit sampling.

ILLUSTRATION 10.1   Factors that influence the choice of ADA versus audit sampling

| Situations When the Auditor Is Likely to Use ADA | Situations When the Auditor Is Likely to Use Audit Sampling |
|---|---|
| Evidence to support the audit test is available in electronic form. | Evidence to support the audit test is not available in electronic form (e.g., observing the existence of inventory). |
| The audit population is large, and the auditor’s tests are supported by reliable and relevant data in electronic form, making ADA efficient. | The audit population is small and can efficiently be tested using traditional audit procedures. |
| Relevant data is reliable and internal controls over the reliability of data are strong. | Relevant data is not reliable and internal controls over the reliability of data are weak. |
| Relevant data is clean or can be cleaned up easily. | Relevant data may be in different formats and is not easy to use. |

However, it is not always a choice of using ADA or audit sampling. In some cases, the auditor may use both audit techniques. For example, the auditor may use ADA to identify abnormal transactions or balances in a particular data set and then perform audit procedures on 100% of the abnormal transactions or balances. In addition, the auditor may draw a sample from the transactions or balances that fall in the normal range and perform audit procedures on the sample.
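
The combined approach in the preceding paragraph can be worked through on the construction-contract gross margin screen described earlier in this section. This is an added example, not part of the textbook: the contract data are constructed, and the outlier rule (Tukey fences at 1.5 times the interquartile range), the sample size of 4, and the seed are assumptions chosen for illustration. How to determine the sample size is not shown here.

```python
import random
import statistics

# Constructed sample data (not from the text): (contract id, revenue, cost to date).
CONTRACTS = [
    ("C01", 1_000_000, 800_000),
    ("C02", 500_000, 395_000),
    ("C03", 750_000, 600_000),
    ("C04", 1_200_000, 948_000),
    ("C05", 300_000, 243_000),
    ("C06", 900_000, 405_000),   # margin 0.55: unusually large
    ("C07", 650_000, 507_000),
    ("C08", 400_000, 440_000),   # margin -0.10: unusually small
    ("C09", 850_000, 680_000),
    ("C10", 1_100_000, 858_000),
    ("C11", 600_000, 486_000),
    ("C12", 950_000, 731_500),
]


def screen_population(contracts, k=1.5):
    """ADA step: look at 100% of the population and flag unusual gross margins.

    Assumption: "unusual" means outside the Tukey fences
    [Q1 - k*IQR, Q3 + k*IQR]. Contracts with no positive revenue have an
    undefined margin and are always flagged for investigation.
    Returns (abnormal_ids, normal_ids), both sorted.
    """
    margins, abnormal = {}, []
    for cid, revenue, cost in contracts:
        if revenue <= 0:
            abnormal.append(cid)
        else:
            margins[cid] = (revenue - cost) / revenue

    q1, _median, q3 = statistics.quantiles(margins.values(), n=4)
    iqr = q3 - q1
    low, high = q1 - k * iqr, q3 + k * iqr

    abnormal += [cid for cid, m in margins.items() if m < low or m > high]
    normal = [cid for cid in margins if cid not in abnormal]
    return sorted(abnormal), sorted(normal)


def build_test_plan(contracts, sample_size, seed):
    """Combine both techniques: test every abnormal item, sample the rest.

    The random sample is drawn only from items in the normal range, so no
    contract is selected twice. A fixed seed makes the selection reproducible
    for the audit documentation.
    """
    abnormal, normal = screen_population(contracts)
    if sample_size > len(normal):
        raise ValueError("sample size exceeds the normal-range population")
    rng = random.Random(seed)
    sampled = sorted(rng.sample(normal, sample_size))
    untested = [cid for cid in normal if cid not in sampled]
    return {"test_all": abnormal, "sample": sampled, "untested": untested}


if __name__ == "__main__":
    plan = build_test_plan(CONTRACTS, sample_size=4, seed=2023)
    print("Test 100% (abnormal margins):", plan["test_all"])
    print("Random sample from normal range:", plan["sample"])
    print("Not individually tested:", plan["untested"])
```

Because only a sample of the normal-range contracts is tested, the conclusion about that part of the population still carries sampling risk.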

Cloud 9 - Continuing Case


Suzie and Ian are discussing the use of ADA versus audit sampling. Suzie illustrates with a discussion of their audit of inventory. “Let me illustrate with a discussion of how we might audit two different assertions for inventory. When testing the existence assertion, professional standards require that we physically inspect inventory. We will focus on Cloud 9’s distribution centers, and we will select a sample of inventory at each distribution center. Electronic data is not available that proves the existence of inventory. In this case sampling is both appropriate and an effective audit technique to draw a conclusion about the existence of inventory.
On the other hand, we are thinking about using ADA to audit inventory obsolescence. Cloud 9 has a large amount of inventory. Most of it turns over pretty fast, but we need to be alert to slow-moving inventory. Cloud 9 has good data on inventory quantities sold and on hand for each location. ADA may be a way to investigate a large amount of inventory, to look at how much inventory is on hand for each item in inventory, and to see how fast each inventory item is being sold. This can be an effective way to identify slow-moving inventory or inventory with lower-of-cost-or-net-realizable-value problems.”

Before You Go On
1.1 Explain when ADA might be most efficient and effective, and illustrate with an example.
1.2 Explain when audit sampling might be most efficient and effective, and illustrate with an
example.

Audit Sampling Defined


LEARNING OBJECTIVE 2
Define audit sampling and explain how audit sampling is applied for substantive tests.

AS 2315 Audit Sampling and AU-C 530 Audit Sampling provide guidance on audit sampling.
When creating an audit program and designing audit procedures, an auditor also decides how
to select appropriate items for testing. When an audit procedure is tested on an entire group of
transactions (for example, all borrowing activities) or 100% of items within an account balance
(for example, all loan balances), sampling is not required. However, when there are numerous
transactions or items within an account balance, an auditor must decide how best to select a
sample that is representative of the entire population of items. Audit sampling occurs when an auditor selects less than 100% of a population (on a basis where the sample is representative of the population) that the auditor expects is likely to provide a reasonable basis for drawing a conclusion about an entire population. For example, an auditor might take a sample of inventory for the purpose of drawing a conclusion about the existence of all of the inventory recorded in the client’s accounting records.

audit sampling: the selection and evaluation of less than 100% of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population

In some cases, it is feasible to audit the entire population. This decision depends on the assertion and the evidence available to support the assertion. Sometimes, an audit population may be sufficiently small that the auditor can audit every item in the population. For example, a client may have a large balance of notes payable but with only a few banks. The auditor might audit the outstanding balance on each note payable as there are just a small number of banks, and it is easy to send confirmations to each bank holding a note payable. As a result, the auditor is able to draw a conclusion about the notes payable balance with certainty.
Alternatively, it may be more efficient to select a sample of receivables to confirm the
existence of receivables. Similarly, it may be more efficient to select a sample of inventory for
validating the existence of inventory. Whenever the auditor draws a conclusion about the entire
population (total accounts receivable) based on a sample (a selection of receivables from a limited
number of customers), there is some level of uncertainty about the auditor’s conclusion. The au-
ditor’s conclusion based on the sample may be different than the conclusion drawn if the auditor
had audited the entire population. This uncertainty is referred to as sampling risk and is discussed
in the following section.

Before You Go On
2.1 What is audit sampling?
2.2 When is it appropriate to use audit sampling?
2.3 How does audit sampling relate to audit risk?

Sampling Risk and Nonsampling Risk


LEARNING OBJECTIVE 3
Differentiate between sampling and nonsampling risk.

sampling risk: the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure

Sampling risk is the risk that the sample chosen by the auditor is not representative of the population of transactions or items within an account balance and, as a consequence, the auditor arrives at an inappropriate conclusion (AU-C 530, AS 2315). There are two consequences of sampling risk: (1) the risk that the audit will be ineffective (fail to find material misstatements) and (2) the risk that the audit will be inefficient (the auditor will do more audit work than is necessary).
When conducting substantive tests, sampling risk is the risk that an auditor concludes that
a material misstatement does not exist when it actually does, or an auditor concludes that a
material misstatement exists when it actually does not. Illustration 10.2 provides details of
sampling risk when conducting substantive tests and the implications of that risk for the audit.

ILLUSTRATION 10.2   Sampling risk when conducting substantive tests

| Sampling Risk | Implications for the Audit |
|---|---|
| Risk of incorrect acceptance. This is the risk that the auditor concludes, based on sample results, that a material misstatement does not exist when it does exist. | An increased audit risk (i.e., there is a risk that the audit will be ineffective). |
| Risk of incorrect rejection. This is the risk that the auditor concludes, based on sample results, that a material misstatement exists when it does not exist. | An increase in audit effort when not required (i.e., there is a risk that the audit will be inefficient). |

risk of incorrect acceptance: the risk that the auditor concludes that a material misstatement does not exist when it does

The risk of incorrect acceptance represents a situation where the auditor has conducted substantive procedures on a sample and concluded that there is no material misstatement, when in fact there is a material misstatement. As a consequence, the auditor will conclude that an assertion is presented fairly in all material respects, when the assertion is actually materially
misstated (i.e., the audit is ineffective). For example, a client has warehouses in four major cities.
The auditor chose to select a sample of inventory items for testing from two warehouses near the
client’s corporate office and concluded that the client’s inventory balance is materially correct
based on that sample. The auditor did not test material inventory items held at the other two
warehouses. As a consequence, the auditor did not detect a significant error in valuing inventory
at one of the warehouses. If the auditor had selected a sample for testing from each warehouse,
the risk of arriving at an incorrect conclusion would have been reduced, though not eliminated.
The auditor uses the audit risk model and decisions about detection risk to determine the appro-
priate risk of incorrect acceptance when using audit sampling for substantive tests.

risk of incorrect rejection: the risk that the auditor concludes that a material misstatement exists when it does not

The risk of incorrect rejection represents a situation where the auditor has conducted substantive procedures on a sample and concluded that there is a material misstatement in an assertion, when in fact there is no material misstatement. This usually happens when the known misstatements in the sample are immaterial, but they project to a material amount of misstatements in the population. Often, the client will ask the auditor to conduct more
extensive testing as the client believes that material misstatements do not exist, and only
immaterial misstatements have been found in the sample. If the auditor expands audit testing
only to find that there is not a material misstatement, the audit is inefficient. For example, an
auditor may find a few misstatements when confirming receivables that project to a material
misstatement in receivables. As a consequence, the auditor increases the testing of receivables
to determine if additional misstatements exist. If the known misstatements are unique and
not repeated throughout the population, the audit will be inefficient due to the increased audit
work, but the auditor will eventually reach the correct conclusion about the audit population.
Once again, the more significant risk for the auditor is the risk of incorrect acceptance,
as this risk results in an ineffective audit. This important audit judgment is directly related to
decisions about detection risk in the audit risk model. The risk of incorrect acceptance is not
related to audit risk. Rather, the risk of incorrect acceptance should consider the auditor’s
assessment of inherent risk, control risk, and the assurance obtained from other substantive
tests. Therefore, the risk of incorrect acceptance for a substantive test is related to the auditor’s
determination of detection risk in the audit risk model.

nonsampling risk: the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk

Nonsampling risk is the risk that an auditor arrives at an inappropriate conclusion for a reason unrelated to sampling issues. One nonsampling risk is the risk that an auditor relies too heavily on less persuasive or unreliable evidence. For example, an auditor may rely too heavily on management representations through inquiry without gathering independent corroborating evidence. Another nonsampling risk is when an auditor spends most of his or her time testing assertions where the risk of material misstatement is modest, and ignores or spends insufficient time
testing assertions most at risk of material misstatement. For example, a client sells diamonds.
There is a significant risk that recorded inventory does not exist, yet the auditor spends more
time testing the completeness assertion. A third nonsampling risk occurs when the auditor uses
an inappropriate audit procedure or performs the procedure incorrectly. For example, an auditor
sends accounts receivable confirmations to 30 customers of the client. When three immaterial
customers fail to reply, the auditor concludes that the customers are immaterial and no further
work is required in relation to the accounts receivable confirmations. When a customer fails to
reply and the auditor is unable to obtain other evidence about the existence of the receivable,
the auditor must conclude that those customer balances are 100% misstatements and project the
misstatements on the remaining portion of the population. The fact that three customers did not
respond means that further testing for the existence of customer receivables may be warranted.
Nonsampling risk is typically controlled by a firm’s quality control procedures and the
review of audit work performed by a manager or partner on the audit team or an engagement
quality control reviewer.

Audit Reasoning Example  Nonsampling Risk


Carrie Paulson, an audit manager, works in a one-office CPA firm that has about 30 professional
staff. Carrie has been given the task of preparing a staff training session on audit sampling. Carrie
is talking with Patrick O’Hara (a partner and the office’s engagement quality control reviewer)
about common quality control issues. Carrie asks, “What are the most common problems you
see in our audit sampling applications?” Patrick responds, “To be frank, I see more problems
with nonsampling risk than anything else. Our staff members are pretty good about using audit
software to select and evaluate samples. The bigger problem involves staff who try to rationalize
internal control breakdowns or who do not recognize a misstatement. For example, staff might
take a sample of 45 and find one instance of a breakdown of internal control. They want to con-
clude that it is an isolated instance. This does not work. Staff need to assume the results of the
sample will happen proportionately in the unsampled portion of the population, as in their audit
sample. Also, sometimes staff don’t recognize a misstatement when it is actually part of the
evidence. For example, a staff member evaluated confirmation results and found a cutoff error.
The client found the error after the fact and corrected it, so the staff member assumed that it
was not a problem. However, as of the confirmation date the account balance was misstated,
even though it was subsequently corrected, and that misstatement needed to be projected on the
unsampled portion of the population. I would recommend that you spend significant time on the
potential for nonsampling risk with our staff and illustrate with examples like the ones I have just
explained. It would make my job as a quality reviewer a lot easier.”

Cloud 9 - Continuing Case


Ian and Suzie are talking about sampling risk. Ian is a bit disappointed. “I thought that if you took a random sample and did not find any misstatements, you could conclude that there was definitely no misstatement in the overall population. But you are saying that there is still a risk that the population is misstated.”
“That’s right,” says Suzie. “Unless you test every item in the population, you will still have a statistical chance of making the wrong conclusion simply because you took a sample. Also, if you take a sample in a way that is biased, it is difficult to conclude that the sample results say anything at all about the population. That’s why it is so important junior staff don’t just take the nearest, or most convenient, sample of items in inventory to test. Another big trap is that conditions may change during the accounting period when transactions are being tested. Perhaps a key member of the client’s staff is on leave. The auditor should select a sample from both times when that key member is present and when that key member is on leave. We know that Cloud 9 opened a new San Francisco store on the first of June. Obviously, inventory levels will be different around this time, so we have to plan to handle these different conditions with our sampling.”

Before You Go On
3.1 What is sampling risk?
3.2 How does sampling risk relate to substantive testing? Illustrate with an example related to
sales and accounts receivable.
3.3 What is nonsampling risk? Illustrate with an example related to sales and accounts receivable.

Statistical and Nonstatistical Sampling


LEARNING OBJECTIVE 4
Differentiate between statistical and nonstatistical sampling.

statistical sampling: an approach to sampling that involves a random selection of sample items
and the use of an appropriate statistical technique to determine sample size and evaluate the
sample results, including a measurement of sampling risk

According to AU-C 530, “statistical sampling is an approach to sampling that involves a random
selection of sample items and the use of an appropriate statistical technique to determine
sample size and evaluate sample results, including measurement of sampling risk.” As a result,
sample size is determined objectively, or quantitatively, using appropriate statistics. The
sample should be selected randomly, which is the auditor’s best estimate of a representative
sample. Finally, the sample results should be evaluated mathematically, using the appropriate
statistical technique (examples are provided later in the chapter). This evaluation includes
both an estimate of the audited value of the population (or the amount of misstatements in the
population) and an estimate of a statistical confidence interval associated with the estimate.
Any sample selection method that does not have these characteristics is not statistical
sampling, for example, an auditor using judgment alone to select a sample for testing. An
advantage of statistical sampling is that it allows an auditor to measure sampling risk. Using
statistical sampling also involves some modest cost and time to set up, select, and evaluate
the sample. However, this is often relatively easy to do with generalized audit software if the
client’s data is in electronic form. Using statistical sampling also requires learning the
statistical technique and professional judgments involved in planning and setting up the sample,
as well as in evaluating sample results.

nonstatistical sampling: involves any sample selection method and evaluation method that does
not have the characteristics of statistical sampling

Nonstatistical sampling involves any sample selection and evaluation method for which the
auditor does not use a formal statistical technique to select the sample or to evaluate the
sample results. In nonstatistical sampling, the auditor determines sample size and selection
methods and evaluates the sample results entirely on the basis of professional judgment and the
auditor’s own experience. The auditor cannot quantify sampling risk when using a nonstatistical
sampling technique. Nonstatistical sampling is considered easier to use than statistical
sampling, requires less staff training, and allows an auditor to select a sample he or she
believes is appropriate. Most audit firms use a combination of statistical and nonstatistical
sampling (discussed in the next section). In any case, the auditor should attempt to choose a
random sample, as that is the auditor’s best estimate of a sample that is representative of the
population. It is also important that the auditor understand how to use professional judgment to
estimate a confidence interval when evaluating sample results. This is discussed further in the
section “Applying Probability-Proportionate-to-Size Sampling for Substantive Testing.”

Before You Go On
4.1 What is statistical sampling? What are the specific characteristics of a statistical sample?
4.2 What is nonstatistical sampling? How does a nonstatistical sample differ from a statistical
sample?

Sampling Methods
LEARNING OBJECTIVE 5
Explain various sampling methods available to auditors.

population: the class of transactions or the account balance to be tested

sampling unit: a subset of the population that is the basis for sampling

An important aspect of selecting a sample involves determining the population and sampling
unit. When performing a substantive test, the population consists of the class of transactions
or the account balance to be tested. For each population, the auditor should decide whether all
the items should be included. For example, when auditing accounts receivable balances, accounts
receivable could be divided into four possible groups based on account balances in the accounts
receivable ledger: (1) all balances, (2) only debit balances, (3) only credit balances, and
(4) zero balances.
Alternatively, the auditor could break down an accounts receivable population into sampling
units. A sampling unit is a subset of a population that is the basis for sampling. Accounts
receivable could be broken down in two different ways. First, the auditor could define the
population as each customer account balance and the account balance would be the sampling unit.
Second, the auditor could define the population as each outstanding invoice and the unpaid
invoice from a customer would be the sampling unit. In some cases, it is easier for customers to
confirm individual invoices than the entire account balance outstanding. Ultimately, auditors
start with defining the population that they want to draw a conclusion about, and then they can
determine the appropriate sampling unit. Then auditors can move on to determine the method of
selecting the sampling units from the entire population. Different sampling techniques available
to the auditors include random selection, systematic selection, haphazard selection, and block
selection.

Random Selection
random selection: involves selecting a sample that is free from bias and for which each item in
a population has an equal chance of selection

As explained earlier, statistical sampling requires a sample be selected randomly and the
results of the test be evaluated using probability theory. Random selection requires that the
person selecting the sample does not influence the choice of items. For example, when inspecting
the contents of inventory in stacks of boxes, the auditor does not want to just select the top
item in each stack of boxes. This may be easy, but it is systematically biased, and it may not be
representative of the population. A random sample is free from bias and each item within the
population has an equal chance of being selected for testing. Random number generators can be
used to select a sample.

stratification: a process of dividing a population into groups of sampling units with similar
characteristics that are more homogeneous

Stratification can be used prior to random selection to improve audit efficiency. This means
that an auditor subdivides a population before sampling. Consider the example in Illustration
10.3. In this case, the auditor partitions the population of accounts receivable into three
groups: (1) all receivables with balances over $50,000, (2) receivables with balances between
$15,000 and $50,000, and (3) all receivables with balances less than $15,000. The auditor tests
all of the receivables over $50,000, selects a random sample of 15 items out of 110 in the
second stratum, and selects a random sample of 25 items out of 500 items in the third stratum.
Notice that no sampling is being used in stratum 1 because all items are being tested. The
auditor is only sampling out of strata 2 and 3 and can draw a conclusion about stratum 1 with
certainty. Also, stratum 2 and stratum 3 are more homogeneous than if the two strata were
combined. Finally, the auditor has audited 38% ($2,850,000 ÷ $7,500,000) of the dollars by
auditing 9.5% (60 ÷ 630) of the items in the population. This strategy might be particularly
effective if the auditor is concerned about the population being overstated.

ILLUSTRATION 10.3   Example stratified sample

| Stratum | Dollar Value of Receivables | Book Value (BV) of Stratum | % of Popn $ | Items in Popn (N) | % of N | BV of Sample Items | Sample Items (n) | % of $ Stratum Audited | % of Items Audited |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Greater than $50,000 | $2,000,000 | 26.7% | 20 | 3.2% | $2,000,000 | 20 | 100% | 100.0% |
| 2 | $15,000 to $50,000 | 3,000,000 | 40.0% | 110 | 17.5% | 600,000 | 15 | 20% | 13.6% |
| 3 | Less than $15,000 | 2,500,000 | 33.3% | 500 | 79.4% | 250,000 | 25 | 10% | 5.0% |
| Total | | $7,500,000 | 100.0% | 630 | 100.0% | $2,850,000 | 60 | 38% | 9.5% |

Stratification can be used to ensure the sample includes items that have the characteristics
required by the auditor, such as the inclusion of material or risky items in the sample (e.g., large
dollar-value items). Stratification can be used with both statistical and nonstatistical techniques.
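
The stratified selection described above, as an added Python example that is not part of the textbook. The ledger balances are constructed; only the stratum boundaries, the item counts (20, 110, 500) and the sample sizes (15 and 25) come from Illustration 10.3, and the function names are illustrative.

```python
import random


def stratum_of(balance):
    """Stratum number used in Illustration 10.3 for a receivable balance."""
    if balance > 50_000:
        return 1
    if balance >= 15_000:
        return 2
    return 3


def build_population(rng):
    """Constructed ledger: 20 / 110 / 500 accounts, balances invented."""
    specs = [(20, 50_001, 200_000), (110, 15_000, 50_000), (500, 100, 14_999)]
    balances, account = {}, 1
    for count, low, high in specs:
        for _ in range(count):
            balances[f"AR-{account:04d}"] = rng.randint(low, high)
            account += 1
    return balances


def stratified_sample(balances, sample_sizes, rng):
    """Select accounts per stratum.

    sample_sizes maps stratum -> n; None (or a missing stratum) means
    every item in that stratum is tested, so no sampling takes place.
    """
    by_stratum = {}
    for account, balance in balances.items():
        by_stratum.setdefault(stratum_of(balance), []).append(account)
    selected = {}
    for stratum, accounts in sorted(by_stratum.items()):
        n = sample_sizes.get(stratum)
        if n is None or n >= len(accounts):
            selected[stratum] = sorted(accounts)
        else:
            selected[stratum] = sorted(rng.sample(accounts, n))
    return selected


def coverage(balances, selected):
    """Items and dollars audited, per stratum and in total (percent)."""
    rows = {}
    totals = {"items": 0, "sampled": 0, "bv": 0, "bv_sampled": 0}
    for stratum, accounts in sorted(selected.items()):
        stratum_bv = [b for b in balances.values() if stratum_of(b) == stratum]
        row = {
            "items": len(stratum_bv),
            "sampled": len(accounts),
            "bv": sum(stratum_bv),
            "bv_sampled": sum(balances[a] for a in accounts),
        }
        rows[stratum] = row
        for key in totals:
            totals[key] += row[key]
    rows["total"] = totals
    for row in rows.values():
        row["pct_dollars"] = round(100 * row["bv_sampled"] / row["bv"], 1)
        row["pct_items"] = round(100 * row["sampled"] / row["items"], 1)
    return rows


if __name__ == "__main__":
    rng = random.Random(2024)          # fixed seed so the run is repeatable
    ledger = build_population(rng)
    picks = stratified_sample(ledger, {1: None, 2: 15, 3: 25}, rng)
    for name, row in coverage(ledger, picks).items():
        print(name, row)
```

Because stratum 1 is examined in full, the share of dollars audited is far higher than the share of items audited, which is the efficiency the illustration points to.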

Systematic Selection
systematic selection: involves the selection of a sample for testing by dividing the number of
items in a population by the sample size, determining a sampling interval (n), and then
selecting every nth item in the population

Systematic selection involves the selection of a sample for testing by dividing the number of
items in a population by the sample size, resulting in the sampling interval (n). Once the
sampling interval has been determined, a starting point is selected, which is an item in the
population below the sampling interval. Then, the sample is selected by selecting the first item
and then every nth item after that.
For example, a client has 600 customers. The auditor has decided that the sample size when
testing customer receivables is 20. To determine the sampling interval, the following formula
is used.

Sampling interval = Population size ÷ Sample size = 600 ÷ 20 = 30

This means that every 30th item will be selected for testing. An item within the first 30
in the list of customers is selected as the starting point. From then, every 30th item is selected
for testing. The first item is usually randomly selected. If the randomly selected first item is
customer number 15, then the following items will be tested: 15, 45, 75, 105, 135, 165, 195, 225,
255, 285, 315, 345, 375, 405, 435, 465, 495, 525, 555, and 585. If the starting item is selected
randomly and the population is not arranged in any particular order, systematic selection can
be considered a statistical sampling technique.
The risk in using systematic selection is that items will be listed in such a way that by
selecting every nth item, the auditor is selecting items that are somehow related. For example,
assume a company pays 100 employees each week, and you select payroll for testing from the
entire year with a sampling interval of 50. If employees are ordered by employee number, it is
possible that the auditor will select the same two employees every time. This risk can be
reduced by reviewing the items in a population for any systematic bias before selecting a
sample. If the auditor identifies systematic bias, the auditor might use haphazard (see below)
or random sampling instead.
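
The systematic selection procedure and its ordering risk, as an added Python example that is not part of the textbook: it reproduces the 600-customer selection and then counts how many distinct employees an interval of 50 reaches in a payroll file listed in employee-number order. The 52-week payroll list is constructed data and all function names are illustrative.

```python
import random


def systematic_selection(population_size, sample_size, start=None, rng=None):
    """Return (sampling interval, 1-based positions) for systematic selection."""
    if not 0 < sample_size <= population_size:
        raise ValueError("sample size must be between 1 and the population size")
    interval = population_size // sample_size
    if start is None:
        # Random start within the first interval, as the text recommends.
        start = (rng or random.Random()).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must fall within the first sampling interval")
    return interval, [start + k * interval for k in range(sample_size)]


def random_selection(population_size, sample_size, rng):
    """Simple random selection of 1-based positions, for comparison."""
    return sorted(rng.sample(range(1, population_size + 1), sample_size))


def key_coverage(ordered_keys, positions):
    """(distinct key values reached by the sample, distinct values overall)."""
    reached = {ordered_keys[p - 1] for p in positions}
    return len(reached), len(set(ordered_keys))


def worst_case_coverage(ordered_keys, interval):
    """Fewest distinct key values that any starting point would reach.

    Running this before selection is one way to review a population
    for systematic bias relative to the planned interval.
    """
    picks = len(ordered_keys) // interval
    return min(
        key_coverage(ordered_keys, [s + k * interval for k in range(picks)])[0]
        for s in range(1, interval + 1)
    )


def build_payroll_population(weeks=52, employees=100):
    """Constructed data: one payroll record per employee per week, listed
    week by week in employee-number order (52 weeks is an assumption)."""
    return [emp for _ in range(weeks) for emp in range(1, employees + 1)]


if __name__ == "__main__":
    interval, picks = systematic_selection(600, 20, start=15)
    print("interval", interval, "customers", picks)

    payroll = build_payroll_population()
    sample_size = len(payroll) // 50            # interval of 50, as in the text
    interval, picks = systematic_selection(len(payroll), sample_size,
                                           rng=random.Random(7))
    print("systematic:", key_coverage(payroll, picks), "employees reached")

    picks = random_selection(len(payroll), sample_size, random.Random(7))
    print("random:    ", key_coverage(payroll, picks), "employees reached")
```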

Haphazard Selection
haphazard selection: the selection of a sample without use of a methodical technique

Haphazard selection involves the selection of a sample by an auditor without using a methodical
technique. While this technique appears to have much in common with random selection, there is
a risk that an auditor will avoid selecting some items or ensure other items are included in the
sample. For example, an item that is going to be difficult to test because the documentation is
held in another location may be purposefully omitted by the auditor, while an item that looks
unusual and catches the auditor’s eye may be purposefully included. This is both a
nonstatistical and a non-random technique because human bias impacts the sample selected.

Professional Judgment in Selecting and Evaluating Sample Items
Auditors should understand that professional judgment is needed in applying both statistical and
nonstatistical sampling. The next section discusses the factors that influence sample size. Making
appropriate decisions about these factors involves significant professional judgment. Professional
judgment is also needed in evaluating the evidence obtained by sampling and in drawing an ap-
propriate conclusion about the population based on sample evidence. Whether using a statistical
or nonstatistical selection method, auditors need to consider the traits of the population. When
conducting substantive testing, judgment may be used to evaluate stratification of a sample to
include large or unusual items. All sampling methods require the use of professional judgment.

Cloud 9 - Continuing Case


“We are going to use random selection for sales invoices and cash receipts at Cloud 9,” Suzie
tells Ian. “We will select our sample from the entire year because we do not expect different
conditions in sales made to department stores during different times of the year. Obviously,
part of the sampling process includes processes to protect against any potential bias in the
sample selection.”

Before You Go On
5.1 How should the auditor go about defining the population and sampling unit?
5.2 What is the difference between random and haphazard sample selection?

Factors That Influence the Sample Size—Substantive Testing


LEARNING OBJECTIVE 6
Determine how sample size for substantive testing is influenced by various factors.

The auditor must recognize when the concepts associated with audit sampling apply or do
not apply to substantive tests. In a few instances, the logic behind audit sampling does not
apply to substantive tests. For example, audit sampling does not apply to initial procedures,
substantive analytical procedures, and many tests of details of accounting estimates and tests
of details of disclosures. For instance, an auditor might audit the allowance for doubtful
accounts by using ADA to identify and analyze the payment history of every customer with
receivables more than 30 or 60 days past due.
It is common to use audit sampling when performing substantive tests on a population
of transactions or account balances, such as taking a sample of total sales or a sample of total
receivable balances. AU-C 530.A13 identifies a number of factors that will influence the sam-
ple size when testing transactions and balances. These are summarized in Illustration 10.4.

ILLUSTRATION 10.4   Factors that influence sample size when testing transactions and balances

Factor (relationship to sample size): Desired level of assurance that tolerable misstatement is
not exceeded by the actual misstatement in the population (Direct)
  Larger samples:
  • Higher levels of assurance should result in larger sample sizes.
  • Higher levels of risk of material misstatement and lower levels of detection risk will
    result in auditors needing higher levels of assurance from substantive tests.
  • The auditor also needs larger samples when assurance is not obtained from other
    substantive tests.
  Smaller samples:
  • Lower levels of assurance should result in smaller sample sizes.
  • Lower levels of risk of material misstatement and higher levels of detection risk will
    result in the auditor needing lower levels of assurance from substantive tests.
  • The auditor also can accept smaller samples when assurance is obtained from other
    substantive tests.

Factor (relationship to sample size): Tolerable misstatement (Inverse)
  Larger samples: If the auditor can only tolerate small amounts of misstatement and conclude
  that the account balance is presented fairly, the auditor will need larger sample sizes.
  Smaller samples: If the auditor can tolerate larger amounts of misstatement and conclude that
  the account balance is presented fairly, the auditor will accept smaller sample sizes.

Factor (relationship to sample size): The amount of expected misstatement the auditor expects
to find in the population (Direct)
  Larger samples: Larger amounts of expected misstatements in the population will result in
  larger sample sizes.
  Smaller samples: Smaller amounts of expected misstatements in the population will result in
  smaller sample sizes.

Factor (relationship to sample size): Stratification of the population when appropriate
  Larger samples: High variability in an audit population that is not stratified will result in
  larger sample sizes.
  Smaller samples: Stratification of a population into relatively homogeneous subgroups is an
  effective way to reduce sample size for substantive tests.

desired level of assurance: the level of assurance that the sample is representative of the
population; the auditor wants to choose a level of assurance so tolerable misstatement is less
likely to be exceeded by the actual misstatement in the population

The first factor listed in Illustration 10.4 is the auditor’s desired level of assurance that
tolerable misstatement is not exceeded by the actual level of misstatement in the population.
High levels of assurance mean lower levels of sampling risk that the sample is not
representative of the population. Auditors use the audit risk model to guide them on making
decisions about the levels of assurance needed from substantive tests. If the risk of material
misstatement is low (e.g., the combined inherent risk and control risk assessments are low),
then the auditor does not need as much assurance from substantive tests, and the auditor can
reasonably accept a lower level of assurance from substantive tests and use smaller sample sizes
for substantive testing. Alternatively, if the risk of material misstatement is high due to a
combined assessment of inherent risk and control risk as high, the greater is the risk that a
material misstatement exists and the more an auditor must rely on substantive tests of
transactions and balances to identify potential material misstatements. When an auditor decides
to increase his or her reliance on substantive procedures, he or she will increase the sample
size.
When considering the desired level of assurance that the auditor should obtain from tests
of details of transactions or account balances, the auditor will also consider the assurance
obtained from other substantive procedures directed toward the same assertion. When testing
transactions and balances, an auditor will use a number of audit procedures. The more proce-
dures that are directed to the same audit assertion, the less an auditor will need to rely on the
evidence provided by one test alone and the smaller the sample size required. For example,
when testing interest expense, the auditor may use analytical procedures to evaluate the over-
all fairness of interest expense given average principal balances and average interest rates. If
analytical procedures provide evidence that interest expense is presented fairly, the auditor
can appropriately limit the assurance needed from tests of details of transactions and decrease
sample size when testing interest expense.
tolerable misstatement (TM): the maximum dollar amount of misstatement that an auditor is
willing to accept within the population tested, and conclude that the population is presented
fairly when performing a substantive test

The second factor listed in Illustration 10.4 is the auditor’s assessment of tolerable
misstatement, which is the maximum dollar amount of misstatement that an auditor is willing to
accept in a transaction class or an account balance, and still conclude that the population is
presented fairly. Tolerable misstatement is the application of performance materiality to a
particular sampling procedure. Hence, tolerable misstatement is equal to or less than the
performance materiality level set for the class of transactions or balances being tested. For
example, if a receivable population amounts to $100 million, the auditor’s sample size will be
larger if tolerable misstatement is set at $4 million than if it is set at $5 million, in order
to support a more precise conclusion.
expected misstatement (EM): the amount of misstatement the auditor expects in a transaction
class or account balance when performing a substantive test

The third factor listed in Illustration 10.4 is expected misstatement, or the amount of
misstatement the auditor expects to find in the population. When an auditor believes that there
is likely to be a material misstatement in the population of transactions or amounts making up
an account balance, he or she will increase the sample size to gain a better estimate of the
actual misstatement in the population. This will occur when an account is at risk of material
misstatement, such as when it requires estimation (for example, the allowance for doubtful
accounts), when it requires complex calculations (for example, foreign exchange translations),
or when it requires difficult valuation techniques (for example, fair market values). This will
also occur when the auditor has assessed that control risk is high and the client’s control
procedures are inadequate. The auditor may be able to estimate the amount of misstatement that
the auditor expects to find in the population based on prior audit experience with the entity.
The fourth factor listed in Illustration 10.4 is stratification of the population. When there
is a wide range in the monetary size of items in the population (e.g., the population has a high
degree of variability), stratification of the population is a way to group the population into
more homogeneous subgroups, which will result in more efficient sampling and reduce the
sample size required.

Cloud 9 - Continuing Case


Suzie and Ian are discussing how sample size might change from the prior year when performing
substantive tests of transactions related to total sales. At an interim date when Suzie and Ian
are planning the audit, Cloud 9 has increased its revenues by approximately 10%. Ian notes that
he expects that the increase in revenue will cause an increase in sample size. However, Suzie
observes that the increase in the total revenues also caused an increase in the auditor’s level
of tolerable misstatement. As a result, these two changes may offset each other and have little
effect on sample size.
Ian also asserts that because top-line revenues are so important to many financial statement
users, the auditor should want a high level of assurance that tolerable misstatement is not
exceeded by expected misstatement. Suzie responds with a question. “Based on our planning work,
how strong are internal controls? And how will our control risk assessment affect the assurance
that we need from substantive tests of revenues?” As Ian attempts to answer this question, he
suggests, “Inherent risk is probably maximum for sales revenues, but internal controls are
expected to be strong, so overall risk of material misstatement is low. Because risk of material
misstatement is low, we can allow ourselves to obtain a higher detection risk that the actual
misstatements do not exceed tolerable misstatement, which allows for a smaller sample size for
substantive tests of revenue transactions.” Suzie likes Ian’s reasoning. Now she asks, “Is there
anything else we need to consider?”
Ian thinks for a minute and then suggests that they also need to consider the expected amount
of misstatement in the population: “If internal controls are good, then the expected amount of
misstatement should be fairly low. I now see that good internal controls are really important to
our audit strategy, and we will need to emphasize testing controls, and strong controls will
allow us to minimize the sample sizes we need for substantive testing.”
Finally, Suzie asks Ian if they should stratify their sample selection regarding sales. Ian
suggests that before answering that question, he really needs to understand the variation in the
size of sales made to various customers. Suzie likes the fact that this needs to be determined
based on Cloud 9’s sales history. However, she notes that, based on prior experience, some large
customers have many stores, but the average invoice for each store is relatively similar. Suzie
suggests that stratification may be more important for testing accounts receivable than for
testing sales. They agree to quickly investigate this more and then reach a final conclusion.

Before You Go On
6.1 What are the factors that influence sample size when conducting substantive procedures?
6.2 What influences an increase in the auditor’s assessment of desired level of assurance that
tolerable misstatement is not exceeded by the actual misstatement in the population?
6.3 Explain why effective stratification reduces sample size.

A Basic Framework for Audit Sampling


LEARNING OBJECTIVE 7
Explain a basic framework for selecting and evaluating an audit sample for substantive
testing.

Many aspects of planning and evaluating a sample are not affected by the choice of statis-
tical or nonstatistical sampling. The choice of statistical or nonstatistical sampling does not
affect the selection of procedures or the competence of evidence obtained about individual
sample items. These matters require the exercise of professional judgment when applying
either statistical or nonstatistical sampling. The relationship between statistical and non-
statistical sampling is shown graphically in Illustration 10.5. The following discussion
focuses on the first four steps. These steps are common to all sampling methods. Steps 5 to
10 are discussed in the next sections, which discuss probability-proportionate-to-size sam-
pling and nonstatistical sampling for substantive tests. Appendix 10A discusses classical
variables sampling.

Step 1: Determine the Objectives of the Substantive Test
The ultimate purpose of a substantive test is to obtain reasonable assurance that an as-
sertion is presented fairly in all material respects. The auditor can use audit sampling for
this goal by either (1) estimating the total dollar amount of a population or (2) estimating
the dollar amount of misstatement in a population. For example, the auditor might use
a sampling tool to develop an estimate of the audited value of total accounts receivable
or total inventory. If this estimate is within a range of the book value of the client’s ac-
count balance plus or minus tolerable misstatement, then the auditor can conclude the
population is materially correct. Alternatively, the auditor might estimate the amount of
misstatement that might be present in an audit population. If this estimate is less than tol-
erable misstatement for the account, then the auditor can conclude the account balance
is materially correct. At the outset, the auditor needs to determine the population being
tested, the assertion or assertions being tested, and if the auditor is trying to estimate the
total dollar value of the population or the total amount of misstatement that might exist
in the population.

Step 2: Determine the Substantive Audit Procedures to Perform
Important substantive procedures include tests of details of transactions and tests of de-
tails of balances. These are the most common procedures where the auditor would use
audit sampling for substantive tests. For example, the auditor might audit the existence of
accounts receivable by sending confirmations or audit the existence of inventory by physi-
cally inspecting inventory. The auditor might focus audit procedures related to the existence
of property, plant, and equipment (PP&E) by (1) starting with a beginning audited bal-
ance and then (2) auditing changes to PP&E. The auditor might test the additions to PP&E
by vouching to the documentation underlying the transaction. Chapter 9 explained the
nature, timing, and extent of substantive procedures. In addition, Chapters 11, 12, and 13
explore developing substantive tests for the revenue, purchases, and payroll processes, and
for cash, inventory, PP&E, and financing activities. It is important to make sure the evi-
dence obtained is relevant to the assertion. More extensive audit procedures are of no audit
value if the evidence is not relevant to the assertion being tested.

ILLUSTRATION 10.5   Steps in planning and executing a statistical or nonstatistical sample

Step 1: Determine the objectives of the substantive test.
Step 2: Determine the substantive audit procedures to perform.
Step 3: Determine whether to audit a sample or the entire population (branches: all items; a sample).
Step 4: Define the population and sampling unit.
Step 5: Choose the audit sampling technique (statistical or nonstatistical).
Step 6: Statistical: determine sample size from model explicitly recognizing relevant factors.
        Nonstatistical: determine sample size using professional judgment.
Step 7: Statistical: randomly select representative sample.
        Nonstatistical: judgmentally select representative sample.
Step 8: Apply audit procedures (statistical and nonstatistical).
Step 9: Statistical: evaluate results statistically and judgmentally.
        Nonstatistical: evaluate results judgmentally.
Step 10: Document conclusions.

Step 3: Determine Whether to Audit a Sample or the Entire Population
A critical step is to determine if the auditor will audit the entire population, apply an ADA
technique to the entire population, or use sampling. As we have noted previously, when
an audit population is sufficiently small, the auditor might easily audit the entire popula-
tion with traditional audit procedures. For large populations, if reliable data is available in
electronic form and controls over the data are strong, then ADA could be used to analyze
data and search for anomalies. If electronic data is not available and/or not reliable and
controls over the data are weak, then the auditor is more likely to use audit sampling.
These and other factors that influence the choice of ADA versus audit sampling were
summarized in Illustration 10.1. The remainder of the discussion of a basic framework
for audit sampling focuses on when the auditor chooses to use audit sampling rather than
testing an entire population.

Step 4: Define the Population and Sampling Unit
reciprocal population: a population that is overstated if the population of interest is
understated (or vice versa)

As discussed in the “Sampling Methods” section, an important step is determining the population
and the appropriate sampling unit. Sometimes an auditor will audit a reciprocal population. A
reciprocal population is a population that is overstated if the population of interest is
understated (or vice versa). For example, if accounts payable at year-end is understated, it is
likely that the transaction is recorded in the next month, and subsequent recording of purchases
is overstated. The unrecorded liability gets paid, but the transaction is recorded in the wrong
accounting period. Hence, the auditor may often look at the population of purchases in January
searching for items that should have been recorded as accounts payable at the end of December.
Steps 5 to 10 are discussed in each application of audit sampling in the remainder of this
chapter and its appendix.

Before You Go On
7.1 List the 10 steps associated with planning, selecting, and evaluating a sample for substantive
testing.
7.2 Explain the importance of determining the objectives of the substantive test.
7.3 Assume that you are auditing accounts payable. Identify and explain several different ways
you might define the population being tested.

Applying Probability-Proportionate-to-Size Sampling for Substantive Testing

LEARNING OBJECTIVE 8
Apply probability-proportionate-to-size sampling for a substantive test to draw an
audit conclusion.

The following discussion applies the framework described in Illustration 10.5 to probability-
proportionate-to-size (PPS) sampling. Steps 1 through 4 were discussed previously. The
following discussion focuses on Steps 5 through 10, and focuses on the audit judgments
involved in applying PPS sampling for substantive tests.

Step 5: Choose the Audit Sampling Technique

Probability-proportionate-to-size (PPS) sampling, sometimes called dollar-unit sampling or
monetary-unit sampling, uses attribute sampling theory to express a conclusion in dollar amounts.
With this sampling technique, the probability that a particular sampling unit will be chosen in the
sample is proportionate to the monetary size of the item. This form of sampling may be used in
substantive tests of both transactions and balances. The PPS sampling approach illustrated in
this chapter is based on the PPS sampling model described in the AICPA’s Audit Guide: Audit
Sampling.1 The model in the Audit Guide: Audit Sampling is primarily applicable in testing
transactions and balances for overstatement. It may be especially useful in tests of:
•  Receivables when unapplied credits to customer accounts are insignificant.
•  Investment securities.
•  Inventory price tests when few differences are anticipated.
•  Plant asset additions.

probability-proportionate-to-size (PPS) sampling  an approach to sampling that uses attribute
sampling theory to express a conclusion in dollar amounts; with this sampling technique, the
probability that a particular sampling unit will be chosen in the sample is proportionate to the
monetary size of the item

The AICPA’s Audit Guide: Audit Sampling identifies several advantages and disadvan-
tages of PPS sampling. The advantages of PPS sampling are:
•  It is generally easier to use than classical variables sampling because the auditor can calculate
sample sizes and evaluate sample results by hand or with the assistance of tables.
•  The size of a PPS sample is not based on any measure of the estimated variation of audit
values.
•  PPS sampling automatically results in a stratified sample because items are selected in
proportion to their dollar values.
•  PPS systematic sample selection automatically identifies any item that is individually
significant if its value exceeds an upper monetary cutoff.
•  If the auditor expects no misstatements, PPS sampling will usually result in a smaller
sample size than under classical variables sampling.
•  A PPS sample can be designed more easily, and sample selection may begin before the
complete population is available.
In contrast, PPS sampling has the following disadvantages:
•  It includes an assumption that the audit value of a sampling unit should not be less than
zero or greater than book value. When understatements or audit values of less than zero
are anticipated, special design considerations may be required.
•  If understatements are identified in the sample, the evaluation of the sample may require
special considerations.
•  The selection of zero balances or balances of a different sign (e.g., credit balances for asset
accounts) requires special consideration.
•  PPS evaluation may overstate the allowance for sampling risk when misstatements are
found in the sample. As a result, the auditor may be more likely to reject an acceptable
book value for the population.
•  As the expected number of misstatements increases, the appropriate sample size increases.
Thus, a larger sample size may result than under classical variables sampling.
Professional judgment should be exercised by the auditor in determining the appropriate-
ness of this approach in a given audit circumstance. Most generalized audit software, such as
Idea or ACL, allows for the easy use of statistical sampling, provided the auditor understands
the logic behind the statistics being used.
When using PPS sampling, the population consists of the class of transactions or the
account balance to be tested. For each population, the auditor should decide whether all the
items should be included. For example, four populations are possible when the population is
based on account balances in the accounts receivable ledger: (1) all balances, (2) only debit
balances, (3) only credit balances, and (4) zero balances. The following discussion will develop
an example sampling plan for New Millennium Ecoproducts. In this example, the auditor uses
customer receivables with debit balances only.

1 Audit Guide: Audit Sampling (AICPA: New York, NY, 2017).

In PPS sampling, the sampling unit is the individual dollar, and the population is consid-
ered a number of dollars equal to the total dollar amount of the population. Each dollar in the
population is given an equal chance of being selected in the sample. Although individual dol-
lars are the basis for sample selection, the auditor does not actually examine individual dollars
in the population. Rather, the auditor examines the account, transaction, document, or line
item associated with the dollar selected. In the case developed in the following discussion, the
auditor will select individual dollars and use that information to “hook” individual customers
when auditing accounts receivable. The item snagged (e.g., a customer receivable) is known
as a logical sampling unit. It is this feature that gives PPS sampling its name. The more dollars
associated with a logical unit, the greater its chance of being chosen. Thus, the likelihood of
selection is proportional to its size.
This feature is also responsible for two limitations of PPS sampling. First, in testing assets,
zero and negative balances should be excluded from the population because such balances
have no chance of being selected in the sample. The example below will use customers with
debit balances only. Customers with zero balances or credit balances will have to be audited
separately.
Second, PPS sampling is not suitable in testing liabilities (when the auditor is con-
cerned about looking for understatements) because the more an item is understated, the
less likely it is to be included in the sample. PPS sampling is biased against selecting very
small items that might, if understated, be very large. As a result, many auditors using PPS
sampling think about how to identify a reciprocal population that will be overstated if the
account balance being audited is understated. For example, if accounts payable at year-end
is understated, the voucher register for the period subsequent to year-end will likely be
overstated because liabilities that are unrecorded at year-end are normally recorded in the
subsequent period.
The item chosen (e.g., individual customer receivable) and tested by the auditor is
known as the logical sampling unit. If the auditor intends to seek confirmation of customer
account balances, he or she would ordinarily choose the customer account as the logical unit.
Alternatively, the auditor might choose to seek confirmation of specific transactions with
customers. In that case, the auditor might choose sales invoices as the logical unit. The auditor
then selects the sample items from a physical representation of the population, such as the
invoices making up the client’s accounts receivable trial balance. Audit software (such as Idea)
may be used to select the sample items directly from a machine-readable form of the physical
representation. Before selecting the sample, the auditor should determine that the physical
representation is complete. Using the software to reconcile a machine-readable file to a
general ledger control total usually accomplishes this task.

logical sampling unit  the item snagged by the sampling plan for audit, such as an individual
customer or individual sales invoice; auditing procedures are performed on the logical sampling
unit

In the following discussion, we will develop an example for New Millennium Ecoprod-
ucts where:

1. The population is defined as customer receivables with debit balances.
2. The aggregate book value of these accounts is $600,000.
3. The customer account is defined as the logical sampling unit.
4. The electronic file from which the accounts are to be selected has been reconciled to the
general ledger account balance of $600,000 referred to in (2).

Step 6: Determine Sample Size Using Professional Judgment

The same basic factors should be considered whenever the auditor determines sample size.
Illustration 10.6 provides an overview of the factors that influence sample size when the au-
ditor uses PPS sampling. These factors are similar to those discussed in Illustration 10.4 except
for the book value of the population. When selecting a PPS sample, book value does influence
sample size. The risk of incorrect acceptance is related to the desired level of assurance the
auditor wants from the sample. Lower risk of incorrect acceptance is equivalent to having a
higher desired level of assurance from the sample. Tolerable misstatement and expected mis-
statement behave the same as discussed in Illustration 10.4.

ILLUSTRATION 10.6   Factors that influence sample size for PPS sampling

| Larger Samples | Factor (Relationship to Sample Size) | Smaller Samples |
|---|---|---|
| Larger populations with higher book values should result in a larger sample size. | Book value of the population (Direct) | Smaller populations with lower book values should result in a smaller sample size. |
| Smaller amounts of sampling risk should result in a larger sample size. | Risk of incorrect acceptance (Inverse) | Larger amounts of sampling risk should result in a smaller sample size. |
| The smaller the amount of misstatement that the auditor can tolerate, the larger the sample size. | Tolerable misstatement (Inverse) | The larger the amount of misstatement the auditor can tolerate, the smaller the sample size. |
| The closer tolerable misstatement and expected misstatement are to each other, the larger the sample size. | Expected misstatement (Direct) | The greater the difference between tolerable misstatement and expected misstatement, the smaller the sample size. |

Once the auditor has made professional judgments about these factors, the following
formula is used to determine sample size (n) in PPS sampling:

n = (BV × RF) ÷ [TM − (EM × EF)]

where
  BV = book value of population tested
  RF = reliability factor for the specified risk of incorrect acceptance
  TM = tolerable misstatement
  EM = expected misstatement
  EF = expansion factor for expected misstatement

Each of these factors is explained below.

Book Value of Population Tested


The book value specified in determining sample size must relate to the definition of the
population. In our example, the book value of total accounts receivable with debit bal-
ances for New Millennium Ecoproducts is $600,000. The amount of the book value has a
direct effect on sample size—the larger the book value being tested, the larger the sample
size.

Reliability Factor for Specified Risk of Incorrect Acceptance


In specifying an acceptable level of risk of incorrect acceptance, the auditor should consider
(1) the level of audit risk that he or she is willing to take that a material misstatement in the
account will go undetected, (2) the assessed levels of inherent and control risks, and (3) the
results of other tests of details and substantive analytical procedures that are relevant to
the assertion. Therefore, the risk of incorrect acceptance is determined using the audit risk
model as shown below.

Risk of incorrect acceptance = AR ÷ (IR × CR × OSP)

where
  AR = audit risk
  IR = inherent risk
  CR = control risk
  OSP = assurance from other substantive procedures





Further, the risk of incorrect acceptance has an inverse effect on sample size—the lower
the specified risk, the larger the sample size. For example, the auditor concludes that inherent
risk is at the maximum, and control risk is low. If other substantive procedures provide mod-
erate assurance that the book value being tested is not materially misstated, the auditor will be
willing to accept a higher risk of incorrect acceptance, perhaps up to 40%, for the PPS sample.
Now suppose the auditor concludes inherent risk is maximum, and control risk is high. If other
substantive procedures provide little assurance about the account being tested, then greater as-
surance must be obtained from the test and the auditor will specify a low risk, perhaps as low as
5%, of incorrect acceptance. The audit risk model, experience, and professional judgment must
be used in making these determinations.
Risk of incorrect acceptance is used to determine the reliability factor (RF), and this is
obtained from Illustration 10.7. It is based on the risk of incorrect acceptance specified by
the auditor and zero number of misstatements, regardless of the number of misstatements
expected. In New Millennium Ecoproducts, the auditor specifies a 5% risk of incorrect
acceptance, implying that the auditor is not relying on internal controls and is getting all of
the assurance from substantive tests of details. Therefore, the reliability factor is 3.0.

ILLUSTRATION 10.7   Reliability factors for zero overstatements

| Risk of Incorrect Acceptance | 1% | 5% | 10% | 15% | 20% | 25% | 30% | 37% |
|---|---|---|---|---|---|---|---|---|
| Reliability factors | 4.61 | 3.00 | 2.31 | 1.90 | 1.61 | 1.39 | 1.21 | 1.00 |

Source: AICPA Audit Guide: Audit Sampling.

Tolerable Misstatement
Tolerable misstatement (TM) is the maximum misstatement that can exist in an account be-
fore it is considered materially misstated. Some auditors use the term performance materiality
(or material amount) as an alternative to TM. In specifying this factor, the auditor should real-
ize that misstatements in individual accounts, when aggregated with misstatements in other
accounts, may cause the financial statements as a whole to be materially misstated.
TM has an inverse effect on sample size—the smaller the TM, the larger the sample size. For
New Millennium Ecoproducts, the auditor specifies a TM equal to 5% of book value, or $30,000.

Expected Misstatement and Expansion Factor


In PPS sampling, the auditor does not quantify the risk of incorrect rejection. This risk is
controlled indirectly, however, by specifying the expected misstatement (EM) that is inversely
related to the risk of incorrect rejection and directly related to sample size. EM is the amount
of misstatement the auditor expects to occur in the population. The auditor uses prior experi-
ence, knowledge of the client, and professional judgment in determining an amount for EM.
The auditor must bear in mind that an excessively high amount will unnecessarily increase
sample size, whereas too low an estimate will result in a high risk of incorrect rejection. For
New Millennium Ecoproducts, the auditor specifies EM of $6,000 based on knowledge from
the audit in the prior year.
The expansion factor (EF) is required only when misstatements are expected. It is ob-
tained from Illustration 10.8 using the auditor’s specified risk of incorrect acceptance. The
smaller the specified risk of incorrect acceptance, the larger the EF. Like expected misstate-
ment, the EF has a direct effect on sample size. In New Millennium Ecoproducts, the EF for
expected misstatement is 1.6. The combined effect of expected misstatement and EF is then
subtracted from tolerable misstatement in determining sample size.

ILLUSTRATION 10.8   Expansion factors for PPS sampling

| Risk of Incorrect Acceptance | 1% | 5% | 10% | 15% | 20% | 25% | 30% | 37% |
|---|---|---|---|---|---|---|---|---|
| Expansion factor | 1.90 | 1.60 | 1.50 | 1.40 | 1.30 | 1.25 | 1.20 | 1.15 |

Source: AICPA Audit Guide: Audit Sampling.



Calculation of Sample Size


The factors for determining sample size for New Millennium Ecoproducts are BV = $600,000,
RF = 3.0, TM = $30,000, EM = $6,000, and EF = 1.6. Thus, sample size is 88, computed as
follows:

n = ($600,000 × 3.0) ÷ [$30,000 − ($6,000 × 1.6)] = 88

Step 7: Select a Representative Sample


The process of selecting a sample should be unbiased and the auditor should attempt to obtain
a representative sample of the items in the balance or transaction class being sampled. The
auditor can never be certain that a representative sample has been achieved. The concept of
sampling risk (risk of incorrect acceptance) is a measure of whether the sample is representative
or not. The auditor’s best opportunity to obtain a representative sample is to select a random
sample. The following discussion explains the methodology for selecting a random sample
using PPS sampling.

Calculate Sampling Interval


The most common selection method used in PPS sampling is systematic selection. This
method divides the total population of dollars into equal intervals of dollars. A logical unit is
then systematically selected from each interval. Thus, a sampling interval (SI) must be calcu-
lated as follows:

SI = BV ÷ n

In New Millennium Ecoproducts, the sampling interval is $6,818 ($600,000 ÷ 88).

Select Random Sample


The initial step in the selection process is to pick a starting random number between 1
and the sampling interval of 6,818. The sample will then include each logical unit that
contains every 6,818th dollar thereafter in the population. A random number can be de-
termined by using the @ random function in Microsoft Excel, by using an audit software
application like Idea, or by using the serial number on a dollar bill. In the selection pro-
cess, it is necessary to determine the cumulative balance of the book values of the logical
units to determine which logical units are “hooked” or “snagged” by the individual dollar
units selected. The process is illustrated for New Millennium Ecoproducts in Illustra-
tion 10.9, where (1) the customer account number is used to identify the logical units
and (2) the starting random number is 5,082. Note that the amounts in the Dollar Unit
Selected column represent every 6,818th dollar after 5,082. For example, the second item
selected is the item with the cumulative dollar value of $11,900 (5,082 + 6,818 = 11,900).
This was customer 1004. The first dollar of this customer was $9,834 and the last dollar
of this customer was $13,108. Since $11,900 falls between these numbers, customer 1004
was the second customer selected for confirmation. The dollar unit selected causes the
entire book value of the related logical sampling unit (customer) to be included in the
sample. It is important to note that the selection process will result in the selection of all
logical units with book values equal to or greater than the sampling interval ($6,818 in
this case). These items become a certainty stratum, and the auditor can draw a conclusion
about that sampling interval with certainty as the auditor will audit every dollar in the
sampling interval. Most auditors use generalized audit software (e.g., Idea) to accom-
plish this task.

ILLUSTRATION 10.9   PPS systematic selection process

Accounts Receivable (Random Start = $5,082; Sampling Interval = $6,818)

| Logical Unit (Customer Number) | Book Value | Cumulative Balances | First Dollar of Logical Unit | Last Dollar of Logical Unit | Dollar Unit Selected | Book Value of “Hooked” Sample Item |
|---|---|---|---|---|---|---|
| 1001 | $1,200 | $1,200 | $1 | $1,200 | | |
| 1002 | 6,443 | 7,643 | 1,201 | 7,643 | $5,082 | $6,443 |
| 1003 | 2,190 | 9,833 | 7,644 | 9,833 | | |
| 1004 | 3,275 | 13,108 | 9,834 | 13,108 | 11,900 ($5,082 + $6,818) | 3,275 |
| 1005 | 980 | 14,088 | 13,109 | 14,088 | | |
| 1006 | 1,647 | 15,735 | 14,089 | 15,735 | | |
| 1007 | 4,260 | 19,995 | 15,736 | 19,995 | 18,718 ($11,900 + $6,818) | 4,260 |
| 1008 | 480 | 20,475 | 19,996 | 20,475 | | |
| 1009 | 7,150 | 27,625 | 20,476 | 27,625 | 25,536 ($18,718 + $6,818) | 7,150 |
| … | | | | | | |
| Total | $600,000 | | | | | |
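
The Step 6 and Step 7 calculations, reproduced in Python for the rows shown in Illustration 10.9. This is an added example, not code from the textbook or from any audit software. The function names, the round-to-nearest rule for n, the optional control-total check and the use of Python's `secrets` module for the random start are assumptions made here.

```python
"""PPS sample size, sampling interval and systematic selection (added example)."""
import secrets
from dataclasses import dataclass, field

# First nine rows of Illustration 10.9: (customer number, book value).
ILLUSTRATION_10_9_ROWS = [
    (1001, 1200), (1002, 6443), (1003, 2190), (1004, 3275), (1005, 980),
    (1006, 1647), (1007, 4260), (1008, 480), (1009, 7150),
]


def half_up(amount):
    """Round a non-negative amount to the nearest whole number."""
    return int(amount + 0.5)


def pps_sample_size(bv, rf, tm, em=0.0, ef=0.0):
    """n = (BV x RF) / (TM - (EM x EF)).

    Assumption: the quotient is rounded to the nearest whole item, which
    reproduces the page's n = 88; the page does not state a rounding rule.
    """
    net_tolerable = tm - em * ef
    if net_tolerable <= 0:
        raise ValueError("EM x EF must be smaller than TM")
    return half_up(bv * rf / net_tolerable)


def sampling_interval(bv, n):
    """SI = BV / n, in whole dollars."""
    return half_up(bv / n)


def random_start(interval):
    """Unpredictable starting dollar in 1..interval; record it so the
    selection can be re-performed."""
    return secrets.randbelow(interval) + 1


@dataclass
class Selection:
    unit_id: object
    book_value: int
    first_dollar: int
    last_dollar: int
    hits: list = field(default_factory=list)  # dollar units that hooked this unit


def systematic_select(units, interval, start, control_total=None):
    """Return the logical units hooked by every `interval`-th dollar from `start`."""
    if not 1 <= start <= interval:
        raise ValueError("start must lie between 1 and the sampling interval")
    if control_total is not None and sum(bv for _, bv in units) != control_total:
        # Completeness check: the file must agree with the ledger control total.
        raise ValueError("file does not reconcile to the control total")
    selected, cumulative, next_dollar = [], 0, start
    for unit_id, book_value in units:
        if book_value <= 0:
            # Zero and negative balances can never be hooked; test them separately.
            raise ValueError(f"unit {unit_id}: balance must be positive")
        first_dollar = cumulative + 1
        cumulative += book_value
        hits = []
        while next_dollar <= cumulative:  # a large unit can be hit more than once
            hits.append(next_dollar)
            next_dollar += interval
        if hits:
            selected.append(
                Selection(unit_id, book_value, first_dollar, cumulative, hits))
    return selected


if __name__ == "__main__":
    n = pps_sample_size(600_000, 3.0, 30_000, 6_000, 1.6)
    si = sampling_interval(600_000, n)
    print("n =", n, "SI =", si)
    for s in systematic_select(ILLUSTRATION_10_9_ROWS, si, 5082):
        print(s.unit_id, s.book_value, s.first_dollar, s.last_dollar, s.hits)
```

Any unit whose book value is at least the sampling interval is always returned, which is the certainty stratum described above.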

Step 8: Apply Audit Procedures


Once the auditor selects a sample, the auditor should apply audit procedures to determine
the magnitude of misstatement in the items selected for auditing. In Step 2, the auditor deter-
mined the evidence that would support a conclusion about whether the account balance or
transaction class was correct or whether it contained a misstatement. If the auditor is sending
confirmations, the auditor must use professional judgment to evaluate each confirmation (see
a further discussion of confirmation follow-up procedures in Chapter 11).
In the New Millennium Ecoproducts example, the auditor has chosen to send confirmations
of accounts receivable to 88 customers. Assume that five of the 88 confirmations were
either returned with the customer disagreeing with the amount or never returned.
After the auditor performs follow-up procedures on the five items, he or
she documents the results. In all five cases, the audit value is less than the recorded book
value, as noted in the following table.

| Customer Number | Book Value (BV) | Audit Value (AV) |
|---|---|---|
| 1031 | $950 | $855 |
| 1042 | 2,500 | 1,250 |
| 1098 | 7,650 | 6,885 |
| 1157 | 5,300 | 5,035 |
| 1210 | 8,000 | 0 |

Step 9: Evaluate Sample Results


In evaluating the results of the sample, the auditor calculates an upper misstatement limit
(UML) from the sample data to develop a statistical estimate of the maximum misstatement
in the population based on the sample. The auditor can then compare the UML with tolerable
misstatement specified in designing the sample. The sample results support the conclusion
that the population book value is not misstated by more than the UML at the specified risk
of incorrect acceptance. If the UML is less than TM, then the auditor accepts the population
as being materially correct. The auditor may also want to consider whether the UML may
combine with other misstatements found in the audit to produce a material misstatement.

upper misstatement limit  a statistical estimate of the maximum misstatement in the
population based on the sample

The upper misstatement limit (UML) is calculated as follows:

UML = PM + ASR

where
  PM = projected misstatement, which is a projection of the misstatement in the population
  based on the findings in the sample
  ASR = allowance for sampling risk, which measures the uncertainty associated with not
  sampling the entire population

projected misstatement (PM)  a projection of the misstatement in the population based on the
findings in the sample
allowance for sampling risk (ASR)  a measure of the uncertainty associated with not
sampling the entire population

No Misstatements Found in the Sample

The results of the sample are used to estimate the total projected misstatement (PM) in the
population. When no misstatements are discovered in the sample, the PM factor in the for-
mula above is zero dollars.
In the case of no misstatements, the allowance for sampling risk (ASR) factor consists of
one component sometimes referred to as basic precision (BP), which is the amount of
estimated misstatement in the population, even if no misstatements are detected in the sample.
The amount is obtained by multiplying the reliability factor (RF) for zero misstatements at
the specified risk of incorrect acceptance (Illustration 10.7) times the sampling interval (SI).
Ordinarily, the auditor uses the same risk of incorrect acceptance in this calculation that was
specified in determining sample size (5%). Thus, in the New Millennium Ecoproducts
example, basic precision is $20,454, computed as follows:

BP (or ASR if no misstatements) = RF0 × SI
= 3.0 × $6,818
= $20,454

basic precision (BP)  the amount of estimated misstatement in the population, even if no
misstatements are detected in the sample

Now we know ASR, and PM is zero if no misstatements were found. We can then calculate
the UML as follows:

UML = PM + ASR
= 0 + $20,454
= $20,454

The UML of $20,454 is less than the $30,000 TM specified in the sample design. As a
general rule, if no misstatements are found in the sample and expected misstatement (EM)
was specified as zero, the ASR and the UML will always equal TM. If EM was greater than
zero, as was the case for New Millennium Ecoproducts, the ASR and the UML will be less
than TM. When making this statistical calculation, if no misstatements were found for New
Millennium Ecoproducts, the auditor could conclude that the book value of the population is
not overstated by more than $20,454 at a 5% risk of incorrect acceptance.

Some Misstatements Found in the Sample


If misstatements are found in the sample, the auditor must calculate both the total PM in the
population and the ASR to determine the UML for overstatements. The UML is then com-
pared with TM.
A projected misstatement (PM) amount is calculated for each logical unit (each cus-
tomer) where a misstatement is found by the auditor. Individual projected misstatements are
then summed to arrive at the PM for the entire population. The PM is calculated differently
for (1) logical units with book values less than the sampling interval and (2) logical units with
book values equal to or greater than the sampling interval.

For each logical unit with a book value less than the sampling interval that contains a mis-
statement, a tainting percentage (TP) and projected misstatement are calculated as follows:

Tainting percentage = (Book value – Audit value) ÷ Book value


Projected misstatement = Tainting percentage × Sampling interval

The calculations recognize that each logical unit included in the sample represents one sam-
pling interval of the dollars in the population’s book value. Thus, the degree to which a logical
unit is “tainted” with misstatement is projected to all of the dollars in the sampling interval
it represents.
For each logical unit where the book value is equal to or greater than the sampling interval,
the projected misstatement is the amount of misstatement found in the logical unit (Book value –
Audit value). Because the logical unit itself is equal to or greater than the sampling interval, a
tainting percentage to project the misstatement to the interval is unnecessary. Rather, the ac-
tual amounts of such misstatements are used in arriving at PM for the population as a whole.
Illustration 10.10 shows the calculation of projected misstatement for the five misstate-
ments in the New Millennium Ecoproducts example.

ILLUSTRATION 10.10   Determination of projected misstatement for New Millennium Ecoproducts

| Customer Number | Book Value (BV) | Audit Value (AV) | Tainting Percentage (TP) (BV – AV)/BV | Sampling Interval (SI) | Projected Misstatement TP × SI or (BV – AV) |
|---|---|---|---|---|---|
| 1031 | $950 | $855 | 10% | $6,818 | $682 |
| 1042 | 2,500 | 1,250 | 50% | 6,818 | 3,409 |
| 1098 | 7,650 | 6,885 | N/A* | N/A* | 765 |
| 1157 | 5,300 | 5,035 | 5% | 6,818 | 341 |
| 1210 | 8,000 | 0 | N/A* | N/A* | 8,000 |
| Total | $24,400 | $14,025 | | | $13,197 |

*Book value of the logical sampling unit is greater than sampling interval; therefore, projected misstatement
equals actual misstatement (BV – AV).

Note that the first, second, and fourth logical units containing misstatements have book
values less than the sampling interval of $6,818. Accordingly, the tainting percentages (TP) have
been calculated and used to determine the projected misstatements. The third and fifth units
have book values greater than the sampling interval. Therefore, the projected misstatement for
each is the difference between the book value and the audit value. The total misstatement in
the sample is $10,375 ($24,400 – $14,025), and the total PM in the population is $13,197.
The allowance for sampling risk (ASR) for samples containing misstatements has two
components as indicated in the following formula:

ASR = BP + IA

where
  BP = basic precision
  IA = incremental allowance for sampling risk

The calculation of BP is the same whether or not misstatements are found in the sample.
Thus, in New Millennium Ecoproducts, this component is again $20,454, based on the RF of
3.0 (for zero errors and a 5% risk of incorrect acceptance) multiplied by the SI of $6,818.
To calculate the incremental allowance for sampling risk (IA), the auditor must consider
separately the logical units with book values less than the sampling interval and those with
book values equal to or greater than the sampling interval. For all logical units equal to or
greater than the sampling interval, the auditor has examined 100% of the sampling interval,
and the auditor can draw a conclusion about these sampling intervals with certainty. There
is no sampling risk associated with these items. Consequently, the calculation of IA involves
only misstatements related to logical units with book values less than the sampling interval.

The calculation of IA involves the following steps:

•  Determine the appropriate incremental change in reliability factors.
•  Rank the projected misstatements for logical units less than the sampling interval from
highest to lowest.
•  Multiply the ranked projected misstatements by the appropriate factor and sum the products.

Illustration 10.11 illustrates the first step.

ILLUSTRATION 10.11   Incremental change for allowance for sampling risk

5% Risk of Incorrect Acceptance

| Number of Overstatements | Reliability Factor | Incremental Change in Reliability Factor | Incremental Change in Reliability Factor Minus One |
|---|---|---|---|
| 0 | 3.00 | — | — |
| 1 | 4.75 | 1.75 | 0.75 |
| 2 | 6.30 | 1.55 | 0.55 |
| 3 | 7.76 | 1.46 | 0.46 |
| 4 | 9.16 | 1.40 | 0.40 |

Source: AICPA Audit Guide: Audit Sampling.

The data in the first two columns in Illustration 10.11 are taken from Illustration 10.12 for
the specified risk of incorrect acceptance (5% in this illustration). Each entry in the third column
in Illustration 10.11 is the reliability factor on the same line less the reliability factor on the previ-
ous line. The factors calculated in the fourth column are obtained by subtracting one from each of
the third column factors.

ILLUSTRATION 10.12   Reliability factors for evaluating PPS samples

Risk of Incorrect Acceptance

| Number of Overstatements | 1% | 5% | 10% | 13% | 15% | 20% | 25% | 30% | 37% |
|---|---|---|---|---|---|---|---|---|---|
| 0 | 4.61 | 3.00 | 2.31 | 2.00 | 1.90 | 1.61 | 1.39 | 1.21 | 1.00 |
| 1 | 6.64 | 4.75 | 3.89 | 3.56 | 3.38 | 3.00 | 2.70 | 2.44 | 2.14 |
| 2 | 8.41 | 6.30 | 5.33 | 4.94 | 4.72 | 4.28 | 3.93 | 3.62 | 3.25 |
| 3 | 10.05 | 7.76 | 6.69 | 6.25 | 6.02 | 5.52 | 5.11 | 4.77 | 4.34 |
| 4 | 11.61 | 9.16 | 8.00 | 7.53 | 7.27 | 6.73 | 6.28 | 5.90 | 5.43 |
| 5 | 13.11 | 10.52 | 9.28 | 8.77 | 8.50 | 7.91 | 7.43 | 7.01 | 6.49 |
| 6 | 14.57 | 11.85 | 10.54 | 10.00 | 9.71 | 9.08 | 8.56 | 8.12 | 7.56 |
| 7 | 16.00 | 13.15 | 11.78 | 11.21 | 10.90 | 10.24 | 9.69 | 9.21 | 8.63 |
| 8 | 17.41 | 14.44 | 13.00 | 12.41 | 12.08 | 11.38 | 10.81 | 10.31 | 9.68 |
| 9 | 18.79 | 15.71 | 14.21 | 13.59 | 13.25 | 12.52 | 11.92 | 11.39 | 10.74 |
| 10 | 20.15 | 16.97 | 15.41 | 14.77 | 14.42 | 13.66 | 13.02 | 12.47 | 11.79 |

Source: AICPA Audit Guide: Audit Sampling.

The second and third steps are illustrated below.

| Ranked Projected Misstatements | Incremental Change in Reliability Factor Minus One | Incremental Allowance |
|---|---|---|
| $3,409 | 0.75 | $2,557 |
| 682 | 0.55 | 375 |
| 341 | 0.46 | 157 |
| Total | | $3,089 |

Observe that (1) only the projected misstatements from Illustration 10.10 for logical units with
book values less than the sampling interval are ranked, and (2) the appropriate reliability factor is
obtained from the fourth column of Illustration 10.11. The incremental allowances for the projected
misstatements are then added to determine the total incremental allowance of $3,089. Thus, the
total allowance for sampling risk for New Millennium Ecoproducts is $23,543, computed as follows:

ASR = BP + IA
= $20,454 + $3,089
= $23,543

Finally, the UML is calculated as:

UML = PM + ASR
= $13,197 + $23,543
= $36,740

The auditor may conclude (a quantitative conclusion) that the book value is not overstated
by more than $36,740 at a 5% risk of incorrect acceptance. For New Millennium Ecoproducts,
the UML exceeds the TM of $30,000 specified in designing the sample. When this occurs, the
auditor should consider several possible reasons and alternative courses of action. These
matters are discussed next.

Qualitative Considerations
Whether UML is less than, equal to, or greater than TM, certain qualitative considerations
should be made prior to reaching an overall conclusion. Misstatements may be due to (1) differences
in principle or application, (2) errors, or (3) fraud. Consideration should also be given
to the relationship of the misstatements to other phases of the audit. For example, if misstatements
are discovered in substantive tests in amounts or frequency that provide evidence that internal
controls are not functioning as expected, and the control risk assessment used in arriving
at the risk of incorrect acceptance specified for the sample is inconsistent with the subsequent
evidence, the auditor should consider whether that assessment of control risk is still appropriate.
If it is not appropriate, the auditor should redesign the sampling plan. If the auditor detects fraud
in the sample, the auditor may want to perform additional procedures, even if the amount of
the UML is less than tolerable misstatement. The nature of the fraud, particularly evidence of
management fraud, may also have implications for other aspects of the audit (see Chapter 4).
The auditor uses professional judgment in combining evidence from several sources to
reach an overall conclusion about whether an account balance is free of material misstatement.
When (1) the results of a PPS sample reveal the UML to be less than or equal to TM, (2) the
results of other substantive tests do not contradict this finding, and (3) analysis of the qualitative
considerations reveals no evidence of fraud, the auditor can generally conclude that the
population is not materially misstated. However, if the UML is greater than TM, if the results
of other tests contradict the results of the PPS sample, or if qualitative issues arise in the sample
evidence, further evaluation of the circumstances is necessary.
For example, if the UML is greater than TM, the auditor should consider the following
possible reasons and actions:

•  The sample is not representative of the population. The auditor might suspect this is the
case when the sample contains immaterial misstatements that result in a projected UML
that exceeds tolerable misstatement. In this case, the auditor might examine additional
sampling units or perform alternative procedures to determine whether the population
is misstated. (Note: A simple way to expand the sample is to divide the sampling interval
in half. This will produce a sample containing all the units in the original sample plus an
equal number of additional units.)
•  The amount of expected misstatement specified in designing the sample may not have
been large enough relative to tolerable misstatement to adequately limit the allowance
for sampling risk. That is, the population may not be misstated by more than TM, but
because the amount of misstatement in the population is greater than expected, more
precise information is needed from the sample. In this situation, the auditor may examine
additional sampling units and reevaluate or perform alternative audit procedures to
determine whether the population is misstated by more than TM.
•  The population is misstated by more than TM. In this case, the auditor may request the client
investigate the misstatements found in the sample and, if appropriate, adjust the book value.
As a result of any of these courses of action, the client’s book value might be adjusted. If
the UML after adjustment is less than TM, the sample results would support the conclusion
that the population, as adjusted, is not misstated by more than TM at the specified risk of incorrect
acceptance. For example, in the New Millennium Ecoproducts sample, one receivable with
a book value of $8,000 was found to have an audit value of zero. If this account was adjusted to
the audited value, the PM for the population would be $5,197 ($13,197 – $8,000). The allowance
for sampling risk would remain the same at $23,543, and UML would become $28,740 ($5,197 +
$23,543), which is less than the $30,000 TM specified in designing the sample.

Step 10. Document Conclusions


Illustration 10.13 provides an example of how the application of PPS sampling in the audit of
New Millennium Ecoproducts receivables might be documented. This example shows how the
sample was designed, the specific audit evidence that was obtained, and the conclusions that
were reached about the account balance. The working papers also cross-reference to other working
papers where important audit planning decisions and other audit evidence are documented.

ILLUSTRATION 10.13   PPS sampling plan working paper

Client:  New Millennium Ecoproducts Bell & Bowerman, LLP Prepared by: A.J.D. 1/7/23
Period-end: 12/31/22 Reference: B-2 Reviewed by: C.W.B. 1/9/23
Evaluation of Confirmation Results
Objective: To obtain evidence to determine whether the aggregate book value of customer accounts with debit balances as of 12/31/22 is,
or is not, materially misstated. See W/P B-4 for procedures performed on zero and credit balances, which found no exceptions.
Population and Sampling Unit: The population is defined as the total book value of accounts receivable with debit balances per master
file. The logical sampling unit is the customer account.
Sample Size:
  Book Value of the Population                    $600,000 (BV)
  Risk of Incorrect Acceptance        GF - 8      5%             RF = 3.00
  Tolerable Misstatement              GF - 4      $30,000 (TM)
  Expected Misstatement                           $6,000 (EM)    EF = 1.60
  Sample Size                                     88 (n)
Sample Selection:
  Sampling Interval = BV/n                        $6,818
  Random Start                                    $5,082
  Logical Sampling Units Selected                 Listed on W/P B-3
Evaluation of Sampling Plan:
  Audit Procedures Applied                        Listed on W/P B-1
  Book and Audit Values for Sample Items with Misstatements    Listed Below
Evaluation of Sample Results:
  Projected Misstatement

  Customer   Book Value   Audit Value   Tainting Percentage (TP)   Sampling        Projected Misstatement
  Number     (BV)         (AV)          (BV − AV)/BV               Interval (SI)   TP * SI or (BV − AV)
  1031       $  950       $  855        10.0%                      $6,818          $   682
  1042        2,500        1,250        50.0%                       6,818            3,409
  1098        7,650        6,885        N/A                         N/A                765
  1157        5,300        5,035        5.0%                        6,818              341
  1210        8,000            –        N/A                         N/A              8,000
                                                                                    13,197 (PM)
  Allowance for Sampling Risk:
  Basic Precision = RF * SI    $20,454 (BP)

Incremental Allowance for Sampling Risk

      Ranked Projected   Incremental Change in Reliability
      Misstatements      Factor Minus One
1     $3,409             0.75                                $ 2,557
2        682             0.55                                    375
3        341             0.46                                    157
4          –             –
5          –             –
                                                               3,089 (IA)
Upper Misstatement Limit (PM + BP + IA) $36,740  (UML > TM)

Conclusion: The UML of $36,740 exceeds TM of $30,000. Client subsequently agreed to adjust customer number 1210 to the audited value
of $0. This item was larger than the sampling interval and the misstatement was known with certainty. This reduces both PM and UML
by $8,000, making UML $28,740 which is less than TM. See adjusting entry on w/p AE-1. After the client adjustment, the results support a
conclusion that the aggregate book value of customer accounts with debit balances, as adjusted, is materially correct.
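
The PPS evaluation documented above can be reproduced in a few lines of code. This is an added example, not part of the original text: it recomputes PM, BP, IA, ASR, and UML from the sample items in Illustration 10.13 and the 5% column of Illustration 10.12, rounding each line to whole dollars. The function and variable names are assumptions made for the illustration.

```python
# Added example: PPS sample evaluation using the New Millennium Ecoproducts data.
# Function and variable names are assumptions made for this illustration.

# 5% risk-of-incorrect-acceptance column of Illustration 10.12,
# indexed by number of overstatements (0 through 10).
RELIABILITY_5PCT = [3.00, 4.75, 6.30, 7.76, 9.16, 10.52,
                    11.85, 13.15, 14.44, 15.71, 16.97]

# (customer number, book value, audit value) for the sample items with
# misstatements, as listed in Illustration 10.13.
SAMPLE_MISSTATEMENTS = [
    (1031, 950, 855),
    (1042, 2500, 1250),
    (1098, 7650, 6885),
    (1157, 5300, 5035),
    (1210, 8000, 0),
]


def projected_misstatement(book, audit, interval):
    """Project one item's overstatement to the sampling interval it represents."""
    if book <= 0 or audit > book:
        raise ValueError("this evaluation covers overstated debit balances only")
    if book >= interval:
        # Unit is at least as large as the interval: the misstatement is
        # known with certainty and is not projected.
        return book - audit
    tainting = (book - audit) / book       # TP = (BV - AV) / BV
    return round(tainting * interval)      # TP * SI, in whole dollars


def evaluate_pps(items, interval, factors=RELIABILITY_5PCT):
    """Return PM, BP, IA, ASR and UML in whole dollars."""
    projected = [(book, projected_misstatement(book, audit, interval))
                 for _, book, audit in items]
    pm = sum(p for _, p in projected)
    bp = round(factors[0] * interval)      # basic precision = RF * SI

    # Only projections from units smaller than the interval are ranked
    # and carry an incremental allowance.
    ranked = sorted((p for book, p in projected if book < interval and p > 0),
                    reverse=True)
    if len(ranked) >= len(factors):
        raise ValueError("more overstatements than the reliability table covers")
    ia = 0
    for k, p in enumerate(ranked, start=1):
        change_minus_one = factors[k] - factors[k - 1] - 1
        ia += round(p * change_minus_one)

    asr = bp + ia
    return {"PM": pm, "BP": bp, "IA": ia, "ASR": asr, "UML": pm + asr}


def after_client_adjustment(result, corrected_amount):
    """Recompute PM and UML after the client books a known misstatement.

    The allowance for sampling risk is left unchanged, as in the text.
    """
    adjusted = dict(result)
    adjusted["PM"] = result["PM"] - corrected_amount
    adjusted["UML"] = adjusted["PM"] + result["ASR"]
    return adjusted


if __name__ == "__main__":
    TM = 30_000
    before = evaluate_pps(SAMPLE_MISSTATEMENTS, interval=6818)
    after = after_client_adjustment(before, corrected_amount=8000)
    for label, r in (("before adjustment", before), ("after adjustment", after)):
        verdict = "exceeds" if r["UML"] > TM else "is within"
        print(f"{label}: PM={r['PM']:,} ASR={r['ASR']:,} "
              f"UML={r['UML']:,} ({verdict} TM)")
```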

Before You Go On
8.1 Explain the advantages and disadvantages of using PPS sampling.
8.2 Distinguish between the sampling unit and the logical sampling unit in PPS sampling.
8.3 Explain why, when auditing accounts receivable with PPS sampling, zero balances and credit
balances must be audited separately.
8.4 Give the formula for calculating sample size in PPS sampling. Explain what each element in
the formula represents and how a change in each element, holding other elements constant,
affects sample size.
8.5 Explain the terms tainting percentage and projected misstatement as they pertain to PPS sampling.
8.6 Explain the two components of allowance for sampling risk in PPS samples.

Applying Nonstatistical Sampling for Substantive Testing


LEARNING OBJECTIVE 9
Apply nonstatistical sampling for a substantive test to draw an audit conclusion.

The basic steps associated with any sampling plan are summarized in Illustration 10.5. This
section picks up the unique aspects of applying Steps 5 through 10 in the context of executing
a nonstatistical sample for a substantive test.

Step 5: Choose the Audit Sampling Technique


The auditor may choose to use nonstatistical sampling in certain substantive testing
applications. Nonstatistical sampling is an approach to audit sampling that relies on the
auditor’s judgment to determine sample size, select the sample, project sample results on
the population, and evaluate any allowance for sampling risk.
The major advantages of nonstatistical sampling include:
•  Decreased complexity.
•  Lower training cost.
•  May be less time-consuming.
The major disadvantages of nonstatistical sampling are that the auditor:
•  Cannot quantify sampling risk.
•  Cannot measure the sufficiency of evidence.
•  May not get the most efficient sample.

Step 6: Determine Sample Size Using Professional Judgment

Recall that AU-C 530.A13 identifies the following factors that influence sample size:
•  The desired level of assurance that tolerable misstatement is not exceeded by the actual
misstatement in the population.
•  Tolerable misstatement.
•  The amount of expected misstatement in the population.
•  Stratification of the population into more homogeneous subgroups.
Each of these factors and their influence on sample size were summarized in Illustration 10.4.
When the auditor uses professional judgment to determine sample size, it is important that
the audit firm applies judgment consistently within an audit, and from audit to audit.
In the following example, the auditor is auditing accounts receivable. The book value of
total receivables is $7,500,000, and the auditor sets tolerable misstatement at $375,000 (5% of
the book value of the population). The auditor also stratifies the customer receivables into
three groups: (1) all receivables with book values greater than $150,000, (2) receivables with
book values between $15,000 and $150,000, and (3) all receivables with book values less than
$15,000 (including zero and credit balances). The auditor then determines to audit 100% of
the items greater than $150,000, which amount to $1,750,000. There is no sampling risk in this
first stratum and the auditor will draw a conclusion about this stratum with certainty. This
leaves a remaining population of $5,750,000 in two strata. The auditor judgmentally determines
to select 15 of the 90 customers in stratum 2, and 25 of the 400 items in stratum 3. This
sampling plan audits more of the larger receivables and, as a result, may favor finding
overstatements rather than understatements.

         Dollar Value of         Book Value of    Percent of   Number of Sampling Units   Percent of Sampling       Sample         Percent of
Stratum  Receivables             the Population   Book Value   in the Population (N)      Units in the Population   Selected (n)   the Sample
1        Greater than $150,000   $1,750,000       23%          10                         2%                        10             20% (10/50)
2        $15,000 to $150,000      3,000,000       40%          90                         18%                       15             30% (15/50)
3        Less than $15,000        2,750,000       37%          400                        80%                       25             50% (25/50)
                                 $7,500,000       100%         500                        100%                      50             100%

Step 7: Select a Representative Sample


The process of selecting a sample should be unbiased; the auditor should attempt to obtain a
representative sample of the items in the balance or transaction class being sampled. The auditor
can never be certain that a representative sample has been achieved. Usually, the auditor’s best
opportunity to obtain a representative sample is to select a random sample of receivables from
each stratum. Alternatively, the auditor might judgmentally draw a haphazard sample from
each stratum. Let’s assume that the auditor draws a haphazard sample of 15 customers out of
stratum 2 and 25 customers out of stratum 3, and gets the following results in terms of the book
value of the sample.

         Dollar Value of         Book Value of                                                Book Value of   % of BV of
Stratum  Receivables             the Population   % of BV   N     % of N   n    % of n        the Sample      the Sample
1        Greater than $150,000   $1,750,000       23%       10    2%       10   20% (10/50)   $1,750,000      62%
2        $15,000 to $150,000      3,000,000       40%       90    18%      15   30% (15/50)      910,000      32%
3        Less than $15,000        2,750,000       37%       400   80%      25   50% (25/50)      170,000      6%
                                 $7,500,000       100%      500   100%     50   100%          $2,830,000      100%

In this case, the auditor will confirm 10% (50 ÷ 500) of the customers in the population,
and the auditor is auditing 38% ($2,830,000 ÷ $7,500,000) of the dollars in the population.

Step 8: Apply Audit Procedures


Applying audit procedures is the same for statistical and for nonstatistical sampling. In this case,
the auditor is auditing accounts receivable and decides to send confirmations to customers for
the purpose of determining the audited value of each customer receivable confirmed. To continue
the example discussed above, the following table shows the audited values for the sample
selected from strata 1, 2, and 3. For illustration purposes, each stratum is overstated by $10,000.

         Dollar Value of         Book Value of          Book Value of   Audited Value
Stratum  Receivables             the Population   n     the Sample      of the Sample
1        Greater than $150,000   $1,750,000       10    $1,750,000      $1,740,000
2        $15,000 to $150,000      3,000,000       15       910,000         900,000
3        Less than $15,000       $2,750,000       25    $  170,000      $  160,000

Step 9: Evaluate Sample Results


When evaluating sample results, the auditor should (1) project misstatement found in
the sample to the audit population and (2) consider sampling risk when evaluating sample
results. Two acceptable methods of projecting misstatements in nonstatistical sampling are:
•  A ratio method where the auditor estimates the audited value of the population (or each
stratum) based on a ratio of the audited value of the sample divided by the book value of
the sample.
•  A difference method where the auditor estimates the audited value of the population
by adding (or subtracting) the projected difference between audited value and book value
of each stratum to the book value of that stratum.
To illustrate, the following discussion continues with the data discussed above.
Under the ratio method, the auditor would determine the audited value (AV) of each
stratum using the following formula (as illustrated for the second stratum).

Estimated AV of population = (AV of sample × BV of population) / BV of sample
= ($900,000 × $3,000,000) / $910,000
= $2,967,033

ratio method  a method of estimating the audited value of the population where the auditor
estimates the audited value of the population based on the ratio of the audited value in each
stratum divided by the book value of the sample in each stratum

difference method  a method of estimating the audited value of the population where the auditor
adds (or subtracts) the projected difference between the audited value and book value of the
sample to the book value of each stratum

The estimated audited value for each stratum using the ratio method is summarized as follows:

         Dollar Value of         Book Value of    Book Value of   Audited Value   Estimated Value     Total Estimated Overstatement
Stratum  Receivables             the Population   the Sample      of the Sample   of the Population   of Population
1        Greater than $150,000   $1,750,000       $1,750,000      $1,740,000      $1,740,000          $  10,000
2        $15,000 to $150,000      3,000,000          910,000         900,000       2,967,033             32,967
3        Less than $15,000        2,750,000          170,000         160,000       2,588,235            161,765
                                 $7,500,000                                       $7,295,268           $204,732

Under the difference method the auditor would determine the audited value (AV) of each
stratum using the following formula (as illustrated for the second stratum).

Estimated AV of population = BV of population − D of population, where

D = [(AV of population − BV of population) / n] × N

= $3,000,000 − [($900,000 − $910,000) × 90] / 15 = $2,940,000

         Dollar Value of         Book Value of                Book Value of   Audited Value   Estimated Audited         Total Estimated Overstatement
Stratum  Receivables             the Population   N     n     the Sample      of the Sample   Value of the Population   of Population
1        Greater than $150,000   $1,750,000       10    10    $1,750,000      $1,740,000      $1,740,000                $  10,000
2        $15,000 to $150,000      3,000,000       90    15       910,000         900,000       2,940,000                   60,000
3        Less than $15,000        2,750,000       400   25       170,000         160,000       2,590,000                  160,000
                                 $7,500,000       500   50                                    $7,270,000                 $230,000

One hundred percent of stratum 1 was audited, so the projected misstatement under each
method was $10,000. The auditor knows this conclusion with certainty because 100% of this
stratum was audited.
Under both the ratio and difference methods, the $10,000 misstatement in stratum 2 projects
to a smaller estimated misstatement than in stratum 3 because a higher proportion of
stratum 2 is sampled and the auditor is projecting the misstatement on a smaller unsampled
portion of the stratum.
Recall that an allowance for sampling risk (ASR) is a measure of the uncertainty associated
with not sampling the entire population. In nonstatistical samples, the auditor cannot calculate
an allowance for sampling risk for a specific measurable level of risk of incorrect acceptance.
However, the difference between projected misstatement (or estimated overstatement in this
case) and tolerable misstatement may be viewed as an allowance for sampling risk. If tolerable
misstatement exceeds projected misstatement by a large amount, the auditor may be reasonably
assured that there is an acceptably low sampling risk that the actual misstatement exceeds tolerable
misstatement. In the above example, tolerable misstatement exceeds projected misstatement
by $170,268 ($375,000 – $204,732) using the ratio method, and by $145,000 ($375,000 – $230,000)
using the difference method. Most auditors would conclude that these differences are sufficient to
conclude that with respect to the assertions being audited (existence of receivables and valuation
of receivables at their gross amount), the book value is materially correct.
However, what would the auditor conclude if he or she found different results that
showed an estimated overstatement of $345,000? In this case, while this overstatement is less
than tolerable misstatement of $375,000, $345,000 of misstatement is so close that it does not
allow for a reasonable allowance for sampling risk. In this case, the auditor is likely to extend
the sample size and perform additional audit procedures to obtain a higher level of certainty
(lower level of sampling risk) with respect to the auditor’s conclusion.
When the results of a nonstatistical sample do not appear to support the book value, the auditor
may (1) examine additional sample units and reevaluate, (2) apply alternative auditing procedures
and reevaluate, or (3) ask the client to investigate and, if appropriate, make an adjustment.
In audit sampling, prior to reaching an overall conclusion, consideration should be
given to the qualitative characteristics of the misstatements. If evidence of fraud is found,
the auditor must not only consider the implications for the account balance and transaction
class being audited, but the auditor should also consider whether fraud may have occurred
in other audit areas. Given the nature of the fraud and the perpetrators of the fraud, the
auditor needs to consider what other audit issues might be influenced by the perpetrators of
the discovered fraud. In addition, the auditor should consider whether the evidence is consistent
with previous assessments of inherent and control risks. For example, if the auditor
assesses control risk as low but finds multiple misstatements when performing substantive
tests, the auditor should reassess control risk, and increase the degree of substantive testing
accordingly.
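
The Step 9 projections can be reproduced per stratum in code. This is an added example, not part of the original text: it applies the ratio method and the difference method to the three strata above and reports the gap between tolerable misstatement and each projection. Names are assumptions made for the illustration, and the difference method is coded as book value plus (sample AV − sample BV) × N / n, which yields the $2,940,000 shown for stratum 2.

```python
# Added example: ratio and difference projections for the three-stratum
# receivables sample. Class and function names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Stratum:
    label: str
    book_value: int      # BV of the stratum in the population
    units: int           # N, sampling units in the stratum
    sampled: int         # n, sampling units selected
    sample_book: int     # BV of the sample
    sample_audit: int    # AV of the sample

    def __post_init__(self):
        if not 0 < self.sampled <= self.units:
            raise ValueError(f"{self.label}: n must be between 1 and N")


# Stratum data from the Step 6 through Step 8 tables.
STRATA = [
    Stratum("Greater than $150,000", 1_750_000, 10, 10, 1_750_000, 1_740_000),
    Stratum("$15,000 to $150,000", 3_000_000, 90, 15, 910_000, 900_000),
    Stratum("Less than $15,000", 2_750_000, 400, 25, 170_000, 160_000),
]
TOLERABLE_MISSTATEMENT = 375_000


def ratio_estimate(s):
    """Estimated AV = AV of sample x BV of population / BV of sample."""
    if s.sample_book == 0:
        # A sample made up only of zero balances gives the ratio no base.
        raise ValueError(f"{s.label}: ratio undefined for zero sample book value")
    return round(s.sample_audit * s.book_value / s.sample_book)


def difference_estimate(s):
    """Estimated AV = BV of population + average sample difference x N."""
    projected_difference = (s.sample_audit - s.sample_book) * s.units / s.sampled
    return round(s.book_value + projected_difference)


def project(strata, estimator):
    """Apply one projection method to every stratum and total the results."""
    rows = []
    for s in strata:
        estimated = estimator(s)
        rows.append((s.label, estimated, s.book_value - estimated))
    return {
        "rows": rows,
        "estimated_audited_value": sum(r[1] for r in rows),
        "estimated_overstatement": sum(r[2] for r in rows),
    }


def cushion(projection, tolerable=TOLERABLE_MISSTATEMENT):
    """Tolerable misstatement less projected misstatement.

    In a nonstatistical sample this gap is what the auditor judges as the
    allowance for sampling risk.
    """
    return tolerable - projection["estimated_overstatement"]


if __name__ == "__main__":
    for name, method in (("ratio", ratio_estimate),
                         ("difference", difference_estimate)):
        result = project(STRATA, method)
        print(f"{name} method")
        for label, estimated, over in result["rows"]:
            print(f"  {label:<24} {estimated:>12,} {over:>10,}")
        print(f"  total overstatement {result['estimated_overstatement']:,}; "
              f"TM exceeds it by {cushion(result):,}")
```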

Step 10: Document Conclusions


Once the auditor has completed the sampling process, it is important that the auditor document
the results of substantive tests in his or her working papers. The auditor might prepare
a working paper similar to the one in Illustration 10.14.

ILLUSTRATION 10.14   Example nonstatistical sampling plan working paper

Client:  G.J. Manufacturing Bell & Bowerman, LLP Prepared by: W.M.F. 2/8/23
Period-end: 12/31/22 Reference: B-2 Reviewed by: C.W.B. 2/18/23
Evaluation of Confirmation Results
Objective: To obtain evidence regarding the existence of accounts receivable and the valuation of receivables at their gross amount.
Population and Sampling Unit: Total book value of accounts receivable is $7,500,000 per the customer master file. Logical sampling unit is
the customer account.
Sample Size and Selection: We are planning moderate reliance on this sample. No reliance is placed on internal controls, and moderate
reliance is placed on substantive analytical procedures. Receivables were confirmed as of year-end. Tolerable misstatement is set at $375,000,
and individually significant items were determined to be $150,000 or greater.
The population was sorted into three strata: (1) all receivables greater than $150,000, (2) all receivables between $150,000 and $15,000, and
(3) all receivables less than $15,000 (including zero balances and credit balances). All individually significant items were confirmed 100%. A
total sample size was judgmentally determined to be 50, with 10 items in stratum 1, 15 items haphazardly selected from stratum 2, and 25
items haphazardly selected from stratum 3 to include zero balances and credit balances.
Confirmation procedures were applied to 38% of the dollars in the population, and 10% of the customers in the population.
Audit Procedures Applied: The results of confirmation procedures are documented on workpaper B-3.
Evaluation of Sample Results:
Ratio Method
Estimated Expected
Stratum BV N n $ $ AV Audited Value Misstatement
1 > $150,000 $1,750,000 10 10 $1,750,000 $1,740,000 $1,740,000 $ 10,000
2 $15,000 - $150,000 3,000,000 90 15 910,000 900,000 2,967,033 32,967
3 < $15,000 2,750,000 400 25 170,000 160,000 2,588,235 161,765
$7,500,000 500 50 $2,830,000 $7,295,268 $204,732

% of $ audited 37.7%
% of customers audited 10.0%

Difference Method
Estimated Estimated
Stratum BV N n $ $ AV Audited Value Difference
1 > $150,000 $1,750,000 10 10 $1,750,000 $1,740,000 $1,740,000 $ 10,000
2 $15,000 - $150,000 3,000,000 90 15 910,000 900,000 2,940,000 60,000
3 < $15,000 2,750,000 400 25 170,000 160,000 2,590,000 160,000
$7,500,000 50 $7,270,000 $230,000

Conclusion: The estimated misstatement in the population is $204,732 using the ratio method and $230,000 using the difference method.
This is sufficiently below tolerable misstatement to allow for a judgmental determination of an allowance for sampling risk and conclude
that there is not more than $375,000 in misstatement in the population. As a result, I conclude that audit objectives cited above for accounts
receivable are presented fairly in all material respects.

Before You Go On
9.1 How does the process of determining sample size differ in a statistical versus a nonstatistical
sampling plan for substantive tests?
9.2 Explain two acceptable methods for projecting misstatements found in a nonstatistical sample.
9.3 Explain how the auditor evaluates an allowance for sampling risk in a nonstatistical sample.

Appendix 10A: Applying Classical Variables Sampling for Substantive Testing

LEARNING OBJECTIVE 10*
Apply classical variables sampling for a substantive test to draw an audit conclusion.

After studying this appendix, you should be able to apply classical variables sampling for
substantive tests following Steps 5 to 10 in Illustration 10.5, and draw an audit conclusion.

Step 5: Apply Classical Variables Sampling

The auditor may use a classical variables sampling approach in substantive testing. Classical
variables sampling uses normal distribution theory to select a sample and evaluate the
characteristics of a population based on the results of a sample drawn from the population.
Classical variables sampling may be useful to the auditor when the audit objective relates to
either the possible under- or overstatement of an account balance and other circumstances
when PPS sampling is not appropriate or cost-effective.

classical variables sampling  a sampling method that uses normal distribution theory to select
a sample from a population and evaluate the characteristics of a population based on the results of
the sample

The following three techniques may be used in classical variables sampling: (1) mean-per-unit
(MPU), (2) difference, and (3) ratio. All three techniques require the determination
of the total number of units in the population and an audit value for each item in
the sample. The AICPA Audit Guide: Audit Sampling identifies the following constraints
that should be considered in selecting the technique that is most appropriate in the
circumstances:

•  The ability to design a stratified sample. Stratification may significantly reduce sample size
under the MPU method but may not materially affect sample size under the difference
or ratio techniques.
•  The expected number of differences between audit and book values. A minimum number
of differences must exist between these values in the sample to use either the difference
or ratio techniques.
•  The available information. Book values must be available for each sampling unit in ratio
and difference estimation. Book values are not required with the MPU technique.
When all the constraints can be satisfied by any of the methods, the auditor ordinarily
will prefer either difference or ratio estimation because these methods generally require a
smaller sample size than the MPU method. Thus, they are more cost-effective in meeting the
auditor’s objectives. The sampling plan for each technique involves the same steps required
in PPS sampling.

Mean-per-Unit Estimation
MPU estimation sampling involves determining an audit value for each item in the sample.
An average (or mean) of these audit values is then calculated and multiplied by the number
of units in the population to obtain an estimate of the total population value. An allowance
for sampling risk associated with this estimate is also calculated for use in evaluating the
sample results. The mean-per-unit method is illustrated by the audit of loans receivable for
Ace Finance Company. The population is defined as 3,000 individual loans receivable, the
recorded book value of these receivables is $1,340,000, individual loans are defined as the
sampling unit, and the physical representation from which sample items are selected is an
electronic file listing all loans receivable.

MPU estimation  a sampling method that involves determining an audit value for each item in
the sample; an average (or mean) of these audit values is then calculated and multiplied by the
number of units in the population to obtain an estimate of the total population value

Step 6: Determine the Sample Size


Illustration 10A.1 provides an overview of the factors that influence sample size when the
auditor uses MPU sampling. Some factors are similar to those discussed in Illustration 10.4,
but others are unique to classical variables sampling. We will discuss each factor in
Illustration 10A.1 in detail.

Illustration 10A.1   Factors that influence sample size for classical variables sampling using MPU estimation

Factor (Relationship to Sample Size): Population size in number of units (Direct)
   Larger Samples: Larger populations with larger numbers of units should result in a larger sample size.
   Smaller Samples: Smaller populations with fewer number of units should result in a smaller sample size.

Factor (Relationship to Sample Size): Estimated population standard deviation (Direct)
   Larger Samples: The larger the standard deviation in the population, the larger the sample size.
   Smaller Samples: The smaller the standard deviation in the population, the smaller the sample size.

Factor (Relationship to Sample Size): Risk of incorrect rejection (Inverse)
   Larger Samples: Smaller amounts of sampling risk should result in a larger sample size. The risk of incorrect rejection influences sample size through the planned allowance for sampling risk.
   Smaller Samples: Larger amounts of sampling risk should result in a smaller sample size. The risk of incorrect rejection influences sample size through the planned allowance for sampling risk.

Factor (Relationship to Sample Size): Risk of incorrect acceptance (Inverse)
   Larger Samples: Smaller amounts of sampling risk should result in a larger sample size. The risk of incorrect acceptance influences sample size through the planned allowance for sampling risk.
   Smaller Samples: Larger amounts of sampling risk should result in a smaller sample size. The risk of incorrect acceptance influences sample size through the planned allowance for sampling risk.

Factor (Relationship to Sample Size): Planned allowance for sampling risk (Inverse)
   Larger Samples: If the auditor desires more precise estimates, the sample size will be larger.
   Smaller Samples: If the auditor can tolerate less precise estimates, the sample size will be smaller.

Factor (Relationship to Sample Size): Tolerable misstatement (Inverse)
   Larger Samples: The smaller the amount of misstatement that the auditor can tolerate, the larger the sample size.
   Smaller Samples: The larger the amount of misstatement that the auditor can tolerate, the smaller the sample size.

Population Size
It is critical to have accurate knowledge of the number of units in the population because
this factor enters into the calculation of both the sample size and sample results. Population
size directly affects sample size—that is, the larger the population, the larger the sample
size. As noted earlier, the population for Ace Finance Company consists of 3,000 loans
receivable.

Estimated Population Standard Deviation


In MPU estimation, the sample size required to achieve specified statistical objectives is
related directly to the variability of the values of the population items. The more variability in
an audit population, the larger the sample size. The measure of variability used is the standard
deviation. If an audit value is not obtained for every population item, the standard deviation
of the audit values for the items in the sample is used as an estimate of the population standard
deviation. But because the sample standard deviation is not known before the sample is
selected, it also must be estimated.
There are three ways to estimate this factor. First, in a recurring engagement, the standard
deviation found in the preceding audit may be used to estimate standard deviation for
the purpose of determining sample size. Second, the standard deviation can be estimated
from available book values. Third, the auditor can take a small presample of 30 to 50 items
and base the estimate of the current year’s population standard deviation on the audit values
of these sample items. When this is done, the presample may be made a part of the final
sample. Software for MPU estimation sampling includes a routine to calculate the estimated
standard deviation. Microsoft Excel also provides a formula for the standard deviation of a
sample.
If it must be calculated manually, the formula for calculating the standard deviation is:

$$S_{x_j} = \sqrt{\sum_{j=1}^{n} \frac{(x_j - \bar{x})^2}{n - 1}}$$

where
$\sum_{j=1}^{n}$ = sum of sample values; j = 1 means the summation should begin with the first item and
n means that the summation should end with the last item in the sample
$x_j$ = audit values of individual sample items
$\bar{x}$ = mean of the audit values of sample items
$n$ = number of items audited
A primary concern of the auditor in MPU sampling is whether the population should be
stratified into relatively homogeneous groups or strata. A homogeneous group in this context
is one that has little variability in the values of the items comprising the group or stratum.
Sampling is performed separately on each stratum, and sample results for each stratum are
subsequently combined to evaluate the total sample.
Stratification may be advantageous because the combined sample size often will be
significantly less than a single sample size based on an unstratified population. This follows
from the fact that sample size decreases as the variability of the population decreases. In fact,
a change in the variability of a population affects sample size by the square of the relative
change. Consequently, when the variation in the population changes from 200 to 100 (i.e.,
halved), the sample size required to meet the same statistical objectives is decreased by a factor
of 4 (one-half squared equals one-fourth).
The optimal number of strata depends on the pattern of variation in the population
values and the additional costs associated with designing, executing, and evaluating each
stratified sample. Because of the complexity of the procedure, stratification is generally
used only when appropriate software is available. To simplify subsequent illustrations in
this appendix, unstratified samples are used. In practice, when population values are highly
variable and stratification is not feasible, the auditor may choose another sampling method.
Ace Finance Company limits loans to a maximum of $500 per customer. Thus, variability
is low and the auditor concludes there is no need to stratify the population. Based on the prior
year’s audit, the auditor estimates a standard deviation of $100.

Risk of Incorrect Rejection


The risk of incorrect rejection is the risk the sample results will support the conclusion that
the recorded account balance is materially misstated when it is not. The principal consequence
of this risk is additional costs associated with expanded audit procedures following
the initial rejection. However, the additional auditing procedures should ultimately result in
the conclusion that the balance is not materially misstated.
In contrast to PPS sampling, the auditor must quantify the risk of incorrect rejection in
MPU sampling as well as the risk of incorrect acceptance. The risk of incorrect rejection has
an inverse effect on sample size. If the auditor specifies a very low risk of incorrect rejection,
the size and cost of performing the initial sample will be larger. Therefore, the auditor’s experience
and knowledge of the client should be used to specify an appropriate risk of incorrect
rejection to balance the costs associated with the initial sample and the potential costs of later
expanding the sample.
In many software applications, the auditor inputs the risk of incorrect rejection directly as
a percentage figure. Other applications require the auditor to input a confidence or reliability
level, which is the complement of the risk of incorrect rejection. In either case, the software
then converts the percentage into an appropriate standard normal deviate or UR factor for
use in calculating the sample size. If the sample size is being calculated manually, a UR factor
for the specified risk of incorrect rejection is obtained from a table like the one illustrated in
Illustration 10A.2.

Illustration 10A.2   Selected risk of incorrect rejection percentages and corresponding standard
normal deviates or UR factors

Risk of Incorrect    Standard Normal         Corresponding Confidence
Rejection            Deviate (UR Factor)     or Reliability Level
30%                  ±1.04                   70%
25%                  ±1.15                   75%
20%                  ±1.28                   80%
15%                  ±1.44                   85%
10%                  ±1.64                   90%
 5%                  ±1.96                   95%
 1%                  ±2.58                   99%

The auditor decides to specify a 5% risk of incorrect rejection in the Ace Finance Company
audit. Thus, the UR factor is 1.96.

Risk of Incorrect Acceptance


The factors to be considered in specifying the risk of incorrect acceptance are the same as in
PPS sampling. The risk of incorrect acceptance of a materially misstated balance is ordinarily
specified in the range from 5 to 30%, depending on the auditor’s evaluation of the elements of
the audit risk model, such as inherent risk, the assessed level of control risk, and the assurance
expected from other substantive tests. The risk of incorrect acceptance has an inverse effect on
sample size—the lower the specified risk, the larger the sample size. In the Ace Finance audit,
the auditor specifies a 20% risk of incorrect acceptance.

Planned Allowance for Sampling Risk


The planned allowance for sampling risk has an inverse relationship to sample size. Higher
levels of sampling risk, in which the auditor can tolerate less precise estimates, lead to smaller
sample sizes. The planned allowance for sampling risk (sometimes referred to as “desired
precision”) is derived from the following formula:
\[ A = R \times TM \]

where
  A = desired or planned allowance for sampling risk
  R = ratio of desired allowance for sampling risk
  TM = tolerable misstatement
The ratio for the R factor is based on the specified risks of incorrect acceptance and incorrect
rejection. The amount of the ratio is obtained from the table shown in Illustration 10A.3. In
the Ace Finance Company example, the foregoing risks have been specified at 20% and 5%.
Thus, the R factor is 0.70. This factor is then multiplied by the TM of $60,000 to produce an
allowance for sampling risk of $42,000.

ILLUSTRATION 10A.3   Ratio of desired allowance for sampling risk to tolerable misstatement

Risk of Incorrect      Risk of Incorrect Rejection
Acceptance             20%      10%      5%       1%
 1.0%                  0.355    0.413    0.457    0.525
 2.5%                  0.395    0.456    0.500    0.568
 5.0%                  0.437    0.500    0.543    0.609
 7.5%                  0.471    0.532    0.576    0.641
10.0%                  0.500    0.561    0.605    0.668
15.0%                  0.511    0.612    0.653    0.712
20.0%                  0.603    0.661    0.700    0.753
25.0%                  0.653    0.708    0.742    0.791
30.0%                  0.707    0.756    0.787    0.829
35.0%                  0.766    0.808    0.834    0.868
40.0%                  0.831    0.863    0.883    0.908
45.0%                  0.907    0.926    0.937    0.952
50.0%                  1.000    1.000    1.000    1.000

Source: AICPA Audit Guide: Audit Sampling.

Tolerable Misstatement
The considerations applicable to tolerable misstatement (TM) are the same in MPU sampling
as in PPS sampling. TM has an inverse effect on sample size. In the Ace Finance Company
example, the auditor specifies a TM of $60,000.

Sample Size Formula


The following formula is used to determine sample size for an MPU estimation sample:

\[ n = \left( \frac{N \cdot U_R \cdot S_{x_j}}{A} \right)^2 \]

where
  N = population size
  \(U_R\) = the standard normal deviate for the desired risk of incorrect rejection
  \(S_{x_j}\) = estimated population standard deviation
  A = desired or planned allowance for sampling risk
In the Ace Finance Company example, these four factors are 3,000, 1.96, $100, and
$42,000, respectively. Thus, the sample size is 196, computed as follows:

\[ n = \left( \frac{3{,}000 \times 1.96 \times \$100}{\$42{,}000} \right)^2 = 196 \]

This formula assumes sampling with replacement (i.e., an item once selected is put back into
the population and is eligible for selection again). When sampling without replacement, a
finite correction factor is recommended when the relationship between n (sample size) and N
(population size) is greater than 0.05. The adjusted sample size (n′) is determined as follows:

\[ n' = \frac{n}{1 + \frac{n}{N}} \]

Because n/N is greater than 0.05 (196 ÷ 3,000 = 0.065) in Ace Finance, the adjusted sample
size is

\[ n' = \frac{196}{1 + \frac{196}{3{,}000}} = 184 \]

Step 7: Select a Random Sample


Either the simple random number selection method or the systematic selection method may
be used in selecting the sample under the MPU technique. In the Ace Finance Company example,
the auditor decides to use generalized audit software to randomly identify the 184
loans receivable to be examined.

Step 8: Apply Audit Procedures


The execution phase of an MPU estimation sampling plan includes the following steps:
•  Perform appropriate auditing procedures to determine an audit value for each sample
item.
•  Calculate the following statistics based on the sample data:
   -  The average of the sample audit values (\(\bar{x}\)).
   -  The standard deviation of the sample audit values (\(S_{x_j}\)).

The average and standard deviation statistics for the sample may be computed manually
or with software.
For the Ace Finance sample, the sum of the audit values is determined to be $81,328,
resulting in an average audit value of $442 ($81,328 ÷ 184). The standard deviation of the audit
values is determined to be $90.

Step 9: Evaluate the Sample Results


Evaluating sample results involves making both a quantitative and a qualitative assessment of
the results in order to reach an overall conclusion.

Quantitative Assessment
In making this evaluation in an MPU sampling plan, the auditor calculates:

•  The estimated total population value.


•  The achieved allowance for sampling risk, sometimes referred to as achieved precision.
•  A range for the estimated total population value, sometimes referred to as the precision
interval.
The estimated total population value (X̂) is calculated as follows:

\[ \hat{X} = N \cdot \bar{x} \]

Thus, the estimated total population value for Ace Finance Company’s 3,000 loans receivable
is:

\[ \hat{X} = 3{,}000 \times \$442 = \$1{,}326{,}000 \]
The basic formula for calculating the achieved allowance for sampling risk (A′) is:

\[ A' = N \cdot U_R \cdot \frac{S_{x_j}}{\sqrt{n}} \]

where \(S_{x_j}\) is the standard deviation of the sample audit values. Note that the value for \(S_{x_j}\) is
based on the standard deviation of the audited values, not the value for \(S_{x_j}\) used in determining
sample size.
When the finite correction factor has been used in determining sample size, the formula
is modified as follows:

\[ A' = N \cdot U_R \cdot \frac{S_{x_j}}{\sqrt{n'}} \sqrt{1 - \frac{n'}{N}} \]

Therefore, the achieved allowance for sampling risk for Ace Finance is:

\[ A' = 3{,}000 \times 1.96 \times \frac{\$90}{\sqrt{184}} \sqrt{1 - \frac{184}{3{,}000}} = \$37{,}798 \]

The range for the estimated total population value is calculated by adding and subtracting
the achieved allowance for sampling risk to the estimated total population value. The range is:

\[ \hat{X} \pm A' \]
For Ace Finance Company, the calculation is as follows:
Range = $1,326,000 ± $37,798
= $1,288,202 to $1,363,798
If the book value falls within this range, the sample results support the conclusion that the
book value is not materially misstated. The book value of loans receivable for Ace Finance
is $1,340,000. Therefore, the auditor can conclude that the population is fairly stated in all
material respects.
It should be recognized that the sample results may support the conclusion that the book
value is not materially misstated but not within the level of risk of incorrect acceptance
specified by the auditor. To stay within the desired risk, achieved allowance for sampling risk (A′)
must be equal to or less than planned allowance for sampling risk (A). A′ will be greater than
A whenever the standard deviation of audit values is greater than the estimated population
standard deviation used in determining sample size. For example, if the standard deviation of
audit values in the Ace Finance example had been $110, A′ would have been $46,197, which
is greater than the $42,000 specified for A. In such a case, the auditor computes the adjusted
achieved allowance for sampling risk (A″) by the following formula where TM is the tolerable
misstatement specified in the sampling plan:

\[ A'' = A' + TM \left( 1 - \frac{A'}{A} \right) \]

\[ A'' = \$46{,}197 + \$60{,}000 \left( 1 - \frac{\$46{,}197}{\$42{,}000} \right) \]

\[ A'' = \$40{,}197 \]

Note that A″ ($40,197) is less than A ($42,000). A″ is then substituted for A′ in the formula
used to calculate the range for the estimated population value. Using A″, the estimated
population range is $1,326,000 ± $40,197, or $1,285,803 to $1,366,197. Because the book value
of $1,340,000 falls within the range, the sample results indicate that the book value is not
materially misstated at the planned risk of incorrect acceptance.
The book value may fall outside the range because the achieved allowance for sampling
risk is significantly smaller than the planned allowance. When this occurs, the auditor (1) calculates
the difference between the book value and the far end of the range and (2) compares
the difference to TM. If the difference is equal to or less than TM, the sample results indicate
that the book value is not materially misstated. For example, if the achieved allowance in
Ace Finance Company is $12,000, the range becomes $1,314,000 to $1,338,000 and the book
value ($1,340,000) falls outside the precision interval. The difference between the book value
and the far end of the range is $26,000 ($1,340,000 – $1,314,000). Because this is less than the
TM of $60,000, the book value is supported.
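
The planning and evaluation arithmetic described above, gathered into one added Python example (not part of the original text) that uses the Ace Finance figures. The function names are illustrative, and two choices are assumptions rather than statements from the page: fractional sample sizes are rounded up to a whole item, and the far-end-of-range test is applied only when the achieved allowance is below the planned allowance.

```python
import math

# Ace Finance Company inputs, taken from the worked example on this page.
N = 3000              # population size (loans receivable)
UR = 1.96             # standard normal deviate for a 5% risk of incorrect rejection
TM = 60_000           # tolerable misstatement
R = 0.70              # ratio from Illustration 10A.3 (20% acceptance, 5% rejection)
BOOK_VALUE = 1_340_000


def planned_allowance(r_ratio, tm):
    """A = R x TM."""
    return round(r_ratio * tm, 2)


def mpu_sample_size(n_pop, ur, sd_est, allowance):
    """Return (n, n_adj): the unadjusted size and the size after finite correction.

    Assumption: fractional sizes are rounded up to the next whole item.
    """
    n = math.ceil(round((n_pop * ur * sd_est / allowance) ** 2, 6))
    n_adj = n
    if n / n_pop > 0.05:                       # sampling without replacement
        n_adj = math.ceil(round(n / (1 + n / n_pop), 6))
    return n, n_adj


def achieved_allowance(n_pop, ur, sd_audit, n, finite_correction=True):
    """A' = N * UR * S / sqrt(n), times sqrt(1 - n/N) when n was corrected."""
    a = n_pop * ur * sd_audit / math.sqrt(n)
    if finite_correction:
        a *= math.sqrt(1 - n / n_pop)
    return a


def adjusted_allowance(achieved, planned, tm):
    """A'' = A' + TM * (1 - A'/A), used when A' exceeds A."""
    return achieved + tm * (1 - achieved / planned)


def conclude(estimate, achieved, planned, tm, book_value):
    """Apply the decision rules described above; return the range and the verdict."""
    allowance = achieved
    if achieved > planned:
        allowance = adjusted_allowance(achieved, planned, tm)
    low, high = estimate - allowance, estimate + allowance
    result = {"low": low, "high": high, "allowance": allowance}
    if low <= book_value <= high:
        result.update(supported=True, basis="within range")
        return result
    # Book value outside the range: measure it against the far end of the range.
    far_end = low if book_value > high else high
    gap = abs(book_value - far_end)
    if achieved < planned and gap <= tm:       # assumption: rule applies only when A' < A
        result.update(supported=True, basis="far end within TM")
    else:
        result.update(supported=False, basis="outside range")
    return result


def ace_finance(sd_audit=90, sum_audit_values=81_328):
    """Run the whole plan: size the sample, then evaluate the audited values."""
    planned = planned_allowance(R, TM)
    n, n_adj = mpu_sample_size(N, UR, sd_est=100, allowance=planned)
    estimate = N * (sum_audit_values / n_adj)  # X-hat = N * mean audit value
    achieved = achieved_allowance(N, UR, sd_audit, n_adj,
                                  finite_correction=(n_adj != n))
    verdict = conclude(estimate, achieved, planned, TM, BOOK_VALUE)
    return n, n_adj, estimate, achieved, verdict


if __name__ == "__main__":
    print(ace_finance())                # sample standard deviation of $90
    print(ace_finance(sd_audit=110))    # the $110 variation discussed above
```

Carried at full precision, the adjusted allowance for a $110 standard deviation comes to about $40,201; the $40,197 shown above follows from rounding A′/A to 1.10 before multiplying.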

Qualitative Assessment
Prior to reaching an overall conclusion, the auditor should consider the qualitative aspects of
the sample results. These considerations are the same in MPU sampling as in PPS sampling,
and the auditor should consider the underlying cause of all misstatements found. For example,
misstatements may be due to (1) differences in principle or application, (2) errors, or
(3) fraud. Consideration should also be given to the relationship of the misstatements to other
phases of the audit.

Reaching an Overall Conclusion


When either the auditor’s quantitative (statistical) or qualitative assessments of sample results
support the conclusion that the population is materially misstated, professional judgment
should be used in deciding an appropriate course of action. The possible causes and actions
are as follows:

Causes and Actions
1. Cause: The sample is not representative of the population.
   Action: Expand the sample and reevaluate the results.
2. Cause: The achieved allowance for sampling risk may be larger than the desired allowance
   because the sample size was too small.
   Action: Expand the sample and reevaluate the results.
3. Cause: The population book value may be misstated by more than tolerable misstatement.
   Action: Have client investigate and, if warranted, adjust the book value and reevaluate the
   sample results.

Step 10: Document Results


Illustration 10A.4 summarizes the steps performed in designing, executing, and evaluating
the MPU sampling plan to test the book value of Ace Finance Company’s loans receivable and
illustrates how these steps can be documented in a working paper.

ILLUSTRATION 10A.4   Mean-per-unit sampling plan working paper

Client: Ace Finance Company        Bell & Bowerman, LLP        Prepared by: W.M.F. 2/22/23
Period-end: 12/31/22                                           Reviewed by: C.W.B. 2/25/23
Reference: C-2
MPU Sample – Loans Receivable

Objective: To obtain evidence that the aggregate book value of loans receivable as of 12/31/22 was not materially misstated.

Population and Sampling Unit: 3,000 loans on electronic listing prepared from master file. The sampling unit was the individual loan
receivable.

Sample Size:
  Population Size                                    3,000      (N)
  Estimated Standard Deviation                       $100       (\(S_{x_j}\))
  Tolerable Misstatement                             $60,000    (TM)
  Risk of Incorrect Rejection                        5%         \(U_R\) = 1.96
  Risk of Incorrect Acceptance                       20%
  Ratio of Desired Allowance for Sampling Risk       0.700      (R)
  Desired Allowance for Sampling Risk = R × TM       $42,000    (A)
  \(n = \left( \frac{N \cdot U_R \cdot S_{x_j}}{A} \right)^2\)                            196        (n)
  \(n' = \frac{n}{1 + \frac{n}{N}}\)                                   184        (n′)

Sample Selection: Simple random using software-generated random numbers list                 C-5
  to correspond to loan numbers. Sampling units selected are listed
  on W/P C-5

Execution of Sampling Plan:
  Audit Procedures Applied                           Listed on W/P C-6
  Audit Values of Sample Items                       Shown on W/P C-6
  Sum of Sample Audit Values                         $81,328
  Average of Sample Audit Values                     $442.00    \(\bar{x}\)
  Standard Deviation of Sample Audit Values          $90.00     \(S_{x_j}\)

Evaluation of Sample Results:
  Estimated Total Population Value                   $1,326,000    \(\hat{X}\)
  Achieved Allowance for Sampling Risk               $37,798       A′
  Range: \(\hat{X} \pm A'\)                                  $1,288,202 to $1,363,798

Conclusion: The total book value of $1,340,000 falls within the calculated range for the estimated total population value. Sample results
support the conclusion that the loans receivable are materially correct.

Before You Go On
10.1 What information must the auditor have about the population to be audited in order to use
classical variables sampling?
10.2 Identify the factors that influence sample size in a classical variables sample, and explain
how each factor influences sample size, holding other factors constant.
10.3 After calculating the achieved allowance for sample risk, explain how the auditor uses this
value when evaluating sample results.
Learning Objectives Review


1  Evaluate when to use audit data analytics versus audit sampling.

When developing an audit plan for an assertion, the auditor needs to determine whether it is more appropriate to use audit data
analytics (ADA) or audit sampling for the purpose of collecting and evaluating evidence. When considering the use of ADA, the
auditor needs to consider whether ADA will be used as a risk assessment procedure or as a substantive test, how reliable the
underlying data is, and how the ADA relates to the account balance and assertion being audited. Often the auditor will use ADA to
look for particular characteristics in the underlying data (e.g., items where there is too much inventory on hand), or the auditor
might use ADA to predict the relationship between two variables (e.g., sales and accounts receivable). The auditor might be more
likely to use audit sampling when certain audit procedures are required by professional standards (e.g., observing inventory or
confirming receivables), when internal controls are poor (leading to poor quality data), or when auditing smaller audit populations
that can be easily sampled.

2  Define audit sampling and explain how audit sampling is applied for substantive tests.

Audit sampling is the auditor selecting and evaluating less than 100% of the population of audit relevance such that the auditor
expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for
conclusions about the population. In some cases, the auditor might also audit 100% of the population when there are few sampling
units in a population, such as the balance of notes payable when notes are from only a few banks. Sampling may be more effective
when there are a large number of sampling units in a population, such as when confirming receivables or observing inventory.

3  Differentiate between sampling and nonsampling risk.

Sampling risk is the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire
population were subjected to the same audit procedure. Sampling risk is caused by a sample not being representative of the entire
population. Nonsampling risk involves any risk that is not due to sampling, such as collecting evidence that is not relevant to the
assertion, or incorrectly evaluating audit evidence. Nonsampling risk is typically controlled by a firm’s quality control procedures
and the review of audit work performed by others in the audit firm.

4  Differentiate between statistical and nonstatistical sampling.

Statistical sampling is an approach to sampling that involves a random selection of sample items and the use of an appropriate
statistical technique to determine sample size and evaluate sample results, including measurement of sampling risk. Nonstatistical
sampling involves any sample selection and evaluation method that does not have the characteristics of statistical sampling. In
nonstatistical sampling, the auditor determines sample size, chooses sample selection methods, and evaluates sample results
entirely on the basis of the professional judgment and the experience of those on the audit team.

5  Explain various sampling methods available to auditors.

The most common methods used by auditors to select a sample are random selection, systematic selection, and haphazard selection.
Random selection involves a sample that is free from bias and each item in a population has an equal chance of being selected.
Systematic selection involves the selection of a sample for testing by dividing the number of items in the population by the sample
size, determining a sampling interval, and then selecting one item from the sampling interval using random or haphazard selection.
Haphazard selection is a method where the auditor does not use a formal selection technique but haphazardly attempts to select a
sample without bias. An auditor might also stratify a population into more homogeneous groups prior to selecting a sample using
random, systematic, or haphazard selection.

6  Determine how sample size for substantive testing is influenced by various factors.

AU-C 530.A13 identifies the following factors that influence sample size in a substantive test:

•  The desired level of assurance that tolerable misstatement is not exceeded by the actual misstatement in the population.
•  Tolerable misstatement.
•  The amount of expected misstatement in the population.
•  Stratification of the population into more homogeneous subgroups.

This section of the chapter discusses how each of these factors influences sample size (while holding other factors constant).

7  Explain a basic framework for selecting and evaluating an audit sample for substantive testing.

Illustration 10.5 outlines a basic framework that is used in the remainder of the chapter for selecting and evaluating a sample. This
framework involves 10 steps, which are:

1. Determine the objectives of the substantive test.
2. Determine the substantive audit procedures to perform.
3. Determine whether the auditor will audit a sample or the entire population.
4. Define the population and sampling unit.
5. Determine whether the auditor will use statistical or nonstatistical sampling and what method will be used to sample the
population.
6. Determine sample size based on the sampling method used.
7. Select a representative sample.
8. Apply audit procedures to the sampled items.
9. Evaluate sample results and draw a conclusion about the population.
10. Document conclusions.

Steps 1 through 4 are common to all sampling plans.

8  Apply probability-proportionate-to-size sampling for a substantive test to draw an audit conclusion.

PPS sampling uses attribute sampling theory to express a conclusion in dollar amounts. The sampling technique is such that the
probability that a particular sampling unit will be chosen in the sample is proportionate to the monetary size of the item. This form
of sampling may be used in substantive tests of both transactions and balances. This section explains the advantages and
disadvantages of using PPS sampling and explains Steps 5 through 10 in the application of probability-proportionate-to-size sampling.

9  Apply nonstatistical sampling for a substantive test to draw an audit conclusion.

Nonstatistical sampling is an approach to audit sampling that relies on the auditor’s judgment to determine sample size, select the
sample, project sample results onto the population, and evaluate any allowance for sampling risk. This section explains the
advantages and disadvantages of using nonstatistical sampling and explains steps 5 through 10 with the application of ratio and
difference analysis for evaluating the sample results.

10*  Apply classical variables sampling for a substantive test to draw an audit conclusion.

Classical variables sampling uses normal distribution theory to select a sample and develop a conclusion in dollar amounts. This
form of sampling may be used in substantive tests of both transactions and balances. This section explains the advantages and
disadvantages of using classical variables sampling and explains steps 5 through 10 in the application of classical variables
sampling to select and evaluate a sample for a substantive test.

Key Terms Review


Allowance for sampling risk (ASR)    *MPU estimation                                     Risk of incorrect acceptance
Audit sampling                       Nonsampling risk                                    Risk of incorrect rejection
Basic precision (BP)                 Nonstatistical sampling                             Sampling risk
*Classical variables sampling        Population                                          Sampling unit
Desired level of assurance           Probability-proportionate-to-size (PPS) sampling    Statistical sampling
Difference method                    Projected misstatement                              Stratification
Expected misstatement                Random selection                                    Systematic selection
Haphazard selection                  Ratio method                                        Tolerable misstatement
Logical sampling unit                Reciprocal population                               Upper misstatement limit

Audit Decision-Making Example: Determining Sample Size

Background Information
Gregory Ness has been assigned to the audit of Mainstream Kayak, Inc. Mainstream is a privately owned company that manufactures
kayaks from one location in Minnesota and ships its products to retailers throughout the United States and Canada. Mainstream has
had a good year. Sales amounted to $35.1 million, which represents almost a 25% growth over the previous year. Mainstream has
approximately 1,500 customers. Individual accounts receivables at year-end range from Mainstream’s largest account receivable of
$250,000 to its smallest receivable of $500. Receivables have grown by only 20% to $3,950,000, so receivable collections have been
strong.
Gregory has completed a system walkthrough for the revenue process and has determined the company has very conscientious
accounting staff. However, the owner has not invested in significant internal controls. There is weak segregation of duties, but the
owner regularly reviews receivables, cash balances, and cash disbursements on a timely basis. The owner also monitors inventory
levels carefully. In the prior year, confirmations showed misstatements in accounts receivable and a proposed audit adjustment in
the amount of $680,000 (reducing receivables and revenues).
Gregory now needs to develop a preliminary audit plan for the audit of the revenue process. He has not performed tests of controls
over receivables and therefore has determined receivables should be confirmed as of year-end. Gregory plans on using a
nonstatistical sampling plan. Following his audit firm’s methodology, tolerable misstatement for accounts receivable has been set at
$190,000 (4.8% of accounts receivable).

Identify Audit Issues
What should Gregory consider when making a decision about sample size for testing the existence of accounts receivable? Discuss
each factor that influences sample size, what Gregory knows about Mainstream, and how this should influence his decision.

Gather Additional Information and Evidence
The key factors that influence sample size in a substantive test are:
•  The desired level of assurance that tolerable misstatement is not exceeded by actual misstatements in the population.
•  Tolerable misstatement.
•  Expected misstatement.
•  Stratification of the population (if appropriate).

Analysis and Evaluation of Alternatives
Inherent risk is high due to the fact that receivables would be affected if revenue recognition problems exist. Control risk is
dependent on the strength of owner controls and review of receivables and cash balances. If owner controls are not tested, control
risk should also be set at maximum given the problems with weak segregation of duties. As a result, detection risk should be set at
low.

Audit Conclusion
The auditor needs a high level of assurance that tolerable misstatement is not exceeded by actual misstatement in the population
given that detection risk is set at low. Based on prior experience, expected misstatements are significant and may exceed tolerable
misstatement. Each of these factors leads to selecting a larger sample size. The population appears to have a high degree of
variance, with receivables ranging from $500 to $250,000. Hence, Gregory should consider using a stratified sampling plan. Gregory
might select the 10–20 largest accounts for 100% confirmation and then stratify the remaining receivables into two or three
relatively homogeneous groups. Using this format, Gregory might be able to audit 50% to 60% of the total dollars of accounts
receivable while only confirming 10% to 15% of the customer receivables, or perhaps sending confirmations to 200 out of 1500
customers.

Note: All asterisked material relates to the appendix to the chapter.

Multiple-Choice Questions
1.  (LO 1)  Which of the following factors would most likely cause an auditor to use audit sampling versus audit data analytics?
a.  Evidence to support the audit test is not available in electronic form.
b.  The audit population is large, and the auditor’s tests are supported by reliable and relevant data in electronic form,
making ADA efficient.
c.  Relevant data are reliable and internal controls over the reliability of data are strong.
d.  Relevant data are clean or can be cleaned up easily.

2.  (LO 2)  Audit sampling is defined as a situation where:
a.  the auditor tests a subset of the population to draw a conclusion about a subset of the population.
b.  the auditor screens 100% of the population to identify a subset with particular risk traits.
c.  the auditor tests a representative group that is less than 100% of the population for the purpose of drawing a conclusion
about the entire population.
d.  the auditor screens less than 100% of the population to identify a subset with particular risk traits.

3.  (LO 3)  Sampling risk:
a.  is the risk that the sample chosen by the auditor is not representative of the population of transactions.
b.  is the risk that the results of the test will be misinterpreted by the auditor.
c.  can be eliminated by taking a random sample.
d.  applies only to samples for substantive testing.

4.  (LO 3)  Nonsampling risk:
a.  only occurs if you test every item of the population.
b.  only applies to samples taken for the purposes of substantive testing.
c.  does not occur if an auditor relies on unreliable evidence.
d.  is the risk that an auditor arrives at an inappropriate conclusion for a reason unrelated to sampling issues.

5.  (LO 4)  The critical difference between statistical and nonstatistical sampling is:
a.  the required use of judgment in nonstatistical sampling.
b.  the elimination of nonsampling risk with statistical sampling.
c.  the use of the laws of probability in statistical sampling to determine sample size and develop a confidence interval around
the results of the sample.
d.  that more representative samples are attained with statistical sampling.

6.  (LO 5)  An auditor is testing accounts receivable for a client that has 1,000 customers with customer balances that range from
$150 to $185,000. The auditor subdivided the receivables into three groups: group 1 has all customers with receivable balances
between $185,000 and $100,000, group 2 has all customers with receivable balances between $100,000 and $25,000, and group 3 has
all customers with receivable balances less than $25,000. The auditor then randomly selects customers out of each group. This is
known as:
a.  random selection.
b.  stratified sampling.
c.  haphazard selection.
d.  block selection.

7.  (LO 6)  Holding all other factors constant, which of the following factors results in an increase in sample size for substantive
tests?
a.  A decrease in the amount of expected misstatement in the population to be tested.
b.  Stratifying the population when appropriate.
c.  An increase in the amount of tolerable misstatement.
d.  An increase in the desired level of assurance that the tolerable misstatement is not exceeded by the actual amount of
misstatement in the population.

8.  (LO 7)  When defining the population and sampling unit, sometimes an auditor must look for a reciprocal population. A reciprocal
population is:
a.  a class of transactions or the account balance to be tested.
b.  a class of transactions related to the account balance being tested (e.g., sales to accounts receivable).
c.  a subset of the population that is the basis for sampling.
d.  a population that is overstated if the population of interest is understated (or vice versa).

9.  (LO 8)  The auditor’s decision about the risk of incorrect acceptance affects which of the following factors in a statistical PPS
sample?
a.  Tolerable misstatement.
b.  Reliability factor.
c.  Book value of the population.
d.  Expected misstatement.

10.  (LO 9)  An auditor uses nonstatistical ratio estimation to evaluate the results of a sample. The population book value was
$2,000,000 and contained 350 items. The auditor selected 100 items with a book value of $500,000. The audited value of the sample
was $480,000. The estimated audited value of the population is:
a.  $1,980,000.
b.  $1,930,000.
c.  $1,920,000.
d.  $1,900,000.

*11.  (LO 10)  When planning a classical variables sample, the risk of incorrect acceptance and the risk of incorrect rejection are
related to what general factor that influences sample size?
a.  The desired level of assurance from the sample.
b.  Tolerable misstatement.
c.  Expected misstatement.
d.  The use of stratification when sampling.

Review Questions
R10.1  (LO 1)  Assume that you are auditing inventory for a computer manufacturer with strong internal controls. Identify one assertion where the auditor is likely to use audit sampling. Explain your reasoning. Then identify another assertion where the auditor is likely to use audit data analytics. Explain your reasoning.

R10.2  (LO 2)  Using your example of audit sampling in the answer to R10.1, what items make up the population? What items are subject to being sampled? When the sample is complete, is the auditor drawing a conclusion about the sample or the population? Explain your reasoning.

R10.3  (LO 3)  Assume an auditor finds total errors of $25,300 in a sample of sales invoices. Why is it not appropriate to conclude that sales are misstated by $25,300?

R10.4  (LO 3)  Explain the difference between the two types of sampling risk for substantive tests: the risk of incorrect acceptance and the risk of incorrect rejection. What are the errors’ different implications for the audit? Which is the more serious risk? Explain.

R10.5  (LO 3)  Why does nonsampling risk exist for all types of tests in all audits? Explain.

R10.6  (LO 4)  What are the advantages of nonstatistical sampling over statistical sampling?

R10.7  (LO 4)  Explain the advantages of statistical sampling over nonstatistical sampling.

R10.8  (LO 5)  Explain the risk associated with using systematic sample selection.

R10.9  (LO 5, 7)  Explain the role of professional judgment in selecting and evaluating a sample.

R10.10  (LO 6)  What influences the auditor’s assessment of tolerable misstatement?

R10.11  (LO 6)  What influences the auditor’s assessment of expected misstatement in the population?

R10.12  (LO 7)  Explain the importance of determining the appropriate audit procedure to perform. What is the risk if the audit procedure is not appropriate for the assertion being tested? Does this step relate to sampling risk or nonsampling risk?

R10.13  (LO 8)  Explain the advantages and disadvantages of using probability-proportionate-to-size sampling when testing the existence of accounts receivable.

R10.14  (LO 9)  Explain the advantages and disadvantages of using nonstatistical sampling when testing the existence of accounts receivable.

*R10.15  (LO 10)  What conditions should exist if the auditor plans to use difference estimation or ratio estimation techniques with classical variables sampling?

Analysis Problems
AP10.1  (LO 1)  Basic   ADA   Audit data analytics and audit sampling  You are auditing
Northeastern Food Wholesalers (NFW). NFW purchases a full line of various grocery products and sells
them to independent grocery stores in six Northeastern states. NFW has one distribution center and
approximately 900 customers. On average NFW turns its inventory approximately every 21 days, and it
takes approximately 35 days to collect receivables.

Required
a.  Identify a potential application for audit data analytics in the audit of NFW. Explain the application
and the assertion(s) tested by the application.
b.  Identify a potential application for audit sampling in the audit of NFW. Explain the application and
the assertion(s) tested by the application.

AP10.2  (LO 3)  Basic   Uncertainties in audit sampling  One of the generally accepted auditing
standards states that sufficient competent evidential matter is to be obtained through inspection,
observation, inquiries, and confirmation to afford a reasonable basis for an opinion regarding the
financial statements under examination. Some degree of uncertainty is implicit in the concept of
“a reasonable basis for an opinion,” because the concept of sampling is well established in auditing
practice.

Required
a.  Explain the auditor’s justification for accepting the uncertainties that are inherent in the sampling
process.
b.  Discuss the uncertainties that collectively embody the concept of audit risk.
c.  Discuss the nature of sampling risk and nonsampling risk. Include the effect of sampling risk on
tests of controls in the auditor’s study and evaluation of the internal control structure.

 (AICPA adapted)

AP10.3  (LO   3)  Moderate   Sampling and nonsampling risk for substantive testing  Fred
Hutchinson is auditing revenue for Urban Homes, a home builder in California. Urban Homes usually
has between 450 and 600 home construction projects going at any point in time, for between 300 and 500
customers. Urban Homes recognizes revenue on a percentage-of-completion basis. Fred has to determine
the appropriateness of revenue recognition for Urban Homes. Fred has previously tested controls and
assessed control risk as moderate.

Required
a.  What population(s) would be relevant to Fred’s substantive tests of revenue recognition?
b.  Explain the potential implications of sampling risk for the audit of revenue recognition.
c.  What possible nonsampling risks exist in this case?

AP10.4  (LO 2, 3, 4, 5)  Basic   Judgment in statistical sampling  The use of statistical sampling
techniques in an audit of financial statements does not eliminate judgmental decisions.

Required
a.  Identify and explain four areas in which judgment may be exercised by a CPA when planning a
statistical sampling for testing the existence of inventory.
b.  Assume that a CPA’s sample shows two differences between inventory counted in the sample and
the inventory recorded on the books for those items. Describe the various actions that he or she may
take based on this finding.
c.  A nonstratified sample of 80 accounts payable vouchers is to be selected from a population of 3,200.
The vouchers are numbered consecutively from 1 to 3,200 and are listed, 40 to a page, in the voucher
register. Describe two different techniques for selecting a sample of vouchers for substantive tests
of transactions.

 (AICPA adapted)

AP10.5  (LO 6)  Moderate   Factors that influence sample size.  Jennifer Jones has been assigned to
audit inventory for Consumer Home Electronics Warehouse. Consumer Home Electronics Warehouse is a
retailer of a variety of home electronics and appliances (ranging from refrigerators and stoves, washers and
dryers, televisions, computers, and cell phones). Consumer Home Electronics Warehouse has 25 locations
located in larger cities in the midwestern United States. Jennifer plans to audit the existence of inventory.
The book value of inventory is $35 million, which is very material to the company’s financial statements.
A few items in inventory are very high in dollar value, but there is no individual item larger than tolerable
misstatement. About 5% of the items in inventory have costs over $1,000. About 45% of the individual items
in inventory have a cost between $500 and $1,000. The remainder of the inventory has individual costs of less
than $500. Tolerable misstatement is set at $1,600,000. Jennifer has determined that Consumer Electronics
has excellent internal controls over inventory and tests of controls noted no deviations or exceptions.

Required
a.  Identify the factors that influence sample size for a substantive test.
b.  In the case of Consumer Home Electronics Warehouse, identify how each item might influence
sample size (while holding the other items constant).

AP10.6  (LO 7)  Basic   Steps in executing a substantive sampling plan   Jennifer Jones has been
assigned to audit inventory for Consumer Home Electronics Warehouse. Consumer Home Electronics
Warehouse is a retailer of a variety of home electronics and appliances (ranging from refrigerators and
stoves, washers and dryers, televisions, computers, and cell phones). Consumer Home Electronics
Warehouse has 25 locations located in larger cities in the midwestern United States.

Required
Jennifer plans to audit the existence of inventory. Put the following steps associated with planning and
executing a sample of inventory in the proper order.
a. Choose the number of items to be examined.
b. Document conclusions.
c. Select a representative sample.
d. Determine the objectives of the substantive test.
e. Determine the type of sampling to be used.
f. Determine the substantive procedures that will meet objectives.
g. Determine sample size.
h. Apply audit procedures.
i. Define the population and sampling unit.
j. Evaluate results of the sample.

AP10.7  (LO 8)  Challenging   PPS sampling  Edwards has decided to use probability-proportional-to-size
(PPS) sampling in the audit of a client’s accounts receivable balance. Few, if any, errors of
overstatement are expected.
Edwards plans to use the following PPS sampling table:

5% RELIABILITY FACTORS FOR OVERSTATEMENTS

Number of               Risk of Incorrect Acceptance
Overstatements      1%      5%     10%     15%     20%
0                 4.61    3.00    2.31    1.90    1.61
1                 6.64    4.75    3.89    3.38    3.00
2                 8.41    6.30    5.33    4.72    4.28
3                10.05    7.76    6.69    6.02    5.52
4                11.61    9.16    8.00    7.27    6.73

Required
a.  Identify the advantages of using PPS sampling over classical variables sampling.
b.  Calculate the sampling interval and the sample size Edwards should use, given the following
information:
Tolerable misstatement $15,000
Risk of incorrect acceptance 5%
Number of misstatements allowed 0
Recorded amount of accounts receivable $300,000

c.  Calculate total projected misstatement if the following three misstatements were discovered in a
PPS sample:

                     Recorded Amount    Audit Amount    Sampling Interval
1st misstatement     $  400             $  320          $1,000
2nd misstatement        500                  0           1,000
3rd misstatement      3,000              2,500           1,000

 (AICPA adapted)

AP10.8  (LO 8)  Challenging   Evaluating a PPS sample  Assume the following misstatements were
found in a PPS sample:

Sample Item    Book Value    Audit Value
1              $  650        $  585
2                 540             0
3               1,900             0
4               2,200         1,650
5               2,800         2,660

Required
a.  Calculate the projected misstatement assuming:
1.  The sampling interval was $1,800.
2.  The sampling interval was $2,000.
b.  If a risk of incorrect acceptance of 15% is specified in the sample design, the sampling interval is
$2,000, and five misstatements are found as enumerated above, calculate:
1.  Basic precision.
2.  The incremental allowance for sampling risk.
3.  The upper misstatement limit.
c.  If tolerable misstatement were $50,000 and expected misstatement were $10,000, what conclusion
would you reach based on your results in (b) above?

AP10.9  (LO 5, 6, 7, 9)  Challenging   Fraud   Research   Fine Host Corporation (FHC)  The
following research question focuses on the audit of Fine Host Corporation (FHC), a Connecticut-based
company that provided food and beverages concession, catering, and other services in approximately
400 facilities in 38 states. Start by locating and reading SEC Accounting and Auditing
Releases 1482 and 1483 related to the audit of FHC.

Required
a.  How were the financial statements of FHC misstated?
b.  Make a list of the defects in the audit of FHC as it relates to audit sampling. For each defect
that you note, suggest an alternative that would have allowed the auditor to follow professional
standards.

Audit Decision Cases


Red Cedar Office Furniture
Question C10.1 is based on the following case. The data file needed to complete this case is available in
WileyPLUS.

Bob Downe is auditing Red Cedar Office Furniture (RCOF), a manufacturer of office furniture and
custom cabinets. RCOF was founded 25 years ago by a husband-and-wife team and has grown rapidly
in the last five years as solid, environmentally friendly, wooden furniture has grown in popularity. The
company has inventory consisting of raw materials, work in process, and finished goods with a book
value of $6,719,028.95. You have been assigned the task of testing the accuracy of the final inventory
compilation for RCOF. You may assume that you have separately observed the inventory and that you
are satisfied that the inventory was accurately counted. However, you need to test that quantities were
accurately transcribed to the final accumulation and valuation of inventory and that the inventory is
correctly priced and accumulated. A file showing the client’s accumulation of inventory is available in
WileyPLUS.
This case will guide you through the process of selecting a sample from the client’s inventory,
comparing audited values with book values, and drawing a conclusion about the fair presentation of
inventory.

C10.1  (LO 8)  Challenging   PPS sampling audit case


Part 1. Determine the objectives of the test. You are auditing both quantities and pricing of the final
inventory accumulation.
a.  Explain the assertions that you are testing.
b.  Explain the evidence that you would obtain to test those assertions.
Part 2. Determine sample size based on the following judgments (round sample size to the nearest whole
number).
a.  Tolerable misstatement is assessed at $325,000.
b.  The risk of incorrect acceptance is assessed at 37%.
c.  Expected misstatement is assessed at $100,000.
Whether the auditor uses nonstatistical sampling or statistical sampling, the same basic factors are
considered in determining sample size. Once the auditor has made professional judgments about these
factors, the following formula is used to determine sample size in PPS sampling:
n = (BV × RF) / [TM − (EM × EF)]
where
  BV = book value of population tested
  RF = reliability factor for the specified risk of incorrect acceptance assuming zero overstatements (see
the following table Reliability Factors for Overstatements)
  TM = tolerable misstatement
  EM = expected misstatement (see the subsequent table Expansion Factors for Expected Misstatements)
  EF = expansion factor for expected misstatement
Document your determination of sample size.

Reliability Factors for Overstatements

Number of                           Risk of Incorrect Acceptance
Overstatements      1%      5%     10%     13%     15%     20%     25%     30%     37%
0                 4.61    3.00    2.31    2.00    1.90    1.16    1.39    1.21    1.00
1                 6.64    4.75    3.89    3.56    3.38    3.00    2.70    2.44    2.14
2                 8.41    6.30    5.33    4.94    4.72    4.28    3.93    3.62    3.25
3                10.05    7.76    6.69    6.25    6.02    5.52    5.11    4.77    4.34
4                11.61    9.16    8.00    7.53    7.27    6.73    6.28    5.90    5.43
5                13.11   10.52    9.28    8.77    8.50    7.91    7.43    7.01    6.49
6                14.57   11.85   10.54   10.00    9.71    9.08    8.56    8.12    7.56
7                16.00   13.15   11.78   11.21   10.90   10.24    9.69    9.21    8.63
8                17.41   14.44   13.00   12.41   12.08   11.38   10.81   10.31    9.68
9                18.79   15.71   14.21   13.59   13.25   12.52   11.92   11.39   10.74
10               20.15   16.97   15.41   14.77   14.42   13.66   13.02   12.47   11.79

Expansion Factors for EXPECTED Misstatements


                            Risk of Incorrect Acceptance
                      1%      5%     10%     15%     20%     25%     30%     37%
Expansion factor    1.90    1.60    1.50    1.40    1.30    1.25    1.20    1.15

Part 3. Develop a scenario that supports the auditor’s conclusion that the appropriate risk of incorrect
acceptance is 37%.

Part 4. Select a sample and apply audit procedures. Select the PPS sample using the sample size determined
in Part 2 above. Choose your own random start based on the size of the sampling interval (each
student should have a different random start). Determine the book value and audited value for each item
in your unique sample. Document your sample, the book values and the audited values.
Part 5. Compute the upper misstatement limit (UML) for the sample you selected. Follow the procedures
outlined in the chapter. You can use the Reliability Factors for Overstatements table to determine the
factors to use for the “Upper Misstatement Limit.” Document your calculation of UML.
Part 6. Evaluate your results both quantitatively and qualitatively. Develop both a statistical conclusion
and an audit conclusion based on your sample. Document your conclusions about your inventory
tests.
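
The sample-size formula in Part 2 and the interval-based selection in Part 4 can be traced in code. This is an added example, not part of the textbook or the WileyPLUS data file: the ledger, audited values, random start, and function names are constructed, and it assumes the sampling interval is BV / n and that misstatements are projected with the usual PPS tainting rule.

```python
import math

# Zero-overstatement reliability factors and expansion factors copied from the
# case's two tables, keyed by risk of incorrect acceptance (%). Only risk levels
# present in both tables are kept; 20% is left out because the page prints two
# different zero-overstatement factors for it (1.61 and 1.16).
RELIABILITY_FACTOR_ZERO = {1: 4.61, 5: 3.00, 10: 2.31, 15: 1.90,
                           25: 1.39, 30: 1.21, 37: 1.00}
EXPANSION_FACTOR = {1: 1.90, 5: 1.60, 10: 1.50, 15: 1.40,
                    25: 1.25, 30: 1.20, 37: 1.15}

# Constructed ledger (item id, book value in dollars) and constructed audit results.
LEDGER = [("INV-01", 1200), ("INV-02", 300), ("INV-03", 4500), ("INV-04", 800),
          ("INV-05", 12000), ("INV-06", 650), ("INV-07", 2050), ("INV-08", 500)]
AUDITED = {"INV-01": 900, "INV-03": 4500, "INV-05": 11500}


def pps_sample_size(book_value, tolerable, expected, risk_pct):
    """n = (BV x RF) / [TM - (EM x EF)], rounded to the nearest whole number."""
    rf = RELIABILITY_FACTOR_ZERO[risk_pct]
    ef = EXPANSION_FACTOR[risk_pct]
    denominator = tolerable - expected * ef
    if denominator <= 0:
        raise ValueError("EM x EF must be smaller than tolerable misstatement")
    return max(1, math.floor(book_value * rf / denominator + 0.5))


def select_pps_sample(ledger, interval, random_start):
    """Systematic dollar-unit selection.

    Every `interval`-th dollar, counted from `random_start`, is a selection
    point; the item that contains that dollar is selected. Returns a list of
    (item_id, book_value, hits), where hits > 1 means the item spans several
    selection points.
    """
    if not 0 < random_start <= interval:
        raise ValueError("random start must lie within the first interval")
    selected, cumulative, next_point = [], 0, random_start
    for item_id, book_value in ledger:
        if book_value <= 0:
            continue  # zero and credit balances cannot be hit; test them separately
        cumulative += book_value
        hits = 0
        while next_point <= cumulative:
            hits += 1
            next_point += interval
        if hits:
            selected.append((item_id, book_value, hits))
    return selected


def projected_misstatement(book_value, audited_value, interval):
    """Tainting rule (assumed): items at or above the interval project their
    actual misstatement; smaller items project tainting % x interval."""
    misstatement = book_value - audited_value
    if book_value >= interval:
        return misstatement
    return misstatement / book_value * interval


def run_example():
    book_value = sum(value for _, value in LEDGER)            # 22,000
    n = pps_sample_size(book_value, tolerable=14000, expected=500, risk_pct=5)
    interval = book_value / n                                 # assumed: BV / n
    sample = select_pps_sample(LEDGER, interval, random_start=1000)
    projected = sum(projected_misstatement(bv, AUDITED[item_id], interval)
                    for item_id, bv, _ in sample)
    return n, interval, sample, projected


if __name__ == "__main__":
    n, interval, sample, projected = run_example()
    print(f"n={n} interval={interval:,.2f} projected misstatement={projected:,.2f}")
    for item_id, bv, hits in sample:
        print(f"  {item_id}: book value {bv:,} selected ({hits} selection point(s))")
```

Items whose book value is at least one sampling interval are always selected, which is why INV-03 and INV-05 appear regardless of the random start.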

Wholesale Plumbing Supply


Question C10.2 is based on the following case.

Assume that you have selected the following nonstatistical sample for selecting accounts receivable
for confirmation. The total book value of the population is $9,000,000, and tolerable misstatement is
$350,000. You have decided to audit every item over $50,000 and randomly select items in two groups
under $50,000, as the following shows. You selected the following sample.

                                        Book Value      Book Value      Audit Value
Stratum                    N      n     of Stratum      of Sample       of Sample
> $50,000                  20     20    $3,000,000      $3,000,000      $2,948,000
$50,000 > x > $5,000      100     30     3,000,000       1,000,000         970,000
< $5,000                  300     30     3,000,000         300,000         280,250
                                        $9,000,000      $4,300,000      $4,198,250

C10.2  (LO 9)  Moderate   Evaluating substantive testing results


a.  Evaluate results judgmentally: Determine the estimated audited value of the population using
nonstatistical ratio analysis.
b.  Document conclusion: What audit conclusion can you draw based on the evidence above?

Fabrication Holdings, Inc.


Questions C10.3 and C10.4 are based on the following case.

Fabrication Holdings, Inc. (FHI) has been a client of McDonald and McGee LLP for many years. You
are an audit senior and have been assigned to the FHI audit for the first time for the financial year
ending June 30, 2022. During March 2022, you are completing the audit planning for the property,
plant, and equipment (PPE) account class, which is one of FHI’s most material balances. You are
also aware that FHI has made a large investment in a new manufacturing process to place itself
in a more competitive position. Your analytical procedures indicate an increase in acquisitions
of PPE.
You are testing the appropriateness of the depreciation rate assigned to PPE, and whether it is
consistent with the present condition and expected use of the assets over their remaining lives. You
have sampled 35 PPE items, with a total dollar value of $1,145,000. The results show that, for the
sample items, some depreciation rates were too low and/or the remaining useful life of the equipment
was overstated by management. Together, these issues produce an error in the sample of $48,500. FHI
has a profit before tax for the current year of $1,875,000, and a PPE account balance at the end of the
year of $11,345,000.

C10.3  (LO 4, 5)  Challenging   Sampling methods and risk analysis  Analysis: Discuss the appropriate
method of sampling PPE for the planned tests of depreciation. Define the population. What
assertions are most at risk?

C10.4  (LO 9)  Challenging   Projecting errors for PPE  Evaluation and conclusion: What conclusion
would you draw about valuation and allocation of PPE from the above information? Justify your
conclusion.

MPU Sampling Plans


Question C10.5 is based on the following case.

Data relative to three MPU sampling plans are presented below.

Sampling plan                                                       1           2           3
Tolerable misstatement                                       $110,000    $140,000    $170,000
Size of population                                              5,000       6,000       8,000
Risk of incorrect rejection                                       10%          5%         10%
Estimated population standard deviation                           $80        $105        $125
Risks that misstatements accumulating to greater than tolerable
misstatements will not be detected by:
  Internal control                                                50%         40%         40%
  Analytical and other substantive
  procedures (excluding this test of details)                     25%         50%         85%
  Desired overall audit risk                                       5%          5%          5%
  Inherent risk                                                  100%        100%        100%

*C10.5  (LO 10)  Challenging   Classical variables mean-per-unit sampling
a.  Analysis: Determine an appropriate risk of incorrect acceptance for each population.
b.  Determine sample size: Calculate sample size in each of the plans. Show computations.

Company X, Company Y
Question C10.6 is based on the following case.

Data relevant to the December 31, 2022, audit of accounts receivable in two of your clients is presented
in the tabulation below.
Company X Company Y
Client’s book value $90,000 $200,000
Population size 1,000 2,000
Desired risk of incorrect acceptance 20% 30%
Desired risk of incorrect rejection 10% 5%
Tolerable misstatement $9,000 $10,000
Estimated standard deviation $50 $25

*C10.6  (LO 10)  Challenging   Mean-per-unit sampling
a.  Determine sample size: Determine sample size for each company using classical variables MPU
estimation sampling.
b.  Analysis and evaluation: Assume the total audited value of the Company X sample is $13,600 and the
standard deviation is $52. Evaluate the sample results.
c.  Analysis and evaluation: Assume the average of the sample audit values in the Company Y sample is
$90 and the standard deviation is $30. Evaluate the sample results.

Cloud 9 - Continuing Case


Answer the following questions based on the information for Cloud 9 presented in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required
a. Consider and explain the effects of the opening of Cloud 9’s first retail store on its accounts.
b. Describe how this business change would affect the components of audit risk.
c. What changes would you expect to see in inventory transactions and balances as Cloud 9 changes from a wholesale-only business to a retail and wholesale business? Be specific in your answer.
d. Which inventory balance and transaction assertions would be most affected? Explain.
e. Describe the population(s) and suggest a sampling approach for substantive testing for inventory.

Chapter 11
Auditing the Revenue Process

The Audit Process

[Figure: flowchart of the audit process, by chapter]
•  Overview of Audit and Assurance (Chapter 1)
•  Professionalism and Professional Responsibilities (Chapter 2)
•  Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Make Preliminary Risk Assessments
•  Gaining an Understanding of the System of Internal Control (Chapter 6)
•  Develop Responses to Risk and an Audit Strategy
•  Audit Evidence (Chapter 5)
•  Audit Data Analytics (Chapter 7)
•  Performing Tests of Controls (Chapter 8)
•  Performing Substantive Procedures (Chapter 9)
•  Audit Sampling for Substantive Tests (Chapter 10)
•  Auditing the Revenue Process (Chapter 11)
•  Auditing the Purchasing and Payroll Processes (Chapter 12)
•  Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
•  Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives

LO 1  Explain the nature of the revenue process.
LO 2  Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the revenue process.
LO 3  Determine inherent risk for various assertions in the revenue process.
LO 4  Evaluate control activities for credit sales transactions.
LO 5  Evaluate control activities for cash receipt transactions.
LO 6  Evaluate control activities for sales adjustment transactions and revenue process disclosures.
LO 7  Determine how to design and perform tests of controls in the revenue process and connect the results of control testing to audit strategy.
LO 8  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the revenue process.

Auditing and Assurance Standards

PCAOB: AS 2310 The Confirmation Process
Auditing Standards Board: AU-C 505 External Confirmations

Cloud 9 - Continuing Case


Sharon Gallagher (audit manager), Josh Thomas (audit senior), and Suzie Pickering (audit staff) are discussing the audit of revenues for Cloud 9. Previously, Suzie learned that senior members of management, including a number in the accounting and finance section, will receive stock options if revenue targets are reached. In addition, the company is opening a new company-owned store in a major market. The audit team is considering what other aspects of the business and industry Suzie needs to understand in order to carefully plan the audit of the revenue process. The company has set aggressive goals to increase market share in a very competitive industry. Suzie recognizes that she needs to complete work in understanding the business and industry to evaluate the results of analytical procedures relative to revenues and receivables. Sharon asks Josh and Suzie to suggest other key factors the audit team will have to consider when designing the substantive procedures for the revenue process.

Chapter Preview: Audit Process in Focus


Finding an appropriate combination of audit procedures to achieve a low level of audit
risk at an acceptable cost is a constant challenge facing most audit teams. This chapter
focuses on making decisions about appropriate audit procedures in the revenue process.
We begin with a discussion of the nature of the revenue process. We then address the process
of understanding the entity and its environment in the context of the revenue process
and using this knowledge to assess inherent risk in the revenue process. The chapter then
moves on to a discussion of evaluating internal controls in the revenue process, including
understanding entity-level controls, understanding the document trail, evaluating what can
go wrong (WCGW), identifying controls to test, performing tests of controls, and evaluating
control risk and the risk of fraud. At this point, the auditor often confirms or revises his or
her preliminary audit strategy and then executes substantive tests to reduce audit risk to an
acceptable level. This chapter will walk you through key audit decisions in the context of
the revenue process.

Nature of the Revenue Process

LEARNING OBJECTIVE 1


Explain the nature of the revenue process.

An entity’s revenue process consists of activities related to credit sales with customers
and the collection of accounts receivable. For a merchandising company, the classes of
transactions in the revenue process include (1) credit sales, (2) cash receipts (collection
of receivables and cash sales), and (3) sales adjustments (discounts, sales returns and
allowances, and adjustments for bad debts). These transactions are depicted in
Illustration 11.1.

ILLUSTRATION 11.1  Revenue transactions

Revenue Transactions                  Debit                              Credit
Credit sales                          Accounts Receivable                Sales
                                      Cost of Goods Sold                 Inventory
Cash receipts (primarily focused      Cash                               Accounts Receivable
on collection of receivables)         Sales Discounts
Sales adjustment transactions
  Sales returns and allowances        Sales Returns and Allowances       Accounts Receivable
  Provision for bad debts             Bad Debt Expense                   Allowance for Doubtful Accounts
  Write-off of bad debts              Allowance for Doubtful Accounts    Accounts Receivable

For companies that sell goods or services on account, there is significant interaction between
sales and accounts receivable. If revenue is recognized prematurely, both sales and
accounts receivable will be overstated. The same interaction also exists between cash receipt
transactions and accounts receivable, and a misstatement of cash receipts will result in a
misstatement of accounts receivable. Further, if discounts are given for early payment, sales
discounts are recorded when recording the cash receipt and reducing a customer’s receivable.
The highest volume of transactions usually occurs with credit sales and cash receipts, as well
as a series of transactions that fall under the broad category of sales adjustment transactions:
sales returns and allowances, the provision for bad debts, and the write-off of bad debts.
Usually, sales returns represent a much smaller volume of transactions. Further, a critical aspect of
sales return transactions is the receipt of returned goods in the warehouse. Transactions
providing for bad debts, or the write-off of receivables, often occur during month-end or
quarter-end adjustments. Finally, three of these accounts, inventory, cost of goods sold, and cash, are
also affected by transactions in other processes. The audit of these accounts is deferred to
Chapter 13.
The auditor should obtain sufficient appropriate evidence for the transaction classes,
balances, and disclosures outlined in Illustration 11.2. While the auditor must obtain
sufficient appropriate evidence for all assertions, the auditor is often concerned about the
overstatement of revenues and receivables. Hence, the auditor is particularly concerned
about the occurrence, accuracy, and cutoff of revenues, and the existence, right to, and
valuation and allocation of receivables. The discussion in this chapter will focus primarily
on credit sales transactions (rather than on cash sales).

ILLUSTRATION 11.2  Key revenue process assertions

Relevant Transaction Classes
•  Sales
•  Cash receipts
•  Sales adjustment transactions: sales returns and allowances, adjustment for bad debts, write-off of bad debts
Assertions: Occurrence; Completeness; Accuracy; Cutoff; Classification

Relevant Account Balances
•  Accounts receivable
•  Allowance for doubtful accounts
Assertions: Existence; Rights and obligations; Completeness; Valuation and allocation (valuation at historical cost, valuation at net realizable value)

Relevant Disclosures
•  Receivable disclosures
•  Revenue disclosures
Assertions: Occurrence and rights and obligations; Completeness; Classification and understandability; Accuracy and valuation

Before You Go On
1.1 Identify two major transaction classes with significant volumes of transactions in the revenue
process.
1.2 Explain the interaction of sales and cash receipts with accounts receivable. Further, if cash
receipts are understated, what are the implications for accounts receivable?
1.3  What is the usual timing of recording charges to bad debt expense?

Understanding the Entity and Its Environment

LEARNING OBJECTIVE 2


Evaluate how an auditor’s understanding of an entity and its environment affects
audit planning decisions in the revenue process.

Chapters 3 and 4 explained the importance of understanding the entity and its environment,
and how this understanding is important to assessing inherent risk. As inherent risk factors
vary from industry to industry, from client to client, and from year to year, each audit must be
custom-made to address unique risks. The following discussion will address the importance of
understanding the entity and its environment in the context of the revenue process, analytical
procedures commonly used in the revenue process, other issues associated with the entity and
its environment, and the resultant assessment of inherent risk.

Understanding the Client’s Revenue Process


The process of earning and recognizing revenues will vary from entity to entity. It is
particularly important that the auditor be knowledgeable about the entity, how the entity earns
revenues, and what particular revenue recognition issues may be relevant to the entity.
Understanding how the entity earns and recognizes revenues assists the auditor in:

•  Developing an expectation of total revenues by understanding the client’s capacity,
marketplace, and customers.
•  Developing an expectation of gross margin by understanding the client’s market share
and competitive advantage in the market.
•  Developing an expectation of net receivables based on the average collection period for
the client and for the industry.

In addition, the process of generating revenues drives many expenses (e.g., cost of goods sold
or selling expenses), so understanding the revenue process assists in developing expectations
of the entity’s expenses associated with other transaction processes and assessing the risk that
unaudited earnings contain material misstatements.

Illustration 11.3 illustrates the importance of understanding the revenue process for
five different industries, which will be discussed in this chapter, as well as Chapters 12 and
13. These industries were chosen for their variety based on the North American Industry
Classification System (NAICS). These include the manufacture of oil and gas field machinery
and equipment (NAICS 333132), the manufacture of electronic computer equipment
(NAICS 334111), supermarkets and other grocery stores (NAICS 445110), hotels and motels
(NAICS 721110), and colleges, universities, and professional schools (NAICS 611310). These
examples define a wide spectrum of underlying business practices and an equally wide
spectrum of risk for the auditor. The auditor would normally obtain this understanding through
previous experience with the entity; information from trade associations, business
periodicals, and newspapers; and from publishers of industry information such as Robert Morris
Associates or Value Line.

ILLUSTRATION 11.3   Understanding an entity’s revenue process

For each example industry, the illustration gives three columns: Example Industry Traits;
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median
Industry Data); and Assessing the Risk of Material Misstatement.

Oil and Gas Field Machinery and Equipment Manufacturing
Example industry traits:
•  Tied to extract industries that are dependent on oil prices
•  Depends on opportunities for export and competitive pricing
Median industry data: Sales to Total Assets: 1.6; Sales to Net Fixed Assets: 10.3;
Gross Profit: 36.9%; Net Operating Profit: 12.0%; Collection Period: 61 days
Assessing the risk of material misstatement:
•  Concerns about terms of sales and moving inventory during a period of low oil prices
•  Sales may be dependent on policies of foreign governments
•  Collection risk associated with selling to foreign entities

Electronic Computer Manufacturing
Example industry traits:
•  Sells products ranging from network servers to personal computers and tablets
•  Consulting services may represent a significant component of revenues
•  Margins depend on competing technologies
Median industry data: Sales to Total Assets: 2.7; Sales to Net Fixed Assets: 49.2;
Gross Profit: 39.2%; Net Operating Profit: 5.2%; Collection Period: 41 days
Assessing the risk of material misstatement:
•  Significant revenue recognition issues associated with bundled products
•  Cash collection may precede revenue recognition resulting in unearned revenues
•  Competitive environment significantly affects selling prices and gross margins
•  Normal concerns about collection risk

Supermarkets and Other Grocery Stores
Example industry traits:
•  Numerous products where product differentiation is difficult
•  Companies are improving margins by leasing space to banks and coffee companies
•  Intense competition from club stores and other competitors
Median industry data: Sales to Total Assets: 2.7; Sales to Net Fixed Assets: 5.3;
Gross Profit: 26.7%; Net Operating Profit: 1.5%; Collection Period: 4 days
Assessing the risk of material misstatement:
•  Sales volume coverage of fixed costs
•  Gross margins related to product mix and space utilization
•  Receivables usually relate to pharmacy receivables from insurance companies and
miscellaneous trade receivables

Hotels and Motels
Example industry traits:
•  Importance of brand development
•  Generates revenues from hotel occupancy and services (food and conferences),
franchise fees, and property management
Median industry data: Sales to Total Assets: .5; Sales to Net Fixed Assets: .6;
Gross Profit: Not Reported; Net Operating Profit: 17.2%; Collection Period: 2 days
Assessing the risk of material misstatement:
•  Revenue recognition for accounting for hotel transactions versus property management
•  Revenue tied to sales volumes, prices, and occupancy rates
•  Major hotel companies that enter into agreements to manage properties for others
experience a higher degree of collection risk

Colleges, Universities, and Professional Schools
Example industry traits:
•  Concerns about the degree of tuition discounting through scholarships
•  Importance of accreditation and access to federal student loans
•  Enrollment sensitive to demographics and unemployment levels
Median industry data: Sales to Total Assets: .5; Sales to Net Fixed Assets: 1.0;
Gross Profit: Not Reported; Net Operating Profit: 10.2%; Collection Period: 16 days
Assessing the risk of material misstatement:
•  Revenue recognition is straightforward
•  Low collection risk if accredited
•  Business risk associated with high fixed costs and enrollment declines

It is important for the auditor to understand the nature of the client’s revenue process. The
demand for oil and gas field machinery equipment can be significantly impacted by (1) oil
prices or decisions made by foreign countries to invest in or support oil and gas extraction, or
(2) political factors that influence a government’s ability to sell oil and gas. The companies
that manufacture computers may bundle services and service contracts with their products
resulting in more complex revenue recognition accounting. While the accounting for revenues
in the grocery industry might be uncomplicated, hotel and motel operations may include
managing properties for others, which requires recognition of only the management commission
and not the gross receipts of the managed properties. Therefore, the audit of each company
must be custom-made, and inherent risks will often differ from one audit to the next. Finally,
understanding an entity's revenue process provides the basis for developing expectations about
revenue and receivables that an auditor uses in performing analytical procedures.

Analytical Procedures
Analytical procedures are required in every audit as part of the risk assessment process
during audit planning, which often occurs during the client’s second or third quarter. They
are cost-effective, and they are often effective in identifying potential misstatements in the
financial statements. The most effective analytical procedures rely on the auditor’s
knowledge of the business and industry. Some example analytical procedures that may apply to
the revenue process are presented in Illustration 11.4.

ILLUSTRATION 11.4   Analytical procedures commonly used for the revenue process

Ratio: Sales to capacity
Formula: Net sales ÷ Nonfinancial measure of capacity
Audit significance: Helpful in assessing the reasonableness of total revenues.

Ratio: Market share
Formula: Client’s net sales ÷ Net sales of industry
Audit significance: Helpful in assessing the reasonableness of both total revenues and gross
margins. Larger market share is often associated with larger gross margins.

Ratio: Sales to total assets
Formula: Sales ÷ Average total assets
Audit significance: This ratio is useful for manufacturing and other asset-based companies.
Describes the relationship between assets and sales revenues.

Ratio: Accounts receivable growth to sales growth
Formula: [(Accounts receivable, current year ÷ Accounts receivable, prior year) − 1] ÷
[(Sales, current year ÷ Sales, prior year) − 1]
Audit significance: Ratios larger than 1.0 indicate that receivables are growing faster than
sales. Large ratios may indicate possible collection problems.

Ratio: Accounts receivable turnover in days
Formula: 365 days ÷ (Net credit sales ÷ Average net receivables)
Audit significance: Useful in comparing with industry averages. Longer collection periods may
indicate collection problems. Prior experience and current sales volumes may be useful in
estimating current net receivables.

Ratio: Uncollectible accounts expense to net credit sales
Formula: Uncollectible accounts expense ÷ Net sales
Audit significance: Useful in evaluating the reasonableness of uncollectible accounts expense.
Smaller ratios may indicate an inadequate provision for uncollectible accounts.

Ratio: Uncollectible accounts expense to accounts receivable write-offs
Formula: Uncollectible accounts expense, prior year ÷ Actual accounts receivable write-offs,
current year
Audit significance: Useful in evaluating the reasonableness of prior period’s uncollectible
accounts expense. Smaller ratios may indicate an inadequate estimation process.

Ratio: New product revenues to total revenues
Formula: Revenues from new products introduced during the year ÷ Total revenues
Audit significance: Companies with a high proportion of revenues from new products may earn a
premium gross margin due to their ability to innovate.

The first step in performing analytical procedures is obtaining an understanding of total
revenues given (1) the client’s capacity and (2) the client’s marketplace for those products. The
auditor should understand the entity’s capacity, which is the maximum volume of sales that it
could generate if it fully utilized its facilities and employees to manufacture and deliver products
and services. Auditors should be sensitive to the volume of sales that an entity records given its
maximum capacity, the number of shifts that an entity operates, and seasonal variations in the
industry. In today’s audit environment, effective analysis of either analytical procedures or data
analytics is tied directly to the auditor’s business acumen. It is much more effective to evaluate
total revenues against a measure of business activity than to compare current revenues with
prior-year revenues. Auditors must be sensitive to how the business environment is changing,
not just how the financial numbers are changing. Therefore, the auditor will often tailor
analytical procedures to the client’s industry that compare revenues with measures of the process
that produces revenues. For example, the auditor might evaluate the following trends:

•  Revenue per number of manufacturing employee labor hours, for a labor-intensive
manufacturing process.
•  Revenue to plant assets in a capital-intensive manufacturing process.
•  Revenue per square foot of retail space for a grocer.
•  Revenue compared to occupancy rates for industries such as hotels or airlines.
•  Revenue per student for a college.

When evaluating these trends, the auditor must also be sensitive to seasonal demand or
other trends in the marketplace for the client’s products. For example, the auditor must be able
to assess the reasonableness of revenue increases for a household appliance manufacturer when
national housing starts are declining, or the reasonableness of occupancy rates and room prices
for a hotel chain when new competitive properties have entered key markets. One important
analytical procedure is understanding the client’s market share, which compares the client’s
revenues with total revenues in the market for the client’s product. This is particularly important
because companies with dominant market shares often obtain premium gross margins.

Finally, it is important for the auditor to evaluate the client’s accounts receivable turnover
in days, or average collection period, and be able to compare the collection period with
industry norms. Companies may be able to speed up collection times when products are in high
demand. Increases in the client’s collection period indicate that receivables are growing faster
than sales volumes, which consumes operating cash flows and may lead to liquidity problems.
It is particularly important in growth companies for auditors to monitor the entity’s collection
period because any growth in sales is usually accompanied by receivable growth that
consumes operating cash. If receivables are growing faster than sales, it may be an indication that
the company is accomplishing sales growth by taking on increased credit risk.

Other analytical procedures an auditor might assess in the revenue process include:

•  Sales turnover, a ratio of sales to average total assets.
•  Trends in gross margins compared with trends in market share.
•  Estimates of accounts receivables given knowledge of the company’s sales volumes,
prices, and historical collection period.
•  Comparison of accounts receivables to the receivables estimate in the company’s cash
budgets.
•  Uncollectible accounts expense to net credit sales.
•  Uncollectible accounts expense to actual uncollectible accounts written off.
Other Considerations Regarding the Entity and Its Environment

Recall from Chapter 4 (see Illustration 4.1) that there are numerous issues an auditor should
understand about the entity and its environment. Illustration 11.5 summarizes revenue issues
that have not yet been covered in this chapter, and it provides examples of the settings in which
these factors might lead to either a higher assessment of inherent risk or a lower assessment of
inherent risk. It is important for auditors to recognize that these factors may change for a given
client over time and that each audit should be viewed independently from previous audits.

ILLUSTRATION 11.5   Understanding the entity and its environment in the revenue process

Key factor: Compliance with laws and regulations
Higher inherent risk: Significant legal compliance issues exist when making sales, delivering
on contracts, and collecting sales (e.g., HIPAA compliance in the medical industry, or legal
compliance in defense contracting).
Lower inherent risk: Nominal legal compliance issues exist when making and collecting sales.

Key factor: Client performance measurement
Higher inherent risk: The client only informally compares revenues with underlying business
activity.
Lower inherent risk: The client carefully monitors revenue recognized compared to underlying
business activity.

Key factor: Related party transactions
Higher inherent risk: A significant amount of revenue transactions is with affiliated
companies or other related parties.
Lower inherent risk: There are few or no revenue transactions with affiliated companies or
other related parties.

Key factor: Corporate governance
Higher inherent risk: There is little or no independent oversight of management, the revenue
accounting process, or accounting estimates in the revenue process.
Lower inherent risk: There is strong corporate governance with oversight of revenue
recognition and accounting estimates in the revenue process.

Key factor: Month-end, quarter-end, and year-end closing procedures
Higher inherent risk: Revenue recognition is complex and requires significant adjustments at
period-end.
Lower inherent risk: Revenue recognition is not complicated and requires little period-end
adjustment, if any.

Audit Reasoning Example  Indicators of Misstatements in the Revenue Process

Chris Spenser is the senior on the audit of Cloud Materials, Inc. (CMI). CMI manufactures a
variety of computer hardware used in server farms and computer networks, and this year it started
bundling software with the products to more seamlessly handle the problems associated with large
data storage and retrieval. CMI is also starting to invest in data analytics software to better serve
its clients. Chris has noticed two significant warning signs: (1) the company has improved its gross
margins to a point where they are significantly above industry averages, and (2) the company is
significantly lagging behind the rest of the industry in collecting its receivables. Chris wonders if this
makes sense in a price-competitive industry. Is the combination of increasing gross margins and
increasing collection periods a sign of premature revenue recognition? As Chris talks about this
with his audit manager, they decide that these are warning signs that need specific investigation.
They need to determine if the system of internal control kept up with changes in business
practices. Also, they need to focus attention on how revenue is recognized on bundled hardware and
software sales, as well as whether there have been significant profit increases in the fourth quarter.

Before You Go On
2.1 Explain how auditing the revenue process might be different for a hotel client than for an oil
and gas field equipment manufacturer.
2.2 Assume that, when performing analytical procedures, an auditor notices that revenue grows
10% while receivables grow at a 30% rate. What assertions might be misstated?
2.3 Explain how quarter-end closing procedures might increase inherent risk in the revenue
process.

Inherent Risks in the Revenue Process

LEARNING OBJECTIVE 3


Determine inherent risk for various assertions in the revenue process.

In assessing inherent risk for revenue process assertions, the auditor should consider pervasive
factors that may affect assertions in several processes, including the revenue process, as well as
factors that may pertain only to specific assertions in the revenue process. Accounting for
various revenue transactions under ASC 606 Revenue from Contracts with Customers is complex;
revenue should only be recognized when a company satisfies its performance obligations. This
is particularly true when there are multiple performance obligations, such as when the sale
of goods and services are bundled together. Further, management often has more incentive to
overstate revenues than to understate revenues. Factors that incentivize management to
misstate revenue process assertions and commit fraudulent financial reporting include:

•  Pressures to overstate revenues to achieve revenue or profitability targets that were not
achieved in reality owing to such factors as global, national, or regional economic
conditions; the impact of technological developments on the entity’s competitiveness; or poor
management.
•  Pressures to overstate cash and gross receivables or understate the allowance for
doubtful accounts in order to report a higher level of working capital in order to meet debt
covenants.

The auditor should maintain an appropriate attitude of professional skepticism and be
alert to some of the following devices that have been used by companies to overstate revenues:
consignment sales, refund rights, and bill-and-hold transactions.

Consignment sales. Sale arrangements that have the characteristics of a consignment
sale include giving the buyer a lengthy right of return, having substantial payment made upon
the resale of the product, requiring sellers to repurchase inventory at a specified price, or
allowing the buyer not to assume risks of ownership due to future pricing concessions. For
example, if a manufacturer promises a wholesaler future price concessions based upon
holding and financing costs for the length of time between purchase and sale, the sale should be
accounted for as a consignment sale, and revenue should be deferred.

consignment sales: may occur in a transaction between a manufacturer and a wholesaler, when
the seller retains title to inventory in the wholesaler’s possession, and the sale is completed
when the wholesaler sells the inventory forward; a consignment sale may be created in economic
substance when the terms of sale create uncertainties about whether the wholesaler assumes
risk of ownership upon receipt of goods

Refund rights. When rights of return exist or are likely to be accepted, a reasonable
estimate of refunds should be made when revenue is recognized. In determining the amount
of the estimated refunds, management should consider competition, obsolescence, and the
length of time over which the product can be returned. However, if a reasonable estimate
cannot be made, revenue should not be recognized until the material uncertainty is resolved.
Further, if a seller changes the right of return near the end of the period to offer more
generous terms, the seller should not be able to recognize revenue until material uncertainties are
resolved and subsequent cash collections are assured.

refund rights: a sale is made with the right to return the goods for a full refund, even if the
goods are not defective

Bill-and-hold transactions. These are transactions in which a company bills
customers without shipping goods. Sunbeam Corporation was the first to use this method to
inflate revenue. For example, assume that a manufacturer leases a portion of its facility
to a customer and records revenue on sales to this customer when products are delivered
to the customer’s portion of the facility. The SEC now has very strict rules for revenue
recognition related to bill-and-hold sales. ASC 606 Revenue from Contracts with Customers
also has specific conditions that must be met for the seller to recognize revenues.

bill-and-hold transactions: a customer is billed for goods, but goods are not shipped;
accounting principles have very narrow criteria for when revenue can be recognized for a
bill-and-hold transaction; the transaction must be initiated by the customer, and the customer
must have a sound economic reason for purchasing the goods and asking the seller to continue
to hold the goods

Problems associated with booking consignment sales, refund rights, and bill-and-hold
transactions usually result in problems associated with the occurrence of revenues and the
existence of receivables.

An additional problem that auditors have experienced involves the correctness of gross
sales. Many companies, particularly growth companies, pay considerable attention to
top-line revenues. Companies may award bonuses based on gross revenues, and companies have
been valued based on multiples of revenues. Consider the hotel chain that manages
properties that it does not own. It should not record revenues from managed properties in a
similar fashion to owned properties and then record related expenses of property management.
Rather, management should record revenue only in the amount of the commission earned.
Recently, Groupon restated earnings when it went public because it had booked revenue
in the amount of the gross value of products sold through Groupon, rather than merely
the commission that Groupon received on the sale of the product for customers. In this
case, there was an overstatement of revenues and an overstatement of expenses. Operating
income was correctly reported, but significant misreporting of the amounts of revenues and
expenses existed. In the Groupon case, the problem is with the occurrence of revenue and
the occurrence of expenses.

gross sales: total revenues before any deductions, such as deductions for sales returns and
allowances

Other factors that contribute to misstatements in the revenue process include the
following:

•  The volume of sales, cash receipts, and sales adjustment transactions is often high,
resulting in numerous opportunities for errors to occur.
•  The timing and amount of revenue to be recognized (occurrence and cutoff of revenues)
may be contentious owing to factors such as complex accounting standards, the need
to make estimates, the complexity of the calculations involved, and purchasers’ rights
of return.
•  When receivables are factored with recourse, the classification of the transaction as a sale
may be incorrect.
•  Receivables may be misclassified as current or noncurrent owing to difficulties in
estimating the likelihood of collection within the next year or events upon which collection
is contingent.
•  Cash receipt transactions generate liquid assets that are particularly susceptible to
misappropriation (completeness of revenues or cash receipts).
•  Sales adjustment transactions may be used to conceal thefts of cash received from
customers by overstating discounts, recording fictitious sales returns (occurrence or accuracy
of discounts or sales returns), or writing off customers’ balances as uncollectible
(occurrence of write-off of accounts receivable).

Because of the variety and potential magnitude of the misstatements that can occur
in the absence of effective controls, the auditor must always give careful consideration to
inherent risks in the revenue process. Risks associated with revenue recognition are such
that auditors often consider the occurrence of revenues and the existence of receivable
assertions to be a significant inherent risk. In many cases, management adopts extensive
internal controls to address these issues through its own risk assessment procedures.
Finally, when auditors perform analytical procedures during risk assessment, they should
develop a skill in analyzing the likely assertions that might be misstated based on the data. For
example, consider the information in Illustration 11.6. Take a moment, study the data, and
consider what assertions might be at an increased risk of misstatement.

ILLUSTRATION 11.6   Example analytic procedures in the revenue process

                                        Current Year            Prior Year
                                        $000     Percentage     $000     Percentage
Revenues                                $5,638   100.0%         $3,780   100.0%
Cost of goods sold                      $2,691    47.7%         $1,975    52.2%
  Gross profit                          $2,947    52.3%         $1,805    47.8%

Accounts receivable, net                $1,335                  $837

Revenue growth                          49%                     33%
Accounts receivable growth              59%                     30%
Cost of goods sold growth               36%                     34%

Accounts receivable turnover in days    86 days                 81 days
Inventory turnover in days              180 days                189 days

The data show a company that is clearly experiencing rapid growth. Revenues have
grown by nearly 50%, receivables are growing faster than sales, and gross margins are
improving. This fast growth, combined with the slow accounts receivable turnover, should cause the
auditor to heighten professional skepticism with respect to revenue recognition. Recognizing
revenues without shipping goods will cause gross margins to improve and accounts receivable
turnover in days to slow. The significant accounts receivable growth should also cause
concerns about the collectibility of receivables. In summary, significant inherent risks exist for
the occurrence of revenues, the existence of receivables, and for the valuation of receivables
at their net realizable value.
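
The reading of Illustration 11.6 above, carried through in code as an added example that is not part of the original text: it recomputes the growth rates, gross margins, and collection periods from the illustration's dollar amounts and maps the warning signs to the assertions the text names. The `Period` class, the function names, and the flag-to-assertion mapping are assumptions of this example; all revenues are treated as credit sales, and the year-end receivable balance is used for the collection period because that reproduces the illustration's 86 and 81 days.

```python
from dataclasses import dataclass

# Assertion labels taken from the chapter's summary of Illustration 11.6.
OCCURRENCE = "occurrence of revenues"
EXISTENCE = "existence of receivables"
VALUATION = "valuation of receivables at net realizable value"


@dataclass(frozen=True)
class Period:
    """One year of revenue-process amounts in $000 (class name is this example's own)."""
    revenues: float
    cost_of_goods_sold: float
    receivables_net: float  # year-end balance

    def __post_init__(self):
        if self.revenues <= 0:
            raise ValueError("revenues must be positive to compute ratios")

    @property
    def gross_margin(self) -> float:
        return (self.revenues - self.cost_of_goods_sold) / self.revenues

    @property
    def collection_days(self) -> float:
        # Illustration 11.4 divides net credit sales by AVERAGE net receivables.
        # Assumption: the year-end balance is used instead, since no opening
        # balance is given for the prior year.
        return 365 * self.receivables_net / self.revenues


def growth(current: float, prior: float) -> float:
    """Year-over-year growth as a fraction, e.g. 0.49 for 49%."""
    if prior <= 0:
        raise ValueError("prior-period amount must be positive")
    return current / prior - 1


def assess(current: Period, prior: Period) -> dict:
    """Compute the analytical procedures and list the assertions at higher risk."""
    sales_growth = growth(current.revenues, prior.revenues)
    ar_growth = growth(current.receivables_net, prior.receivables_net)
    # The growth ratio from Illustration 11.4 is only meaningful when sales grew.
    ratio = ar_growth / sales_growth if sales_growth > 0 else None

    at_risk = []
    margin_improved = current.gross_margin > prior.gross_margin
    collection_slowed = current.collection_days > prior.collection_days
    # Revenue recognized without shipping goods improves margins and slows
    # collection at the same time.
    if margin_improved and collection_slowed:
        at_risk += [OCCURRENCE, EXISTENCE]
    # Receivables growing faster than sales (ratio above 1.0, or receivables
    # rising while sales fall) raises collectibility concerns.
    if ar_growth > 0 and ar_growth > sales_growth:
        at_risk.append(VALUATION)

    return {
        "sales_growth": sales_growth,
        "ar_growth": ar_growth,
        "ar_to_sales_growth": ratio,
        "gross_margin": {"current": current.gross_margin, "prior": prior.gross_margin},
        "collection_days": {"current": current.collection_days,
                            "prior": prior.collection_days},
        "assertions_at_risk": at_risk,
    }


# Dollar amounts from Illustration 11.6 ($000).
CURRENT_YEAR = Period(revenues=5638, cost_of_goods_sold=2691, receivables_net=1335)
PRIOR_YEAR = Period(revenues=3780, cost_of_goods_sold=1975, receivables_net=837)

if __name__ == "__main__":
    result = assess(CURRENT_YEAR, PRIOR_YEAR)
    print(f"Revenue growth:             {result['sales_growth']:.1%}")
    print(f"Receivable growth:          {result['ar_growth']:.1%}")
    print(f"AR growth to sales growth:  {result['ar_to_sales_growth']:.2f}")
    print(f"Collection period (days):   {result['collection_days']['current']:.0f}")
    for assertion in result["assertions_at_risk"]:
        print("Heightened inherent risk:", assertion)
```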

Audit Reasoning Example  Right of Return and Revenue Recognition


Keila Hirata is a senior auditor on Eastern Automotive, a small automotive parts company. She
has worked on this audit since she started with the audit firm, and she has developed a good
understanding of the company and its market. She has been monitoring the company’s monthly
financial statements and has been watching a build-up in inventory. Two months before year-end,
she talks to Eastern’s CFO about the problem; the CFO is wondering if Eastern will have to start
marking down inventory to move it out. Then in the last month of the year, inventory drops,
revenue increases, and things look normal again. However, looking at the results of a data analytics
test, Keila notices that more goods have been shipped in the last month than have been ordered
by customers. What would explain this? Digging deeper in the shipping department, she finds
several large shipments to some of Eastern Automotive’s larger customers. The problem is that
the goods have not been ordered by the customers. Keila finds that the goods were shipped with a
full right of return if the customer cannot sell the products forward. This is a significant revenue
recognition problem that will result in taking revenue and receivables off the books and putting
inventory back on the books with a concurrent reduction in cost of sales.

Professional Environment  Restatements of Revenues

Audit Analytics¹ recently reported a summary of restatements due to revenue recognition
issues for a 17-year period ending in 2017. The revenue recognition issues consist of
misstatements in approach, understanding, or calculation associated with the recognition of
revenue. Many of these restatements originated from a failure to properly interpret sales
contracts for hidden rebates, returns, or barter or resale clauses. Some of the restatements also
relate to the treatment of sales returns, credit, and other allowances.

Disclosure Year    Revenue restatements    % of all financial statement restatements
2003               169                     21.4%
2004               194                     20.4%
2005               226                     14.3%
2006               173                      9.3%
2007               173                     13.5%
2008               120                     12.4%
2009                86                     10.4%
2010                86                     10.1%
2011                89                     10.5%
2012                90                     10.6%
2013               119                     13.6%
2014               104                     12.1%
2015                90                     11.9%
2016                96                     14.1%
2017                77                     13.9%

Overall, restatements due to revenue recognition problems were the second most common source
of restatements during the 17-year period. In the early years of this time series, revenue
restatements amounted to over 20% of all restatements. In the subsequent period, revenue
restatement declined as a percentage of total restatements. From 2009–2012, revenue restatements
amounted to only about 10.5% of all restatements, and from 2013 onward revenue restatements
have increased, ranging from 11.9% to 14.1% of all restatements. Based on restatements of
earnings due to revenue recognition problems, revenue recognition continues to be a significant
inherent risk.

¹ Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison
(Audit Analytics: Sutton, MA, 2018).

Cloud 9 - Continuing Case

As Josh and Suzie review what they know about Cloud 9’s business and industry, they know that
senior employees will receive stock options if revenue targets are met. Those targets are
associated with opening a new company-owned store and making more sales through existing
channels. Analytical procedures performed during interim planning show that inventory levels have
increased. Further investigation has revealed that, while the economy has been strong, the
company appears to have been aggressive in its forecasting and overestimated the demand for
certain products. Suzie is concerned about how this might affect accounting in the revenue
process. Josh also wants Suzie to pay careful attention to period-end closing procedures.
Finally, Josh asks Suzie to think about the assertions where inherent risk will be high or
maximum. Then, they can consider what they know about Cloud 9’s system of internal control when
assessing the overall risk of material misstatement.

Before You Go On
3.1 Explain how sales adjustment transactions may be used to conceal thefts of cash.
3.2 Ron Fisher owns Fisher’s Bar and Grill. Ron is particularly concerned about generating
adequate cash flow but also places a real emphasis on minimizing the entity’s income taxes.
If you were to audit Fisher’s Bar and Grill, address the inherent risks that might exist in the
revenue process.

Control Activities for Credit Sales

LEARNING OBJECTIVE 4


Evaluate control activities for credit sales transactions.

Recall from the section “Entity-Level Internal Controls” in Chapter 6 that when evaluating
internal controls in the revenue process, it is important to understand a number of
entity-level controls. Entity-level controls establish a background and environment for
transaction-level controls. For example, the control environment may enhance or negate the
effectiveness of transaction-level controls. A key control environment factor in reducing the risk
of fraudulent financial reporting through the overstatement of revenues and receivables is
management’s adoption of and adherence to high standards of integrity and ethical values.
One related aspect is eliminating incentives that encourage dishonest reporting, such as
management’s undue emphasis on meeting unrealistic sales or profit targets. Another related
aspect is the supporting activities of an effective board of directors and audit committee. The
auditor might also be interested in how the entity’s risk assessment process responds to risks
that arise from changed circumstances, such as implementing new accounting standards for
revenue transactions. The discussion for the remainder of the chapter focuses on
transaction-level controls.

Recall from Chapter 6 that the process used for developing an audit strategy for various
assertions involves the following six steps:

1. Understanding the flow of transactions in a given transaction process.
2. Identifying what can go wrong from initiating the transaction to the recording in the general ledger. The auditor needs to link what can go wrong to assertions.
3. Assessing whether controls exist to mitigate what can go wrong.
4. Identifying relevant controls, performing tests of controls, and evaluating results.
5. Reporting internal control weaknesses to those charged with governance of the entity, based on controls that are absent or controls that are not operating effectively.
6. Determining an audit strategy at the assertion level.

Now think about the five industries that were mentioned at the beginning of this chapter. Is it reasonable to expect that the flow of transactions would be the same for a manufacturer of oil and gas field equipment as for a grocery store or a hotel? The following examples are more likely to fit a manufacturing company that sells manufactured goods on credit. However, be alert to comments that might apply to a retail grocer, a hotel chain, or a college/university. Auditors usually understand the flow of transactions in a given process by performing a walkthrough of a transaction process, such as the sales process or the cash receipts process. The walkthrough is important as different companies often have different documents and transaction flows. During a walkthrough, the auditor will interview client personnel, review the documents and electronic files used by the client, and understand how the entity uses information technology to support transaction-level controls. The auditor will ask questions of the entity’s personnel about their understanding of their responsibilities. Through inquiry and observation, the auditor obtains an understanding of transaction-level controls as well as the adequacy of segregation of duties. The discussion below provides examples of the flow of transactions in the credit sales process from initiating a transaction, to exchanging title to a good or service, to recording the transaction in the general ledger. This is followed by a discussion of the flow of transactions in the cash receipts processes. These two transaction streams often have a high volume of transactions.

Example Transaction Flows—Sales Process

The transaction flow in a typical sales process for a client that sells goods includes processing and approving credit and sales orders, shipping goods, invoicing customers, and recording sales and trade receivables. The transaction flow for a client that sells services is similar, but instead of shipping goods, the client performs the services. When selling services, recordkeeping regarding services performed (number of rooms used daily at a hotel or course enrollment at a college) is important to documenting the revenue process.
Common documents and files that are found in the process of selling goods include:

Source Documents and Related Electronic Files

• Customer master file—Usually part of the sales process database with information on approved customers, customer shipping and billing information, and the customer credit limit. Access to the customer master file and changes to this file should be tightly controlled by the entity.
• Master price file—Usually part of the sales process database with information on approved prices and discounts, such as volume discounts, that are allowed for any customer.
• Sales order—Client-prepared prenumbered document that includes customer information, description and quantity of what was ordered, and terms of sale.
• Bill of lading—Client’s shipping document that serves as acknowledgement of receipt of goods for delivery by a freight carrier.
• Packing slip—Client-prepared document with the details of items included in a shipment.

Recording Document

• Sales invoice—Client-prepared document stating the particulars of a sale, including the amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis for recording a sale in the sales journal.
• Sales journal—The journal of original entry where each sale is recorded.

Important Databases or Other Documents

• Sales process database—Electronic files that accumulate data on sales, cash receipts, and accounts receivables.
• Monthly statements of receivable balances—Client-prepared report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance (even if it is zero).

An example of how these documents commonly flow is illustrated in Illustration 11.7. Illustration 11.7 is followed by a brief discussion of how credit sales are processed in many companies. It is helpful to understand the documents and what information might be included on each document. The flow of transactions that is visualized in this illustration might be represented by documents being received from, or sent to, the customer in either paper or electronic form (by way of electronic data interchange). Nevertheless, the following functions are standard functions in the revenue process.

ILLUSTRATION 11.7   Example flow of transactions for credit sales
[Flowchart with three columns: Process, Documents, and Files and Databases.
Authorization: receive customer order for goods (customer master file, master price list); prepare internal sales order (sales order; sales process and G/L database).
Shipping: prepare shipping documents and ship goods (packing slip, bill of lading; sales process and G/L database).
Recording: prepare sales invoice to bill customer (sales invoice; sales process and G/L database); record in sales journal; post to general ledger; record in A/R subsidiary ledger (monthly statement).]

Initiating and Authorizing Credit Sales

Initiating a transaction represents the process of agreeing to sell goods or services to an independent third party (or to a related party).

Accepting customer orders. Sales orders from customers should be accepted only in accordance with management’s authorized criteria. The criteria generally provide for specific approval of the order in the sales order department, using a software application to determine that the customer exists in a customer master file with approved credit limits. If the customer is not in the master file, many companies ask for a credit card, or they ship on a collect-on-delivery basis to establish a history with a new customer. In many companies, the next step involves the client preparing a prenumbered sales order form. The prenumbered sales order form enables following each transaction from initiation, to delivery of goods or services, to recording the sale, to receipt of final consideration. The sales order represents the start of the transaction trail of documentary evidence. Information on open (unfilled) and filled sales orders is usually maintained in appropriate electronic files and monitored to ensure ordered goods are shipped to customers. Usually, the software can be programmed to compare a customer’s outstanding receivable balance, plus the anticipated sale, with the customer’s credit limit in the approved customer master file. Segregating responsibility for initiating a sale and approving sales that exceed a credit limit prevents sales personnel from subjecting the company to undue credit risks to boost sales.

Approving credit. Today, most companies ask first-time customers to pay in cash, pay on a cash-on-delivery basis, or pay with credit cards or some form of electronic funds transfer. This allows the company to make the sale and begin to establish a relationship with new customers. After some history with a new customer, a company may begin steps to approve credit in small amounts and increase credit limits based on a customer’s payment history. Controls over approving credit are designed to reduce the risk of initially recording a revenue transaction at an amount in excess of the amount of cash expected to be realized from the transaction. Thus, these controls also relate to the valuation and allocation assertion associated with the allowance for uncollectible accounts.

Shipping Goods

Delivery of goods or services is the economic event that results in a change in title and establishes revenue recognition and the right to a receivable.

Filling sales orders. Company policy generally prohibits the release of any goods from the warehouse without an approved sales order. Further, the software may be programmed to match items taken from the perpetual inventory with items on an approved sales order. This control procedure is designed to prevent the unauthorized removal of items from inventory. The warehouse may receive an electronic copy of the approved sales order as authorization to fill the order and release the goods to the shipping department. When goods are pulled from inventory, a packing slip is normally produced to detail the items that will be shipped to the customer and the quantity of each item shipped.

Shipping sales orders. Segregating the responsibility for shipping from approving and filling orders helps to prevent shipping clerks from making unauthorized shipments. In addition, an important manual control requires that shipping clerks make independent checks to determine (1) that goods pulled from the warehouse are accompanied by appropriate authorization, and (2) that the order was properly filled (goods taken from the warehouse agree with the details of the sales order). The shipping function also involves preparing multicopy shipping documents, such as a bill of lading. Shipping documents are often produced by the software application using order information already in the program and adding appropriate shipping data such as quantities shipped, carrier, freight charges, and so on. Daily software application checks are often run to (a) account for all shipping documents, (b) determine that all sales orders result in shipments, and (c) determine that a sales invoice was subsequently prepared for each shipping document. These checks provide an important control for the completeness assertion.

Recording Sales

The process of recording sales involves preparing and sending prenumbered sales invoices to customers (billing customers) and recording sales invoices accurately and in the proper accounting period (recording sales). The auditor’s primary concerns regarding recording sales are that sales invoices are recorded accurately and in the proper period. The latter pertains to when the revenue is earned, which is usually when the goods are shipped. The auditor’s primary concerns regarding billing are that customers are billed (1) for all shipments, (2) only for actual shipments (no duplicate billings or fictitious transactions), and (3) at authorized prices.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Credit Sales and Accounts Receivable

Once the auditor understands the flow of transactions, the auditor should evaluate what can go wrong, identify potential controls that management has placed in operation, and then choose key controls to test. Illustration 11.8 summarizes the flow of transactions through the revenue process, key documents and files, what can go wrong, and example controls for a manufacturing client making credit sales. There is likely to be a different analysis of what can go wrong for a hotel that receives cash in advance of providing the service and has significant unearned revenues. As you review Illustration 11.8, notice that most of the controls are IT application controls; try to associate particular controls with the assertions being controlled.

ILLUSTRATION 11.8   Credit sales transactions—WCGW and example controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control |
|---|---|---|---|
| Initiating credit sales | Customer master file | Sales may be made to unauthorized customers. | Only a limited number of individuals can change the customer master file and all file changes are reviewed by appropriate levels of management. These duties should be segregated from shipping goods or recording transactions. |
| | Sales order | Sales may be made to unauthorized customers. | The software application matches the customer on the sales order with the customer master file. |
| | Sales order | Sale may be made without credit approval. | The software application matches amount of sales order with credit authorization on the customer master file. |
| | | | Appropriate level of regular review of sales analysis (by product, division, salesperson or region) and comparisons with budgets. |
| Delivering goods | Perpetual inventory | Goods may be released from warehouse for unauthorized orders. | The software application matches all goods pulled from inventory (perpetual inventory) to approved sales orders. |
| | Bill of lading and packing slip | Products may be shipped without shipping documents being generated. | The software application generates packing slip and delivery documentation when order is processed. |
| | Bill of lading and packing slip | Goods ordered may not be shipped. | The software application prints a report of all unfilled sales orders. |
| Recording sales | Sales invoice and sales process database | Some shipments may not be billed. | The software application prints a report of all goods shipped but not billed. |
| | | | Invoices are prenumbered and accounted for. |
| | | | The software application prints a report of all bills of lading not matched with sales invoices. |
| | Sales invoice and sales process database | Billing may be made for fictitious transactions, or duplicate billing may be made. | The software application matches sales invoice information with underlying shipping information. |
| | Sales invoice and sales process database | Sales invoices may be recorded in the incorrect accounting period. | The software application matches sales invoice date with accounting period in which goods are shipped. |
| | Sales invoice and sales process database | Sales invoices may be recorded in the incorrect amount (incorrect quantities or prices). | The software application matches sales invoice quantities with shipping information and prices with master price list. |
| | Sales invoice and sales process database | Invoices may not be journalized or posted to customer accounts. | The software application checks run-to-run total of beginning receivables, plus sales transactions with the sum of ending receivables. |
| | Sales invoice and sales process database | Sales invoices may be billed to the wrong customer. | The software application matches customer number on sales invoice with customer number of sales order and bill of lading. |
| | Monthly receivable statements | Customers may be billed incorrect amounts. | An individual reviews monthly statements to customers before they are mailed, reporting any exceptions to a designated accounting supervisor not otherwise involved in the execution or recording of revenue process transactions. |
| | | | Statements are mailed monthly, with follow-up on customer complaints independent from the recording process. |

Many clients build in redundant controls such that if one control does not find a misstatement, another control will detect the problem. However, auditors cannot efficiently test all controls that exist. The auditor will find a key control by identifying the most important control for each assertion. Following are example key controls that auditors often identify. The examples rely significantly on IT application controls to flag potential misstatements. The auditor should understand the logic behind the IT application controls and how client personnel manually follow up on exceptions on a timely basis.

Completeness of sales. The software application starts with a population of daily shipping documents and develops a one-for-one match with sales invoices to ensure that each shipment results in a sales invoice. A report is generated daily of any shipments that have not resulted in a recorded sales invoice.

Occurrence of sales. The software application starts with the population of daily sales invoices and develops a one-for-one match with underlying shipping documents to ensure that each sales invoice is supported by a bill of lading. A report is generated daily of any sales that are not supported by shipments. Many larger companies that are heavily computerized have a control that does a three-way match. A “three-way match” means matching a sales invoice with underlying shipping documents and the customer’s sales order. In many companies where title passes when goods are shipped, revenue is appropriately recognized when all three sets of documents match. Nevertheless, the auditor should always be alert to changes in the terms of sale that might mean revenue should not be recognized, even though goods have been shipped.

Accuracy of sales. The software application starts with the population of daily sales invoices and compares quantities with the underlying packing slips, compares prices to the underlying sales order, and checks the mathematical accuracy of the sales invoice. A report is generated daily of any prices or quantities on the sales invoices that are not supported by underlying documents or files.

Cutoff of sales. The software application starts with the population of daily sales invoices and compares the date on the sales invoice with the date on the underlying bill of lading. A report is generated daily of any sales invoices not recorded in the same accounting period as the shipment.

Classification of sales and receivables. The software application starts with the population of daily sales invoices and compares customer numbers with the sales order. Both customer account coding and general ledger coding are compared with the sales order if a sales invoice bills for both goods and services, as these need to be recorded in separate accounts. A report is generated daily of any sales invoices showing incorrect account coding, for example, billing the wrong customer or recording revenue for selling goods when services are sold.

Existence of receivables, valuation of receivables at historic cost, and possible completeness of accounts receivable. Monthly statements are sent to customers. An independent process is set up so that customers can lodge a complaint with a person in the company who is independent of recording sales and receivables. Customers will complain if they are billed for items that were not ordered or not received.

Rights and obligations of accounts receivable. If receivables are factored or sold with recourse, an independent process is set up to monitor monthly statements received from the factoring agent and monitor payments made by customers to the factoring agent (or payments made to the client in error).
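
The daily exception reports described above (completeness, occurrence with a three-way match and duplicate-billing check, accuracy, cutoff, and classification by customer number) are sketched below as an added example; it is not code from the textbook or from any client system. The record layouts, document numbers, sample data, and the use of the calendar month as the accounting period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class SalesOrder:
    order_no: str
    customer_no: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class Shipment:
    """Bill of lading plus packing-slip quantity (combined here by assumption)."""
    bol_no: str
    order_no: str
    quantity_shipped: int
    ship_date: date


@dataclass(frozen=True)
class SalesInvoice:
    invoice_no: str
    order_no: str
    bol_no: str
    customer_no: str
    quantity: int
    unit_price: Decimal
    total: Decimal
    invoice_date: date


def period(d):
    """Accounting period, assumed here to be the calendar month."""
    return (d.year, d.month)


def daily_exception_report(orders, shipments, invoices):
    """Return {assertion: [(document number, reason), ...]} for manual follow-up."""
    order_by_no = {o.order_no: o for o in orders}
    ship_by_no = {s.bol_no: s for s in shipments}
    names = ("completeness", "occurrence", "accuracy", "cutoff", "classification")
    report = {name: [] for name in names}

    # Completeness: start from the shipping documents and look for an invoice.
    billed = {inv.bol_no for inv in invoices}
    for s in shipments:
        if s.bol_no not in billed:
            report["completeness"].append((s.bol_no, "shipped but not billed"))

    # The remaining tests start from the population of sales invoices.
    already_billed = set()
    for inv in invoices:
        ship = ship_by_no.get(inv.bol_no)
        order = order_by_no.get(inv.order_no)
        # Occurrence: three-way match of invoice, shipping document, sales order.
        if ship is None or order is None or ship.order_no != inv.order_no:
            report["occurrence"].append((inv.invoice_no, "three-way match failed"))
            continue
        if inv.bol_no in already_billed:
            report["occurrence"].append((inv.invoice_no, "duplicate billing"))
            continue
        already_billed.add(inv.bol_no)
        # Accuracy: quantity vs. shipment, price vs. order, arithmetic of the total.
        if inv.quantity != ship.quantity_shipped:
            report["accuracy"].append((inv.invoice_no, "quantity differs from shipment"))
        if inv.unit_price != order.unit_price:
            report["accuracy"].append((inv.invoice_no, "price differs from sales order"))
        if inv.total != inv.quantity * inv.unit_price:
            report["accuracy"].append((inv.invoice_no, "total is not quantity x price"))
        # Cutoff: invoice must fall in the same period as the shipment.
        if period(inv.invoice_date) != period(ship.ship_date):
            report["cutoff"].append((inv.invoice_no, "invoice and shipment periods differ"))
        # Classification: invoice must bill the customer named on the sales order.
        if inv.customer_no != order.customer_no:
            report["classification"].append((inv.invoice_no, "customer differs from order"))
    return report


D = Decimal
# Constructed sample population for one day (not real data).
ORDERS = [SalesOrder("SO-1001", "C-01", 10, D("25.00")),
          SalesOrder("SO-1002", "C-02", 5, D("100.00")),
          SalesOrder("SO-1003", "C-03", 8, D("40.00")),
          SalesOrder("SO-1004", "C-01", 2, D("500.00"))]
SHIPMENTS = [Shipment("BL-501", "SO-1001", 10, date(2024, 3, 29)),
             Shipment("BL-502", "SO-1002", 5, date(2024, 3, 30)),
             Shipment("BL-503", "SO-1003", 8, date(2024, 4, 1)),
             Shipment("BL-504", "SO-1004", 2, date(2024, 3, 31))]  # never billed
INVOICES = [
    SalesInvoice("INV-9001", "SO-1001", "BL-501", "C-01", 10, D("25.00"), D("250.00"), date(2024, 3, 29)),
    SalesInvoice("INV-9002", "SO-1002", "BL-502", "C-02", 6, D("100.00"), D("600.00"), date(2024, 3, 30)),
    SalesInvoice("INV-9003", "SO-1003", "BL-503", "C-03", 8, D("40.00"), D("320.00"), date(2024, 3, 31)),
    SalesInvoice("INV-9004", "SO-1005", "BL-599", "C-09", 1, D("900.00"), D("900.00"), date(2024, 3, 31)),
    SalesInvoice("INV-9005", "SO-1001", "BL-501", "C-01", 10, D("25.00"), D("250.00"), date(2024, 3, 30)),
]

if __name__ == "__main__":
    for assertion, items in daily_exception_report(ORDERS, SHIPMENTS, INVOICES).items():
        print(assertion, items)
```

An invoice that fails the occurrence test is excluded from the later tests, since it has no supporting documents to compare against; each exception still needs the timely manual follow-up the text describes.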

Before You Go On
4.1 How are financial statements misstated if there is a material misstatement in the completeness assertion regarding credit sales? Describe a key control to detect and correct this problem.
4.2 How are financial statements misstated if there is a material misstatement in the occurrence assertion regarding credit sales? Describe a key control to detect and correct this problem.
4.3 How are financial statements misstated if there is a material misstatement in the existence of accounts receivable? Describe a key control to detect and correct this problem.

Control Activities for Cash Receipts

LEARNING OBJECTIVE 5

Evaluate control activities for cash receipt transactions.

The cash receipts function involves the following subfunctions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. As in the case of credit sales transactions, segregation of duties in performing these subfunctions is an important internal control. Today, many cash receipts involve the electronic transfer of funds. Funds are received directly by the bank, and the bank establishes controls over receiving cash. Alternatively, customers may send checks to a client, and the client sets up a lockbox opened by the bank. In this case, the checks are once again received directly by the bank, which is responsible for both receiving and depositing cash. This system is described in the following section, “Example Transaction Flows—Cash Receipts.” If a company receives cash or checks directly from customers (such as at a college/university), it must establish initial control over the receipt of cash. In this case, the client creates its own remittance report (independent of the process of recording cash) and makes a detailed list of customers who paid via cash or check and the amounts received. A major risk in processing cash receipt transactions is the possible theft of cash before a record is made of the cash receipt; thus, control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and cash is subsequently safeguarded.

Example Transaction Flows—Cash Receipts

Common documents and files that are found in the cash receipts process include:

Source Documents

• Remittance advice—A document received from the customer showing details of payments made by the customer.
• Remittance report from the bank—A document prepared by the bank showing the details of electronic funds transfers received by the bank from customers.
• Bank deposit slip—A receipt from the bank showing the total amount deposited to the client’s account at the bank.

Recording Cash Receipts

• Daily remittance report (or daily cash receipts journal)—A daily report showing cash recorded in the cash receipts journal that identifies customers making payments on account and the amounts received. This report could be prepared by a bank or prepared by a client that receives cash and checks from customers.

Important Databases or Other Documents

• Sales process database—Electronic files accumulating data on sales, cash receipts, and accounts receivables.
• Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance.

An example of how these documents commonly flow through the cash receipts process is presented in Illustration 11.9. Illustration 11.9 is followed by a brief discussion of how cash receipts may be processed in many companies.

ILLUSTRATION 11.9   Example flow of transactions for cash receipts
[Flowchart with three columns: Process, Documents, and Files and Databases.
Receiving and depositing cash: electronic funds transfer directly to bank (remittance report from bank, deposit slip) or check sent to lockbox (remittance report from bank, remittance advice, deposit slip).
Recording: prelist of cash receipts (daily remittance report; customer master file; sales process and G/L database); record in cash receipts journal; post to general ledger; record in A/R subsidiary ledger (monthly statement).]

Receiving Cash

A major risk in processing cash receipt transactions is the possible theft of cash before or after a record of the receipt is made. Control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and that the cash is subsequently safeguarded.

Electronic funds transfer and lockboxes. Today, the most common form of cash receipts involves either electronic funds transfer (EFT) or physical checks received directly by the bank through a lockbox system. With an electronic transfer of funds, cash goes from the customer’s bank account to the client’s bank account. However, the U.S. economy still uses written checks in significant amounts. Companies that receive checks often receive them through a lockbox (a post office box that is controlled by the company’s bank). The bank picks up the mail daily, deposits the checks in the client’s bank account, and sends to the client the remittance advices, a remittance report listing each individual cash receipt, and a deposit slip. When the bank receives electronic funds transfers, the bank also prepares a remittance report listing each individual cash receipt and a deposit slip. The remittance report is used by the client as a source document to record cash receipts and update accounts receivable. These systems expedite the depositing of funds from customers, permit the company to receive credit for the receipts sooner, and provide external evidence of the existence of the transactions. They also eliminate the risk of theft of the receipts by company employees or the failure to record cash receipts.

lockbox system: cash is received at a post office box that is controlled by the client’s bank; the bank picks up the mail daily (or more frequently) and deposits the checks in the company’s bank account
Cash received by the company. It is less common for larger companies to process their own mail receipts, but this continues to occur in small businesses, governments, and not-for-profit organizations. In these cases, an independent individual with cashier responsibilities should (1) immediately restrictively endorse checks for deposit only (increasing the likelihood that receipts will be deposited and recorded) and (2) list the checks on a remittance report. The latter may be done manually or using software. Immediate preparation of the remittance report establishes accountability for the receipts and provides a batch or control total for use in independent checks on the completeness and accuracy of processing cash receipts. Remittance advices received with the checks, and a copy of the remittance report, are then forwarded to the client’s accounting department for use in updating customer accounts.

Over-the-counter receipts. For over-the-counter receipts, a cash register or point-of-sale terminal is indispensable. These devices provide:

• Immediate visual display for the customer of the amount of the cash sale and the cash tendered.
• A printed receipt for the customer and an internal record of the transaction on an electronic file or a tape locked inside the register.
• Printed control totals of the day’s receipts processed on the device.

The customer’s expectation of a printed receipt and supervisory surveillance of over-the-counter sales transactions help to ensure that all cash sales are processed through the cash registers or terminals (completeness and accuracy of cash received). In addition, supervisors may be assigned responsibility for performing independent checks on the accuracy of cash count sheets and verifying agreement of cash on hand with the totals printed by the register or terminal. The cash, count sheets, and register- or terminal-printed totals are then forwarded to the cashier’s department for further processing and inclusion in the bank deposit.

Proper physical controls over cash also require that all cash receipts be deposited daily. This control reduces the risk that receipts will not be recorded, and the resulting bank deposit record establishes evidence of the occurrence of the recorded transactions. When over-the-counter and mail receipts are received by the cashier, an independent check should be made to determine their agreement with the accompanying cash count sheets and remittance report, respectively. The totals for each are then entered on a daily cash summary, and the deposit is prepared. After making the deposit, the daily cash summary and validated deposit slip should be forwarded to general accounting for posting to accounts receivable.

Recording Cash Received

Recording cash receipts involves journalizing cash received by a bank, over the counter, and by mail and posting receipts to customer accounts. Controls should ensure only valid receipts are entered, all actual receipts are entered, and entries are at the correct amounts. Over-the-counter receipts are generally recorded in general accounting based on the daily cash summary received from the cashier. In most cases, a company will receive an electronic file from the bank that it may use to update the sales and accounts receivable database. If cash or checks are received by the entity, it is common for accounts receivable clerks to use software to enter cash received from an internal prelist into the sales and accounts receivable database.

Granting Cash Discounts

Cash discounts are commonly granted for timely receipt of payments from customers, such as a 1% discount granted if cash is received within 10 days of the invoice date. Trade terms are often stated on the invoice and the software application can test the appropriateness and the accuracy of the discount by comparing the cash receipts date with the invoice date and recomputing the cash discount.

Identify WCGW and Identify Key Controls—Cash Receipts

Once the auditor understands the flow of transactions for cash receipts, the auditor should evaluate what can go wrong, identify potential controls management has placed in operation, and then identify key controls the auditor wants to test. Illustration 11.10 summarizes the flow of transactions through the revenue process, key documents and files, what can go wrong, and example controls. As you review Illustration 11.10, try to associate particular controls with the assertions they are controlling.

ILLUSTRATION 11.10   Cash receipts transactions: WCGW and example controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control |
|---|---|---|---|
| Receiving and depositing cash | Remittance advice from customer, bank remittance report, deposit slip | Mail receipts may be lost or misappropriated after receipt. Cash may be taken (skimmed) or not be deposited intact daily. | Electronic funds transfer directly to bank or establish a lockbox arrangement with the bank. |
| | | Inappropriate cash discounts may be taken by customers. | The client’s software application can recalculate cash discounts taken by customers. |
| Cash received by the client | | Cash sales may not be recorded. | Use of cash registers or point-of-sale devices. |
| | Prelist of cash receipts | Mail receipts may be lost or misappropriated after receipt. | Immediate preparation of prelist of mail receipts. Restrictive endorsement of checks immediately upon receipt. |
| | Prelist of cash receipts, remittance advices | Checks received may not agree with prelist of cash. | Independent check of agreement of remittance advices with prelist of cash received. |
| Cash deposited by the client | Bank deposit slip, prelist of cash receipts, bank remittance report | Cash may not be deposited intact daily. | Independent check of agreement of prelist of cash receipts or bank remittance report with validated deposit slip. |
| Recording cash receipts | Sales database, prelist of cash receipts, bank remittance report | Cash receipts may be recorded in error. | Software agreement of amounts journalized and posted with the prelist of cash receipts or bank remittance report. |
| | Independent bank reconciliation | Errors may be made in journalizing cash receipts. | Preparation of periodic independent bank reconciliations. |
| | Monthly statement to customers | Receipts may be posted to the wrong customer account. | Mailing of monthly statements to customers. |

As noted earlier, auditors cannot efficiently test all controls that exist. Instead, auditors
will find a few key controls and attempt to identify the most important control for each
assertion. Following are example key controls auditors often test for cash receipts transactions.
The examples rely significantly on IT application controls to flag potential misstatements. In
this case, the auditor must understand both the IT control and how clients manually follow up on
exceptions on a timely basis.

Completeness of cash receipts. The software application compares each item in the bank
remittance report (or the prelist of cash receipts if cash and checks are received by the client)
to develop a one-for-one match with recorded cash receipts in the daily remittance report. An
exception report is generated daily of any cash receipts that have not been recorded. However,
the strength of these controls depends on adequate segregation of duties and controls
establishing immediate recorded accountability for all cash receipts to prevent the diversion or
skimming of cash receipts.

Occurrence of cash receipts. The software application starts with the population of daily cash
receipts recorded in the daily remittance report (daily cash receipts journal) and develops a
one-for-one match with the bank remittance report (or prelist of cash received). An exception
report is generated daily of any recorded cash receipts not supported by the bank remittance
report.

Accuracy of cash receipts. The software application starts with the population of daily cash
receipts recorded in the daily remittance report (daily cash receipts journal) and compares the
dollar amount of each recorded cash receipt with the bank remittance report (or prelist of cash
received). The accuracy of any discounts for early payment by customers is double-checked by the
software application. An exception report is generated daily for any recorded values of cash
received not supported by a remittance report or for inappropriate discounts taken by customers
for early payment.

Cutoff of cash receipts. The software application starts with the population of daily cash
receipts recorded in the daily remittance report (daily cash receipts journal) and compares the
date recorded in the daily remittance report with the date received and deposited by the bank
(or date on the prelist of cash receipts). An exception report is generated daily for any cash
receipts recorded in the incorrect time period.

Classification of cash receipts. The software application starts with the population of daily
cash receipts recorded in the daily remittance report (daily cash receipts journal) and compares
customer account numbers on the daily remittance report (cash receipts journal) with
the customer numbers on the bank remittance report. An exception report is generated daily
of any cash receipts posted to the incorrect customer.

Audit Reasoning Example  Diverting Cash Receipts


Lucas (audit manager) and Robert (audit staff) are working on the audit of a political campaign.
Robert has just assessed control risk as low for cash receipts. Lucas asks Robert: “Did you consider
the highest risk of fraud in cash receipts happens when an individual is able to divert cash receipts
before funds are deposited and recorded in the accounting records? I recall reading a story about a
campaign treasurer who received a donation and diverted it for personal use, without depositing
the funds in the political campaign. Do you think this could be a problem?” Robert responds that
he had not considered cash being diverted before being received by the client. Lucas goes on, “We
have several clients who own restaurant chains. Do you think this is a problem for them?” Robert
thinks for a moment and then responds. “Now that I think about it, this is a problem. I recall
paying for a meal at a small restaurant in cash and getting change, but not a receipt. I guess that
also is a way to divert cash and not record the transaction. I suppose the completeness assertion is
a high inherent risk assertion for most restaurants.” Lucas responds, “You are right, Robert. Now
let’s go back and revisit this campaign’s internal control over collecting cash.”

Before You Go On
5.1 How are financial statements misstated if there is a material misstatement in the completeness
assertion regarding cash receipts? Describe a key control to detect and correct this problem.
5.2 How are financial statements misstated if there is a material misstatement in the cutoff
assertion regarding cash receipts? Describe a key control to detect and correct this problem.

Control Activities for Sales Adjustments and Revenue Process Disclosures

LEARNING OBJECTIVE 6
Evaluate control activities for sales adjustment transactions and revenue process
disclosures.

Sales adjustments involve adjustments for goods returned by the customer, discounts given
to customers associated with defects in goods received by the customer, and period-end
adjustments to record a provision for bad debt expense or to record the write-off of accounts
receivable. Important documents and records used in processing sales adjustments include
the following:

•  Sales return authorization—A form showing the description, quantity, and other
data pertaining to goods the customer is authorized to return. It serves as the basis
for initiating the sales return and internal processing of the customer return by the
seller.
•  Authorization for accounts receivable write-off—A form showing the procedures taken to
attempt collection and to document authorization of accounts receivable write-off.
•  Receiving report—A report prepared on the receipt of goods from customers showing the
kinds and quantities of goods received.
•  Credit memo—A form stating the particulars of a credit to accounts receivable,
including the specific items returned, prices, and amount credited to a customer’s
account. It provides the basis for recording the sales return or a sales adjustment for
damaged goods.
•  Journal entry—A document used to record adjustments such as a provision for bad debt
expense or an accounts receivable write-off in the general ledger.
•  Cash receipts journal—A journal listing cash receipts from cash sales and collections on
accounts receivable.

In many companies, the number and dollar value of sales adjustments is immaterial. However,
in some companies, the potential for misstatements resulting from errors and fraud in
the processing of these transactions is considerable.

Granting Sales Returns and Allowances


The possibility of fictitious sales adjustment transactions being recorded is a primary concern
because it may be used to conceal fraud in processing cash receipts. For example, an employee
might misappropriate cash received from a customer and cover up the fraud by writing a
credit memo to reduce the receivable from the customer. Accordingly, control activities useful
in reducing the risk of fraud focus on establishing the occurrence of such transactions and
include the following:

•  All sales returns should be authorized by sales management.
•  Goods should be received only with a proper sales return authorization, and an independent
count of goods returned should be recorded on a receiving report.
•  The software application should match the credit memo information with the sales order,
authorization of sales return, and receiving report.

Further, there should be adequate segregation of duties for authorizing sales returns,
receiving goods, and recording credit memos. Usually, the business unit that makes the sale will
have the responsibility of authorizing sales adjustment transactions.

When there is the potential for material misstatements from sales adjustments transactions,
the auditor should obtain an understanding of all relevant aspects of the internal
control components and consider the factors that affect the risk of such misstatements. If a
provision for sales returns is estimated at quarter-end, management should establish controls
to ensure adjustments are made based on reliable information and adjustments are consistent
from quarter to quarter. In larger public companies, a disclosure committee reviews these
estimates if they could aggregate with other adjustments to an amount that is material to the
financial statements. A disclosure committee is typically led by the CFO and includes
individuals in management who are knowledgeable about the condition of the company and required
financial reporting disclosures relevant to the revenue process.

disclosure committee: a committee often led by the CFO or chief legal officer with the
purpose of helping ensure that financial statement disclosures are accurate, complete, and
fairly presented in all material respects

Determining Uncollectible Accounts


Strong internal controls over the write-off of uncollectible accounts are important to prevent
write-offs from being used to conceal fraud in processing cash receipts. For example, an
employee might misappropriate cash received from a customer and cover up the fraud by writing
off the customer’s account against the allowance for uncollectible accounts. Strong internal
controls include:

•  All write-offs of uncollectible accounts should be authorized by an appropriate level of
management and supported by documentation, such as correspondence with the customer
or collection agencies.
•  Journal entries for write-offs should be reviewed by management to ensure the
appropriateness of the transaction.

In addition, management should establish controls over accounting estimates such as
the provision for bad debt expense. Management should ordinarily establish a process for
monitoring aging and the collectibility of receivables. Hindsight should be used to evaluate
the adequacy of prior provisions for bad debt expense compared with subsequent receivables
that went uncollectible. It is essential that the data used to develop a provision for bad debt
expense (the history of accounts written off) be reliable. In addition, a qualified and
independent disclosure committee should review the allowance on a regular basis. These controls
are necessary to determine the adequacy of the allowance.

Other Controls in the Revenue Process


The previous discussion focused on controls over transactions. It is also important to control
balances and disclosures. The primary account balance in the revenue process is accounts
receivable. If strong controls exist over credit sales, cash receipts, and sales adjustments, the
accounts receivable balance should also be controlled, as it is the product of recording these
transactions. Most companies control the completeness, existence, and valuation of receivables
at historical cost by sending monthly statements to customers. The function of following
up on issues raised by customers should be independent of accounts receivable personnel.

Controls over the rights and obligations assertion relate to whether the company has a
legal claim to receivables. A company normally gives up claims to collection of receivables
when it sells the receivables or pledges receivables as collateral. These transactions may not
exist in many entities. However, if an entity sells its receivables with recourse, it should keep a
documentary record of receivables that have been sold. This record should be compared with
monthly statements sent by a bank or factoring company. This provides an independent check
on the accuracy of the company’s records.

Finally, management should establish controls over the occurrence and rights and obligations
of disclosures, the completeness of disclosures, the classification and understandability
of disclosures, and the accuracy and valuation of information included in disclosures. Common
disclosures in the revenue process include:

•  Reclassification of material credit balances in accounts receivable as accounts payable.
•  Segregation of short-term trade receivables from long-term trade receivables.
•  Disclosure of major customers.
•  Disclosure of sales by geographic regions or major product lines.
•  Disclosure of receivables from officers, directors, employees, or related parties.

Public companies normally accomplish this task with a disclosure committee that works with
the CFO or controller to review disclosures. Many companies use a current GAAP disclosure
checklist to assist in this process.

Before You Go On
6.1 Explain the fraud that might be covered up by granting inappropriate sales adjustments or
by inappropriately writing off accounts receivable. Describe an internal control to detect and
correct this problem.
6.2 Explain appropriate controls over journal entries to provide for bad debt expense.
6.3 Explain an appropriate control over revenue process disclosures.

Tests of Controls in the Revenue Process and Audit Strategy

LEARNING OBJECTIVE 7
Determine how to design and perform tests of controls in the revenue process and
connect the results of control testing to audit strategy.

The following discussion identifies potential tests of controls that may be used to determine if
a client’s controls in the revenue process are effective. Once the auditor has evaluated the
quality of the system of internal control, the audit team is in a good position to evaluate the
opportunity for fraud risk. The fraud risk assessment should be approached with professional
skepticism. Finally, this section focuses on the links between risk of material misstatement
(RMM) and subsequent strategy for substantive testing.

Tests of Controls in the Revenue Process


Most auditors plan to test controls in the revenue process because of the high volume of
routine transactions in this process. Public company auditors test controls to support an
opinion on internal control. Auditors of private companies will test controls that appear to
be effective because of the audit efficiencies that exist when the client has effective controls
in place.
If the client relies on IT controls and the auditor plans to assess control risk as low for
revenue process assertions, the auditor will usually:

•  Test the effectiveness of IT general controls.
•  Use generalized audit software to evaluate the effectiveness of IT application controls.
•  Test the effectiveness of manual procedures to follow up on exceptions identified by IT
application controls.

The auditor will usually test the effectiveness of IT general controls as part of testing
entity-level controls. For example, when testing the control environment, the auditor might
pay particular attention to making inquiries and collecting supporting evidence regarding
employee awareness of IT security issues. If the auditor is testing issues regarding controls
over program changes, the auditor might determine how program access is controlled and
monitored, look at logs of program access or incident reports, and talk to users about their
involvement in program changes affecting their responsibilities. The auditor will want to pay
attention to segregation of duties regarding access to programs and access to data, the
effectiveness of password controls, and the follow-up of any incident reports regarding
unauthorized access. The auditor will also want to understand controls over back-up and recovery
of programs and data, and test the effectiveness of these controls. These tests are often
performed by an IT audit specialist.
Auditors often use test data to test IT application controls and determine whether expected
results appear on exception reports. For example, in the revenue process, the auditor
might submit:

•  A missing or invalid customer code.
•  An invalid product code.
•  An order that exceeds a customer’s credit limit.
•  Transactions reporting shipments in quantities different from the amount ordered (both
over and under).
•  Prices, vendor numbers, or other information on sales invoices that do not match
information on the sales order.
•  Invoice quantities that do not match quantities on shipping documents.

The auditor might also use generalized audit software to perform sequence checks and
print lists of sales orders, shipping documents, or sales invoices whose numbers are missing
in designated sequences of prenumbered documents.
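
The test-data approach and the sequence check described above can be sketched as follows. This is an added example, not material from the textbook: `client_edit_checks` is a hypothetical stand-in for the client's application with one planted deficiency, and the exception code names, master data and transactions are constructed.

```python
# Stand-in for the client's order-to-invoice edit checks (hypothetical; on an
# engagement the test deck is run through the client's own application).
CUSTOMERS = {"C100": {"credit_limit": 500000}}   # constructed master data, in cents
PRODUCTS = {"P1"}


def client_edit_checks(txn):
    """Return the exception codes the stand-in application reports for txn."""
    codes = set()
    customer = CUSTOMERS.get(txn["customer"])
    if customer is None:
        codes.add("INVALID_CUSTOMER")
    if txn["product"] not in PRODUCTS:
        codes.add("INVALID_PRODUCT")
    if customer and txn["ordered_qty"] * txn["order_price"] > customer["credit_limit"]:
        codes.add("OVER_CREDIT_LIMIT")
    # Planted deficiency: only over-shipments are flagged, not under-shipments.
    if txn["shipped_qty"] > txn["ordered_qty"]:
        codes.add("SHIP_QTY_MISMATCH")
    if txn["invoice_price"] != txn["order_price"]:
        codes.add("PRICE_MISMATCH")
    if txn["invoiced_qty"] != txn["shipped_qty"]:
        codes.add("INVOICE_QTY_MISMATCH")
    return codes


# A clean transaction; every test case changes only the fields it needs to.
VALID = {"customer": "C100", "product": "P1", "ordered_qty": 10, "order_price": 2000,
         "shipped_qty": 10, "invoiced_qty": 10, "invoice_price": 2000}

# (case name, field overrides, exception codes the auditor expects to see)
TEST_DECK = [
    ("valid transaction", {}, set()),
    ("missing customer code", {"customer": None}, {"INVALID_CUSTOMER"}),
    ("invalid customer code", {"customer": "ZZZ"}, {"INVALID_CUSTOMER"}),
    ("invalid product code", {"product": "P999"}, {"INVALID_PRODUCT"}),
    ("order over credit limit",
     {"ordered_qty": 300, "shipped_qty": 300, "invoiced_qty": 300}, {"OVER_CREDIT_LIMIT"}),
    ("over-shipment", {"shipped_qty": 12, "invoiced_qty": 12}, {"SHIP_QTY_MISMATCH"}),
    ("under-shipment", {"shipped_qty": 8, "invoiced_qty": 8}, {"SHIP_QTY_MISMATCH"}),
    ("invoice price differs from order", {"invoice_price": 1800}, {"PRICE_MISMATCH"}),
    ("invoice quantity differs from shipment", {"invoiced_qty": 9}, {"INVOICE_QTY_MISMATCH"}),
]


def run_test_deck(application, deck):
    """Return (case, expected, reported) for every case where the two differ."""
    deviations = []
    for name, overrides, expected in deck:
        reported = application({**VALID, **overrides})
        if reported != expected:
            deviations.append((name, expected, reported))
    return deviations


def missing_numbers(document_numbers):
    """Sequence check: numbers absent between the lowest and highest number seen."""
    seen = set(document_numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


if __name__ == "__main__":
    for name, expected, reported in run_test_deck(client_edit_checks, TEST_DECK):
        print(f"Control deviation: {name}: expected {sorted(expected)}, got {sorted(reported)}")
    print("Missing invoice numbers:", missing_numbers([1001, 1002, 1004, 1007]))
```

The clean transaction belongs in the deck as well: a control that flags valid input is as much a deviation as one that misses invalid input.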
Finally, the auditor will need to test the appropriateness of manual follow-up of exceptions
noted by the software application. If exception reports are printed daily, the auditor
might select a sample of exception reports to determine if exceptions are cleared on a timely
basis. The auditor might make inquiries of personnel responsible for clearing exceptions to
determine their awareness of the types of misstatements that might appear on exception reports.
The auditor should also follow through on previously noted exceptions to determine they were
cleared appropriately and on a timely basis.

Fraud Risk Assessment


After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud
risk. The auditor will consider incentives and pressures on management that may push
management toward fraudulent financial reporting, such as the nature of management
compensation plans, or whether management is trying to show a growth trend to investors
or meet previously forecasted revenue targets. The auditor should also be alert to situations
where an employee may have personal reasons to misappropriate assets, such as affording
the costs of private schools or universities. Ultimately, a key aspect of fraud risk relates to
the opportunity that may or may not present itself based on the quality of the system of
internal control. An auditor’s concerns are heightened when the control environment is
weak, or control activities are nonexistent. In not-for-profit organizations, smaller
companies, or governments, segregation of duties may be weak or nonexistent. In these cases,
the auditor with appropriate professional skepticism should consider fraud risk to be high.

lapping: a scheme where an accounting clerk incorrectly classifies cash receipts from one
customer to another in order to cover up the diversion of funds from a customer for personal gain

A common scheme to conceal the misappropriation of cash receipts is called lapping.
The opportunity for a lapping scheme begins when a customer pays cash toward an accounts
receivable balance. Then, an employee steals the cash that is received from the customer. Say
an employee is able to steal a $1,000 payment from Customer A. To prevent Customer A from
complaining, when $1,500 is received from Customer B, it is accounted for as $1,000 from
Customer A and $500 from Customer B. Subsequently, the accounts receivable clerk must
cover the shortage from Customer B with funds from another customer, and so on. Sometimes
the fraudster can solve the problem of keeping this going by falsifying a sales adjustment to
reduce the receivable, or by writing off part of a customer’s balance through a journal entry. The
auditor should be alert to the possibility of fraud when a cash receipt is credited to the wrong
customer, or there is little or no justification for a sales adjustment or receivable write-off.
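
The daily matching controls described earlier for cash receipts (completeness, occurrence, accuracy, cutoff, classification) can be run over the lapping scenario above, as in this added example, which is not from the textbook. All data is constructed; the `ref` field linking journal lines to bank items, monthly accounting periods, and allowing one deposit to be posted in several journal lines are assumptions, and discount recalculation is left out.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the textbook); amounts are in cents.
# BANK is the bank remittance report; JOURNAL is the daily cash receipts journal.
BANK = [
    {"ref": "R1", "customer": "C", "amount": 80000, "date": date(2024, 12, 30)},
    {"ref": "R2", "customer": "B", "amount": 150000, "date": date(2024, 12, 30)},
    {"ref": "R3", "customer": "D", "amount": 98000, "date": date(2024, 12, 31)},
    {"ref": "R4", "customer": "E", "amount": 25000, "date": date(2024, 12, 31)},
    {"ref": "R5", "customer": "F", "amount": 40000, "date": date(2025, 1, 2)},
]
JOURNAL = [
    {"ref": "R1", "customer": "C", "amount": 80000, "date": date(2024, 12, 30)},
    # Lapping pattern: Customer B's $1,500 deposit is posted partly to Customer A,
    # whose own $1,000 payment was never deposited.
    {"ref": "R2", "customer": "A", "amount": 100000, "date": date(2024, 12, 30)},
    {"ref": "R2", "customer": "B", "amount": 50000, "date": date(2024, 12, 30)},
    {"ref": "R3", "customer": "D", "amount": 89000, "date": date(2024, 12, 31)},  # digits transposed
    {"ref": "R5", "customer": "F", "amount": 40000, "date": date(2024, 12, 31)},  # recorded early
    {"ref": "R9", "customer": "G", "amount": 30000, "date": date(2024, 12, 31)},  # no deposit
]


def period(d):
    """Accounting period of a date; monthly periods are an assumption."""
    return (d.year, d.month)


def exception_report(bank, journal):
    """Match journal lines to bank items by reference; return sorted exceptions."""
    bank_by_ref = {item["ref"]: item for item in bank}
    lines_by_ref = defaultdict(list)
    for line in journal:
        lines_by_ref[line["ref"]].append(line)

    exceptions = []
    # Completeness starts from the bank report and looks for a recorded receipt.
    for ref in bank_by_ref:
        if ref not in lines_by_ref:
            exceptions.append(("completeness", ref, "deposit not recorded"))

    # The other four tests start from the recorded population.
    for ref, lines in lines_by_ref.items():
        item = bank_by_ref.get(ref)
        if item is None:
            exceptions.append(("occurrence", ref, "no supporting bank item"))
            continue
        recorded = sum(line["amount"] for line in lines)
        if recorded != item["amount"]:
            exceptions.append(("accuracy", ref, f"recorded {recorded}, bank {item['amount']}"))
        for line in lines:
            if period(line["date"]) != period(item["date"]):
                exceptions.append(
                    ("cutoff", ref, f"recorded {line['date']}, deposited {item['date']}"))
            if line["customer"] != item["customer"]:
                exceptions.append(
                    ("classification", ref,
                     f"posted to {line['customer']}, paid by {item['customer']}"))
    return sorted(exceptions)


if __name__ == "__main__":
    for assertion, ref, detail in exception_report(BANK, JOURNAL):
        print(f"{assertion:<15}{ref:<4}{detail}")
```

The split posting of R2 totals the deposited amount, so only the classification test flags it; Customer A's stolen payment never reaches the bank report, which is why the text ties the completeness control to segregation of duties and immediate recorded accountability.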

Audit Data Analytics as a Risk Assessment Procedure

Audit data analytics is often used to identify transactions or balances with a significant risk of
material misstatement. The first step in planning the use of ADA is determining the overall
purpose of the test. This first step requires business acumen, knowledge of the client, and
an understanding of how ADA might be effective in the audit of revenues and receivables.
For example, if the client is in the construction industry (using the percentage-of-completion
method for revenue recognition), the auditor might use ADA to investigate work in progress
and the gross margins on each project in the fourth quarter compared to gross margins on
completed projects. This may be a way to identify projects with unusually high (or low) gross
margins and focus more tests of details on these contracts.
Alternatively, if the auditor is concerned about fraud risk and premature revenue recognition,
the auditor might use ADA to identify customers with no sales representatives assigned to the
customer, sales transactions with no sales commissions codes, or customers having no cash
receipts during the period. Because anomalies may vary significantly from one client to the
next, ADA are often custom-made to the client’s circumstances.

Audit Reasoning Example  Detailed Analysis of Contracts Reveals Problems at a Construction Company

Toni Koyama is working on the audit of a construction company. Shortly after the fourth quarter
ended, Toni ran some data analytics and has the following information:

| | Quarter 1 | Quarter 2 | Quarter 3 | Quarter 4 |
|---|---|---|---|---|
| Gross margin on work in progress | 15.5% | 15.9% | 16.6% | 18.9% |
| Gross margin on completed contracts | 20.8% | 20.1% | 12.3% | 6.9% |

Toni notes the gross margin on completed contracts declines quarter by quarter. Gross margin
on work in progress actually increases in the fourth quarter. Toni wonders where to look next.
Receivables from customers are increasing, and work in progress inventory is also increasing. Toni
is now concerned in two ways. Does the client have a problem with (1) premature revenue
recognition, (2) the capitalization of costs that should be expensed, or (3) both? Two risks have
clearly been identified. Now, more tests of details of revenues recognized along with work in
progress inventory are warranted.

The Risk of Material Misstatement and Audit Strategy

Once the auditor has tested internal controls, the auditor will determine whether the auditor’s
expectations regarding the effectiveness of internal controls are confirmed. Tests of controls
are performed when the auditor expects that internal controls are effective. If the auditor’s
expectations regarding effective controls are not confirmed, the auditor will need to evaluate
the significance of the deficiencies noted and determine if the client has a compensating
control in place that the auditor might rely on. If no compensating control exists, the auditor will
need to revise the audit strategy as control risk is now higher than initially planned, determine
if fraud risk is increased as a result of the internal control deficiency, and determine how to
revise planned substantive tests for the revenue process. The auditor may need to change
the timing of planned substantive tests related to an assertion from interim testing to testing
year-end balances. The auditor may also have to consider increasing sample sizes when
sampling is involved. If internal controls related to an assertion are ineffective, the auditor
will need to communicate significant deficiencies or material weaknesses to management
and to those charged with governance of the entity.

Cloud 9 - Continuing Case


As Josh and Suzie consider the risk of material misstatement, Suzie notes they have conducted
extensive testing of Cloud 9’s controls over sales, cash receipts, and sending monthly
statements to customers, and many of these were dual-purpose tests. Therefore, they have
assurance about both the quality of internal controls and the fact that tested transactions were
recorded correctly. As they plan substantive tests, Josh confirms that Suzie is thinking
correctly, and that they have already done significant tests of transactions at an interim date.
They will, however, need to update these tests for the period remaining in the fiscal year.

Before You Go On
7.1 If the auditor has identified an IT application control related to the completeness of revenues,
and IT general controls have already been determined to be effective, suggest how the auditor
might test the effectiveness of such IT application controls and related manual follow-up.
7.2 Explain lapping. What might be evidence that lapping has occurred?
7.3 Assume an auditor is auditing a private company that sells computer hardware and offers
servicing contracts to maintain the computer. If internal controls are weak, what are the
implications for developing an audit strategy in the revenue process?

Substantive Tests for the Revenue Process


LEARNING OBJECTIVE 8
Assess detection risk and design substantive tests, including audit data analytics, to
address various assertions in the revenue process.

At this stage the auditor has evaluated inherent risks, evaluated and tested the system of
internal control in the revenue process, and developed an audit strategy. What remains is
performing substantive tests. The following discussion focuses on identifying the appropriate
substantive tests for relevant assertions in the revenue process. It further addresses performing
initial procedures, performing analytical procedures as a substantive test, considering when the
auditor would want to audit an entire population, performing tests of details of transactions,
performing tests of details of account balances, and performing tests of details of presentation
and disclosure assertions. Illustration 11.11 presents a suggested audit program for
substantive tests of revenue process assertions, which is followed by a discussion of each of the
steps.

The audit procedures in Illustration 11.11 are most likely to be associated with
manufacturing companies or wholesalers. If the auditor is auditing a retail grocery store, it is
unlikely to have significant receivables. A hotel is more likely to have significant unearned
revenue than accounts receivable, and the auditor will have to determine the best way to evaluate
unearned revenues. Finally, a college is less likely to have significant receivables from students.
In many cases, students use student loans from sources other than the college or university.

ILLUSTRATION 11.11   Substantive tests in the revenue process

| Category | Substantive Test | Relevant Assertion |
|---|---|---|
| Initial procedure | 1. Obtain an understanding of the business and industry and determine: | All |
| | a. the significance of revenues and accounts receivable to the entity | |
| | b. key economic drivers that influence the entity’s sales, margins, and collections | |
| | c. standard trade terms in the industry, including seasonal dating, collections period, etc. | |
| | d. the extent of concentration of activity with customers | |
| | 2. Perform initial procedures on accounts receivable balance and records that will be subjected to further testing. | Valuation and allocation, Rights and obligations |
| | a. Trace beginning balance for accounts receivable to prior year’s working papers. | |
| | b. Scan the activity in the general ledger account for accounts receivable and investigate entries that appear unusual in amount or source. | |
| | c. Obtain accounts receivable trial balance and determine that it accurately represents the underlying accounting records by: | Valuation and allocation |
| | i. footing the trial balance and determining agreement with (1) the total of the subsidiary ledger or accounts receivable master file, and (2) the general ledger balance | |
| | ii. verifying agreement of customer balances listed on the trial balance with those included in the subsidiary ledger or master file | |
| Analytical procedures | 3. Perform analytical procedures: | All |
| | a. Develop an expectation for accounts receivable using knowledge of the entity’s business activity, market share, normal trade terms, and its history of accounts receivable turnover in days. | |
| | b. Calculate ratios: | |
| | i. compare sales to the entity’s capacity | |
| | ii. compare sales growth and receivable growth | |
| | iii. accounts receivable turnover in days | |
| | iv. uncollectible accounts expense to net credit sales | |
| | v. uncollectible accounts expense to accounts receivable write-offs | |
| | c. Analyze ratio results relative to expectations based on prior years, industry data, budgeted amounts, or other data. | |
| Tests of details of transactions | 4. Vouch a sample of recorded revenue process transactions to supporting documentation. | Occurrence, Accuracy, Cutoff, Classification |
| | a. Vouch recorded revenue transactions to supporting sales invoices, shipping documents, and sales orders. | |
| | b. Vouch cash receipt transactions to supporting bank remittance reports and remittance advices. | |
| | c. Vouch sales adjustment transactions to authorizations for sales returns and allowances or uncollectible account write-offs. | |
| | 5. Trace a sample of revenue transactions from shipments to recording in the sales journal. Also trace a sample of cash receipts and sales returns to their recording in the accounting records. | Completeness |
| | 6. Perform cutoff test for sales and sales returns. | Cutoff |
| | a. Select a sample of recorded sales transactions from several days before and after year-end and examine supporting sales invoices and shipping documents to determine sales were recorded in the proper period. | |
| | b. Select a sample of credit memos issued after year-end, examine supporting documentation such as dated receiving reports, and determine that returns were recorded in the proper period. Also consider whether volume of sales returns after year-end suggest possibility of unauthorized shipments before year-end. | |
| | 7. Perform cash receipts cutoff test. | Cutoff |
| | a. Observe that all cash received through the close of business on the last day of the fiscal year is included in cash on hand or deposits in transit and that no receipts of the subsequent period are included, or | |
| | b. Scan documentation such as daily cash summaries, duplicate deposit slips, and bank statements covering several days before and after year-end for proper cutoff. | |
| Tests of details of balances | 8. Confirm accounts receivable. | Existence, Valuation and allocation, Completeness |
| | a. Determine the form, timing, and extent of confirmation requests. | |
| | b. Select and execute sample and investigate exceptions. | |
| | c. For positive confirmation requests for which no reply was received, perform alternative follow-up procedures: | |
| | • Vouch subsequent cash receipts identifiable with items comprising account balance at confirmation date to supporting documentation. | |
| | • Vouch items comprising balance at confirmation date to documentary support such as sale orders and shipping documents. | |
| | 9. a. Inquire about the sale, factoring, or pledging of accounts receivable. | Rights and obligations |
| | b. Send confirmations to entities that have purchased accounts receivable or hold accounts receivable as collateral. | |
| | 10. Evaluate adequacy of allowance component for each aging category and in the aggregate. | Valuation and allocation |
| | a. Foot and crossfoot the aged trial balance of receivables and agree total to the general ledger. | |
| | b. Vouch amounts in aging categories for a sample of accounts to supporting documents. | |
| | c. For past-due accounts: | |
| | • Examine evidence of collectibility, such as correspondence with customers and outside collection agencies, credit reports, and customers’ financial statements. | |
| | • Inquire about collectibility of accounts with appropriate management personnel. | |
| | d. Evaluate management’s process for estimating the allowance for doubtful accounts using hindsight. | |
| | e. Evaluate the adequacy of the allowance given information about | |
| | • industry trends | |
| | • aging trends | |
| | • collection history for specific customers | |
| Tests of details of presentation and disclosure | 11. Compare statement presentation with GAAP. | |
| | a. Compare disclosures related to existence and rights and obligations of receivables to the results of tests performed above. | Occurrence and rights and obligations |
| | b. Verify that receivables are properly identified and classified as to type and expected period of realization. | Classification and understandability |
| | c. Verify whether there are credit balances that are significant in the aggregate and that should be reclassified as liabilities. | Classification and understandability |
| | d. Verify the appropriateness of disclosures and accounting for related party, pledged, assigned, or factored receivables. | Occurrence and rights and obligations |
| | e. Verify the need for disclosures regarding significant customers or sales by line of business. | Completeness |
| | f. Evaluate the completeness of presentation and disclosures for receivables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. | Completeness |
| | g. Read disclosures and independently evaluate their understandability. | |
| | h. Vouch the accuracy of receivable disclosures to tests performed above. | Classification and understandability, Accuracy and valuation |

Initial Procedures
The starting point for every audit test is obtaining an understanding of the business and industry.
As previously discussed, it is important to understand the entity’s policies regarding revenue recognition,
as well as the entity’s underlying economic drivers that impact total revenues and gross
margin. The auditor should also understand standard trade terms, industry and client collection
experience, seasonal aspects of the industry, and the extent of concentration of business with
particular customers. This knowledge provides the context for evaluating the results of analytical
procedures, tests of controls, and substantive tests. For example, the evidence obtained when
performing detail tests of transactions and balances, such as invoice prices or size of receivables
for particular customers, should be consistent with expectations about industry competitiveness,
the entity’s productive time capacity, and the existence of major customers.
An important initial procedure for verifying accounts receivable and the related allowance
account is tracing the current period’s beginning balances to the ending audited balances
in the prior year’s working papers (when applicable). Next, the current period’s activity in the
general ledger control account and related allowance account should be scanned for any significant
entries that are unusual in nature or amount and that may require special investigation.
For example, the auditor should investigate any receivables and revenues that are not booked
by way of recording sales invoices in the sales journal. In addition, a listing of all customer
balances, called an accounts receivable trial balance, is obtained (usually in digital form). The
auditor uses generalized audit software to foot the accounts receivable trial balance and the
total should be compared with (1) the total of the subsidiary ledger or master file from which
it was prepared and (2) the general ledger control account. The auditor should also compare a
sample of the customer balances shown on the trial balance with that in the subsidiary ledger
and vice versa to determine that the trial balance is an accurate and complete representation
of the underlying accounting records. It can then serve as the physical representation of the
population of accounts receivable to be subjected to further substantive testing.
Alternatively, the auditor can produce the accounts receivable trial balance directly from
the client’s master file using audit software. If the auditor can obtain the client’s records in
machine-readable form, the auditor can also use generalized audit software to identify significant
customers, analyze the volume of transactions with customers, and identify unusual
transactions or a high volume of transactions near year-end. The initial procedures in verifying
the accuracy of the trial balance and determining its agreement with the general ledger
balance relate primarily to the valuation and allocation assertion.

Substantive Analytical Procedures


As discussed extensively in Chapter 9, auditors can use analytical procedures as a substantive
procedure to gather evidence in support of assertions related to account balances or transactions.
However, analytical procedures are not required to be used as a substantive procedure.
Illustration 11.4 provided examples of analytical procedures that are commonly used in the
revenue process. When these analytical procedures are used during risk assessment, the auditors
are using data up through the client’s second quarter and possibly into the third quarter.
If analytical procedures are used as a substantive procedure during risk response, the auditors
are using data through the client’s third quarter or even the entire year if it is after year-end.
Therefore, when used as a substantive procedure, the auditor typically has more data to analyze
and can develop more precise expectations of the accounts receivable balance, of the
relationship of accounts receivable to sales, and of the client’s gross margins.
The auditor may also want to develop analytical procedures that are custom-made for the
client. The more reliable the data, and the more predictable the analytical model, the more
assurance the auditor might obtain from substantive analytical procedures, thus reducing the
extent of tests of details of transactions or balances. For example, analytical procedures comparing
production with revenues may be an effective way to test the completeness of sales and
receivables. If these procedures show that sales are consistent with capacity utilization, the
auditor can reduce the extensiveness of tests of transactions.

Audit Data Analytics as a Substantive Test


The right ADA may be a very effective substantive test of details. For example, many public utilities
have a very high percentage of customers that pay the amount billed each month. Matching
subsequent cash receipts with billings may be a very effective way of testing the occurrence of
revenue and the existence of receivables for consumers that may not respond to confirmations.
The auditor may also learn a great deal by following up on customers with no payments.
If a merchandising client has strong internal controls, the auditor might consider matching
electronic information from the sales order, the shipping documents, and the sales invoice to
test the occurrence and completeness of revenue. The effectiveness of this procedure might
depend on how often items are backordered. Each time an item must be backordered, and an
order is not shipped in its entirety, the transaction will likely require further investigation.

Tests of Details of Transactions


Tests of details of transactions may be performed during interim work along with tests of
controls in the form of dual-purpose tests. Alternatively, tests of details of transactions may
be performed separately. This section describes key tests of details of transactions and the
assertions they are designed to test. Further, this section describes cutoff tests that are usually
performed as part of year-end work.

Vouch Revenue Transactions


To vouch revenue transactions, the auditor will select a sample of sales invoices (see Illustration 11.7)
to vouch to the supporting source documents to provide evidence pertaining to the
occurrence, accuracy, classification, and cutoff assertions. Credit memos can be vouched to
receiving reports and sales adjustment authorizations. These tests will be performed more extensively
when the applicable level of detection risk to be achieved is low, when confirmation
procedures are not practicable, or to supplement confirmation procedures.
Transactions might be selected for vouching by way of a random sample. Alternatively,
the auditor might use ADA to screen 100% of transactions and identify unusual transactions
that do not fit the norm for the company. Determining what fits or does not fit the norm is
a matter of considerable professional judgment that relies on the auditor’s knowledge of the
company and the industry. For example, the auditor of a hotel might review all transactions to
identify unusual amounts of revenues per room and follow up on only high-risk transactions.
The auditor would then vouch the group of high-risk (unusual) transactions.

Trace Revenue Transactions


To test the completeness assertion, the auditor should trace a sample of sales, cash receipts,
and sales adjustment transactions to their recording in the accounting records. For sales, the
auditor should start with a sample of shipping documents (see Illustration 11.7) and trace
transactions to the sales journal. For cash receipts, the auditor would sample items from the
prelist of cash (see Illustration 11.9) and trace them forward to the cash receipts journal. For
sales returns, the auditor would normally start with the sale returns authorization and trace
forward to the receiving report and the entry in accounting records. The completeness of sales
returns may be a particular concern if management has incentives to overstate revenues, and
internal controls over sales returns are weak.

Perform Cutoff Tests for Sales and Sales Returns


The sales cutoff test is designed to obtain reasonable assurance that (1) sales and accounts receivable
are recorded in the accounting period in which the transactions occurred and (2) the
corresponding entries for inventories and cost of goods sold are made in the same period.
Sales should be recorded in the period in which legal title to the goods passes to the buyer.
When goods are shipped from inventory FOB (free on board) shipping point, title passes
on the date of shipment. When the terms of sale are FOB destination, title does not pass
until the buyer receives the goods. As a practical matter, the seller may add one to a few days
to the shipping date to estimate the date the goods will arrive at their destination as a basis for
determining the date on which to record the sale.

FOB shipping point: title passes from seller to buyer when goods are shipped
FOB destination: title passes from seller to buyer when goods arrive at the customer’s warehouse

The sales cutoff test is made as of the balance sheet date. For sales of goods from inventory,
the test involves comparison of a sample of recorded sales from the last few days of the
current period and the first few days of the next period with shipping documents to determine
whether the transactions were recorded in the proper period. When prenumbered shipping
documents are issued in sequence and the auditor is on hand to observe the number of the
last shipping document used in the current period, he or she should make a record of these
numbers in the audit documentation. The auditor can subsequently determine that each sales
transaction recorded prior to year-end is supported by a shipping document with a number issued
in the current period and that each sales transaction recorded after year-end is supported
by a shipping document with a number issued in the subsequent period. Illustration 11.12
provides some examples of potential sales cutoff issues, assuming the shipping terms are FOB
shipping point. For a calendar-year client, if January sales are recorded in December, there is
a misstatement of the occurrence assertion. Conversely, if December sales are not recorded
until January, there is a misstatement of the completeness assertion.

ILLUSTRATION 11.12   Potential sales cutoff issues

Date on the Shipping Documents | Date on the Sales Invoice | Potential Misstatement
December 30, 2022 | December 31, 2022 | No problem
December 30, 2022 | January 3, 2023 | Completeness of revenues and receivables
January 3, 2023 | December 30, 2022 | Occurrence of revenues and existence of receivables
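
The sales cutoff comparison described above, including the three cases in Illustration 11.12, as an added Python example that is not part of the textbook. The sales records, document numbers, five-day window, and two-day transit estimate for FOB destination are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

YEAR_END = date(2022, 12, 31)   # balance sheet date used in Illustration 11.12


@dataclass(frozen=True)
class RecordedSale:
    invoice_no: str
    invoice_date: date     # date the sale was recorded in the sales journal
    ship_doc_no: int       # prenumbered shipping document number
    ship_date: date
    terms: str = "FOB shipping point"   # or "FOB destination"


def title_date(sale, transit_days=2):
    """Date on which legal title passes to the buyer under the sale terms."""
    if sale.terms == "FOB shipping point":
        return sale.ship_date
    if sale.terms == "FOB destination":
        # Assumption: arrival is estimated as ship date plus a few transit days.
        return sale.ship_date + timedelta(days=transit_days)
    raise ValueError(f"unknown shipping terms: {sale.terms!r}")


def cutoff_result(sale, year_end=YEAR_END, transit_days=2):
    """Compare the period the sale was recorded in with the period title passed."""
    recorded_in_current = sale.invoice_date <= year_end
    title_in_current = title_date(sale, transit_days) <= year_end
    if recorded_in_current == title_in_current:
        return "No problem"
    if title_in_current:
        # Title passed before year-end but the sale was booked afterwards.
        return "Completeness of revenues and receivables"
    # Booked before year-end although title passed afterwards.
    return "Occurrence of revenues and existence of receivables"


def ship_doc_in_recorded_period(sale, last_doc_no_current, year_end=YEAR_END):
    """Prenumbered-document check: the shipping document number must belong
    to the same period in which the sale was recorded."""
    recorded_in_current = sale.invoice_date <= year_end
    issued_in_current = sale.ship_doc_no <= last_doc_no_current
    return recorded_in_current == issued_in_current


def run_cutoff_test(sales, last_doc_no_current, year_end=YEAR_END,
                    window_days=5, transit_days=2):
    """Test sales recorded within a few days either side of year-end and
    return (invoice_no, cutoff_result, ship_doc_check_passed) for exceptions."""
    start = year_end - timedelta(days=window_days)
    end = year_end + timedelta(days=window_days)
    exceptions = []
    for sale in sales:
        if not start <= sale.invoice_date <= end:
            continue   # outside the cutoff window
        result = cutoff_result(sale, year_end, transit_days)
        doc_ok = ship_doc_in_recorded_period(sale, last_doc_no_current, year_end)
        if result != "No problem" or not doc_ok:
            exceptions.append((sale.invoice_no, result, doc_ok))
    return exceptions


# Constructed sample data; the first three rows mirror Illustration 11.12.
SAMPLE_SALES = [
    RecordedSale("INV-9001", date(2022, 12, 31), 4510, date(2022, 12, 30)),
    RecordedSale("INV-9002", date(2023, 1, 3), 4511, date(2022, 12, 30)),
    RecordedSale("INV-9003", date(2022, 12, 30), 4513, date(2023, 1, 3)),
    RecordedSale("INV-9004", date(2022, 12, 31), 4512, date(2022, 12, 30),
                 terms="FOB destination"),
    RecordedSale("INV-8000", date(2022, 11, 15), 4100, date(2022, 11, 15)),
]
LAST_SHIP_DOC_2022 = 4512   # last number the auditor observed in the current period

if __name__ == "__main__":
    for row in run_cutoff_test(SAMPLE_SALES, LAST_SHIP_DOC_2022):
        print(row)
```

INV-9004 passes the document-number check yet is still an exception, because that check follows the shipping date while title under FOB destination passes only on arrival.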

The sales return cutoff test is similar and is particularly directed toward the possibility
that returns made prior to year-end are not recorded until after year-end, resulting in the
overstatement of receivables and sales. The correct timing can be determined by examining
dated receiving reports for returned merchandise and correspondence with customers. The
auditor should also be alert to the possibility that an unusually heavy volume of sales returns
after year-end (perhaps up to the end of fieldwork and report date) could signal unauthorized
shipments before year-end to inflate recorded sales and receivables.

Perform Cash Receipts Cutoff Test


The cash receipts cutoff test is designed to obtain reasonable assurance that cash receipts are
recorded in the accounting period in which they are received. A proper cutoff at the balance
sheet date is essential to the correct presentation of both cash and accounts receivable. For
example, if December collections from customers are not recorded until January, accounts
receivable will be overstated and cash will be understated at the balance sheet date. Conversely,
if January collections from customers are recorded in December, cash will be overstated and
accounts receivable will be understated. Thus, this test relates to the existence or occurrence
and completeness assertions for both cash and accounts receivable. When most cash receipts
are received by way of electronic funds transfer or through a lockbox, the process begins by
reconciling the timing of receipt by the bank with recording in a cash receipts journal. The
objective of this procedure is to determine that the deposit slip total agrees with the receipts
shown on the daily cash summary, and that individual cash receipts are properly allocated to
each customer in the correct time period.

Tests of Details of Balances


Two primary sets of procedures in this category of substantive tests for accounts receivable
are discussed below: (1) confirmation of receivables and the related follow-up procedures and
(2) procedures for evaluating the adequacy of the allowance for uncollectible accounts.

Confirmation of Accounts Receivable


Confirmation of accounts receivable involves direct written communication between the
client’s customers and the auditor. The confirmation of receivables is a generally accepted
audit procedure. PCAOB AS 2310 The Confirmation Process and AU-C 505 External Confirmations
state there is a presumption that the auditor will request the confirmation of receivables
during an audit unless:

•  Accounts receivable are immaterial to the financial statements.
•  The use of confirmations would be ineffective as an audit procedure.
•  The auditor’s assessed level of risk of material misstatement at the relevant assertion
level is low, and the other planned substantive procedures address the assessed risk.

An auditor who does not request confirmation of receivables should document in the
working papers how he or she overcame the presumption that confirmations should be requested.
For example, the auditor might state the conclusion, based on the prior year’s audit
experience on that engagement, that it is expected the responses would be unreliable or the
response rates would be inadequate in the current year.
Occasionally, clients have prohibited auditors from confirming any or certain accounts
receivable. Complete prohibition represents a serious limitation on the scope of the audit that
generally results in a disclaimer of opinion on the financial statements. The effect of partial
prohibition should be evaluated on the basis of management’s reasons and whether the auditor
can obtain sufficient evidence from other auditing procedures. Finally, the auditor must
make a decision about the use of positive or negative confirmations. The section “Confirmation”
in Chapter 5 discussed the difference between positive and negative confirmations, and the
desirability of using positive confirmations in most circumstances.
Illustration 11.13 provides an example of a positive confirmation. While confirmations
are signed by the client, they should be controlled and mailed by the auditor. Today, there are
services that can assist the auditor in providing electronic delivery and receipt of confirmations.
A positive confirmation sent electronically will be similar to the confirmation shown in Illustration 11.13.
However, the service allows for the customer to send an electronic response securely
and confidentially to the audit firm. The use of electronic confirmations is increasing rapidly.

ILLUSTRATION 11.13   Example positive confirmation

G.J. Manufacturing
P.O. Box 1922, Denver, Colorado 80123

Industrial Automotive
P.O. Box 131
Spring Green, Wisconsin 53558

This request is being sent to you to enable our independent auditors to confirm the correctness of
our records. It is not a request for payment.

Our records on December 31, 2022, showed an amount of $16,421.08 receivable from you. Please
confirm whether this agrees with your records on that date by signing and returning this form
directly to our auditors. An addressed envelope is enclosed for this purpose. If you find any difference,
please report details directly to our auditors in the space provided below.

Emily Paulson
Chief Financial Officer

The above amount is correct. □

The above amount is incorrect for the following reasons:

Signature and Title of Individual Responding to the Confirmation:


Date:

Please examine this carefully and advise our auditors as to any exceptions at the following
address:
Bell & Bowerman, LLP
Certified Public Accountants
822 17th St., Suite 2200
Denver, CO 80202
A self-addressed envelope is enclosed for your convenience.

THIS IS NOT A REQUEST FOR PAYMENT

Timing and Extent of Requests  When the level of detection risk is low, the auditor
ordinarily requests confirmation of receivables as of the balance sheet date. If the risk of
material misstatement is low, the auditor is willing to accept a higher level of detection risk,
and the confirmation date may be one or two months earlier. In such a case, the auditor is
expected to evaluate material changes between the confirmation date and balance sheet date.
In some cases, the auditor may elect to reconfirm accounts with unusual changes during the
roll-forward period.
The extent of confirmation requests, or sample size, is related to the factors discussed
in Chapter 10 (Illustration 10.4). Stratification may also affect sample size. For example, auditors
frequently seek confirmation of all accounts in excess of a certain dollar amount (less
than or equal to tolerable misstatement) and select a random sample of all other accounts.
Sample size may be determined judgmentally or with the aid of a statistical sampling plan, as
explained in Chapter 10.

Disposition of Exceptions  Confirmation responses will inevitably contain some exceptions.
Exceptions may be attributed to goods in transit from the client to customers, returned
goods, payments in transit from customers to the client, items in dispute, errors, and irregularities.
All exceptions should be investigated by the auditor and their resolution indicated in the
auditor’s documentation. For example, an auditor might vouch customer payments in transit
to cash receipts after confirmation date by the client.

Alternative Procedures for Dealing with Nonresponses  When no response has
been received after a confirmation request to a customer, alternative procedures should ordinarily
be performed. The two main alternative procedures are (1) examining subsequent
collections and (2) vouching open invoices comprising customer balances. The best evidence of
existence and collectibility is the receipt of payment from the customer. Before the conclusion
of the audit fieldwork, the client will receive payments from many customers on amounts owed
at the confirmation date. The matching of such collections back to unpaid invoices comprising
the customers’ balances at the confirmation date establishes the existence and collectibility of
the accounts. In performing this test, the auditor should recognize the possible adverse implications
of collections that cannot be matched to specific transactions or balances. For example, a
round sum amount may, on investigation, reveal items in dispute, and token payments on large
balances may indicate financial instability on the part of the customer. If the customer has not
paid the receivable, the auditor can vouch the receivable to underlying customer orders and
shipping documentation to provide evidence that the receivable exists.
Professional standards acknowledge that the omission of such procedures may be
acceptable when both of the following conditions apply:

•  There are no unusual qualitative factors or systematic characteristics related to the nonresponses,
such as that all nonresponses pertain to year-end transactions.
•  The nonresponses, projected as 100% misstatements to the populations and added to the
sum of all other unadjusted differences, would not affect the auditor’s decision about
whether the financial statements are materially correct.
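
The matching of subsequent collections to unpaid invoices described above, as an added Python example that is not part of the textbook. The two balances equal the nonresponses (NR) in Illustration 11.14; the invoice breakdown, the receipts, and the round-sum and token-payment thresholds are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data: open invoices comprising each nonresponding
# customer's balance at the confirmation date.
OPEN_INVOICES = {
    "Confirmation 10": {"S-7001": Decimal("120000.00"), "S-7044": Decimal("67500.00")},
    "Confirmation 11": {"S-7102": Decimal("42000.00")},
}
# Constructed receipts after the confirmation date:
# (customer, amount, invoice numbers cited on the remittance advice)
SUBSEQUENT_RECEIPTS = [
    ("Confirmation 10", Decimal("120000.00"), ["S-7001"]),
    ("Confirmation 10", Decimal("10000.00"), []),
    ("Confirmation 11", Decimal("500.00"), []),
]

ROUND_SUM_UNIT = 1000           # assumption: multiples of 1,000 count as round sums
TOKEN_SHARE = Decimal("0.05")   # assumption: under 5% of the balance is a token payment


def evaluate_nonresponse(customer, open_invoices, receipts):
    """Match subsequent receipts to the invoices making up the balance and
    report what is supported, what still needs vouching, and what to follow up."""
    invoices = open_invoices[customer]
    balance = sum(invoices.values(), Decimal("0"))
    unpaid = dict(invoices)     # invoices not yet supported by a matched receipt
    supported = Decimal("0")
    follow_up = []
    for cust, amount, cited in receipts:
        if cust != customer:
            continue
        cited_ok = (bool(cited) and len(set(cited)) == len(cited)
                    and all(inv in unpaid for inv in cited))
        if cited_ok and sum((unpaid[inv] for inv in cited), Decimal("0")) == amount:
            # Receipt agrees with specific invoices: evidence of existence
            # and collectibility for those items.
            for inv in cited:
                del unpaid[inv]
            supported += amount
            continue
        # Receipt cannot be matched to specific transactions or balances.
        reasons = []
        if amount % ROUND_SUM_UNIT == 0:
            reasons.append("round sum")        # may reveal items in dispute
        if amount < TOKEN_SHARE * balance:
            reasons.append("token payment")    # may indicate financial instability
        follow_up.append((amount, reasons or ["unmatched"]))
    return {
        "balance": balance,
        "supported_by_receipts": supported,
        # Unpaid items are vouched to customer orders and shipping documents.
        "vouch_to_orders_and_shipping": sorted(unpaid),
        "follow_up": follow_up,
    }


if __name__ == "__main__":
    for name in OPEN_INVOICES:
        print(name, evaluate_nonresponse(name, OPEN_INVOICES, SUBSEQUENT_RECEIPTS))
```

An unmatched receipt is not applied against any invoice, so the related invoices stay on the list to be vouched to orders and shipping documents.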

Audit Reasoning Example  Evaluating Confirmation Exceptions


Brian McIntosh is working on accounts receivable confirmations. Confirmations are sent as
of the interim date of October 31 on a December 31 year-end client. One confirmation comes
back with the customer claiming it was overbilled on an October 29 invoice and the receivable
is overstated as of October 31. Upon investigation with the client, Brian discovers that the
error was actually recognized by the client before the customer noted it, and the client issued
a credit memo on November 4. Brian also recognizes that in spite of the client’s efforts, this
is evidence of a misstatement as of October 31; this will have to be analyzed as a misstatement
in the sample, and the misstatement will be projected on the unsampled portion of the
population.

Summarizing and Evaluating Results  The auditor’s working papers should contain a
summary of results from confirming accounts receivable. The summary should provide data
on:

•  The number and dollar value of confirmations sent and responses received.
•  The proportion of the population total covered by the sample.
•  The relationship between the audited and book values of items included in the sample.

Statistical and nonstatistical procedures may be used to project misstatements found in the
sample to the population, as explained in Chapter 10. The combined evidence from the confirmations,
alternative procedures performed on nonresponses, and other tests of details and analytical
procedures are evaluated to determine whether sufficient evidence has been obtained to
support management’s assertions about gross accounts receivable. Illustration 11.14 provides
an abbreviated example of a working paper evaluating confirmations. (Note: This supports the
analysis working paper shown in Illustration 10.14.)

ILLUSTRATION 11.14   Evaluation of individual confirmations

Bell & Bowerman, LLP
Client: G.J. Manufacturing | Prepared by: W.M.F. 2/8/23
Period-end: 12/31/22 | Reviewed by: C.W.B. 2/18/23
Evaluation of Confirmation Results | Reference: B-3
Objective: Evaluation of Accounts Receivable Confirmations

Confirmation # | Book Value | Confirmed Value | Audited Value | Misstatement | Explanation
1 | $165,000 | $165,000 | $165,000 | |
2 | 310,000 | 300,000 | 300,000 | $10,000 | $10,000 of goods returned. Received on 12/29/22. Credit memo issued 1/3/23.
Stratum 1
10 | 187,500 | NR | 187,500 | | ¥,€
11 | 42,000 | NR | 42,000 | | ¥,€
12 | 20,000 | 20,000 | 20,000 | |
Stratum 2
25 | 35,000 | 25,000 | 25,000 | 10,000 | Goods were billed at the incorrect price, resulting in an overcharge of $10,000.
26 | 12,000 | 2,000 | 2,000 | 10,000 | Incorrect quantity entered on invoice resulting in an overcharge of $10,000.
Stratum 3
27 | 7,600 | 7,600 | 7,600 | |
50 | 5,400 | 5,400 | 5,400 | |

Legend:
NR  No response from customer
¥  Vouched to bill of lading
€  Vouched to subsequent cash receipt

Applicability to Assertions  Confirmations are the primary source of evidence in meeting
the existence assertion for accounts receivable. Acknowledgment of the debt by the customer
in the response confirms that the client has a legal claim on the customer. This test
also provides evidence concerning the rights and obligations assertion. The confirmation of
accounts receivable is not a request for payment, so it does not provide evidence as to the
collectibility of the balance due. However, the responses may reveal previously paid items
or disputed items that affect the proper valuation of the amount due. While confirmations
may provide indications of collectibility problems, the confirmation of accounts receivable
relates only to the valuation and allocation assertion for gross accounts receivables. When a
customer’s response indicates agreement with the book balance, there is evidence that the balance
is complete. However, the evidence about the completeness assertion is limited because
(1) unrecorded receivables cannot be confirmed and (2) customers are more likely to report
errors of overstatement than errors of understatement.

Evaluating the Allowance for Doubtful Accounts


The key accounting estimate involved in the revenue process is the allowance for doubtful
accounts. Audit procedures for this accounting estimate include:

•  Using generalized audit software to foot and crossfoot the aged trial balance of accounts
receivable and agreeing the total to the general ledger balance.
•  Testing the accuracy of the client’s aging by vouching to underlying sales invoices and
shipping documents.
•  Considering evidence concerning the collectibility of past-due amounts by, for example,
inspecting correspondence from customers.
•  Identifying customers with past-due balances and calculating credit histories for customers
with past-due balances.
•  Evaluating prior estimates of uncollectible accounts with subsequent experience and the
benefit of hindsight.
•  Using the evidence obtained above to assess the reasonableness of the percentages used
to compute the allowance component required for each aging category and the adequacy
of the overall allowance.

Auditing the allowance for doubtful accounts may be a good place to use ADA to
evaluate the adequacy of the allowance for doubtful accounts. Consider this example in
the context of Illustration 7.8. The auditor can use generalized audit software to generate
an aging of the client’s master file. The auditor can then use the same aging to identify
customers that do not fit the norm for the client’s normal collection history (e.g., over
90 days past due). Within this population of customers taking over 90 days to pay, the auditor
might identify customers that normally take 90 to 120 days to pay, but pay regularly.
This would be an acceptable variation from the norm. Alternatively, the auditor wants to
pay close attention to customers that demonstrate deteriorating payment history as the
year progresses. For this final grouping, auditors might also examine correspondence with
customers or correspondence with outside collection agencies, review customers’ credit
reports and financial statements, and discuss the collectibility of specific accounts with
appropriate management personnel. Ultimately, the auditor must determine if the potential
misstatement of the allowance for doubtful accounts could aggregate to an amount
greater than or equal to tolerable misstatement. Finally, the auditor may want to use as
much hindsight as possible to evaluate whether outstanding receivables are subsequently
collected.
The allowance for uncollectible accounts is an accounting estimate made by management
that involves both objective and subjective considerations. In essence, it is a prospective
estimate of receivables that will not be collected in the future. The auditor’s responsibility
is to judge the reasonableness of the allowance and the related provision for uncollectible
accounts expense. From the aging data, information about collectibility, and analysis of the
client’s prior experience with uncollectible accounts, the auditor can assess the reasonableness
of management’s method used to determine an appropriate allowance. An important
aspect of evaluating prior experience with the entity involves using hindsight to evaluate prior
estimates of the allowance and subsequent experience in collecting receivables outstanding
at the date of the estimate. When the client’s controls over (1) granting credit and (2) writing
off uncollectible accounts are strong, fewer substantive tests will be required in making this
assessment than when controls are weak.

Tests of Details of Presentation and Disclosure


Illustration 11.11 describes a number of tests of disclosures for the revenue process. It is
common for auditors who are knowledgeable about the company and accounting principles
to carefully read the financial statements and related disclosures. The auditor who reads the
financial statements might also use a disclosure checklist to ensure that all required disclosures
are present. For example, auditors should be alert to the following issues if they are
material:

•  Classification and disclosure requirements include proper identification and classification
for receivables, such as separating trade receivables from other receivables such as
receivables from employees, officers, affiliated companies, and other related parties that
should be separately disclosed.
•  Credit balances in accounts receivable (customers who overpay) should be reclassified as
current liabilities.
•  GAAP requires proper classification of receivables not due within one year to be classified
as noncurrent.
•  GAAP requires disclosures concerning the pledging, assigning, or factoring of receivables.
•  Disclosures may be required regarding significant customers or sales by significant lines
of business.

Evidence relevant to these matters might be obtained by inquiring of management and
reviewing minutes of board of directors’ meetings and loan agreements. Evidence is also obtained
through the audit procedures performed to test other assertions.

Cloud 9 - Continuing Case


Josh and Suzie are finalizing their plans for substantive tests. A significant number of tests of
transactions were accomplished with dual-purpose tests for testing controls, and additional tests
of transactions will be planned after the end of the year for the portion of the year that was not
covered by tests of controls. They plan to send positive confirmations at two months prior to
year-end, and they will use a service that allows for electronic submission of confirmations by
customers. They also concluded that they will use generalized audit software to evaluate the
allowance for doubtful accounts by analyzing every account over 90 days past due to determine if
some customers regularly take long times to pay and are low credit risk, or if customers are
showing signs of deteriorating payment history and are high credit risk. At this point they
believe they have a plan for the remaining substantive tests. Now it is time to perform the
substantive tests and draw an audit conclusion.

Before You Go On
8.1 What is involved in vouching sales transactions to supporting documentation? What documents
would the auditor look at when vouching sales transactions and what assertions are
met by vouching sales?
8.2 What cutoff tests are performed for sales and cash receipts? How are they performed and
what assertions are met by these tests?
8.3 When positive confirmations are used, how does the auditor deal with nonresponses?
8.4 What steps should the auditor perform when auditing the accounting estimate associated
with the allowance for doubtful accounts?
8.5  List several common disclosures required for sales or accounts receivable.

Learning Objectives Review


1  Explain the nature of the revenue process.

The revenue process includes three major classes of transactions: (1) credit sales, (2) cash receipts, and (3) sales adjustments. The primary balance sheet account in the revenue process is accounts receivable, net of the allowance for doubtful accounts. Illustration 11.1 summarizes the transactions that go through the revenue process, and Illustration 11.2 identifies the assertions relevant to the revenue process. Remember, the auditor must obtain sufficient appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion.

2  Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the revenue process.

Different companies in different industries experience various risks associated with the revenue process. Revenue recognition is more problematic in some industries, and some industries have significant transactions that result in cash collection in advance of earning revenues. Illustration 11.3 provides examples of five different industries and how knowledge of the entity and its environment can be used to develop expectations of the financial statements and to assess the risk of material misstatement. This section also addresses common analytical procedures that (1) help the auditor understand the business and (2) may identify significant inherent risks in the financial statements. Illustration 11.5 provides examples of other key factors associated with understanding the entity and its environment and how these factors may influence inherent risk in the revenue process.

3  Determine inherent risk for various assertions in the revenue process.

Common inherent risks in the revenue process relate to the occurrence of revenue and the existence of receivables. This section reviews a number of methods that have been used by companies to overstate revenues. This section also provides an example of how analytical procedures might flag an increased risk of material misstatement for some revenue process assertions. In using professional skepticism, an auditor should be able to recognize factors that increase inherent risk in the revenue process, so that the audit is responsive to these risks.

4  Evaluate control activities for credit sales transactions.

Each entity has a unique system of internal control that is tailored to the entity’s business model and how it brings in revenues. It is important for the auditor to (1) understand the flow of transactions in the revenue process, (2) identify what can go wrong in the revenue process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 11.7 provides an example of the flow of transactions for credit sales; Illustration 11.8 addresses what can go wrong in the process of making credit sales and common controls that might be found to mitigate these risks. This section concludes with a discussion of key controls that are often found related to relevant assertions for credit sales and accounts receivable.

5  Evaluate control activities for cash receipt transactions.

This section continues the discussion of understanding the flow of transactions related to cash receipts. While many companies now receive cash either by electronic funds transfer or a lockbox, this section also discusses how a company should establish initial control over cash and checks if they are received directly from customers. Illustration 11.10 summarizes what can go wrong in the process of receiving cash along with common controls that might mitigate these risks. This section concludes with a discussion of key controls that might be found related to relevant cash receipt transaction assertions.

6  Evaluate control activities for sales adjustment transactions and revenue process disclosures.

The final section on revenue transactions discusses common documents found when goods are returned, and credit is given to customers. Common controls over granting credit for sales returns and allowances, controls over determining uncollectible accounts, controls over selling receivables, and controls over disclosures are also discussed in this section of the chapter.

7  Determine how to design and perform tests of controls in the revenue process and connect the results of control testing to audit strategy.

This final section related to controls in the revenue process discusses the process of testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls, the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the revenue process. The discussion related to fraud risk addresses the risk of lapping techniques, its tie to misappropriation of cash, and various risks of fraudulent financial reporting techniques that the auditor should be alert to. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests.

8  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the revenue process.

The final section of this chapter outlines common substantive tests in the revenue process. Illustration 11.11 provides a common audit program for substantive tests that might be found in the revenue process, and this section explains the importance of each of these tests. The section also reviews professional standards related to sending confirmations to customers and the importance of follow-up procedures when customers fail to respond to confirmations.

Key Terms Review


Bill-and-hold transactions
Consignment sales
Disclosure committee
FOB destination
FOB shipping point
Gross sales
Lapping
Lockbox system
Refund rights

Audit Decision-Making Example

Background Information

Assume that, for the third year, you are auditing sales and accounts receivable of the manufactured products division of United Plastics, Inc. (UPI). You know the following from your risk assessment procedures.

•  The CFO implemented a new computerized accounting system during the prior fiscal year. Tests of controls performed in the prior year’s audit showed that IT application controls were designed effectively and operated effectively.
•  UPI is experiencing significant competition from overseas. As a result, UPI extended an unlimited right-of-return policy to two months to keep sales volume at an economical level since there has been a decline in demand for the company’s manufactured products. This change was made with the knowledge and agreement of the UPI board of directors.
•  All sales are booked upon shipment with sales terms of FOB shipping point.
•  Management continues to receive significant bonuses based on attaining sales volume and profitability targets.
•  The company has strong controls over cash receipts.
•  An IT specialist has determined that UPI’s IT general controls are strong.
•  During the current-year system walkthrough, you learned the company has placed in operation the following programmed control activities: exceptions are printed on an exception report and the transactions are held in a suspense file for follow-up. Manual follow-up procedures appear to be effective based on a system walkthrough.
•  The amount of a sale plus the customer’s accounts receivable balance are compared with the customer’s credit limit before a sales order is approved.
•  All goods taken from inventory are matched with approved sales order information.
•  The software application compares quantities on every sales invoice against shipping information and prices are checked against the master price file.
•  The software application compares the date on the sales invoice with the date on shipping records.
•  The software application matches every sales invoice with an underlying bill of lading, and then it electronically flags the bill of lading so it cannot be matched with another sales invoice.
•  The company generates a monthly aging of accounts receivable report.
•  The company sends monthly statements to customers.
•  An individual independent of sales, accounts receivable, and cash receipts is assigned to follow up exceptions noted by the software application. Manual follow-up appears to be effective based on system walkthrough.

Identify the Issues

Develop an audit strategy for the occurrence of revenues and the existence of receivables.

Gather Information and Evidence

Important information includes:

•  The unlimited two-month right of return policy affects revenue recognition. No internal controls appear to address this issue.
•  Bonuses provide incentives for management to maximize revenues.
•  Prior experience shows that internal controls are effective (except for new policies regarding right of return).
•  Current-year tests of IT general controls show that general controls are strong.
•  A preliminary evaluation based on system walkthrough shows a number of programmed control procedures in the revenue process.
•  Manual follow-up appears to be effective based on system walkthrough.

Analysis and Evaluation of Alternatives

•  Significant inherent risk indicators include (1) the new policy regarding extended right of return and (2) bonuses for maximizing revenues.
•  With the exception of problems associated with the right of return, internal controls appear to be strong. However, revenue appears to have been booked when goods were shipped.
•  For sales made during the last two months, consider using ADA to match cash receipts with sales. Any sales in the last two months that have not been sold through by customers (for which cash has been received) should be treated as consignment sales. Revenue cannot be booked and inventory should be placed back on the books using information from the sales system.

Conclusions Regarding Internal Controls and Audit Strategy in the Revenue Process

•  Inherent risk assessment. Assess inherent risk at the maximum due to right-of-return issues and incentives for management to overstate revenues (and receivables).
•  Control risk and planned tests of controls. Plan to test the following IT application controls related to revenues and sales: (1) comparison of date on sales invoice with date on shipping records, (2) match of every sales invoice with underlying bill of lading, (3) sending of monthly statements to customers. Also, plan to test manual follow-up of exceptions noted by the software application. Review any correspondence with customers disputing items on monthly statements indicating a breakdown in internal control.
•  Detection risk. Plan to send confirmations to customers at an interim date if preliminary assessment of internal controls is confirmed. Receivables confirmed also represent a test of transactions for sales confirmed. Plan to use ADA to match cash receipts with all sales made during the last two months. Any sales in the last two months that have not been sold through by customers (for which cash has been received) should be treated as consignment sales. Revenue cannot be booked and inventory should be placed back on the books using information from the sales system.
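The ADA screen planned in the detection-risk conclusion above can be sketched as follows. This is an added example, not part of the textbook: the record layouts, function names, and sample figures are constructed, and it assumes that only receipts dated on or before year-end count as evidence of sell-through and that a partially paid invoice is adjusted pro rata.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Sale:            # hypothetical layout of a sales-system extract
    invoice: str
    customer: str
    shipped: date
    amount: Decimal    # invoice amount booked as revenue at shipment
    cost: Decimal      # cost of goods relieved from inventory

@dataclass(frozen=True)
class Receipt:         # hypothetical layout of a cash-receipts extract
    invoice: str       # invoice the cash was applied to
    received: date
    amount: Decimal

def screen_return_window(sales, receipts, window_start, year_end):
    """Match cash receipts to 100% of sales shipped inside the return window.

    Returns (exceptions, adjustment, orphans):
      exceptions - (invoice, customer, unpaid amount, cost to restore) per sale
                   with no or partial cash received by year-end
      adjustment - totals for the proposed consignment-style entry
      orphans    - receipts that reference no invoice in the extract
    """
    known = {s.invoice for s in sales}
    applied, orphans = {}, []
    for r in receipts:
        if r.invoice not in known:
            orphans.append(r)              # follow up: misapplied or unrecorded sale
        elif r.received <= year_end:       # assumption: later cash is not counted
            applied[r.invoice] = applied.get(r.invoice, Decimal("0")) + r.amount

    exceptions = []
    revenue = inventory = Decimal("0")
    for s in sales:
        if not (window_start <= s.shipped <= year_end):
            continue                       # outside the right-of-return window
        unpaid = s.amount - applied.get(s.invoice, Decimal("0"))
        if unpaid <= 0:
            continue                       # cash received in full: treated as sold through
        # assumption: restore cost in proportion to the unpaid part of the invoice
        cost_back = (s.cost * unpaid / s.amount).quantize(Decimal("0.01"))
        exceptions.append((s.invoice, s.customer, unpaid, cost_back))
        revenue += unpaid
        inventory += cost_back

    adjustment = {
        "reverse_revenue_and_receivable": revenue,       # Dr Sales / Cr Accounts receivable
        "restore_inventory_and_reduce_cogs": inventory,  # Dr Inventory / Cr Cost of goods sold
    }
    return exceptions, adjustment, orphans

# Constructed sample data (not client data): year-end December 31, two-month window.
SALES = [
    Sale("INV-1001", "Acme", date(2023, 10, 15), Decimal("50000"), Decimal("30000")),
    Sale("INV-1002", "Baker", date(2023, 11, 10), Decimal("20000"), Decimal("12000")),
    Sale("INV-1003", "Cole", date(2023, 12, 2), Decimal("40000"), Decimal("24000")),
    Sale("INV-1004", "Dunn", date(2023, 12, 28), Decimal("15000"), Decimal("9000")),
]
RECEIPTS = [
    Receipt("INV-1002", date(2023, 12, 5), Decimal("20000")),   # paid in full
    Receipt("INV-1003", date(2023, 12, 20), Decimal("10000")),  # partial payment
    Receipt("INV-1004", date(2024, 1, 10), Decimal("15000")),   # after year-end
    Receipt("INV-9999", date(2023, 12, 15), Decimal("5000")),   # no matching invoice
]

def run_sample():
    return screen_return_window(SALES, RECEIPTS, date(2023, 11, 1), date(2023, 12, 31))

if __name__ == "__main__":
    exceptions, adjustment, orphans = run_sample()
    for row in exceptions:
        print(row)
    print(adjustment)
    print("Receipts needing follow-up:", [r.invoice for r in orphans])
```

Receipts that match no invoice are returned separately because they point to a different problem (misapplied cash or an unrecorded sale) than sales awaiting sell-through.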


Multiple-Choice Questions
1.  (LO 1)  An auditor wants to determine that all sales adjustments are recorded. This relates to which of the following transaction-class assertions?
a.  Occurrence.
b.  Completeness.
c.  Accuracy.
d.  Classification.

2.  (LO 1)  If a customer pays its receivable in full but a client fails to record cash received from the customer, which of the following account balance assertions related to accounts receivable is misstated?
a.  Completeness.
b.  Rights and obligations.
c.  Valuation at net realizable value.
d.  Existence.

3.  (LO 2)  Assume that an auditor is auditing a public company client that manufactures computer hardware and markets significant maintenance and consulting services. The auditor should be concerned about which of the following?
a.  Appropriate accounting for commissions on sales.
b.  Significant revenue issues associated with bundling products and services.
c.  More than the usual concern about collection risk.
d.  Significant concerns about the completeness of revenues.

4.  (LO 2)  An auditor is studying a ratio of accounts receivable growth rate to sales growth rate. Which of the following indicates a potential risk of collection problem in accounts receivable?
a.  Sales grew by 10% and receivables grew by 11% from year one to year two.
b.  Sales declined by 2% and receivables declined by 7% from year one to year two.
c.  Sales grew by 10% and receivables declined by 2% from year one to year two.
d.  Sales grew by 5% and receivables grew by 17% from year one to year two.

5.  (LO 3)  An audit client that manufactures and sells goods to a network of authorized dealers may create the equivalent of a consignment sale if the client:
a.  only allows goods to be returned if they are damaged.
b.  allows a cash discount if the receivable is paid within 30 days.
c.  allows an unconditional right of return at any time until the goods are sold by the dealer.
d.  ships goods only on a collect on delivery (C.O.D.) basis.

6.  (LO 4)  Which of the following control activities would most likely assure that no fictitious billings have been posted to the sales journal?
a.  The accounts receivable master file is compared with the general ledger control account.
b.  Each shipment on credit is supported by a prenumbered sales order.
c.  The software application compares each sales invoice with the supporting shipping documents and notes any discrepancies.
d.  The software application compares prices on the sales invoices with prices on the master price list and notes any discrepancies.

7.  (LO 4)  Which of the following control activities would be a reasonable control over the accuracy of recorded sales?
a.  The software application matches sales invoice quantities with the underlying packing slip and prices with the sales order.
b.  The software application prints a report of unfilled sales orders.
c.  The software application prints a report of all bills of lading not matched with a sales invoice.
d.  The software application matches the customer number on the sales invoice with the customer number on the sales order.

8.  (LO 4)  Which of the following is a good example of an IT application control over the occurrence of revenue transactions?
a.  Physical access to computer systems is limited only to specific personnel who work in the revenue process.
b.  The software application compares information on a sales invoice with information from the bill of lading to ensure that sales invoices are only prepared for actual shipments. Any exceptions are not processed and are set aside for manual follow-up.
c.  Computer system changes to the revenue program must be tested and authorized before they are allowed to be used with live data.
d.  Strong segregation of duties exists between computer operations and computer program development.

9.  (LO 5)  A small manufacturing company makes only credit sales. If cash receipts from sales are misappropriated, which of the following acts would most likely conceal this fraud?
a.  Understating the accounts receivable control account.
b.  Understating the accounts receivable subsidiary ledger.
c.  Overstating the sales journal.
d.  Understating the cash receipts journal.

10.  (LO 6)  Sound control activities dictate that defective merchandise returned by customers should be presented initially to:
a.  the receiving department.
b.  the sales manager.
c.  the accounts receivable supervisor.
d.  the credit manager.

11.  (LO 7)  Which of the following situations increases the risk of fraud due to “lapping?”
a.  The sales manager can approve credit limits for customers.
b.  The accounts receivable clerk also has responsibilities for writing a sales invoice.
c.  The shipping clerk in the warehouse has read-only access to sales orders.
d.  The accounts receivable clerk also has responsibilities for receiving cash.

12.  (LO 8)  A cutoff test designed to detect credit sales made before the end of the fiscal year that have been recorded in the subsequent year provides assurance about which of the following management assertions?
a.  Completeness.
b.  Occurrence.
c.  Accuracy.
d.  Classification.

13.  (LO 8)  When sending positive confirmations, which of the following would not be an appropriate way to address nonresponse by a customer?
a.  Search for evidence of subsequent cash receipt from the customer.
b.  Match open invoices to underlying bills of lading and customer orders.
c.  If the customer’s account balance is individually immaterial, conclude that no further work or analysis is necessary.
d.  Assume that the nonresponse is 100% in error and project the misstatement on the population.

Review Questions
R11.1  (LO 1)  If there is a completeness problem with cash receipts, are accounts receivable overstated or understated? Explain.

R11.2  (LO 1)  List three common revenue recognition problems. Illustrate each with an example.

R11.3  (LO 2)  How might the risk of material misstatement in the revenue process differ for a manufacturer of oil and gas field machinery equipment and a retail grocer?

R11.4  (LO 2)  Identify one or two financial ratios that you believe would be useful in identifying revenue recognition problems. Explain your reasoning.

R11.5  (LO 3)  Explain two common inherent risks in the revenue process and explain how each risk is likely to affect the financial statements (e.g., identify the accounts that are likely to be overstated or understated and explain why).

R11.6  (LO 4)  Briefly explain a likely flow of transactions related to authorizing and recording credit sales for a manufacturer that sells its products on credit. Identify the documents involved and explain the process from authorizing the transaction through recording in the general ledger.

R11.7  (LO 4)  Explain a sound control over revenue recognition in the process of making credit sales for a manufacturing company.

R11.8  (LO 4)  Identify a risk of fraudulent financial reporting in the revenue process. Describe a sound internal control that would detect and correct the misstatement on a timely basis.

R11.9  (LO 5)  Identify a risk of misappropriation of assets in the revenue process. Describe a sound internal control that would detect and correct the misstatement on a timely basis.

R11.10  (LO 5)  Briefly explain a likely flow of transactions related to receiving cash from a customer received by way of electronic funds transfer, from the customer’s payment being made through recording in the general ledger.

R11.11  (LO 5)  Explain a sound control over the completeness of cash receipts associated with the situation described in the previous question.

R11.12  (LO 6)  Explain a sound control over a public company’s process for controlling the appropriateness of the allowance for doubtful accounts.

R11.13  (LO 7)  Assume you are auditing a public company with sound IT controls over the occurrence of revenue. Describe the IT control over the occurrence of revenue and how you would test the control.

R11.14  (LO 8)  Explain several important initial procedures in the revenue process. Why should these be performed prior to other substantive procedures?

R11.15  (LO 8)  Explain an effective substantive test related to the cutoff of sales at year-end.

R11.16  (LO 8)  Develop an example of the use of audit data analytics in the audit of accounts receivable.

R11.17  (LO 8)  Explain the audit procedures used to test the adequacy of the allowance for doubtful accounts.

Analysis Problems
AP11.1  (LO 1, 2)  Basic   Understanding the entity and its environment  Your client is a regional
motel chain. It owns 27 properties in your region and manages another 40 properties for absentee owners.
All the motels are located on interstate highways and achieve at least 60% of capacity on a regular basis. In
the past, many motels have been fully booked during the summer travel season; however, the economy
has taken a turn for the worse and people are traveling less.

Required
Explain how your knowledge of the business and industry would impact your audit of total revenues and
accounts receivable for the client.

AP11.2  (LO 2)  Moderate   Analytical procedures  The following data was taken from the production and accounting records for Casuccio Manufacturing, Inc.

                                      Unaudited    Audited     Audited
                                        2023         2022        2021
Operating Data
  Capacity in units                    450,000      450,000     450,000
  Production in units                  450,000      400,000     300,000
  Inventory in units                    32,000       28,000      21,000
Financial Data ($000)
  Total revenues                      $ 35,200     $ 27,500    $ 21,200
  Total assets                        $ 23,000     $ 19,500    $ 15,700
  Accounts receivable, net            $  5,900     $  4,300    $  3,900
  Bad debt expense                    $    175     $    135    $    105
  Accounts receivable written off     $    165     $    125    $    100

Required
a.  Calculate the following ratios for 2023, 2022, and 2021:
1.  Sales to total assets.
2.  Sales to production.
3.  Revenue per unit sold.
4.  Accounts receivable growth to sales growth.
5.  Uncollectible accounts expense to net credit sales.
6.  Uncollectible accounts expense to accounts receivable written off.
7.  Accounts receivable turnover in days.

b. 1.  Describe the implications of the resulting ratios for the auditor’s audit strategy for the year 2023.
2.  What specific assertions are likely to be misstated?
3.  How should the auditor respond in terms of potential audit tests?

AP11.3  (LO 5)  Moderate   Controls over cash receipts  You have been asked by the board of trustees of a local church to review its accounting procedures. As a part of this review, you have prepared the following comments relating to the collections made at weekly services and recordkeeping for members’ contributions:
1. The church’s board of trustees has delegated responsibility for financial management and audit of the financial records to the finance committee. This group prepares the annual budget and approves major disbursements but is not involved in collections or recordkeeping. No audit has been considered necessary in recent years because the same trusted employee has kept church records and served as financial secretary for 15 years.
2. The collection at the weekly service is taken by a team of ushers. The head usher counts the collection in the church following each service. He then places the collection and a notation of the amount counted in the church safe. The next morning, the financial secretary opens the safe and counts the collection again. She withholds about $100 to meet cash expenditures during the coming week and deposits the remainder of the collection intact. To facilitate the deposit, members who contribute by check are asked to make their checks payable to “cash.”

Required
Describe the weaknesses and recommend improvements in procedures for collections made at weekly
services. Organize your answer using the following format:

Weakness Recommended Improvement(s)

AP11.4  (LO 8)  Moderate   Substantive tests of accounts receivable  The following situations were
not discovered by an inexperienced staff auditor in the audit of the Parson Company.
1. Several accounts were incorrectly aged in the client’s aging schedule.
2. The accounts receivable turnover ratio was far below expected results.
3. Goods billed were not shipped.
4. Some year-end sales were recorded in the wrong accounting period.
5. Several sales were posted for the correct amount but to the wrong customers in the accounts
receivable ledger.
6. The allowance for uncollectible accounts was understated.
7. Several sales were entered and posted at incorrect amounts.
8. Mathematical errors were made in totaling the accounts receivable ledger.
9. An unrecorded sale at the balance sheet date was collected in the next month.
10. Several fictitious sales were recorded.
11. The pledging of some customer accounts as security for a loan was not reported in the balance
sheet.
12. Some year-end cash receipts were recorded in the wrong accounting period.

Required
(Use a tabular format for your answers with one column for each part.)
a.  Identify the substantive test that should have detected each error.
b.  For each substantive test identified in a., indicate the account balance assertion to which it
pertains.

AP11.5  (LO 3, 8)  Challenging   Fraud   Research   Inflating advertising revenues—Homestore, Inc.  In 2003, the Securities and Exchange Commission released an Accounting and Auditing Enforcement Release (AAER) describing charges and discipline against five former executives of Homestore, Inc., including the company’s former CEO and CFO. The charges claim the executives developed a scheme to inflate advertising revenues.

Required
Find and read the 2003 AAER related to Homestore, Inc. Explain the scheme that the company used to inflate advertising revenues. What is meant by the term “round-trip” transactions? How were the company’s vendors involved?

Audit Decision Cases


King Companies, Inc.
Questions C11.1 and C11.2 are based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued
growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the
board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric
and Patricia are owned by friends and family who helped the Kings get started. Eric started the company
with one store after working in an auto parts store. To date, he has funded growth from an inheritance
and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to
five additional stores in the next few years.
In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an
annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year
the audit has been requested by the company’s bank because of anticipated bank loans and by a new
private equity investor that has just acquired a 20% share of KCI.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery,
and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
Eric is focused on growing revenues. In his opinion, revenue growth is particularly important to
obtaining bank financing. Patricia trusts the company’s workers to work hard for the company, and she
feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric
tells you that accounting staff enjoy their jobs so much they have never taken any annual vacations, and
hardly any workers ever take sick leave.
There are two people currently employed as accounting staff, the most senior of whom is Jonathan
Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties
and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch
on accounting and does many activities himself, including opening mail, cash receipts and vendor payments,
depositing funds received, performing reconciliations, posting journals, and performing the payroll
function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA exam.
Abby is responsible for the payroll functions and posting all journal entries into the accounting system.
Jonathan and Abby often help each other out in busy periods.

C11.1  (LO 3, 5)  Challenging   Fraud risk


a.  Analysis: Consider the risk of fraud regarding the diversion of cash receipts from customers. How does
this impact your decisions regarding which audit procedures to perform, the timing of audit procedures,
or the extent of procedures associated with auditing revenue assertions? If cash were diverted
from customers, how might Eric or Patricia identify the problem?
b.  Analysis: Explain your assessment of the risk associated with fraudulent financial reporting. How
does this impact your decisions regarding which audit procedures to perform, the timing of audit
procedures, or the extent of procedures associated with auditing revenue assertions?

C11.2  (LO 8)  Challenging   ADA   Audit data analytics for revenue  Analysis: You have been
asked by your audit manager to consider how the audit firm might audit revenues by using audit data
analytics to evaluate 100% of the revenue transactions. Where do you feel that it would be most effective
to audit 100% of the transactions using ADA? In addition to the sales information, what other information
should you consider in your analysis? Develop a specific audit strategy for how you would screen
100% of the revenues, how you would identify exceptions, and how you might consider what would be
acceptable variations from your expectation norm versus unacceptable variations.

Mobile Security, Inc.


Question C11.3 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products
are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military product
designs, both the facilities and records of MSI must be highly secured.
In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that
had been developed in-house. The old system could no longer keep up with the complex and detailed
manufacturing costing process that provides information to support competitive bidding. MSI’s IT department,
together with the consultants from the software company, implemented the new inventory
costing system which went live on December 1, 2022. Key operational staff and the internal audit team
from MSI were significantly engaged in the selection, testing, training, and implementation stages.
The inventory costing system uses various manufacturing costing and unit of production inputs to
calculate and produce a database of all product costs and recommended sales prices. It also integrates
with the general ledger each time there are product inventory movements such as purchases, sales, waste,
and damaged inventory losses.
The following sales invoices are entered in the sales journal for the months of June 2023 and
July 2023, respectively. All goods are shipped FOB shipping point.

      Sales Invoice   Sales Invoice   Cost of
      Amount          Date            Merchandise Sold   Date Shipped
June
a.    $ 30,000        June 21         $20,000            June 29
b.      20,000        June 30           8,000            June 20
c.      10,000        June 29           6,000            June 30
d.      40,000        June 30          24,000            July 3
e.     100,000        June 30          56,000            June 30 (shipped to consignee)
July
f.    $ 60,000        June 30         $40,000            July 1
g.      40,000        July 2           23,000            July 1
h.      80,000        July 3           55,000            June 30

C11.3  (LO 8)  Challenging   Public Company   Sales cutoff tests  Analysis and evaluation: Analyze
the eight transactions shown above. Based on a sales cutoff analysis, record necessary adjusting journal
entries at June 30 in connection with the foregoing data.

Brookwood Pines Hospital


Question C11.4 is based on the following case.

Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas.
During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-
profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023
fiscal year-end.
The healthcare industry can be very complicated, especially in the area of billing for services pro-
vided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nurs-
ing staff to treat patients. The physicians in the private group are not employees of the hospital; they are
simply using the hospital facilities to treat patients. For example, a group of urologists have their own
practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical pro-
cedure that must be done at a hospital, then the attending urologist will approve the paperwork required
to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH
rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital
for the doctors to use when they are treating patients in the hospital.
After the doctor and hospital services are provided to the patient, the patient and/or the patient’s
insurance company is billed. The doctor will bill for the services he or she provided, and the hospital
will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is
standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS.
Using a coding system is more efficient and data-friendly compared to writing a narrative about the
procedures performed. However, the coding system is very complex, with thousands of different codes
for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by
government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated govern-
ment regulations surrounding billings to Medicare and Medicaid.
As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent
profitability. They look for ways to keep costs low and also to collect from patients and insurance companies
as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations
that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state department
of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to
contract with a competing hospital.

C11.4  (LO 8)  Challenging   ADA   Auditing the existence of accounts receivable  Analysis:
Brookwood Pines Hospital has receivables from both insurance companies and from consumers. In the
past, only one in four confirmations has been returned. Internal controls have been tested and are strong.
How might audit data analytics be used to collect evidence regarding the existence of accounts receiv-
able? Develop a specific audit strategy for how you would screen 100% of the revenues (of a particular
type), how you would identify exceptions, and how you might consider what would be acceptable varia-
tions from your expectation norm versus unacceptable variations.

Cloud 9 - Continuing Case


Assume that you are preparing to confirm accounts receivable at December 31, 2022, which is one
month prior to the fiscal year-end of January 31, 2023. The book value of gross accounts receivable
is $71,622,804. Complete the following requirements related to the confirmation of receivables for
Cloud 9 based on previous work and the following information.

Required
a.  Using PPS sampling, determine the sample size that you want to use for sending accounts
receivable confirmations. Draw on the information you learned about PPS sampling in Chapter 10.
The book value of accounts receivable before the allowance for doubtful accounts is $71,622,804.
You make the following assumptions:
•  You set tolerable misstatement for accounts receivable at $3,500,000.
•  Expected misstatement = $750,000.
•  Risk of incorrect acceptance = 37%.
Given these parameters:
1. What do you believe to be appropriate qualitative assumptions for inherent risk and control
risk given the risk of incorrect acceptance used?
2. What do you calculate for sample size?
3. What do you calculate for sampling interval?
b.  After discussion of the sample size with Josh Thomas, the audit team sets tolerable
misstatement at $3,000,000, expected misstatement at $1,750,000, and risk of incorrect acceptance
at 37%. You use a sample size of 73 confirmations. The sampling interval is $981,134. You may
assume that except for the following, you received confirmations from customers that showed no
exceptions. Determine whether the following conditions represent errors for purposes of your
evaluation. Based on your evaluation and the parameters of the sample you designed above,
evaluate the result of confirming accounts receivable.
•  Customer No. 00030 disputed the price on stock number 11205, which was priced at $75 per item
and should have been priced at $60 per item on 1200 items. Cloud 9 issued a credit memo for
$18,000 on January 7, 2023. The book value of the receivable for Customer No. 00030 at
December 31, 2022, was $130,500.
•  Customer No. 00158 with a receivable balance of $730,225 on December 31 disputed receivables
in the amount of $30,500, as a shipment of shoes was not received until January 2, 2023. Further
investigation showed that the customer ordered the goods on December 31, 2022, and they were
not counted in inventory when the inventory was taken on that date. The freight carrier came by
late in the day and picked up the goods, even though the warehouse was normally shut down for
inventory on December 31, 2022. The goods were shipped FOB shipping point. The receivable was
paid in full on January 29, 2022.
•  Customer No. 00651 disputed receivables in the amount of $250,750, as it had been paid on
December 30, 2022. The check from Customer No. 00651 was received and deposited by Cloud 9 on
January 3, 2022. The book value of the receivable for Customer No. 00651 at December 31, 2022,
was $250,750.
•  Customer No. 00850 disputed the balance on the confirmation of $35,700 in its entirety. Further
investigation showed that the balance was charged to the wrong customer. Goods were shipped to
Customer No. 00580. On January 3, 2022, the error was discovered. A credit memo was issued to
Customer No. 00850 and an invoice was sent to Customer No. 00580, which was paid in full on
January 27, 2022.
•  No response was received from Customer No. 10141. Goods in the amount of $944,232 were
shipped on November 1, 2022. Additional goods in the amount of $131,824 were shipped on
December 12, 2022. The receivable balance was $1,076,056 at December 31, 2022. A review of the
cash receipts journal showed that a check for $944,232 was deposited on January 24, 2022. Another
check for $131,824 was received on February 1, 2023.
•  Customer No. 21287 disputed receivables in the amount of $755 claiming that it did not receive
a promised 1% discount associated with the first shipment to a new customer. The book value of
the receivables for Customer No. 21287 at December 31, 2022 was $75,500. The customer
subsequently paid $74,745 on January 29, 2022, and Cloud 9 issued a credit memo in the amount
of $755.
1. Determine the amount of misstatement for each customer listed above.
2. Determine the upper misstatement limit.
3. Draw a conclusion about whether the existence assertion for accounts receivable is presented
fairly at December 31, 2022.

Chapter 12
Auditing the Purchasing
and Payroll Processes

[Figure: The Audit Process. Flowchart of the audit stages by chapter: Overview of Audit and
Assurance (Chapter 1); Professionalism and Professional Responsibilities (Chapter 2); Client
Acceptance/Continuance and Risk Assessment (Chapters 3 and 4), comprising Gaining an Understanding
of the Client, Set Planning Materiality, Identify Significant Accounts and Transactions, and Make
Preliminary Risk Assessments; Gaining an Understanding of the System of Internal Control
(Chapter 6); Develop Responses to Risk and an Audit Strategy; Audit Evidence (Chapter 5); Audit
Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing Substantive
Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10); Auditing the Revenue
Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the
Balance Sheet and Related Income Accounts (Chapter 13); Completing and Reporting on the Audit
(Chapters 14 and 15), comprising Procedures Performed Near the End of the Audit, Drawing Audit
Conclusions, and Reporting.]

Learning Objectives

LO 1  Explain the nature of purchasing transactions and balances.
LO 2  Evaluate how an auditor’s understanding of an entity and its environment affects audit
planning decisions related to purchases.
LO 3  Determine inherent risk for various assertions in the purchasing process.
LO 4  Evaluate control activities for purchase transactions.
LO 5  Evaluate control activities for cash disbursement transactions.
LO 6  Evaluate control activities in an evaluated receipt settlement system.
LO 7  Evaluate control activities for purchase adjustment transactions and purchasing process
disclosures.
LO 8  Determine how to design and perform tests of controls in the purchasing process and connect
the results of control testing to audit strategy.
LO 9  Assess detection risk and design substantive tests, including audit data analytics, to
address various assertions in the purchasing process.
LO 10*  Explain the nature of payroll transactions and balances.
LO 11*  Evaluate how an auditor’s understanding of an entity and its environment affects audit
planning decisions in the payroll process.
LO 12*  Determine inherent risk for various assertions in the payroll process.
LO 13*  Evaluate control activities for payroll transactions.
LO 14*  Determine how to design and perform tests of controls in the payroll process and connect
the results of control testing to audit strategy.
LO 15*  Assess detection risk and design substantive tests, including audit data analytics, to
address various assertions related to payroll.

Auditing and Assurance Standards

PCAOB: AS 1210  Using the Work of a Specialist
Auditing Standards Board: AU-C 620  Using the Work of an Auditor’s Specialist

Cloud 9 - Continuing Case


Josh Thomas (audit senior) and Suzie Pickering (audit staff) are discussing the audit of the
purchasing process for Cloud 9. Cloud 9 products are developed through a collaboration between
Cloud 9’s product development teams and third-party manufacturers. Purchases from manufacturers
represent a material transaction stream, and accounts payable is one of the most significant
current liabilities on Cloud 9’s balance sheet. As Josh and Suzie plan the audit of the purchasing
process, they believe they have a basic understanding of Cloud 9’s business processes. However,
they still need to address a few key issues before they settle on an audit plan. What are the most
significant inherent risks for Cloud 9 in the purchasing process? Do significant fraud risks exist?
Are there significant substantive tests that can be performed at an interim date?

Chapter Preview: Audit Process in Focus


This chapter focuses on decisions about appropriate audit procedures in the purchasing
process. We begin with a discussion of the nature of the purchasing process. We then
address the process of understanding the entity and its environment in the context of an
entity’s purchases and using this knowledge to assess inherent risk. The chapter moves on
to discuss evaluating the system of internal control over purchasing, including understanding
entity-level controls, understanding the document trail, evaluating what can go wrong (WCGW),
identifying controls to test, performing tests of controls, and evaluating control risk and the risk
of fraud. The discussion of the audit trail begins with a more traditional system that includes a
combination of electronic and paper documents. It is followed by a similar discussion involving
a paperless evaluated receipt settlement (ERS) process. At this point, the auditor should be able
to confirm or revise his or her preliminary audit strategy and then execute substantive tests
to reduce audit risk to an acceptable level. The chapter is supplemented by an appendix that
addresses similar issues in the payroll process.

Nature of Purchase Transactions and Balances

LEARNING OBJECTIVE 1
Explain the nature of purchasing transactions and balances.

An entity’s purchasing process consists of activities related to the acquisition of, and payment
for, goods and services. The core purchases transactions are (1) purchasing goods and services
(purchase transactions), (2) making payments (cash disbursement transactions), and (3) pur-
chase adjustments. These transactions are depicted in Illustration 12.1.

ILLUSTRATION 12.1   Purchasing transactions

Purchasing Transactions                   Debit                      Credit
Purchases on credit                       Merchandise Inventory      Accounts Payable
                                          Raw Materials Inventory
                                          Plant Assets
                                          Other Assets
                                          Various Expenses
Cash disbursements (primarily focused     Accounts Payable           Cash
on payment of payables)                                              Purchase Discounts
Purchase adjustment transactions
  Purchase returns and allowances         Accounts Payable           Purchase Returns and Allowances

For companies that purchase goods on account, the transaction should record purchases
and accounts payable upon the receipt of goods. Purchases and accounts payable may be
understated if a company receives goods but then waits to record the transaction until a
vendor’s invoice is received. If discounts are taken for early payment, purchase discounts
are recorded when recording the cash disbursement. In some cases, a company will return
defective goods or claim an allowance for goods that are damaged but still usable upon re-
ceipt. This is included in a discussion of purchase returns and allowances. The discussion of
inventory, cost of goods sold, and cash is deferred to Chapter 13.
Recall that the auditor should obtain sufficient appropriate evidence for each asser-
tion related to the purchasing process. Therefore, the auditor should obtain sufficient
appropriate evidence for the transaction classes, balances, and disclosures outlined in
Illustration 12.2. Finally, the rights and obligations assertion with respect to accounts pay-
able relates to whether accounts payable reflect the recorded liability of the entity. This is
usually tested as part of the existence assertion.

ILLUSTRATION 12.2   Key purchasing process assertions

Relevant Transaction Classes       Relevant Account Balances              Relevant Disclosures
Purchases of materials or goods    Accounts payable                       Payable disclosures
Various expenses                   Various purchased assets               Asset and expenditure disclosures

Assertions                         Assertions                             Assertions
Occurrence                         Existence                              Occurrence and rights and obligations
Completeness                       Rights and obligations                 Completeness
Accuracy                           Completeness                           Classification and understandability
Cutoff                             Valuation and allocation               Accuracy and valuation
Classification                     • Valuation at historical cost
                                   • Valuation at net realizable value

Before You Go On
1.1 Identify two major transaction classes with significant volumes of transactions in the pur-
chasing process.
1.2 Explain the interaction of purchases and cash disbursements with accounts payable. Further,
if cash disbursements are understated, what are the implications for accounts payable?

Understanding the Entity and Its Environment


LEARNING OBJECTIVE 2
Evaluate how an auditor’s understanding of an entity and its environment affects
audit planning decisions related to purchases.

Chapters 3 and 4 explained the importance of understanding the entity and its environ-
ment, and how this understanding is important to assessing inherent risk. As inherent
risk factors vary from industry to industry, from client to client, and from year to year,
each audit must be custom-made to address unique risks. The following discussion will
address the importance of understanding the entity and its environment in the context of
the purchasing process, analytical procedures commonly used in the purchasing process,
other issues associated with the entity and its environment, and the resultant assessment
of inherent risk.

Understanding the Client’s Purchasing Process


The process of purchasing goods and services will vary from entity to entity. In this chapter, the
purchasing process is synonymous with the procurement process. The purchasing or procurement
process involves selecting vendors, establishing payment terms, negotiating contracts, purchasing
goods, receiving goods, and recording purchases and payment of liabilities. Purchasing is concerned
with acquiring (procuring) all of the goods and services that are vital to an organization. It is
particularly important for the auditor to be knowledgeable about the entity, the types of purchases
the entity makes, and how those purchases support the earnings generation of the entity. Every
business has different market forces that place differing demands on the company’s
cash flow. An entity’s net operating cycle represents the time from using cash to purchase goods
or services to collecting cash from the sale of goods or services. For a manufacturer or retailer, the
gross operating cycle is estimated by the average number of days it takes to turn over inventory
and collect receivables. The net operating cycle represents the gross operating cycle reduced by
accounts payable turnover in days, which is the amount of time that an entity’s suppliers will let it
use trade credit before requiring payment for goods and services. Some companies are very adept
at using vendor financing (accounts payable) to finance a significant portion of their operating
cycle. For example, before Dell Computers went private in 2013, it was turning over its inven-
tory approximately every 8 days. Further, Dell Computers was taking approximately 30 days to
collect from its customers (mostly business customers). This adds up to a gross operating cycle of
38 days. However, Dell Computers was taking 41 days to pay its vendors; that is, it used vendor
funds to finance its operating cycle. It is critical for auditors to understand the economic drivers
in the purchasing process and how cash flows through the entity.
Illustration 12.3 illustrates the importance of understanding the purchasing process for
the five different industries that were introduced in Chapter 11. These industries were chosen
for their variety based on the North American Industry Classification System (NAICS).
They include the manufacture of oil and gas field machinery and equipment (NAICS 333132),
the manufacture of electronic computer equipment (NAICS 334111), supermarkets and other
grocery stores (NAICS 445110), hotels and motels (NAICS 721110), and colleges, universities,
and professional schools (NAICS 611310). These examples define a wide spectrum of underlying
business practices and an equally wide spectrum of risk for the auditor. The auditor
would normally obtain an understanding of the client’s business and its economic environment
through previous experience with the entity; information from trade associations, business
periodicals, and newspapers; and from publishers of industry information such as Robert
Morris Associates or Value Line.

ILLUSTRATION 12.3   Understanding an entity’s purchasing process

Oil and Gas Field Machinery and Equipment Manufacturing
Example Industry Traits:
• Purchases range from raw materials (where quality is essential) for the production of drill
bits, drilling pipes, valves, or derricks, to motors used in a variety of oil and gas field equipment
• Wide variety of vendors
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data):
Accounts Payable Turnover in Days: 34
Accounts Payable as a % of Total Assets: 13.7%
Current Ratio: 1.8:1
Quick Ratio: .9:1
Assessing the Risk of Material Misstatement:
• Concerns about recording purchases in the correct time period
• Concerns about increased fraud risk with a high number of vendors
• Concerns about potential for unrecorded liabilities

Electronic Computer Manufacturing
Example Industry Traits:
• Purchases must be managed aggressively to minimize inventory obsolescence
• Significant subcontracting or outsourcing of the manufacturing process
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data):
Accounts Payable Turnover in Days: 30
Accounts Payable as a % of Total Assets: 18.1%
Current Ratio: 1.8:1
Quick Ratio: 1.0:1
Assessing the Risk of Material Misstatement:
• Vendors often offer price concessions or terms such that goods do not have to be paid for until
purchased product is sold, leading to concerns about consignment traits of inventory
• Concerns about purchasing cutoff at year-end
• Concerns about potential unrecorded liabilities

Supermarkets and Other Grocery Stores
Example Industry Traits:
• Purchase a wide array of products including products with perishable characteristics
• Purchasing and supply chain management is an important aspect of profitability
• Wide variety of vendors
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data):
Accounts Payable Turnover in Days: 16
Accounts Payable as a % of Total Assets: 3.4%
Current Ratio: 1.2:1
Quick Ratio: .5:1
Assessing the Risk of Material Misstatement:
• Concerns about accounting for advertising allowances and other price concessions to stock
merchandise
• Concerns about recording purchases in the correct time period
• Concerns about potential unrecorded liabilities

Hotels and Motels
Example Industry Traits:
• Purchases include food for restaurant and convention business
• Purchases are less significant operating costs compared to retailers or manufacturers
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data):
Accounts Payable Turnover in Days: Not Reported
Accounts Payable as a % of Total Assets: 2.4%
Current Ratio: .7:1
Quick Ratio: .6:1
Assessing the Risk of Material Misstatement:
• Purchases, including food, cleaning of linens, and purchases of other supplies that are
moderately material to the entity

Colleges, Universities, and Professional Schools
Example Industry Traits:
• Purchases are incidental to the core product, educating students
• Core process may not be significantly affected by price increases for purchased goods
Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data):
Accounts Payable Turnover in Days: Not Reported
Accounts Payable as a % of Total Assets: 3.3%
Current Ratio: 1.6:1
Quick Ratio: 1.4:1
Assessing the Risk of Material Misstatement:
• Purchases and accounts payable are not central to the core business, resulting in reduced
potential for unrecorded liabilities

It is important for the auditor to understand the nature of the client’s purchasing pro-
cess. The oil and gas field machinery equipment industry produces products such as drill bits,
drilling pipes and motors, derricks, valves, portable rigs, well-monitoring instruments, tubing,
wellheads, blowout preventers, and oil and gas separators. Therefore, manufacturers may have
a wide range and large number of suppliers, which heightens the attention to internal controls
over vendors. Manufacturing computer components can be very capital-intensive, and the
quality of raw materials is very important. However, the actual manufacturing of computers
or tablets may be outsourced, and supply chain management may be a key component of the
purchasing system. The retail grocery industry usually has a very large number and variety
of vendors; control over the supply chain and vendors in the supply chain is critical to prof-
itability in this industry. Purchases of products are less important in the hotel industry, and
purchases of supplies may be even less significant to the operations of a college or university.
The auditor should also consider the industry-related factors of the availability and price
volatility of raw materials. For example, a computer assembler, who may be dependent on a
single vendor for a unique component critical to an assembled product, may face significant
price increases if key components are in demand. An airline’s demand for fuel is another ex-
ample of a key purchase that cannot be substituted and is extremely vulnerable to price swings
or shortages. Alternatively, a retail grocer deals with numerous vendors and prices where in-
tense market competition tends to stabilize prices, and substitute products are available. A
retail grocer may be able to choose among a variety of produce providers, resulting in more
limited exposure to inventory shortages or sudden price swings. Once again, the audit of each
company must be custom-made. Inherent risks differ from one client to the next, and inherent
risks may often differ from one audit to the next for an existing client. Auditors must be alert
to the potential issues unique to a specific audit client. Hence, understanding the nature of
the purchasing process will help auditors identify and assess the inherent risk of material mis-
statement in the purchasing process. Assessing inherent risk related to the purchasing process
is discussed later in the chapter.

Audit Reasoning Example: Taking a Fresh Look at the Client Every Year

Carla has been working as an auditor for about six months. She was assigned to the audit of
Howard’s Hardware (a local hardware and lumber company that has six stores in small
communities in a midwestern state). Carla prepared some of the initial planning documents because
the senior on the engagement was moved to another engagement, and the audit firm believed she
could step up and do the work. Brandon, the audit manager, has just reviewed some of Carla’s plan-
ning documentation. Brandon comments, “It looks like you cut and pasted a lot of the planning
documentation from last year, which is a place to start. But let’s discuss and think deeper about
planning for the current year. What do you think has changed?” Carla replies, “The company has
not opened any new stores, and sales have dropped at a couple of stores, but otherwise it seems to
be doing about the same.” Brandon then asks, “Why is this planning documentation important?”
Carla responds, “The documentation is required by professional standards.” Brandon responds,
“Yes, but it is more than compliance with professional standards. I don’t think an auditor can look
at data and draw appropriate conclusions without having a broader context of what is happening
in the client’s industry. For example, a major lumber company with stores in 20 states has just
entered two markets to compete with Howard’s Hardware. How will new and major competition
change business for Howard’s Hardware? Does Howard’s Hardware have plans for how it will
respond? I know you are not familiar with this industry, but it is important that you and the entire
team be up to speed about how this, and other changes, might influence Howard’s Hardware’s
business. This sets the context for our ability to look at, and understand, the variety of information
we will review during the audit.”

Analytical Procedures
As noted previously, performing analytical procedures as part of risk assessment is cost-
effective and often useful in identifying potential misstatements in the financial statements.
The most effective analytical procedures rely on the auditor’s knowledge of the business and
industry. Some example analytical procedures that may apply to the purchasing process are
presented in Illustration 12.4.

ILLUSTRATION 12.4   Analytical procedures commonly used to audit purchases

Ratio: Accounts payable turnover in days
Formula: 365 ÷ (Cost of sales ÷ Average accounts payable)
Audit Significance: Prior experience in accounts payable turnover in days combined with knowledge
of current purchases can be useful in estimating current payables. A reduction of the period may
indicate completeness problems.

Ratio: Cost of goods sold to average accounts payable
Formula: Cost of goods sold ÷ Average accounts payable
Audit Significance: Unless the company has changed its payment policy, this ratio should be about
the same percentage from year to year.

Ratio: Payables as a percentage of total assets
Formula: Accounts payable ÷ Total assets
Audit Significance: Common-sized percentages in accounts payable are useful to compare with
industry data. A significant decline in payables as a percent of total assets may indicate
completeness problems.

Ratio: Current ratio
Formula: Current assets ÷ Current liabilities
Audit Significance: A significant increase in the current ratio compared to prior years may
indicate a completeness problem. However, this ratio may also be influenced by changes in
current asset accounts.

Many analytical procedures focus on the relationship between purchases and accounts pay-
able. If a company is growing, it is common to expect purchases, inventory, and accounts payable
to grow at approximately the same rates. The auditor’s knowledge of the volume of purchases,
combined with prior experience in terms of accounts payable turnover in days (the average num-
ber of days it takes to retire payables), is useful in estimating current year’s payables. While ratios
like the current ratio are easy to calculate, they may fluctuate based on influences from processes
other than the purchasing process, such as sales or investments. The auditor needs to bring an
appropriate level of professional skepticism to reviewing the results of analytical procedures, and
auditors should be particularly alert to the risk that purchases and payables may be understated
(a problem with the completeness of purchases and payables).

Audit Reasoning Example: Analyzing the Results of Analytical Procedures

Emily White, an audit manager, is reviewing with Steve McKinley, audit staff, the results of
his analytical procedures. Emily notes Steve picked up on the fact that a client’s current ratio
improved significantly, from 1.5:1 to 2.5:1. “However, does this mean that the company is per-
forming better?” Steve responds that he is not quite sure what Emily’s concern is. Emily then
points out that the company’s receivables and inventory have grown about 3–5%, consistent with
sales growth. However, payables are down significantly. Emily goes on, “We need to bring an
appropriate level of professional skepticism to our analytical procedures and analyses. From my
perspective, the improvement in the current ratio is largely due to a significant decline in payables.
We could have a potential problem in unrecorded liabilities and expenses. This needs to be high-
lighted for further investigation. Do you understand my concern now?”
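
The ratios in Illustration 12.4 and the pattern Emily describes can be screened mechanically. The following is an added example, not part of the textbook: the figures are constructed to reproduce the 1.5:1 to 2.5:1 movement, and the 10% threshold, the flag names, and the use of cost-of-sales growth as a stand-in for purchases growth are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class YearEnd:
    """One fiscal year of figures (constructed sample data, $ thousands)."""
    cost_of_sales: float
    receivables: float
    inventory: float
    opening_payables: float           # accounts payable at start of year
    payables: float                   # accounts payable at year-end
    other_current_liabilities: float
    total_assets: float

    @property
    def current_assets(self) -> float:
        return self.receivables + self.inventory

    @property
    def current_liabilities(self) -> float:
        return self.payables + self.other_current_liabilities


def ratios(y: YearEnd) -> dict:
    """The four ratios of Illustration 12.4 for a single year."""
    avg_ap = (y.opening_payables + y.payables) / 2
    return {
        "ap_turnover_days": 365 / (y.cost_of_sales / avg_ap),
        "cogs_to_avg_ap": y.cost_of_sales / avg_ap,
        "ap_pct_total_assets": y.payables / y.total_assets,
        "current_ratio": y.current_assets / y.current_liabilities,
    }


def pct_change(old: float, new: float) -> float:
    return (new - old) / old


def expected_payables(prior: YearEnd, current: YearEnd) -> float:
    """Expectation: payables grow at about the same rate as purchases.
    Cost-of-sales growth stands in for purchases growth (assumption)."""
    return prior.payables * current.cost_of_sales / prior.cost_of_sales


def payables_shortfall(prior: YearEnd, current: YearEnd) -> float:
    """Amount by which recorded payables fall below the expectation."""
    return expected_payables(prior, current) - current.payables


def completeness_flags(prior: YearEnd, current: YearEnd, threshold=0.10) -> list:
    """Year-over-year movements that point toward understated payables."""
    p, c = ratios(prior), ratios(current)
    flags = []
    if pct_change(p["ap_turnover_days"], c["ap_turnover_days"]) < -threshold:
        flags.append("ap_turnover_days_shorter")
    if abs(pct_change(p["cogs_to_avg_ap"], c["cogs_to_avg_ap"])) > threshold:
        flags.append("cogs_to_avg_ap_changed")
    if pct_change(p["ap_pct_total_assets"], c["ap_pct_total_assets"]) < -threshold:
        flags.append("payables_pct_assets_down")
    if pct_change(p["current_ratio"], c["current_ratio"]) > threshold:
        # Recompute the current ratio with payables at their expected level.
        # If the improvement disappears, the decline in payables explains it.
        adjusted = current.current_assets / (
            expected_payables(prior, current) + current.other_current_liabilities
        )
        if pct_change(p["current_ratio"], adjusted) <= threshold:
            flags.append("current_ratio_up_due_to_payables")
        else:
            flags.append("current_ratio_up_other_causes")
    return flags


# Constructed data: receivables, inventory and cost of sales grow 4%.
PRIOR = YearEnd(2100, 400, 500, 440, 450, 150, 2000)
CURRENT = YearEnd(2184, 416, 520, 450, 224.4, 150, 2080)   # payables halve
STEADY = YearEnd(2184, 416, 520, 450, 468, 150, 2080)      # payables also grow 4%

if __name__ == "__main__":
    for name, year in (("prior", PRIOR), ("current", CURRENT)):
        print(name, {k: round(v, 3) for k, v in ratios(year).items()})
    print("flags:", completeness_flags(PRIOR, CURRENT))
    print("payables below expectation by:", round(payables_shortfall(PRIOR, CURRENT), 1))
```

A flag is a prompt for further investigation of possible unrecorded liabilities, not evidence of a misstatement; the STEADY year, where payables track cost of sales, raises none.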

Other Considerations Regarding the Entity and Its Environment

Recall from Chapter 4 (see Illustration 4.1) that an auditor should understand numerous issues
about the entity and its environment. Illustration 12.5 provides examples of situations
and key factors related to an entity that might lead to either a higher or lower assessment
of inherent risk for the purchasing process. Each audit should be viewed independently
from previous audits when an auditor updates his or her understanding of the entity and
its environment.

ILLUSTRATION 12.5   Understanding the entity and its environment related to purchases

| Higher Inherent Risk | Key Factors Regarding the Entity and Its Environment | Lower Inherent Risk |
|---|---|---|
| Many governmental entities may be subject to various “buy American” laws. Companies need to be concerned about purchases from entities in countries where corruption is common. | Compliance with laws and regulations | Purchases are not subject to legal restrictions. |
| The client does not effectively monitor purchasing activity. | Client performance measurement | The client carefully monitors purchases compared to underlying business activity. |
| Significant purchase transactions are conducted with affiliated companies or other related parties. | Related party transactions | There are few or no purchase transactions with affiliated companies or other related parties. |
| Corporate governance provides little or no oversight of management or the purchasing process. | Corporate governance | There is strong corporate governance with oversight of the purchasing process. |
| Payables are not recorded until vendor invoices are received, and little or no attention is paid to month-end cutoff and closing procedures. | Month-end, quarter-end, and year-end closing procedures | When vendor invoices are not received, policies are in place to accrue liabilities for items received and significant attention is paid to month-end cutoff and closing procedures. |

Before You Go On
2.1 Explain how auditing the purchasing process might be different for a retail grocer than for a
college or university.
2.2 Assume that, when performing analytical procedures during risk assessment, an auditor notices
that purchases have grown by 10% while payables have declined by 15%. What assertions
might be misstated?
2.3 Explain how month-end closing procedures might decrease inherent risk in the purchasing
process.

Inherent Risks in the Purchasing Process

LEARNING OBJECTIVE 3
Determine inherent risk for various assertions in the purchasing process.

In assessing inherent risk for purchasing process assertions, the auditor should consider pervasive
factors influencing the understatement or overstatement of payables and expenses. Pervasive
factors that might motivate management to misstate purchasing process assertions include:

•  Pressure to understate expenses in order to report achieving announced profitability
targets or industry norms that were not achieved in reality.
•  Pressure to understate payables in order to report a higher level of working capital when
the entity is experiencing liquidity problems or going-concern doubts.

Both of these pressures lead to a greater risk of understatement of expenses and payables.

The expenditure process is also particularly prone to the risk of employee fraud through
unauthorized disbursements of cash, misappropriation (theft) of purchased assets, and collusion
with vendors to win bids or set prices. If managers, or the auditors, are sufficiently
familiar with industry practices and prices, they might be able to spot these types of problems
at early stages. Other factors that may contribute to misstatements in the purchasing process
include:

•  A high volume (very material amount) of transactions are usually made.
•  Duplicate payment of vendor invoices may occur.
•  Cutoff problems due to failure to accrue liabilities when goods have been received but
vendor invoices have not arrived.

Professional Environment  Duplicate Payments Are a Problem for Companies and Governments

Imagine paying a $40,000 invoice from a vendor twice. What does that do to a company’s cash
flow? In its 2014 Annual Report, [1] the U.S. Government Accountability Office disclosed that it
was involved in preventing such improper payments in the amount of $124.7 billion within just
22 federal agencies. Infor, Inc., a company that helps other companies prevent or detect
duplicate payments, estimates that 0.05% to 0.1% of invoices paid are typically duplicate
payments. [2] For a company with $50 million in annual payments, this could represent a loss
of $150,000. Infor, Inc. suggests some of the most common data entry errors resulting in
duplicate payments include:

•  Misreading a number or letter (e.g., 0 instead of O, or 5 instead of S).
•  Transposing numbers (e.g., 45 instead of 54).
•  Mis-keying or omitting punctuation (such as hyphens or slashes).
•  Omitting leading or trailing zeros (e.g., entering an invoice one time as 456 and the next
time as 000456).

Pyrus, a company that engages in workflow automation, suggests the following problems may be
at the root of many duplicate payments: [3]

•  Poor review of vendor master files allowing duplicate vendors.
•  Failure to double-check for mis-keying or misreading problems similar to those noted above.
•  Entities being too responsive to vendors who request rushed checks (e.g., payment before
receiving an invoice).
•  Payment from multiple source documents.
•  Multiple methods for processing an invoice.
•  Failure to have all invoices sent to a central location.
•  Failure of vendors to provide purchase order numbers on an invoice, making it difficult to
match invoices with purchase orders.
•  Failure to make appropriate approval of a vendor invoice a company priority.
•  Dispute resolution being a low priority.
•  Failure to pay only from original invoices or to mark original invoices “paid.”
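The keying errors listed in this sidebar can be screened for mechanically before payment. The following Python sketch is an added example, not code from the textbook, Infor, or Pyrus: it normalizes invoice numbers for the listed error types and pairs up payments to the same vendor for the same amount. The payment records, field names, and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal
from itertools import combinations

# Letters commonly misread as digits, per the sidebar (O for 0, S for 5).
CONFUSABLES = str.maketrans({"O": "0", "S": "5"})

# Constructed sample payment register (illustrative values only).
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "invoice": "000456",   "amount": "40000.00"},
    {"id": "P002", "vendor": "V100", "invoice": "456",      "amount": "40000.00"},
    {"id": "P003", "vendor": "V200", "invoice": "INV-2045", "amount": "1250.50"},
    {"id": "P004", "vendor": "V200", "invoice": "INV/2054", "amount": "1250.50"},
    {"id": "P005", "vendor": "V300", "invoice": "SO-1150",  "amount": "980.00"},
    {"id": "P006", "vendor": "V300", "invoice": "50-115O",  "amount": "980.00"},
    {"id": "P007", "vendor": "V300", "invoice": "SO-1151",  "amount": "980.00"},   # distinct invoice
    {"id": "P008", "vendor": "V100", "invoice": "456",      "amount": "41000.00"}, # different amount
]


def canonical_invoice_number(raw):
    """Collapse keying variants of one invoice number into a single comparison key."""
    key = raw.upper().translate(CONFUSABLES)   # misread letters
    key = re.sub(r"[^A-Z0-9]", "", key)        # hyphens, slashes, spaces
    key = key.strip("0")                       # leading or trailing zeros
    return key or "0"


def is_adjacent_transposition(a, b):
    """True when b equals a with exactly one pair of neighbouring characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def find_duplicate_candidates(payments):
    """Return (payment_id, payment_id, reason) pairs that need manual follow-up.

    Only payments to the same vendor for the same amount are compared, which
    keeps the deliberately aggressive normalization from flooding reviewers.
    """
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], Decimal(p["amount"]))].append(p)

    findings = []
    for group in groups.values():
        for a, b in combinations(group, 2):
            ka = canonical_invoice_number(a["invoice"])
            kb = canonical_invoice_number(b["invoice"])
            if ka == kb:
                findings.append((a["id"], b["id"], "same invoice number after normalization"))
            elif is_adjacent_transposition(ka, kb):
                findings.append((a["id"], b["id"], "adjacent characters transposed"))
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_candidates(PAYMENTS):
        print(finding)
```

The output is a candidate list for manual follow-up, not proof of a duplicate: recurring invoices for a fixed amount will also pair up when their numbers differ only by a swap.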

Finally, when auditors perform analytical procedures during risk assessment, they should
develop a skill in analyzing the likely assertions that might be misstated based on the data. For
example, consider the following information. Take a moment, study the data, and consider
what assertions might be at an increased risk of misstatement.

| | Current Year ($000) | Current Year (Percentage) | Prior Year ($000) | Prior Year (Percentage) |
|---|---|---|---|---|
| Revenues | $5,638 | 100.0% | $3,780 | 100.0% |
| Cost of goods sold | $2,691 | 47.7% | $1,975 | 52.2% |
| Gross profit | $2,947 | 52.3% | $1,805 | 47.8% |
| Accounts payable, net | $180 | | $164 | |

| | Current Year | Prior Year |
|---|---|---|
| Revenue growth | 49% | 33% |
| Accounts payable growth | 9% | 30% |
| Cost of goods sold growth | 36% | 34% |
| Accounts payable turnover in days | 24 days | 31 days |
| Inventory turnover in days | 180 days | 189 days |

[1] U.S. Government Accountability Office, 2014 Annual Report: Additional Opportunities to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits (Washington, DC, April 2014).
[2] Infor.com, White Paper, Detecting and Preventing Duplicate Invoice Payments (New York, NY, 2015).
[3] Pyrus.com, https://pyrus.com/en/blog/2016/07/duplicate-payment.html (accessed December 15, 2018).

The data show a company that is clearly experiencing rapid growth. While cost of
goods sold has grown by 36%, payables have only grown by 9%, and gross margins have
improved. The lack of growth in accounts payable should heighten the auditor’s profes-
sional skepticism with respect to the completeness of payables and cutoff of purchases and
payables. In summary, significant inherent risks exist for the completeness of purchases
and payables.

Professional Environment  Restatements Related to Expense Recording and Liabilities

Audit Analytics [4] recently reported a summary of restatements due to expense recording and
liability issues for a 17-year period ending in 2017. Two categories of restatements are
relevant to the purchasing and payroll processes. The first category is entitled Expense
(Payroll, SGA, Other) Recording Issues. Expense recording issues consist of errors or
irregularities in approach, theory, or calculation associated with the expensing of assets or
understatement of liabilities. These issues can arise from any number of areas, including
failure to record certain expenses, reconcile certain amounts, or record certain payables on a
timely basis. Issues with payroll and SG&A expenses are also identified in this category.

| Disclosure Year | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Expense recording issues | 144 | 153 | 286 | 236 | 135 | 114 | 124 | 95 | 61 | 78 | 104 | 81 | 77 | 959 |
| % of all financial statement restatements | 15.6% | 9.7% | 15.5% | 18.5% | 14.0% | 13.8% | 14.6% | 11.2% | 7.2% | 8.9% | 12.1% | 10.7% | 11.3% | 10.7% |

The second category is entitled Liabilities, Payables, Reserves, and Accrual Estimate Failure.
This category consists of errors, irregularities, or omissions associated with the accrual or
identification of liabilities on the balance sheet. The underlying cause of these misstatements
ranges from failures to record pension obligations to problems with establishing the correct
amount of liabilities for leases and other liabilities. The category also includes the failures
to record deferred revenue obligations or normal accruals.

| Disclosure Year | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Liabilities, payables, reserves, and accrual estimate failure | 151 | 224 | 237 | 237 | 101 | 87 | 102 | 86 | 76 | 89 | 97 | 89 | 78 | 63 |
| % of all financial statement restatements | 15.9% | 14.2% | 12.7% | 18.5% | 10.5% | 10.5% | 12.0% | 10.2% | 8.9% | 10.2% | 11.3% | 11.8% | 11.5% | 11.4% |

In the last four years of this period, the expense recording issues have leveled out between
10.7% and 12.1% of all restatements. The liabilities, payables, reserves, and accrual estimate
failure have also leveled out in the last four years of the period, ranging between 11.3% and
11.8% of all restatements.

[4] Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

Cloud 9 - Continuing Case

Josh and Suzie review what they know about Cloud 9’s purchasing function. Cloud 9’s product
development teams work closely with a variety of manufacturers around the globe. Cloud 9 has
been particularly concerned about the quality of manufacturing when choosing manufacturers.
Cloud 9’s CFO, David Collier, has also expressed concerns about risks inherent in the
purchasing function globally. David has had several meetings with accounting staff to raise
awareness about the risk of duplicate payment or fictitious vendors. Further, he has placed
a top priority on regular screening of the master vendor file to ensure the file is kept
current, old vendors are removed from the file, and the file represents an accurate list of
current vendors and manufacturers that Cloud 9 does business with. However, Josh points out to
Suzie that inherent risk is still high related to the occurrence assertion for purchases and
that the quality of Cloud 9’s internal control will likely allow for a low control risk
assessment. Further, Josh and Suzie are concerned about potential cutoff problems that may
lead to unrecorded liabilities; therefore, inherent risk is also assessed as high for the
completeness of purchases.

Before You Go On
3.1 Identify several pervasive factors that might motivate management to misstate assertions in
the purchasing process.
3.2 Why are auditors more concerned about the understatement of liabilities rather than the
overstatement of liabilities?
3.3 Identify several analytical procedures the auditor might use to assess the likelihood that a
material misstatement might exist in the purchasing process. Would the analysis of accounts
payable turnover in days provide for more accurate analysis of accounts payable than analyz-
ing the current ratio? Explain.

Control Activities for Purchases

LEARNING OBJECTIVE 4
Evaluate control activities for purchase transactions.

The quality of entity-level controls is important to the effective functioning of transaction-level
controls. In particular, auditors should understand the combined effect of the control environment
and an entity’s risk assessment activities in establishing an awareness within the entity
about the risk of misappropriation of assets in the purchasing process, the potential for dupli-
cate payments, and the risk of failure to accrue expenses and payables due to cutoff problems.
A strong tone at the top about the importance of accurate financial reporting also discourages
the under-accrual of expenses and liabilities.
The discussion for the remainder of this chapter focuses on transaction-level controls.
When understanding transaction-level controls and performing a system walkthrough, audi-
tors should always be alert to understanding the influence of the control environment on the
effective operation of transaction-level controls.
The process used for developing an audit strategy for various assertions involves the following
six steps:

1. Understanding the flow of transactions in a given transaction process.
2. Identifying what can go wrong (WCGW) from initiating the transaction to recording
it in the general ledger. The auditor needs to link what can go wrong to relevant
assertions.
3. Assessing whether controls exist to mitigate what can go wrong.
4. Identifying relevant controls, performing tests of controls, and evaluating results.
5. Reporting internal control weaknesses to those charged with governance of the entity,
based on controls that are absent or controls that are not operating effectively.
6. Determining an audit strategy at the assertion level.

Now think about the five industries that were mentioned at the beginning of this chapter.
It is likely the demands in the purchasing process will be different for a computer manufac-
turer than for a retail grocery chain or a college and university. Today, many larger companies
use a heavily automated system with electronic data interchanges between a company and
its suppliers. However, many governments and private companies continue to use a more
paper-intensive environment to provide an audit trail for transactions recorded in a computer-
ized accounting system. The following discussion of purchases and cash disbursements begins
with illustrations of systems that use a higher level of documentation in the audit trail. Subse-
quently, the chapter has a section on evaluated receipt settlement (ERS). ERS and electronic
invoice presentment and payment (EIPP) systems are highly automated with significant elec-
tronic data interchange. A comparison of the two systems displays very different methods of
recording and controlling purchases, payables, and cash disbursements. The paper-intensive
system is discussed in this chapter in “Control Activities for Purchases” and “Control Activities
for Cash Disbursements,” while the automated system is discussed in “Evaluated Receipt Set-
tlement (ERS).”
Many of the controls discussed in this section focus on IT application controls im-
plemented by a company. The assumption is made that IT general controls are strong,
and the auditor will need to understand and eventually test the effectiveness of manual
follow-up of exceptions noted by IT application controls.

Example Transaction Flows—Credit Purchases


The transaction flow in a typical process for a client purchasing goods includes approving
purchases, receiving goods, and recording purchases and accounts payable.
Common documents and files that are found in the process of selling goods include:

Source Documents and Related Electronic Files

•  Purchase requisition—Written request for goods or services by an authorized individual
or department.
•  Approved vendor master file—Electronic file containing pertinent information on
vendors and suppliers that have been approved to purchase services from and make
payments to.
•  Purchase order—Written offer from the purchasing department to a vendor or supplier to
purchase goods or services specified in the order.
•  Receiving report—Report prepared on the receipt of goods showing the kinds and quantities
of goods received from vendors.
•  Vendor invoice—The bill from the vendor that states the number of items shipped or services
rendered, the amount due, the payment terms, and the date billed.

Recording Document

•  Voucher—An internal document used to record a purchase on account. The voucher has
information about the vendor, the amount due, the payment date, and due date. Many
purchase systems require a complete packet of purchase information (e.g., purchase
order, receiving report, and vendor invoice) before approving a purchase for payment.
This is also referred to as a three-way match.
•  Purchases journal—The journal of original entry where each purchase is recorded.

Important Databases or Other Documents

•  Purchases database—Electronic files that accumulate data on purchases, accounts
payable, and cash disbursements.
•  Monthly statements received from vendors—A monthly statement often sent by a vendor
that shows the beginning payable balance, transactions during the month, and the ending
payable balance (even if it is zero).

An example of how these documents commonly flow is illustrated in Illustration 12.6,
which is followed by a brief discussion of how purchases on credit are processed in many
companies.

ILLUSTRATION 12.6   Example flow of transactions for purchases

[Flowchart with three columns: Process; Documents (internal and external); Files and Databases.
Authorization: department requisitions goods; prepare purchase order (purchase order; vendor
master file; purchasing and G/L database). Receiving: receive goods (receiving report;
purchasing and G/L database). Recording: receive vendor invoice (vendor’s invoice); prepare
voucher to record purchase (voucher); record in purchases journal (purchasing and G/L
database); post to general ledger; record in A/P subsidiary ledger (vendor’s monthly statement).]

Initiating and Authorizing Purchases


Initiating a transaction is the process of agreeing to a transaction with an independent
third party. For smaller transactions, a department may have more latitude in purchas-
ing goods, and company credit cards may be used by authorized personnel for smaller
purchases. When management grants greater latitude to a department in initiating trans-
actions, strong budget and accountability controls over a department’s expenditures are
usually established.

Controls over an authorized vendor list. The process of approving vendors for the delivery
of goods and services is a critical control. If management establishes strong controls over
putting authorized vendors on an authorized vendor list, it is difficult for employees to initiate
transactions with fictitious vendors. The master vendor file should also be reviewed on a reg-
ular basis to remove old vendors or potential duplicate vendors. For example, a vendor might
show up twice in a master vendor file, once with an address of 1800 Southwest Fifth Avenue,
and again with an address of 1800 SW 5th Ave. Having the same vendor with the same address
written in two different ways increases the risk of duplicate payments.
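A periodic vendor master review of the kind described in the preceding paragraph can be automated. The following Python sketch is an added example, not from the textbook: it flags vendors whose addresses match once common spellings are abbreviated, and vendors with no recent payments. The field names, the abbreviation table, the two-year inactivity threshold, and the vendor records are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Spelled-out words mapped to one abbreviation so both spellings compare equal.
ABBREVIATIONS = {
    "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W",
    "NORTHEAST": "NE", "NORTHWEST": "NW", "SOUTHEAST": "SE", "SOUTHWEST": "SW",
    "AVENUE": "AVE", "STREET": "ST", "BOULEVARD": "BLVD", "ROAD": "RD",
    "DRIVE": "DR", "SUITE": "STE",
    "FIRST": "1ST", "SECOND": "2ND", "THIRD": "3RD", "FOURTH": "4TH",
    "FIFTH": "5TH", "SIXTH": "6TH", "SEVENTH": "7TH", "EIGHTH": "8TH",
    "NINTH": "9TH", "TENTH": "10TH",
}

REVIEW_DATE = date(2024, 12, 31)  # assumed date of the periodic review

# Constructed vendor master records (illustrative values only).
VENDOR_MASTER = [
    {"id": "V100", "name": "Pacific Supply Co", "address": "1800 Southwest Fifth Avenue",
     "postal_code": "97201", "last_paid": date(2024, 11, 20)},
    {"id": "V187", "name": "Pacific Supply Company", "address": "1800 SW 5th Ave",
     "postal_code": "97201", "last_paid": date(2024, 12, 5)},
    {"id": "V210", "name": "Harbor Freightways", "address": "22 North Main Street, Suite 400",
     "postal_code": "60601", "last_paid": date(2021, 3, 15)},
    {"id": "V305", "name": "Harbor Freightways Inc", "address": "22 N. Main St., Ste 400",
     "postal_code": "60601", "last_paid": date(2024, 10, 1)},
    {"id": "V400", "name": "Cascade Tooling", "address": "1800 SW 15th Ave",
     "postal_code": "97201", "last_paid": None},
]


def normalize_address(address):
    """Reduce an address to upper-case tokens with common words abbreviated."""
    text = re.sub(r"[.']", "", address.upper())         # "S.W." becomes "SW"
    tokens = re.sub(r"[^A-Z0-9]+", " ", text).split()   # other punctuation becomes a space
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def duplicate_vendors(master):
    """Group vendor ids that share a normalized address and postal code."""
    by_address = defaultdict(list)
    for vendor in master:
        key = (normalize_address(vendor["address"]), vendor["postal_code"])
        by_address[key].append(vendor["id"])
    return [ids for ids in by_address.values() if len(ids) > 1]


def stale_vendors(master, as_of, max_idle_days=730):
    """List vendors never paid, or not paid within max_idle_days of the review date."""
    return [v["id"] for v in master
            if v["last_paid"] is None or (as_of - v["last_paid"]).days > max_idle_days]


if __name__ == "__main__":
    print("Possible duplicates:", duplicate_vendors(VENDOR_MASTER))
    print("Stale or never paid:", stale_vendors(VENDOR_MASTER, REVIEW_DATE))
```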
Requisition goods and services. The purchase requisition is often prepared electroni-
cally and represents the start of the transaction trail of documentary evidence in support
of management’s assertion of occurrence of purchase transactions. Purchase requisitions
usually are initiated from the warehouse for inventoried items or any department for items
that are not in inventory. Most companies permit general authorizations for regular oper-
ating items included in a department’s operating budget. The permitted dollar amount is
often tied to the employee’s responsibilities within the entity. In contrast, company policy
frequently requires specific, high-level authorizations for capital expenditures and lease
contracts.
In an IT system, unique purchase requisitions should be sequentially numbered regard-
less of the originating department. Creation of electronically prepared requisitions should
require entry of a valid employee number. The software uses that number to confirm that
the requisition is within the authorization limit set for that employee. The software will also
screen the input fields for errors such as negative numbers, characters in a numeric field,
and so on. Rejected data often must be dealt with immediately in online systems. A report
of missing or out-of-sequence requisitions should be routinely produced, and any exceptions
promptly investigated.
Preparing purchase orders. The purchasing department should have the authority to issue
purchase orders only on the receipt of properly approved purchase requisitions. Preparing
the purchase order continues the process of initiating a transaction. The role of purchasing
is to ascertain the best source of supply. Purchase orders should contain a precise description
of the goods and services desired, quantities, price, and vendor name and address. Purchase
orders should be prenumbered and accounted for, which enables the tracking of each trans-
action from initiation, to receipt of goods or services, to recording the purchase, and to final
payment. The original purchase order is usually sent to the vendor and copies are electroni-
cally distributed internally to the receiving department, the accounts payable department, and
the department that submitted the requisition. The quantity ordered is generally omitted on
the receiving department’s copy so that receiving clerks will make careful counts when the
goods are received. Depending on the extent of the IT system, the only hard copy document
generated would be the purchase order that is sent to the vendor. Many companies eliminate
this hard copy by using electronic data interchange with their suppliers.

Receipt of Goods and Services


Preparing a receiving report. A valid purchase order represents authorization for the receiv-
ing department to accept goods delivered by vendors. The receipt of goods usually results
in the exchange of title and the establishment of a liability. Receiving department person-
nel should compare the goods received with the description of the goods on the purchase
order, count the goods, and inspect the goods for damage. A prenumbered receiving report
should be prepared for each order received to document that goods have been received, and
a liability should be established. In IT systems, the receiving report may be prepared by
using information already in the system and adding the appropriate data for quantities
received. The software should compare the quantity ordered to that received and gener-
ate an exception report for appropriate follow-up. An entity should keep received goods
in secure storage with limited access and proper surveillance. Most electronic perpetual
inventory systems allow warehouse management to keep track of inventory by specific
location in the warehouse.
The receiving report is an important document supporting the occurrence assertion for
purchase transactions. In addition, most companies prepare daily reports of anything received
that has not resulted in vouchers (the recording of an accounts payable) to control the
completeness assertion for purchases and accounts payable. The information on the receiving
report is forwarded to accounts payable via a paper copy of the receiving report or electroni-
cally. Receiving reports are rarely prepared for the receipt of services (e.g., utility bills, rent, or
accounting services) and management usually documents receipt of a service by approving a
copy of the vendor invoice for payment.

Recording Purchases
The receipt of a good or service usually establishes an obligation for an entity to record
a transaction as a liability. Many companies create a voucher (an internal, prenumbered
document) to recognize the liability and record it in the purchases journal or voucher
register. Usually, the accounts payable department is responsible for ensuring that pur-
chases are accurately recorded. Controls over the recording of the payables are particu-
larly important because once a liability is established, it also authorizes the payment of
the liability.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Purchases and Accounts Payable
Once the auditor understands the flow of transactions, the auditor should evaluate what can
go wrong, identify potential controls management has placed in operation, and then choose
key controls to test. In doing so, it is important for the auditor to understand the logic used by a
software application to flag potential misstatements for investigation. Illustration 12.7 sum-
marizes the flow of transactions through the purchasing process, key documents and files,
what can go wrong, and example controls for a manufacturing client making purchases on
credit. As you review Illustration 12.7, try to associate particular controls with the assertions
being controlled.

ILLUSTRATION 12.7   Purchase transactions—WCGW and example controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control |
|---|---|---|---|
| Authorizing purchases | Vendor master file | Purchases may be made from unauthorized vendors. | Only a limited number of individuals can change the vendor master file, and these duties are segregated from receiving goods or recording transactions. All file changes are reviewed by appropriate levels of management. The master vendor file is also reviewed to remove old vendors or duplicate vendors. |
| | Purchase requisition | Unauthorized purchases may be made. | The software application determines individuals who have authority to initiate a purchase. Budgetary responsibility and account numbers for items purchased are established at this time. Purchase requisitions are prenumbered and accounted for. |
| | Purchase order | Unauthorized purchases may be made. | Purchases can only be made from approved vendors. Purchase order establishes evidence of items ordered and price agreed with vendor. Purchase orders are prenumbered and accounted for. |
| Receiving goods | Perpetual inventory | Goods received may not have been ordered. | The software application matches all goods received to approved purchase order. |
| | Receiving report | Products may be received without generating a receiving report. | The software application prints a report of all unfilled purchase orders for follow-up by ordering department. Receiving reports are also prenumbered and accounted for. |
| | Receiving report | Goods ordered may not be received. | The software application prints a report of all unfilled purchase orders for follow-up by ordering department. |
| Recording purchases | Voucher and purchasing database | Purchases may not be recorded. | The software application prints a report of goods received that have not resulted in a voucher. A month-end accrual is made for items received in the warehouse, but the vendor’s invoice has not been received. Vouchers are prenumbered and accounted for. |
| | Voucher and purchasing database | Purchases may be made for fictitious transactions, or duplicate payments may be made. | Vouchers are only recorded when a vendor’s invoice is received. The software application matches voucher and vendor invoice information with the receiving report. The purchase order and vendor’s invoice are marked as recorded, so they cannot be recorded again. |
| | Voucher and purchasing database | Purchases may be recorded in the incorrect accounting period. | The software application matches the voucher date with the accounting period in which goods are received. |
| | Voucher and purchasing database | Purchases may be recorded in the incorrect amount (incorrect quantities or prices). | The software application matches voucher quantities with receiving information and prices with the purchase order. |
| | Voucher and purchasing database | Vouchers may be posted to incorrect accounts. | The software application checks account numbers on the voucher to underlying purchase requisition and purchase order. |
| | Voucher and purchasing database | Payable may be posted to the wrong vendor. | The software application matches vendor number on voucher with vendor number on the purchase order. |
| | Vendor’s monthly statements | Vendors’ invoices may be recorded in incorrect amounts. | Monthly statements from vendors are compared with the accounts payable subsidiary ledger. |

Many clients build in redundant controls such that if one control does not find a mis-
statement, another control will detect the problem. Many clients put both preventive
and detective controls in place. However, auditors cannot efficiently test all controls that
exist. The auditor will find a key control by identifying the most important control for
each assertion. Following are example key controls auditors often identify. The examples
rely significantly on IT application controls to flag potential misstatements. The auditor
should understand the logic behind the IT application controls and how client personnel
manually follow up on exceptions on a timely basis. Note that the direction of the control
is important. For completeness, the control will start with receiving reports and compare
that population with the recorded payable. For other assertions, the control will normally
validate the recorded purchase by comparing the purchase information with information
documented previously in the system.
Completeness of purchases. The software application starts with a population of daily
receiving reports and develops a one-for-one match with vouchers to ensure each receiving
report results in a voucher (the recording of a payable). A report is generated daily, reporting
any goods received that have not resulted in a recorded voucher.
Occurrence of purchases. The software application starts with the population of daily
vouchers and develops a one-for-one match with the underlying receiving report to ensure
each purchase voucher is supported by a receiving report (or an approved vendor’s invoice in
the case of services). A report is generated daily of any purchases not supported by documen-
tation of receiving goods. Once the match is made, the vendor invoice and receiving report are
cancelled so they cannot be used with a subsequent voucher.
Accuracy of purchases. The software application starts with the population of daily vouchers
and compares quantities with the underlying receiving report, compares prices to the underlying
purchase order, and checks the mathematical accuracy of the voucher. A report is generated daily
of any prices or quantities on the voucher that are not supported by underlying documents or files.
Purchases cutoff. The software application starts with the population of daily vouchers
and compares the date on the voucher with the date on the underlying receiving report. A
report is generated daily of any vouchers not recorded in the same accounting period as the
receiving report.
Classification of expenses and payables. The software application starts with the popula-
tion of daily vouchers and compares the vendor number with the purchase order. Both vendor
account coding and general ledger coding are compared with the purchase order and purchase
requisition, as a variety of accounts could be debited when the payable is recorded. A report is
generated daily of any vouchers showing incorrect account coding.
Completeness of payables, valuation of payables at historic cost, and existence of accounts
payable. Monthly statements received from vendors are reconciled to the accounts payable
subsidiary ledger.
In addition, department managers should be asked to review the transactions that have
been charged to their accounts. These managers should be familiar with the underlying
business reasons for the transactions and review such reports to ensure transactions are valid, are the
obligation of the entity, are correctly valued, and are charged to correct accounts. If management has
not established controls over accountability for the use of resources, it is evidence of a weak
control-consciousness in the organization and reduces the likelihood that other controls will
function effectively.

Audit Reasoning Example  What Is a Voucher and What Is Its Purpose?

Ron and Vincent are working on a new audit engagement. The client has not been audited
before. Ron is a junior member of the audit staff, and he is clearly frustrated when he comes in to
talk with Vincent, the senior on the audit engagement. Ron recounts for Vincent, “I just finished
talking with the company’s accounts payable clerk. When I asked about a voucher, she had no
idea what I was talking about. On the last two clients I worked on, the companies used vouchers to
record accounts payable. That doesn’t seem to be the case here. Does that mean accounts payable
is a high-risk audit area? What should I do next?”
Vincent responds, “There are several possible explanations. First, determine if our client
has a purchases journal to record purchases and payables when goods are received. If so, what do
they call the document recorded in each line of the purchases journal? They may just use another
name. However, I have seen companies that don’t use a purchases journal. These companies just
have a cash disbursements journal, and they pay vendor invoices when they come due. At the end
of the month, these companies have a formal process for determining items received that have
not been paid. Once the amount of unrecorded purchases is determined, they write an entry to
accrue the purchase and payable. Further, they write a reversing entry at the beginning of the
next month. It is just a different process for accruing purchases and liabilities. There is also a third
possibility. The company may pay vendor invoices when they come due, and they may not have a
formal process for accruing purchases and payables. If this is the case, then there is a significant
risk that purchases and payables are understated.”

Before You Go On
4.1 How are financial statements misstated if there is a material misstatement in the
completeness assertion regarding purchases? Describe a key control to detect and correct this
problem.
4.2 How are financial statements misstated if there is a material misstatement in the
occurrence assertion regarding purchases? Describe a key control to detect and correct this
problem.

Control Activities for Cash Disbursements


Learning Objective 5
Evaluate control activities for cash disbursement transactions.

The cash disbursements process involves the following subprocesses: (1) approving cash
disbursements and (2) recording cash disbursements. Segregation of duties in performing these
subprocesses is an important internal control. Today, many disbursements involve the
electronic transfer of funds. However, in the United States, many businesses continue to write
checks to vendors.

Example Transaction Flows—Cash Disbursements
Common documents and files that are found in the cash disbursements process include:

Supporting Documents

•  Voucher—An internal document indicating the vendor, the amount due, and
payment terms for the purchases received. It is used to authorize recording and paying a
liability.
•  Report of vendor invoices due—A report of vendor invoices listed by due date.
•  Report of cash balances—A report of daily cash balances.

Recording Cash Disbursements

•  Check or electronic funds transfer (EFT)—A formal order to a bank to pay the payee the
indicated amount.
•  Cash disbursements journal—A daily report showing checks written or electronic funds
transferred to vendors and amounts paid.

Important Databases or Other Documents

•  Purchasing database—Electronic files that accumulate data on purchases, accounts
payable, and cash disbursements.
•  Monthly bank statement—Statement from the bank showing transactions in the bank
account.
•  Bank reconciliation—A reconciliation of the cash amount shown in the general ledger
with the cash amount shown on the bank statement. Often, there are differences due to
deposits in transit, outstanding checks, or bank charges.
•  Monthly statements received from vendors—A monthly statement often sent by vendors
that shows the beginning payable balance, transactions during the month, and the
ending payable balance (even if it is zero).

An example of how these documents commonly flow through the cash disbursements process
is illustrated in Illustration 12.8, followed by a brief discussion of how cash disbursements
may be processed in many companies.

ILLUSTRATION 12.8   Example flow of transactions for cash disbursements

[Flowchart not reproduced. Columns: Process; Documents (Internal, External); Files and Databases.
Authorization: determine disbursements to be made (report of vendor invoices due, report of cash
balances, vendor master file, purchasing and G/L database). Recording: prepare payment (check or
EFT); record in cash disbursements journal (purchasing and G/L database); post to general ledger
(bank reconciliation, bank statement); record in A/P subsidiary ledger (vendor’s monthly statement).]

Paying the Liability and Recording Cash Disbursements


Usually, a treasury or cash management function is responsible for determining that unpaid
payables are processed for payment on their due dates. All payments should be by check or
electronic funds transfer. The software can be programmed to extract the vouchers due on
each day from the accounts payable database. This report is reviewed to determine which
payables should be paid considering the company’s cash position.
Once management identifies certain vouchers for payment, the software application
matches the check or EFT information against supporting information, performs IT
application controls, and sets a flag to identify that the voucher and the related vendor’s invoice
have been paid (to prevent duplicate payment). Each payment, whether by individual check
or EFT, is recorded in the cash disbursements journal. Checks below a certain dollar amount
may be machine-signed, with larger checks requiring a manual signature from one or more
authorized individuals.
On a monthly basis, the client should receive both a bank statement from the bank and a
monthly statement from vendors. The bank statement should be reconciled with the general
ledger cash account. The monthly statement from vendors should be reconciled with
individual accounts payable subsidiary ledgers.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Cash Disbursements
Once the auditor understands the flow of transactions, the auditor should evaluate what can
go wrong, identify potential controls management has placed in operation, and then
identify key controls to test. Illustration 12.9 summarizes the flow of transactions through the
purchasing process, key documents and electronic files, what can go wrong, and example
controls. As you review Illustration 12.9, try to associate particular controls with the assertions
they are controlling.

ILLUSTRATION 12.9   Cash disbursement transactions—WCGW and example controls

Transaction: Paying the liability and recording cash disbursements

Risk (WCGW): A check (EFT) may not be recorded.
Documents and files: Purchasing process database; report of vendor’s invoices due; cash disbursements journal
Example controls:
•  The software application reports any breaks in the sequence of a prenumbered check series and
electronic funds transfers.
•  The software application compares the daily total in the cash disbursements journal with the
total vouchers submitted for payment.
•  Access to blank checks and signature plates is controlled.
•  There is an independent bank reconciliation.

Risk (WCGW): A check (EFT) may not be recorded promptly.
Documents and files: Purchasing process database; report of vendor invoices due; cash disbursements journal
Example controls:
•  The software application prints a report of checks due but not yet paid.
•  Run-to-run totals compare beginning cash less cash disbursements with ending cash balance;
beginning accounts payable less disbursements with ending accounts payable are also compared.

Risk (WCGW): Checks (EFT) may be issued for unauthorized purchases.
Documents and files: Purchasing process database
Example controls:
•  The software application compares check information with purchase order and receiving
information or other authorization.
•  The software application performs a limit test on any large disbursement, and checks for such
disbursements must be manually signed.

Risk (WCGW): A vendor’s invoice may be paid twice.
Documents and files: Purchasing process database
Example controls:
•  The software application has a field that identifies that a vendor’s invoice has been paid, and
the voucher number cannot be reused.

Risk (WCGW): A check (EFT) may be issued for the wrong amount.
Documents and files: Purchasing process database; bank reconciliation
Example controls:
•  Manual control requires that check signers control the mailing of checks.
•  There is an independent bank reconciliation.

Risk (WCGW): A check (EFT) may be posted to the wrong account.
Documents and files: Purchasing process database
Example controls:
•  The software application compares information on check summary with related voucher
information.

Recall that many clients build in redundant controls such that if one control does not find
a misstatement, another control will detect the problem. However, auditors cannot efficiently
test all controls that exist. The auditor will identify a key control for each assertion.
Following are example key controls auditors often identify for cash disbursement transactions. The
examples rely significantly on IT application controls to flag potential misstatements. The
auditor should understand the logic behind the IT control and how client personnel manually
follow up on exceptions on a timely basis.
Completeness of cash disbursements. The software application compares the daily total in
the cash disbursements journal with the total of vouchers submitted for payment.
Occurrence of cash disbursements. The software application compares the check (EFT)
information with purchase order, receiving, and voucher information. Once the voucher is
paid, it is cancelled so that it cannot be paid twice.
Accuracy of cash disbursements. The software application compares the check (EFT)
information with the underlying information on the voucher. The software application must
calculate discounts taken for early payment.
Cutoff of cash disbursements. Run-to-run totals compare beginning daily cash balances
with cash disbursed from the cash disbursements journal, plus cash receipts, and the ending
daily cash balances. Therefore, a run-to-run total starts with the beginning balance, adds and
subtracts transactions, and should match the ending balance in a balance sheet account. Also,
the software application compares the vendors approved for payment with the total of the
daily cash disbursements journal.
Classification of cash disbursements. The software application compares information on
the cash disbursements journal with the related voucher information.
Completeness, existence, and valuation of cash balances. The client performs an
independent bank reconciliation.
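
Several of the key controls listed above combined into one daily run, as an added Python example that is not from the textbook: sequence breaks, the paid flag, amount versus voucher net of early-payment discount, the limit test, the daily total comparison, and the run-to-run total. The documents, amounts, exception codes and the 10,000 signature limit are constructed assumptions.

```python
from collections import namedtuple
from datetime import date
from decimal import Decimal as D

# Documents, amounts, codes and the signature limit are constructed for illustration.
Voucher = namedtuple("Voucher", "voucher_no amount invoice_date disc_rate disc_days")
Payment = namedtuple("Payment", "check_no voucher_no amount manually_signed")

SIGNATURE_LIMIT = D("10000.00")    # assumed threshold for the limit test


def amount_due(v, pay_date):
    """Voucher amount less the early-payment discount, if it is still available."""
    if v.disc_rate and (pay_date - v.invoice_date).days <= v.disc_days:
        return (v.amount * (1 - v.disc_rate)).quantize(D("0.01"))
    return v.amount


def sequence_breaks(check_numbers):
    """Numbers missing from the prenumbered series used in this run."""
    used = set(check_numbers)
    if not used:
        return []
    return [n for n in range(min(used), max(used) + 1) if n not in used]


def review_run(vouchers, submitted, payments, paid, run_date,
               begin_cash, cash_receipts, end_cash):
    """Apply the daily controls; return (exception report, cash disbursements journal)."""
    exceptions, journal = [], []
    paid = set(paid)                               # vouchers cancelled by earlier runs
    for p in payments:
        v = vouchers.get(p.voucher_no)
        if v is None or p.voucher_no not in submitted:
            exceptions.append((p.check_no, "NO_APPROVED_VOUCHER"))
        elif p.voucher_no in paid:
            exceptions.append((p.check_no, "VOUCHER_ALREADY_PAID"))
        elif p.amount != amount_due(v, run_date):
            exceptions.append((p.check_no, "AMOUNT_DIFFERS_FROM_VOUCHER"))
        elif p.amount > SIGNATURE_LIMIT and not p.manually_signed:
            exceptions.append((p.check_no, "LIMIT_TEST_NO_MANUAL_SIGNATURE"))
        else:
            paid.add(p.voucher_no)                 # cancel so it cannot be paid twice
            journal.append(p)
    for n in sequence_breaks([p.check_no for p in payments]):
        exceptions.append((n, "SEQUENCE_BREAK"))
    # Completeness: journal total versus total of vouchers submitted for payment.
    journal_total = sum((p.amount for p in journal), D("0"))
    submitted_total = sum((amount_due(vouchers[n], run_date)
                           for n in submitted if n in vouchers), D("0"))
    if journal_total != submitted_total:
        exceptions.append(("JOURNAL", "DAILY_TOTAL_DIFFERS_FROM_VOUCHERS_SUBMITTED"))
    # Run-to-run total: beginning cash, plus receipts, less disbursements, equals ending cash.
    if begin_cash + cash_receipts - journal_total != end_cash:
        exceptions.append(("CASH", "RUN_TO_RUN_OUT_OF_BALANCE"))
    return exceptions, journal


RUN_DATE = date(2024, 3, 15)
VOUCHERS = {v.voucher_no: v for v in [
    Voucher("VCH-10", D("1000.00"), date(2024, 3, 10), D("0.02"), 10),  # discount applies
    Voucher("VCH-11", D("500.00"), date(2024, 2, 1), D("0.02"), 10),    # discount lapsed
    Voucher("VCH-12", D("12000.00"), date(2024, 3, 1), D("0"), 0),
    Voucher("VCH-13", D("250.00"), date(2024, 3, 1), D("0"), 0),
]}
SUBMITTED = ["VCH-10", "VCH-11", "VCH-12", "VCH-13"]
PAYMENTS = [
    Payment(5001, "VCH-10", D("980.00"), False),
    Payment(5002, "VCH-11", D("500.00"), False),
    Payment(5004, "VCH-11", D("500.00"), False),     # 5003 missing; voucher paid again
    Payment(5005, "VCH-12", D("12000.00"), False),   # over the limit, machine-signed
    Payment(5006, "VCH-13", D("205.00"), False),     # transposed amount
]

if __name__ == "__main__":
    report, journal = review_run(VOUCHERS, SUBMITTED, PAYMENTS, set(), RUN_DATE,
                                 D("50000.00"), D("3000.00"), D("51520.00"))
    for ref, code in report:
        print(ref, code)
```

Rejected payments never reach the journal, so the daily total comparison also surfaces vouchers that were approved but not paid.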

Before You Go On
5.1  How are financial statements misstated if there is a material misstatement in the
completeness assertion regarding cash disbursements? Describe a key control to detect and correct
this problem.
5.2 How are financial statements misstated if there is a material misstatement in the accuracy
assertion regarding cash disbursements? Describe a key control to detect and correct this
problem.
5.3  How are financial statements misstated if there is a material misstatement in the
classification assertion regarding cash disbursements? Describe a key control to detect and correct
this problem.

Evaluated Receipt Settlement (ERS)


Learning Objective 6
Evaluate control activities in an evaluated receipt settlement system.

Evaluated receipt settlement (ERS) is a highly automated business process between
suppliers and purchasers to exchange data electronically and execute a purchase
transaction electronically. In larger public companies, ERS transactions represent 75–90% of
all transactions. In smaller, privately owned companies, not-for-profit organizations, or
governments, ERS transactions are rare. ERS recognizes that the key elements of a purchase
transaction involve:

•  The nature and quantity of the goods received.
•  The price of the goods received.
•  The payment terms for the goods received.

In an ERS system, the purchaser and supplier agree to exchange data about a transaction
electronically and use an ERS process for paying purchases. While ERS systems are often custom-made
to accommodate the supplier’s and purchaser’s information systems, the following discussion
addresses the common elements of many ERS systems.

Initiating an ERS Transaction


The first step in initiating an ERS transaction is the contract, which may be the only
“paperwork” in the process. Many contracts are exchanged and signed electronically.
The contract between the vendor and the purchaser will specify how data is exchanged
electronically, how long prices are good for (30 days, 60 days, or whenever updated), the
process for verifying quantities shipped and received, the process for verifying other
transaction costs such as freight or taxes, and the terms of payment (e.g., discounts for early
payment). Once the contract is agreed to, the system of electronic data interchange is
established, pricing information regarding the vendor’s catalog (stating items available
for sale and prices) is often obtained online, and controls over access to data are placed
in operation.
The next step involves the purchasing company initiating a purchase order. The
purchase order is prenumbered to establish control over the population of purchases. The
purchase order is usually sent electronically to the vendor (although it may be faxed or
sent by mail).
The supplier will normally acknowledge the transaction electronically by sending an
advance shipping notice (ASN) indicating the goods to be shipped, prices, and other
information (e.g., freight costs or taxes). Upon shipment, the vendor will create normal shipping
documents such as a bill of lading and packing slip.

advance shipping notice (ASN): an electronic acknowledgement of a transaction by a
supplier indicating goods shipped, prices, and other information such as freight costs or taxes

Receiving Goods
The receipt of goods in an ERS system is similar to any other system. A prenumbered,
electronic receiving report should be created, noting the items received and the condition of goods
including any defective items. Often, the goods are counted using barcodes, and once the
quantity received of each item is known, the purchaser has sufficient information to book a liability.

Recording Payables
Upon the receipt of goods, the purchaser should match the goods received, per the
receiving report, to the purchase order and ASN. Once all the documents match, an entry should
be made to the purchases journal to record the purchase and accounts payable. Normally, a
unique, prenumbered document (similar to a voucher) should be created to record the
purchase and establish control over the recording process. Since this is an internal document,
it is usually created only in electronic form in an ERS system. The ERS system often records
the purchase and liability created concurrently with the receiving report, as all information is
known about the transaction at time of receipt of goods (e.g., the type of goods received, the
quantity of goods received, the price for goods received, and payment terms).
When a vendor’s invoice is presented electronically, it is matched to determine that the
purchase order, receiving report, and vendor’s invoice agree (a three-way match). In some
systems, a vendor’s invoice is never generated. Rather, all the information needed to establish a
transaction is embedded in the ASN and the receiving report. A liability is created when goods
are received and the purchase is paid based on contractual terms. In these cases, a two-way
match is performed to agree the recorded liability to the receiving report and purchase order.

Electronic Payment
Many ERS systems use electronic invoice presentment and payment (EIPP) systems.
EIPP systems use an independent third party to settle the business-to-business (B2B)
transaction. An independent third-party payment processor, such as a bank or payment
processor, is used to make the payment from the purchaser to the supplier. A third-party
payment processor is often used to make payments because entities that store checking account
number information must be Payment Card Industry (PCI) security compliant according
to federal regulations, which requires investing in secure IT systems and paying for regular
recertification.

electronic invoice presentment and payment (EIPP) systems: an electronic system that uses a
third-party payment process to settle a business-to-business transaction

third-party payment processor: an independent third party such as a bank or payment processor
that processes a payment from the purchaser to the supplier; federal regulations require that the
third-party payment process is PCI security compliant

In an EIPP system, the purchasing entity:

•  Receives an electronic invoice from the vendor.
•  Validates the invoice (using a three-way match).
•  Cancels the vendor’s invoice so it is not paid twice.
•  Approves the invoice for payment (usually taking advantage of early payment discounts).

Once the invoice is approved for payment, the third-party payment processor transfers funds
from the purchasing entity to the vendor on the due date.

Internal Controls in an ERS System


Internal controls in an ERS system are similar to internal controls in a traditional system.
Following is a list of key controls that are often found in an ERS system for purchases,
categorized by relevant assertion. The effectiveness of each of these controls relies on
timely manual follow-up on exception reports, as well as the accuracy of the software
application.

•  Completeness of purchases. The software application generates a daily report of receiving
reports that have not been matched one for one with the recording of a purchase and a
liability.
•  Occurrence of purchases. The software application generates a daily report of any
discrepancies between the recorded payable and quantities on the receiving report. Once
a receiving report is matched with a purchase, it cannot be matched with another
purchase.
•  Accuracy of purchases. The software application generates a daily report of any
discrepancies between the recorded payable and quantities on the receiving report or prices on the
purchase order, and other information such as freight and taxes on the advance shipping
notice from the vendor. When a vendor’s invoice is received electronically, it is matched
with information on the recorded payable (which has previously been matched with the
purchase order, advance shipping notice, and the receiving report) and a report is created
of any discrepancies.
•  Purchases cutoff. The software application generates a daily report of any discrepancies
between the accounting period on the receiving report and the accounting period on the
recording of the purchase and liability.
•  Classification of expenses and payables. The software application generates a daily
report of any discrepancies between the vendor account coding and general ledger coding,
which is compared with the purchase order and purchase requisition.
•  Completeness of payables, valuation of payables at historical cost, and existence of
accounts payable. Monthly statements received from vendors are compared to the accounts
payable subsidiary ledger with timely follow-up on discrepancies.

Following is a list of key controls that are often found in the purchaser’s ERS system for
cash disbursements, categorized by relevant assertion.

•  Completeness of cash disbursements. The software application generates a daily report
comparing the daily total in the cash disbursements journal with the total of payables
submitted to the third-party payment processor for payment and any discrepancies are
reported.
•  Occurrence and accuracy of cash disbursements. The vendor’s invoice is cancelled so that
it is not paid twice. The software application develops a daily report that compares the
EFT information submitted to the third-party payment processor with the payable and
invoice information and that identifies any discrepancies. Any duplicate payments or
potential payments with discrepancies are rejected and not forwarded to the third-party
payment processor for payment.
•  Cutoff of cash disbursements. The software application generates a daily report comparing
the time period of when vendors are approved for payment with the time period they are
recorded in the cash disbursements journal.
•  Classification of cash disbursements. The software application generates a daily report
comparing account classification in the cash disbursements journal with the related
voucher information.
•  Completeness, existence, and valuation of cash balances. The purchasing entity performs
an independent bank reconciliation.

Before You Go On
6.1  Explain the flow of a transaction from initiating a purchase to paying for the purchase in an
ERS system.
6.2 How are financial statements misstated if there is a material misstatement in the
completeness assertion regarding the recording of purchases? Describe a key control to detect and
correct this problem in an ERS system.
6.3  How are financial statements misstated if there is a material misstatement in the occurrence
assertion regarding cash disbursements? Describe a key control to detect and correct this
problem in an ERS system.

Control Activities for Purchase Adjustments and Purchasing Process Disclosures

Learning Objective 7
Evaluate control activities for purchase adjustment transactions and purchasing
process disclosures.

Important documents and records used in processing purchase adjustments in traditional or
ERS systems include the following:

•  Purchase return authorization—Form showing the description, quantity, and other data
pertaining to the goods the vendor has authorized the purchaser to return. It serves as the
basis for initiating the purchase return.
•  Shipping report—Report prepared on the shipment of goods to vendors showing the
kinds and quantities of goods shipped.
•  Debit memo—Form stating the particulars of a debit to accounts payable, including the
specific items returned, prices, and amount debited. It provides the basis for recording
the purchase return.

These documents are referenced in the following discussion.

Purchase Returns and Allowances


On occasion, goods received from vendors are defective and must be returned. In addition,
vendors offer a number of inducements to purchase inventory. In some cases, vendors will
agree to reduce the price for goods rather than have goods returned. Some vendors offer
incentives depending on the volume of their products sold. Other vendors offer various
advertising allowances. For example, in the retail grocery industry, many vendors will pay
some of the advertising costs for their products in the advertisements of the grocery store.
In many companies, the number and dollar value of these transactions is immaterial.
However, in some companies, the potential for misstatements could reach a material
amount.
Each of these transactions results in reducing payables and expenses, and improving
reported liquidity and earnings. In rare instances, companies have recorded material
purchase returns at year-end to reduce payables and expenses. Sound financial
reporting needs to establish adequate controls over these transactions to prevent their abuse in
earnings management activities. Accordingly, control activities useful in reducing the risk
of misstatements focus on establishing the occurrence of such transactions and include
the following:

•  All purchase returns should be authorized by the vendor.
•  Goods should be returned only with a proper purchase return authorization, and an
independent count of goods returned should be recorded on shipping documents such as
packing slips and bills of lading.
•  The software application should match the debit memo information with the
authorization for purchase return and the shipping documents and report any discrepancies.

Further, there should be adequate segregation of duties between obtaining authorization for
purchase returns, shipping goods, and recording debit memos.
When there is the potential for material misstatements from purchase adjustment
transactions, the auditor should obtain an understanding of all relevant aspects of the
internal control structure components and consider the factors that affect the risk of such
misstatements. If purchase adjustments are estimated at quarter-end, management should
establish controls to ensure adjustments are based on reliable information and that
adjustments are consistent from quarter to quarter. A disclosure committee should review these
estimates if they could aggregate with other adjustments to an amount that is material to the
financial statements.

Other Controls in the Purchasing Process


The previous discussion focused primarily on controls over transactions. If good controls exist
over credit purchases, cash disbursements, and purchase returns, the accounts payable and
cash balances should also be controlled as they are the result of recording these transactions.
Additional controls over payables include comparing vendor statements with the balance in
the accounts payable subsidiary ledger. Further, sound control over cash balances involves
performing a bank reconciliation shortly after month-end.
Finally, management should establish controls over the occurrence and rights and
obligations of disclosures, the completeness of disclosures, the classification and
understandability of disclosures, and the accuracy and valuation of information included in disclosures.
Common disclosures in the purchasing process include:

•  Reclassification of material debit balances in accounts payable as accounts receivable.
•  Segregation of short-term payables from long-term payables.
•  Dependence on a single vendor or a small number of vendors.
•  Disclosure of purchase commitments and long-term purchase contracts.
•  Expenses reportable by business segment or geographic region.
•  Disclosure of payables to officers, directors, employees, or related parties.

Public companies normally accomplish this task with a disclosure committee that
works with the CFO or controller to review disclosures. The disclosure committee often
includes individuals in management who are knowledgeable about the condition of the
company and knowledgeable about appropriate GAAP for disclosures relevant to the
purchasing process. Many companies use a current GAAP disclosure checklist to assist in this
process.

Before You Go On
7.1 Explain the economic substance of purchase returns and allowances. Explain the appropriate
controls over purchase returns and allowances.
7.2  Explain the appropriate controls over the purchasing process disclosures.

Tests of Controls in the Purchasing Process and Audit Strategy


Learning Objective 8
Determine how to design and perform tests of controls in the purchasing process
and connect the results of control testing to audit strategy.

The following discussion identifies potential tests of controls that may be used to determine
if a client’s controls in the purchasing process are effective. Once the auditor has evaluated the
quality of internal controls, the audit team is in a good position to evaluate the opportunity
for fraud risk. The fraud risk assessment should be approached with professional skepticism.
Finally, this section focuses on the links between risk of material misstatement and subsequent
strategy for substantive testing.

Tests of Controls in the Purchasing Process


Most auditors plan to test controls in the purchasing process because of the high volume
of routine transactions in this process. Public company auditors test controls to support an
opinion on internal control. Auditors of private companies may decide to test controls if the
controls appear effective and the auditors determine it is efficient to do so.
If the client relies on IT controls and the auditor plans to assess control risk as low for
purchasing process assertions, the auditor will usually:

•  Test the effectiveness of general controls.
•  Use generalized audit software to evaluate the effectiveness of IT application controls.
•  Test the effectiveness of manual procedures to follow up on exceptions identified by IT
application controls.

As discussed in previous chapters, the auditor will usually test the effectiveness of IT general
controls as part of testing entity-level controls. For example, when testing the control
environment, the auditor might pay particular attention to making inquiries and collecting supporting
evidence regarding employee awareness of IT security issues. If the auditor is testing issues
regarding controls over program changes, the auditor might determine how program access is
controlled and monitored, look at logs of program access or incident reports, and talk to users about
their involvement in program changes affecting their responsibilities. The auditor will want to
pay attention to segregation of duties regarding access to programs and access to data, the
effectiveness of password controls, and the follow-up of any incident reports regarding unauthorized
access. Many of these tests are performed by an IT audit specialist.
Auditors often use test data on IT application controls to determine whether expected results
appear on exception reports. For example, in the purchasing process the auditor might submit:

•  A missing or invalid vendor code.
•  An invalid product code.
•  Transactions reporting items received in quantities different from the amount ordered
(both over and under).
•  Prices, vendor numbers, or other information on vouchers that does not match
information on the purchase order.
•  Voucher quantities that do not match quantities on receiving documents.
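
The test-data approach above, run against the purchase application controls this chapter describes (one-for-one match to a receiving report, price and quantity comparison, mathematical accuracy), as an added Python example that is not from the textbook. The master files, document numbers, prices and exception codes are all constructed; the auditor would compare the resulting exception report with the exceptions predicted for each test item.

```python
from collections import namedtuple
from decimal import Decimal as D

# All master data, documents and exception codes below are constructed for illustration.
PurchaseOrder = namedtuple("PurchaseOrder", "po_no vendor product qty unit_price")
ReceivingReport = namedtuple("ReceivingReport", "rr_no po_no product qty")
Voucher = namedtuple("Voucher", "voucher_no vendor po_no rr_no qty unit_price amount")

VENDOR_MASTER = {"V100", "V200"}
PRODUCT_MASTER = {"P-01", "P-02"}


def check_receipt(rr, orders):
    """Edit checks applied when a receiving report is entered."""
    found = []
    if rr.product not in PRODUCT_MASTER:
        found.append("INVALID_PRODUCT")
    po = orders.get(rr.po_no)
    if po is None:
        found.append("NO_PURCHASE_ORDER")
    elif rr.qty > po.qty:
        found.append("QTY_OVER_ORDER")
    elif rr.qty < po.qty:
        found.append("QTY_UNDER_ORDER")
    return found


def check_voucher(v, orders, receipts, cancelled):
    """Match one voucher to its purchase order and receiving report."""
    found = []
    if v.vendor not in VENDOR_MASTER:          # also catches a missing (blank) code
        found.append("INVALID_VENDOR")
    po = orders.get(v.po_no)
    if po is None:
        found.append("NO_PURCHASE_ORDER")
    else:
        if v.vendor != po.vendor:
            found.append("VENDOR_MISMATCH_PO")
        if v.unit_price != po.unit_price:
            found.append("PRICE_MISMATCH_PO")
    rr = receipts.get(v.rr_no)
    if rr is None:
        found.append("NO_RECEIVING_REPORT")
    elif v.rr_no in cancelled:
        found.append("RECEIVING_REPORT_ALREADY_USED")
    elif v.qty != rr.qty:
        found.append("QTY_MISMATCH_RR")
    if v.amount != v.qty * v.unit_price:       # mathematical accuracy of the voucher
        found.append("MATH_ERROR")
    return found


def run_test_deck(orders, receipts, vouchers):
    """Process the deck and return the exception report {document: [codes]}."""
    report = {}
    for rr in receipts.values():
        found = check_receipt(rr, orders)
        if found:
            report[rr.rr_no] = found
    cancelled = set()      # receiving reports already matched to an accepted voucher
    for v in vouchers:
        found = check_voucher(v, orders, receipts, cancelled)
        if found:
            report[v.voucher_no] = found
        else:
            cancelled.add(v.rr_no)             # cannot support a later voucher
    return report


ORDERS = {po.po_no: po for po in [
    PurchaseOrder("PO-1", "V100", "P-01", 10, D("5.00")),
    PurchaseOrder("PO-2", "V200", "P-02", 20, D("2.50")),
    PurchaseOrder("PO-3", "V100", "P-01", 8, D("5.00")),
]}
RECEIPTS = {rr.rr_no: rr for rr in [
    ReceivingReport("RR-1", "PO-1", "P-01", 10),   # clean
    ReceivingReport("RR-2", "PO-2", "P-02", 25),   # more than ordered
    ReceivingReport("RR-3", "PO-3", "P-01", 6),    # less than ordered
    ReceivingReport("RR-4", "PO-1", "P-99", 10),   # invalid product code
]}
VOUCHERS = [
    Voucher("VCH-1", "V100", "PO-1", "RR-1", 10, D("5.00"), D("50.00")),  # clean
    Voucher("VCH-2", "V100", "PO-1", "RR-1", 10, D("5.00"), D("50.00")),  # reuses RR-1
    Voucher("VCH-3", "V999", "PO-2", "RR-2", 25, D("2.50"), D("62.50")),  # invalid vendor
    Voucher("VCH-4", "V100", "PO-3", "RR-3", 8, D("5.50"), D("44.00")),   # price, quantity
    Voucher("VCH-5", "", "PO-3", "RR-3", 6, D("5.00"), D("30.00")),       # missing vendor
]

if __name__ == "__main__":
    for doc, codes in sorted(run_test_deck(ORDERS, RECEIPTS, VOUCHERS).items()):
        print(doc, ", ".join(codes))
```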

Finally, the auditor will need to test the appropriateness of manual follow-up of
exceptions noted by the software application. If exception reports are printed daily, the auditor
might select a sample of exception reports to determine if exceptions are cleared on a timely
basis. The auditor might make inquiries of personnel responsible for clearing exceptions to
determine their awareness of the types of misstatements that might appear on exception reports.
The auditor should also follow through on previously noted exceptions to determine they were
cleared appropriately by authorized personnel on a timely basis.

Fraud Risk Assessment


After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud
risk. The risk of misappropriation of assets is particularly prevalent in the purchasing process.
Procurement fraud risks include:
•  Fictitious or phantom vendors. An employee sets up a fictitious vendor in the master vendor file. The fictitious vendor information relates to an address or post office box controlled by the employee. Purchases, which are fictitious, are made from the fictitious vendor, and then payments are made to the employee via the fictitious vendor.
•  Kickbacks. A kickback scheme involves collusion between an employee and a vendor. The client company pays inflated prices to the vendor, and the employee receives a payment, or kickback, for facilitating the inflated transactions with the vendor.
•  Bid rigging. A bid rigging scheme involves collusion between an employee and a vendor in which the employee assists the vendor in winning a competitive bid for a contract, sometimes at higher prices. The employee is typically compensated by the vendor in the form of a cash payment.
•  Personal purchases. An employee uses company funds to purchase personal items. For example, an employee may be on a legitimate business trip but also spends company funds for personal travel such as extended hotel nights and meals for extra days.
These frauds can be reduced with strong controls over the vendor master files, determining the appropriateness of support for payments to vendors before recording a liability (voucher), and the willingness to dispute inappropriate items with vendors. Auditors should also consider incentives and pressures on management that may push management toward fraudulent financial reporting, such as how management compensation plans provide incentives to meet profitability targets, or whether management is trying to meet previously forecasted earnings targets. Ultimately, a key aspect of fraud risk relates to the opportunity that may or may not be present based on the quality of the system of internal control. An auditor’s concerns are heightened when the control environment is weak, or control activities are nonexistent. In not-for-profit organizations, smaller companies, or governments, segregation of duties may be weak or nonexistent. In these cases, the auditor, with appropriate professional skepticism, should consider fraud risk to be high and design effective substantive tests to provide reasonable assurance of detecting material fraud.

kickback  the entity pays inflated prices to the vendor, and the employee receives a payment for facilitating the inflated transactions with vendor

bid rigging  an employee assists a vendor in winning a competitive bid for a contract; employee is compensated, usually in the form of a cash payment

Audit Data Analytics as a Risk Assessment Procedure


Audit data analytics might be effective at finding fraud in the purchasing process. Sometimes
people who commit fraud know the different thresholds for their approval of an invoice for
payment. For example, a supervisor’s approval may be required for any invoice of $5,000 or
more. To identify a population of possible fraudulent invoices, the auditor might identify a
group of invoices that are 4% less than the approval amount. This would flag invoices between
$4,800 and $4,999 for further investigation, particularly if many are from the same vendor.
This would be a clue to determine if the vendor was a fictitious vendor or if the vendor might
be giving the purchasing agent a kickback.
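The threshold test described above can be written as a short script. This is an added example, not part of the original text; the invoice records, vendor IDs, and function names are constructed for illustration, and the band is taken as 4% below the $5,000 approval limit, as in the text.

```python
"""Flag invoices just under an approval limit and rank vendors by how many they have."""
from collections import defaultdict
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")  # supervisor approval required at or above this (from the text)
BAND = Decimal("0.04")                # width of the band below the threshold (from the text)

# Constructed sample data: (invoice_id, vendor_id, amount as recorded)
SAMPLE_INVOICES = [
    ("INV-001", "V100", "4950.00"),
    ("INV-002", "V100", "4899.50"),
    ("INV-003", "V100", "4800.00"),   # exactly on the lower edge of the band
    ("INV-004", "V100", "1200.00"),
    ("INV-005", "V200", "4999.99"),
    ("INV-006", "V200", "5000.00"),   # at the threshold: goes to the supervisor, not flagged
    ("INV-007", "V200", "312.40"),
    ("INV-008", "V300", "4799.99"),   # one cent below the band
    ("INV-009", "V300", "7600.00"),
]


def near_threshold(invoices, threshold=APPROVAL_THRESHOLD, band=BAND):
    """Return invoices with lower <= amount < threshold, where lower = threshold * (1 - band)."""
    lower = threshold * (Decimal(1) - band)
    flagged = []
    for invoice_id, vendor_id, amount in invoices:
        value = Decimal(amount)  # Decimal avoids float rounding at the band edges
        if lower <= value < threshold:
            flagged.append((invoice_id, vendor_id, value))
    return flagged


def vendor_concentration(invoices, min_hits=2, **band_args):
    """Rank vendors that have at least min_hits flagged invoices, highest count first."""
    totals = defaultdict(int)
    for _, vendor_id, _ in invoices:
        totals[vendor_id] += 1

    hits = defaultdict(list)
    for invoice_id, vendor_id, value in near_threshold(invoices, **band_args):
        hits[vendor_id].append((invoice_id, value))

    report = []
    for vendor_id, rows in hits.items():
        if len(rows) < min_hits:
            continue
        report.append({
            "vendor_id": vendor_id,
            "flagged_count": len(rows),
            "invoice_count": totals[vendor_id],
            "flagged_share": len(rows) / totals[vendor_id],
            "flagged_total": sum((value for _, value in rows), Decimal(0)),
            "invoice_ids": [invoice_id for invoice_id, _ in rows],
        })
    report.sort(key=lambda row: (-row["flagged_count"], row["vendor_id"]))
    return report


if __name__ == "__main__":
    for row in vendor_concentration(SAMPLE_INVOICES):
        print(row)
```

A vendor that appears in this report is a candidate for the follow-up the text describes: confirming that the vendor exists and reviewing who approved the flagged invoices.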

Audit Reasoning Example   Audit Data Analytics in the Purchasing Process

Cecily has just returned from a staff training session on audit data analytics. She is auditing a mining
company with a high volume of purchases, and she is concerned about the risk of her client paying
a fictitious vendor. She asks herself, “How would I determine if an employee is submitting invoices
from a fictitious vendor to pay himself or herself extra money?” Eventually, Cecily thinks about
merging two key files: the client’s vendor master file and the client’s employee master file. Each file
has fields for addresses, tax ID numbers, phone numbers, and bank routing numbers. She thinks to
herself, “If I use audit data analytics to compare the two files, I should find no matches. However, if
I find a match of any one of these fields in both databases, further investigation is clearly warranted.”
For example, Cecily would not expect to find the same tax ID number or bank routing number for
a vendor and an employee.
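The file comparison Cecily describes depends on normalizing each field before matching, because the same tax ID, phone number, or address is rarely typed the same way in two systems. The following is an added example, not part of the original text: the records, field names, and helper functions are constructed, and the bank field is assumed to hold routing and account number together, since a routing number by itself identifies only the bank.

```python
"""Cross-match a vendor master file against an employee master file on shared identifiers."""
import re
from collections import defaultdict

# Constructed sample records; every identifier below is made up for illustration.
VENDORS = [
    {"vendor_id": "V100", "tax_id": "12-3456789", "phone": "(555) 010-2000",
     "address": "400 Industrial Road, Suite 5", "bank_account": "999999991-000111222"},
    {"vendor_id": "V200", "tax_id": "98-7654321", "phone": "555-010-7788",
     "address": "P.O. Box 112", "bank_account": "999999992-55500012"},
    {"vendor_id": "V300", "tax_id": "45-1112223", "phone": "+1 555 010 3344",
     "address": "9 Quarry St", "bank_account": "999999991-000999888"},
]
EMPLOYEES = [
    {"employee_id": "E01", "tax_id": "111-22-3333", "phone": "555.010.7788",
     "address": "18 Elm Street", "bank_account": "999999993-7770001"},
    {"employee_id": "E02", "tax_id": "222-33-4444", "phone": "555-010-9999",
     "address": "PO Box 112", "bank_account": "999999993-7770002"},
    {"employee_id": "E03", "tax_id": "451-11-2223", "phone": "555-010-1212",
     "address": "77 Pine Avenue", "bank_account": "999999991 000999888"},
]

# Small constructed abbreviation table; a real engagement would use a fuller one.
_ABBREVIATIONS = {"POST OFFICE BOX": "PO BOX", "P O BOX": "PO BOX", "STREET": "ST",
                  "AVENUE": "AVE", "ROAD": "RD", "SUITE": "STE"}


def digits_only(value):
    """Keep digits so '45-1112223' and '451-11-2223' compare equal."""
    return re.sub(r"\D", "", value or "")


def normalize_phone(value):
    """Compare on the last ten digits, dropping any country code; ignore short values."""
    digits = digits_only(value)
    return digits[-10:] if len(digits) >= 10 else ""


def normalize_address(value):
    """Upper-case, strip punctuation, collapse spaces, and apply common abbreviations."""
    text = re.sub(r"[^A-Z0-9 ]", " ", (value or "").upper())
    text = " ".join(text.split())
    for long_form, short_form in _ABBREVIATIONS.items():
        text = re.sub(rf"\b{long_form}\b", short_form, text)
    return text


NORMALIZERS = {"tax_id": digits_only, "phone": normalize_phone,
               "address": normalize_address, "bank_account": digits_only}


def build_index(records, id_field):
    """Map (field, normalized value) to the set of record ids that carry it."""
    index = defaultdict(set)
    for record in records:
        for field, normalize in NORMALIZERS.items():
            key = normalize(record.get(field, ""))
            if key:  # blank fields must never match each other
                index[(field, key)].add(record[id_field])
    return index


def cross_match(vendors, employees):
    """Return sorted (vendor_id, employee_id, field) for every shared identifier."""
    employee_index = build_index(employees, "employee_id")
    matches = []
    for vendor in vendors:
        for field, normalize in NORMALIZERS.items():
            key = normalize(vendor.get(field, ""))
            if not key:
                continue
            for employee_id in employee_index.get((field, key), ()):
                matches.append((vendor["vendor_id"], employee_id, field))
    return sorted(matches)


if __name__ == "__main__":
    for match in cross_match(VENDORS, EMPLOYEES):
        print(match)
```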

The Risk of Material Misstatement and Audit Strategy

Once the auditor has tested internal controls, the auditor will determine whether the auditor’s
expectations regarding the effectiveness of internal controls are confirmed. Tests of controls
are performed when the auditor expects that internal controls are effective. If the auditor’s ex-
pectations regarding effective controls are not confirmed, the auditor will need to evaluate the
significance of the deficiencies noted and determine if the client has a compensating control
in place that the auditor might rely on. If no compensating controls exist, the auditor will
need to revise the audit strategy, determine if fraud risk is increased as a result of the internal
control deficiency, and determine how to revise planned substantive tests for the purchase
process. The auditor may need to change the timing of planned substantive tests related to
an assertion from interim testing to testing year-end balances. The auditor may also need
to consider increasing sample sizes when sampling is involved. If internal controls related
to an assertion are found to be ineffective, the auditor will need to communicate significant
deficiencies or material weaknesses to management and to those charged with governance of
the entity.

Cloud 9 - Continuing Case


Josh and Suzie are pleased with the results of tests of controls related to the purchasing process. They found strong controls over the master vendor file, and vouchers are prepared based only on original invoices. Cloud 9 is very careful about entering the right invoice number, including any leading zeros, so an invoice is not paid twice. Further, individuals who are responsible for following up on exceptions understood the types of exceptions they were following up on, and exceptions tended to be rare. Finally, under David Collier’s direction, Cloud 9 developed clear procedures for accruing payables for goods received in the warehouse for which vendor invoices had not yet arrived.

Before You Go On
8.1 If the auditor has identified an IT application control related to the completeness of pur-
chases, and IT general controls have already been determined to be effective, suggest how the
auditor might test the effectiveness of such IT application and the related manual follow-up.
8.2 Explain the fraud associated with a phantom vendor. What controls might prevent this from
happening?
8.3 Assume an auditor is auditing a small city or county with poor segregation of duties in the
purchasing process. What are the most significant risks in this case? What are the implica-
tions for developing an audit strategy in the purchasing process?

Substantive Procedures for the Purchasing Process


Learning Objective 9
Assess detection risk and design substantive tests, including audit data analytics, to
address various assertions in the purchasing process.

At this stage, the auditor has evaluated inherent risks, evaluated and tested the system of
internal control in the purchasing process, and developed an audit strategy. What remains is
performing substantive tests. The following discussion focuses on identifying the appropriate
substantive tests for relevant assertions in the purchasing process. Illustration 12.10 presents
a suggested audit program for substantive tests of purchasing process assertions, including ini-
tial procedures, substantive analytical procedures, and tests of details. A discussion of each
of these steps follows the illustration. The audit procedures in Illustration 12.10 are most
likely to be associated with manufacturing companies, wholesalers, or retailers.

ILLUSTRATION 12.10   Substantive tests in the purchasing process

Category: Initial procedures

1.  Obtain an understanding of the business and industry to determine: (Relevant assertion: All)
    a.  The significance of purchases and accounts payable to the entity.
    b.  Key economic drivers that influence the entity’s purchases, margins, and cash disbursements.
    c.  Standard trade terms in the industry, including seasonal dating, payment period, etc.
    d.  The extent of concentration of activity with vendors.
2.  Perform initial procedures on accounts payable and records that will be subjected to further testing. (Relevant assertions: Valuation and allocation, Rights and obligations)
    a.  Trace beginning balance for accounts payable to prior year’s working papers.
    b.  Scan activity in the general ledger account for accounts payable and investigate entries that appear unusual in amount or source.
    c.  Obtain the accounts payable subsidiary ledger and determine that it accurately represents the underlying accounting records by footing the subsidiary ledgers and comparing the total to the general ledger balance. (Relevant assertion: Valuation and allocation)

Category: Analytical procedures

3.  Perform analytical procedures: (Relevant assertion: All)
    a.  Develop an expectation for accounts payable using knowledge of the entity’s business activity, market share, normal trade terms, and its history of accounts payable turnover in days.
    b.  Calculate ratios:
        i.  Compare purchases activity to the entity’s sales.
        ii.  Compare purchases growth and payable growth.
        iii.  Accounts payable turnover in days.
    c.  Analyze ratio results relative to expectations based on prior years, industry data, budgeted amounts, or other data.

Category: Tests of details of transactions

4.  Vouch a sample of recorded purchasing process transactions to supporting documentation. (Relevant assertions: Occurrence, Accuracy, Cutoff, Classification)
    a.  Vouch recorded purchase transactions to supporting vendor’s invoices, receiving documents, and purchase orders.
    b.  Vouch disbursement transactions to underlying vouchers and supporting documents.
    c.  Vouch purchase returns to supporting shipping documents and subsequent recognition of return by the vendor.
5.  Trace a sample of purchase transactions from goods received to their recording in the purchases journal. Also trace a sample of cash disbursements and purchase returns to their recording in the accounting records. (Relevant assertion: Completeness)
6.  Perform cutoff tests for purchases and purchase returns. (Relevant assertion: Cutoff)
    a.  Select a sample of goods received in the warehouse for several days before and after year-end and examine supporting vouchers to determine that purchases were recorded in the proper period.
    b.  Select a sample of purchase returns from the shipping dock for several days before and after year-end to determine that debits to accounts payable were recorded in the proper period.
7.  Perform cash disbursements cutoff tests by observing that all cash disbursed through the close of business on the last day of the fiscal year is included in the cash disbursements journal. (Relevant assertion: Cutoff)
8.  Perform a search for unrecorded liabilities.
    a.  Examine subsequent payments between balance sheet date and end of fieldwork, and when related documentation indicates payment was for an obligation in existence at balance sheet date; trace to accounts payable listing.
    b.  Examine documentation for payables recorded at year-end that are still unpaid at end of fieldwork.
    c.  Inspect unmatched purchase orders, receiving reports, and vendor invoices at year-end.
    d.  Inquire of accounting and purchasing personnel about unrecorded payables.
    e.  Review capital budgets, work orders, and construction contracts for evidence of unrecorded payables.

Category: Tests of details of balances

9.  Evaluate the effectiveness of confirming accounts payable. (Relevant assertions: Existence, Valuation and allocation, Completeness)
    a.  Identify major vendors by reviewing the voucher register or accounts payable subsidiary ledger or master file and send confirmation requests to vendors with large balances, unusual activity, small or zero balances, and debit balances.
    b.  Investigate and reconcile differences.
10.  Reconcile unconfirmed payables to monthly statements received by client from vendors.

Category: Tests of details of presentation and disclosure

11.  Compare statement presentation with GAAP.
    a.  Determine that payables are properly identified and classified as to type and expected period of payment. (Relevant assertion: Classification and understandability)
    b.  Determine whether debit balances in accounts payable are significant in the aggregate and should be reclassified as accounts receivable. (Relevant assertion: Classification and understandability)
    c.  Determine the appropriateness of disclosures pertaining to related party payables. (Relevant assertion: Classification and understandability)
    d.  Inquire of management about potential undisclosed commitments or contingent liabilities. (Relevant assertion: Completeness)
    e.  Evaluate the completeness of presentation and disclosures for payables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. (Relevant assertion: Completeness)
    f.  Read disclosures and independently evaluate their understandability. (Relevant assertion: Classification and understandability)

Initial Procedures
The starting point for every audit test is obtaining an understanding of the business and
industry. Understanding the significance of the purchasing process to the entity provides a
context for important risk assessments. Understanding the company’s economic drivers, stan-
dard trade terms, and the extent of concentration of business with certain suppliers provides
the context for evaluating the results of analytical procedures, tests of controls, and substantive
tests. Procedures performed to obtain this understanding were discussed earlier in this chapter.
Another initial procedure for substantive tests of accounts payable is tracing the beginning
balance to the prior year’s working papers, using generalized audit software to scan the general
ledger account for any unusual entries, and developing a list of amounts owed at the balance
sheet date. Ordinarily, the client provides a listing of the unpaid voucher file or the accounts
payable subsidiary ledger in electronic form. The auditor can also use generalized audit
software to determine the mathematical accuracy of the listing by refooting the total and by
verifying that it agrees with the general ledger account balance.

Substantive Analytical Procedures


Recall that analytical procedures are not required to be used as a substantive procedure. Illustra-
tion 12.4 provided examples of analytical procedures that are commonly used in the purchasing
process. If analytical procedures are used as a substantive procedure during risk response, the
auditors are using data through the client’s third quarter or even the entire year of data if the pro-
cedures are performed after year-end. Therefore, when used as a substantive procedure, the audi-
tor typically has more data to analyze and can develop more precise expectations of the accounts
payable balance and the relationship between accounts payable and other key accounts such as
purchases or inventory. For example, an abnormal decrease in the accounts payable turnover in
days or unexpected increase in the current ratio may provide indicators of understated liabilities.

Audit Data Analytics as a Substantive Test


The right ADA procedure may be a very effective substantive test of details. If a client has strong
internal controls regarding the three-way match of purchase documents (purchase order, receiv-
ing report, and vendor invoice), then the auditor can focus on searching for transactions that
may be more unusual or outside of the norm. For example, the client may issue company credit
cards to certain employees, either to make purchases or for work-related travel. Banks and credit
card companies use a common coding system, called merchant category codes (MCC), to de-
termine the type of business from which goods or services have been purchased with the credit
card. There are codes for specific airlines, hotels, electronics, household appliances, electrician
services, and hundreds more. The auditor could use ADA to organize all credit card purchases
by MCC code. For codes that are unusual for the client, such as MCC 8351 for child care services,
the auditor would investigate further by inspecting supporting documentation and proper au-
thorization for the transaction.

Tests of Details of Transactions


Five major substantive tests of details of accounts payable transactions are shown in Illustra-
tion 12.10 and discussed next. Recall that in performing these tests, the auditor is primarily con-
cerned with detecting understatements of recorded payables as well as unrecorded payables.
The extent to which each test is performed varies based on the acceptable levels of detection
risk specified for the related assertions.

Vouch Recorded Payables to Supporting Documentation


In this test of the occurrence assertion, credit entries to accounts payable are vouched back to
supporting documentation such as vendor invoices, receiving reports, and purchase orders. Deb-
its to accounts payable are vouched to documentation of cash disbursement transactions, such as
paid checks, or memoranda from vendors pertaining to purchase returns and allowances. Some
vouching may be performed during interim work as a dual-purpose test with tests of controls over
purchasing. The extent of vouching is directly related to the auditor’s conclusions about inherent
risk and control risk. This test primarily provides evidence for the specific audit objectives related
to four of the five assertions, excluding completeness. Vouching is not applicable to the complete-
ness assertion as vouching starts with a recorded transaction.

Perform Cutoff Tests


The purchase cutoff test involves determining that purchase transactions occurring near
the balance sheet date are recorded in the proper period. This may be done by tracing dated
receiving reports to voucher register entries and vouching recorded entries to supporting
documentation. The test usually covers a period of five to ten business days before and after
the balance sheet date. Evidence from the procedure pertains to the existence or the occur-
rence and completeness assertions for accounts payable transactions.
In examining documentation as part of this procedure, special consideration must be
given to goods in transit at the balance sheet date. Goods shipped FOB (free on board) ship-
ping point should be included in the inventory and accounts payable of the purchasing entity.
In contrast, goods in transit shipped FOB destination should remain in the inventory of the
seller and be excluded from the purchaser’s inventory and accounts payable until arrival at the
purchasing entity’s receiving department. In performing this procedure, the auditor should
determine that a proper cutoff is achieved in the taking of the physical inventory, as explained
further in Chapter 13, as well as in the recording of the purchase transactions.
A proper cutoff of cash disbursement transactions at the end of the year is essential for
the correct presentation of cash and accounts payable at balance sheet date. Evidence for the
cash disbursement cutoff test may be obtained by personal observation and review of internal
documentation. If the auditor can be present at the balance sheet date, he or she can personally
determine the last check written by the client. Subsequent tracing of this evidence to the ac-
counting records will verify the accuracy of the cutoff. Alternatively, the auditor can trace “paid”
checks dated within a period of several days before and after the balance sheet date to the dates
the checks were recorded. Evidence from this test also pertains to the existence or occurrence
and completeness assertions for accounts payable.
Purchase return cutoff tests are similar to other cutoff tests. First, the auditor should start
with the shipping records for a period of five to ten days before and after year-end to ensure
that purchase returns are accurately recorded in the accounting records. Then, the auditor
should go from the accounting records back to evidence in shipping records to verify the accu-
racy of the last purchase returns recorded by the entity.

Perform Search for Unrecorded Liabilities


The search for unrecorded liabilities consists of procedures designed specifically to detect significant unrecorded obligations at the balance sheet date (or as of an interim date). Thus, it relates to the completeness assertion for accounts payable.
A common procedure involves examining subsequent payments, which consists of examining supporting documentation for checks issued or vouchers paid after the balance sheet date. When the payment is for an obligation existing at the balance sheet date, it is traced to the accounts payable listing to determine whether it was included. This procedure is performed toward the end of fieldwork to enhance the opportunity of obtaining evidence concerning payables that were intentionally or inadvertently excluded from the listing of payables at the balance sheet date.
Liabilities rarely go unrecorded for long periods. If vendors are not paid, they will usually follow up to ask when a payment can be expected, which results in the recording of a purchase, usually in the wrong accounting period. Therefore, examining subsequent payments may be an effective search for unrecorded liabilities. The auditor can also search this subsequent period looking for overstatements of subsequent payments and may focus on larger transactions.
Documentation supporting payables recorded but remaining unpaid through the end of fieldwork should also be examined on a test basis. This may reveal obligations that existed but were unrecorded as of the balance sheet date. Other procedures may reveal unrecorded payables including (1) investigating unmatched purchase orders, receiving reports, and vendor invoices at year-end, (2) inquiring of accounting and purchasing personnel about unrecorded payables, and (3) reviewing capital budgets, work orders, and construction contracts for evidence for unrecorded payables.

search for unrecorded liabilities  procedures designed specifically to detect significant unrecorded obligations as of the balance sheet date (or as of an interim date)

examining subsequent payments  examining vouchers paid after the balance sheet date (or an interim date) to determine if the payment is for an obligation that existed as of the balance sheet date (or an interim date) and whether the obligation was in fact recorded as of the balance sheet date (or an interim date)
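The subsequent-payments procedure, combined with the FOB rule from the cutoff discussion, can be expressed as a script over the post year-end payment file. This is an added example, not part of the original text: the dates, vouchers, field names, and functions are constructed, and it assumes every payment is for goods with known shipping terms.

```python
"""Search payments made after year-end for obligations missing from the year-end payables listing."""
from datetime import date
from decimal import Decimal

BALANCE_SHEET_DATE = date(2023, 12, 31)  # constructed year-end
END_OF_FIELDWORK = date(2024, 2, 15)     # constructed end of fieldwork

# Constructed payments, with ship and receipt dates taken from supporting documents.
SUBSEQUENT_PAYMENTS = [
    {"voucher": "VCH-9001", "vendor": "V100", "invoice": "A-771", "amount": "18250.00",
     "paid": date(2024, 1, 9), "fob": "shipping_point",
     "shipped": date(2023, 12, 28), "received": date(2024, 1, 4)},
    {"voucher": "VCH-9002", "vendor": "V200", "invoice": "5512", "amount": "6400.00",
     "paid": date(2024, 1, 12), "fob": "destination",
     "shipped": date(2023, 12, 29), "received": date(2024, 1, 3)},
    {"voucher": "VCH-9003", "vendor": "V300", "invoice": "Q-18", "amount": "950.00",
     "paid": date(2024, 1, 20), "fob": "destination",
     "shipped": date(2023, 12, 15), "received": date(2023, 12, 22)},
    {"voucher": "VCH-9004", "vendor": "V100", "invoice": "A-765", "amount": "30500.00",
     "paid": date(2024, 1, 5), "fob": "destination",
     "shipped": date(2023, 12, 10), "received": date(2023, 12, 18)},
    {"voucher": "VCH-9005", "vendor": "V400", "invoice": "88-02", "amount": "12000.00",
     "paid": date(2024, 3, 1), "fob": "shipping_point",
     "shipped": date(2023, 12, 30), "received": date(2024, 1, 6)},
]

# Constructed accounts payable listing at the balance sheet date: (vendor, invoice).
AP_LISTING = {("V100", "A-765")}


def obligation_date(payment):
    """Date the purchaser took on the liability under the payment's FOB terms."""
    if payment["fob"] == "shipping_point":
        return payment["shipped"]   # purchaser's goods while still in transit
    if payment["fob"] == "destination":
        return payment["received"]  # seller's goods until they arrive
    raise ValueError(f"unknown FOB terms on {payment['voucher']}: {payment['fob']!r}")


def search_unrecorded(payments, ap_listing, balance_sheet_date=BALANCE_SHEET_DATE,
                      end_of_fieldwork=END_OF_FIELDWORK, min_amount="0"):
    """Return (findings, total) for year-end obligations paid later but absent from the listing."""
    floor = Decimal(min_amount)
    findings = []
    for payment in payments:
        # Only payments between the balance sheet date and the end of fieldwork are in scope.
        if not (balance_sheet_date < payment["paid"] <= end_of_fieldwork):
            continue
        # The obligation must already have existed at the balance sheet date.
        if obligation_date(payment) > balance_sheet_date:
            continue
        # Trace to the accounts payable listing; recorded items are not exceptions.
        if (payment["vendor"], payment["invoice"]) in ap_listing:
            continue
        amount = Decimal(payment["amount"])
        if amount >= floor:
            findings.append({"voucher": payment["voucher"], "vendor": payment["vendor"],
                             "invoice": payment["invoice"], "amount": amount,
                             "obligation_date": obligation_date(payment)})
    total = sum((finding["amount"] for finding in findings), Decimal(0))
    return findings, total


if __name__ == "__main__":
    found, understatement = search_unrecorded(SUBSEQUENT_PAYMENTS, AP_LISTING)
    for finding in found:
        print(finding)
    print("Potential understatement of accounts payable:", understatement)
```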

Tests of Details of Balances


Two tests included in this category are (1) confirming accounts payable and (2) reconciling
unconfirmed payables to monthly statements received by the client from vendors.

Confirmation of Accounts Payable


Unlike the confirmation of accounts receivable, there is no presumption made about the con-
firmation of accounts payable. This procedure is optional because (1) confirmation offers no
assurance that unrecorded payables will be discovered, and (2) external evidence in the form
of invoices and vendor monthly statements should be available to substantiate the balances.
Confirmation of accounts payable is recommended when the detection risk is low, there are
individual creditors with relatively large balances, or a company is experiencing difficulties
in meeting its obligations. As in the case of confirming accounts receivable, the auditor must
control the preparation and mailing of each request and should receive the responses directly
from the respondent.
When auditors choose to send confirmations of accounts payable, accounts with zero or
small balances should be among those selected for confirmation because they may be more
understated than accounts with large balances. In addition, confirmations should be sent to
major vendors who (1) were used in the prior year but not in the current year and (2) do
not send monthly statements. The positive form should be used in making the confirmation
request. Usually, a positive confirmation does not specify the amount due. In confirming a
payable, the auditor prefers to have the creditor indicate the amount due because that is the
amount to be reconciled to the client’s records. The confirmation may also request informa-
tion regarding purchase commitments of the client.
This test produces evidence for all accounts payable assertions. However, evidence pro-
vided for the completeness assertion is limited because of the possible failure to identify and
send confirmation requests to vendors with whom the client has unrecorded obligations.

Reconcile Unconfirmed Payables to Vendor Statements


In many cases, vendors provide monthly statements that are available in client files. The audi-
tor can reconcile the vendor statements to the client’s listing of payables. The evidence from
this procedure applies to the same assertions as confirmations but is less reliable because the
vendors’ statements were sent to the client rather than directly to the auditor. In addition,
statements may not be available from certain vendors.

Tests of Details of Presentation and Disclosure


Illustration 12.10 describes a number of tests of disclosures for the purchasing process. The
auditor must be knowledgeable about the statement presentation and disclosure require-
ments for accounts payable and purchases under GAAP. Accounts payable should be prop-
erly identified and classified as a current liability. If the accounts payable balance includes
material advance payments to some vendors for future delivery of goods and services, such
amounts should be reclassified as advances to suppliers and included as assets. In addition,
disclosures may be required for related party payables, purchase commitments, and contingent
liabilities. Management’s presentation and disclosures must be compared with these GAAP
requirements. Evidence relevant to these matters can be obtained by inquiring of management
and reviewing minutes of board of directors’ meetings. Evidence is also obtained through
the audit procedures performed to test other assertions. Management’s representations
on these matters should be obtained in writing in a management representation letter as one
of the final steps in the audit, as will be explained in Chapter 14.

Cloud 9 - Continuing Case


As Josh and Suzie finalize their plans for substantive tests in the purchasing process, they recognize that a significant number of tests of transactions were accomplished with dual-purpose tests for testing controls. With cutoff controls being performed monthly, they decided to test cutoff at interim with a dual-purpose test, plus retesting Cloud 9’s internal control and simultaneously performing substantive cutoff procedures at year-end. Josh did not feel that confirmations of payables was an effective procedure. Josh felt the audit team could perform a search for unrecorded liabilities at year-end, rather than performing the procedure at an interim date and performing roll forward tests. Josh felt that performing the search for unrecorded liabilities at year-end would not be overly time-consuming, and it would be good to have evidence as of the balance sheet date.

Before You Go On
9.1 Which assertion is of primary importance to the auditor in auditing accounts payable? Why?
9.2 Your classmate believes the auditor’s responsibility for confirming accounts payable is the
same as for accounts receivable. Do you agree with your classmate? Explain.
9.3 Explain the following audit test and the assertion(s) that are evaluated with this audit
procedure: Vouch recorded payables to supporting documents.
9.4 Explain the following audit test and the assertion(s) that are evaluated with this audit
procedure: Perform a search for unrecorded liabilities.
9.5 Explain the following audit test and the assertion(s) that are evaluated with this audit
procedure: Determine that payables are properly identified and classified.
9.6 List several common disclosures required for purchases and accounts payable.

Appendix 12A   Auditing Payroll

Explain the Nature of Payroll Transactions and Balances


Learning Objective 10*
Explain the nature of payroll transactions and balances.

This appendix focuses on auditing payroll transactions and balances and follows the same format as the previous discussions of the revenue and purchasing processes. The presentation in this appendix is abbreviated compared to the chapter discussions, with a focus on understanding the business and industry, inherent risks, expected controls and control risk, and substantive tests in the payroll process. For many businesses, the payroll process includes a significant volume of routine transactions. The payroll process includes transactions and balances related to the payment of salaries, hourly and incentive compensation, commissions, and bonuses. The following discussion does not include additional payroll transactions such as stock options, pension benefits, or other benefits tied to payroll, such as health insurance or paid vacations. In many companies, payroll is recorded when paid, and payroll taxes are accrued at the same time. If the pay period does not coincide with the end of month, end of quarter, or end of fiscal year, accruals should be made for payroll payable.
The payroll process interfaces with the expenditure process. Payment of payroll and payroll taxes relates to cash disbursements transactions in the expenditure process. Many companies create an imprest payroll bank account used for payroll disbursements. An imprest payroll bank account means that only payroll transactions go through this bank account and, each pay period, only the exact amount necessary to clear net payroll transactions is transferred into the account. Then the payroll disbursements are made (often by electronic funds transfer) and the book balance in the account is zero. If payroll is paid by check, then the balance in the bank account relates only to outstanding checks. The transactions in the payroll process are depicted in Illustration 12A.1. Payroll expenses might be charged to manufactured inventory via direct or indirect labor accounts, or they might be charged to various accounts associated with selling, general, and administrative expenses.

payroll process  transactions and balances related to the payment of salaries, hourly and incentive compensation, commissions, and bonuses

imprest payroll bank account  a bank account that only processes payroll transactions; only the exact amount needed to clear net payroll transactions is transferred into this account, and after payroll disbursements are made the balance in the account is zero

ILLUSTRATION 12A.1   Payroll transactions

Payroll transactions                         Debit                  Credit
Payroll paid                                 Payroll Expense        Cash
                                                                    Payroll Withholdings Payable
Payroll taxes accrued                        Payroll Tax Expense    Payroll Taxes Payable
Payroll accruals for partial pay periods     Payroll Expense        Payroll Payable
at the end of the period (two entries)                              Payroll Withholdings Payable
                                             Payroll Tax Expense    Payroll Taxes Payable

Sufficient and appropriate evidence for the payroll process should be obtained for the
following assertions outlined in Illustration 12A.2. The rights and obligations for payroll and
payroll taxes payable relate to whether the payable reflects the recorded liability of the entity.
This may not be a significant assertion, and it is often tested as part of testing the existence or
occurrence assertions.
 Appendix 12A: Auditing Payroll  12-35

Illustration 12A.2   Key payroll process assertions

| Relevant Transaction Classes | Relevant Account Balances | Relevant Disclosures |
|---|---|---|
| Payroll expense; Payroll tax expense | Payroll payable; Payroll taxes payable; Payroll withholdings payable | Payroll disclosures |
| Assertions | Assertions | Assertions |
| Occurrence; Completeness; Accuracy; Cutoff; Classification | Existence; Rights and obligations; Completeness; Valuation and allocation at historical cost | Occurrence and rights and obligations; Completeness; Classification and understandability; Accuracy and valuation |

Before You Go On
10.1 Explain what should be accrued at month-end if payroll is paid in cash and payroll pay
periods do not coincide with month-end.
10.2 Explain what an imprest payroll bank account is and how it works.

Understanding the Entity and Its Environment


LEARNING OBJECTIVE 11*
Evaluate how an auditor’s understanding of an entity and its environment affects
audit planning decisions in the payroll process.

Understanding the Client’s Payroll Process


Detailed statistics on labor costs by industry are not readily available, except for specific trade
associations. However, some organizations, such as a college or university, are labor-intensive.
The audit of the payroll process may be significant for a university; 70–75% of the annual
budget might be expended for personnel services and benefits. The hotel industry is a service
industry that also depends on effective utilization of personnel. Today, the majority of employment
in the U.S. economy is in the service sector.
Personnel services may vary in importance to various manufacturers, wholesalers, and
retailers. Some industries may vary widely on the labor-intensiveness of the manufacturing
process. Before proceeding with the audit of the payroll process, it is important for the auditor
to understand:

•  The importance of human resources to the overall entity (i.e., is the entity labor-intensive
or capital-intensive?).
•  The nature of compensation, as hourly compensation requires a different control system
than salaried compensation.
•  The importance of various compensation packages, such as bonuses or other compensation
arrangements.

If an entity’s compensation is primarily salary-based and demonstrates a predictable
relationship to the delivery of services, the auditor may emphasize analytical procedures in the
development of audit strategy. If compensation expenses are based on hourly pay and show a
high degree of variability throughout the period, the auditor may emphasize testing controls.

12-36  Chapter 12  Auditing the Purchasing and Payroll Processes

Analytical Procedures
The auditor usually will perform analytical procedures as part of risk assessment procedures
because they are cost-effective. Examples of analytical procedures the auditor might use for
the payroll process are presented in Illustration 12A.3. Analytical procedures may be useful
in identifying potential fraud, such as when gross payroll per employee exceeds the auditor’s
expectations. This type of procedure is most effective when the auditor uses generalized audit
software to sort employees by category and then evaluates the average pay by category of employees.
For example, if the auditor were performing this test for a professional baseball team,
professional ballplayers should be segregated from front-office personnel, who in turn should
be segregated from employees who sell hot dogs at the ball games. If every class of employee
is lumped together, the analytical procedure becomes ineffective.

Illustration 12A.3   Analytical procedures commonly used to audit the payroll process

| Ratio | Formula | Audit Significance |
|---|---|---|
| Average payroll cost per employee classification | Total payroll costs for employee group ÷ Number of employees in group | Reasonableness test of gross payroll for a group of employees. Many companies have more than one class of employee, and it is important to evaluate the reasonableness of payroll based on employee class. |
| Revenue per employee | Total revenue ÷ Number of full-time employees | This may be a measure of productivity per employee. This is particularly important in services industries and would be compared with industry statistics. |
| Total payroll costs as a percent of revenues | Total payroll expenses ÷ Total revenues | Reasonableness test of payroll costs. This is often compared with industry statistics. |
| Payroll tax expense as a percent of gross payroll | Total payroll tax expenses ÷ Gross payroll | Reasonableness test of payroll taxes. This can often be compared with standard tax rates. |
| Compare payroll expenses (salaries and wages, commissions, bonuses) with prior-year balances or budgets | Current-year payroll expenses ÷ Prior-year payroll expenses | Reasonableness test for payroll expenses if the ratio is significantly different from 1.0. |
| Compare current-year payroll liability with prior-year payroll liability | Current-year payroll tax liability ÷ Prior-year payroll tax liability adjusted for growth in payroll volume | Reasonableness test for payroll liability if the ratio is significantly different from 1.0. |
| Employee benefits expenses as a percent of gross payroll | Total benefits expenses ÷ Gross payroll | Reasonableness test of benefits expenses. This is often compared with industry statistics. |

In some cases, the auditor may be able to develop accurate expectations regarding an organization’s
payroll. In a university, for example, the auditor can develop accurate estimates of
the number of full-time faculty and gross pay for those faculty in a school or college given the
number of full-time-equivalent students. As the auditor develops more reliable expectations,
he or she may place more assurance on that evidence than if expectations are rather broad
and general. The use of generalized audit software may allow for the development of more
accurate expectations when auditing the payroll process.

Other Considerations Regarding the Entity and Its Environment
Recall from Chapter 4 (see Illustration 4.1) that an auditor should understand numerous
issues about the entity and its environment. Illustration 12A.4 summarizes important
aspects of the payroll process that an auditor should understand. The illustration provides
examples of the settings in which these factors might lead to either a higher assessment of
inherent risk or a lower assessment of inherent risk. As stated before, each audit should
be viewed independently from previous audits when an auditor updates his or her understanding
of the entity and its environment, as entity traits and characteristics may change
over time.

Illustration 12A.4   Understanding the entity and its environment in the payroll process

| Higher Inherent Risk | Key Factors Regarding the Entity and Its Environment | Lower Inherent Risk |
|---|---|---|
| Most entities must comply with state or local minimum wage laws, the U.S. Fair Labor Standards Act, and the Family Medical Leave Act. Additional legal requirements regarding payroll taxes often apply. | Compliance with laws and regulations | It is rare that legal requirements are not found in the payroll process. |
| The client does not effectively monitor payroll costs. | Client performance measurement | The client carefully monitors payroll costs compared to underlying business activity. |
| These are usually not a significant issue as material compensation transactions with related parties are excluded from required disclosures. | Related party transactions | Typical disclosure requirements for material related party transactions exclude compensation arrangements. |
| Corporate governance provides little or no independent oversight of management. | Corporate governance | Corporate governance provides strong oversight of management. |
| Employees are paid weekly, or every other week, and pay periods do not align well with month-end. | Month-end, quarter-end, and year-end closing procedures | Employees are paid monthly, and significant cutoff issues do not exist. |

Before You Go On
11.1 Explain how auditing the payroll process might be different for a manufacturer in a capital-
intensive manufacturing business than for a college or university.
11.2 Explain how the timing of pay periods not aligning with month-end influences inherent
risk.

Inherent Risks Related to Payroll


LEARNING OBJECTIVE 12*
Determine inherent risk for various assertions in the payroll process.

The auditor is rarely concerned about the completeness assertion in the payroll process as
most employees quickly follow up with their employers if they are not paid. However, payroll
fraud (occurrence of payroll expense) is a major concern for the auditor. Fraud may occur at
two levels. First, employees involved in preparing and paying the payroll may process data for
fictitious employees and then divert the payroll payments to their own use. When there is frequent
turnover of personnel in a company, there is the risk that a terminated employee might
be continued on the payroll. Second, there is a risk that management may overtly misclassify
or “pad” labor costs in government contract work to defraud the agency.
Pay periods may be weekly, bimonthly, or monthly. If pay periods do not align well
with month-end, quarter-end, or year-end, then the risk of cutoff problems associated with
accruing unpaid payroll increases. If factory workers are paid based on time and/or productivity,
or if payroll computations are subject to complex rules, inherent risk for accuracy
may be high.

Before You Go On
12.1 Why are auditors less concerned about the understatement of payroll liabilities and expenses?
12.2 Explain two significant inherent risks in the payroll process.

Control Activities for Payroll


LEARNING OBJECTIVE 13*
Evaluate control activities for payroll transactions.

The following discussion continues to focus on transaction-level controls. It is assumed the
auditor has already obtained an understanding of entity-level controls, and management
has emphasized an awareness about the risks associated with paying fictitious payroll, or
about ensuring that period-end cutoff is accurate. Further, a strong tone at the top discourages
efforts to misclassify or “pad” labor costs in contract arrangements. Many of the
controls discussed below focus on IT application controls implemented by a company. The
following discussion assumes IT general controls are strong, and the auditor will need to
understand and eventually test the effectiveness of manual follow-up of exceptions noted
by IT application controls.

Example Transaction Flows—Payroll


The transaction flow in a typical payroll process focuses on authorizing payroll, employee
working hours, and paying payroll. At month-end, a company must consider whether unpaid
payroll needs to be accrued by way of an adjusting journal entry. Common documents and
files that are found in the payroll process include:

Source Documents and Related Electronic Files

•  Payroll authorization—Written request to put a new employee on the payroll.
•  Approved payroll master file—Electronic file containing pertinent information on employees
that have been approved for payroll payments.
•  Time card—Written or electronic record of hours worked.

Recording Document

•  Payroll disbursement, EFT, or paycheck—An internal document indicating the employee,
gross payroll, payroll deductions, and net payroll paid.
•  Payroll journal—The journal of original entry where each payroll paid is recorded.
•  Payroll tax returns—Tax returns based on gross payroll, reporting taxes due to state and
local governments.

Important Databases or Other Documents

•  Payroll process database—Electronic files that accumulate data on payroll expenses, payroll
liabilities, and related cash disbursements.
An example of how these documents commonly flow is illustrated in Illustration 12A.5,
which is followed by a brief discussion of how payroll transactions are processed in many
companies.

Illustration 12A.5   Example flow of transactions for payroll

[Flowchart with three columns: Process, Documents, and Files and Databases. Authorization: update personnel master file (personnel authorization, master file change report; payroll master file, payroll and G/L database). Hours Worked: hours are worked (time card; payroll and G/L database). Recording: pay payroll (paycheck; payroll and G/L database), record in payroll journal (payroll tax returns), post to general ledger, month-end journal entry.]

In the flowchart, observe that responsibility for (1) authorizing payroll, (2) recording hours
worked, and (3) paying and recording payroll should be segregated. This segregation of duties
contributes significantly to reducing the risk of payments to fictitious employees or excessive
payments to actual employees due to inflated rates or hours.

Initiating Payroll Transactions


Hiring employees. The hiring of employees is usually done in the human resources (HR) personnel
department. All hiring should be documented on an HR authorization form. The form should
indicate the job classification, starting wage rate, and authorized payroll deductions. In the system
shown in Illustration 12A.5, authorized individuals in the personnel department gain access to
the personnel data master file by entering a password before entering data on new hires. A regular
IT-generated log of all changes to the master file should be printed and independently checked by
an HR manager not involved in entering the data into the system. Usually, a copy of the personnel
authorization form is placed in the employee’s personnel file in the HR department. Controls over
adding new hires to the HR data master file reduce the risk of payroll payments to fictitious employees.
Thus, they relate to the occurrence assertion for payroll transactions.
Authorizing payroll changes. The request for a change in job classification or a wage rate
increase may be initiated by the employee’s supervisor. However, all changes should be authorized
in writing by the HR department before being entered in the personnel data master
file. Other controls over entering the changes in the software application and distributing
the change forms are the same as discussed above for new hires. These controls over payroll
changes help to ensure the accuracy of the payroll. The HR department should also issue a
termination notice on completion of an individual’s employment. Prompt updating of the
personnel data master file is vital in preventing terminated employees from continuing on the
payroll. Thus, this control relates to the occurrence assertion.

Receive Services from Employees


In many companies, a timekeeping department is responsible for this function. Time clocks
are frequently used to record time worked by an employee when a clock card or employee card
(electronic fob) or code is inserted into the clock. To prevent one employee from “punching
in” for another employee, security or supervisory personnel should supervise the clock card
procedures. Management should also review and approve hours worked before they are paid.
For factory employees, clock hours are usually supported by time tickets showing the type
of work done (direct or indirect labor) and the jobs to which direct labor hours are to be charged.
Increasingly, these records are kept in electronic form. By ensuring accurate data are accumulated
on time worked, controls over the timekeeping function relate to the occurrence, completeness,
and accuracy assertions for payroll transactions. Supervisory approval often is used to validate the
payment of salaried employees, and it may also facilitate proper classification of payroll.

Recording and Paying Payroll


Preparing the payroll. Information from electronic time cards should be forwarded to the supervisor
for review and electronic approval. The file is then electronically forwarded to payroll
for processing. Before processing payroll, the payroll program will check the employee number
and pay rates against the master payroll information. The program may also place a limit test
on hours worked or gross payroll expenses. The output of the payroll program should consist of
valid payroll transactions and an exceptions and control report that is sent to data control. Data
control compares the control totals and batch totals, informs the payroll department of exceptions
discovered by the edit routine, and follows up to confirm that corrected data is processed.
These controls over the payroll processing relate to the occurrence, completeness, accuracy, and
classification assertions. The data associated with valid payroll transactions and the employee
master file are used to calculate payroll and prepare the payroll register and payroll
disbursements.
Recording the payroll. As the gross pay, deductions and net pay are calculated for each
employee, the payroll program updates the payroll master file for year-to-date payroll transactions
and accumulates totals for entries in the payroll journal. Another important control over
paying the payroll in most large companies is the use of an imprest payroll bank account on
which all payroll checks are drawn.
Filing payroll tax returns. Payroll tax returns must be filed for amounts withheld from
employees for federal income taxes and Social Security, and for the Social Security and federal
and state taxes levied on the employer. Returns must be filed on a timely basis to avoid
penalties and interest payments, and possibly even criminal charges. Responsibility should be
clearly assigned for performing this function according to a schedule that conforms to federal
and state filing and payment deadlines.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Payroll
At this point, we have established an audit process whereby, once the auditor understands
the flow of transactions, the auditor should evaluate what can go wrong, identify potential
controls that management has placed in operation, and then identify key controls the auditor
wants to test. Illustration 12A.6 summarizes the flow of transactions through the payroll
process, key documents and files, what can go wrong, and example controls for payroll. As
you review Illustration 12A.6, try to associate particular controls with the assertions they are
controlling. Also, think about what these controls have in common with controls you have
studied in the revenue and purchasing processes.
Illustration 12A.6   Payroll transactions—WCGW and example controls

| Transaction | Documents and Files | Risks (WCGW) | Example Control |
|---|---|---|---|
| Authorizing payroll | Payroll master file | Payroll may be paid to fictitious employees. | Only a limited number of individuals can change the payroll master file, and this duty should be segregated from recording payroll transactions. All file changes are reviewed by appropriate levels of management. The personnel master file is also reviewed to remove employees no longer working for the organization. |
| Hours are worked | Electronic time cards | Employees may be paid for hours not worked. | Supervisory review of hours worked for hourly and salaried employees. |
| Recording payroll | Payroll database | Payroll may not be recorded. | The software application prints a report of all hours that have not been paid. A month-end accrual is made for payroll worked between the last pay period and period end. Employees will complain if they work and are not paid. |
| | Payroll database | Payroll may be paid to fictitious employees. | Each payroll is matched with the payroll master file. The software application matches payroll disbursement to hours worked. |
| | Payroll database | Payroll may be recorded in the incorrect amount (incorrect hours or wage rates). | The software application matches hours with the time card information and wage rate with the master payroll file. |
| | Payroll database | Payroll may be recorded in the incorrect accounting period. | At month-end, the software application generates a report of hours worked but not paid. This report is the basis of end-of-period journal entries reviewed and approved, and reversed in the subsequent period. |
| | Payroll database | Vouchers may be posted to incorrect accounts. | The software application checks wage classification against the master payroll file. Wage classification is also reviewed and approved by a supervisor when approving hours worked. |
| | Payroll database | Payroll may be paid to the wrong employee. | The software application matches employee number on the time card with employee number on the master payroll file. Employees will complain if they work and are not paid. |

As noted in other transaction classes, when choosing controls for control testing, the auditor
will find a key control (the most important control) for each assertion. Following are example
controls that auditors often look for when identifying key controls. The examples rely significantly
on IT application controls to flag potential misstatements. In this case, the auditor
must understand both the IT control and how client personnel follow up on exceptions on a
timely basis.
Completeness of payroll. The software application starts with a population of hours
worked and develops a one-for-one match with hours paid. A report is generated for hours
worked that does not result in a payroll disbursement. At the end of the month, a report is
prepared of hours worked that need to be accrued. This report is compared to any adjusting
journal entry to accrue payroll expenses.
Occurrence of payroll. The software application starts with the population of payroll
disbursements and develops a one-for-one match with underlying approved hours
worked. A report is generated each pay period of any payroll that is not supported by
hours worked. The employee number is also compared with the approved master payroll
file. A report is generated of any transactions that are not supported by underlying documents
or files.
Accuracy of payroll. The software application starts with the population of payroll disbursements
and compares hours worked with underlying time approved, and compares wage
rates with the master payroll file. A report is generated of any transactions that are not supported
by underlying documents or files.
Payroll cutoff. At month-end, the software application generates a report of hours worked
but not paid. This report is the basis of end-of-period journal entries that are reviewed and
independently approved.
Classification of expenses and payroll. The software application checks wage classification
against master payroll file. Wage classification is also reviewed and approved by a supervisor
when approving hours worked. A report is generated each pay period of any payroll showing
incorrect account coding.
Completeness of payroll payables, existence of payroll payable, and valuation of payables
at historic cost. At month-end, the software application generates a report of hours worked
but not paid. This report is the basis of an end-of-period journal entry that is reviewed and
independently approved.

Audit Reasoning Example: Understanding Manual Follow-Up Procedures

Shelly is auditing a large construction company and is doing a system walkthrough. Shelly talked
to Frank, a client employee responsible for following up on exceptions flagged by the IT system.
Shelly wanted to know if Frank had seen any exceptions where the system identified employees
who had not worked during the current time period. Frank responded, “It is very rare, and I only
remember one instance. About two months ago, the payroll system flagged over 25 employees for
further investigation. It turned out that we had settled a union contract and employees were given
a retroactive pay raise. At that time, we had about 25–30 employees who did not work during the
current pay period but had previously worked and earned pay for the retroactive pay raise.” Shelly
was impressed that Frank understood what the IT system was looking for, and it appeared that the
internal control was placed in operation. Shelly documented the conversation and made a point
to test some of Frank’s follow-up on the exceptions to make sure the entire control system was
working effectively.

Before You Go On
13.1 How are financial statements misstated if there is a material misstatement in the occurrence
assertion regarding payroll? Describe a key control to detect and correct this
problem.
13.2 How are financial statements misstated if there is a material misstatement in the accuracy
assertion regarding payroll? Describe a key control to detect and correct this problem.
13.3 How are financial statements misstated if there is a material misstatement in the classification
of payroll? Describe a key control to detect and correct this problem.

Tests of Controls in the Payroll Process and Audit Strategy


LEARNING OBJECTIVE 14*
Determine how to design and perform tests of controls in the payroll process and
connect the results of control testing to audit strategy.

The following discussion identifies potential tests of controls to be used to test a client’s controls
in the payroll process. Once the auditor has evaluated the quality of the system of internal
control, the audit team is in a good position to evaluate the opportunity for fraud risk.
The fraud risk assessment should be approached with professional skepticism. Finally, this
section focuses on the links between risk of material misstatement and subsequent strategy
for substantive testing.
Tests of Controls for Payroll


Most auditors plan to test controls in the payroll process because of the high volume of routine
transactions. Public company auditors test controls to support an opinion on internal
control. Auditors of private companies may decide to test controls that appear to be effective
because of the audit efficiencies that exist when the client has effective controls in place,
particularly for a payroll-intensive entity like a university, a hotel, or another entity in the
service industry.
If the client relies on IT controls and the auditor plans to assess control risk as low for
payroll assertions, the auditor will usually:

•  Test the effectiveness of general controls.
•  Use generalized audit software to evaluate the effectiveness of IT application controls.
•  Test the effectiveness of manual procedures to follow up on exceptions identified by IT
application controls.

As discussed in previous chapters, the auditor will usually test the effectiveness of IT
general controls as part of testing entity-level controls. For example, when testing the control
environment, the auditor might pay particular attention to making inquiries and collecting
supporting evidence regarding employee awareness of IT security issues. If the auditor is
testing issues regarding controls over program changes, the auditor might determine how
program access is controlled and monitored, look at logs of program access or incident reports,
and talk to users about their involvement in program changes affecting their responsibilities.
The auditor will want to pay attention to segregation of duties regarding access to
programs and access to data, the effectiveness of password controls, and the follow-up of any
incident reports regarding unauthorized access. Many of these tests are performed by an IT
audit specialist.
Auditors often use test data to test IT application controls and determine whether expected
results appear on exception reports. For example, in the payroll process the auditor
might submit:

•  A missing or invalid employee number.
•  Inaccurate hours worked compared to hours processed to be paid.
•  Inaccurate wage rates compared to the master payroll file.
•  Inaccurate account classifications compared to the master payroll file.
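
The matching controls described under the key controls above, and the test-data approach just listed, can be sketched as follows. This is an added example, not code from the textbook or from any payroll product; the master file, approved hours, exception codes, and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D

# Constructed master payroll file (all names and values are made-up sample data).
MASTER_FILE = {
    "E1001": {"rate": D("32.50"), "account": "direct_labor", "active": True},
    "E1002": {"rate": D("24.00"), "account": "indirect_labor", "active": True},
    "E1003": {"rate": D("41.75"), "account": "sga_salaries", "active": False},  # terminated
}
# Constructed supervisor-approved hours for one pay period.
APPROVED_HOURS = {"E1001": D("80.0"), "E1002": D("76.5")}


@dataclass(frozen=True)
class Disbursement:
    ref: str
    employee_no: str
    hours_paid: D
    rate_paid: D
    account: str


def edit_checks(d):
    """Return the exception codes raised by one proposed payroll disbursement."""
    master = MASTER_FILE.get(d.employee_no)
    if master is None or not master["active"]:
        # Occurrence: nobody on the approved master file stands behind this payment.
        return ["INVALID_EMPLOYEE"]
    codes = []
    approved = APPROVED_HOURS.get(d.employee_no)
    if approved is None:
        codes.append("NO_APPROVED_HOURS")   # occurrence
    elif approved != d.hours_paid:
        codes.append("HOURS_MISMATCH")      # accuracy
    if d.rate_paid != master["rate"]:
        codes.append("RATE_MISMATCH")       # accuracy
    if d.account != master["account"]:
        codes.append("ACCOUNT_MISMATCH")    # classification
    return codes


def run_payroll_edit(batch):
    """Split a batch into valid transactions, an exception report, and unpaid approved hours."""
    valid, exceptions = [], {}
    for d in batch:
        codes = edit_checks(d)
        if codes:
            exceptions[d.ref] = codes
        else:
            valid.append(d)
    paid = {d.employee_no for d in valid}
    # Completeness: approved hours that did not result in a valid disbursement.
    unpaid_hours = sorted(emp for emp in APPROVED_HOURS if emp not in paid)
    return [d.ref for d in valid], exceptions, unpaid_hours


# Auditor test data: one clean transaction plus the four kinds of bad input listed above.
TEST_BATCH = [
    Disbursement("T1", "E1001", D("80.0"), D("32.50"), "direct_labor"),
    Disbursement("T2", "", D("40.0"), D("20.00"), "direct_labor"),         # missing number
    Disbursement("T3", "E9999", D("40.0"), D("20.00"), "direct_labor"),    # invalid number
    Disbursement("T4", "E1002", D("86.5"), D("24.00"), "indirect_labor"),  # wrong hours
    Disbursement("T5", "E1002", D("76.5"), D("26.00"), "indirect_labor"),  # wrong rate
    Disbursement("T6", "E1002", D("76.5"), D("24.00"), "direct_labor"),    # wrong account
    Disbursement("T7", "E1003", D("80.0"), D("41.75"), "sga_salaries"),    # terminated
]
# What the auditor expects to see on the exception report for the test batch.
EXPECTED = {
    "T2": ["INVALID_EMPLOYEE"], "T3": ["INVALID_EMPLOYEE"], "T4": ["HOURS_MISMATCH"],
    "T5": ["RATE_MISMATCH"], "T6": ["ACCOUNT_MISMATCH"], "T7": ["INVALID_EMPLOYEE"],
}


def control_deviations(expected, actual):
    """Test references whose exception-report result differs from the auditor's expectation."""
    return sorted(ref for ref in set(expected) | set(actual)
                  if expected.get(ref) != actual.get(ref))


if __name__ == "__main__":
    valid, exceptions, unpaid = run_payroll_edit(TEST_BATCH)
    print("valid:", valid)
    print("exceptions:", exceptions)
    print("approved hours not paid:", unpaid)
    print("deviations from expectation:", control_deviations(EXPECTED, exceptions))
```

An empty deviation list means every test item landed on the exception report as expected; any reference it returns is an application control that did not operate as described.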

The auditor may also want to test important manual controls, such as supervisor approval
of time and account classifications, by reperforming these controls. Finally, the auditor
will need to test the appropriateness of manual follow-up of exceptions noted by the software
application. If exception reports are printed each pay period, the auditor might select
a sample of exception reports to determine if exceptions are cleared before payroll is paid.
The auditor might make inquiries of personnel responsible for clearing exceptions to determine
their awareness of the types of misstatements that might appear on exception reports,
and their sensitivity to issues that result in the overpayment of payroll or paying fictitious
employees. The auditor should also follow through on previously noted exceptions to
determine they were cleared appropriately and on a timely basis.

Fraud Risk Assessment


After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud
risk. The risk of misappropriation of assets is a significant risk in the payroll process. The risks
are (1) paying a fictitious employee or (2) paying for more hours than are actually worked. In
entities with poor segregation of duties, weak internal controls, and a significant volume of
payroll transactions, this must be considered a significant risk. In certain industries that bill
on a cost-plus basis, auditors also need to be alert to the risk of padding payroll in order to
increase revenues. Whether addressing the fictitious employee, or addressing padded payroll
expenses, the auditor needs to be alert to potential occurrence or accuracy problems.
Payroll fraud can be reduced with strong controls over the payroll master files and by
ensuring there is strong underlying support for payments to employees. Ultimately, a key
aspect of fraud risk relates to the way effective internal controls minimize the opportunity
to commit fraud. An auditor’s concerns are heightened when the control environment is
weak or control activities are nonexistent. In not-for-profit organizations, smaller companies,
or smaller governments, segregation of duties may be weak or nonexistent. In these
cases, the auditor with appropriate professional skepticism should consider fraud risk to
be high and design effective substantive tests to provide reasonable assurance of detecting
material fraud.

Audit Data Analytics Used in Fraud Risk Assessment
The use of ADA may be effective in organizations with a single payroll system, such as large
universities with multiple departments or campuses, governments of large cities or counties,
or state governments. Large public companies may have internal controls to look for the following
indicators of payroll fraud, but private companies, not-for-profit organizations, or governments
may not have made the same investment in internal controls. The auditor might use
ADA to compare payroll payments with the supporting human resource files, looking for the
following indicators of possible payroll fraud:

•  Multiple employees with the same information in the payroll system such as bank account
routing number, Social Security number, or same home address.
•  Employees on the payroll register prior to their start date or after their termination date.
•  Multiple paychecks issued to an employee within a single pay period.
•  Bonuses paid to employees who are not eligible.
•  Inappropriate wage levels given the employee’s classification.

As with any use of ADA, the auditor’s knowledge of the client helps refine the auditor’s
ability to identify potential anomalies, and there may be legitimate business reasons for some
anomalies. Nevertheless, the auditor should investigate items flagged for further investigation
with appropriate professional skepticism.
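
The indicators listed above can be tested over the whole payroll population rather than a sample. The following Python code is an added example, not taken from the textbook; the record layouts, field names, pay bands, and all sample data are constructed for illustration, and the check for payments with no HR record is an extra test implied by comparing the register with the HR files.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed HR master file: one record per employee (all values are made up).
HR = {
    "E100": dict(ssn="000-00-0001", bank="RT0001:ACCT1111", address="12 Elm St",
                 start=date(2020, 1, 6), end=None, grade="CLERK", bonus_ok=False),
    "E101": dict(ssn="000-00-0002", bank="RT0001:ACCT2222", address="40 Oak Ave",
                 start=date(2024, 3, 4), end=None, grade="CLERK", bonus_ok=False),
    "E102": dict(ssn="000-00-0003", bank="RT0001:ACCT1111", address="9 Pine Rd",
                 start=date(2019, 5, 1), end=date(2024, 2, 16), grade="MANAGER", bonus_ok=True),
    "E103": dict(ssn="000-00-0004", bank="RT0001:ACCT4444", address="77 Lake Dr",
                 start=date(2018, 9, 3), end=None, grade="MANAGER", bonus_ok=True),
}
# Constructed gross-pay band per pay period for each employee classification.
PAY_BANDS = {"CLERK": (1200, 2000), "MANAGER": (3000, 5000)}
# Constructed payroll register rows: (employee, period_start, period_end, gross, bonus).
REGISTER = [
    ("E100", date(2024, 2, 5), date(2024, 2, 18), 1500, 0),
    ("E100", date(2024, 2, 5), date(2024, 2, 18), 1500, 0),    # second check, same period
    ("E101", date(2024, 2, 19), date(2024, 3, 3), 1400, 0),    # period ends before start date
    ("E101", date(2024, 3, 4), date(2024, 3, 17), 1400, 250),  # bonus paid, not eligible
    ("E102", date(2024, 2, 5), date(2024, 2, 18), 4000, 0),
    ("E102", date(2024, 2, 19), date(2024, 3, 3), 4000, 0),    # period starts after termination
    ("E103", date(2024, 2, 5), date(2024, 2, 18), 6500, 500),  # gross above the MANAGER band
    ("E999", date(2024, 2, 5), date(2024, 2, 18), 1800, 0),    # no HR record at all
]


def shared_master_data(hr, fields=("ssn", "bank", "address")):
    """Employees whose SSN, bank account or home address matches another employee's."""
    flags = []
    for field in fields:
        owners = defaultdict(list)
        for emp_id, rec in hr.items():
            owners[rec[field]].append(emp_id)
        for ids in owners.values():
            if len(ids) > 1:
                flags.append((f"SHARED_{field.upper()}", tuple(sorted(ids))))
    return flags


def register_exceptions(hr, register, bands):
    """Compare every payroll register row with the HR master file."""
    flags = []
    checks = Counter((emp, start, end) for emp, start, end, _, _ in register)
    for (emp, _, _), count in checks.items():
        if count > 1:
            flags.append(("MULTIPLE_CHECKS_IN_PERIOD", (emp,)))
    for emp, p_start, p_end, gross, bonus in register:
        rec = hr.get(emp)
        if rec is None:
            flags.append(("NO_HR_RECORD", (emp,)))
            continue
        if p_end < rec["start"]:
            flags.append(("PAID_BEFORE_START", (emp,)))
        if rec["end"] is not None and p_start > rec["end"]:
            flags.append(("PAID_AFTER_TERMINATION", (emp,)))
        if bonus > 0 and not rec["bonus_ok"]:
            flags.append(("INELIGIBLE_BONUS", (emp,)))
        low, high = bands[rec["grade"]]
        if not low <= gross <= high:
            flags.append(("WAGE_OUTSIDE_BAND", (emp,)))
    return flags


def payroll_fraud_indicators(hr=HR, register=REGISTER, bands=PAY_BANDS):
    """Full-population run: sorted, de-duplicated list of (indicator, employees)."""
    return sorted(set(shared_master_data(hr) + register_exceptions(hr, register, bands)))


if __name__ == "__main__":
    for indicator, employees in payroll_fraud_indicators():
        print(f"{indicator:28} {', '.join(employees)}")
```

Each flag is a candidate for follow-up, not a conclusion: a shared bank account, for example, may belong to two employees in the same household.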

The Risk of Material Misstatement and Audit Strategy
When an entity has a significant volume of payroll transactions, inherent risk would normally
be considered high for the occurrence assertion due to the risk of fictitious employees on the
payroll, over-reporting hours, and over-reporting payroll costs on cost-plus contracts. Inherent
risk may also be high for the cutoff assertion when there is a significant volume of payroll
transactions and pay periods do not line up well with month-end. Inherent risk is moderate
for the completeness assertion because employees will complain if they are not paid, minimiz-
ing the risk of unrecorded payroll. Inherent risk is also moderate for accuracy when payroll
calculations are not complex.
The control risk assessment for each assertion will depend on the results of tests of
controls for each assertion. If the auditor’s expectations regarding effective controls are not
confirmed, the auditor will need to evaluate the significance of the deficiencies noted and
determine if the client has a compensating control in place. If no compensating controls
exist, the auditor will need to revise the audit strategy, determine if fraud risk is increased
as a result of the internal control deficiency, and determine how to revise planned substan-
tive tests for the payroll process. The auditor may need to change the timing of planned
substantive tests related to an assertion from interim testing to testing accrued payroll bal-
ances at year-end. The auditor may also have to consider increasing sample sizes when
sampling is involved. Finally, if the auditor determines material weaknesses or significant
deficiencies exist in internal controls over payroll, the auditor will need to communicate
significant deficiencies or material weaknesses to management and to those charged with
governance of the entity.

Before You Go On
14.1 If the auditor has identified an IT application control related to the occurrence of payroll
transactions, and IT general controls have already been determined to be effective, sug-
gest how the auditor might test the effectiveness of such IT controls and related manual
follow-up.
14.2 Explain the fraud associated with payments to fictitious employees. What controls might
prevent this from happening?
14.3 Assume an auditor is auditing a rural fire district with poor segregation of duties in the
payroll process. What are the most significant risks in this case? What are the implications
for developing an audit strategy in the payroll process?

Substantive Tests for the Payroll Process


LEARNING OBJECTIVE 15*
Assess detection risk and design substantive tests, including audit data analytics, to
address various assertions related to payroll.

Substantive tests of payroll transactions are often performed at an interim date as part of a
dual-purpose test. Interim substantive tests of payroll balances may be performed if internal
controls are strong, or at year-end if internal controls are weak. Payroll balances normally in-
clude accrued liabilities for salaries, wages, commissions, bonuses, employee benefits, payroll
taxes, and related expense accounts. Suggested substantive tests of payroll transactions and
balances are shown in Illustration 12A.7. Each of the substantive tests is discussed with
selected comments about how the procedures can be tailored based on the acceptable level of
detection risk to be achieved.

Illustration 12A.7   Substantive tests of payroll process

Each substantive test is followed by its relevant assertions in parentheses.

Category: Initial procedures
1.  Obtain an understanding of the business and industry and determine: (Relevant assertions: All)
    a.  The significance of payroll costs to the business.
    b.  Key economic drivers for payroll costs.
    c.  The extent to which the client has defined benefit pension plans or uses other incentive compensation plans.
2.  Perform initial procedures on payroll balances and records that will be subjected to further testing.
    a.  Trace beginning accrued payroll balances to prior year’s working papers. (Relevant assertions: Valuation and allocation)
    b.  Review activity in payroll accounts and investigate entries that appear unusual in amount or source. (Relevant assertions: Occurrence, Accuracy)
    c.  Verify totals of payroll registers and other subsidiary ledgers for agreement with general ledger balances. (Relevant assertions: Valuation and allocation)

Category: Analytical procedures
3.  Perform analytical procedures: (Relevant assertions: All)
    a.  Review industry experience and trends.
    b.  Examine analysis of payroll costs.
    c.  Review relationship of payroll costs to recent production and sales activities.

Category: Tests of details of transactions
4.  On a test basis, vouch payroll transactions to supporting documentation (e.g., time cards, employee contracts, bonus arrangements, and incentive compensation agreements). (Relevant assertions: Occurrence, Accuracy, Classification)
5.  On a test basis, vouch payroll tax transactions to supporting documentation (e.g., underlying gross payroll and calculation of payroll taxes). (Relevant assertions: Occurrence, Accuracy, Classification)
6.  Verify officer compensation to board of director authorization. (Relevant assertions: Occurrence, Accuracy, Classification)
7.  On a test basis, trace data from time cards and contracts to the payroll register. (Relevant assertions: Completeness)
8.  Test payroll cutoff at the end of the month (year) based on time periods worked and payroll accrual if month-end (year-end) and the end of the payroll period do not coincide. (Relevant assertions: Cutoff)

Category: Tests of details of balances
9.  Recalculate accrued payroll liabilities at year-end to underlying payroll records. (Relevant assertions: Completeness, Existence, Valuation and allocation)
10. Recalculate accrued payroll tax liabilities and vouch to subsequent cash disbursements. (Relevant assertions: Completeness, Existence, Valuation and allocation)
11. Determine that accrued payroll payables are the obligations of the entity. (Relevant assertions: Rights and obligations)

Category: Tests of presentation and disclosure
12. Compare statement presentation with GAAP.
    a.  Review presentation and disclosure for payroll costs in drafts of the financial statements and determine conformity with GAAP. (Relevant assertions: Classification and understandability, Occurrence and rights and obligations)
    b.  Evaluate the completeness of presentation and disclosures for receivables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. (Relevant assertions: Completeness)
    c.  Read disclosures and independently evaluate their understandability. (Relevant assertions: Classification and understandability)

Initial Procedures
An essential initial procedure involves obtaining an understanding of the entity’s business
and industry and expected payroll costs. This allows the auditor to develop a knowledgeable
perspective about the entity and set the context for the evaluation of analytical procedures
and tests of details. If the client is a manufacturer, it is particularly important to understand
the mix of payroll costs versus other manufacturing costs and how this interacts with the
production process. It is also important to understand incentive compensation agreements
and the degree to which these agreements might influence behavior related to other processes
(e.g., compensating executives only on the level of revenues). Finally, the auditor also needs
to understand the nature of pension agreements, stock options, and other employee benefit
costs.
In tracing beginning payroll and payroll tax payable balances to the working papers
in prior years, the auditor should make certain that any audit adjustments agreed upon in
the prior year did in fact get recorded. In addition, current period entries in the general
ledger payroll accounts should be scanned to identify any postings that are unusual in
amount or nature and require special investigation. Initial procedures also involve deter-
mining that the detailed subsidiary ledgers for payroll liabilities tie in with the general
ledger balances.

Substantive Analytical Procedures


Recall that analytical procedures are not required to be used as a substantive procedure.
Illustration 12A.3 provided examples of analytical procedures that are commonly used in
the payroll process. If analytical procedures are used as a substantive procedure during risk
response, the auditors are using data through the client’s third quarter or even the entire
year of data if the procedures are performed after year-end. Therefore, when used as a sub-
stantive procedure, the auditor typically has more data to analyze and can develop more
precise expectations of the accrued payroll account balances and the relationship between
payroll costs and hours worked. Auditors should be alert to signals of unrecorded payroll
liabilities.

Audit Data Analytics as a Substantive Test


The use of ADA as a substantive test depends on the quality of the client’s data. For ex-
ample, when auditing a university, many employees may be salaried rather than hourly
employees. The amount of gross payroll expense and the classification of payroll expense
may be easily compared to a master payroll file (assuming strong controls over the mas-
ter payroll file). The same test may be performed for employees who teach courses on a
fixed-term contract. The ability to use ADA to test the payroll for hourly employees de-
pends on how information about hours worked is captured in electronic form. If reliable
information about hours worked is captured in electronic form, the auditor can have the
software validate hours paid for the entire population of hourly workers. Further, gross
payroll and payroll deductions can be validated with information obtained from the mas-
ter payroll file.

Tests of Details of Transactions


These tests involve traditional procedures of vouching and tracing to obtain evidence about
the processing of individual payroll transactions. In addition, the auditor should also give
consideration to payroll taxes, benefits, and determining the propriety of the cutoff of payroll
transactions at the end of the accounting period. Some or all of this type of testing may be
done as part of dual-purpose tests during interim work. Examples of vouching recorded en-
tries in payroll accounts include the vouching of:

•  Transactions recorded in the payroll register to underlying source documents to
determine the appropriateness of occurrence, accuracy, and classification of payroll
costs.
•  Authorization of officers’ compensation by the board of directors.

Tracing transactions from time cards or other evidence of employees working to the payroll
register provides evidence for the completeness and accuracy of payroll costs.
Officers’ compensation may be audit sensitive for the following two reasons: (1) separate
disclosure of officers’ compensation is required in 10-K reports that public companies file
with the SEC, and (2) officers may be able to override controls and receive salaries, bonuses,
stock options, and other forms of compensation in excess of authorized amounts. For these
reasons, board of directors’ authorizations for officers’ salaries and other forms of compen-
sation should be compared with recorded amounts. This test pertains to objectives related to
each category of assertions.
Depending on how pay periods are determined, there may be a risk of material misstate-
ment associated with cutoff problems. If employees are paid every two weeks and payroll is
recorded when paid, it is possible that almost two weeks’ worth of payroll costs have not been
recorded at month-, quarter-, or year-end. The auditor should determine management’s pro-
cedures for accruing payroll costs, including the costs of gross payroll, payroll taxes, and other
benefits and test the completeness and accuracy of payroll accruals.

Tests of Details of Balances


Tests of details of balances are similar to the search for unrecorded liabilities in the purchas-
ing process. In large part, they focus on recalculating accruals and vouching subsequent cash
disbursements to underlying support. It is necessary for many companies to make a variety
of accruals at the balance sheet date for amounts owed to officers and employees for sala-
ries and wages, commissions, bonuses, vacation pay, and for amounts owed to government
agencies for payroll taxes. Although the auditor’s primary concern for payroll expenses for
the year is with overstatement, for the year-end accruals the primary concern is with under-
statement. Also of concern is consistency in the methods of calculating the accruals from
period to period.
In obtaining evidence concerning the reasonableness of management’s accruals, the au-
ditor should review management’s calculations or make independent calculations. Accruals
for payroll taxes should be compared with amounts shown on payroll tax returns. Additional
evidence is usually obtained by examining subsequent payments made on the accruals prior to
the completion of fieldwork. Evidence obtained from these tests should support the complete-
ness, existence, valuation and allocation, and rights and obligations assertions.
Many companies offer significant pension and post-retirement benefits to employees.
A number of manufacturing companies have defined benefit pension plans that present
significant issues with respect to the measurement of pension expenses as well as pension
disclosures. The most significant risks are associated with misstatements in the valuation and
allocation assertion (determining pension expenses) and the presentation and disclosure as-
sertions (writing the pension note). Defined benefit pension plans are normally subject to
requirements of the Employee Retirement Income Security Act (ERISA) of 1974, which usu-
ally requires a separate audit of the pension plan. The financial statement auditor can usu-
ally refer to the results of the ERISA audit when auditing pension expenses and disclosures.
When completing the ERISA audit, the auditor will usually employ an outside expert to audit
the important actuarial assumptions that are needed to determine pension expenses and the
projected benefit obligation. The auditor will have to comply with the requirements of AU-C
620 Using the Work of an Auditor’s Specialist or AS 1210 Using the Work of a Specialist. These
standards require the auditor to evaluate the reasonableness of the key actuarial estimates
made by the specialist, such as the discount rate that is used to determine the projected benefit
obligation and the long-term rate-of-return assumption used for the expected return on plan
assets. The discount rate should be in line with current annuity purchase rates for high-quality
fixed income investments. The long-term rate of return assumption should reflect the actual
and anticipated returns for the plan’s assets.

Tests of Disclosures
The most significant disclosures for payroll transactions are not covered as part of this dis-
cussion of routine payroll transactions. More complex payroll transactions involving stock
options, stock appreciation rights, and defined benefit pension plans require significant dis-
closures. However, these transactions are not covered as part of this appendix, which focuses
primarily on internal controls and substantive testing of a large volume of routine transac-
tions, which rarely generate significant disclosures.

Before You Go On
15.1  Which assertion is of primary importance to the auditor in auditing payroll expenses? Why?
15.2 Explain the following audit test and the assertion(s) that are evaluated with this audit pro-
cedure: Vouch payroll expenses to supporting documents.
15.3 Explain the following audit test and the assertion(s) that are evaluated with this audit
procedure: Recalculate accrued payroll tax liabilities and vouch to subsequent cash
disbursements.

Learning Objectives Review


1  Explain the nature of purchasing transactions and balances.

The purchasing process includes three major classes of transactions: (1) credit purchases, (2) cash disbursements, and (3) purchase adjustments. The primary balance sheet account in the purchasing process is accounts payable. Illustration 12.1 summarizes the transactions that go through the purchasing process, and Illustration 12.2 identifies the assertions relevant to the purchasing process. Remember, the auditor must obtain sufficient, appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion.

2  Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions related to purchases.

Different companies in different industries experience different risks associated with the purchasing process. It is important for the auditor to understand how the company uses vendor financing (accounts payable) to finance its operating cycle. Some companies with short inventory turns are quite skillful in using vendor financing as a key source of working capital. Auditors should also understand the importance of the entity’s supply chain to the business. Some raw materials or products may be very important to the business and auditors need to understand the extent to which businesses may be vulnerable to shortage of key products or materials. Finally, the auditor should also understand how related party transactions influence the purchasing process, or the potential for legal restrictions that might influence an entity’s purchasing process.

3  Determine inherent risk for various assertions in the purchasing process.

Common inherent risks in the purchasing process relate to the completeness of purchases, expenses, and payables. In addition, the risk of misappropriation of assets may be significant due to unauthorized disbursements, fictitious vendors, collusion with vendors, and weak controls in the purchasing process. Further, cutoff errors may be frequent due to receiving goods prior to receiving vendor invoices. Finally, this section also provides an example of how analytical procedures might flag an increased risk of material misstatement for some purchasing process assertions. It is critical for an auditor to use professional skepticism to recognize factors that increase inherent risk in the purchasing process, so the auditor is responsive to these risks.

4  Evaluate control activities for purchase transactions.

Each entity has a unique system of internal control tailored to the entity’s business model and its purchasing process. It is important for the auditor to (1) understand the flow of transactions for purchases, (2) identify what can go wrong in the purchasing process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 12.6 provides an example of the flow of transactions for credit purchases. Illustration 12.7 addresses what can go wrong in the process of making credit purchases and making cash disbursements, and common controls that might be found to mitigate these risks. This section concludes with a discussion of key controls that are often found related to relevant assertions for credit purchases and accounts payable.

5  Evaluate control activities for cash disbursement transactions.

This section continues the discussion of understanding the flow of transactions related to cash disbursements. While an increasing number of cash disbursements is made by way of electronic funds transfers, many U.S. companies continue to pay vendors with checks. Illustration 12.9 summarizes what can go wrong in the cash disbursement process along with common controls that might mitigate these risks. This section concludes with a discussion of key controls that might be found related to relevant cash disbursement transaction assertions.

6  Evaluate control activities in an evaluated receipt settlement system.

Evaluated receipt settlement (ERS) is a highly automated business process between suppliers and purchasers to electronically exchange data and execute a purchase transaction. ERS recognizes that the key elements of a purchase transaction involve (a) the nature and quantity of the goods received, (b) the price of the goods received, and (c) the payment terms for the goods received. While an ERS system is highly automated and documents are exchanged electronically, the internal controls in an ERS system are similar to those found in any sound purchasing system.

7  Evaluate control activities for purchase adjustment transactions and purchasing process disclosures.

The final section on purchase transactions discusses common documents found when goods are returned to vendors and payables and expenses are reduced. Common controls over purchase adjustments, and controls over purchasing process disclosures, are also discussed in this section of the chapter.

8  Determine how to design and perform tests of controls in the purchasing process and connect the results of control testing to audit strategy.

This section related to controls in the purchasing process discusses testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls, the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the purchasing process. Auditors should be particularly attentive to the potential for fraud related to fictitious vendors, kickbacks, bid rigging, and personal purchases with entity funds. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests.

9  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the purchasing process.

This section outlines common substantive tests in the purchasing process. Illustration 12.10 provides a common audit program for substantive tests that might be found in the purchasing process, and this section explains the importance of each of these tests. Given the risk of understatement of payables, auditors should understand procedures to search for potential unrecorded liabilities. Further, given the risk of understatement of payables, if auditors choose to confirm accounts payable, they need to give equal attention to payables with small or zero balances as they do to larger payables.

10*  Explain the nature of payroll transactions and balances.

The payroll process includes two major classes of transactions: (1) paying payroll and (2) accruing payroll and payroll taxes at the end of the period. The primary balance sheet account in the payroll process is payroll and payroll taxes payable. Illustration 12A.1 summarizes the transactions that go through the payroll process, and Illustration 12A.2 identifies the assertions relevant to the payroll process. Remember, the auditor must obtain sufficient, appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion.

11*  Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the payroll process.

Different companies in different industries experience various risks associated with the payroll process. It is important for the auditor to understand the importance of human resources to the overall entity (i.e., is the entity labor-intensive or capital-intensive?), the nature of compensation (hourly compensation requires a different control system than salaried compensation), and the importance of various compensation packages such as bonuses or other compensation arrangements.

12*  Determine inherent risk for various assertions in the payroll process.

Common inherent risks in the payroll process relate to the completeness of payroll expenses and payables, particularly when pay periods do not align with month-end. The accuracy assertion may be at risk depending on the complexity of payroll calculations (e.g., complex bonus schemes). Finally, fraud risks relate to paying fictitious employees or keeping employees on the payroll after they leave the organization.

13*  Evaluate control activities for payroll transactions.

Each entity has a unique system of internal control tailored to the entity’s business model and its payroll process. It is important for the auditor to (1) understand the flow of transactions for payroll, (2) identify what can go wrong in the payroll process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 12A.5 provides an example of the flow of transactions for payroll. Illustration 12A.6 addresses what can go wrong in the payroll process and common controls that might be found to mitigate these risks. This section concludes with a discussion of key controls that are often found related to relevant assertions for payroll.

14*  Determine how to design and perform tests of controls in the payroll process and connect the results of control testing to audit strategy.

This final section related to controls in the payroll process discusses testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls, the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the payroll process. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests.

15*  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions related to payroll.

This section outlines common substantive tests in the payroll process. Illustration 12A.7 provides a common audit program for substantive tests that might be found in the payroll process. Given the risk of understatement of payroll payables, auditors should understand procedures to evaluate payroll accruals at the end of the accounting period.

Key Terms Review


Advance shipping notice (ASN)
Bid rigging
Electronic invoice presentment and payment (EIPP) systems
Evaluated receipt settlement (ERS)
Examining subsequent payments
*Imprest payroll bank account
Kickback
*Payroll process
Purchasing process (procurement process)
Search for unrecorded liabilities
Third-party payment processor

Audit Decision-Making Example

Background Information •  Information on the vendor’s invoice is compared with the


During the year, Mid-City State University purchased approxi- purchase order.
mately $5 million of office equipment under its “special” ordering •  Budgetary controls appear to be placed in operation.
systems, with individual orders ranging from $5,000 to $30,000. •  Review of the recording of the purchase and accounts pay-
“Special” orders involve low-volume items that have been in- able is performed by the AP clerk that enters the information.
cluded in an authorized user’s budget. Department heads include
in their annual budget requests for the type of office equipment Analysis and Evaluation of Alternatives
needed and the dollar amounts at their estimated cost. The bud-
get, which limits the types and dollar amounts of office equipment •  There is no comparison of receiving reports with the record-
a department head can requisition, is approved at the beginning ing of purchases to test for completeness.
of the year by the board of regents. Department heads prepare a •  Purchases are not recorded until the vendor’s invoice is re-
purchase requisition form for equipment and forward the requi- ceived, which increases the likelihood of completeness and
sition to the purchasing department. Mid-City’s ordering system cutoff problems.
functions as follows: •  There is no independent check of the recorded purchase with
Purchasing. Upon receiving a purchase requisition, a buyer veri- the receiving report to control the occurrence of purchases.
fies that the person requesting the equipment is an authorized depart-
•  There is no independent check of the recorded purchase
ment head and compares the purchase requisition with the unused
with underlying vendor information, quantities on the
budget. The buyer then selects the appropriate vendor by searching
receiving report, or prices on the purchase order to control
the various vendor catalogs on file and then emails the vendor and
the accuracy of purchases.
confirms a price quotation. The buyer next processes a prenumbered
purchase order with the original sent to the vendor. The purchase •  There is no independent check of the recorded purchase with
order information is sent electronically to the requisitioning depart- account classification on the purchase order to control the
ment and stored in the system to be accessed by purchasing, receiv- classification of purchases. There may be a compensating
ing, and accounts payable. Once a month, the buyer reviews a report of unfilled orders to follow up and expedite open orders.
Receiving. The receiving department can access a copy of the purchase order online, without quantities. When office equipment is received, the receiving clerk accesses the purchase order electronically to complete a receiving report, noting the date and types and quantities of goods received. Goods are then delivered to the requisitioning department.
Accounts payable. The IT system maintains an open purchase order file. When a vendor’s invoice is received, the invoice is entered into the system and matched with the applicable purchase order. A payable is set up by debiting the equipment account of the department for the invoiced items. The accounts payable clerk carefully compares the information on the vendor invoice with the underlying purchase order before submitting the vendor’s invoice to the accounts payable system. The vendor’s invoice is then filed with the purchase order by purchase order number in a paid invoice file, and the check is forwarded to the treasurer for signature. At the end of every month, an accounts payable clerk compares the total of unpaid invoices in the IT database with the general ledger control account for accounts payable. Monthly, university administration and department heads receive a report comparing recorded departmental expenses and capital expenditures with budgets.

Identify the Issues
Evaluate Mid-City State University’s transaction-level controls related to the recording of purchases. If any controls are evaluated as weak, prepare a list of recommended controls for management.

Gather Information and Evidence
Important information includes:
•  Payables are recorded when the vendor’s invoice is received.

control if department heads carefully review items charged to their department budgets.

Conclusions Regarding Internal Controls in the Purchasing Process
Internal controls over the recording of purchases are weak for the following transaction class assertions: completeness, occurrence, accuracy, cutoff, and classification. Control risk should be assessed at the maximum for these assertions. Further, the auditor should recommend the client implement the following controls:
•  Completeness: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all receiving reports that have not resulted in the recording of a purchase and payable.
•  Occurrence: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all recordings of a purchase and a payable that are not supported by receiving reports with matching quantities of items received.
•  Accuracy: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all recordings of a purchase and a payable that are not supported by receiving reports with matching quantities of items received or purchase orders with matching prices.
•  Cutoff: On a daily basis, the software application should generate a report to be reviewed and items cleared comparing dates on receiving reports with dates on the recording of a purchase and a payable.
•  Classification: On a daily basis, the software application should generate a report to be reviewed and items cleared comparing account classification on the recording of a purchase and a payable with account classification on the underlying purchase requisition.
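The five recommended daily exception reports (completeness, occurrence, accuracy, cutoff, classification) can be sketched as matching logic over the purchasing records. This is an added example, not part of the textbook or of any client system: the record layouts, field names and sample data are constructed, and the cutoff rule used here (receipt and recording falling in different calendar months) is an assumption.

```python
from datetime import date

# Constructed sample data (hypothetical layouts, not from the case).
REQUISITIONS = {"RQ1": "EQUIP-CHEM", "RQ2": "EQUIP-LIB",
                "RQ3": "EQUIP-ART", "RQ4": "EQUIP-PHYS"}   # requisition -> account
PURCHASE_ORDERS = {
    "PO1": {"req": "RQ1", "qty": 10, "price_cents": 25000},
    "PO2": {"req": "RQ2", "qty": 4, "price_cents": 120000},
    "PO3": {"req": "RQ3", "qty": 2, "price_cents": 90000},
    "PO4": {"req": "RQ4", "qty": 5, "price_cents": 30000},
}
RECEIVING = {
    "RR1": {"po": "PO1", "qty": 10, "date": date(2022, 6, 28)},
    "RR2": {"po": "PO2", "qty": 3, "date": date(2022, 6, 29)},
    "RR3": {"po": "PO3", "qty": 2, "date": date(2022, 6, 30)},
    "RR4": {"po": "PO4", "qty": 5, "date": date(2022, 6, 30)},  # never recorded
}
PAYABLES = [  # recorded purchases/payables (vouchers)
    {"voucher": "V1", "po": "PO1", "rr": "RR1", "qty": 10, "price_cents": 25000,
     "account": "EQUIP-CHEM", "date": date(2022, 6, 29)},   # clean
    {"voucher": "V2", "po": "PO2", "rr": "RR2", "qty": 4, "price_cents": 120000,
     "account": "EQUIP-LIB", "date": date(2022, 6, 30)},    # billed 4, received 3
    {"voucher": "V3", "po": "PO3", "rr": "RR3", "qty": 2, "price_cents": 95000,
     "account": "EQUIP-CHEM", "date": date(2022, 7, 2)},    # price, period, account
    {"voucher": "V4", "po": "PO1", "rr": None, "qty": 10, "price_cents": 25000,
     "account": "EQUIP-CHEM", "date": date(2022, 6, 30)},   # no receiving report
]

def _qty_supported(p, receiving):
    """True when the payable cites a receiving report for the same PO and quantity."""
    rr = receiving.get(p["rr"])
    return rr is not None and rr["po"] == p["po"] and rr["qty"] == p["qty"]

def completeness(receiving, payables):
    """Receiving reports that have not resulted in a recorded purchase and payable."""
    recorded = {p["rr"] for p in payables if p["rr"]}
    return sorted(rr for rr in receiving if rr not in recorded)

def occurrence(receiving, payables):
    """Payables not supported by a receiving report with matching quantities."""
    return sorted(p["voucher"] for p in payables if not _qty_supported(p, receiving))

def accuracy(receiving, orders, payables):
    """Payables lacking matching received quantities or a matching PO price."""
    flagged = []
    for p in payables:
        po = orders.get(p["po"])
        price_ok = po is not None and po["price_cents"] == p["price_cents"]
        if not (_qty_supported(p, receiving) and price_ok):
            flagged.append(p["voucher"])
    return sorted(flagged)

def cutoff(receiving, payables):
    """Assumed rule: goods received in one calendar month, payable recorded in another."""
    flagged = []
    for p in payables:
        rr = receiving.get(p["rr"])
        if rr and (rr["date"].year, rr["date"].month) != (p["date"].year, p["date"].month):
            flagged.append(p["voucher"])
    return sorted(flagged)

def classification(requisitions, orders, payables):
    """Payables charged to an account other than the one on the purchase requisition."""
    flagged = []
    for p in payables:
        po = orders.get(p["po"])
        expected = requisitions.get(po["req"]) if po else None
        if expected != p["account"]:
            flagged.append(p["voucher"])
    return sorted(flagged)

def daily_exception_report():
    """Run all five checks over the constructed data; each list is an item to clear."""
    return {
        "completeness": completeness(RECEIVING, PAYABLES),
        "occurrence": occurrence(RECEIVING, PAYABLES),
        "accuracy": accuracy(RECEIVING, PURCHASE_ORDERS, PAYABLES),
        "cutoff": cutoff(RECEIVING, PAYABLES),
        "classification": classification(REQUISITIONS, PURCHASE_ORDERS, PAYABLES),
    }

if __name__ == "__main__":
    for assertion, items in daily_exception_report().items():
        print(f"{assertion:15s} {items}")
```

A single recorded payable can appear on several reports (V3 above fails accuracy, cutoff and classification), which is why each assertion gets its own report rather than one combined pass/fail flag.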
Chapter 12  Auditing the Purchasing and Payroll Processes


Multiple-Choice Questions
1.  (LO 1)  The purchasing process normally includes all of the following transactions:
a.  purchases, inventory transactions, and cash receipts.
b.  purchases on account, purchase returns, and cash receipts.
c.  purchases on account, purchase returns, and cash disbursements.
d.  purchases of inventory, plant and equipment, and depreciation.

2.  (LO 2)  Which of the following industries would have the greatest concerns about purchases cutoff at month end, unrecorded liabilities, and accounting for advertising allowances provided by vendors?
a.  Manufacturer of construction equipment.
b.  Retail grocer.
c.  Hotel.
d.  Local school district.

3.  (LO 3)  If the auditor is concerned about the risk of fraud in the purchasing process, which of the following best describes the auditor’s potential fraud risk assessments?
a.  Fraudulent financial reporting–high risk; misappropriation of assets–high risk.
b.  Fraudulent financial reporting–high risk; misappropriation of assets–low risk.
c.  Fraudulent financial reporting–low risk; misappropriation of assets–high risk.
d.  Fraudulent financial reporting–low risk; misappropriation of assets–low risk.

4.  (LO 3)  The auditor is studying a ratio of accounts payable turnover in days. Which of the following indicates a potential risk of unrecorded liabilities?
a.  Accounts payable turnover in days increased from 28 days to 45 days from year one to year two.
b.  Accounts payable turnover in days increased from 28 days to 30 days from year one to year two.
c.  Accounts payable turnover in days decreased from 28 days to 15 days from year one to year two.
d.  Accounts payable turnover in days decreased from 30 days to 25 days from year one to year two.

5.  (LO 4)  The internal document commonly used to record a credit purchase in the purchases journal is a:
a.  purchase requisition.
b.  purchase order.
c.  vendor’s invoice.
d.  voucher.

6.  (LO 4)  Describe the IT application control procedure that provides assurance that all the merchandise for which the client was billed was received. Assume the software application prepares an exception report and follow-up procedures are effective. IT application edit checks compare:
a.  quantities and prices on the voucher with quantities and prices on the purchase order.
b.  quantities on the vendor’s invoice with quantities entered in receiving.
c.  quantities and prices on the voucher with quantities and prices on the vendor’s invoice.
d.  quantities times price on the voucher with the amount of cash disbursements.

7.  (LO 4)  Which of the following IT application control procedures would be most effective in assuring that recorded purchases are accurately recorded for transactions that actually occurred?
a.  The software application compares the quantity ordered from purchase order information with the quantity received from the receiving department.
b.  Vendor invoice information is compared with purchase order information.
c.  Receiving reports require the signature of the individual who authorized the purchase.
d.  The software application matches voucher information with information supporting purchase orders, receiving reports, and vendor invoices.

8.  (LO 5)  Which of the following controls would most likely prevent a vendor’s invoice from being paid twice?
a.  An independent bank reconciliation is prepared.
b.  The software application compares information on the check with information on the receiving report.
c.  The software application compares the daily total in the cash disbursements journal with the total vouchers submitted for payment.
d.  The software application has a field that identifies a vendor’s invoice has been paid and the voucher number cannot be reused.

9.  (LO 6)  An evaluated receipt system is:
a.  a highly automated business process between suppliers and purchasers to exchange data electronically to execute a purchase transaction.
b.  a highly automated business process between retailers and customers to receive payment electronically for a purchase transaction.
c.  a highly automated process between suppliers and purchasers to manage the receipt of goods.
d.  a highly automated process associated with the initiation of a purchase transaction.

10.  (LO 7)  The key documents involved in recording a purchase adjustment involve:
a.  a purchase return authorization, a shipping report, and a debit memo.
b.  a vendor’s invoice, a receiving report, and a credit memo.
c.  a purchase order, a vendor’s invoice, and a voucher.
d.  a purchase return authorization, a shipping report, and a credit memo.

11.  (LO 8)  Assume an auditor is testing an IT application control over the accuracy of purchases. The auditor is most likely to submit test data for a:
a.  voucher with different quantities than on the receiving report.
b.  purchase order without appropriate authorization.
c.  voucher with no receiving report.
d.  purchase order with an invalid vendor number.

12.  (LO 9)  Which of the following procedures is best for identifying unrecorded trade accounts payable?
a.  Examining unusual relationships between monthly accounts payable balances and recorded cash payments.
b.  Reconciling vendors’ statements to the file of receiving reports to identify items received just prior to the balance sheet date.
c.  Investigating payables recorded just prior to and just subsequent to the balance sheet date to determine whether they are supported by receiving reports.
d.  Reviewing cash disbursements recorded subsequent to the balance sheet date to determine whether the related payables apply to the prior period.

13.  (LO 9)  An auditor decided to confirm accounts payable to accomplish a low level of detection risk for the completeness assertion. Which of the following is the most reasonable sampling plan?
a.  Confirm accounts payable with an emphasis on all vendors including zero and small balances.
b.  Confirm accounts payable with an emphasis on the largest account payables.
c.  Confirm accounts payable using probability-proportionate-to-size sampling.
d.  Confirm accounts payable with an emphasis on new vendors, irrespective of the size of the account balance.

*14.  (LO 10)  An imprest payroll bank account is:
a.  a bank account where a company only deposits sufficient funds to process net payroll transactions.
b.  a bank account that processes all payroll withholding transactions.
c.  a bank account devoted to all payroll transactions.
d.  a bank account where a company only deposits sufficient funds to process gross payroll amounts.

*15.  (LO 11)  When auditing the payroll process, the auditor will normally want to understand:
a.  the relationship between payroll and significant customers.
b.  the extent to which a company is capital-intensive or labor-intensive.
c.  the predictability of the relationship between payroll expense and capital expenditures for the year.
d.  the relationship between net payroll and the company’s tax liability.

*16.  (LO 12)  An inherent risk of major concern to the auditor in the payroll process is:
a.  the completeness of payroll.
b.  the occurrence assertion for payroll.
c.  the occurrence and cutoff assertions for payroll.
d.  the completeness and occurrence assertions for payroll.

*17.  (LO 13)  A client just read about a business paying extraordinary sums of money to a variety of employees. How would the client company use an IT application control to prevent this type of valuation problem?
a.  Test a check digit embedded in the employee number.
b.  Perform a limit test related to the class of employee.
c.  Check the employee number against the master payroll file.
d.  Compare the total number of payroll disbursements with a predetermined batch total.

*18.  (LO 14)  An auditor may plan to test controls in the payroll process because, among other factors:
a.  the chance of employee fraud is remote.
b.  outside governmental auditors spend considerable time investigating the payroll area in most companies.
c.  audit risk in the area relates primarily to the hiring of competent personnel.
d.  payroll transactions are generally routine and processed in a high volume, which makes controls effective for management to employ.

*19.  (LO 15)  Which of the following audit assertions is least likely to be accomplished by vouching payroll transactions to supporting documentation (e.g., time cards and employee contracts)?
a.  The occurrence of payroll transactions.
b.  The completeness of payroll transactions.
c.  The accuracy of payroll transactions.
d.  Proper cutoff related to payroll transactions.

Review Questions
R12.1  (LO 1)  Explain the transactions in the purchasing process.

R12.2  (LO 2)  Explain how the risk of material misstatement in the purchasing process is different for a hotel than it is for a manufacturer of gas and oil field equipment.

R12.3  (LO 3)  What are the greatest inherent risks in the purchasing process? Explain the assertions that are at risk and the underlying drivers causing an increase in inherent risk.

R12.4  (LO 4)  Assume that your client is a private company that manufactures wedding rings. The company’s raw materials are gold, silver, platinum, and gem stones. Explain the expected flow of transactions, the documents, and accounting system from purchasing raw materials to paying for raw materials.

R12.5  (LO 5)  Explain a typical control preventing, or detecting and correcting, duplicate payment of a vendor’s invoice in a purchasing system.

R12.6  (LO 5)  Explain a typical control preventing, or detecting and correcting, payments to a fictitious vendor.

R12.7  (LO 6)  Assume that your client is a major grocery chain that uses evaluated receipt settlement (ERS) for 75% of its purchases. Explain the flow of transactions from the purchasing of products (e.g., various household cleaning supplies) for various grocery stores to the payment for products using an ERS system.

R12.8  (LO 7)  Explain the flow of transactions for purchase returns.

R12.9  (LO 9)  Explain how examining subsequent payments paid after the balance sheet date (or a cutoff date) is a useful test of the completeness of purchases and payables.

*R12.10  (LO 10)  Assume that a company has numerous hourly employees that it pays every Friday. Explain the transactions expected in this payroll process.

*R12.11  (LO 11)  Explain how the risk of material misstatement in the payroll process is different for a manufacturer of gas and oil field equipment than it is for a university.

*R12.12  (LO 12)  What are the greatest inherent risks in the payroll process? Explain the assertions that are at risk and the underlying drivers causing an increase in inherent risk.

*R12.13  (LO 13)  Assume that you are auditing a software company that has mostly salaried employees. Explain the expected flow of transactions, documents, and accounting system from hiring a new employee to paying payroll.

*R12.14  (LO 13)  Explain a typical control preventing, or detecting and correcting, payments to a fictitious employee.

*R12.15  (LO 13, 14)  Explain a typical IT application control to prevent paying an inappropriate wage rate. Also, explain how you would test the control.

*R12.16  (LO 15)  Explain how an auditor might use ADA when auditing payroll. Explain the assertions being analyzed and what might be considered an outlier given the test that you suggest.

Analysis Problems
AP12.1  (LO 2)  Basic   Knowledge of the entity and its environment  Your client is a local
independent grocer with five stores which competes with a number of large grocery chains. It pur-
chases goods from several large grocery supply chains as well as from various vendors that sell
directly to the store. Some vendors offer various advertising rebates or other price concessions for
stocking goods.

Required
Explain how your knowledge of the business and industry would impact your audit of total purchases
and accounts payable for the client.

AP12.2  (LO 2)  Moderate   Analytical procedures  The following information was taken from the
accounting records for Aurora Manufacturing, Inc.:

                      Year 5       Year 4       Year 3       Year 2       Year 1
                      Unaudited    Audited      Audited      Audited      Audited
Inventory             $  525,000   $  460,000   $  390,000   $  310,000   $  225,000
Current assets         1,350,000    1,175,000      950,000      750,000      600,000
Accounts payable         115,000      113,000       97,500       85,000       70,000
Current liabilities      545,000      535,000      440,000      380,000      320,000
Sales                  2,700,000    2,050,000    1,750,000    1,400,000    1,200,000
Cost of goods sold     1,650,000    1,225,000    1,025,000      850,000      725,000

Industry Median
Accounts payable turnover days                    31     30     29     30
Cost of goods sold to average accounts payable    10.7   11.2   10.9   11.1
Current ratio                                     1.9    2.2    2.3    2.1

Required
a.  Calculate the following information and ratios for years 2, 3, 4, and 5:
1.  Purchases.
2.  Accounts payable turnover in days.
3.  Cost of goods sold to average accounts payable.
4.  Current ratio.
b.  Describe the implications of the resulting ratios for the audit strategy in year 5. What specific audit
objectives are likely to be misstated? How should the auditor respond in terms of potential audit
procedures?

AP12.3  (LO 6)  Moderate   Internal control evaluation—cash disbursements  Management has
requested a review of internal control over cash disbursements for parts and supplies purchased at
manufacturing plants. Cash disbursements are centrally processed at corporate headquarters based on
disbursement vouchers prepared and approved at manufacturing plants. Each manufacturing plant
purchases parts and supplies for its own production needs.
In response to management’s request, a thorough evaluation of internal control over disbursements
for manufacturing plant purchases of parts and supplies is being planned. As a preliminary step in plan-
ning the engagement, each plant manager has been requested to provide a written description of his or
her plant’s procedures for processing disbursement vouchers for parts and supplies. Presented below are
some excerpts from one of the written descriptions.

1.  The purchasing department acts on purchase requisitions issued by the parts department.
2. A software application generates prenumbered purchase orders based on information submitted by
buyers in purchasing.
3.  Receiving has complete access to purchase order information in the IT system.
4. When goods are received, the receiving department logs the shipment in the IT system by indicating
that the purchase order was received and forwards this electronically to accounts payable.
5. When the vendor invoice is received, it is entered into the IT system and matched electronically
with purchase order and receiving information. Discrepancies are printed on an exception report for
follow-up by accounts payable personnel.
6. The software application checks the clerical accuracy of information on vendor invoices. Discrepan-
cies are printed on an exception report for follow-up by accounts payable personnel.
7. A prenumbered disbursement is prepared and forwarded along with supporting documentation to
the plant controller who reviews and approves the voucher.
8. Supporting documents are returned to accounts payable for filing, and approved disbursement
vouchers are forwarded to corporate headquarters for payment.
9. A report listing checks issued by corporate headquarters is received and promptly filed by accounts
payable.

Required
For each of the disbursement system procedures listed above, state whether the procedure is consis-
tent with good internal control and describe how each procedure strengthens or weakens internal
control.

               Consistent/Inconsistent   Strengthens or Weakens
1. (Example)   Consistent                Purchase requisitions provide the authorization for purchasing to order.

AP12.4  (LO 9)  Moderate   Accounts payable assertions/confirmations  Mincin, CPA, is the au-
ditor of the Raleigh Corporation. Mincin is considering the audit work to be performed in the accounts
payable area for the current year’s engagement.
The prior year’s papers show that confirmation requests were mailed to 100 of Raleigh’s 1,000 sup-
pliers. The selected suppliers were based on Mincin’s sample that was designed to select accounts with
large dollar balances. A substantial number of hours were spent by Raleigh and Mincin resolving rela-
tively minor differences between the confirmation replies and Raleigh’s accounting records. Alternative
auditing procedures were used for those suppliers who did not respond to the confirmation requests.

Required
a.  Identify the accounts payable assertions that Mincin must consider in determining the substantive
tests to be performed.
b.  Identify situations when Mincin should use accounts payable confirmations and discuss whether
Mincin is required to use them.
c.  Discuss why the use of large dollar balances as the basis for selecting accounts payable for confirma-
tion might not be the most efficient approach and indicate what more efficient procedures could be
followed when selecting accounts payable for confirmation.

(AICPA adapted)

AP12.5  (LO 9)  Moderate   Search for unrecorded liabilities  You were in the final stages of
your audit of the financial statements of Ozine Corporation for the year ended December 31, 2022,
when you were consulted by the corporation’s president, who believes there is no point in your
examining the 2023 voucher register and testing data in support of 2023 entries. He stated that
(a) bills pertaining to 2022 that were received too late to be included in the December voucher register
were recorded as of the year-end by the corporation by journal entry, (b) the internal auditor made
tests after the year-end, and (c) he would furnish you with a letter certifying that there were no un-
recorded liabilities.

Required
a.  Should a CPA’s search for unrecorded liabilities be affected by the fact that the client made a journal
entry to record 2022 bills that were received late? Explain.
b.  Should a CPA’s search for unrecorded liabilities be affected by the fact that a letter is obtained in
which a responsible management official certifies that to the best of his knowledge all liabilities have
been recorded? Explain.
c.  Should a CPA’s search for unrecorded liabilities be eliminated or reduced because of the internal
audit tests? Explain.
d.  Assume that the corporation, which handled some government contracts, had no internal auditor
but that an auditor for a federal agency spent three weeks auditing the records and was just complet-
ing his work at this time. How would the CPA’s unrecorded liability search be affected by the work
of the auditor for a federal agency?
e.  What sources, in addition to the 2023 voucher register, should the CPA consider to locate possible
unrecorded liabilities?
(AICPA adapted)

AP12.6  (LO 9)  Moderate   Substantive tests for accounts payable  Taylor, CPA, is engaged in the
audit of Rex Wholesaling for the year ended December 31, 2022. Taylor performed a proper study of
the internal control structure relating to the purchasing, receiving, trade accounts payable, and cash
disbursement processes, and has decided not to proceed with tests of controls. Based on analytical pro-
cedures, Taylor believes that the trade accounts payable balance on the balance sheet as of December 31,
2022, may be understated.
Taylor requested and obtained a client-prepared trade accounts payable schedule listing the total
amount owed to each vendor.

Required
What additional substantive procedures should Taylor apply in auditing trade accounts payable?
(AICPA adapted)

AP12.7  (LO 9)  Challenging   Fraud   Research   SEC  In 2003, the Securities and Exchange
Commission released an Accounting and Auditing Enforcement Release (AAER) describing charges and
discipline against TruServ Corporation and the company’s chief financial officer. The charges claim
that TruServ underestimated the accrual for merchandise payable.

Required
Find and read the 2003 AAER related to TruServ Corporation. Explain the scheme that the company used
to understate the accrual for merchandise payable. Finally, what audit procedures might an auditor use
to uncover this misstatement?

*AP12.8  (LO 13)  Moderate   Internal control questionnaire—payroll  Butler, CPA, has been
engaged to audit the financial statements of Young Computer Outlets, Inc., a new client. Young is a
privately owned chain of retail stores that sells a variety of software and video products. Young uses an
in-house payroll department at its corporate headquarters to compute payroll data and to prepare and
distribute payroll checks to its 300 salaried employees.
Butler is preparing an internal control questionnaire to assist in obtaining an understanding of
Young’s internal control structure and in assessing control risk.

Required
Prepare a “Payroll” segment of Butler’s internal control questionnaire that would assist in obtaining an
understanding of Young’s internal control structure and in assessing control risk. Focus on preparing
questions about payments based on hourly rates and payroll tax accruals other than withholdings.
Use the format in the following example:

Questions Yes No
1.  Are paychecks prenumbered and accounted for?
2.
3.

*AP12.9  (LO 13)  Moderate   Control activities in payroll processing  As part of the audit of
Beach Land Construction, you are assigned to review and test the payroll transactions. Beach Land Con-
struction is a privately owned company, which has about 30 full-time employees, and another 30 to 60
part-time employees, depending on the company’s needs. All employees, job foremen, and other workers
are paid hourly wages. Your procedures show the payroll register was properly footed, totaled, and
posted. The company keeps a separate bank account for payroll transactions, which normally carries a
balance between $2,000 and $10,000.
Based on your conversations with the owner and bookkeeper, you determine the following:
1. Any new employee is interviewed by and hired by the owner of the company. Upon being hired,
the new employee must complete appropriate IRS and other withholding forms. This information is
given to the bookkeeper.
2. At the end of every day, the job foreman phones the owner to report the number of hours worked by
each employee on the job. The owner then reports this information to the bookkeeper.
3. Each Friday at the end of the day, the bookkeeper prepares payroll based on the number of hours
reported by the owner for each employee, the employee’s wage rate, and withholdings. The book-
keeper then prepares payroll checks.
4. The owner gives checks a cursory scan and signs the checks at the end of the day on Friday. On
Monday morning, the owner has a meeting with all job foremen. Payroll checks are given to each
job foreman who then distributes the checks to employees every Monday.
5. At the end of the month, the bookkeeper performs a monthly bank reconciliation on the payroll
bank account, and writes and posts any needed adjusting journal entries.

Required
a.  Identify any significant deficiencies or material weaknesses in the payroll procedures used in the
payroll system for Beach Land Construction.
b.  For each significant deficiency or material weakness you identify, recommend an improvement to
correct the deficiency.

*AP12.10  (LO 14)  Moderate   Potential misstatements/tests of controls—payroll  The following
questions are included in the internal control questionnaire on control procedures for payroll transac-
tions in the Pena Company:
1.  Are pay rates, payroll deductions, and terminations authorized by the personnel department?
2.  Are time clocks and clock cards used?
3.  Is there supervisory approval of time worked by each employee?
4.  Are electronic payroll deposits appropriately authorized?
5.  Is there internal verification of payroll checks with payroll register data?
6.  Is access restricted to personnel and employee earnings master files?
7.  Is hiring of new employees authorized by personnel department?
8.  Are payroll tax returns and payment of payroll taxes reviewed for accuracy and for timely filing?

Required
a.  Identify a misstatement that may occur if a NO answer is given to each question.
b.  Identify a possible test of controls assuming a YES answer is given to each question. (Present your
answers in tabular form using separate columns for each part.)

Audit Decision Cases


Construction Industry Resources, Inc.
This case has two phases. Question C12.1 is based on Phase I. Question C12.2 is based on Phase II.

Phase I: Company Background and Internal Control Evaluation


Construction Industry Resources, Inc. (CIRI), a C corporation, supplies building material to contractors
and construction sites in a major metropolitan area. Today, CIRI has approximately $60 million in total
assets and generates approximately $250 million in annual revenues. Les Browning, the majority share-
holder, purchased CIRI five years ago when sales were approximately $90 million per year and it was
the only building supply business in the area. Les Browning owns 70% of CIRI, a business associate who
is not active in the operation of the business owns 10% of the business, and two family members (Les
Browning’s father and his brother) own 10% each. The other shareholders hold management positions
in other businesses (not in the construction industry) and are not active in day-to-day management. Five
years ago, Les owned only 55% of the business and he purchased 5% from each of the other shareholders
based on an independent valuation of the business two years ago. Les plans to purchase 100% of the com-
mon stock outstanding sometime in the next five years. Les has prided himself on his ability to grow sales
and profits of the company and he looks forward to another 10 to 15 years of running the company, and
enjoying the benefits of ownership, before considering an exit strategy and retirement.
The board of directors is composed of the four shareholders, a representative of CIRI’s major lender,
the corporation’s attorney, and its controller, Craig Ferris. The board of directors meets semiannually to
review the company’s performance and make decisions regarding officer bonuses and dividends. Unlike
public companies, CIRI does not have an audit committee. An audit is needed for the bank and other
creditors, and the auditor meets annually with the board as a whole.
CIRI is composed of two major divisions. One division is involved in the purchase and sale of lum-
ber, building materials, hardware, and related products. The other division is a lumber brokerage busi-
ness. The building supply division competes in a very competitive business environment where business
must be earned on both price competitiveness and on quality of service. The building supply division
has three retail/wholesale outlets in a major metropolitan area of approximately 2 million people. The
lumber brokerage business is also extremely price-competitive. As a result, the company operates on rel-
atively high ratios of sales to total assets (high asset turnover), and profit margins are low.
When Les came to CIRI, he had a strong sales background. He therefore focused his attention first
on customer relations and building sales in the building supply business, paying attention to CIRI’s rela-
tionships with the major general contractors and builders in the community. Les knew that profit margins
were going to be thin, so he focused his energies on growing sales volume. Then, three years ago, he
decided to launch the lumber brokerage division, which allowed CIRI direct access to lumber markets as
well as allowed the company to continue a strong growth trend in total revenues.
Craig Ferris has been CIRI’s controller for 30 years, and he continued with the company when Les
Browning and the other shareholders acquired it. Les is comfortable with Craig’s skills and knows that
he will have to increase the salary for the position to hire a replacement when Craig retires. Craig, while
not a CPA, has a competent understanding of GAAP and knows many of the suppliers and general con-
tractors in the construction business. In addition to completing monthly income statements and balance
sheets for the company, Craig has paid a great deal of attention in recent years to the lumber brokerage
business, particularly to understanding and attempting to control the business risks associated with price
volatility in the lumber markets.
Craig also reviews each store’s overall performance when the financial statements are prepared each
month, but the company does not have sufficient staff or time to develop budgets. Accountability for store
performance is very informal. Store managers are paid competitive salaries, but they receive no bonuses.
Therefore, accounting numbers do not play in the determination of store managers’ compensation pack-
ages. Further, Craig and Les feel that it would be too time-consuming to develop budgets that reflect the
seasonal nature of the business, and they feel that interim financial statements are sufficient to control
the business.

You have been assigned to the audit of the building supplies division, specifically the purchasing
process, which consists primarily of the acquisition of inventories (many of which are delivered directly
to building sites), the inventory process, and accounts payable.

Information and Communication and Control Activities


With respect to the accounting system and control activities, Les has been rather hands-off, focusing his
attention on sales growth and lumber brokerage. Les has been satisfied with Craig’s ability to produce
income numbers within 15–20 days after month-end, and he has relied on the annual audit to ensure that
the accounting system is working correctly. In past audits, Les and Craig have accepted auditor-proposed
journal entries related to the allowance for doubtful accounts and inventory shrinkage (a perpetual problem
in the construction industry), but routine transactions have not resulted in significant audit problems.
Three ongoing issues have been raised in prior management letters:

1. There is a segregation of duties problem in cash disbursements as Craig has access to the supply of
unused checks, he signs checks, and he performs the monthly bank reconciliations.
2. A similar segregation of duties issue has been raised regarding the activities of Wendy Roberts, who
authorizes credit, maintains accounts receivable records, and follows up on bad debts. However,
Craig has responsibility for writing off bad debts.
3. There is no formal system and review associated with adding new vendors or new customers to
master vendor and customer files.

Les and the other owners have not taken action on these issues because no significant audit adjustments
have been proposed related to these problems, which they believe are due to the company having a small
accounting staff. The owners have viewed the audit adjustments to the allowance for doubtful accounts as
an issue where they welcome the oversight provided by outside auditors.
A major change in the accounting system was planned last year and implemented at the beginning of the
current year (2022) when one of CIRI’s major suppliers, Contractors Wholesale Supply (CWS), approached
CIRI about implementing a purchasing system with electronic data interchange (EDI). Les was eager to move
forward with the system as it would keep CIRI on the cutting edge. In general, the EDI system allows CIRI to
order goods electronically. CWS sends electronic sales invoices, and CIRI makes weekly payments by electronic
funds transfer through a bank where both CWS and CIRI have accounts. Les sees that the process expedites
shipments to customers, and CIRI receives a 1% discount on all shipments ordered through the system. Craig
was also willing to make the change, as a significant portion of the operating system was resident with the
supplier, and only modest programming changes were necessary at CIRI.
Craig delegated implementation of the EDI system to Dennis Brewer. Dennis has been with the
company for several years and has demonstrated strong technology skills. Dennis is also responsible for
accounts payable and accounting for inventories. Dennis looks at the systems project as a real opportunity
to demonstrate his skills. Dennis has been disappointed that he has not advanced faster in the
organization. He has commented to colleagues about his frustration that most of his college friends have
achieved management roles in their jobs, and they are earning good salaries and bonuses. Dennis has
several children in private school and feels that this is his opportunity to earn advancement, status, and
the salary he wants and needs.
Following is a brief description of how the new EDI purchasing system functions at CIRI:
Initiating purchases. Several buyers are responsible for purchasing inventory, managing store inventories,
and making sales to general contractors and the larger builders in the metropolitan area.
The buyers determine inventory to order based on their review of inventory on hand and requests from
customers. Based on perceived inventory needs, the buyer can log onto the CWS/CIRI system using
passwords, and electronically place a CIRI prenumbered purchase order directly with CWS online in real
time. CWS confirms the order electronically, and an electronic sales order is sent from CWS to Dennis.
Dennis receives exception reports each morning of any mismatches between CIRI purchase orders and
CWS sales orders. (CWS writes sales orders based on inventory that they have in stock.) Dennis tracks
all purchases based on the prenumbered purchase orders. Buyers have restricted access to only the order
side of the system. (Buyers can also monitor all inventory quantities.) Receiving access has been given
only to the warehouse clerks at each store. Dennis has full access to the system.
Receiving goods. When shipments are received from CWS, they are counted by the warehouse clerk
at each of CIRI’s three stores. The clerk then logs into the CWS/CIRI system and enters quantities received
in the electronic equivalent of a prenumbered receiving report. The electronic receiving report is
sent from each store to Dennis. Further, approximately 35% of purchases are drop-shipped directly to
customer locations. In other words, a building contractor will call a CIRI buyer, who will order the goods
from CWS and have them shipped directly to the building site. The warehouse clerk at each store has
responsibility for following up on drop shipments with customers and filing electronic receiving reports
for drop shipments. Experience shows that this is a low priority for these warehouse clerks, and it often
takes nagging by Dennis each week to get these reports filed. This had also been a problem in the manual
system in that on-site project managers were not good about signing delivery reports. When the warehouse
clerk at the responsible store files an electronic receiving report for drop shipments, the clerk also
has responsibility for filing a shipping report to initiate CIRI’s customer billing process.
The receiving information updates the perpetual inventory records for all items received at one
of the three stores. The perpetual inventory is not updated for drop shipments. The buyers informally
review the accuracy of the perpetual inventory for reasonableness. A full physical inventory is done at
year-end, and the stores are closed for that event.
Recording payables. When CWS ships goods, an invoice is electronically sent to Dennis. Each day,
Dennis receives a system-generated report of items that have been ordered from CWS, a report of items
ordered that have not been received, and a list of all billings that have not been matched with prenumbered
receiving reports. Dennis pays the most attention to these reports on Wednesdays and Thursdays so
that all billings are cleared for electronic payment on Friday. He particularly follows up on items where
electronic invoices have been received from CWS that have not yet been matched with receiving reports
sent from the stores. He then files these exception reports by date with his notations on the various reports.
Once the electronic receiving report is electronically matched with the sales invoice, a payable is
established and Dennis approves payment of the invoice.
Electronic funds transfer. Every Friday, the total of approved invoices is paid via electronic funds
transfer through a national bank from CIRI to CWS. Craig is responsible for reviewing and approving a
list of cash disbursements before they are run. With respect to the EDI system, Craig performs an overall
reasonableness check on the volume of activity with CWS.
Craig feels that the system has greatly reduced the paperwork, made the office more efficient, and
allowed the company to maintain margins in a very competitive marketplace. Dennis was happy to work
on the project and was pleased to be given the increased responsibility. However, Dennis was overheard
in the lunchroom to have been disappointed that neither pay nor promotion advances were received as
he expected, and that he is not earning what he deserves. Dennis expressed frustration that his career was
going nowhere and that Craig and Les were too tight-fisted with promotion and recognition for making
the transition go smoothly.

C12.1  (LO 1, 3, 4, 6, 7)  Challenging   Understanding internal control, fraud risk assessment,
and substantive tests
a. Analysis and evaluation: Evaluate the effectiveness of CIRI’s control environment. You may
evaluate each individual component of the control environment but then develop an overall
conclusion regarding the control environment and its influence on other aspects of internal
control.
b.  1. Analysis and evaluation: Using the table below, evaluate the factors associated with the risk of
fraud and the effectiveness of control activities with respect to the occurrence assertion for purchases
and payables associated with the EDI purchasing system.

Assertion | Fraud Risk Factors: Incentives/Pressures | Fraud Risk Factors: Opportunity | Fraud Risk Factors: Attitude and Rationalization | Control Activities | Possible Misstatements
Occurrence: purchases and payables | | | | |

2.  Analysis: Identify internal control deficiencies that you find in the EDI purchasing system.
c. Evaluation: Prepare a letter with the two most important internal control recommendations that
you have for management. Each specific recommendation should describe the current system,
explain the risk involved, and make specific recommendations for improvement. Focus on issues
raised by the new system and not on issues that have been raised in prior audits.

Phase II: Substantive Testing


When obtaining an understanding of the accounting system, you looked at the file containing the exception
reports reviewed by Dennis Brewer (e.g., for items billed but not received). While these reports are
printed daily, often only three or four reports would be present for a given week. Dennis said that he really
pays attention to the reports primarily on Wednesday and Thursday and that he often does not keep the
reports from earlier in the week.
Subsequently, you pulled a sample of 30 transactions from the EDI system to perform substantive
tests of transactions and test the accuracy of recorded transactions that are processed through the system.
Of the 30 transactions selected at random, 19 represented transactions shipped directly to stores, and
11 represented drop shipments. The following table summarizes the nature of this sample of 30.

 | $ BV of Popn. | # of Transactions | Sample Size | $ BV of Sample
Drop shipments | $5,756,077 | 1,391 | 11 | $80,530
Shipped to stores | 10,615,018 | 1,737 | 19 | 188,455
Purchases through the EDI system | $16,371,095 | 3,128 | 30 | $268,985

You noted the following issues among the 30 transactions.

•  You find one item that shipped directly to the stores with an invoice total of $9,775, for which the
price per the purchase order was $67 per unit but the item was billed at $76 per unit. The company
purchased 100 units of the SKU number on that invoice and paid the invoice in full as billed.
•  The company was closed from Thursday, June 30, 2022, through Monday, July 4, 2022. Inventory
was taken on Thursday, June 30, 2022. During the inventory count, a truck came in with a shipment
from CWS. The value of the invoice was $9,875. The units were segregated from the rest of the inventory
and not counted. At the end of the inventory, the shipment was added to the overall value of
the inventory. During the closing of the books after July 4, the purchase was recorded as an account
payable in the amount of $9,875 with a date of June 30, 2022.
•  Auditing drop shipments has been a problem in past audits, as CIRI has not always had receiving
documents to support deliveries to construction sites. However, your firm has been able to verify that
shipments had been billed to customers and subsequently cash was received associated with these deliveries.
In the current year, not only did you verify that the item was supported by electronic receiving
reports, but you also followed up to find that they were billed to customers who paid for the goods. All
11 of the electronic invoices from CWS for drop shipments included in the sample were supported by
electronic receiving reports and they were paid in the correct amounts and on time. However, Dennis
could not show where one transaction with an invoice amount of $4,323 had been billed to, and had
been paid by, customers. He suggested two possibilities. First, he suggested that some customers had
prepaid for the shipments. Second, he complained that he often had to follow up with the stores about
filing receiving reports because someone at the store level failed to file a shipping report. However,
his primary responsibility was only for the purchasing system, not the billing system and ensuring
that vendors were paid on time. He could not verify what caused the problem with this transaction.
Further follow-up failed to identify the underlying sales invoice for this transaction.

C12.2  (LO 1, 3, 4, 6, 7)  Challenging   Understanding internal control, fraud risk assessment,
and substantive tests
a. Analysis and evaluation: What concerns, if any, are raised by the evidence noted above? Assuming that
the problems found in the sample are representative of problems in the population, determine any
relevant amount of projected misstatement based on your finding, assuming that the ratio of misstatements
to book value found in the strata from which they were selected are representative of the entire
strata. After considering your findings, what additional audit procedures should be performed, if any?
b.  Evaluation: What issues do you want to discuss with management? Draft the issues that you want to
discuss with CIRI management, including with whom in management discussions should be held.

Brookwood Pines Hospital


Question C12.3 is based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit
hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023
fiscal year-end.
The healthcare industry can be very complicated, especially in the area of billing for services provided.
BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing
staff to treat patients. The physicians in the private group are not employees of the hospital; they are
simply using the hospital facilities to treat patients. For example, a group of urologists have their own
practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical procedure
that must be done at a hospital, then the attending urologist will approve the paperwork required
to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH
rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital
for the doctors to use when they are treating patients in the hospital.
After the doctor and hospital services are provided to the patient, the patient and/or the patient’s
insurance company is billed. The doctor will bill for the services he or she provided, and the hospital
will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is
standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS.
Using a coding system is more efficient and data-friendly compared to writing a narrative about the
procedures performed. However, the coding system is very complex, with thousands of different codes
for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by
government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government
regulations surrounding billings to Medicare and Medicaid.
As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent
profitability. They look for ways to keep costs low and also to collect from patients and insurance companies
as quickly as possible. In addition, BPH must have a strong risk management team to handle unique
situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state
department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians
decide to contract with a competing hospital.
You are completing the planning of the audit of accounts payable and payments system. A prenumbered
voucher is used to record all payables. An IT application control performs the following procedures:
•  The vendor details, item numbers, quantities, and prices on the voucher are matched to information
on the supplier’s invoice and the appropriate receiving report.
•  The vendor details, item numbers, and quantities on the voucher are matched to information on an
authorized purchase order.
•  Manual follow-up procedures are performed daily by a data control group. Any exceptions are corrected
within 24 hours.

C12.3  (LO 9)  Challenging   Evaluating internal controls  Given the information you have collected
above about internal controls in the purchases process:
a.  Evaluation: Evaluate the quality of internal controls for each assertion related to purchase transactions.
b.  Analysis: For assertions where internal controls are determined to be strong, design appropriate tests
of controls to test the assertion. You may assume that IT general controls have previously been tested
and found effective.
c.  Analysis and evaluation: For assertions where internal controls are weak, prepare a recommendation
to management identifying the weakness, the risk of misstatement associated with the weakness, and
a recommended control to correct the weaknesses.

The Vane Corporation


Question C12.4 is based on the following case.

The Vane Corporation is a manufacturing concern that has been in business for the past 18 years. During
this period, the company has grown from a very small family-owned operation to a medium-sized manufacturing
concern with several departments. Despite this growth, a substantial number of the procedures
employed by Vane have been in effect since the business was started. Just recently, Vane has computerized
its payroll function.
The payroll function operates in the following manner. Human resources is responsible for hiring or
firing workers. HR also maintains an employee master file with the employee number, pay rates, information
about the department in which an employee works, and payroll withholding information. Only
the HR manager and two of her assistants have the ability to access and change the employee master file
database. The HR manager reviews a report of all changes weekly. Each worker has a personal swipe card
to record hours worked electronically. Each Friday evening, the factory foreman reviews an electronic
file of hours worked and approves the hours or raises questions with employees about what has been
recorded. This information is submitted to payroll by Monday at noon for processing.
In payroll, the approved time worked is imported electronically to process weekly payroll. Later on
Monday, a final payroll file is sent to the company controller for approval. Once the controller approves
the payroll, direct deposits of payroll are made to employee bank accounts.
Further analysis of the payroll function reveals the following:

•  A worker’s gross wages should not exceed $1,300 per week.
•  Raises never exceed $3.55 per hour for the factory workers.
•  No more than 20 hours of overtime are allowed each week.
•  The factory employs 150 workers in ten departments.

The following problems surfaced when the new payroll system was placed in operation:
1. A worker received a direct deposit for $1,531.80 when it should have been $153.81. It was determined
that the wage rate was overstated by a magnitude of 10 because it was entered incorrectly in
the payroll system.
2. One worker complained that a direct deposit was not made to his account, and this error was not
detected. As it turned out, the payment was made to another individual because the wrong bank
account number was on file.
3. One worker received a paycheck for an amount considerably larger than she should have. Investigation
revealed that a worker was paid $21.75 per hour rather than $12.75 per hour because of an
input error when changing the employee’s wage rate on the master file.
4. In processing non-routine changes, an HR assistant included a pay rate increase for one of his
friends in the factory. This was discovered by chance when a foreman was reviewing charges to his
department.

*C12.4  (LO 13)  Challenging   Internal control evaluation—payroll  Analysis and evaluation:
Identify the control deficiencies in the payroll process for The Vane Corporation. Recommend the
changes necessary to improve the control structure. Arrange your answer in the following columnar
format:

Control Deficiencies | Recommendations

(ICMA)
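
The limits listed in the Vane case can be enforced as automated edit checks when a rate change or timesheet enters the payroll system. The sketch below is an added example, not part of the original text: the 40-hour standard week, the 1.5 overtime multiplier, the independent-approval rule, the exception codes, and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Limits stated in the Vane case.
MAX_GROSS_WEEKLY = Decimal("1300.00")
MAX_RAISE_PER_HOUR = Decimal("3.55")
MAX_OVERTIME_HOURS = Decimal("20")

# Assumptions made for this example; the case does not state them.
STANDARD_WEEK_HOURS = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")


@dataclass(frozen=True)
class RateChange:
    employee_id: str
    old_rate: Decimal
    new_rate: Decimal
    entered_by: str
    approved_by: str  # empty string means nobody approved the change


@dataclass(frozen=True)
class Timesheet:
    employee_id: str
    hours: Decimal
    rate: Decimal


def check_rate_change(change):
    """Return exception codes for one master-file pay-rate change."""
    exceptions = []
    if change.new_rate <= 0:
        exceptions.append("RATE_NOT_POSITIVE")
    if change.new_rate - change.old_rate > MAX_RAISE_PER_HOUR:
        exceptions.append("RAISE_OVER_LIMIT")
    # A limit check cannot tell an authorized raise from an unauthorized one,
    # so also require approval by someone other than the person who keyed it
    # (an assumed control, not one described in the case).
    if not change.approved_by or change.approved_by == change.entered_by:
        exceptions.append("NO_INDEPENDENT_APPROVAL")
    return exceptions


def gross_pay(sheet):
    """Weekly gross pay under the assumed 40-hour week and 1.5x overtime."""
    regular = min(sheet.hours, STANDARD_WEEK_HOURS)
    overtime = max(sheet.hours - STANDARD_WEEK_HOURS, Decimal("0"))
    total = regular * sheet.rate + overtime * sheet.rate * OVERTIME_MULTIPLIER
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def check_timesheet(sheet):
    """Return exception codes for one employee's weekly hours."""
    exceptions = []
    if sheet.hours < 0:
        exceptions.append("NEGATIVE_HOURS")
    if sheet.hours - STANDARD_WEEK_HOURS > MAX_OVERTIME_HOURS:
        exceptions.append("OVERTIME_OVER_LIMIT")
    if gross_pay(sheet) > MAX_GROSS_WEEKLY:
        exceptions.append("GROSS_OVER_LIMIT")
    return exceptions


def review_batch(changes, sheets):
    """Map employee id -> exception codes; clean records are omitted."""
    report = {}
    for change in changes:
        for code in check_rate_change(change):
            report.setdefault(change.employee_id, []).append(code)
    for sheet in sheets:
        for code in check_timesheet(sheet):
            report.setdefault(sheet.employee_id, []).append(code)
    return report


# Constructed sample data. E-101 reuses the $12.75 -> $21.75 rates from the case.
SAMPLE_CHANGES = [
    RateChange("E-101", Decimal("12.75"), Decimal("21.75"), "hr_assistant_1", "hr_manager"),
    # In-range raise keyed without approval: passes the limit, fails approval.
    RateChange("E-102", Decimal("12.75"), Decimal("14.75"), "hr_assistant_2", ""),
    RateChange("E-103", Decimal("12.75"), Decimal("13.25"), "hr_assistant_1", "hr_manager"),
]
SAMPLE_SHEETS = [
    Timesheet("E-104", Decimal("40"), Decimal("38.30")),  # rate keyed far too high
    Timesheet("E-105", Decimal("65"), Decimal("12.75")),  # 25 overtime hours
    Timesheet("E-103", Decimal("45"), Decimal("13.25")),  # within all limits
]

if __name__ == "__main__":
    for employee, codes in review_batch(SAMPLE_CHANGES, SAMPLE_SHEETS).items():
        print(employee, ", ".join(codes))
```

Range checks of this kind address keying errors; a payment sent to the wrong bank account, as in problem 2, needs a different control.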

Cloud 9 - Continuing Case


Answer the following questions based on the information for Cloud 9 presented in the appendix to this text and the current
and earlier chapters. You should also consider your answers to the case study questions in earlier chapters. The following
information focuses on evaluating inherent risk, control risk and detection risk for purchase transactions and accounts payable.

Required

a.  After reviewing the trial balance, calculate the following ratios for Cloud 9 as of 1/31/2021, 1/31/2022, and 10/31/2022:
1. Accounts payable turnover in days (use ending balance rather than average balance for accounts payable).
2. Cost of goods sold to average accounts payable.
3. Payables as a % of total assets.
4. Current ratio.
5. Any other ratios and information that you believe would be appropriate to evaluating inherent risk for purchase
transactions and accounts payable balances.
b.  Based on your analysis of information gathered:
1. Identify high inherent risk assertions for purchases transactions and accounts payable.
2. Evaluate inherent risk for purchase transactions and accounts payable. Explain why you have identified various
assertions as high or maximum risk for accounts payable.
c. Analyze and draw conclusions about the nature and extent of tests of controls:
1. For each assertion that you identify as high or maximum inherent risk, identify an internal control, or a combination
of internal controls, that would control that risk.
2. Explain the nature and extent of tests of controls you would need to perform to assess control risk as low, for
the controls you identified in (c)1 above.
d. Analyze and draw conclusions about the nature, timing, and extent of substantive procedures:
1. Given your conclusions about inherent risk and assuming that tests of controls show that internal controls are
effective, what are your conclusions about detection risk for the assertions identified as high or maximum inherent
risk? Explain your conclusions.
2. For the assertions you identified as high or maximum inherent risk, what is the substantive procedure you would
suggest performing (nature of the test)? Explain your conclusions.
3. For the assertions you identified as high or maximum inherent risk, when do you suggest performing the substantive
procedure (timing of the test)? Explain your conclusions.
4. For the assertions you identified as high or maximum inherent risk, how extensively should the auditor test these
assertions (extent of the test)? Explain your conclusions.

Chapter 13
Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

[Figure: The Audit Process. Overview of Audit and Assurance (Chapter 1); Professionalism and Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4), comprising Gaining an Understanding of the Client, Identify Significant Accounts and Transactions, Set Planning Materiality, and Make Preliminary Risk Assessments; Gaining an Understanding of the System of Internal Control (Chapter 6); Develop Responses to Risk and an Audit Strategy; Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10); Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13); Completing and Reporting on the Audit (Chapters 14 and 15), comprising Procedures Performed Near the End of the Audit, Drawing Audit Conclusions, and Reporting.]

Learning Objectives

LO1  Evaluate how an auditor determines and executes an audit strategy for cash and cash equivalents.
LO2  Evaluate how an auditor determines and executes an audit strategy, including the use of ADA, for inventory
and cost of goods sold.
LO3  Evaluate how an auditor determines and executes an audit strategy, including the use of ADA,
for property, plant, and equipment, and depreciation expense.
LO4  Evaluate how an auditor determines and executes an audit strategy for long-term debt and interest
expense, and stockholders’ equity.

Auditing and Assurance Standards

PCAOB | Auditing Standards Board
AS 1105 Audit Evidence | AU-C 500 Audit Evidence
 | AU-C 501 Audit Evidence—Specific Considerations for Selected Items

Cloud 9 - Continuing Case


Suzie and Ian are continuing their work on the substantive audit testing program for the Cloud 9 audit. Suzie convinced Ian that
analytical procedures are not the only substantive tests they will need. They will need to consider how audit risk and other factors
impact the appropriateness of analytical procedures for each area of the audit, and include other substantive tests where required.
Today, they are focusing on asset and liability accounts. Significant accounts on Cloud 9’s trial balance that they have not
yet addressed include cash; inventory; property, plant, and equipment (PPE) (mainly furniture and equipment and leasehold
improvements); as well as long-term debt and stockholders’ equity accounts.
Suzie asks Ian to suggest the key factors that they will consider when designing the substantive test program for each of these
accounts, as well as which procedures they will choose to include in the program.

Chapter Preview: Audit Process in Focus


This chapter focuses on the audit of several key balance sheet accounts. Chapters 11 and 12
discussed performing tests of details of transactions for cash receipts and cash disbursements
and purchases, including the purchases of inventory. In this chapter, we begin with a discussion
of performing tests of details for the cash and cash equivalents balance. The discussion
continues by focusing on how auditors test inventory on the balance sheet, and how the ending
inventory balance affects cost of goods sold. Next, we describe auditing property, plant,
and equipment, and the related depreciation expense. Finally, this chapter concludes with a
discussion of testing financing activities associated with long-term debt, the related interest
expense, and equity. In each case, the discussion follows a process of:

1. Understanding the flow of transactions involving the balance sheet and income statement.
2. Understanding the entity and its environment.
3. Understanding the results of analytical procedures.
4. Assessing inherent risk.
5. Assessing control risk and fraud risk.
6. Determining an audit strategy.
7. Completing substantive tests.
Auditing Cash and Cash Equivalents


Learning Objective 1
Evaluate how an auditor determines and executes an audit strategy for cash and
cash equivalents.

Understanding the Flow of Transactions


Cash and cash equivalents include:

•  Cash in the bank. An example is the primary bank account for the company.
•  Imprest bank accounts. An example is an imprest payroll bank account (see the appendix to
Chapter 12). These are bank accounts that will have a specific book balance, such as zero
or $10,000. At each payroll date, the exact amount needed to clear net payroll transactions
is transferred into this account. After payroll disbursements are made, the balance in the
account reverts to the specific expected balance.
•  Cash equivalents. Examples are commercial paper, Treasury bills, or money market funds.
These are highly liquid investments having a maturity of three months or less. These accounts
usually result in the recognition of interest income.

Chapter 11 discussed cash receipt transactions and internal controls over cash receipts.
Chapter 12 discussed cash disbursement transactions and internal controls over cash disbursements.
The following discussion focuses primarily on testing cash balances on the
balance sheet.

Understanding the Entity and Its Environment


An important aspect of developing a preliminary audit strategy involves understanding the
entity and its environment. In Chapters 11 and 12, we discussed how understanding the
entity and its industry might be helpful for developing an expectation for certain balances.
For example, a manufacturer is more likely to sell on credit, resulting in more significant
receivables than a retail grocer. Cash balances may vary significantly from company to company
within an industry. Top performers in an industry, which generate significant free cash
flow (the excess of cash flow from operations over capital expenditures), are more likely
to have significant balances of cash and cash equivalents. It is important for the auditor to
understand:

•  Management’s cash budgeting practices.
•  The influence of seasonal activity on cash balances.
•  The level of minimum cash balances the company expects to keep on hand.
•  The company’s policies regarding the investment of excess cash in cash equivalents or
long-term investments.

Some companies, such as Apple, Inc., have significant positive cash flow from operations
and positive free cash flow, which result in significant cash and cash equivalents, and
significant investments in marketable securities. Other companies, such as Sears Holding
Corporation, have experienced negative cash flow from operations and have had to manage
cash by selling assets, issuing debt, and repaying debt; cash balances are a small percentage of
total assets. While Apple and Sears may be extreme examples, it is important for the auditor
to understand how management budgets and manages cash balances, and to tailor the audit
of cash accordingly.
Understanding the Results of Analytical Procedures


Management’s operating, investing, and financing decisions and strategies significantly affect
cash balances. Consequently, in some audits these balances may not be expected to show a
stable or predictable relationship with other current or historical financial or operating data.
Well-managed companies regularly develop cash budgets, projecting (1) cash receipts from
operations, (2) cash disbursements for operating needs, and (3) cash flows from investing
and financing activities. Effective analytical procedures involve comparing cash balances with
forecasts or budgets, or with company policies regarding minimum cash balances and the
investment of surplus cash. When internal controls are strong, it is usually most effective to
compare cash balances with budgets and company policies because the individual cash needs
of various entities are often unique.

Assessing Inherent Risk


Cash, by its nature, is susceptible to theft. Many schemes for stealing cash involve failing to
record cash receipts. Significant inherent risks relate to cash receipts and disbursement transactions
(discussed in Chapters 11 and 12). Cash is also susceptible to theft by the manipulation
of cash balances, such as paying fictitious vendors or employees. Disclosures related to cash
balances are usually not complex. Auditors should recognize that problems with transactions
during the period result in problems with the completeness of the ending cash balance, yet
these frauds are uncovered by auditing transactions rather than cash balances. In contrast to
receivables or inventories, inherent risks pertaining to the rights and obligations or the valuation
and allocation assertions for cash are low because there are no complexities involving
rights, accounting measurements, and estimates.

Assessing Control Risk and Fraud Risk


Strong internal control always starts with a strong tone at the top and a sound control environment.
The most important control over the existence, completeness, and valuation of cash balances
is an independent bank reconciliation. Auditors expect that public companies and larger private
companies will have good internal controls over cash. Controls over cash receipts and cash
disbursement are usually tested as part of testing controls in the revenue process and the
purchasing process.
However, many smaller businesses, not-for-profit organizations, or smaller governments
may have inadequate segregation of duties, which may result in weak internal controls over
cash. If control risk is high or maximum (as it should be when segregation of duties is inadequate
and there are no compensating controls), the auditor should assume that fraud risk is
high and design appropriate substantive tests, particularly substantive tests of transactions.
In some cases, particularly businesses with significant cash sales, it may be very difficult to
determine if cash is being skimmed before being recorded and deposited. To detect this, audit
procedures might focus on average size of cash sales and lower gross margins compared to
prior periods or industry statistics to determine if unrecorded cash is a problem. If the company
appears to be receiving more cash than the underlying business supports, and gross
margins are unusually high, it may be evidence of money laundering. With respect to cash
disbursements, it may be easier for auditors to focus on payments to fictitious vendors as
there is often a lack of evidence related to receiving goods. Nevertheless, it is important for
auditors to design appropriate audit procedures when control risk is high or maximum, and
fraud risk is high.

Determining an Audit Strategy


Illustration 13.1 provides an example audit strategy for assertions related to cash balances
and disclosures. This audit strategy assumes that internal controls are strong and the auditor
performs tests of controls. In the case of larger public companies where the internal auditor
tests controls over cash and cash budgeting, or the internal auditor performs some level of
substantive tests of cash, the external auditor will determine if it is appropriate to use the work
of the internal auditor to support the audit conclusion.

ILLUSTRATION 13.1   Example preliminary audit strategies for cash assuming strong internal controls

Assertion: Existence
  Inherent Risk: Maximum: Cash involves a high volume of transactions and it is highly susceptible to misappropriation.
  Control Risk: Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.
  Risk That Analytical Procedures Will Fail to Detect Material Misstatements: High: Comparing year-to-year financial data and comparing cash balances with cash budgets and forecasts.
  Risk That Detail Testing Will Fail to Detect Material Misstatements: High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Assertion: Completeness
  Inherent Risk: Moderate: Completeness problems are more likely with cash transactions than with cash balances. It is more likely that cash will be overstated than understated.
  Control Risk: Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.
  Risk That Analytical Procedures Will Fail to Detect Material Misstatements: High: Comparing year-to-year financial data and comparing cash balances with cash budgets and forecasts.
  Risk That Detail Testing Will Fail to Detect Material Misstatements: High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Assertion: Rights and obligations
  Inherent Risk: Low: Significant rights issues do not exist with respect to cash balances.
  Control Risk: N/A
  Risk That Analytical Procedures Will Fail to Detect Material Misstatements: Maximum: Analytical procedures are not directed at the rights and obligations assertion.
  Risk That Detail Testing Will Fail to Detect Material Misstatements: High: The auditor will usually confirm bank balances and any restriction on cash.

Assertion: Valuation and allocation
  Inherent Risk: Low: Significant valuation issues do not exist with respect to cash balances.
  Control Risk: Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.
  Risk That Analytical Procedures Will Fail to Detect Material Misstatements: High: Comparing year-to-year financial data and comparing cash balances with cash budgets and forecasts.
  Risk That Detail Testing Will Fail to Detect Material Misstatements: High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Assertion: Presentation and disclosure assertions
  Inherent Risk: Moderate: Usually cash does not have significant disclosures; however, cash may be restricted due to debt covenants or compensating balance arrangements.
  Control Risk: Moderate or Low: Primary control is the involvement of an effective disclosure committee.
  Risk That Analytical Procedures Will Fail to Detect Material Misstatements: Maximum: Analytical procedures are not directed at disclosures.
  Risk That Detail Testing Will Fail to Detect Material Misstatements: Moderate to High: The auditor will often perform tests of details to evaluate the quality and accuracy of financial statement disclosures.

In some cases involving private companies, a small business owner may want the auditor
to extend the scope of the engagement to provide assurance about the validity of cash
balances. As a result, the auditor will follow a primarily substantive approach emphasizing
tests of details even when the audit risk model might indicate that such an approach is not
necessary because of the effectiveness of internal controls. As previously discussed, when segregation
of duties is weak, the auditor will plan a primarily substantive approach for obtaining
assurance about cash balances and cash transactions.

Substantive Tests of Cash Balances


Tests of cash balances focus on the account balance assertions of existence, completeness,
rights and obligations, and valuation and allocation. An audit program for testing cash balances
is presented in Illustration 13.2. Each of these procedures is explained in the following
section, including comments on when certain procedures might be omitted and how some of
the procedures can be tailored to applicable risk factors.

ILLUSTRATION 13.2  Substantive tests of cash balances

Each substantive test is listed under its category; the assertions it addresses follow in brackets.

Initial procedures
1. Obtain an understanding of the business and industry to determine: [All]
   a. The significance of cash balances and transactions to the entity.
   b. The entity’s policies for maintaining minimum cash balances, forecasting cash balances, and investing surplus cash.
2. Perform initial procedures on cash balances and records that will be subjected to further testing.
   a. Trace beginning balance for cash on hand and in bank to the prior year’s working papers. [Valuation and allocation]
   b. Review activity in general ledger accounts for cash and investigate entries that appear unusual in amount or source. [All]
   c. Obtain client-prepared schedules of bank balances, verify mathematical accuracy, and determine agreement with general ledger. [Valuation and allocation]

Analytical procedures
3. Perform analytical procedures: [All]
   a. Compare cash balances with budgeted amounts, prior year’s balances, or other expected amounts.
   b. Calculate cash as a percent of total assets and compare with auditor expectations.

Tests of details of transactions
4. Perform cash cutoff tests (note these tests may have been performed as part of the audit programs for cash receipts and cash disbursements): [Existence, Completeness]
   a. Observe that all cash received through the close of business on the last day of the fiscal year is included in cash on hand or deposits in transit and that no receipts of the subsequent period are included.
   OR
   b. Inspect documentation such as daily cash summaries, duplicate deposit slips, and bank statements covering several days before and after year-end date to determine proper cutoff.
   c. Determine the last check issued and mailed on the last business day of the fiscal year and trace to accounting records to determine the accuracy of the cash disbursements cutoff.
   OR
   d. Compare dates on checks issued for several days before and after the year-end date to the dates the checks were recorded to determine proper cutoff.
5. Trace bank transfers for several days before and after the year-end date to determine that each transfer is properly recorded as a disbursement and a receipt in the same accounting period and is properly reflected in bank reconciliations when applicable. [Existence, Completeness]
6. Prepare proof of cash for any bank accounts the auditor has been unable to reconcile or for which there is a high risk that fraudulent transactions have occurred. [Existence, Completeness, Accuracy]

Tests of details of balances
7. Count undeposited cash on hand and determine that such amounts are included in cash balances. [Existence, Completeness, Valuation and allocation, Rights and obligations]
8. Confirm cash balances and loan balances with banks. [Existence, Completeness, Valuation and allocation, Rights and obligations]
9. Confirm other arrangements with banks, such as lines of credit, compensating balance agreements, or loan guarantees. [Existence, Completeness, Valuation and allocation, Rights and obligations]
10. Obtain, scan, review, and reperform bank reconciliations as appropriate. [Existence, Completeness, Valuation and allocation]
11. Obtain and use cutoff bank statements to verify bank reconciliation items and detect any unrecorded checks that have cleared the bank. [Existence, Completeness, Valuation and allocation]

Presentation and disclosure
12. Compare statement presentation with GAAP.
   a. Determine that cash balances are properly identified and classified in the financial statements. [Classification and understandability]
   b. Determine that bank overdrafts are reclassified as current liabilities. [Classification and understandability]
   c. Make inquiries of management, inspect correspondence with banks, and inspect minutes of board of directors’ meetings to determine matters requiring disclosure such as lines of credit, loan guarantees, compensating balance agreements, or other restrictions on cash balances. [Occurrence and rights and obligations]
   d. Evaluate the completeness of presentation and disclosures for cash balances in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. [Completeness]
   e. Read disclosures and independently evaluate their understandability. [Classification and understandability]

Initial Procedures
Before proceeding with tests of details of cash balances, the auditor should ensure that an
understanding has been obtained regarding the entity and its environment and the importance
of cash balances to the entity. For example, the auditor might understand the volume
of transactions going through various cash accounts, the entity’s ability to generate positive
cash flow from operations, policies for forecasting or budgeting cash, and policies for investing
surplus cash.
The starting point for verifying cash balances is tracing the current period’s beginning
balances to the ending audited balances in the prior year’s working papers (when applicable).
Next, the current period’s activity in the general ledger cash accounts should be reviewed for
any significant entries that are unusual in nature or amount that require special investigation.
In addition, any schedules prepared by the client showing summaries of undeposited cash
receipts at different locations and/or summaries of bank balances should be obtained. The
mathematical accuracy of any such schedules should be determined and their agreement with
related cash balances in the general ledger checked. This test provides evidence about the
valuation and allocation assertion.

Substantive Analytical Procedures


As previously discussed, the effectiveness of analytical procedures varies significantly from
client to client. Cash balances may be difficult to predict and may depend on operating cash
flow plus investing and financing activities during the year. Nevertheless, the auditor should
understand management’s policies for maintaining minimum cash balances and for investing
surplus cash.

Tests of Details of Transactions


Chapters 11 and 12 discussed internal control over cash receipts and cash disbursements.
Many times, substantive tests of transactions involving the tracing and vouching of cash receipts
and cash disbursements transactions are performed concurrently with tests of controls
as dual-purpose tests. The evidence from such tests should be combined with the evidence
from the procedures discussed here in reaching a conclusion as to the fair presentation of cash
balances.
Testing cutoff. A proper cutoff of cash receipts and cash disbursements at the end of the
year is essential to the proper statement of cash at the balance sheet date. In many cases,
the auditor may rely on the client’s internal controls related to the cutoff assertion for cash
receipts (see Chapter 11) and cash disbursements (Chapter 12), and test these controls at an
interim date. When internal controls are weak, the auditor will perform his or her own cutoff
procedures at year-end. For cash receipts, the auditor will determine the last deposits made before
year-end and the amount of any cash on hand at year-end. The auditor can then compare
this information with the last transactions recorded in the cash receipts journal. Likewise,
the auditor will determine the last check written at year-end and compare this information
with the cash disbursements journal to determine that transactions are recorded in the proper
accounting period.
Auditing bank transfers. Many entities maintain accounts with more than one bank. A
company with multiple bank accounts may make authorized transfers of money between bank
accounts. For example, money may be transferred from a general bank account to a payroll bank
account for payroll checks that are to be direct-deposited on payday. When checks are written
to transfer funds between accounts at different banks, several days (called the float period)
generally will elapse before the check clears the bank on which it is drawn. Thus, if the bank
deposit is recorded in one period, and the cash disbursement is recorded in the subsequent
period, cash will be overstated because it is being double-counted. It is essential that the
disbursement and the deposit be recorded in the same period.
Intentionally recording a bank transfer as a deposit in the receiving bank while failing to
show a deduction from the bank account on which the transfer check is drawn is a form of
fraud known as kiting. Kiting may be used to conceal a cash shortage and overstate cash at
the balance sheet date.

kiting  a method often used to conceal a cash shortage or to overstate cash; kiting involves
recording a transfer between bank accounts as a deposit while failing to record the cash
disbursement in the same time period

An auditor requires evidence on the validity and accuracy of bank transfers. This is obtained
by preparing a bank transfer schedule. Data for the schedule is obtained from an analysis of the
cash entries per books and applicable bank statements and cutoff bank statements. The schedule
lists all transfer checks issued at or near the end of the client’s fiscal year, and shows the dates that
the checks were recorded by the client and the bank, as illustrated in Illustration 13.3. If we assume
all checks are dated and issued on December 31, check 4100 in Illustration 13.3 was handled
properly because both book entries were made in December and both bank entries occurred in January.
This check would be listed as an outstanding check in reconciling the general bank account
at December 31 and as a deposit in transit in reconciling the payroll bank account. Check 4275
illustrates a transfer check in transit at the closing date. Cash per books is understated by $10,000
because the check has been deducted from the balance per books by the issuer in December, but
has not been added to the Branch #1 account per books by the depositor until January. To correct
this error, an adjusting entry is required at December 31 to increase the branch balance per books.

ILLUSTRATION 13.3   Bank transfer schedule

            Bank Accounts                        Disbursement Date       Receipt Date
Check No.   From         To           Amount     Per Books   Per Bank    Per Books   Per Bank
4100        General      Payroll      $50,000    12/31       1/3         12/31       1/2
4275        General      Branch #1    $10,000    12/31       1/4         1/2         1/2
4280        General      Branch #2    $20,000    1/2         1/2         12/31       12/31
B403        Branch #4    General      $5,000     1/3         1/4         12/31       12/31

Checks 4280 and B403 illustrate the likelihood of kiting because these December checks
were not recorded as disbursements per books until January, even though they were deposited
in the receiving banks in December. Check 4280 results in a $20,000 overstatement of cash in
bank because the receipt per books occurred in December, but the corresponding book deduction
was not made until January. Check B403 may illustrate an attempt to conceal a cash
shortage because the bank deposit occurred in December, presumably to reconcile the bank
and book balances, and all other entries were made in January.
Kiting is possible when weaknesses in internal controls allow one individual to issue and
record checks (i.e., improper segregation of duties), or there is collusion between individuals
who are responsible for the two functions. In addition to tracing bank transfers, kiting may
be detected by (1) obtaining and using a cutoff bank statement (as discussed in the following
section) because the kited check clearing in January will not appear on the list of outstanding
checks for December, and (2) performing a cash cutoff test because the last check issued in
December will not be recorded in the check register.
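
The schedule review described above, written out as an added Python example (not from the textbook): it applies the kiting and in-transit tests to the four rows of Illustration 13.3 exactly as listed. The calendar year, the function names, and the finding labels are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: fiscal year ends 12/31. The calendar year is a placeholder,
# because Illustration 13.3 lists only month/day.
FISCAL_YEAR = 2022
YEAR_END = date(FISCAL_YEAR, 12, 31)

# Rows copied from Illustration 13.3:
# check no., from, to, amount, disbursement per books / per bank,
# receipt per books / per bank.
ILLUSTRATION_13_3 = [
    ("4100", "General", "Payroll", 50_000, "12/31", "1/3", "12/31", "1/2"),
    ("4275", "General", "Branch #1", 10_000, "12/31", "1/4", "1/2", "1/2"),
    ("4280", "General", "Branch #2", 20_000, "1/2", "1/2", "12/31", "12/31"),
    ("B403", "Branch #4", "General", 5_000, "1/3", "1/4", "12/31", "12/31"),
]


def parse_md(text: str) -> date:
    """Read 'M/D' as a date near year-end: months 7-12 fall in the closing
    fiscal year, months 1-6 in the following one."""
    month, day = (int(part) for part in text.split("/"))
    return date(FISCAL_YEAR if month >= 7 else FISCAL_YEAR + 1, month, day)


@dataclass(frozen=True)
class Transfer:
    check_no: str
    from_acct: str
    to_acct: str
    amount: int
    disb_books: date
    disb_bank: date
    rcpt_books: date
    rcpt_bank: date


def load_schedule(rows):
    return [Transfer(r[0], r[1], r[2], r[3], *(parse_md(d) for d in r[4:]))
            for r in rows]


def book_effect(t: Transfer) -> int:
    """Misstatement of year-end cash per books when the two book entries
    fall in different periods (positive = overstated)."""
    disb_in_period = t.disb_books <= YEAR_END
    rcpt_in_period = t.rcpt_books <= YEAR_END
    if rcpt_in_period and not disb_in_period:
        return t.amount       # receipt counted, disbursement not yet deducted
    if disb_in_period and not rcpt_in_period:
        return -t.amount      # deducted by the issuer, not yet added by the depositor
    return 0


def classify(t: Transfer) -> str:
    # The page's kiting indicator: deposited at the receiving bank before
    # year-end, but not recorded as a disbursement per books until after.
    if t.rcpt_bank <= YEAR_END and t.disb_books > YEAR_END:
        return "possible kiting"
    # Transfer check in transit at the closing date (check 4275 on the page).
    if t.disb_books <= YEAR_END < t.rcpt_books:
        return "in transit: adjusting entry needed"
    if book_effect(t) != 0:
        return "cutoff error"
    return "proper"


def review(rows):
    """Return (check no., finding, book effect) for every transfer."""
    return [(t.check_no, classify(t), book_effect(t)) for t in load_schedule(rows)]


if __name__ == "__main__":
    for check_no, finding, effect in review(ILLUSTRATION_13_3):
        print(f"{check_no:>5}  {finding:<36} book effect {effect:+,}")
```
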

Tests of Details of Balances


The following tests of details of balances focus primarily on two major tests: (1) sending a
bank confirmation and (2) testing the client’s bank reconciliation.
Confirm bank deposit and loan balances. It is customary for the auditor to obtain a bank
confirmation for cash on deposit and loan balances as of the balance sheet date. The standard
bank confirmation, depicted in Illustration 13.4, normally confirms the following information:
1. The client’s permission for the bank to respond to the auditor.
2. Requests for all bank balances including details of any accounts closed during the year.
3. Requests of details of interest charges.
4. Requests for details of any loans or lending facilities or bank overdrafts, together with the limits
and, if applicable, dates of repayments and any collateral pledged as security for the loan.
5. Requests for details of any assets held by the bank on the customer’s behalf.
6. Requests for details of any contingent liability of which the bank may be aware.
A trend is developing where the auditor obtains this information through secure online access
to the client’s bank account information. This information assists the auditor in testing the
existence, completeness, and valuation and allocation assertions. In addition, it provides information
in support of disclosure assertions.

ILLUSTRATION 13.4  Example bank confirmation

ASB-CL-6.1: Standard Form to Confirm Account Balance Information with Financial Institutions

[ ] ORIGINAL
To be mailed to CUSTOMER NAME

Financial Institution’s Name and Address: [Financial Institution’s Name and Address]

We have provided to our accountants the following information as of the close of business on [Date],
regarding our deposit and loan balances. Please confirm the accuracy of the information, noting any
exceptions to the information provided. If the balances have been left blank, please complete this
form by furnishing the balance in the appropriate space below. Although we do not request nor expect
you to conduct a comprehensive, detailed search of your records, if during the process of completing
this confirmation additional information about other deposit and loan accounts we may have with you
comes to your attention, please include such information below. Please use the enclosed envelope to
return the form directly to our accountants.

1. At the close of business on the date listed above, our records indicated the following deposit
balance(s):

ACCOUNT NAME | ACCOUNT NO. | INTEREST RATE | BALANCE*

2. We were directly liable to the financial institution for loans at the close of business on the date
listed above as follows:

ACCOUNT NO./DESCRIPTION | BALANCE* | DUE DATE | INTEREST RATE | DATE THROUGH WHICH INTEREST IS PAID | DESCRIPTION OF COLLATERAL

(Customer’s Authorized Signature) (Date)

The information presented above by the customer is in agreement with our records. Although we
have not conducted a comprehensive, detailed search of our records, no other deposit or loan
accounts have come to our attention except as noted below.

(Financial Institution Authorized Signature) (Date)

(Title)

EXCEPTIONS AND/OR COMMENTS

Please return this form directly to our accountants:
[Audit Firm’s Name and Address]

*Ordinarily, balances are intentionally left blank if they are not available at the time the form is prepared.

Approved 1990 by American Bankers Association, American Institute of Certified Public Accountants,
and Bank Administration Institute.

Scan or test bank reconciliations. Scanning or testing a bank reconciliation establishes
the correct cash-in-bank balance at the balance sheet date. When the acceptable level of detection
risk is high, the auditor may scan the client-prepared bank reconciliation and verify the
mathematical accuracy of the reconciliation. If detection risk is moderate or low, the auditor
may test more items on the client’s bank reconciliation, which includes:
•  Comparing the ending bank balance with the balance confirmed on the bank confirmation form.
•  Verifying the validity of deposits in transit and outstanding checks to supporting documentation
and the bank cutoff statement (explained below).
•  Establishing the mathematical accuracy of the reconciliation.
•  Vouching reconciling items such as bank charges, bank credits, or errors to supporting
documentation.
•  Investigating old items such as checks outstanding for a long period of time and unusual items.
The working paper showing auditor testing of a bank reconciliation prepared by the
client (PBC) is illustrated in Illustration 13.5.

ILLUSTRATION 13.5   Review of client-prepared bank reconciliation

Client: New Millennium Ecoproducts     Bell & Bowerman, LLP     Prepared by: C.J.B. 1/15/23
Period-end: 12/31/22                   Reference: A-1           Reviewed by: R.E.Z. 1/25/23

Acct # 110
Bank Account No. 12345-642

Balance per Bank                                                          $120,262.47 (a)

Deposits in Transit     Per Books   Per Bank
                        12-30       1-2          $ 8,425.15 (b)
                        12-31       1-7           17,844.79 (b)             26,269.94 (F)

Outstanding Checks      1047                         225.94 (c)
                        1029                      21,600.00 (c)
                        1435                          47.25 (c)
                        1436                       1,428.14 (c)
                        1437                       1,000.00 (c)
                        1440                         832.08 (c)
                        1441                          41.08 (c)            (25,174.49) (F)

Add NSF Check: R. Zim 12/29                                                    200.00 (d)

Balance per Books                                                         $121,557.92 (F)(e)
                                                                          To A

(F) Footed.
(a) Agreed to bank statement and bank confirmation.
(b)  Vouched to cutoff bank statement plus supporting remittance documents.
(c)  Vouched to bank cutoff statement and supporting disbursement documentation.
(d) Vouched to bank statement and debit memo. Cash balance at year-end was overstated by $200
and receivables were understated by the same amount. Immaterial. Pass further investigation.
(e) Agreed to general ledger.

The auditor agreed the balance per bank to the bank confirmation. The auditor vouched
deposits in transit and outstanding checks to a cutoff bank statement obtained from the bank
or by way of secure online access to the client’s bank account information for the cutoff period.

cutoff bank statement  a bank statement for the period subsequent to the date of the
balance sheet that the client requests the bank to send directly to the auditor

A cutoff bank statement is a bank statement as of a date subsequent to the balance sheet
date. The date should be at a point in time that will permit most of the year-end outstanding
checks to clear the bank. Usually, the date is seven to 10 business days following the end of
the client’s fiscal year. The client must request the cutoff statement from the bank and instruct
that it be sent directly to the auditor. On receipt of the cutoff statement, the auditor should:
•  Trace a sample of all checks dated in the prior year to the outstanding checks listed on
the bank reconciliation.
•  Vouch a sample of deposits in transit on the bank reconciliation to deposits on the cutoff
statement.
•  Scan the cutoff statement and enclosed data for unusual items.

The extent of this testing depends on the level of detection risk associated with tests of
details. The auditor will test the mathematical accuracy of the client-prepared bank reconciliation
and agree the final balance per books to the general ledger.
Proof of cash. When fraud risk is high, the auditor might consider performing a proof of cash.
A proof of cash not only reconciles the ending balance, it also reconciles cash receipt transactions
between the accounting records and the bank, and the cash disbursement transactions between
the accounting records and the bank. Consider the following situation. A controller who is a check
signer withdraws $5,000 in cash without approval and replaces the cash before the end of the
month. This would not be picked up by a bank reconciliation, but it would be picked up by a proof
of cash. An end-of-chapter problem explores the topic of proof of cash in more depth.
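
The controller scenario above, worked as a four-column proof of cash in an added Python example (not from the textbook). All amounts other than the $5,000 are constructed, the function and field names are assumptions, and the example assumes every reconciling item from the prior month-end cleared the bank during the month.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BankRec:
    """Reconciling items at one month-end (whole dollars)."""
    balance_per_bank: int
    deposits_in_transit: int
    outstanding_checks: int

    def adjusted_balance(self) -> int:
        # What a standard bank reconciliation computes.
        return (self.balance_per_bank + self.deposits_in_transit
                - self.outstanding_checks)


def proof_of_cash(begin, end, bank_receipts, bank_disbursements,
                  book_begin, book_receipts, book_disbursements):
    """Return bank-adjusted minus book for each of the four columns.

    A non-zero receipts or disbursements difference means the bank handled
    cash that the accounting records never recorded (or the reverse), even
    when both balance columns agree.
    """
    book_end = book_begin + book_receipts - book_disbursements
    # Deposits credited by the bank this month but recorded in the books last
    # month come out; deposits recorded this month but not yet credited go in.
    adj_receipts = (bank_receipts - begin.deposits_in_transit
                    + end.deposits_in_transit)
    # Checks issued last month that cleared this month come out; checks
    # issued this month that have not cleared go in.
    adj_disbursements = (bank_disbursements - begin.outstanding_checks
                         + end.outstanding_checks)
    return {
        "beginning_balance": begin.adjusted_balance() - book_begin,
        "receipts": adj_receipts - book_receipts,
        "disbursements": adj_disbursements - book_disbursements,
        "ending_balance": end.adjusted_balance() - book_end,
    }


def unexplained(columns):
    """Names of the columns that do not reconcile."""
    return [name for name, diff in columns.items() if diff != 0]


def constructed_month():
    """Constructed month in which $5,000 is withdrawn and later redeposited,
    with neither movement recorded in the books."""
    begin = BankRec(balance_per_bank=100_000, deposits_in_transit=4_000,
                    outstanding_checks=6_000)
    end = BankRec(balance_per_bank=110_000, deposits_in_transit=7_000,
                  outstanding_checks=9_000)
    bank_receipts = 252_000        # includes the $5,000 replacement deposit
    bank_disbursements = 242_000   # includes the $5,000 withdrawal
    # The bank statement itself must roll forward.
    assert end.balance_per_bank == (begin.balance_per_bank + bank_receipts
                                    - bank_disbursements)
    return proof_of_cash(begin, end, bank_receipts, bank_disbursements,
                         book_begin=98_000, book_receipts=250_000,
                         book_disbursements=240_000)


if __name__ == "__main__":
    columns = constructed_month()
    for name, diff in columns.items():
        print(f"{name:<18} difference {diff:>6,}")
    print("Investigate:", unexplained(columns))
```
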

Tests of Details of Presentation and Disclosure


Cash should be correctly identified and classified in the balance sheet. For example, cash on
deposit is a current asset. However, bond sinking fund cash is a long-term investment. In addition,
there should be appropriate disclosure of arrangements with banks such as lines of credit,
restrictions on cash balances, or contingent liabilities. A bank overdraft is normally reported as a
current liability. The auditor determines the appropriateness of the statement presentation from
a review of the draft of the client’s statements and the evidence obtained from substantive tests.
In addition, the auditor should review the minutes of board of directors’ meetings and make
inquiry of management for evidence of restrictions on the use of cash balances.

Cloud 9 - Continuing Case


Suzie reminds Ian they have conducted extensive testing of Cloud 9’s controls over cash
receipts and payments, and many of these tests were dual-purpose. This means that the
substantive and control tests were done at the same time. While examining the documents, Ian
completed tasks designed to detect control deviations and substantive errors. These tests
included reperformance of the bank reconciliations and vouching recorded cash payments and
receipts (including transaction approvals and posting) to the underlying documents.

The testing already completed shows that controls over cash are reasonably strong, and they
can justify requesting a bank confirmation for an interim date, with a roll-forward to year-end.
The bank confirmation will gather evidence about the existence and valuation and allocation
assertions, plus rights and obligations (that is, it will reveal liens or claims over bank
accounts). The roll-forward will include testing the cutoff of cash receipts and payments.

Before You Go On
1.1 When auditing cash, how might the auditor’s procedures change when a client has poor
segregation of duties and weak controls over cash balances?
1.2 What is meant by the term kiting? Explain how kiting results in misstated financial statements.
Explain the audit procedures that can be used to detect misstatements due to kiting.
1.3 What information does the auditor seek on a standard bank confirmation form? Explain how
the bank confirmation is used in the audit of cash.
1.4 What is a cutoff bank statement? How is the cutoff bank statement used in the audit of cash?

Auditing Inventory on the Balance Sheet


Learning Objective 2
Evaluate how an auditor determines and executes an audit strategy, including the
use of ADA, for inventory and cost of goods sold.

Chapter 11 discussed the revenue process, including the sale of inventory. Chapter 12 discussed
the purchasing process, including the purchase and payment for many costs associated with the
production of inventory. This chapter will focus on auditing the ending balance for inventory
reported on the balance sheet. It will focus primarily on auditing inventory for a company that
purchases and resells inventory. However, the discussion of auditing the valuation and allocation
assertion will also address valuation of inventory for a manufacturing company.

Understanding the Flow of Transactions


Some companies produce inventory, which involves purchasing raw materials (the purchasing
process), incurring factory overhead in the conversion process (the purchasing process), and
incurring labor costs (the payroll process). In some cases, companies purchase inventory for
resale, which also involves the purchasing process. The costs of purchasing or manufacturing
inventory are accumulated and added to the cost of beginning inventory to determine the cost
of goods available for sale. The cost of ending inventory is then subtracted from goods available
for sale to determine the cost of goods sold.
The focus of this section is on auditing the costs assigned by the client to ending inventory
and the account balance assertions of:

•  The completeness of inventory.
•  The existence of inventory.
•  The valuation of inventory and the allocation of costs to cost of goods sold.
•  The rights and obligations related to inventory.

Auditors need to be aware that any changes to inventory reported on the balance sheet will
also result in changes to cost of goods sold reported on the income statement.

Understanding the Entity and Its Environment


A theme that runs through this text is that the audit will vary from client to client, and it may
vary from year to year for a particular client. The auditor needs to be attuned to changes in an
audit client and tailor the audit to the circumstances that the auditor finds. To drive this point
home, we have followed five different industries (manufacturing of oil and gas field machinery
and equipment, manufacturing computer equipment, the retail grocery industry, the hotel
and motel industry, and colleges and universities) with the goal of understanding how each is
different from the others, so that the auditor might make appropriate adjustments in the audit
plan. Illustration 13.6 illustrates the importance of inventory and inventory turnover for
these five industries. Inventory is immaterial for two of these industries, the hotel and motel
industry and colleges and universities, because these are service industries.

ILLUSTRATION 13.6   Understanding an entity’s inventory

Oil and Gas Field Machinery and Equipment Manufacturing
  Example Industry Traits:
  •  Relatively slow inventory turnover
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements:
  Inventory as a % of Total Assets: 28%
  Inventory Turnover in Days (upper quartile): 52 days
  Inventory Turnover in Days (median): 85 days
  Inventory Turnover in Days (lower quartile): 131 days
  Assessing the Risk of Material Misstatement:
  •  Inventory is very material to the financial statements.
  •  Inventory valuation is subject to industry volatility.
  •  Products are less subject to significant obsolescence risk.

Electronic Computer Manufacturing
  Example Industry Traits:
  •  Moderate inventory turnover
  •  Gross margins depend on technological superiority of products
  •  Companies outsource significant aspects of the manufacturing process
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements:
  Inventory as a % of Total Assets: 26%
  Inventory Turnover in Days (upper quartile): 31 days
  Inventory Turnover in Days (median): 66 days
  Inventory Turnover in Days (lower quartile): 114 days
  Assessing the Risk of Material Misstatement:
  •  Inventory is very material to the financial statements.
  •  The valuation of inventory is a significant inherent risk due to the technological obsolescence issue.
(continued)
 Auditing Inventory on the Balance Sheet  13-13

illustration 13.6   (continued)

Developing a Knowledgeable
Perspective About the Entity’s Assessing the Risk of Material
Example Industry Traits Financial Statements Misstatement
Supermarkets and other Grocery Stores Inventory as a % of Total Assets: 30% •  Inventory is very material to the financial
•  Very competitive environment and one Inventory Turnover in Days (upper quartile): statements.
product may be substituted easily for other   16 days •  The valuation of inventory is a significant
products Inventory Turnover in Days (median): 24 days inherent risk due to complexity of applying
the retail method for valuing inventory.
Inventory Turnover in Days (lower quartile):
  31 days •  Modest risk associated with perishable
inventories.
•  Supply chain management is the key to
profitability in a competitive industry.
Hotels and Motels Inventory as a % of Total Assets: Less than 1% •  The risk of material misstatement is low
•  Inventory is usually insignificant in this Inventory Turnover in Days (upper quartile): N/A due to the immateriality of inventory for
industry this industry.
Inventory Turnover in Days (median): N/A
Inventory Turnover in Days (lower quartile): N/A
Colleges, Universities, and Professional Inventory as a % of Total Assets: Less than 1% •  The risk of material misstatement is low
Schools Inventory Turnover in Days (upper quartile): N/A due to the immateriality of inventory for
•  Inventory is usually insignificant in this this industry.
Inventory Turnover in Days (median): N/A
industry
Inventory Turnover in Days (lower quartile):
  N/A

Inventory is a material asset for the other three industries. Inventory in the manufacture
of oil and gas field machinery and equipment is less subject to significant obsolescence risk,
but in some economic environments when prices are down due to lower demand, growing
inventories may be a concern. The computer manufacturing industry is subject to technological
obsolescence, and laptops face significant competition from phones and tablets. When
considering the valuation and allocation assertion for manufacturing companies, the auditor needs to
understand how capital-intensive the manufacturing process is, and the expected costs
associated with raw materials, labor, and manufacturing overhead. The grocery industry is extremely
competitive, margins are low, and supply-chain management is critical to a retailer’s success.
Further, a significant amount of inventory may be in the supply chain or in the warehouse,
rather than in stores.

Understanding the Results of Analytical Procedures


Analytical procedures performed as part of risk assessment are cost-effective and may
alert the auditor to potential misstatements. If the financial statements show a trend of
increased profit margin combined with an increase in inventory turnover in days,
inventory may be overstated. This will alert the auditor to pay careful attention to
the existence and valuation of inventory. The auditor might also be alert to cutoff
problems that might have resulted in overstating inventory. Illustration 13.7 presents some
example analytical procedures along with an explanation of the problems that might be
identified. When inventory is material to the financial statement audit, the auditor should
not consider analytical procedures a substitute for other tests of details, but they
may be very effective in focusing audit attention where misstatements are likely. In addition,
Illustration 13.7 suggests several comparisons of financial measures with underlying
measures of business activity, such as raw materials used and direct labor hours. If the auditor
plans to use this type of data for a substantive analytical procedure, the auditor should
test the control system that ensures the reliability of the data used to support an analytic
conclusion.

ILLUSTRATION 13.7   Analytical procedures commonly used to audit inventory

Ratio: Inventory turnover in days
Formula: $$365 \div \left( \frac{\text{Cost of goods sold}}{\text{Average inventory}} \right)$$
Audit significance: Prior experience in inventory turnover in days, combined with knowledge
of cost of sales, can be useful in estimating current inventory levels.
A lengthening of inventory turnover in days may indicate existence or
valuation (lower-of-cost-or-net-realizable-value) problems.

Ratio: Inventory growth to cost of sales growth
Formula: $$\frac{\left( \dfrac{\text{Inventory}_{\text{Current Year}}}{\text{Inventory}_{\text{Prior Year}}} \right) - 1}{\left( \dfrac{\text{Cost of sales}_{\text{Current Year}}}{\text{Cost of sales}_{\text{Prior Year}}} \right) - 1}$$
Audit significance: Ratios larger than 1.0 indicate that inventories are growing faster
than sales. Large ratios may indicate possible inventory obsolescence
problems.

Ratio: Finished goods produced to raw material used
Formula: $$\frac{\text{Finished goods quantities}}{\text{Raw material quantities}}$$
Audit significance: Useful in estimating the efficiency of the manufacturing process. May be
helpful in evaluating the reasonableness of production costs.

Ratio: Finished goods produced to direct labor
Formula: $$\frac{\text{Finished goods quantities}}{\text{Direct labor hours}}$$
Audit significance: Useful in estimating the efficiency of the manufacturing process. May be
helpful in evaluating the reasonableness of production costs.

Ratio: Product defects per million
Formula: $$\frac{\text{Number of product defects}}{\text{Each million produced}}$$
Audit significance: Useful in estimating the effectiveness of the manufacturing process.
May be helpful in evaluating the reasonableness of production costs and
warranty expenses.

Professional Environment  Indicators of Phantom Inventory

In his article “Ghost Goods: How to Spot Phantom Inventory,” Joseph T. Wells says that ghost
goods throw a company’s accounting records out of kilter. He suggests the following trends are
potential indicators of phantom inventory:

•  Inventory increasing faster than sales.
•  Decreasing inventory turnover.
•  Shipping costs decreasing as a percentage of inventory.
•  Inventory rising faster than total asset growth.
•  Falling cost of sales as a percentage of sales.
•  Cost of goods sold on the books not agreeing with tax returns.

Source: Joseph T. Wells, “Ghost Goods: How to Spot Phantom Inventory,” Journal of
Accountancy (June 2001).

Assessing Inherent Risk


The inherent risk of material misstatement arising from inventory transactions for a hotel
chain or a university is relatively low, as inventory is not a material part of the entity’s core
process. With a manufacturer, wholesaler, or retailer, however, inherent risk for inventory
may be assessed at or near the maximum for the following reasons:

•  The volume of purchases, manufacturing, and sales transactions that affects these
accounts is generally high, increasing the opportunities for misstatements to occur.
•  Contentious issues often surround the use of professional judgment in the identification,
measurement, and allocation of costs related to inventory such as indirect materials,
labor, and manufacturing overhead, joint product costs, and the accounting for cost
variances, scrap, or inventory shrinkage.
•  The wide diversity of inventory items sometimes requires the use of special procedures to
determine inventory quantities, such as geometric volume of stockpiles, aerial
photography, and estimation of quantities by experts.
•  Inventories are often stored at multiple sites, adding to the difficulties associated with
maintaining physical controls over theft and damages, and properly accounting for goods
in transit between sites.
•  The wide diversity of inventory items may present special problems in determining their
quality and market value.
•  Inventories are vulnerable to spoilage, obsolescence, and other factors such as general
economic conditions that may affect demand and sales price, and thus the proper
valuation of the inventories.

Professional Environment  Restatements Related to Inventory

Audit Analytics¹ recently reported a summary of restatements due to inventory, vendor, and
cost-of-sales issues for the 17-year period ending in 2017. Inventory restatements included
inventory, vendor, and cost-of-sales issues that consisted of errors or fraud in approach,
theory, or calculations associated with transactions affecting inventory, vendor relationships
(including rebates), and/or cost of sales. These misstatements primarily are related to the
capitalization of activities in inventory or the calculation of year-end inventory balances. As
seen below, these misstatements range between 4.2% and 9.6% of all restatements. From
2013–2016, misstatements were pretty steady, ranging between 7.9% to 9.1% of all restatements.
In 2017, the number of restatements associated with inventory dropped down to 6.3% of all
restatements.

Disclosure Year | Expense recording issues | % of all financial statement restatements
2004 | 91 | 9.6%
2005 | 145 | 9.2%
2006 | 133 | 7.2%
2007 | 72 | 5.6%
2008 | 54 | 5.6%
2009 | 47 | 5.7%
2010 | 36 | 4.2%
2011 | 46 | 5.4%
2012 | 49 | 5.8%
2013 | 71 | 8.1%
2014 | 78 | 9.1%
2015 | 60 | 7.9%
2016 | 59 | 8.7%
2017 | 35 | 6.3%

Assessing Control Risk and Fraud Risk


Many elements of valuing inventory involve professional judgment and accounting estimates.
For example, significant professional judgment is involved in estimating how manufacturing
overhead is allocated to inventory versus cost of goods sold. Professional judgment is also
involved in determining if inventory is obsolete or should be written down to the
lower-of-cost-or-net-realizable-value. As a result, entity-level controls such as a sound control
environment and a tone at the top set an important foundation for accurate accounting and strong
internal controls.
Many of the controls over inventory overlap with revenue, purchasing, and payroll
processes. For example, the purchase of raw materials or the purchase of inventory held for
resale overlap with the controls over purchase transactions. Controls over the classification
of these transactions are particularly relevant to inventory (e.g., the proper classification of
purchase of raw materials or items related to manufacturing overhead). Further, controls
over the classification of payroll are particularly relevant to the accounting for
manufacturing labor.
It is important for the auditor to understand how the client develops the value for
inventory reported on the balance sheet at the end of the year. Most clients keep a perpetual
inventory for inventory quantities, which keeps track of the quantity of each item in inventory
and where it is located. However, when it comes to determining the value of inventory, most
clients use the periodic method. Therefore, at the end of the year, the client determines the
quantity of inventory on hand, usually by a physical count, and then the client determines the
value of each item in inventory to arrive at an ending inventory value. The client then takes
the beginning inventory value and adds purchases (or total manufacturing cost) to determine
the value of goods available for sale. Finally, the client subtracts the value of ending inventory
to determine cost of goods sold.
To summarize, determining the value of ending inventory is a three-step process outlined
in Illustration 13.8. In step one, the client determines inventory quantities at each location.
This may be done by taking a complete physical count of inventory, or by using the perpetual
inventory records of inventory quantities on hand. The client often controls the accuracy of
physical counts by having a second team investigate differences between the physical count
and the perpetual inventory. In step two, a compilation of inventory values is developed
in which the client assigns values to each item in inventory to determine the value of ending
inventory. In step three, a journal entry is prepared to adjust the value of ending inventory
and cost of goods sold based on the physical count and the compilation of inventory values. If
ending inventory is overstated in this process, cost of goods sold will be understated, and gross
margins and net income will be overstated.

compilation of inventory values: the client’s documentation behind the value for inventory in
the general ledger; this shows the quantity of each item in inventory and the values assigned
to each item in inventory

¹ Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year
Comparison (Audit Analytics: Sutton, MA, 2018).

ILLUSTRATION 13.8   Steps in accounting for inventory

1. Physically count inventory at each location.
2. Develop a compilation of inventory values with quantities and prices for each item in inventory.
3. Develop a journal entry to adjust ending inventory and cost of goods sold.

Illustration 13.9 summarizes what can go wrong (WCGW) with respect to inventory,
and key controls the auditor might expect to find related to inventory. As you review
Illustration 13.9, try to associate particular controls with the assertions being controlled.
The following illustration assumes there is good segregation of duties and strong
entity-level controls.

ILLUSTRATION 13.9   Inventory: WCGW and example controls

Risk (WCGW): Inventory may not exist.
Example controls:
•  Physical controls over inventory (fences, a secure warehouse, and additional physical
controls in the warehouse depending on the size and value of inventory).
•  Warehouse and store organization such as numbered locations and identification of each
item in inventory using SKU (Stock Keeping Unit) numbers and barcodes or UPC (Universal
Product Codes) numbers and barcodes.
•  Regular comparison of perpetual records with actual inventory using frequent counts of a
small proportion of inventory, or cycle counts.

Risk (WCGW): Inventory counts may be inflated.
Example controls:
•  Regular independent comparison of perpetual records with actual inventory.
•  Accurate recording of all scrap transactions or spoilage.

Risk (WCGW): Inventory may not be recorded.
Example controls:
•  Regular count of physical inventory for comparison with perpetual records.
•  Investigation of negative balances in inventory records.

Risk (WCGW): Inventory may be valued incorrectly at historical cost.
Example controls:
•  Costs compared with recent purchases.
•  Internal controls over purchases of raw materials and manufacturing labor charged to
inventory.
•  Regular review of manufacturing overhead charged to inventory.

Risk (WCGW): Inventory may be valued incorrectly at net realizable value.
Example controls:
•  Regular review of obsolete inventory.
•  Regular comparisons of inventory costs to sales prices.

Risk (WCGW): Consignment out may not be included.
Example controls:
•  Consignment out periodically inspected by company.

Risk (WCGW): Consignment in may be included in inventory.
Example controls:
•  Consignment inventory segregated from other inventory and accounted for separately.

Key Inventory Controls


Many clients build in redundant controls such that if one control does not prevent a misstatement,
another control will detect the problem (both preventive and detective controls). Auditors
cannot efficiently test all controls that exist, but will identify a few key controls and test the
most important control for each assertion. Following are example key controls auditors often
identify. Several of these controls are dependent on good physical controls over inventory and
the use of SKU (Stock Keeping Unit) numbers and barcodes, or UPC (Universal Product
Codes) numbers and barcodes, similar to what you see in Illustration 13.10.

ILLUSTRATION 13.10   SKU or UPC inventory label
[Figure: an inventory barcode label showing an alphanumeric SKU#, V4C3D5R2, and a numeric-only
UPC, 8 10295 00116 9.]

Existence of inventory. The client conducts regular cycle counts, typically monthly or
quarterly. The client will frequently identify a small portion of items in the perpetual
inventory, go to the inventory location and count the inventory, and investigate and correct any
discrepancies that are found. Clients that do not cycle-count should count inventory at least
once a year, preferably near the balance sheet date.
Completeness of inventory. As part of regular cycle counts, the client begins by counting
items in inventory and comparing them with the perpetual inventory records. Any
discrepancies between the physical count and the perpetual records are investigated and corrected.
Valuation of inventory at historical cost. The client regularly compares costs with recent
purchases when using FIFO. The client also regularly compares accumulated manufacturing
costs with standard costs and investigates variances.
Valuation of inventory at net realizable value. The client regularly conducts a review of
obsolete inventory. This usually involves evaluating the amount of inventory on hand,
investigating slow-moving items, and comparing inventory cost with sales prices.
Rights and obligations. An important rights and obligations issue involves consignment
inventory. Consignment inventory is inventory that is sent by its owner (consignor) to an agent
(consignee) who agrees to sell the goods. The consignee has an obligation to pay the consignor
when the goods are sold by the consignee. If the client holds inventory on consignment from a
consignor, it should be segregated from other inventory in the warehouse or store, counted
separately, and not included in any final inventory count. If the client owns inventory on consignment
to a consignee, the client should regularly visit the consignee’s locations and count consignment
inventory that has not been sold for comparison with perpetual inventory records.

cycle counts: the client will frequently identify a small portion of items in the perpetual
inventory, count actual inventory, and investigate discrepancies; the client will usually vouch
items in the perpetual records to the actual inventory on hand (testing existence), and also count
inventory on hand for other items and then trace results to the perpetual records (testing
completeness)

consignment inventory: inventory that is sent by its owner (consignor) to an agent
(consignee) who undertakes to sell the goods; the consignee has an obligation to pay the consignor
when the goods are sold by the consignee

Testing Inventory Controls


Tests of inventory controls often involve observing the client’s controls and reperforming the
client’s controls. For example, the auditor will observe the client conducting cycle counts, and
at the same time the auditor may check the accuracy of the client’s cycle counts and
investigate and correct discrepancies. In some cases, the client may use IT application controls to test
the accuracy of inventory prices compared to recent purchases, or to compare inventory values
with sales prices. If these controls operate monthly or quarterly, the auditor may choose to test
these software applications at both interim and year-end, thereby performing a dual-purpose
test—testing the control and substantively testing the assertion at the same time.

Fraud Risk Assessment


After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud
risk. The auditor should be alert to incentives and pressures that may motivate management
to misstate inventory. Further, weak internal control over the existence of inventory may lead
to increased theft of inventory by employees. Ultimately, good internal controls reduce the
opportunity for fraud. If internal controls are not strong, the auditor should be alert to the
heightened risk of fraud.

Professional Environment  SEC Settlements Regarding Inventory Frauds and Misstatements

On April 19, 2016, the SEC issued Accounting and Auditing Enforcement Release 3765 involving
Logitech International. In October 2010, Logitech launched a product called “Revue,” a
set-top device that connected to televisions allowing internet usage and video streaming. The
product was not well-received and Logitech missed a number of internal sales projections. Based
on the sales rate for the fourth quarter of 2011, Logitech had over a year’s supply of Revue.
Based on the quarter-end sales rate to retailers, Logitech had over three years of inventory of
Revue. However, management used optimistic sales forecasts when considering whether there was a
lower-of-cost-or-market problem, in spite of internal discussions that noted if Logitech
needed to scrap inventory and components, Logitech should assume the recoverable value of zero.
The SEC findings concluded that at the time Logitech filed its 2011 financial statements, the
company overstated its operating income by $30.7 million, i.e., over 27%.

On September 22, 2015, the SEC issued Accounting and Auditing Enforcement Release 3704
involving Stein Mart, Inc., a retailer of discounted clothing and accessories. In May 2013,
Stein Mart had to restate its financial results for the first quarter of 2012, all reporting
periods in fiscal year 2011, and its annual reporting period for 2010. The primary reason was
that it failed to appropriately account for permanent markdowns of inventory. Unlike temporary
markdowns, permanent markdowns were never returned to their original prices. While the retailer
regularly marked down inventory, it did not record the permanent inventory markdowns until the
inventory was actually sold. The failure to decrease the value of inventory for permanent
inventory markdowns was so significant that, in the first quarter of 2012, Stein Mart overstated
its pretax income by almost 30%. The SEC concluded that not only were earnings materially
misstated, but that Stein Mart did not have adequate internal controls over inventory markdowns.

Audit Data Analytics as a Risk Assessment Procedure


Audit data analytics (ADA) allow the auditor to screen the entire inventory population
for particular characteristics. ADA may be helpful in assessing whether inventory may be
misstated. The auditor can use ADA to determine how quickly or slowly inventory is
turning. For example, ADA can calculate inventory turnover in days for each
SKU number and identify the slowest-moving inventory for follow-up analysis regarding
the lower-of-cost-or-net-realizable-value (NRV) of inventory. ADA can also aggregate
inventory turnover in days for each location to identify specific locations that are
underperforming or appear to have excessive inventory. In some cases, companies that have filed for
bankruptcy have had inventory on hand that would take them two years to sell. This should
be a clear indicator for the auditor that the client may have obsolete inventory or inventory
with a lower-of-cost-or-NRV problem.
ADA may also be used to evaluate the space needed to store inventory. When a company
has a large number of items in inventory, and the inventory should take up significant space,
the auditor can use information about the space needed to warehouse each item of inventory
and determine whether the space needed for the entire inventory approximates the space actually
used to store that inventory. This may be an effective way to determine the appropriateness of
quantities recorded for inventory.
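
The per-SKU and per-location turnover screen and the storage-space check described above, as an added example that is not part of the original text. The sample rows, the 365-day follow-up threshold, the 10% space tolerance, and all function and field names are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the text): one row per SKU per location.
# cogs = annual cost of goods sold; begin_inv / end_inv = inventory at cost.
INVENTORY = [
    {"sku": "A100", "location": "WH-East", "cogs": 73000.0, "begin_inv": 9000.0,
     "end_inv": 11000.0, "units_on_hand": 500, "unit_cube_ft3": 2.0},
    {"sku": "B200", "location": "WH-East", "cogs": 36500.0, "begin_inv": 20000.0,
     "end_inv": 20000.0, "units_on_hand": 400, "unit_cube_ft3": 3.0},
    {"sku": "C300", "location": "WH-West", "cogs": 3650.0, "begin_inv": 6000.0,
     "end_inv": 10000.0, "units_on_hand": 1000, "unit_cube_ft3": 1.5},
    {"sku": "D400", "location": "WH-West", "cogs": 0.0, "begin_inv": 2000.0,
     "end_inv": 2000.0, "units_on_hand": 200, "unit_cube_ft3": 2.5},
]
# Constructed usable storage volume per location, in cubic feet.
CAPACITY_FT3 = {"WH-East": 3000.0, "WH-West": 1500.0}


def turnover_days(cogs, begin_inv, end_inv):
    """Inventory turnover in days: 365 / (cost of goods sold / average inventory)."""
    avg_inventory = (begin_inv + end_inv) / 2
    if avg_inventory == 0:
        return 0.0          # nothing on hand, nothing to sell through
    if cogs <= 0:
        return math.inf     # stock on hand but no sales: it never turns
    return 365 * avg_inventory / cogs


def sku_turnover(rows):
    """Every SKU with its turnover in days, slowest-moving first."""
    scored = [
        dict(r, days=turnover_days(r["cogs"], r["begin_inv"], r["end_inv"]))
        for r in rows
    ]
    return sorted(scored, key=lambda r: r["days"], reverse=True)


def slow_movers(rows, threshold_days=365):
    """SKUs to follow up for lower-of-cost-or-NRV; the threshold is an assumption."""
    return [r for r in sku_turnover(rows) if r["days"] > threshold_days]


def location_turnover(rows):
    """Turnover in days per location, computed from the location's totals."""
    totals = defaultdict(lambda: {"cogs": 0.0, "begin": 0.0, "end": 0.0})
    for r in rows:
        t = totals[r["location"]]
        t["cogs"] += r["cogs"]
        t["begin"] += r["begin_inv"]
        t["end"] += r["end_inv"]
    return {
        loc: turnover_days(t["cogs"], t["begin"], t["end"])
        for loc, t in totals.items()
    }


def space_exceptions(rows, capacity_ft3, tolerance=0.10):
    """Locations whose recorded quantities need more space than exists.

    Returns {location: (required_ft3, capacity_ft3)} where the space implied by
    the recorded quantities exceeds capacity by more than the tolerance.
    A location with no known capacity is treated as capacity 0 and flagged.
    """
    required = defaultdict(float)
    for r in rows:
        required[r["location"]] += r["units_on_hand"] * r["unit_cube_ft3"]
    return {
        loc: (need, capacity_ft3.get(loc, 0.0))
        for loc, need in required.items()
        if need > capacity_ft3.get(loc, 0.0) * (1 + tolerance)
    }


if __name__ == "__main__":
    for r in slow_movers(INVENTORY):
        print(f"slow mover {r['sku']} at {r['location']}: {r['days']:.0f} days")
    for loc, days in location_turnover(INVENTORY).items():
        print(f"{loc}: {days:.0f} days")
    for loc, (need, cap) in space_exceptions(INVENTORY, CAPACITY_FT3).items():
        print(f"{loc}: recorded stock needs {need:.0f} ft3, capacity {cap:.0f} ft3")
```

The location figure is computed from summed cost of goods sold and summed average inventory rather than by averaging the per-SKU days, so a single non-moving SKU does not make the whole location infinite.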

Determining an Audit Strategy


The audit strategy is highly dependent on the client’s system of internal controls. For many
companies, inventory is a material item on the balance sheet and cost of goods sold is material
to the income statement. Inherent risk associated with the existence and the valuation and
allocation assertions is likely to be at or near maximum because of the materiality of the
inventory account and its interaction with cost of goods sold.
When evaluating internal controls, auditors are particularly alert to the frequency
and quality of cycle counts and the number of discrepancies that result in corrections to
the perpetual inventory. Auditors are also alert to the controls over the valuation of
inventory. It is particularly important for auditors to use their knowledge of the entity and
its business environment when evaluating customer demand for inventory, the amount
of inventory on hand, and the potential need to adjust inventory for lower-of-cost-or-NRV
issues.
When the risk of material misstatement (the combined assessment of inherent risk and
control risk) is low, the auditor is likely to perform substantive tests at an interim date with
smaller sample sizes. However, when the risk of material misstatement is high, the auditor
is more likely to perform substantive tests directly on year-end balances with more extensive
audit procedures.

Substantive Tests of Inventory


Possible substantive tests of inventory balance assertions are shown in Illustration
13.11. Evidence from some of the tests applicable to merchandise inventory and to
manufactured finished goods inventories also relates to objectives for the corresponding cost of
goods sold accounts because of the reciprocal relationship of these accounts. Following
the illustration, each of the substantive tests is discussed, together with selected
comments about how the tests can be tailored based on the acceptable level of detection risk
to be achieved.

ILLUSTRATION 13.11  Substantive tests for inventory

Category: Initial procedures
1. Obtain an understanding of the business and industry and determine: (Assertions: All)
   a. The significance of cost of sales and inventory to the business.
   b. Key economic drivers that influence the entity’s cost of sales, gross margins, and the
      possibility of obsolete inventory.
   c. The extent to which the client has consignment inventories (in or out).
   d. The existence of purchase commitments and concentration of activities with suppliers.
2. Perform initial procedures on inventory balances and records that will be subjected to
   further testing.
   a. Vouch beginning inventory balances to ending balances in the prior year’s working papers.
      (Assertions: Valuation and allocation)
   b. Review activity in inventory accounts and investigate entries that appear unusual in
      amount or source. (Assertions: Existence, Completeness)
   c. Verify totals of perpetual records and other inventory schedules and their agreement with
      general ledger balances. (Assertions: Existence, Completeness, Valuation and allocation)

Category: Analytical procedures
3. Perform analytical procedures: (Assertions: All)
   a. Review industry experience and trends.
   b. Examine analysis of inventory turnover.
   c. Review relationship of inventory balances to recent purchasing, production, and sales
      activities.
   d. Compare inventory balances to anticipated sales volume.

Category: Tests of details of transactions
4. On a test basis, vouch entries in inventory to supporting documentation (e.g., vendors’
   invoices, manufacturing cost records, completed production reports, and sales and sales
   return records). (Assertions: Occurrence, Accuracy, Classification)
5. On a test basis, trace data from purchases, manufacturing, completed production, and sales
   records to inventory accounts. (Assertions: Completeness, Accuracy, Classification)
6. Test cutoff of purchases and sales returns (receiving), movement of goods through
   manufacturing departments (routing), and sales (shipping). (Assertions: Cutoff)

Category: Tests of details of balances
7. Observe client’s physical inventory count: (Assertions: Existence, Completeness)
   a. Determine the timing and extent of tests.
   b. Evaluate adequacy of client’s inventory-count plans.
   c. Observe care taken in client’s counts and make test counts.
   d. Look for indications of slow-moving, damaged, or obsolete inventory.
      (Assertions: Valuation and allocation)
   e. Account for all inventory electronic count media, tags, or count sheets used in physical
      count.
8. Test clerical accuracy of the compilation of inventory values:
   a. Recalculate totals and extensions of quantities × unit prices.
      (Assertions: Valuation and allocation)
   b. Trace test counts (from item 7c) to the compilation of inventory values.
      (Assertions: Completeness)
   c. Vouch items on the compilation of inventory values to inventory electronic count media,
      tags, count sheets. (Assertions: Existence, Valuation and allocation)
   d. Reconcile physical counts to perpetual records, the compilation of inventory values, and
      general ledger balances. Inspect adjusting entries.
      (Assertions: Existence, Completeness, Valuation and allocation)
9. Test inventory pricing:
   a. Examine paid vendor invoices for purchased inventories.
      (Assertions: Valuation and allocation)
   b. Examine propriety of direct labor and overhead rates, standard costs, and accounting for
      variances pertaining to manufactured inventory. (Assertions: Valuation and allocation)
10. Confirm inventories at locations outside the entity. (Assertions: Rights and obligations)
11. Examine consignment arrangement and contracts. (Assertions: Rights and obligations)
12. Based on the tests of beginning inventory, production costs, and ending inventory, determine
    the appropriateness of cost of sales. (Assertions: Valuation and allocation)
13. Evaluate the net realizable value of inventory: (Assertions: Valuation and allocation)
   a. Examine sales invoices after year-end and perform lower-of-cost-or-NRV test.
   b. Compare inventories with client’s current sales catalog and sales reports.
   c. Inquire about slow-moving, excess, or obsolete inventories and determine need for
      write-down.
   d. Evaluate management’s process for estimating the net realizable value of inventory using
      hindsight.
   e. Evaluate the net realizable value of inventory given information about:
      •  Industry trends.
      •  Inventory turnover trends.
      •  Specific slow-moving inventory.

Category: Presentation and disclosure
14. Compare statement presentation with GAAP:
   a. Confirm agreements for pledging inventories as collateral for loans.
      (Assertions: Occurrence and rights and obligations)
   b. Review presentation and disclosure for inventories in drafts of the financial statements and
      determine conformity with GAAP.
      (Assertions: Classification and understandability, Accuracy and valuation)
   c. Evaluate the completeness of presentation and disclosures for inventory in drafts of
      financial statements to determine conformity to GAAP by reference to disclosure checklist.
      (Assertions: Completeness)
   d. Read disclosures and independently evaluate their understandability.
      (Assertions: Classification and understandability)

Initial Procedures
An essential initial procedure involves obtaining an understanding of the entity’s business
and industry. This allows the auditor to develop a knowledgeable perspective about the entity
and set the context for the evaluation of analytical procedures and tests of details.
In tracing beginning inventory balances to the prior year’s working papers, the auditor
should make certain that any audit adjustments agreed upon in the prior year did in fact get
recorded. In addition, current period entries in the general ledger inventory accounts should
be scanned to identify any adjustments that are unusual in amount or nature and require special
investigation. Initial procedures also involve determining that the compilation of inventory values
agrees with the general ledger balance.

Substantive Analytical Procedures


The application of substantive analytical procedures to inventories uses the auditor’s
knowledge of the entity and its environment to develop expectations about the financial statements.
This knowledgeable perspective is effective in identifying accounts that may be misstated.
Suggested analytical procedures are presented in Illustration 13.7 and by the steps shown in
Illustration 13.11. A review of industry experience and trends may be essential in developing
expectations to be used in evaluating analytical data for the client. For example, knowing
that a sharp drop in the client’s inventory turnover ratio mirrors what is happening in the
industry may help the auditor to conclude that the drop does not indicate errors pertaining
to the existence assertion or problems in the client data used in calculating the ratio, but may
instead indicate a valuation problem related to a drop in demand that is likely to be followed
by falling market prices. A review of relationships of inventory balances to recent purchasing,
production, and sales activities should also aid the auditor in understanding changes in
inventory levels. For example, an increase in the reported level of finished goods inventory when
purchasing, production, and sales levels have remained steady might indicate misstatements
related to the existence or valuation of the finished goods inventory. In addition to the
calculation of an overall inventory turnover ratio for each inventory account, it may be appropriate
to calculate the ratio for disaggregated data, such as by product line.
Because of the reciprocal relationship between inventories and cost of goods sold, these
procedures may provide evidence useful in determining the fairness of management’s
assertions pertaining to both accounts. For example, an unexpectedly high inventory turnover ratio
or an unexpectedly low gross margin might be caused by an overstatement of cost of goods
sold and a corresponding understatement of inventories. The auditor should also understand
and evaluate the relationship between costs, volume, and gross profit, and the degree to which
manufacturing costs are fixed and variable. Conversely, conformity of these ratios with
expectations may provide some limited assurance of the fairness of the historical data used in the
calculations unless evidence from other sources is contradictory. Finally, analysis of inventory
levels and ratios based on anticipated sales volume in the subsequent period may be useful in
conjunction with market valuation procedures.

Tests of Details of Transactions
Testing transactions involves the procedures of vouching and tracing to obtain evidence about
the processing of individual transactions that affect inventory balances. In this process, the au-
ditor should give special consideration to determining the propriety of the cutoff of inventory
transactions at the end of the accounting period.
Inspect entries in inventory accounts. Some or all of this type of testing may be done as part
of dual-purpose tests during interim work. Examples of vouching recorded entries in inventory
accounts include the vouching of
•  Purchases of merchandise or raw materials inventories to vendor invoices, receiving re-
ports, and purchase orders.
•  Increases in work in process or finished goods inventories to manufacturing cost records
and production reports.
•  Decreases in raw materials and work in process inventories to manufacturing cost records
and production reports.
•  Sales of merchandise and finished goods inventories to sales documents and records.

Tests of purchases and sales may be performed during testing of the purchasing process
(Chapter 12) and revenue process (Chapter 11).
Recall that vouching entries that increase inventory balances provides evidence about the
existence and valuation of the inventory at the time of the transaction. Vouching entries that
decrease inventory balances to determine the propriety of the inventory reductions provides
evidence about the valuation and allocation assertion for cost of goods sold. Tracing documen-
tation for purchases and the cost of factors added to production to entries in the inventory
accounts provides evidence for the completeness and valuation and allocation inventory asser-
tions. Tracing documentation of transactions that decrease inventory balances, such as sales,
provides evidence for the existence and valuation and allocation assertions for inventory, since
the evidence helps determine that entries were recorded and entered at the correct amounts.
Test cutoff of purchases, manufacturing, and sales transactions. The purpose and nature
of sales and purchases cutoff tests are explained in Chapters 11 and 12 in connection with
the audit of accounts receivable and accounts payable balances. Both tests are important in
establishing that transactions occurring near the end of the year are recorded in the correct
accounting period. In a manufacturing company, it must also be determined that entries are
recorded in the proper period for the transfer of costs for goods moved (1) between stores and
production departments, (2) between one production department and another, or (3) between
production departments and finished goods.
In each case, the auditor must determine, through inspection of documents and phys-
ical observation, that the paperwork cutoff and the physical cutoff for inventory counts are
coordinated. For example, if the auditor determines that an entry transferring the cost of the
period’s last lot of completed production to finished goods has been recorded, the auditor
should determine that the goods, even if in transit, were included in the physical inventory of
finished goods only. That is, they were neither counted as part of work in process, nor double
counted, nor missed altogether. Evidence from these cutoff tests relates to both the existence
and completeness assertions for inventory balances and cost of goods sold.

Tests of Details of Balances: Observing the Client’s Physical Inventory Count
The observation of inventories has been a generally accepted auditing procedure for over
80 years. This procedure is required whenever inventories are material to a company’s finan-
cial statements. In performing this auditing procedure, the client has responsibility for the
counting of inventory. AU-C 501 Audit Evidence—Specific Considerations for Selected Items
states that, from testing the accuracy of the client’s inventory count, the auditor obtains direct
knowledge of the effectiveness of the client’s inventory count and gains a measure of reliance
that may be placed on management’s assertions as to the quantities and physical condition of
the inventories. In some cases, outside inventory specialists may be hired by the client to count
the inventory. When this occurs, the auditor must also be present to observe the specialist’s
counts because, from an auditing standpoint, the specialist is basically the same as client em-
ployees. The primary audit considerations applicable to this required procedure are explained
in the following subsections.

Professional Environment: Why Do Auditors Observe Inventory?

During the 1930s, audit evidence for inventories was usually restricted to obtaining a certification from management as to the correctness of the stated amount. In 1938, the discovery of a major fraud in McKesson & Robbins Company, a major pharmaceutical firm, caused a reappraisal of the auditor’s responsibilities for inventories. The company’s December 1937 financial statements “certified” by a national public accounting firm reported $87 million of total assets. Of this amount, $19 million ($10 million in inventory and $9 million in receivables) was subsequently determined to be fictitious. The auditors were exonerated of blame because they had complied with existing auditing standards. However, promptly thereafter, in Statement on Auditing Procedure No. 1, auditing standards were changed to include physical observation of inventories.

In spite of the standard for auditors to physically observe inventory, inventory scandals continue to happen. In 1963, Allied Crude Vegetable Oil, a New Jersey company led by Anthony De Angelis, determined that it could obtain loans based on the company’s inventory of salad oil. When inspectors confirmed that stores of salad oil were full, the company obtained millions in loans. However, storage tanks were filled mostly with water, with only a few feet of salad oil floating on the top. The company claimed to have 1.8 billion pounds of salad oil, when it only had 110 million pounds. Once the scandal was exposed, investors and lenders lost significant sums.

These issues are only avoided when the auditor understands the client’s business and uses due diligence and professional skepticism when auditing inventory.

Timing and extent of inventory observations. The timing of an inventory observation de-
pends on the effectiveness of the client’s internal controls over inventory. In a periodic in-
ventory system, quantities are determined by a physical count, and all counts are made as of
a specific date. The date should be at or near the balance sheet date, and the auditor should
ordinarily be present on the specific date.
In a perpetual inventory system with effective internal controls, physical counts may be
compared with inventory records at interim dates. When the perpetual records are well kept
and comparisons with physical counts are made periodically by the client, the auditor should
be present to observe a representative sample of such counts. In such cases, this procedure
may occur either during or after the end of the period under audit. In companies where in-
ventories are at multiple locations, the auditor will use his or her knowledge of sampling to
determine the number of locations at which to observe inventory.
Inventory-count plans. The counting of a physical inventory by a client is done according
to a plan or a list of instructions. The client’s instructions should include such matters as the:

•  Names of employees responsible for supervising the counting of inventory.
•  Date of the counts.
•  Locations to be counted.
•  Detailed instructions on how the counts are to be made (e.g., manual counts versus elec-
tronic counts) and instructions for controlling inventory counts (e.g., whether manual
counts are double counted or the basis for testing electronic counts).
•  Use and control of electronic count media, prenumbered inventory tags, or summary
count sheets.
•  Instructions for handling the receipt, shipment, and movement of goods during the counts
if such activity is unavoidable.
•  Segregation or identification of goods not owned.
The auditor must plan in advance so that inventory observation can be done efficiently
and effectively. An experienced auditor usually has the responsibility for (1) planning the in-
ventory observation, (2) determining the staffing needs, and (3) assigning members of the
audit team to specific locations. Each observer should be provided with a copy of the client’s
inventory plans and written instructions for counting inventory.
Performing the inventory observation. In observing inventories, the auditor should:

•  Scrutinize the care with which client employees are following the inventory plan.
•  See that all merchandise is counted once and only once. If inventory is tagged, no items
should be double-tagged.
•  Determine that the electronic count media, prenumbered inventory tags, or compilation
sheets are properly controlled.
•  Make some test counts and trace quantities to final count.
•  Be alert for empty containers and hollow squares (empty spaces) that may exist when
goods are stacked in solid formations.
•  Identify the last receiving and shipping documents used and determine that goods re-
ceived during the count are properly segregated.
•  Watch for damaged and obsolete inventory items and evaluate the general condition of
the inventory (e.g., inventory caked with dust or cobwebs).
•  Inquire of employees about the existence of slow-moving inventory items.

The extent of the auditor’s test counts depends, in part, on the care exercised by client
employees in counting the inventory, the nature and composition of the inventory, and the
effectiveness of controls pertaining to the physical safeguarding of the inventory and the main-
tenance of perpetual records. Ordinarily, the auditor will stratify the inventory items to include
the items of highest dollar value in the count, as well as count a representative sample of other
items. The auditor may refer to perpetual inventory records to identify the high-value items and
select the sample items.
In making test counts, the auditor should record the count and give a complete and accurate
description of the item (identification number, unit of measurement, location, etc.) in the working
papers as shown in Illustration 13.12. Such data are essential for the auditor’s comparison of the
test counts with the client’s counts, the subsequent tracing of the counts to the perpetual inventory
records, and the compilation of inventory values. After the inventory has been counted, the auditor
should obtain a copy of the electronic count media, or make a listing of all tags (used or unused) or
summary sheets and obtain sufficient information so no inventory can be added to the count after
the auditor has observed inventory. Several significant frauds have occurred, overstating inventory,
when the auditor has not adequately controlled the electronic media or count sheets.

ILLUSTRATION 13.12  Inventory test counts working paper

Client: New Millennium Ecoproducts     Bell & Bowerman, LLP     Prepared by: W.C.B.  1/15/23
Period-end: 12/31/22                                            Reviewed by: R.E.Z.  1/25/23
Raw Materials Test Counts                                       Reference: F-2

Tag No.  Sheet No.  Number    Description        Count      Count          Difference
6531     15         1-42-003  back plate         125        125 (a)        0
8340     18         1-83-012  1/4″ copper plate  93         93 (a)         0
1483     24         2-11-004  Single end wire    1325 yds.  1321 yds. (a)  4 yds. (b)
4486     26         2-28-811  Copper tubing      220        220 (a)        0
3334     48         4-26-204  Side plate         424        424 (a)        0
8502     64         7-44-310  1/2″ copper wire   276 ft.    276 ft. (a)    0
8844     68         7-72-460  3/8″ copper wire   419 ft.    419 ft. (a)    0
6295     92         3-48-260  Front plate        96         69 (a)         27 (b)

(a) Traced to client’s electronic count media (F-4), noting corrections for all differences.
(b) Each difference was corrected by the client. The net effect of the corrections was to increase
inventory by $840. If similar errors existed in the unsampled portion of the population (F-5),
the projected misstatement would amount to $26,460, which is considered to be immaterial to
the current fiscal year. Pass further investigation.

At the conclusion of the observation procedure, a designated member of the audit team should
prepare an overall summary. The summary should include a description of such matters as
(1) departures from the client’s inventory-count plan, (2) the extent of test counts and any
material discrepancies resulting therefrom, (3) conclusions on the accuracy of the counts, and
(4) conclusions regarding slow-moving or obsolete inventory noted while at the client’s location.

Audit Reasoning Example  Preparing for an Inventory Observation

Ken has been assigned to the audit of a regional company that sells household appliances (e.g., wash-
ers and dryers, refrigerators, televisions). Ken is meeting Jennifer, the audit manager, before going out
to perform an inventory observation at the company’s warehouse. Jennifer says, “Ken, the inventory
observation is particularly important. If errors happen during the inventory observation and we don’t
get the appropriate evidence, we will have to observe the inventory again—at our own cost! This
must be done right the first time. First, it is essential that you observe how the client is counting
the inventory, and how client personnel are double-checking their counts. Test the client’s controls
over counting all of the inventory. If the client has good controls you can reduce the extent of your
test counts. All of the inventory is bar coded, so they should be comparing actual counts with the
company’s perpetual inventory. Make sure you document your tests of the client’s controls and your
conclusions. Second, you will need to test-count the inventory; have the client open boxes to make
sure the boxes actually contain the appropriate inventory. This is important to testing the existence
of inventory. Third, look for any evidence of the inventory being damaged, or boxes with a lot of dust
on them. On average, the company turns over its inventory about every two months, so inquire of
workers in the warehouse about inventory that has been around for three months or more. Fourth,
when you are talking with the warehouse personnel, determine if they are aware of inventory that is
held on consignment. I don’t expect that they should have any consignment inventory, but we need
to ask the employees that work with inventory on a day-to-day basis about this. Finally, in addition
to your test counts, make sure you leave with a copy of all of the counts made by the client. This will
most likely be in electronic form, so obtain a copy of the electronic file the client has with 100% of the
counts of inventory. This will be essential for our later work. It goes without saying that you need to
document all of your tests and your audit findings.”

Observation of beginning inventories. To express an unqualified opinion on the income
statement, the auditor must observe the counting of both the beginning and ending inven-
tories. On a recurring audit engagement, this requirement is met by auditing the ending
inventory of each year. However, in the initial audit of an established company, the auditor
may either be appointed after the beginning inventory has been counted or be asked to
report on the financial statements of one or more prior periods. In such circumstances, it
is clearly impracticable for the auditor to have observed the inventory count, and generally
accepted auditing standards permit the auditor to verify the inventories by other auditing
procedures as explained below.
When the client has been audited by another firm of independent auditors in the prior
period(s), the other procedures may include a review of the predecessor auditor’s report
and/or working papers and a review of the client’s inventory summaries for the prior peri-
od(s). If the client has not been audited previously, the auditor may be able to obtain audit
satisfaction by reviewing the summaries of any client counts, testing prior inventory trans-
actions, and applying gross profit tests to the inventories. Such procedures are appropriate
only when the auditor is able to verify the validity and propriety of the ending inventory for
the period under audit.
When inventories have been observed at the beginning of the year, the auditor may be
able to issue a standard unmodified audit report. However, when sufficient appropriate
evidence has not been obtained as to the beginning inventories or the auditor is unable to ob-
serve the counting of ending inventories, the auditor has a scope limitation and should issue a
qualified opinion or a disclaimer of opinion as will be discussed in Chapter 15.
Test clerical accuracy of compilation of inventory values. After the physical inventory has
been counted, the client uses the electronic count media, inventory tags, or count sheets to
prepare a compilation of inventory values that lists all items counted. The inventory items
are then priced to arrive at the total dollar valuation of the inventory on hand. Because this
listing serves as the client’s basis for any entries required to adjust recorded inventories to
agree with those on hand, the auditor must perform certain tests to determine that the list-
ing is clerically accurate, it accurately represents the results of the physical counts, and it
agrees to the general ledger.
Tests of clerical accuracy include recalculating the totals shown on the inventory listings
and verifying the accuracy of the extensions of quantities multiplied by unit prices on a test
basis. This can often be done with generalized audit software. To determine that the list accu-
rately represents the results of the count, the auditor traces his or her own test counts to the
inventory listings, and vouches items on the listings to the electronic count media, inventory
tags, or count sheets used in the physical inventory. The physical counts are then compared,
on a test basis, with amounts per perpetual records, when applicable, and any differences are
noted and investigated and traced to adjusting entries if required. This test provides evidence
for the existence, completeness, and valuation and allocation assertions.
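The clerical-accuracy tests just described, together with the earlier point about controlling count tags so nothing can be added after the observation, lend themselves to scripting. The Python sketch below is an added example, not taken from the textbook or from any audit software product; the listing, tag numbers, totals and function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class ListingLine:
    tag_no: int          # count tag the client compiled this line from
    item_no: str
    quantity: Decimal
    unit_cost: Decimal
    extension: Decimal   # quantity x unit cost as shown on the client's listing


def check_compilation(listing, reported_total, gl_balance, used_tags, test_counts):
    """Run the compilation tests and return every exception found.

    used_tags   -- tag numbers the auditor recorded as used at the observation
    test_counts -- {tag_no: quantity} from the auditor's own test counts
    """
    by_tag, duplicate_tags, extension_errors = {}, [], []
    shown_total = Decimal("0")
    for line in listing:
        if line.tag_no in by_tag:               # same tag compiled twice
            duplicate_tags.append(line.tag_no)
        by_tag.setdefault(line.tag_no, line)
        # Recalculate the extension instead of trusting the client's figure.
        recomputed = (line.quantity * line.unit_cost).quantize(CENT, ROUND_HALF_UP)
        if recomputed != line.extension:
            extension_errors.append((line.tag_no, line.extension, recomputed))
        shown_total += line.extension

    # Trace the auditor's test counts to the listing.
    count_differences = []
    for tag, audited_qty in sorted(test_counts.items()):
        line = by_tag.get(tag)
        listed_qty = line.quantity if line else None
        if listed_qty != audited_qty:
            count_differences.append((tag, audited_qty, listed_qty))

    return {
        "extension_errors": extension_errors,
        # Foot the listing: the client's total versus the sum of its own lines.
        "footing_difference": reported_total - shown_total,
        "gl_difference": reported_total - gl_balance,
        # Vouch listing lines back to tags the auditor saw used at the count.
        "tags_not_in_count": sorted(set(by_tag) - set(used_tags)),
        "tags_missing_from_listing": sorted(set(used_tags) - set(by_tag)),
        "duplicate_tags": duplicate_tags,
        "test_count_differences": count_differences,
    }


def run_sample():
    """Constructed sample: five tags used at the count, 106-110 left unused."""
    d = Decimal
    listing = [
        ListingLine(101, "RM-001", d("125"), d("4.20"), d("525.00")),
        ListingLine(102, "RM-002", d("93"), d("18.50"), d("1720.50")),
        ListingLine(103, "RM-003", d("1321"), d("0.75"), d("1990.75")),  # bad extension
        ListingLine(104, "RM-004", d("220"), d("6.00"), d("1320.00")),
        ListingLine(107, "RM-007", d("400"), d("10.00"), d("4000.00")),  # unused tag
    ]
    return check_compilation(
        listing,
        reported_total=d("9656.25"),   # total printed on the client's listing
        gl_balance=d("9656.25"),       # general ledger inventory balance
        used_tags={101, 102, 103, 104, 105},
        test_counts={101: d("125"), 104: d("224")},
    )


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

In the sample the listing agrees to the general ledger yet still fails four tests, which is why agreement to the ledger alone is not evidence that the compilation reflects the count.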
Test inventory pricing. This test involves examining supporting documentation for both the
cost and market value of inventories. Thus, it relates primarily to the valuation and allocation
assertion. Evidence in support of unit costs varies with the nature of the inventory. For items
purchased for resale (merchandise inventory or raw materials), costs should be vouched to rep-
resentative vendor’s invoices. If the client is unable to produce vendor invoices for the quan-
tity in inventory, it would indicate a potential existence problem with inventories. The auditor
should also determine that inventory costing procedures used are consistent with those used in
prior years. The consistency of the pricing can be established by review of the prior year’s work-
ing papers on a recurring audit.
This step in the verification of pricing includes a review of the pricing of obsolete and
damaged goods to ensure they are not valued in excess of net realizable value at the statement
date. The determination of net realizable value of inventory is based on sales prices. If the
client can sell inventory and break even, there is not a lower-of-cost-or-NRV problem. There-
fore, when auditing net realizable value the auditor will usually look at sales prices on sales
invoices after year-end to determine if the cost of inventory is recovered by sales prices.
Test costs of manufactured inventories. The nature and extent of the auditor’s pricing tests of
work in process and finished goods depend on the reliability of the client’s cost accounting records
and the methods used by the client to accumulate such costs. The auditor should review the meth-
ods for propriety, and accuracy and consistency of application. For example, when standard costs
are used, the auditor should test the calculation of the standards, and evaluate whether the stan-
dards approximate actual costs by examining the variance accounts. When variance accounts have
large balances, the auditor must consider whether fair presentation requires a pro rata allocation to
inventories and costs of goods sold, rather than simply charging the variances to cost of goods sold.
When the inventory is specialized or highly technical, the auditor may require the
assistance of an outside expert. This might occur, for example, in an oil company with
different grades of gasoline and motor oil, or in a jewelry store with different carat dia-
monds and different jeweled watches. The auditor may use the work of a specialist as an
auditing procedure to obtain competent evidential matter when the auditor is satisfied
about the qualifications and objectivity of the expert. The use of a specialist is discussed
in Chapter 5.
Confirm inventories at locations outside the entity. When client inventories are stored in
public warehouses or with other outside custodians, the auditor should obtain evidence as
to the existence of the inventory by direct communication with the custodian. This type of
evidence is deemed sufficient except when the amounts involved represent a significant pro-
portion of current or total assets. When this is the case, the auditor should apply one or more
of the following procedures:

•  Test the owner’s procedures for investigating the warehouse company and evaluating the
warehouse company’s performance.
•  Obtain an independent accountant’s report on the warehouse company’s control pro-
cedures relevant to custody of goods and, if applicable, pledging of receipts, or apply
alternative procedures at the warehouse to gain reasonable assurance that information
received from the warehouse company is reliable.
•  Observe physical counts of the goods, if practicable and reasonable.
•  If warehouse receipts have been pledged as collateral, confirm with lenders pertinent
details of the pledged receipts (on a test basis, if appropriate).

This test also provides evidence about the rights and obligations assertion. In addition, it
will result in evidence as to the completeness assertion if the custodian confirms more goods
on hand than stated in the confirmation request. Confirming inventories does not provide any
evidence about the value of the inventory because the custodian is not asked to report on the
cost, condition, or market value of the goods stored in the warehouse.
Examine consignment agreements and contracts. Goods on hand may be held on consign-
ment by a consignee. Thus, the consignee’s management is requested to segregate goods not
owned during the inventory count. In addition, the auditor often requests a written assertion
on ownership of inventories. When consignments exist, the agreement should be examined
for terms and conditions. If the client (consignor) has shipped goods on consignment, the
auditor should review the documentation to determine that goods held by the consignee are
included in the consignor’s inventory at the balance sheet date. The evidence obtained from
this procedure relates to the rights and obligations assertion.
Tests of accounting estimates. When auditing inventory, the auditor must determine
whether it is appropriate to write down the value of inventory below cost because the in-
ventory is obsolete or slow-moving, and whether conditions would cause the client to sell
inventory at such a price that it would experience a loss. The audit of accounting estimates is
particularly challenging because of their prospective nature. The auditor (and the client) must
estimate what inventory will sell for after year-end.
The auditor’s responsibility for quality is limited to that of a reasonably informed
observer. This means the auditor is expected to determine whether the inventory appears
to be in condition for sale, use, or consumption, and whether there are any obsolete,
slow-moving, or damaged goods. The auditor obtains evidence of general condition or
obsolescence by:

•  Observing the client’s inventory count.
•  Scanning perpetual inventory records for slow-moving items or items where the client
has sufficient quantity that it cannot sell the inventory during the period of normal in-
ventory turnover.
•  Reviewing quality control production reports.

In addition, the auditor will use hindsight and review the sale of inventory after year-end
to determine the reasonableness of costs compared to subsequent sales prices. For example,
the auditor will usually:

•  Compare the cost of inventory items with the entity’s current sales catalog and sales reports.
•  Review inventory turnover after year-end.
•  Consider whether a change in replacement costs indicates changing market conditions.
•  Make inquiries of the client about slow-moving and obsolete inventory and the realizable
value of inventory through sales.

ADA can be used to evaluate the lower-of-cost-or-net-realizable-value of inventory. The auditor
can use ADA to compare the cost of inventory with sales prices after year-end for every item in
inventory to determine the materiality of a potential NRV problem. When evidence suggests a
material decline in the realizable value of the goods, an appropriate write-down below cost is required.
Auditing cost of goods sold. Cost of goods sold is usually determined by starting with the
book value of beginning inventory, adding purchases or production costs, and subtracting
the book value of ending inventory. Beginning inventory is normally validated by the previous
year’s audit. Purchases are audited as part of the tests of transactions in the
purchasing process (see Chapter 12). For a manufacturing company, the auditor will have
to audit the process of accumulating transactions regarding the purchases of raw materials
(this may be audited as part of auditing the purchasing process), the allocation of direct pay-
roll costs to inventory (this may be audited as part of auditing the payroll process), and the
allocation of indirect payroll costs and factory overhead to the cost of production. The audi-
tor will often perform tests of transactions related to the accumulation of production costs.
As part of this process, the auditor should pay attention to variances from standard costs
and determine the degree to which these variances are period costs (and should be allocated
to cost of sales) or whether they are product costs (and part of the variance should be allo-
cated to the cost of ending inventory). The process of auditing manufacturing costs involves
significant professional judgment, and this is often performed by auditors that have some
experience auditing manufacturing companies. Ultimately, the auditor should also validate
adjusting journal entries at year-end to adjust the value of ending inventory, based on the
audit procedures suggested above, and determine the appropriateness of related charges to
cost of goods sold.

Testing Presentation and Disclosure
It is customary to identify the major inventory categories in the notes to the financial state-
ments. In addition, there should be disclosure of the inventory costing method(s) used, the
assignment or pledging of inventories, and the existence of major purchase commitments.
Evidence pertaining to statement presentation and disclosure is often obtained by the sub-
stantive tests described previously. Further evidence may be obtained, as needed, from a
review of the minutes of board of directors’ meetings and from inquiries of management.
Based on the evidence and a comparison of the client’s financial statements with applicable
accounting pronouncements, the auditor determines the propriety of the presentation and
disclosures.
Inquiry of management is also used to determine the existence of binding contracts for
future purchases of goods. When such commitments exist, the auditor should examine the
terms of the contracts and evaluate the propriety of the company’s accounting and reporting.
When material losses exist on purchase commitments, they should be recognized in the finan-
cial statements, together with a disclosure of the circumstances.
At this point, we have discussed the risks, audit strategies, and audit plans for auditing
the revenue process, the purchasing process, the payroll process, cash, and inventory. Before
you begin the next section on auditing property, plant, and equipment, take a blank piece of
paper, write out the assertions, think about the risks associated with each assertion, and think
about the audit strategy and audit procedures you would plan for the audit of property, plant,
and equipment. When you are finished, take a moment and do the same exercise for long-term
debt. Think about how property, plant, and equipment and long-term debt are connected, and
then develop an audit plan for long-term debt. Then, read the remainder of the chapter.

Cloud 9 - Continuing Case

Suzie and Ian spend a considerable amount of time discussing the substantive procedures they will include in the audit program for Cloud 9’s inventory. Cloud 9’s core business is importing and wholesaling inventory; in addition, they have now established a retail store. The importance of inventory to the business’s success means that Cloud 9’s senior managers are very aware of the issues surrounding good inventory systems and handling procedures. The audit team has already recognized the importance of these systems by focusing much attention on the controls relating to inventory. However, Suzie and Ian have some concerns about their ability to gather sufficient appropriate evidence about Cloud 9’s inventory management system, and they know that if inventory is misstated in the financial statements, it is unlikely that the financial statements are presented fairly in all material respects.

Suzie and Ian decide that they will gather substantive evidence from the inventory counts at Cloud 9 to add to the evidence gathered from analytical procedures and vouching of inventory transactions. Suzie also decides to take charge of writing the program for gathering evidence on the contracts surrounding the inventory transactions between Cloud 9 and the overseas manufacturers. She wants to be sure that the accounts appropriately reflect the terms of these contracts with respect to transfer of inventory ownership. She asks Ian to take charge of reviewing Cloud 9’s procedures for identifying damaged, slow-moving, excess, out-of-style, and obsolete inventory.

Before You Go On
2.1 Explain how the audit of inventory would be different for an oil and gas field equipment
manufacturer than it would be for a retail grocer.
2.2 Assume that, when performing analytical procedures, an auditor notices inventory turnover
in days slowing from 33 days to 43 days, and gross margin increasing from 40% to 47%. What
assertions might be misstated?
2.3 Explain the concept of the client’s cycle counts and how they relate to management’s assertions.
2.4 Assume that you are auditing an oil and gas field equipment manufacturer. Explain several
key controls that you would expect to find related to the valuation and allocation assertion.
2.5 Determining the value of inventory as reported on the balance sheet is normally a three-step
process. Explain the three steps.
2.6 Explain the importance of the auditor’s inventory observation. Further, explain three audit
procedures performed during an inventory observation related to three different assertions.
2.7 Explain how the auditor will audit the lower-of-cost-or-NRV of inventory.

Auditing Property, Plant, and Equipment


LEARNING OBJECTIVE 3
Evaluate how an auditor determines and executes an audit strategy, including the
use of ADA, for property, plant, and equipment, and depreciation expense.

The following section focuses on a material aspect of a company’s investing activities: the
acquisition, use, and sale of property, plant, and equipment. Investing activities include the
purchase and sale of land, buildings, equipment, and other long-term assets not generally held
for resale. In addition, investing activities include the purchase and sale of financial
instruments not intended for trading purposes. The primary focus of this section will be on the
audit of property, plant, and equipment. An entity acquires property, plant, and equipment assets
because they support its operations and core processes.

investing activities  the purchase and sale of land, buildings, equipment, and other long-term
assets not generally held for resale; in addition, investing activities include the purchase and
sale of financial instruments that are not intended for trading purposes
Understanding the Flow of Transactions
During the audit of inventory, an auditor expects that inventory has turned over several times
during the year and that none of the inventory that was on hand during the prior audit would
still be present. However, with property, plant, and equipment, the auditor’s expectations are
just the opposite—most of the property, plant, and equipment that was on hand at the beginning
of the year will still be on hand at the end of the year. Therefore, substantive tests of
property, plant, and equipment often focus on:

•  Agreeing the beginning balance in property, plant, and equipment to the prior year’s audit.
•  Auditing the acquisition of new property, plant, and equipment.
•  Auditing the disposal of property, plant, and equipment.
•  Auditing the depreciation of property, plant, and equipment.

Understanding the Entity and Its Environment


When an auditor develops a business-based approach to auditing property, plant, and equipment,
it is essential to understand how the long-term assets support the operations of the entity.
For example, a forest products company will usually make significant investments in timber and
timberlands, as well as manufacturing facilities. As a rule of thumb, most businesses will
acquire new assets if the rate of return generated by those assets exceeds the after-tax marginal
cost of debt financing associated with acquiring additional assets. The first step in auditing
property, plant, and equipment involves understanding the assets that are needed to support the
entity’s operations (e.g., investments in the supply chain, manufacturing facilities, land, or
natural resources) and the rate of return a company expects to achieve from its underlying asset base.
The auditor will often look at how the entity is growing and determine the assets needed to
support that growth. The auditor will also obtain an understanding of how newly acquired assets
are financed. The issue of how long-term assets are financed has received substantial attention as
the FASB has adopted new standards for accounting for leases. The new accounting standard on
leases will take effect for public companies for fiscal years beginning after December 15, 2018.
For all other organizations, the standard on leases will take effect for fiscal years beginning after
December 15, 2019.
Illustration 13.13 provides summary financial information related to fixed assets as
a percent of total assets, a measure of return on assets, and a summary of how all of the
company’s assets are financed for the various industries we followed in Chapters 11 and 12.
There is a significant variation from industry to industry. It is important to develop a good
understanding of the audit client to develop expectations regarding the client’s financial
statements.

ILLUSTRATION 13.13   Understanding the importance of property, plant, and equipment, and debt for various industries

Oil and Gas Field Machinery and Equipment Manufacturing
  Example Industry Traits
  •  Fixed assets are a modest portion of total assets for these companies.
  •  Financing debt is slightly more than the amount of fixed assets.
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements
  Net Fixed Assets as a % of Total Assets: 22.9%
  Sales ÷ Net Fixed Assets: 8.4
  Profit Before Tax as a % of Total Assets: 3.4%
  Operating Debt as a % of Total Assets: 28.1%
  Financing Debt as a % of Total Assets: 23.8%
  Equity as a % of Total Assets: 48.1%
  Assessing the Risk of Material Misstatement
  •  There is little risk of asset obsolescence.
  •  Debt tends to be stable and concentrated with a few sources.

Electronic Computer Manufacturing
  Example Industry Traits
  •  Fixed assets are a smaller proportion of total assets as a significant amount of
     production is outsourced.
  •  Financing debt is significant relative to the investment in fixed assets.
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements
  Net Fixed Assets as a % of Total Assets: 11.6%
  Sales ÷ Net Fixed Assets: 35.2
  Profit Before Tax as a % of Total Assets: 5.2%
  Operating Debt as a % of Total Assets: 39.4%
  Financing Debt as a % of Total Assets: 22.9%
  Equity as a % of Total Assets: 37.7%
  Assessing the Risk of Material Misstatement
  •  Chip manufacturers, rather than computer manufacturers, have a higher degree of
     obsolescence of production technology.
  •  Debt tends to be stable and concentrated with a few sources.

Supermarkets and Other Grocery Stores
  Example Industry Traits
  •  Fixed assets and having key locations are important for grocery retailers. Currently,
     retail grocers have significant operating leases associated with locations.
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements
  Net Fixed Assets as a % of Total Assets: 33.1%
  Sales ÷ Net Fixed Assets: 21.2
  Profit Before Tax as a % of Total Assets: 9.2%
  Operating Debt as a % of Total Assets: 37.5%
  Financing Debt as a % of Total Assets: 29.2%
  Equity as a % of Total Assets: 33.3%
  Assessing the Risk of Material Misstatement
  •  Significant use of long-term operating leases. Expect a significant increase in net
     fixed assets and financing debt under the new accounting rules for leased assets.
  •  Property, plant, and equipment is material and capital expenditures are often also
     material.

Hotels and Motels
  Example Industry Traits
  •  Properties are a key asset for many hotels and motels. Operating leases are likely to
     be significant.
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements
  Net Fixed Assets as a % of Total Assets: 69.6%
  Sales ÷ Net Fixed Assets: 0.8
  Profit Before Tax as a % of Total Assets: 5.8%
  Operating Debt as a % of Total Assets: 22.5%
  Financing Debt as a % of Total Assets: 62.0%
  Equity as a % of Total Assets: 15.5%
  Assessing the Risk of Material Misstatement
  •  Property, plant, and equipment is material and capital expenditures are often also
     material.
  •  Long-term operating leases may be significant. Expect a significant increase in net
     fixed assets and financing debt under the new accounting rules for leased assets.
  •  Many properties are financed with long-term debt.

Colleges, Universities, and Professional Schools
  Example Industry Traits
  •  Property, plant, and equipment is a key asset.
  Developing a Knowledgeable Perspective About the Entity’s Financial Statements
  Net Fixed Assets as a % of Total Assets: 50.7%
  Sales ÷ Net Fixed Assets: 0.8
  Profit Before Tax as a % of Total Assets: 1.1%
  Operating Debt as a % of Total Assets: 13.3%
  Financing Debt as a % of Total Assets: 29.3%
  Equity as a % of Total Assets: 57.4%
  Assessing the Risk of Material Misstatement
  •  Property, plant, and equipment is material.
  •  More recent investments are often investments in technology more than bricks and mortar.

Understanding the Results of Analytical Procedures


Analytical procedures are required as part of risk assessment. They are cost-effective and they
may assist the auditor in planning the nature, extent, and timing of other procedures.
Illustration 13.14 presents some example analytical procedures along with an explanation of the
problems they might identify. Plant assets should be relatively stable and grow at approximately
the rate of sales growth. Results of analytical procedures could highlight issues related
to appropriateness of depreciation expense and proper capitalization of costs in plant asset
accounts.

ILLUSTRATION 13.14   Analytical procedures for property, plant, and equipment

Ratio: Fixed assets turnover
Formula: Net sales ÷ Average fixed assets
Audit Significance: An unexpected increase in fixed assets turnover may indicate the failure
to record or capitalize depreciable assets.

Ratio: Total assets turnover
Formula: Net sales ÷ Average total assets
Audit Significance: An unexpected increase in total assets turnover may indicate the failure
to record or capitalize depreciable assets.

Ratio: Return on total assets
Formula: {Net income + [Interest × (1 – Tax rate)]} ÷ Average total assets
Audit Significance: An unexpected increase in return on assets may indicate the failure to
record or capitalize depreciable assets.

Ratio: Depreciation expense as a percent of property, plant, and equipment
Formula: Depreciation expense ÷ Average property, plant, and equipment
Audit Significance: An unexpected increase or decrease in the depreciation expense as a
percent of depreciable assets may indicate an error in calculating depreciation.

Ratio: Repair expenses to net sales
Formula: Repair and maintenance expense ÷ Net sales
Audit Significance: An unexpected increase in repair and maintenance expense may indicate
the possibility that assets that should have been capitalized were expensed.

Assessing Inherent Risk


Inherent risk for property, plant, and equipment is not straightforward. The following
discussion outlines some key factors that influence the auditor’s thinking about inherent risk:

•  Existence. Inherent risk for the existence assertion may be low because fixed assets are
not vulnerable to theft. However, the appropriate classification of transactions may be
an issue when companies make decisions about whether a transaction should be directly
expensed versus capitalized as an asset. WorldCom and other companies managed earnings
by capitalizing transactions rather than appropriately expensing items. The existence
of assets is called into question if they should be directly expensed.
•  Completeness. Inherent risk may be high or maximum if it is difficult to determine if the
economic substance of a lease is an operating lease or a finance (capital) lease. However,
beginning in 2019, most leases will be treated as finance leases for public companies.
•  Rights and obligations. Inherent risk is often high because assets are usually pledged as
collateral for underlying debt.
•  Valuation and allocation. Inherent risk may be high or maximum depending on the industry,
the degree of difficulty associated with estimating useful lives and salvage values for
depreciation methods, and the extent to which the value of long-lived assets is impaired.
•  Presentation and disclosure assertions. Fixed assets disclosures are relatively
straightforward and misstatements represent only a moderate inherent risk.

Professional Environment  Restatements Related to Long-Lived Assets


Audit Analytics [2] recently reported a summary of restatements due to property, plant, and
equipment, intangible asset, or fixed asset issues for a 17-year period ending in 2017.
Property, plant, and equipment, intangible asset, or fixed asset issues consist of
misstatements either in calculation, approach, or theory that have taken place in the
recording of assets, goodwill, intangibles, or contra liabilities that are required to be
valued or assessed for declines in value on a period basis. This description covers
misreporting of fixed assets, buildings, leasehold improvements, intangibles, goodwill,
securities, investments, etc. As seen below, during the period of 2004–2005, these
misstatements are in excess of 13.2% of all restatements. However, during the period of
2007–2017, these misstatements decrease significantly as a percentage of all financial
statement restatements (5.7% to 8.3% of all restatements).

Disclosure Year                             2004   2005   2006   2007   2008   2009   2010   2011   2012   2013   2014   2012   2013   2014
Expense recording issues                     130    208    183     95     61     49     63     70     63     50     61     49     49     39
% of all financial statement restatements  13.7%  13.2%   9.8%   7.4%   6.3%   5.9%   7.4%   8.3%   7.4%   5.7%   7.1%   6.5%   7.2%   7.1%

Assessing Control Risk and Fraud Risk


Strong entity-level controls, such as a strong control environment, effective risk assessment,
effective accountability for the use of resources, effective monitoring of the control system,
and strong IT general controls, continue to be important. One of the key transactions
associated with plant assets is the initial accounting for the acquisition of plant assets. The
features of the accounting system and specific control procedures associated with the expenditure
process, discussed in Chapter 12, apply to the acquisition of property, plant, and equipment and
the appropriate classification of repair and maintenance expenditures. The controls described
in Chapter 12 over the occurrence, completeness, accuracy, cutoff, and classification of
purchases should also control the acquisition of fixed assets. Transactions that are individually
material, such as the acquisition of land, buildings, or major capital expenditures, are usually
subject to additional controls including capital budgets and authorization by the board of
directors. Further, a disclosure committee may be involved in addressing the appropriate
classification of complex leases as operating leases or finance leases (up through the adoption of
new accounting standards for lease recognition), as well as reviewing depreciation policies for
new assets and the reasonableness of assumptions about useful lives and salvage values. Once
depreciation policies are determined, software applications are used to calculate depreciation
expense and these programs usually include reasonableness tests such as limit tests to ensure
that assets are not overdepreciated (e.g., the book value of assets should be greater than zero).

[2] Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year
Comparison (Audit Analytics: Sutton, MA, 2018).

Controls over the disposition of assets should include specific authorization controls for
the sale or trade-in of fixed assets. Because the sale or trade-in of fixed assets is less routine,
an entity may develop specific controls to test the completeness and accuracy of accounting
for these transactions.
Controls over fixed asset balances often include physical controls over fixed assets as well as the
maintenance of a fixed asset inventory that is periodically checked against existing assets. Controls
over the valuation of assets at historic costs are directly related to the controls over the valuation
of recorded transactions. The disclosure committee should also review any rights or obligations
issues and issues surrounding asset impairment on a regular basis. Finally, the disclosure
committee should review all financial statement disclosures before they are presented to the auditor.

Fraud Risk Assessment


Frauds related to property, plant, and equipment are similar to other frauds discussed in Chapter
12 related to purchasing and procurement fraud. Many fixed asset frauds involve fictitious invoices,
phantom vendors, or bid rigging and kickbacks. Auditors should also be alert to fraudulent
financial reporting schemes that capitalize items that should be expensed. The opportunity to commit
these frauds can be significantly reduced with strong internal controls over fixed asset acquisitions.

Audit Data Analytics as a Risk Assessment Procedure


Audit data analytics as a risk assessment procedure are probably most effective in the audit of
capital-intensive companies, such as an oil refinery. Several examples of audit data analytics include:

•  Searching the audit population for significant gains or losses on the disposal of assets.
This may be an indication of poor decisions about useful lives or salvage values affecting
depreciation calculations.
•  Analyzing capital expenditures versus expenditures for repair and maintenance.
•  Analyzing the most common requests for maintenance.
•  Analyzing construction costs to determine the amount of work allocated to various
contracts. An excessive amount of work allocated to one contractor may surface problems
with bid rigging or kickbacks.
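
Three of the analytics listed above (disposal gains and losses, capital versus repair spending, and contractor concentration), sketched in Python as an added example that is not part of the textbook. All data is constructed, and the function names and the 25%, 15-point and 50% thresholds are assumptions that an auditor would set from materiality and expectations.

```python
from collections import defaultdict

# Constructed sample data for illustration; none of it comes from the textbook.
DISPOSALS = [
    {"asset": "FA-1001", "cost": 120_000, "accum_dep": 90_000, "proceeds": 31_000},
    {"asset": "FA-1002", "cost": 80_000, "accum_dep": 20_000, "proceeds": 15_000},
    {"asset": "FA-1003", "cost": 50_000, "accum_dep": 50_000, "proceeds": 22_000},
    {"asset": "FA-1004", "cost": 200_000, "accum_dep": 150_000, "proceeds": 48_000},
]
SPEND_BY_YEAR = {
    2021: {"capex": 900_000, "repairs": 100_000},
    2022: {"capex": 600_000, "repairs": 400_000},
}
CONSTRUCTION_COSTS = [  # (contract, contractor, amount)
    ("C-01", "Contractor A", 400_000),
    ("C-02", "Contractor B", 150_000),
    ("C-03", "Contractor A", 350_000),
    ("C-04", "Contractor C", 100_000),
]


def disposal_exceptions(disposals, threshold=0.25):
    """Flag disposals whose gain or loss exceeds `threshold` of original cost.

    A large loss suggests depreciation was inadequate; a large gain suggests
    the asset was depreciated too aggressively.
    """
    flagged = []
    for d in disposals:
        book_value = d["cost"] - d["accum_dep"]
        gain_loss = d["proceeds"] - book_value  # negative = loss on disposal
        if abs(gain_loss) > threshold * d["cost"]:
            flagged.append({"asset": d["asset"], "gain_loss": gain_loss})
    return flagged


def _repair_share(spend):
    """Repairs and maintenance as a share of capital plus repair spending."""
    total = spend["capex"] + spend["repairs"]
    return spend["repairs"] / total if total else 0.0


def repair_share_shifts(spend_by_year, max_shift=0.15):
    """Flag years where the repair share moved more than `max_shift` year over year.

    A jump may mean capital items were expensed; a drop may mean expenses
    were capitalized.
    """
    flagged = []
    years = sorted(spend_by_year)
    for prior, current in zip(years, years[1:]):
        shift = _repair_share(spend_by_year[current]) - _repair_share(spend_by_year[prior])
        if abs(shift) > max_shift:
            flagged.append((current, round(shift, 2)))
    return flagged


def contractor_concentration(postings, max_share=0.5):
    """Return contractors whose share of total construction cost exceeds `max_share`."""
    totals = defaultdict(int)
    for _contract, contractor, amount in postings:
        totals[contractor] += amount
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}
    return {
        contractor: round(amount / grand_total, 2)
        for contractor, amount in totals.items()
        if amount / grand_total > max_share
    }


if __name__ == "__main__":
    print("Disposals to investigate:", disposal_exceptions(DISPOSALS))
    print("Repair share shifts:", repair_share_shifts(SPEND_BY_YEAR))
    print("Concentrated contractors:", contractor_concentration(CONSTRUCTION_COSTS))
```

Each flagged item is a lead for tests of details, not a conclusion that a misstatement or fraud exists.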

Determining an Audit Strategy


As we have discussed in other audit areas, the audit strategy is highly dependent on the
client’s system of internal controls. A strong tone at the top regarding reporting accurate
earnings will affect professional judgments about depreciation calculations and decisions about
capitalizing versus expensing various transactions.
The auditor’s strategy in a recurring audit also focuses on auditing three key transaction
streams: (1) acquisitions of PPE, (2) depreciation of PPE, and (3) disposals of PPE. When
internal controls are strong, and the results of analytical procedures appear normal, the auditor
may perform limited testing of these three transaction streams. On the other hand, if a private
company or not-for-profit organization is undergoing significant capital expansion, and internal
controls are weak, the auditor will likely increase sampling and audit a more significant portion
of fixed asset additions.

Substantive Tests for Property, Plant, and Equipment
Possible substantive tests for the audit of property, plant, and equipment in a recurring
engagement are shown in Illustration 13.15. Each substantive test is explained in the following sections.

ILLUSTRATION 13.15  Substantive tests for property, plant, and equipment

Category / Substantive Test [Assertions]

Initial procedures
1. Obtain an understanding of the entity and its environment and determine: [All]
   a. The significance of plant assets, and changes in plant assets, to the entity.
   b. Key economic drivers that influence the entity’s acquisition of plant assets.
   c. Industry standards for the extent to which the entity is capital-intensive and the impact of
      plant assets on earnings.
   d. The degree to which the company has operating leases and finance leases to finance assets.
2. Perform initial procedures on plant asset balances and records that will be subjected to further
   testing.
   a. Trace beginning balance for plant assets and accumulated depreciation to the prior year’s
      working papers. [Existence, Completeness]
   b. Review activity in general ledger accounts for plant assets and depreciation expense and
      investigate entries that appear unusual in amount or source. [Valuation and allocation]
   c. Obtain client-prepared schedules of plant asset additions, retirements, and depreciation
      expense, and determine that they accurately represent the underlying accounting records
      from which they were prepared by:
      i. Footing and cross-footing the schedules and reconciling the totals with increases or
         decreases in the related general ledger balances during the period.
      ii. Testing agreement of items on schedules with entries in related general ledger accounts.

Analytical procedures
3. Perform analytical procedures: [All]
   a. Develop an expectation for plant assets using knowledge of the industry and the entity’s
      business activity.
   b. Calculate ratios such as:
      i. Fixed asset turnover.
      ii. Depreciation expense as a percent of sales.
      iii. Repair and maintenance expense as a percent of sales.
      iv. Rate of return on assets.
   c. Analyze ratio results relative to expectations based on prior years, industry data, budgeted
      amounts, or other data.

Tests of details of transactions
4. Vouch plant asset additions to supporting documentation. [Occurrence, Accuracy]
5. Vouch plant asset disposals to supporting documentation. [Occurrence, Accuracy]
6. Vouch a sample of larger entries to repairs and maintenance expense. [Completeness, Valuation]
7. Vouch the recording of new finance leases and operating leases to underlying contracts.
   [Occurrence, Completeness, Accuracy, Rights and obligations*]
8. Evaluate the fair presentation of depreciation expense by evaluating the appropriateness of
   useful lives and estimated salvage values. [Valuation and allocation]

Tests of details of balances
9. Inspect plant assets. [Existence]
   a. Inspect additions to plant assets.
   b. Tour other plant assets and be alert to evidence of additions and disposals not included on
      client’s schedules and to conditions that bear on the proper valuation and classification of
      the plant assets. [Existence, Completeness]
10. Confirm if assets are pledged as collateral for loans. [Rights and obligations]
11. Examine any significant events that could result in an impairment of the value of plant assets.
    [Valuation and allocation]

Presentation and disclosure
12. Compare statement presentation with GAAP.
   a. Determine that plant assets and related expenses, gains, and losses are properly identified
      and classified in the financial statements. [Classification and understandability,
      Accuracy and valuation]
   b. Determine the appropriateness of disclosures related to the cost, book value, depreciation
      methods, and useful lives of major classes of plant assets, the pledging of plant assets as
      collateral, and the terms of lease contracts. [Accuracy and valuation, Occurrence and rights
      and obligations]
   c. Evaluate the completeness of presentation and disclosures for property, plant, and
      equipment in drafts of financial statements to determine conformity to GAAP by reference to
      disclosure checklist. [Completeness]
   d. Read disclosures and independently evaluate their understandability. [Classification and
      understandability]

*In this case, testing transactions also provides evidence about an account balance assertion.

Initial Procedures
An important initial procedure involves obtaining an understanding of the importance of
property, plant, and equipment to the business and industry. As discussed earlier, it is
important for the auditor to understand how assets support core activities of the entity and the
generation of earnings. This understanding of the economic substance behind plant asset
transactions provides the context for evaluating the reasonableness of evidence collected
during the audit.
Before performing other substantive tests in the audit program, the auditor determines
that the beginning general ledger balance for plant asset accounts agrees with the prior
period’s working papers. Among other things, this comparison will confirm that any adjustments
determined to be necessary at the conclusion of the prior audit that were reflected in the prior
period’s published financial statements were properly booked and carried forward. Next, the
auditor should test the mathematical accuracy of client-prepared schedules of additions and
disposals and reconcile the totals with changes in the related general ledger balances for plant
assets during the period. In addition, the auditor should test the schedules by vouching items
on the schedules to entries in the ledger accounts and tracing ledger entries to the schedules
to determine that they are an accurate representation of the accounting records from which
they were prepared. The schedules may then be used as the basis for several of the other audit
procedures. Illustration 13.16 illustrates an auditor’s lead sheet schedule for plant assets and
accumulated depreciation.

ILLUSTRATION 13.16  Property, plant, and equipment lead schedule

Client: New Millennium Ecoproducts
Bell & Bowerman, LLP
Property, Plant, and Equipment, and Accumulated Depreciation
Reference: G - Lead
Period-end: 12/31/22
Prepared by: W.C.B.    Date: 2/4/23
Reviewed by: R. E. Z.  Date: 2/12/23

Property, Plant, and Equipment

W/P   Acct.                            Balance                                       Adjustments      Balance
Ref.  No.    Account Title             12/31/21         Additions      Disposals     DR / (CR)        12/31/22
G-1   301    Land                      $  450,000 (a)                                                 $  450,000
G-2   302    Buildings                  2,108,000 (a)   $  125,000                   $(25,000) (b)     2,208,000
G-3   303    Machinery and Equipment    3,757,250 (a)      980,000     $370,000        25,000  (b)     4,392,250
G-4   304    Furniture and Fixtures       853,400 (a)      140,000      110,000                          883,400
                                       $7,168,650       $1,245,000     $480,000      $      –         $7,933,650
                                       (✓)              (✓)            (✓)           (✓)              (✓✓)

Accumulated Depreciation

W/P   Acct.                            Balance          Depreciation                 Adjustments      Balance
Ref.  No.    Account Title             12/31/21         Expense        Disposals     (DR) / CR        12/31/22
G-1   301    Land                      $        – (a)                                                 $        –
G-2   302    Buildings                    379,440 (a)   $ 84,320 G-5                 $(1,000) (b)        462,760
G-3   303    Machinery and Equipment    1,074,210 (a)    352,910 G-5   $172,500        1,000  (b)      1,255,620
G-4   304    Furniture and Fixtures       217,450 (a)     43,250 G-5     21,000                          239,700
                                       $1,671,100       $480,480       $193,500      $      –         $1,958,080
                                       (✓)              (✓)            (✓)           (✓)              (✓✓)

(a) Traced to general ledger and 12/31/21 working papers.
(b) To reclassify cost and related accumulated depreciation from purchased equipment recorded as buildings.
See Adjusting entry #2 on W/P AE-4
(✓) Footed.
(✓✓) Footed and cross-footed.
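
The footing and cross-footing marked (✓) and (✓✓) on the lead schedule, as an added Python example that is not part of the textbook. The figures are transcribed from Illustration 13.16; the function names, the signed treatment of adjustments, and the keying error in the second schedule are assumptions made for the illustration.

```python
# Columns, in order, for each account on the lead schedule.
COLUMNS = ("beginning", "increase", "disposals", "adjustments", "ending")

# Figures transcribed from Illustration 13.16. "increase" is Additions on the
# cost side and Depreciation Expense on the accumulated depreciation side.
# Adjustments shown in parentheses on the schedule are entered as negatives.
COST = {
    "Land": (450_000, 0, 0, 0, 450_000),
    "Buildings": (2_108_000, 125_000, 0, -25_000, 2_208_000),
    "Machinery and Equipment": (3_757_250, 980_000, 370_000, 25_000, 4_392_250),
    "Furniture and Fixtures": (853_400, 140_000, 110_000, 0, 883_400),
}
COST_TOTALS = (7_168_650, 1_245_000, 480_000, 0, 7_933_650)

ACCUM = {
    "Land": (0, 0, 0, 0, 0),
    "Buildings": (379_440, 84_320, 0, -1_000, 462_760),
    "Machinery and Equipment": (1_074_210, 352_910, 172_500, 1_000, 1_255_620),
    "Furniture and Fixtures": (217_450, 43_250, 21_000, 0, 239_700),
}
ACCUM_TOTALS = (1_671_100, 480_480, 193_500, 0, 1_958_080)


def foot(schedule, stated_totals):
    """Add each column down and return {column: difference} where the sum
    of the rows does not agree with the total stated on the schedule."""
    differences = {}
    for index, column in enumerate(COLUMNS):
        computed = sum(row[index] for row in schedule.values())
        if computed != stated_totals[index]:
            differences[column] = computed - stated_totals[index]
    return differences


def cross_foot(schedule):
    """Roll each row forward and return {account: difference} where
    beginning + increase - disposals + adjustments != ending."""
    differences = {}
    for account, (beginning, increase, disposals, adjustments, ending) in schedule.items():
        computed = beginning + increase - disposals + adjustments
        if computed != ending:
            differences[account] = computed - ending
    return differences


def possible_transposition(difference):
    """A nonzero difference divisible by 9 is consistent with two digits
    having been transposed when the amount was keyed."""
    return difference != 0 and difference % 9 == 0


def schedule_with_keying_error():
    """Constructed variant of the cost schedule: Machinery and Equipment
    additions keyed as 908,000 instead of 980,000, ending balance unchanged."""
    altered = dict(COST)
    altered["Machinery and Equipment"] = (3_757_250, 908_000, 370_000, 25_000, 4_392_250)
    return altered


if __name__ == "__main__":
    for name, schedule, totals in (("Cost", COST, COST_TOTALS),
                                   ("Accumulated depreciation", ACCUM, ACCUM_TOTALS)):
        print(name, "foot:", foot(schedule, totals), "cross-foot:", cross_foot(schedule))
    altered = schedule_with_keying_error()
    for account, diff in cross_foot(altered).items():
        print(account, "is off by", diff, "transposition?", possible_transposition(diff))
```

The schedule as printed foots and cross-foots cleanly; the altered copy is off by 72,000 in both the additions column and the Machinery and Equipment row, which points the auditor at a single cell.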

Substantive Analytical Procedures


An important part of auditing property, plant, and equipment involves determining that the
financial information is consistent with the auditor’s expectations. During risk assessment,
the auditor develops expectations by being knowledgeable of the business and industry and
performing analytical procedures. The analytical procedures in Illustration 13.14 can be used
again during risk response to assess the reasonableness of balances for plant assets,
depreciation expense, repair and maintenance expense, and expenses associated with operating leases.
The auditor should maintain an appropriate level of professional skepticism and investigate
any abnormal results by performing tests of details to gather additional evidence. If, however,
the results of substantive analytical procedures at interim or year-end are consistent with the
auditor’s expectations, the audit strategy might be modified to reduce the extent of tests of
transactions and/or balances.

Tests of Details of Transactions


The following substantive tests address three types of transactions for property, plant, and
equipment: (1) additions, (2) disposals, and (3) repair and maintenance.
Vouch plant asset additions. All major additions should be supported by documentation
in the form of authorizations in a capital budget, receiving reports, vouchers, vendor invoices,
contracts, and canceled checks. The recorded amounts should be vouched to supporting
documentation. If there are numerous transactions, the vouching may be done on a sample basis.
In performing this procedure, the auditor ensures that appropriate accounting recognition has
been given to installation costs, freight-in, and similar costs. For construction in progress, the
auditor may review the contract and documentation in support of construction costs.
When plant assets are acquired under a finance lease, the cost of the property and the
related liability should be recorded at the present value of the future minimum lease
payments. The accuracy of the client’s determination of the present value of the lease liability
should also be verified by recomputation. Vouching property, plant, and equipment additions
provides evidence about the existence and valuation and allocation assertions. When you look
at Illustration 13.16, testing of the additions to Buildings, Machinery and Equipment, and
Furniture and Fixtures would be found on working papers G-2, G-3, and G-4, respectively.
Vouch plant asset disposals. Evidence of sales, retirements, and trade-ins should be
available to the auditor in the form of cash remittance advices, written authorizations, and sales
agreements. The documentation should be carefully examined to determine the accuracy and
propriety of the accounting records, including the recognition of a gain or loss, if any. The
following procedures may also be useful to the auditor in determining whether all retirements
have been recorded:

•  Analyze the miscellaneous revenue accounts for proceeds from sales of plant assets.
•  Investigate the disposition of facilities associated with discontinued product lines and
operations.
•  Review insurance policies for termination or reductions of coverage.
•  Make inquiry of management as to retirements.

Evidence that all retirements or disposals have been properly recorded relates to the
existence and valuation and allocation assertions. Evidence supporting the validity of transactions
that reduce plant asset balances relates to the completeness assertion. Finally, evidence
obtained while auditing disposals of plant assets may assist in the audit of depreciation expense.
Significant losses on the disposal of assets may indicate that depreciation estimates may be
inadequate. Significant gains may indicate the client is overly aggressive in depreciating assets.
When you look at Illustration 13.16, testing of the disposals of Machinery and Equipment, and
Furniture and Fixtures would be found on working papers G-3 and G-4, respectively.
Inspect entries to repairs and maintenance expense. The purpose of the auditor’s test of repair
and maintenance expense is to determine the propriety and consistency of these charges.
Propriety involves a consideration of whether the client has made appropriate distinctions between
items that should be capitalized or expensed. Accordingly, the auditor should scan the
individual charges to identify those that are sufficiently material to be capitalized. For these
items, the auditor should examine supporting documentation, such as the vendor invoice, company work
order, and management authorization, to determine the propriety of the charge or the need for
an adjusting entry. The auditor should also consider other expenses that an entity might have
capitalized, such as the capitalization of interest costs related to self-constructed assets.
Consistency refers to a determination of whether the company’s criteria for
distinguishing between capital items and expenditures are the same as in the preceding year. This
substantive procedure provides important evidence concerning the completeness assertion for
plant assets because it should reveal expenditures that should be capitalized. Inspecting the
entries to repairs expense also results in evidence about the valuation of the plant assets.
Examine entries for depreciation expense. In this test, the auditor seeks evidence on the
reasonableness, consistency, and accuracy of depreciation expense for the period. An essential
starting point for the auditor is determining the depreciation methods used by the client during
the year under audit. The methods can be identified from a review of depreciation schedules
prepared by the client and inquiry of the client. The auditor must then determine whether the
methods currently in use are consistent with the preceding year. During a recurring audit, this
can be established by a review of the prior year’s working papers.
Determination of the reasonableness of depreciation expense involves a consideration
of such factors as (1) the client’s past history in estimating useful lives and (2) the remaining
useful lives of existing assets. The auditor’s verification of accuracy is achieved through
recalculation. Ordinarily, this is done on a selective basis by recomputing the depreciation on major
assets and testing depreciation recorded on additions and retirements during the year.
Evidence of unusual gains and losses on the retirement or sale of assets may indicate that
depreciation estimates may be misstated. Illustration 13.16 shows that testing depreciation expense
would be found on working paper G-5.

Audit Reasoning Example: Large Gains and the Reasonableness of Depreciation Expense

David, an audit manager, was reviewing Kristina’s work in auditing plant assets for a construction
company that did a great deal of road building and repair work. David comments, “I see that there
were significant gains when the company replaced a variety of equipment this year. You have
correctly tested the calculation of the gains. Do you think there are other issues for this year’s
audit?” Kristina is a bit puzzled. “If the gains are correct, what other issues might there be?” David
comments, “If there are so many gains, and they are relatively large, is that an indication of
underdepreciating these assets? If these assets are underdepreciated, could we have a similar
problem with other assets on the books? Let’s go back and look at the current depreciation methods
for these classes of assets. If we recalculated depreciation for the existing assets, using different
assumptions, would we find a material difference from our current depreciation calculations? I
think we need to look carefully at this issue.”

Tests of Details of Balances


In many ways the auditor’s tests of transactions also serve as tests of balances. If the auditor
traces the beginning balance to prior year’s working papers, and then obtains sufficient,
appropriate evidence about the transactions for the period, the auditor has audited the ending
balance. The following procedures focus on inspecting plant assets, determining if assets have
been pledged as collateral for loans, and evaluating whether assets have been impaired.

Inspect plant assets. Often, the auditor will tour the client’s facilities and inspect plant
assets. Inspecting enables the auditor to obtain direct personal knowledge of the existence of
plant assets. In a recurring engagement, detailed inspections may be limited to items listed on
the schedule of plant asset additions. During a tour of plant assets, an auditor should be alert
to other evidence relevant to plant assets. For example, the astute auditor will look for
indications of additions or retirements not listed on the schedules that relate to the completeness and
existence assertions, and to evidence regarding the general condition of other plant assets, and
whether they are currently being used, that relates to the valuation and allocation assertion.

Confirm if assets have been pledged as collateral for loans. The auditor will often obtain
evidence about whether assets have been pledged as collateral for loans when sending
confirmations regarding loans and debt agreements. Even though invoices for the purchase of
property, plant, and equipment might be marked “paid,” it is possible that the same asset has
been pledged as collateral for a loan. Lease agreements convey to the lessee the right to use
property, plant or equipment for a specific period of time. Auditors should read lease
agreements to determine the proper accounting classification of leases. When finance leases exist,
both an asset and a liability should be recognized on the balance sheet. Examination of lease
agreements also provides significant evidence relevant to note disclosures. These procedures
provide important evidence related to the rights and obligations assertion.

Examine impairment of property, plant, and equipment. Events may occur between
acquiring and retiring an asset that affect the valuation and allocation assertion and require immediate
write-down of the asset, as addressed in ASC 360. An impairment exists when the cost of a
plant asset, or group of assets, exceeds its fair value and is not recoverable. Auditors should
be alert to a significant decrease in the market price of a plant asset, a change in how the
company uses an asset, or changes in the business climate that could affect an asset’s value.
An auditor will normally test an asset for recoverability by comparing its estimated future
undiscounted cash flows with its carrying value. The asset is impaired when the future cash
flows are less than the carrying amount.

Tests of Details of Presentation and Disclosure


Financial statement presentation requirements for plant assets are moderately extensive. For
example, the note disclosure should show depreciation expense for the year, cost and book values
for major classes of plant assets, and depreciation methods used. Evidence concerning these
matters is acquired through the substantive tests described in the preceding sections. Property
pledged as security for loans should also be disclosed. Information on pledging may be obtained by
reviewing minutes of board meetings or contractual agreements, confirming debt agreements, and
inquiring of management. The appropriateness of the client’s disclosures related to leased assets
can be determined by understanding the terms of the lease agreement. Auditors normally test the
completeness of disclosures by using a disclosure checklist. Finally, an auditor with significant
experience will read the disclosures to evaluate their understandability.

Cloud 9 - Continuing Case


Ian and Suzie have already discussed their approach to PPE acquisitions and disposals, plus
using limited recalculation and analytical procedures for depreciation expense testing. Suzie
reminds Ian that they need to design substantive procedures to assess asset values. Asset
impairments must be recognized under the accounting standards, and the auditors will need to
gather evidence about Cloud 9’s processes for identifying and recognizing asset impairments.
Suzie will discuss with Sharon Gallagher, the audit manager, how they want to approach the
issue of asset impairments. However, going into this meeting, Suzie does not anticipate
changes in the business climate, or changes in how Cloud 9 uses its assets that would
indicate potential impairments.

Before You Go On
3.1 Explain how the audit of property, plant, and equipment would be different for a computer
manufacturer than for a hotel and motel chain.
3.2 Assume that, when performing analytical procedures, an auditor notices a material
increase in repair and maintenance expense as a percent of net sales. What assertions
might be misstated?
3.3 Explain the relationship between internal controls over the acquisition of fixed assets and
internal controls found in the purchases process. What additional controls might you expect
to find related to the acquisition of fixed assets?
3.4 Explain the general audit strategy for auditing property, plant, and equipment.
3.5 Explain the evidence that would show a company is underdepreciating plant, and equipment.

Auditing Financing Activities

Learning Objective 4

Evaluate how an auditor determines and executes an audit strategy for long-term
debt and interest expense, and stockholders’ equity.

financing activities: transactions and events whereby cash is obtained from, or repaid to,
lenders (debt financing) or owners (equity financing)

The following section focuses on auditing financing activities. Financing activities include
transactions and events whereby cash is obtained from, or repaid to, lenders (debt financing) or
owners (equity financing). Financing activities include acquiring debt, finance leases, issuing
bonds, or issuing preferred or common stock. Financing activities would also include payments
to retire debt, reacquisition of stock (treasury stock), and payment of dividends. If the auditor
knows that changes have occurred in investing activities, changes in financing activities often
are predictable. If, for example, an entity finances equipment with a finance lease, the value of
the additions to assets and debt are directly related.

Understanding the Flow of Transactions


Following is a summary of common financial statement accounts associated with long-term
debt or equity transactions an auditor usually encounters.

Short-Term and Long-Term Debt Transactions     Stockholders’ Equity Transactions

Loans payable                                  Preferred stock
Mortgages payable                              Common stock
Bonds payable                                  Treasury stock
Bond premium (discount)                        Paid-in capital
Interest payable                               Retained earnings
Interest expense                               Dividends
Gain (loss) on retirement of bonds             Dividends payable

The population of debt and equity instruments is usually small. For example, a public
company may have fewer than 50 different notes payable, or only one to three classes of equity
securities, which are small population sizes. As a result, audit strategy often focuses on
auditing the entire population of debt and equity at year-end.
Audit data analytics software is most often used with large populations of data, such
as inventory or sales transactions. Since borrowing and equity transactions usually represent
relatively small populations, audit data analytics are typically not used to audit financing
transactions.

Understanding the Entity and Its Environment


When an auditor performs risk assessment procedures and develops a business-based approach
to auditing financing activities, it is essential to understand how the entity chooses a financing
strategy, and the types of financial instruments used by the entity. Recall that Illustration 13.13
provides summary financial information related to an entity’s choice of operating debt,
financing debt, and equity for the various industries we have been following in Chapters 11
and 12. There continues to be significant variation from industry to industry; therefore, it is
critical for the auditor to develop a good understanding of the audit client and its business
environment to develop expectations regarding the client’s financial statements. For example,
the average level of debt in the hotel and motel industry represents 62% of total assets.
Alternatively, colleges, universities and professional schools that have significant fixed assets
have a capital structure that is heavily equity financed and debt represents only 29% of total
assets. It is particularly important for auditors to understand the client’s financing strategy
and the types and complexity of financial instruments used.
There is often a direct connection between a client’s investment in property, plant,
and equipment (or other long-term assets) and the entity’s financing activities. An auditor
should understand how a company plans to fund the acquisition of long-term assets. Some
entities may generate sufficient cash flow from operations to allow for the purchase of PPE.
Most entities, however, will use some form of debt or equity to fund the acquisition of
long-term assets.

Understanding the Results of Analytical Procedures


Analytical procedures are required during risk assessment. They are cost-effective and they may
assist the auditor in evaluating the reasonableness of the financial statements. Further, an
auditor should develop an expectation for any of the ratios or analytical procedures discussed below.
Once an auditor understands the long-term assets that an entity has acquired, the auditor should
also obtain an understanding of how the entity financed the acquisitions. If the auditor
understands the entity’s investing activities and the nature of the business, the entity’s financing
activities should be predictable. Illustration 13.17 presents some example analytical procedures along
with an explanation of the problems they might identify. These analytical procedures provide
indicators of the entity’s need for financing, its ability to service debt, and the reasonableness of
interest costs (both interest expense and capitalized interest).

ILLUSTRATION 13.17  Analytical procedures commonly used to audit long-term debt

Ratio: Free cash flow
Formula: Cash flow from operations – Capital expenditures
Audit Significance: Negative free cash flows indicate the need for, and approximate amount of,
expected financing to prevent drawing down on cash or investments.

Ratio: Interest-bearing debt to total assets
Formula: Interest-bearing debt / Total assets
Audit Significance: Provides a reasonableness test of the entity’s proportion of debt that may be
compared with prior years’ experience or industry data.

Ratio: Stockholders’ equity to total assets
Formula: Stockholders’ equity / Total assets
Audit Significance: Provides a reasonableness test of the entity’s proportion of equity that may be
compared with prior years’ experience or industry data.

Ratio: Comparing return on assets with the incremental cost of debt
Formula: If ROA > the incremental cost of debt:
{Net income + [Interest × (1 – tax rate)]} / Average total assets
Audit Significance: If a company is able to generate a higher rate of return on assets than its
incremental cost of debt, this is a signal that an entity may use debt financing to expand the
assets and earnings of the entity.

Ratio: Return on common equity
Formula: (Net income – Preferred dividends) / Average common stockholders’ equity
Audit Significance: Provides a reasonableness test of stockholders’ equity given the company’s
earnings and financing structure.

Ratio: Sustainable growth rate
Formula: Return on common equity × (1 – Dividend payout rate)
Audit Significance: Provides an estimate of rate of sales growth that can be obtained without
changing the entity’s profitability or financing structure. The auditor should expect changes in
the financing structure when sales grow significantly faster than the sustainable growth rate.

Ratio: Current portion of debt and dividends to cash flow from operations
Formula: (Current portion of debt + Dividends) / Cash flow from operations
Audit Significance: A test of the entity’s ability to service its financing obligations. Ratios less
than 1.0 indicate potential liquidity problems.

Ratio: Times interest earned
Formula: Income before interest and income taxes / (Interest expense + Capitalized interest)
Audit Significance: A test of the entity’s ability to generate earnings to cover the cost of debt
service. Ratios less than 1.0 indicate the entity’s earnings are insufficient to cover financing costs.

Ratio: Interest expense to interest-bearing debt
Formula: (Interest expense + Capitalized interest) / Average interest-bearing debt
Audit Significance: A reasonableness test of recorded interest expense that should approximate
the entity’s average cost of debt capital.

Assessing Inherent Risk


Many auditors might think that inherent risk in the financing cycle is moderate to low. However,
as noted in the following discussion of the professional environment, issues associated with
debt, warrants, and equity are the number one cause of financial statement restatements. For
example, in 2013, First Data Corporation refinanced its debt with borrowings of similar
maturities. The company originally treated the transaction as a modification of debt rather than an
extinguishment of debt. Properly treating the transaction as an extinguishment of debt resulted
in recording a $56 million loss.³ Other significant inherent risks involve the proper accounting
for interest rate swaps and the proper classification of equity instruments that behave like debt.

There are some companies that have a relatively straightforward capital structure where
accounting issues are not complex. But when an auditor finds that a client has engaged in
significant new debt or equity transactions, the auditor should be prepared to study a
significant volume of legal documents related to the financing transaction, and determine the
impact of any legal requirements (such as debt covenants) on the entity.

³ T. Shumsky, “Three Stubborn Types of Mistakes Dog Financial Reporting,” The Wall Street Journal (April 11, 2016).

Professional Environment: Restatements Related to Debt, Quasi-Debt, Warrants, and Equity


Audit Analytics⁴ recently reported a summary of restatements due to debt, quasi-debt, warrants,
and equity issues for a 17-year period ending in 2017. Debt, quasi-debt, warrants, and equity
security issues consist of misstatements in approach, theory, or calculation associated with the
record of debt or equity accounts. These restatements will often be about errors made in the
calculation of balances arising from debt, equity, or quasi-debt/equity instruments with beneficial
conversion options. For example, when convertible debt is issued, converted, repurchased, or paid
off, GAAP requirements can be challenging. In addition, certain debt instruments can be erroneously
valued. Often financial derivative requirements are at issue. During the 17-year period, these
restatements were the number one source of financial statement restatements. They range from
15.7% to 23.8% of all restatements. As a result, this is a significant risk issue in all years.

Disclosure Year   Expense recording issues   % of all financial statement restatements
2004              171                        18.0%
2005              331                        21.0%
2006              502                        27.0%
2007              297                        22.9%
2008              200                        20.7%
2009              140                        16.9%
2010              182                        21.4%
2011              177                        20.9%
2012              143                        16.8%
2013              195                        22.3%
2014              204                        23.8%
2012              162                        21.4%
2013              121                        17.8%
2014              87                         15.7%

Assessing Control Risk and Fraud Risk


The following financing functions and related control activities are associated with the
financing process:

•  Authorizing bonds and capital stock. The board of directors usually authorizes financing
transactions based on the entity’s strategic plans and investing activities.
•  Issuing bonds and capital stock. Issues are made in accordance with board of directors’
authorizations and legal requirements, and proceeds are promptly deposited intact. Often
bond and stock transactions are handled by a bond trustee or transfer agent.
•  Paying bond interest and cash dividends. Payments are made to proper payees in
accordance with board of directors’ or management authorizations.
•  Redeeming and reacquiring bonds and capital stock. Transactions are executed in
accordance with board of directors’ authorizations; treasury stock certificates are physically
safeguarded.
•  Recording financing transactions. Transactions are correctly recorded as to amount,
classification, and accounting period based on supporting authorizations and
documentation. The duties of executing and recording financing transactions are usually
segregated. Periodic independent checks are made by agreement of subsidiary ledgers to
control accounts.

bond trustee: a bond trustee is usually a commercial bank or a trust company that is given
fiduciary powers by a bond issuer to enforce the terms of a bond indenture; the trustee sees that
bond interest payments are made as scheduled and protects the interests of the bondholders if the
issuer defaults

transfer agent: a trust company, bank, or similar financial institution assigned by a corporation
to maintain records of investors and account balances; the transfer agent records transactions,
cancels or issues stock certificates, and processes investor mailings

Major financing transactions usually require involvement of the board of directors.
Controls over the routine payment of principal and interest are usually subject to the standard
internal controls in the expenditure process. Paying dividends requires board of directors’
authorization and is typically handled by an outside transfer agent. Controls over the
completeness of transactions involve regular review by the disclosure committee, particularly with
respect to accounting for any complex debt or equity security transactions. An independent
review of the amortization of bond premiums or discounts also falls within the responsibilities
of a disclosure committee.

Management maintains subsidiary records of loan balances. It is common for management
to establish an independent check of such balances against monthly statements sent by lenders.
Public companies usually outsource these transactions to a transfer agent. Often a quarterly or
annual reconciliation with the records of a transfer agent provides a key control.

⁴ Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison
(Audit Analytics: Sutton, MA, 2018).

However, as noted in the Professional Environment discussion above, many debt or
equity transactions may involve complex accounting issues. When convertible debt is issued,
converted, repurchased, or paid off, GAAP requirements can be challenging. Entities may
engage in interest-rate swaps or other derivative financial instruments that involve complex
accounting. In these situations, an entity’s internal control may involve a separate independent
review of the accounting for complex transactions. Finally, the disclosure committee should
review all financial statement disclosures before they are presented to the auditor. If these
controls are not present, control risk should be assessed at high or maximum.

Determining an Audit Strategy


Audit strategy is often determined by the nature of the entity and the complexity of the
entity’s transactions. If the entity is a public company, the auditor will test controls and follow a
reliance on controls approach. If the entity is not a public company, but has complex debt or
equity transactions, the auditor may likely test relevant controls prior to determining an audit
strategy. If the entity is not a public company, and debt and equity transactions are limited in
number and straightforward, the auditor will often follow a primarily substantive approach
after understanding the controls that the entity has placed in operation. For example, a small,
private company may have a small number of loans, and confirming loans, loan covenants,
and other terms of the loan may be a simple process.

Substantive Tests of Long-Term Debt


Illustration 13.18 shows a list of possible substantive tests of long-term debt balances
together with the specific audit objectives to which each test relates. The auditor relies primarily
on (1) direct communication with outside independent sources, (2) review of documentation,
and (3) recomputations to obtain sufficient appropriate evidence about the assertions
pertaining to long-term debt balances. Each of the substantive tests is explained in the following
sections.

ILLUSTRATION 13.18  Substantive tests for long-term debt

Each substantive test is followed by the assertions to which it relates.

Category: Initial procedures
1. Obtain an understanding of the business and industry and determine: (Assertions: All)
   a. The significance of various sources of financing (debt and equity) to the entity.
   b. Key economic drivers that influence the entity’s need for financing and its ability to
      service the cost of debt.
   c. Industry standards for the extent to which the industry uses debt and equity financing and
      the impact of debt on earnings.
   d. The degree to which the entity has used operating leases and finance leases to finance assets.
2. Perform initial procedures on long-term debt balances and records that will be subject to
   further testing.
   a. Trace beginning balances for long-term debt accounts to prior year’s working papers.
      (Assertions: Existence, Completeness)
   b. Review activity in all long-term debt and related income statement accounts and
      investigate entries that appear unusual in amount or source.
   c. Obtain client-prepared schedules of long-term debt and determine that they accurately
      represent the underlying accounting records from which prepared by:
      (Assertions: Valuation and allocation)
      i. Footing and cross-footing the schedules and reconciling the totals with increases or
         decreases in related subsidiary and general ledger balances.
      ii. Testing agreement of items on schedules with entries in related subsidiary and general
          ledger accounts.

Category: Analytical procedures
3. Perform analytical procedures: (Assertions: All)
   a. Calculate appropriate debt ratios (see Illustration 13.17).
   b. Analyze ratio results relative to expectations based on prior year, budget, industry, or
      other data.

Category: Tests of details of transactions
4. Vouch a sample of entries in long-term debt and related interest expense accounts.
   (Assertions: Occurrence, Accuracy, Cutoff, Classification)
5. For bonds, confirm the balance and transactions with the bond trustee.
   (Assertions: Occurrence, Accuracy, Completeness)
6. Scan the cash receipts journal for large, unusual cash receipts. (Assertions: Completeness)
7. Confirm interest expense and recalculate as necessary.
   (Assertions: Occurrence, Accuracy, Cutoff)

Category: Tests of details of balances
8. Inspect authorizations and contracts for long-term debt. (Assertions: Existence)
9. Confirm debt with lenders and bond trustees.
   (Assertions: Existence, Completeness, Valuation and allocation, Rights and obligations)

Category: Presentation and disclosure
10. Compare statement presentation with GAAP.
    (Assertions: Occurrence and rights and obligations)
11. Determine that long-term debt balances are properly identified and classified in the financial
    statements. (Assertions: Classification and understandability)
12. Determine the appropriateness of disclosures concerning all terms, covenants, and retirement
    provisions pertaining to long-term debt.
    (Assertions: Accuracy and valuation, Occurrence and rights and obligations)
13. Evaluate the completeness of presentation and disclosures for long-term debt in drafts of
    financial statements to determine conformity to GAAP by reference to disclosure checklist.
    (Assertions: Completeness)
14. Read disclosures and independently evaluate their understandability.
    (Assertions: Classification and understandability)

Initial Procedures
As shown in Illustration 13.18, the familiar initial procedures are applicable to long-term debt
balances. It is important to obtain an understanding of the business and industry, determine
the entity’s need for external financing, and determine the entity’s ability to service debt.
Because financing is so clearly linked to investing activities, the auditor may perform these
procedures together. For example, the same auditor may be assigned to audit purchases of
plant, and equipment, long-term debt, various lease agreements, and equity. The schedules
associated with long-term debt may include separate schedules of long-term notes payable to
banks, obligations under finance leases, and listings of registered bondholders prepared by
bond trustees.

Substantive Analytical Procedures


An important part of auditing long-term debt is determining that the financial
information subjected to audit is consistent with the auditor’s expectations. The earlier
discussions regarding knowledge of the entity and its environment and analytical procedures
addressed procedures the auditor might perform to assess the reasonableness of financial
statement information regarding long-term debt and interest expense (Illustration 13.17).
As part of the auditor’s responsibilities with respect to evaluating whether an entity is a
going concern (discussed further in Chapter 14), the auditor will evaluate the entity’s
ability to generate sufficient cash flow to meet commitments regarding interest expenses,
debt maturities, and debt covenants. When performing substantive analytical procedures,
the auditor should maintain an appropriate level of professional skepticism and
investigate abnormal results.

Tests of Details of Transactions


For notes payable, the auditor will normally vouch transactions to the cash receipts or cash
disbursements journal. Payments on principal of long-term debt can be verified by an
examination of vouchers and canceled checks. Payments in full can be validated by an inspection
of the canceled notes. When installment payments are involved, their propriety can be traced
to repayment schedules and supporting documentation from banks. For bonds, the auditor
should confirm transactions and the ending balance with the bond trustee. When bond
interest is paid by an independent agent, the auditor should examine the agent’s reports on
payments. Issuances of debt instruments should be traced to the cash receipts journal. Bonds may
also be converted into stock. Evidence of such transactions is available from the bond trustee
or the transfer agent.

The vouching of entries to long-term debt accounts and underlying documentation
provides evidence about the occurrence of transactions and the existence of debt, accuracy and
valuation, cutoff, and classification. The auditor will often test completeness by reviewing the
cash receipts journal for large transactions. Completeness is also tested by tests of balances in
the form of confirmation with banks, a bond trustee, or transfer agent.

Evidence of interest expense and accrued interest payable is easily obtained by the
auditor as part of a bank or loan confirmation. If interest expense is not confirmed, and
internal controls are strong, the auditor may perform analytical procedures to estimate interest
expense using the average loan balance outstanding times the interest rate. If internal
controls are weak, the auditor may reperform the client’s interest calculations and trace interest
payments to supporting vouchers, canceled checks, and confirmation responses. Accrued
interest, in turn, is verified by identifying the last interest payment date and recalculating the
amount booked by the client. Illustration 13.19 shows an example working paper related to
the audit of notes payable and related interest payable.

ILLUSTRATION 13.19  Notes and interest payable working paper

Client: New Millennium Ecoproducts
Bell & Bowerman, LLP
Long-Term Debt Payable and Accrued Interest
Reference: G - Lead
Period-end: 12/31/22
Prepared by: W.C.B.  Date: 2/5/23
Reviewed by: R. E. Z.  Date: 2/12/23

Account titles
(a) 5% note payable to Sunriver National Bank. Due $100,000 per year to 7/3/24
(b) 4% note payable to First Trust Company. Due $100,000 per year to 7/3/24

Notes Payable
Account Title    Balance 12/31/21   Borrowing       Payments        Balance 12/31/22
5% note (a)      $300,000 (c)                       $100,000 (f)    $200,000 (d)
4% note (b)      $ – (c)            $250,000 (g)                    $250,000 (d)
Total            $300,000 (✓)       $250,000 (✓)    $100,000 (✓)    $450,000 (✓✓)

Interest Payable
Account Title    Balance 12/31/21   Expense         Payments        Balance 12/31/22
5% note (a)      $7,500 (c)         $12,500 (e)     $15,000 (f)     $5,000 (d)
4% note (b)      $ – (c)            $2,500 (e)      $ –             $2,500 (d)
Total            $7,500 (✓)         $15,000 (✓)     $15,000 (✓)     $7,500 (✓✓)

(a) Long-term investments in securities portfolio are pledged as security for the loan. See confirmation received from bank W/P A-4.

(b) Land and building pledged as security for the loan. See confirmation received from First Trust Co. W/P A-5.

(c) Agreed to general ledger and 12/31/21 working papers.

(d) Agreed to general ledger at 12/31/22.

(e) Recomputed interest expense with no exception.

(f) Vouched payment to cash disbursements journal and supporting documentation.

(g) Examined copy of note payable agreement and vouched to the cash receipts journal.

(✓) Footed.

(✓✓) Footed and cross-footed.


13-44  Chapter 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Tests of Details of Balances


The authority of an entity to enter into a contractual agreement to borrow money through
the issuance or incurrence of long-term debt usually rests with the board of directors.
Accordingly, evidence of authorizations should be found in the minutes of board meetings.
Normally, the auditor reviews only the authorizations that have occurred during the year under
audit because evidence of the authorizations for debt outstanding at the beginning of the year
should be in the permanent working paper file. Authorization for the new debt issue should
include reference to the applicable sections of the bylaws that pertain to such financing. The
inspection of contracts should also include the details of covenants and the entity’s compliance
therewith, and the details of obligations under finance leases.

The auditor is expected to confirm the existence and terms of long-term debt by direct
communication with lenders and bond trustees. Notes payable to banks in which the client
has an account are confirmed as part of the confirmation of bank balances. Other notes are
confirmed with the holders by separate letter. The existence of mortgages and bonds payable
normally can be confirmed directly with the bank or trustee. Each confirmation should include
a request for the current status of the debt and current year’s transactions. All confirmation
responses should be compared with the records and any differences should be investigated.
When bonds were originally sold at a premium or discount, the auditor should review the
client’s amortization schedule and verify the recorded amount of amortization by recalculation.

Tests of Details of Presentation and Disclosure


In evaluating the appropriateness of the client’s classification and disclosure of long-term
debt, the auditor should be aware of the requirements of the applicable financial reporting
framework. The procedures of inspecting and reading debt contracts and confirming the
terms of debt provide the data for use in the evaluation of note disclosures.

Substantive Tests of Stockholders’ Equity


Illustration 13.20 shows a list of possible substantive tests of stockholders’ equity. The auditor
relies primarily on (1) direct communication with outside independent sources and (2) review
of documentation to obtain sufficient appropriate evidence about the assertions pertaining to
stockholders’ equity. Each of the substantive tests is explained in the following sections.

ILLUSTRATION 13.20  Substantive tests for stockholders’ equity

| Category | Substantive Test | Assertions |
|---|---|---|
| Initial procedures | 1. Obtain an understanding of the business and industry and determine: | All |
| | 1a. The significance of various sources of financing (debt and equity) to the entity. | |
| | 1b. Key economic drivers that influence the entity’s need for financing and its ability to obtain equity capital and pay dividends. | |
| | 1c. Industry standards for the extent to which the industry uses equity financing. | |
| | 2. Perform initial procedures on stockholders’ equity balances and records that will be subject to further testing. | |
| | 2a. Trace beginning balance for stockholders’ equity accounts to prior year’s working papers. | Existence, Completeness |
| | 2b. Review activity in stockholders’ equity accounts and investigate entries that appear unusual in amount or source. | Valuation and allocation |
| | 2c. Obtain client-prepared schedules of changes in stockholders’ equity balances and determine that they accurately represent the underlying accounting records by: | Valuation and allocation |
| | 2c(i). Footing and cross-footing the schedules and reconciling the totals with increases or decreases in related subsidiary and general ledger balances. | |
| | 2c(ii). Testing agreement of items on schedules with entries in related subsidiary and general ledger accounts. | |
| Analytical procedures | 3. Perform analytical procedures: | All |
| | 3a. Calculate appropriate equity ratios such as the following: (i) Return on common stockholders’ equity. (ii) Equity to total liabilities and equity. (iii) Dividend payout. (iv) Sustainable growth rate. | |
| | 4. Analyze ratio results relative to expectations based on prior year, budget, industry, or other data. | |
| Tests of details of transactions | 5. Confirm equity transactions with the company’s registrar/transfer agent. | Occurrence, Completeness, Accuracy, Cutoff, Classification |
| | 6. Inspect board of directors’ minutes for authorization of equity transactions. | Completeness |
| Tests of details of balances | 7. Review articles of incorporation and bylaws. | All |
| | 8. Review authorizations and terms of stock issues. | Existence, Completeness, Valuation and allocation |
| | 9. Confirm shares outstanding with registrar/transfer agent. | Existence, Completeness, Valuation and allocation, Rights and obligations |
| Presentation and disclosure | 10. Compare statement presentation with GAAP. | |
| | 10a. Determine that stockholders’ equity balances are properly identified and classified in the financial statements. | Occurrence and rights and obligations, Classification and understandability |
| | 10b. Determine the appropriateness of disclosures concerning all changes in stockholders’ equity account balances during the period, par or stated values, dividend and liquidation preferences, dividends in arrears, stock option plans, conversion features, and treasury shares. | Accuracy and valuation, Occurrence and rights and obligations |
| | 10c. Evaluate the completeness of presentation and disclosures for stockholders’ equity in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. | Completeness |
| | 10d. Read disclosures and independently evaluate their understandability. | Classification and understandability |

Initial Procedures
The auditor should obtain an understanding of the business and industry and determine
(1) the entity’s need for external financing and (2) the desirability of using equity financing
to support the growth of the entity. Equity financing might be used either to support
investing activities or to support needed investments in working capital (e.g., growth in
inventories and receivables needed to grow the entity). The schedules referred to in
Illustration 13.20 for this group of procedures might include a trial balance of the stockholders’
equity ledger or listings of stockholders supplied by the registrar and transfer agent.
The auditor should test the agreement of the data in the schedules with any underlying
accounting records and verify that the schedules or subsidiary ledgers agree with general
ledger control accounts.

Substantive Analytical Procedures


Illustration 13.21 presents several ratios commonly used to evaluate the reasonableness of
stockholders’ equity. The financial relationships expressed in these ratios may be helpful in
evaluating the reasonableness of stockholders’ equity balances.

ILLUSTRATION 13.21   Analytical procedures commonly used to audit stockholders’ equity

| Ratio or Other Financial Information | Formula | Audit Significance |
|---|---|---|
| Return on common stockholders’ equity | (Net income – Preferred dividends) / Average common stockholders’ equity | Provides a measure of the rate of return generated on the common stockholders’ investment. The auditor should understand the competitiveness factors that allow a company to obtain an unusually high return. |
| Equity to total liabilities and equity | Stockholders’ equity / (Stockholders’ equity + Total liabilities) | Provides a reasonableness test of the entity’s proportion of equity that may be compared with prior years’ experience or industry data. |
| Dividend payout rate | Cash dividends / Net income | Auditors would normally expect low dividend payout rates for high-growth companies that need reinvested earnings to fund investments in working capital and long-term assets. |

Tests of Details of Transactions


The most common equity transactions that may occur on a regular basis are (1) issuing shares
when stock options are exercised, (2) repurchasing common stock, and (3) paying dividends.
Each of these transactions can be confirmed with the transfer agent who is responsible for
maintaining a record of equity transactions and who owns equity securities. In addition,
these transactions should also be authorized in the minutes of the board of directors. If a
company issues new shares, the auditor should also examine remittance advices and vouch
the transactions to the cash receipts journal. The repurchase of common stock or the payment
of dividends should also be examined by looking at minutes, disbursement vouchers,
and the cash disbursements journal. The auditor should exercise care in determining the
propriety of the accounting treatment for conversion of stock warrants, the exercise of stock
appreciation rights, or the conversion of debt to equity, as the accounting for these transactions
may be complex.

The auditor will also vouch all entries to retained earnings such as transactions related to
repurchasing common stock and paying dividends. The auditor will also verify the accuracy
of closing income statement accounts to retained earnings. The client should furnish support
for any prior-period adjustments or any other transactions posted to retained earnings. The
auditor should also vouch the occurrence and accuracy of transactions affecting accumulated
comprehensive income.

Tests of Details of Balances


Copies of the articles of incorporation and the bylaws should be included in the auditor’s
permanent working paper file. The auditor should also make inquiries of the client’s legal
counsel about changes in either of these documents. As noted above, the auditor will send a
confirmation to the company’s transfer agent, confirming the shares authorized, issued, and
outstanding at the balance sheet date.

Many private companies act as their own transfer agent, and the company or the company’s
lawyer will maintain its own records of who owns shares. In these cases, the auditor
should examine the stock certificate book to determine that (1) stubs for shares issued and
outstanding have been properly filled out, (2) canceled certificates are attached to original
stubs, and (3) all unissued certificates are intact. Then the auditor should determine that the
changes during the year have been correctly recorded in the individual stockholders’ accounts
in the subsidiary ledger. Finally, the auditor should reconcile the total shares issued and
outstanding as shown in the stock certificate book with total shares reported in the stockholders’
ledger and capital stock accounts.

Tests of Details of Presentation and Disclosure


Financial accounting standards provide that disclosure of changes in the separate accounts
comprising stockholders’ equity is required to make the financial statements sufficiently
informative. Often such disclosures are made both in the financial statements and the notes.
Disclosures related to the equity section include details of stock option plans, dividends in
arrears, par or stated value, and dividend and liquidation preferences. The auditor obtains
evidence about the presentation and disclosure assertion from substantive procedures and from a
review of the corporate minutes for provisions and agreements affecting the stockholders’
equity accounts. In reviewing the minutes, the auditor should note whether any shares of stock
have been reserved for stock options or similar plans, commitments for future issuance of
stock in the purchase of or merger with another company, and restrictions limiting dividend
payments. Relevant evidence may also be obtained from discussions and communications
with legal counsel. When evaluating the appropriateness of the client’s classification and
disclosure of stockholders’ equity, the auditor should be alert for some equity instruments used
by companies that behave more like debt than equity (e.g., preferred stock with a mandatory
redemption date), which therefore should not be classified as stockholders’ equity.

Cloud 9 - Continuing Case


Suzie and Josh (audit senior) finalize their plans for financing activities, and they note that
in a low-interest-rate environment, Cloud 9 has relied on debt to finance growth and there has
been little change in stockholders’ equity. They obtained significant information regarding
Cloud 9’s debt agreements as part of the bank confirmation. They plan on using this information
to test Cloud 9’s financing arrangements. When it comes to stockholders’ equity, they plan to
confirm shares outstanding with the registrar and transfer agent. They also expect that
confirmation with the registrar/transfer agent will provide evidence on stock options exercised
during the year. They will then have to look at stock option agreements to vouch these
transactions. Dividends declared and paid will be vouched to board of director minutes in
addition to information obtained from the registrar and transfer agent.

Before You Go On
4.1 Explain what an auditor should consider when developing an expectation for changes in
long-term financing and changes in equity.
4.2 Explain why calculating a company’s sustainable growth might be a good analytical
procedure for long-term financing or equity accounts.
4.3 Identify a more complex aspect of auditing stockholders’ equity that auditors should be alert
to when considering inherent risk for these long-term financing and equity accounts.
4.4 Explain important internal controls an auditor would expect to find before a company entered
into a new loan agreement or it issues new common stock.
4.5 Explain the general audit strategy for auditing long-term debt.
4.6 Explain the general audit strategy for auditing stockholders’ equity.

Learning Objectives Review


1. Evaluate how an auditor determines and executes an audit strategy for cash and cash
equivalents.

An auditor normally expects strong internal controls over cash due to its susceptibility to
misappropriation. When internal controls are strong, the auditor will normally test internal
controls over bank reconciliations at an interim date as a dual-purpose test. The auditor will
also send bank confirmations to confirm bank balances, loan balances, and any assets that might
be pledged as collateral. If segregation of duties does not exist, and internal controls are
poor, the auditor should evaluate the risk of fraud as high. There is a significant risk
associated with fraudulent cash disbursements. As a result, the auditor should plan significant
tests of details of cash balances at year-end.

2. Evaluate how an auditor determines and executes an audit strategy, including the use of ADA,
for inventory and cost of goods sold.

Inventory is a significant balance sheet account for businesses that manufacture or resell
goods. It is important for the auditor to determine internal controls over inventory and
understand how the client determines the value of inventory that appears on the balance sheet.
Most clients use a perpetual method only to keep track of inventory quantities during the year,
while they use a periodic method for valuing inventory. Therefore, the process of auditing
inventory is normally a two-step process. The first step involves auditing the quantities of
inventory on hand (at interim or as of balance sheet date) by way of observing the client’s
inventory counts. The second step involves auditing the client’s method of assigning values to
each item in inventory. The auditor should also be alert to the risk that inventory should be
marked down to the lower-of-cost-or-net-realizable-value.

3. Evaluate how an auditor determines and executes an audit strategy, including the use of ADA,
for property, plant, and equipment, and depreciation expense.

Unlike inventory, most of the property, plant, and equipment on hand at the beginning of the
year will also be on hand at the end of the year. The auditor will agree beginning balances to
prior audited figures and then audit the transactions for the period to arrive at an audited
ending balance. As a result, the auditor pays careful attention to internal controls over
purchasing new assets, disposing of assets, as well as controls for the professional judgments
associated with depreciation estimates and potential asset impairments.

4. Evaluate how an auditor determines and executes an audit strategy for long-term debt and
interest expense, and stockholders’ equity.

Once an auditor has determined the changes in long-term assets, he or she will determine how
those assets were financed (i.e., with debt or equity). A key aspect of auditing long-term debt
involves confirmation of the debt with lenders, including any assets pledged as collateral for
the loan, other loan restrictions, and the amount of interest expense. A key aspect of auditing
stockholders’ equity involves a confirmation with the registrar of the amount of shares
outstanding and reviewing board of directors’ authorization for equity transactions, such as the
issuance of dividends.

Key Terms Review


Bond trustee
Compilation of inventory values
Consignment inventory
Cutoff bank statement
Cycle counts
Financing activities
Investing activities
Kiting
Transfer agent

Audit Decision-Making Example

Background Information

You have been assigned to the audit of Tama Manufacturing. In performing substantive analytical
procedures, you have developed the following information regarding the company’s production
costs for the year. At year-end, the company shuts down production such that it has only raw
materials and finished goods on hand. There is no work-in-process inventory.
| | Unaudited 2022 | Audited 2021 | Audited 2020 |
|---|---|---|---|
| Sales | $12,005,336 | $10,291,333 | $8,892,132 |
| Cost of raw materials used | $3,539,595 | $3,173,333 | $2,800,952 |
| Direct labor cost | $1,496,230 | $1,364,309 | $1,191,009 |
| Cost of payroll taxes and benefits | $480,411 | $439,309 | $383,184 |
| Indirect costs | $1,309,180 | $1,094,931 | $962,099 |
| Total production costs | $6,825,416 | $6,071,887 | $5,337,244 |
| Beginning inventory | $330,587 | $274,764 | $156,577 |
| Ending inventory | $450,016 | $330,587 | $274,764 |
| Cost of goods sold | $6,705,987 | $6,016,064 | $5,219,057 |
| Tons of raw material used | 6,873 | 6,222 | 5,600 |
| Direct labor hours | 82,429 | 76,863 | 70,723 |
| Manufacturing capacity | 10,000,000 | 10,000,000 | 10,000,000 |
| Units produced | 8,780,800 | 7,840,400 | 7,000,000 |
| Units sold | 8,725,500 | 7,775,000 | 6,850,100 |
| Units in beginning inventory | 415,300 | 349,900 | 200,000 |
| Units in ending inventory | 470,600 | 415,300 | 349,900 |

Identify Audit Issues

You have observed inventory and have verified the ending inventory of 470,600 units. Calculate
additional information as you see fit, and determine the nature of any remaining potential
audit issues. Your firm has set tolerable misstatement for inventory at $20,000.

Gather Information and Evidence

You choose to calculate the following additional information.

| | Unaudited 2022 | Audited 2021 | Audited 2020 |
|---|---|---|---|
| Gross profit | $5,299,349 | $4,275,269 | $3,673,075 |
| Gross profit margin | 44.1% | 41.5% | 41.3% |
| Inventory turnover in days | 21.2 | 18.4 | 15.1 |
| Number of units produced per ton of raw materials | 1,278 | 1,260 | 1,250 |
| Number of units produced per direct labor hour | 106.5 | 102.0 | 99.0 |
| Indirect cost per unit | $0.15 | $0.14 | $0.14 |
| Cost per unit of ending inventory | $0.96 | $0.80 | $0.79 |
| Production cost per unit | $0.78 | $0.77 | $0.76 |
| Sales growth | 16.7% | 15.7% | |
| Growth of cost of goods sold | 11.5% | 15.3% | |
| Inventory growth in dollars | 36.1% | 20.3% | |
| Inventory growth in units | 13.3% | 18.7% | |

Analysis and Evaluation of Alternatives

There is some inconsistent information in the analysis above. Tama Manufacturing has
consistently been more productive, with an increase in the number of units produced per ton of
raw materials and the number of units produced per direct labor hour. The indirect cost per unit
has gone up by only $0.01 per unit. Inventory turnover in days is up, and the gross margin has
increased by 2.6%. The cost per unit of ending inventory has risen significantly ($0.16 per unit
and a 20% increase over the prior year). The average cost of production per unit for the year is
$0.77 and yet the cost per unit of ending inventory is $0.96. Why would the cost per unit of
ending inventory increase by 20% when the company is more productive?

Audit Conclusion

The valuation and allocation assertion for inventory is significantly at risk of misstatement.
Because of Tama’s cost-flow assumptions, the cost of ending inventory is often about $0.03 more
than the average cost of production. However, the average cost of ending inventory at the end of
fiscal year 2022 is $0.18 more than the average cost of production. A $0.15 per unit difference
amounts to a potential overstatement of inventory and understatement of cost of goods sold in
the amount of $70,590 ($0.15 × 470,600). The audit team needs to carefully review the underlying
calculations for pricing ending inventory, as it is likely that inventory is overstated based on
the analysis performed above.


Multiple-Choice Questions
1.  (LO 1)  Which of the following cash transfers results in a misstatement of cash at
December 31, 2022?

| | Cash Disbursement per Books | Cash Paid by the Bank | Cash Receipt per Books | Cash Received by the Bank |
|---|---|---|---|---|
| a. | 12/31/22 | 1/5/23 | 12/31/22 | 1/4/23 |
| b. | 12/31/22 | 1/4/23 | 12/31/22 | 12/31/22 |
| c. | 1/4/23 | 1/4/23 | 12/31/22 | 12/31/22 |
| d. | 1/3/23 | 1/5/23 | 1/4/23 | 1/4/23 |

2.  (LO 1)  Which of the following is one of the better auditing techniques that might be used
by an auditor to detect kiting?
a.  Review authenticated deposit slips.
b.  Review subsequent bank statements and canceled checks received directly from the bank.
c.  Prepare a schedule of bank transfers from the client’s books.
d.  Prepare year-end bank reconciliation.

3.  (LO 1)  When detection risk is low, the auditor is likely to:
a.  prepare the bank reconciliation using bank data in the client’s possession or audit the bank
reconciliation using a cutoff bank statement obtained from the bank.
b.  scan bank reconciliations and test items on bank reconciliations on a sample basis.
c.  test the client’s internal controls over the preparation of bank reconciliations.
d.  confirm bank balances with the Federal Deposit Insurance Corporation.

4.  (LO 2)  A client maintains perpetual inventory records in both quantities and dollars. If
the assessed level of control risk is low, an auditor would probably:
a.  insist that the client perform physical counts of inventory items several times during the
year.
b.  observe the client’s inventory count at an interim date.
c.  increase the extent of tests of controls over inventory.
d.  request the client to schedule the physical inventory count at the end of the year.

5.  (LO 2)  For which of the following companies would the auditor have the least concern about
the existence of inventory?
a.  A retail grocer.
b.  A computer manufacturer.
c.  An oil and gas field equipment manufacturer.
d.  A hotel.

6.  (LO 2)  The primary objective of a CPA’s observation of a client’s physical inventory count
is to:
a.  discover whether a client has counted a particular inventory item or group of items.
b.  obtain direct knowledge that the inventory exists and has been properly counted.
c.  provide an appraisal of the quality of the merchandise on hand on the day of the physical
count.
d.  allow the auditor to supervise the conduct of the count to obtain assurance that inventory
quantities are reasonably accurate.

7.  (LO 2)  In the audit of inventory, selecting inventory items from a perpetual master file,
going to the locations, and obtaining test counts is intended to produce evidence for which
audit assertion?
a.  Completeness.
b.  Rights and obligations.
c.  Existence.
d.  Valuation and allocation.

8.  (LO 2)  Which of the following would represent the best evidence for testing the net
realizable value of inventory?
a.  Investigate sales prices on the sale of inventory made after year-end.
b.  Vouch inventory prices to vendor invoices at an interim date.
c.  Vouch inventory prices to the perpetual inventory.
d.  Investigate all prices that have decreased by more than 5% during the year.

9.  (LO 3)  From year one to year two, the ratio of sales to fixed assets declined significantly.
This is a possible indication that:
a.  the client is overdepreciating fixed assets.
b.  the client is capitalizing costs that should be expensed.
c.  the client has used debt to finance acquisitions of fixed assets.
d.  the client has treated finance leases as operating leases.

10.  (LO 3)  When auditing a fixed asset account such as land, buildings, and equipment, the
auditor will normally:
a.  vouch the book value of fixed assets to underlying purchase documents.
b.  place the greatest emphasis on tests of balances at year-end.
c.  trace transactions from receiving documents to recording of the purchase.
d.  use a combination of agreeing beginning balances to prior year working papers and then
testing transactions during the year.

11.  (LO 3)  An auditor analyzes repairs and maintenance primarily to obtain evidence in support
of the assertion that all:
a.  non-capitalizable expenditures have been recorded.
b.  expenditures for property and equipment have not been charged to expense.
c.  non-capitalizable expenditures for repairs and maintenance have been recorded in the proper
period.
d.  expenditures for property and equipment have been recorded in the proper period.

12.  (LO 3)  If an auditor performs analytical procedures on rent expense and finds that rent
expense has increased 50%, he or she is most likely to perform which of the following additional
procedures?
a.  Test rent cutoff to determine if all rent has been recorded.
b.  Vouch rent payments to underlying documents to determine that all vouchers have receiving
reports.
c.  Vouch larger items in rent expense in a search for unrecorded finance leases.
d.  Perform tests of controls to ensure that all rent transactions are authorized.

13.  (LO 4)  An auditor’s program to examine long-term debt most likely would include steps that
require:
a.  correlating interest expense recorded for the period with outstanding debt.
b.  comparing the carrying amount of the debt to its year-end market value.
c.  verifying the existence of the holders of the debt by direct confirmation.
d.  inspecting the accounts payable subsidiary ledger for unrecorded long-term debt.

14.  (LO 4)  When a client does not maintain its own stock records, the auditor should obtain a
written confirmation from the transfer agent and registrar concerning:
a.  restrictions on the payment of dividends.
b.  guarantees on preferred stock liquidation value.
c.  the number of shares subject to agreements to repurchase.
d.  the number of shares issued and outstanding.

Review Questions
R13.1  (LO 1)  How can an auditor use results from procedures performed during the control risk
assessment phase to affect the nature of substantive testing when testing cash balances?

R13.2  (LO 1)  Explain the difference between the audit of the processes impacting cash and the
substantive testing of the cash balance. How is audit testing for each affected by the outcome
of controls testing?

R13.3  (LO 1)  What information is obtained by sending a bank confirmation? Explain the
importance of a bank confirmation to the audit of cash balances, including the assertions that
are addressed by obtaining a bank confirmation.

R13.4  (LO 2)  In the context of auditing inventory, explain why an audit team cannot use the
same combination of audit procedures for every audit.

R13.5  (LO 2)  How would an auditor test the existence of inventory on hand in a public
warehouse?

R13.6  (LO 2)  Explain the difference between year-end counting of inventory and cycle counts.
What conditions should exist at a client that conducts cycle counts and uses the perpetual
inventory to value inventory at quarter-end?

R13.7  (LO 3)  Explain the relationship between the repairs and maintenance expense account and
the PPE asset account. Why is the auditor interested in examining debits to both accounts when
auditing PPE? Explain your answer with reference to the assertions at risk.

R13.8  (LO 3)  Why is an auditor interested in PPE that is not currently being used or could
become idle in the near future?

R13.9  (LO 4)  Explain why completeness is a more critical assertion for long-term debt than for
cash, inventory, or PPE. What procedures are primarily designed to address the completeness
assertion for long-term debt?

R13.10  (LO 4)  Explain the importance of obtaining confirmations regarding notes payable.

R13.11  (LO 4)  Explain how an auditor will usually test interest expense when auditing notes
payable.

R13.12  (LO 4)  What considerations apply in determining the appropriate level of detection risk
for stockholders’ equity?

Analysis Problems
AP13.1  (LO 1)  Basic   Designing audit procedures for cash  Julie is designing the audit program
for cash for her client, Onslow Services Corp. (Onslow). Onslow is a property management services
company. It deals with six major clients and several smaller clients, each with a number of
properties for rent in the central business district of Minneapolis, Minnesota. Onslow finds
tenants, conducts credit checks, negotiates tenancy agreements, and arranges cleaning and
maintenance services for each property. Onslow has a staff of 15 and operates from an office in
downtown Minneapolis. Other than a small petty cash amount, no cash is kept on the premises
because rents are directly deposited by the tenants to Onslow’s bank account. After the relevant
fees are deducted, Onslow remits the rents monthly to the property owners. These transactions
pass through a bank account kept solely for this purpose. In addition, Onslow maintains a trust
account (for any client moneys held on trust) and a general operating account (for salaries and
other expenses).

Required
a.  Advise Julie about the controls over cash that should be maintained by Onslow.
b.  Assuming these controls are present and operating effectively, suggest the appropriate substantive
procedures for Onslow’s cash balance.

AP13.2  (LO 1)  Moderate   Finding fraud related to cash  Patricia Company had poor internal
control over its cash transactions. Facts about its cash position at November 30, 2022, were as follows:
The cash ledger showed a balance of $18,901.62, which included undeposited receipts which
were on hand at November 30. A credit of $100 on the bank’s records did not appear on the books
of the company. The balance per bank statement was $15,550. Outstanding checks were #62 for
$116.25, #183 for $150, #284 for $253.25, #8621 for $190.71, #8623 for $206.80, and #8632 for
$145.28.
The cashier subtracted undeposited receipts of $3,794.41 and prepared the following
reconciliation:
Balance per books, November 30, 2022 $18,901.62
Add: Outstanding checks
8621 $190.71
8623 206.80
8632 145.28 442.79
19,344.41
Less: Undeposited receipts (3,794.41)
Balance per bank, November 30, 2022 15,500.00
Deducted: Unrecorded credit 100.00
True cash, November 30, 2022 $15,450.00

Required
a.  Prepare a working paper showing how much the cashier embezzled.
b.  How did the cashier attempt to conceal this theft?
c.  Using only the information given, name two specific features of internal control that were
apparently lacking.
(AICPA adapted)

AP13.3  (LO 1)  Moderate   Review of client-prepared bank reconciliation  The following
client-prepared bank reconciliation is being examined by Kautz, CPA, during an audit of the financial statements
of Cynthia Company:

Cynthia Company
Bank Reconciliation Village Bank Account 2
December 31, 2022
Balance per bank (a) $ 18,375.91
Deposits in transit (b)
  12/30 $1,471.10
  12/31 2,840.69 4,311.79
   Subtotal 22,687.70
Outstanding checks (c)
  837 6,000.00
  1941 671.80
  1966 320.00
  1984 1,855.42
  1985 3,621.22
  1987 2,576.89
  1991 4,420.88 (19,466.21)
   Subtotal 3,221.49
NSF check returned 12/29 (d) 200.00
Bank charges (e) 550.00
Error check No. 1932 (f) 148.10
Customer note collected by the bank
  ($2,750 plus $275 interest) (g) (3,025.00)
Balance per books (h) $ 1,094.59

Required
Indicate one or more auditing procedures that should be performed by Kautz in gathering evidence in
support of each of the items (a) through (h) above.
(AICPA adapted)

AP13.4  (LO 1)  Moderate   Bank transfer schedule, kiting  LMN Company has a June 30 year-end
and maintains three bank accounts: City Bank–Regular, City Bank–Payroll, and Metro Bank–Special.
Your analysis of cash disbursements records for the period June 23 to July 6 reveals the following bank
transfers:

| Check No. | Date of Check | Bank Drawn On | Payee | Amount |
|---|---|---|---|---|
| 2476 | June 23 | Regular | Payroll | $100,000 |
| 2890 | June 25 | Regular | Payroll | 200,000 |
| 3140 | June 28 | Regular | Special | 100,000 |
| A1006 | June 29 | Special | Payroll | 50,000 |
| A1245 | June 30 | Special | Regular | 25,000 |
| 3402 | June 30 | Regular | Special | 125,000 |

You determine the following facts about each of the first five checks: (1) the date of the cash
disbursements journal entry is the same as the date of the check, (2) the payee receives the check two days later,
(3) the payee records and deposits the check on the day it is received, and (4) it takes five days for a
deposited check to clear banking channels and be paid by the bank on which it is drawn. Check 3402 was not
recorded as a disbursement until July 1. This check was picked up by the payee on the date it was issued,
and it was included in the payee’s after-hours bank deposit on June 30.
Required
a.  What are the purposes of the audit of bank transfers?
b.  Prepare a bank transfer schedule as of June 30 using the format shown in Illustration 13.3.
c.  Prepare separate adjusting entries for any checks that require adjustment.
d.  In the reconciliation for the three bank accounts, indicate the check numbers that should appear as
(1) an outstanding check or (2) a deposit in transit.
e.  Which check(s) may be indicative of kiting?

AP13.5  (LO 1)  Moderate   Research   Proof of cash  Look up and watch a YouTube video on “proof
of cash.”

Required
Answer the following questions.
1.  Explain how a proof of cash differs from a bank reconciliation.
2.  If internal controls are weak and segregation of duties is poor, what benefits are obtained by
performing a proof of cash versus a bank reconciliation?
3.  Does performing a proof of cash eliminate the need to perform tests of transactions for cash receipts
and cash disbursements?

AP13.6  (LO 2)  Moderate   Inventory valuation  The following is a copy of the auditor’s working
paper for auditing inventory balances for the client Zack’s Electrical Supply. It shows the details of the
net realizable value (NRV) tests.

Client: Zack’s Electrical Supply Bell & Bowerman, LLP Prepared by: R.E.J. Date: 2/8/23

Period-end: 12/31/22 Reference  F07 Reviewed by: L.E.W. Date: 2/16/23

F07 – NET REALIZABLE VALUE TESTING

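| Sample Number | Item Code | Description | Category | Quantity in Inventory [A] | Total Inventory Value [B] | Unit Price [B/A = C] | TM/Ref | Selling Price per Unit [D] | Distribution Costs? [E] | TM/Ref | Variance [D − E − C] | Allowance Needed? | Amount ($000) | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Key item | | | | | | | | | | | | | | |
| | 700025 | switches | Purchased goods | 2,000 | $10,000 | $5 | SL | $33 | 1 | ✓ | $27 | No | — | |
| | etc… | | | | | | | | | | | | | |
| Representative sample | | | | | | | | | | | | | | |
| 1 | 701442 | routers | Purchased goods | 25,000 | $13,500,000 | $540 | SL | $420 | 1 | ✓ | $(121) | Yes | $(3,250) | |
| 3 | 800245 | fuses | Purchased goods | 440 | 7,000 | 16 | SL | 28 | 1 | ✓ | 11 | No | — | |
| 4 | 800347 | covers | Purchased goods | 288 | 4,200 | 15 | SL | 45 | 1 | ✓ | 29 | No | — | |
| 5 | etc… | | | | | | | | | | | | | |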

Key to audit tick marks:


✓  Agrees to supporting documentation of sales invoices posted after year-end.
Comments:
None (no error detected, exception noted was correctly provided for by the company).
Required
a.  Why does an auditor test for NRV?
b.  Find the details of the inventory items selected for NRV testing. What is a “key item”? Explain how
the auditor has decided whether or not the inventory items should be shown at NRV or cost.
c.  Are any inventory items to be written down to NRV in this example? If so, by how much?

AP13.7  (LO 2)  Moderate   Evaluation of internal controls—raw materials inventory  You
have been engaged by the management of Alden, Inc. to review its internal controls over the purchase,
receipt, storage, and issue of raw materials. You have prepared the following comments that describe
Alden’s procedures:

1.  Raw materials, which consist mainly of high-cost electronic components, are kept in a locked
storeroom. Storeroom personnel include a supervisor and four clerks. All are well-trained, competent,
and adequately bonded. Raw materials are removed from the storeroom only on written or oral
authorization of one of the production managers.
2.  There are no perpetual inventory records; therefore, the storeroom clerks do not keep records of
goods received or issued. To compensate for the lack of perpetual records, inventory is counted
monthly by the storeroom clerks, who are well-supervised. Appropriate procedures are followed in
making the inventory count.
3.  After the physical count, the storeroom supervisor matches quantities counted against a
predetermined reorder level. If the count for a given part is below the reorder level, the supervisor
enters the part number on a materials requisition list and sends this list to the accounts
payable clerk. The accounts payable clerk prepares a purchase order for a predetermined reorder
quantity for each part and mails the purchase order to the vendor from whom the part was last
purchased.
4.  When ordered materials arrive at Alden, they are received by the storeroom clerks. The clerks count
the merchandise and agree the counts to the shipper’s bill of lading. All vendors’ bills of lading are
initialed, dated, and filed in the storeroom to serve as receiving reports.

Required
Describe the deficiencies in internal control and recommend improvements in Alden’s procedures for the
purchase, receipt, storage, and issue of raw materials. Organize your answer sheet as follows:

| Deficiency | Recommended Improvements |
|---|---|

(AICPA adapted)

AP13.8  (LO 2)  Moderate   Inventory  Brompton Hardware runs a network of small hardware
retail outlets across the state. All sales are paid by cash or credit card, and are processed through
electronic cash registers. A wide range of goods are held in inventory by the stores, meaning that
the business deals with a large number of suppliers. All goods are purchased on credit with varying
terms, depending on the supplier. Invoices are paid by check after a package of documents is
collated and approved for payment. Ordering of goods and subsequent payments are processed by the
central office with delivery direct from supplier to the stores—no central warehouse is used.
Brompton uses a perpetual stock system to track inventory quantities and conducts test counts at regular
periods throughout the year.

Required
a.  What controls would you expect to see over inventory movements at the local store level and the
central office?
b.  Explain how you would audit the physical inventory count for Brompton Hardware. What details
would you focus on most?

AP13.9  (LO 2)  Moderate   ADA   Inventory data analytics  An auditor is conducting an audit of
the financial statements of a wholesale cosmetics distributor with an inventory consisting of thousands
of individual items. The distributor keeps its inventory in its own distribution center and two public
warehouses. An inventory database is maintained and updated after each transaction. The database
contains the following information:

1.  Item number.
2.  Location of item.
3.  Description of item.
4.  Quantity on hand.
5.  Cost per item.
6.  Date of last purchase.
7.  Date of last sale.
8.  Quantity sold during year.

The auditor is planning to observe the distributor’s physical count of inventories as of an interim date.
The auditor will have access to the inventory as of the date of the physical count and will use a
general-purpose audit software package.

Required
The auditor is planning to perform inventory substantive tests. Identify the inventory tests and describe
how the use of audit software and the database might be helpful to the auditor in performing such tests.
Organize your answer as follows:

| Inventory Substantive Test | How Audit Software and Data Analytics Might Be Helpful for Substantive Tests |
|---|---|
| 1. Observe the physical count, making and recording test counts when applicable. | 1. Determine which items are to be test-counted by selecting a random sample of a representative number of items from the inventory file as of the date of the physical count. |

(AICPA adapted)

AP13.10  (LO 3)  Basic   PPE additions and disposals  The following is a copy of the auditor’s
working paper for auditing additions and disposals relevant to the balance of property, plant, and equipment
(PPE) for the client New Millennium Ecoproducts.

Client: New Millennium Ecoproducts Bell & Bowerman, LLP Prepared by: W.C.B. Date: 2/4/23
Period-end: 12/31/22 Reference  K02 Reviewed by: R.E.Z. Date: 2/12/23
K02 – Additions and Disposals
Currency unit: $000

Section 1: Additions

| Asset Code | Description | Category | Depreciation Starting Date | TM/Ref | Asset Life (years) | Amount | TM/Ref |
|---|---|---|---|---|---|---|---|
| 700025 | Delivery van (15) | Equipment | 5/1/22 | (c) | 10 | $2,750 | ✓ |
| N/A | CPX 120 | Asset under construction | N/A | (c) | N/A | $500 | ✓ |

Section 2: Disposals

| Asset Code | Description | Category | Gross Book Value | Accumulated Depreciation | Net Book Value | Selling Price | TM/Ref | Gain/(Loss) on Disposal |
|---|---|---|---|---|---|---|---|---|
| 600662 | Delivery van | Equipment | $350 | $280 | $70 | $75 | ✓ | $5 |

Key to audit tick marks:


✓  Agrees to purchase invoice.
✓  Agrees to sales invoice and receipt of payment.
(c)  Depreciation starting date appears reasonable.

Comments:
•  No issue from testing of additions.
•  Gain on disposal of item tested is not material and confirms relevance of depreciation rate used by company.
Required
a.  What assertions are relevant to additions and disposals of PPE?
b.  Find the details of the additions. Explain the difference between the two items, particularly with
respect to depreciation.
c.  Find the details of the disposal. How much was the gain on sale? Why is the auditor interested in
the amount of the gain? Explain the comment by the auditor about the disposal in the working
paper.

AP13.11  (LO 3)  Moderate   Substantive testing of PPE  Fabrication Holdings Inc. (FH) has been
a client of KFP LLP for many years. You are an audit senior and have been assigned to the FH audit for
the first time for the financial year-end June 30, 2022. During March 2022, you are completing the risk
assessment for PPE, which is one of FH’s most material accounts. You are also aware that FH has made
a large investment in a new manufacturing process to place itself in a more competitive position. Your
analytical procedures indicate an increase in acquisitions of PPE.

Required
a.  What is the key assertion at risk for the PPE additions? Why is it at risk? Explain.
b.  Identify the relevant substantive tests of details that would be appropriate to address the assertion
at risk identified in (a) above.
c.  How would your answers to the previous questions change if the PPE additions had been
manufactured in-house by FH’s engineers and toolmakers, rather than purchased?

AP13.12  (LO 4)  Challenging   Substantive tests, assertions, and types of evidence for financing
activities  The following transactions and events relate to financing transactions at Weber Inc.
  1.  Declare cash dividend on common stock.
  2.  Issue bonds.
  3.  Pay bond interest.
  4.  Purchase 500 shares of treasury stock.
  5.  Pay cash dividend declared in 1 above.
  6.  Issue additional common stock for cash.
  7.  Accrue bond interest payable at year-end.
  8.  Redeem outstanding bonds.
  9.  Establish appropriation for bond retirement.
10.  Announce a two-for-one stock split.

Required
a.  Identify the substantive test that should verify each transaction or event.
b.  For each test, indicate the financial statement assertion(s) to which it pertains.
c.  Indicate the source of evidence obtained from the substantive test (i.e., outside party, client-generated,
auditor personal knowledge or observation, documented, oral). (Use a tabular format for your answers
with one column for each part.)

AP13.13  (LO 4)  Moderate   Substantive tests and disclosures for long-term debt  Andrews,
CPA, has been engaged to audit the financial statements of Broadwall Corporation for the year ended
December 31, 2022. During the year, Broadwall obtained a long-term loan from a local bank pursuant to
a financing agreement that provided that the:
1.  Loan was to be secured by the company’s inventory and accounts receivable.
2.  Company was to maintain a debt-to-equity ratio not to exceed 2:1.
3.  Company was not to pay dividends without permission from the bank.
4.  Monthly installment payments were to commence July 1, 2022.

In addition, during the year the company borrowed from the president of the company, on a short-term
basis, including substantial amounts just prior to the year-end.
Required
a.  For purposes of Andrews’ audit of the financial statements of Broadwall Corporation, what
substantive tests should Andrews employ in examining the described loans? Do not discuss internal
control.
b.  What are the financial statement disclosures that Andrews should expect to find with respect to the
loans from the president?

(AICPA adapted)

AP13.14  (LO 4)  Moderate   Confirmation of stock outstanding  You are engaged in doing the
audit of a corporation whose records you have not previously audited. The corporation has both an
independent transfer agent and a registrar for its capital stock. The transfer agent maintains the record of
stockholders, and the registrar checks that there is no over-issue of stock. Signatures of both are required
to validate certificates.
It has been proposed that confirmations be obtained from both the transfer agent and the registrar
as to the stock outstanding at the balance sheet date. If such confirmations agree with the books, no
additional work is to be performed as to capital stock.

Required
If you agree that obtaining the confirmations as suggested would be sufficient in this case, give the
justification for your position. If you do not agree, state specifically all additional steps you would take and
explain your reason for taking them.
(AICPA adapted)

Audit Decision Cases


Mobile Security, Inc.

Question C13.1 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is
a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures
high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security
equipment. MSIʼs products are primarily used by the military and scientific research institutions,
but there is growing demand for UAVs for commercial and recreational use. MSI must go through an
extensive bidding process for large government contracts. Because of the sensitive nature of
government contracts and military product designs, both the facilities and records of MSI must be highly
secured.
In October 2022, MSI installed a new cloud-based inventory costing system to replace a system
that had been developed in-house. The old system could no longer keep up with the complex and
detailed manufacturing costing process that provides information to support competitive bidding.
MSIʼs IT department, together with the consultants from the software company, implemented the
new inventory costing system, which went live on December 1, 2022. Key operational staff and the
internal audit team from MSI were significantly engaged in the selection, testing, training, and
implementation stages.

C13.1  (LO 2)  Challenging   ADA   Public Company   Substantive testing of inventory
a. Gather information: What inventory items would you expect to see in MSIʼs accounts? How would
the cost of each item be calculated?
b.  Analysis: Suggest substantive procedures for each account balance assertion that you would use in
the audit of inventory for MSI.
c. Analysis: What are the implications, if any, of the new inventory costing system for planned uses of
audit data analytics as a substantive test?
Circuits Technology, Inc.

This case has two phases. Question C13.2 is based on Phase I. Question C13.3 is based on Phase II.

Phase I: Company History and Background


You are about to begin the audit of Circuits Technology Inc. (CTI) for the year ended December 31, 2022.
CTI resells, installs, and provides computer networking products (client software, and gateway hardware
and software) to other businesses. Jessica Freeman founded the business in the late 1990s and grew the
business to a stable and profitable enterprise in a major metropolitan area. Jessica owns 60% of the
business and four other shareholders (a brother, a sister, her father, and a friend) own 10% each. The minority
shareholders contributed capital to the company when it was getting started and the owners make up the
board of directors. They usually meet only once a year to discuss dividends to be declared. During the
rest of the year, the minority owners leave the day-to-day management decisions to Jessica, who also has
controlling interest in the company.
The business grew rapidly in the first five years and then it settled into a steady performance
mode. In 2011, during its growth stage, Jessica was approached about merging the business with a
larger company, but she decided that she did not want to merge the company, even if it meant limiting
the growth of the business. CTI was her baby. Jessica enjoyed being CEO, she knew the business
inside and out, and she did not want to be subordinate to someone else. The business was organized as
a Subchapter S Corporation and it was distributing a nice return to shareholders, so family members
and friends were happy with her decisions. Jessica had her fingers in every aspect of the business and
she was boss.
CTI performed solidly until 2019. Then the entire industry became much more competitive. A
significant portion of the demand that had been generated by cloud computing had been met, competition
increased, and the steady business slowed down such that cash flow did not come as easily. Jessica and
her sales staff had to work harder to close deals as the industry became more competitive.
Rob Kaiser, the CFO, began complaining about Jessica’s increasing intrusion into the company’s
finances in late 2020. During the period of steady performance, he and Jessica met quarterly to discuss
the company’s performance and finances. They would go over the entity’s operating performance, its
investing activities, and cash management; the primary focus of attention was the annual distribution of
earnings to shareholders. On occasion, Jessica would want to structure a client contract in a particular
way, or she would come in and insist on an additional discount for a particular customer, but Jessica
generally let Rob manage the finances of the business.
Now things had changed, particularly in the competitive environment where there were numerous
vendors chasing each customer. Jessica regularly discussed the accounting for particular transactions. It
was not uncommon for Jessica to come in and tell someone in accounting to change a sales invoice to
offer a particular price discount to a customer. Further, there were often heated discussions between Rob
and Jessica over the monthly financial statements. Jessica knew the business and sometimes would not
accept his explanations for draft financial statements that showed performance falling below Jessica’s
expectations. She had built the business, was involved in key decisions, and she knew what profit margins
should result. For example, gross margins should not fall below 52% as they did in 2019. In her view, this
was due to problems in the accounting system.
In some cases, Jessica was correct. Accounting was not a high priority. The first priority had
to be sales and customer satisfaction. Jessica swallowed hard when she had to hire Rob, but it was
clear that it would be more cost-effective to hire someone in-house to manage finances than to
subcontract to a CPA firm. However, accounting never had a significant budget. It could invest in
technology and software, but it was always several people short of full staffing for the accounting
system. Rob and his two salaried employees were cross-trained on most aspects of the accounting
system, and everyone worked long hours. As a result, errors happened. The previous audit detected
problems in the purchasing process and some vendors’ invoices had been paid twice. These problems
usually surrounded rush purchases for clients where the vendor was asking for significant upfront
payments. The auditors also noted some cutoff problems in sales and purchases, and proposed an
audit adjustment to the allowance for doubtful accounts. In Rob’s opinion, this was the result of his
department being stretched too thin.
In recent years, Jessica has paid considerable attention to the financial performance in the last two
quarters of the year. Her major concern has focused on the company’s profitability and ability to pay
shareholder distributions. During the year-end close last year, Jessica stopped by Rob’s office daily to
ask about the journal entries being made that day and their impact on earnings. This just added to the
pressure on Rob to “get the job done.”
Rob was also concerned about managing the relationship with First State Bank. Over the years, the
business relationship changed from one where CTI had significant deposits with First State Bank and
used occasional seasonal borrowing, to one where the line of credit has not been retired in the last 18
months. First State Bank, which had previously been satisfied with reviewed financial statements, now
requested audited financial statements. Further, First State Bank established the following debt
covenants.
•  Dividends are restricted to 90% of net income.
•  CTI must keep a minimum current ratio of 2.50:1.
•  CTI must keep a minimum quick ratio of 1.2:1.
•  CTI’s debt-to-equity ratio cannot exceed 1.00:1.
Rob keeps a tight control on cash. An independent bank reconciliation is performed monthly.
Further, Rob closely tracks when vendor payments are due. With the exception of 2020, he has been able
to keep the accounts payable turnover somewhere between 30 and 38 days. Rob would like to collect
receivables faster, but the nature of the company’s service, which involves installation of hardware and
software to the customer’s satisfaction, results in collection periods approaching 90 days. The company
does not rely on programmed control procedures to monitor individual transactions. CTI does not have
the staff to follow up on exception reports that might be generated by the accounting system. The
primary controls in place involve Rob’s independent review of transactions on a monthly basis. In addition,
Jessica keeps a close eye on revenues, expenses, and profit margins, and she demands explanations from
Rob when actual results deviate from her expectations.

C13.2  (LO 2)  Challenging   Risk assessments and substantive tests for inventory
a.  Evaluate the effectiveness of CTI’s control environment.
b.  Assess risk at the financial statement level.
1.  Evaluate inherent risk at the financial statement level.
2.  Evaluate the risk of fraud. Specifically, consider each aspect of the fraud triangle: (i) incentives
and pressures, (ii) opportunity, and (iii) attitudes and rationalization.
c.  What is the potential for the effectiveness of the management performance reviews performed by
Rob and Jessica with respect to the following assertions?
1.  Existence of inventory.
2.  Valuation of inventory and cost of sales.
d.  Prepare a letter with any internal control recommendations that you have for management. Each
specific recommendation should describe the current system, explain the risk involved, and make
specific recommendations for improvement. You may assume that issues have already been discussed
with management regarding the audit adjustments found in prior audits, so focus your attention on
other issues that are of concern to you.

Phase II
CTI prices its inventory at FIFO. You select a random sample of 35 items for price testing and find the
following results as of year-end 2022. The total book value of inventory is $1,027,000. You should assume
that errors exist in the unsampled portion of the population in the same proportion that they exist in the
sample.

| | SKU # | Quantity per Client | Price per Client | Inventory Cost per Client | Quantity per Auditor | Price per Auditor | Inventory Cost per Auditor |
|---|---|---|---|---|---|---|---|
| 1 | 10001 | 6 | $1,252.00 | $7,512.00 | 6 | $1,252.00 | $7,512.00 |
| 2 | 10269 | 4 | $1,275.00 | $5,100.00 | 4 | $1,275.00 | $5,100.00 |
| 3 | 10537 | 7 | $1,279.00 | $8,953.00 | 7 | $1,279.00 | $8,953.00 |
| 4 | 10805 | 8 | $2,200.00 | $17,600.00 | 8 | $1,200.00 | $9,600.00 |
| 5 | 11073 | 3 | $1,400.00 | $4,200.00 | 3 | $1,400.00 | $4,200.00 |
| 6 | 11341 | 8 | $1,410.00 | $11,280.00 | 8 | $1,410.00 | $11,280.00 |
| 7 | 11609 | 4 | $1,400.00 | $5,600.00 | 4 | $1,400.00 | $5,600.00 |
| 8 | 11877 | 9 | $810.00 | $7,290.00 | 9 | $510.00 | $4,590.00 |
| 9 | 12145 | 10 | $750.00 | $7,500.00 | 10 | $500.00 | $5,000.00 |
| 10 | 12413 | 9 | $750.00 | $6,750.00 | 9 | $750.00 | $6,750.00 |
| 11 | 12681 | 8 | $800.00 | $6,400.00 | 8 | $800.00 | $6,400.00 |
| 12 | 12949 | 7 | $1,800.00 | $12,600.00 | 7 | $800.00 | $5,600.00 |
| 13 | 13217 | 4 | $2,750.00 | $11,000.00 | 4 | $1,750.00 | $7,000.00 |
| 14 | 13485 | 5 | $2,750.00 | $13,750.00 | 5 | $1,750.00 | $8,750.00 |
| 15 | 13753 | 6 | $800.00 | $4,800.00 | 6 | $800.00 | $4,800.00 |
| 16 | 14021 | 2 | $800.00 | $1,600.00 | 2 | $800.00 | $1,600.00 |
| 17 | 14289 | 3 | $900.00 | $2,700.00 | 3 | $900.00 | $2,700.00 |
| 18 | 14557 | 1 | $900.00 | $900.00 | 1 | $900.00 | $900.00 |
| 19 | 14825 | 5 | $1,000.00 | $5,000.00 | 5 | $900.00 | $4,500.00 |
| 20 | 15093 | 18 | $1,000.00 | $18,000.00 | 18 | $1,000.00 | $18,000.00 |
| 21 | 15361 | 16 | $1,250.00 | $20,000.00 | 16 | $1,000.00 | $16,000.00 |
| 22 | 15629 | 14 | $1,250.00 | $17,500.00 | 14 | $1,000.00 | $14,000.00 |
| 23 | 15897 | 9 | $2,000.00 | $18,000.00 | 9 | $1,750.00 | $15,750.00 |
| 24 | 16165 | 5 | $2,000.00 | $10,000.00 | 5 | $1,750.00 | $8,750.00 |
| 25 | 16433 | 2 | $3,000.00 | $6,000.00 | 2 | $3,000.00 | $6,000.00 |
| 26 | 16701 | 8 | $250.00 | $2,000.00 | 8 | $250.00 | $2,000.00 |
| 27 | 16969 | 8 | $275.00 | $2,200.00 | 8 | $275.00 | $2,200.00 |
| 28 | 17237 | 8 | $270.00 | $2,160.00 | 8 | $270.00 | $2,160.00 |
| 29 | 17505 | 15 | $200.00 | $3,000.00 | 15 | $100.00 | $1,500.00 |
| 30 | 17773 | 12 | $400.00 | $4,800.00 | 12 | $250.00 | $3,000.00 |
| 31 | 18041 | 12 | $410.00 | $4,920.00 | 12 | $250.00 | $3,000.00 |
| 32 | 18309 | 11 | $400.00 | $4,400.00 | 11 | $310.00 | $3,410.00 |
| 33 | 18577 | 9 | $410.00 | $3,690.00 | 9 | $310.00 | $2,790.00 |
| 34 | 18845 | 6 | $750.00 | $4,500.00 | 6 | $650.00 | $3,900.00 |
| 35 | 19113 | 4 | $750.00 | $3,000.00 | 4 | $750.00 | $3,000.00 |
| Total | | | | $264,705.00 | | | $216,295.00 |

In addition, you find a journal entry where Rob has capitalized half of December’s payroll for
six network installers’ work on two contracts as part of work in progress. The amount of gross payroll
amounts to $15,600 plus 35% for the cost of payroll taxes and benefits. The total of payroll included in
work in process amounted to $21,060. Further investigation shows that the client was billed for all work
performed on those contracts as of December 31, 2022.

C13.3  (LO 2)  Challenging   Further risk assessments and substantive tests for inventory
a.  Evaluate the implications of the evidence you noted above.
1.  What are the implications of your direct findings for fair presentation in the financial statements?
You may assume that it is your best guess that errors found in your sample are representative of
errors that would exist in items that you did not sample.
2.  Based on your findings, what additional audit procedures should be performed, if any?
b. What additional issues do you want to discuss with company management and the board of directors?
Draft your additional management letter comments regarding the issues that you want to discuss
with CTI management, and indicate (in the margin) who you would have the conversations with.
c. As the auditor for CTI, what conversations or correspondence, if any, should you have with First
State Bank?

Brookwood Pines Hospital

Question C13.4 is based on the following case.

Goodfellow and Perkins LLP is a successful mid-tier accounting firm with a large range of clients across
Texas. During 2022, Goodfellow and Perkins gained a new client, Brookwood Pines Hospital, a private,
not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit field
work for the 2023 fiscal year-end. The field work must be completed in time for the audit report to be signed on
August 21, 2023. The balance sheet for Brookwood Pines includes the caption “Property, Plant, and
Equipment.” Goodfellow and Perkins has been asked by the company’s management if audit adjustments or
reclassifications are required for the following material items that have been included in or excluded
from property, plant, and equipment:
1.  A tract of land was acquired during the year. The land is the future site for expansion of the hospital,
which will be constructed in the following year. Commissions were paid to the real estate agent used
to acquire the land, and expenditures were made to relocate the previous owner’s equipment. These
commissions and expenditures were expensed and are excluded from property, plant, and equipment.
2.  Clearing costs were incurred to make the land ready for construction. These costs were included in
property, plant, and equipment.
3.  During the land-clearing process, timber and gravel were recovered and sold. The proceeds from the
sale were recorded as other income and are excluded from property, plant, and equipment.
4.  A group of diagnostic machines was purchased under a royalty agreement that provides royalty
payments based on how often the machines were used to deliver diagnostics services. The cost of the
machines, freight costs, unloading charges, and royalty payments were capitalized and are included
in property, plant, and equipment.

C13.4  (LO 3)  Challenging   Auditing plant assets


a.  Analysis: Identify the relevant assertions for property, plant, and equipment, and indicate the principal
substantive tests pertaining to each.
b.  Evaluate: Indicate whether each of the items numbered 1 to 4 above requires one or more audit
adjustments or reclassifications, and explain why such adjustments or reclassifications are required
or not required. Organize your answers as follows:

Item Number | Is Audit Adjustment or Reclassification Required? (Yes or No) | Reasons Why Audit Adjustment or Reclassification Is Required or Not Required

(AICPA adapted)

The Lewis Company

Question C13.5 is based on the following case.

Lewis Company is a biotechnology company that recently received U.S. Food and Drug Administration
(FDA) approval for a new drug that treats Parkinson’s disease. Sales are showing early signs of success.
On the wave of this success, Lewis Company acquired a patent for a related drug that is designed to treat
Alzheimer’s disease from Brown and Harley, another biotechnology company. Brown and Harley has
completed successful animal tests with the patented drug, known as AZH. Now that Lewis has acquired
the patent, Lewis will have to take the drug through human trials and obtain FDA approval, a process
that could last two to four years.
Lewis agreed to pay Brown and Harley $10 million for the patent on February 29, 2022. Brown and
Harley’s book value associated with the patent was only $500,000. Lewis acquired the patent from Brown
and Harley for $1 million in cash and $9 million in 9% preferred stock redeemable on February 29, 2026.
Lewis accounted for the transaction by debiting an asset account for the patent in the amount of $10 million,
with an intent to amortize the patent over 16 years, the remaining legal life of the patent, crediting
cash for $1 million and crediting stockholders’ equity accounts for $9 million.

C13.5  (LO 4)  Challenging   Auditing financing transactions and balances


a. Gather information: What is the economic substance of the patent acquired by Lewis Company?
In your opinion, has Lewis Company accurately accounted for the investing side of the transaction?
b. Analysis: Describe the audit procedures that you would perform in 2022 to audit the patent. For each
procedure, describe how the procedure satisfies the audit of financial statement assertions.
c. Gather information: What is the economic substance of the preferred stock issued by Lewis
Company? In your opinion, has Lewis Company accurately accounted for the financing side of
the transaction?
d. Analysis: Describe the audit procedures that you would perform in 2022 to audit the preferred
stock. For each procedure, describe how the procedure satisfies the audit of financial statement
assertions.

Cloud 9 - Continuing Case


Answer the following questions based on the information for Cloud 9 presented in the appendix to this text, as well as
the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.
You have obtained the following information about property, plant, and equipment for Cloud 9.

Property, Plant, and Equipment

 | Balance January 31, 2022 | Acquisitions | Disposals | Balance January 31, 2023
Property, plant, and equipment | $100,065,433 | $9,451,131 | $1,813,390 | $107,703,174
Assets audited by W&S Partners | $78,951,627 | $7,468,810 | $1,405,165 | $85,015,272
Assets audited by other auditors | 21,113,806 | 1,982,321 | 408,225 | 22,687,902
Total | $100,065,433 | $9,451,131 | $1,813,390 | $107,703,174

Accumulated Depreciation

 | Beginning January 31, 2022 | Depreciation Expense | Disposals | Ending January 31, 2023
Accumulated depreciation | $37,803,894 | $5,576,162 | $1,153,117 | $42,226,939
Assets audited by W&S Partners | $29,180,183 | $4,383,307 | $895,992 | $32,667,498
Assets audited by other auditors | 8,623,711 | 1,192,855 | 257,125 | 9,559,441
Total | $37,803,894 | $5,576,162 | $1,153,117 | $42,226,939

Required

a. You are auditing the acquisition of property, plant, and equipment. Explain the audit procedures to audit the following assertions.
1.  Occurrence of acquisitions of property, plant, and equipment.
2.  Accuracy of acquisitions of property, plant, and equipment.
3.  Completeness of acquisitions of property, plant, and equipment.

b. You are auditing the disposals of property, plant, and equipment. Explain the audit procedures to audit the following assertions.
1.  Occurrence of disposals of property, plant, and equipment.
2.  Accuracy of disposals of property, plant, and equipment.
3.  Completeness of disposals of property, plant, and equipment.

c. How does auditing the disposals of property, plant, and equipment provide evidence related to depreciation expense?

d. You select the following sample of acquisitions of property, plant, and equipment. What can you conclude about the
acquisitions of property, plant, and equipment from this evidence? Tolerable misstatement for property, plant, and
equipment is $1 million.

Stratum | Book Value of Population | Size of Stratum | Size of Sample | Book Value of Sample | Audited Value of Sample
1 > $750,000 | $2,678,016 | 4 | 4 | $2,678,016 | $3,143,213
2 $250,000 − $750,000 | 2,343,151 | 6 | 3 | 1,231,576 | 1,231,576
3 < $250,000 | 2,447,643 | 27 | 10 | 932,534 | 932,534
Total | $7,468,810 | | | $4,842,126 | $5,307,323
Chapter 14
Completing the Audit
The Audit Process

[Figure: flowchart of the audit process, with the following stages]
•  Overview of Audit and Assurance (Chapter 1)
•  Professionalism and Professional Responsibilities (Chapter 2)
•  Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4): Gaining an Understanding of the Client; Identify Significant Accounts and Transactions; Set Planning Materiality; Gaining an Understanding of the System of Internal Control (Chapter 6); Make Preliminary Risk Assessments
•  Develop Responses to Risk and an Audit Strategy
•  Audit Evidence (Chapter 5)
•  Audit Data Analytics (Chapter 7)
•  Performing Tests of Controls (Chapter 8)
•  Performing Substantive Procedures (Chapter 9)
•  Audit Sampling for Substantive Tests (Chapter 10)
•  Auditing the Revenue Process (Chapter 11)
•  Auditing the Purchasing and Payroll Processes (Chapter 12)
•  Auditing the Balance Sheet and Related Income Accounts (Chapter 13)
•  Completing and Reporting on the Audit (Chapters 14 and 15): Procedures Performed Near the End of the Audit; Drawing Audit Conclusions; Reporting

Learning Objectives

LO 1  Apply the audit procedures used to search for loss contingencies.
LO 2  Distinguish between the two types of material subsequent events and evaluate what effect they have on the financial statements, if any.
LO 3  Describe engagement wrap-up procedures performed at the conclusion of the audit.
LO 4  Evaluate the going concern assumption for a client.
LO 5  Discuss what reporting is required to management and those charged with governance.

Auditing and Assurance Standards

PCAOB

AS 1201  Supervision of the Audit Engagement
AS 1215  Audit Documentation
AS 1220  Engagement Quality Review
AS 1301  Communications with Audit Committees
AS 2401  Consideration of Fraud in a Financial Statement Audit
AS 2415  Consideration of an Entity’s Ability to Continue as a Going Concern
AS 2505  Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments
AS 2801  Subsequent Events
AS 2805  Management Representations
AS 2810  Evaluating Audit Results

Auditing Standards Board

AU-C 220  Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards
AU-C 230  Audit Documentation
AU-C 240  Consideration of Fraud in a Financial Statement Audit
AU-C 250  Consideration of Laws and Regulations in an Audit of Financial Statements
AU-C 260  The Auditor’s Communication with Those Charged with Governance
AU-C 450  Evaluation of Misstatements Identified During the Audit
AU-C 501  Audit Evidence—Specific Considerations for Selected Items
AU-C 520  Analytical Procedures
AU-C 560  Subsequent Events and Subsequently Discovered Facts
AU-C 570  The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
AU-C 580  Written Representations

Cloud 9 - Continuing Case


The partner on the Cloud 9 audit, Jo Wadley, has called a meeting with the audit team (Sharon Gallagher,
Josh Thomas, and Mark Batten) to discuss the completion of the audit. Jo wants to be sure that she is
briefed on all contentious matters so that she can resolve them at the scheduled meetings with Cloud 9’s
audit committee and management.
Sharon, Josh, and Mark hold a preliminary meeting to prepare for the meeting with the partner. On the
agenda are final evidence and misstatements evaluation, search for loss contingencies, subsequent events
procedures and evidence, going concern procedures and assessment, and communication with Cloud 9’s
audit committee.
What issues have arisen with Cloud 9’s audit? How can they make sure the partner is fully prepared for
the meeting with the client’s management?

Chapter Preview: Audit Process in Focus


As the audit is nearing completion, specific procedures must be performed before auditors
can draw an overall conclusion on the audit. In this chapter, we discuss audit procedures for
loss contingencies, subsequent events, and auditing the going concern assumption. We also
describe how auditors revisit key audit planning items, such as materiality, audit risk, and risk
of fraud, to determine if their original assessments are still valid or if adjustments are required
that may alter the nature and extent of audit procedures.
Experienced members of the audit team review working papers to ensure the planned
audit procedures have been performed and properly documented. Auditors evaluate the
misstatements identified throughout the audit and analyze the effect of uncorrected misstatements
on the financial statements as a whole to form the audit opinion. This chapter also
reviews other wrap-up procedures including final analytical procedures, engagement quality
review, and final assembly of the audit documentation. Prior to issuing the audit report, auditors
obtain a representation letter from management and communicate significant findings or
issues from the audit to those charged with governance.

Audit Procedures for Loss Contingencies

Learning Objective 1


Apply the audit procedures used to search for loss contingencies.

Every company, no matter how big or how small, faces risk of events happening today that
have consequences in the future. For example, the explosion of the Deepwater Horizon
offshore oil rig (operated by BP) in 2010 resulted in worker injuries and fatalities and damage
to the environment in the Gulf of Mexico. Many lawsuits against BP followed, and some
are still not resolved almost a decade after the incident. What is the proper accounting treatment
for a situation like this one in which the company could still be liable to many different
groups over an extended period of time? FASB ASC Topic 450, Contingencies, provides
accounting guidance for events, or potential events, that create uncertainty for a company.
FASB defines a loss contingency as an existing condition or situation involving uncertainty
as to possible loss that will ultimately be resolved when one or more future events occur
or fail to occur. Some other examples of a loss contingency include income tax disputes
with the IRS, guarantees of debt of others, threat of expropriation of assets, and pending or
threatening litigation with employees, customers, vendors, or shareholders.

loss contingency  an existing condition or situation involving uncertainty as to possible loss that
will ultimately be resolved when one or more future events occur or fail to occur

To account for a loss contingency, company management must determine the likelihood
that the future event will trigger a loss. FASB ASC Topic 450 classifies the likelihood of loss
contingencies into three categories:
1.  Probable. The future event is likely to occur.
2.  Reasonably possible. The chance of the future event occurring is more than remote but
less than likely.
3.  Remote. The chance of the future event occurring is slight.
If management determines the loss contingency is probable and an amount can be reasonably
estimated, then the company must record a liability and a related expense or loss and disclose
the relevant details of the event in the notes to the financial statements. If the loss contingency
is reasonably possible or the amount cannot be reasonably estimated, then only a disclosure in
the notes is required. If the likelihood of a loss contingency is remote, then nothing needs to
be disclosed in the notes.
Since there is no crystal ball to see into the future, you can appreciate that determining
the likelihood of a loss contingency occurring and trying to estimate a reasonable amount for a
future loss involves significant judgment by management. Therefore, the role of auditors is to
determine if management’s assessment is reasonable, appropriate liabilities have been recorded,
and the disclosures are complete. Auditors should carefully consider the completeness assertion
for loss contingencies. Management may not be sufficiently objective and could fail to identify
loss contingencies or may classify identified contingencies as remote to avoid accruing or disclosing
them. Failing to identify one or more material loss contingencies is a material misstatement.
During the execution of all phases of the audit, the audit team should be watchful for
evidence of any potential loss contingencies. Many of the risk assessment procedures used to
gain an understanding of the entity, the industry, and its environment may identify the possibility
of loss contingencies. Substantive procedures used when testing account balances and
classes of transactions may also bring to light potential loss contingencies. Illustration 14.1
provides examples of audit procedures used during risk assessment and/or risk response that
can reveal the potential risk for loss contingencies.

ILLUSTRATION 14.1  Risk assessment and risk response procedures that may identify loss contingencies

Risk assessment and risk response procedures that can reveal the potential risk for loss contingencies:
1.  Confirming with financial institutions, including guarantees of debt of others.
2.  Inspecting the minutes of board of directors’ meetings.
3.  Inspecting contracts, leases, and correspondence from governmental agencies.
4.  Inspecting tax returns and correspondence with the IRS.
5.  Inquiring of management regarding the completeness of recorded liabilities.
6.  Inquiring of client’s legal counsel.

Toward the end of the audit, auditors perform an inquiry procedure specifically designed to
gather information about loss contingencies arising from litigation, claims, and assessments. Auditors
will communicate directly with the client’s external legal counsel by sending a letter of inquiry,
often referred to as a legal letter. If the client has in-house legal counsel responsible for litigation,
claims, and assessments, a legal letter will also be sent to the in-house legal counsel. Attorneys and
their clients have a privileged relationship. That means attorneys cannot talk about their client’s
cases to anyone without permission from the client. Therefore, before auditors can communicate
with the client’s legal counsel, client management must give permission to the attorneys to discuss
their cases with the auditors. The client grants permission to the attorneys by signing the legal letter.

legal letter  an audit inquiry sent to a client’s external and in-house legal counsel to obtain
information about litigation, assessments, and claims

Legal letters are sent to all attorneys the client paid for legal services. AU-C 501 Audit
Evidence—Specific Considerations for Selected Items and AS 2505 Inquiry of a Client’s Lawyer
Concerning Litigation, Claims, and Assessments provide guidance for the content of the legal
letter. The objective of the legal letter is to gather audit evidence regarding the existence of
uncertainties arising from litigation, claims, and assessments; the time period in which the
cause for the legal action occurred; the probability of an unfavorable outcome for the client;
and an estimate of the potential loss. A legal letter used for the Cloud 9 audit is presented in
Illustration 14.2, followed by explanations of the bracketed numbers. The format and wording
of the letter are dictated by auditing standards, so all auditors will follow the same basic format.

ILLUSTRATION 14.2  Example of legal letter used for Cloud 9 audit

[1] Cloud 9 Inc.

[2] March 1, 2023

[3] Smith, Day, & Jones
18696 11th Street, Suite 5000
Seattle, WA 95686

To Legal Counsel:

[4] In connection with an audit of our financial statements as of January 31, 2023, and for the year
then ended, please furnish our auditors, W&S Partners, P.O. Box 525, Seattle, WA 95688, with the
information requested below concerning contingencies involving matters with respect to which
you have devoted substantial attention on behalf of the company in the form of legal consultation
or representation.

[5] Regarding pending or threatened litigation, claims, and assessments, please include in your
response: (1) the nature of each matter, (2) the progress of each matter to date, (3) how the Company
is responding or intends to respond (for example, to contest the case vigorously or seek an
out-of-court settlement), and (4) an evaluation of the likelihood of an unfavorable outcome and an
estimate, if one can be made, of the amount or range of potential loss. Accordingly, please furnish
to our auditors such explanation, if any, that you consider necessary to supplement the foregoing
information, including an explanation of those matters for which your views may differ from those
of management.

[6] We understand that whenever, in the course of performing legal services for us with respect
to a matter recognized to involve an unasserted possible claim or assessment that may call for
financial statement disclosure, you have formed a professional conclusion that we should disclose
or consider disclosure concerning such possible claim or assessment, as a matter of professional
responsibility to us, you will so advise us and will consult with us concerning the question of such
disclosure and the applicable requirements of FASB ASC 450. Please specifically confirm to our
auditors that our understanding is correct.

[7] Your response should include matters that existed as of January 31, 2023, and during the period
from that date to the effective date of your response. Please specifically identify the nature of and
reasons for any limitations on your response. Our auditors expect to have the audit completed
about March 15, 2023. They would appreciate receiving your reply by that date with a specified
effective date no earlier than March 7, 2023.

Sincerely,

[8] James W. Harley
Chief Executive Officer
Cloud 9 Inc.

Source: AU-C 501.A69 and AS 2505A.

Sections of the letter in Illustration 14.2 are numbered to correspond with the following
explanations:

1. Client letterhead—The legal letter is prepared on the client’s letterhead because the client
must grant permission for the attorneys to respond. Auditors oversee the preparation and
content of the letter and have control over the mailing and receipt of the letter.
2. Date of the letter—The letter is sent about mid-way through the completion of year-end
fieldwork.
3. Name and address of attorneys—A legal letter should be sent to all attorneys the client
hired during the year for legal services. Auditors can obtain a listing by inspecting the
transactions and invoices related to the client’s legal services expense account.
4. Request for information—This paragraph identifies the financial statements under audit
and states a request to supply information directly to the auditors.
5. Response regarding pending or threatened litigation—This paragraph requests that the
attorneys provide a list and description of pending or threatened litigation, claims, and
assessments. Notice auditors are seeking the attorney’s evaluation of the likelihood of an
unfavorable outcome and an estimate, if possible, of the potential loss.
6. Response regarding unasserted claims or assessments—This paragraph requests that the
attorneys confirm their responsibility to inform management of situations that may involve
possible unasserted claims or assessments that may require disclosure. Notice the
reference to the applicable financial reporting framework, which for Cloud 9 is GAAP.
7. Time frame for preparing the response—This paragraph specifies the time parameters for
the attorney’s response. The response should include matters that existed at January 31,
2023, and any matters after year-end up to the date of the attorney’s response letter. Ideally,
the date of the attorney’s response should coincide with the end of fieldwork, in this
case March 15, 2023, or very close to that date. Also, this paragraph requests the attorneys
state any reasons for limitations on their response.
8.  Signature—The letter is signed by the client’s chief executive officer.

The nature of the legal environment in the United States is such that it could take years
for a lawsuit or other action to be settled and/or resolved. Therefore, it may not be possible for
the legal counsel to evaluate the time frame of an outcome or a reasonable amount for a loss.
In many cases, just disclosure of the pending litigation, rather than accrual in the financial
statements, is the appropriate way to account for the uncertainty. (See the following Profes-
sional Environment segment for a real-world example.) If the attorneys refuse to respond
appropriately to the legal letter, then it is considered a limitation on the scope of the audit,
which may impact the opinion in the auditor’s report. If auditors cannot gather sufficient
appropriate evidence regarding loss contingencies, then it may not be possible to issue an
unmodified opinion. Situations causing modifications to the audit report will be discussed
in Chapter 15.

Professional Environment  Litigation Contingencies


Large publicly traded companies are under great scrutiny, not only by regulators such as the SEC but
also by the public. Therefore, it is no surprise that large companies typically have legal issues in
process all the time, such as contract negotiations or disputes with suppliers or customers and hiring
or firing issues with employees. A majority of these issues are immaterial to the financial statements
as a whole and do not garner public attention through media outlets or disclosure in the financial
statements. A common practice by companies is to include a generic disclosure in the financial
statements to inform financial statement readers that various legal matters are ongoing. For example,
the following statement is from Note 15 in the fiscal year 2017 Starbucks annual report that was filed
with the SEC:

    Starbucks is party to various other legal proceedings arising in the ordinary course of business,
    including, at times, certain employment litigation cases that have been certified as class or
    collective actions, but is not currently a party to any legal proceeding that management believes
    could have a material adverse effect on our consolidated financial position, results of operations
    or cash flows.

A disclosure like this one alerts the public that legal matters are an ordinary part of conducting
business, but at the present time there is no expectation that any of the legal matters could have a
material impact on the financial statements. Investors can access the annual reports of public companies
online and find disclosures similar to this one in the notes of many companies.

Starbucks did have a material litigation contingency that was first disclosed in the fiscal year 2011
financial statements. Starbucks and Kraft had entered into a contract in 2004 for Kraft to manage the
distribution, marketing, advertising, and promotion of Starbucks products. By the end of 2010, the two
parties were in dispute. Starbucks claimed that Kraft materially breached their contract, and therefore
Starbucks was discontinuing the distribution agreement. Here is an excerpt from Note 15 of the Starbucks
fiscal year 2011 financial statements (emphasis added):

    While Starbucks believes we have valid claims of material breach by Kraft under the Agreement that
    allowed us to terminate the Agreement and certain other relationships with Kraft without compensation
    to Kraft, there exists the possibility of material adverse outcomes to Starbucks in the arbitration
    or to resolve the matter. At this time, the Company is unable to estimate the range of possible
    outcomes with respect to the arbitration as we have not received any statement or articulation of
    damages from Kraft nor have we estimated the damages to Starbucks caused by Kraft’s breaches.
    Information in this regard will be provided during the discovery process and is currently expected
    to be available in late March or early April 2012.

In the Starbucks fiscal year 2012 financial statements, an update of the dispute with Kraft was provided
in Note 15. More information was provided regarding the amount of damages Kraft was seeking, but the
dispute had not been resolved by the time the financial statements were issued. Starbucks did not accrue
any loss contingencies because it determined the amount of the possible loss could not be reasonably
estimated. An excerpt from the note is provided below (emphasis added). Notice the use of the terms from
FASB ASC 450, such as “probable” and “reasonably possible.”

    On April 2, 2012, Starbucks and Kraft exchanged expert reports regarding alleged damages on their
    affirmative claims. Starbucks claimed damages of up to $62.9 million from the loss of sales resulting
    from Kraft’s failure to use commercially reasonable efforts to market Starbucks® coffee, plus attorney
    fees. Kraft’s expert opined that the fair market value of the Agreement was $1.9 billion. After
    applying a 35% premium and 9% interest, Kraft claimed damages of up to $2.9 billion, plus attorney
    fees. The arbitration hearing commenced on July 11, 2012 and was completed on August 3. Starbucks
    presented evidence of material breaches on Kraft’s part and sought nominal damages from Kraft for
    those breaches. Kraft presented evidence denying it had breached the parties’ Agreement and sought
    damages of $2.9 billion plus attorney fees. We expect a decision from the Arbitrator in the first
    half of fiscal 2013.

    At this time, Starbucks believes an unfavorable outcome with respect to the arbitration is not
    probable, but as noted above is reasonably possible. As also noted above, Starbucks believes we have
    valid claims of material breach by Kraft under the Agreement that allowed us to terminate the
    Agreement without compensation to Kraft. In addition, Starbucks believes Kraft’s damage estimates are
    highly inflated and based upon faulty analysis. As a result, we cannot reasonably estimate the
    possible loss. Accordingly, no loss contingency has been recorded for this matter.

In the Starbucks fiscal year 2013 financial statements, another update of the dispute with Kraft was
provided in Note 15. The results from the arbitration were released. When two parties agree to let a
dispute be settled with arbitration, the decision from the arbitration is considered final. In other
words, there is no appeal process by either party. Here is an excerpt from Note 15, fiscal year 2013:

    On November 12, 2013, the arbitrator ordered Starbucks to pay Kraft $2,227.5 million in damages plus
    prejudgment interest and attorney’s fees. We have estimated prejudgement interest, which includes an
    accrual through the estimated payment date, and attorneys’ fees to be approximately $556.6 million.
    As a result, we recorded a litigation charge (expense) of $2,784.1 million in our fiscal year 2013
    operating results.

The dispute was settled after being disclosed for two years. The outcome was definitely unfavorable for
Starbucks since it was ordered to pay cash of $2.2 billion plus interest and attorney’s fees to Kraft.
This is a great example of the uncertainty involved with litigation disputes and the subjectivity
involved with determining if a potential loss contingency should be accrued or just disclosed.

Cloud 9 - Continuing Case


Josh (senior) mailed out the legal letters two weeks prior to the expected completion of fieldwork date.
He sent letters to all attorneys that Cloud 9 paid for legal services during the year. All responses have
been received from the attorneys. Based on the responses, there do not seem to be any pending legal issues
that would have a material effect on Cloud 9’s financial statements.

Before You Go On
1.1  What is a loss contingency? Provide an example.
1.2  Explain the audit procedures used to identify loss contingencies.
1.3  List three items that are included in a legal letter and explain why each is important.

Subsequent Events

Learning Objective 2


Distinguish between the two types of material subsequent events and evaluate
what effect they have on the financial statements, if any.

The financial statements are prepared by client management on the basis of conditions
existing at year-end, which would be December 31 for a calendar-year entity. As you have
learned in previous chapters, many of the substantive audit procedures are performed after
the year-end date and up through the date of the audit report. How long is this period
of time between year-end and the audit report? The answer depends on whether the audit
is for a public company or private company. For public companies, the SEC has strict
deadlines for the filing of Form 10-K, which is the document that contains the company’s
audited annual financial statements. Illustration 14.3 summarizes the SEC’s filing deadlines
for Form 10-K. For private companies, the timeline for completion of an audit varies
widely, depending on the needs of the users of the financial statements. The most common
user of a private company’s financial statements is a bank or other lender. Typically,
debt covenants require audited financial statements anywhere from 90–120 days after the
company’s year-end.

ILLUSTRATION 14.3  Public company filing deadlines for Form 10-K

Category of Filer | Deadline to File
Large accelerated filer ($700 million* or more) | 60 days from fiscal year-end
Accelerated filer ($75 million* or more but < $700 million*) | 75 days from fiscal year-end
Non-accelerated filer (<$75 million*) | 90 days from fiscal year-end

*Amounts refer to worldwide market value of outstanding voting and non-voting common equity held by
non-affiliates.
Source: https://www.sec.gov/answers/form10k.htm.

Since auditors usually conduct part of the audit during the 60–90 day period after year-end,
they should be alert to certain subsequent events that may occur between the date of
the financial statements and the date of the auditor’s report. Illustration 14.4 illustrates an
example of the subsequent period for a calendar-year client whose audit is completed no more
than 60 days after year-end. Some subsequent events may affect amounts that are included in
the year-end financial statements. AU-C 560 Subsequent Events and Subsequently Discovered
Facts and AS 2801 Subsequent Events address the auditor’s responsibilities related to subsequent
events. The standards distinguish between two types of subsequent events as follows:

•  Type I subsequent event—event that provides evidence of conditions that existed at
the date of the financial statements. A Type I event requires an adjustment to the financial
statements.
•  Type II subsequent event—event that provides evidence of conditions that arose after
the date of the financial statements. A Type II event does not require an adjustment to the
financial statements but may require disclosure in the notes to the financial statements.

subsequent events  events occurring between the date of the financial statements and the date
of the auditor’s report

Type I subsequent events  conditions that existed at the date of the financial statements
and require adjustment to the financial statements

Type II subsequent events  conditions that arose after the date of the financial statements
and may require disclosure in the notes to the financial statements

ILLUSTRATION 14.4   Illustration of the subsequent period for a calendar-year client

[Timeline: 1/1/2022 to 12/31/2022 is the period covered by the 2022 financial statements;
12/31/2022 to 2/15/2023 is the subsequent period; 2/15/2023 is the end of fieldwork/date of
auditor’s report.]

An example of a Type I event would be the bankruptcy of a client’s customer after year-end
as a result of poor financial condition that existed as of the balance sheet date. If the
customer has a large accounts receivable balance on the client’s year-end balance sheet, then
management needs to reconsider the adequacy of the allowance for doubtful accounts. The
allowance balance and the related bad debt expense may need to be increased. Another example
would be the client receiving payment from an insurance company after year-end in resolution
of a claim that was still in negotiations at year-end. Since the outcome of the negotiation
was in favor of the client, management should establish a receivable at year-end.
Type II subsequent events represent conditions and events that did not exist as of the
balance sheet date and do not require adjustment to the financial statements, but may be of
such significance as to require disclosure in the financial statements. For example, shortly
after year-end, management commits to purchasing another business. Purchasing another
business will probably add significant assets and debt to the balance sheet and may result in
changing the capital structure of the client. This commitment is significant and should be
mentioned in the notes. Another example would be the loss of a building or inventory as a
result of a fire or flood after year-end, and the client is underinsured. The situation, and an
estimate of the amount of loss not covered by insurance, should be disclosed in the notes.

Audit Reasoning Example  Subsequent Event

Imperial Coffees, Inc. is a coffee roaster and sells its coffee directly through grocery stores,
restaurants, and corporate-owned coffee cafes. For almost a decade, Imperial has experienced explosive
growth and has acquired smaller coffee roasters all over the United States and some international
locations. Imperial’s most recent fiscal year just ended, and its auditors are completing year-end
fieldwork. Jorge is an audit manager on the audit team and meets with Stephanie, Imperial’s
CFO, one month after year-end. Jorge says, “I know the board of directors just had its monthly
meeting. Are the minutes from the meeting available for me to review?” “Yes, I have them right
here,” says Stephanie. “I’ll go ahead and tell you the most important item that was discussed. The
board has decided to acquire the largest coffee roaster in Nicaragua, Central America. The
acquisition process will take several months, but should be completed this year. The board feels this is
an excellent strategic move because Nicaragua is the twelfth-largest coffee producer in the world.
Having operations in Nicaragua could help form strategic alliances with the coffee growers there,
which could lead to reduced costs for some of our coffee supply.”
Jorge relays this news to his audit team. Jorge asks Lincoln, a first-year audit associate, if
this event impacts the financial statements they are currently auditing. Lincoln says, “Well, it is
definitely important news that stakeholders should know about. But since the acquisition hasn’t
happened yet, I don’t think it should affect any accounts on the financial statements for the most
recent fiscal year. I do think it should be disclosed in the financial statements since the board has
made the decision and the financials have not yet been issued. Imperial management should draft
a disclosure to include in the notes to the financial statements.” “You are correct, Lincoln,” says
Jorge. “This is called a Type II subsequent event. Management will draft the disclosure and we
will review it.”

The objective of the auditors is to obtain sufficient appropriate audit evidence about
whether events occurring after the balance sheet date but before the auditor’s report date have
been identified and properly accounted for, if necessary. In the course of performing planned
substantive procedures after year-end, auditors may identify subsequent events. Auditing
standards require auditors to also conduct specific audit procedures to identify subsequent
events that may occur up through the date of the auditor’s report. Specific audit procedures to
identify subsequent events include:

•  Obtaining an understanding of how management identifies subsequent events.


•  Inquiring of management and, if necessary, those charged with governance about
whether subsequent events have occurred that may impact the financial statements.
•  Reading the minutes of manager meetings and/or board of directors’ meetings that have
been held after the date of the financial statements.
•  Reading the client’s subsequent interim financial statements, if available, and other data
such as budgets and cash flow forecasts.
•  Scanning manually, or through the use of generalized audit software, sales and receipts
journals or other accounting records relating to transactions that have occurred after the
date of the financial statements.
•  Inquiring of the client’s legal counsel regarding litigation, claims, and assessments (see
“Audit Procedures for Loss Contingencies” in this chapter).

When conducting inquiries of management and those charged with governance, auditors
inquire about the current status of items that were accounted for on preliminary or estimated
data at the date of the financial statements. Circumstances or events may have occurred
after year-end that would affect estimates or assumptions used at the financial statement
date. Illustration 14.5 provides examples of inquiries of management on specific matters.
The nature of the specific procedures performed for the subsequent events review will
depend on the individual circumstances of each client. Auditors will also rely heavily on their
knowledge of the client’s business gained during the risk assessment phase of the audit. If
auditors identify subsequent events that require adjustment to, or disclosure in, the financial
statements, they must determine if each event has been properly reflected in the financial
statements as required by the appropriate financial reporting framework. If management refuses
to make an adjustment or a disclosure that is required for the financial statements to be fairly
presented, auditors would not be able to issue an unmodified audit report. Situations that
prevent the issuance of an unmodified audit report will be covered in more depth in Chapter 15.

ILLUSTRATION 14.5   Examples of inquiries of management regarding subsequent events

Inquiries of management regarding subsequent events:
•  Has the company entered into new commitments, borrowings, or guarantees?
•  Have sales occurred or are sales planned that may affect the carrying value or classification
of assets?
•  Are there any plans to issue new shares or debt instruments (debentures)?
•  Have any assets been seized (or appropriated) by the government or destroyed by natural
disaster?
•  Has any change in ownership occurred or is it contemplated?
•  Have any unusual accounting adjustments been made or are they contemplated?
•  Have any developments occurred regarding risk areas and contingencies?
•  Have there been any significant assessments by tax authorities regarding tax assessments,
fines, and penalties?
•  Have any events occurred that are relevant to the measurement of estimates or provisions
made in the financial statements?

Source: AU-C 560.A6

Cloud 9 - Continuing Case


Procedures to search for subsequent events at Cloud 9 are documented in the audit program.
These include a review of minutes of board meetings in January, February, and March, and analysis
of the interim results for these months (including analytical procedures). The partner, Jo Wadley,
will also formally ask management about any subsequent events that have come to management’s
attention in the meetings held between year-end and the audit report date. For example, does
Cloud 9 have any plans to issue additional stock? Have there been any significant tax assessments
or fines? Has Cloud 9 entered into any additional borrowings or contracts? The CFO tells Jo that
Cloud 9 is in the process of signing a five-year purchase commitment with a new supplier located in
Colombia, South America. The paperwork should be complete by the next day. The purchase
commitment locks in a good price for some of Cloud 9’s raw materials. Cloud 9 is predicting that
prices of some of its raw materials will be rising over the next few years, so locking in a
commitment now can help save costs in the future. Jo relays information about this subsequent event
back to the team. They will need to confirm the details of the contract and review Cloud 9’s
disclosure of this Type II subsequent event.

Before You Go On
2.1 Describe the two types of subsequent events that must be considered as part of the audit of
the financial statements. Explain each type of subsequent event with an example.
2.2 Explain two types of subsequent events procedures an auditor may perform to identify a
subsequent event.

Engagement Wrap-Up

Learning Objective 3

Describe engagement wrap-up procedures performed at the conclusion of the audit.

After performing audit procedures related to loss contingencies and subsequent events,
auditors are in a position to start wrapping up the audit. This is the audit team’s last chance to
evaluate audit evidence before forming an opinion on the financial statements and determining
the appropriate independent auditor’s report to issue. This section will address conducting
final analytical procedures, final evaluation of audit findings, completion of working paper
reviews, engagement quality review, and completion of documentation.

Final Analytical Procedures


We have discussed the requirement of using analytical procedures during the risk assessment
phase to identify risk and help auditors to gain an understanding of the client (Chapter 4).
During the risk response phase, analytical procedures can be used, but are not required, as a
substantive test to gather audit evidence (Chapter 9). AU-C 520 Analytical Procedures and AS
2810 Evaluating Audit Results require that analytical procedures be used once again near the
end of the audit to assist the auditor in forming an overall conclusion about whether the financial
statements are consistent with the auditor’s understanding of the entity. At the end of the
audit, this is the auditor’s last opportunity to evaluate the reasonableness of the final financial
statements that reflect any audit adjustments recommended by the auditor and accepted by
the client. The actual analytical procedures performed will depend on auditor judgment
and may vary by client. The procedures may include ratio analysis, trend analysis, and other
analytical procedures as discussed in Chapter 4.
The final analytical procedures are intended to corroborate audit evidence obtained
during the audit and to confirm the financial statements are consistent with the auditor’s
revised expectations based on evidence evaluated during the audit. For example, based on
evidence gathered regarding the valuation of inventory for a computer manufacturing client,
auditors would recommend a significant adjustment to mark down obsolete inventory. Once
the client makes the adjustment, auditors would expect to see a lower value for inventory
due to the markdown adjustment and a loss on the income statement. Auditors also consider
industry factors when performing final analytical procedures. For example, if the computer
manufacturing industry as a whole is experiencing a decline in revenue, auditors would expect
the client would also reflect a similar trend. If the financial statements are not consistent
with the auditor’s expectations, auditors may need to perform additional audit procedures to
gather more audit evidence to reduce the risk of material misstatement to an acceptable level.

Final Evaluation of Audit Findings


At the conclusion of the audit, auditors (1) reevaluate materiality decisions made during the
audit; (2) reevaluate audit risks based on audit findings, including inherent risk, control risk,
and fraud risk; and (3) evaluate misstatements found during the audit.

Final Evaluation of Materiality


At the conclusion of the audit, auditors revisit the materiality level determined at the beginning
of the audit to ensure it is still appropriate based on the results of audit procedures.
Recall from Chapter 3 that materiality is first considered in the planning phase of the audit.
During the execution of the audit, materiality, as a whole or for a specific account or class of
transactions, may be revised if auditors become aware of new information that would have
caused them to determine a different level of materiality. For example, during the audit of
sales transactions, the client informs the auditors that sales returns for the fourth quarter are
higher than normal due to a manufacturing error in some batches of the product. Customers
are returning the defective product and the client is giving them a new product at no charge.
Because of this situation, auditors may decide to lower the performance materiality level for
the occurrence and accuracy assertions for sales transactions and adjust the nature or extent
of their audit procedures. As this example illustrates, any significant revisions to materiality
are likely to be made prior to the final evaluation of audit findings. However, if near the end
of the audit it is determined that a lower level of overall materiality is appropriate, auditors
would consider if sufficient appropriate evidence has been obtained. If the answer is no, they
would determine the nature and extent of further audit procedures to perform to obtain more
audit evidence.

Final Evaluation of Inherent Risk, Control Risk, and Fraud Risk


When planning an audit, auditors identify the presence or absence of factors related to inherent
risk, the five components of internal control (discussed in Chapter 6), and risk of
fraud (discussed in Chapter 3), and then make their initial assessment of control and fraud
risks. Throughout the audit, they consider whether additional factors or risks are present and
whether they need to revise their assessments of inherent risk, control risk, and fraud risk
at the entity and transaction levels (discussed in Chapter 6). Auditors specifically reconsider
their assessment of control risk at the entity level when they become aware of significant
changes in the client’s system of internal control and after they perform tests of controls.
When the results of substantive procedures identify misstatements, auditors consider
whether the misstatements may indicate the need to reevaluate inherent risk, control risk, or
fraud risk. For example, suppose auditors send accounts receivable confirmations to 100 customers
to test the existence assertion. All 100 confirmations are returned, but 75 of the customers
report overstatement errors. This is a surprising result for the auditors. They had tested
internal controls over the sales and accounts receivable processes and concluded that controls
were effective. How could there be so many overstatement errors if controls are effective? Perhaps
they overlooked something during tests of controls. What if the sample used for a test of
controls was not representative of the population? The next course of action would be to reevaluate
relevant internal controls by gathering additional evidence. Additional evidence may
support the conclusion that a significant deficiency or material weakness exists in controls over
the sales and accounts receivable process. If controls are weak, auditors will increase the control
risk assessment and perform additional substantive tests to detect material misstatements.
If it is determined that fraud is the cause of misstatements in an account or class of
transactions, it does not matter if the misstatements are material or immaterial because fraud
typically does not occur as an isolated incident. The discovery of fraud causes auditors to
reevaluate their assessment of risk, materiality level, and the nature and extent of audit procedures
that have been performed. They also question their previous assessment of management
and employee integrity, especially if the fraud involves senior management.
When fraud is discovered, auditors gather sufficient appropriate evidence to support their
conclusion. When auditors determine that an employee has committed fraud (either misappropriation
of assets or fraudulent financial reporting), they evaluate the scope of the employee’s
responsibilities and whether fraud may also have occurred in other audit areas subject to
the employee’s control. For example, if a divisional controller were responsible for premature
revenue recognition, he or she might be in a position to engage in other inappropriate earnings
management activities (such as capitalizing items that should be expensed) that could
result in material misstatements of the financial statements.

Audit Reasoning Example  Discovery of Fraud


Tiny Tots, Inc. (TT) designs and manufactures infant and toddler clothing and is headquartered
in suburban Chicago, Illinois. TT has approximately 300 suppliers of its raw materials. During
interim, the audit team tested internal controls over purchasing and concluded that controls were
strong. Substantive tests for the purchasing process were also performed at interim and included
tests of details of transactions for the first three quarters. No material misstatements were
detected during the interim procedures.
It is now year-end, and Lorene, an audit associate, is performing substantive procedures on
the purchases and accounts payable function for fourth-quarter transactions. She has selected a
sample of 50 recorded purchase transactions from the fourth quarter and vouched them to supporting
documentation (purchase order, receiving report, and vendor invoice). Five of the transactions
are with a new vendor who was added to the approved vendor list during the fourth quarter.
Lorene notices that the new vendor supplies thread to TT and is located in Chicago, which
she finds a bit unusual. Most of TT’s suppliers are located in foreign countries or other parts
of the United States. Lorene decides to Google the vendor to find out more about it; however,
the Google search shows no results for a company of that name in Chicago. She then opens her
Google maps app and enters the address shown on the vendor invoice. To Lorene’s surprise,
the address is a residential address in a Chicago suburb. Lorene tells the senior associate, Jack,
about what she has discovered.
Upon further examination, the audit team discovers that a purchasing clerk and accounts payable
clerk colluded to create a fictitious vendor for the purpose of misappropriating assets. The
address for the fictitious vendor belonged to the brother of the accounts payable clerk. Although the
checks that were written to the fictitious vendor were not material, the audit team reconsiders the
assessment of control risk. If controls were assessed as strong during interim testing, then how were
employees able to override the controls and create a fictitious vendor? Could there be a significant
deficiency or material weakness in internal control? Could other transactions be fraudulent? The
audit team will perform additional work regarding the controls over purchasing and accounts payable.

AS 2401 Consideration of Fraud in a Financial Statement Audit and AU-C 240 Consideration
of Fraud in a Financial Statement Audit require auditors to report fraud to a level of
management at least one level above the level where the fraud occurred. If the fraud involves
senior management, auditors report it to those charged with governance, such as the audit
committee of the board of directors. From there, the responsibility falls on management or
those charged with governance to take action to address the fraud. Action may include calling
the proper law enforcement agency and/or firing the employee(s) involved in the fraud. If
management or those charged with governance fail to take action in a timely manner, auditors
should consider withdrawing from the engagement.
In some cases, auditors may determine that fraud is so pervasive in the business they
are unable to complete their audit procedures, or the fraud will have such an impact on the
client’s reputation they no longer wish to have the company as a client. In these rare cases,
any decision to withdraw from the engagement is not taken lightly, and extensive consultation
both internally within the audit firm and externally with the audit firm’s legal counsel will
occur before any action is taken. If the auditors withdraw, they will inform the appropriate level
of management or those charged with governance and provide reasons for the withdrawal.
If the client is a public company, management must report a change of auditors, and the reason
for the change, to the SEC using Form 8-K.

Professional Environment  Forensic Accounting


One of the more popular television genres in recent years has been crime with a heavy reliance
on forensic science to solve cases (for example, the CSI franchise). The programs are so popular
there are claims that they have led to a jump in enrollments in forensic science courses.
According to an analysis of the demand for forensic accounting courses, interest in forensic
accounting has also never been higher, although this is more likely due to the fall-out from
high-profile corporate collapses such as Enron and WorldCom than from any television program.[1]
Some auditors claim that these cases have made boards of directors more aware of their liability
for fraud.[2] If a problem is brought to their attention, they appear to be more willing to order
an investigation, and forensic accountants are called in to do the work.

Another potential cause of the increased interest in forensic accounting is terrorism. Since the
tragedy of 9/11, tracing the money trail behind terrorism has been a high priority for security
agencies.[3] Forensic accounting expertise is similar to auditing in the sense that both rely on
a deep understanding of double-entry accounting plus a large dose of other skills and attributes.
In the case of forensic accounting, these include expert knowledge of legal systems and interview
techniques. However, at its heart, forensic accounting relies on accounting knowledge because some
fraudsters go to great lengths to hide their trail and a knowledge of double-entry bookkeeping is
necessary to keep up.[4]

Forensic accountants need to have an eye on how their findings will be used in court. In fact,
“forensic” means something that will be used, or is suitable to be used, in courts of law. In the
past, most forensic accounting work related to appearances in court as expert witnesses for
personal injury or divorce cases.[5] Now, forensic accounting practices focus more on
investigation, fraud risk management, anti-money laundering, and computer forensics.[6]

The Association of Certified Fraud Examiners (ACFE), an association for accountants specializing
in detecting fraud, has experienced a sharp rise in membership over the last few years.[7] The
fraud investigators say they have been trying for years to get regulators interested in
investigating potential fraud cases, such as the Madoff Ponzi scheme. Now, they say they have
noticed a recent increase in community appreciation of their work.[8]

[1] C. Long, “Forensic Frenzy,” Charter, 78, no. 5 (June, 2007), pp. 20–22.
[2] Long, 2007.
[3] See for example, information about forensic accounting at www.forensic-accounting-information.com.
[4] Long, 2007.
[5] Long, 2007.
[6] Long, 2007.
[7] Association of Certified Fraud Examiners 2010, www.acfe.com.
[8] G. Zuckerman, “For Group of Skeptics, the truth is Out There,” The Wall Street Journal (August 8, 2009).
http://webreprints.djreprints.com/2246630965260.html.

Evaluation of Misstatements Identified During the Audit


AU-C 450 Evaluation of Misstatements Identified During the Audit classifies misstatements into
three categories: factual, judgmental, and projected misstatements (see Chapters 9 and 10).
As misstatements are identified and accumulated during the audit, it is important for auditors
to communicate misstatements to management in a timely manner so action can be taken to
correct the misstatements. Auditors typically request that management make adjusting entries
to correct all factual misstatements since there should not be any disagreements with
management regarding factual misstatements.
Factual misstatements are misstatements that are known with certainty. This may include
misstatements found with the application of audit data analytics in which auditors use software
to screen the entire population. It may also include the audit of 100% of a population that has
relatively few sampling units, such as notes payable. When auditors audit the entire population,
they can draw a conclusion with certainty about the misstatements found in the population.
Judgmental misstatements typically involve accounting estimates in which uncertainty
is a factor. After performing audit procedures, auditors may determine a different amount for
an accounting estimate than management. For example, suppose auditors estimate a different
amount for a fair value estimate of goodwill than management. They will request that management
review the assumptions and methods that were used in determining its estimate. After reviewing
the estimate, management may decide to adjust its estimate or not adjust. Any difference
between what management decides to record and what the auditor recommends should be recorded
would be considered a misstatement. Auditors document discussions with management
about the issue, including management’s reasons for not making recommended adjustments.
Projected misstatements are the result of audit sampling, which was discussed in Chapter
10. If misstatements are found in an audit sample, auditors use appropriate statistical or
nonstatistical methods to project the sample misstatement to the entire population. If the projected
misstatement is material, they request that management examine the population of transactions to
understand the cause of the misstatement and make appropriate adjustments to the affected
accounts. After management makes adjusting entries to correct the misstatements, auditors should
perform additional audit procedures to determine if any misstatements still remain.

Evaluation of Uncorrected Misstatements


During the final evaluation, auditors evaluate the effect of uncorrected misstatements on the
financial statements. Typically, management makes adjustments for material misstatements
but may decide not to correct some immaterial misstatements. For uncorrected misstatements,
auditors obtain an understanding of management’s reasons for not making the corrections.
They take management’s reasoning into consideration when evaluating the overall effect of
uncorrected misstatements on the financial statements as a whole.
When evaluating the effect of uncorrected misstatements, both quantitative and qualitative
factors are considered. Uncorrected, immaterial misstatements should be aggregated to determine
if, in total, they exceed the materiality level for the financial statements as a whole or the
materiality level for a class of transactions, account balance, or disclosure. Also, the cumulative effect of
uncorrected, immaterial misstatements from prior periods, if any, should be considered for their
effect on the current year financial statements. Typically, uncorrected, immaterial misstatements
from a prior period are expected to “reverse” in the next period. For example, if purchases are
understated due to a cutoff error in the prior period, the misstatement is considered to reverse in the
following period in which purchases would be overstated. The two immaterial errors would offset
each other over the two-year period. Prior period immaterial, uncorrected misstatements that do
not reverse should be accumulated with current period uncorrected immaterial misstatements to
determine if the combined total is material to the current year financial statements.
Illustration 14.6 provides an example of a working paper analysis of likely misstatements
for the New Millennium Ecoproducts audit. The first section of the working paper shows the
uncorrected overstatement of depreciation expense and the different accounts affected by
the overstatement. The second section shows projected uncorrected misstatements that are
the result of an overstatement of ending inventory discovered from statistical sampling. The
bottom section totals the aggregate likely misstatements by financial statement category.
The aggregate likely misstatement is divided by the related total from the final trial balance
to arrive at the aggregate likely misstatement percentage. For example, the aggregate likely
misstatement for current assets of $8,000 is divided by the final trial balance total current
assets of $400,000. The result is 2.0%, which means the aggregate likely misstatement for
current assets is 2.0% of the total current assets. The conclusion of the auditors is at the bottom of
the working paper and states that all of the likely misstatements are deemed to be immaterial.

ILLUSTRATION 14.6   Analysis of aggregate likely misstatement working paper

Client: New Millennium Ecoproducts              W/P Ref. A-5
Analysis of Aggregate Likely Misstatements      Prepared by: A.E.R.   Date: 2/25/23
Period-end: December 31, 2022                   Reviewed by: R.E.G.   Date: 2/26/23

Debit (Credit)

                   Description               Assets        Assets        Liabilities   Liabilities   Stockholders’ Pretax        Income Tax
W/P Ref  Acct. No  Acquired                  Current       Noncurrent    Current       Noncurrent    Equity        Earnings      Expense

Uncorrected Known Misstatements:
Overstatement of Depreciation Expense
D-1      1590      Accumulated Depreciation                $3,500
         4590      Depreciation Expense                                                              $(3,500)      $(3,500)
         2295      Income Tax Payable                                    $(1,225)                    $1,225                      $1,225

Uncorrected Projected Misstatement:
Overstatement of Ending Inventory Projected from Statistical Sample
C-1      4200      Cost of Goods Sold
         1200      Inventory                 $(8,000)                                                $8,000        $8,000
         2295      Income Tax Payable                                    $2,800                      $(2,800)                    $(2,800)

Aggregate Likely Misstatement                $(8,000)      $3,500        $1,575        $0            $2,925        $4,500        $(1,575)
Final Balance from Trial Balance             $400,000      $735,000      $225,000      $375,000      $535,000      $150,000      $75,000
Aggregate Likely Misstatement %              2.0%          0.5%          0.7%          0.0%          0.5%          3.0%          2.1%

Conclusion: The likely misstatements listed above are deemed to be immaterial, either individually or in their aggregate effects on the
individual accounts, the financial statements categories, or the financial statement totals to which they relate.

If uncorrected, immaterial misstatements do not exceed materiality for the financial
statements as a whole or at the class of transactions, account balance, or disclosure level,
there may be qualitative characteristics that cause auditors to evaluate them as material. For
example, if an immaterial misstatement is the result of fraud, auditors consider the impact on
other areas of the audit, as discussed in the above section “Reconsider Assessment of Control
Risk and Risk of Fraud.” Qualitative characteristics will vary by client and by circumstance.
Illustration 14.7 lists examples of situations that cause auditors to consider an uncorrected
misstatement material based on a qualitative characteristic.

ILLUSTRATION 14.7   Examples of qualitative characteristics of immaterial misstatements

Qualitative characteristics of immaterial misstatements:
•  Affects compliance with regulatory requirements.
•  Has the effect of increasing management compensation.
•  Relates to items involving particular parties, such as individuals related to management.
•  Changes a loss to income or income to loss.
•  Affects compliance with debt covenants or other contracts.
•  Results from the occurrence of fraud.
•  Relates to the incorrect application of an accounting policy that is likely to have a material
effect on future periods.
•  Affects whether the company meets a financial benchmark, such as analyst forecasts of earnings
per share.

Source: AU-C 450.A23.



The working papers include documentation of all misstatements accumulated during the
audit and whether they have been corrected. For the uncorrected misstatements, auditors
should thoroughly document the basis for their conclusions about whether the uncorrected
misstatements are material individually or in the aggregate. In Chapter 15, we discuss the
effect on the auditor’s report of uncorrected misstatements that are material to the financial
statements as a whole.

Completion of Working Paper Review


An audit is an ongoing, cumulative, and iterative process of gathering and evaluating evidence
in support of relevant assertions. All audit documentation will have a preparer and reviewer, or
multiple reviewers. As audit procedures are completed and documented in the working papers,
the preparer will “sign off” with his or her initials when he or she feels the work is ready for
review. The work is reviewed by an audit team member with seniority over the team member
who did the work. (Refer to Illustration 5.6 for the structure of an audit team.) For example, when
an associate signs off on audit procedures related to the audit of accounts payable, the senior
associate reviews the work. Often, the senior has review notes, or “to-do” items, for the associate
to complete. For example, the associate may need to add more explanation to the working papers
of how a procedure was performed, or another sample of invoices may need to be inspected to
gather more evidence in support of a relevant assertion.
The senior associate performs audit procedures related to more complex areas of the
audit, such as intangible assets or investments. As the senior completes his or her procedures,
they are reviewed by the manager, and the manager will have review notes for the
senior to address. AU-C 220 Quality Control for an Engagement Conducted in Accordance with
Generally Accepted Auditing Standards and AS 1201 Supervision of the Audit Engagement provide
guidance regarding review of the working papers. Illustration 14.8 provides a list of
items an audit team member considers when reviewing the work of another team member.

ILLUSTRATION 14.8   Items to consider when reviewing working papers

Working paper reviewer should consider whether:
•  Work has been performed in accordance with appropriate auditing standards.
•  Significant findings or issues have been raised for further consideration or audit testing.
•  Consultations among team members and others within or outside of the audit firm have taken
place, as needed, and the resulting conclusions have been documented.
•  The nature, timing, and extent of the work performed are appropriate and do not need
revision.
•  Work performed supports the conclusions reached and is appropriately documented.
•  Evidence obtained is sufficient and appropriate to support the auditor’s report.
•  Objectives of the engagement procedures have been achieved.

Source: AU-C 220.A16 and AS 1201.05(c).

Once an audit team member has responded to the review notes, the appropriate supervisor
reviews the work to ensure the review item was satisfactorily addressed. If satisfied, the reviewer
signs off on the working paper. Once completed, the review notes are removed from the audit file
because the working papers are required to stand on their own in terms of the conclusions reached
and the underlying evidence supporting those conclusions. Ultimately, auditors rely on their
professional judgment to determine if sufficient appropriate audit evidence has been obtained.

Audit Reasoning Example  Working Paper Review


Jacob Bourgeois is a first-year audit associate at TB&I accounting firm. It is his first busy season,
and he is assigned to a manufacturing client in Detroit, Michigan. Jacob has completed the audit
procedures for tests of details of balances for accounts receivable. He feels very confident about
his work and doesn’t think he will have any review comments to address. Jacob tells the audit
senior, Maggie, that his work is ready to be reviewed. The next day, Maggie says to Jacob, “Overall,
you have done a good job and I can tell that you understand the purpose of the audit procedures
you have completed. However, there are a few instances in which you have not sufficiently documented
your follow-up procedures. For example, to gather evidence about the client’s past due
accounts, the audit procedures from the audit program are:

1. Examine evidence of collectibility such as correspondence with customers and outside
collection agencies, credit reports, and customers’ financial statements.
2. Inquire about collectibility of accounts with appropriate management personnel.

You notated in the working papers that you examined the client’s correspondence with customers
who had large overdue balances. However, you did not put a copy of the correspondence in the
working papers to substantiate that your examination procedure was completed. You also documented
that you spoke with an accounts receivable clerk about the status of overdue accounts. It
is more appropriate to inquire of the accounts receivable manager, someone with more authority,
regarding the status of the overdue accounts. You need to schedule a meeting with the accounts
receivable manager today, and be sure you take good notes so you can thoroughly document your
discussion in the working papers. Also, remember that inquiry alone is not sufficient. You will
need to corroborate any discussions with additional evidence.”

The engagement partner is responsible for the audit engagement and its performance and
for the auditor’s report that is issued on behalf of the firm. As the audit is being performed, the
engagement partner should conduct timely reviews of work completed on accounts, transactions,
or disclosures that require extensive judgment or involve significant risks. If an item is considered
a critical audit matter or is perhaps a contentious matter with management, it should be reviewed
as soon as possible so it is resolved on a timely basis. The engagement partner is not required to
review all audit documentation, but may choose to do so. The working papers should adequately
document that all reviews, including those performed by the partner, were completed.

engagement partner  partner or other person in the firm who is responsible for the audit
engagement and its performance and for the auditor’s report that is issued on behalf of the firm

Engagement Quality Review


To ensure the audit team has conducted the audit in accordance with standards and gathered
sufficient appropriate audit evidence to support the audit conclusions, an engagement
quality control reviewer will review selected areas of working papers prior to the issuance
of the audit report. An engagement quality control reviewer is typically a partner of the
accounting firm who is not part of the audit team that completed the audit. The reviewer must
be independent of the client and have sufficient and appropriate experience to objectively
evaluate the work completed on the audit. AU-C 220 Quality Control for an Engagement Conducted
in Accordance with Generally Accepted Auditing Standards and AS 1220 Engagement
Quality Review provide guidance regarding what is involved in a quality review.
The engagement partner discusses with the engagement quality control reviewer the
significant findings and other issues encountered during the audit. The reviewer reads the
financial statements and the proposed audit report, and reviews working papers related to
significant findings and conclusions reached in the audit. Ultimately, the reviewer evaluates
the conclusions reached in determining if the financial statements are fairly presented and
ensures the proposed auditor’s report is appropriate based on the audit team’s work.

engagement quality control reviewer  a partner or other person in the firm, who is not
part of the engagement team, who has sufficient and appropriate experience and authority to
objectively evaluate the significant judgments that the engagement team made and the
conclusions it reached in formulating the auditor’s report

Completion of Documentation
As we have discussed throughout the text, the working papers serve as documentation that the
audit work was completed. The working papers are the property of the audit firm and act as support
for the auditor’s opinion. AU-C 230 Audit Documentation and AS 1215 Audit Documentation
provide guidance for the assembly and retention of the documentation. The working papers do
not have to be completely assembled and archived before the audit report release date. However,
the standards do provide a deadline for the complete assembly of the audit file and a time frame
for how long the audit file should be retained by the firm. Illustration 14.9 summarizes the time
frames for assembly and retention of the audit file for both public and private company audits.

ILLUSTRATION 14.9   Assembly and retention of audit documentation

Activity                                  Public Company Audit (AS 1215)               Private Company Audit (AU-C 230)
Audit file assembly completion deadline   45 days after audit report release date      60 days after audit report release date
Audit file retention                      7 years from the audit report release date   5 years from the audit report release date or as specified by a state board of accountancy

After the audit report release date, no more audit procedures are performed. Assembling
the completed file includes administrative tasks such as sorting and organizing working
papers, discarding old documentation that was replaced with updated documentation, and
signing off on completion of checklists related to assembling the file. After the audit file
assembly completion deadline, nothing should be deleted or removed from the audit file.
However, documentation can be added to the file after the assembly completion deadline. If
documentation is added, auditors must indicate who prepared the documentation, the date of
the addition, and the reason for adding it. For example, a firm’s documentation of the audit of
a public company client may be inspected by the PCAOB. If results from the inspection reveal
the need to add further explanation to an audit procedure that was performed, auditors could
add the documentation, noting who prepared it and the reason for adding it (AS 1215.16).
For firms that have multiple office locations, the office that issued the audit report is
responsible for retaining the audit file. Reasonable measures should be taken to ensure the
security of the data, both electronic data and any hard copies retained by the firm, especially
since it contains confidential client information.

Cloud 9 - Continuing Case


Sharon suggests that each member of the team ask themselves
whether they believe that sufficient appropriate evidence has
been gathered on which to base an audit opinion, given their
knowledge and involvement in the audit. Are assessments of control
risk and materiality still valid given evidence obtained from
substantive procedures? No material misstatements were found
during substantive testing, and there is no evidence to suggest
that materiality should be adjusted. All confirmations sent to customers,
financial institutions, and the stock registrar and transfer
agent have been returned and any differences resolved. It appears
that the only other major outstanding items are the engagement
quality control review and the going concern assessment.

Before You Go On
3.1  Explain why it is important to reassess materiality at the end of the audit.
3.2 What are some qualitative characteristics of misstatements that would cause auditors to
classify them as material?
3.3 What is an engagement quality control review? Why is this review important to the public
interest?
3.4  What is meant by “assembly and retention” of the audit files?

Going Concern

Learning Objective 4


Evaluate the going concern assumption for a client.

You may remember the going concern assumption from your financial accounting courses.
The going concern assumption is a fundamental principle in the preparation of the financial
statements. Under the going concern assumption, an entity is viewed as continuing in
business for the foreseeable future with neither the intention nor the need for liquidation. As
a result, assets and liabilities are recorded on the basis that the entity will realize its assets and
discharge its liabilities in the normal course of business.

going concern assumption  the viability of an entity to remain in business for the foreseeable
future

Management is responsible for evaluating going concern in accordance with the applicable
financial reporting framework. Under GAAP, FASB ASC 205-40 Presentation of Financial
Statements—Going Concern requires management to make an assessment of the entity’s ability
to continue as a going concern for the future period of one year beyond the issuance date
of the financial statements. Illustration 14.10 provides a timeline example to illustrate management’s
responsibility. If the financial statements are dated December 31, 2022, the issuance
date will be 45 days or more after December 31, depending on when the audit is completed.
Supposing the financial statements are issued on March 1, 2023, the future period for management’s
assessment of the risk of not being a going concern would be from March 1, 2023,
to March 1, 2024. If management determines there is substantial doubt about continuing as
a going concern, then management must make a note disclosure about the circumstances,
including any plans management may have to mitigate the situation.

ILLUSTRATION 14.10   Management’s going concern evaluation period

[Timeline: 12/31/2022, financial statement date/fiscal year-end date; 3/1/2023, date the financial
statements are issued; 12/31/2023; 3/1/2024. Management’s evaluation period runs from 3/1/2023 to 3/1/2024.]

reasonable period of time  the period of time required by the applicable financial reporting
framework, or if no such framework exists, for one year after the date that the financial
statements are issued

Auditors have a responsibility to gather evidence regarding management’s process for evaluating
going concern status and the appropriateness of management’s conclusions regarding it.
If management does not have a formal process in place, it could be considered a weakness in
internal control. Auditors also draw their own conclusions about whether there is substantial
doubt about the entity’s ability to continue as a going concern for a reasonable period of time
and, if applicable, evaluate the adequacy of any disclosure related to the entity’s circumstances.
What would be a reasonable period of time for the auditor’s evaluation? AU-C 570 The Auditor’s
Consideration of an Entity’s Ability to Continue as a Going Concern defines a reasonable period of
time as the same period required by the client’s financial reporting framework. Therefore, under
GAAP, a reasonable period of time is one year from the date the client issues financial statements,
as shown in Illustration 14.10. (Current PCAOB AS 2415 defines a reasonable period of time as
one year from the date of the financial statements. Therefore, for public company audits, the time
frame for the auditor’s evaluation is shorter than for a private company client.)
According to AU-C 570, auditors do not have a responsibility to perform any audit procedures
to identify going concern issues beyond the time period evaluated by management.
However, AU-C 570 does require that auditors inquire of management about any conditions
or events beyond the period of management’s evaluation that may have an effect on the
entity’s ability to continue as a going concern. For example, using Illustration 14.10, auditors
must inquire of management if there are any known conditions or events after March 1, 2024,
that could have an impact on going concern.
AU-C 570 and AS 2415 provide guidance for the auditor’s evaluation of the entity’s ability
to continue as a going concern. Audit procedures that are performed throughout the audit as
part of risk assessment and risk response should identify events or conditions that could signify
going concern issues. Illustration 14.11 provides a list of audit procedures and examples
of the types of going concern issues that may be identified through the performance of routine
audit procedures. If one or more going concern issues are identified at any point during the
audit, auditors will use their professional judgment and consider the need to revise their risk
assessments and alter the nature, timing, or extent of audit procedures.

ILLUSTRATION 14.11   Audit procedures that may identify going concern issues

Audit Procedure: Identification of Possible Going Concern Issue
•  Analytical procedures during risk assessment: May identify negative trends such as working capital
deficiencies, adverse key financial ratios, and decreasing cash flow from operations
•  Review of subsequent events: May identify internal or external matters that have
occurred such as loss of a key franchise, loss of a principal customer, or work stoppages due to natural disaster
•  Review of compliance with terms of debt and loan agreements: May identify possible financial
difficulties such as restructuring of debt, default on loan or similar agreements, or need to dispose of
substantial assets
•  Reading of minutes of meetings with stockholders, board of directors, and other important committees
of the board: May identify internal or external matters that have occurred such as labor difficulties,
arrearages in dividends, or substantial dependence on the success of a particular project
•  Inquiry of client’s legal counsel: May identify external matters that have occurred such as
legal proceedings that might jeopardize the client’s ability to operate
•  Confirmation with related parties and third parties of the details of arrangements to provide or maintain
financial support: May identify possible financial difficulties such as default on financing arrangements,
restructuring of financing agreements, or need to seek new sources or methods of financing

Source: AU-C 570.A7 and .A28.

If auditors determine there is substantial doubt about the entity continuing as a going
concern, the next step is obtaining information about management’s plans to mitigate or minimize
the adverse effects of the situation. For example, if a client is experiencing a severe cash
shortage but has a letter from its bank agreeing to provide additional financing, the letter
reduces, but does not remove, the risk that the going concern assumption may be in doubt.
Other examples of mitigating factors include:

•  A letter of guarantee from a parent company.
•  The ability to raise additional funds by issuing more stock.
•  The ability to sell an unprofitable segment of the business.
•  A reduction of expenditures.
•  The ability to sell assets without interrupting the entity’s operating capacity.

Auditors perform audit procedures to gather evidence about the mitigating factors and consider
whether the plans can be effectively implemented. For example, if management plans
to sell assets that have been used in operations, is there a market for the assets? How quickly
could they be sold and for how much? Would the sale of the assets be sufficient to enable the
entity to continue as a going concern for a reasonable period of time? Auditors draw upon
their knowledge of the entity, the industry, and their professional judgment when evaluating
the information to arrive at a conclusion.
After considering management’s plans, if auditors determine there is substantial doubt
about the entity’s ability to continue as a going concern, the next steps are to consider the
possible effects on the financial statements and on the auditor’s report. Regarding the financial
statements, auditors evaluate the adequacy of management’s note disclosure about the
going concern issue. The disclosure should include a description of the conditions or events
causing the substantial doubt, management’s evaluation of the significance of those conditions
or events, and management’s plans to minimize the effects of the situation. Auditors
consider modifying the auditor’s report to further emphasize the substantial doubt about the
entity’s ability to continue as a going concern. This is something that investors or other key
stakeholders should know. You can understand that the client might not want any more attention
brought to the situation because, in fact, it could make it more difficult for the client to
implement its plans for mitigating the situation. For example, obtaining alternative financing
may be more difficult if the auditor’s report is modified for a going concern issue. Noting these
conditions could also negatively impact the stock price for a public company. Given these
serious implications, auditors consider this decision very carefully. The specific modifications
that would be made to the auditor’s report are discussed in Chapter 15.
The final step is to communicate with those charged with governance. Those charged
with governance, such as a board of directors, probably already know about the situation, but
auditors still communicate the nature of the events that are causing doubt about the entity’s
ability to continue as a going concern. Auditors also discuss the note disclosure and other effects
on the financial statements. If the auditors decide to issue a modified auditor’s report, it
should be communicated to those charged with governance.

Cloud 9 - Continuing Case


Sharon and the team discuss the existence of any issues throwing
doubt on the appropriateness of the going concern assumption
at Cloud 9. The financial ratios indicate no problems with
solvency, and the major borrowings are not due to be repaid
or refinanced for another four years. However, Cloud 9’s management
is anticipating a decline in earnings this year because
of the costs associated with the new store opening and the
sponsorship deal. Cloud 9 does have a sizeable line of credit at
its bank that is currently not being utilized. If Cloud 9 has an
unexpected need for additional cash, Cloud 9 management could
draw on the line of credit. The team makes a note that these
issues have been formally reviewed and they conclude that there
are no significant issues casting substantial doubt on the going
concern assumption.

Before You Go On
4.1  Explain the going concern assumption. How does it affect a company’s accounting?
4.2 List three factors that might indicate the going concern assumption may be at risk. What
audit procedures would detect the factors?
4.3 Explain some mitigating factors that could offset possible going concern issues.

Management Representation and Communication with Those Charged with Governance

Learning Objective 5


Discuss what reporting is required to management and those charged with
governance.

Throughout the entire audit, auditors communicate often with management and other client
personnel in the process of gathering audit evidence. As the audit draws to a conclusion,
some required communications must take place with management and those charged with
governance, and the communications must be documented. The remainder of this section will
explain the management representation letter and the required communications with those
charged with governance.

Management Representation Letter

written representation  a written statement by management provided to the auditor to confirm
certain matters or to support other audit evidence

AU-C 580 Written Representations and AS 2805 Management Representations provide guidance
about using written representations as audit evidence. A written representation is
a written statement by management provided to the auditor to confirm certain matters or
to support other audit evidence (AU-C 580.07). Generally, a written representation complements
other audit procedures that were performed and generally does not provide sufficient
appropriate audit evidence on its own. For example, auditors ask management for
a written representation that no material subsequent events have occurred that require
adjustment to or disclosure in the financial statements. That evidence does not relieve auditors
of their duty to perform audit procedures designed to identify subsequent events. The
written representation supplements the inquiries made of management regarding subsequent
events and the evidence gathered from audit procedures related to subsequent events
identification.
As we have discussed throughout the text, auditors make many inquiries of management
during risk assessment, testing of internal controls, and performance of substantive
procedures. The responses to the inquiries are documented in the auditor’s working papers.
As supplemental evidence to the inquiries, auditors are required to obtain a management
representation letter as a final piece of audit evidence. A management representation letter
is a letter from management to the auditor acknowledging management’s responsibility for
the preparation of the financial statements and details of any verbal representations made by
management during the course of the audit. However, the management representation letter
is not a substitute for obtaining sufficient, appropriate evidence regarding the financial statements
through other audit procedures.
As you can imagine, the letter could be quite daunting to write because of the volume
of inquiries made of management during the audit. To help with this task, AU-C 580.A35
and AS 2805.16 provide illustrative management representation letters that auditors can
use as a guideline for what should be included in the letter. Illustration 14.12 contains a
management representation letter for the Cloud 9 audit. Since Cloud 9 is a public company,
the letter has been prepared using the example provided in PCAOB AS 2805.16.

management representation letter  a letter from management to the auditor acknowledging
management’s responsibility for the preparation of the financial statements and details of any
verbal representations made by management during the course of the audit

ILLUSTRATION 14.12   Management representation letter for Cloud 9 audit

[1] Cloud 9 Inc.

[2] March 15, 2023

[3] W&S Partners
P.O. Box 525
Seattle, WA 95688

Dear W&S Partners:

[4] We are providing this letter in connection with your audit of the consolidated financial statements
of Cloud 9 Inc. as of January 31, 2023, and for the year then ended for the purpose of expressing
an opinion as to whether the consolidated financial statements present fairly, in all material
respects, the financial position, results of operations, and cash flows of Cloud 9 in conformity
with accounting principles generally accepted in the United States of America. We confirm that
we are responsible for the fair presentation in the consolidated financial statements of financial
position, results of operations, and cash flows in conformity with generally accepted accounting
principles.

[5] Certain representations in this letter are described as being limited to matters that are material.
Items are considered material, regardless of size, if they involve an omission or misstatement of
accounting information that, in the light of surrounding circumstances, makes it probable that the
judgment of a reasonable person relying on the information would be changed or influenced by
the omission or misstatement.

[6] We confirm, to the best of our knowledge and belief, as of March 15, 2023, the following representations
made to you during your audit:

1. The financial statements referred to above are fairly presented in conformity with accounting
principles generally accepted in the United States of America.
2. We have made available to you all—
a. Financial records and related data, including the names of all related parties and all relationships
and transactions with related parties.
b. Minutes of the meetings of stockholders, directors, and committees of directors, or
summaries of actions of recent meetings for which minutes have not yet been prepared.
3. There have been no communications from regulatory agencies concerning noncompliance
with or deficiencies in financial reporting practices.
4. There are no material transactions that have not been properly recorded in the accounting
records underlying the financial statements.
5. We believe that the effects of the uncorrected financial statement misstatements summarized
in the accompanying schedule are immaterial, both individually and in the aggregate, to the
financial statements taken as a whole.
6. We acknowledge our responsibility for the design and implementation of programs and controls
to prevent and detect fraud.
7. We have no knowledge of any fraud or suspected fraud affecting the entity involving—
a. Management,
b. Employees who have significant roles in internal control, or
c. Others where the fraud could have a material effect on the financial statements.
8. We have no knowledge of any allegations of fraud or suspected fraud affecting the entity received
in communications from employees, former employees, analysts, regulators, short
sellers, or others.
9. The company has no plans or intentions that may materially affect the carrying value or classification
of assets and liabilities.
10. The following have been properly recorded or disclosed in the financial statements:
a. Related party transactions, including sales, purchases, loans, transfers, leasing arrangements,
and guarantees, and amounts receivable from or payable to related parties.
b. Guarantees, whether written or oral, under which the company is contingently liable.
c. Significant estimates and material concentrations known to management that are required
to be disclosed in accordance with the FASB ASC Topic 275, Risks and Uncertainties.
[Significant estimates are estimates at the balance sheet date that could change materially
within the next year. Concentrations refer to volumes of business, revenues, available
sources of supply, or markets or geographic areas for which events could occur that would
significantly disrupt normal finances within the next year.]
11. There are no—
a. Violations or possible violations of laws or regulations whose effects should be
considered for disclosure in the financial statements or as a basis for recording a loss
contingency.
b. Unasserted claims or assessments that our lawyer has advised us are probable of
assertion and must be disclosed in accordance with Financial Accounting Standards Board
(FASB) ASC Topic 450, Contingencies.
c. Other liabilities or gain or loss contingencies that are required to be accrued or disclosed
by FASB ASC Topic 450.
d. Side agreements or other arrangements (either written or oral) that have not been
disclosed to you.
12. The company has satisfactory title to all owned assets, and there are no liens or
encumbrances on such assets nor has any asset been pledged as collateral.
13. The company has complied with all aspects of contractual agreements that would have a
material effect on the financial statements in the event of noncompliance.

[7] To the best of our knowledge and belief, no events have occurred subsequent to the
balance-sheet date and through the date of this letter that would require adjustment to or
disclosure in the aforementioned financial statements.

James W. Harley
[8] Chief Executive Officer

David Collier
[8] Chief Financial Officer

Sections of the management representation letter in Illustration 14.12 are numbered to
correspond with the following explanations:
1. Client letterhead—Since the letter is to the auditors from management, the letter is
written on client letterhead. However, the letter is typically drafted by auditors and presented
to management for review and signing.
2. Date—The letter is generally dated the same as the audit report so the representations made
by management include the subsequent period leading up to the date of the audit report.
3.  Address—The letter is addressed to the audit firm.
4. Identification of audit—This paragraph identifies the financial statements and the
purpose of the audit. It also provides a statement in which management accepts
responsibility for the fair presentation of the financial statements in conformity with generally
accepted accounting principles in the United States.
5. Materiality—This paragraph states a materiality threshold for items that will be included
in the letter.
6. List of items that management is confirming—This section of the letter is a listing of the
items the auditor wants management to confirm. Read through the listing and you’ll see
it encompasses many important audit items we have discussed in this text, such as proper
application of the financial reporting framework, availability of documents and records,
fraud detection and prevention, and proper disclosure in the financial statements.
7. Subsequent events statement—The final paragraph is a statement confirming that no
subsequent events have occurred through the date of the letter that have not already been
accounted for or disclosed.
8.  Signatures—The letter is signed by the CEO and CFO of the client.
The example provided in Illustration 14.12 is a basic example. Auditors can add more
items to the letter that are tailored to each client’s situation. For example, if inventory
obsolescence is a recurring issue in the client’s industry, auditors may add an item for management
to confirm that appropriate provisions have been made regarding slow-moving or obsolete
inventory. Public companies also must make some of these representations public in the
quarterly and annual filings with the SEC. Section 302 of the Sarbanes-Oxley Act requires the CEO
and CFO to sign statements certifying they are responsible for the effectiveness of internal
controls, the financial statements are presented fairly, and there are no untrue statements of a
material fact or omission of material items.
If management refuses to sign a management representation letter, that would cause the
auditors to question management’s integrity, competence, and ethical values, and could have
serious ramifications for the audit. Auditors would be especially concerned about the
reliability of audit evidence obtained through inquiry of management. The refusal by management
to sign the representation letter would be considered a scope limitation and could affect the
auditor’s opinion on the financial statements. Chapter 15 provides more information about
the effect of a scope limitation on the auditor’s opinion.

Communication with Those Charged with Governance
In Chapter 4, we discussed the concept of corporate governance. Governance structures will
vary by client. Public companies will have a board of directors with an audit committee, and
large private companies may also have a board of directors. For medium and smaller
companies, governance responsibility may fall upon owners, partners, trustees, or a committee of
upper management. In very small companies, one person may be in charge of governance,
such as the owner-manager. Auditing standards AU-C 260 The Auditor’s Communication with
Those Charged with Governance and AS 1301 Communications with Audit Committees
address the auditor’s responsibility to communicate certain audit matters with those charged
with governance. As discussed in Chapter 4, auditors must communicate their responsibility
for forming and expressing an opinion on the financial statements that have been prepared
by management. This communication typically takes the form of an engagement letter and
happens at the beginning of the engagement (refer to the section “Corporate Governance” in
Chapter 4). Auditors also provide a general overview of the planned scope and timing of the
audit to those charged with governance. During this communication, auditors do not reveal
in-depth detail about the planned audit procedures because they do not want to compromise the
effectiveness of the audit. But this dialogue can open a discussion about risks the client faces
and can assist the auditor in gaining a better understanding of the entity and its environment.
Communication with those charged with governance, with management, and with third
parties, when applicable, is also covered in several other auditing standards. For example, if
auditors have identified a fraud, or have information that indicates the existence of a fraud,
they are required to communicate these matters to an appropriate level of management by
AU-C 240 Consideration of Fraud in a Financial Statement Audit. Similarly, when auditors
have identified material noncompliance with laws and regulations, they are required to
communicate their findings to those charged with governance in accordance with AU-C 250
Consideration of Laws and Regulations in an Audit of Financial Statements.
Toward the end of the audit, auditors communicate significant findings or issues from
the audit to those charged with governance. This communication should take place before the
audit report is issued. The communication may be oral or written, but either way it must be
documented in the working papers. Illustration 14.13 lists the matters to be communicated
with those charged with governance near the end of the audit.

ILLUSTRATION 14.13   Matters to be communicated with those charged with governance

Significant Finding or Issue from the Audit: Explanation

Appropriateness of significant accounting policies: The applicable financial reporting framework may provide different alternatives for accounting for an item. For example, there are different cost flow assumptions for inventory (FIFO, LIFO, weighted average). Auditors discuss if the method management has chosen is appropriate for the industry and for the entity.

Process used by management in developing sensitive accounting estimates: Auditors communicate the significant assumptions used in developing the estimate, the degree of subjectivity involved, and the relative materiality of the estimates to the financial statements as a whole.

Difficulties encountered during the audit: Significant difficulties include delays in management providing information, unrealistic time within which to complete the audit, restrictions imposed on the auditor by management, and the unavailability of expected information.

Disagreements with management: Disagreements may arise over the application of accounting policies to specific transactions or events, assumptions for developing estimates, disclosures to be included in the financial statements, or the scope of the audit. Even if the disagreements were resolved, they should be communicated to those charged with governance.

Other significant findings or issues: Every client is unique; therefore, items specific to each client may need to be communicated to those charged with governance. For example, if a client is involved with major litigation, auditors would discuss the potential effect on the financial statements of an unfavorable outcome.

Uncorrected misstatements: Auditors accumulate individually immaterial uncorrected misstatements and discuss them collectively to those charged with governance. For material uncorrected misstatements, auditors should request that they be corrected.

Corrected misstatements: Misstatements that were brought to management’s attention and corrected should also be communicated to management.

Business conditions affecting the entity: If there are industry, economic, or other uncertainties that could affect the entity’s ability to continue as a going concern, these matters should be communicated to those charged with governance.

Consultations with other accountants: If auditors and management disagree on an issue, management may contact other outside accountants to see if they may agree with management’s views. If auditors are aware that management has consulted with other accountants, then it should be brought to the attention of those charged with governance. Auditors should communicate their own views on the issue and how they differ from management’s views.

Written representation the auditors are requesting: Auditors should provide those charged with governance with a copy of the management representation letter.

Source: AU-C 260.12-.14.



For a public company audit, the items in Illustration 14.13 should be communicated with
the audit committee of the board of directors. In addition, the PCAOB’s AS 1301 includes
some unique terminology that is not included in AU-C 260. AS 1301 specifies that critical
accounting policies and practices and critical accounting estimates must be
communicated to the audit committee. An entity’s critical accounting policies and practices are most
important for the portrayal of the company’s financial condition and results, and require
management’s most difficult, subjective, or complex judgments. For example, a large bank might
make a record number of new loans during the year, which could mean increased profits.
However, management must also determine how many of those new loans may go unpaid in
the future. That could involve subjective and complex judgments. Critical accounting policies
and practices are often unique to the industry or to the entity and are typically more subjective
than common situations that affect most entities. Auditors must discuss their assessment of
management’s application of and disclosure of the critical accounting policies and practices,
including any recommended modifications that management did not make.

critical accounting policies and practices: accounting policies and practices that are most
important to the portrayal of the company’s financial condition and results, and require
management’s most difficult, subjective, or complex judgments

critical accounting estimates: accounting estimates whose nature and impact on the financial
statements are material because of the high levels of subjectivity and judgment necessary to
account for highly uncertain matters

Critical accounting estimates are accounting estimates that possess the following two
characteristics:
1. The nature of the estimate is material due to the levels of subjectivity and judgment
necessary to account for highly uncertain matters or the susceptibility of such matters to
change.
2. The impact of the estimate on financial condition or operating performance is material.

For example, estimating the amount of a loss contingency from a material litigation
situation, such as the Starbucks example in the Professional Environment box earlier in the
chapter, is a critical accounting estimate. The outcome of litigation may be highly uncertain,
and the circumstances may change over the course of a long court battle that spans several
years. In addition, the circumstances that led to the litigation are unique to the entity and
generally cannot be compared to situations of other companies. Auditors must communicate
how they concluded that the estimate is or is not reasonable.
Recall from Chapter 6 that material weaknesses and significant deficiencies in ICFR are
also required to be communicated to those charged with governance. The communication
must be in writing and is required for both public and private company clients. Refer to the
section “Management Letters” in Chapter 6 for an example of a management letter used to
communicate internal control deficiencies.

Cloud 9 - Continuing Case


Sharon prepares a draft management representation letter for Jo, the partner, to review before presenting it to Cloud 9’s CEO and CFO to sign. The letter includes a statement about management’s responsibility for critical accounting policies and critical accounting estimates. Sharon also drafts a report to be used for communication with Cloud 9’s audit committee. The report includes critical items for Cloud 9. Revenue recognition is a critical accounting policy to discuss with the audit committee. Key items that impact revenue recognition include the opening of a new company-owned store and sales and sales returns to retailers such as department stores. Some of the critical accounting estimates to discuss with the audit committee include estimating the allowance for doubtful accounts, inventory valuation in light of a fickle fashion market, and valuation of derivatives.

Before You Go On
5.1  What is the purpose of the management representation letter?
5.2 Name five items of governance interest that would be communicated to those charged with
governance. Explain why each is important to be communicated to those charged with
governance.
5.3 What characteristics of an estimate would classify it as a critical accounting estimate?
Provide an example of a critical accounting estimate for a computer manufacturing company.

Learning Objectives Review


1  Apply the audit procedures used to search for loss contingencies.

A loss contingency is an existing condition or situation involving uncertainty as to possible loss that will ultimately be resolved when one or more future events occur or fail to occur. The auditors perform procedures to determine if material contingencies have been identified and properly included and disclosed in the financial statements. For loss contingencies related to litigation, claims, and assessments, the auditors will send a legal letter to all attorneys who performed services for the client during the year. The attorneys will respond with information regarding the likelihood of an unfavorable outcome and, if possible, an estimate of the expected loss for the client.

2  Distinguish between the two types of material subsequent events and evaluate what effect they have on the financial statements, if any.

Material events may occur between the financial statement date and the date the audit is completed. There are two types of subsequent events. Type 1 subsequent events are those that provide additional evidence with respect to conditions that existed at year-end. These require an adjustment to the financial statements. Type 2 subsequent events are those that provide evidence about conditions that developed subsequent to year-end. These are not required to be recorded in the financial statements, but they must be disclosed in the footnotes. Auditing standards require that audit procedures be performed to identify subsequent events.

3  Describe engagement wrap-up procedures performed at the conclusion of the audit.

At the end of the audit, when all of the planned substantive procedures are substantially completed, the auditors will conduct final analytical procedures to assist in forming an overall conclusion about whether the financial statements are consistent with the auditor’s understanding of the client. The team will evaluate audit results, which entails reassessing materiality, control risk, and the risk of fraud; considering quantitative and qualitative factors of uncorrected immaterial misstatements; and determining if sufficient appropriate audit evidence has been obtained to support the auditor’s conclusions. The review of the working papers by various members of the audit team will also be completed. An engagement quality control reviewer, typically a partner in the firm who is not on the audit team, will review the conclusions reached in determining if the financial statements are fairly presented and ensuring that the proposed auditor’s report is appropriate based on the audit team’s work. The auditors have an audit file assembly completion deadline that is after the audit report release date (see Illustration 14.9). No documentation can be deleted from the file after this date. The audit firm must retain the audit file for a specified number of years (seven years for a public company client and five years for a private company client).

4  Evaluate the going concern assumption for a client.

The auditor is required to consider whether there is substantial doubt about the client’s ability to continue as a going concern for a reasonable period of time, which is the same period of time required by the client’s financial reporting framework. Audit procedures that are conducted as part of risk assessment and risk response are sufficient for determining if a client has a going concern issue. If there is a going concern issue, auditors should inquire about management’s plans to mitigate the issue and consider if management’s plans are feasible. If audit evidence indicates there is a going concern issue, then management must disclose the situation in the notes to the financial statements.

5  Discuss what reporting is required to management and those charged with governance.

At the end of the audit, the auditor requests that the CEO and CFO sign a management representation letter, which is a letter from management to the auditor acknowledging management’s responsibility for the preparation of the financial statements and detailing any verbal representations made by management during the course of the audit. The auditors are also required to communicate with those charged with governance at the conclusion of the audit. Illustration 14.13 lists required topics to discuss with those charged with governance. The communication can be oral or written, but either way it must be documented in the working papers.

Key Terms Review


Critical accounting estimates
Critical accounting policies and practices
Engagement partner
Engagement quality control reviewer
Going concern assumption
Legal letter
Loss contingency
Management representation letter
Reasonable period of time
Subsequent events
Type I subsequent event
Type II subsequent event
Written representation

Audit Decision-Making Example

Background Information
Your client, Broadcast Cable, Inc. (BC), is a large, privately owned company that offers digital television, internet, telephone, and home automation services. BC has been operating for 55 years. Your audit team is busy wrapping up the audit in the final days of fieldwork and completing the review of the working papers. The audit partner and audit manager are preparing to meet with BC’s audit committee as required by AU-C 260, and they call a meeting of the entire audit team to discuss what should be communicated to the audit committee. The team agrees that the following items are key issues that emerged from the audit:
•  The digital home entertainment industry is experiencing rapid change, and customers’ choice of products for their homes is changing.
•  Controls testing revealed a significant deficiency in controls over the processing of returns of customer deposits.
•  Several factual misstatements were identified that were collectively immaterial.
•  BC has some equipment that appears to be obsolete and no longer used in operations, but BC management has not recorded any impairment loss related to the equipment.

Identify the Audit Issue
The audit team must compile a listing of significant findings or issues from the audit and communicate them to the audit committee. The listing can be communicated orally or in writing to the audit committee, but it must be documented in the working papers.

Gather Information and Evidence
The audit team discusses more details of the key audit matters:
•  The digital home entertainment industry is experiencing rapid change. BC could experience a business model disruption and decreased future revenues if more customers move to “on-demand” services and decrease or eliminate their digital television service. Companies such as Amazon.com and Disney are emerging as key players in the delivery of home entertainment. Also, customers are choosing to drop services, such as home phone lines, that historically have been staples in every household. BC management should be strategically planning for migration to next-generation technologies.
•  Controls testing revealed a significant deficiency in controls over the processing of returns of customer deposits. When a customer cancels service and returns the digital cable box, BC processes a refund of the customer’s deposit for the digital cable box. The audit team discovered multiple instances of duplicate refunds being processed to customers.
•  Several factual misstatements were identified that were collectively immaterial. They were all corrected by management.
•  BC has some equipment that appears to be obsolete and no longer used in operations, but BC management has not recorded any impairment loss related to the equipment. Net property, plant, and equipment represents 31% of BC’s total assets. Equipment such as trucks, cables, and wires are critical items that BC uses to provide its services. The obsolete equipment consists of wiring, cable, and conduits related to residential phone services and legacy analog cable services. The audit team recommended that management mark down the obsolete items to fair market value and record a loss. The book value of the obsolete items is $1,059,500. The items can be sold for scrap, so once they are marked down to fair market value, BC would record an impairment loss of $400,000. The materiality level for the financial statements as a whole is $500,000. Management did not agree with the assessment and has not made any adjustments for obsolete equipment.

Analysis and Evaluation
The manager and partner agree that the items listed above should be communicated to the audit committee. The issue with the obsolete equipment is perhaps the most concerning item. BC management disagrees with the auditors that the equipment is impaired and a loss should be recorded. The amount of the loss is below the materiality level for the financial statements as a whole; however, if the $400,000 loss is recorded, it would decrease net income to a level that would impact upper management bonuses for the year. The impact on bonuses could be the reason that management is refusing to mark down the obsolete equipment. Because of this qualitative aspect, the manager and partner agree that the adjustment should be considered material.

Audit Conclusion
The audit partner and manager draft the report to present and discuss with BC’s audit committee and also draft a copy of the management representation letter to present to the audit committee. Regarding the obsolete equipment issue, it will be the audit committee’s responsibility to take action and request that management make the recommended adjustment. If the audit committee does not take appropriate action, the audit team should consider what impact that may have on the audit report and also consider it a reflection on the integrity of both management and the audit committee.

CPAexcel
CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions
1.  (LO 1)  If management considers a material loss contingency to be probable but an amount cannot be reasonably estimated, the proper accounting treatment is:
a.  note disclosure only.
b.  accrual in the financial statements only.
c.  accrual in the financial statements and note disclosure.
d.  no adjustment or disclosure necessary.

2.  (LO 2)  Subsequent events occur after:
a.  the start of the fiscal year.
b.  the appointment of the auditor.
c.  the end of the fiscal year.
d.  the going concern assumption.

3.  (LO 2)  Which of the following is an example of a subsequent event?
a.  A bond issuance after the balance sheet date but prior to issuance of the financial statements.
b.  A cybersecurity attack that occurred in the third quarter of the fiscal year.
c.  Legal action that was settled in the last month of the fiscal year.
d.  A major customer declaring bankruptcy two months before the client’s year-end.

4.  (LO 2)  Which of the following is a Type II subsequent event?
a.  Bankruptcy of a customer subsequent to year-end, which would be considered when evaluating the adequacy of the allowance for uncollectible accounts.
b.  Loss of plant as a result of fire or flood after year-end.
c.  Deterioration in financial results after year-end, which may indicate doubt about the ability to continue as a going concern.
d.  An amount received related to an insurance claim that was in the course of negotiation at year-end.

5.  (LO 3)  At the conclusion of the audit, the wrap-up process involves all of the following except:
a.  review of proper and complete execution of planned audit procedures.
b.  determination that all necessary matters have been appropriately considered.
c.  revisiting assessments for materiality, control risk, and risk of fraud.
d.  sending confirmations to financial institutions.

6.  (LO 3)  All of the following are examples of qualitative characteristics of a misstatement except:
a.  affects management’s compensation for the period.
b.  exceeds the amount for performance materiality.
c.  changes a net loss to a net income for the period.
d.  affects compliance with debt covenants.

7.  (LO 3)  If auditors discover fraud during the audit, it should first be reported to:
a.  the SEC.
b.  the PCAOB.
c.  the employee who is committing the fraud.
d.  an appropriate level of management or those charged with governance.

8.  (LO 3)  The audit firm must retain the audit file of a public company client for:
a.  7 years.
b.  6 years.
c.  5 years.
d.  4 years.

9.  (LO 4)  The going concern assumption means:
a.  the entity is facing difficulties continuing as a viable business entity.
b.  the entity is viewed as continuing in business for the foreseeable future with no need for liquidation.
c.  assets and liabilities are stated at liquidation values.
d.  the auditor is concerned whether the entity is going to change locations.

10.  (LO 4)  For a private company client that follows GAAP, auditors must consider the going concern assumption for a reasonable period of time, which is:
a.  one year from the date the financial statements are issued.
b.  one year from the completion of fieldwork.
c.  one year from the date of the financial statements.
d.  one year from the completion of interim audit procedures.

11.  (LO 5)  All of the following statements are included in a management representation letter except:
a.  there have been no violations of laws or regulations.
b.  no subsequent events have occurred that require adjustment to or disclosure in the financial statements.
c.  the auditor’s fee for completing the audit.
d.  the effects of uncorrected misstatements are immaterial, both individually and in the aggregate, to the financial statements.

12.  (LO 5)  Communication with those charged with governance must occur:
a.  after the audit report is issued.
b.  before the audit report is issued.
c.  before legal letters are sent to attorneys.
d.  after the financial statements are released.

13.  (LO 5)  Accounting policies and practices that are most important to the portrayal of the company’s financial condition and results, and require management’s most difficult, subjective, or complex judgments are called:
a.  critical accounting policies and practices.
b.  critical accounting estimates.
c.  significant accounting policies and practices.
d.  material contingencies.

Review Questions
R14.1  (LO 1)  Describe the auditor’s process for preparing, sending, and receiving responses from legal letters, including at what point during the audit the letters are sent.
R14.2  (LO 2)  Differentiate between the two types of subsequent events. List some audit procedures that may identify subsequent events.
R14.3  (LO 2)  Discuss the auditor’s responsibility for detecting subsequent events prior to the completion of fieldwork.
R14.4  (LO 3)  Explain the process of “engagement wrap-up.” Why is it important?
R14.5  (LO 3)  Provide an example of why an auditor would reevaluate control risk near the end of the audit. Provide a different example of why an auditor would reevaluate fraud risk near the end of the audit.
R14.6  (LO 3)  Discuss actions an auditor would take when misstatements identified during the audit are not corrected by the client.
R14.7  (LO 3)  Explain the process of an engagement quality control review.
R14.8  (LO 3)  What are the audit file assembly deadlines and the audit file retention policies for public and private company audits? Provide an analysis of why you think the deadlines and policies are different for public and private company audits.
R14.9  (LO 4)  Evaluate why the accounting assumption of “going concern” is of interest to auditors. Are there specific audit procedures that must be performed related to the going concern assumption? Why or why not?
R14.10  (LO 5)  Why is the management representation letter obtained at the end of the audit? Discuss the impact on the audit if management refused to sign the management representation letter.
R14.11  (LO 5)  AU-C 260 stresses the importance of communication with “those charged with governance.” Who are “those charged with governance?” Discuss why it is important that the auditor communicate with them (and not others).
R14.12  (LO 5)  Discuss the items an auditor communicates at the end of the audit to those charged with governance.

Analysis Problems
AP14.1  (LO 1)  Basic   Communication with lawyers  Conversations between the board of
directors of Acme Inc. and the engagement partner of the audit, Angelo Del Santo, have revealed that Acme
uses three law firms. Ball & Partners performs all legal work related to property transfers, mortgages,
and leases. Brown & Associates handle all employment matters, such as claims for unfair dismissal and
complex employment contracts. Zimmerman & Co. are retained for all other matters, such as agreements
relating to products and suppliers and any international matters.

Required
a.  Discuss the information that Angelo wants to obtain from the attorneys and how this information
is obtained.
b. What procedures could Angelo perform to discover if any other law firms have performed work for
Acme during the fiscal year?

AP14.2  (LO 2)  Moderate   Reporting subsequent events  Brad Scarlett is reviewing the results of
the subsequent events audit procedures. Brad is writing a report for the audit partner based on these
results and will be attending a meeting tomorrow with the partner and representatives of the company to
discuss them. The issue will be whether the financial statements should be amended or additional notes
included for these subsequent events.
Many of the items are not material and Brad will recommend that no action be taken with respect
to these. However, there are several items that Brad believes are material and should be discussed at the
meeting. These are:

•  The board is planning to issue shares in a private offering on February 15.
•  The share issue is to fund the purchase of a 60% stake in another company. The negotiations are in
the final stages and although the contract is not yet signed, it will be signed by February 15.
•  A lawsuit was filed in court in the week after year-end claiming damages for illness allegedly caused
by chemicals used at a subsidiary company’s manufacturing plant in the 2000s. This is the tenth
such lawsuit filed and the client has denied responsibility in all cases because it was unreasonable to
believe at that time that these chemicals had adverse health effects. The claimant has new scientific
evidence that counters this defense.
•  The review of subsequent cash receipts has revealed that several of the receivables that were considered
doubtful have now been paid.

The year-end for the company is December 31 and the audit report is due to be signed on February 20.

Required
For each item, discuss what type of subsequent event it is and the appropriate treatment in the financial
statements.

AP14.3  (LO 2)  Basic   Events after balance date  Martin Rorke is reviewing the results of the
review of subsequent cash receipts. There are several receipts listed from customers that were considered
doubtful at the end of the year (December 31). Martin is also reviewing evidence showing
that another customer that had a large balance at year-end unexpectedly declared bankruptcy on
January 10.

Required
Analyze how this information should be reflected in the financial statements.

AP14.4  (LO 2)  Moderate   Reporting subsequent events  On October 14, Montevista Inc. made
deposits with an overseas supplier totaling $500,000 for the production of specialty items. On October
27, the supplier closed due to political unrest in the country. Montevista hired an international trade
consultant to gain more information about the situation. The consultant concluded on January 11 that
it is unlikely that the deposit will be recovered. Montevista purchases over $3 million worth of items
from this supplier every year. Year-end for the Montevista audit is December 31, and the audit report is
due to be signed on February 26.

Required
a.  Discuss what audit procedures would be used to gather evidence about this situation.
b.  What is the appropriate treatment of this item in the December 31 financial statements?

AP14.5  (LO 3)  Basic   Audit wrap-up  Lucy Huang has just finished her first audit assignment. She
is now assisting her audit manager, Tom Lucas, with the wrap-up of the engagement. He has asked Lucy
to make a list of all open review notes, to-do items, and audit procedures, and note for each whether the
matter requires more attention, has been resolved (but not yet noted on file), or is no longer relevant
because of other events.
Tom has also asked Lucy to go through the files and remove all unnecessary documentation, drafts,
and review notes. Lucy is very nervous about this task because she believes her inexperience will mean
she will not be able to distinguish “unnecessary” from “necessary.” She remembers learning about
Arthur Andersen being prosecuted because it shredded files related to the Enron audit that should
have been kept.

Required
a.  What types of “additional attention” would open matters require?
b.  Explain why documents in a client’s audit file would be “unnecessary.” Provide two examples.

AP14.6  (LO 4)  Basic   Going concern  Mark Jackson is the partner on the audit team for a new client,
Central Companies (CC). The client hired Mark’s firm in August 2022, in preparation for the December 31,
2022, audit. Mark’s firm is replacing the predecessor firm that audited CC for the last 12 years. Since January
2022, CC has experienced a slowdown in sales as evidenced by lower inventory turnover ratios. Slower inventory
turnover has negatively impacted operating cash flow, which has resulted in CC paying some of its
suppliers late. Some of the smaller suppliers are demanding that CC pay cash on delivery of inventory items.
Mark is also aware of correspondence between CC and its bank that indicates the company started having
cash flow problems as far back as 2021. CC’s management is convinced that business will pick up and
therefore has not laid off any employees or made any other strategic changes to try and improve cash flow.

Required
Discuss any significant events or conditions that Mark will consider when evaluating if there is substantial
doubt about CC’s ability to continue as a going concern.

AP14.7  (LO 4)  Moderate   Research   Assessing going concern  Columbia Metal Fabricators
(CMF) makes steel components for the construction industry. It specializes in extreme precision manufacturing
where tolerances are measured in distances of less than one millimeter. Its products are used in
revolving restaurants, automatic doors, and similar construction components. In the past, the majority of
its sales have been to international construction companies, particularly in the Middle East. A drop in the
price of oil has slowed construction in the Middle East, and the extremely expensive buildings requiring
high-precision steel components are becoming less popular. In addition, some of the technology used
by CMF has been copied by companies in Southeast Asia, resulting in extreme price competition in this
section of the construction industry for the first time.
CMF is highly leveraged. Two years ago, the company borrowed a large sum of money to fund the
purchase of new office headquarters and the latest laser-cutting equipment. The loan is due for renewal
three months after year-end. One week before signing the audit report, the bank has still not agreed to
renew the loan and CMF’s management has begun negotiations with another bank.

Required
a.  Evaluate factors that would raise substantial doubt about the going concern assumption for CMF.
Discuss any mitigating factors.
b.  If there is a substantial going concern issue, what details should be disclosed in CMF’s notes to the
financial statements? (Note: You may want to access AU-C 570 for more details about auditing the
adequacy of the disclosure.)

AP14.8  (LO 5)  Challenging   Misstatements and the audit report  Katrina Ellis is the engagement
partner of the audit of Champion Securities, an investment company. Most of Champion’s
assets and liabilities are financial and their valuation is critical to the assessment of the company’s
solvency and profitability. Katrina has employed two outside experts to value the financial assets and
liabilities because they are extremely complex to value, particularly the energy market derivatives
and the instruments traded in foreign markets. In addition, the valuations are highly dependent on
market conditions and the specific and detailed requirements of the recently revised accounting
standards.
Throughout this year’s audit, Katrina has had difficulties with the CEO of Champion Securities.
He is vehemently opposed to any asset write-downs she has suggested. The CEO has the backing of the
chairman of the board, and Katrina has been unable to get the CEO to agree with her concerns about the
valuations of the financial assets and liabilities the company has made. In past years, Katrina has had
an amicable relationship with both the CEO and the chairman, and the audits have run very smoothly.
Katrina now realizes that this harmonious relationship was mainly due to the boom in the market. It
was unlikely there would be arguments about writing up the value of the company’s assets during these
good times.
Katrina, with the help of the experts, has prepared a summary of the relevant items, detailing the
revised values for the assets and liabilities and the associated effects on income and retained earnings.
The CEO has dismissed this summary and the audit recommendations with the comment, “The market
has hit the bottom and is recovering. There is no need to show these write-downs because by the time the
financial statements are published, the values will be back to where they were before the market fell. It
is all a waste of time. In fact, I think you are just being difficult. I think we need an auditor who is a bit
more realistic.”

Required
a.  Katrina has planned a meeting with the audit committee of the board of directors. Draft a report that
she would discuss with the audit committee.
b.  Katrina is also drafting the management representation letter that the CEO will need to sign. If he
refuses to sign the letter, discuss the implications for the audit.

AP14.9  (LO 5)  Basic   Public Company   Research   Section 302 of the Sarbanes-Oxley Act 
As discussed in the “Management Representation Letter” section of this chapter, Section 302 of SOX
requires the CEO and CFO of public companies to sign a certification statement when the financial
statements are filed with the SEC. You can access these documents through a public company’s website.
For example, in your web browser, search “Starbucks Investor Relations.” The website link will be the
first item in the search. Select SEC Filings. On the SEC Filings page you can search for all of Starbucks’
filings with the SEC. In the Year filter, select the most current year or you can leave it as All Years, and
in the Groupings Filter, select Annual Filings, then click Submit. The 10-K filings will appear. You can
download the 10-K in Word, PDF, or Excel format. Once downloaded, scroll to the end of the document.
(It is very long, usually about 200 pages.) The certification statements are the last pages of the Starbucks
10-K. (Note that you can use this same procedure to access the 10-K for any public company.)

Required
Read the certification statements and compare them to the management representation letter in
Illustration 14.12. Differentiate between the certification statement and the management representation
letter. Be specific with your responses.

Audit Decision Cases


King Companies, Inc.
Questions C14.1 and C14.2 are based on the following case.

King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles,
California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued
growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the
board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric
and Patricia are owned by friends and family who helped the Kings get started. Eric started the company
with one store after working in an auto parts store. To date, he has funded growth from an inheritance
and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to
five additional stores in the next few years.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery,
and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
In mid-February 2023, while the December 31, 2022, audit was nearing the final wrap-up stage, KCI
was contacted by the manufacturer of its most popular line of brake pads and rotors. The manufacturer
notified KCI of a major defect recently discovered with its brake pads and rotors produced during August
2022 through November 2022. Several deadly car accidents have been attributed to the faulty brake parts,
and the manufacturer is moving as quickly as possible to recall the affected parts. The manufacturer
stated that KCI should pull the affected products off its shelves immediately and notify as many customers
as possible who may have purchased the defective product. KCI management acts quickly and starts
looking through its sales records to see which customers purchased the affected parts. KCI also contacts
its attorney about the situation to begin discussions on how this might adversely affect KCI.

C14.1  (LO 1)  Challenging   Loss contingency  Information gathering and analysis: Does KCI have
a potential loss contingency? Discuss procedures the auditors should perform to gather evidence about
this situation.

C14.2  (LO 2)  Challenging   Subsequent event  Evaluation and conclusions: Evaluate whether the
recall qualifies as a subsequent event and its impact on the 2022 financial statements, if any.

Mobile Security, Inc.


Questions C14.3 and C14.4 are based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products
are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military product
designs, both the facilities and records of MSI must be highly secured.
The auditors are nearing the final wrap-up stages of the audit for the year ended June 30, 2023. The
following table shows final financial information for all four quarters of fiscal year end June 30, 2023
(amounts in millions).

Item              1st Quarter   2nd Quarter   3rd Quarter   4th Quarter
Total assets           $96.00        $92.00        $93.00        $89.00
Total revenues          33.00         31.00         28.00         22.00
Pretax income            3.20          2.79          2.24          1.57

In October 2022, MSI installed a new cloud-based inventory costing system. During interim work,
the audit team found some errors with the costing calculations in the new system, which led to errors
in recommended sales prices used in MSI’s competitive bidding process. There were also problems with
proper inventory cutoff at year-end. Some raw materials that were in transit were not recorded in inventory
when they should have been. The audit team has a meeting scheduled for the afternoon to discuss
the findings and next steps to wrap up the engagement.

For the past five years, the engagement quality control reviewer was Sally Pickering, a partner with
Leo & Lee. Sally retired three months ago. For the past month, the firm has been considering who would
take Sally’s place as the engagement quality control reviewer for the MSI audit. The industry and operations
of MSI are very specialized. Unfortunately, no other partner in the firm, other than the engagement
partner on the audit team, has experience in the industry or with MSI.

C14.3  (LO 3)  Challenging   Public Company   Final evaluation of audit evidence
a.  Analysis and evaluation: Evaluate the impacts the costing errors and inventory cutoff errors have
on the audit and the assessments of control risk, fraud risk, and materiality. Does your evaluation
change depending on whether the errors are material or immaterial?
b.  Evaluation and conclusions: Refer to C3.4 in Chapter 3 in which you calculated planning materiality
for MSI based on results from the first two quarters and estimates for the last two quarters. Now
that you have the results of all four quarters (see table above), evaluate your calculation of planning
materiality from C3.4. Would you have adjusted your planning materiality during the year-end fieldwork
based on the actual results from the third and fourth quarters? If so, what would be the adjusted
amount? What effect, if any, would your adjustment have on your planned audit procedures
for year-end fieldwork?

C14.4  (LO 3)  Moderate   Public Company   Research   Engagement quality control review 
Information gathering: If Leo & Lee does not have an internal qualified individual to serve as engagement
quality control reviewer, what options does the firm have? Research AS 1220 to provide a full response
(www.pcaobus.org). What characteristics should the engagement quality control reviewer possess? Describe
the actual engagement quality control review process, such as when it is conducted and the primary
tasks of the reviewer.

Brooks Health Group


Questions C14.5 and C14.6 are based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit
hospital. The fiscal year-end for Brookwood Pines is June 30. You are the audit partner reviewing the
working papers for the BPH audit for the fiscal year end June 30, 2023. Today is August 2, 2023, and it is
expected that fieldwork will be completed in three weeks.
BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured
and underinsured patients are offered discounts of up to 100% of charges based on their income as a
percentage of the federal poverty level guidelines. BPH does not pursue collection of these accounts;
therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing
the charity care is included in operating expenses.
BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt
issues, state and municipal government debt issues, and trusts. A majority of the investments are the
result of charitable contributions to the hospital by generous donors. Earnings from the investments are
used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover
the costs of the charity care.
During your review, you note that during the third and fourth quarters the financial markets performed
well and BPH recorded strong returns for its equity investments. However, beginning toward the
end of the fourth quarter through today, the financial markets have taken a hit. Enacted future tax law
changes, increasing interest rates, higher unemployment, and trade conflicts with other countries are
negatively impacting the economy and the financial markets. Analysts are predicting a continued drop
in the overall market performance and a bear market for some time. Since BPH relies on investment returns
to cover the costs of charity care, you consider how smaller investment returns could impact BPH’s
ability to operate. Also, in times of economic downturns, individuals may not be as charitable. Therefore,
BPH could see a drop in donations.
Another situation that is on your mind is a kitchen fire that occurred at BPH last week. Thankfully
no one was seriously injured, but BPH did not have full insurance coverage for the accident. The kitchen
was badly damaged and had to be shut down along with the cafeteria seating area used for hospital visitors.
Until the kitchen can be repaired, BPH is paying an outside catering service to deliver meals daily to
patients and employees only. Visitors can no longer purchase items from the cafeteria. You are concerned
that negative publicity from the kitchen fire incident could lead to decreased revenues if physicians decide
to contract with a competing hospital.
You spoke with BPH’s controller yesterday about the fire incident. The controller said they do have
the funds to repair the kitchen and are currently accepting bids from contractors for the repair work.
They hope to have a contractor selected by next week so work can get started quickly. They are anticipating
having the kitchen open in about six weeks. The controller did express concern over the added
expense of the repairs and the high cost of having an outside service provide daily meals to patients and
employees. He also said they have received concerned calls from many of the doctors who use BPH for
their patient services. BPH administration is working very hard at “damage control” to assure the doctors
that the hospital is safe and abiding by all codes required by the state department of health and hospitals.

C14.5  (LO 2)  Moderate   Final review issues—subsequent events


a.  Analysis: Explain your responsibilities with respect to the kitchen fire.
b.  Evaluation: Recommend how this event should be handled in the financial statements.

C14.6  (LO 4, 5)  Challenging   Final review issues—going concern and communicating with
those charged with governance  Evaluation: You are drafting a document with items to discuss with
BPH’s audit committee closer to the end of the audit. In addition to the kitchen fire incident, what else
should you communicate to the audit committee?

Cloud 9 - Continuing Case


Answer the following question based on the information presented for Cloud 9 in the appendix to this text and the current and
earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required
a. Based on your findings from the Cloud 9 problems in Chapters 11, 12, and 13, evaluate whether Cloud 9 has any
significant deficiencies or material weaknesses in internal control.
b. Based on everything you know about the audit of Cloud 9, prepare a report of items to be communicated to the audit
committee of Cloud 9’s board of directors.

Chapter 15
Reporting on the Audit

[Figure: The Audit Process. Stages shown: Overview of Audit and Assurance (Chapter 1); Professionalism and Professional Responsibilities (Chapter 2); Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4), comprising Gaining an Understanding of the Client, Identify Significant Accounts and Transactions, and Set Planning Materiality; Gaining an Understanding of the System of Internal Control (Chapter 6); Make Preliminary Risk Assessments; Develop Responses to Risk and an Audit Strategy; Audit Evidence (Chapter 5); Audit Data Analytics (Chapter 7); Performing Tests of Controls (Chapter 8); Performing Substantive Procedures (Chapter 9); Audit Sampling for Substantive Tests (Chapter 10); Auditing the Revenue Process (Chapter 11); Auditing the Purchasing and Payroll Processes (Chapter 12); Auditing the Balance Sheet and Related Income Accounts (Chapter 13); Completing and Reporting on the Audit (Chapters 14 and 15), comprising Procedures Performed Near the End of the Audit, Drawing Audit Conclusions, and Reporting.]


Learning Objectives

LO 1  Explain the components of the standard unqualified/unmodified audit report for public and private companies.
LO 2  Evaluate situations requiring an additional paragraph in the unmodified report on the financial statements.
LO 3  Discuss modifications required to the auditor’s report on the financial statements when the opinion is based in part on the report of another auditor.
LO 4  Evaluate situations requiring a departure from an unmodified opinion on the financial statements.
LO 5  Analyze how subsequently discovered facts may affect the auditor’s report on the financial statements.
LO 6  Explain the components of the standard unqualified opinion on the effectiveness of ICFR for public companies and evaluate situations that cause modifications to the unqualified opinion.
LO 7  Explain compilation and review engagements performed on unaudited financial statements of a private company.

Auditing and Assurance Standards

PCAOB

AS 1205  Part of the Audit Performed by Other Independent Auditors
AS 2201  An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
AS 2415  Consideration of an Entity’s Ability to Continue as a Going Concern
AS 2820  Evaluating Consistency of Financial Statements
AS 2905  Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report
AS 3101  The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion
AS 3105  Departures from Unqualified Opinions and Other Reporting Circumstances

Auditing Standards Board

AU-C 560  Subsequent Events and Subsequently Discovered Facts
AU-C 570  The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
AU-C 600  Special Considerations—Audits of Group Financial Statements (Including the Work of a Component Auditor)
AU-C 700  Forming an Opinion and Reporting on Financial Statements
AU-C 705  Modifications to the Opinion in the Independent Auditor’s Report
AU-C 706  Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report
AU-C 708  Consistency of Financial Statements
AU-C 940  An Audit of Internal Control That Is Integrated with an Audit of Financial Statements

Cloud 9 - Continuing Case


The partner on the Cloud 9 audit, Jo Wadley, has reviewed the report to be used for communication with Cloud 9’s management and audit committee and the draft management representation letter, both prepared by the audit manager Sharon Gallagher. Sharon briefed Jo on the major differences the partner will need to resolve with Cloud 9’s management. Sometimes, meetings with clients at the end of the audit can be difficult. If a client’s management will not adjust the financial statements to reflect misstatements found during the audit, the partner considers modifying the audit report. Jo does not anticipate any major difficulties with Cloud 9’s management.
Before the final meetings with Cloud 9’s management and audit committee, the audit team will finalize the management representation letter and prepare the auditor’s reports. Ian, a first-year associate, has learned a great deal about the process of conducting an audit by working on the Cloud 9 engagement. Based on his knowledge of the audit work completed, he feels confident that Cloud 9 will receive an unqualified report on the financial statements, but it will ultimately depend on the outcome of Jo’s meetings with management and the audit committee.
Ian remembers from his college auditing class that situations may happen in which auditors add another paragraph to the unqualified report or modify their opinion. Ian asks Sharon to refresh his memory on these situations. He asks her, “Do you think there will be any modifications to Cloud 9’s audit report?” Sharon replies, “Let’s do a quick review of situations that require a modification to the audit report.”

Chapter Preview: Audit Process in Focus


Once auditors have evaluated the conclusions drawn from the audit, they are ready to prepare
an appropriately worded audit report. The purpose of this chapter is to revisit the audit
reports that were introduced in Chapter 1 and to discuss situations that cause the auditors
to modify some of the wording in the report or to modify the opinion. We describe situations
in which auditors issue an unmodified opinion on the financial statements but add
an additional paragraph to the standard report for going concern problems, consistency
issues, or other special circumstances. We also revisit the discussion of relying on the work
of another auditor (Chapter 5) and how it may affect the auditor’s report on the financial
statements.
The next section of the chapter focuses on situations when the auditor may have to modify
the opinion on the financial statements. This is followed by a discussion of situations when
new information comes to the auditor’s attention after the end of fieldwork. The new information
may or may not affect the financial statements and the auditor’s report. We walk through
the steps auditors take if this type of situation occurs. We also revisit the report on the effectiveness
of internal control over financial reporting (ICFR) for public company clients. We
review the components of the standard unqualified opinion and then discuss situations that
cause auditors to modify their opinion.
The last section of the chapter explains two services that auditors can provide for private
company clients only. The two services are a compilation engagement and a review engagement.
Since most private companies are not required to have an audit, these services are alternatives
to an audit and are less in scope than an audit.

Standard Unmodified/Unqualified Audit Report


LEARNING OBJECTIVE 1
Explain the components of the standard unqualified/unmodified audit report for
public and private companies.

The purpose of an audit is to provide financial statement users with an opinion by the auditor
on whether the financial statements are presented fairly in accordance with an applicable
financial reporting framework. The audit process enhances the degree of confidence
that intended users place in the financial statements. The audit report is the “end product”
of the financial statement audit. Once auditors have gathered sufficient appropriate audit
evidence, evaluated uncorrected misstatements, and completed the required communications
with those charged with governance (Chapter 14), the final step is to prepare and issue the
independent auditor’s report.

You were introduced to the standard unmodified auditor’s report in Chapter 1. AU-C
700 Forming an Opinion and Reporting on Financial Statements defines an unmodified
opinion as the opinion expressed by the auditor when the auditor concludes the financial
statements are presented fairly, in all material respects, in accordance with the applicable
financial reporting framework (AU-C 700.11). The auditor’s report must be in writing,
in either hardcopy or electronic form. Illustrations 15.1 and 15.2 provide examples of an
unmodified auditor’s report for a private company and an unqualified auditor’s report for a
public company. These are the same example reports used in Chapter 1 in Illustrations 1.6
and 1.7. The components of each report are detailed as in Chapter 1. Take a few moments
to refresh your memory with the components of each report, as well as the similarities and
differences between each report.

unmodified opinion  the opinion expressed by the auditor when the auditor concludes that the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework

Illustration 15.1  Example of an unmodified audit report on the financial statements of New Millennium Ecoproducts, a private company

[1] Independent Auditor’s Report

[2] To the owners of New Millennium Ecoproducts:

[3] Report on the Financial Statements
We have audited the accompanying financial statements of New Millennium Ecoproducts, which
comprise the balance sheets as of December 31, 2022 and 2021, and the related statements of
income, changes in equity, and cash flows for the years then ended, and the related notes to the
financial statements.

[4] Management’s Responsibility for the Financial Statements


Management is responsible for the preparation and fair presentation of these financial statements
in accordance with accounting principles generally accepted in the United States of America; this
includes the design, implementation, and maintenance of internal control relevant to the preparation
and fair presentation of financial statements that are free from material misstatement,
whether due to fraud or error.

[5] Auditor’s Responsibility


Our responsibility is to express an opinion on these financial statements based on our audits. We
conducted our audits in accordance with auditing standards generally accepted in the United
States of America. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures
in the financial statements. The procedures selected depend on the auditor’s judgment, including
the assessment of the risks of material misstatement of the financial statements, whether
due to fraud or error. In making those risk assessments, the auditor considers internal control relevant
to the entity’s preparation and fair presentation of the financial statements in order to design
audit procedures that are appropriate in the circumstances, but not for the purpose of expressing
an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such
opinion. An audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of significant accounting estimates made by management, as well as evaluating
the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a
basis for our audit opinion.

[6] Opinion
In our opinion, the financial statements referred to above present fairly, in all material respects,
the financial position of New Millennium Ecoproducts as of December 31, 2022 and 2021, and the
results of its operations and its cash flows for the years then ended in accordance with accounting
principles generally accepted in the United States of America.

[7] Bell & Bowerman, LLP


Seattle, Washington

[8] February 15, 2023

Source: AU-C 700.A63 Exhibit—Illustration 1.


Here is a quick summary of the components of an unmodified opinion for a private company
audit:

1.  Title—Must include the term “independent.”
2.  Address—Addressed as required by the terms of the engagement.
3.  Introductory paragraph—Identifies the financial statements that were audited.
4.  Management’s responsibility paragraph—States management’s responsibility for the
preparation and fair presentation of the financial statements and for the design,
implementation, and maintenance of ICFR.
5.  Auditor’s responsibility paragraph—States the auditor’s responsibility to conduct the audit
according to auditing standards and provide reasonable assurance about the fair presentation
of the financial statements. Since it is a private company audit, the report states
the auditor did not evaluate internal control for the purpose of expressing an opinion on
internal control.
6.  Opinion paragraph—Clearly states the auditor’s opinion that the financial statements
are fairly presented, in all material respects, in accordance with the applicable financial
reporting framework.
7.  Signature—Includes the firm name and location.
8.  Date—Date of the end of fieldwork.

Illustration 15.2  Example of an unqualified audit report for the financial statements of
The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

[2] To the shareholders and the Board of Directors of The Boeing Company

Opinion on the Financial Statements
[3] We have audited the accompanying consolidated statements of financial position of The Boeing
Company and subsidiaries (the “Company”) as of December 31, 2017 and 2016, the related consolidated
statements of operations, comprehensive income, equity, and cash flows, for each of the
three years in the period ended December 31, 2017, and the related notes (collectively referred to
as the “financial statements”). In our opinion, the financial statements present fairly, in all material
respects, the financial position of the Company as of December 31, 2017 and 2016, and the results
of its operations and its cash flows for each of the three years in the period ended December 31,
2017, in conformity with accounting principles generally accepted in the United States of America.

[4] We have also audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting
as of December 31, 2017, based on criteria established in Internal Control—Integrated Framework
(2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission and
our report dated February 12, 2018, expressed an unqualified opinion on the Company’s internal
control over financial reporting.

Basis for Opinion

[5] These financial statements are the responsibility of the Company’s management. Our responsibility
is to express an opinion on the Company’s financial statements based on our audits. We are a
public accounting firm registered with the PCAOB and are required to be independent with respect
to the Company in accordance with the U.S. federal securities laws and the applicable rules and
regulations of the Securities and Exchange Commission and the PCAOB.

[6] We conducted our audits in accordance with the standards of the PCAOB. Those standards
require that we plan and perform the audit to obtain reasonable assurance about whether the
financial statements are free of material misstatement, whether due to error or fraud. Our audits
included performing procedures to assess the risks of material misstatement of the financial
statements, whether due to error or fraud, and performing procedures that respond to those
risks. Such procedures included examining, on a test basis, evidence regarding the amounts and
disclosures in the financial statements. Our audits also included evaluating the accounting principles
used and significant estimates made by management, as well as evaluating the overall
presentation of the financial statements. We believe that our audits provide a reasonable basis
for our opinion.

[7] /s/ Deloitte & Touche LLP


Chicago, Illinois

[8] February 12, 2018

[9] We have served as the Company’s auditor since at least 1934; however, an earlier year cannot
be reliably determined.

Here is a quick summary of the components of an unqualified opinion for a public company
audit:
1.  Title—Must include the terms “registered” and “independent.”
2.  Address—Addressed to the board of directors and shareholders of the company.
3.  Opinion paragraph—Identifies the statements being audited and states the auditor’s opinion.
4.  Paragraph referencing the audit of internal control—References the auditor’s report on the
effectiveness of ICFR.
5.  Basis for opinion paragraph—States responsibilities and references registration with the
PCAOB and adherence to independence requirements of the SEC.
6.  Scope paragraph—Briefly explains the process of conducting an audit and that the PCAOB
standards were followed.
7.  Signature—Includes the firm name and location.
8.  Date—Date of the end of fieldwork.
9.  Auditor tenure—States the year in which the firm began serving consecutively as the
company’s auditor.
The next three sections of this chapter will discuss special situations in which auditors may
need to add a paragraph to the standard unmodified/unqualified audit report and situations in
which auditors will modify their opinion. We will use the private company standard audit report
(Illustration 15.1) as the basis for examples of adding a paragraph or modifying the opinion.

Professional Environment  Critical Audit Matters in the Audit Reports for Public Companies

The PCAOB standard for the new audit report, AS 3101, went into effect for audits of fiscal years
ending on or after December 15, 2017.¹ The Boeing Company unqualified audit report in
Illustration 15.2 reflects the new audit report. As mentioned in Chapter 1, a significant change to
the audit report is the communication of critical audit matters, or CAM. A CAM is any audit matter
that was communicated to or required to be communicated to the audit committee. The PCAOB
recognized that including CAMs in the auditor’s report is a significant change and decided the
requirement to include CAMs would go into effect for fiscal years ending on or after June 30, 2019.
Therefore, we will not see CAMs included in the audit reports for U.S. public companies until late
2019 and beyond.

At the international level, the International Auditing and Assurance Standards Board (IAASB)
issued a similar standard requiring that auditors include key audit matters, or KAM, in the audit
reports of listed entities. International Standard on Auditing (ISA) 701, Communicating Key Audit
Matters in the Independent Auditor’s Report, became effective for periods ending on or after
December 15, 2016. Therefore, audit reports issued under the IAASB standards in 2017 include the
discussion of KAM, which is effectively the same as CAMs under PCAOB standards. The audit
standard-setting body in New Zealand follows the IAASB standards, so we can look to a New
Zealand-based public company to see an example of an audit report that incorporates a discussion
of KAM. Air New Zealand, an airline company, is a public company audited by Deloitte. Access the
company’s website to see the latest annual report and navigate to the auditor’s report in the
annual report. For the June 30, 2017, audit, the auditor’s report included discussion of three KAMs
in the areas of revenue recognition, aircraft lease return costs, and aircraft residual values and
useful lives. For each KAM, the report includes a list of the audit procedures that addressed the key
audit matter and the results of the auditor’s work. The Air New Zealand audit report provides a
great example of what the audit reports for U.S.-based public companies will look like when the
CAM requirement goes into effect in late 2019.

¹ PCAOB Release No. 2017-001, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion.

Before You Go On
1.1 Compare the titles of the two audit reports in Illustrations 15.1 and 15.2. How are they similar?
How are they different?
1.2 Both reports in Illustrations 15.1 and 15.2 briefly describe an audit. How are the descriptions
similar? How are they different?
1.3 Why does the report in Illustration 15.2 reference another auditor report that the report in
Illustration 15.1 does not?

Additional Paragraph for the Standard Unmodified Report


LEARNING OBJECTIVE 2
Evaluate situations requiring an additional paragraph in the unmodified report on
the financial statements.

There are certain situations in which the auditor issues an unmodified opinion but may include
an additional paragraph in the report to draw attention to important information that is
already presented or disclosed in the financial statements. This additional paragraph is called
an emphasis-of-matter paragraph. The emphasis-of-matter paragraph is placed after the
opinion paragraph in the standard unmodified report. AU-C 706 Emphasis-of-Matter Paragraphs
and Other-Matter Paragraphs in the Independent Auditor’s Report addresses the general
use of the emphasis-of-matter paragraph, and other AU-C sections specifically require it. The
rest of this section discusses circumstances in which the auditor is required to use or is
permitted to use an emphasis-of-matter paragraph.

emphasis-of-matter paragraph: a paragraph included in the auditor’s report that is required by
generally accepted auditing standards, or is included at the auditor’s discretion, and that refers to
a matter appropriately presented or disclosed in the financial statements that, in the auditor’s
professional judgment, is of such importance that it is fundamental to users’ understanding of the
financial statements

The reporting standards for private and public company audits are quite similar. The
following discussion provides examples from the auditing standards that apply to private
company audits. In a public company audit, the auditing standards for adding an
emphasis-of-matter paragraph are the same. One minor difference is the PCAOB standard refers to
an emphasis-of-matter paragraph as an “explanatory paragraph.” PCAOB AS 3101 The Auditor’s
Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified
Opinion lists situations in which an explanatory, or emphasis-of-matter, paragraph would be
added after the opinion paragraph in the public company auditor’s report.

Going Concern Paragraph


In Chapter 14, we discussed the auditor’s assessment of the client’s ability to continue as a
going concern for a reasonable period of time, which is one year from the issuance date of the
financial statements for a private company client and one year from the date of the financial
statements for a public company. If the client has a going concern issue, then management
must make a note disclosure about the circumstances, including any plans management may
have to mitigate the situation. If auditors determine that the disclosure is fairly presented in
accordance with the applicable financial reporting framework, then an unmodified auditor’s
report can still be issued (assuming there are no other uncorrected material misstatements).
Remember, an unmodified auditor’s report is not an indication the company is successful
financially but rather an indication the company has followed accounting standards as dictated
by the applicable financial reporting framework.
When a client has a going concern issue, AU-C 570 The Auditor’s Consideration of an
Entity’s Ability to Continue as a Going Concern requires an emphasis-of-matter paragraph
be added to the unmodified report after the opinion paragraph. The paragraph must include
the phrase “substantial doubt about the entity’s ability to continue as a going concern” and use
the heading “Emphasis of Matter.” The paragraph should also include a reference to the note
in the financial statements that provides more information about the going concern circumstances.
Illustration 15.3 provides an example of an unmodified opinion with a going concern
emphasis-of-matter paragraph. If the client refuses to properly disclose the going concern issue in
the notes as required by the financial reporting framework, the auditor should modify the opinion
for a material departure from the financial reporting framework. Modifications to the opinion will
be discussed in this chapter in “Modifying the Audit Opinion.”

Illustration 15.3  Example of an unmodified opinion with a going concern emphasis-of-matter
paragraph

[Note to reader: Use the same components, 1 through 6, of the standard unmodified audit report,
then add the paragraph below.]

Emphasis of Matter
The accompanying financial statements have been prepared assuming that the Company will continue
as a going concern. As discussed in Note X to the financial statements, the Company has
suffered recurring losses from operations, has a net capital deficiency, and has stated that substantial
doubt exists about the Company’s ability to continue as a going concern. Management’s
evaluation of the events and conditions and management’s plans regarding these matters are also
described in Note X. The financial statements do not include any adjustments that might result
from the outcome of this uncertainty. Our opinion is not modified with respect to this matter.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 570.A52.

If a public company client has a going concern issue, AS 2415 Consideration of an Entity’s
Ability to Continue as a Going Concern also requires that an explanatory paragraph be added
after the opinion paragraph. The wording in the explanatory paragraph is virtually identical
to that shown in Illustration 15.3 for a private company client.

Consistency of Financial Statements


Companies typically present their financial statements in comparative form, which means
showing two consecutive years of balance sheets and three consecutive years of the income
statement, statement of cash flows, and statement of stockholders’ equity. Showing comparative
financial statements helps users to analyze the company’s financial condition and
profitability. A core concept in accounting is that accounting principles should be applied
consistently from one accounting period to the next. For example, if a company chooses to use
an accelerated depreciation method, then it should be used consistently from year to year. If
a company switches each year from an accelerated method to straight-line depreciation and
back to an accelerated method, then it would be difficult for financial statement users to analyze
the performance of the company from one year to the next.
AU-C 708 Consistency of Financial Statements requires auditors to evaluate the consistency of
a client’s financial statements for the periods that are presented. Two situations that can materially
impact the consistency of the financial statements are (1) a change in accounting principle and
(2) an adjustment to correct a material misstatement in previously issued financial statements.

Change in Accounting Principle


The following situations are considered a change in accounting principle:
•  Changing from one acceptable accounting principle to another acceptable accounting principle.
A company may change methods if there is a justified reason for doing so. For example,
due to changes in its industry, a company may decide to change from the LIFO method of
inventory costing to the FIFO method, which are both approved methods under U.S. GAAP.
•  Changing from one acceptable accounting principle to a newly adopted accounting principle.
When a new accounting standard becomes effective, a company is required to adopt
the new standard because the currently used standard will no longer be allowed.
•  Changing the method of applying an acceptable accounting principle. An accounting pronouncement
may be issued by the accounting standard-setting body that modifies how
an existing principle should be applied. When a company modifies how it applies the
accounting principle, it is considered a change in accounting principle as long as it is in
accordance with the applicable financial reporting framework.
When a change in accounting principle does occur, the client should account for the change and
prepare a note disclosure about the change in accordance with the applicable financial reporting
framework. Auditors apply audit procedures to ensure the accounting for the change and the
note disclosure are presented in accordance with the applicable financial reporting framework.
If the change in accounting principle is properly accounted for and disclosed, auditors can
issue an unmodified opinion. However, if the change in accounting principle has a material effect
on the comparability of the financial statements, then AU-C 708 requires auditors to add an
emphasis-of-matter paragraph to the auditor’s report. The emphasis-of-matter paragraph would
be added after the opinion paragraph and would include a description of the change in accounting
principle and a reference to the note disclosure. Illustration 15.4 provides an example of an
unmodified opinion with a consistency emphasis-of-matter paragraph for the adoption of a new
accounting standard. Illustration 15.5 provides an example of an unmodified opinion with a
consistency emphasis-of-matter paragraph for a voluntary change in accounting principle.

Illustration 15.4  Example of an unmodified opinion with a consistency emphasis-of-matter
paragraph for adoption of a new accounting standard

[Note to reader: Use the same components, 1 through 6, of the standard unmodified audit report,
then add the paragraph below.]

Emphasis of Matter
As discussed in Note X to the financial statements, in 2021 the Company adopted new accounting
guidance for revenue recognition as required by FASB Accounting Standards Update (ASU) No.
2014-09 Revenue from Contracts with Customers. Our opinion is not modified with respect to this
matter.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 708.A7.

Illustration 15.5  Example of an unmodified opinion with a consistency emphasis-of-matter
paragraph for a voluntary change in accounting principle

[Note to reader: Use the same components, 1 through 6, of the standard unmodified audit report,
then add the paragraph below.]

Emphasis of Matter
As discussed in Note X to the financial statements, in 2022 the Company elected to change its
method of calculating depreciation on fixed assets from the double-declining balance method to
the straight-line method. Our opinion is not modified with respect to this matter.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 708.A8.

If the client refuses to properly disclose a material change in accounting principle or the material
change is not justifiable as dictated by the applicable financial reporting framework, the auditor
should modify the opinion for a material departure from the financial reporting framework.
Modifications to the opinion will be discussed in this chapter in “Modifying the Audit Opinion.”

Adjustment to Correct a Material Misstatement


The second situation that can materially impact the consistency of the financial statements
is an adjustment to correct a material misstatement in previously issued financial statements.
For example, in the current year, the client realizes there was a classification error in
the prior year’s cash flow statement. Cash flows that were listed in the operating activities
category should have been listed in the financing activities category. This error is corrected,
and the prior year financial statements are restated and issued in comparative form with
the current year’s audited financial statements. The client would include a note disclosure
in the current year financial statements that describes the correction.
AU-C 708 requires auditors to include an emphasis-of-matter paragraph in the current-year
audit report that states the previously issued financial statements have been restated
for the correction of a material misstatement that was discovered in the current year. The
emphasis-of-matter paragraph should also reference the note disclosure that describes the
correction. Illustration 15.6 provides an example of an unmodified opinion with a consistency
emphasis-of-matter paragraph for a correction of a material misstatement in previously
issued financial statements. The emphasis-of-matter paragraph would not need to be included
in the following year’s audit report. It is only included in the year the material misstatement
is identified and corrected.

Illustration 15.6  Example of an unmodified opinion with a consistency emphasis-of-matter
paragraph for a correction of a material misstatement in previously issued financial statements

[Note to reader: Use the same components, 1 through 6, of the standard unmodified audit report,
then add the paragraph below.]

Emphasis of Matter
As discussed in Note X to the financial statements, the 2021 financial statements have been restated
to correct a misstatement. Our opinion is not modified with respect to this matter.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 708.A14.

You may be wondering, if the prior year’s financial statements were audited, why was
the material misstatement not found in the prior year? If the same auditors are auditing
the current-year financial statements, does it mean they did not do a thorough audit in the
prior year? We will discuss this type of situation in this chapter in “Subsequently Discovered
Facts.”
Public companies face the same types of consistency issues as private companies. AS 2820
Evaluating Consistency of Financial Statements also requires that an explanatory paragraph be
added after the opinion paragraph to draw attention to material consistency issues. The wording
in the explanatory paragraph is virtually identical to the examples shown in Illustrations
15.4, 15.5, and 15.6 for a private company.

Emphasis Added at Discretion of the Auditor


There may be situations in which the auditor wants to draw users’ attention to a material matter
that is already presented and/or disclosed in the client’s financial statements. AU-C 706
permits auditors to add an emphasis-of-matter paragraph to bring attention to the material
matter. Examples of situations auditors may want to draw attention to include:
•  Uncertainties relating to the future outcome of litigation or regulatory action.
•  A major disaster that has had or will continue to have a significant impact on the
company’s financial situation.
•  Material transactions with related parties.
•  Significant subsequent events.
Auditors use their professional judgment to determine if an emphasis-of-matter paragraph
is appropriate for the client’s situation. If added, the emphasis-of-matter paragraph would
follow the opinion paragraph and would state the matter being emphasized and reference the
note that contains more information about the matter. Illustration 15.7 shows an example of
an emphasis-of-matter paragraph added at the auditor’s discretion for a litigation uncertainty.

Illustration 15.7  Example of an unmodified opinion with an emphasis-of-matter paragraph to
draw attention to a material matter

[Note to reader: Use the same components, 1 through 6, of the standard unmodified audit report,
then add the paragraph below.]

Emphasis of Matter
As discussed in Note X to the financial statements, the Company is involved in litigation, and there
is uncertainty as to when the litigation will be resolved and the extent of its impact on the company.
Our opinion is not modified with respect to this matter.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 706.07.

Audit Reasoning Example  Emphasis-of-Matter Paragraph

Darnell Becker is the senior manager on the audit of the December 31, 2022, financial statements
of Escape Airlines. The audit team has completed the audit, and it is time to draft the audit report.
An unmodified audit report will be issued because the auditors concluded that Escape’s financial
statements are presented fairly, in all material respects, in accordance with GAAP. Will Phillips,
the partner, has called a meeting with Darnell to discuss some final items. “As you know, at the
beginning of 2022, Escape invested in Top Notch Paper & Cleaning Supplies and now has a 32%
ownership in the company,” says Will. “Top Notch is now Escape’s only supplier of paper goods
and cleaning supplies.” “Yes, that was a major investment for Escape,” says Darnell. “Our team
spent considerable time auditing the investment, which is appropriately accounted for using the
equity method. We also audited transactions between Top Notch and Escape. Since the two are
now considered related parties, we increased the extent of our audit procedures to more closely
scrutinize the form and substance of the transactions. Additionally, Escape is required to disclose
that Top Notch is a related party. We inspected the note disclosure prepared by Escape’s management
and concluded the disclosure was in accordance with GAAP. Has something else come up related
to this issue?” Will shakes his head no, and says, “There is no new information, but I feel we
should emphasize this matter in our audit report. It is a material, new investment for Escape, and it
has changed the supply situation since Top Notch is now the only supplier of paper goods and cleaning
supplies for Escape. I recommend we add an emphasis-of-matter paragraph to our unmodified
report, after the opinion paragraph, and refer the financial statement readers to the note disclosure
that describes the related party situation between Escape and Top Notch. Adding the paragraph will
help ensure that interested users are aware of the new situation.” “I agree,” says Darnell, “I will add
the emphasis-of-matter paragraph to our report and have a copy for you to review shortly.”

In summary, auditing standards require an emphasis-of-matter paragraph for going concern
and consistency issues. At their discretion, auditors can add an emphasis-of-matter paragraph
to the audit report to bring attention to other material issues that are already presented or
disclosed in the financial statements. In all cases, the emphasis-of-matter paragraph is placed
after the opinion paragraph because it does not modify the auditor’s opinion on the financial
statements as a whole.

Cloud 9 - Continuing Case


Sharon asks Ian if he thinks an emphasis-of-matter paragraph should be added to the audit report.
Ian thinks for a moment, then replies, “Well, we confirmed with Cloud 9’s lawyers that there are no
pending legal issues, so there is nothing we need to emphasize in that area. Cloud 9 has a decline in
earnings this year but that does not represent a going concern issue. There are no consistency issues
with Cloud 9’s application of accounting principles. So, I don’t think we need to add an
emphasis-of-matter paragraph to this year’s audit report.”
“I agree with your analysis,” replies Sharon.

Before You Go On
2.1  What wording is required in the going concern emphasis-of-matter paragraph?
2.2  Provide two examples of a change in accounting principle.
2.3 Where is an emphasis-of-matter paragraph placed in the auditor’s report? Why is placement
of the paragraph important?

Opinion Based in Part on the Report of Another Auditor


LEARNING OBJECTIVE 3
Discuss modifications required to the auditor’s report on the financial statements
when the opinion is based in part on the report of another auditor.

As discussed in Chapter 5 (in the section “Using the Work of Another Auditor”), sometimes
auditors must rely on work performed by auditors from a different firm. This occurs most
frequently when a group audit is being performed on the group financial statements of more
than one entity, such as consolidated financial statements prepared by a parent company. The
group engagement team audits the parent company and is responsible for the overall audit
strategy for all of the components. A component auditor, which is a different accounting firm,
audits a component or subsidiary of the parent company. It is the responsibility of the group
engagement partner to ensure the work completed by a component auditor meets the group
engagement partner’s requirements and standards.
In the audit of a private company, AU-C 600 Special Considerations—Audits of Group
Financial Statements (Including the Work of Component Auditors) states the group engagement
partner is responsible for issuing the audit report on the group financial statements. The
following discussion and example are based on AU-C 600 as it relates to private company audits.
The group engagement partner must decide whether to make reference to the audit of a
component auditor in the auditor’s report on the group financial statements. If the subsidiary
audited by the component auditor is a material amount of the group financial statements, the
group engagement partner typically decides to reference the work completed by the component
auditor in the audit report. By making this reference to the component auditor, the group
engagement partner is not assuming responsibility for the work of the component auditor.
Illustration 15.8 provides an example of an unmodified opinion based in part on the
report of another auditor. When reference is made to a component auditor, the auditor’s
responsibility paragraph is modified to include the portion of the group financial statements
that were audited by the component auditor. The portion audited by the component auditor
can be expressed in dollar amounts or percentages of total assets, total revenues, or other
appropriate criteria (AU-C 600.A58). If more than one component auditor was used to audit
multiple subsidiaries, then the portion audited by all component auditors can be aggregated
together and expressed as a single dollar amount or percentage. The name of the component
audit firm is typically not stated in the audit report, but it is allowed under AU-C 600. If the
group engagement partner wants to name the component audit firm, then he or she must
receive permission from the component auditor, and the component auditor’s report on the subsidiary
must be presented together with the auditor’s report on the group financial statements.

Illustration 15.8  Example of an unmodified opinion based in part on the report of another auditor

[Note to reader: Use the same components, 1 through 4, of the standard unmodified audit report.
In this example, the added verbiage is in italics.]

Auditor’s Responsibility
Our responsibility is to express an opinion on these consolidated financial statements based on
our audits. We did not audit the financial statements of B Company, a wholly owned subsidiary, which
statements reflect total assets constituting 20 percent and 22 percent, respectively, of consolidated
total assets at December 31, 2022 and 2021, and total revenues constituting 18 percent and 20 percent,
respectively, of consolidated total revenues for the years then ended. Those statements were
audited by other auditors, whose report has been furnished to us, and our opinion, insofar as it relates
to the amounts included for B Company, is based solely on the report of the other auditors. We conducted
our audits in accordance with auditing standards generally accepted in the United States of
America. Those standards require that we plan and perform the audit to obtain reasonable assurance
about whether the consolidated financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures
in the consolidated financial statements. The procedures selected depend on the auditor’s
judgment, including the assessment of the risks of material misstatement of the consolidated
financial statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity’s preparation and fair presentation of the consolidated
financial statements in order to design audit procedures that are appropriate in the circumstances,
but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal
control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness
of accounting policies used and the reasonableness of significant accounting estimates made by
management, as well as evaluating the overall presentation of the consolidated financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a
basis for our audit opinion.

Opinion
In our opinion, based on our audits and the report of the other auditors, the consolidated financial
statements referred to above present fairly, in all material respects, the financial position of New
Millennium Ecoproducts and its subsidiaries as of December 31, 2022 and 2021, and the results
of their operations and their cash flows for the years then ended in accordance with accounting
principles generally accepted in the United States of America.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 600.A97 Illustration 2.

As noted in Illustration 15.8, the opinion paragraph is also slightly modified with a reference
to the component auditor. No emphasis-of-matter paragraph is required when there is
a reference to a component auditor. If the component auditor is not referenced in the audit
report, the standard unmodified audit report, like the one in Illustration 15.1, can be used. Not
referencing the component auditor means the group engagement partner is assuming responsibility
for the work of the component auditor. If the subsidiary audited by the component
auditor is an immaterial portion of the group financial statements, then it is likely the group
engagement partner would assume responsibility for all of the work completed.
In the audit of a public company client, the same situation may occur in which other independent
firms assist with the audit of a subsidiary. The related PCAOB standard is AS 1205
Part of the Audit Performed by Other Independent Auditors. The requirements are essentially
the same as the ASB standard, but AS 1205 uses slightly different terminology. The firm of the
group engagement team is referred to as the “principal auditor” and the component auditor is
simply referred to as the “other auditor.”

Cloud 9 - Continuing Case


Sharon reminds Ian that Cloud 9 has some inventory production in Vietnam. Jo, the partner,
decided to continue to use a Vietnam-based accounting firm to gather evidence on the inventory
produced at the Vietnamese facility and the property, plant, and equipment located there. Jo was
satisfied with the reputation of the firm, its past experience with auditing Cloud 9’s Vietnamese
facility, and its independence from the client. In addition, the inventory produced at the
Vietnamese location represents 25% of Cloud 9’s total inventory. The property, plant, and
equipment represents 20% of Cloud 9’s total PPE. Jo and Sharon reviewed the working papers of the
Vietnamese firm and were satisfied with the work completed. No material misstatements were found
regarding the inventory located at the Vietnamese facility. Since the inventory located at the
Vietnamese facility is a material portion of Cloud 9’s overall inventory, Jo has decided to
reference the work of the Vietnamese accounting firm in the audit report.

Before You Go On
3.1  Describe a situation that would require the use of a component auditor.
3.2 Explain how the component auditor’s share of the audit can be quantified in the auditor’s
report on the financial statements.
3.3 Explain whether the name of the component audit firm can be used in the audit report of the
group financial statements.

Modifying the Audit Opinion


LEARNING OBJECTIVE 4
Evaluate situations requiring a departure from an unmodified opinion on the
financial statements.

Now we will discuss situations in which the auditor cannot issue an unmodified opinion on
the financial statements. There are two scenarios that would cause auditors to modify the
opinion for both private and public company clients:
1. The auditor concludes the financial statements are not presented fairly in accordance
with the applicable financial reporting framework because of one or more material misstatements.
Essentially, the client has departed from accounting standards and will not
correct the departure.
2. The auditor is not able to gather sufficient appropriate audit evidence to draw a conclusion
about the fair presentation of the financial statements. In other words, the auditor cannot complete
some portion of the planned audit procedures. This is referred to as a scope limitation.

In these scenarios, auditors would issue a modified opinion. AU-C 705 Modifications
to the Opinion in the Independent Auditor’s Report and AS 3105 Departures from Unqualified
Opinions and Other Reporting Circumstances state the types of modified opinions are a qualified
opinion, an adverse opinion, and a disclaimer of opinion.

modified opinion  a qualified opinion, an adverse opinion, or a disclaimer of opinion

The concept of materiality is a key factor in determining which type of modified report
to issue. Recall that if immaterial misstatements are discovered and left uncorrected, or if an
immaterial scope limitation occurs, auditors can still issue an unmodified report. If a misstatement
is considered material, it could affect decisions that users make if the users are made
aware of the misstatement. If a scope limitation is material, auditors cannot state a conclusion
without evidence to support the conclusion. AU-C 705 introduces the term pervasive to help
auditors further clarify the magnitude of a material misstatement or a material scope limitation.
Characteristics of a pervasive misstatement or scope limitation are as follows:

•  It is not confined to specific elements, accounts, or items of the financial statements.
•  If it is confined, it represents or could represent a substantial portion of the financial
statements.
•  In the context of disclosures, it is fundamental to users’ understanding of the financial
statements (AU-C 705.06).

pervasive  a description of the impact or possible impact of a material misstatement or material
scope limitation on the financial statements as a whole

In essence, if a misstatement or a scope limitation has a pervasive effect on the financial
statements, it means it is “super material.” Auditors must use their professional judgment
to distinguish if a misstatement or scope limitation is material or pervasively material (super
material). The level of materiality will determine which modified opinion should be issued.
The different modified reports are discussed next using example reports that would be used
for a private company client. At the end of this section (just after Illustration 15.15), we will
discuss modified reports for a public company client.

Departure from Applicable Financial Reporting Framework
As discussed in Chapter 14 (in the section “Completion of Working Paper Review”), material
misstatements discovered during the audit are discussed with management and usually management
makes the recommended adjustment to correct the misstatement. What if management
refuses to make the recommended adjustment? The next step would be to discuss the
issue with those charged with governance, which is typically the audit committee of the board
of directors. What if the audit committee agrees with management and refuses to make the
adjustment? At this point, the next step for the auditor is to modify the audit opinion.
A material misstatement occurs when the client departs from the applicable financial
reporting framework. For example, the accounting policy selected by the client may not be
appropriate or the client may be applying the policy incorrectly. Also, the presentation in the
financial statements or disclosures may be inappropriate or inadequate. Illustration 15.9
provides more examples of departures from the applicable financial reporting framework. Auditors
use their professional judgment to determine if a material misstatement is pervasive.

Illustration 15.9  Examples of departures from the applicable financial reporting framework

Appropriateness of selected accounting policies:
• Selected policies are not in accordance with the applicable financial reporting framework.
• Financial statements and notes do not represent the underlying transactions and events in a
manner that achieves fair presentation.
• The change in accounting policy is unjustified and inappropriate.
Application of selected accounting policies:
• Management has not applied the selected accounting policies consistently to similar
transactions and events.
• An unintentional error was made in the application of the accounting policy.
Appropriateness and adequacy of financial statement presentation and disclosures:
• Required disclosures are missing or incomplete.
• Disclosures are not presented in accordance with the financial reporting framework.
• Information required to be presented is omitted either because a required financial statement
has not been included or the information has not been disclosed in the financial statements.

Source: AU-C 705.A3–7.

If a misstatement is material, but not pervasive, a qualified opinion is issued. In a qualified
opinion, auditors are stating the financial statements are fairly presented, except for a material
departure from the applicable financial reporting framework. Illustration 15.10 provides an
example of a qualified opinion for a material, but not pervasive, departure from the financial reporting
framework. The title, address, introductory paragraph, management’s responsibility paragraph,
and auditor’s responsibility paragraph are the same as an unmodified report. A “Basis for
Qualified Opinion” paragraph is added before the opinion paragraph. The basis for qualified opinion
paragraph provides a description of the situation causing the modified opinion and quantifies the
financial effects of the misstatements, if applicable. Placement before the opinion paragraph is
important because it alerts the reader to a material situation so the reader is not “surprised” when
reading the modified opinion in the next paragraph. The opinion paragraph is titled as “Qualified
Opinion.” The only change to the opinion paragraph is the addition of the phrase “except for the
effects of the matter described in the Basis for Qualified Opinion paragraph,” which is italicized
in Illustration 15.10. By using the phrase “except for,” auditors state the financial statements are
presented fairly, except for the situation that is described in the basis for qualified opinion
paragraph. No other phrases or wording should be used in the opinion paragraph.

qualified opinion  auditors state the financial statements are fairly presented except for a
material departure from the applicable financial reporting framework or a material scope limitation

adverse opinion  auditors state the financial statements are not fairly presented due to a
pervasively material departure from the applicable financial reporting framework

If a misstatement is material and pervasive, an adverse opinion is issued. In an adverse
opinion, auditors are stating the financial statements are not presented fairly due to one
or more pervasively material departures from the applicable financial reporting framework.
Illustration 15.11 provides an example of an adverse opinion. The title, address, introductory

Illustration 15.10  Qualified opinion for a material, but not pervasive, departure from the
financial reporting framework

[Note to reader: Use the same components, 1 through 5, of the standard unmodified audit report,
then add the paragraphs below. In this example, the added verbiage is in italics.]

Basis for Qualified Opinion
The Company has stated inventories at cost in the accompanying balance sheets. Accounting principles
generally accepted in the United States of America require inventories to be stated at the
lower-of-cost-or-net-realizable-value. If the Company stated inventories at the lower of cost or net
realizable value, a write down of $XXX and $XXX would have been required as of December 31, 2022 and
2021, respectively. Accordingly, cost of sales would have been increased by $XXX and $XXX, and net
income, income taxes, and stockholders’ equity would have been reduced by $XXX, $XXX, and $XXX,
and $XXX, $XXX, and $XXX, as of and for the years ended December 31, 2022 and 2021, respectively.

Qualified Opinion
In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion
paragraph, the financial statements referred to above present fairly, in all material respects, the
financial position of New Millennium Ecoproducts as of December 31, 2022 and 2021, and the results of
its operations and its cash flows for the years then ended in accordance with accounting principles
generally accepted in the United States of America.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 705.A32 Illustration 1.

Illustration 15.11  Adverse opinion for a material and pervasive departure from the
financial reporting framework

[Note to reader: Use the same components, 1 through 5, of the standard unmodified audit report,
then add the paragraphs below. In this example, the added verbiage is in italics.]

Basis for Adverse Opinion
As described in Note X, the Company has not consolidated the financial statements of subsidiary XYZ
Company that it acquired during 2021 because it has not yet been able to ascertain the fair values
of certain of the subsidiary’s material assets and liabilities at the acquisition date. This investment
is therefore accounted for on a cost basis by the Company. Under accounting principles generally
accepted in the United States of America, the subsidiary should have been consolidated because it
is controlled by the Company. Had XYZ Company been consolidated, many elements in the accompanying
consolidated financial statements would have been materially affected. The effects on the
consolidated financial statements of the failure to consolidate have not been determined.

Adverse Opinion
In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion
paragraph, the consolidated financial statements referred to above do not present fairly, in all
material respects, the financial position of New Millennium Ecoproducts as of December 31, 2022
and 2021, and the results of its operations and its cash flows for the years then ended in accordance
with accounting principles generally accepted in the United States of America.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 705.A32 Illustration 3.

paragraph, management’s responsibility paragraph, and auditor’s responsibility paragraph are
the same as an unmodified report. A “Basis for Adverse Opinion” paragraph is added before
the opinion paragraph. The basis for adverse opinion paragraph provides a description of the
situation causing the modified opinion and quantifies the financial effects of the misstatements,
if applicable. The opinion paragraph is titled as “Adverse Opinion.” The only changes
to the opinion paragraph are the addition of the phrase “because of the significance of the
matter discussed in the Basis for Adverse Opinion paragraph” and the words “do not,” which
are italicized in Illustration 15.11. The result of a material and pervasive misstatement is the
financial statements as a whole are not presented fairly.

Scope Limitation
A scope limitation occurs when auditors cannot perform planned audit procedures to gather
sufficient appropriate evidence. What situations would prevent auditors from doing their
work? AU-C 705.A8 lists three scenarios that may cause a material scope limitation:
1. Circumstances beyond the control of the entity. A natural disaster could occur that destroys
some or all of a client’s accounting records. Another example would be if a significant
subsidiary located in a foreign country had its accounting records seized by the foreign
government for an indefinite period of time.
2. Circumstances related to the nature or timing of the auditor’s work. The timing of when the
auditor is hired may impact the performance of some audit procedures. For example, if
the auditor is hired after the client conducts its physical inventory count, then the auditor
cannot observe the physical inventory count.
3. Scope limitation imposed by management. Management may prevent auditors from performing
certain procedures, such as confirming financial information with third parties
or observing the physical inventory count.
If auditors cannot perform a specific procedure, they may be able to perform an alternative
audit procedure. For example, if auditors could not observe the physical inventory count,
they could gather evidence about the existence and occurrence assertions by confirming purchases
of inventory from vendors and sales of inventory to customers. If the scope limitation
can be overcome with alternative procedures, auditors can still issue an unmodified opinion.
If the scope limitation is imposed by management, auditors should question management’s
motivations and integrity. Auditors may need to reconsider the risk of material misstatement
and the risk of fraud. Auditors should communicate the situation to those charged
with governance so appropriate action can be taken. If the management-imposed scope limitation
is material and pervasive, the auditors should consider withdrawing from the engagement.
If a scope limitation is material, but not pervasive, a qualified opinion is issued.
Illustration 15.12 provides an example of a qualified opinion for a material, but not pervasive,
scope limitation. The title, address, introductory paragraph, management’s responsibility
paragraph, and auditor’s responsibility paragraph are the same as an unmodified report. A
“Basis for Qualified Opinion” paragraph is added before the opinion paragraph. The basis for
qualified opinion paragraph describes the situation causing the scope limitation. Similar to
the qualified opinion in Illustration 15.10, the only change to the opinion paragraph is the
addition of the phrase “except for the effects of the matter described in the Basis for Qualified
Opinion paragraph.”

Illustration 15.12  Qualified opinion for a material, but not pervasive, scope limitation

[Note to reader: Use the same components, 1 through 5, of the standard unmodified audit report,
then add the paragraphs below. In this example, the added verbiage is in italics.]

Basis for Qualified Opinion
New Millennium Ecoproducts’ investment in XYZ Company, a foreign affiliate acquired during
the year and accounted for under the equity method, is carried at $XXX on the balance sheet at
December 31, 2022, and New Millennium Ecoproducts’ share of XYZ Company’s net income of $XXX
is included in New Millennium Ecoproducts’ net income for the year then ended. We were unable
to obtain sufficient appropriate audit evidence about the carrying amount of New Millennium
Ecoproducts’ investment in XYZ Company as of December 31, 2022, and New Millennium Ecoproducts’
share of XYZ Company’s net income for the year then ended because we were denied access to the
financial information, management, and the auditors of XYZ Company. Consequently, we were
unable to determine whether any adjustments to these amounts were necessary.

Qualified Opinion
In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion
paragraph, the financial statements referred to above present fairly, in all material respects, the
financial position of New Millennium Ecoproducts as of December 31, 2022 and 2021, and the results
of its operations and its cash flows for the years then ended in accordance with accounting
principles generally accepted in the United States of America.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 705.A32 Illustration 4.

If a scope limitation is material and pervasive, a disclaimer of opinion is issued. With a
material and pervasive scope limitation, auditors cannot gather enough evidence to determine
if the financial statements are presented fairly or not. Therefore, a disclaimer of opinion is no
opinion. Illustration 15.13 provides an example of a disclaimer of opinion for a material and
pervasive scope limitation. The title, address, and management’s responsibility paragraph are
the same as an unmodified report. The introductory paragraph is slightly modified to state “we
were engaged to audit” the financial statements instead of “we have audited.” The auditor’s
responsibility paragraph is also modified by stating the auditors were not able to obtain sufficient
appropriate audit evidence to form an opinion. The second paragraph of the auditor’s
responsibility section is completely eliminated so as not to confuse users. It could be misleading
to describe the procedures of conducting an audit when auditors were not able to apply all
of the required procedures.

disclaimer of opinion  auditors provide no opinion on the financial statements due to a
pervasively material scope limitation or lack of independence from the client

Illustration 15.13  Disclaimer of opinion for a material and pervasive scope limitation

[Note to reader: Use the same components, 1, 2, and 4, of the standard unmodified audit report. In
this example, the added verbiage is in italics.]

Report on the Financial Statements
We were engaged to audit the accompanying financial statements of New Millennium Ecoproducts,
which comprise the balance sheet as of December 31, 2022, and the related statements of
income, changes in stockholders’ equity, and cash flows for the year then ended, and the related
notes to the financial statements.

Management’s Responsibility for the Financial Statements


Management is responsible for the preparation and fair presentation of these financial statements
in accordance with accounting principles generally accepted in the United States of America; this
includes the design, implementation, and maintenance of internal control relevant to the preparation
and fair presentation of financial statements that are free from material misstatement,
whether due to fraud or error.

Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on conducting
the audit in accordance with auditing standards generally accepted in the United States of
America. Because of the matters described in the Basis for Disclaimer of Opinion paragraph, however,
we were not able to obtain sufficient appropriate audit evidence to provide a basis for an
audit opinion.

Basis for Disclaimer of Opinion


We were not engaged as auditors of the Company until after December 31, 2022, and, therefore,
did not observe the counting of physical inventories at the beginning or end of the year. We were
unable to satisfy ourselves by other auditing procedures concerning the inventory held at
December 31, 2022, which is stated in the balance sheet at $XXX. In addition, the introduction of
a new computerized accounts receivable system in September 2022 resulted in numerous misstatements
in accounts receivable. As of the date of our audit report, management was still in the
process of rectifying the system deficiencies and correcting the misstatements. We were unable to
confirm or verify by alternative means accounts receivable included in the balance sheet at a total
amount of $XXX at December 31, 2022. As a result of these matters, we were unable to determine
whether any adjustments might have been found necessary in respect of recorded or unrecorded
inventories and accounts receivable, and the elements making up the statements of income,
changes in stockholders’ equity, and cash flows.

Disclaimer of Opinion
Because of the significance of the matters described in the Basis for Disclaimer of Opinion
paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for
an audit opinion. Accordingly, we do not express an opinion on these financial statements.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 705.A32 Illustration 6.

A “Basis for Disclaimer of Opinion” paragraph is added before the opinion paragraph. The
basis for disclaimer of opinion paragraph describes the situation causing the scope limitation.
The opinion paragraph is titled as “Disclaimer of Opinion.” This paragraph is different from
the other modified reports. It clearly states the auditor does not express an opinion on the
financial statements.
Another situation in which auditors must disclaim an opinion is if the audit team discovers
that an audit team member is not independent from the client. As discussed in Chapter 3 (in
the section “Client Acceptance and Continuance Decisions”), independence is a critical factor
when an accounting firm is considering performing an audit for a new or continuing client.
The accounting firm carefully considers and investigates any threats to the firm’s independence
before accepting an engagement. But there may be a rare situation in which the team discovers
an independence issue after the audit team has started the audit. If safeguards cannot be put in
place to limit or remove the threat, then the firm should withdraw from the engagement and
issue a disclaimer of opinion report. For an independence issue, there is no distinction between
material and pervasive. When it comes to independence, the auditor is either independent or
not. Therefore, the only appropriate modified opinion for an independence problem is a disclaimer
of opinion. Illustration 15.14 provides an example of a disclaimer of opinion when
the firm is not independent. Notice the report is only two sentences. According to AU-C 705.16,
the firm is not required to provide the reason for the lack of independence. If the firm does
include the reason for the lack of independence, then all reasons must be included if there is
more than one.

Illustration 15.14  Example of a disclaimer of opinion when the audit firm is not independent

Auditor’s Report
To the owners of New Millennium Ecoproducts:

We are not independent with respect to New Millennium Ecoproducts. Accordingly, we do not
express an opinion on the accompanying balance sheet as of December 31, 2022, and the related
statements of income, changes in equity, and cash flows for the years then ended, and the related
notes to the financial statements.

Bell & Bowerman, LLP


Seattle, Washington

February 15, 2023

Source: AU-C 705.16.

Audit Reasoning Example  Scope Limitation

Aabida Barr, a senior associate, is auditing Golden Yacht Company, a client that sells yachts.
Golden reports short-term investments on its balance sheet that consist primarily of certificates
of deposit and other highly liquid investments held in banks located in various Caribbean islands.
A standard procedure for the audit is to confirm the balances of the short-term investments
directly with the financial institutions. Aabida prepares the confirmations and takes them to the
controller, Jamal, to sign before Aabida sends them to the financial institutions.

Surprisingly, Jamal does not sign the confirmations. He laughs and says to Aabida, “Why
would you want to confirm these small accounts? Seems like a waste of time to me. I think
your time is better spent auditing accounts that are material to our financial statements. For
the fee we are paying your firm to complete this audit, I recommend you spend your time
more wisely.” Jamal hands the confirmations back to Aabida and turns his attention to his
computer screen. Surprised by the response, Aabida leaves Jamal’s office and returns to the
conference room where the rest of her audit team is working.
Aabida tells the manager of the team, Janna, about the unsigned confirmations. Janna is visibly
shocked and says, “This could be a serious situation. I agree that the short-term investments
account is not material to the financial statements as a whole, but the fact that Jamal does not
want us to confirm those accounts is very concerning. Why would he prevent us from completing
our work? The client should not be preventing us from completing our procedures or telling us
which procedures we should and shouldn’t do. I will alert the partner of the situation and discuss
how to proceed on this issue. If Jamal, or other members of management, refuse to sign the con-
firmations, that is a reflection on management integrity and a scope limitation. If the situation
cannot be resolved it could lead to a qualified opinion or a disclaimer of opinion.”

We have covered a significant amount of content in this section about modified
opinions. A summary chart is provided in Illustration 15.15 to help you organize the
information. Notice the only time auditors can issue an adverse opinion is for a material
and pervasive departure from the financial reporting framework. The only time auditors
can issue a disclaimer of opinion is for a material and pervasive scope limitation or an
independence issue. While these modified opinions are rare in practice, they are important
for auditors to understand. The fact that auditors have the option of using these opinions
often persuades the client to adjust the financial statements so an unmodified report can
be issued. If auditors issue a modified opinion, they can still add an emphasis-of-matter
paragraph if needed for situations like going concern or consistency issues. The
placement of the emphasis-of-matter paragraph is the same for modified reports as it is for
an unmodified report. An emphasis-of-matter paragraph, if needed, is placed after the
opinion paragraph.

Illustration 15.15  Summary of situations causing modified opinions

Situation Giving Rise to               Auditor Uses Professional Judgment to Determine:
the Modified Opinion                   Material but Not Pervasive        Material and Pervasive

Departure from financial               Qualified opinion          OR     Adverse opinion
reporting framework
Scope limitation                       Qualified opinion          OR     Disclaimer of opinion
Not independent                                        Disclaimer of opinion

Source: AU-C 705.A1.

In our illustrations of the different modified opinions, we have used the private company
auditor’s report format. What about modified opinions for a public company audit?
Illustration 15.15 also applies to public company audits. AS 3105 Departures from Unqualified
Opinions and Other Reporting Circumstances provides examples of the modified opinions for
the public company audit report. The modified reports follow the same format as the
unqualified report in Illustration 15.2. If the opinion is being modified, an explanatory paragraph
is added before the basis for opinion paragraph. However, public company audits present a
unique situation. When a public company files its annual audited financial statements with
the SEC, the SEC will not accept modified opinions. That means management must make
the auditor-recommended adjustments to the financial statements to receive an unqualified
opinion to complete the filing with the SEC. If there is a pervasive scope limitation, such as
the company’s accounting records being destroyed, the company should alert the SEC and
request guidance for how to proceed.

Professional Environment  PCAOB Requires Disclosure of Engagement Partners

You have seen on the example audit reports in this chapter that the signature is the name of the firm rather than the name of any one individual or team of auditors that performed the audit. In some countries, such as Australia and member countries of the European Union, the engagement partner on the audit is required to sign his or her name on the audit report. For many years, there has been debate in the United States about requiring the engagement partner for a public company audit to sign his or her name on the audit report. In July 2009, the PCAOB issued a Concept Release on requiring the engagement partner to sign the audit report (PCAOB Release No. 2009-005). The concept release stated that requiring the signature would improve audit quality in two ways. First, the signing engagement partner would feel a greater sense of accountability for the audit and therefore take greater care in the performance of his or her duties. Second, transparency would be improved regarding who is responsible for the audit, which would provide more useful information to investors.

The PCAOB received 23 comment letters on the 2009 Concept Release. Many commenters were not in favor of the proposed requirement. One argument against the proposal was it would not improve audit quality. The PCAOB already issues Quality Control Standards that registered firms must follow, and it conducts inspections of registered accounting firms. Would the signature of an engagement partner have any real impact since standards and an inspection process are already in place? Engagement partners already feel a strong sense of accountability because (1) they are inspected by the PCAOB, (2) they must follow their own firm’s quality control policies, (3) they report to the audit committee of their client’s board of directors, and (4) they typically attend shareholder meetings. Also, a key argument against the proposal was the risk of litigation against the engagement partner. The United States has a very litigious environment. If engagement partners are named individually in lawsuits, instead of just the accounting firm being named, it can affect them personally. For example, it may hinder the partner’s ability to obtain financing from a bank. It could also affect the accounting firm’s ability to retain and attract talent, which in the long run could cause a shortage of auditors in the entire profession.

In October 2011, the PCAOB issued a Proposed Rule (No. 2011-007) and received 44 comment letters. In December 2013, the PCAOB issued a Reproposed Rule (No. 2013-009) and received 69 comment letters. In these updated releases, the PCAOB proposed disclosing the name of the engagement partner in the audit report rather than having the engagement partner sign the report. Many of the commenters were still not in favor of the proposal.

The PCAOB decided to compromise and issued a Supplemental Request in June 2015 (No. 2015-004). In the supplemental request, the PCAOB proposed disclosing the engagement partner in a new PCAOB form that would be filed by the accounting firm, rather than disclosing the name of the engagement partner in the audit report. The PCAOB received 48 comment letters on the supplemental request. Most of the respondents felt that disclosure of the engagement partner on a PCAOB form, rather than in the audit report, was a satisfactory compromise as it avoids the legal issues that might be associated with disclosure in the audit report.

The PCAOB released the Final Rule (No. 2015-008) on December 15, 2015, and it was approved by the SEC on May 9, 2016 (SEC Release No. 34-77787). The final rule requires audit firms to file Form AP, Auditor Reporting of Certain Audit Participants, and include the name of the engagement partner for all public company audits issued on or after January 31, 2017. The deadline to file Form AP is 35 days after the date the audit report is first included in a document filed with the SEC.² (Note the final rule also requires the disclosure in Form AP of other firms that participated in the audit.) How does requiring an audit firm to file a form with the PCAOB improve transparency for investors? The PCAOB is taking information from Form AP and has created a searchable database that is publicly available. Investors can search the database by engagement partner name, audit firm, and company name.³

Cloud 9 - Continuing Case

Sharon asks Ian if he remembers the types of modified opinions and if he thinks Cloud 9 should be issued a modified opinion.

Ian thinks for a moment, then says, “I remember that if a company does not follow proper accounting procedures or if there are material misstatements that management will not adjust, then it cannot receive an unqualified opinion.”

“That’s correct,” says Sharon. “In those instances the auditor would choose from a qualified or an adverse opinion. The auditors would use their professional judgment in deciding if the accounting issues were material or pervasively material. If material, a qualified opinion would be appropriate. If pervasively material, then an adverse opinion would be issued.”

“I don’t think we have those issues with Cloud 9, unless something unexpected comes up in Jo’s meeting with management and the audit committee,” says Ian. Sharon nods her head in agreement.

Ian continues, “I also remember that if the auditors cannot complete their audit procedures, which means they cannot gather evidence to form an opinion on whether the client’s financial statements are presented fairly, then the auditors cannot issue an unmodified opinion.”

“Right again,” says Sharon. “We refer to that situation as a scope limitation. Again, the auditors would use their professional judgment in deciding if the scope limitation was material or pervasively material. If material, a qualified opinion would be appropriate. If pervasively material, then a disclaimer of opinion would be issued.”

“I remember,” says Ian. “A disclaimer of opinion means the auditors do not give an opinion. That makes sense because if you can’t perform your audit procedures, how can you form an opinion with nothing to base it on?” Sharon nods again in agreement.

“I don’t think we have any scope limitations on the Cloud 9 audit,” Ian laughs. “There has been plenty of work for me to do!”

² PCAOB Release No. 2015-008, Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form and Related Amendments to Auditing Standards, p. 34.
³ “News Digest: Firms to Disclose Engagement Partners Under PCAOB Rules,” Journal of Accountancy 222, no. 1 (July 2016), p. 12.

Before You Go On
4.1  Explain the term “pervasive” in the context of audit reports.
4.2 If the auditor issues a qualified opinion for a material departure from the financial reporting
framework, explain how the format of that report is different from a standard unmodified
opinion.
4.3 If the auditor issues a qualified opinion for a material scope limitation, how is the format of
that report different from a standard unmodified opinion?

Subsequently Discovered Facts

LEARNING OBJECTIVE 5
Analyze how subsequently discovered facts may affect the auditor’s report on the
financial statements.

You learned about subsequent events in Chapter 14 (see the section “Subsequent Events”).
Recall that a subsequent event is an event that occurs between the date of the financial
statements and the date of the auditor’s report. The date of the auditor’s report is the date
of the completion of fieldwork. Sometimes, there may be a time gap from the date of the
auditor’s report to the date the client actually releases the report with the financial statements
to external users. For example, in Illustration 15.16, the end of fieldwork date, or the date
of the auditor’s report, is February 15, 2023. The client does not release the report with the
financial statements until February 28, 2023. According to AU-C 560 Subsequent Events and
Subsequently Discovered Facts and AS 2905 Subsequent Discovery of Facts Existing at the Date
of the Auditor’s Report, auditors are not required to perform any audit procedures after the
date of the auditor’s report. Using Illustration 15.16, that means auditors would not perform
any audit procedures after February 15, 2023. But what if a subsequently discovered fact
becomes known to the auditors after the date of the auditor’s report that, had they known the
fact at the audit report date, might have caused them to modify the audit report? Do auditors
have a responsibility regarding the subsequently discovered fact? The answer is yes. How
auditors respond depends on whether the fact is discovered before or after the report release date.

subsequently discovered facts  facts that become known to the auditor after the date of the
auditor’s report that, had they been known to the auditor at that date, might have caused the
auditor to revise the auditor’s report

Illustration 15.16  Illustration of time gap from the date of auditor’s report (end of fieldwork) to report release date
[Timeline: 1/1/2022 to 12/31/2022 is the period covered by the 2022 financial statements, followed by the subsequent period; 2/15/23 is the end of fieldwork date; 2/28/23 is the report release date.]

Subsequently Discovered Facts That Become Known Before the Report Release Date

Suppose auditors just completed fieldwork on an audit, and then new information is discovered
during the period between the date of the auditor’s report (end of fieldwork) and the
report release date. For example, auditors discover that an important business deal of the
client has gone bad or the client discovers a material misstatement caused by fraud. The
question becomes, had the auditor known this information before the audit report date,
would the financial statements have been adjusted and would the audit report have been
modified?

AU-C 560 and AS 2905 state the first step is to discuss the matter with the appropriate
level of management and, if appropriate, those charged with governance. Auditors must
determine if the new information is reliable, material, and if it existed at the date of the
auditor’s report. If so, the next step is to determine whether the financial statements need to be
revised. If revision is necessary, auditors should inquire of management as to how management
will address the situation in the financial statements, either through adjustment and
disclosure or only disclosure. If management revises the financial statements, auditors should
perform audit procedures on the changes made by management. The types of audit procedures
performed will depend on the circumstances and type of revision made to the financial
statements.

Performing audit procedures after the end of fieldwork impacts the dating of the audit
report. Illustration 15.17 shows an example with an audit report date of February
15, 2023, and a subsequently discovered fact on February 20, 2023. Since additional procedures
have been performed after the end of fieldwork, auditors have two options for
how to date the audit report. The first option is to date the audit report as of the date of
the subsequently discovered fact, which is February 20, 2023. Effectively, auditors are
extending fieldwork by five additional days and extending their responsibility period for
subsequent events.

Illustration 15.17  Subsequently discovered fact before the report release date
[Timeline: 1/1/2022 to 12/31/2022 is the period covered by the 2022 financial statements, followed by the subsequent period; 2/15/23 is the end of fieldwork date; 2/20/23 is the subsequently discovered fact requiring revision; 2/28/23 is the report release date.]

The second option is to show two dates on the report, which is called dual dating. The
report would show the original end of fieldwork date, February 15, 2023, and a reference to a
note that is dated February 20, 2023. The date at the bottom of the auditor’s report would look
like this:

February 15, 2023, except as to Note X, which is as of February 20, 2023.

dual dating  showing two dates on an audit report; one date is the end of fieldwork and the other is
the date of a revision to the financial statements that occurred after the end of fieldwork

The dual dating conveys that sufficient appropriate evidence was obtained by February 15,
and the auditor’s responsibility after that date is limited to the subsequent note disclosure that
is dated as of February 20, 2023. The auditor is not taking responsibility for any other events
after February 15.
Whether auditors choose to dual date or extend the end of fieldwork, they must request
written representation from management as of the new date of the auditor’s report. Recall
from Chapter 14 (in the section “Management Representation Letter”) that auditors obtain a
written representation letter from management dated the same as the auditor’s report.
Therefore, the auditor would update the management representation letter with the new date, or in
the case of dual dating include the date the financial statements were revised, and have
management sign the updated letter. If management refuses to sign the updated representation
letter or refuses to revise the financial statements as needed for the subsequently discovered
fact, the auditor should consider modifying the opinion as discussed earlier in “Modifying the
Audit Opinion.”

Audit Reasoning Example  Subsequently Discovered Facts

Jung Park is the senior manager on the audit of ATX Industries. ATX is a chemical plant that
produces a variety of chemicals and sells them to other companies. Ammonia is the best-selling
product of ATX and is sold to companies that produce fertilizer. ATX follows a calendar year, and
the audit team just concluded fieldwork on February 27 and will issue an unmodified audit report.
ATX is a private company and plans to release its audited financial statements and audit report to
its lenders and investors on March 10.
On the morning of March 5, Jung receives a call from Shane, the CFO of ATX. Shane says,
“Hi Jung, I have some unfortunate news to share with you. Our largest customer for our ammonia
sales, Gautreaux Green (GG), had a terrible accident at its plant facility last night. There was an
explosion that damaged two-thirds of the facility. Thankfully, no one was killed, although some
employees were injured. I’m sure you will be reading about this in the news. I’m hearing that it
could take three to four months for GG to rebuild and be up and running again. The company is
fully insured, so we should receive payment on GG’s outstanding accounts receivable balance.
However, our big concern is the impact on our business. GG accounts for approximately 30% of
our ammonia sales. We will be hurting until GG is up and running again.” Jung thanks Shane for
the call and says she will discuss the situation with her team.
Jung asks for a meeting with the partner, Rachel. Jung says, “Clearly this qualifies as a
subsequent event, and since the client has not yet released the financial statements or the audit report,
we have time to gather information about the event and determine the impact to ATX’s financial
statements and our audit opinion.” Rachel agrees and says, “Let’s set up a meeting with ATX’s
management for tomorrow afternoon. We need to gather evidence regarding (1) GG’s ability to
pay what it currently owes to ATX, (2) an estimate of how long GG will be unable to operate, and
(3) ATX’s plans to manage the loss of revenue from a major customer. Once we evaluate the
evidence, we can recommend to ATX the proper financial statement treatment, either an adjustment
to the financial statements or a note disclosure. If ATX management makes the required changes,
then we will not need to modify our opinion. However, we will need to dual date our opinion to
reflect the additional audit work related to this event that occurred after the end of fieldwork date.”

Subsequently Discovered Facts That Become Known After the Report Release Date

Now consider that new information is discovered after the financial statements and auditor’s
report have been released to external users, as illustrated in Illustration 15.18. In this
situation, the end of fieldwork date is February 15, the financial statements and auditor’s report
are released on February 28, and new information is discovered on March 16. Auditors would
follow the same initial steps that were discussed in the section “Subsequently Discovered Facts
That Become Known Before the Report Release Date.” First, they would discuss the matter with
an appropriate level of management and, if appropriate, those charged with governance. Then
they would determine if the new information is reliable, material, and if it would have impacted
the financial statements and auditor’s report had the information been known at the date of the
auditor’s report. If so, they would determine whether the financial statements need revision and
inquire how management plans to address the situation in the financial statements. The
auditors would perform audit procedures on the revisions made by management and then reissue
the auditor’s report along with the revised financial statements. The revised auditor’s report
would have a new date or follow the dual dating procedure discussed earlier.

Illustration 15.18  Subsequently discovered fact after the report release date
[Timeline: 1/1/2022 to 12/31/2022 is the period covered by the 2022 financial statements, followed by the subsequent period; 2/15/23 is the end of fieldwork date; 2/28/23 is the report release date; 3/16/23 is the subsequently discovered fact requiring revision.]
If the auditor’s opinion on the revised financial statements is different from the previously
issued audit report, then an emphasis-of-matter paragraph should be added to the revised
audit report after the opinion paragraph. The emphasis-of-matter paragraph would include the
date of the auditor’s previous report, the type of opinion previously expressed, the key reasons
for the different opinion, and a statement that the opinion on the revised financial statements
is different from the previous opinion.
One complication with this situation is that since the original financial statements had
already been issued, external users, such as lenders and investors, are relying on the
original financial statements and auditor’s report. Management should act in a timely manner to
inform users that the original financial statements are not to be relied upon. Management
can accomplish this by direct notification to known users and other users who management
knows are likely to rely on the financial statements.
What if management does not take appropriate steps to inform external users? Auditors
should notify management and those charged with governance that they will take action to
prevent further reliance on the original auditor’s report. If this does not spur management to take
action, auditors should seek legal advice from their own attorneys. (You can imagine this is not a
situation auditors want to be in.) After seeking legal advice, auditors would inform management
and those charged with governance not to rely on the auditor’s report, which effectively means
the auditors are withdrawing their report on the previously issued financial statements. Next,
auditors would notify regulatory agencies that have jurisdiction over the client that the
auditor’s report is not to be relied upon. From that point, the regulatory agency would take whatever
steps are appropriate to ensure revised financial statements are issued. Auditors should also
notify any known third parties who are relying on the financial statements. This is not always
practical because auditors typically do not know the identities of individual investors.

Cloud 9 - Continuing Case

Procedures to search for subsequent events at Cloud 9 have been documented in the audit program. Jo will once again formally ask management about any subsequent events in the final meeting before the end of fieldwork date, which is expected to be March 15, 2023. Cloud 9 expects to file its 10-K, which includes the financial statements and auditor’s reports, on March 20, 2023.

Sharon asks Ian, “Do you remember the significance of the date on the auditor’s report?”

“Yes, I do,” replies Ian. “That is the date of the completion of fieldwork.”

“Very good,” says Sharon. “That date marks the end of our responsibility period. However, if new information were to come to our attention after March 20 that affects information in the financial statements, we would speak to management about it. It doesn’t happen very often, but in my experience, I have had a couple of situations that required us to perform some audit procedures after the end of fieldwork.”

Before You Go On
5.1  What is a subsequently discovered fact? Provide an example.
5.2  Explain a situation in which an auditor would dual date an auditor’s report.
5.3 Explain the steps an auditor would take if a subsequently discovered fact occurred after the
report release date.

Reports on the Audit of ICFR

LEARNING OBJECTIVE 6
Explain the components of the standard unqualified opinion on the effectiveness of
ICFR for public companies and evaluate situations that cause modifications to the
unqualified opinion.

According to PCAOB AS 2201, publicly traded companies are required to have an audit of
the effectiveness of internal controls over financial reporting (ICFR). Auditors of public
companies can perform an integrated audit, which means performing the financial statement
audit and the audit of the effectiveness of ICFR at the same time. We discussed internal
controls in Chapter 6 and the audit of internal controls in Chapter 8. In this section, we
review the standard unqualified opinion on the effectiveness of ICFR for public companies
and discuss situations that cause auditors to modify their opinion on the effectiveness of
ICFR.

integrated audit  an audit that combines the financial statement audit with an audit of the
effectiveness of ICFR

Standard Unqualified Opinion on ICFR


In Chapter 1 we introduced the standard unqualified opinion on the effectiveness of ICFR.
Illustration 15.19 provides an example of an unqualified opinion on the effectiveness of
ICFR for a public company. This is the same example report used in Chapter 1 in
Illustration 1.9. The components of the report are detailed as in Chapter 1. Take a few moments
to refresh your memory with the components of the report. The next section will discuss
situations that cause auditors to modify their opinion on the effectiveness of a company’s
ICFR.

Illustration 15.19  Standard unqualified opinion on the effectiveness of ICFR for The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

[2] To the Shareholders and Board of Directors of The Boeing Company

[3] Opinion on Internal Control over Financial Reporting

We have audited the internal control over financial reporting of The Boeing Company and
subsidiaries (the “Company”) as of December 31, 2017, based on criteria established in Internal
Control—Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). In our opinion, the Company maintained, in all material respects,
effective internal control over financial reporting as of December 31, 2017, based on criteria
established in Internal Control—Integrated Framework (2013) issued by COSO.

[4] We have also audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States) (PCAOB), the consolidated financial statements as of and for
the year ended December 31, 2017, of the Company and our report dated February 12, 2018,
expressed an unqualified opinion on those financial statements.

[5] Basis for Opinion

The Company’s management is responsible for maintaining effective internal control over financial
reporting and for its assessment of the effectiveness of internal control over financial reporting,
included in the accompanying Management’s Report on Internal Control Over Financial Reporting.
Our responsibility is to express an opinion on the Company’s internal control over financial reporting
based on our audit. We are a public accounting firm registered with the PCAOB and are required to
be independent with respect to the Company in accordance with the U.S. federal securities laws and
the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

[6] We conducted our audit in accordance with the standards of the PCAOB. Those standards
require that we plan and perform the audit to obtain reasonable assurance about whether effective
internal control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk that a
material weakness exists, testing and evaluating the design and operating effectiveness of internal
control based on the assessed risk, and performing such other procedures as we considered
necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

[7] Definition and Limitations of Internal Control over Financial Reporting

A company’s internal control over financial reporting is a process designed to provide reasonable
assurance regarding the reliability of financial reporting and the preparation of financial statements
for external purposes in accordance with generally accepted accounting principles. A company’s
internal control over financial reporting includes those policies and procedures that (1) pertain to the
maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the company are being
made only in accordance with authorizations of management and directors of the company; and
(3) provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on the financial
statements. Because of its inherent limitations, internal control over financial reporting may not
prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in conditions,
or that the degree of compliance with the policies or procedures may deteriorate.

[8] /s/ Deloitte & Touche LLP


Chicago, Illinois

[9] February 12, 2018

Here is a quick summary of the components of the unqualified opinion on the effectiveness
of ICFR for public companies:
1. Title—Must include the terms “registered” and “independent.”
2. Address—Addressed to the board of directors and shareholders of the company.
3. Opinion paragraph—States that an audit of the effectiveness of ICFR was conducted and
states the auditor’s opinion.
4. Paragraph referencing the financial statement audit—References the auditor’s report on
the financial statements.
5. Basis for opinion paragraph—States responsibilities and references registration with the
PCAOB and adherence to independence requirements of the SEC.
6. Scope paragraph—Briefly explains the process of conducting an audit of the effectiveness
of ICFR and that PCAOB standards were followed.
7. Definition and inherent limitations paragraph—Defines the concept of ICFR and states
inherent limitations of ICFR.
8. Signature—Includes the firm name and location.
9. Date—Date of the end of fieldwork.

Modified Opinion on ICFR

Now we discuss situations in which auditors cannot issue an unqualified opinion on the
effectiveness of ICFR. Two scenarios would cause auditors to modify the opinion on ICFR:

1. One or more material weaknesses in ICFR are identified.
2. There is a restriction on the scope of the auditor’s work.

We will discuss each of these scenarios and look at examples of the modified reports.

In Chapter 8, we discussed the testing of internal controls. If an internal control exception
is identified, auditors must use their professional judgment to determine if the exception is
a control deficiency, a significant deficiency, or a material weakness. Recall from Illustration
8.12 that auditors consider the likelihood of the control failing to find a misstatement in
combination with the magnitude of the potential misstatement to the financial statements. If after
considering these factors auditors determine that one or more material weaknesses exist, they
must issue an adverse opinion on the effectiveness of ICFR. Even though a material weakness
is identified, that does not mean a material misstatement occurred in the financial statements.
It simply means there is increased risk that a material misstatement could occur because of
the material weakness in ICFR.
In practice, adverse opinions on the effectiveness of ICFR are rare for large, well-established
companies. But each year, there are small and medium-sized public companies
that receive adverse opinions. Illustration 15.20 provides an example of an adverse opinion
for Access National Corporation, a bank holding company located in Reston, Virginia. The
adverse opinion follows the same format as the unqualified report in Illustration 15.19. In the
opinion paragraph, auditors make a clear statement that the company has not maintained
effective ICFR for the period under audit. An additional paragraph is inserted in the basis for
opinion section that defines a material weakness; states a material weakness, or weaknesses,
has been identified; and describes the material weakness or weaknesses.

Illustration 15.20  Adverse opinion on the effectiveness of ICFR for a public company

[Note to reader: In this example, the added verbiage is in italics.]

[1] Report of Independent Registered Public Accounting Firm

[2] To the Shareholders and Board of Directors of Access National Corporation, Reston, Virginia.

[3] Opinion on Internal Control over Financial Reporting


We have audited Access National Corporation’s (the “Corporation’s”) internal control over financial
reporting as of December 31, 2017, based on criteria established in Internal Control-Integrated
Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission
(the “COSO criteria”). In our opinion, the Corporation did not maintain, in all material respects,
effective internal control over financial reporting as of December 31, 2017, based on the
COSO criteria. We do not express an opinion or any other form of assurance on management’s statements
referring to any corrective actions taken by the Corporation after the date of management’s
assessment.

[4] We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States) (“PCAOB”), the consolidated balance sheets of the Corporation as
of December 31, 2017 and 2016, the related consolidated statements of income, comprehensive
income, changes in shareholders’ equity, and cash flows for each of the three years in the period
ended December 31, 2017, and the related notes (collectively referred to as “the financial statements”)
and our report dated April 4, 2018, expressed an unqualified opinion thereon.

[5] Basis for Opinion


The Corporation’s management is responsible for maintaining effective internal control over financial
reporting and for its assessment of the effectiveness of internal control over financial reporting,
included in the accompanying “Item 9A, Report of Management’s Assessment of Internal
Control over Financial Reporting.” Our responsibility is to express an opinion on the Corporation’s
internal control over financial reporting based on our audit. We are a public accounting firm registered
with the PCAOB and are required to be independent with respect to the Corporation in
accordance with U.S. federal securities laws and the applicable rules and regulations of the Securities
and Exchange Commission and the PCAOB.

[6] We conducted our audit of internal control over financial reporting in accordance with the standards
of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether effective internal control over financial reporting was maintained
in all material respects. Our audit included obtaining an understanding of internal control over
financial reporting, assessing the risk that a material weakness exists, and testing and evaluating
the design and operating effectiveness of internal control based on the assessed risk. Our audit
also included performing such other procedures as we considered necessary in the circumstances.
We believe that our audit provides a reasonable basis for our opinion.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting,
such that there is a reasonable possibility that a material misstatement of the company’s annual
or interim financial statements will not be prevented or detected on a timely basis. A material weakness
relating to internal controls surrounding the general ledger account reconciliations to timely identify and
account for stale-dated and other uncollectable reconciling items has been identified and described in
management’s assessment. This material weakness was considered in determining the nature, timing,
and extent of audit tests applied in our audit of the 2017 financial statements, and this report does not
affect our report dated April 4, 2018, on those financial statements.

[7] Definition and Limitations of Internal Control over Financial Reporting


A company’s internal control over financial reporting is a process designed to provide reasonable
assurance regarding the reliability of financial reporting and the preparation of financial statements
for external purposes in accordance with generally accepted accounting principles. A company’s
internal control over financial reporting includes those policies and procedures that (1) pertain to
the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions
and dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the company are being
made only in accordance with authorizations of management and directors of the company; and
(3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition,
use, or disposition of the company’s assets that could have a material effect on the financial
statements. Because of its inherent limitations, internal control over financial reporting may not
prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods
are subject to the risk that controls may become inadequate because of changes in conditions,
or that the degree of compliance with the policies or procedures may deteriorate.

[8] /S/ BDO USA, LLP


Richmond, Virginia

[9] April 4, 2018

If a company receives an adverse opinion on ICFR, will it also receive an adverse opinion
on the financial statements? The answer is no. Even though a material weakness was discovered
in internal control, it does not mean the company did not fairly present its financial statements
in accordance with the applicable financial reporting framework. The company can
follow financial reporting standards but have a weak internal control system. A weak internal
control system means there is heightened risk for misstatements in the financial statements.
This is important information for investors and other interested users that may affect the decisions
they make regarding the company. Note in Illustration 15.20 that Access National received
an unqualified opinion on its financial statements (section 4 of the report).
A scope limitation occurs when auditors cannot perform planned procedures to gather
sufficient appropriate evidence regarding the design and effectiveness of a client’s internal
controls. If a scope limitation is material, the appropriate report to issue would be a disclaimer
of opinion. A disclaimer of opinion states the auditor does not express an opinion on the effectiveness
of ICFR. A separate paragraph is added to the report that describes the situation,
or situations, causing the scope limitation. Also, the paragraph that explains the process of
conducting an audit of ICFR is not included in the disclaimer report.
As we know, auditors of public company clients must perform an integrated audit in
accordance with the PCAOB standards. What if a private company client requested an integrated
audit? Could auditors perform an integrated audit for a private company client? The answer
is yes. In October 2015, the Auditing Standards Board (ASB) issued AU-C 940 An Audit of
Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements.
The standard is effective for integrated audits of private companies for periods ending
on or after December 15, 2016. There were existing attestation engagements that required an
integrated audit, so the ASB felt it made sense to move the content of the existing attestation
standards to the auditing standards. In drafting AU-C 940, the ASB wanted to adhere closely
to the existing attestation standards and to PCAOB AS 2201. The result is that AU-C 940 is
very similar to AS 2201, so that performing an integrated audit for a private company client is
virtually the same as an integrated audit for a public company client.

Cloud 9 - Continuing Case


Ian worked closely with Josh, the senior, during the testing of internal controls. The working
papers for controls testing were reviewed by Sharon and Jo.
Ian says to Sharon, “As for the opinion on the effectiveness of ICFR, I’m thinking we will issue
an unqualified opinion for Cloud 9. I did a lot of the work on the controls testing and it seemed
that Cloud 9’s controls were working effectively. Our testing revealed what we believe is a
significant deficiency over the period-end accrual in accounts payable. We have discussed this
with management and the audit committee.”
“Yes, after reviewing the working papers for the controls testing, Jo and I agree with that
assessment,” says Sharon. “You’ve done a great job on the Cloud 9 audit, Ian, and I think you
have gained a lot of valuable experience that will be useful on your future clients.”

Before You Go On
6.1  What is an integrated audit?
6.2 What situation would cause the auditor to issue an adverse opinion on the effectiveness of
ICFR?
6.3 Explain how the unqualified report on the effectiveness of ICFR would be modified for a
scope limitation.

Compilation and Review Engagements


LEARNING OBJECTIVE 7
Explain compilation and review engagements performed on unaudited financial
statements of a private company.

This entire text has focused on the performance of audit engagements of historical financial
statements. Public companies are required to have an audit of financial statements and sometimes
private companies may be required by a lender or regulator to have audited financial statements.
For small and medium-sized private companies, an audit can be very costly. There are
other services that accounting firms can provide for private company clients that are less in scope
than an audit but are often accepted by lenders to small businesses. Two services that we discuss
in this section are a compilation of financial statements and review of financial statements.
A committee of the AICPA, called the Accounting and Review Services Committee (ARSC),
issues standards for compilation and review engagements. The standards are called Statements on
Standards for Accounting and Review Services, or SSARS. SSARS No. 23 and 24 provide guidance
on compilation and review engagements. Similar to the ASB standards, the SSARS are arranged
by topical content using the AR-C numbering system. The “AR” stands for Accounting Review
standards, and the “C” refers to the recent clarification and revision of the standards in 2014.
Compilation of Financial Statements

compilation engagement  an engagement in which a CPA applies accounting and financial
expertise to assist management in the presentation of financial statements without undertaking
to obtain or provide any assurance that there are no material modifications that should be made
to the financial statements for them to be in accordance with the applicable financial reporting
framework

Small private companies may not have the financial reporting expertise to prepare financial
statements from their accounting records. A private company can hire a CPA to perform a
compilation engagement. In a compilation engagement, the CPA will assist management
in the presentation of financial statements but will not provide assurance as to whether the
financial statements are presented fairly in accordance with the applicable financial reporting
framework. Since the CPA is not providing assurance, a compilation engagement is not an
assurance or attest service.
AR-C 80 Compilation Engagements provides guidance for the performance of a compilation
engagement. When a CPA is considering whether to accept a compilation engagement,
the following conditions must be met:
•  The CPA must be professionally competent to perform the engagement, which means
having knowledge of the client’s industry and accounting practices.
•  The financial reporting framework selected by management must be acceptable in the
circumstances. For example, management uses the appropriate financial reporting framework
as specified by laws or regulations that apply to the industry. Alternatively, many
small businesses use cash-basis accounting or a federal income tax basis of accounting as
their financial reporting framework.
•  The CPA must obtain an agreement from management that it acknowledges its responsibility
for the preparation and fair presentation of the financial statements in accordance
with the applicable financial reporting framework. This agreement is documented in an
engagement letter if the CPA accepts the compilation engagement.
A CPA must also consider independence from the client before accepting a compilation engagement.
Since the CPA does not provide any assurance on a compilation engagement, the
CPA is not required to be independent. However, if the CPA is not independent, it must be
disclosed in the CPA’s compilation report, which is discussed below.
In a compilation engagement, the CPA does not perform any procedures to verify or corroborate
the client’s accounting records. The only requirement is for the CPA to read the financial
statements and determine whether they appear to be appropriate in form and free from obvious
material misstatements based on the CPA’s knowledge of the financial reporting framework
(AR-C 80.13). During the engagement, if the CPA becomes aware that accounting records or
other information provided by management is incomplete or inaccurate, the CPA should notify
management and ask for additional or corrected information. If the CPA determines that adjustments
to the financial statements are necessary for them to be in accordance with the applicable
financial reporting framework, the CPA should recommend the adjustments be made by
management. If management is unwilling or unable to provide all necessary documentation or
is unwilling to make recommended adjustments to the financial statements or disclose that adjustments
are needed, the CPA should consider withdrawing from the compilation engagement.
At the conclusion of a compilation engagement, the CPA provides a written compilation
report. Illustration 15.21 provides an example of a standard compilation report. The report
states that management is responsible for the financial statements and the engagement was
performed in accordance with SSARS. Note the report clearly states the financial statements
are not audited or reviewed and no opinion is provided on the fair presentation of the financial
statements. If the CPA is not independent, an additional sentence is added to the report that
states, “We are not independent with respect to XYZ Company” (AR-C 80.A33).

Illustration 15.21  Example of standard compilation report

Management is responsible for the accompanying financial statements of XYZ Company, which
comprise the balance sheets as of December 31, 2022 and 2021, and the related statements of
income, changes in stockholders’ equity, and cash flows for the years then ended, and the related
notes to the financial statements in accordance with accounting principles generally accepted in
the United States of America.

We have performed compilation engagements in accordance with Statements on Standards for
Accounting and Review Services promulgated by the Accounting and Review Services Committee
of the AICPA. We did not audit or review the financial statements nor were we required to perform
any procedures to verify the accuracy or completeness of the information provided by management.
Accordingly, we do not express an opinion, a conclusion, nor provide any form of assurance
on these financial statements.

[Signature of accounting firm or accountant, as appropriate]


[Accountant’s city and state]

[Date of the accountant’s report]

Source: AR-C 80.A48 Exhibit B, Illustration 1.



Review of Financial Statements


review engagement  an engagement in which a CPA uses inquiry and analytical procedures
to provide limited assurance that no material modifications should be made to the financial
statements for them to be in accordance with the applicable financial reporting framework

A review engagement is an attest engagement performed on the financial statements of a
private company client. In a review engagement, management prepares the financial statements.
The CPA is engaged to provide limited assurance that no material modifications should
be made to the financial statements for them to be in accordance with the applicable financial
reporting framework. In contrast to a compilation engagement, in which the CPA provides
no assurance, the CPA provides limited assurance in a review engagement. Remember that
reasonable assurance is provided in an audit engagement. So a review provides a lower level
of assurance than an audit engagement. Illustration 15.22 illustrates the level of assurance
provided by compilation, review, and audit engagements.

Illustration 15.22  Level of assurance provided by different engagements

Level of Assurance
Reasonable: Audit
Limited: Review
None: Compilation

AR-C 90 Review of Financial Statements provides guidance for the performance of a
review engagement. When a CPA is considering whether to accept a review engagement, the
following conditions must be met:

•  The CPA must be independent of the client. Any time a CPA is engaged for an attest service,
the CPA must be independent.
•  The CPA must be professionally competent to perform the engagement, which means
having knowledge of the client’s industry and accounting practices.
•  The financial reporting framework selected by management must be acceptable in the
circumstances. For example, management uses the appropriate financial reporting
framework as specified by laws or regulations that apply to the industry.
•  The CPA must obtain an agreement from management that it acknowledges its responsibility
for the preparation and fair presentation of the financial statements in accordance
with the applicable financial reporting framework. This agreement is documented in an
engagement letter if the CPA accepts the review engagement.
•  Management must agree to provide a representation letter at the conclusion of the review
engagement that confirms management’s representations made during the review.
(This is essentially similar to the management representation letter required in an audit
engagement discussed in Chapter 14.)

It is especially important that the CPA have a sufficient understanding of the client’s industry
and accounting practices to identify areas of the financial statements that have a greater risk
for material misstatement.
To provide limited assurance, the CPA must perform procedures to gather evidence that
no material modifications are needed for the financial statements to be in accordance with the
financial reporting framework. However, since the CPA is only providing limited assurance,
the CPA will perform fewer procedures as compared to an audit. According to AR-C 90, the
only required procedures a CPA must perform are analytical procedures and inquiry of management.
The inquiry and analytical procedures should be designed to focus on areas the CPA
believes to have increased risks of material misstatements. As with an audit, each review engagement
is unique and will vary by client and may be different each year as circumstances of
the client change. Illustration 15.23 provides examples of analytical procedures and inquiries
that are commonly used in review engagements. If results of analytical procedures are different
from what the CPA expects, or if management is unable to provide adequate responses to
inquiries, the CPA is permitted to perform other procedures as needed. However, in a review
engagement, the CPA is not required to corroborate management’s responses. Ultimately, it is a
matter of professional judgment as to whether the CPA should perform additional procedures.

Illustration 15.23  Examples of analytical procedures and inquiries in a review engagement

Examples of analytical procedures used in a review engagement:
• Compare current year financial statements with previous year financial statements
• Compare current year financial statements with budgets or forecasts
• Compare key current year ratios with expectations based on prior periods, such as current
ratio, receivables and inventory turnover, debt to equity, and gross profit percentage
• Compare current financial statements with relevant nonfinancial information
• Compare disaggregated data, such as profit by location, product line, or period (monthly,
quarterly)
Examples of inquiries used in a review engagement:
• New or complex revenue recognition methods
• Changes in litigation or contingencies
• Unusual or infrequently occurring transactions
• Compliance with debt covenants
• Changes in major contracts with suppliers or customers
• Changes in related parties or significant new related party transactions

Source: AR-C 90.A156–157.

At the conclusion of a review engagement, the CPA provides a written review report.
Illustration 15.24 provides an example of a standard review report. The report identifies the
financial statements that were reviewed, confirms that management is responsible for the
financial statements, and states the engagement was performed in accordance with SSARS.
Note in the first paragraph the report clearly states a review is less in scope than an audit and,
therefore, the CPA does not express an opinion on the financial statements as a whole. In the
Accountant’s Conclusion paragraph, the CPA provides limited assurance by stating that “we
are not aware of any material modifications that should be made for the financial statements
to be in accordance with” the financial reporting framework.

Illustration 15.24  Example of standard review report

Independent Accountant’s Review Report

[Appropriate addressee]

We have reviewed the accompanying financial statements of XYZ Company, which comprise the
balance sheets as of December 31, 2022 and 2021, and the related statements of income, changes
in stockholders’ equity, and cash flows for the years then ended, and the related notes to the
financial statements. A review includes primarily applying analytical procedures to management’s
financial data and making inquiries of company management. A review is substantially less in
scope than an audit, the objective of which is the expression of an opinion regarding the financial
statements as a whole. Accordingly, we do not express such an opinion.

Management’s Responsibility for the Financial Statements


Management is responsible for the preparation and fair presentation of these financial statements
in accordance with accounting principles generally accepted in the United States of America;
this includes the design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of financial statements that are free from material misstatement
whether due to fraud or error.

Accountant’s Responsibility
Our responsibility is to conduct the review engagements in accordance with Statements on Standards
for Accounting and Review Services promulgated by the Accounting and Review Services
Committee of the AICPA. Those standards require us to perform procedures to obtain limited assurance
as a basis for reporting whether we are aware of any material modifications that should
be made to the financial statements for them to be in accordance with accounting principles
generally accepted in the United States of America. We believe that the results of our procedures
provide a reasonable basis for our conclusion.

Accountant’s Conclusion
Based on our review, we are not aware of any material modifications that should be made to the
accompanying financial statements in order for them to be in accordance with accounting principles
generally accepted in the United States of America.

[Signature of accounting firm or accountant, as appropriate]


[Accountant’s city and state]

[Date of the accountant’s review report]

Source: AR-C 90.A160 Exhibit C, Illustration 1.

In the course of performing review procedures, if the CPA becomes aware of a material
departure from the financial reporting framework, it should be communicated to management.
If management takes appropriate action to correct the material departure, the CPA can
issue the standard review report. If management does not appropriately revise the financial
statements, the CPA should consider modifying the standard review report by adding a separate
paragraph to the report titled “Known Departures From (insert the applicable financial
reporting framework).” AR-C 90 provides an example of a modified review report.

Before You Go On
7.1 What standards are followed for compilation and review engagements? Who issues those
standards?
7.2 Is a CPA required to be independent for a compilation engagement? Explain.
7.3 Is a CPA required to be independent for a review engagement? Explain.

Learning Objectives Review


1  Explain the components of the standard unqualified/unmodified audit report for public and
private companies.

An unmodified opinion is expressed by the auditor when the auditor concludes that the financial
statements are presented fairly, in all material respects, in accordance with the applicable
financial reporting framework. There is a standard unmodified report for a private company audit
(Illustration 15.1) and a public company audit (Illustration 15.2). It is important to know the
components of the standard report because it is the basis for other types of opinions that may be
issued by the auditor.

2  Evaluate situations requiring an additional paragraph in the unmodified report on the
financial statements.

Situations may arise in which the auditors give an unmodified opinion but add an
emphasis-of-matter paragraph after the opinion paragraph. If the client has a going concern issue
or a consistency issue such as a change in accounting principle, auditing standards require the
use of an emphasis-of-matter paragraph in the audit report. Standards also allow auditors to use
an emphasis-of-matter paragraph to draw attention to a matter that is presented or disclosed in
the financial statements.

3  Discuss modifications required to the auditor’s report on the financial statements when the
opinion is based in part on the report of another auditor.

Sometimes auditors must rely on work performed by auditors from a different firm. This occurs
most frequently when a group audit is being performed on the group financial statements of more
than one entity, such as consolidated financial statements prepared by a parent company. If a
material portion of the group financial statements is audited by component auditors, the group
engagement partner may decide not to take responsibility for the work of the component auditors
and reference them in the audit report. The auditor’s report would include a reference to the
component auditor in the auditor’s responsibility paragraph and the opinion paragraph. No
emphasis-of-matter paragraph would be required. If the component auditors are not referenced in
the audit report, then the group engagement partner is assuming responsibility for all of the
audit work.

4  Evaluate situations requiring a departure from an unmodified opinion on the financial
statements.

There are two situations that cause auditors to modify the opinion on the financial statements:
(1) the financial statements are not presented fairly in accordance with the applicable financial
reporting framework, and (2) the auditors cannot gather sufficient appropriate audit evidence to
state an opinion on the financial statements (scope limitation). If either of these situations
occurs, the auditors use their professional judgment to determine if the issue is immaterial,
material, or pervasively material. The level of materiality will determine which type of modified
opinion to issue: a qualified opinion, adverse opinion, or disclaimer of opinion. Illustration
15.15 summarizes the situations giving rise to the different types of modified opinions.

5  Analyze how subsequently discovered facts may affect the auditor’s report on the financial
statements.

A subsequently discovered fact is a fact that becomes known to the auditor after the date of the
auditor’s report that, had it been known at the audit report date, might have caused the auditor
to revise the auditor’s report. The auditors should discuss the fact with management and those
charged with governance to determine if the information is reliable, material, and if it existed
at the date of the auditor’s report. If necessary, management should revise the financial
statements, and the auditors should perform audit procedures on management’s revisions. The
auditors would issue a revised audit report and might choose to extend the end of fieldwork date
or dual date the audit report. If the financial statements are revised after they have been
released to external users, management should notify external users not to rely on the original
financial statements. If management does not take proper steps to notify external users, the
auditors should take steps to prevent reliance on the original financial statements.

6  Explain the components of the standard unqualified opinion on the effectiveness of ICFR for
public companies and evaluate situations that cause modifications to the unqualified opinion.

The standard unqualified opinion on the effectiveness of ICFR for public companies has nine
components as shown in Illustration 15.19. If one or more material weaknesses in ICFR are
identified, the auditors issue an adverse opinion and state that the company did not maintain
effective ICFR for the period, as shown in Illustration 15.20. If the auditors are limited in
their scope and cannot gather sufficient appropriate evidence, they issue a disclaimer of opinion.

7  Explain compilation and review engagements performed on unaudited financial statements of a
private company.

Private companies, which are not required to have an audit, may hire a CPA to perform a
compilation or review engagement. A CPA must follow Statements on Standards for Accounting and
Review Services (SSARS) when performing compilation and review engagements. In a compilation
engagement, the CPA assists management in the presentation of financial statements without
providing assurance as to whether material modifications are needed for the financial statements
to be in accordance with the financial reporting framework. A compilation engagement is not an
assurance or attest engagement. Illustration 15.21 provides an example of a standard compilation
report. In a review engagement, the CPA performs analytical procedures and inquiries to provide
limited assurance that no material modifications are needed for the financial statements to be in
accordance with the applicable financial reporting framework. A review engagement is an attest
engagement since limited assurance is provided by the CPA; therefore, the CPA must be independent
from the client. Illustration 15.24 provides an example of a standard review report.

Key Terms Review


Adverse opinion
Compilation engagement
Disclaimer of opinion
Dual dating
Emphasis-of-matter paragraph
Integrated audit
Modified opinion
Pervasive
Qualified opinion
Review engagement
Subsequently discovered facts
Unmodified opinion

Audit Decision-Making Example

Background Information
Lowrys is a department store that has been in business for 75 years.
At its peak, it had locations in every major city in the United States
and usually served as an anchor store for large malls. In the last 15
years, business has been tough for Lowrys. With more consumers
switching to online shopping, Lowrys has seen a decrease of
in-store shoppers, which has resulted in steadily decreasing sales. In
the last decade, Lowrys has closed one-third of its locations and laid
off thousands of employees. Lowrys has also experienced turnover
in upper management in both the CEO and CFO positions. In the
last 10 years, Lowrys has had four different CEOs. The current
CEO has been at the helm for 11 months, but there is speculation
that he may resign because current year sales have dropped 30%
compared to the previous year. Lowrys is reporting losses, running
low on cash, showing negative operating cash flow, and struggling
to make debt payments on time.

Your firm has been the auditor for Lowrys for over 20 years
and is wrapping up the current year audit. The audit team is
meeting to discuss the audit conclusions and the type of audit
report to issue. No scope limitations impacted the audit, but there
is a situation that could be a material departure from the financial
reporting framework. The situation relates to the accounting for
Lowrys’ leases of retail space for all of its stores. The accounting
standard requires lessees to account for all leases as finance leases
and record an asset and liability for each lease; however, there is
an exception for short-term leases that have a term of 12 months
or less. A short-term lease can be accounted for as an operating
lease as long as it does not include an option to purchase the
asset at the end of the lease and does not include a renewal option
that the lessee is reasonably certain to exercise. At the beginning
of the year, Lowrys renegotiated all of its leases of retail space to
be 12 months or less. Lowrys’ management accounted for all of
the leases as operating leases and avoided having to record leased
assets and liabilities on the balance sheet. The leases include a
renewal option, but management argues that with the current
financial situation of the company, it is not reasonably certain that
the leases will be renewed.

Identify the Audit Issue
The audit team must determine what type of audit report is
appropriate for Lowrys. The primary issues to consider are
whether there is a material departure from the applicable
financial reporting framework and if there is a going concern
issue.

Gather Information and Evidence
The audit team discusses more details of the primary issues:

•  The accounting standard requires lessees to account for
most leases as finance leases, which means an asset and a
liability must be recorded on the balance sheet. If Lowrys
records all its leases on the balance sheet, the additional
liability would cause Lowrys to violate debt covenants
related to its long-term debt. If the debt covenants are violated,
the lender can require that Lowrys pay back the debt
immediately. Because of the downturn in sales, Lowrys does
not have enough cash to pay back the debt. This situation
is what prompted Lowrys to renegotiate all its leases to be
12 months or less and avoid recording the leases on the
balance sheet.
•  Lowrys has experienced deteriorating sales for almost 15
years. Cost-cutting, streamlining, and lay-offs have been
the norm during this time period. Upper management has
experienced significant turnover, and no one has been able
to develop a strategic plan that can propel Lowrys back to
its former glory. Currently, management does not have any
plans to restructure its debt. Management’s current strategy
is to close underperforming stores and lay off employees, as
needed, to keep the company afloat.

Analysis and Evaluation
After considering the information, the audit team evaluates both
situations.

•  It seems that the move to having all leases as 12-month
leases is a tactic to avoid the proper accounting for the true
substance of the leases. The renegotiated leases do include
a renewal option. The standard states that a lease can have
a renewal option and still be accounted for as an operating
lease; however, there must be reasonable certainty that the
lessee is not going to exercise the renewal option. If Lowrys
wants to keep its stores in the same locations, then
presumably it will have to renew the leases. The manager and
partner on the audit team advised management that the leases
should be recorded as finance leases. The CFO argued that
because of the uncertainty surrounding store closures, his
management team thinks there is reasonable certainty the
renewal options will not be exercised; therefore, the
accounting for leases as operating leases is justified. The manager
and partner agreed that the CFO’s argument could be valid
for the most underperforming stores, but for a majority of
the locations, the stores will most likely stay open beyond a
one-year period. Therefore, the majority of leases should be
recorded as finance leases. The manager and partner agree
that it is a material departure from the applicable financial
reporting framework if management refuses to record the
leases as finance leases.
•  With continued operating losses, decreases in sales, and no
clear strategic vision, the future for Lowrys is very
uncertain. Management has included a note disclosure describing
Lowrys’ current financial situation and the plans to continue
downsizing and streamlining operations in an effort to
continue operating. Including a note disclosure is in accordance
with the applicable financial framework; therefore,
management has applied the proper accounting treatment for this
situation. The manager and audit partner discuss whether to
add a going concern paragraph to the audit report.
Considering the high turnover in upper management and the lack of
a clear strategic vision for Lowrys’ future, the manager and
audit partner agree that a going concern emphasis-of-matter
paragraph should be added to the audit report.

Audit Conclusion
If Lowrys’ management does not adjust the accounting for leases
to comply with the applicable financial reporting framework, then
the audit team will issue a modified report to reflect a qualified
opinion for the material departure from the financial reporting
framework. The basis for the qualified opinion paragraph will be
inserted before the opinion paragraph. In addition, the report will
include a going concern emphasis-of-matter paragraph inserted
after the opinion paragraph. The going concern paragraph will
reference the note disclosure that provides more information about
the going concern issue.


Multiple-Choice Questions
1.  (LO 1)  All of the following phrases would be found in the standard
unmodified audit report for a private company except:
a.  in our opinion, the financial statements referred to above are
correct, in all material respects.
b.  management is responsible for the preparation and fair
presentation of the financial statements.
c.  standards require that we plan and perform the audit to
obtain reasonable assurance.
d.  we believe the audit evidence we have obtained is sufficient
and appropriate.

2.  (LO 1)  In a public company audit, the audit report is addressed
to the:
a.  audit committee.
b.  the CEO and CFO.
c.  the SEC.
d.  the board of directors and shareholders.

3.  (LO 2)  If a client has a going concern issue that has been properly
disclosed in the notes, the auditor should:
a.  issue an unmodified report and add an emphasis-of-matter
paragraph before the opinion paragraph to highlight the
going concern issue.
b.  issue a qualified report and add an emphasis-of-matter
paragraph before the opinion paragraph to highlight the going
concern issue.
c.  issue an unmodified report and add an emphasis-of-matter
paragraph after the opinion paragraph to highlight the going
concern issue.
d.  issue a qualified report and add an emphasis-of-matter
paragraph after the opinion paragraph to highlight the going
concern issue.

4.  (LO 2)  All of the following are examples of a change in
accounting principle except:
a.  a change from one acceptable accounting principle to another
acceptable accounting principle.
b.  a change in an accounting estimate.
c.  a change from an acceptable accounting method to a newly
adopted accounting principle.
d.  a change in the method of application of an acceptable
accounting principle.

5.  (LO 2)  An emphasis-of-matter paragraph is used with an
unmodified opinion when:
a.  a significant uncertainty exists that should be brought to the
financial statements user’s attention.
b.  an extreme limitation of the scope of the audit exists.
c.  there is a disagreement with those charged with governance
regarding the selection of accounting policies.
d.  a client has an unjustified change in accounting principle.

6.  (LO 3)  When the audit opinion is based in part on the work of
another auditor, all of the following changes are made to the standard
unmodified audit report except:
a.  the auditor’s responsibility paragraph has added wording
stating that other auditors completed a portion of the audit.
b.  the opinion paragraph references the other auditors.
c.  the portion of the audit conducted by the component auditor
is stated in the report.
d.  an emphasis-of-matter paragraph is added after the opinion
paragraph.

7.  (LO 4)  Which of the following is an example of a modified
opinion?
a.  A qualified opinion.
b.  A going concern emphasis-of-matter paragraph.
c.  A consistency emphasis-of-matter paragraph.
d.  A reference to the audit of component auditors.

8.  (LO 4)  If the auditor encounters a material scope limitation and
cannot obtain sufficient appropriate audit evidence regarding the fair
presentation of the financial statements, what type of report would
be issued?
a.  A qualified or adverse opinion.
b.  An unmodified opinion with an emphasis-of-matter paragraph.
c.  A qualified or disclaimer of opinion.
d.  No report can be issued.

9.  (LO 5)  If an auditor becomes aware after the date of the auditor’s
report but before the financial statements are issued, of a fact that may
materially affect the financial statements, the first step the auditor
should take is to:
a.  alert the appropriate regulatory body.
b.  discuss the matter with management and, if appropriate,
those charged with governance.
c.  determine if the financial statements need to be revised.
d.  make the appropriate adjustments to the financial statements.

10.  (LO 5)  The dual dating of an audit report means:
a.  the release date of the financial statements was after the
completion of fieldwork.
b.  a subsequent event occurred.
c.  the auditors performed audit procedures regarding a specific
event that was after the end of fieldwork.
d.  the auditors extended their responsibility period to include
the release date of the financial statements.

11.  (LO 6)  All of the following are components of the standard
unqualified report on the effectiveness of ICFR except:
a.  a title that includes the term “independent.”
b.  a statement about the inherent limitations of ICFR.
c.  the definition of internal control over financial reporting.
d.  the definition of a material weakness.

12.  (LO 6)  If auditors identify only one material weakness in
a client’s internal control system, the appropriate report to issue
is a(n):
a.  qualified opinion.
b.  adverse opinion.
c.  disclaimer of opinion.
d.  unqualified opinion with an emphasis-of-matter paragraph.

13.  (LO 7)  In an engagement to review financial statements of a
private company, the auditor will do all of the following except:
a.  confirm key account receivable balances.
b.  inquire of management regarding key revenue recognition
policies.
c.  calculate key ratios relevant to the client.
d.  issue a report at the conclusion of the engagement.

Review Questions
R15.1  (LO 1)  Why does the standard unmodified report on the
financial statements of a private company contain paragraphs outlining
(1) management’s responsibility for the financial statements and (2)
the auditor’s responsibility for the financial statements? What is
contained in these paragraphs?

R15.2  (LO 1)  What is the significance of the date on the auditor’s
report on the financial statements?

R15.3  (LO 2)  In what circumstances is an auditor required or
allowed to include an emphasis-of-matter paragraph in the audit report
on the financial statements?

R15.4  (LO 2)  Explain the term “consistency” in the context of
financial statements. Provide examples of situations that affect
consistency of financial statements.

R15.5  (LO 3)  Explain how the standard audit report on the financial
statements would be modified if reference is made to a component
auditor.

R15.6  (LO 4)  Distinguish between a limitation of scope and a
departure from the financial reporting framework. Provide an example
of each.

R15.7  (LO 4)  Which would auditors consider to be more serious: a
client-imposed scope limitation or a situation-imposed scope
limitation? Provide an example of each to support your answer.

R15.8  (LO 5)  Distinguish between a subsequent event and a
subsequently discovered fact. What is the auditor’s responsibility for
each?

R15.9  (LO 5)  What factors should the auditor evaluate when
deciding whether to dual date the audit report on the financial statements
for a subsequently discovered fact?

R15.10  (LO 6)  List and briefly explain the components of the
unqualified report on the effectiveness of ICFR.

R15.11  (LO 6)  What factors do auditors consider when
determining if an identified control deficiency is a significant deficiency or a
material weakness?

R15.12  (LO 6)  Explain how the standard unqualified report on the
effectiveness of ICFR would be modified for an adverse opinion.

R15.13  (LO 7)  Compare and contrast a compilation engagement
and review engagement.

Analysis Problems
AP15.1  (LO 1, 2)  Basic   Going concern  Mark Jackson is the partner on the audit team for a new
client, Central Companies (CC). The client hired Mark’s firm in August 2022 in preparation for the
December 31, 2022, audit. Mark’s firm is replacing the predecessor firm that audited CC for the last
12 years. Since January 2022, CC has experienced a slowdown in sales as evidenced by lower inventory
turnover ratios. Slower inventory turnover has negatively impacted operating cash flow, which has
resulted in CC paying some of its suppliers late. Some of the smaller suppliers are demanding that CC pay
cash on delivery of inventory items.
Mark is also aware of correspondence between CC and its bank that the company started having
cash flow problems as far back as 2021. CC has attempted to obtain short-term financing from its bank
but has not been successful. CC’s management has adequately disclosed these issues in the 2022 financial
statements. Based on the audit evidence, CC’s financial statements are presented fairly in accordance with
the financial reporting framework, but Mark has concluded that CC has a substantial going concern issue.

Required
Prepare the appropriate audit report for Central Companies.

AP15.2  (LO 1, 2)  Moderate   Research   Special purpose framework  Your firm has been
engaged to audit a private company that uses a tax basis of accounting to prepare the financial statements
rather than using generally accepted accounting principles (GAAP). You remember learning about
special purpose frameworks in one of your college courses. You decide to research the issue and access AU-C
800 through the AICPA website at www.aicpa.org.

Required
a.  Can your firm accept the engagement if the client does not use GAAP in the preparation of financial
statements? Cite where you found the answer in the standard (the paragraph number).
b.  When a client uses a special purpose framework, will the format of an unmodified audit report be
different than when a client uses GAAP? Research AU-C 800 and then copy and paste an example
of an auditor’s report on a set of financial statements prepared in accordance with the tax basis of
accounting. Discuss the similarities and differences of the report with the unmodified audit report
from Illustration 15.1.

AP15.3  (LO 3)  Moderate   Audit report based in part on the report of another auditor  Marco
Ramirez is the partner on the audit engagement of Sun Products, a private company based in New
Mexico. Sun Products manufactures outdoor patio furniture and yard decorations. Sun Products recently
acquired another company, Al Aire Libre, which is based in Argentina. Al Aire Libre represents 13%
of Sun Products’ assets on the consolidated financial statements. Al Aire Libre has been audited by an
Argentina-based accounting firm for the last five years. Marco and his team decide Al Aire Libre should
continue to be audited by the Argentina-based accounting firm.

Required
a.  Discuss the factors Marco should consider when deciding whether to refer to the Argentina-based
accounting firm in the audit report on the consolidated financial statements of Sun Products.
b.  If Marco decides not to assume responsibility for the work of the Argentina-based accounting firm,
draft the audit report for Sun Products assuming an unmodified opinion is being rendered.

AP15.4  (LO 2, 4)  Basic   Modified opinion  Waveland South, a private company, is a new audit
client for 2022. Waveland’s financial statements for 2021 were audited by the previous auditor. An
unmodified audit opinion with an emphasis-of-matter paragraph was included in the previous auditor’s
report because of a going concern issue. The issue identified by the previous auditor was that a material
amount of debt, which Waveland could not pay, was coming due in the next year. Waveland was in
negotiations with Gulf State Bank, but the bank was not willing to modify or extend the existing financing.
Waveland took no other action to secure financing from other lenders. In the 2021 financial statements,
Waveland did not disclose any information about the debt situation.

Required
Debate whether the opinion in the previous year’s audit report was appropriate. If you disagree with the type
of report issued by the previous auditors, what type of report do you think should have been issued and why?

AP15.5  (LO 2, 4)  Moderate   Emphasis-of-matter paragraph  Billy’s Burger House, a private
company, is a chain of fast-food restaurants that has experienced fast growth in the last decade. The
restaurant chain has been successful because it focuses on the three core foods of hamburgers, French fries, and
milkshakes rather than trying to offer a wide range of options. Billy’s Burger House has a loyal customer
base because of the high quality and consistency of its three core foods.
In the last nine months of 2022, Billy’s Burger House locations have been opening inside of AllMart
supermarkets. The vice president of operations of AllMart is the brother of the CEO and founder of
Billy’s Burger House. The two brothers have been working on this plan for the last three years. With this
new alliance with AllMart, Billy’s Burger House expects to see more growth in the next four years than it
has experienced in the last 10 years. In its December 31, 2022, financial statements, Billy’s Burger House
has disclosed the alliance with AllMart as a related party transaction.

Required
a.  The auditors of Billy’s Burger House intend to issue an unmodified opinion on Billy’s financial
statements and add an emphasis-of-matter paragraph to highlight the related party situation. Draft
the audit report.
b.  If management of Billy’s Burger House had refused to disclose the material related party transaction in
the financial statements as required by the financial reporting framework, evaluate the auditor’s
reporting options. What factor or factors would auditors consider in determining what type of report to issue?

AP15.6  (LO 4)  Moderate   Audit reports and other communication at the end of an audit
Steven Edwards has had difficulties throughout the audit of Kingston Catering. The company is a
long-standing client of the audit firm and there have been no problems in the past. However, four months
into the start of the fiscal year, the company’s IT systems failed. Subsequent diagnostic tests revealed that
a particularly nasty virus had infected the IT system and corrupted all the processed data. The IT
manager called in an IT specialist for advice as soon as the problem was discovered. The specialist installed a
new IT system and additional security programs, and the IT manager is confident that the problem will
not recur.
The processed data had been backed up and stored in a secure location, but when a restoration was
attempted it was discovered that the virus also corrupted the backups. The Kingston Catering staff tried to
reconstruct the files based on paper records, but the reconstruction was incomplete because some paper
documents had been inadvertently destroyed.
Steven is particularly concerned about sales and accounts receivable. Kingston Catering has many
“one-time” customers as well as several large accounts. The first four months of the year corresponded to
the busiest time of the year for the company. Staff attended many corporate and private functions during
this time and made numerous sales of catering equipment to wholesale and retail customers (or at least
they think they did). They believe that they collected all the accounts. Steven is not so sure. He thinks the
chaos caused by the computer virus meant that deliveries were being made in a rush without the
completion of the appropriate paperwork, and the attempts to collect accounts were ineffective as customers
took advantage of the situation to claim they had either already paid or had returned goods for credit.
Other customers simply “fell off” the system and were never billed.

Required
a.  Evaluate Steven’s audit report options and draft the audit report that you would recommend be
issued.
b.  Make a list of matters Steven would include in the communication to those charged with governance
at Kingston Catering.

AP15.7  (LO 5)  Moderate   Subsequently discovered facts  Mitch Jackson and Rosie Punter are
part of the audit team for Hexagon Industries, a large manufacturing, private company client. The client’s
year-end was December 31, 2022, the end of fieldwork date on the unmodified report was February 28,
2023, and the financial statements and auditor’s report will be released on March 9, 2023. The primary
lender for Hexagon Industries, First Union Bank, requires that Hexagon be audited each year as a
condition of borrowing funds.
Today is March 5, 2023, and Mitch and Rosie are working on assembling the audit file for archiving.
Shortly before lunch, they receive an instant message through the firm’s intranet from Elizabeth Morgan,
the partner on the Hexagon audit. She says to report to her office immediately as there has been a new
development on the Hexagon audit.
Elizabeth informs Mitch and Rosie that she received a call from Hexagon’s CFO an hour ago. It was
discovered that Hexagon’s controller and human resource director were embezzling funds through an
elaborate payroll fraud. The CFO suspects the fraud has been going on for several years. Elizabeth says, “Eat a
quick lunch, and then we are headed to Hexagon for a meeting with the CEO and CFO at 1:00 p.m.”

Required
a.  Explain the auditor’s responsibilities for events that arise after the date of the audit report.
b.  List the steps Elizabeth and her team should take regarding this situation.
c.  Since fraud was discovered, what implication does that have for the client’s internal controls?
Evaluate the effect of the discovered fraud on the work auditors performed on internal controls and
the substantive procedures performed.

AP15.8  (LO 6)  Basic   Public Company   Research   Audit reports for a public company  You
are completing an internship with a Big Four accounting firm and have worked on one client, a public
company, during the entire internship. In your college class, you learned that an audit firm conducts
an integrated audit and renders two opinions, one on the fair presentation of the financial statements
and another on the effectiveness of ICFR. You see one draft audit report prepared by the manager on
the audit team. You wonder why there is only one report, so you ask the manager, “Shouldn’t there be
another report since we are giving two opinions?” The manager replies with a smile, “Look closely, our
two opinions are in that one report.”

Required
Research the PCAOB Auditing Standards to find an example of a combined report on the company’s
financial statements and on ICFR. Go to the PCAOB’s website (www.pcaobus.org) and navigate to
the auditing standards. Open AS 2201 An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements. Copy and paste an example of a combined report and
cite where it is found in the standard (the paragraph number). Read through the report and highlight the
components of both reports (refer to Illustrations 15.2 and 15.19 for the components). Does the combined
report have all the required components of both reports?

AP15.9  (LO 6)  Moderate   Public Company   Reporting on effectiveness of ICFR  Phillips &
Craig LLP was hired by Richards Manufacturing, a public company, to perform an integrated audit of the
December 31, 2022, financial statements and internal controls. Phillips & Craig was hired just after
year-end, on January 3, 2023. Because of the tight deadline to complete the audit before the SEC filing deadline,
Phillips & Craig focused more time on performing substantive procedures for the financial statement audit
and was not able to complete a full audit of ICFR. The tests of controls that were completed provided
evidence that internal controls were effective. The audit manager for Phillips & Craig tells the partner, “I feel
certain if we had the time to complete all of the planned tests of controls, we wouldn’t identify any material
weaknesses. We already decided to issue an unqualified opinion on the financial statements based on the
evidence gathered from our substantive procedures, so I’m sure the internal controls are effective.”

Required
What type of opinion on the effectiveness of ICFR should Phillips & Craig issue? Evaluate the situation
and provide support for the type of opinion selected.

AP15.10  (LO 6)  Moderate   Public Company   Audit reports and subsequent events  Industrial
Holdings Inc. (IH), a public company, has been a client of Walker LLP for several years. Walker has
completed the integrated audit of IH for the year ended December 31, 2022. In February 2022, IH upgraded
to a new inventory management system that should make IH’s inventory recording more efficient and
more paperless. The change to the new system required IH to make significant changes to internal
controls over inventory recording. IH management has worked hard to make the needed changes to internal
control and test the changes during the year. For example, in early April 2022, management identified a
material weakness regarding the number of employees who had access to edit transactions in the new
inventory system. Management quickly took steps to correct the weakness so that from late April through
the rest of the year the control was effective.
The auditors conducted extensive controls testing on the new inventory management system in
September and October 2022. Although three control deficiencies were identified, the auditors
determined there was a remote possibility that a material misstatement would not be prevented, or detected
and corrected, on a timely basis. The auditors concurred with management that the material weakness
that was identified in early April was remediated and was no longer a material weakness.

Required
a.  What type of opinion on the effectiveness of ICFR should the auditors issue? Draft the report.
b.  Suppose management had not identified the material weakness in April. Instead, auditors identified
the material weakness during their controls testing in October 2022. By year-end, management had
not remediated the material weakness. What type of opinion on the effectiveness of ICFR should the
auditors issue? Draft the report.
c.  Suppose management had not identified the material weakness in April. Instead, auditors identified the
material weakness during their controls testing in October 2022. Management corrected the material
weakness in early November and auditors concurred that the material weakness was remediated. What
type of opinion on the effectiveness of ICFR should the auditors issue? Defend your choice of opinion.

AP15.11  (LO 6)  Moderate   Research   Documents accompanying financial statements  You
have learned that the auditor is responsible for expressing an opinion on the financial statements. The
term “financial statements” includes the four financial statements and the notes that accompany the
financial statements. A company’s financial statements are often included as part of a larger document,
such as the annual report. Does the auditor have any responsibility related to the other information in the
documents containing the audited financial statements?

Required
Research the ASB and PCAOB standards online to determine if auditors have any responsibility for other
information in documents containing the audited financial statements. Write a summary of your
findings, and also discuss if the auditor’s responsibility is different depending on if the client is a public
company or private company.

AP15.12  (LO 7)  Moderate   Research   Review engagement  You are a first-year staff at a regional
accounting firm. The firm primarily services private company clients and performs more review
engagements than audit engagements. Your first assignment is a review engagement on a small private company
that specializes in manufacturing team sports apparel. You decide to do some research to refresh your
memory on review engagements.

Required
a.  Discuss the similarities and differences of a review engagement and an audit engagement.
b.  You remember learning about the standard review report from your college course, but you are not
familiar with modifications to the standard report. Go to www.aicpa.org/research/standards to
access SSARS No. 24, AR-C 90, Review of Financial Statements. Copy and paste an example of a
review report that is modified for a departure from the applicable financial reporting framework.

Audit Decision Cases


King Companies, Inc.
Questions C15.1 and C15.2 are based on the following case.

King Companies, Inc. (KCI) is a private company which owns five auto parts stores in urban Los Angeles,
California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans
continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of
the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned
by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started
the company with one store after working in an auto parts store. To date, he has funded growth from
an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by
opening three to five additional stores in the next few years.
KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery,
and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular
customers where KCI delivers parts to their locations and bills these customers on account. During peak
periods, KCI also uses part-time workers.
Your accounting firm, Thornson & Danforth, LLP, is conducting the annual audit of KCI for the year
ended December 31, 2022. Your audit team discovers numerous misstatements, mostly caused by human
error and weak internal controls. In aggregate, the misstatements are material, but management agrees
to make your recommended adjustments to correct the misstatements. Also, during 2022, KCI changed
its method of valuing inventory from a weighted-average method to FIFO. When Eric and Patricia opened
their first store, they thought the easiest way to value inventory was to use an average cost for each
category of inventory items. As the company grew, they never revisited this practice. Now that the company is
significantly larger with multiple stores, Eric and Patricia realize they need to be more focused on
tracking inventory costs because that impacts their profit margins. The change was made to FIFO because it is
more commonly used in the industry.
Your team concludes fieldwork on March 1, 2023, and Eric and Patricia are planning to provide the
audited financial statements and audit report to its lenders on March 6, 2023.

C15.1  (LO 1, 2)  Challenging   Consistency issue


a.  Analysis and evaluation: Does KCI have a justified change in accounting principle? If so, how should
the change be presented in the financial statements?
b.  Conclusions: Assuming KCI has a justified change in accounting principle and has accounted for the
change properly, draft the audit report that Thornson & Danforth will issue.

C15.2  (LO 4)  Challenging   Modified opinion  Analysis and evaluation: Suppose management
does not agree to make adjustments to correct the material misstatements and does not properly
present the change in accounting principle in the financial statements. What reporting options does
Thornson & Danforth have? Analyze the factors Thornson & Danforth will consider when
determining what type of report to issue. Draft the audit reports for each reporting option that Thornson &
Danforth is considering.

Mobile Security, Inc.


Question C15.3 is based on the following case.

Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small,
publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned
aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s
products are primarily used by the military and scientific research institutions, but there is growing demand
for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for
large government contracts. Because of the sensitive nature of government contracts and military
product designs, both the facilities and records of MSI must be highly secured.
In October 2022, MSI purchased a small company in Brazil, Jungle Max, that manufactures small,
unmanned vehicles that can maneuver through jungle terrain. The subsidiary represents 15% of MSI’s
assets on the consolidated financial statements. For the last 20 years, Jungle Max has been audited by a
Brazilian accounting firm. After meeting with representatives from the Brazilian firm and researching
the firm’s history, Leo & Lee decide it would be most efficient to have the Brazilian firm continue to
audit Jungle Max. Therefore, for the audit of MSI for the year ended June 30, 2023, the Brazilian firm
conducted the audit of Jungle Max.

C15.3  (LO 3)  Moderate   Public Company   Research   Use of another auditor
a.  Information gathering and analysis: What factors should Leo & Lee consider when deciding whether
to use the Brazilian accounting firm? (Refer back to the section “Using the Work of Another Auditor”
in Chapter 5 when preparing your answer.)
b.  Information gathering and analysis: What are the responsibilities of the Leo & Lee partner on the
MSI audit as they relate to the Brazilian accounting firm? (Refer back to the section “Using the Work
of Another Auditor” in Chapter 5 when preparing your answer.)
c.  Conclusions: Draft the audit report for MSI assuming an unqualified opinion based in part on the
work of another auditor. (Access AS 1205 at www.pcaobus.org to see an example report.)

Brookwood Pines Hospital


Questions C15.4 and C15.5 are based on the following case.

Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital.
The fiscal year-end for Brookwood Pines is June 30. You are the audit partner on the BPH audit for the year
ended June 30, 2023. The audit is finished, and the date on the unmodified audit report is August 21, 2023.
BPH provided the audited financial statements and the auditor’s report to its banks on August 25, 2023.
Today is August 28, 2023. As you are drinking your morning coffee at your desk, you get a phone call
from BPH’s controller. He has some bad news: BPH just received notice from Infinity Health Insurance,
the largest health insurance provider in Texas, that it will no longer list BPH as a preferred, in-network
provider for its insurance members. Infinity Health Insurance is cancelling the contract with BPH
because of the following reasons:
•  Perception that BPH has poor internal controls because in September 2022, two ER doctors were
caught upcoding, which is a type of fraud that causes insurance companies and patients to pay for
services they did not receive.
•  Closure of the hospital kitchen/cafeteria because it was badly damaged by fire.
•  Increased complaints from Infinity Health Insurance members about outdated facilities at BPH.
You tell the controller that you’d like to have a meeting with the executive management team that afternoon
to further discuss the new development. You thank him for the call and hang up.
In preparation for your afternoon meeting, you review some evidence that was gathered in the last
few days before the completion of fieldwork. The fire that occurred in the hospital kitchen a month
ago was not adequately covered by insurance, but BPH has the funds to have the kitchen repaired. The
original time frame to have the kitchen and cafeteria re-opened was 6 weeks. However, by the end of the
audit, the controller stated it would be closer to three months before the kitchen would be fully repaired
and open for operations.

C15.4  (LO 5)  Challenging   Subsequently discovered facts


a.  Information gathering: Prepare a list of questions that you will inquire of management at the
afternoon meeting regarding this new development.
b.  Analysis and evaluation: Assuming this new information is material, discuss the steps the auditors
will take. Would you recommend that management revise the financial statements? Why or why not?
c.  Analysis and evaluation: What if management does not cooperate with your recommended course
of action? What steps would you take?

C15.5  (LO 1, 2, 4, 5)  Challenging   Audit reports


a.  Conclusions: Based on the new information and assuming management cooperates with your
recommended course of action, how would you date your updated report and would your updated
report be an unmodified opinion? Explain your answers.
b.  Conclusions: If management does not cooperate with your recommended course of action, would
you modify your opinion on the updated report? Explain your answer.

Cloud 9 - Continuing Case


Answer the following question based on the information presented for Cloud 9 in the appendix to this
text and the current and earlier chapters. You should also consider your answers to the case study
questions in earlier chapters.

Required
Based on everything you know about the audit of Cloud 9, prepare the audit reports. Fieldwork was
completed on March 15, 2023, and the 10-K will be filed with the SEC on March 20, 2023.

Appendix A
Cloud 9 Inc. Audit
W&S Partners is a U.S.-based accounting firm with offices located in most major cities. W&S
Partners will be conducting the January 31, 2023, audit for Cloud 9 Inc., a publicly traded
company. The audit team assigned to the client is:

•  Partner: Jo Wadley
•  Audit manager: Sharon Gallagher
•  Audit senior: Josh Thomas
•  IT audit manager: Mark Batten
•  Experienced staff: Suzie Pickering
•  First-year staff: Ian Harper

Prior-year audits were conducted by Ellis & Associates. As part of the transfer of records
process, Jo Wadley met with RJ Ellis (managing partner, Ellis & Associates) to discuss acceptance
of Cloud 9 as a client and to inquire about access to Ellis & Associates’ working papers. In the
discussion, RJ Ellis stated that there were no issues that W&S Partners should be aware of
before accepting the client or beginning the work.

Cloud 9 Inc. Company Background


Cloud 9 Inc. is a manufacturer and retailer of athletic shoes and apparel, based in Sacramento,
California. In 2021, Cloud 9 purchased McLellan’s Shoes from Ron McLellan. As part of the
sale agreement, Ron McLellan was appointed to the Cloud 9 board of directors.
Cloud 9 has wholly owned subsidiaries in Canada and Vietnam, and has built a
reputation for its comfortable and durable shoes. The company promotes itself using its now
well-known tagline, “Our shoes are so comfortable, it’s like walking on Cloud 9.” Currently, Cloud 9
is primarily a wholesaler of athletic shoes and apparel to its main customers All Day Sports,
Mayer, Bob’s, and Varsity Sports.
Cloud 9 receives about 25% of its inventory from the Vietnam production plant with the
remainder coming from the United States. Also, about 20% of its property, plant, and
equipment is located at the Vietnam production plant. All inventory is purchased on free on board
(FOB) shipping terms, which means Cloud 9 takes ownership of the products once the
international courier accepts the goods for delivery. The inventory is sent to the main warehouse
in Sacramento, which is linked to retailers via an electronic inventory system. When retail
inventory gets low, the company ensures deliveries are made using its own transport trucks,
thus ensuring control throughout the entire process.
In February 2021, Cloud 9 launched its new product line that included the “Heavenly
456” walking shoe. Advertising campaigns and media coverage have been very successful, and
sales for this style of shoe have steadily increased. For Cloud 9, the Heavenly 456 now makes
up 20% of total sales.
A specific marketing campaign was initiated in 2022 to promote and build the Cloud 9
brand in the United States. Cloud 9 decided to sponsor a professional soccer team, Georgia
Thunder, for the 2022 season. Under this sponsorship agreement, Cloud 9 is to provide all
the athletic footwear and apparel for the team as well as have sole merchandising rights. The
agreement also includes general advertising rights at the stadium.
In a separate contractual arrangement, Cloud 9 has signed Miguel Fernandez, the captain
of Georgia Thunder, as spokesperson for the brand. This arrangement allows Cloud 9 to use
Miguel’s image to promote and build the brand.

To further establish the brand, the first Cloud 9 retail store was opened in San Francisco,
California, on June 1, 2022. The store operates on a just-in-time inventory system linked with
a series of warehouses and distribution centers throughout the United States and Canada.
However, the management team reports that there have been a few hiccups in determining
ideal stock quantities for the store to allow optimum availability of merchandise to its
customers. Because some thefts of merchandise from the store have also occurred, the company has
installed closed-circuit television cameras.

Personnel
The Cloud 9 corporate office has 358 full-time employees. In the retail store, the company
employs two full-time managers and some part-time staff, with seasonal employees enhancing
staff levels in the busier retail period.
Some key positions in the accounting and IT area are as follows:

•  CFO: David Collier
•  Financial controller: Carla Johnson
•  IT manager: Will Burton

These three employees are entitled to participate in the employee stock-purchase plan and
receive stock options in Cloud 9 if revenue targets are met.

Financial Information
Cloud 9 set a goal to increase revenue by 3% for the 2022 fiscal year. One of the critical success
factors for the company to achieve this 3% increase is to grow its share of the U.S. footwear
market. However, with the new store opening and the subsequent increase in costs, as well
as the costs related to the sponsorship deals, the management team is projecting a decline in
earnings for the year.
In addition, to build customer loyalty and promote sales in the retail store, Cloud 9
introduced a loyalty program whereby customers earn one point for every $10 that they spend.
Customers can then redeem points by going online to receive coupons that can be exchanged
for merchandise in the store. On August 1, 2022, the company took out an additional loan of
$7 million with Windsor Bank to help fund the store costs and to purchase additional delivery
trucks and vans. This loan is repayable over five years. The company’s other debt relates to
loans issued more than five years ago from various lending institutions.
All inventory is purchased in U.S. dollars, which the company acquires under forward
exchange contracts. The company provides a 12-month warranty on all footwear. Historical
claims have been 0.2% of total sales.
The most recent financial statements for Cloud 9 are as follows. (Note that these financial
statements are also available in Excel format in WileyPLUS.)

Cloud 9  Consolidated Statement of Income


For the year ended  For the year ended 
January 31, 2022 January 31, 2021
Revenues $364,953,846 $345,965,385
Costs and expenses:
  Cost of sales $222,496,154 $207,838,462
  Selling and administrative 104,450,000 100,246,154
  Interest expense 1,257,692 1,730,769
  Other (income)/expense, net 1,311,539 796,154
Total costs and expenses 329,515,385 310,611,539
Income before income taxes 35,438,461 35,353,846
Income taxes 12,757,692 13,080,769
Net income $ 22,680,769 $ 22,273,077

Cloud 9  Consolidated Balance Sheet


January 31, 2022 January 31, 2021
Assets
Current assets:
Cash and cash equivalents $11,692,308 $ 9,780,769
Accounts receivable, less allowance for doubtful accounts of $2,773,077 and $2,515,385 62,361,538 60,361,539
Inventory 54,773,077 55,615,385
Investments (derivatives) 14,460,577 14,852,885
Deferred income taxes 3,357,692 3,288,461
Prepaid expenses and other current assets 5,250,000 7,276,923
Total current assets $151,895,192 $151,175,962
Property, plant, and equipment, net 62,261,539 60,900,000
Identifiable intangible assets and goodwill, net 3,820,192 3,950,961
Deferred income taxes and other assets 5,853,846 9,238,462
Total assets $223,830,769 $225,265,385

Liabilities and Stockholders’ Equity


Current liabilities:
Current portion of long-term debt $ 207,692 $ 1,926,923
Notes payable 28,896,154 35,546,154
Accounts payable 20,615,385 20,915,385
Accrued liabilities 18,157,692 23,336,581
Income taxes payable 842,308 582,650
Total current liabilities $ 68,719,231 $ 82,307,693
Long-term debt 16,765,384 18,088,462
Deferred income taxes and other liabilities 3,942,308 4,253,846
Stockholders’ equity:
Common stock at par value 107,692 107,692
Capital in excess of par value 17,669,231 14,192,308
Unearned stock compensation (380,769) (450,000)
Accumulated other comprehensive income (5,850,000) (4,273,077)
Retained earnings 122,857,692 111,038,461
Total stockholders’ equity 134,403,846 120,615,384
Total liabilities and stockholders’ equity $223,830,769 $225,265,385

Cloud 9  Condensed Cash Flow Statement


For the year ended
January 31, 2022 January 31, 2021
Cash provided by operations $ 25,250,000 $ 26,907,692
Cash used by investing activities (13,165,385) (16,923,077)
Cash used by financing activities* (13,457,692) (9,696,154)
Effect of exchange rate changes on cash 3,284,616 1,873,077
Net increase in cash and cash equivalents 1,911,539 2,161,538
Cash and cash equivalents, beginning of year 9,780,769 7,619,231
Cash and cash equivalents, end of year $ 11,692,308 $  9,780,769

*Includes dividends paid of $4,988,462 in 2022 and $5,119,231 in 2021.



Cloud 9  Trial Balance


                                                                          October 31, 2022                October 31, 2021
                                                                     Debit          Credit           Debit          Credit
Cash and cash equivalents                                     $ 13,446,154                     $ 6,123,884
Accounts receivable                                             70,485,625                      64,867,910
Allowance for doubtful accounts                                                  $ 704,856                       $ 648,679
Inventory                                                       55,100,000                      57,900,000
Investments (derivatives)                                       13,419,231                      13,805,769
Deferred income taxes (current)                                  2,857,692                       3,584,615
Prepaid expenses and other current assets                        9,265,385                       6,446,154
Property, plant, and equipment                                 103,803,846                      97,576,923
Accumulated depreciation                                                        39,761,538                      35,207,692
Identifiable intangible assets and goodwill                      3,723,007                       3,851,923
Accumulated amortization
Deferred income taxes and other assets (noncurrent)              9,557,692                       8,410,849
Current portion of long-term debt                                                2,115,385                         300,125
Notes payable                                                                   21,376,923                      34,823,077
Accounts payable                                                                14,986,457                      22,561,538
Accrued liabilities                                                             25,803,846                      24,150,000
Income taxes payable                                                             2,211,539                       3,726,923
Long-term debt                                                                  23,661,538                      17,119,106
Deferred income taxes and other liabilities (noncurrent)                         4,915,384                       4,330,769
Common stock at par value                                                          111,538                         107,692
Capital stock in excess of par value                                            19,415,385                      16,484,615
Unearned stock compensation                                        253,846                         480,769
Accumulated other comprehensive income                           5,011,538                       4,746,154
Beginning retained earnings                                                    122,857,692                      98,150,473
Dividends                                                        3,866,838                       3,299,423
Repurchases of common stock                                      4,627,381                       2,939,393
Revenue                                                                        277,338,461                     269,442,308
Cost of sales                                                  169,346,154                     163,003,846
Selling and administrative                                      79,092,308                      78,246,154
Interest expense                                                 1,438,461                       1,773,077
Other expense                                                      453,846                         757,692
Income tax expense                                               9,511,538                       9,238,462
Totals                                                        $555,260,542    $555,260,542    $527,052,997    $527,052,997

Transcript of Meeting with David Collier


Present:  David Collier, chief financial officer, Cloud 9 Inc.  
Josh Thomas, audit senior, W&S Partners
JT: Thanks for seeing me, David.
DC: You’re welcome, Josh. What can I do for you?
JT: I need to ask you some questions about Cloud 9’s process for recording wholesale
revenue transactions, including the trade receivables and cash receipts aspects.
After I understand the process, I will be doing a system walkthrough and
confirming my understanding by talking to the individuals who are involved in each
step of the process.
DC: We’ve got a pretty complex inventory management software system called Swift. It was
designed by some of our tech guys. It tracks inventory and it integrates with our sales system.

JT: How do customers decide the quantity and know the price?
DC: The customers complete a purchase order online through a site that is linked to Swift. The
site will tell customers the price for each item in inventory, as well as the quantity we have
in stock.
JT: How often are prices changed?
DC: Price changes really depend on the market. While they don’t change that often, our
marketing management meets weekly to discuss price changes. Price changes are initiated
after that meeting. Only the marketing manager and a few of her staff members have
access to update the master price list.
JT: What if a customer logs on and you don’t have the products?
DC: The system doesn’t allow a customer to place an order greater than our current
inventory levels. If a customer needs more inventory, the customer should fill out a separate
request for inventory not on hand. The request gets e-mailed to our production manager
and our marketing manager, who determine if we need to manufacture more goods. The
decision about manufacturing more goods is complex as it integrates with our production
decisions, or whether we can purchase additional inventory from a subcontractor that
manufactures for us.
JT: OK. This is helpful. Let’s stay focused on the sales process. Once a customer’s
purchase order is complete, then what?
DC: The submitted purchase order goes through a credit check and then becomes a sales
order. If a customer exceeds his or her credit limit, there are a few people in my office that
can approve a credit override, on a case-by-case basis. We tend to allow this only for good
customers with good payment history. Then, the purchase order becomes our sales order.
JT: I guess this electronic process saves a lot of time and trees!
DC: Yes, there’s so much that we rely on the system to do for us, it’s scary. I worry about things
like what happens if we are hit by a storm or lose power. We do have the whole system
backed up off-site.
JT: That is nice to know, and probably gives you some comfort. What happens to the
sales order – how does it get filled?
DC: Every day, the system assigns shipments to the warehouse location nearest to the
customer’s location that can fulfill the entire order. The warehouse manager then downloads the
outstanding sales orders to these little handheld computer/scanners. It’s very Star Trek.
Warehouse personnel use these to identify inventory in the warehouse, then the warehouse
personnel put boxes of ordered shoes onto pallets. The pallets are taken to a staging area
where each product is then scanned.
JT: Are the shipping documents approved before the goods go out the door? How do
you know that what got sent is what was ordered?
DC: Swift matches the quantities and products on the packing slip to the sales order. If they
don’t match, the order is set aside for follow-up to ensure that the order is accurately
filled. Once they match, the approval box is activated, and the shipping supervisor can
enter his or her passcode. This officially approves the packing slip and bill of lading, and
each gets printed.
JT: OK, so once the goods are shipped to the customer, how do you bill for this
shipment?
DC: We go into the billing system and pull up a draft invoice that was generated when the
shipping document was approved. At this point, Swift performs a number of checks.
The system matches the quantities in the invoice against the packing slip and sales order.
Prices are also matched to the sales order. The customer number should also match on the
sales order, shipping documents, and draft invoice. A report is run daily of any shipments
that have not resulted in invoices. The reverse is also true. A report is run of any invoices
that are not supported by shipping documents. At month-end, we run a report to compare
dates on shipping documents with the month that transactions are recorded in the sales
journal. If there are any discrepancies, the transaction is reported for manual follow-up.
I believe discrepancies are rare as the system is very tight, and we ship only what was
ordered. Then, the sales invoice is processed. Processing the sales invoice enters the
transaction in a database from which we build the sales journal and accounts receivable
subsidiary ledger. Also, at the end of each day, we compare the totals for accounts receivable with
the total of each customer’s balance in the accounts receivable subsidiary ledger.
JT: When you do have discrepancies, who follows up on them and how are they
cleared?
DC: We have a data control group that follows up on discrepancies in a variety of systems.
Discrepancies have to be cleared daily. Once the reason for the discrepancy is identified,
changes to the underlying data must be approved by a manager in the data control group.
The data is then corrected, and the invoice is processed. As I noted, discrepancies are very
rare. We don’t ship goods unless the order is completely filled.
JT: Does finance ever go back to the sales order?
DC: No. Since the shipping document can’t be generated unless it agrees to the sales order,
Swift only looks at the sales order for prices. Do you think we should do otherwise?
JT: I wouldn’t say so at this stage. But you’d have to be sure to have some tight
controls around Swift, given that it seems to do everything.
DC: Yes, good IT general controls over the Swift program, and other programs, are extremely
important. I meet with the IT manager monthly, to talk about the few discrepancies
found, reasons for discrepancies, and the importance of controls. I think you will find
that our IT manager understands the importance of strong IT general controls, and strong
controls over clearing any discrepancies identified in transaction streams.
JT: Let’s talk about accounts receivable. Who follows up on past-due receivables?
DC: That is the sales manager’s responsibility. In my opinion, we do a good job of screening
credit upfront so we don’t have a significant problem with past-due receivables. We send
statements to customers with their receivable balances monthly. The sales manager and I
discuss past-due accounts on a regular basis. The sales manager, controller, and I review
the allowance for doubtful accounts monthly. A monthly adjusting journal entry is made
by the controller, which I review and approve. You will find that our allowance for
doubtful accounts is only about 1% of outstanding receivables as we do a good job of screening
customers’ credit upfront.
JT: What is the cash receipts process?
DC: We get most payments via EFT. If a customer pays by check, it goes to a lockbox where it
also is directly received by our bank. Our AR clerk is able to download the previous day’s
cash receipts from online banking. She then merges this information with our
accounting system, which first screens the data, matching customer numbers with the master
customer file. On occasion, the bank has made errors in entering customer numbers, and
we have to follow up on these transactions before they are processed in our accounting
system. This is done the same day. Once the transaction is processed, it is posted to the
database from which we build our cash receipts journal and accounts receivable
subsidiary ledger. Finally, every morning someone reconciles what was posted to cash receipts
with what has been deposited in various bank accounts. I believe it is critical that all cash
receipts are posted timely and accurately.
JT: Are bank reconciliations done in a timely manner?
DC: Yes, someone in my office does bank recs every month for the main operating account and
other bank accounts. Our standard is to complete this by the fifth business day of each
month. My assistant reviews and approves the bank reconciliations. Keep in mind that what
I explained is for the wholesale transactions. We have separate procedures for the retail store
regarding daily cash balance reconciliations to the deposits in the operating bank account.
JT: Yes, we have another auditor who will be handling the retail store side of the
sales-to-cash-receipts process. She or he will probably come and talk to you in
a day or two. Well, I think that should do it for now. I may have some follow-up
questions for you as I start getting my head around the revenue process.
DC: The door is always open.
JT: Thanks for your time.
Glossary
Ability of cash flow from operations to cover current debt and dividends  Measures ability to cover current debt maturities and dividends with operating cash flow.  (p. 4-18).
Accounting estimate  An approximation of a monetary amount when a precise means of measurement is not available.  (p. 9-19).
Accounting records  Client’s records of the initial accounting entry and supporting documents.  (p. 5-10).
Acid-test (quick) ratio  Measures ability to meet short-term obligations with liquid assets such as cash, short-term investments, and receivables.  (p. 4-17).
Advance shipping notice (ASN)  An electronic acknowledgement of a transaction by a supplier indicating goods shipped, prices, and other information such as freight costs or taxes.  (p. 12-22).
Adverse interest threat  The threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests.  (p. 2-8).
Adverse opinion  Auditors state the financial statements are not fairly presented due to a pervasively material departure from the applicable financial reporting framework.  (p. 15-15).
Advocacy threat  The threat that a CPA will promote a client’s interests or position to the point that his or her objectivity or independence is compromised.  (p. 2-8).
Allowance for sampling risk (ASR)  A measure of the uncertainty associated with not sampling the entire population.  (p. 10-23).
Analytical procedures  Evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data; analytical procedures also encompass such investigation, as is necessary, of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.  (pp. 4-14, 5-16, 9-9).
information, or its context, for decision makers.  (p. 1-5).
Attestation services  Services performed when an independent practitioner, or CPA, is engaged to issue a report on subject matter that is the responsibility of another party.  (p. 1-4).
Attribute sampling  A sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.  (p. 8-19).
Audit committee  A committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors.  (pp. 2-20, 4-24).
Audit data analytics (ADA)  The science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for planning and performing the audit.  (pp. 4-20, 5-17, 7-2).
Audit evidence  Information gathered by the auditor that is used when forming an opinion on the fair presentation of a client’s financial statements.  (p. 5-7).
Audit program  A listing of details of the audit procedures to be used when testing controls, conducting detailed substantive audit procedures, and completing the audit.  (p. 5-7).
Audit risk  The risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.  (pp. 1-20, 3-9).
Audit sampling  The selection and evaluation of less than 100% of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population.  (p. 10-5).
nal controls and conducting detailed testing of transactions and account balances.  (p. 3-21).
Bank confirmation  Correspondence sent directly by the auditors to their client’s bank requesting information such as cash held in the bank and details of any loans with the bank and interest rates charged.  (p. 5-13).
Basic precision (BP)  The amount of estimated misstatement in the population, even if no misstatements are detected in the sample.  (p. 10-23).
Benchmarking  An audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period.  (p. 8-22).
Bid rigging  An employee assists a vendor in winning a competitive bid for a contract; employee is compensated, usually in the form of a cash payment.  (p. 12-27).
Bill-and-hold transactions  A customer is billed for goods, but goods are not shipped; accounting principles have very narrow criteria for when revenue can be recognized for a bill-and-hold transaction; the transaction must be initiated by the customer, and the customer must have a sound economic reason for purchasing the goods and asking the seller to continue to hold the goods.  (p. 11-10).
Board of directors  A group that represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders.  (p. 4-24).
Bond trustee  A bond trustee is usually a commercial bank or a trust company that is given fiduciary powers by a bond issuer to enforce the terms of a bond indenture; the trustee sees that bond interest payments are made as scheduled and protects the interests of the bondholders if the issuer defaults.  (p. 13-40).
Breach of contract  A binding agreement is not honored by one or more parties to a contract.  (p. 2-27).
Cash earnings per share (CEPS) ratio  Shows cash flow capacity of a company for each common share issued.  (p. 4-13).
Audit services  Services by an independent CPA that provide financial statement users
with (1) an opinion on whether the financial
Appropriate  Refers to the quality of audit *Classical
  variables sampling  A sam-
statements are presented fairly, in all material
evidence gathered.  (p. 5-8). pling method that uses normal distribution
respects, in accordance with an applicable
Assertions  Statements or representations, financial reporting framework and, in some theory to select a sample from a population
explicit or implied, made by management cases, (2) an opinion on the effectiveness of and evaluate the characteristics of a pop-
regarding the recognition, measurement, ICFR, which enhances the degree of confi- ulation based on the results of the sample. 
presentation, and disclosure of items included dence that intended users can place in the (p. 10-33).
in the financial statements.  (pp. 3-16, 5-3). financial statements.  (p. 1-4). Close relative  A covered member’s par-
Assurance services  Independent profes- Audit strategy  The determination of the ents, nondependent children, brothers and
sional services that improve the quality of amount of time spent testing the client’s inter- sisters, or stepbrothers or stepsisters.  (p. 2-15).
G-1
G-2 GLOSSARY

Closing procedures  Processes used by a client when finalizing the accounts for an accounting period. (p. 4-27).
Cluster analysis  The process of discovering groups (termed clusters in data science) of similar items in a set of data; items in the same group are similar, while items in different groups are not as similar. (p. 7-18).
Common law  Law based on justice, reason, and common sense, rather than on absolute rules. (p. 2-27).
Common-size analysis  A comparison of account balances to a single line item. (p. 4-15).
Compilation engagement  An engagement in which a CPA applies accounting and financial expertise to assist management in the presentation of financial statements without undertaking to obtain or provide any assurance that there are no material modifications that should be made to the financial statements for them to be in accordance with the applicable financial reporting framework. (p. 15-30).
Compilation of inventory values  The client’s documentation behind the value for inventory in the general ledger; this shows the quantity of each item in inventory and the values assigned to each item in inventory. (p. 13-15).
Compliance audit  An audit to determine whether the entity has conformed with regulations, rules, or processes. (p. 1-7).
Component  An entity or business activity whose financial information is required by an applicable financial reporting framework to be included in group financial statements. (p. 5-23).
Component auditor  An audit firm that performs work on the financial information of a component that will be used as audit evidence for the group audit. (p. 5-23).
Confirmation bias  The tendency to seek or interpret evidence in ways that support pre-existing beliefs or expectations. (p. 9-14).
Consignment inventory  Inventory that is sent by its owner (consignor) to an agent (consignee) who undertakes to sell the goods; the consignee has an obligation to pay the consignor when the goods are sold by the consignee. (p. 13-17).
Consignment sales  May occur in a transaction between a manufacturer and a wholesaler, when the seller retains title to inventory in the wholesaler’s possession, and the sale is completed when the wholesaler sells the inventory forward; a consignment sale may be created in economic substance when the terms of sale create uncertainties about whether the wholesaler assumes risk of ownership upon receipt of goods. (p. 11-9).
Control activities  Policies and procedures that help ensure that management directives are carried out. (p. 6-11).
Control environment  The attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. (p. 6-7).
Control exception (deviation)  An observed condition that provides evidence that the control being tested did not operate as intended. (p. 8-19).
Control risk  The risk that a client’s system of internal controls will not prevent or detect a material misstatement on a timely basis. (p. 3-16).
Corporate governance  The people, systems, and processes within companies used to ensure that companies are well-managed and that risks are identified and controlled by management and entity personnel. (p. 4-23).
Covered member  A person in a position to potentially influence attest decisions or the outcome of an attest engagement. (p. 2-14).
Criminal liability  Subjects auditors to penalties of fines or imprisonment or both; the only entities that can bring charges for criminal causes of action are federal or state governments. (p. 2-39).
Critical accounting estimates  Accounting estimates whose nature and impact on the financial statements are material because of the high levels of subjectivity and judgment necessary to account for highly uncertain matters. (p. 14-26).
Critical accounting policies and practices  Accounting policies and practices that are most important to the portrayal of the company’s financial condition and results, and require management’s most difficult, subjective, or complex judgments. (p. 14-26).
Current file  Contains client information that is relevant for the duration of one audit. (p. 5-26).
Current ratio  Measures ability to meet short-term obligations as they come due. (p. 4-17).
Cutoff bank statement  A bank statement for the period subsequent to the date of the balance sheet that the client requests the bank to send directly to the auditor. (p. 13-10).
Cycle counts  The client will frequently identify a small portion of items in the perpetual inventory, count actual inventory, and investigate discrepancies; the client will usually vouch items in the perpetual records to the actual inventory on hand (testing existence), and also count inventory on hand for other items and then trace results to the perpetual records (testing completeness). (p. 13-17).
Debt-to-equity ratio  Measures the relative proportion of equity and debt used to finance total assets. (p. 4-19).
Deficiency in internal control (control deficiency)  A deficiency in the design or operations of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. (p. 6-32).
Desired level of assurance  The level of assurance that the sample is representative of the population; the auditor wants to choose a level of assurance so tolerable misstatement is less likely to be exceeded by the actual misstatement in the population. (pp. 8-18, 10-12).
Detection risk  The risk that the auditor’s testing procedures will not be effective in detecting a material misstatement. (p. 3-17).
Detective controls  Controls applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis. (p. 8-8).
Difference method  A method of estimating the audited value of the population where the auditor adds (or subtracts) the projected difference between the audited value and book value of the sample to the book value of each stratum. (p. 10-30).
Direct and material effect  A situation in which noncompliance with laws and regulations impacts amounts and disclosures already included in the financial statements. (p. 4-10).
Disclaimer of opinion  Auditors provide no opinion on the financial statements due to a pervasively material scope limitation or lack of independence from the client. (p. 15-18).
Disclosure committee  A committee often led by the CFO or chief legal officer with the purpose of helping ensure that financial statement disclosures are accurate, complete, and fairly presented in all material respects. (p. 11-24).
Dual dating  Showing two dates on an audit report; one date is the end of fieldwork and the other is the date of a revision to the financial statements that occurred after the end of fieldwork. (p. 15-23).
Dual-purpose test  A substantive test of a transaction and a test of control relevant to that transaction that are performed concurrently. (p. 9-7).
Due care defense  The auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States. (p. 2-32).

Due diligence defense  An audit firm must show that it made a reasonable investigation, that the firm followed auditing standards, and accordingly had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective. (p. 2-34).
Due professional care  Exercising due professional care expected of other CPAs in the performance of professional services. (p. 2-23).
Earnings per share (EPS) ratio  Measures the earnings return on each common share issued. (p. 4-12).
Electronic invoice presentment and payment (EIPP) systems  An electronic system that uses a third-party payment process to settle a business-to-business transaction. (p. 12-22).
Emphasis-of-matter paragraph  A paragraph included in the auditor’s report that is required by generally accepted auditing standards, or is included at the auditor’s discretion, and that refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor’s professional judgment, is of such importance that it is fundamental to users’ understanding of the financial statements. (p. 15-7).
Engagement letter  Sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client. (p. 3-6).
Engagement partner  Partner or other person in the firm who is responsible for the audit engagement and its performance and for the auditor’s report that is issued on behalf of the firm. (p. 14-17).
Engagement quality control reviewer  A partner or other person in the firm, who is not part of the engagement team, who has sufficient and appropriate experience and authority to objectively evaluate the significant judgments that the engagement team made and the conclusions it reached in formulating the auditor’s report. (p. 14-17).
Entity-level controls  The client’s control environment, risk assessment process, information system, control activities, and monitoring of controls that exist at the organizational level. (p. 6-7).
Entity-level risk  Client risk that affects multiple financial statement accounts, assertions, and transaction classes. (p. 4-4).
Error  An unintentional misstatement in amounts or disclosures in the financial statements. (p. 3-25).
Estimation uncertainty  The susceptibility of an accounting estimate and related disclosures to an inherent lack of precision in its measurement. (p. 9-19).
Evaluated receipt settlement (ERS)  A highly automated business process between suppliers and purchasers to exchange data electronically and execute a purchase transaction electronically. (p. 12-21).
Examining subsequent payments  Examining vouchers paid after the balance sheet date (or an interim date) to determine if the payment is for an obligation that existed as of the balance sheet date (or an interim date) and whether the obligation was in fact recorded as of the balance sheet date (or an interim date). (p. 12-32).
Executive directors  Employees of the company who also hold a position on the board of directors. (p. 4-24).
Expected misstatement (EM)  The amount of misstatement the auditor expects in a transaction class or account balance when performing a substantive test. (p. 10-13).
Expected rate of deviation in the population  The rate at which the auditor expects controls not to function as planned. (p. 8-18).
Extent of an audit procedure  The determination of the quantity of audit procedures to be performed. (p. 3-21).
External confirmation  An audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form, and the third party responds directly to the auditor on the matter(s) included in the confirmation. (p. 5-13).
False positives  Items incorrectly identified as notable items. (p. 7-16).
Familiarity threat  The threat that, due to a long or close relationship with a client, a CPA will become too sympathetic to the client’s interests or too accepting of the client’s work or product. (p. 2-8).
Financing activities  Transactions and events whereby cash is obtained from, or repaid to, lenders (debt financing) or owners (equity financing). (p. 13-37).
FOB destination  Title passes from seller to buyer when goods arrive at the customer’s warehouse. (p. 11-32).
FOB shipping point  Title passes from seller to buyer when goods are shipped. (p. 11-32).
Foreseeable parties  Individuals or entities who the auditor either knew, or should have known, would rely on the audit report. (p. 2-30).
Foreseen class  A limited class of third parties known to be relying on the financial statements. (p. 2-30).
Fraud (auditor legal liability)  Intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another. (p. 2-28).
Fraud (client management)  An intentional act through the use of deception that results in a misstatement in financial statements that are the subject of an audit. (p. 3-25).
Fraud risk factors  Conditions that indicate an incentive or pressure to commit fraud, provide an opportunity to commit fraud, or indicate rationalizations to justify fraudulent actions. (p. 3-26).
Fraudulent financial reporting  Intentional misstatements, including omissions of amounts and disclosures in financial statements, to deceive financial statement users. (p. 3-26).
Going concern assumption  The viability of an entity to remain in business for the foreseeable future. (p. 14-18).
Gross negligence  Failure to use even slight care in the circumstances. (p. 2-28).
Gross operating cycle  Measures how many days, on average, it takes to purchase inventory, sell it, and collect the receivable. (p. 4-18).
Gross profit margin  Measures whether a seller of goods has sufficient markup on goods sold to pay other expenses. (p. 4-16).
Gross sales  Total revenues before any deductions, such as deductions for sales returns and allowances. (p. 11-10).
Group audit  An audit of group financial statements. (p. 5-23).
Group engagement partner  The partner who is responsible for the group audit engagement and its performance and for the auditor’s report on the group financial statements that is issued on behalf of the firm. (p. 5-23).
Group engagement team  Partners and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process, and evaluate audit evidence to form an opinion on the group financial statements. (p. 5-23).
Group financial statements  Financial statements that include the financial information of more than one entity, or component. (p. 5-23).
Haphazard selection  The selection of a sample without use of a methodical technique. (p. 10-11).
Illegal acts  Violations of laws or governmental regulations. (p. 4-10).
Immediate family member  A covered member’s spouse, spouse equivalent, or dependent. (p. 2-15).

*Imprest payroll bank account  A bank account that only processes payroll transactions; only the exact amount needed to clear net payroll transactions is transferred into this account, and after payroll disbursements are made the balance in the account is zero. (p. 12-34).
Independence  A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. (p. 2-12).
Independent in appearance  Avoiding potential conflicts of interest that can be observed by others. (p. 2-13).
Independent in fact  Acting with integrity and objectivity, being honest, and not subordinating the public trust to personal gain and advantages. (p. 2-12).
Indirect effect  A situation in which noncompliance with laws and regulations does not have a direct impact on amounts and disclosures in the financial statements, but could require the creation of a contingent liability or an additional disclosure. (p. 4-10).
Information and communication  The information and communication system relevant to financial reporting objectives, which includes the accounting system, consists of methods and records established to identify, assemble, analyze, classify, record, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities; communication involves a clear understanding of individual roles and responsibilities pertaining to ICFR. (p. 6-14).
Information technology (IT)  The use of computers to process, record, and store financial reporting data and other information. (p. 4-26).
Inherent risk  The susceptibility of an assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. (p. 3-16).
Inquiry  An evidence-gathering procedure that involves asking questions verbally or in written form to gain an understanding of various matters throughout the audit. (p. 5-12).
Inspection  An evidence-gathering procedure that involves examining documents and physical assets. (p. 5-11).
Integrated audit  An audit that combines the financial statement audit with an audit of the effectiveness of ICFR. (pp. 1-6, 15-26).
Integrity and objectivity  In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. (p. 2-11).
Internal audit  A function within an entity which generally evaluates and improves risk management, internal control procedures and elements of the governance process. (p. 1-8).
Internal auditors  Employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. (p. 5-20).
Internal control  A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance. (p. 6-3).
Interpretations  Provide additional guidance regarding the scope and applicability of the rules of conduct. (p. 2-6).
Inventory turnover in days  Measures how many days, on average, it takes a company to sell its inventory. (p. 4-18).
Investing activities  The purchase and sale of land, buildings, equipment, and other long-term assets not generally held for resale; in addition, investing activities include the purchase and sale of financial instruments that are not intended for trading purposes. (p. 13-28).
IT application controls  Controls designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specific applications. (p. 6-25).
IT-dependent manual controls  Controls that involve manual review of the completeness and accuracy of computer-generated information. (p. 6-27).
IT general controls  Controls of program development, program changes, computer operations, and access to programs and data; these entity-level controls are designed to provide reasonable assurance that individual software applications operate consistently and effectively. (p. 6-24).
Key performance indicators (KPIs)  Measurements, agreed to beforehand, that can be quantified and reflect the success factors of an organization. (p. 4-12).
Key position  A position with an attest client where an individual can exercise influence over the financial statements. (p. 2-15).
Kickback  The entity pays inflated prices to the vendor, and the employee receives a payment for facilitating the inflated transactions with vendor. (p. 12-27).
Kiting  A method often used to conceal a cash shortage or to overstate cash; kiting involves recording a transfer between bank accounts as a deposit while failing to record the cash disbursement in the same time period. (p. 13-7).
Lapping  A scheme where an accounting clerk incorrectly classifies cash receipts from one customer to another in order to cover up the diversion of funds from a customer for personal gain. (p. 11-26).
Lead schedule  Summarizes the detail included in a specific account on the financial statements. (p. 5-26).
Legal letter  An audit inquiry sent to a client’s external and in-house legal counsel to obtain information about litigation, assessments, and claims. (p. 14-4).
Liquidity  The ability of a company to pay its current debts when they fall due. (p. 4-13).
Lockbox system  Cash is received at a post office box that is controlled by the client’s bank; the bank picks up the mail daily (or more frequently) and deposits the checks in the company’s bank account. (p. 11-20).
Logical sampling unit  The item snagged by the sampling plan for audit, such as an individual customer or individual sales invoice; auditing procedures are performed on the logical sampling unit. (p. 10-18).
Loss contingency  An existing condition or situation involving uncertainty as to possible loss that will ultimately be resolved when one or more future events occur or fail to occur. (p. 14-3).
Management bias  A lack of neutrality by management in the preparation and fair presentation of information. (p. 9-20).
Management letter  A document prepared by the audit team and provided to the client that discusses internal control weaknesses and other matters discovered during the course of the audit. (p. 6-33).
Management participation threat  The threat that a CPA will take on the role of client management or otherwise assume management responsibilities. (p. 2-8).
Management representation letter  A letter from management to the auditor acknowledging management’s responsibility for the preparation of the financial statements and details of any verbal representations made by management during the course of the audit. (p. 14-22).
Matching information in key data fields  The process whereby the auditor uses audit data analytics to search for key characteristics that may exist in several different databases. (p. 7-25).
Materiality  The ability of information to influence decisions that users make on the basis of the financial information of a specific reporting entity. (pp. 1-7, 3-10).
Material weakness  A deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. (pp. 1-28, 6-32).
Misappropriation of assets  Intentional theft of a company’s assets by employees. (p. 3-26).
Misstatement  A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework; misstatements can arise from error or fraud. (p. 9-26).
Modified opinion  A qualified opinion, an adverse opinion, or a disclaimer of opinion. (p. 15-14).
Monitoring  A process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. (p. 6-16).
*MPU estimation  A sampling method that involves determining an audit value for each item in the sample; an average (or mean) of these audit values is then calculated and multiplied by the number of units in the population to obtain an estimate of the total population value. (p. 10-33).
Nature of an audit procedure  The determination of what type of audit procedure to use, such as tests of controls or substantive procedures. (p. 3-21).
Negative confirmation  Correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter only if the party disagrees with the information provided. (p. 5-14).
Net operating cycle  Measures how many days, on average, it takes a company to purchase and sell inventory, collect the receivable, and pay back creditors. (p. 4-18).
Non-executive directors  Board members who are not employees of the company; their involvement on the board is limited to preparing for and attending board meetings and relevant board committee meetings. (p. 4-24).
Nonsampling risk  The risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. (p. 10-7).
Nonstatistical sampling  Involves any sample selection method and evaluation method that does not have the characteristics of statistical sampling. (p. 10-8).
Notable item  An item identified from the population being analyzed that has one or more characteristics that, for a relevant assertion, may do the following: (a) be indicative of a risk of material misstatement, or (b) provide information useful in designing or tailoring procedures to address risks of material misstatement. (p. 7-15).
Observation  An evidence-gathering procedure that involves watching a process or procedure being carried out by client personnel or another party. (p. 5-12).
Operational (performance) audit  An assessment of the economy, efficiency and effectiveness of an organization’s operations. (p. 1-7).
Ordinary negligence  Failure to exercise the degree of care a reasonable person would exercise under the same circumstances. (p. 2-28).
Other beneficiaries  Unnamed third parties, such as creditors, stockholders, and potential investors, who use the auditor’s report. (p. 2-29).
Payables turnover in days  Measures how many days, on average, it takes a company to pay its suppliers. (p. 4-18).
*Payroll process  Transactions and balances related to the payment of salaries, hourly and incentive compensation, commissions, and bonuses. (p. 12-34).
Performance materiality  Amount or amounts set by the auditors at less than the materiality level for particular classes of transactions, account balances, or disclosures. (p. 3-13).
Permanent file  Contains client information that is relevant for more than one audit. (p. 5-25).
Pervasive  A description of the impact or possible impact of a material misstatement or material scope limitation on the financial statements as a whole. (p. 15-14).
Planning and supervision  Adequately plan and supervise the performance of professional services. (p. 2-23).
Population  The class of transactions or the account balance to be tested. (p. 10-9).
Positive confirmation  Correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter in all circumstances (that is, whether they agree or disagree with the information included in the auditor’s letter). (p. 5-14).
Preventive controls  Controls applied to each transaction that stop fraud or errors from occurring. (p. 8-7).
Price–earnings (PE) ratio  Measures how much a stockholder is willing to pay per dollar of earnings. (p. 4-12).
Primary beneficiary  Anyone identified to the auditor by name prior to the audit who is a recipient of the auditor’s report. (p. 2-29).
Principles  Express the basic tenets of ethical conduct and provide the framework for the rules that govern the performance of the member’s professional responsibilities. (p. 2-6).
Privity of contract  A contractual relationship that exists between two or more contracting parties. (p. 2-27).
Probability-proportionate-to-size (PPS) sampling  An approach to sampling that uses attribute sampling theory to express a conclusion in dollar amounts; with this sampling technique, the probability that a particular sampling unit will be chosen in the sample is proportionate to the monetary size of the item. (p. 10-17).
Professional competence  Undertaking only those professional services that a CPA or a CPA’s firm can reasonably expect to complete with professional competence. (p. 2-23).
Professional judgment  The application of relevant training, knowledge, and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement. (p. 1-12).
Professional skepticism  An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence. (pp. 1-12, 3-15).
Profitability  The ability of a company to earn a profit. (p. 4-12).
Profit margin  Measures profitability after taking into account all operating expenses. (p. 4-16).
Projected misstatement (PM)  A projection of the misstatement in the population based on the findings in the sample. (p. 10-23).
Proportionate liability  Defendants who are not found to have “knowingly committed a violation” of the securities law are liable based on the defendant’s percentage of responsibility. (p. 2-37).
Purchasing process (procurement process)  Involves selecting vendors, establishing payment terms, negotiating contracts, purchasing goods, receiving goods, and recording purchases and payment of liabilities. (p. 12-4).
Qualified opinion  Auditors state the financial statements are fairly presented except for a material departure from the applicable financial reporting framework or a material scope limitation. (p. 15-15).
Qualitative materiality  Information or misstatements that impact a user’s decision-making process for a reason other than its magnitude. (p. 3-11).
G-6 GLOSSARY

Quantitative materiality  Information or misstatements that exceed the magnitude of an auditor’s preliminary materiality assessment, which is a percentage of an appropriate benchmark. (p. 3-11).

Random selection  Involves selecting a sample that is free from bias and for which each item in a population has an equal chance of selection. (p. 10-9).

Ratio method  A method of estimating the audited value of the population where the auditor estimates the audited value of the population based on the ratio of the audited value in each stratum divided by the book value of the sample in each stratum. (p. 10-30).

Reasonable assurance  A high, but not absolute, level of assurance. (p. 1-19).

Reasonable period of time  The period of time required by the applicable financial reporting framework, or if no such framework exists, for one year after the date that the financial statements are issued. (p. 14-19).

Recalculation  An audit procedure that involves checking the mathematical accuracy of documents or records. (p. 5-15).

Receivable confirmation  Correspondence sent directly by the auditors to their client’s customers requesting information about amounts owed to the client by the customer. (p. 5-14).

Receivables turnover in days  Measures how many days, on average, it takes a company to collect its receivables. (p. 4-18).

Reciprocal population  A population that is overstated if the population of interest is understated (or vice versa). (p. 10-16).

Refund rights  A sale is made with the right to return the goods for a full refund, even if the goods are not defective. (p. 11-9).

Regression analysis  A statistical process that involves estimating a prediction equation that expresses an item of interest (commonly known as the y or dependent variable) in terms of other data fields (the x or independent variables). (p. 7-30).

Related party  An affiliate, principal owner, manager, or other party that is not independent of the entity. (p. 4-22).

Relevance  Refers to the logical connection with the assertion being tested. (p. 5-8).

Relevant assertions  Assertions that have a reasonable possibility of containing a material misstatement that would cause the financial statements to be materially misstated and, therefore, have a meaningful impact on whether the account is fairly stated. (pp. 5-6, 9-7).

Reliability  Refers to the source, form, or nature of the audit evidence. (p. 5-8).

Reperformance  An audit procedure that involves the independent execution of procedures or controls that were originally performed by client personnel. (p. 5-16).

Reporting phase  Evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements. (p. 3-8).

Return on assets (ROA) ratio  Measures ability to generate income from average investment in total assets. (p. 4-17).

Return on stockholders’ equity (ROE) ratio  Measures ability to generate income from funds invested by common stockholders. (p. 4-17).

Review engagement  An engagement in which a CPA uses inquiry and analytical procedures to provide limited assurance that no material modifications should be made to the financial statements for them to be in accordance with the applicable financial reporting framework. (p. 15-32).

Risk assessment phase  Gaining an understanding of the client, identifying risk factors, developing an audit strategy, and setting planning materiality. (p. 3-8).

Risk assessment process  The entity’s process for identifying and responding to risks that an organization will not achieve its objectives. (p. 6-10).

Risk of incorrect acceptance  The risk that the auditor concludes that a material misstatement does not exist when it does. (p. 10-6).

Risk of incorrect rejection  The risk that the auditor concludes that a material misstatement exists when it does not. (p. 10-6).

Risk of material misstatement (RMM)  The risk that the financial statements are materially misstated prior to the audit; a combination of inherent risk and control risk. (p. 3-17).

Risk response phase  Performing tests of controls and detailed substantive testing of transactions and accounts, concentrating effort where the risk of material misstatement is greatest. (p. 3-8).

Roll-forward procedures  Procedures performed at year-end on transactions occurring between an interim date and year-end (the roll-forward period) to provide sufficient appropriate audit evidence on which to base conclusions at year-end when substantive procedures are performed at an interim date. (p. 9-15).

Rules of conduct  Establish minimum standards of acceptable conduct in the performance of professional services. (p. 2-6).

Sampling risk  The risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. (p. 10-6).

Sampling unit  A subset of the population that is the basis for sampling. (p. 10-9).

Scanning  A type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items to examine further. (p. 5-16).

Scienter  The auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation. (p. 2-36).

Search for unrecorded liabilities  Procedures designed specifically to detect significant unrecorded obligations as of the balance sheet date (or as of an interim date). (p. 12-32).

Self-interest threat  The threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client. (p. 2-9).

Self-review threat  The threat that a CPA will not appropriately evaluate the results of a previous judgment made by, or service performed by, an individual in the member’s firm, and that the CPA will rely on that work in forming a judgment as part of an engagement. (p. 2-9).

Significant deficiency  A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. (p. 6-32).

Significant risk  An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration. (pp. 3-16, 9-8).

Solvency  The ability of a company to meet its long-term financial obligations. (p. 4-13).

Specialist  An individual or organization with expertise in a field other than accounting or auditing whose work in that field is used by the auditors to assist in obtaining sufficient appropriate evidence. (p. 5-18).

Statistical sampling  An approach to sampling that involves a random selection of sample items and the use of an appropriate statistical technique to determine sample size and evaluate the sample results, including a measurement of sampling risk. (p. 10-8).

Statutory law  Law established by state and federal legislative bodies that specifically addresses the auditor’s liability under certain circumstances. (p. 2-33).

Stratification  A process of dividing a population into groups of sampling units with similar characteristics that are more homogeneous. (p. 10-10).
Subsequent events  Events occurring between the date of the financial statements and the date of the auditor’s report. (p. 14-8).

Subsequently discovered facts  Facts that become known to the auditor after the date of the auditor’s report that, had they been known to the auditor at that date, might have caused the auditor to revise the auditor’s report. (p. 15-22).

Substantive procedures (substantive testing or tests of details)  Audit procedures designed to detect material misstatements at the assertion level and to gather evidence to support management assertions. (pp. 3-21, 9-3).

Sufficient  Refers to the quantity of audit evidence gathered. (p. 5-7).

Sufficient relevant data  Obtain sufficient relevant data to afford a reasonable basis for conclusion or recommendation in relation to any professional services performed. (p. 2-23).

Sustainable cash flow from operations  Cash flow from operations adjusted for one-time influences. (p. 4-13).

Sustainable free cash flow  Measures cash flow remaining after covering cash outflows for operations and capital expenditures. (p. 4-18).

Systematic selection  Involves the selection of a sample for testing by dividing the number of items in a population by the sample size, determining a sampling interval (n), and then selecting every nth item in the population. (p. 10-10).

Tests of controls (controls testing)  Audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. (pp. 3-21, 8-13).

Third party  An individual or collective group who is not in privity with the parties to a contract. (p. 2-29).

Third-party payment processor  An independent third party such as a bank or payment processor that processes a payment from the purchaser to the supplier; federal regulations require that the third-party payment process is PCI security compliant. (p. 12-22).

Those charged with governance  Persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. (pp. 1-8, 4-24).

Times-interest-earned ratio  Measures ability of earnings to cover interest payments. (p. 4-19).

Timing of an audit procedure  The determination of when an audit procedure is to be performed. (p. 3-21).

Tolerable deviation rate  The maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk. (p. 8-17).

Tolerable misstatement (TM)  The maximum dollar amount of misstatement that an auditor is willing to accept within the population tested, and conclude that the population is presented fairly when performing a substantive test. (p. 10-13).

Tort  A wrongful act that injures another person’s property, body, or reputation. (p. 2-28).

Tracing  A type of inspection in which auditors select source documents and work forward to follow the transaction through to recording in the journal and ledger; tracing provides evidence for the completeness assertion. (p. 5-11).

Transaction-level controls  Controls that affect a particular transaction or group of transactions. (p. 6-19).

Transaction-level risk  Client risk that affects only one transaction class, account, or assertion. (p. 4-4).

Transfer agent  A trust company, bank, or similar financial institution assigned by a corporation to maintain records of investors and account balances; the transfer agent records transactions, cancels or issues stock certificates, and processes investor mailings. (p. 13-40).

Trend analysis  A comparison of account balances over time. (p. 4-15).

Type I subsequent events  Conditions that existed at the date of the financial statements and require adjustment to the financial statements. (p. 14-8).

Type II subsequent events  Conditions that arose after the date of the financial statements and may require disclosure in the notes to the financial statements. (p. 14-8).

Undue influence threat  The threat that a CPA will subordinate his or her judgment to an individual associated with a client or any relevant third party due to that individual’s reputation or expertise, aggressive or dominant personality, or attempts to coerce or exercise excessive influence over the CPA. (p. 2-9).

Unmodified opinion  The opinion expressed by the auditor when the auditor concludes that the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. (p. 15-4).

Upper misstatement limit  A statistical estimate of the maximum misstatement in the population based on the sample. (p. 10-22).

Visualization  The representation of a data set, or key information, as a chart or other image to explain and communicate findings. (pp. 5-17, 7-34).

Vouching  A type of inspection in which auditors select transactions from a journal or ledger and work backward to examine the underlying source documents. Vouching provides evidence for the occurrence or existence assertion. (p. 5-11).

Walkthrough  Following a transaction from initiating the transaction until it is recorded in the financial records. (p. 6-19).

What can go wrong (WCGW)  Describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant financial statement assertion. (p. 8-4).

Working papers  Paper or electronic documentation of the audit created by the audit team as evidence of the work completed. (p. 5-24).

Written representation  A written statement by management provided to the auditor to confirm certain matters or to support other audit evidence. (p. 14-21).
Index
1136 Tenants’ Corp v. Max completeness of, 11-18 some misstatements found, AS 2110, 3-2, 3-16, 3-25, 3-30, 4-4,
Rothenberg & Co. (1971), confirmation of, 11-33–11-37 10-23 6-3, 8-7
2-28–2-29 estimates of, 11-7 American Institute of Certified AS 2201, 1-2, 1-6, 1-25–1-26, 1-27,
rights and obligations of, 11-18 Public Accountants. See 6-7, 6-32, 8-6, 8-29, 15-26,
A
trial balance, 11-31 AICPA 15-29
Ability of cash flow from
validating with subsequent cash Analytical procedures AS 2301, 3-2, 3-22, 9-5, 9-7
operations to cover current
receipts, 7-38–7-42 audit data analytics (ADA), 4-20 AS 2305, 9-2, 9-9
debt and dividends, 4-18
WCGW, 11-16–11-18 to audit long-term debt, 13-39 AS 2310, 11-2, 11-33
Absolute assurance, 1-19
write-off authorization, 11-23 as audit procedure, 5-16 AS 2315, 10-2, 10-5
Access controls, 6-25
Accuracy cash and cash equivalents and, AS 2401, 3-2, 14-13
Accounting
of cash disbursements, 12-20, 13-4 AS 2405, 4-2, 4-10
forensic, 14-13
12-23 common-size analysis, AS 2410, 4-2, 4-22
professionalism and, 2-3–2-5
of payroll, 12-41 4-15–4-16 AS 2415, 14-2, 14-19, 15-8
Accounting estimates
of purchases, 12-16, 12-23 comparisons, 4-14–4-15 AS 2501, 9-2, 9-19
assumption used by
of sales, 11-17–11-18 defined, 4-14, 5-16, 9-9 AS 2502, 9-2, 9-19
management, 9-23, 9-25
Accuracy and valuation assertion, factors to consider when AS 2505, 14-2, 14-4
critical, 14-26
5-4, 5-6 conducting, 4-20–4-21 AS 2605, 5-2, 5-21
defined, 9-19
Accuracy assertion, 5-4 final, 14-11 AS 2610, 3-4
estimation uncertainty, 9-19
Acid-test (quick) ratio, 4-17–4-18 financing activities, 13-39 AS 2801, 14-2, 14-8
example of, 9-24–9-25
Activity ratios, 4-17–4-19 interpreting results of, 9-12 AS 2805, 14-2, 14-21–14-22
fair value, 9-23
ADA. See Audit data analytics for inventory, 13-13–13-14 AS 2810, 9-2, 9-26, 14-11
how they are made, 9-21, 9-24
Advance shipping notice (ASN), multidimensional analysis, AS 2820, 15-2, 15-10
inspecting events and, 9-23, 9-25
12-22 4-20 AS 2905, 15-2, 15-22, 15-23
inventory, 13-26–13-27
Adverse interest threat, 2-8 payroll process, 12-36 AS 3101, 1-2, 1-24, 15-6, 15-7
management bias and, 9-20
Adverse opinion. See also Opinions property, plant, and equipment, AS 3105, 15-2, 15-14, 15-20
method of measurement, 9-23
basis for, 15-16–15-17 13-30 ASN (advance shipping notice),
nature of, 9-19–9-21
defined, 15-15 purchasing process, 12-7 12-22
prior period, inspecting
on effectiveness of ICFR, ratio analysis, 4-16–4-19 ASR. See Allowance for sampling
outcome of, 9-22, 9-24
15-28–15-29 regression analysis, 4-20 risk
process for identifying need for,
illustrated, 15-16 reliable information sources, Assertions
9-21, 9-24
Advocacy threat, 2-8 4-21 audit strategy for, 6-19
recalculating, 9-23, 9-25
AICPA (American Institute requirement, 4-14 by category, 9-4
risk assessment procedures for,
of Certified Public results of, 9-12 defined, 3-16, 5-3
9-21–9-22, 9-24
Accountants) for revenue process, 11-6–11-8 in guiding procedures, 3-16
risk response procedures for,
ASB, 1-15–1-17 review engagement, high risk, 3-18–3-19, 5-9
9-22–9-23, 9-25
Audit Guide: Audit Sampling, 15-32–15-33 low risk, 3-19–3-20, 5-9
as significant risks, 9-23
8-17, 10-17 substantive, 9-9–9-12 management, 5-3–5-7
types of, 9-19
Code of Professional Conduct, time-series analysis, 4-20 related to physical assets,
Accounting firms, as assurance
2-3–2-26 trend analysis, 4-15 5-12
providers, 1-12
committees, 1-15 use of, 4-14 Assurance
Accounting principles
Conceptual Framework for Apple, Inc., 13-3 absolute, 1-19
change in, 15-8–15-9
Members in Public Practice, Applicable financial reporting desired level of, 8-18,
client refusal to disclose
2-7–2-26 framework, 1-4 10-12–10-13
material change in, 15-9
defined, 1-15 Application system acquisition, illegal acts and, 4-10
client selection and application
PPS sampling model, 10-17 development, and relative, 1-19–1-20
of, 4-5, 4-6
role of, 1-15–1-17 maintenance controls, 6-25 Assurance services
Accounting principles rule, 2-25
tolerable deviation rate, 8-17 Appropriate audit evidence, 5-8, defined, 1-5
Accounting records
AICPA Guide to Audit Data 5-9–5-10 demand for, 1-8–1-11
as audit evidence, 5-10–5-11
Analytics, 7-2–7-3, 7-9, Approved payroll master file, providers of, 1-12
defined, 5-10
7-15, 7-16 12-38 sources of demand for, 1-10
Accounts payable
Allied Crude Vegetable Oil, 13-22 Arthur Andersen LLP, 3-4 Attest clients
confirmation of, 12-32
Allowance for doubtful accounts, AS 1015, 3-2 employment or association
relationship between purchases
evaluating, 11-37 AS 1101, 3-2, 3-15 with, 2-17–2-18
and, 12-7
Allowance for sampling risk (ASR) AS 1105, 5-2, 5-6, 5-7, 7-7 rule for, public versus private,
substantive tests for, 12-30
classical variables sampling, AS 1201, 14-2, 14-16 2-17
WCGW and key controls,
10-36 AS 1205, 5-2, 5-23, 15-13 working in key position, 2-15
12-15–12-17
defined, 10-23 AS 1210, 12-2, 12-48 Attestation services
Accounts receivable growth to
incremental, calculating, 10-24 AS 1215, 5-2, 5-24, 8-30, 14-17 defined, 1-4
sales growth ratio, 11-6
incremental change for, 10-25 AS 1220, 14-2, 14-17 relationship of assurance and
Accounts receivable turnover in
no misstatements found, 10-23 AS 1301, 3-2, 3-6, 4-2, 4-24, 14-24, audit services, 1-3–1-4
days, 11-6, 11-7
planned, 10-36 14-26 Attitudes and rationalization to
Accounts receivables
ratio to tolerable misstatement, AS 2101, 3-2, 3-9 justify fraud, 3-29
comparison to receivables
10-36 AS 2105, 3-10, 3-11 Attribute sampling, 8-19
estimate, 11-8
AU-C 200, 1-2, 1-4, 1-6–1-7, 1-19, conclusions, drawing, 7-8–7-9 risk analysis decision tree and, applying, classical variable
3-2, 3-15 conclusions, drawing (cluster 7-14–7-15 sampling, 10-37
AU-C 210, 3-2, 3-4, 3-6 analytics), 7-21–7-24 as risk assessment procedure, applying, nonstatistical
AU-C 220, 14-2, 14-16, 14-17 conclusions, drawing (matching 7-13–7-17 sampling, 10-30
AU-C 230, 5-2, 5-24, 7-9, 8-30, information), 7-29–7-30 software use, 5-17 applying, PPS sampling, 10-22
14-17 conclusions, drawing steps associated with accessing audit data analytics (ADA),
AU-C 240, 3-2, 3-25, 3-30, 9-22, (regression analysis), 7-34 and preparing data for, 5-16–5-17
14-13, 14-25 data completion and, 7-6, 7-11 7-11–7-13 bank confirmation, 5-13–5-14
AU-C 250, 4-2, 4-10, 14-25 data formats, 7-6 steps in performing, 7-3–7-10 extent of, 3-21
AU-C 260, 4-2, 4-24, 14-24, 14-26, defined, 4-20, 5-17, 7-2–7-3 substantive procedures and, external confirmation, 5-13
14-28 documentation, 7-9–7-10 9-13–9-14, 11-31–11-32 in gathering evidence, 5-11
AU-C 265, 6-2, 6-32, 6-34, 8-6, factors that influence use as substantive test, 12-31 identifying going concern
8-29 decision, 10-4 successful, 7-36 issues, 14-20–14-21
AU-C 300, 3-2, 3-4 five-step process for planning use of, 7-4 inquiry, 5-12
AU-C 315, 3-2, 3-16, 4-4, 4-14, and performing, 7-4 visualization, 5-17, 7-34–7-36 inspection, 5-11–5-12
4-26, 5-3, 6-3, 6-12, 6-15, in fraud risk assessment, 12-27, when to use, 10-3 for loss contingencies,
6-29, 7-13–7-14, 7-37, 8-7, 9-4 12-44 Audit data analytics as 14-3–14-7
AU-C 320, 3-2, 3-11, 3-13 inventory and, 13-18 substantive test nature of, 3-21
AU-C 330, 3-2, 3-22, 9-5, 9-7 issues in planning data for, 7-6 accessing and preparing the negative confirmation, 5-14
AU-C 450, 9-2, 9-26, 14-14 large number of notable items data for, 7-39–7-40 observation, 5-12
AU-C 500, 5-2, 5-7, 5-8, 7-6–7-7, and, 7-16–7-17 applying, 7-38–7-42 performing in response to
7-37 matching information in key evaluating the relevance and assessed risks, 9-5
AU-C 501, 13-2, 13-22, 14-4 data fields, 7-25–7-30 reliability of data for, 7-40 positive confirmation, 5-14
AU-C 505, 5-2, 5-13, 11-33 notable items and, 7-15–7-17 evaluating the results and property, plant, and equipment,
AU-C 510, 9-2, 9-9 overview of, 4-20, 7-3 drawing conclusions, 13-32
AU-C 520, 9-2, 9-9, 14-11 overview of applying, 7-5 7-41–7-42 recalculation, 5-15–5-16
AU-C 530, 10-2, 10-5, 10-8, 10-12, payroll process and, 12-47 overview, 7-38 receivable confirmation,
10-29 performing, 7-7–7-8 performing, 7-40–7-41 5-13–5-14
AU-C 540, 9-2, 9-19, 9-20 performing (cluster analytics), planning, 7-38–7-39 reperformance, 5-16
AU-C 550, 4-2, 4-22 7-21–7-24 using, 7-37–7-38 risk assessment, 5-11
AU-C 560, 14-2, 14-8, 15-22, 15-23 performing (matching validating sale revenue and scanning, 5-16
AU-C 570, 14-2, 14-19, 15-7 information), 7-28–7-29 accounts receivable, in subsequent event
AU-C 580, 14-2, 14-21–14-22 performing (regression 7-38–7-42 identification, 14-9
AU-C 600, 5-2, 5-23, 15-12 analysis), 7-33 Audit evidence subsequently discovered facts,
AU-C 610, 5-2, 5-20–5-21 personal views on the use of, accounting records as, 5-10–5-11 15-23
AU-C 620, 5-2, 5-19, 12-48 7-10 appropriate, 5-8, 5-9–5-10 substantive, 3-21, 3-22, 5-11,
AU-C 700, 1-2, 15-4 planning, 7-5 audit procedures and, 9-1–9-36
AU-C 705, 15-2, 15-14, 15-17, 15-19 planning (cluster analysis), 5-10–5-17 tests of controls, 3-21, 5-11
AU-C 706, 15-2, 15-7, 15-10 7-19–7-20 audit program and, 5-7 those charged with governance
AU-C 708, 15-2, 15-8, 15-9, 15-10 planning (matching audit risk and, 5-9–5-10 and, 14-21
AU-C 940, 15-2, 15-29 information), 7-26 characteristics of, 5-7–5-10 timing of, 3-21
Audit committee planning (regression analysis), defined, 5-7 types of, 3-21
communication with, 4-24–4-25 7-31–7-32 management assertions and, “year-end,” 3-21
defined, 2-20, 4-24 property, plant, and equipment 5-3–5-7 Audit program, 5-7
disclosures to, 2-22 and, 13-32 procedures for gathering, Audit report
recruiting, 4-25 in purchasing cycle, 12-27 5-10–5-17 on audit of ICFR,
Sarbanes-Oxley Act (SOX) and, purchasing process and, 12-27 relevance of, 5-8 15-26–15-30
4-25 questions in planning, 7-5 reliability of, 5-8 as end product, 15-3
Audit data analytics (ADA) ranking of inventory, 7-8 of risk of material misstatement standard unmodified,
accessing and preparing the regression analysis, 7-30–7-34 (RMM), 9-5 15-3–15-12
data for, 7-6 relevance and reliability of data sufficient, 5-7, 5-9–5-10 unqualified, 15-5–15-6
accessing and preparing the data for, 7-6–7-7 using the work of others and, Audit report on financial
for (cluster analysis), 7-20 relevance and reliability of 5-18–5-24 statements
accessing and preparing data for (cluster analysis), working papers, 5-24–5-29 conclusions, 1-24
the data for (matching 7-20–7-21 Audit expectations gap format, 1-20–1-21
information), 7-27 relevance and reliability of data cause of, 1-28–1-29 new, PCAOB release of, 1-24
accessing and preparing for (matching information), defined, 1-28 situations causing modified
the data for (regression 7-27–7-28 graphical representation, 1-29 options, 1-24
analysis), 7-32 relevance and reliability of data reducing, 1-29 unmodified, 1-21–1-22,
application as risk assessment for (regression analysis), Audit phases 15-4–15-5
procedure, 7-17–7-37 7-32 illustrated, 3-9 unqualified, 1-22–1-23,
application of, 10-3 results, evaluating, 7-8–7-9 reporting phase, 3-8, 3-10 15-5–15-6
application purpose results, evaluating (cluster risk assessment phase, 3-8, 3-9 Audit report on internal controls
consideration, 7-11 analytics), 7-21–7-24 risk response phase, 3-8, 3-9 over financial reporting
as audit procedure, 5-16–5-17 results, evaluating (matching Audit plan, 3-21 (ICFR)
audit sampling versus, information), 7-29–7-30 Audit principles, 1-15–1-16 adverse opinion, 1-28
10-3–10-5, 10-16 results, evaluating (regression Audit procedures elements of, 1-27–1-28
clean data and, 7-6, 7-11–7-12 analysis), 7-34 analytical procedures, 4-14–4-21, example of, 1-26–1-28
cluster analysis, 7-18–7-25 in revenue process, 11-27 5-16 material weakness and, 1-28
reasonable assurance and, Audit standards, 1-24 threats identification, 2-8–2-9 Blockchain, 6-28
1-25–1-26 Audit strategy using work of another, 5-23 Board of directors, 4-24
unqualified, 1-26–1-27 for assertions, 6-19 Audits Boeing Company, 1-20, 3-9
Audit risk. See also Risk basis of, 3-21 compliance, 1-7 Bond trustee, 13-40
assessment phase for cash and cash equivalents, financial statement, 1-6–1-7 Bonds
control risk, 3-16, 3-17, 3-19 13-4–13-5 integrated, 1-6, 15-26, 15-29 authorizing, 13-40
defined, 1-20, 3-9 financing activities, 13-41 internal, 1-8 issuing, 13-40
detection risk, 3-17–3-18, 3-21 high RMM and, 3-24 operational (performance), redeeming and reacquiring,
high risk assertions, “interim” period and, 3-21 1-7–1-8 13-40
3-18–3-19, 5-9 for inventory, 13-18–13-19 Authorization controls, 6-12 BP (basic precision), 10-23, 10-24
inherent risk, 3-16, 3-17, 3-19, low RMM and, 3-22 Authorization of transactions, 8-3 “Brainstorming session,” 3-30
3-20, 3-24, 4-3 preliminary, determining, 8-5 Authorized vendor list controls, Breach of contract, 2-27–2-28
low risk assertions, process at account or assertion 12-13–12-14 Burden of proof, common law
3-19–3-20, 5-9 level, 3-23 Automated controls. See also defenses and, 2-32
model and components, process for developing, 11-13 IT application controls; IT Business relationships, SEC rules
3-17–3-20 reliance on controls approach, general controls (ITGCs); on, 2-22
planning audit to keep 3-22–3-23 IT-dependent manual
acceptable, 3-18 risk of material misstatement controls C
reduction of, 3-15–3-16 (RMM) and, 11-27–11-28, defined, 8-11 Capital stock
results of determination of, 3-21 12-28, 12-44–12-45 types of, 8-11–8-12 authorizing, 13-40
in risk assessment phase, 3-9 substantive approach, 3-24 issuing, 13-40
significant risk, 3-16 timeline of audit activities, 3-22 B redeeming and reacquiring,
substantive procedures and, Audit team Balance sheet, auditing inventory 13-40
9-3–9-5 member not independent from on, 13-11–13-28 Cash
sufficient appropriate audit client, 15-19 Balances. See also Cash balances; in the bank, 13-3
evidence and, 5-9–5-10 questions when planning ADA Tests of details of balances discounts, 11-21
Audit sampling application, 7-5 clustering, 7-15 pressure to overstate, 11-9
audit data analytics (ADA) size of, 5-18 factors that influence sample proof of, 13-11
versus, 10-3–10-5, 10-16 structure of, 5-18 size in testing, 10-12 receiving, 11-20
audit procedures application, work of others and, 5-18–5-23 payroll process, 12-34–12-35 recording, 11-21
10-22, 10-30 Auditing standard setting, in purchasing process, 12-3–12-4 Cash and cash equivalents
audit sample or entire United States, 1-17 Bank accounts, imprest, 12-34, audit strategy, 13-4–13-5
population determination, Auditing Standards Board (ASB). 13-3 auditing, 13-3–13-11
10-14–10-15 See also specific standards Bank confirmation, 5-13–5-14 control risk and fraud risk
defined, 10-5 AU-C topical content, 1-16 Bank deposit slip, 6-21 assessment, 13-4
documentation, 10-27–10-28, defined, 1-15 Bank deposits, confirmation of, entity and its environment, 13-3
10-32 on integrated audits, 15-29 13-8, 13-9 flow of transactions, 13-3
factors that influence use Auditors Bank reconciliations, 6-21, 8-19, inherent risk assessment, 13-4
decision, 10-4 audit risk, 1-20 12-18, 13-10 results from analytical
framework for, 10-14–10-16 component, 5-23 Bank statements, cutoff, 13-10 procedures, 13-4
as function of audit procedure, control deficiencies and, 8-28 Bank transfers Cash balances
10-4 defined, 1-4 auditing, 13-7 auditing bank transfers, 13-7
guidance on, 10-5 detection risk control, schedule, 13-8 completeness, existence, and
population and sampling unit 3-17–3-18 validity and accuracy of, 13-8 valuation of, 12-21, 12-23
definition, 10-16 emphasis-of-matter paragraph Basic precision (BP), 10-23, confirmation of, 13-8, 13-9
representative sample selection, use, 15-10–15-11 10-24 cutoff tests, 13-7
10-21–10-22, 10-29–10-30 fraud inquiry, 3-30 BDO USA LLP, 1-12, 3-12 initial procedures, 13-6, 13-7
sample results evaluation, independence, 2-12–2-13, 15-19 Beginning balance, tracing as kiting and, 13-7, 13-8
10-22, 10-30–10-31 internal, using work of, initial procedure, 9-9, 11-31 proof of cash, 13-11
sample size determination, 5-20–5-22 Benchmarks report of, 12-18
10-18, 10-29, 10-34–10-37 inventory observation, 13-22 appropriate circumstances for, scan or test bank reconciliations
statistical, 9-18 IT, 5-20 8-22–8-23 and, 13-10
steps in, 10-14–10-16 legal liability, 2-26–2-40 auditing standards, 3-12 substantive analytical
substantive procedures legal responsibilities, 2-3 balance-sheet, 3-12 procedures, 13-6, 13-7
determination, 10-14 liability under common law, defined, 8-22 substantive tests of, 13-5–13-11
substantive test objectives 2-27–2-33 establishment of, 8-22 tests of details of balances, 13-6,
determination, 10-14 liability under statutory law, industry data, 4-21 13-8–13-11
technique, choosing, 2-33–2-40 selection of, 3-11–3-12 tests of details of transactions,
10-17–10-18, 10-28–10-29 opinion, 1-19, 1-20 in setting materiality, 3-11–3-12 13-6, 13-7–13-8
use of, 9-16–9-17 predecessor, 3-5 tests of controls, 8-22–8-23 tests of presentation and
when to use, 10-3–10-4 professional judgment, 1-12 Bias disclosure, 13-6, 13-11
Audit services professional skepticism, 1-12 confirmation, 9-14 Cash disbursements
analogy of, 1-3 report from another, opinion management, 9-20 accuracy of, 12-20, 12-23
defined, 1-4 based in part on, 15-12–15-14 Bid rigging, 12-27 classification of, 12-20, 12-23
demand for, 1-8–1-11 responsibility of, 1-11–1-12 Big 4 firms, 7-4 completeness of, 12-20, 12-23
relationship of attestation and responsibility regarding illegal Bill of lading, 6-20, 11-14 cutoff of, 12-20, 12-23
assurance services, 1-3–1-4 acts, 4-10 Bill-and-hold transactions, 11-10 databases, 12-18
sources of demand for, 1-10 safeguards in guiding, 2-9 Bily v. Arthur Young & Co. (1992), example of flow of transactions
types of, 1-4 SOX changes for, 2-37–2-38 2-31–2-32 for, 12-19
Cash disbursements (Cont’d) documentation, 10-39–10-40 evaluating the relevance and critical accounting estimates,
occurrence of, 12-20, 12-23 estimated population standard reliability of data for, 14-26
paying the liability, 12-19, 12-20 deviation, 10-34 7-20–7-21 critical accounting policies and
recording, 12-18, 12-19, 12-20 mean-per-unit estimation, example of applying, 7-19 practices, 14-26
subprocesses, 12-18 10-33, 10-34–10-35 graphing data in, 7-19 matters in, 14-25
supporting documents, 12-18 planned allowance for sampling looking for notable items and, overview, 14-24–14-25
transaction flows, 12-18–12-19 risk, 10-36 7-18–7-25 Comparisons, 4-14–4-15
WCGW and key controls, population size, 10-34 overview of applying, 7-19 Compilation engagement
12-19–12-21 random sample selection, 10-37 perform the ADA, 7-21–7-24 conditions to accept, 15-31
Cash disbursements journal, 12-18 ratio method, 10-33 plan the ADA, 7-20 defined, 15-30
Cash discounts, 11-21 risk of incorrect acceptance, relevance and reliability of data guidance on, 15-31
Cash earnings per share (CEPS) 10-36 for, 7-20–7-21 Compilation of inventory values,
ratio, 4-13 risk of incorrect rejection, Clustering transactions, 7-15 13-15
Cash equivalents, 13-3. See also 10-35–10-36 Code of Professional Conduct. Compilation report, 15-31
Cash and cash equivalents sample results evaluation, See also AICPA (American Completeness
Cash receipts 10-38–10-39 Institute of Certified Public of accounts receivable, 11-18
classification of, 11-22 sample size determination, Accountants) of cash and cash equivalents,
common documents and files, 10-34–10-37 accounting principles rule, 13-5
6-21 sample size formula, 10-37 2-24–2-26 of cash balances, 12-21, 12-23
completeness of, 11-22 for substantive testing, application to all CPAs in of cash disbursements, 12-20,
control activities for, 10-33–10-40 state, 2-6 12-23
11-18–11-22 techniques, 10-33 Conceptual Framework for of cash receipts, 11-22
cutoff of, 11-22 tolerable misstatements, 10-37 Members in Public of inventory, 13-17
cutoff test for, 11-33 working paper, 10-40 Practice, 2-7 of payables, 12-17, 12-23
databases, 11-19 Classification confidential information, 2-26 of payroll, 12-41
depositing cash, 6-22 of cash disbursements, 12-20, due professional care, 2-23, 2-24 of property, plant, and
diverting, 11-22 12-23 fees and other types of equipment, 13-31
example controls, 11-21 of cash receipts, 11-22 remuneration, 2-25–2-26 of purchases, 12-16, 12-23
example transaction flows, category, 5-4 general standards, 2-23–2-24 of revenues, 11-10
6-21–6-22, 11-19–11-21 defined, 5-5 independence rule, 2-12–2-23 of sales, 11-17
flow of transactions illustration, of expenses, 12-17, 12-23, 12-42 integrity and objective rule, Completeness assertion, 5-4, 5-5,
11-19 of expenses and payroll, 12-42 2-11–2-12 5-6, 12-37
granting cash discounts and, for income statement accounts, interpretations, 2-6 Complexity, 1-10
11-21 9-5 other rules, 2-24–2-26 Compliance audits, 1-7
initial control over, 11-18 of payables, 12-17, 12-23 overview, 2-3 Compliance with laws and
lapping, 11-26 of receivables, 11-18 planning and supervision, regulations, 4-10
lockbox system, 11-20 of sales, 11-18 2-23, 2-24 Component auditors, 5-23
occurrence of, 11-22 verification, 9-5 principles, 2-6 Components, 5-23
over-the-counter, 11-20 Classification and professional competence, 2-23 Conceptual Framework for
prelist of, 6-21 understandability, 5-6, 9-5 provisions, 2-6 Members in Public
process risks and controls, 6-22 Client acceptance retention rules of conduct, 2-6 Practice. See also Code of
receiving cash, 6-22 decision structure of, 2-6–2-7 Professional Conduct
receiving cash and, 11-20 communication with sufficient relevant data, 2-23 accounting principles rule,
recording, 6-22, 11-19, 11-21 predecessor auditor and, 3-5 Code of professional ethics, 2-3 2-24–2-26
source documents, 11-19 engagement letter and, 3-6–3-7 Combination documentation, confidential information,
subfunctions, 11-18 factors that influence, 3-3–3-4 6-29, 6-30 2-26
transactions, 11-20–11-22 as first stage of audit, 3-3 Committee on Sponsoring fees and other types of
what can go wrong (WCGW), gathering information on Organizations of the remuneration, 2-25–2-26
11-21 factors, 3-4–3-5 Treadway Commission flowchart, 2-8
Cash receipts journal, 11-23 management integrity and, 3-4 (COSO), 1-18. See also general standards, 2-23–2-24
CBIZ/Mayer Hoffman McCann special circumstances/risks COSO framework independence rule, 2-12–2-23
PC, 1-12 and, 3-5 Common law integrity and objective rule,
Certified Public Accountant staff availability and, 3-5 auditor liability graphic, 2-27 2-11–2-12
(CPA), 1-4, 1-5, 2-26. See threats to compliance and, 3-5 burden of proof and, 2-32 other rules of conduct,
also Auditors Close relatives, 2-15 cases illustrating liability to 2-24–2-26
Change in accounting principle, Closing procedures client, 2-28–2-29 overview, 2-7
15-8–15-9 assessing adequacy of, 4-27–4-28 contract law, 2-27–2-28 safeguards effectiveness
Checklists, 6-29, 6-31 defined, 4-27 defined, 2-27 evaluation, 2-9
Chief Executive Officer (CEO), period-end closing entries, 4-28 duty of care and, 2-32–2-33 safeguards identification and
4-24 pressure for strong results and, foreseen class concept, 2-30 application, 2-9
Chief Financial Officer (CFO), 4-28 legal liability under, 2-27–2-33 threat significance evaluation,
4-24, 5-12 risk associated with, 4-27 liability to clients, 2-27 2-9
Classical variables sampling Cluster analysis liability to third parties, threats and safeguards
applying, 10-33 access and prepare the data for 2-29–2-32 documentation, 2-10
audit procedures application, ADA, 7-20 tort law, 2-28 threats identification, 2-8–2-9
10-37 algorithms for, 7-18–7-19 Common-size analysis, 4-15, 4-16 Confidential information, rules of
constraints, 10-33 defined, 7-18 Communication with those conduct, 2-26
defined, 10-33 evaluating results and drawing charged with governance Confirmation of accounts
difference method, 10-33 conclusions, 7-24 auditing standards, 14-25 payable, 12-32–12-33

Confirmation of accounts for revenue process disclosures, understanding entity-level obtaining and generating
receivable 11-24–11-25 controls, 8-3 relevant and quality
applicability to assertions, for sales adjustments, understanding flow of information (principle 13),
11-36–11-37 11-23–11-24 transactions, 8-3–8-4 6-14–6-15
clients prohibiting auditors segregation of duties, 6-13 what can go wrong (WCGW) ongoing and/or separate
from, 11-34 through policies (principle 12), identification, 8-3 evaluations (principle 16),
defined, 11-33 6-14 Controls testing. See Tests of 6-16
disposition of exceptions, 11-35 for uncollectible accounts, 11-24 controls organizational structure, 6-4,
evaluating exceptions, 11-35 Control deficiencies. See also Corporate and Criminal Fraud 6-6
positive confirmation, 11-34 Internal control(s) Accountability Act, 2-38 principles of internal control,
procedures for dealing with auditor action and, 8-28 Corporate governance 6-5
nonresponses, 11-35 categorization of, 8-28 audit committee, 4-24 reporting lines, authorities, and
reasons for not requesting, communication regarding, 6-34 board of directors, 4-24 responsibilities (principle 3),
11-33–11-34 defined, 6-32 defined, 4-23–4-24 6-8
summarizing and evaluating material weakness, 1-28, 6-32, those charged with governance, risk analysis and management
results, 11-36 8-28–8-29 4-24 (principle 7), 6-10
timing and extent of requests, non-reported, 8-29 COSO framework risk assessment process
11-35 professional judgment and, 6-34 acceptance, 6-4 principles, 6-10–6-11
Confirmations reporting findings and, 8-5–8-6 board of directors Costs of goods sold, auditing, 13-27
bank, 5-13–5-14 significant deficiency, 6-32, 8-28 independence (principle 2), Counting period, 9-4
external, 5-13–5-14 Control environment. See also 6-7–6-8 Covered members, 2-14–2-15
negative, 5-14 COSO framework; commitment to attract, develop, Credit Alliance Corp. v. Arthur
positive, 5-14 Entity-level controls and retain competent Andersen & Co. (1985), 2-31
practice of, 5-15 board of directors individuals (principle 4), Credit memos, 11-23
receivable, 5-14 independence (principle 2), 6-8 Credit sales
updating standards, 5-14–5-15 6-7–6-8 communication with external accepting customer orders,
Consideration, 8-4 commitment to attract, develop, parties (principle 15), 11-15
Consignment agreements and and retain competent 6-15–6-16 approving credit, 11-15
contracts, 13-26 individuals (principle 4), 6-8 components of internal control, authorizing, 11-15
Consignment inventory, 13-17 defined, 6-7 6-4–6-5 control activities for,
Consignment sales, 11-9 gaining an understanding of, 6-9 control activities over 11-12–11-18
Consistency individual accountability for technology (principle 11), databases, 11-14
emphasis-of-matter paragraph, internal control (principle 6-13–6-14 example transaction flows,
15-9, 15-10, 15-11 5), 6-8–6-9 control activities principles, 11-13–11-16
of financial statements, integrity and ethical values 6-11–6-14 initiating, 11-15
15-8–15-10 (principle 1), 6-7 control activities through recording, 11-16
public and private companies principles, 6-7–6-9 policies (principle 12), 6-14 recording document, 11-14
and, 15-10 principles overview, 6-5 control environment principles, shipping goods, 11-15
Constructive fraud, 2-28 reporting lines, authorities, and 6-7–6-9 source documents and
Contingent fee, SEC rules on, 2-22 responsibilities (principle 3), defined, 6-2–6-3 electronic files, 11-13–11-14
Contract 6-8 evaluation and communication transactions, 11-15–11-18
breach of, 2-27–2-28 selecting and designing, 8-23 of deficiencies (principle WCGW and example controls,
privity of, 2-27 tone at the top and, 6-9 17), 6-16–6-17 11-16–11-17
Contract law, 2-27–2-28 Control exceptions (deviations) fraud in risk assessment Criminal liability, 2-39–2-40
Control activities. See also COSO defined, 8-19 (principle 8), 6-10 Critical accounting estimates,
framework; Entity-level detection of, 8-20 identification and assessment 14-26
controls non-expectations of, 8-19 of changes (principle 9), Critical accounting policies and
authorization controls, 6-12 Control risk. See also Audit risk 6-10–6-11 practices, 14-26
for cash receipts, 11-18–11-22 defined, 3-16 identification and assessment of Crowe Horwath LLC, 1-12, 3-12
for credit sales, 11-12–11-18 final evaluation of, 14-12–14-13 risks (principle 6), 6-10 Current file, 5-25–5-26
defined, 6-11 low, 3-19 individual accountability for Current ratio, 4-17
effective, 6-11–6-12 reevaluation of, 14-12 internal control (principle Customer master file, 6-19, 11-13
information processing RMM and, 3-17 5), 6-8–6-9 Customers, as financial statement
controls, 6-12 substantive procedures and, 9-17 information and user, 1-9
mitigation of risks with Control risk assessment communication principles, Cutoff, payroll, 12-41
(principle 10), 6-12–6-13 cash and cash equivalents, 13-4 6-14–6-16 Cutoff assertion, 5-4–5-5
for cash disbursements, determine preliminary audit integrity and ethical values Cutoff bank statement, 13-10
12-18–12-21 strategy, 8-5 (principle 1), 6-7 Cutoff tests
over technology (principle 11), evaluate evidence, 8-5 internal communication of cash balances, 13-7
6-13–6-14 financing activities, 13-40–13-41 information (principle 14), cash disbursements, 12-17,
performance reviews, 6-12 identification of relevant 6-15 12-23, 12-31
physical controls, 6-13 controls to test, 8-5 internal control definition, 6-3 cash receipts, 11-33
principles, 6-11–6-14 illustration of steps, 8-4 mitigation of risks with control inventory, 13-22
principles overview, 6-5 inventory, 13-15–13-17 activities (principle 10), purchase return, 12-32
for purchase adjustments, perform tests of controls, 8-5 6-12–6-13 purchases, 12-17, 12-23,
12-24–12-25 property, plant, and equipment, monitoring principles, 12-31–12-32
for purchases, 12-11–12-17 13-31–13-32 6-16–6-17 sales, 11-32–11-33
for purchasing process reporting findings, 8-5–8-6 objectives of internal sales returns, 11-33
disclosures, 12-25 steps in, 8-3–8-6 control, 6-4 Cycle counts, 13-17

D Direct and material effect, 4-10, Emphasis-of-matter paragraph reasoning example, 2-19
Data. See also Audit data 4-11 auditor use of, 15-10–15-11 rules for members in private
analytics (ADA) Disclaimer of opinion, consistency, 15-9, 15-10, 15-11 practice, 2-10
accessing and preparing, 7-6, 15-18–15-19, 15-29 defined, 15-7 of WorldCom, 2-4–2-5
7-20–7-21, 7-26–7-27, 7-32, Disclosure committee, 11-24 examples of, 15-8, 15-9, 15-10, Ethics and Independence Rules,
7-39–7-40 Disclosures. See also Tests of 15-11 PCAOB, 2-2, 2-20–2-21
availability of, 9-11 details of presentation and placement of, 15-11 Evaluated receipt settlement (ERS)
company acquisition and, 7-12 disclosure requirement, 15-11 advance shipping notice (ASN),
comparing over several years, to audit committee, 2-22 Employee Retirement Income 12-22
7-12 cash and cash equivalents, Security Act (ERISA), 12-48 automation of, 12-12
complete determination, 13-5 Employees defined, 12-21
7-6, 7-11 engagement partners, 15-21 as financial statement user, 1-9 electronic payment, 12-22
documentation of reliability of, property, plant, and equipment, fraud, 12-9 initiating transaction,
7-13, 7-20–7-21 13-31 hiring, 12-39 12-21–12-22
electronic, from outside the purchasing process, 12-25 receive services from, 12-40 internal controls of system, 12-23
entity, 7-7 revenue process, 11-23–11-25 relations with, 4-5, 4-6 key transaction elements, 12-21
graphing, 7-19 Discounts, 4-6 Employment relationships, SEC receiving goods, 12-22
internal controls over, 7-7 Documentation. See also Working rules on, 2-21 recording payables, 12-22
need for cleaning determination, papers Engagement letter Examining subsequent payments,
7-6, 7-11–7-12 assembly and retention of, defined, 3-6 12-32
relevance and reliability of, 14-17, 14-18 example of, 3-6–3-7 Executing transactions, 8-3–8-4
7-6–7-7, 7-12–7-13, audit data analytics (ADA), purpose of, 3-6 Executive directors, 4-24
7-20–7-21, 7-32, 7-40 7-9–7-10 Engagement partners, 14-17, 15-21 Existence assertion
reliability, factors affecting, 9-11 checklists and preformatted Engagement quality control cash and cash equivalents, 13-5
steps associated with accessing questionnaires, 6-29, 6-31 reviewer, 14-17 cash balances, 12-21, 12-23
and preparing, 7-11–7-13 classical variables sampling, Engagement wrap-up category, 5-4
Data center and network 10-39–10-40 completion of documentation, confirmations in meeting,
operations controls, 6-24 combination, 6-29, 6-30 14-17–14-18 11-36–11-37
Debt-to-equity ratio, 4-19 completion of, 14-17–14-18 completion of working paper defined, 5-5
Dell Computers, 12-5 credit sales process, 6-30 review, 14-16–14-17 inventory, 3-23, 13-17
Deloitte & Touche LLP, 1-12, 3-12 data reliability, 7-13 engagement quality review, property, plant, and equipment,
Departures from applicable flowcharts and logic diagrams, 14-17 13-31
financial reporting 6-29, 6-30 final analytical procedures, 14-11 Expansion factor, for PPS
framework, 15-15–15-17, internal controls, 6-29–6-30 final evaluation of findings, sampling, 10-20
15-34 narratives, 6-29 14-11–14-16 Expectations, 9-11
Depreciation nonstatistical sampling, 10-32 overview, 14-10–14-11 Expected misstatements, 10-13,
expense, examining entries for, old, discarding, 14-18 Enron, 2-4, 3-4 10-20
13-35–13-36 PPS sampling, 10-27–10-28 Entity-level controls. See also Expenses, classification of, 12-17,
reasonableness of, 13-36 in quality control system, 3-27 Internal control(s) 12-23, 12-42
Desired level of assurance substantive analytical control activities, 6-11–6-14 Extent of audit procedures, 3-21
consideration of, 10-12–10-13 procedures use, 9-12 control environment, 6-7–6-9 External confirmation, 5-13, 5-14
defined, 8-18, 10-12 substantive procedure results, defined, 6-7
Detection risk. See also Audit risk 9-26–9-27 information and F
as controlled by auditor, tests of controls, 8-29–8-31 communication, 6-14–6-16 Factual misstatements, 9-26,
3-17–3-18 as varied from client to client, monitoring activities, 6-16–6-17 14-14
defined, 3-17 5-24 risk assessment process, False positives, 7-16
sample size decisions and, 3-21 vouch recorded payables to 6-10–6-11 Familiarity threat, 2-8, 2-10
substantive procedures and, 9-17 supporting, 12-31 in small entities, 6-17–6-18 FASB. See Financial Accounting
Detective controls. See also Doubtful accounts, evaluating understanding, 8-3 Standards Board (FASB)
Internal control(s) allowance for, 11-37 ERISA (Employee Retirement Federal Accounting Standards
application of, 8-8, 8-10 Dual dating, 15-23–15-24 Income Security Act), 12-48 Advisory Board (FASAB),
assessing, 8-9 Dual purpose test, 9-7 Ernst & Ernst v. Hochfelder (1976), 2-25
defined, 8-8 Due care defense, 2-32 2-35, 2-36 Fees and remuneration, rules of
examples of, 8-8–8-9 Due diligence defense, 2-34 Ernst & Young (EY), 1-12, 3-12 conduct, 2-25–2-26
IT application controls and Due professional care, AICPA ERS. See Evaluated receipt Filtering or grouping process, 7-16
manual follow-up, 8-8 Code, 2-23, 2-24 settlement Final analytical procedures, 14-11
as “key controls,” 8-10 Duplicate payments, 12-9 Escott v. BarChris Construction Final evaluation
management level reviews, 8-9 Duty of care, 2-32–2-33 Corp (1968), 2-34–2-35 of audit findings, 14-11–14-16
performance indicators, 8-9 ESM Government Securities v. of control risk, 14-12–14-13
preventative controls E Alexander Grant & Co of fraud risk, 14-12–14-13
comparison, 8-10 Earnings per share (EPS) ratio, (1987), 2-40 of inherent risk, 14-12–14-13
reconciliations, 8-8–8-9, 8-10 4-12 Estimation uncertainty. See also of materiality, 14-11
variation of, 8-8 Economic upturns and Accounting estimates of misstatements, 14-14
Deviation rate downturns, 4-9 amount of, 9-19–9-20 of uncorrected misstatements,
accurate, 8-18 Electronic funds transfer, 11-20, defined, 9-19 14-14–14-16
expected, 8-18 12-18 higher, 9-20 Financial Accounting Standards
tolerable, 8-17 Electronic invoice presentment lower, 9-20 Board (FASB)
Difference method, 10-30, 10-31, and payment (EIPP) Ethics accounting principles, 2-25
10-33 systems, 12-12, 12-22 code of professional, 2-3 role of, 1-17–1-18

Financial reporting First Data Corporation, 13-39 General standards, AICPA Code, Imprest bank accounts, 13-3
applicable framework, 1-4 Flowcharts, 6-29 2-23–2-24 Imprest payroll bank account,
departure from applicable FOB destination, 11-32, 12-31 Generally accepted accounting 12-34
framework, 15-15–15-17 FOB shipping point, 11-32, 12-31 principles (GAAP), 1-4, 1-6, Incentive and pressures to
fraudulent, 3-26 Foreign Corrupt Practices Act of 1-11, 2-25, 13-41 commit fraud, 3-27–3-28
information systems relevant 1977, 2-36 Generally accepted auditing Independence
to, 6-15 Forensic accounting, 14-13 standards (GAAS) activities that impair, 2-14,
internal controls over. See Foreseen class, 2-30 on ADA tested data, 7-10 2-15
internal controls over Form 10-K filing deadline, 14-7, audit principles, 1-15–1-16 close relatives and, 2-15
financial reporting (ICFR) 14-8 defined, 1-15 covered members, 2-14–2-15
international standards (IFRS), Fraud Going concern critical nature of, 2-16
1-4 attitudes and rationalization to assumption, 14-18–14-19 defined, 2-12
Financial statement audits justify, 3-29 audit procedures that may employment or association
conducting, 1-11 constructive, 2-28 identify issues, 14-20 with attest client and,
limitations of, 1-6–1-7 defined, 2-28, 3-25 auditor’s evaluation of, 14-19 2-17–2-18
purpose of, 1-6 determination of, 14-12 with emphasis-of-matter facets of, 2-12–2-13
Financial statements discovery of, 14-12–14-13 paragraph, 15-8 immediate family members
adjustment to correct a material examples of, 3-26 management evaluation, 14-19 and, 2-15, 2-16
misstatement and, incentive and pressures to reasonable period of time and, independent in appearance,
15-9–15-10 commit, 3-27–3-28 14-19 2-13
audit report on, 1-19–1-25 as intentional act, 3-25 substantial doubt of entity independent in fact, 2-12–2-13
change in accounting principle inventory, SEC settlements, 13-18 continuing as, 14-20 key individuals and
and, 15-8–15-9 misappropriation of assets, 3-26 Goods and services requirements, 2-13–2-17
compilation of, 15-30–15-31 opportunities to perpetrate, receipt of, 12-14–12-15 key position and, 2-15
consistency of, 15-8–15-10 3-28–3-29 requisition of, 12-14 nonattest services and,
defined, 1-4 payroll, reducing, 12-44 Government Accounting 2-18–2-20
group, 5-23 in payroll process, 12-37 Standards Board (GASB), PCAOB Ethics and
issuance date of, 15-7 pervasive, 14-13 2-25 Independence Rules,
materiality and, 1-20 red flags, 3-25–3-26 Governments, as financial 2-20–2-21
preparation of, 1-11 responsibility of preventing and statement user, 1-9 rule, 2-12–2-23
purpose of audit of, 1-4 detecting, 3-26 Grant Thornton LLP, 1-12, 3-12 rule interpretation, 2-16
reasonable assurance and, risk factors, 3-26 Gross negligence, 2-28 SEC rules, 2-21–2-22
1-19–1-20 Fraud risk Gross operating cycle, 4-18 Independent bank reconciliation,
review of, 15-32–15-34 auditor consideration of, 9-6 Gross profit margin, 4-16 6-21
SEC rules on, 2-22 defined, 3-25 Gross sales, 11-10 Independent concept, 1-5, 1-23,
users of, 1-9–1-10 final evaluation of, 14-12–14-13 Group audit, 5-23 1-27
Financing activities incentives and pressures that Group engagement team, 5-23 Independent in appearance,
analytical procedures, 13-39 increase, 3-27–3-28 Group financial statements, 5-23 2-13
audit strategy determination, internal control deficiency and, Grouping or filtering process, Independent in fact, 2-12–2-13
13-41 11-28 7-16 Indirect effect, 4-10, 4-11
bond trustee and, 13-40 lapping, 11-26 Groupon, 11-10 Information
control risk assessment, opportunities to increase, confidential, 2-26
13-40–13-41 3-28–3-29 H defined, 1-5
defined, 13-37 professional skepticism and, 3-27 Haphazard selection, 10-10–10-11 matching, 7-26–7-30, 7-37
flow of transactions, 13-38 reevaluation of, 14-12 HealthSouth (2003), 2-40 materiality, 1-7
fraud risk assessment, Fraud risk assessment High risk assertions reliable sources, 4-21
13-40–13-41 audit data analytics (ADA) in, audit evidence and, 5-9, 9-7 Information and communication.
inherent risk assessment, 12-27, 12-44 with qualitative analysis, 3-18 See also COSO framework;
13-39–13-40 cash and cash equivalents, 13-4 with quantitative analysis, 3-19 Entity-level controls
initial procedures, 13-41, 13-42, financing activities, 13-40–13-41 Horizontal analysis, 4-15 communication with external
13-44, 13-45 fraud risk factors in, 3-26 Human risks, 6-18 parties (principle 15),
substantive analytical inventory, 13-17–13-18 I 6-15–6-16
procedures, 13-42, payroll process, 12-43–12-44 IASB (International Accounting defined, 6-14
13-45–13-46 process, 3-30 Standards Board), 2-25 internal communication of
substantive tests of long-term property, plant, and equipment, IDEA software, 7-26, 7-27 information (principle 14),
debt, 13-41–13-44 13-32 Illegal acts 6-15
substantive tests of purchasing process, 12-27 assurance and, 4-10 principles, 6-14–6-16
stockholders’ equity, revenue process, 11-26–11-27 auditor responsibility regarding, principles overview, 6-5
13-44–13-47 Fraud risk factors, 3-26 4-10 relevant and quality
tests of details of balances, 13-42, Fraudulent financial reporting, defined, 4-10 information (principle 13),
13-44, 13-45, 13-46 3-26 direct and material effect, 4-10, 6-14–6-15
tests of details of presentation Funds of Funds, Ltd. v. Arthur 4-11 Information processing controls,
and disclosure, 13-42, 13-44, Andersen & Co. (1982), 2-29 material but indirect effect, 6-12
13-45, 13-46–13-47 4-10, 4-11 Information technology (IT)
tests of details of transactions, G Immaterial misstatements, benefits and risks of systems,
13-42, 13-43, 13-45, 13-46 GASB (Government Accounting qualitative characteristics 6-23
transfer agent and, 13-40 Standards Board), 2-25 of, 14-15 defined, 4-26
understanding the entity and its General public, as financial Immediate family members, 2-15, risks, 4-26
environment and, 13-38 statement user, 1-10 2-16 system installation, 4-26

Information technology (IT) Integrity and objective rule, preventative, 8-7–8-8, 8-10 entity and its environment,
controls. See also Internal 2-11–2-12 principles of, 6-5 13-12–13-13
control(s) Intended users, 1-4 reasonable assurance and, evaluation of client’s past
application, 6-24, 6-25–6-27 Interest-rate swaps, 13-41 1-25–1-26 experience selling, 7-9
dependent-manual, 6-27–6-28 “Interim” period, 3-21 redundant, 12-16 example industry traits and,
general, 6-23, 6-24 Interim period, substantive reporting objectives of, 6-4 13-12–13-13
illustrated, 6-24 procedures at, 9-15 segregation of duties, 6-13 existence of, 3-23, 13-17
payroll process, 12-43 Internal auditors significant deficiency, 6-32, 8-28 flow of transactions, 13-12
purchasing process, 12-26 audit evidence from, 5-22 strong system of, 8-19 fraud risk assessment,
revenue process assertions and, consideration example, 5-22 to test, identifying, 8-5 13-17–13-18
11-25–11-26 defined, 5-20 transaction-level, 6-19–6-22 inherent risk assessment,
Information-processing, 6-12 direct assistance from, 5-22 types of, 8-7–8-13 13-14
Inherent risk. See also Audit risk objectivity and competence walk-through, 6-19 initial procedures, 13-19,
in blended approach, 3-24 of, 5-21 Internal controls over financial 13-20–13-21
defined, 3-16 using the work of, 5-20–5-22 reporting (ICFR) inspecting entries in accounts,
example traits of, 3-16 work use determination, audit report on, 1-25–1-28 13-21–13-22
final evaluation of, 14-12–14-13 5-21–5-22 material weakness in, 1-28 items representing
high, 3-19 Internal audits modified opinion on, unacceptable variation,
low risk assertions, 3-20 defined, 1-8 15-27–15-29 7-14–7-15
reevaluation of, 14-12 determined by those charged purpose of audit of, 1-4 key controls, 13-16–13-17
relationship to business risk, with governance, 1-8 reasonable assurance and, manufactured, testing costs of,
4-3 function, 6-16 1-25–1-26 13-25–13-26
RMM and, 3-17 Internal control(s). See also Tests reports on the audit of, misstatements, SEC
substantive procedures and, of controls 15-26–15-30 settlements, 13-18
9-17 adverse opinion on the unqualified opinion on phantom, indicators of, 13-14
understanding purchasing effectiveness of, 15-28–15-29 effectiveness of, 15-26–15-27 pricing, testing, 13-25
process and, 12-6 audit strategies for cash with, International Accounting restatements related to, 13-15
Inherent risk assessment 13-5 Standards Board (IASB), 2-25 rights and obligations, 13-17
cash and cash equivalents, auditor understanding of, 6-3 International Auditing and risk of material misstatement
13-4 authorization, 6-12 Assurance Standards Board (RMM), 13-19
factors, 3-16 automated, 8-11–8-12 (IAASB), 1-17, 7-3 SKU or UPC label, 13-17
financing activities, 13-39–13-40 compliance objectives of, 6-4 International Federation of specialized or highly technical,
inventory, 13-14 components of, 6-4–6-5 Accountants (IFAC), 1-17 13-26
property, plant, and equipment, COSO framework and, 6-4–6-6 International financial reporting steps in accounting for, 13-16
13-31 data, 7-7 standards (IFRS), 1-4 substantive analytical
in purchasing process, deficiency in, 6-32, 6-33–6-34 Interpretations, 2-6 procedures, 13-19, 13-21
12-8–12-11 detective, 8-8–8-10 Inventory substantive tests for,
in revenue process, 11-9–11-12 documenting, 6-29–6-30 accounting estimates, tests of, 13-19–13-28
Initial procedures. See also effectiveness of, 3-17 13-26–13-27 test counts working paper,
Substantive procedures entry-level, 6-7–6-18 ADA as risk assessment 13-24
cash balances, 13-6, 13-7 of ERS system, 12-23 procedure, 13-18 tests of details of balances,
defined, 9-8 evaluation and communication ADA ranking of, 7-8–7-9 13-20, 13-22–13-27
inventory, 13-19, 13-20–13-21 of deficiencies, 6-16–6-17 analytical procedures for, tests of details of transactions,
long-term debt, 13-41, 13-42 exceptions, investigation of, 13-13–13-14 13-19, 13-21–13-22
payroll process, 12-45, 12-46 8-28 assessing risk of material tests of presentation and
property, plant, and equipment, history of PCAOB standards misstatement and, disclosure, 13-20, 13-27
13-33, 13-34 and inspection activities, 8-6 13-12–13-13 underlying cost of, 7-8
purchasing process, 12-29, identifying strengths and audit strategy determination, valuation at historical cost,
12-30 weaknesses in, 6-31–6-32 13-18–13-19 13-17
revenue process, 11-29, importance of, 6-3 auditing, 13-11–13-28 valuation at net realizable
11-30–11-31 information technology (IT), binding contracts for future value, 13-17
shareholders’ equity, 13-44, 4-26, 6-23–6-28 purchases of goods, 13-27 valuation of, 3-24
13-45 inherent limitations of, 6-6 clerical accuracy, testing, 13-25 WCGW and example controls,
tracing beginning balance as, IT application controls, 8-12 compilation of values, 13-15 13-16
9-9, 11-31, 12-46 IT general controls (ITGCs), completeness of, 13-17 Inventory observation
trial balance as, 9-9, 11-31 8-11–8-12 confirming, 13-26 auditor, 13-22
types of, 9-8–9-9 IT-dependent manual controls, consignment, 13-17 of beginning inventories, 13-25
Input controls, 6-26 8-12 consignment agreements and conclusion of, 13-24
Inquiry procedure, 5-12, 8-13 management letters and, contracts, 13-26 performing, 13-23–13-24
Inspection 6-33–6-34 control overlap, 13-15 preparing for, 13-24
for assertions, 5-12 manual, 8-11 control risk assessment, timing and extent of, 13-23
defined, 5-11 material weakness, 6-32 13-15–13-17 Inventory turnover in days, 4-18
inventory entries, 13-21–13-22 objectives of, 6-4 controls, testing, 13-17 Inventory-taking plans, 13-23
procedure, 8-14 operation objectives of, 6-4 costs of goods sold, 13-27 Investing activities, 13-28. See
tracing, 5-11–5-12 organizational structure, 6-4, cutoff tests, 13-22 also Property, plant, and
vouching, 5-11 6-6 cycle counts, 13-17 equipment
Integrated audit overview, 6-2–6-3 developing a knowledge Investors, as financial statement
defined, 1-6, 15-26 performance reviews, 6-12 perspective and, user, 1-9
requirement to perform, 15-29 physical, 6-13 13-12–13-13 IT. See Information technology

IT application controls. See also L Letter of recommendations. See rights and obligations, 5-4, 5-5,
Information technology (IT) Lapping, 11-26 Management letters 11-24, 11-36–11-37, 13-5,
controls Laws, compliance with, 4-10 Liability. See Legal liability 13-17, 13-31
as automated controls, 8-12 Lead schedules, 5-26, 13-34 Limited assurance, 1-4 risk of material misstatement
common test of, 8-12 Legal cases Liquidity (RMM), 5-22
credit sales, 11-17–11-18 1136 Tenants’ Corp v. Max defined, 4-13 risk of misstatement, 12-9
defined, 6-25 Rothenberg & Co. (1971), ratios, 4-17–4-19 types by category, 5-4
example, 6-26 2-28–2-29 Litigation contingencies, valuation and allocation, 5-4,
independent checks, 6-25 Bily v. Arthur Young & Co. 14-6–14-7 5-5–5-6, 13-5, 13-31
input controls, 6-26 (1992), 2-31–2-32 Loan balances, confirmation of, Management bias, 9-20
manual follow-up procedures Credit Alliance Corp. v. Arthur 13-8 Management letters
that support, 8-20 Andersen & Co. (1985), 2-31 Lockbox system, 11-20 defined, 6-33
output controls, 6-26–6-27 Ernst & Ernst v. Hochfelder Logic diagrams, 6-29, 6-30 example, 6-33–6-34
over program changes and/or (1976), 2-35, 2-36 Logical sampling unit, 10-18 professional judgment in, 6-34
access to data files, 8-20 Escott v. BarChris Construction Logitech International, 13-18 Management level reviews, 8-9
overview, 6-24 Corp (1968), 2-34–2-35 Long-term debt. See also Management participation threat,
payroll process, 12-43 ESM Government Securities Financing activities 2-8
processing controls, 6-26 v. Alexander Grant & Co analytical procedures to audit, Management representation
purchasing process, 12-26 (1987), 2-40 13-39 letter
revenue process, 11-26 Funds of Funds, Ltd. v. Arthur initial procedures, 13-41, 13-42 defined, 14-22
selecting and designing, 8-24 Andersen & Co. (1982), 2-29 substantive analytical example, 14-22–14-23
tests of, 8-20–8-21 HealthSouth (2003), 2-40 procedures, 13-42 explanations, 14-24
types of, 6-25 liability to clients, 2-28–2-29 substantive tests of, 13-41–13-44 management refusal to sign,
IT auditors, 5-20 Rosenblum v. Adler (1983), tests of details of balances, 14-24
IT general controls (ITGCs). See 2-30–2-31 13-42, 13-44 Manual controls. See also Internal
also Information technology Rusch Factors v. Levin (1968), tests of details of presentation control(s)
(IT) controls 2-30 and disclosure, 13-42, 13-44 defined, 8-11
access controls, 6-25 Ultramares Corp. v. Touche tests of details of transactions, tests of controls, 8-19
application system acquisition, (1931), 2-29–2-30 13-42, 13-43 Manual follow-up of exceptions,
development, and United States v. Natelli (1975), Loss contingencies 8-25
maintenance controls, 6-25 2-39–2-40 audit procedures for, 14-3–14-7 Market share, 11-6
auditor testing of, 8-20–8-21 United States v. Simon (1969), defined, 14-3 Master price file, 11-13
data center and network 2-39 identification of, 14-4 Matching information in key data
operations controls, 6-24 United States v. Weiner (1978), legal letters and, 14-4–14-5 fields
defined, 6-24, 8-11 2-40 likelihood categories, 14-3 accessing and preparing the
importance of, 8-12 Legal letters litigation, 14-6–14-7 data for ADA, 7-27
overview, 6-23 defined, 14-4 probable, 14-3 audit data analytics (ADA),
program change controls, example, 14-4–14-5 reasonably possible, 14-3 7-25–7-30
6-24–6-25 explanations, 14-5 remote chance of, 14-3 defined, 7-25
in revenue process, 11-26 Legal liability risk assessment and, 14-4 evaluating results and drawing
selecting and designing, burden of proof and, 2-32 Low risk assertions conclusions, 7-29–7-30
8-24 cases illustrating liability to audit evidence and, 5-9 evaluating the relevance and
system software acquisition, client, 2-28–2-29 examples of, 3-19–3-20 reliability of data for,
change, and maintenance to clients, 2-27 with quantitative analysis, 3-20 7-27–7-28
controls, 6-24 under common law, 2-27–2-33 Lower-of-cost-or-NRV problem, example of, 7-26
types of, 8-11 contract law, 2-27–2-28 13-18 IDEA software, 7-26, 7-27
IT-dependent manual controls. criminal liability, 2-39–2-40 overview of example, 7-26
See also Information due care defense, 2-32 M performing the ADA, 7-28–7-29
technology (IT) controls due diligence defense, 2-34 Management assertions planning the ADA, 7-26
blockchain, 6-28 duty of care and, 2-32–2-33 accuracy, 5-4 Material misstatements. See also
defined, 6-27, 8-12 Foreign Corrupt Practices Act accuracy and valuation, 5-4, 5-6 Misstatements
evaluation of, 8-12 of 1977 and, 2-36 categories of, 5-3 adjustment to correct,
example, 6-27–6-28 Private Securities Litigation classification, 5-4, 5-5 15-9–15-10
selecting and designing, 8-25 Reform Acts of 1995 and classification and discovery of, 1-7
ITGCs. See IT general controls 1998 and, 2-36–2-37 understandability, 5-4, 5-6 inventory and, 13-12–13-13
proportionate liability, 2-37 completeness, 5-4, 5-5, 5-6, pervasive, 15-14
J
Sarbanes-Oxley Act (SOX) and, 12-37 unmodified opinion with
Judgmental misstatements, 9-26,
2-37–2-38 cutoff, 5-4–5-5 consistency emphasis-
14-14
scienter and, 2-36 defined, 5-3 of-matter paragraph for
K Securities Act of 1933 and, effective responses to, 9-7 correction of, 15-10
Key performance indicators 2-34–2-35 existence, 5-4, 5-5, 11-36–11-37, Material weakness
(KPIs), 4-12 Securities Act of 1934 and, 12-21, 12-23, 13-17, 13-31 control deficiency as, 8-28–8-29
Key position, working for attest 2-35–2-36 as guide, 5-3 defined, 1-28, 6-32, 8-28
client in, 2-15 under statutory law, 2-33–2-40 occurrence, 5-4 in ICFR, 1-28, 6-32
Kickbacks, 12-27 to third parties, 2-29–2-32 occurrence and rights and management correction of, 8-29
Kiting, 13-7, 13-8 tort law, 2-28 obligations, 5-4, 5-6, 12-25 Materiality
KPIs (key performance Legal responsibilities, 2-3 PCAOB standards, 5-6 of account balance or
indicators), 4-12 Lenders, as financial statement relevant, 5-6–5-7, 5-12, 5-13, transaction, 5-22
KPMG, 1-12, 2-5, 3-12 user, 1-9 9-7, 12-29 concept use, 3-10–3-11

Materiality (Cont’d) scope limitation and, Notable items fraud, reducing, 12-44
defined, 1-7, 3-10 15-17–15-20 characteristics of, 7-15 occurrence of, 12-41
example, 3-14–3-15 situations that cause, 1-24 cluster analysis and, 7-18–7-25 recording and paying, 12-40
final evaluation of, 14-11 summary of situations causing, defined, 7-15 Payroll accounts, 12-47
financial statements and, 1-20 15-20 examples of, 7-15 Payroll authorization, 12-38
level at starting point, 3-13 Monitoring. See also COSO false positives, 7-16 Payroll changes, authorizing,
performance, 3-13 framework; Entity-level high-margin items removal 12-40
planning, 3-11–3-13 controls from, 7-16–7-17 Payroll disbursement, 12-38
practices in major public defined, 6-16 large number of, 7-16–7-17 Payroll journal, 12-38
accounting firms, 3-12 internal audit function, 6-16 tools for searching for, 7-15–7-16 Payroll preparation, 12-40
qualitative, 3-11 ongoing procedures, 6-16 Payroll process
quantitative, 3-11
O
principles, 6-16–6-17 analytical procedures, 12-36
Observation procedure, 5-12, 8-14
results of determination of, principles overview, 6-5 audit data analytics (ADA),
Occurrence
3-21 selecting and designing, 8-24 12-47
of cash disbursements, 12-20,
setting, 3-11–3-13 Monthly statements of receivable audit data analytics (ADA) in
12-23
McGladrey LLP (RSM), 3-12 balances, 6-20, 6-21, 11-19
of cash receipts, 11-22
McKesson & Robbins Company, Monthly statements received client’s, understanding,
of payroll, 12-41
13-22 from vendors, 12-13, 12-18 12-35–12-36
of purchases, 12-16, 12-23
Mean-per-unit estimation, 10-33, Multidimensional analysis, 4-20 completeness assertion in,
of revenues, 11-10
10-34–10-35 12-37
of sales, 11-17–11-18
Misappropriation of assets, 3-26 N controls activities for, 12-38
Occurrence and rights and
Misclassified receivables, 11-10 Narratives, 6-29 database, 12-38
obligations assertion, 5-4,
Misleading visualization, 7-35 National Association of State defined, 12-34
5-6, 12-25
Misstatements Boards of Accountancy entity and its environment,
Occurrence assertion, 5-4
defined, 9-26 (NASBA), 1-18 12-35–12-37
Operational (performance)
evaluation of, 9-26–9-27 Nature of audit procedures, 3-21 flows, 12-38–12-42
audits, 1-7–1-8
examples of causes of, 9-26 Negative confirmation, 5-14 fraud in, 12-37
Opinions
expected, 10-13 Net operating cycle, 4-18–4-19 fraud risk assessment,
adverse, 15-15–15-17,
expected misstatement and, Net realizable value (NRV), 13-18 12-43–12-44
15-28–15-29
10-20 New product revenues to total higher inherent risk and, 12-37
adverse, effectiveness of ICFR,
factual, 9-26, 14-14 revenues ratio, 11-7 imprest payroll bank account
1-28
final evaluation of, 14-14 Nonattest services and, 12-34
defined, 1-19
identification of, 9-26–9-27 AICPA rule for, 2-18–2-20 initial procedures, 12-45, 12-46
disclaimer of, 15-18–15-19
immaterial, 14-15 client functions in connection initiating transactions,
modified, 1-24, 15-14–15-20
indicators in revenue process, with, 2-18–2-19 12-39–12-40
modifying, 15-14–15-22
11-8 defined, 2-18 key assertions, 12-35
qualified, 15-15, 15-16
inventory, 13-18 ethics reasoning example, 2-19 lower inherent risk and, 12-37
on revised financial statements,
judgmental, 9-26, 14-14 independence and, 2-18–2-20 nature of transactions and
15-25
margin of error for, 3-12–3-13 for non-public clients, 2-20 balances, 12-34–12-35
unmodified, 15-4–15-14
material, 1-7, 13-12–13-13, before performing, 2-19 pay periods and, 12-38, 12-47
unqualified, 8-28, 15-5–15-6,
15-9–15-10 SOX and, 2-37–2-38 receive services from
15-26–15-27
none found, 10-23 Non-audit fees, 2-22 employees, 12-40
wrong, 1-20
performance materiality and, Non-executive directors, 4-24 recording and paying payroll,
Opportunities to perpetrate fraud,
3-13 Nonsampling risk, 10-7 12-40
3-28–3-29
pervasive, 15-14 Nonstatistical sampling risk of material misstatement
Ordinary negligence, 2-28
projected, 9-26, 10-23, 14-14 advantages of, 10-28–10-29 (RMM) and audit strategy,
Other beneficiaries, 2-29
resolution of, 9-26–9-27 applying for substantive testing, 12-44–12-45
Output controls, 6-26–6-27
risk of material (RMM), 3-17, 10-28–10-32 substantive analytical
Over-the-counter receipts, 11-20
3-18, 3-22, 3-24 audit procedures application, procedures, 12-46, 12-47
some found, 10-23–10-26 10-30 P substantive tests for,
tolerable, 10-13, 10-20, 10-36, audit sampling technique Packing slip, 6-20, 11-14 12-45–12-48
10-37 selection, 10-28 Pay periods, 12-38, 12-47 tests of controls for, 12-43
uncorrected, 14-14–14-16 defined, 10-8 Payables tests of details of balances,
upper limit, 10-22–10-23 disadvantages of, 10-29 classification of, 12-17, 12-23 12-46, 12-48
working paper analysis of, document conclusions, 10-32 completeness of, 12-17, 12-23 tests of details of transactions,
14-14–14-15 representative sample selection, recorded, vouch, 12-31 12-46, 12-47
Modified opinions. See also 10-29–10-30 recording, 12-22 tests of presentation and
Opinions results do not support book turnover in days, 4-18 disclosure, 12-46, 12-48
adverse, 15-15–15-17 value, 10-31 unconfirmed, reconciling, WCGW and key controls,
defined, 15-14 sample results evaluation, 12-33 12-40–12-42
departures from applicable 10-30–10-31 valuation of, 12-17 Payroll tax returns, 12-38, 12-40
financial reporting sample size determination, 10-29 Payroll Payroll transactions
framework and, 15-15–15-17 steps in planning and accuracy of, 12-41 databases, 12-38
disclaimer of opinion and, executing, 10-8–10-9 auditing, 12-34–12-48 example flow of, 12-39
15-18–15-19 use of, 10-8–10-9 classification of expenses and, initiating, 12-39–12-40
on ICFR, 15-27–15-29 working paper, 10-32 12-42 recording document, 12-38
for public company, 15-20 North American Industry completeness of, 12-41 source documents and
qualified, 15-–15-18 Classification System completeness of payables, 12-42 electronic files, 12-38
scenarios, 15-14 (NAICS), 12-5–12-6 cutoff, 12-41 types of, 12-34

PCAOB (Public Company substantive procedures and, Professional skepticism tests of details of balances,
Accounting Oversight 9-17–9-18 appropriate application of, 3-27 13-33, 13-36–13-37
Board). See also specific two, matching characteristics client management honesty tests of details of transactions,
standards of, 7-15 and, 3-15 13-33, 13-35–13-36
auditing standards topical Positive confirmation, 5-14 defined, 1-12, 3-15 tests of presentation and
organization, 1-14 PPS sampling. See Probability- elements that might cause, 3-15 disclosure, 13-33, 13-37
confirmation standard, proportionate-to-size (PPS) example of, 3-15 understanding the entity and its
5-14–5-15 sampling fraud risk and, 3-27 environment and, 13-29
defined, 1-13–1-14 Practitioner, 1-4 impediments to application valuation and allocation, 13-31
disclosure of engagement Predecessor auditors, 3-5 of, 3-27 vouch plant asset additions and,
partners, 15-21 Prelist of cash receipts, 6-21 importance of, 3-27 13-35
Ethics and Independence Rules, Preparers, responsibility of, 1-11 planning and performing audit vouch plant asset disposals and,
2-2, 2-20–2-21 Preventative controls. See also with, 1-12 13-35
internal control over financial Internal control(s) Professionalism, accounting and, Proportionate liability, 2-37
reporting, 8-6 defined, 8-7 2-3–2-5 Public Company Accounting
management assertions, 5-6 designing, 8-7–8-8 Professionals, 2-4 Oversight Board. See PCAOB
material weakness definition, detective controls comparison, Profit margin, 4-16–4-17 Purchase orders, 12-12, 12-14
1-28 8-10 Profitability, 4-12–4-13 Purchase requisition, 12-12
release of new audit report, 1-24 effective, absence of, 8-8 Profitability ratios, 4-16–4-17 Purchases
role of, 1-13–1-14 examples of, 8-7 Program change controls, accuracy of, 12-16, 12-23
Staff Audit Practice Alerts, 3-27 Price-earnings (PE) ratio, 4-12 6-24–6-25 audit strategy for assertions,
in using the work of another PricewaterhouseCoopers (PwC), Projected misstatements (PM). 12-11–12-12
auditor, 5-23 1-12, 3-12 See also Misstatements completeness of, 12-16, 12-23
Performance Primary beneficiary, 2-29 calculation of, 10-23–10-24 control activities for, 12-11–12-17
appraisal, promotion, and Principles, 2-6 defined, 9-26, 10-23 cutoff, 12-17, 12-23
compensation processes, Private Securities Litigation determination example, 10-24 databases, 12-13
3-27 Reform Acts of 1995 and evaluation of, 14-14 example flow of transactions
indicators, 8-9 1998, 2-36–2-37 in UML calculation, 10-23 for, 12-13
materiality, 3-13 Privity of contract, 2-27 Property, plant, and equipment initiating and authorizing,
Performance measurement Probability-proportionate-to-size ADA as risk assessment 12-12–12-13
(client approaches) (PPS) sampling procedure, 13-32 occurrence of, 12-16, 12-23
cash earnings per share (CEPS) advantages of, 10-17 analytical procedures, 13-30 receipt of goods and services,
ratio, 4-13 AICPA, 10-17 audit strategy determination, 12-14–12-15
earnings per share (EPS) ratio, applying to substantive testing, 13-32 recording, 12-15, 12-16
4-12 10-16–10-28 collateral for loans and, 13-36 recording document, 12-12
key performance indicators audit procedures application, completeness, 13-31 redundant controls, 12-16
(KPIs), 4-12 10-22 control risk assessment, returns and allowances,
liquidity, 4-13 defined, 10-17 13-31–13-32 12-24–12-25
price-earnings (PE) ratio, 4-12 disadvantages of, 10-17 depreciation expense entries, source documents and
profitability, 4-12–4-13 documentation, 10-27–10-28 13-35–13-36 electronic files, 12-12
solvency, 4-13 expansion factors for, 10-20 depreciation reasonableness, transaction flows, 12-12–12-15
sustainable cash flow from limitations of, 10-18 13-36 WCGW and key controls,
operations, 4-13 population in, 10-17 developing a knowledge 12-15–12-17
Performance reviews, 6-12 reliability factors for evaluating, perspective and, 13-29–13-30 Purchases journal, 12-12
Performing substantive 10-25 disclosures, 13-31 Purchasing database, 12-18
procedures, 9-3 representative sample selection, example industry traits and, Purchasing process
Permanent file, 5-25 10-21–10-22 13-29–13-30 analytical procedures, 12-7
Pervasive misstatements, 15-14 sample results evaluation, existence, 13-31 audit data analytics (ADA) and,
Physical controls, 6-13 10-22 flow of transactions, 13-28–13-29 12-27
Planning and supervision, AICPA sample selection, 10-18 fraud risk assessment, 13-32 client’s, understanding, 12-4–12-6
Code, 2-23, 2-24 sample size determination, impairment, examining, control activities for
Planning materiality, 3-11–3-13 10-18–10-21 13-36–13-37 adjustments and
PM. See Projected misstatements sampling unit in, 10-18 importance, understanding, disclosures, 12-24–12-25
Population uses for, 10-17 13-29–13-30 control activities for cash
auditing every item in, 10-5 Processing controls, 6-26 inherent risk assessment, 13-31 disbursements, 12-18–12-21
book value of, 10-21 Procurement process. See initial procedures, 13-33, 13-34 control activities for purchases,
defined, 10-9 Purchasing process as investing activities, 13-28 12-11–12-17
defining, 10-16 Professional competence lead schedule, 13-34 defined, 12-4
estimated standard deviation, AICPA Code, 2-23 plant assets inspection, 13-36 disclosures, 12-25
10-34–10-35 in quality control system, 3-27 repairs and maintenance duplicate payments, 12-9
expected rate of deviation in, Professional judgment expense entries and, 13-35 employee fraud and, 12-9
8-18 in combining evidence, 10-26 restatements of, 13-31 entity and its environment and,
in probability-proportionate-to- defined, 1-12 rights and obligations, 13-31 12-4–12-8
size (PPS) sampling, 10-17 in PPS sampling use, 10-17 risk of material misstatement evaluated receipt settlement
reciprocal, 10-16 in sample size determination, (RMM) assessment, (ERS), 12-21–12-24
selecting specific items from, 10-18–10-21, 10-29 13-29–13-30 example industry traits and, 12-5
9-18 in selecting and evaluating substantive analytical factors that misstate assertions,
size of, 8-18, 9-17, 10-34 sample items, 10-11 procedures, 13-33, 13-34 12-8
stratification of, 10-13 Professional responsibilities, 2-3 substantive tests for, 13-32–13-37 fraud risk assessment, 12-27

Purchasing process (Cont’d) current, 4-17 steps for, 7-30 Revenue process
importance of understanding, debt-to-equity, 4-19 use of, 4-20 analytical procedures for,
12-5 earnings per share (EPS), 4-12 Regulations, compliance with, 11-6–11-8
industry-related factors in, 12-6 gross operating cycle, 4-18 4-10 audit data analytics (ADA) as
inherent risks in, 12-8–12-11 gross profit margin, 4-16 Related parties. See also Risk substantive test,
initial procedures, 12-29, 12-30 inventory turnover in days, 4-18 assessment 11-31–11-32
key assertions, 12-4 liquidity and activity, 4-17–4-19 audit guidance with, 4-22 audit data analytics (ADA) in,
nature of transactions and net operating cycle, 4-18–4-19 company transactions with, 4-22 11-27
balances, 12-3–12-4 payables turnover in days, 4-18 defined, 4-22 auditing, 11-1–11-47
in operating cycle, 12-5 price-earnings (PE), 4-12 example, 4-23 bill-and-hold transactions and,
purchase returns and profit margin, 4-16–4-17 procedures to confirm, 11-10
allowances, 12-24–12-25 profitability, 4-16–4-17 4-22–4-23 client’s, understanding,
relevant assertions in, 12-29 receivables turnover in days, 4-18 Relevance of audit evidence, 5-8 11-4–11-6
risk of material misstatement return on assets (ROA), 4-17 Relevant assertions consignment sales, 11-9
(RMM) and, 12-28 return on stockholders’ equity defined, 5-6, 9-7 consignment sales and, 11-9
substantive analytical (ROE), 4-17 evidence for, 5-13 control activities for cash
procedures, 12-29, solvency, 4-19 identification of, 5-6–5-7 receipts, 11-18–11-22
12-30–12-31 sustainable free cash flow, 4-18 in purchasing process, 12-29 control activities for credit
substantive procedures for, times-interest-earned, 4-19 Reliability sales, 11-12–11-18
12-28–12-33 Reasonable assurance of audit evidence, 5-8 control activities for sales
tests of controls in, 12-26 defined, 1-19 data, 7-6–7-7, 7-13, 7-20–7-21, adjustments and revenue
tests of details of balances, financial statements and, 7-27–7-28, 7-40 process disclosures,
12-30, 12-32–12-33 1-19–1-20 as need for audit and assurance 11-23–11-25
tests of details of presentation and internal controls, 1-25–1-26 services, 1-10 disclosures, control activities
and disclosure, 12-30, 12-33 use in definition, 1-27 Reliability factor over, 11-24–11-25
tests of details of transactions, Reasonable period of time, 14-19 determination of, 10-20 entity and its environment and,
12-29–12-30, 12-31–12-32 Recalculation, 5-15–5-16 PPS samples, 10-25 11-4–11-8
Purchasing transactions, 12-3 Receivable confirmation, for risk of incorrect acceptance, example industry traits and,
5-13–5-14 10-19–10-20 11-5–11-6
Q
Receivables for zero overstatements, 10-20 factors that contribute to
QC10, 3-2
classification of, 11-18 Reliance on controls approach, misstatements in,
Qualified opinion. See also
existence of, 11-18 audit strategy, 3-22–3-23 11-9–11-12
Opinions
misclassified, 11-10 Remittance advice, 6-21, 11-19 fraud risk assessment,
defined, 15-15
overstatement of, 11-12 Remittance report, 6-21, 11-19 11-26–11-27
for departure from financial
turnover in days, 4-18 Remoteness, 1-10 gross sales and, 11-10
reporting framework, 15-16
valuation, at historic cost, 11-18 Repairs and maintenance inherent risks in, 11-9–11-12
for scope limitation, 15-17–15-18
Receiving report expense, 13-35 initial procedures, 11-29,
Qualitative analysis
defined, 11-23, 12-12 Reperformance, 5-15–5-16, 8-14 11-30–11-31
classical variables sampling,
importance of, 12-14–12-15 Report of cash balances, 12-18 key assertions, 11-4
10-39
preparing, 12-14–12-15 Report of vendor invoices due, nature of, 11-3
high risk assertion with, 3-18
Reciprocal population, 10-16 12-18 refund rights and, 11-9
Qualitative materiality, 3-11
Reconciliations Reporting phase, 3-8, 3-10 risk of material misstatement
Quality, 1-5
bank, 6-21, 8-19, 12-18, 13-10 Reputation, 4-5, 4-6, 4-8, 4-9 (RMM) and, 11-27–11-28
Quantitative analysis
detective controls, 8-8–8-9, 8-10 Requisition goods and services, substantive analytical
classical variables sampling,
unconfirmed payables, 12-33 12-14 procedures, 11-29, 11-31
10-38–10-39
Recording cash disbursements, Restatements substantive tests for,
high risk assertion with, 3-19
12-18, 12-19, 12-20 of long-lived assets, 13-31 11-28–11-38
low risk assertions with, 3-20
Recording payables, 12-22 related to expense recording tests of controls in, 11-25–11-26
Quantitative materiality, 3-11
Recording payroll, 12-40 and liabilities, 12-10 tests of details of balances,
Questionnaires, preformatted,
Recording purchases, 12-15, related to inventory, 13-15 11-30, 11-33–11-37
6-29
12-16 of revenues, 11-11–11-12 tests of details of presentation
R Recording sales, 11-16 Results of analytical procedures, and disclosure, 11-30,
Random selection, 10-9–10-10, Recording transactions, 8-4 interpreting, 9-12 11-38
10-21, 10-37 Redundant controls, 12-16 Results of testing controls. See tests of details of transactions,
Ratio analysis Refund rights, 11-9 also Tests of controls 11-29, 11-32–11-33
defined, 4-16 Regression analysis additional tests of controls transaction classes for, 11-3
example, 4-19 access and prepare the data for determination, 8-27–8-28 Revenue recognition, 11-11
liquidity and activity ratios, ADA, 7-32 audit risk assessment revision Revenues
4-17–4-19 defined, 7-30 and, 8-28 classes of transactions of, 11-3
profitability ratios, 4-16–4-17 evaluating the relevance and control risk conclusions and, completeness of, 11-10
solvency ratios, 4-19 reliability of data for, 7-32 3-22 occurrence of, 11-10
Ratio method, 10-30, 10-31, 10-33 evaluating the results and decision tree, 8-26, 8-27 overstatement of, 11-12
Ratios drawing conclusions, 7-34 example, 8-29 premature recognition of, 11-3
ability of cash flow from linear, estimating, 7-30–7-31 investigation of exceptions and, pressure to overstate, 11-9
operations to cover current overview of example, 7-31 8-28 process of earning and
debt and dividends, 4-18 perform the ADA, 7-33 Return on assets (ROA) ratio, recognizing, 11-4–11-5
acid-test (quick), 4-17–4-18 plan the ADA, 7-31–7-32 4-17 process of generating, 11-5
cash earnings per share (CEPS), in searching for notable items, Return on stockholders’ equity restatements of, 11-11–11-12
4-13 7-16 (ROE) ratio, 4-17 trends, 11-7

Review engagement Risk assessment process. See also RMM. See Risks of material Sample results evaluation
analytical procedures and COSO framework; Entity- misstatement classical variables sampling,
inquiries in, 15-32–15-33 level controls ROA (return on assets) ratio, 4-17 10-38–10-39
conclusion of, 15-33–15-34 defined, 6-10 ROE (return on stockholders’ difference method, 10-30, 10-31
conditions for acceptance of, principles, 6-10–6-11 equity) ratio, 4-17 no misstatements found, 10-23
15-32 principles overview, 6-5 Roll-forward procedures, PPS sampling, 10-23–10-27
defined, 15-32 selecting and designing, 8-24 9-15–9-16 qualitative assessment, 10-39
departures from applicable Risk factors Rosenblum v. Alder (1983), qualitative considerations,
financial reporting examples of, 6-11 2-30–2-31 10-26–10-27
framework and, 15-34 external, 6-11 RSM LLP, 1-12 quantitative assessment,
guidance on, 15-32 fraud, 3-26 Rules of conduct, 2-6 10-38–10-39
Review report, 15-33–15-34 internal, 6-11 Rusch Factors v. Levin (1968), 2-30 ratio method, 10-30, 10-31
Right of return, 11-11 Risk of incorrect acceptance some misstatements found,
Rights and obligations assertion classical variables sampling, S 10-23–10-27
cash and cash equivalents, 13-5 10-36 Safeguards upper misstatement limit
category, 5-4 defined, 10-6 documenting, 2-10 (UML), 10-22–10-23
confirmations and, 11-36–11-37 determination of, 10-19 evaluating the effectiveness Sample size
controls over, 11-24 reliability factor for, 10-19–10-20 of, 2-9 calculation of, 10-21
defined, 5-5 results of, 10-7 in guiding CPA, 2-9 detection risk and, 3-21
inventory, 13-17 Risk of incorrect rejection identifying and applying, 2-9 expected misstatement and,
property, plant, and equipment, classical variables sampling, Sale returns, 11-23 10-20
13-31 10-35–10-36 Sales factors that influence,
Risk. See Audit risk defined, 10-6–10-7 accuracy of, 11-17–11-18 10-11–10-13
Risk analysis decision tree, sample size and, 10-20 classification of, 11-18 risk of incorrect rejection and,
7-14–7-15 selected percentages, 10-36 completeness of, 11-17 10-20
Risk assessment. See also specific Risk of material misstatement cutoff of, 11-18 substantive procedures and,
types of risk (RMM) cutoff test for, 11-32–11-33 9-17
ADA use as procedure, assessing, 11-5–11-6 occurrence of, 11-17–11-18 tests of controls and, 8-17
7-13–7-17 audit strategy and, 11-27–11-28, Sales adjustment transactions, tolerable misstatements and,
analytical procedures in, 12-28, 12-44–12-45 11-10 10-20
4-14–4-21 inventory and, 13-19 Sales adjustments Sample size determination
applying ADA as procedure, property, plant, and equipment defined, 11-23 audit decision-making example,
7-17–7-37 and, 13-29–13-30 disclosure committee and, 11-24 10-42–10-43
audit risk in, 3-15 purchasing process and, 12-28 documents and records, 11-23 book value of population tested
audit strategy and, 3-21 revenue process and, sales returns and allowances, and, 10-19
closing procedures and, 11-27–11-28 11-24 calculation, 10-21
4-27–4-28 Risk response uncollectible accounts, 11-24 classical variables sampling,
control risk, 8-3–8-6 elements affecting, 9-6 Sales cycle database, 6-20, 6-21 10-34–10-37
corporate governance and, at financial statement level, Sales invoice, 6-20 estimated population standard
4-23–4-25 9-5–9-6 Sales orders deviation, 10-34
decision tree, 7-14–7-15 procedures for accounting defined, 6-20, 11-14 expansion factors and, 10-20
fraud risk in, 3-25–3-30 estimates, 9-22–9-23, 9-25 filling, 11-15 expected misstatement and,
graphic illustration of, 4-3 Risk response phase shipping, 11-15–11-16 10-20
internal control and audit data analytics (ADA) use Sales process factors that influence, 10-29
information technology and, in, 5-17 common documents and files, formula, 10-19
4-26–4-27 defined, 3-8 6-19–6-20 in nonstatistical sampling, 10-29
loss contingencies and, 14-4 overview, 3-9 credit sales initiation, 6-20 planned allowance for sampling
materiality in, 3-10 Risks database, 11-19 risk, 10-36
procedures for accounting analysis and management of, delivering goods, 6-20 population size, 10-34
estimates, 9-21–9-22, 9-24 6-10 example transaction flows, in PPS sampling, 10-18–10-21
professional skepticism in, 3-14, human, 6-18 6-19–6-21 professional judgment in,
3-15 identification of, 6-10 recording sales, 6-20–6-21 10-18–10-21, 10-29
related parties and, 4-22–4-23 information technology (IT), risks and controls, 6-20–6-21 risk of incorrect acceptance
understanding the client and, 4-26 Sales returns, cutoff test for, and, 10-19–10-20, 10-36
4-3–4-12 Risks of material misstatement 11-33 risk of incorrect rejection and,
Risk assessment phase (RMM) Sales revenue and accounts 10-35–10-36
audit data analytics (ADA) use assessment of, 3-17 receivable validation tolerable misstatement and,
in, 5-17 audit evidence of, 9-5 accessing and preparing the 10-19–10-20
audit risk in, 3-9 in audit risk model, 3-18 data for ADA, 7-39–7-40 tolerable misstatements and,
auditor access to results, defined, 3-17 evaluating results and drawing 10-37
4-20–4-22 high, 3-24, 9-8, 9-10 conclusions, 7-41–7-42 Samples
defined, 3-8 identification of, 9-16 evaluating the relevance and decision to audit, 10-15–10-16
illustrated, 3-10 impact on level of substantive reliability of data for, 7-40 PPS systematic selection
as iterative process, 3-9 testing, 9-3 overview, 7-38 process, 10-22
management assertions in, 5-3 low, 3-22 performing the ADA, 7-40–7-41 random, selecting, 10-21
overview, 3-9 of management assertions, 5-22 planning the ADA, 7-38–7-39 representative, selecting,
setting planning materiality in, reliance on controls approach, Sales to capacity ratio, 11-6 10-21–10-22, 10-29–10-30
3-11–3-13 3-22 Sales to total assets ratio, 11-6 steps in planning and
Risk assessment procedures, 5-11 substantive approach, 3-24 Sales turnover, 11-7 executing, 10-15

Sampling. See also Audit Securities and Exchange Statistical audit sampling, 9-18 Substantive approach, audit
sampling Commission (SEC) Statistical sampling, 10-8 strategy, 3-24
classical variables, 10-33–10-40 audit committee disclosure, Statutory law Substantive procedures
haphazard selection, 2-22 auditor liability under, ADA and, 9-13–9-14
10-10–10-11 Form 10-K filing deadline, 14-7, 2-33–2-40 for audit of inventory, 9-8
methods, 10-9–10-11 14-8 criminal liability, 2-39–2-40 audit risk and, 9-3–9-5
nonstatistical, 10-8–10-9, general standard of auditor defined, 2-33 confirmation bias and, 9-14
10-28–10-31 independence, 2-20 Foreign Corrupt Practices Act control risk and, 9-17
probability-proportionate-to- independence rules, 2-21–2-22 of 1977 and, 2-36 defined, 3-21, 5-11, 9-3
size (PPS), 10-16–10-28 prohibited relationships, legal liability under, 2-33–2-40 detection risk and, 9-17
professional judgement in 2-21–2-22 Private Securities Litigation determining, 10-14
selection of sample items, role of, 1-13 Reform Acts of 1995 and documenting results of,
10-11 Segregation of duties, 6-13, 8-25 1998, 2-36–2-37 9-26–9-27
random selection, 10-9–10-10 Selection Sarbanes-Oxley Act (SOX) and, dual purpose test, 9-7
statistical, 10-8 haphazard, 10-11 2-37–2-38 extent of, 9-16–9-18
stratification, 10-10 random, 10-9–10-10, 10-21, Securities Act of 1933 and, impact of RMM and, 9-3
systematic selection, 10-37 2-34–2-35 inherent risk and, 9-17
10-10–10-11 systematic, 10-10–10-11, 10-22 Securities Act of 1934 and, initial procedures, 9-8–9-9
Sampling interval Self-interest threat, 2-9 2-35–2-36 at interim date, 9-14–9-16
book value equal or greater to, Self-review threat, 2-9 Stratification, 10-10, 10-13 low RMM and, 3-22
10-24 Shareholders’ equity. See also Subordination of judgment, nature of, 9-7–9-14
calculating, 10-21 Financing activities 2-12 performance factors, 9-15
Sampling risk initial procedures, 13-44, 13-45 Subsequent events performing, 9-1–9-36
allowance for, 10-23, 10-36 substantive analytical audit procedures to identify, reliability of data and, 9-11
defined, 10-5, 10-6 procedures, 13-45–13-46 14-9 roll-forward procedures and,
risk of incorrect acceptance, substantive tests of, 13-44–13-47 auditor objective, 14-9 9-15
10-6, 10-7 tests of details of balances, defined, 14-8 sample size and, 9-17
risk of incorrect rejection, 13-45, 13-46 examples of, 14-8–14-9 significant risk and, 9-8
10-6–10-7 tests of details of presentation inquiries of management tests of details, 9-13
when conducting substantive and disclosure, 13-45, regarding, 14-10 timing of, 9-14–9-16
tests, 10-6 13-46–13-47 nature of procedures for, in working papers, 9-27
Sampling unit tests of details of transactions, 14-9–14-10 at year-end, 9-16
defined, 10-9 13-45, 13-46 period illustration, 14-8 Substantive tests
defining, 10-16 Shipping goods, 11-15–11-16 Type I, 14-8 for accounts payable, 12-30
logical, 10-18 Significant deficiency, 6-32, 8-28 Type II, 14-8 audit data analytics (ADA) as,
in probability-proportionate-to- Significant risk Subsequently discovered facts 7-37–7-42, 12-31
size (PPS) sampling, 10-18 accounting estimates as, 9-23 audit procedures, 15-23 audit data analytics (ADA) as,
Samsung, 4-7 defined, 3-16, 9-8 become known after report applying, 7-38–7-42
Sarbanes-Oxley Act (SOX) substantive procedures and, 9-8 release date, 15-24–15-25 audit data analytics (ADA) as,
attest clients and, 2-17 SKU or UPC inventory label, become known before report using, 7-37–7-38
audit committee and, 2-20, 4-25 13-17 release date, 15-22–15-24 for cash balances, 13-5–13-11
changes for auditors, 2-37–2-38 Small entities defined, 15-22 classical variables sampling for,
changes for management of internal control in, 6-17–6-18 dual dating and, 15-23–15-24 10-33–10-40
public companies, 2-38 risk of management override, example, 15-24 determining objectives of, 10-14
Corporate and Criminal Fraud 6-18 time gap illustration, 15-22 factors that influence the
Accountability Act, 2-38 Software-based audit techniques, Substantive analytical procedures sample size, 10-11–10-13
creation of, 2-4 8-14 audit reasoning example, 9-11 at interim date, 7-37
defined, 2-37 Solvency cash balances, 13-6, 13-7 for inventory, 13-19–13-28
independence guidelines, 2-18 defined, 4-13 conducting, 9-2 of long-term debt, 13-41–13-44
non-audit fees and, 2-22 ratios, 4-19 decision to use, 9-9 matching information, 7-37
Scanning, 5-16 Specialists defined, 9-7, 9-9 nonstatistical sampling for,
Scienter, 2-36 defined, 5-18 documentation in working 10-28–10-32
Scope limitation IT auditors, 5-20 papers, 9-12 for payroll process, 12-45–12-48
characteristics of, 15-14 report assessment, 5-19 examples that provide probability-proportionate-to-size
defined, 15-17 scope determination, 5-19 persuasive evidence, 9-10 sampling for, 10-16–10-28
disclaimer of opinion, using work of, 5-18–5-19 factors impacting effectiveness for property, plant, and
15-18–15-19 Starbucks, 14-26 and efficiency, 9-9–9-10 equipment, 13-32–13-37
example, 15-19–15-20 State boards of accountancy, 1-18 interpreting results of, 9-12 for purchasing process,
imposed by management, 15-17 Statements on Auditing inventory, 13-19, 13-21 12-28–12-33
modified opinion on ICFR, Standards (SASs), 1-15, 1-16 long-term debt, 13-42 for revenue process,
15-29 Statements on Quality Control payroll process, 12-46, 12-47 11-28–11-38
qualified opinion for, Standards (SQCSs), 1-16 property, plant, and equipment, sampling risk when conducting,
15-17–15-18 Statements on Standards for 13-33, 13-34 10-6
scenarios, 15-17 Accounting and Review purchasing process, 12-29, of stockholders’ equity,
Search for unrecorded liabilities, Services (SSARSs), 1-16 12-30–12-31 13-44–13-47
12-32 Statements on Standards for revenue process, 11-29, 11-31 tests of details of balances,
Sears Holding Corporation, 13-3 Attestation Engagements shareholders’ equity, 11-30
Securities Act of 1933, 2-34–2-35 (SSAEs), 1-16 13-45–13-46 tests of details of presentation
Securities Act of 1934, 2-35–2-36 Statistical analysis, 7-16 use of, 9-10 and disclosure, 11-30

tests of details of transactions, tolerable deviation rate, 8-17 substantive tests, 11-29 sales process, 6-19–6-21,
11-29 top-down approach, 8-16 vouch recorded payables, 12-31 11-13–11-16
Sufficient audit evidence, 5-7, working paper, 8-29–8-30 vouch revenue transactions, understanding, 8-3–8-4
5-9–5-10 “yes or no” decision, 8-26 11-32 Transaction-level internal
Sufficient relevant data, AICPA Tests of details, 9-13. See also Third parties controls
Code, 2-23 specific types of tests of defined, 2-29 audit strategy for assertions,
Sunbeam Corporation, 2-4, 11-10 details liability to, 2-29 6-19
Suppliers, as financial statement Tests of details of balances payment processor, 12-22 defined, 6-19
user, 1-9 cash balances, 13-6, 13-8–13-11 Those charged with governance example, 6-22
Sustainable cash flow from confirmation of accounts communication with, for purchases, 12-11
operations, 4-13 payable, 12-32–12-33 14-24–14-26 transaction flows—cash
Sustainable free cash flow, 4-18 confirmation of accounts continuing as going concern receipts, 6-21–6-22
System software acquisition, receivable, 11-33 and, 14-21 transaction flows—sales
change, and maintenance evaluating the allowance for defined, 1-8, 4-24 process, 6-19–6-21
controls, 6-24 doubtful accounts, 11-37 management representation walk-through, 6-19
Systematic selection, 10-10–10-11 long-term debt, 13-42, 13-44 letter and, 14-22–14-24 Transactions
payroll process, 12-46, 12-48 written representation and, authorization of, 8-3
T procedures, 11-33 14-21–14-22 bill-and-hold, 11-10
Tainting percentage (TP), 10-24 property, plant, and equipment, Threats cash disbursement, 12-18–12-21
Technology. See also Information 13-33, 13-36–13-37 adverse interest threat, 2-8 cash receipts, 11-20–11-22
technology (IT) purchasing process, 12-30, advocacy threat, 2-8 clustering, 7-15
changes in, 4-4 12-32–12-33 documenting, 2-10 credit sales, 11-15–11-18
control activities over, 6-13–6-14 reconcile unconfirmed payables evaluating the significance of, executing, 8-3–8-4
Test counts, working paper, 13-24 to vendor statements, 12-33 2-9 factors that influence sample
Tests of controls. See also Internal revenue process, 11-30, familiarity threat, 2-8, 2-10 size in testing, 10-12
control(s) 11-33–11-37 identifying, 2-8–2-9 financial, recording, 13-40
additional, determination of, shareholders’ equity, 13-45, management participation multiple, below key threshold,
8-27–8-28 13-46 threat, 2-8 7-24–7-25
attribute sampling, 8-19 substantive tests, 11-30 self-interest threat, 2-9 payroll, 12-34
benchmarking, 8-22–8-23 Tests of details of presentation self-review threat, 2-9 purchase, 12-15–12-16
control exceptions (deviations), and disclosure undue influence threat, 2-9 purchasing, 12-3
8-19–8-20 cash and cash equivalents, 13-5, Time cards, 12-38 recording, 8-4
defined, 3-21, 5-11, 8-13 13-11 Time-series analysis, 4-20 revenue, 11-3
desired level of assurance, 8-18 inventory, 13-20, 13-27 Times-interest-earned ratio, 4-19 sales adjustment, 11-10
documenting conclusions, long-term debt, 13-42, 13-44 Timing scanning, as initial procedure,
8-29–8-31 payroll process, 12-46, 12-48 of audit, 8-22 9-9
example of process, 8-15 property, plant, and equipment, of audit procedures, 3-21 screening decision, 9-16
examples of selecting and 13-33, 13-37 of substantive procedures, subject to management
designing, 8-23–8-25 purchasing process, 12-30, 9-14–9-16 discretion, 9-10
expected rate of deviation in the 12-33 of tests of controls, 8-21–8-22 tests of details of, 11-29,
population, 8-18 revenue process, 11-30, 11-38 Tolerable deviation rate, 8-17 11-32–11-33
extent of, 8-17–8-21 shareholders’ equity, 13-45, Tolerable misstatements. See also trace revenue, 11-32
extent of testing table, 8-18 13-46–13-47 Misstatements vouch revenue, 11-32
factors in identifying, 8-16–8-17 substantive tests, 11-30 classical variables sampling, Transfer agent, 13-40
factors that influence sample Tests of details of transactions 10-37 Trends
size, 8-17 audit data analytics (ADA), 7-37 defined, 10-13 analysis of, 4-15
inquiry procedure, 8-13 cash balances, 13-6, 13-7–13-8 ratio of desired allowance for in gross margins compared
inspection procedure, 8-14 cutoff tests for cash receipts, sampling risk to, 10-36 with market share, 11-7
at interim date, 8-22 11-33 sample size and, 10-20 revenue, 11-7
inventory, 13-17 cutoff tests for sales and sales upper misstatement limit Trial balance, obtaining as initial
IT application controls, returns, 11-32–11-33 (UML) and, 10-26–10-27 procedure, 9-9, 11-31
8-20–8-21 examining subsequent Top-down approach, 8-16 Type I subsequent events, 14-8
manual controls, 8-19 payments, 12-32 Tort law, 2-28 Type II subsequent events, 14-8
observation procedure, 8-14 inventory, 13-19–13-20, Toshiba, 3-28, 3-29–3-30
for payroll, 12-43 13-21–13-22 Trace revenue transactions, 11-32 U
PCAOB evidence on, 8-12–8-13 long-term debt, 13-42, 13-43 Tracing, 5-11–5-12 Ultramares Corp. v. Touche (1931),
performing, in control risk payroll process, 12-46, 12-47 Transaction flows 2-29–2-30
assessment, 8-5 property, plant, and equipment, authorization, 8-3 UML. See Upper misstatement
procedures for, 8-13–8-14 13-33, 13-35–13-36 cash and cash equivalents, 13-3 limit
in purchasing process, 12-26 purchase cutoff test, cash receipts, 6-21–6-22, Uncollectible accounts
reperformance, 8-14 12-31–12-32 11-19–11-21 allowance for, evaluating, 11-37
results of, 8-26–8-29 purchasing process, 12-29–12-30, consideration, 8-4 determining, 11-24
in revenue process, 11-25–11-26 12-31–12-32 credit purchases, 12-12–12-15 Uncollectible accounts expense
selecting and designing, revenue process, 11-29, execution, 8-3–8-4 to accounts receivable write-offs
8-16–8-17 11-32–11-33 financing activities, 13-38 ratio, 11-7
software-based techniques, 8-14 search for unrecorded inventory, 13-12 to net credit sales ratio, 11-7,
summary of selecting and liabilities, 12-31 property, plant, and equipment, 11-8
designing, 8-23–8-25 shareholders’ equity, 13-45, 13-28–13-29 Uncorrected misstatements,
timing of, 8-21–8-22 13-46 recording, 8-4 evaluation of, 14-14–14-16

Understandability, management Undue influence threat, 2-9 Upper misstatement limit (UML). What can go wrong (WCGW)
assertion, 5-4, 5-6 United States v. Natelli (1975), See also Sample results cash receipts, 11-21
Understanding the client 2-39–2-40 evaluation credit sales, 11-16–11-18
compliance with laws and United States v. Simon (1969), calculation example, 10-26 defined, 8-4
regulations and, 4-9 2-39 calculation of, 10-23 identifying, 8-4
entity and, 4-3–4-7 United States v. Weiner (1978), defined, 10-22 inventory, 13-16
industry and business 2-40 tolerable misstatements and, payroll process, 12-40–12-42
environment and, 4-8–4-9 Unmodified audit report 10-26–10-27 purchases, 12-15–12-17
performance measurement addition paragraph for, use of, 10-22–10-23 in selecting controls for
approaches and, 4-12–4-13 15-7–15-12 testing, 8-16
V
in risk assessment, 4-3 components of, 1-22, 15-5 Work of others
Valuation
Understanding the entity and its defined, 1-21 another auditor, 5-23
cash balances, 12-21, 12-23
environment, 4-4–4-6 emphasis-of-matter paragraph, internal auditors, 5-20–5-22
of inventory, 3-24, 13-17
cash and cash equivalents, 13-3 15-7–15-8 specialist, 5-18–5-20
of payables, 12-17
changes in technology and, example of, 1-21–1-22, 15-4 using, 5-18–5-23
of receivables, 11-18
4-4–4-6 illustrated, 1-21 Working paper review
Valuation and allocation
client’s reputation and, 4-5, 4-6 standard, 15-3–15-12 defined, 14-16
assertion
discounts and, 4-5, 4-6 unmodified opinion, 15-4 engagement partner and,
cash and cash equivalents,
factors that influence, 4-4–4-7 Unmodified opinion 14-17
13-5
financing activities, 13-39 based in part on report example, 14-16–14-17
category, 5-4
guidance in, 4-4 of another auditor, items to consider in, 14-16
defined, 5-5–5-6
importer or exporter of goods 15-12–15-13 Working papers
property, plant, and equipment,
and, 4-4, 4-5 with consistency emphasis- classical variables sampling,
13-31
inventory, 13-12–13-13 of-matter paragraph, 15-9, 10-40
Vendor invoice, 12-12
major customers and, 4-4, 4-5 15-10, 15-11 current file, 5-25–5-26
Vendors, fictitious or phantom,
major suppliers and, 4-4, 4-5 defined, 15-4 defined, 5-24
12-27
operations and, 4-5, 4-6 with going concern emphasis- elements of, 5-24
Visualization
ownership structure and, 4-5, 4-7 of-matter paragraph, 15-8 examples of, 5-26–5-29
audit data analytics (ADA),
payroll process, 12-35–12-37 Unqualified audit report on illustrated, 5-27, 5-28
7-34–7-36
property, plant, and equipment effectiveness of ICFR inventory working paper,
characteristics of, 7-34–7-35
and, 13-29 components of, 1-27 13-24
defined, 5-17, 7-34
relations with employees and, defined, 1-26 lead schedules, 5-26
for dual purposes, 7-36
4-5, 4-6 example of, 1-26–1-28 likely misstatement,
misleading, 7-35
selection/application of illustrated, 1-26–1-27 14-14–14-15
in searching for notable items,
accounting principles and, unqualified opinion on, 8-28 nonstatistical sampling, 10-32
7-15–7-16
4-5, 4-6 Unqualified audit report on permanent file, 5-25
undistorted, 7-36
significant accounts and classes financial statements PPS sampling, 10-27–10-28
use of, 7-35
of transactions and, 4-5, 4-6 components of, 1-23 preparation and storage, 5-26
Vouchers
sources of financing and, 4-5, defined, 1-22 substantive analytical
defined, 12-12, 12-18
4-6–4-7 example of, 1-22–1-23, procedures use, 9-12
purpose of, 12-17
warranties and, 4-4–4-6 15-5–15-6 substantive procedures in, 9-27
Vouching
Understanding the industry and illustrated, 1-22–1-23 tests of controls, 8-29–8-30
defined, 5-11
business environment summary of components of, WorldCom, 2-4–2-5, 3-4, 4-28,
for revenue transactions, 11-32
demand and, 4-8, 4-9 15-6 13-31
economy and, 4-8, 4-9 unmodified audit report and, W Written representation,
legal, political, and regulatory 1-22 Walk-through 14-21–14-22
environment and, 4-8, 4-9 Unqualified opinion on defined, 6-19
level of competition and, 4-8, effectiveness of ICFR performing, 11-13 Y
4-9 defined, 15-26 Warranties, 4-4–4-6 Year-end, substantive procedures
overview, 4-8 example, 15-26–15-27 Waste Management, 2-4 at, 9-16
reputation and, 4-8, 4-9 summary of components, 15-27 Wells Fargo, 5-5 “Year-end” period, 3-21, 3-22
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
