Module #04: Financial Statement Audit Process

Definition of Auditing
 Auditing is defined as the systematic process of objectively obtaining and evaluating
evidence in order to be able to establish a degree of correspondence between an assertion
(financial statements) and an established criteria (PFRS) and evaluating the results to the
intended users.

Complete Set of Financial Statements

1. Statement of Financial Position
2. Statement of Comprehensive Income
3. Statement of Changes in Owner’s Equity
4. Statement of Cash Flows
5. Notes to the Financial Statements

Objective of an audit and an auditor

 The objective of an audit ends with the expression of an opinion, while an auditor’s
objective is to obtain reasonable assurance that the financial statements are free from
material misstatement. The end objective of the engagement itself is to be able to get
your report while the auditor’s end objective is to be able to obtain reasonable
assurance.

Responsibilities of Management
1. Identifying the financial reporting framework
2. Preparation and presentation of the financial statements
3. Implementing an effective internal control structure
4. Selecting accounting policies
5. Making accounting estimates

The preparation and presentation of the financial statements is the responsibility of the
management and not the auditor. The responsibility of the auditor would be the auditor’s report.

Basic Concepts
1. Auditor Independence
o The auditor must not be easily influenced. Your decision is not subordinate or
easily subordinated to that of others. Independence has 2 kinds:
a. Independence In Mind
 Only the auditor, themselves can determine if they’re
independent.
b. Independence In Appearance
 Whenever you look independent in the eyes of the public.

Example: Henry Sy, assuming he is an auditor, he is engaged in the audit of X company. The
management of X company gave Henry Sy a Toyota Vios. There is an impairment in
independence. Though there is no independence in mind, because for Henry Sy, the Toyota Vios
car is very immaterial, there is still independence in appearance because in the eyes of the
public, a car is a car.

2. Professional Skepticism
o The auditor must adopt an attitude of questioning mind, meaning, the auditor
must not be gullible or easily convinced with whatever the client is presenting.
 The management representation is not a substitute for sufficient and appropriate
evidence.

3. Conduct of an Audit
o As a general rule, it must comply with the PSAs and the practice statements.
There are exceptional circumstances where we have to depart for justifiable
reasons.

Example: If the Auditor was belatedly appointed, then chances are, the client would request that
the confirmation letters no longer be sent because the client would argue that by the time the
auditor would receive the confirmation reply then the financial statement would have already
been released. If that would be the case, sending of confirmation letters is a required procedure
under the PSA, but the auditor would have no choice but to permit the client, but what would be
the remedy, we would have to perform an alternative procedure, tracing the collection in the
subsequent cash receipts.

4. Scope of the Audit

o The laws, rules, and regulations are always superior to the PSAs. There are two
types of audit evidences:
a. Accounting Records
 general journal, special journal, general ledger
b. Other Information
 all evidence gathered by the auditor that does not form part of
the accounting records (e.g. minutes of the meeting, third-party
confirmation, controls manual)
5. Audit Materiality
o Materiality is considered to be material if it can affect one’s decision. The audit
materiality is actually our threshold or cut-off point. The lower the tolerable
misstatement of the auditor, the higher the audit procedure that must be
performed.

Example: If the risk of material misstatement is high, use B; If the risk of material misstatement
is low, use A.
A B

Planning Materiality (PM) 100% 100%

Tolerable Error (TE) 75% 50%

Summary of Audit Difference (SAD) 25% 15%

6. Audit Risk
o So in general, a type of information risk is actually audit risk. An audit risk is
actually the risk or likelihood that the auditor will issue an inappropriate opinion.
It is expressed either Quantitative or Non-quantitative.
 Quantitative is usually a certain percentage (i.e. 8% of total assets)
 Non-quantitative is setting audit risk at either Low, Medium or High

Formula: Inherent Risk x Control Risk x Detection Risk

 o Inherent risk and control risk is actually a component of the risk of material
misstatement.
o The risk of material misstatement is the risk that the financial statements are
materially misstated prior to the audit. There are 2 kinds:
a. Inherent risk
 The risk that there is a misstatement even in the absence of an
internal control structure. (e.g. cash and inventory are highly
liquid assets, and they are always susceptible to theft, without
any consideration of internal control, you have to consider the
fact that it is prone to theft)
b. Control risk
 Risk that there is a misstatement that is not prevented or
detected by the internal control structure. (e.g. there is no
segregation of duties, so custody, authorization, recording,
and execution (CARE), must be, as a rule, assigned to different
people. If it is assigned to one person, it is considered a material
deficiency in the internal control structure.)

 Inherent risk and Control risk are independent components, we cannot alter them, we
cannot modify them, we can only respond and how do we respond? We respond by
setting up our detection risk.

 The relationship between the risk of material misstatement and detection risk is actually
inverse. Whenever you have a high risk of material misstatement, the lower detection
risk level that you should set. Whenever you have a lower risk of material misstatement,
the higher the acceptable detection risk that will be accepted by the auditor. The reason
for this is we want to achieve efficiency and effectiveness of our audit.

 Detection Risk - is the risk that the misstatement is not actually detected by the auditor.

Financial Statement Audit Process

1. Pre-engagement
2. Audit Planning
3. Internal Control
4. Substantive Testing
5. Audit Completion
6. Audit Report
7. Post-audit Responsibilities

Pre-Engagement
 Involves screening of new and existing clients. In the pre-engagement, you are trying to
determine: Should I accept this new client? or Should I continue with a client that I
already have?
 Usually we prepare a checklist, we do our research for a prospective or a recurring client.
The important thing is we have to consider the ethical requirements as early as pre-
engagement.

What are the two primary ethical requirements that you should consider:
1. Independence
 o Annual Independence Confirmation (sometimes conducted every May 2)
wherein the auditor actually accomplishes a checklist to ensure that they have no
conflict of interest in the engagement. The checklist is the firm’s way of
ensuring that all the people that are assigned in the team are independent. On a
per engagement basis.
2. Professional Competence
o General rule, if you are not competent, do not accept the engagement. Except
when you have time to gain the competence or if you have the money to hire
experts to help you or to assist you in the engagement. Minimum, if you do not
accept the engagement, at least refer to another CPA.

What are the things that are considered in the pre-engagement?

 You must communicate with your predecessor auditor. It is the successor auditor that
initiates the communication. Client permission is always required.

The predecessor auditor is the auditor for last year. The successor auditor is the current year
auditor.

What are the questions that you must ask the predecessor auditor?
 What are the disagreements between the predecessor auditor and management, especially
disagreements on the accounting principles and audit procedures?
 What are the reasons for the change in auditor?
 What are the matters that bear an integrity on management?

For example, the successor auditor would like to communicate with the predecessor auditor. The
first thing he must do is to get the consent from the client. If the client does not accept, reject the
engagement. If the client says yes, then the successor auditor will now communicate with the
predecessor auditor. The predecessor cannot immediately respond to the successor auditor. The
predecessor auditor must first get the consent of the client. If the client refuses to give his
consent, reject the engagement. If the client gives his consent, continue. The predecessor auditor
can now freely communicate with the successor auditor.

Contents of Engagement Letter (MISUROT)

1. Management’s responsibility for the FS
2. Inherent Limitation of the Audit
3. Scope of the Engagement
4. Unrestricted Access to Documents and Records
5. Reports that are to be issued
6. Objectives of the engagement
7. Time Table and Fees

When to send a separate engagement letter (audit of a component)

 You have an audit of a component, whenever there is actually a parent and a subsidiary
relationship. If you are the auditor of the subsidiary, also the auditor of the parent, is
there a requirement for you to send a separate engagement letter to the parent company.
There are instances cited by the standard when it is appropriate to send a separate
engagement letter (IOSALE):
o Independence of component management
 If highly independent, issue a separate audit report
o Ownership by the parent
o Separate
  whenever a separate audit report is issued
o Who appointed the component auditor
o Legal requirements
o Extent of any work performed by other auditors

When to send a new engagement letter

 General rule, if it’s a recurring client, we no longer send another engagement letter
because at times there are instances where it's the same as the prior year. But again, there
are instances that would move the auditor to still send a new engagement letter despite
the fact that this is a recurring client:
o If there is a misunderstanding
o Whenever there is a legal requirement or a new law requiring you to send an
engagement letter annually
o Whenever there is a change in reporting framework, ownership, nature or size of
the entity, terms of the engagement or whenever there is a change in senior
management.

Change in Terms of Engagement

 Whenever you are initially contacted by the client, and the client told you that “I will
hire you for an audit engagement.” Then, two days later the client changed his mind and
now informs you “We will no longer be performing audits, instead we’ll be performing
reviews” (or vice versa). Is that allowable under the standard?

a. Review to Audit
 There are no restrictions. The level of assurance that you can obtain
went higher from limited to reasonable.
b. Audit to Review
 There is a limitation as to the scope because from a reasonable assurance
you are now going down to limited assurance.

What are the things that you should consider whether you should still continue with the
engagement?
 Change in Circumstance
o for example, the client hired you because the client will be obtaining a loan from
a bank and then eventually the client was informed by the bank that a review
engagement would already suffice, then there is a change in circumstance that
justifies the change in engagement and even though it is a change from audit to
review you should still accept the justification of the client.
 Whenever there are misunderstandings
o you can still continue with the engagement despite the fact that it is from an
audit to a review

Whenever there are no justifiable reasons given by the client and its changing the engagement
from audit to review, you should no longer continue with the engagement because why is the
client restricting the scope of the engagement.

Audit Planning
 You have to be able to determine the strategy or approach that will be adopted by the
auditor. You have to be aware of the strengths and weaknesses of your clients during this
stage. There are two kinds of strategies adopted by the auditor:
 1. With reliance
 Whenever there is a less than high risk, meaning, the client has a strong
internal control structure
2. No reliance
 Whenever you have a high risk client, or whenever the client has weak
controls.

Control Risk Assessment Approach Implications

High – Ineffective ICS No Reliance No Test of Control

More evidence
More procedures
More ST

Less than high – Effective ICS Reliance Test of Controls

Less evidence
Less procedures
Less ST

Steps:
1. Obtaining an understanding of the client and its environment
2. Determining the need for experts
3. Establishing materiality and assessing risk
4. Assessing the possibility of non-compliance
5. Identifying related parties
6. Performing preliminary analytical procedure
7. Development of overall audit strategy and detailed audit plan; preparation of preliminary
audit program

a. Audit Plan
 Summary of the procedures from the start to the end of the audit;
Performs risk assessment procedures:
 Inquiry,
 Inspection,
 Observation, and
 Analytics
b. Audit Program
 Procedure on an account or per transaction cycle; the to-do list

Contents of Audit Plan (CORNIK)

– Coordination, Direction, Supervision and Review
– Other Matters (General Concern, Related Parties)
– Risk and Materiality
– Nature, Timing, and Extent of Procedures
– Internal Control
– Knowledge of Entity or Environment

Study and Evaluation of Internal Control

  The end product is to be able to determine the nature, timing, and extent of your audit
procedure, also known as, the scope of your audit.
 What are the different procedures in the study and evaluation of internal control?
o Inquiry
o Inspection
o Observation, and
o Reperformance

 We also conduct the walkthrough here. Walkthrough is going through the transaction
cycles of the client and tracing through the system, the different source documents.
There is no need to gather samples because you are just trying to study the internal
control of the client.

 Study of the internal control is always required but the evaluation of internal control is
not always required. You only evaluate the internal control when the strategy that you
are going to adopt is the reliance approach.

Steps:
 Obtain and document understanding of internal control
 Make a preliminary assessment of control risk
 Determine the auditor’s response to risk assessment
 Reassess control risk
 Determine the nature, timing, and extent of audit procedure

Substantive Testing
Procedures in Substantive Testing:
 Inquiry - Weakest
 Inspection
 Observation - 2nd Strongest

 Recalculation
 Confirmation - Strongest

Two types of substantive testing:

1. Substantive Analytics
o Less effective procedure, more reliance on substantive analysis, lesser
reliance on test of detail.
2. Test of Detail
o All the other procedures, except analytics. More effective procedure,
more reliance on test of detail, lesser reliance on substantive analysis.

Two types of test of detail:

1. Test of Balance
o Trying to perform a procedure in relation to the ending balance.
2. Test of Transaction
o Trying to perform a procedure in relation to the transactions

Recommendation Letter → Where you actually communicate with your clients, the different
areas of internal control that actually needs improvement.
 After performing our procedures, there are now audit findings and audit differences,
meaning these are the items that require adjustments in the client books, provided that the
amount is material.

If the client accepts your proposal there is no problem, you will still issue an unqualified
opinion. However the client now wishes to stick with the original amount in the financial
statement and does not wish to accept your proposal, then that is the time that you have no choice
but to modify your report.

Steps:
 Description of Substantive test
 Reporting of Audit Findings
o PAJE (Proposed Adjusting Journal Entries)
o CAJE (Client Adjusting Journal Entries)
 Resolution of Audit Differences

Summary
Procedures (Summarized)

Risk Assessment Process Test of Controls Substantive Test

Inquiry Inquiry Inquiry Inspection

Inspection Inspection Observation Observation
Observation Reperformance Analytics
Analytics Recalculation
Confirmation

Analytics

Planning Required

Evidence Optional

Opinion Required

Completing the Audit

 The most important thing that we should consider here is the subsequent events review.
In the subsequent events review, we identify what are the events or transactions that
happened after the reporting date, which are usually covered by IAS 10 - Events after the
Reporting Period, whether there is a need for an adjustment in the financial statement or
an additional disclosure.
 In completion, you do your final review of the financial statements, and you ensure that
all required disclosures are actually there in the financial statements.

Steps:
 Final materiality judgments
 Summarize and evaluates audit findings
 Reviews working papers
 Reviews financial statement presentation and disclosure
 Considers subsequent events
Post-audit Responsibilities
So the different auditors report that would be issued:
1. Unqualified opinion
o is issued whenever the financial statements are fairly stated in all material
respects, it is actually known as the most common opinion.
2. Adverse Opinion
o whenever the financial statements are very materially misstated.
3. Qualified Opinion
o aka except for, when the financial statements are either just materially misstated
or there is a material scope limitation then the opinion that you would issue is
Qualified, the wording would be “the financial statements are fairly stated in all
material respect except for the inventory account which should be reports as etc.
4. Disclaimer
o when you have a very material scope limitation, you usually issue disclaimer
whenever the auditor was not able to gather sufficient and appropriate evidence
or there are impairment in independence that it's not appropriate for you to issue
an audit report.

Steps:
 Considering events during the audit
 Analyzing the activities within the audit
 Producing recommendations