Cpa Aud Su1 CC Merged

1
CPA AUD – STUDY UNIT 1

Engagement Responsibilities
Rapid Review
Overall Objectives and Conducting an Audit

The purpose of an audit is to provide financial statement users with an opinion by the auditor on
whether the financial statements are presented fairly, in all material respects, in accordance with the
applicable financial reporting framework. An auditor’s opinion enhances the degree of confidence that
intended users can place in the financial statements.
The auditor’s objective is to obtain reasonable (not absolute) assurance about whether financial
statements as a whole are free from material misstatement, whether due to fraud or error.
Under the ASB’s standards (for nonissuers), financial statements implicitly or explicitly include
management’s assertions about the fair presentation of information. These include assertions about
● Classes of transactions and events for the period (income statement and statement of cash flows)
■ Occurrence
■ Completeness
■ Accuracy
■ Cutoff
■ Classification
■ Presentation
● Account balances at period end (the balance sheet)
■ Existence
■ Rights and Obligations
■ Completeness
■ Accuracy, Valuation, and Allocation
■ Classification
■ Presentation
The PCAOB’s AS 1105, Audit Evidence, describes five assertions to be applied selectively to the
financial statement transactions, balances, and disclosures. These are essentially the same as those
issued by the Auditing Standards Board (ASB).
1. Existence or Occurrence
2. Completeness
3. Valuation or Allocation
4. Rights and Obligations
5. Presentation and Disclosure
The degrees of responsibilities imposed on auditors are categorized as unconditional responsibility,

presumptively mandatory responsibility, and responsibility to consider.
Copyright © 2023 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.
2 CPA AUD – Study Unit 1
Accounting and Review Services
The Statements on Standards for Accounting and Review Services (SSARSs) define preparation,
compilation, and review services. An accountant should not report on the unaudited financial
statements of a nonissuer or submit them to the client or others unless (s)he complies with the
SSARSs.
An accountant must issue a report when (s)he compiles or reviews financial statements.
A preparation is the presentation in statement form of information of management without attaching

a report.
A compilation is the presentation in statement form of information that is the representation of

management without expressing any assurance in a report.
A review consists of applying analytical procedures, making inquiries of management, and obtaining
representations from management that provide a reasonable basis for expressing limited assurance.
Independence is required for a review but not a preparation or a compilation.
Attestation Engagements
In an attestation engagement, a practitioner performs an examination, a review, or agreed-upon

procedures. The report is directly on subject matter, or an assertion about subject matter (for
examinations or reviews), that is the responsibility of another party.
● In an examination or review engagement, a party who is not the practitioner makes an assertion
about whether the subject matter is measured or evaluated in accordance with suitable criteria.
● In an agreed-upon procedures engagement, the practitioner applies procedures to subject matter

and reports the results of those procedures.
Additional Professional Services
Assurance and advisory services are independent professional services that improve the quality,
relevance, and usefulness of information, or its context, for decision makers. The practitioner needs
to be independent.
Consulting services are professional services that use the practitioner’s technical skills, education,
observations, experiences, and knowledge of the consulting process. The practitioner need not be
independent.
CPA AUD – Study Unit 1 3
Quality Control
Quality control standards apply to the conduct of a firm’s practice as a whole. They require that a
CPA firm have a quality control system.
The six control elements include

1. Leadership responsibilities for quality within the firm (the “tone at the top”),
2. Relevant ethical requirements,
3. Acceptance and continuance of client relationships and specific engagements,
4. Human resources,
5. Engagement performance, and
6. Monitoring.
The Sarbanes-Oxley Act also requires public accounting firms to adopt quality control standards.
1

Professional Responsibilities
Rapid Review
Code of Professional Conduct
Principles are goal-oriented but nonbinding.

● Responsibilities. Exercise sensitive professional and moral judgments.
● The public interest. Act to benefit the public interest.
● Integrity. Use the highest degree of integrity.
● Objectivity and independence. Maintain objectivity and, when providing attestation services, be
free of conflicts of interest and independent in fact and appearance.
● Due care. Use due care.
● Scope and nature of services. Follow the Principles of the Code of Professional Conduct in
determining the nature and scope of services.
All of the following Rules must be followed by members in public practice:

(1)
● Integrity and Objectivity
● Independence
(1)
● General Standards
(1)
● Compliance with Standards
(1)
● Accounting Principles
(1)(3)
● Acts Discreditable
● Contingent Fees
(2)
● Commissions and Referral Fees
● Advertising and Other Forms of Solicitation
● Confidential Client Information
● Form of Organization and Name
(1)
These Rules also apply to members in business.
(2)
This Rule also applies in part (referrals) to all members and in part (commissions) to members in public
practice.
(3)
This Rule also applies to other members (those not in public practice or in business).
Conceptual framework. Members in public practice and members in business should apply the
conceptual framework when no specific rule applies.
● Identify threats. Threats are relationships or circumstances that a member encounters in various
engagements and work assignments that may compromise compliance with the rules.
● Evaluate the significance of a threat. The member should determine whether an identified threat
is at an acceptable level. A threat is at an acceptable level when a reasonable and informed third
party who is aware of the relevant information would be expected to conclude that the threat would
not compromise the member’s compliance with the rules.
● Identify and apply safeguards. If, in evaluating the significance of an identified threat, the
member concludes that the threat is not at an acceptable level, the member should apply
safeguards to eliminate the threat or reduce it to an acceptable level.
Independence
A member must be independent of mind and in appearance when performing auditing or attestation
services.
Independence is impaired if a covered member has the following interests or relationships:

● Direct financial interest in a client
● Loans to or from a client or its officers, directors, or ≥10% owners (with some exceptions)
● Material indirect financial interest in a client
● Trustee of a trust or executor of an estate with direct or material indirect financial interest in a client
● Material joint, closely held investment with a client
● Firm partner or professional employee owns more than 5% of a client
● Associated (or formerly employed) with a client as an officer, director, or manager
● Immediate family members who hold key positions with the client
● If certain nonattest services are performed for an attest client
● Assuming management responsibilities for an attest client
Integrity and Objectivity
A member must (1) maintain objectivity and integrity, (2) be free of conflicts of interest, (3) not
knowingly misrepresent facts, and (4) not subordinate his or her judgment to others
A conflict of interest may be permitted if disclosures are made and consent is obtained, but an
independence objection cannot be overcome by disclosure and consent.
A member’s opinion may differ from others. Thus, if a member concludes that appropriate action
was not taken and a material misrepresentation of fact or violation of laws or regulations exists, the
member should consider ending the relationship.
Professional Standards
General standards rule. A member shall comply with the general standards and interpretations
issued by designated bodies.
Compliance with standards rule. A member who performs professional services shall comply with
standards issued by designated bodies.
Accounting principles rule. Any material departure from an accounting principle issued by an
AICPA-designated standards setter prevents a member from
● Expressing an opinion that the statements are presented in conformity with GAAP and
● Stating that (s)he is not aware of any material modifications that should be made to achieve
conformity with GAAP.
Responsibilities to Clients
Confidential client information rule. A member in public practice must not disclose confidential
client information without the client’s consent.
Other Responsibilities
Acts discreditable rule. A member must not commit an act that is discreditable to the profession.
Advertising and other forms of solicitation rule. A member in public practice must not seek to
obtain clients by false, misleading, or deceptive advertising or other forms of solicitation.
Contingent fees rule. Contingent fees are prohibited for audits, examinations, reviews, and many
other services.
Commissions and referral fees rule. Prohibited commissions are those received when a member in
public practice (1) recommends or refers a product or service to a client or to be supplied by a client
and (2) also performs an audit, review, compilation, or examination for a client.
● A permitted commission must be disclosed to any person or entity to whom the member
recommends or refers a related product or service.
Form organization and name rule. A member may practice public accounting only in a form of
organization allowed by law or regulation that conforms with resolutions of the AICPA Council.
Other Pronouncements on Professional Responsibilities
The Public Company Accounting Oversight Board has the following responsibilities:
● Register public accounting firms.
● Oversee the audit of public companies (issuers).
● Establish or adopt standards on auditing, quality control, ethics, and independence.
● Inspect registered audit firms.
● Conduct investigations and disciplinary proceedings on registered public accounting firms.
The Sarbanes-Oxley Act of 2002 requires

● Preapproval of services by audit committees
● Disclosure of fees paid to the accountant categorized by audit, audit-related, tax, and all other
● Rotation of audit partners
● Communications by the auditor with the audit committee
● The auditor to avoid most nonaudit services
● Audit committees to be established by issuers
● The CEO and CFO to certify the appropriateness of the financial statements in a statement to
accompany the audit report
1

Planning and Risk Assessment
Rapid Review
Pre-Engagement Acceptance Activities

Before agreeing to conduct an audit, the auditor should determine that management understands its
obligations for (1) fair presentation of the financial statements and (2) the design, implementation, and
maintenance of internal control.
Client acceptance includes the continued evaluation of the integrity of existing and new clients.
Concluding that management lacks integrity causes the auditor to reject a potential client or end a
relationship with an existing client.
The auditor should communicate with the predecessor auditor before final acceptance of the
engagement, and both must protect the confidentiality of client information.
The auditor should agree with management or those charged with governance upon the terms of
the audit. The audit scope, responsibilities, limitations, financial reporting framework, and fees for
services should be set forth in a contract evidenced by an engagement letter.
Planning an Audit
Planning continues throughout the audit. The size and complexity of the entity, the auditor’s
experience with the entity, and changes in circumstances during the audit affect planning.
An audit plan based on the audit strategy must be developed and documented for all audit
engagements. It includes the nature, timing, and extent of procedures expected to reduce audit risk to
an acceptably low level.
Risk assessment procedures are performed to obtain an understanding of the entity and its
environment, including its internal control, to identify and assess the risks of material misstatement
(RMMs) at the levels of the financial statements as a whole and relevant assertions. The RMM is the
combined assessment of inherent risk and control risk.
● The plan also includes a description of further procedures at the relevant assertion levels
of material classes of transactions, account balances, and disclosures as well as any other
procedures required by GAAS or PCAOB standards.
Supervision includes consideration of the competencies of the team members, such as whether
they (1) have enough time for the work, (2) understand the instructions, and (3) carry out the work in
accordance with the audit plan.
● It also includes tracking engagement progress, addressing significant findings, and modifying the
approach if necessary.
Audit team members should be included in the discussion about the susceptibility of the statements
to material misstatements due to fraud or error, especially fraud. Moreover, the discussion should
emphasize professional skepticism.
Understanding the Entity and Its Environment

The auditor obtains an understanding of the entity and its environment, including its internal
control, to identify and assess the risks of material misstatement of the financial statements, whether
due to fraud or error. The understanding provides a basis for designing and implementing responses
to the assessed RMMs.
Risk assessment procedures are performed to obtain the understanding. They include (1) inquiries
of management and others within the entity, (2) analytical procedures, and (3) observation and
inspection.
The auditor obtains an understanding to include consideration of external and internal factors and
other auditor-developed information.
● External factors auditors should consider include changes in the supply chain, economic factors
such as supply and demand, the effects of business cycles, and governmental actions.
● Internal factors auditors should consider include the entity’s objectives and strategies and the
related business risks. Other auditor-developed information auditors should consider include prior-
period information about the entity and its environment.
The auditor obtains an understanding of relevant internal controls to determine the types of possible
misstatements, identify what affects the RMMs, and design further procedures.
Audit Risk and Materiality

Audit risk and materiality are considered in planning and performing the audit, evaluating the results,
and forming an opinion on the financial statements. They also are reflected in the auditor’s report.
Audit risk is the risk that an auditor expresses an inappropriate opinion on materially misstated
financial statements. Its components are inherent risk, control risk, and detection risk.
Audit risk = Inherent risk × Control risk × Detection risk
Audit risk = Risk of material misstatement × Detection risk
Misstatements, including omissions, are material if there is a substantial likelihood that, individually
or in the aggregate, they would influence the judgment made by a reasonable user based on the
financial statements. Materiality is defined for planning purposes at three related levels:
1. At the financial statement level;
2. For a particular account balance, class of transactions, or disclosure; and
3. For performance.
When evaluating audit findings, the auditor considers uncorrected misstatements and should
accumulate identified misstatements. To evaluate accumulated misstatements and communicate
misstatements to appropriate parties, the auditor may classify them as factual, judgmental, or
projected.
Audit Data Analytics and Analytical Procedures

ADAs help auditors process large volumes of data.
ADAs are methods of performing various audit procedures, including those applied in risk
assessment, tests of controls, substantive analytical procedures, tests of details, or final review.
The auditor should plan and perform ADAs and other procedures with professional skepticism and
exercise professional judgment.
The five basic steps an auditor may use to plan, perform, and evaluate the results of an ADA include
(1) plan the ADA, (2) access and prepare the data, (3) consider the relevance and reliability of the
data used, (4) perform the ADA, and (5) evaluate the results and conclude whether the purpose and
specific objectives have been achieved.
Analytical procedures are evaluations of financial information made by a study of plausible

relationships among both financial and nonfinancial data.
● A basic premise is that plausible relationships among data may reasonably be expected to exist
and continue in the absence of known conditions to the contrary.
Analytical procedures may be applied not only as risk assessment procedures but also as substantive
procedures.
The five sources of information used to develop analytical procedures include (1) financial information
from comparable prior periods, (2) anticipated results, (3) relationships among elements of financial
information, (4) comparable information from the client’s industry, and (5) relationships between
financial and relevant nonfinancial information.
The effectiveness and efficiency of analytical procedures depend on the following factors: (1) nature
of the assertion, (2) plausibility and predictability of the relationship, (3) availability and reliability of
the data used to develop the expectation, and (4) precision of the expectation.
Inconsistent fluctuations or relationships or significant differences should result in (1) inquiries of

management, (2) corroboration of responses with other audit evidence, and (3) performance of any
necessary other procedures.
Auditors apply ratio analysis in all stages of the audit as analytical procedures. An auditor should
understand not only how to calculate each ratio but also the potential explanations of changes in a
ratio from period to period.
Consideration of Fraud in a Financial Statement Audit

The auditor should plan and perform the audit to obtain reasonable assurance about whether the
financial statements are free of material misstatement, whether caused by fraud or error. The risk due
to fraud must be specifically assessed.
Management and those charged with governance are primarily responsible for programs and controls
that prevent, deter, and detect fraud.
Fraud is intentional. The three conditions ordinarily present when fraud exists are pressures or
incentives to commit fraud, an opportunity to commit fraud, and the capacity to rationalize misconduct.
The types of fraud relevant to the auditor include misstatements arising from fraudulent financial
reporting or misappropriation of assets.
Obtaining information for identifying fraud risks includes inquiring of (1) management, (2) those
charged with governance, (3) the internal auditors, and (4) others.
● It also involves considering (a) fraud risk factors and (b) the results of analytical procedures
performed as risk assessment procedures.
Responses to the assessment of fraud risks should reflect a critical evaluation of the audit evidence.
Responses may have an overall effect on the audit, involve further audit procedures performed in
response to assessed fraud risks at the assertion level, or address management override.
Communications about fraud are required given evidence that fraud may exist.
Consideration of Laws and Regulations in an Audit of Financial Statements

Noncompliance is an intentional or unintentional act or omission by the entity that is contrary to laws
or regulations. It includes an act in the name of the entity or on its behalf.
● The auditor’s primary responsibility for noncompliance is to obtain sufficient appropriate audit
evidence regarding material amounts and disclosures that are determined by laws and regulations
generally recognized to have a direct effect on their determination.
Other laws and regulations do not have a direct effect. However, compliance with them may be
(1) fundamental to the entity’s operations or the continuance of its business or (2) necessary to avoid
material penalties.
● The auditor’s responsibility regarding the second category of laws and regulations is to perform
specified procedures to identify noncompliance that may materially affect the financial statements.
The auditor’s response to detected noncompliance is to consider effects on the financial statements
and the implications for other audit aspects, especially the reliability of management’s representations.
Disclosure of possible noncompliance with laws and regulations to outside parties ordinarily is not
the auditor’s responsibility and would violate the duty of confidentiality. Any disclosure would be the
responsibility of management.
1

Strategic Planning Issues
Rapid Review
Using the Work of Internal Auditors
The understanding of the internal audit function should be sufficient to identify activities relevant to
audit planning. This function is part of the monitoring component of internal control.
If the external auditor plans to use the work of the internal auditors to obtain audit evidence or to
provide direct assistance, the auditor should assess the competence and objectivity of the internal
auditors. (Their work may provide useful information about internal control, affect the overall risk
assessment and decisions about audit procedures, and provide direct evidence about material
misstatements.)
Judgments about matters affecting the report should always be those of the auditor. If the work of
the internal auditors significantly affects the auditor’s work, the auditor should evaluate the quality
and effectiveness of the internal auditors’ work.
Using the Work of a Specialist
An auditor’s specialist is an individual or organization possessing expertise in a field other than

accounting or auditing. The work in that field is used to assist the auditor in obtaining sufficient
appropriate audit evidence (e.g., asset valuations or actuarial estimations). An auditor’s specialist
may be either an internal specialist (who is a partner or staff member, including temporary staff, of the
auditor’s firm or a network firm) or an external specialist.
● The auditor should evaluate whether the auditor’s specialist has the necessary competence,
capabilities, and objectivity for the auditor’s purpose.
● The auditor should obtain an understanding of the expertise of the auditor’s specialist sufficient to
determine the nature, scope, and objectives of the work and evaluate the adequacy of that work
for the auditor’s purposes.
● An auditor’s specialist may be referred to and identified in the report if the reference will facilitate
an understanding of an additional paragraph or a departure from an unmodified opinion.
A management’s (company’s) specialist is an individual or organization possessing expertise in a

field other than accounting or auditing. The work in that field is used to assist the entity in preparing
the financial statements. A management’s specialist may be either employed by the entity or engaged
by the entity.
● The auditor does not refer to a management’s specialist in an auditor’s report.
Related Parties
Assurance of detecting material related party transactions cannot be given, but the auditor should
be aware of their possible existence and of certain relationships that should be disclosed.
● Thus, the auditor should understand management responsibilities and the relationship of each
component to the total entity, be aware that such transactions may have been improperly
motivated, determine the existence of related parties, and identify and examine transactions with
related parties.
The auditor should perform audit procedures to identify, assess, and respond to the risks of material
misstatement (RMMs) arising from the entity’s failure to appropriately account for or disclose related
party relationships, transactions, or balances.
Accounting Estimates and Fair Value
Some financial amounts cannot be measured precisely and must be estimated. Estimation
uncertainty results because of the nature and reliability of the information available to management.
Some estimates have
● Low estimation uncertainty and may result in lower RMM, for example, depreciation and warranty
obligations.
● High estimation uncertainty and may result in higher RMM, for example, costs of litigation and
value of financial instruments.
The degree of estimation uncertainty not only affects RMM but the susceptibility of intentional or
unintentional management bias.
The objective of the auditor is to obtain sufficient appropriate audit evidence about whether
accounting estimates, including fair value accounting estimates, are reasonable and related
disclosures are adequate.
● The auditor performs risk assessment procedures to assess the RMM. The auditor reviews prior-
period estimates to identify management bias.
The auditor should

● Determine whether specialized skills are necessary in the audit.
● Evaluate how management made the estimate, the data used, the method of measurement, and
the assumptions used.
● Test the operating effectiveness of controls over the estimation process.
● Develop a point estimate or range to evaluate management’s estimate.
The difference between the auditor’s estimate and management’s estimate is considered a
misstatement. The auditor uses judgment to consider the materiality of that misstatement.
1

Internal Control Concepts and Information Technology
Rapid Review
Introduction to Internal Control
The objective of the auditor is to identify and assess the risks of material misstatement (RMMs),
whether due to fraud or error, at the financial statement and relevant assertion levels.
● This is achieved through understanding the entity and its environment, including the entity’s internal
control, to provide a basis for designing and implementing responses to the assessed RMMs.
Internal control is a process–effected by those charged with governance, management, and other
personnel–designed to provide reasonable assurance regarding the achievement of objectives
related to
● The reliability of financial reporting,
● The effectiveness and efficiency of operations, and
● Compliance with applicable laws and regulations.
Auditing standards (and the COSO’s internal control framework) define the following five interrelated
components (a useful memory aid is “Controls stop CRIME,” with E representing the control
environment):
1. Control activities are the policies and procedures that help ensure that management directives
are carried out.
2. The risk assessment process is the entity’s identification and analysis of relevant risks.
■ Relevant risks include events and circumstances that may adversely affect an entity’s ability to
initiate, authorize, record, process, and report financial data consistent with financial statement
assertions.
3. The information system, including related and relevant business processes, supports the
identification, capture, and exchange of information in a form and time frame that enable people to
carry out their responsibilities.
■ An information system consists of (1) physical and hardware elements (infrastructure),
(2) people, (3) software, (4) data, and (5) manual and automated procedures.
4. Monitoring of controls assesses the effectiveness of internal control over time.

5. The control environment sets the tone of an organization, influencing the control consciousness
of its people. This component is the foundation for the other components.
■ It includes governance and management functions and the attitudes, awareness, and actions of
management and those charged with governance regarding internal control and its importance.
Because of its inherent limitations, internal control can be designed and operated to provide only
reasonable assurance that the entity’s objectives are met.
Understanding Internal Control
The auditor should obtain an understanding of each of the five components of internal control to
identify and assess the risk of material misstatement and to design further audit procedures.
● The auditor must understand the design of relevant controls and determine whether they have
been implemented.
● The auditor should also obtain an understanding of the selection and application of accounting
policies and consider whether they are appropriate.
The evaluation of design considers whether a control (alone or with others) can effectively prevent,
or detect and correct, material misstatements. A control has been implemented if it exists and the
entity is using it.
The understanding also should consider the effect on information technology (IT) controls
and manual procedures. IT affects the basic ways in which transactions are initiated, recorded,
processed, and reported.
Documentation of the understanding is required by GAAS. Its form and extent are influenced by
the size and complexity of the entity and the nature of the internal controls.
● For example, a complex information system that electronically initiates, authorizes, records,
processes, and reports a large volume of transactions requires extensive documentation.
Flowcharting
Flowcharting is a useful tool for systems development as well as for understanding internal controls.
● A system flowchart provides an overall view of the inputs, processes, and outputs of a system.
● A program flowchart represents the specific steps in a computer program and the order in which
they will be carried out.
● A document flowchart depicts the flow of documents through an entity.
Internal Control and Information Technology
IT changes the control risks but not the goals of an information system. Changes in risks result from
● The need to maintain availability of IT systems,
● The volatility of transaction trails,
● Decreased human involvement,
● Uniformity of transaction processing,
● Potential for unauthorized access,
● The vulnerability of data,
● Reduced segregation of duties, and
● Reduced authorization of transactions.
Two basic processing modes are (1) batch and (2) online, real-time.
General controls include controls over (1) data center and network operations; (2) systems software
acquisition, change, and maintenance; (3) access security; and (4) application system acquisition,
development, and maintenance.
Application controls include (1) input controls, (2) processing controls, and (3) output controls over
a particular application.
1

Internal Control --
Sales-Receivables-Cash Receipts Cycle
Rapid Review
The cycle approach to the audit divides the auditee’s transactions, balances, and related control
activities into groupings of related items. Flowcharting is useful for understanding how these
functions are performed, including the flow of documents and information and the implementation of
control activities.
Responsibilities/Organizational Structure/Flowcharts
Management is responsible for the establishment of controls to ensure

● Proper acceptance of the customer order;
● Granting of credit approval in accordance with credit limits;
● Safeguarding of assets associated with the sale;
● Timely shipment of goods to customers;
● Billing for shipments at authorized prices;
● Accounting for and collection of receivables; and
● The recording, safeguarding, and depositing intact of cash (checks) received.
The auditor is required to obtain an understanding of the entity and its environment, including its
internal control, to assess the risks of material misstatement and to design further audit procedures.
Relevant functions in the sales-receivable-cash cycle include sales, credit management, inventory
control, warehousing, shipping, billing, receiving, the mail room, cash receipts, accounts receivable,
and the general ledger.
● The organizational structure should segregate duties and responsibilities so that an individual
is not in the position both to perpetrate and conceal fraud or errors. Authorization of a transaction,
recording of the transaction, and custody of assets associated with the transaction should be
segregated.
■ However, cost-benefit considerations may prevent complete segregation. Compensating
controls (e.g., more supervision) will then be needed.
Typical documents in a manual system are customer orders, sales orders, invoices, packing slips,
bills of lading, remittance advices, daily remittance lists, and deposit tickets.
Typical control activities in the sales-receivables portion of the cycle include

● Routing the sales order copy through the Credit Manager to ensure that goods are shipped only to
customers who are likely to pay
● Routing the shipping copy through the Inventory Warehouse to ensure that goods are released
only upon proper approval of the order
● Matching of the packing slip copy held by Shipping to ensure that all goods released from the
Inventory Warehouse are received by Shipping on a timely basis
● Matching of the copies held by the Billing department to ensure that all goods shipped are invoiced
to customers
● Use of prenumbered documents to permit detection of unrecorded or unauthorized transactions
● Periodic reconciliation of the accounts receivable subsidiary ledger with the general ledger to
ensure that all invoices are recorded in customers’ accounts
Typical control activities in the cash receipts portion of the cycle include
● Two clerks being present in the Mail Room during the opening and recording of the receipts
● Endorsing checks “For Deposit Only into Account Number XXXX” immediately upon opening the
mail
● Depositing all cash intact daily
● Periodic reconciliation of the accounts receivable subsidiary ledger and the accounts receivable
control account in the general ledger
● Monthly statements sent to customers to ensure that failure to receive and/or record payments
made by customers is detected
● Employees responsible for handling cash are bonded
● Use of a lockbox system to ensure that cash receipts are not abstracted by mail clerks or other
employees (e.g., lapping)
Controls in a Cash Sale Environment
Cash sales cycles often lack the segregation of duties necessary for the proper framework of control.
For example, the sales clerk often authorizes the sale, records the sale, and has custody of the
assets related to the sale.
Other Sales-Receivables Related Transactions
Sales returns and allowances should have controls to assure proper approval and processing. The
key controls include approval by the sales department to return goods, receipt of the returned goods
by the receiving department and preparation of a receiving report, and the separate approval of the
credit memo related to a sales return or allowance.
Technology Considerations
Computer processing typically replaces the activities of clerks performing recording functions. Manual
periodic reconciliations of the accounts receivable subsidiary file and general ledgers are usually
replaced by daily computer reconciliations. Sophisticated systems may replace the paper flow with
computer control over authorization of the release of goods for packing and shipping.
Typical controls implemented include

● Access controls (e.g., passwords and device authorization tables),
● Preformatted screens to avoid data entry errors,
● Field checks to test the characters in a field,
● Validity tests to determine that a customer exists in the accounts receivable master file and that
ordered part numbers exist on the inventory master file,
● Reasonableness tests to test inventory quantities and billing amounts, and
● Error listings in order to compile and evaluate the errors.
If a firm uses an Internet website, likely changes include direct entry of the order by the customer,
elimination of the sales order department, and payment by credit card.
Additional controls may include a firewall between the customer and internally stored client data,
passwords for authorized or preferred customers, and encryption procedures for storage and
transmission of sensitive information.
1

Internal Control -- Purchases, Payroll, and Other Cycles
Rapid Review
Purchases Responsibilities/Organizational Structure/Flowchart

Management is responsible for the establishment of controls over the purchases-payables-cash
disbursement cycle to ensure
● Proper authorization of purchases;
● Ordering the proper quality and quantity of goods on a timely basis;
● Acceptance only of goods that have been ordered;
● Receipt of proper terms and prices from the vendor;
● Payment only for the goods and services that were ordered, received, and properly invoiced; and
● Payment on a timely basis (e.g., to take advantage of cash discounts).
The auditor is required to obtain an understanding of the entity and its environment, including its
internal control, to assess the risks of material misstatement and to design further audit procedures.
Relevant functions in this cycle include inventory control, purchasing, receiving, warehousing,
accounts payable, cash disbursements, and the general ledger.
● The organizational structure should segregate duties and responsibilities so that no one is in the
position both to perpetrate and conceal errors or fraud. Authorization of a transaction, recording of
the transaction, and custody of assets associated with the transaction should be segregated.
■ However, cost-benefit considerations may prevent complete segregation. Compensating
controls (e.g., more supervision) will then be needed.
Typical documents in a manual system are (1) requisitions, (2) purchase orders, (3) receiving
reports, (4) vendor invoices, (5) payment vouchers, and (6) checks.
Typical control activities include

● Prenumbering of documents and checks;
● Acceptance of goods only if an approved purchase order is on hand;
● Omission of the quantity from Receiving’s copy of the purchase order;
● Comparison of price and terms on the invoice with other information from the vendor;
● Preparation of vouchers and entries only if goods are authorized, ordered, and invoiced;
● Use of a tickler file;
● Check signing after examining supporting documents;
● Dual signatures on checks in excess of a preset amount;
● Mailing of checks by the signor;
● Cancellation of supporting documents after check signing;
● Reconciliation of the tickler file with Accounts Payable;
● Physical counts of inventory and reconciliation with perpetual records; and
● Comparison by Accounts Payable of the vendor’s invoice with other documents.
Purchases Technology Considerations

Sophisticated systems may replace the internal paper flows with electronic transmissions. Ordinarily,
the manual files and ledgers are replaced by digital files.
Computer-related controls include

● Access controls (passwords, device authorization tables, and access logs),
● Preformatted data entry screens to ensure proper input,
● Field checks to test the characters in certain fields to verify that they are appropriate,
● Validity tests to assure the propriety of supplier transactional data, and
● Tests of quantities ordered and received to determine if they are within acceptable limits.
Electronic Data Interchange (EDI)

Electronic data interchange (EDI) is the communication of electronic documents directly from a
computer in one entity to a computer in another entity. EDI eliminates paper documents.
Advantages include speed, reduction of clerical errors, and elimination of repetitive clerical tasks. EDI
also eliminates document preparation, processing, filing, and mailing costs.
Accordingly, auditors must seek new forms of evidence to support assertions about EDI transactions
and must evaluate electronic signatures and reviews when testing controls. Auditing an EDI
application requires consideration of the audit trail and activity log.
EDI often uses a VAN (value-added network) as a third-party service provider, and reliance on
controls provided by the VAN may be critical.
Successful implementation of EDI begins with identifying the work processes and flows that support
the entity’s objectives.
Payroll Responsibilities/Organizational Structure/Flowchart

Management is responsible for the establishment of controls to ensure (1) proper authorization
and calculation of the payroll; (2) safeguarding of assets associated with the payment of payroll;
(3) proper distribution of the payroll; and (4) proper accounting for the payroll transactions.
The auditor must obtain an understanding of the entity and its environment, including its internal
control, to assess the risks of material misstatement and to design further audit procedures.
Relevant functions include human resources (personnel), payroll (an accounting function responsible
for calculating payroll), timekeeping, cost accounting, accounts payable, and cash disbursements.
● The organizational structure should segregate duties and responsibilities so that an individual is
not in the position both to perpetrate and conceal fraud or errors.
Typical documents in a manual system are (1) clock cards, (2) job time tickets, (3) the payroll
register, (4) payment vouchers, and (5) checks.
Typical control activities include

● Human resources’ authorization of employees, pay rates, and deductions;
● Supervisory approval of work performed;
● Timekeeping’s reconciliation of the clock cards and job time tickets;
● Payroll accounting’s calculation of pay;
● Cash disbursement’s signing of checks without authorizing, preparing, or accounting for
transactions;
● Paycheck distribution by an individual with no other functions relative to payroll;
● Safeguarding of unclaimed checks by the CFO; and
● Maintenance of a separate payroll account.
Payroll Technology Considerations
Computer processing avoids physical preparation, handling, and safeguarding of payroll checks.
Direct deposit into employees’ bank accounts is a typical control. Digital files and data transmission
replace the file cabinets and forms. Moreover, several of the accounting clerk’s functions are replaced
by computer programs, including some of the duties of timekeeping and payroll.
The following are typical computer-related controls:

● Passwords and identification numbers provide access controls.
● Preformatted data entry screens are used to avoid data entry errors.
● Validity checks are made to ensure that an employee record exists on the personnel file before
any transactions are accepted.
● Time records are reconciled with the production time logged in the shops.
● Reasonableness tests are made when appropriate, e.g., testing to ensure that total hours recorded
for an employee are not in excess of the acceptable limit.
● Exception reports identify incorrect transactions.
Other Cycles
Other cycles follow the basic pattern of the segregation of duties illustrated in the previous
discussions of controls. Other cycles include those for (1) property, plant, and equipment;
(2) investing; (3) financing; and (4) inventory and warehousing.
1

Responses to Assessed Risks
Rapid Review
Assessing Risks of Material Misstatement (RMMs)
The risk of material misstatement is the combined assessment of inherent risk and control risk.
● To assess RMMs, the auditor uses audit evidence gathered from obtaining the understanding of
the entity, including that from (1) evaluating the design of controls and (2) determining whether
they have been implemented.
● The assessment of RMMs is used to determine the nature, timing, and extent of further audit
procedures.
● If the risk assessment is based on the expectation that controls are operating effectively at the
relevant assertion level, the auditor tests the effectiveness of suitably designed controls.
● An auditor identifies the risks that require special audit consideration, such as the (1) potential
for fraud; (2) recording of complex, related party, or significant unusual transactions; or (3) use of
subjective estimates.
● The auditor may be unable to obtain sufficient appropriate audit evidence about some relevant
assertions by applying substantive procedures alone. In that case, tests of controls may be
essential.
Auditor’s Response to Risks
To reduce audit risk to an acceptable level, the auditor makes overall responses to the assessed
RMMs at the financial statement level (e.g., more professional skepticism, more supervision, more
experienced staff). At the relevant assertion level, the auditor responds by designing and performing
audit procedures by considering
● The level of assessed risk;
● The likelihood of a material misstatement;
● The characteristics of the transaction class, balance, or disclosure; and
● Whether the auditor intends to rely on the operating effectiveness of controls.
Nature, Timing, and Extent of Further Procedures
The nature of further procedures is a function of purpose and type.

● Purpose relates to whether it is a substantive procedure or a test of controls.
● Type includes inspection, observation, inquiry, confirmation, recalculation, reperformance, or

analytical procedure.
Timing is when the procedures are performed or the date or period of the audit evidence. The
greater the RMM, the more likely that procedures will be performed at the end of the period or at
unpredictable times. Performing procedures at interim would typically require additional evidence to
address the remaining period.
Extent is the quantity, such as the number of sampled items.
Tests of Controls
The auditor tests suitably designed controls at the relevant assertion level in two circumstances:
1. The risk assessment is based on the expectation that controls are operating with some degree of
effectiveness (i.e., the auditor intends to rely on the controls).
2. Substantive procedures alone are inadequate to obtain sufficient appropriate evidence (e.g.,
significant IT integration).
Dual-purpose testing involves performing both a test of details and a test of controls on the same
transaction.
The nature of tests of controls typically includes (1) inquiry (however, inquiry alone is not a
sufficient procedure), (2) inspection (e.g., of electronic files), (3) observation, (4) reperformance, and
(5) recalculation.
The timing of tests of controls depends on whether the objective is to test at a moment in time or for
a period.
The extent of tests of controls typically depends on (1) frequency of use, (2) expected rate of control
deviations, (3) relevance and reliability of needed evidence, (4) evidence from tests of other controls,
(5) planned reliance on the control, and (6) time during the period for which reliance is sought.
Substantive Procedures
Substantive procedures are performed to detect material misstatements at the relevant assertion
level.
The nature of substantive procedures includes tests of details and substantive analytical
procedures.
The timing of substantive procedures may be at interim or year end.
The greater the RMM, the greater the extent of relevant procedures. The extent of substantive
procedures may be reduced if controls are effective.
Control Risk in a Computer Environment
Assessing control risk in a computer environment involves the same objectives and concepts and
many of the same procedures as in a manual system.
● Controls outside the computer system can be tested using procedures applicable to a manual
system, but certain controls relating to input, processing, and output of data are internal to the
computer system. They should be tested by procedures that are not traditionally performed in a
manual system.
Approaches used in testing computer systems include auditing around the computer or auditing
through the computer. For example, the latter uses the computer to test the processing logic and
controls within the system and the records produced. This approach may be accomplished in several
ways, including processing test data, parallel simulation, creation of an integrated test facility, and
programming embedded audit modules.
1

Internal Control Communications and Reports
Rapid Review
Communicating Internal Control Related Matters Identified in an Audit

Auditors should communicate significant deficiencies and material weaknesses in internal control
identified during an audit. The communication should be in writing to management and to those
charged with governance (e.g., board of directors). However, the auditor is not required to perform
procedures specifically to identify deficiencies in internal control.
A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of the assigned functions, to prevent, or detect and
correct, misstatements on a timely basis.
A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less

severe than a material weakness but that merits attention by those charged with governance.
A material weakness is a deficiency, or combination of deficiencies, in internal control that results

in a reasonable possibility that a material misstatement of the financial statements will not be
prevented or timely detected and corrected.
The Auditor’s Communication with Those Charged with Governance

The communication is best made prior to the audit report release date, but no later than 60 days
afterward. The types of matters to be communicated include
● The auditor’s responsibilities under GAAS,
● The planned scope and timing of the audit,
● Significant audit findings or issues,
● Significant difficulties encountered during the audit,
● Any uncorrected misstatements,
● Disagreements with management,
● Difficult or contentious matters for which the auditor consulted those outside the engagement team,
● Management’s consultation with other accountants,
● Significant issues discussed or subject to correspondence with management, and
● Independence aspects.
The Sarbanes-Oxley Act of 2002 requires the auditor to report (1) all critical accounting policies
and practices to be used, (2) all material alternative treatments of financial information within GAAP
discussed with management, (3) ramifications of the use of alternative disclosures and treatments,
and (4) the treatment preferred by the auditor.
Reporting on an Entity’s System of Internal Control

Under the PCAOB’s standards, every public company (an issuer) must include in its annual report a
management report with an assessment of the design and effectiveness of the company’s internal
control over financial reporting as part of an integrated audit of the financial statements. An
accelerated filer (an issuer with market equity of at least $75 million) must obtain annually an auditor’s
report on internal control over financial reporting.
● Nonissuers may have an audit of internal control under the AICPA’s standards as part of an
integrated audit of the financial statements, but it is not a required part of the financial statement
audit.
The auditor should plan and perform the audit to obtain sufficient appropriate evidence to obtain
reasonable assurance about whether material weaknesses exist.
● The auditor begins by understanding overall risks, then focuses on entity-level controls and
works down to significant classes of transactions, account balances, and disclosures and their
relevant assertions. Auditors should test the design and operating effectiveness of controls to form
an opinion.
● The auditor may issue an unmodified opinion only when no identified material weaknesses exist
and when no restrictions are imposed on the scope of the auditor’s work. A material weakness
results in an adverse opinion.
Service Organizations
A financial statement audit may be performed for an entity that uses another organization’s services
as part of its own information system. Thus, the understanding of internal control required to
assess the risk of material misstatement and plan the audit may extend to controls at the service
organization.
● The auditor should obtain an understanding of the nature and significance of the services provided
by the service organization and their effect on the user entity’s internal control, then design and
perform audit procedures responsive to those risks.
The service auditor reports on controls at a service organization in one of the following System and
Organization Controls (SOC) reports:
● Report on management’s description of a service organization’s system and the suitability of the
®
design of controls (a SOC 1 , type 1 report) or
● Report on management’s description of a service organization’s system, the suitability of the

®
design of the controls, and the operating effectiveness of controls (a SOC 1 , type 2 report).
■ This report may allow the user auditor to conclude that controls are operating effectively.
1

Evidence -- Objectives and Nature
Rapid Review
Nature, Sufficiency, and Appropriateness

Audit evidence is all information used by the auditor in arriving at the conclusions on which the audit
opinion is based.
Forms of audit evidence include

● Oral information
● Visual information
● Paper documents
● Electronic information
Sources of evidence include information from

● Management including (1) the financial reporting process used to prepare the financial statements
and related disclosures (initial entries and supporting records) and (2) information obtained outside
the financial reporting process (e.g., the risk management system, minutes of meetings, and
internal auditors’ activities)
● External information and parties including, for example, confirmations, responses to inquiries,
and analysts’ reports
● Auditors including, for example, data obtained and used to (1) analyze industry trends in the
client’s industry and (2) evaluate the reasonableness of an accounting estimate
Sufficiency is the measure of the quantity of evidence.
Appropriateness is the measure of the quality of evidence. It depends on relevance and reliability.
The auditor typically relies on persuasive, rather than conclusive, evidence because of inherent
limitations of the audit. They include (1) the nature of financial reporting (e.g., use of accounting
estimates dependent on forecasts), (2) the nature of audit procedures (e.g., the possibility of
management fraud involving collusion), and (3) the need to perform the audit within a reasonable time
period and to achieve a balance between benefit and cost.
Management implicitly or explicitly makes assertions about the recognition, measurement,

presentation, and disclosure of information in the financial statements. Auditor evidence supports or
refutes these assertions.
Risk assessment procedures are used to obtain an understanding of the entity and its environment,
including internal control, that permits the auditor to assess the risks of material misstatement at the
financial statement and relevant assertion levels.
Tests of controls test the operating effectiveness of controls in preventing, or detecting and
correcting, material misstatements at the relevant assertion level. They are required when the
auditor’s risk assessment is based on an expectation of the operating effectiveness of controls or
when substantive procedures alone do not provide sufficient appropriate evidence.
Substantive procedures are used to detect material misstatements at the relevant assertion level.
They include tests of details and substantive analytical procedures. They should be performed for all
relevant assertions about each material (1) transaction class, (2) account balance, and (3) disclosure.
The auditor should use the following, singly or in combination, as risk assessment procedures, tests
of controls, or substantive procedures:
● Inspection of records or documents
● Inspection of tangible assets
● Observation
● Inquiry
● External confirmation
● Recalculation
● Reperformance
● Analytical procedures (including audit data analytics and scanning)
A test of existence tests from the recorded balance to the proof of financial event. A test of
completeness tests from the proof of financial event to the recorded balance.
Use of Data and Information

Relational databases are the most common databases. They use primary keys and foreign keys to
relate to each other.
Computer-assisted audit techniques (CAATs) is the use of computer software by the auditor to
perform audit functions more efficiently and effectively.
Generalized audit software (GAS) is software that is written to interface with many different client
systems to perform audit tasks.
External Confirmation
Audit evidence is more reliable (persuasive) when it is (1) obtained from independent sources
external to the entity, (2) obtained directly, and (3) in documentary form.
The greater the assessed risk of material misstatement (RMM), the more persuasive the audit
evidence obtained should be. Thus, confirmation might be used when a more effective procedure is
needed as it requests a direct written response from an external party.
● The positive confirmation requests a reply regardless of whether the respondent agrees with the
information stated. The blank form requests the recipient to fill in an account balance.
● The negative confirmation requests the recipient to respond only if (s)he disagrees with the
information stated. These requests are not used as the only substantive procedure unless the
RMM is low, many small balances are involved, and the auditor has no reason to believe that the
recipients are unlikely to consider the requests.
● When the auditor has not received replies to positive confirmation requests, (s)he should apply
alternative procedures to the nonresponses to reduce audit risk to an acceptably low level.
● Confirmation of accounts receivable is a generally accepted auditing procedure. The

presumption is that the auditor will normally confirm accounts receivable.
Audit Documentation
Working papers should be prepared to provide (1) a clear understanding of the work performed
(including the nature, timing, extent, and results of audit procedures performed), (2) the audit
evidence obtained and its source, and (3) the conclusions reached.
● Audit documentation provides the principal support that the audit was planned and performed in
accordance with GAAS and the principal support for the opinion expressed.
● Audit documentation should enable an experienced auditor to understand (1) the procedures
performed under GAAS or other requirements; (2) the results and evidence obtained; and
(3) significant findings or issues, the conclusions drawn, and the judgments made.
1

Evidence -- The Sales-Receivables-Cash Cycle
Rapid Review
Apply the CAPE CROC acronym as a mnemonic for management’s assertions.
Substantive Testing of Sales and Receivables

The Completeness assertion is tested by
● Reconciling the subsidiary and general ledgers;
● Using analytical procedures (e.g., ratio and trend analysis);
● Accounting for the numerical sequence of sales-related documents, such as sales orders, shipping
documents, and invoices; and
● Tracing shipping documents to sales invoices and journal entries.
The Accuracy, valuation, and allocation assertion is tested by (1) obtaining a management
representation letter, (2) evaluating management’s disclosures, (3) comparing general ledger
balances with financial statement balances, (4) aging accounts receivable, (5) tracing subsequent
cash receipts, and (6) reviewing delinquent customers’ credit ratings.
The Presentation assertion is tested by evaluating note disclosures to determine that accounting
policies, pledges of accounts receivable, and any significant sales or receivables transactions with
related parties are disclosed.
The Existence assertion is tested by (1) confirming accounts receivable and (2) vouching a sample
of recorded receivables to shipping documents.
The Cutoff assertion is tested by (1) tracing shipping documents to the accounting records for
several days prior to and after year end and (2) tracing the daily remittance list for several days prior
to and after year end.
The Rights and obligations assertion is tested by

● Considering the motivation and opportunity for factoring receivables and inquiring of management
as to whether such transactions have occurred,
● Tracking cash receipts to determine that the entity is collecting and depositing the proceeds into
bank accounts controlled by the entity, and
● Determining whether sales have been made with a right of return and what the expected and
actual returns are after year end.
The Occurrence assertion is tested by vouching samples of recorded sales transactions to customer
orders and shipping documents.
The Classification assertion is tested by inspecting the financial statements for proper recordkeeping.
Substantive Testing of Cash
The Completeness assertion for cash receipts is tested by tracing the daily remittance list to the last
validated deposit ticket for the period.
● Completeness for cash disbursements is tested by determining the last check written for the period
and tracing the effect to the accounting records.
● Completeness is also tested by determining that all outstanding checks have been listed on the
bank reconciliation.
The Accuracy, valuation, and allocation assertion is tested by (1) comparing a sample of daily
remittance lists with deposits, journal entries, and ledger postings and (2) comparing general ledger
balances with financial statement balances. Special circumstances, such as holdings of foreign
currency, may require additional testing.
The Presentation assertion is tested by (1) inquiring management about disclosure and
(2) evaluating financial statement note disclosures.
The Existence assertion is tested by (1) counting cash on hand, (2) requesting bank confirmations,
(3) inspecting or preparing bank reconciliations, (4) requesting cutoff bank statements, (5) preparing a
schedule of interbank transfers, and (6) preparing a proof of cash.
The Cutoff assertion is tested by (1) inspecting and tracing the items on the daily remittance lists
for several days prior to and after year end and (2) tracing the last check written for the year to the
records.
The Rights and obligations assertion is tested by (1) requesting bank confirmations and
(2) inquiring of management.
The Occurrence assertion is tested by vouching a sample of recorded cash receipts and cash
disbursements back to recorded receivables and vouchers, respectively.
The Classification assertion is tested by (1) determining that restricted cash (e.g., sinking funds
and compensating balances) is reported in the noncurrent asset section of the balance sheet and
(2) assessing the statement of cash flows.
1

Evidence -- The Purchases,
Inventory, Payroll, and Other Cycles
Rapid Review
Substantive Testing of Accounts Payable and Purchases
The Completeness assertion is tested by (1) reconciling subsidiary ledger balances with the general
ledger control balance, (2) using analytical procedures, (3) tracing subsequent payments, and
(4) searching for unvouchered payables.
The Accuracy, valuation, and allocation assertion is tested by (1) obtaining management
representations and (2) comparing general ledger balances and financial statement balances.
The Presentation assertion is tested by observing whether financial statement components are
appropriately presented, described, and disclosed.
The Existence assertion is tested by sampling small, zero, and large balances from the activity in the
client’s recorded payables account and requesting that the balance due be provided by the creditor.
The Cutoff assertion is tested by (1) performing a cutoff test to determine if all goods for which
title has passed to the client at year end are recorded in inventory and accounts payable and
(2) performing a cash disbursement cutoff test to test the recording of cash disbursements and the
associated accounts payable reduction (e.g., inspecting the last check written and tracing to the
accounts payable subsidiary ledger).
The Rights and obligations assertion is tested by obtaining management representations about the
nature of recorded liabilities.
The Occurrence assertion is tested by vouching recorded payables to documentation.
The Classification assertion is tested by inspecting the financial statements for the presentation.
Substantive Testing of Inventory
Most tests for inventory are similar to those of accounts payable and purchases except that the
emphasis is on the valuation and allocation and the existence assertions.
The Accuracy, valuation and allocation assertion is tested by (1) comparing recorded costs with
current cost to replace the goods, (2) calculating the turnover ratio, and (3) testing the costs of
manufactured items.
The Existence assertion is tested by observation and test counts of the physical inventory taken by
the client.
Substantive Testing of Property, Plant, and Equipment (PPE)
The following are typical accounts considered in the audit of PPE:

● Buildings, equipment, improvements, and vehicles, including associated depreciation expense,
repairs, maintenance, and accumulated depreciation;
● Land; and
● Finance leases and associated amortization expense.
Repairs and maintenance expense is tested with PPE because of questions of classification of costs
allocated to PPE assets versus expense.
Classification of leases as operating leases, which are expensed, and finance leases, which are
capitalized as assets, is an important topic for the candidate.
Substantive Testing of Investments

The balances include
● Noncurrent items such as equity, bonds, certain loans, and goodwill;
● Current items, including trading, held-to-maturity, and available-for-sale securities classified as

current; and
● Revenues generated from investments.
Recent exams have included questions on auditing derivatives.
Substantive Testing of Noncurrent Debt

The following balances are included in this audit plan:
● Noncurrent notes payable, mortgages payable, and bonds payable and
● Related interest expense.
An important assertion for noncurrent debt is completeness, i.e., is all debt recorded? One useful
analytical procedure is to reconcile interest expense with the recorded noncurrent debt. An
unexplained excess of interest expense might indicate unrecorded debt.
Substantive Testing of Equity

The following typical balances for a corporation are included in this audit plan:
● Common and preferred stock,
● Additional paid-in capital,
● Retained earnings,
● Treasury stock, and
● Accumulated other comprehensive income.
The auditor tests the assertions. But the required audit effort typically is less than for other accounts
and balances. Inherent risk is low because of the stability of many of the balances.
Substantive Testing of Payroll
The following balances are included in the audit plan:

● Payroll expense,
● Inventories (for manufacturing firms),
● Accrued payroll and vacation compensated absences,
● Payroll tax liability, and
● Pension costs and other post-employment benefit (OPEB) costs.
Traditionally strong controls often have minimized the audit effort for payroll.
The cutoff assertion is especially relevant to an audit of accrued payroll.
1

Evidence -- Key Considerations
Rapid Review
Consideration of Litigation, Claims, and Assessments
Management is responsible for adopting policies and procedures to identify, evaluate, and account for
litigation, claims, and assessments (LCA). Accordingly, it is the primary source of information about
LCA.
The auditor should obtain evidence relevant to the circumstances indicating an uncertainty as to
possible loss from LCA, the period in which the underlying cause for legal action occurred, the
probability of an unfavorable outcome, and the amount or range of potential loss.
A letter of inquiry to external legal counsel is the auditor’s primary means of obtaining corroboration
of the information provided about material LCA by management. The letter includes a list that
describes and evaluates pending or threatened LCA with respect to which legal counsel has
performed substantive effort.
● For each matter, legal counsel should be requested to provide the following information:
■ The nature of the matter, the progress of the case, and the entity’s intended action;
■ The probability of an unfavorable outcome;
■ An estimate, if possible, of the amount or range of loss; and
■ Omission of any pending or threatened LCA from management’s list.
● The letter also includes a management list that describes and evaluates unasserted claims
and assessments that management considers to be probable and have at least a reasonable
possibility of an unfavorable outcome. Legal counsel is requested to comment on any
disagreements with that list.
● Legal counsel may limit the response to matters to which substantive attention has been given.
The opinion in the auditor’s report is modified if (1) legal counsel refused to respond and the
auditor cannot obtain sufficient appropriate evidence by performing alternative procedures, or
(2) management refuses permission for the auditor to communicate or meet with external legal
counsel.
● External legal counsel’s refusal to provide (orally or in writing) information requested in a letter of
inquiry may be a scope limitation sufficient to preclude an unmodified opinion.
Subsequent Events and Subsequently Discovered Facts
Subsequent events occur between the date of the financial statements and the date of the auditor’s
report. The auditor should perform audit procedures designed to obtain sufficient appropriate
audit evidence that all subsequent events that require adjustment of, or disclosure in, the financial
statements have been identified and accounted for properly.
Subsequently discovered facts become known to the auditor after the date of the auditor’s report.
Had they been known to the auditor at that date, they might have caused the auditor to revise the
auditor’s report.
● If a subsequently discovered fact becomes known to the auditor after the report release date,
the auditor should discuss the matter with management and, if appropriate, those charged with
governance to determine whether the financial statements need revision and, if so, inquire how
management intends to respond and perform necessary audit procedures on the revision.
Unaudited events occurring after the date of the auditor’s report may be disclosed by management
to prevent the statements from being misleading. “Unaudited” in this instance means that the auditor
need not perform procedures on the revision of the statements, and the report date is not changed.
Written Representations
The auditor is required to obtain, as part of an audit in accordance with GAAS, representations from
management. They complement other audit procedures but do not provide sufficient appropriate
evidence or affect the other audit procedures.
● Among other things, written representations should include the responsibilities of management
relative to the audit.
The auditor disclaims an opinion or withdraws from the engagement if management does not
provide the representations regarding management’s responsibilities for the audit or the auditor
concludes that such representations are unreliable because of doubts about management’s integrity.
Auditor’s Consideration of an Entity’s Ability to Continue as a Going

Concern
The auditor must evaluate whether a substantial doubt exists about an entity’s ability to continue
as a going concern for a reasonable period of time, within 1 year after the date the financial
statements are issued or available to be issued. (But a reporting framework not U.S. GAAP may
specify another period of time.)
● The evaluation is based on relevant conditions and events prior to the date of the auditor’s report.
Such conditions and events include negative trends, financial difficulties, internal matters, and
external matters.
Given substantial doubt, the auditor should (1) consider management’s plans for responding to the
adverse effects of the conditions and events, (2) obtain information about the plans, and (3) consider
the likelihood that the adverse effects will be mitigated and the plans can be effectively implemented.
If the auditor has a substantial doubt, the audit report for a nonissuer should include a separate
section titled Substantial Doubt About the Entity’s Ability to Continue as a Going Concern.
The wording of the auditor’s conclusion should include the phrases “substantial doubt” and “going
concern.”
1

Evidence -- Sampling
Rapid Review
Sampling Fundamentals
Audit sampling applies an audit procedure to fewer than 100% of the items under audit for the
purpose of drawing an inference about a characteristic of the population.
● The auditor expects the sample to (1) represent the population and (2) provide a reasonable basis
for conclusions about it.
● Sampling may be statistical or nonstatistical.
Statistical sampling is an objective method of determining sample size, selecting the items to be
examined, auditing those items, and drawing an inference about the population.
● Its primary characteristic is random selection.
● It also provides a means of quantitatively assessing precision (how closely the sample represents
the population) and reliability (confidence level, the percentage of times the sample will
adequately reflect the population).
● Statistical sampling helps the auditor design an efficient sample, measure the sufficiency of the
evidence obtained, and evaluate the sample results.
Nonstatistical (judgment) sampling uses the auditor’s subjective judgment to determine the sample
size (number of items to examine) and sample selection (which items to examine). This subjectivity is
not always a weakness.
● The auditor, based on other audit work, may be able to test the most material and risky
transactions and emphasize the types of transactions subject to high risk of material misstatement.
Sampling risk is the risk that the auditor’s conclusion based on a sample may differ from the
conclusion when the same procedure is applied to the entire population.
● The advantage of statistical sampling is that sampling risk can be measured and controlled.
● Two types of erroneous conclusions may be drawn because of sampling risk:
1. Controls are more effective than they actually are (overreliance), or a material misstatement
does not exist when in fact it does exist (incorrect acceptance). This type of error affects audit
effectiveness and is more likely to result in an inappropriate opinion.
2. Controls are less effective than they actually are (underreliance), or a material misstatement
exists when in fact it does not exist (incorrect rejection). This type of error affects audit
efficiency and results in more work.
Nonsampling risk is the risk of an erroneous conclusion caused by a factor not related to sampling
risk. For example, the auditor may apply inappropriate procedures or misinterpret audit evidence and
not recognize misstatements or control deviations.
The basic steps in a statistical plan are to

1. Determine the objectives of the plan,
2. Define the population,
3. Determine acceptable levels of sampling risk,
4. Calculate the sample size,
5. Select the sampling approach (e.g., random number, systematic, or block),
6. Take the sample,
7. Evaluate the sample results, and
8. Document the sampling procedures.
Sample sizes are dependent on population size, acceptable risk, variability in the population, and
tolerable misstatement in variables sampling (or the tolerable deviation rate in attribute sampling).
Attribute sampling tests binary (yes/no or error/nonerror) questions. It is used to test the
effectiveness of controls because it can estimate a rate of occurrence of control deviations in a
population.
Variables sampling applies to dollar values or other quantities. Mean-per-unit, difference estimation,
and ratio estimation are methods of variables sampling.
Monetary-unit sampling (MUS), also known as probability-proportional-to-size (PPS) or dollar-

unit sampling (DUS), is an approach to variables sampling that uses attribute sampling methods to
estimate monetary amounts. It uses a monetary unit (e.g., a dollar) as the sampling unit.
Statistical Sampling in Tests of Controls (Attribute Sampling)
The steps for testing controls are as follows:

1. Define the objectives of the plan,
2. Define the population,
3. Define the deviation conditions,
4. Determine the sample size,
5. Perform the sampling plan, and
6. Evaluate and document the sample results.
Classical Variables Sampling (Mean-per-Unit)
The steps for mean-per-unit sampling are as follows:

1. Define the objectives of the plan,
2. Define the population and the sampling unit,
3. Determine the sample size,
4. Select the sample,
5. Execute the plan, and
6. Evaluate and document the results.
Monetary-Unit Sampling (MUS)
Advantages of MUS are that (1) the largest items are selected for testing; (2) it is ideal for testing
overstatement errors; (3) small sample sizes may be appropriate; and (4) it is relatively easy to apply,
especially if no misstatements are discovered.
Disadvantages of MUS are that (1) items with zero or negative balances have no chance of selection,
(2) it is useful only for detecting overstatement errors, (3) sample sizes become relatively large if a
significant amount of misstatement is expected, and (4) the calculated allowance for sampling risk
tends to be overstated when a significant amount of misstatement is found in the sample.
The steps in MUS are similar to those of other sampling methods.
1

Reports -- Opinions and Disclaimers
Rapid Review
The Auditor’s Reporting Responsibility
The purpose of an audit is to provide the users of the financial statements with an opinion as to
whether the financial statements are presented fairly, in all material respects, in accordance with the
applicable financial reporting framework (e.g., GAAP).
● The auditor forms an opinion on the fairness of the statements based on the audit evidence
obtained and clearly expresses that opinion through a written report (hard copy or electronic).
Presented fairly means the financial statements as a whole are free from material misstatement,
whether due to fraud or error. The auditor gains reasonable assurance regarding fair presentation.
● The evaluation of fairness should include consideration of the qualitative aspects of the entity’s
accounting practices.
The Auditor’s Report
The report for an audit of a nonissuer in accordance with GAAS (AICPA standards) should include
the following:
● Title
● Addressee
● Opinion
● Basis for Opinion
● Responsibilities of Management for the Financial Statements
● Auditor’s Responsibilities for the Audit of the Financial Statements
● Signature of the Auditor
● Auditor’s Address
● Date of the Auditor’s Report
AICPA and PCAOB reports are similar. But the PCAOB report differs in the following ways:
● A different title (“Report of the Independent Registered Public Accounting Firm” instead of
“Independent Auditor’s Report”)
● Use of the term “unqualified opinion” instead of unmodified opinion
● A requirement that it be addressed to the board of directors and shareholders
● The opinion paragraph presented in the first section of the report
● A reference to PCAOB standards rather than GAAS
● A statement that the public accounting firm is required to be independent
● A requirement that the report be manually signed by the audit firm
● A requirement to include the year that the audit firm was first engaged
● Use of the section titled “Critical Audit Matters”
An unmodified opinion is the conclusion that the financial statements are presented fairly, in all
material respects, in accordance with the framework.
A qualified opinion is the conclusion that, except for the matter(s) described in the basis for
qualified opinion paragraph, the financial statements are presented fairly, in all material respects, in
accordance with the framework. These are presented when
● The auditor has obtained sufficient appropriate audit evidence and misstatements are material but
not pervasive.
● The auditor has not obtained sufficient appropriate audit evidence and the possible effects of
undetected misstatements are material but not pervasive.
An adverse opinion is the conclusion that, because of the significance of the matter(s) described
in the basis for adverse opinion paragraph, the financial statements are not presented fairly
(misstatements are material and pervasive).
A disclaimer of opinion is the conclusion that, because of the significance of the matter(s) described
in the basis for disclaimer of opinion paragraph, the auditor has not been able to obtain sufficient
appropriate audit evidence and the possible effects of undetected misstatements could be material
and pervasive on the financial statements.
Pervasive effects on the statements are not confined to specific elements, accounts, or items of the
statements; represent or could represent a substantial proportion of the statements; and are, with
regard to disclosures, fundamental to users’ understanding of the statements.
A misstatement arises from fraud or error. It is a difference between (1) the amount, classification,
presentation, or disclosure of a financial statement item and (2) the amount, etc., required for it to be
presented fairly.
The auditor may choose to include, or be required to include, an emphasis-of-matter or other-

matter paragraph in the auditor’s report.
Addressing and Dating the Report

The auditor’s report should be addressed to those for whom the report is prepared. It may be
addressed to the entity whose statements are being audited or to those charged with governance.
The date of the audit report is no earlier than the date on which the auditor has obtained
sufficient appropriate evidence to support the opinion.
When a subsequent event disclosed in the financial statements occurs after the date of the report but
before the report release date, the auditor may use dual-dating or the later date as the date for the
entire report.
Qualified Opinions
Financial statements may be fairly presented except for the effects or possible effects of a certain
matter. If the opinion is qualified because of such effects, the auditor should describe the matter
resulting in the qualification.
The inability to obtain sufficient appropriate evidence that is material but not pervasive may result
from circumstances not controlled by the entity, circumstances related to the nature or timing of the
work, or limitations imposed by management.
When a qualified opinion results from an inability to obtain sufficient appropriate evidence, the opinion
should indicate that the qualification pertains to the possible effects on the financial statements, not to
the scope limitation itself.
Misstatements that are material but not pervasive include inappropriate selection or application of
accounting principles, unjustified change in accounting principles, inadequate disclosure, or failure to
provide basic financial statements.
Adverse Opinions
The auditor should include a Basis for Adverse Opinion section preceding the opinion paragraph that
describes the matter resulting in the modification.
The opinion should state that, because of the significance of the matter(s) described in the Basis for
Adverse Opinion section, the financial statements are not presented fairly in accordance with the
framework.
Disclaimers of Opinion
Disclaimers of opinion can result if the auditor is not independent but is required to report by law or
regulation, the auditor is reporting on a single financial statement, or an accountant is associated with
the unaudited financial statements of an issuer.
1

Reports -- Other Modifications
Rapid Review
Group Audits and Component Auditors
GAAS apply to an audit of a group of financial statements. In some cases, part of the group audit is
performed by a component auditor who is not part of the group engagement team.
● A component auditor performs work on the financial information that will be used as audit
evidence for the group audit. A component auditor may be a member of (1) the group engagement
partner’s firm, (2) a network firm of the group engagement partner’s firm, or (3) another
autonomous firm.
The group engagement partner is responsible for the group engagement, its performance, and the
report on the group statements.
● The partner decides either to assume responsibility for, and thus be required to be involved in,
the work of a component auditor to the extent that work relates to the expression of an opinion
on the group financial statements or not assume responsibility for, and accordingly refer to, the
audit of a component auditor in the auditor’s report on the group financial statements.
● (S)he also (1) is required to be satisfied that those performing the group audit engagement
collectively possess the appropriate competence and capabilities; (2) is responsible for the
direction, supervision, and performance of the group audit; and (3) should determine whether
sufficient appropriate audit evidence can reasonably be expected to be obtained regarding the
consolidation process.
A reference in the auditor’s report on the group financial statements to a component auditor is not
a qualification of the opinion. Rather, it is intended to communicate that the auditor of the group
financial statements is not assuming responsibility for the work of the component auditor and the
component auditor is the source of the audit evidence with respect to those components for which the
reference is made.
● If no reference to a component auditor is made, the group auditor assumes responsibility for the
work of the component auditor.
Consistency of Financial Statements
The auditor should evaluate whether the comparability of the financial statements between or among
periods has been materially affected by a change in accounting principle or adjustments to correct a
material misstatement in previously issued financial statements.
If the auditor’s report does not state otherwise, it implies that comparability between or among periods
has not been materially affected by such changes or corrections.
Changes affecting consistency require an emphasis-of-matter paragraph for nonissuers or an

explanatory paragraph for issuers. This paragraph follows the opinion paragraph and describes the
change, referring to the entity’s disclosures relating to the change.
Changes in classification (e.g., a title of “Cash in Bank” to “Cash”) from previously issued statements
typically do not require recognition in the auditor’s report unless the change is the correction of a
material misstatement or a change in principle.
Uncertainties and Going Concern
An uncertainty is expected to be resolved at a future date, at which time conclusive evidence

regarding its outcome is expected to be available. If the auditor concludes that sufficient evidence
supports the assertions about an uncertainty, an unmodified report is ordinarily appropriate.
● Management is responsible for estimating the effect of future events on the financial statements or
determining that a reasonable estimate is not possible and making required disclosures.
After considering an entity’s ability to continue as a going concern, the auditor may conclude that
substantial doubt exists. In this case, a separate section should be added to the auditor’s report
titled Substantial Doubt About the Entity’s Ability to Continue as a Going Concern.
● The auditor’s additional paragraph should include the terms “substantial doubt” and “going
concern.”
Comparative Financial Statements
A continuing auditor should update the report for the one or more prior periods presented in
comparative form. An updated report is not a reissuance of a previous report. It considers information
from the audit of the current-period statements, is issued with the report on those statements, and is
dated as of the latest audit.
The report applies to individual financial statements. Thus, an auditor may (1) express a qualified or
an adverse opinion, (2) disclaim an opinion, or (3) include an additional paragraph for one or more
statements for one or more periods while issuing a different report on the other statements.
During the audit, the auditor should be alert for circumstances or events affecting the prior-period
financial statements presented and should consider their effects when updating the report.
If the prior-period financial statements were not audited, reviewed, or compiled, the financial
statements should be clearly marked to indicate their status.
Emphasis-of-Matter and Other-Matter Paragraphs (AICPA Standards)
An emphasis-of-matter paragraph is included in the report on an audit of a nonissuer. It draws

users’ attention to a matter appropriately presented or disclosed in the financial statements that is
fundamental to users’ understanding of the financial statements.
● An emphasis paragraph with an appropriate section title is permitted but never required in a report
on an audit of an issuer.
An other-matter paragraph is used to draw users’ attention to any matter not presented or
disclosed in the financial statements that is relevant to users’ understanding of the auditor’s audit,
responsibilities, or report.
1

Related Reporting Topics
Rapid Review
Interim Financial Information
Interim financial information (IFI) covers a period of (1) less than a full year or (2) the 12 months
ending on a date other than fiscal year end.
A review of interim financial information (IFI) provides the accountant with a basis for reporting
whether material modifications should be made for such information to conform with the applicable
financial reporting framework (i.e., negative assurance).
● A review does not entail testing of accounting records, obtaining corroborating evidence, or
applying certain other auditing procedures.
● The procedures ordinarily are limited to inquiries and analytical procedures. However, because a
review of IFI is performed for audit clients, it is expected that the accountant will have a knowledge
of the business and internal controls.
■ Procedures that should be performed include analytical procedures, reading the minutes of
meetings, and obtaining reports of auditors who have reviewed IFI of significant components of
the entity or investee.
The auditor should accumulate misstatements unless they are clearly trivial.
The Auditor’s Responsibilities Relating to Other Information Included in

Annual Reports
Other information is financial or nonfinancial information that is included in an entity’s annual report.
The auditor need not corroborate other information but should read it to identify material
inconsistencies within the statements. The auditor’s responsibility is to respond appropriately when
the other information may undermine the credibility of the statements and the auditor’s report.
Required Supplementary Information
RSI is information that the designated accounting standards setter has determined must accompany
the basic financial statements.
The auditor should (1) inquire about whether the RSI is within the guidelines, whether methods of
measurement or presentation have changed, and any significant assumptions or interpretations;
(2) compare the RSI for consistency with basic statements, management’s responses to inquiries,
and other audit evidence; and (3) obtain management’s written representations relevant to its
responsibilities for RSI and compliance with guidelines.
Supplementary Information in Relation to the Financial Statements as a

Whole
SI is presented outside the basic statements and is not necessary for the statements to be fairly
presented in accordance with the applicable financial reporting framework.
An auditor ordinarily does not report on nonrequired supplementary information (e.g., statistical
data abstracted from the financial statements). However, when an auditor is engaged to report
on supplementary information, an opinion is expressed as to its fairness relative to the financial
statements.
Engagements to Report on Summary Financial Statements
Summary financial statements are derived from audited statements. The auditor’s objective is to
form an opinion on whether the summary statements are consistent with the audited statements.
Financial Statements Prepared in Accordance With a Financial Reporting

Framework Generally Accepted in Another Country
An independent auditor practicing in the U.S. may report on the financial statements of a U.S. entity
prepared in conformity with accounting principles generally accepted in another country for use
outside the U.S.
If financial statements prepared in accordance with a reporting framework generally accepted in

another country also are intended for use in the United States, the auditor should report using the
U.S. form of report.
Reports on Application of Requirements of an Applicable Financial

Reporting Framework
AU-C 915 should be applied by an accountant in public practice, other than a continuing accountant,
who has been requested to issue a written report on (1) the application of the requirements of a
financial reporting framework to a specific transaction involving facts or circumstances of a specific
entity or (2) the type of report that may be issued on a specific entity’s statements.
● It also applies to oral advice believed to be an important factor in the decisions about accounting
principles made by a principal to the transaction.
Audits of Financial Statements Prepared in Accordance with Special

Purpose Frameworks
Audit opinions may be expressed on the fairness of financial statements presented using the
following special purpose frameworks:
● The cash basis is used to record cash receipts and cash payments.
● The tax basis is used to file income tax returns.
● The regulatory basis is used to comply with the requirements of a regulatory agency.
● The contractual basis is used to comply with an agreement between the entity and a third party.
● An other basis is a set of logical, reasonable criteria applied to all material items in the
statements.
1

SSARSs -- Preparation, Compilation,
and Review Engagements
Rapid Review
Preparation
Statements on Standards for Accounting and Review Services (SSARSs) describe responsibilities
of the accountant for engagements to (1) prepare, (2) compile, or (3) review financial statements in
accordance with the applicable financial reporting framework (typically GAAP).
● SSARSs should be adapted as necessary when those services are performed on other historical
or prospective financial information.
A preparation engagement is a nonattest service that does not require the accountant to (1) be
independent or (2) determine whether (s)he is independent of the entity. Furthermore, the
accountant need not
◙ Verify the accuracy or completeness of management’s information,
◙ Obtain evidence to express an opinion or a conclusion, or
◙ Include a report with the financial statements.
The accountant’s name is not required to be identified or associated with the financial statements.
A preparation provides no assurance on the financial statements, and the accountant should include
on each page of the financial statements and notes a notation that no assurance is provided.
The basic difference between a preparation and a compilation is that a compilation requires a report
and a preparation does not.
Compilation
A compilation is a service performed to assist management in presenting financial information in the

form of financial statements without undertaking to obtain or provide any assurance. A compilation
can be of a (1) financial statement, (2) prospective financial statement, (3) pro forma financial
statement, or (4) other historical financial statement.
An accountant need not be independent to perform a compilation.

● When the accountant is not independent, the report should be modified. The accountant should
indicate his or her lack of independence in a final paragraph of the accountant’s compilation.
The accountant should obtain an understanding of (1) the applicable framework and (2) the
significant accounting policies intended to be used in compiling the financial statements.
● But an accountant is not prevented from accepting a compilation engagement for an entity in an
industry with which the accountant has no prior experience.
● The accountant may obtain the understanding by, for example, consulting (1) AICPA guides,
(2) industry publications, (3) financial statements of other entities in the industry, (4) textbooks and
periodicals, (5) appropriate continuing professional education, or (6) individuals knowledgeable
about the framework or the industry.
The accountant is not required to make inquiries or perform other procedures to verify, corroborate,
or review information provided by the entity but should read the compiled financial statements and
consider whether they appear to be in appropriate form and free of obvious material misstatements.
● The report states that (1) the statements were compiled in accordance with SSARSs and (2) the
accountant does not express an opinion or a conclusion or provide any assurance.
The accountant may compile financial statements that omit substantially all the disclosures required
by an applicable reporting framework if the omission is not intended to mislead users.
Review
The objective of a review is to obtain sufficient appropriate review evidence that no material
modifications should be made to the statements for them to be in accordance with the applicable
financial reporting framework. The accountant must be independent to perform a review.
In a review, the accountant should possess or obtain a sufficient understanding of the industry in
which the entity operates, including the accounting principles and practices generally used in the
industry.
● The accountant also should obtain knowledge about the entity, including an understanding of
(1) the entity’s business and (2) its accounting principles and practices.
■ The understanding should suffice to (1) identify the assertions in the financial statements
having a greater likelihood of material misstatement and (2) design procedures to address
those risks.
Review procedures primarily consist of (1) applying analytical procedures, (2) making inquiries of
management, and (3) obtaining representations from management.
● A review is substantially less in scope than an audit, the objective of which is the expression of an
opinion on the financial statements as a whole.
● A review does not involve (1) obtaining an understanding of the entity’s internal control;
(2) assessing fraud risk; (3) testing accounting records through inspection, observation,
confirmation, or the examination of source documents; or (4) other procedures ordinarily
performed in an audit.
1

SSAEs -- Examination, Review, and
Agreed-Upon Procedures Engagements
Rapid Review
Concepts Common to All Attestation Engagements (AT-C 105)

The purpose of an examination or review attestation engagement is to provide users of information
with an opinion or conclusion regarding subject matter or an assertion about the subject matter as
measured against suitable and available criteria.
An examination engagement results in an opinion; a review engagement results in a conclusion.
The subject matter of an attestation engagement can take many forms (in contrast with an audit of
financial statements).
The three types of attestation engagements are (1) examinations, (2) reviews, and (3) agreed-upon
procedures.
The basic concept of an attestation engagement is that a party who is not the practitioner makes
an assertion about whether the subject matter is measured or evaluated in accordance with suitable
criteria. The practitioner gathers evidence and reports on the subject matter or assertion.
● The party who engages the practitioner is the engaging party. The party responsible for the
assertion is the responsible party. Most often the engaging party is the responsible party.
All attestation engagements require the practitioner to be independent.
Examination Engagements (AT-C 205)

Attestation examination subject matter can take many forms so long as it can be measured and
evaluated against suitable criteria. The objectives of an examination engagement are to
● Obtain reasonable assurance on whether subject matter is free from material misstatement,
● Express an opinion about whether the subject material is in accordance with the criteria or the
responsible party’s assertion is fairly stated, and
● Communicate as required.
Although similar in nature, examinations and audits do have significant differences (e.g., the subject
matter of an examination is not historical financial statements).
Materiality should be considered, and professional judgment should be used when determining the
nature, timing, and extent of examination procedures.
Restriction of the report to the appropriate limited parties should be noted in a separate paragraph
of the report.
Review Engagements (AT-C 210)
In a financial statement review, the practitioner provides limited assurance about whether material
modifications to the financial statements are necessary in order to be in accordance with the
applicable financial reporting framework.
In an attestation review, the practitioner provides limited assurance about whether material
modifications should be made to the subject matter in order for it to conform to specific criteria.
Despite some similarities, attestation reviews differ from financial statement reviews in significant
ways (e.g., the subject matter of attestation reviews does not consist of historical financial
statements).
The objectives of a financial statement review are to

● Obtain limited assurance about whether material modification to the subject matter is necessary
to be in accordance with the criteria,
● Express a conclusion about whether the practitioner is aware of any material modifications that
should be made to the subject matter or the responsible party’s assertion, and
Analytical procedures and inquiries should be performed when possible.
For misstatements that are material but not pervasive, a qualified conclusion is generally expressed.
For misstatements that are both material and pervasive, the practitioner should withdraw from the
engagement.
Agreed-Upon Procedures Engagements (AT-C 215)
An agreed-upon procedures engagement is an attestation engagement in which an independent

practitioner performs specific procedures on subject matter and reports the findings without providing
an opinion or conclusion.
The objectives of an agreed-upon procedures engagement are to

● Apply specific procedures to subject matter,
● Issue a written report that describes the procedures applied and the findings, and
Certain factors should be present in order for the practitioner to accept the engagement (e.g., the
procedures can be performed and reported on in accordance with AT-C 215).
To avoid ambiguity, procedures to be performed should be associated with specific actions to be

taken. Additional procedures need not be performed outside the scope of the engagement.
Prospective Financial Information (AT-C 305)
Practitioners may perform examination or agreed-upon procedures engagements for prospective

financial statements (PFSs) and compliance attestations, but not reviews.
● A financial forecast consists of PFSs that present an entity’s expected financial position, results
of operations, and cash flows. It is based on the responsible party’s assumptions reflecting
conditions it expects to exist and the course of action it expects to take.
● A financial projection differs from a financial forecast because it is also based on one or more
hypothetical assumptions.
Reporting on Pro Forma Financial Information (AT-C 310)
Pro forma financial information (PFFI) shows “what the significant effects on historical financial
information would have been had a consummated or proposed transaction (or event) occurred at an
earlier date.” This standard applies to examinations and reviews. Compilations of PFFI are subject to
the accounting and review standards (SSARSs).
Compliance Attestation (AT-C 315)
A practitioner may be requested to provide assurance about the entity’s compliance with specified
financial or nonfinancial requirements (laws, regulations, rules, contracts, or grants). Examinations
and agreed-upon procedures engagements may be performed.
Management’s Discussion and Analysis (AT-C 395)
Management’s discussion and analysis (MD&A) may be presented in an annual report or other
documents filed with the SEC. MD&A is a written assertion that may be examined or reviewed by the
practitioner.
1
Governmental Audits
Rapid Review
Government Auditing Standards
The Government Accountability Office (GAO) establishes generally accepted government auditing
standards (GAGAS) and issues Government Auditing Standards (the Yellow Book). GAGAS pertain
to auditors’ professional qualifications and the quality of their work, the performance of field work, and
the characteristics of meaningful reporting.
The ethical principles that guide the work of auditors in accordance with GAGAS are
◘ The public interest
◘ Integrity
◘ Objectivity
◘ Proper use of government information, resources, and positions
◘ Professional behavior
Independence. Audit organizations and auditors must be independent in both mind and appearance.
The standards include a conceptual framework for independence similar to the AICPA’s that requires
auditors to (1) identify threats to independence, (2) evaluate the significance of the threats identified,
and (3) apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.
Continuing professional education. Government auditors are required to acquire 80 hours of

continuing education every 2 years. At least 24 hours should directly relate to governmental
auditing.
Quality control and assurance. Each audit organization must establish a system of quality control
and have an external peer review at least once every 3 years.
GAGAS provide for audits and attestation engagements.

● Financial audits include financial statement audits. These audits are primarily concerned with
whether financial statements are presented fairly, in all material respects, in conformity with an
applicable financial reporting framework (typically GAAP).
● Other types of financial audits provide different levels of assurance and entail various scopes
of work, such as (1) auditing compliance with requirements relating to government programs and
(2) auditing internal control that is integrated with an audit of the financial statements.
● Attestation engagements concern examining, reviewing, or performing agreed-upon procedures

on a subject matter or an assertion about a subject matter and reporting on the results. They
include reporting on an entity’s internal control over financial reporting and on compliance with
requirements of laws, regulations, etc.
● Performance audits aim to (1) improve program performance and operations, (2) reduce costs,
(3) facilitate decision making by parties responsible for corrective action, and (4) contribute to
public accountability.
■ These audits assess (1) program effectiveness, (2) internal control, (3) compliance with legal or
contractual requirements, and (4) prospective analyses.
● Standards for financial audits. Government Auditing Standards incorporates AICPA standards
for financial audits. However, in some cases, the following additional standards have been
established that expand on GAAS:
■ Compliance with GAGAS. Audit reports should state that the audit was performed in
accordance with GAGAS.
■ Licensing and certification. Auditors should be CPAs or work for CPAs.
■ Auditor communication. Auditors should communicate pertinent information to individuals

contracting for or requesting the audit and legislative committees that oversee the audited entity.
■ Results of previous engagements. Auditors should determine whether the audited entity has
taken appropriate corrective action to address findings and recommendations from previous
engagements.
■ Investigations or legal proceedings. Auditors should inquire of management about legal
proceedings and evaluate the effect of proceedings on the audit.
■ Reporting on internal control; compliance with laws, regulations, contracts, and grant
agreements; and fraud. The report (or separate reports) on financial statements should
describe the scope of the testing of internal control over financial reporting and compliance with
laws and regulations and grant or contract provisions and include the results of the tests.
■ Developing and reporting elements of a finding. The elements needed for a finding depend
on the objectives of the audit but include criteria, condition, cause, and effect or potential
effect. Findings should be reported so that management understands the need for corrective
action.
■ Audit documentation. The auditor should document supervisory review, before the report
release date, of the evidence that supports the findings and conclusions contained in the
auditors’ report.
■ Reporting to outside parties. Auditors should report fraud and noncompliance directly to
outside parties if management fails to (1) meet requirements to report such information to
external parties or (2) timely and appropriately respond to fraud or noncompliance that is likely
to be material and involves funding from a government agency.
■ Obtaining and reporting views of responsible officials. Auditors should obtain and report
the views of responsible officials of the audited entity about the findings, conclusions, and
recommendations as well as any planned corrective actions.
■ Reporting confidential or sensitive information. If certain pertinent information is prohibited
from public disclosure, auditors should disclose in the report that certain information has been
omitted.
■ Distributing reports. Audit organizations in government entities should distribute audit reports
to those charged with governance, the appropriate officials of the audited entity, and the
appropriate oversight bodies or organizations requiring or arranging for the audits.
Compliance Audits (AU-C 935)
A compliance audit is a program-specific or organization-wide audit of compliance requirements

(laws, rules, regulations, contracts, or grants) that applies to government programs. It is normally
performed with a financial statement audit.
The guidance applies when an auditor performs a compliance audit in accordance with GAAS,
financial audit standards in Government Auditing Standards, and a governmental audit requirement
(GAR) that requires an opinion on compliance.
The auditor’s objectives are to obtain sufficient appropriate evidence to form an opinion and report
at the level specified in the GAR on whether the entity complied, in all material respects, with the
compliance requirements.
● The auditor should also identify any additional audit and reporting requirements that supplement
GAAS and Government Auditing Standards and perform and report on the related procedures.
The auditor may issue a separate report on compliance, or it may be included with a report on internal
control over compliance required by the GAR.
Federal Audit Requirements and the Single Audit Act
The Single Audit Act requires nonfederal entities that expend $750,000 or more of federal awards
in a fiscal year to have a single audit in accordance with the Single Audit Act unless they properly
elect to have a program-specific audit.
● The single audit is in lieu of any financial audit required under individual federal awards. It
encompasses the entity’s financial statements and schedule of expenditures of federal awards.
● The auditor uses a risk-based approach in determining which federal programs are major
programs.
● The schedule of audit findings and questioned costs includes any instances of known
questioned costs greater than $25,000 or of known questioned costs when likely questioned costs
exceed $25,000 for compliance requirements for a major program.
According to the Single Audit Act, the auditor must conduct the audit in accordance with GAGAS. The
scope of the audit extends to, among other things, expressing or disclaiming an opinion on whether
● The financial statements are presented fairly, in all material respects, in conformity with GAAP and
● The schedule of expenditures of federal awards is presented fairly, in all material respects, in
relation to the financial statements as a whole.

Cpa Aud Su1 CC Merged

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cpa Aud Su1 CC Merged

Uploaded by

Copyright:

Available Formats

1

CPA AUD – STUDY UNIT 1

Overall Objectives and Conducting an Audit

● Account balances at period end (the balance sheet)

The degrees of responsibilities imposed on auditors are categorized as unconditional responsibility,

Accounting and Review Services

A preparation is the presentation in statement form of information of management without attaching

A compilation is the presentation in statement form of information that is the representation of

Independence is required for a review but not a preparation or a compilation.

In an attestation engagement, a practitioner performs an examination, a review, or agreed-upon

● In an agreed-upon procedures engagement, the practitioner applies procedures to subject matter

Additional Professional Services

The six control elements include

CPA AUD – STUDY UNIT 2

Code of Professional Conduct

Principles are goal-oriented but nonbinding.

● The public interest. Act to benefit the public interest.

● Integrity. Use the highest degree of integrity.

● Due care. Use due care.

All of the following Rules must be followed by members in public practice:

Independence is impaired if a covered member has the following interests or relationships:

Integrity and Objectivity

Other Pronouncements on Professional Responsibilities

The Sarbanes-Oxley Act of 2002 requires

● Rotation of audit partners

● Communications by the auditor with the audit committee

● The auditor to avoid most nonaudit services

● Audit committees to be established by issuers

CPA AUD – STUDY UNIT 3

Pre-Engagement Acceptance Activities

Understanding the Entity and Its Environment

Audit Risk and Materiality

Audit risk = Inherent risk × Control risk × Detection risk

Audit risk = Risk of material misstatement × Detection risk

Audit Data Analytics and Analytical Procedures

Analytical procedures are evaluations of financial information made by a study of plausible

Inconsistent fluctuations or relationships or significant differences should result in (1) inquiries of

Consideration of Fraud in a Financial Statement Audit

Consideration of Laws and Regulations in an Audit of Financial Statements

CPA AUD – STUDY UNIT 4

Using the Work of Internal Auditors

Using the Work of a Specialist

An auditor’s specialist is an individual or organization possessing expertise in a field other than

A management’s (company’s) specialist is an individual or organization possessing expertise in a

Accounting Estimates and Fair Value

The auditor should

● Test the operating effectiveness of controls over the estimation process.

● Develop a point estimate or range to evaluate management’s estimate.

CPA AUD – STUDY UNIT 5

Introduction to Internal Control

4. Monitoring of controls assesses the effectiveness of internal control over time.

Understanding Internal Control

Internal Control and Information Technology

CPA AUD – STUDY UNIT 6

Management is responsible for the establishment of controls to ensure

Typical control activities in the sales-receivables portion of the cycle include

● Use of prenumbered documents to permit detection of unrecorded or unauthorized transactions

● Depositing all cash intact daily

● Employees responsible for handling cash are bonded

Controls in a Cash Sale Environment

Other Sales-Receivables Related Transactions

Typical controls implemented include

● Preformatted screens to avoid data entry errors,