auditing & attestation
TRANSCRIPT
Becker’s Review Course
Auditing & Attestation AUD CPA Review Notes
Lydia McCracken V.4.0
1
Contents A1 – Audit Reports .....................................................................................................................................................3
M1: Professional Standards ................................................................................................................................................ 3 M2: Audit Engagements ...................................................................................................................................................... 3 M3: Forming an Audit ......................................................................................................................................................... 4 M4: Unmodified (Unqualified) Opinion .............................................................................................................................. 5 M5: Modified Due to Financial Statement Issues ............................................................................................................... 7 M6: Modified Opinions Due to Audit Issues ....................................................................................................................... 8 M7: Emphasis-of-Matter, Other-Matter, And Explanatory Paragraph ............................................................................. 10 M8: Reporting with Different Opinions and Other Auditors ............................................................................................ 11 M9: Subsequent Events .................................................................................................................................................... 13 M10: Other Information and Supplementary Information ............................................................................................... 14 M11: Special Purpose and Other Frameworks ................................................................................................................. 16
A2- Quality Control, Engagement Acceptance, Planning, and Internal Control ............................................................ 17
M1: Quality Control ........................................................................................................................................................... 17 M2: Documentation .......................................................................................................................................................... 19 M3: Terms of Engagement ................................................................................................................................................ 20 M4: Planning ..................................................................................................................................................................... 21 M5: Using the Work of Others .......................................................................................................................................... 22 M6: Materiality ................................................................................................................................................................. 23 M7: Risk Assessment (Part 1) ............................................................................................................................................ 24 M8: Risk Assessment (Part 2) ............................................................................................................................................ 24 M9: The Effect of Information Technology on the Audit .................................................................................................. 27
A3 – Risk, Evidence, and Sampling ............................................................................................................................ 28
M1: Fraud Risk................................................................................................................................................................... 28 M2: Audit Risk ................................................................................................................................................................... 30 M3: Identifying, Assessing, and Responding to Risk ......................................................................................................... 30 M4: Specific Areas of Engagement ................................................................................................................................... 32 M5: Sufficient Appropriate Evidence ................................................................................................................................ 32 M6: Procedures to Obtain Evidence ................................................................................................................................. 33 M7: Financial Ratios .......................................................................................................................................................... 36 M8: Sampling (Part 1) ....................................................................................................................................................... 37 M9 Sampling (Part 2) ........................................................................................................................................................ 38 M10: Audit Data Analytics ................................................................................................................................................ 39
A4 – Performing Further Procedures, Forming Conclusions, and Communication ....................................................... 40
M1: Revenue Cycle ............................................................................................................................................................ 40 M2: Expenditure Cycle ...................................................................................................................................................... 42 M3: Cash Cycle .................................................................................................................................................................. 42 M4: Inventory Cycle .......................................................................................................................................................... 43 M5: Investment Cycle ....................................................................................................................................................... 44 M6: Other Transaction Cycles ........................................................................................................................................... 46 M7: Matters That Require Special Consideration ............................................................................................................. 47 M8: Misstatements and Internal Control Deficiencies ..................................................................................................... 49 M9: Written Representations ........................................................................................................................................... 50 M10: Communication with Management and Those Charged with Governance ............................................................ 50
A5 – Integrated Audits, Attestation Engagements, Compliance, and Government Audits ........................................... 52
M1: Integrated Audit Procedure ....................................................................................................................................... 52 M2: Communication and Reporting in an Integrated Audit ............................................................................................. 54 M3: Attestation Engagements and Standards .................................................................................................................. 56
2
M4: Agreed-Upon Procedures and Prospective Financial Statements ............................................................................. 57 M5: Reporting on Controls at a service Organization ....................................................................................................... 60 M6: Reporting on Compliance .......................................................................................................................................... 61 M7: Government Audits ................................................................................................................................................... 62 M8: Single Audits .............................................................................................................................................................. 64
A6 – Accounting and Review Service Engagements, Interim Reviews, and Ethics and Professional Responsibilities ..... 66
M1: SSARS Engagements .................................................................................................................................................. 66 M2: Preparation Engagements ......................................................................................................................................... 68 M3: Compilation Engagement .......................................................................................................................................... 68 M4: Review Engagement .................................................................................................................................................. 69 M5: Review Reports .......................................................................................................................................................... 71 M6: Interim Reviews ......................................................................................................................................................... 73 M7: The AICPA Cod of Professional Conduct .................................................................................................................... 76 M8: Ethical Requirements of the SEC and PCAOB ............................................................................................................ 79 M9: Ethical Requirement of the GAO and DOL ................................................................................................................. 81
KEY
Important Note
Exam Tricks
“Exact wording to be used.”
Acronyms
3
A1: Audit Reports M1: Professional Standards
(1) Professional Standards
• Statements on Auditing Standard → AICPA → Nonissuer (Private)
• Public Company Accounting Oversight Board Auding Standards → Issuer (Public)
• Generally Accepted Government Auditing Standards → Government
• Statements on Standards for Attestation Engagement →AICPA → Attest services
• Statements on Standards for Accounting and Review Services → AICPA → Unaudited F/S of nonissuer
(2) Auding Guidance: The GAAS Hierarchy
• SAS (Nonissuer – Private) and PCAOB AS (Issuer – Public) o “Must” = Is required o “Should” = Presumptively mandatory requirement o “May”, “Might”, and “Could” = Explanatory material that does not impose a professional requirement
M2: Audit Engagements (1) Audit Process Overview
• Engagement Acceptance
• Assess Risk and Plan Response
• Perform Procedures and Obtain Evidence
• Form Conclusion
• Reporting
(2) The Independent Audit Function: The Basics (GAAS)
• Management Responsibilities: Financial Statements & Internal Controls
• Auditor Responsibilities: Attest function (Opinion) o Professional Skepticism: Professional judgement. Make assessment yourself, each year. o Impediments to acting with professional skepticism
▪ Center for Audit Quality (CAQ)
• Confirmation
• Overconfidence
• Anchoring
• Availability o Ethical Requirements → Independence in both FACT and APPEARANCE o Professional Judgement in planning & performing an audit
▪ Making decisions:
• Materiality
• Audit risk
• Nature, Extent, and Timing (NET) → To support Audit opinion (not FS)
• Reasonable Assurance and Inherent Limitations of an Audit o Free from material misstatement o High, but NOT absolute level of assurance (reasonable) o Inherent Limitations
▪ Nature of Financial Reporting
• Judgement by management
• Subjective decisions
• Accounting Estimates ▪ Nature of Audit Procedures
• May not provide complete information – Impairment, Warranties, Contingencies, Lawsuits. Fraud may (will) be concealed.
EXAM TRICK Weak Internal Control ≠
Adverse Opinion
4
▪ Cost-Benefit Balance
• Plan effective audit
• Direct effort to most expected to contain risk
• Use testing
(3) Determine the Nature and Scope of the Engagement
• Single period or multiple periods
• Nonissuer (Private Company) – One OR the other o Financial Statement audit only o Integrated audit (Financials and internal controls)
• Issuer (Public Company) - MUST perform an integrated audit
(4) Overall Objectives of Audit Engagements
• Objectives of the Financial Statement Audit o Obtain reasonable assurance o Report on the financial statements
• Objectives of the Internal Controls Audit o Express an opinion on the effectiveness of the internal controls over the financial reporting o Reasonable assurance about whether material weakness exist
M3: Forming an Audit (1) Forming and Opinion on the Financial Statements
• When forming an opinion, the auditor should evaluate whether, based on the applicable financial reporting framework:
o Adequately disclosed o Consistent o Accounting estimates are reasonable o FS is relevant, reliable, comparable, and understandable o Adequate disclosure o Terminology used appropriate o Fairly presented o Represent the underlying transactions
(2) Types of Opinions
• Unmodified (Unqualified) Opinion = Clean Opinion o An unmodified/unqualified opinion states that the financial statements present fairly, in all
material respects. o Unmodified → Nonissuer (Private) o Unqualified → Issuer (Public)
• Modification to Auditor’s Opinion o Types of Modified Opinions:
▪ Qualified Opinion: “Except for” the financial statements are presented fairly (Could be a GAAP or GAAS issue)
▪ Adverse Opinion: Do NOT present fairly (GAAP issue) ▪ Disclaimer of Opinion: Auditor does NOT express an opinion (GAAS issue)
o No piecemeal opinions!
• Definition of Pervasive = VERY MATERIAL
Departure from GAAP is
permissible if financial statements
would be otherwise misleading
(unmodified/unqualified opinion).
5
M4: Unmodified (Unqualified) Opinion (1) Unmodified Audit Opinion (Nonissuers) – MR DIM REPPORTS CRAME
• Content of the Audit Report – GAAS Standards – Report example on Page A1-21 o Title: “Independent” o Addressee: Usually to the Board of Directors or stakeholders. General Rule → Not Management o Introductory Paragraph: Identify the entity, state that the FS being audited, Nature of the
engagement, date/period covered. o Management’s Responsibility Section: Management Responsibility Design, Implementation and
Maintenance (MR DIM) o Auditor’s Responsibility Section – REPPORTS CRAME
▪ Responsibility ▪ Express → Auditing standards generally accepted in the US ▪ Plan ▪ Performing procedures to Obtain ▪ Risk of material misstatement ▪ Internal Control “TEST” ▪ Financial Statements ▪ Internal Control effectiveness ▪ Reasonableness of significant Accounting estimates made by Management ▪ Evaluating overall presentation
o Auditor’s Opinion: ▪ Presents fairly, in all material respects → Explicit Statement ▪ Identification of the applicable financial reporting framework and its origin
o Other Reporting Responsibilities o Signature of the Auditor: Manual/printed signature of the auditor’s firm o Auditor’s Address: City and State in which auditor practices o Date of the Auditor’s Report → The auditor’s report should be dated no earlier than the date
on which the auditor has obtained sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements.
▪ Dual dating (in a later chapter)
• Reference to Auditing Standards in the Auditor’s Report o Audits in Accordance with Two Sets of Standards
▪ Additional language should be added to the Auditor’s Responsibility paragraph to describe the standards.
o Audits in Accordance with GAAS and PCAOB Standards (Nonissuer) ▪ Use the report required by the PCAOB ▪ Amend the PCAOB (issuer) report to state that audit was also conducted in accordance
with GAAS.
GAAS → Auditor’s Responsibility paragraph GAAP → Management’s Responsibility paragraph and Opinion paragraph
Un
mo
dif
ied
Au
dit
Op
inio
n R
epo
rt
6
(2) Unqualified Audit Opinion (Issuer) – RAPMEE RAPMEE
• Content of the Audit Report – PCAOB Standards – Report example on Page A1-25 o Title: “Report of Independent Registered Public Accounting Firm” o Addressee: Board of Directors/Stakeholders o Opinion Section – 1st Section
▪ Section title, “Opinion on the Financial Statements” ▪ Date/period covered ▪ State they were audited ▪ Opinion = present fairly ▪ Identification of applicable financial reporting framework
o Basis for Opinion Section ▪ Management Responsibility is the FS ▪ Auditor’s Responsibility is to express an opinion ▪ Auditor is a public Accounting firm ▪ Audit is conducted in Accordance with the standards of the PCAOB ▪ Auditor’s Plan and Perform ▪ Obtain reasonable assurance to make sure the financial are free of Material
Misstatements ▪ Examining Evidence ▪ Evaluating Estimates
o Critical Audit Matters (CAMs) – Most complex, difficult and judgmental o Signature, Tenure, Location → Year the auditor began serving o Report Date: Report shows the FINAL date of the auditor’s responsibility.
• Critical Audit Matters (CAMs): Definition and Identification – Most audits at least 1 CAM o Communicated to the Audit Committee o Material o Challenging, subjective, or complex auditor judgement o For each Cam identified, the audit report should include - IPAD
▪ Identification of the CAM ▪ Description of the Principal ▪ How the CAM was Addressed ▪ Reference to financial accounts or Disclosures
• If NO CAMs are Identified – “We determined that there are no critical audit matters.”
• Other Reporting Requirements of CAMs o Disclaiming, qualifying, restricting, or minimizing MAY NOT be used o May communicate CAM related to prior period (optional) o Communication of CAMs is not required for audits of (1) Brokers and Dealers reporting under
Exchange Act Rule 17a-5, (2) Investment companies registered under the Investment Company Act of 1940 (3) Employee stock purchase, savings, and similar plans (4) Emerging growth companies
o Bases for determining a CAM should be documented
• Management Reports on Internal Control Over Financial Reporting (Issuer ONLY) o Management makes the report about the internal controls, auditor needs to review it (SOX) o Auditor must include statements in the Basis for Opinion section that:
▪ The company is not required to have, nor was the auditor engaged to perform, an audit of its internal control over financial reporting.
▪ As part of the audit, the auditor is required to obtain an understanding of internal control over the financial reporting but not for the purpose of expressing an opinion on the effectiveness of the company’s internal control over financial reporting; and
▪ The auditor expresses no such opinion. o Most issuers are required to have an integrated audit.
Un
qu
alif
ied
Au
dit
Op
inio
n R
epo
rt
R R
A A
P P
M M
E E
E E
PCAOB Auditing Standards → Basis of Opinion (1st Section) GAAP → Opinion on the Financial Statements section
7
(3) Required Auditor Reporting of Certain Audit Participants
• Filing of Form AP = Public Company (Issuer) o Goes to the PCAOB not the SEC o *Includes name of the engagement partner
▪ IFRS requires it to be in the audit report o Filed by the 35th day after the audit report is first filed
M5: Modified Due to Financial Statement Issues (1) Financial Statement Issues: Qualified or Adverse Opinion
• Qualified Opinion vs. Adverse Opinion (GAAP Problems) o Qualified opinions – Material but not pervasive o Adverse – Both material & pervasive o Most common GAAP problems:
▪ GAAP consistency change (unjustified) = Auditor disagrees ▪ Inadequate disclosures ▪ Departure from GAAP (unjustified) ▪ Unreasonable accounting estimates
• Nature of Material Misstatement (≠GAAP) o Appropriateness of accounting polices (≠GAAP)
▪ Not GAAP ▪ Does not represent underlying transactions ▪ Entity has not complied with framework requirements
o Application of Accounting Policies (≠GAAP) ▪ Not is accordance with framework ▪ Not consistent between periods or similar transactions/events ▪ Error in application
o Appropriateness of Financial Statements Presentation or Disclosures (≠GAAP) ▪ Not include all required disclosures ▪ Disclosures not presented in accordance of framework ▪ Not enough disclosure for fair presentation
(2) Nonissuer Reports
• Form and Content of Auditor’s Report (Nonissuer – Private) o Qualified Opinion – GAAP issue (Material but not pervasive)
▪ Introductory Paragraph ▪ Management’s Responsibility Paragraph ▪ Auditor’s Responsibility Paragraph → Qualified audit opinion ▪ Basis for Qualified Opinion Paragraph → Immediately before the Opinion Paragraph
• Description and qualification
• Explanation of how disclosures are misstated
• Practicable → Reasonably obtainable ▪ Qualified Opinion Paragraph → “except for… presented fairly”
o Adverse Opinion – GAAP issue (Very Material and Pervasive) ▪ Introductory Paragraph ▪ Management’s Responsibility Paragraph ▪ Auditor’s Responsibility Paragraph → Adverse audit opinion ▪ Basis for Adverse Opinion Paragraph → Immediately before the Opinion Paragraph
• Description and qualification
• Explanation of how disclosures are misstated
• Nature of omitted information ▪ Adverse Opinion Paragraph → “Because of… do not present fairly
Other CPA/Auditor is just like your staff – Check on:
1. Reputation 2. Independence 3. Professional competency 4. Program steps
Make sure omission does not make FS false, fraudulent, deceptive, misleading, otherwise WITHDRAW!
8
(3) Issuer Reports
• Form and Content of Auditor’s Report (Issuer – Public) o Qualified Opinion – GAAP issue (Material but not pervasive)
▪ Opinion Section → “Except for…” or “With the exception of…” ▪ Additional Paragraph(s) → immediately following the opinion paragraph
• All the substantive reasons
• Disclosure of the principal effect ▪ Basis for Opinion Section → Same as standard issuer audit report ▪ Critical Audit Matters → Same as standard issuer audit report
o Adverse Opinion – GAAP issue (Very Material and Pervasive) ▪ Opinion Section → “because of the effects of matters discussed… do not present
fairly.” ▪ Additional Paragraph(s) → immediately following the opinion paragraph
• All the substantive reasons
• Disclosure of the principal effect ▪ Basis for Opinion Section → Same as standard issuer audit report ▪ Critical Audit Matters → Same as standard issuer audit report
M6: Modified Opinions Due to Audit Issues (1) Audit Issues: Qualified Opinion or Disclaimer
• Qualified Opinion vs. Disclaimer (GAAS Problem) o Qualified opinions – Material but not pervasive (unable to obtain sufficient evidence) o Disclaimer – Both material & pervasive, the auditor is not independent o Common GAAS Problems – Examples Page A1-42
▪ Insufficient evidence ▪ Going concern ▪ Not independent
o Causes of Scope Limitation ▪ Can be due to circumstances or management ▪ Example: Missed Beg. Inv. → COGS → IS
▪ If management will not remove the limitation the auditor should communicate with those charged with governance and determine whether it is possible to perform alternative procedures.
o Unaudited Financial Statements (GAAS issue)
▪ Association with Financial Statements
• Consents to the use
• Prepared the financial statements
• When auditor is not independent = DISCLAIM an opinion and should specifically state that the auditor is not independent.
▪ Disclaimer on Unaudited Financial Statements
• Accountant must read the financial statements
• “Unaudited” should be clearly marked on each page
• If client refuses to correct an obvious error, the auditor should add a paragraph modifying the disclaimer. If client refuses modified disclaimer, auditor should withdraw.
The inability to perform a specific procedure is not a limitation on the scope of
the audit if the auditor is able to obtain sufficient appropriate audit evidence by
performing alternative procedures.
EXAM TRICK: NEVER Adverse Opinion!
9
(2) Nonissuer Reports
• Form and Content of Auditor’s Report (Nonissuer – Private) o Qualified Opinion – GAAS issue (Material but NOT pervasive)
▪ Introductory Paragraph ▪ Management’s Responsibility Paragraph ▪ Auditor’s Responsibility Paragraph → “…basis for the qualified audit opinion.” ▪ Basis for Qualified Opinion Paragraph → Immediately before the Opinion Paragraph.
Description the reasons. ▪ Qualified Opinion Paragraph → “except for… presented fairly”
o Disclaimer of Opinion – GAAS Issue (Material and Pervasive) ▪ Introductory Paragraph → Auditor was engaged (we tired) ▪ Management’s Responsibility Paragraph ▪ Auditor’s Responsibility Paragraph → Modify “Because of the matter(s) described…” ▪ Basis for Disclaimer of Opinion Paragraph → Immediately before the Opinion Paragraph.
Description the reasons. ▪ Disclaimer of Opinion Paragraph → “Because of… not been able to obtain sufficient
appropriate evidence.” “Do not express an opinion”
(3) Issuer Reports
• Forms and Content of Auditor’s Report (Issuer – Public) o Qualified Opinion – GAAS issue (Material but not pervasive)
▪ Opinion Section → Modified: “Except for…” OR “With the exception of…” ▪ Additional Paragraph(s) → immediately following the opinion paragraph
• Reasons for inability to obtain sufficient appropriate evidence ▪ Basis for Opinion Section → “Except as discussed above…” Same as standard issuer
audit report ▪ Critical Audit Matters → Same as standard issuer audit report
o Disclaimer of Opinion – GAAS issue (Very Material and Pervasive) ▪ Disclaimer of Opinion Section
• Section title “Disclaimer of Opinion”
• “Were engaged to audit…”
• Statement that auditor was not able to obtain sufficient appropriate audit evidence
• “Do not express an opinion…” ▪ Additional Paragraph(s) → immediately following the opinion paragraph
• Substantive reasons
• Disclosure of any reservations ▪ Basis for Disclaimer of Opinion Section
• Title “Basis for Disclaimer of Opinion”
• Eliminate “Our responsibility…”
• Eliminate “We conducted our audit in accordance…” ▪ Critical Audit Matters → OMITTED
o Disclaimer of Opinion due to lack of independence ▪ Not title ▪ No intro/opinion paragraph ▪ No scope/basis of opinion paragraph ▪ “We are not independent… not audited… we do not express an opinion…”
EXAM TRICK: Must use the EXACT wording. Additional words or phrases are wrong answers.
EXAM TRICK: No audit evidence/work = No audit opinion = Disclaimer
10
M7: Emphasis-of-Matter, Other-Matter, And Explanatory Paragraph (1) Emphasis-of-Matter Paragraphs (Nonissuer – Private)
• When referring to a matter that is appropriately presented or disclosed
• Does not affect the auditor’s opinion
• Report requirements: o Immediately after the opinion – before Other-Matters o Heading “Emphasis-of-Matter” o Describe matter and location of disclosure o Indicate auditor opinion is not modified with respect to the matter
• Use of Emphasis-of-Matter Paragraphs: o Use REQUIRED - GAASP:
▪ Going concern ▪ Justified change in Accounting principal (Auditor’s concurrence is implicit) ▪ Subsequently discovered facts lead to change in Audit opinion ▪ Special Purpose framework (Refer to note in FS that discusses the change in detail)
o Use MAY be Necessary – Professional Judgement ▪ Uncertainty ▪ Major catastrophe ▪ Related party ▪ Subsequent events
(2) Other-Matter Paragraphs (Nonissuer – Private)
• Other-matter paragraphs refer to matters other than those presented or disclosed in the financial statements that are relevant to the user’s understanding.
• Report Requirements: o Immediately after opinion paragraph and after any Emphasis-of-Matter paragraph o Heading “Other-Matter”
• Use of Other-Matter Paragraphs: o Use REQUIRED:
▪ Restricts the use ▪ Change in audit opinion ▪ Predecessor auditor not issued ▪ Comparative form with not audited, reviewed, or complied ▪ Material inconsistency in other information ▪ Report on supplementary information ▪ To refer to required supplementary information ▪ Restrict the use when special purpose financial statements ▪ Report on compliance
o Use MAY be Necessary – Professional Judgement ▪ Describe the reasons why the auditor cannot withdraw ▪ Further explanation of the auditor’s responsibilities ▪ Prepared in accordance with a different general-purpose framework
(3) Explanatory Paragraphs (Issuers – Public)
• Report Requirements o Appropriate title and location of matter discussed o Generally, follows the opinion paragraph
• Use of Emphasis-of-Matter Paragraphs: o Use REQUIRED
▪ Going concern ▪ Material change ▪ Change in reporting entity
11
▪ Change in an investee ▪ Material misstatement in previous FS corrected ▪ Other information inconsistent ▪ Required by SEC has been omitted ▪ Supplementary information been omitted, or departs materially, or auditor is unable ▪ Prior year opinion is updated ▪ Prior year audit report is not presented ▪ Required to report on the company’s internal controls over financial reporting but such
report is not required to be audited o Use MAY be Necessary – Professional Judgement. Like emphasis-of-matter/other-matters.
(4) Other Audit Considerations
• Lack of Consistency o Comparability of FS from year to year o Consistency is implied in the auditor’s report o Acceptability of a Change in Accounting Principle – JUSTIFIED
▪ Criteria:
• Newly adopted
• Methods of accounting for change is acceptable
• Disclosure is adequate
• Preferable ▪ If criteria are met, auditor should include an emphasis-of-matter (explanatory)
paragraph. o If change in accounting principle is immaterial, no revision to the report is necessary. If the
effect is material, an emphasis-of-matter (explanatory) paragraph should be added.
M8: Reporting with Different Opinions and Other Auditors (1) Reporting on Comparative Financial Statements
• Reporting with different Opinions o Unmodified Prior year with current year Qualified (Nonissuer)
▪ Qualified opinion → “Except for… 20x1 FS… present fairly” o Unmodified current year with disclaimer on prior year (Nonissuer)
▪ Auditor’s responsibility → “Except as explained in the Basis for Disclaimer of Opinion paragraph…”
▪ Basis for disclaimer of opinion on 20x1 operations and cash flows ▪ Disclaimer of Opinion → “Because of… we do not express an opinion… December 31,
20x1” ▪ Opinion → “In our opinion… present fairly, in all material respects”
o Unqualified prior year with current year qualified (Issuer) ▪ Opinion → “except for… 20x2… present fairly” ▪ Additional paragraph
o Unqualified current year with disclaimer on prior year (Issuer) ▪ Opinion → In our opinion… balance sheet… 20x2 and 20x1 (both)
• Updating (Changing) Prior Opinions – only DORCS change their mid o Format (updated opinion) – Auditor should disclose in an emphasis-of-matter, or other-matter
paragraph (nonissuer), or explanatory paragraph (issuer): ▪ Date of previous report ▪ Opinion type previously ▪ Reason for prior opinion ▪ Changes that occurred ▪ Statement that the “opinion… is different”
No title required for these
explanatory paragraphs
12
• Reporting with Predecessor Auditor Presented o Report of the Predecessor Auditor Presented:
▪ In deciding to whether to reissue their report, the predecessor auditors should:
• Read the statements for the current period
• Compare
• Obtain a letter of representation from the successor auditor
• Inquire and obtain a letter of representation from management
• Date report as appropriate: o Unrevised → Original Date. Revised → Dual date
o Report of the Predecessor Auditor Not Reissued: ▪ Successor auditor does not present predecessor auditor’s report, successor auditor only
expresses an opinion on the current period FS and indicate in an other-matter paragraph (nonissuer) or explanatory paragraph (issuer):
• Prior period was audited by a predecessor
• Type of opinion
• Nature of any emphasis-of-matter, other-matter, or explanatory paragraph
• Date of the pervious predecessor auditor’s report
• Do not name the predecessor auditor’s name (unless they were acquired or merges with the successor).
o Prior Period Statements Reviewed or Compiled: ▪ Report should include other-matter (nonissuer) or explanatory paragraph (issuer):
• Service (review or compilation) performed
• Date
• Material modifications
• Less in scope than an audit o Prior Period Statements Not Audited, Reviewed, or Compiled:
▪ Report should include other-matter (nonissuer) or explanatory paragraph (issuer). ▪ Auditor assumes NO responsibility for prior year.
(2) Reporting on Audits of Group Financial Statements
• Understanding the Component Auditor o Independent o Competence o Extent of involvement in the work o Get information o Operates in a regulatory environment
• Determining Whether to Make Reference o OPTION 1: Make No References in the Audit Report = Assume Responsibility
▪ The group engagement team should determine the work to be performed ▪ Significant components:
• Significant due to individual financial significance – should be audited by group engagement team or component auditor
• Significant due to significant risks of material misstatements – group engagement team or component auditor
▪ Components that are not significant: Group engagement team performs analytical procedures
o OPTION 2: Make Reference = Divide Responsibility ▪ To make reference to component auditor, these two requirements have to be met:
• Component auditor has performed an audit
Prior CPA
should:
Current (new)
CPA should:
If component auditor is NOT independent OR group engagement team has serious concerns the team should not use the work of component auditor.
13
• Component auditor’s report is not restricted use ▪ Report on the group financial statements should clearly indicate [in the auditor’s
responsibility paragraph (nonissuer) or the Opinion on the FS and Basis for Opinion sections (issuer)]:
• Component was not audited by the auditor
• Magnitude of the portion
• Using different financial reporting o Framework used o Taking responsibility for evaluating the appropriateness of the
adjustments
• NOT state audit was performed in accordance with GAAS or PCAOB. Component auditor performed additional procedures.
M9: Subsequent Events (1) Recognition of Subsequent Events
• Recognized Subsequent Events = $$ Recorded (looking back) – before year end o Example: settlement of litigation
• Nonrecognized Subsequent Events = Footnote (looking forward) – after year end (Business combination)
(2) Management’s Responsibility for Subsequent Events
• Subsequent Event Evaluation Period o General Rule: Management responsible up to the date FS issued o Public Companies → Through the issuance date o Private Companies → Through the date the FS become available for issuance
• Reissuance of Financial Statements → Should not recognize event
• Revised Financial Statements → Considered reissued
(3) Auditor’s Responsibility for Subsequent Events - PRIME
• During the subsequent period, auditors should perform the following procedures: o Post Balance Sheet Transactions o Representation Letter o Inquiry o Minutes o Examine
• Procedure example: Compare the latest available interim FS with the statements being audited
(4) Auditor’s Responsibility After the Original Date of the Auditor’s Report
• NO active responsibility after the original auditor’s report
• If an auditor becomes aware of material information that would have affected the report, and those persons are currently relying or are likely to rely on the financial statements covered by the report, the auditor should take appropriate action.
• Becomes aware before the report release date, should consider adjusting the financials
• Auditor Action o Information materially affects report discovered after issuance of the report,
▪ Advice client to revise the FS ▪ Advice client to disclose information ▪ FS and auditors report should not be relied upon
• Report Date o Adjustments or disclosures are made after the original date, may dual date (responsible for
certain events only) o Alternatively, later date may be used for the report (broadens responsibilities)
14
o When an auditor issues a report that is dual dated for subsequent events occurring after the original date of auditor’s report, but before issuance of related financial statements, the auditor’s responsibility for events occurring subsequent original data is limited to specific event referenced (MCQ-02548 & MCQ-04612).
• Client Refusal o Auditor should notify each member of the board (MCQ-03107)
▪ Additional Steps – DAR
• Disassociate
• Alert Agencies
• Relying parties
M10: Other Information and Supplementary Information (1) Other Information
• Auditor’s responsibility o Generally, not responsible o Should read the other information
• Material Inconsistency o Determine if anything needs to be revised o Audited FS require revision → If management refuses, auditor should modify the opinion or
withdraw. o Other information requires revision → Auditor should:
▪ Include other-matter(nonissuer) or explanatory (issuer) paragraph ▪ Withhold ▪ Withdraw (False, fraudulent, deceptive, misleading)
• Material Misstatement of Fact o If management refuses, request that they consult with qualified third party o Auditor should notify those charged with governance
• Disclaimer of Opinion on Other Information (Optional) o May Include other-matter(nonissuer) or explanatory (issuer) paragraph
(2) Reporting on Supplementary Information
• In relation to the FS as a whole. Auditor has two objectives: o Evaluate presentation o Report on whether it is fairly stated
• Conditions for Reporting o To report an opinion on the supplementary information, FIVE conditions are MET:
▪ Derived from/relates to the information used to prepare the FS ▪ Same period as FS ▪ Auditor issued an auditor’s report ▪ Neither adverse nor disclaimer ▪ Supplementary information will accompany the audited Financial Statements
• Management Responsibility: Auditor must obtain an agreement of management that it acknowledges and understands its responsibilities.
• Audit Procedures o Using the same materiality levels used in the FS audit:
▪ Inquire of management ▪ Information complies ▪ Obtain understanding of methods used ▪ Compare and reconcile ▪ Inquire regarding any significant assumptions ▪ Evaluate the appropriateness and completeness if the information ▪ **Obtain written representation from management regarding the information
15
o PCAOB Standards: Guidance for Issuers (Public) ▪ Additional requirements for audit procedures
• Evaluate the appropriateness of methods
• Reconcile
• Use the same materiality considerations ▪ Requirements for evaluation of audit results for supplementary information:
• Fairly stated
• Accumulated misstatements should be communicated to management
• Material, either individually or in combination
• Reporting for Nonissuers (Private) o Presentation of Audit Report
▪ Other-matter paragraph (Example Page A1-85)or separate report ▪ Separate Report → Reference to the report, date, nature of the opinion, modification
o Forming an Opinion on Supplementary Information ▪ Material Misstatement → Management refuses to revise, auditor should modify the
opinion or withhold the report ▪ Effects of Modification to the Audit report on the FS:
• Qualified opinion on FS = Qualified opinion on supplementary information.
• Adverse or Disclaimer of Opinion on FS = PROHIBITED from expressing an opinion on the supplementary information.
• Reporting for Issuers (Public) o Presentation of Audit Report → Explanatory paragraph or separate report o Not earlier than date of the auditor’s report or date obtained sufficient appropriate evidence o Forming an Opinion on supplementary Information
▪ Material Misstatement → Describe the material misstatement and express a qualified or adverse opinion (GAAP problem)
▪ Inability to obtain sufficient appropriate evidence → Disclaim an opinion and describe the reason (GAAS problem)
▪ Effects of Modification to the Audit report on the FS:
• Qualified opinion on FS = Qualified opinion on supplementary information.
• Adverse or Disclaimer of Opinion on FS = Adverse or disclaim opinion on supplementary information
(3) Required Supplementary Information
• Required Procedures = Limited Procedures o Inquire of management o Consistent with management responses o Written management representation
• Reporting on Supplementary information - Other-matter Paragraph Required (nonissuer) ▪ Included ▪ Omitted ▪ Some missing & some presented ▪ Identified material departures ▪ Not able to complete ▪ Unresolved doubts
o Should include a disclaimer of opinion and describe any departure o PCAOB Standards: Guidance for Issuers (Public)
▪ Not required to add explanatory paragraph, unless:
• Omitted
• Material departure
• Unable to complete
• Unresolved doubts
Rep
ort
D
efic
ien
cies
&
Om
issi
on
s
16
M11: Special Purpose and Other Frameworks (1) Special Purpose Framework
• Types of Special Purpose Frameworks o Cash Basis o Tax Basis o Regulatory Basis o Contractual Basis o Other Basis
• Private company does not necessarily have to comply with GAAP.
• Additional Requirements for the Auditor o Obtain understanding of:
▪ Purpose ▪ Intended users ▪ Steps taken by management (framework is acceptable)
o Management acknowledges and understands its responsibility o Obtain an understanding of the contract
(2) Auditor’s Report on Special Purpose Financial Statements
• Difference From Standard Auditor’s Report o Non-GAAP Titles o Management Responsibility Paragraph: Reference its responsibility for determining that the
applicable financial reposting framework is acceptable in the circumstances o Emphasis-of-Matter Paragraph:
▪ Indicate special purpose framework ▪ Refer to the notes ▪ Accounting other than GAAP
o Other-Matters Paragraph: To restrict use o Regulatory Basis Financial Statements Intended for General Use
▪ Fairly presented ▪ Prepared in accordance
o Auditor’s Report Prescribed by Law or Regulation – not acceptable, should reword the prescribed form
• Reports on Special Purpose FS o Format:
▪ Title ▪ Addressee ▪ Introduction – Identifies the framework ▪ Management’s responsibility – Acceptable framework ▪ Auditor’s responsibility ▪ Opinion – Intended for general use
• Fair on “that” basis
• Regulatory basis “general” use – dual opinion ▪ Emphasis-of-matter ▪ Other-matter – Restricts the use (regulatory basis) ▪ Auditor signature ▪ Auditor’s city and state ▪ Report date
(3) Other Country Framework
• IFRS is an acceptable framework there = for not considered “other” country framework.
• Engagement Acceptance – Obtain understanding: Purpose, Fair presentation framework, User, and Steps taken by management to ensure framework is acceptable
OCBOA
17
• Engagement Performance – Comply with GAAS and consider whether the application of GAAS requires special purpose consideration in the circumstances of the engagement.
• Reporting: Distribution Outside the US o ONLY outside the use, two reporting options:
▪ Report of the other country or report set out in the ISA ▪ US form of report
• Reporting: Distribution In the US o Use in the United States include an emphasis-of-matter paragraph
(4) Reports on Application of the Requirements of an Applicable Financial Reporting Framework
• Reporting Accountant o May not report on a hypothetical transaction o Not required to be independent
• Reporting Accountant’s Report o Nature of the engagement o AICPA or PCAOB standards o Description of specific transactions, facts, circumstances, assumptions, and source of the
information o Description of the reasons for the reporting accountant’s conclusion o Preparers are responsible (Management is responsible) o Restricting use: Management, Board of Directors, Specific parties: Prior and current auditors o Not independent, add a statement indicating
A2: Quality Control, Engagement Acceptance, Planning, and Internal Control M1: Quality Control
(1) Applicability – The AICPA Code of Professional Conduct requires adopting a system of quality control (2) Elements of Quality Control
• The six interrelated elements of quality control are – HELP ME o Human resources o Engagement/ Client acceptance and continuance o Leadership responsibilities o Performance of the engagement o Monitoring o Ethical requirements
• Human Resources – HELP ME o Recruitment and hiring, determining capabilities and competencies, assigning personnel to
engagements. Professional development, performance evaluation, compensation, & advancement
• Engagement/Client Acceptance and Continuance – HELP ME o Deciding whether to accept or continue relationship
▪ Minimize the likelihood if association with client whose management lacks integrity ▪ Reasonably expect to complete with professional competence ▪ Can comply with legal and ethical requirements
o Obtain an understanding with the client regarding the nature, scope o The firm should have policies and procedures for withdrawal
• Leadership Responsibilities for Quality Within the Firm – HELP ME o The firm’s leadership bears ultimate responsibility for the firm’s quality control system.
• Performance – HELP ME o Ensure that the engagement is appropriately supervises, and appropriately reviewed o Allow consultation with experts inside or outside the firm with respect to complex, unfamiliar,
unusual, difficult, or contentious issues
18
• Monitoring – HELP ME o Ongoing consideration and evaluation of the design and effectiveness of the quality control
system o A partner should bear responsibility for the monitoring process o Monitoring procedures:
▪ Include performance of engagement quality control reviews, post-issuance reviews, and inspections
• Peer review
• A “wrap-up” or second partner “reissuance” review – SOX requires such review for every public company audit report
▪ Evaluation of deficiencies noted, and corrective action taken o Peer Review: Must have every 3 years to maintain membership of AICPA
• Ethical Requirements – HELP ME o To maintain public confidence in the profession o Independence encompasses impartiality o Annually confirm their independence in writing
(3) Other Considerations
• Nature and Extend of Quality Control – Depend on: o Firm size o Organizational structure o Nature and complexity of its practice o Operating autonomy o Cost-benefit consideration
• Relationship Between Auditing and Quality Control Standards o GAAS vs Quality Control
▪ GAAS → Relate to the conduct of each individual audit engagement ▪ Quality Control →Relate to the conduct of all professional activities of the firm’s
practice as a whole
(4) Reviewing The Work of Others
• Review Considerations o Performed in accordance with professional standards o Issues need further consideration o Consultations have taken place o Nature, Extent, and Timing (NET) of the work performed o Work performed supports the conclusions o Evidence obtained is sufficient and appropriate
• Engagement Partner Review o The engagement partner should review:
▪ Critical areas of judgement ▪ Significant risks = Always revenue recognition and management override
• Documentation Requirements: Who performed the work, who reviewed the audit, and date of review
(5) Quality Control Standards for NONISSUER Engagements
o Objective – Provide reasonable assurance that: o Audit complies with professional standards o Issues a report that is appropriate
o Engagement Partner Responsibility for Quality o Remain alert for evidence of noncompliance
Quality Control Deficiencies ≠ Failed GAAS/GAAP
19
o Independence requirements o Procedures regarding client acceptance o Competence o Responsibility for direction, supervision, and performance o Responsibility for reviews being performed o Sufficient appropriate audit evidence has been obtained
o Engagement Quality Control Review o Performed only when required by the firm’s policies and procedures. Should be COMPLETED
before the engagement partner releases the audit report o Should include:
▪ Discussion of significant findings ▪ Reading the FS ▪ Review of audit documentation ▪ Evaluation of the conclusions
(6) Quality Control Standards for ISSUER Engagements
• PCAOB standards require an engagement quality review and concurring approval of audit report
• Engagement Quality Review Process o PCAOB standards quality reviewer is required to hold discussions with the engagement partner,
evaluate the significant judgements made, and the overall conclusion. ▪ Significant judgments, planning, risks identified, materiality ▪ Response to significant risks ▪ Materiality, corrected and uncorrected (SOAP “Summary of Adjustments Past”) ▪ Firm’s independence ▪ Document ▪ FS, report on internal controls ▪ Filed with the SEC ▪ Consultations ▪ Communications with management, audit committee, regulatory bodies ▪ Evaluate CAMs
• Concurring Approval of Issuance o Deficiency exists when:
▪ Failed to obtain sufficient appropriate evidence ▪ Inappropriate overall conclusion ▪ Report is not appropriate ▪ Not independent
M2: Documentation (1) Overview
• Supports auditor’s opinion (NOT client’s financial statements)
• Audit documentation should provide: o Basis for the auditor’s report and conclusion o Audit was conducted in accordance with GAAS
(2) Audit Documentation Requirements
• Overall Requirements o Planning, conducting, and supervising the audit o Accounting records reconcile with the financial statements (compliance with standards) o “experienced auditor” can understand:
▪ Nature, extend and timing of the audit procedure (NET), Results, Findings or issues, and Conclusions
o Include who performed the audit, who reviewed and date of review
PROBLEMS
- Workpapers belong to auditor - May not disclose without the client’s permission OR court order
20
• Retention and completion
Retention Completion
SAS Rules (Nonissuer) 5 Years 60 Days
PCAOB (Issuer) 7 Years 45 Days
• Nature and Extent of Audit Documentation o The objective of detailed substantive testing is to detect material misstatements o The specific quantity, type and content are based on the auditor’s judgement:
▪ Complexity, Risk of material misstatement, and Exceptions identified
• Specific Contents (of workpapers) o Permanent File → Carry forward from year to year o Current File → This year’s “stuff”
• Significant Audit Findings o Application of accounting principles o Significant risks o Material misstatements o Cause significant difficulty
M3: Terms of Engagement (1) Appointment of The Auditor
• Audit Committee → Responsible for the selection and appointment of the independent external auditor
• Sarbanes-Oxley Act → Generally applies to public companies (issuer)
(2) Client Acceptance and Continuance
• The Auditor should assess: o Firm’s ability to meet reporting deadline → time and complexity, availability of audit staff o Firm’s ability to staff the engagement → both experience and availability o Independence o Integrity of client management o Group audits
(3) Preconditions for an Audit
• Applicable financial reporting framework (US GAAP/IFRS)
• Management Responsibility o Financial Statements o Internal controls o Provide auditors → access to all information and persons
• Management-Imposed Scope Limitation o IF MAJOR → should NOT accept an engagement o Scope limitation that does not preclude engagement acceptance → qualified opinion
(4) Agreement on Audit Engagement Terms
• Required Content o Objective o Responsibility of auditor o Responsibility of management o Unavoidable risks o Financial reporting framework o Expected form and content of reports
Audit is subject to inherent limitations/risks that errors/fraud will not be detected → If discovered by CPA, MUST report.
FRAUD:
1. Financial Statement Fraud (lying) 2. Asset Misappropriation (stealing) 3. Corruption (cheating)
21
(5) Recurring Audits
• Revising the terms of the engagement – Misunderstanding, Change in senior management, Change in ownership, Change in nature or size of entity, Legal or regulatory, and Framework being used
(6) Initial Audit
• Communication with predecessor auditor = Mandatory o If client is unwilling – consider withdrawing o Inquires include:
▪ Management integrity ▪ Disagreements with management ▪ Reasons for the change ▪ Fraud, noncompliance
(7) Change in Engagement
• From Audit to: Compilation or Review
• Change must be justified
• Acceptable Reasons o Change in client requirements o Misunderstanding as to the nature of service
• Unacceptable Reasons o Uncover errors or fraud o Create misleading or deceptive financial statements
• Scope Limitation o Client refuses to allow correspondence with legal counsel o Client refuses to provide a signed representation letter
• Compilation/Review report not permitted
M4: Planning (1) Overview of Planning
• Depend on the size and complexity of client, and previous experience of auditor → PCAOB Standards
• Engagement partner is responsible for → Planning, Supervising, and Compliance
• CPA documents evidence to support → Their expressed opinion
(2) Knowledge of the Client’s Business and Industry
• Not required to have prior experience, however the auditor must obtain an understanding of the client’s industry and business.
o Knowledge of the client’s industry → AICPA accounting, audit guides…etc. o Knowledge of the client’s business → Client facilities, Financial history, Client accounting, Client
personnel
(3) Developing the Audit Strategy
• Overall Audit Strategy: Written → Nature, Extent and Timing (NET) o Nature: Factors that determine the focus of the audit. Preliminary evaluation of materiality. To
develop the overall audit strategy. o Extent: Scope of the audit o Timing: Reporting objectives, audit timing, and required communication. The auditor is required
to communicate the planned scope and timing of the audit with those charged with governance.
Ask prior CPA about & review prior CPA
workpapers (their evidence)
Consider Withdrawing
The “NET” that the auditor uses to “COVER U”, the client’s records and internal.
control.
Strong Internal Controls = More interim audit work Weak Internal Controls = More Year-end audit work
Nature → Type Extent → Scope Timing → When
22
(4) Developing the Audit Plan
• A written audit plan is required
• Risk assessment procedures are required in all financial statements’ audits
• Further audit procedures: o Test of Controls → Auditor’s test internal controls to: Understand them and rely on them.
▪ Effectiveness of internal controls at preventing and detecting material misstatements o Substantive Tests → Auditor’s test account balances ($$)
▪ Tests of details (as applied to transactions classes, account balances, and disclosures) and analytical procedures
(5) Consideration of Financial Statement Assertions
• Financial Statement Assertions – COVER U o Completeness – Account balances, transactions, disclosures o Cutoff – Correct accounting period o Valuation, Allocation, and Accuracy – Account balances, transactions, disclosures o Existence and Occurrence – Balances exist, and transactions o Rights and Obligations – Account balances, disclosures o Understandability and Classification – Disclosures are clearly expressed
(6) Written Audit Plan
• Drafting the Audit Plan o After sufficient planning information has been gathered, an audit plan should be drafted. A
written audit plan is required for every audit. o The audit plan is a listing of audit procedures o The audit plan can change during the audit.
• Group Audit Plan → Different audit teams in different locations
M5: Using the Work of Others (1) Client’s Internal Auditors
• Not independent, but must maintain objectivity and integrity
• Cannot share with the internal auditor any of the responsibility for audit decisions, judgements, or assessments.
o Consider: To whom the internal auditors report. The higher the level the more objectivity can be assumed.
• Judgement and Assessment → CPA/Auditor must decide, NOT internal auditor
• Evaluate the Internal Audit Function o Direct Assistance: Internal auditors’ competence and objectivity must be assessed
▪ Prior experience, Prior evaluation, Talk to management o Use work of Internal Auditor: Competence, objectivity, and application of a systematic and
disciplined approach o External auditor should supervise o External auditor remains solely responsible
(2) Using the Work of a Specialist
• Who is a Specialist? o Auditor’s Specialist → Employed by the auditor’s firm, or a network, or an external specialist o Management’s Specialist → Used by the entity to assist the entity in preparing the FS
• Use an Auditor’s Specialist o Determine the need – Example: Actuarial calculations (pensions) o Understand the Specialist field of expertise (treat the CPA firm specialist like one of your staff)
▪ QUIRK → Qualifications, Understands objectives, Independent, Reputation, Knowledge
23
o The auditor must be satisfied as to the professional competence, capabilities, and objectivity ▪ A specialist who is related to the client may be acceptable in some circumstances.
o Agreement with the auditor’s specialist should be in writing ▪ Evaluate the adequacy of the work – Inquires, Reviewing the working papers, Reviewing
reports, and Engaging in discussion with another specialist regarding inconsistencies. o Extend of evidence (work papers) depends on significance, risk of material misstatements, and
the knowledge, skill, and ability of the specialist o Effects on the auditor’s report:
▪ Specialist’s findings are not in conformity (GAAP issue) = Qualified or Adverse Opinion ▪ Unmodified (unqualified) opinion, no reference should be made to the work of the
specialist.
• Use of Management’s Specialist o Treat management specialist like one of your staff o EXCEPT → Not independent, and therefore no judgement as to the financial determination o Auditor Should:
▪ Evaluate the competence, capabilities, and objectivity ▪ Understand the work of the specialist ▪ Evaluate the appropriateness
(3) Using the Work of an IT Auditor
• Must consider the impact of IT
• IT Auditor, not a specialist
• IT Auditor may be used to → Obtain an understanding of internal controls, assessing risks, performing test work, and substantive procedures
• IT Auditor must be informed – Responsibilities, Objectives, Nature of the entity’s business, Risk-related issues, Problems, and Detailed approach.
• Audit partner remains responsible
(4) Using the Work of a Component Auditor
• Group auditor may decide to reference the component auditor or assume responsibility for their work
• Component Auditor may be part of the group engagement’s firm, or a network firm, or another firm
• Group auditor is responsible for the direction, supervision, and performance
• Agreement with the component auditor should be in writing
• Review communication with the component auditor must include: o Compliance/noncompliance with laws or regulations o Responses to risks o A list of corrected and uncorrected misstatements (SOAP) o Indicators of possible management bias o Identified material weakness and significant deficiencies
M6: Materiality (1) Overview
• Determine materiality for the financial statements as a whole: consider quantitative and qualitative judgement
• Following factors used to make preliminary assessment: o Percentage o Benchmark o User focuses their attention: Size of entity, revenue, gross profit, net assets o Prior period financial results o Known or expected changes
Auditor should use the smallest level of misstatement that could be material to any one of the FS.
24
• Tolerable Misstatements → Maximum error in a population that the auditor is willing to accept (Example Page A2-47)
• Cycle test three categories: Transactions, Account Balances, and Disclosures o Revenue, Expenditure, Inventory, Investments, PP&E, Payroll, and Financing (Covered in A4)
• Changes in materiality levels = change in “NET”
• REVEW TBS-002265
M7: Risk Assessment (Part 1) (1) Overview
• CPA tests internal controls in order to adequately plan the “NET” audit procedures
• Primary Purpose: Risk assessment procedures o Identify and assess risk of material misstatement (Audit Planning) o Make informed judgements: Materiality, accounting procedures, special audit consideration,
expectations for analytical procedures
• Risk Assessment Procedures, auditor performs: o Understanding of entity o Inquire audit committee and management o Perform analytical procedures o Discussion among engagement team
(2) Obtaining an Understanding of the Entity and Its Environment
• Industry Factors
• Regulatory Factors: Laws & regulations, Taxation, Government policies, Environmental requirement
• Applicable Financial Reporting Framework: Accounting procedures, industry-specific practices, and disclosures
• Technological Factors: Automation, connectivity, security
(3) Other Risk Assessment Procedures
• Analytical Procedures → Required during: (1) Planning Stage (2) Final Review Stage
• Define → Analytical procedures are evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data.
• GAAS Requires: o During planning compare financial statements to budgeted or anticipated results o Planning nature, extent, and timing o Enhancing the auditor’s understanding of the entity o Identifying unusual transactions and events
• Discuss the susceptibility of the financial statement to the material misstatement o Areas of significant audit risk, selection & application of accounting principles, disclosure o Exercise professional skepticism
• Also consider – external information and prior period evidence
• Auditor’s assessment of risk may change as additional audit evidence is obtained
• Required: o Analytical Procedures, o Risk Assessment Procedures o Test Operational Effectiveness of Controls
M8: Risk Assessment (Part 2) (1) Overview of Internal Control
• Entity’s objectives may be divided into three categories: o Reliability of financial reporting → Financial Statement fraud (lying) o Effectiveness and efficiency of operations → Asset misappropriation (stealing)
25
o Compliance with applicable laws and regulations → Corruption (cheating)
(2) Components of Internal Control
• Five Components of Internal Control – CRIME o Control Environment o Risk Assessment o Information and Communication Systems o Monitoring o Existing Control Activities
• Control Environment – CRIME o Tone at the top o Communication and enforcement of integrity and ethical values o Commitment to competence o Participation of those charged with governance o Management’s philosophy and operating style o Assignment of authority and responsibility over IT operations o Organizational structure o Assignment of authority, responsibility, and accountability o HR polices o Raise concerns:
▪ Management consumed with meeting the budget ▪ Management domi nated by one person ▪ Management compensation contingent upon entity’s financial performance
o Those charged with governance: ▪ Overseeing the financial reporting and disclosure process ▪ Prevention AND detection of error and fraud ▪ Overseeing “whistle-blower” procedures
• Risk Assessment – CRIME o By management o Risks may arise when there are changes such as new personnel, regulatory changes... etc. o Page A2-60 has more examples
• Information and Communication Systems – CRIME o Support the identification, capture, and exchange of information in a timely and useful manner o Accounting Information System – Obtain understanding of:
▪ Accounting processing, from initiation of a transaction to inclusion in the financial statements.
▪ Initiating, authorizing, recording, processing, and reporting transactions ▪ Development of significant accounting estimates and the inclusion of appropriate
disclosures ▪ Controls surrounding JE – Scrutinize period end unusual JEs
Monitor
Control Activites
Risk Assessment
Control Environment
CPA is required to understand each element of “CRIME” as it relates to financial reporting.
Weak Control Environment → More substantive procedures, balance sheet date Strong Control Environment → Reduce the extend of testing, interim date
26
▪ Processes used to develop accounting estimates
• Monitoring – CRIME o Establishing and maintaining internal control, is a responsibility of management o Present and functioning
• Existing Control Activities – CRIME o RULE – In a well-designed internal control environment, fraud and errors should be prevented
and/or detected by employees in the ordinary course of their job/business. o Control activities include the following procedures – PAID TIPS
▪ Prenumbering of documents – Your checkbook ▪ Authorization of transactions – Signed approval ▪ Independent checks to maintain asset accountability – checks & balances ▪ Documentation – Paper trail ▪ Timely and appropriate performance reviews – analytical revie
• Comparison of actual performance to budgets, forecasts, and prior periods
• Comparison of financial and nonfinancial information ▪ Information processing controls
• These controls ensure that transactions are valid, properly authorized, and completely and accurately recorded (application controls and general controls)
▪ Physical controls to safeguarding assets
• Physical segregation and security of assets
• Authorization access to assets and records
• Periodic counting and comparison of actual assets ▪ Segregation of duties - ARC
• Individuals do not perform incompatible duties
• Work of one individual provides a cross-check on the work of another individual
• Authorization
• Record Keeping
• Custody of assets
(3) Auditor’s Consideration of Internal Control
• Preventative Controls → Before the processing activity occurs
• Detective Controls → After processing has been completed
• CPA Responsibility → An understanding of each element of “CRIME” as it pertains to financial reporting o Evaluate Design – Capable of preventing or detecting and correcting o Evaluate Implementation – Exists and is being used o Procedures include:
▪ Inquiry of entity personnel ▪ Observation ▪ Inspection of documents ▪ Walk-throughs: Can be performed by selecting a single transaction and/or Identifying
the key steps ▪ Other procedures – Inquiry alone is NOT sufficient: Observe individuals performing their
information processing and control procedures, Re-perform, Inspect, Corroborate inquiry responses with others
• Documentation many include any item an auditor can FIND: o Flowcharts o Internal control questionnaire: Negative response draws attention to possible weakness in IC o Narrative: Hard to see weaknesses in internal control o Documentation
Internal Control → Prevent and/or detect and quickly correct. Exception: (1) Collusion (2) Management Override
27
(4) Other Audit Considerations
• If evidence is not retrievable it is difficult to determine timing of control testing and substantive testing
• Manual Controls → Suitable when judgement and discretion are required (large, unusual, or nonrecurring transactions). Manual controls are also used to monitor automated controls.
• Automated Controls → High volume or recurring transactions
• IT General Controls → Relate to many applications and support the effective functioning and proper operation of the information system
• IT Application Controls → Apply to processing of individual transactions
M9: The Effect of Information Technology on the Audit (1) Overview
• Information technology (IT) encompasses automated means of originating, processing, storing, and communicating information
(2) The IT Environment
• An auditor documents his or her understanding of the entity’s IT environment during risk assessment.
(3) Difference Between Manual and Computerized (IT) Environments
• Segregation of Duties – COPAL (see table above)
• Disappearing Audit Trail – Without any paper documentation, audit tests should be performed on a continuous basis.
• Potential for increased errors and irregularities (negative/disadvantage) o Increase the likelihood that fraud remain undetected
▪ Remote access to data, Unauthorized access
• Potential for increased supervision and review (positive/advantage) o Integration of audit procedures in application programs o Affords greater opportunity to perform analytical procedures
(4) Effect of Information Technology on Evidence Gathering
• CPA’s responsibility to guide IT auditor(treat like staff)
• Auditing Around the Computer o Tests input data, process the data independently, and then compares o Emphasis on input and output staged of data processing
• Computer Assisted Auditing Techniques (CAATs) – Emphasis on input and processing stages o Transaction Tagging – Electronically mark specific transaction and follow them through the
client’s system.
IT Benefits - The ability to process large volumes of transactions and data accurately and consistently - Improved timeliness - Enhanced segregation – COPAL → Control Group → Operators → Programmers → Analyst (system) → Librarian
IT Risks - Potential reliance on inaccurate systems - Unauthorized access to data - Unauthorized changes to data - Failure to make required changes or updates - Inappropriate manual intervention Potential data loss
Substantive testing alone may not be sufficient. Test
of control should be performed to assess risk in
a highly computerized system.
Manual → Auditing around the computer Computer Assisted Auditing Techniques (CAATs) → Auditing through the computer
28
o Embedded Audit Modules – Collect transaction data for auditor (Example: auditor want to examine all transactions affecting a specific account code that are greater than $500.)
o Test Data – The results are known already. The client’s system is used to process the auditor’s data, off-line which still under the auditor’s control (Example: Invalid number, excess pay rate, excess hours)
o Integrated Test Facility – Similar to test data approach, except with live data ▪ The test data must be separated from the live data before the reports are created. This
is usually accomplished by processing test data to a dummy account (Example: a fictitious customer, branch, vendor… etc.)
▪ Client personnel are not informed o Parallel Simulation – Auditor reprocess some or all the client’s live data
▪ With controlled processing, observes an actual processing run ▪ With controlled reprocessing, uses an archived copy (auditor’s control)
• Generalized Audit Software Packages (GASPs) – Allow auditor to perform tests of control and substantive tests directly on the client’s system.
o Advantages: ▪ Much higher percentage of transactions ▪ Little technical knowledge of client’s hardware and software feature
A3: Risk, Evidence, and Sampling M1: Fraud Risk
(1) Overview of Fraud
• Fraud V. Error o Fraud → Intentional act o Error → Unintentional misstatement or omission
• Fraud Risk Factors – Fraud Triangle: o Pressure (Incentives) – Reason to commit fraud o Opportunity – A lack of effective controls o Rationalization (Attitude) – An attempt to justify fraudulent behavior (ethics & integrity)
(2) Consideration of Fraud During an Audit
• Reasonable Assurance – Not ABSOLUTE o Concealment aspect of Fraud o Difficult to detect o Therefore, even a quality audit may not uncover fraud
• Responsibility o Management → Design and implement programs and controls to prevent, detect, and correct
fraud. o Auditor → Plan and perform (design) the audit to obtain reasonable assurance of detecting
material errors and fraud (based on the auditor’s assessment of risk).
• Obtaining Information o Inquire of entity personnel regarding their views on fraud risk
▪ Direct inquiries to: Management, employees, internal auditors, in-house legal team, those charged with governance
▪ Greater Risk when: Inconsistent responses, unsatisfactory responses = need for additional evidence
o Consider the results of analytical procedures: Required during planning stage & final review o Evaluate fraud risk factors
Audit documentation is required to include a description of the discussion among engagement personnel regarding the risk of material misstatement due to fraud. Include risk factors identified.
29
• Identifying Risks o Attributes of Risk
▪ Type of Risk: Does it involve fraudulent FS, asset misappropriation, or corruption? ▪ Significance of the risk: Material misstatements? ▪ Likelihood of the risk: How likely is it to happen? ▪ Pervasiveness of the risk: Does it affect FS as a whole or specific accounts, transactions,
or assertions? o Presumptions of Risk
▪ Improper revenue recognition → Required to do analytical procedures ▪ Management override of controls
o Two areas where there is susceptibility to manipulations: High degree of management judgement (subjectivity) and Highly complex accounting principles
• Responding to Assessed Fraud Risk o Overall, General Response
▪ Assigning personnel ▪ Supervision ▪ Evaluating management’s selection and application of accounting principles ▪ Unpredictability in the selection of auditing procedures
o Response Encompassing Specific Audit Procedure ▪ Alters the nature, timing and extend of audit procedures
o Response Addressing Risk Related to Management Override ▪ Examine journal entries and other adjustments ▪ Review accounting estimates for biases ▪ Evaluate the business purpose for significant unusual transactions (Enron)
• Evaluating Audit Evidence – Conditions identified during field work: o Discrepancies o Conflicting or missing evidential matter o Problematic relationship between the auditor and management o Objections by management to the auditor meeting privately with the audit committee o Accounting policies that appear inconsistent o Frequent changes in accounting estimates (to manipulate results) o Tolerance of violations
(3) Communications
• Management and those charged with governance o Any indication of fraud (even immaterial) should be discussed with an appropriate level of
management at least one level above those involved. (MCQ-08392) o Causes a material misstatement → Reported directly to those charged with governance o Fraud involving senior management → Directly to those charged with governance o Deficiencies or material weakness → Senior Management and those charged with governance
• Parties outside the entity – CPA must communicate with: o Legal and regulatory requirements o Successor auditor o Subpoena o Funding agency o Authorities
Only fraud that causes a material misstatement to the FS or involving senior management should be reported to those charged with governance.
Management is typically in the best position to perfect raid immaterial fraud because management can override controls to manipulate accounting graphics and prepare fraudulent financial statements.
30
M2: Audit Risk (1) Overview
• Audit Risk – Auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.
• Misstatements include – Inaccuracies, departures, omissions, incorrect estimates, inappropriate selection or application of accounting policies, inappropriate classification, aggregation, or disaggregation of information.
• Types of Misstatements: o Factual misstatements: No doubt (it is wrong) o Judgmental Misstatements: Accounting estimates are unreasonable or inappropriate o Projected Misstatement: Auditor’s best estimate of samples
(2) Audit Risk Model
*RMM: Auditor can either make a single overall assessment or separately assess IR and CR
• Inherent Risk: Assuming that there are no related controls. Usually high inherent risk: High volume, Complex, Estimates, Cash
• Control Risk: Could occur in a relevant assertion will not be prevented or detected. Effectiveness of the design and operation of internal controls. Hight if: No effective controls, Not operating effectively, Not efficient to test.
• Detection Risk: Auditor will not detect a material misstatement (CPA controls, NET)
M3: Identifying, Assessing, and Responding to Risk (1) Identifying and Assessing the Risks of Material Misstatement
• FS Level Risks → Relate pervasively to the financial statements
• Assertion Level Risks → “COVER U” – Transactions, account balance, or disclosure
• Factors that may be indicate significant risks include Related parties, Improper revue recognition, Complex transactions, Estimates or other subjective measurements, and Noncompliance
• Risk assessment procedures are always required in financial statement audits
• Required Documentation: o Discussion among the audit team o Key elements of the understanding o The risk assessment o Identified risk and related controls
AR = RMM x DR Audit Risk = Risk of Material Misstatement x Detection Risk (Should be low) (Assessed by Auditor) (Controlled by Auditor)
Inherent Risk x Control Risk
Step 1: Determine Audit Risk Step 2: Assess Inherent Risk Step 3: Assess Control Risk Step 4: Determine Detection Risk
Inherent risk and control risk differ from detection risk in that they
exist independently of the financial statement audit.
A significant risk exists when inherent risk is exceptionally high.
31
• PCAOB Standards – RMM associated with a particular location or business unit, determination of audit procedures include:
o The nature and amount of assets, liabilities, and transactions executed at the location or business
o Materiality o Specific risks associated with the location or business o The effectiveness of the control environment
(2) Responding to the Assessed Risks of Material Misstatement
• Overall response to FS level risk: Communicate to audit team, Assign staff, Supervision, Greater level of unpredictability, and Pervasive changes to NET
• Response to risks at the relevant assertion level – COVER U o Design audit procedures that address the RMM for each relevant assertion of each significant
account, balance, or disclosure. o Nature → Purpose of audit procedure (test of control vs substantive tests), and type of
procedure (inspection, observation, confirmation) o Extent → Quality to be performed (such as sample size) o Timing → Interim date (strong controls), or period end (weak controls)
• Audit Approach – A substantive approach only OR a combined approach (NEVER controls only) o Substantive Approach: When control risk is assessed at maximum due to no strong controls to
rely on or cost/benefit relationship. o Combined Approach: Test operating effectiveness of controls AND substantive procedures o Test of Controls REQUIRED: Significant usage of IT o Dual-Purpose tests: Test of control that is performed concurrently with test of details
(3) Responding to RMM: Test of Controls
• Required when there is strong controls and IT
• Inspect client records documenting use and changes to IT programs
• Auditor may choose to test the operating effectiveness of controls concurrently with obtaining an understanding of internal control.
• Auditor is required to obtain an understanding of the design and implementation of internal control.
• Audit Evidence Hierarchy – vowels o Auditor Knows o External evidence o Internal evidence o Oral evidence
o U know it
• Extent of tests of controls – more reliance means more reliable and extensive evidence
• Timing of tests of controls – controls tested throughout the period provide evidence of operating effectiveness during that period.
(4) Responding to RMM: Substantive Procedures
• Overview o Substantive procedures ARE required. o $$ balances o Analytical procedures o Ratios
• Nature → Test of details and substantive analytical procedures at end of audit
• Timing → Substantive interim testing only when RMM is low
If relying on operating effectiveness of internal controls to mitigate significant risk, test of controls MUST be performed in current period. *If there is no significant risk then test controls every three years.
32
M4: Specific Areas of Engagement • Auditor’s responsibility – Reasonable assurance. Auditor is not responsible for preventing
noncompliance and cannot be expected to detect noncompliance with all laws and regulations. o Get signed management representation letter o When noncompliance is identified or suspected, auditor should discuss the matter with
management at least on level above and when appropriate to those charged with governance o Reporting noncompliance in the auditor’s report
▪ Material effect on the FS: GAAP issue = qualified/adverse ▪ Insufficient evidence: GAAS issue = Qualified/disclaimer ▪ Client Response/Refusal: GAAS issue = withdraw
• Evaluating contingencies → The audit risk = Expenses and liabilities understates o Auditor should ask management about controls adopted to identify, evaluate, and account for
such items. ▪ Review minutes ▪ Invoices from lawyers ▪ Correspondence from taxing authorities ▪ Confirmations for hidden bank loans ▪ Client representation letter ▪ Send an inquiry letter to the client’s attorneys
• Related Party Transactions → Audit Risk = Accuracy and Completeness o Related party transactions are not considered to be arm’s-length transactions o Auditor should obtain understanding sufficient to:
▪ Recognize fraud risk factors ▪ Conclude whether financial statement achieve fair presentation ▪ Sufficient appropriate evidence appropriately identified, accounted for, and disclosed.
o Documentation → Names of ALL identified related parties
M5: Sufficient Appropriate Evidence (1) Audit Evidence
• Support for the audit opinion
• Objective of substantive testing → detect material misstatement
• Document: o Risk of material misstatement o Test of controls o Substantive procedures o Other audit procedures
(2) Types of Audit Evidence
• If auditor cannot have access to all accounting data = scope limitation
• Corroborating evidence → Observation, Inquiry, and inspection
(3) Obtaining Sufficient Appropriate Audit Evidence
• Reasonable (not absolute) assurance. Auditor is not guarantor!
• Cost alone or difficulty in obtaining evidence is NOT a valid basis for omitting a procedure for which there is no appropriate alternative.
• Sufficiency of audit evidence – valid and relevant o Auditor’s knowledge or observation o External evidence (sent directly to auditor is more reliable) o Internal evidence o Oral evidence (documentary form is more reliable than oral evidence)
• Relevance of evidence must relate to the financial statement assertions (COVER U)
33
(4) Evaluating the Sufficiency and Appropriateness of Audit Evidence
• Results of further audit procedures: o Reassess the risks o Identify control deficiencies o Identify misstatement
• The results of further audit procedures should be used to determine whether the assessed risks of material misstatement at the relevant assertion level is still appropriate.
o Test of control – controls are not functioning effectively, higher assessment of the risks of material misstatement
o If fraud is discovered = affects the assessed RMM o Whether it is consistent with or contradicts relevant assertions
• All relevant audits evidence. Contradictory evidence should be documented, need additional procedures
M6: Procedures to Obtain Evidence (1) Standard Auditing Procedures – C the FIVE CARROT WARS
• Confirmation
• Footing, Cross-footing, and recalculation
• Inquiry
• Vouching – Directional testing: Revenue & Assets not overstated
• Examination and Inspection
• Cutoff Review – No back dating
• Analytical Procedures
• Reperformance
• Reconciliation
• Observation
• Tracing – Directional testing: Expenses & Liabilities not understated
• Walk-through
• Auditing related accounts simultaneously
• Representation letter
• Subsequent events review – Contingencies, unrecorded liabilities, disclosures
(2) Types of Audit Procedures
• Substantive Procedures o Test of Details – Applied to transactions, balances, and disclosures
▪ Ending balances: When an account has high turnover rate with many transactions occurring during the year the auditor generally focuses on testing the ending balance (auditor must be satisfied that internal control is strong).
▪ Transactions: When account has relatively few transactions occurring during the year (such as account for Land or Treasury Stock)
o Analytical Procedures – Plausible relationships among financial and nonfinancial data. Generally, involves comparison of recorded amounts to independent expectations developed by auditors. Developing an expectation should be the first thing performed when applying analytical procedures.
▪ Required during planning and final review stages. ▪ Investigate any significant differences. ▪ Relationships involving IS accounts tend to be more predictable than relationships
involving only BS accounts. ▪ Documentation:
• Auditor’s expectations
• Factors
• Results
34
• Additional audit procedures performed due to unexplained differences
• Results of additional procedures ▪ When analytical procedures are used as the principal substantive test of significant
financial statement assertion, the auditor is required to document both the auditor’s expectations and the factors considered in developing that expectation. (MCQ-02311)
• Directional Testing
o If test starts with source documents, it is most likely related to completeness (Trace). o If test starts with items in the financial statements, the proper assertion is most likely to be existence (Vouch).
• External Confirmation – Direct written response to the auditor from a third party (oral confirmation does not meet the criteria).
o Positive Confirmation → Must respond o Negative Confirmation → No news is good news o Management Refusal to allow external confirmation procedures
▪ Evaluate the validity and reasonableness of management’s refusal ▪ Perform alternative procedures
o Exceptions: Should be investigated!
(3) Review of Relevant Assertions C O V E R U
Account Balances C V E R Transactions & Events C O V E U Presentation & Disclosures C V R U
35
36
M7: Financial Ratios (1) Liquidity Ratios
𝐶𝑢𝑟𝑟𝑒𝑛𝑡 𝑅𝑎𝑡𝑖𝑜 = 𝐶𝑢𝑟𝑟𝑒𝑛𝑡 𝐴𝑠𝑠𝑒𝑡𝑠
𝐶𝑢𝑟𝑟𝑒𝑛𝑡 𝐿𝑖𝑎𝑏𝑖𝑙𝑖𝑡𝑖𝑒𝑠 𝑄𝑢𝑖𝑐𝑘 𝑅𝑎𝑡𝑖𝑜 =
𝐶𝑎𝑠ℎ+𝑆ℎ𝑜𝑟𝑡 𝑇𝑒𝑟𝑚 𝑀𝑎𝑟𝑘𝑒𝑡𝑎𝑏𝑙𝑒 𝑆𝑒𝑐𝑢𝑟𝑖𝑡𝑖𝑒𝑠+𝑅𝑒𝑐𝑖𝑒𝑣𝑎𝑏𝑙𝑒𝑠 (𝑛𝑒𝑡)
𝐶𝑢𝑟𝑟𝑒𝑛𝑡 𝐿𝑖𝑎𝑏𝑖𝑙𝑖𝑡𝑒𝑠
(2) Activity Ratios
AR Turnover = Sales (net)
Average AR Days Sales in AR =
Ending AR
Sales (net)/365
Inventory Turnover = COGS
Average Inventory Days in Inventry =
Ending Inventory
COGS/365
AP Turnover =COGS
Average AP Days in AP =
Ending AP
COGS/365
Cash Converstion Cycle = Days sales in AR + Days in Inventory − Days in AP
Assets Turnover = Sales (net)
Average Total Assets
(3) Profitability Ratios
Profit Margin = Net Income
Sales (net) Return on Assets =
Net Income
Average Total Assets
Return on Sales = Income before interest income,interest expense,and taxes
Sales (net)
Return on Equity = Net Income
Average Total Equity Gross (profit)Margin =
Sales (net)−COGS
Sales (net)
Operating Cash Flow Ratio = Cash Flow from Operations
Ending Current Liabilites
(4) Investor Ratios
Basic EPS = Income Availabe to Common Shareholders
Weighted Average Common Shares Outstanding
Price Earnings Ratio = Price Per Share
Basic EPS Dividend Payout Ratio =
Cash Dividend
Net Income
(5) Long-Term Debt Paying Ability Ratios
Debt to Equity = Total Liabilities
Total Equity Total Debt Ratio =
Total Liabilites
Total Assets
Equity Multiplier = Total Assets
Total Equity Times Interest Earned =
EBIT
Interest Expense
37
M8: Sampling (Part 1)
• Sampling Methods – Both are GAAS o Statistical Sampling – Evaluated quantitatively o Nonstatistical Sampling – Evaluated using the auditor’s judgement
• Types of Sampling o Attribute Sampling: Testing internal controls – Testing for specific characteristics (error seeking) o Variable Sampling: Substantive testing (account balances) – Estimating the dollar value of the
population.
• Sampling Risk – Probability that the sample is wrong o Sampling Risk in Substantive Testing
▪ Risk of incorrect Acceptance (Beta Risk): Sample results fail to identify an existing material misstatement (lack of effectiveness)
▪ Risk of incorrect Rejection (Alpha Risk): Sample results mistakenly indicate a material misstatement (lack of efficiency)
o Sampling Risk in Test of Controls ▪ Risk of Assessing Control Risk Too Low (Beta Risk): Risk of over reliance (lack of
effectiveness) ▪ Risk of Assessing Control Risk Too High (Alpha Risk): Risk of under reliance (lack of
efficiency)
• Sampling in Test of Controls: Attribute Sampling o Attribute Sampling: Estimate the rate (percentage) of occurrence (exception) of a specific
characteristic. o Planning consideration:
▪ Tolerable deviation rate: tolerable mistakes (risk of misstatements) ▪ Auditor’s allowable risk of assessing control risk too low (beta risk)
• Step for Attribute Sampling: o Define the objective of the test o Define the population o Define the sampling unit o Define the attributes of interest o Determine sample size
▪ Risk of assessing control risk – inverse relationship ▪ Tolerable deviation rate – inverse relationship ▪ Expected deviation – direct relationship
o Select sample size o Evaluate the sample results
𝑺𝒂𝒎𝒑𝒍𝒆 𝑫𝒆𝒗𝒊𝒂𝒕𝒊𝒐𝒏 𝑹𝒂𝒕𝒆 + 𝑨𝒍𝒍𝒐𝒘𝒂𝒏𝒄𝒆 𝒇𝒐𝒓 𝑺𝒂𝒎𝒑𝒍𝒊𝒏𝒈 𝑹𝒊𝒔𝒌 = 𝑼𝒑𝒑𝒆𝒓 𝑫𝒆𝒗𝒊𝒂𝒕𝒊𝒐𝒏 𝑹𝒂𝒕𝒆 o Form conclusions about the internal control tested
▪ If the upper deviation is less – may rely on the controls ▪ If the upper deviation exceeds – not rely on the controls
o Document the sampling procedure – auditor must document each step in the audit sampling
• Discovery Sampling: Population deviation is zero or near zero
• Stop-or-go Sampling: Avoid oversampling for attributes, fewer errors are expected
Rule 1: Assume population is normally distributed (bell-shaped curve) Rule 2: Samples are unrestricted and randomly selected Rule 3: If sample is large enough and is randomly selected, will likely have same statistical characteristics as the underlying population. Rule 4: Standard Deviation is a measure of “variability” →Sample Risk
The deviation rate in the sample is the auditor’s best estimate of the deviation
in the population from which it was selected.
38
M9 Sampling (Part 2) • Sampling in Substantive Test: Variables Sampling
o Also, knowns as “estimation sampling” o Estimate the dollar value of the population
• Tolerable Misstatement: The maximum monetary misstatement in the related account balance or class of transaction that the auditor is willing to accept. Related to the auditor’s preliminary judgements about materiality levels.
• Stratified Sampling: Separated into relatively homogeneous groups o Reduce sample size o Used when population has highly variable recorded amounts
• Variable Sampling Plans – TBS-765700 o Classical Variable Sampling: Measure’s sampling risk by using the variation of the underlying
characteristic of interest ▪ Mean-Per-Unit- Estimation: Does not require BV of the population to estimate true value ▪ Ratio Estimation: Highly effective when the calculated audit amounts are approximately proportional to the client’s book amounts. ▪ Difference Estimation: Used instead of ratio estimation when the differences are nor nearly proportional to book values.
• Steps for Variable Sampling o Define the objective of the test – Estimate the value of the account balance o Define the population o Define the sampling unit o Determine sample size
▪ Acceptable level of risk – Inverse relationship ▪ Tolerable misstatement – Inverse relationship ▪ Population Variability (Standard Deviation) – Direct relationship ▪ Expected misstatement – Direct relationship ▪ Assessed level of Risk – Direct relationship
o Select sample size o Evaluate the sample results – obtain “point estimate” of the true balance o Form conclusions about the balances tested o Document the sampling procedure – auditor must document each step in the audit sampling o Additional consideration when using Audit Data Analytics (ADAs)
• Probability-Proportional -to-Size (PPS) Sampling – TBS-010010 o Sampling unit is defined as an individual dollar in a population. Automatically stratified the sample. o Primary objective is to identify overstatement errors o PPS Sample Size Determination:
Sampling Interval =Tolerable Misstatement
Reliability Factor
Sample Size = Recorded Amount of the Population
Sampling Interval
Sampling For: Variable Sampling → Misstatement Attribute Sampling → Deviation
39
▪ Reliability Factor: Risk of incorrect acceptance and are generally obtained from a table ▪ Formula assumed auditor’s expected misstatement is zero
M10: Audit Data Analytics (1) Defining Audit Data Analytics
• Discover patterns, relationships, and anomalies
• Benefits of ADAs o Better understanding o Advanced assessment of risk o Expanded audit coverage o Increased efficiency o Enhanced fraud detection o Improved communication and visualization
(2) Audit Data Analytic Tools and Techniques
• Steps in Applying ADAs o Plan ADA o Access and obtain the data (access to and sourcing the data) o Review an analyze the relevance and reliability o Perform ADA o Evaluate and address the outcome
• Most ADA are performed using a software
• ADA Techniques: o Descriptive Analytics – What happened or what is happening with data (summary statistics,
data sorting, aging data, data reduction) o Diagnostic Analytics – Understand the underlying cause of results, essentially, why something
happened with the data (clustering, drill-down & drill-through analysis, period-over-period analysis, variance analysis…)
o Predictive Analytics – Make predictions, estimates, and assertions, what will happened in the future (classification, forecasting, regression analysis…)
o Prescriptive Analytics – Most advanced and complex. Build on predictive analytics. How to make something happen. Prescribe courses of actions to help optimize decisions (what-if analysis, machine learning, natural language processing…)
(3) Applying Audit Data Analytics
• Risk Assessment
• Test of Controls – Support evidence in evaluating the design and operating effectiveness of IC
• Substantive Procedures – Detect material misstatements o Test of Details: performed on both transactions and balances o Analytical procedures
• Concluding the Audit – Forming an overall conclusion, gain comfort no material misstatements went unidentified or assessed
(4) Sourcing and Reviewing Data Used in Audit Data Analytics
• Sourcing data, ensure it is complete, accurate, relevant, and reliable
• ADA Data Sources: o Information systems o Data storage functions o Internal and reporting sources o External sources
• ADA Data Types – Structured: Organized and easily searchable; Unstructured: Not organized and difficult to sort.
40
• Data may be: Numeric, text, time data, and geographic data
• Perform general IT controls (GITC) testing to ensure there are sufficient controls internal to the information systems and its functions
• Reliability Procedures: o Flowcharts or data diagrams o Test of controls o Confirmations o Recalculation/reperformance o Employ GITCs o Evaluate spreadsheets o Compare data
• Increasing reliability: Auditor sourced data, source independent, controls, original documents, evidence documented (rather than oral).
(5) Procedures Performed on Visualizations and Reports
• Auditor can determine: Trends, outliers, and anomalies
• Using Data Visualization o Auditor must understand and evaluate the output o Easy-to-read graphs, charts, pr other visuals to provide the auditor with insights to make
decisions.
• Interpreting results o Regression analysis: Evaluate relationships between variables. Show the direction and strength
of the relationship. Typically uses scatter plots (may use regression output to set expectations) o Variance Analysis: Demonstrates comparative information (budgeted vs actual) o Period-Over-Period Analysis: Demonstrates comparative information. Compare financial or
non-financial value (bar or column chart) o Classification: Show relationship among variables. Predictive analytic (scatter plots). o Trend Analysis: Develop expectations of future results (line chart)
• Evaluating and grouping potential misstatements o Clearly consequential – does not pose material misstatement individually or in aggregate o Not clearly consequential – possible misstatement (must perform additional procedures)
A4: Performing Further Procedures, Forming Conclusions, and Communication M1: Revenue Cycle
(1) Transaction Cycles
41
(2) Fraud Risk Related to Revenue Cycle
• There should be a presumption in every audit that there is risk of material misstatement due to revenue recognition fraud (early revenue recognition, fictitious sales, failure to record returns, channel stuffing…)
(3) Internal Controls Related to the Revue Cycle
• Sales o Preparation of sales order – Serially numbered sales order o Credit approval – Approved sales order o Shipment - Serially numbered bill of lading o Billing - Serially numbered sales invoice o Accounting
• Accounts Receivable o Sales o Collection of cash receipts o Uncollectable receivables o Sales returns - Serially numbered receiving report o Sales discount
• Cash – ARC o Cashier o AR Department o Accounting department
(4) Performing Specific Procedures to Obtain Evidence: The Revenue Cycle
• Auditing Sales Transactions o Completeness – Trace: Shipping Doc. → Invoice → Sales Journal o Cutoff – Effort to boost revenue o Valuation, Allocation, and Accuracy o Existence and Occurrence – Vouch: Sales Journal → Invoice → Shipping Doc. o Understandability and Classification
• Auditing Accounts Receivable o Completeness o Valuation, Allocation, and Accuracy – AR Aging → G/L o Existence and Occurrence – Confirm. Risk of overstating assets! o Rights and Obligations – Receivable might have been factored or sold.
• Accounts Receivable Confirmation o Confirmations generally provide evidence regarding existence and rights and obligations. They
do not provide reliable evidence regarding valuation or completeness. Generally required unless: (1) immaterial (2) ineffective (3) RRM is very low.
o Positive Confirmation – Customers are requested to respond. ▪ Best used when:
• Large individual accounts
• Expected errors
• Internal control is weak ▪ “Blank” confirmation is when the recipient is requested to fill in the balance. ▪ Requires the recipient to do more work, hence more nonresponses!
o Negative Confirmation – Recipient is requested to respond only if balance differ. ▪ Used when:
• RMM is low
• No big accounts
• Recipients are expected to respond o Confirmation Exceptions: Timing difference, Misstatement
Match Shipping Order Invoice
Segregation of Duties Authorization Record Keeping Custody
42
o Confirmation nonresponse: Followed up with second (or third) confirmation requests. Alternative procedures should be performed if no response.
• Auditing Presentation and Disclosure o Completeness o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
M2: Expenditure Cycle (1) Internal Controls Related to the Expenditure Cycle
• Purchases o Purchase Requisition: Properly approved, serially numbered o Purchase Orders: Properly approved. Multiple copies, for:
▪ The requisition department ▪ The vendor ▪ The receiving department ▪ The accounting department
o Receipt of Goods/Services: Blind copy so receiving department counts the good received! ▪ Authority to accept incoming goods should be based on an approved purchase order
• Accounts Payable: o Recoding the payable: Match – Receiving report, purchase order, and vendor invoice o Approving invoice for payment and recording payment
• Cash Disbursement: Approving the payment and signing the check should be segregated
(2) Performing Specific Procedures to Obtain Evidence: The Expenditure Cycle
• Auditing Accounts Payable o Completeness – risk of understating liabilities! Searching for unrecorded Liabilities:
▪ Review disbursements from Jan, Feb… ▪ Identify disbursements related to expenses incurred before year end ▪ Confirm year end liability
o Valuation, Allocation, and Accuracy o Existence and Occurrence – not as much of a concern as completeness o Rights and Obligations
• Auditing Purchase Transactions o Completeness – Trace: Voucher → Purchase order o Cutoff o Valuation, Allocation, and Accuracy – Recompute o Existence and Occurrence o Understandability and Classification
• Auditing Presentation and Disclosure o Completeness o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
M3: Cash Cycle (1) Two common cash fraud schemes:
• Lapping: Today’s cash received cover yesterday’s theft o One of the best methods to guard against that is the use of lock box system.
• Kiting: Cash recorded in two places at once. When a check drawn on one bank is deposited in another bank and no record is made of a disbursement in the balance of the first bank until after year end. Kiting may be used to cover a cash shortage or to pad the company’s cash position.
43
o To detect kiting, a bank transfer schedule should be prepared and bank cutoff statement. o Indication of kiting → Low average balance compared to high level of deposit.
(2) Performing Specific Procedures to Obtain Evidence: The Cash Cycle
• Auditing the Cash Balance o Completeness, Valuation and Allocation, Existence – Bank confirmation!
▪ Standard Bank confirmation also provides evidence about actual loans, contingent liabilities, discounted notes, pledged collateral and guarantee or security agreements.
o Bank Reconciliation – primary evidence regarding year-end cash balance
• Auditing Cash Receipts and Cash Disbursements o Completeness – Trace: Remittance advice to the cash receipts journal and deposit slips. o Cutoff o Valuation, Allocation, and Accuracy o Existence and Occurrence – Vouch:
▪ Cash Receipts: Cash receipts journal to remittance advices, deposit slips, and bank statement.
▪ Cash Disbursements: Cash disbursements journal to canceled checks, voucher package, and the bank statement.
• Auditing Presentation and Disclosure o Completeness o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
M4: Inventory Cycle (1) Internal Controls Related to the Inventory Cycle
• Purchasing – Serially numbered
• Receiving – Verification of quantities, detection of damaged goods, preparation of receiving report and delivery of goods received to the warehouse department
• Warehouse – Custodian
• Shipping
(2) Performing Specific Procedures to Obtain Evidence: The Inventory Cycle
• Auditing Inventory Balance o Dual-Purpose Test:
▪ Evaluating management’s instructions and procedures for inventory ▪ Observing the performance of management’s count procedures ▪ Inspecting the inventory to ascertain its existence and condition ▪ Performing test counts
o If inventory count was before year-end, evidence for “gap” period o Inventory held off site: Significant? Yes, observe. No, confirmation. o Completeness o Valuation, Allocation, and Accuracy: mathematical accuracy, obsolete or damaged goods,
vendor invoices. o Existence and Occurrence o Rights and Obligations
• Auditing Presentation and Disclosure o Completeness o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
44
M5: Investment Cycle (1) Internal Controls Related to the Investment Cycle
• Segregation of Duties – ARC: o Authorization of Purchase or sale of investment o Record Keeping o Custody of Investment
(2) Performing Specific Procedures to Obtain Evidence: The Investment Cycle
• Auditing the Investment Balance o Completeness
▪ If there is a high volume of material investment, search for unrecorded purchases ▪ Auditor should confirm securities held by third-party custodians
o Valuation and Allocation ▪ Obtain and foot listing ▪ Review schedule of investment activities ▪ Recalculate ending values of investments ▪ Determine permanent impairment ▪ Assess reasonableness and appropriateness of assumptions
o Existence – Confirmation and Examination o Rights and Obligations – Confirmation
• Auditing Investment Transactions o Completeness – Analytical procedures (interest and dividend) o Cutoff o Valuation, Allocation, and Accuracy – Validity of recorded gains/losses, discounts/premiums
amortization o Existence and Occurrence – Analytical procedures (dividends and interest) o Understandability and Classification
• Auditing Presentation and Disclosure o Completeness o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
(3) Auditing Particular Types of Investments
• Marketable Securities o Trading or AFS investments should be held at FV and classification of Level 1, Level 2, or Level 3
should be disclosed. ▪ Trading debt or equity:
• Earnings = realized and unrealized gains/losses ▪ AFS debt securities
• OCI = unrealized gains/losses, Earnings = realized gains/losses o HTM debt securities should be carried at amortized cost o Auditor should inquire management and obtain written representation concerning
managements intend and ability with respect to holding vs selling securities in the near term.
• Investment in Securities when Valuations are Based on the Investee’s Financial Results – Equity Method o Obtain and read investee’s FS o If not audited request that they should o If carrying amount is materially different than fair value, obtain sufficient appropriate evidence o If there is a difference between the FS periods of the entity and investee that could have a
material effect
45
(4) Investments Measured at Fair Value
• Measuring Fair Value – Exit Price! o Level 1: Identical active market o Level 2: Similar active market OR Identical inactive market o Level 3: Estimates and valuation methods (DCFs)
• Management’s Responsibility – Making fair value measurements and disclosures in accordance with GAAP
• Auditor’s Responsibility o The auditor should:
▪ Understand the entity’s process for determining FV measurements and disclosures ▪ Understand relevant controls ▪ Assess the risk ▪ Evaluate whether the method used is in conformity with GAAP ▪ Need for specialist ▪ Test FV (check following list) ▪ Disclosures are in conformity with GAAP ▪ Sufficiency, competency, and consistency of evidence ▪ Obtain relevant management representation ▪ Communicate relevant matters with those charged with governance
o The auditor may: ▪ Verify quoted market prices ▪ Do significant assumptions provide a reasonable basis? ▪ Management’s intent and ability ▪ Modifications made to observable information ▪ Valuation model appropriateness ▪ Test underlying data ▪ Develop independent FV estimates ▪ Review subsequent events
• Using the Pricing Information from Third Parties as Evidence o Pricing Services:
▪ Reliability ▪ Nature and source of the evidence ▪ Circumstances under which it is obtained ▪ Relevance: relationship with the assertion or the objective of the control being tested ▪ When using information from multiple pricing services, less information is needed about
the particular methods and inputs used by the individual services. o Broker-Dealers:
▪ Relevance and reliability ▪ Market maker for similar instruments ▪ Relationship with entity ▪ Quote is binding ▪ Limitations on the quote
• Impairment Indications o An impairment loss resulting from a decline in fair value that is other than temporary o Auditor should evaluate management’s decision o Auditor should consider if impairment needs to be recorded o Situations that may indicate impairment loss:
▪ FV is significantly below cost ▪ Downgraded by a rating agency ▪ Financial condition deteriorated ▪ Dividends reduced/eliminated, or interest payments not made (cash flow issues) ▪ Recorded losses subsequent to the end of the reporting period
46
M6: Other Transaction Cycles (1) Property Plant and Equipment Cycle
• Internal Controls o Acquisition – Requisition form o Subsidiary Ledgers o Physical Security – Serial number o Written Polices – Written depreciation polices, capitalization polices o Disposition – sequentially numbered
• Performing Specific Procedures to Obtain Audit Evidence o Auditing PP&E Balance
▪ Completeness – Foot fixed asset schedule and agree to general ledger. Foot schedule pf additions and dispositions and agree to fixed asset schedule. Select a sample of fixed asses and trace to the fixed asset subsidiary ledger
▪ Valuation and Allocation – Recalculate accumulated depreciation, evaluate fixed asset for impairment.
▪ Existence – Vouch additions to fixed asset accounts by examining internal documents, external documents, and inspection the actual asset. Selecting older fixed assets and teat for unrecorded retirements.
▪ Rights and Obligations – Invoices, deeds, title documents o Auditing PP&E Transactions
▪ Completeness – Trace purchase requisitions to receiving reports. Review related repair and maintenance expense ( capitalize?). Review lease and rental agreements (operating or financing lease?)
▪ Cutoff – purchases and disposition right before and after year-end ▪ Valuation and Allocation – Recalculate depreciation. Evaluate the reasonableness of
gains/losses and removal of accumulated depreciation. ▪ Existence – Vouch a sample of purchases and a sample of disposition. ▪ Understandability and Classification – Repairs and maintenance expense and review
lease transactions. o Auditing Presentation and Disclosure
▪ Completeness – Include: Depreciation methods, useful lives, depreciation expense for the period, liens and mortgages…
▪ Valuation, Allocation and Accuracy ▪ Rights and Obligations – Inquire: Loan agreements, minutes, and other documents ▪ Understandability and Classification
(2) Payroll and Personnel Cycle
• Internal Control o Service Organization – Controls placed in by the service organization are considered to be part
of the user’s organization’s information systems (Covered more in A5)
• Segregation of Duties o Authorization to employ and pay o Supervision o Timekeeping and cost accounting o Payroll check preparation o Check distribution
• Performing Audit Procedures o Auditing Payroll Accrual – Analytical procedures and the recalculation of payroll (if strong
controls). Completeness, existence, and right & obligations (if weak controls). ▪ Completeness – Unrecorded Liabilities ▪ Valuation and Allocation ▪ Existence – Supporting documents
Payroll Department = Record Keeping (not custodial) Should not be authorized to change hours or rates, nor sign checks.
47
▪ Rights & Obligations o Auditing Payroll Transactions
▪ Completeness ▪ Cutoff ▪ Valuation ▪ Existence ▪ Understandability and Classification
o Auditing Presentation and Disclosure ▪ Completeness ▪ Valuation, Allocation and Accuracy ▪ Rights and Obligations ▪ Understandability and Classification
(3) Financing Cycle
• Auditing Debt Balance o Completeness – Debt agreement. Trace new debt contracts to the financial statements o Valuation – Recompute interest payable o Existence – Confirm o Rights & Obligations
• Auditing Debt Transactions o Completeness – Examine new debt agreements and board minutes, review interest expense for
payments to debt holders not included in the dent listing. Examine lease agreements. o Cutoff – Debt activity before and after year-end o Valuation, Allocation & Accuracy – Sample debt receipts and payments and compare interest
expense to debt balance o Existence – Verify the existence of new debt. Review board minutes. Inspect the agreements o Understandability & Classification – Examine the due dates (short vs long term)
• Auditing Presentation and Disclosure to Debt o Completeness – Required disclosures:
▪ Maturity dates, interest rates, call and conversion privileges, and assets ledged as collateral
▪ Future and sinking fund payments and maturities for each of the next five years ▪ Restrictive loan covenants
o Valuation, Allocation and Accuracy o Rights and Obligations o Understandability and Classification
• Auditing Equity Balance and Transactions o Completeness – If client used stock transfer agent (third-party) = confirmation. If not, then
review stock certificate book. ▪ Foot the shares outstanding in the stock certificate book and agree total to general
ledger. o Valuation o Existence – Confirmation and inspection of stock certificate book o Understandability and Classification
M7: Matters That Require Special Consideration (1) Litigation, Claims, And Assessments
• Management is responsible to identify and account for contingent liabilities
• Auditor should obtain audit evidence relevant to: o Period in which underlying cause of legal action occurred o Degree of probability o Amount or range of potential loss
48
• Letter of inquiry to client’s attorney is prepared by management and sent by the auditors to the attorneys
o Refusal by client could result in a disclaimer od opinion or withdrawal (scope limitation)
• Responses By Attorneys – professional opinion o Substantial attention limitation o Confidentiality limitations o Refusal to respond = Preclude an unmodified opinion
(2) An Entity’s Ability to Continue as a Going Concern
• Auditor is responsible to evaluate the evidence to determine if there is substantial doubt about the entity’s ability to continue going concern, and reasonable period of time.
o FASB → Issuance + 1 Year o GASB → FS Date + 1 Year + Information that may raise substantial doubt shortly thereafter o Other Frameworks → Issuance + 1 Year
• Factors That May Include Substantial Doubt – FINE o Financial difficulties (loan defaults, debt restructuring) o Internal matters (labor difficulties) o Negative trends (negative cash flows) o External matters (legal proceedings, new legislation)
• Mitigating Factors → MUST include both intend and ability
• Reporting for Nonissuers o May add emphasis-of-matter → IF going concern basis of accounting is appropriate and
substantial doubt has been mitigated. o Should add emphasis-of-matter → IF going concern basis of accounting is appropriate and
substantial doubt remains. (“substantial doubt” and “going concern”)
• Reporting for Issuers o Explanatory paragraph when there is going concern uncertainty o Auditor is not precluded from choosing to disclaim an opinion due to a going concern
uncertainty
• Documentation Requirements o Auditor believes there is substantial doubt, following should be included:
▪ Conditions and events ▪ Mitigating factors ▪ Audit work performed to evaluate management’s plans ▪ Auditor’s conclusion ▪ Effect of the auditor’s conclusion on the FS, related disclosures, and auditor’s report
• Other Going Concern Considerations o IF going concern disclosures are inadequate, a departure from GAAP exists = Qualified or
Adverse opinion o IF management is unwilling to perform or extend its evaluation to meet the period of time
required (departure from GAAP) = Qualified or Adverse opinion o IF entity is using going concern basis of account and it is inappropriate = Adverse opinion o IF removed in a subsequent period, the emphasis-of-matter (explanatory) paragraph of prior
period need not be repeated.
(3) Accounting Estimates
• Measurement or recognitions in FS of an account, disclosure, transaction, or event that generally involves subjective assumptions and measurement uncertainty.
• Auditor’s Responsibility o Evaluate the degree of estimation uncertainty o Assess management’s written policies and practices
Management is the primary source of information. Attorney is corroborating information.
49
o Verify that all material estimates are developed o Determine the accounting estimates are reasonable (apply professional skepticism and focus on
significant assumptions) o Ensure estimates are properly accounted for and disclosed
• Audit Procedures o Review and test the procedures used by management to develop the estimates
▪ Methods: Conformance with framework, appropriateness, if company has changed its method determine reason for change and evaluate appropriateness of change.
▪ Data: Test the accuracy and completeness of t company-produced data and evaluate the reliability and relevance of the data the company used that was obtained from an external source.
▪ Significant Assumptions: Evaluate the reasonableness o For critical accounting estimates understand how management analyzed the sensitivity to
change of its significant assumptions. o Develop independent estimates and compare o Evaluate subsequent events and transactions. May need to consider using a specialist to assist
audit of level 3 valuation performed by management.
M8: Misstatements and Internal Control Deficiencies • Identification of misstatement: Clearly Trivial = not material = inconsequential
• Evaluation of Misstatement o Size of misstatement o Effects, both individually and in aggregate, of uncorrected misstatement o Consider additional risk of undetected misstatements o Prior period misstatements may affect current period FS
• Documentation Requirements o Auditor should document:
▪ Amount below which misstatements are clearly trivial ▪ All misstatements accumulated during the audit ▪ Auditors’ conclusion about uncorrected misstatements
o Documentation of uncorrected misstatements should include: ▪ Aggregate effect on FS ▪ Evaluation of whether materiality levels have been exceeded ▪ Effect of uncorrected misstatements on key ratios, trends, compliance, and contractual
requirements
• Material misstatements might be due to material weakness in the internal controls (RMM should be reassessed).
• Adjusting entries (review FAR textbook if you need to) o Watch for:
▪ Shipping terms and whose role ▪ Perpetual or periodic inventory system ▪ Consignment role and whereabouts of goods
The auditor should also evaluate whether the difference between reported estimate and the best estimate supported by audit evidence indicates possible management bias.
Auditor should consider management bias – Examples:
• Selective corrections of misstatements
• Bias in selection and application of accounting principles
• Bias in accounting estimates
• Identification by management of additional adjusting JE that offset misstatements accumulated by the auditor.
50
M9: Written Representations • Purpose of Representation Letter
o To confirm representations explicitly or implicitly given to the auditor o To indicate and document the continuing appropriateness of such representations o To reduce the possibility of misunderstanding concerning matters that are subject of the
representation
• Requirements: o Final piece of evidence matter – End of the auditor’s fieldwork o Letter is mandatory – Refusal could result in disclaimer of opinion or withdrawal o Dated same date as audit report o Signed by CEO & CFO o Representations o Materiality – Materiality consideration do not apply to items not directly related to the FS
amounts (Example: Availability of minutes of stockholders’ and directors’ meetings) o Doubt about reliability of written representation
• Contents: o Financial Statements – Management is responsible for FS and Internal Controls (design,
implementation, and maintenance) o Completeness of Information o Fraud o Laws and Regulations o Uncorrected Misstatements o Litigations and Claims o Estimates o Related Party Transactions – Identified and properly accounted for o Subsequent events
• When performing an integrated audit, written representation regarding internal control!
M10: Communication with Management and Those Charged with Governance (1) Those Charged with Governance
• “Those charged with governance” refers to those who oversee the obligations and strategic direction of an entity.
• Audit Committees o Is a committee of the board of directors o Not employees o No material financial interest in the entity o Purpose:
▪ SEC strongly recommends it; NYSE requires it! ▪ Many accounting firms support the formation of an audit committee ▪ Strengthens the public’s sense of the independence of the public accountant
o Specific Functions: ▪ Selects and appoints independent auditor (and sets the audit fee) ▪ Assures auditors independence ▪ Reviews the nature and details of the audit engagement ▪ Reviews the quality of the auditor’s work ▪ Ensures recommendations given by auditor are given proper attention ▪ Maintains lines of communication between auditors and BoD ▪ Solve any disagreements related to accounting treatments ▪ Evaluates internal controls ▪ Makes reports to BoD and shareholders when necessary
o Communication: ▪ Have appropriate access
51
▪ Meet without management ▪ Communication with audit committee is sufficient
(2) Internal Control Communications
• Applicability o Financial Statement Audit (nonissuer) – SAS o Integrated Audits
▪ Audit of Internal Control (nonissuer) – SAS ▪ Audit of Internal Control (issuer) – PCAOB
• Definitions o Control Deficiency:
▪ Deficiency in design
• Control is missing, or existing control does not achieve the desired objective. ▪ Deficiency in operation
• Properly designed control does not operate as designed or is performed by inappropriate person.
o Significant Deficiency: Less severe than material weakness, yet important enough to merit attention by those charged with governance.
o Material Weakness: A deficiency or a combination of deficiencies that result in a reasonable possibility that a material misstatement will not be prevented or detected and corrected. Indicators of material weakness:
▪ Identification of fraud ▪ Restatement of previously issued FS to correct material misstatements ▪ Identification by auditor of material misstatements ▪ Ineffective oversight by those charged with governance ▪
• Evaluation of Control Deficiencies o The severity of a deficiency, or a combination of deficiencies, depends on not only whether a
misstatement has occurred, but also on: ▪ Magnitude of misstatements ▪ Reasonable possibility that the controls will fail to prevent or detect and correct the
misstatement.
• Significant and material deficiencies must be communicated on a timely basis in writing to management and those charged with governance.
o If previously communicated deficiencies have not been corrected, auditor should communicate again, and refer to the previously issued written communication.
o Timing of communication: ▪ Recommended: By release date ▪ Required: By release date + 60 days
• Communication Requirements – Example: Page A4-80 o Definition of significant deficiencies and material deficiencies o Description of the deficiencies o Sufficient information to understand the context of the communication o A restriction regarding the use of the communication to management and those charged with
governance.
The auditor has a responsibility to evaluate control deficiencies identified during the audit and , in some cases, to report those deficiencies.
52
A5: Integrated Audits, Attestation Engagements, Compliance, & Gov. Audits M1: Integrated Audit Procedure
(1) Overview
• Auditors of issuers are required to perform an integrated audit. o Exempt → <$75 million outstanding common equity held by nonaffiliates (Dodd-Frank Act)
• Objective is to express an opinion on the effectiveness of the entity’s internal control over financial reporting (Material weakness = Ineffective internal controls).
(2) Conditions for Engagement Performance
• Auditor Requirements o Plan and perform an integrated audit to achieve the objectives of both engagements. Provide
sufficient appropriate evidence to support both opinions.
• Management Requirements o Issuers (Public)
▪ Sarbanes-Oxley Act of 2002 requires issuers annual report to contain an internal control report that:
• States management is responsible for establishing and maintaining an adequate internal control structure
• Contains an assessment of the effectiveness of the internal control structure o Nonissuers (Private)
▪ An audit of internal control can only be performed if management:
• Accepts responsibility
• Evaluates the effectiveness
• Supports its assessment
• Provides a written assessment: If management refuses to furnish a written assessment, auditor should withdraw from the engagement.
• Written Representation (Issuer & Nonissuer) o Auditor should obtain written representation in which management:
▪ Acknowledges its responsibility ▪ States management assessment ▪ Affirms that management did not rely on the auditor’s procedures ▪ Management has disclosed all deficiencies ▪ Describes any fraud ▪ Any significant changes after year end (subsequent events)
(3) Planning the Engagement (Issuer & Nonissuer)
• Overall Planning – Developing a strategy o Matters affecting the industry o Prior knowledge o Matters concerning the entity and its business o Relative complexity of entity operations o Management’s method of evaluating control effectiveness o Judgements about materiality o Previously communicated deficiencies o Nature and extent of available evidence o Scaling the audit
• Fraud Risk Assessment o Auditor should consider management fraud and management override of controls as areas of
high risk. ▪ Significant or unusual transactions ▪ Period-end JE and adjustments
53
▪ Related party transactions ▪ Significant management estimates
• Using the work of others: o Sufficiently competent and objective o Auditor should consider the risk with a particular control, in determining whether and to what
extent to use the work of others.
(4) Top-Down Approach (Issuer & Nonissuer)
• Auditor evaluates the overall risk at the FS level (entity level) and then moves down to the accounts, transactions, and disclosure, and finally the assertions level (COVERU)
• The auditor should assess the risk that material weakness in that area might exist, as well as the risk that such weakness will lead to a material misstatement in the financial statement.
(5) Testing Controls (Issuer & Nonissuer)
• Components of ICFR – CRIME o Control Environment o Risk Assessment o Information and Communication o Monitoring o Existing Controls
• Test of Controls o Evaluate the design – Applied as prescribed, satisfy the company’s control objectives, and can
effectively prevent or detect (correct) material misstatement (walk-throughs) o Evaluate the operation – Operating as designed and implemented by people who are qualified
to implement them effectively (Inquiry alone is NOT sufficient. Inspection of documentation, observation, recalculation and reperformance)
o The auditor is responsible for obtaining sufficient appropriate evidence to support an opinion of the effectiveness of the entity’s internal control overall, NOT each individual control.
o Determine the effect of identified deficiencies (Risk? Evidence? Effectiveness?) o Appropriate timing for tests of controls o Element of unpredictability
• Use of Service Organization o Obtain an understanding o Evidence that the controls at the service organization are operating effectively
• Benchmarking: Low risk, no change, or automated →Does not need to repeat testing every year!
(6) Evaluating Control Deficiencies (Issuer & Nonissuer)
• Determine whether there is identified deficiencies o Determine the magnitude o Reasonable possibility that control will fail
• Compensating controls should be tested and that may limit the severity of an identified deficiency
(7) Forming an Opinion (Issuer & Nonissuer)
• If required disclosures have not been included in management report, auditor should be stated in the auditor’s report.
• If management report is incomplete or improperly presented, auditor should modify their report to discuss the situation
• If management report contains additional information, auditor should disclaim an opinion on such information.
54
M2: Communication and Reporting in an Integrated Audit (1) Communication with Management and Those Charged with Governance - Nonissuer
• Management should communicate in writing with management and those charged with governance any significant deficiencies and material weaknesses. Including those remediated during the audit and those that were previously communicated.
• Communication should be made no later than 60 days following the release date
• If auditor concludes that oversight audit committee is ineffective, must communicate conclusions in writing with board of directors
• Auditor is not responsible to search for control deficiencies that are less severe than a material weakness but those identified should be reported.
(2) Communication with Management and Those Charged with Governance – Issuer
• Management must communicate in writing with management and audit committee all material weaknesses identified during the audit.
• If audit committee is ineffective, communicate to board of directors
• Auditor is not responsible to search for control deficiencies that are less severe than a material weakness but those identified should be reported.
• Audit does not provide assurance that ALL control deficiencies pr all significant deficiencies have been identified.
(3) Reporting on Internal Control – Nonissuer
• Auditor must report directly on the effectiveness of the internal controls
• Two sperate report OR one combined report o When using two separate reports, Other-Matter paragraph is included making a reference to
the other report and indicating the nature of the opinion express → “Pointer”
Separate Report: Intro Management Responsibility Auditor’s Responsibility Definitions Inherent Limitation Opinion “Pointer” – Other-Matter
Combined Report: Intro Management Responsibility Auditor’s Responsibility Definitions Inherent Limitation Opinion
• Report Date: No earlier than date on which sufficient appropriate evidence is obtained. Should coincide with the date on the FS report.
• Other Considerations: o If management fails to include, auditor’s report should describe the omitted weakness, and
communicate (in writing) with governance. o If management does not fairly present, auditor’s report should fairly describe material
weakness. o Auditor should consider effect of adverse opinion on the FS opinion, whether FS was affected by
the material weakness.
(4) Reporting on Internal Control – Issuer
• Two sperate report OR one combined report o When using two separate reports, Explanatory paragraph is included making a reference to the
other report and indicating the nature of the opinion express → “Pointer”
Communication = Internal Reporting = External
Material Weakness = Adverse Opinion Auditor should define “material weakness” and state the material weakness noted. Preceding the opinion paragraph, the report should include Basis Of Opinion paragraph.
55
Separate Report: Opinion (and Pointer) Basis for Opinion (MR & AR) Definition & Limitation “We have served as the Company’s Auditor since [Year]”
Combined Report: Opinion on FS and IC Basis for Opinion (MR & AR) Definition & Limitation CAMs “We have served as the Company’s Auditor since [Year]”
• Report Date: No earlier than date on which sufficient appropriate evidence is obtained. Should coincide with the date on the FS report.
• If management fails to include, auditor’s report should describe the omitted weakness, and communicate (in writing) with governance.
• If management does not fairly present, auditor’s report should fairly describe material weakness.
• Auditor should consider effect of adverse opinion on the FS opinion, whether FS was affected by the material weakness.
• Reporting on Previously Reported Internal Control Weakness: o If pervious material weakness has been eliminated, management may wish an independent
auditor attest to the improvements in internal control ▪ Voluntary engagement (may be performed any time of the year) ▪ Auditor objective is to express an opinion on whether previously reported material
weakness has been eliminated. ▪ Auditor may perform if:
• They have sufficient overall knowledge
• Management accepts responsibility for the effectiveness of internal controls (written report)
▪ Testing is limited to controls specifically identified by management ▪ Must obtain evidence about design and operating effectiveness
(5) Scope Limitation – Issuer & Nonissuer
• Scope Limitation o Withdraw or Disclaim Opinion o When disclaiming an opinion, a separate paragraph should include the substantive reasons for
the disclaimer. o A disclaimer of opinion should:
▪ Modify the first paragraph of the introductory paragraph ▪ Omit the scope paragraph (issuer)/ Amend the auditor responsibility paragraph
(nonissuer) ▪ Include explanatory paragraph (issuer)/ Basis of disclaimer of opinion paragraph
(nonissuer)
• Subsequent Events o Auditor Should:
▪ Inquire management ▪ Obtain written representation from management ▪ Inquire and examine subsequent period
• Component auditor may be involved in the audit of Internal Controls (same as FS audit)
Material Weakness = Adverse Opinion Auditor must include a definition of “material weakness”, a statement that a material weakness has been identified, and an identification of the material weakness described in management’s assessment.
56
M3: Attestation Engagements and Standards (1) Introduction
• Assurance on subject matters other than basic financial statements
• Definition – Examination, review, or an agreed-upon procedures report on subject matter or assertion about the subject matter, that is the responsibility of another party (usually management)
• Attestation Engagements (Subject Matter) o Preparations and compilation are also allowed for prospective financial statements (SSARS standards).
(2) Attestation Standards
• Attestation standards are intended to provide guidance and set boundaries, also provide a measure of quality, and describe the objectives to be achieved.
• Attestation standards differ from GAAS in: o No reference made to historical financial statements o No reference is made to GAAP
• Common Concept – CAPE CORP o Compliance with all attestation standards relevant o Acceptance and continuance are satisfactory performed o Preconditions for an attestation engagement
▪ Practitioner must be independent ▪ Responsible party takes responsibility for subject matter ▪ Subject matter is appropriate, criteria to be applied are appropriate, practitioner expects to
be able to obtain the evidence needed, opinion the conclusion, or finding in a written report. o Engagement documentation standards o Acceptance of a change in the terms as reasonable when applicable o Other practitioners allowed (like a staff member) o Responsibility for quality control o Professional skepticism and professional judgement
• Attestation Risk = IR x CR x DR → Same as Audit Risk
• Additional Reporting Requirements o A report may be issued on the assertion itself OR on the subject matter to which the assertion
relates ▪ Written assertion is generally obtained ▪ If material misstatements or deviation, then conclusion should be expressed directly to the
subject matter o If reporting on the assertion, it should accompany the practitioner’s report, or the assertion
should be clearly stated in the report.
• Scope Restrictions o Examination → Qualified, Disclaimer, or Withdraw o Review → Withdraw
Audit Engagements → SAS (nonissuer)/PCAOB (issuer) Preparation, Compilation, and Review Engagement → SSARS Attest Engagements → SSAE
57
(3) Reporting
M4: Agreed-Upon Procedures and Prospective Financial Statements (1) Agreed-Upon Procedure Engagements
• Issue a report of findings based on specific agreed-upon procedures
• Conditions – I AM SURE o Independence of the practitioner(even though no opinion is given) o Agreement of the parties regarding procedures to be performed, criteria to be used, and any
materiality limits o Measurability and consistency (reasonably consistent measurements and findings) o Sufficiency of the procedures is the responsibility of the specified parties NOT the practitioner o Use of the report is restricted to the specified parties o Responsibility for the subject matter (client is responsible or provide evidence that third party is) o Engagement to perform agreed-upon procedures on prospective FS must include a summary of
significant assumptions.
• Reporting (Required Elements) o Title, independent, signature, city and state, and a date o Identification of specified parties, the subject matter, nature of the engagement, and
responsible party o Procedures performed are those agreed to by specified parties, and a description of any
materiality limits o Sufficiency is responsibility of the specified party, AND disclaimer of responsibility for the
sufficiency o Conducted in accordance with attestation standards o List of procedures AND related findings o Not engaged to and did not conduct an examination or review. Does not express an opinion or
conclusion. o Restriction of use o Where applicable:
▪ Reservations or restrictions concerning procedures or findings ▪ Description of nature of the assistance by a specialist
• Explanatory Language o Disclosure of stipulated facts, assumptions, or interpretations o Conditions of records, controls, or data to which the procedures were applied o Practitioner has no responsibility to update o Sampling risk
(2) Prospective Financial Statements
• May be partially expired
• Cannot be completely expired
• Pro forma FS and partial presentation are NOT prospective financial
• Types of Prospective Financial Statements o Financial Forecast → Expected financial results, expected conditions, expected courses of action o Financial Projection → Hypothetical assumptions, “what-if” type of scenarios
• Use of Prospective Financial Statements o General Use → Only a financial forecast is appropriate for general use
58
o Restricted Use → Used by responsible party alone, both financial forecast and financial projection are appropriate for limited use.
• Engagement Types o Preparation o Compilation o Examination o Agreed-Upon Procedures – I AM SURE o Review of prospective financial statements is NOT ALLOWED!
• Preparation of Prospective Financial Statements o Very similar to the requirements for a preparation of historical FS o A practitioner should NOT prepare prospective FS that
▪ Excludes the summary of significant assumptions ▪ Financial projection excludes either an identification of the hypothetical assumption OR
description of the limitations on the usefulness of the presentation
• Compilation of Prospective Financial Statements o Purpose - Proper assembling of the financial data based on the responsible party’s assumptions
▪ No assurance ▪ Read the prospective FS and consider whether they are in conformity with AICPA
standards ▪ Be aware of obvious inappropriate assumptions used ▪ Independence is NOT required, but lack of independence should be disclosed. Permitted
(not required) to disclose reasons (all or nothing) o Report
▪ Identification of entity, prospective FS, and date or period covered ▪ Management is responsible ▪ Performed the compilation in accordance with SSARS ▪ Do NOT express an opinion, a conclusion, nor provide any assurance ▪ Prospective results may not be achieved ▪ No responsibility to update ▪ Signature, date, city and state ▪ Refer to “financial projection” or “financial forecast” depending on what the report
covers
• Examination of Prospective Financial Statements o Purpose – Express an opinion on whether:
▪ Conformity with AICPA standards ▪ Reasonable basis for prospective FS
o Independence is required o Appropriate sufficient evidence must be obtained o Report
▪ Title, independent, signature, city and state, date ▪ Identification of prospective FS ▪ Criteria against which the prospective FS information was measured and evaluated ▪ Responsible party ▪ Practitioner’s responsibility it to express an opinion ▪ Examination was conducted in accordance of AICPA standards ▪ Standards require that practitioner plan and perform the examination to obtain
reasonable assurance ▪ Reasonable basis for opinion ▪ Nature of an examination engagement ▪ Opinion ▪ Prospective results may not be achieved ▪ No responsibility to update
59
▪ For Projection → Identification of the hypothetical assumptions (1st paragraph), a description of the projection’s purpose (1st paragraph), reference to the hypothetical assumptions (3rd & 4th paragraph), and a restrictive use paragraph
o Modification of Opinion ▪ Guidelines not followed → Qualified or Adverse ▪ Assumptions not disclosed → Adverse ▪ Basis not reasonable → Adverse ▪ Scope limitation → Disclaimer of Opinion
• Pro Forma Financial Statements – Demonstrate the effect of a future or hypothetical event by showing how it might have affected the historical financial statements if it had occurred during the period covered by those financial statements.
o Based on management's assumptions directly attributable to transaction or event o Labeled accordingly to prevent confusion o May be examined or reviewed o Understanding of events and evaluate the pro forma adjustments including any assumptions on
which adjustments are based o Refer to the financial statements from which the historical information is derived and state
whether such financial statements were audited or reviewed o Check the math!!!
60
M5: Reporting on Controls at a service Organization (1) Reporting on Controls at a Service Organization
• Relationship between the entity and the service organization o Service organization controls → Client controls o Service organizations often have an auditor perform an attestation examination engagement to
report on the controls of service organization that are relevant to the user entities internal control over financial reporting or are relevant to the security and confidentiality of the information processed by service.
• Objectives – Service Auditor: o Obtained reasonable assurance
▪ Management description of IC fairly presents the system ▪ Control objectives suitably designed ▪ When included in the scope of the engagement → Controls operated effectively to
provide reasonable assurance (achieved throughout the specified) o Report in accordance with findings
• Procedures o Assess the suitability of the criteria o Obtain understanding of the service organization system o Obtain evidence regarding management’s description o Obtain evidence regarding design o Obtain evidence regarding operating effectiveness (Type 2 Reports ONLY) o Updated written representation o Consider subsequent events
• SOC 1® and SOC 2® Reports – Both have restricted use! o SOC 1® – Evaluating the impact that certain relevant controls at the service organization have
on financial statements of the user entity. o SOC 2® – Give assurance to a broad range of users regarding the controls in place at a service
organization relevant to one or more of the trust service criteria of security, availability, processing, integrity, confidentiality, and privacy.
• Type 1 and Type 2 Reports o Type 1 – Report on the design and implementation of a service organization’s controls (no
assurance about effectiveness). Report contains the following: ▪ Management's description ▪ A written assertion by management
• Organization’s system fairly presents and design and implementation of system as a specified date
• Controls in management’s description were suitably designed to achieve the control objectives as of the specified date
▪ The auditor’s opinion o Type 2 – Report on the design, implementation, and operating effectiveness of the service
organization’s controls. ▪ Management's description ▪ A written assertion by management
• Organization’s system fairly presents and design and implementation of system as a specified date
• Controls in management’s description were suitably designed to achieve the control objectives as of the specified date
• The controls related to the control objectives outlined in management’s description operated effectively throughout specified.
▪ The auditor’s opinion
61
(2) User Auditor Considerations
• User Auditor Responsibility o Understanding of the nature and significance of the services provided by the service
organization and the effect on the user entity’s internal control. ▪ SOC 1® Type 1 Report – Aid the user auditor in obtaining an understanding of controls ▪ SOC1® Type 2 Report – Assurance about the design, implementation, and operating
effectiveness of the service organization’s internal controls.
• Such evidence can allow reduction of control risk
• Auditor should be stratified regarding: o Service auditor’s confidence and independence o Adequacy of the standards o The period covered by the report is appropriate o Adequacy of the period covered by the test of controls and the time
elapsed since then performance of test of controls o Whether any complementary controls are relevant o Whether the test of controls performed are relevant and provides
sufficient appropriate audit evidence
• Reporting by the User Auditor o Qualified Opinion or Disclaimer of Opinion → Unable to obtain sufficient appropriate audit
evidence regarding service provided by a service organization o No reference of service auditor report if unmodified opinion o Permitted to make a reference to explain a modification of the user auditor’s opinion
M6: Reporting on Compliance (1) Compliance Reporting
• Contractual agreements OR regulatory requirements in connection with a FS audit
• Attestation engagement: Compliance with requirements of specific laws and regulations OR on internal control over compliance
• Compliance and internal control over compliance as part of a single audit engagement (A5:M8)
(2) Compliance Report in Connection With Audited Financial Statements
• The auditor must have audited the client’s financial statements and may only issue negative assurance on compliance.
• Negative Assurance – Nothing came to the auditor’s attention. All the following must apply: o No identification of noncompliance o Auditor expressed unmodified or qualified opinion on the FS o The applicable covenant or regulatory requirements have been subjected to audit procedures as
part of the FS audit
• Identification of Noncompliance o Should describe the noncompliance o IF an adverse opinion or disclaimer of opinion a report can only be issued when there are
identified instances of noncompliance.
• Report on Compliance → In writing, separate report OR provided in one or more paragraphs in the auditor’s report on the financial statements.
(3) Attestation Standards: Compliance Attestation
• Two types of engagements: o Compliance with specified requirements o Internal control over compliance
• Agreed-Upon Procedures Engagements
An SSAE does NOT provide a legal determination of an entity’s compliance. However, such report may be useful to legal counsel.
62
o The objective is to present specific findings to assist users in evaluating an entities compliance with specified requirements or the entities internal control over compliance based on procedures agreed upon by the users of the report.
• Examination Engagements o Examined entities compliance with requirements of or a written assertion about compliance
with specified requirements o A practitioner may perform an examination engagement if the following conditions were met:
▪ The responsible party accepts responsibility for the entity's compliance and the effectiveness of the entity's internal control over compliance
▪ The responsible party evaluates the entities compliance ▪ Sufficient evidential matter exists or could be developed to support management
evaluation
• Overall Requirements for Compliance Examination o Perform a risk assessment o Design responses to risk assessment o Determine if supplementary audit requirements exist o Obtain written representation o Prepare reports o Prepare required documentation
• Required Documentation o The assessed risk of material noncompliance – Procedures performed, documentation o Responses to risk assessment – Procedures performed and results, test of controls o The basis or rationale of materiality levels o Compliance with supplemental requirements
M7: Government Audits (1) Sources of Government Auditing Standards
• GAAS: Are applicable to all audits (AICPA)
• GAGAS (Yellow Book): Additional standards applicable to government expand the auditor’s requirements. GAGAS contains standards for audits of:
o Government organizations, programs, activities, and functions o Government assistance received by contractors, BFPs, and other nongovernmental
organizations
(2) Purpose and Types of Government Audits
• Financial Audits o GAAP basis financial statements o Financial statements in conformity with special purpose frameworks
• Attestation Engagements o Incorporate the AICPA standards for examinations, reviews, and agreed-upon procedures o Subjects of attestation could include:
▪ Compliance with specified laws, regulations, rules, contracts, or grants ▪ Effectiveness of internal control over compliance is specified requirements ▪ Presentation of MD&A ▪ Reliability of performance measures
• Performance Audits o Provide objective analysis, findings, and conclusions to improves program performance and
operations, reduce costs, facilitate decisions, among other things.
“Unconditional requirements” → Auditor MUST comply “Presumptively mandatory requirements” → Auditor SHOULD comply otherwise document reason for not complying.
63
o Some objectives may overlap with the objectives of attestation engagement o Key categories of performance audit objectives include:
▪ Effectiveness, Economy, and Efficiency – Evaluate whether programs are meeting their goals and objectives.
▪ Internal Control – Evaluating internal control over effective and efficient operations, reliable reporting, or compliance with laws and regulations.
▪ Compliance – Evaluating compliance with criteria established by provisions of law, regulations, contracts, and grant agreements. Compliance requirements can be either financial or non-financial.
▪ Prospective Analysis – Evaluate events that may occur in the future, or this is just action step and entity may take in response to future needs.
o Auditor’s must decide if supplementary audit requirements exist.
(3) Government Auditing Standards (GAGAS)
• Standards for Financial Audits: Performing Financial Audits o The auditor should evaluate whether appropriate corrective actions to address climate links and
recommendations from previous audit and attestation engagements have been addressed. o GAGAS requires additional attention to fraud, noncompliance with laws and regulations, and
abuse. The auditor should: ▪ Consider compliance with contracts or grant agreements ▪ Consider the occurrence of abuse:
• Abuse involves deficient or improper behavior
• Auditors are not required to deduct abuse because abuse is subjective
• Awareness of abuse material to the audit results in the auditor performing further testing
▪ Auditors should avoid interference with investigations or legal proceedings o Developing Findings – The elements to of a fining include:
▪ Criteria: Define expectations of a program or operation ▪ Condition: The situation or status that exists ▪ Cause: The reason for the condition or the deviation from the criteria ▪ Effect or Potential Effect: Clear logical link between the condition and the deviation
from the criteria o Audit Documentation – Before the audit report is issued, auditor should document evidence of
supervisory review of the work performed that supports the findings, conclusions, and recommendations. Departure from GAGAS and the impact on the audit due to noncompliance should be documented as well.
• Standards for Financial Audits: Reporting on Financial Audits o Auditors should include a statement in the audit report that they complied with GAGAS o Weather or nor the auditor is disclaiming an opinion, auditor should also report on internal
control over financial reporting and compliance with the regions of law, regulations, contracts, or grant agreements that have material effect on the financial statement.
▪ GAGAS does not require the auditors to express it opinion on internal controls, however a report on internal control and compliance should describe the scope of the auditors testing and any findings.
o Communicate Deficiencies ▪ In the report of internal controls and compliance the auditor should communicate
significant deficiencies and material weaknesses in internal control ▪ Auditors should also repot/communicate:
• Fraud and noncompliance with laws or regulations that have material effect on the financial statements.
o The auditor has an additional responsibility to communicate fraud to individuals contracting for or requesting the audit (if audit committee of client does not take appropriate action) MCQ-06349
64
• Noncompliance with provisions that has a material effect
• Abuse that is material either quantitatively or qualitatively o Report Views of Responsible Officials
▪ Auditors must report their findings and solicit and report the views of responsible officials along with any planned corrective actions.
o When confidential/sensitive information has been omitted from the report, the audit should disclose in the report that certain information has been omitted and the reasons for the omission.
o Written Representations From Management ▪ Management is responsible for entities compliance with laws and regulations ▪ There are no violations (possible violations) of laws or regulations whose effects should
be considered for disclosures in the financial statements ▪ Management has identified and disclosed in writing to auditor all the laws and
regulations that have a direct material effect on the financial statements
M8: Single Audits (1) Overview of Single Audits
• Entities that expand total federal assistance equal to or in excess of $750,000 in a fiscal year to have an audit performed in accordance with the Single Audit Act (2 CFR 200)
• The act allows for either a single or program-specific audit. To get program specific audit the grant recipient must meet the following criteria:
o Awards are expended under a single federal program o No FS audit is required
• Objectives of the single audit: o Audit the FS and reporting on a separate schedule of expenditure of federal awards o Compliance audit of federal awards
• Materiality determinations o Separately in relation to each major program o A major program is one that has $750,000+ in assistance or classified as high risk
The Yellow Book report is an additional report required under GAGAS, differs from the standard nonissuer FS report in: The Auditor’s Responsibility Paragraph Other-Matter Paragraph referencing GASGAS repot (pointer)
SUMMARY: The audit threshold for federal audit requirement is expenditure of $750,000 of federal financial assistance. Single audits are generally required unless they restrictive requirement of a program-specific audit format. Program-specific audits are used when the expenditures are made on their only one program AND the terms of the award do not require financial statements audits.
65
• Program-Specific Audits: The auditor must contact the Inspector General of applicable federal agency and obtain a current program specific audit guide.
(2) Auditee Responsibilities
• Auditor selection – Procurement standards. Proposals made by auditors must have been evaluated for: o Responsiveness o Relevant experience o Availability of qualified staff o Peer review o Copy of the audit organization’s peer review report
• Report Submission – Must be submitted by the auditee within 30 days of receipt or nine months after the end of the audit.
o Reports must be retained for three years from the date of submission by both the auditor and the auditee.
(3) Auditor’s Responsibility
• The Scope of The Audit: To express an opinion regarding the fair presentation of financial statements and relevant schedules. In addition, the auditor should consider internal control, compliance, and previous audit findings.
o Internal Control → Over compliance using major programs. The audit must be planned to support a low assessed level of control risk of noncompliance for major programs. The auditor should keep in mind the following:
▪ The audit is not required to test controls that are ineffective ▪ Significant deficiencies and material weaknesses must be reported ▪ When controls are deemed ineffective, additional test of compliance must be
considered o Compliance → Express an opinion regarding major program compliance with statuses,
regulations, and terms and conditions of related federal award. o Previous Audit Findings → The auditor is required to follow up on audit findings from previous
audits.
• Audit Reporting – The Auditor Should (Page A5-84) o Expressing opinion in accordance with GAAP o SEFA Report o GAGAS (Yellow Book) Report o Single Audit Report o Schedule of findings and questioned costs
• Audit Findings – Auditor must report: o Significant deficiencies and material weaknesses o Material noncompliance o Question cost (excess of $25,000) o The circumstances concerning in a modified opinion o Known or likely fraud affecting a federal award
• Major Program Determination o Risk based approach – Consider:
▪ Current and prior audit experience ▪ Oversight by federal agencies ▪ Inherent risk
o Four-step Process ▪ STEP 1: Identify type A ($750,000 or more) and type B (not meeting the type A
requirement) program ▪ STEP 2: Identify type A programs that are low risk
66
• **CANNOT be low risk if they have: Material weakness, modified opinion, or questioned costs that exceed 5% of total federal awards
▪ STEP 3: Identify type B programs that are high risk based on professional judgement ▪ STEP 4: At minimum, all Type A programs not identified as low risk and all Type B
programs identified as high risk. o Percentage of coverage – For low-risk auditees, the auditor must test 20% of total federal
awards expended. And 40% of other auditees. o Indications of higher risk
▪ Multiple internal control structures ▪ Week monitoring ▪ Not recently audited as major
o The inherent risk of federal program is increased by ▪ The complexity of the program ▪ Being in the early phase of the program's lifecycle
A6: Accounting and Review Service Engagements, Interim Reviews, and Ethics & Professional Responsibilities
M1: SSARS Engagements (1) Levels of Service
• Preparation → No assurance; Independence is not required (non-attestation service)
• Compilation → No assurance; Independence is not required but must be disclosed if not since there is a report required (attestation engagement)
• Review → Limited assurance; Independence is required (assurance and attestation engagement)
** When more than one service is rendered, issue a report that is appropriate with the highest level of service rendered.
(2) Professional Standards
• Statements on Standards for Accounting and Review Services (SSARS) o Accounting and Review Service committee of the AICPA (Nonissuers) o An accountant should:
Attest = Repot Non-attest = No Report Assurance = Opinion (reasonable)/Conclusion (limited) No Assurance = No opinion/conclusion
67
▪ Sufficient knowledge to identify applicable SSARS ▪ Exercise professional judgement ▪ Justify departures from SSARS
• SSARS does NOT apply o Few adjusting entries o Consulting o Preparing tax returns o Bookkeeping o Data processing services o Reviews for nonissuers whose annual FS are audited (SAS applies to these engagements)
(3) Elements of SSARS Engagements
• Three-Party Relationship o Management → Responsible for FS framework and internal controls o Auditor → Knowledge of the accounting principles and practice o Intended users
• Establish an understanding with the client → Engagement letter
• Compilation or Reviews Conducted in Accordance with SSARS and Another Set of Standards o Special Purpose Framework: Not considered appropriate unless
▪ A description of material difference from GAAP ▪ Similar disclosures are prepared in accordance with GAAP
o Financial Reporting Framework Generally Accepted in Another Country ▪ Distributed only outside the US → Report in accordance with SSARS or another set of
standards. ▪ Distributed in the US → Should be reported in accordance with SSARS
(4) Subsequent Events and Subsequently Discovered Facts
• The accountant should request that management consider whether each such event is appropriately reflected in the financial statements.
• Before Release Date o Accountant should discuss matter with management (governance) and determine whether FS
need revision. o If management updates, accountant should later date or dual date o If management does not revise, accountant should modify the review report
• After Release Date o Accountant should take appropriate action:
▪ Advise client to immediately disclose ▪ Discuss the matter with management
• If management revises, accountant should perform the review procedures necessarily and later date or dual date. If revised FS differs, must disclose in an emphasis-of-matter paragraph.
o Management should: ▪ Notify anyone who is known to be using the report ▪ Issue revised FS as soon as possible ▪ Issue subsequent period’s FS with appropriate disclosures
o If client refuses to proceed, the accountant should notify appropriate entity personnel and: ▪ Notify client that accountant’s report must no longer be associated ▪ Notify, if applicable, any regulatory agencies ▪ Notify persons known to be relying on the report
o If client refuses to cooperate, accountant disclosure should state that their report should no longer be relied on or be associated with the financial statements.
68
(5) Reporting Fraud and Noncompliance with Laws and Regulations
• Such matters should be communicated to an appropriate level of management
• Consider the impact
• If materially misstated, the accountant should obtain additional or revised information
• If entity will not provide additional revised information the accountant should withdraw.
• Inconsequential matters: Need not be communicated
• Documentation: May be made in writing or orally, but oral communication should be documented
• Other options: Consider withdrawing or consulting legal counsel if fraud or noncompliance involve the owner of the business
• Confidentiality
M2: Preparation Engagements • Establishing understanding with the client → Engagement Letter, should include:
o Objectives o Management’s responsibility o Each page of the financial statements will include a statement indicating that no assurance is
provided. o Accountant’s responsibility o Limitations of the engagement o Financial reporting framework o Example is on Page A6-12
• Preparation Requirements o Understanding of the financial reporting framework and the significant accounting polices o Management understands and accepts responsibility o Each page indicates “No assurance is provided” on the FS o If the accountant is unable to indicate a statement on each page, they should:
▪ Issue a disclaimer ▪ Perform a compilation engagement
• Other Preparation Consideration o When using a special purpose framework accountant must include a description of the financial
reporting framework (on the face or in a note) o Inaccurate or incomplete FS, accountant should disclose the material misstatement (or consider
withdrawing) o Omission of all disclosures, the accountant should
▪ Disclose such omissions ▪ Not intended to mislead (example bank only wants to look at IS and BS)
• Documentation should include: o Engagement Letter o Financial Statements o Significant findings or issues
M3: Compilation Engagement (1) Compilation of Financial Statements
• No assurance → Independence is not required, lack of must be disclosed
• Engagement Letter o Objectives o Management’s responsibility o Accountant’s responsibility o Limitations o Applicable framework
• Compilation Report Example Page A6-18
69
(2) Compilation Requirements
• Reading the financial statements (never associate with false, fraudulent, or misleading FS)
• Noncompliance → Request management to consider the effect
• FS might be inaccurate or incomplete → If client refuses, accountants should withdraw o Management has failed to provide records → Withdraw
• Documentation o Engagement letter o Financial statements o Accountant’s report o Any significant findings or issues
(3) Reporting on Compilation
• Independence is not required (no assurance)
• Must disclose lack of independence on report
• Statement that engagement was performed in accordance with SSARS
• Accountant did not audit or review the FS and does not express an opinion
• Additional Paragraphs: o Special purpose framework o Not independent o Known departures o Supplementary information
• Reporting in accordance with special purpose framework o Reference management’s responsibility o Refer to the note to the FS
• Omission of substantially all disclosures o Accountant’s report clearly indicates o Not intended to mislead
• Restricted use is not required
• Departure from reporting framework – Disclose or withdraw
M4: Review Engagement (1) Review of Financial Statements (Nonissuer)
• Limited assurance = Independence is required
• Inquiry and analytical procedures
• Review procedures should be tailored to the specific engagement
(2) Review Requirements
• The performance requirements applicable to a review – U LIAR CPA: o Understanding of client o Learn sufficient knowledge of the business o Inquires o Analytical procedures o Review o Client representation letter o Professional judgment o Accountant should communicate results
Note – Page A6-22: - No title - No separate paragraph - No assurance
EXAM TRICK: Do not issue an “adverse opinion”
Compilation vs Preparation - Substantially the same - Compilations requires a report - Compilation requires the consideration of independence
70
• Understanding with Client – U LIAR CPA o Engagement letter
▪ Objectives of engagement ▪ Management’s responsibility ▪ Accountant’s responsibility ▪ Limitations ▪ Applicable framework
• Learn Sufficient Knowledge of the Entity’s Business – U LIAR CPA o NOT Required (not auditing)
▪ Test of controls ▪ Perform audit tests ▪ Assess fraud risk ▪ Communicate with predecessor accountant
o Designing Review Procedures – Analytical procedure & inquires
• Inquiries Should Be Addressed to Appropriate Individuals – U LIAR CPA o The inquiries are of internal personnel not external people o Consider reasonableness and consistency of management’s responses o Not required to corroborate management’s responses with other evidence
• Analytical Procedures Should Be Performed – U LIAR CPA o Trends & Ratios & Comparisons
▪ Comparing current and prior period FS ▪ Comparing financial and nonfinancial data ▪ Comparing actual and budget FS ▪ Comparing ratios with industry ▪ Comparing relationships among elements in the FS ▪ Look for predictable patterns
• Review: Other Procedures – U LIAR CPA o Read the financial statements o Agree or reconcile with accounting records o Consider the effects of any going concern uncertainties o Incorrect, incomplete, or otherwise misleading, consider the effect on review report
• Client Representation Letter from Management – U LIAR CPA o Required o Should include:
▪ Management fulfilled its responsibility (FS) ▪ Maintaining IC ▪ Provided accountant all relevant information ▪ Responded fully and truthfully ▪ Disclosed its knowledge of fraud ▪ Allegation or suspected fraud ▪ Noncompliance ▪ Uncorrected misstatements are immaterial ▪ Known actual or possible litigation ▪ Estimates are reasonable ▪ Related parties ▪ Subsequent events
o If management does not provide written representation, accountant should withdraw from the engagement.
• Professional Judgment to Evaluate Results – U LIAR CPA o Incomplete review or no representation letter → Prevent issuance of a review report o Documentation should include:
▪ Engagement letter ▪ Findings
71
▪ Inquiry and responses ▪ Analytical procedures performed and expectations ▪ Communications with management ▪ Management rep letter ▪ Copy of the reviewed FS and the accountant’s review report
• Accountant Communicates Results – U LIAR CPA o Title: “independent” o Introduction o Management Responsibility
▪ Preparation of fair presentation of FS ▪ Internal control
o Accountant’s responsibility ▪ SSARS ▪ Limited assurance – Provide reasonable basis for the accountant’s conclusion
o Accountant’s conclusion – Not aware of any material modification
M5: Review Reports (1) Reports on Review Engagement
• Accountant independence is required
• Review Report Modification o Accountant should modify when FS does not include:
▪ Description of special purpose framework ▪ Summary of significant accounting policies ▪ Description of how special purpose framework differs from GAAP
• Emphasis-Of-matter Paragraph: Discuss uncertainties or inconsistencies, or to emphasize any matter already disclosed in the financial statements (Example: subsequent event, significant related party transactions or changes in accounting principles)
o May include – Important litigation, major catastrophe, unusually important subsequent events
• Other-Matter Paragraph: Accountant considers it necessary to communicate a matter other than those that are presented or disclosed in the financial statements.
• Reporting on FS that are prepared in accordance with special purpose framework – the review report should:
o Reference management’s responsibility o Include emphasis-of-matter paragraph o If prepared using the regulatory or contractual basis of accounting, include a description of the
purpose
• Accountant may choose whether to reference (and split responsibility) with other accountants or not.
• Departures from the applicable financial reporting framework → Modify the report or withdraw
• Report Modification – Separate paragraph after the accountant’s conclusion under the heading “Known Departures”
• Report modification is not adequate → Withdraw
• Consideration of an Entity’s Ability to Continue as a Going Concern o Alleviated → May include an emphasis-of-matter paragraph o Remains → Should include an emphasis-of-matter paragraph
(2) Reporting on Comparative Financial Statements
• Update all periods to current
• Periods in Question
EXAM TRICK: The examiners frequently have incorrect responses to questions that suggest that audit test work, including testing of internal controls, is to be performed.
72
o Compiled to Reviewed – Prior periods should be updated and issued as the last paragraph of the current period’s report
o Reviewed to Compiled – Issue a compilation report and add a paragraph OR reissue the prior period report (combined (no review procedures are performed) or separately).
o Compiled/Reviewed to Prepared – No requirement reference to prior period
• Other Requirements o Columnar Form – Clear indication so that the user does not inappropriately extend the
accountant’s compilation report to such FS o Omission of Required Disclosure – Not comparable, accountant should not issue report on
comparative financial statements when not all the periods presented omit all disclosures o Discovered Subsequent Events (affecting previous reports) – Other-Matter Paragraph:
▪ Date of original report ▪ Statements of the prior period have changed ▪ Reason for change
• Other Accountants Involved in Prior Periods o If predecessor Accountant decides to reissue their report (they are not required to), they should:
▪ Decide if the report is still appropriate ▪ Perform the following procedures:
• Read the statements
• Compare
• Obtain a letter from the successor o Predecessor’s report NOT reissued
▪ Not presented, the successor is not required to make reference to the compilation or review report on the prior period FS. However, successor accountant may include an additional paragraph:
• Prior periods were compiled or reviewed by other accounts
• Date of their report
• Description of any modifications o Restated prior period Financial statements
▪ The predecessor or successor accountant report on the change prior period financial statements, as restated
▪ Successor accountant may report only under restatement adjustment
• Reporting when one period is audited o Reissue the prior period report or include an other-matter paragraph o Audited to Unaudited: Add an other-matter paragraph
▪ Prior period from statements are audited ▪ Date ▪ opinion expressed ▪ no auditing procedures have been performed since the previous report date
o Unaudited to Audited: Should include an other-matter paragraph ▪ Service performed in prior period ▪ Date ▪ Material modification ▪ A statement that the service was less in scope ▪ Should be marked “unaudited”
73
M6: Interim Reviews (1) Overview
• Applicability: Nonissuer (SAS) – Auditor may conduct a review if: o Latest FS have been audited o Auditor has been engaged to audit the current FS
• Applicability: Issuer (PCAOB) – Required by the SEC to file quarterly
(2) Procedures (Same as nonissuer)
• The performance requirements applicable to a review – U LIAR CPA: o Understanding of client o Learn sufficient knowledge of the business o Inquires o Analytical procedures o Review o Client representation letter o Professional judgment o Accountant should communicate results
• Understanding with Client – U LIAR CPA o Determine the framework o Obtain agreement of management responsibility for:
▪ Preparation and fair presentation of FS ▪ Design, implementation, and maintenance of IC ▪ Access to information and persons
o Engagement letter – Required ▪ Objectives of engagement ▪ Management responsibility ▪ Accountant’s responsibility (SAS for nonissuer; PCAOB for issuer) ▪ Limitations ▪ Applicable framework
• Learn Sufficient Knowledge of the Entity’s Business – U LIAR CPA o Purpose
▪ Determine material misstatements ▪ Evaluate likelihood of misstatements ▪ Select appropriate inquiries and analytical procedures
o Planning ▪ Read the documents ▪ Read the most recent FS ▪ Consider the results ▪ Inquiry: Changes in business activities and related parties
o Obtaining Knowledge ▪ Initial Review → Make inquires of the predecessor auditor ▪ Significant deficiencies may result in a scope restriction (if auditor cannot perform a
review)
• Inquiries Should Be Addressed to Appropriate Individuals – U LIAR CPA o The inquiries are of internal personnel not external people o Consider reasonableness and consistency of management’s responses o Not required but may be appropriate to inquiry the entity’s lawyer o Not required to corroborate management’s responses with other evidence regarding mitigating
factors as to continue going concern
• Analytical Procedures Should Be Performed – – U LIAR CPA o Trends & Ratios & Comparisons
▪ Comparing current and prior period FS
74
▪ Relationships between financial and nonfinancial data ▪ Actual Vs budget financials ▪ Comparing ratios with industry ▪ Comparing relationships among elements in the FS ▪ Look for predictable patterns
• Review: Other Procedures – U LIAR CPA o Read minutes o Reports of any component auditors o Reconcile with the accounting records o Read the interim financial information
• Client Representation Letter from Management – U LIAR CPA o Required o If management does not provide written representation, accountant should withdraw from the
engagement.
• Professional Judgment to Evaluate Results – U LIAR CPA o Scope Limitations
▪ Unable to perform necessary procedures or management does not provide appropriate representation → NO review report should be issued!
• Auditor Communicates Results – U LIAR CPA o Problem → Management → Audit Committee → Board of Directors → Withdraw (get legal
advice) o Communications are required with respect to:
▪ Fraud and noncompliance ▪ Significant deficiencies and material weaknesses
o If auditor cannot complete the review, auditor should communicate to appropriate level of management (and those charged with governance):
▪ The reason ▪ Auditor is precluded from issuing a review report ▪ Any material modifications that the auditor has become aware of during the review
• Departures from any applicable financial reporting framework → Modify the report o Basis for modification paragraph immediately following the conclusion o If modification is not sufficient to address the deficiencies → Withdraw
• Going Concern o Nonissuers – Emphasis-of-matter paragraph
▪ Management’s plan does not alleviate the doubt ▪ Not included in prior years report
o Issuers – Not required to include an explanatory paragraph (permitted) o Issuer and Nonissuer – If disclosures are inadequate then modify the report!
(3) Other Uses of Interim Financial Information
• When interim information included in a note to the financial statements is not marked audited, the auditor would disclaim an opinion on the interim financial information
• Quarterly information required by the SEC has not been reviewed, an explanatory paragraph should be added to the auditor’s report indicating that the auditor was unable to review.
• Quarterly information required by the SEC has been omitted, an explanatory paragraph should be added
Each page of the interim financial information should be clearly marked unaudited.
Interim financial information presented in a registration statement should clarify that the report is not considered to be a report or part of the registration statement within this context.
75
76
M7: The AICPA Code of Professional Conduct (1) Overview
• AICPA’s Code of Professional conduct governs any service that a member of the AICPA performs.
• A professional code of conduct is distinguishing mark of a profession that accepts a high degree of responsibility toward the public.
• The code is separated into parts: o Members in public practice o Members in business o Other members
(2) Principles
• Responsibility
• Public interest
• Objectivity and independence – Maintain objectivity and be free of conflicts of interest. Independent in fact in appearance.
• Due care
• Scope and nature of services – Observe the principles of the code of professional conduct
• This requires members to: o Have adequate internal quality control o Determine whether any conflicts of interest o Professionalism
Covered Member: Audit team and office/boss “chain of command” Immediate Family: Spouse and dependents (living under your roof) Close Relatives: Parents, siblings, and adult kids (must invite to wedding)
77
(3) Rules
• Independence Rule o Independence is not required for compilation and non-attestation services o Independence must be maintained by covered members o Members must have independence of mind and in appearance
• Independence Impaired By Financial Interests o A covered member has a direct financial interest (stock owned, even if in a blind trust) or
immaterial indirect financial interest (mutual funds). o A covered member or his immediate family has loan to or from a client o Acceptance of a gift o Independence is impaired if a close relative has financial interests in the attest client that the
covered member knows or has reason to believe his material. o Independence is not impaired in a financial institution client by:
▪ Fully collateralized car loans ▪ Cash advance or credit card balances not exceeding $10,000 ▪ Bank account that is fully insured by the government (Below FDIC limit $250,000) ▪ Passbook loan
• Independence Impaired By Employment Relationships o Client officer joins CPA firm o Family works for client o CPA firm employee joins client as executive o CPA discussing job at client
• Independence Impaired By Business Relationships o Member makes management decisions o Independence not impaired:
▪ By being a member of or an honorary trustee ▪ Membership in the same trade association Country Club
• Other Reasons Independence May Be Impaired o A client who is more than one year overdue in payment of professional fees o Actual or threatened litigation may impair independence
▪ Independence is not impaired by a suit for immaterial dollar amount for work unrelated to attestation service
• Integrity And Objectivity Rule - CPA/ CPA firm/ Firm employees
• General Standards Rule – A member must comply with the following standards: o Professional Competence: knowledge of technical subject matter or the ability to obtain that
knowledge o Do Professional Care
▪ Skill commonly possessed by others ▪ Critically review work done by dose assisting
o Planning and Supervision o Sufficient Relevant Data: afford a reasonable basis for conclusions or recommendations
• Compliance with standard Rule: Measure of quality of performance
• Accounting Principles Rule: General rule GAAP should be followed o Rare Exception → Unusual circumstances may justify a departure from GAAP if a compliance
would cause the financial statements to be misleading.
• Confidential Client Information Rule - Should not disclose any confidential client information without the specific consent of the client. Exceptions:
o Subpoena or summons o Quality review/Peer review
The most heavily tested area of the Code Of Conduct and professional responsibility is the independence rule!!
78
o Ethics division order trial board of the AICPA or disciplinary board of a state CPA society o Your legal defense team when client is suing you
• Contingencies Rule - General rule not allowed o Contingencies are permitted in the following cases:
▪ Fixed by courts or other public authorities or in tax matters if they are based on results of court proceedings.
▪ Contingent fees are permitted for compilations of financial statements expected to be used by third parties only if the member includes a statement that the member is not independent.
• Acts Discreditable Rule – Member shall not commit: o Failure to return records to client o Discrimination or harassment o Failing to follow applicable standards or procedures o Negligence in preparing financial statements or records o Solicitation for disclosures of CPA examination questions o Failure to timely file a personal or firm tax return o A member whose employment relationship is terminated should not take or retain original or
copies from the firm's clients’ files o Disclosure of confidential information
• Advertising And Other Forms Of Solicitation Rule o A member in public practice shall not seek to obtain clients by advertising or other forms of
solicitation in a manner that is false, misleading, or deceptive. o Advertisements and sore situations are misleading or deceptive if they:
▪ Create faults or end justified expectations ▪ Implied the ability to influence a court, regulatory agent, or official ▪ Intentionally underestimate fees ▪ It would mislead or deceive a reasonable person
• Commissions And Referral Fees Rule – Impair independence o A member in public practice should not for a commission recommend or refer to apply any
product or service when the member or the member’s firm also performs for that client: ▪ An audit or review of financial statements ▪ Compilation when the member does not disclose a lack of independence ▪ An examination
o A member performing other services not prohibited above may receive a commission, but the Commission must be disclosed to the client.
• Ownership Of CPA Firms – Must be over 50% owned by CPS
(4) Conceptual Framework
• A conceptual framework approach requires entities to: o Identify threats to compliance o Evaluate the significance of the threat o Apply safeguards to eliminate the threats
• Threats To The Compliance With Fundamental Principles o Adverse Interest Threat - Not active objectivity o Advocacy Threat - Promote a client's interests, independence is compromised o Familiarity Threat - Too sympathetic o Management Participation Threat - Assume management's responsibility o Self-Interest Threat - Could benefit financially o Self-Review Threat - Evaluate your own work o Undue Influence Threat - Subordinate judgment
• Safeguards That Might Eliminate Or Reduce Threats o Safeguards fall into one of the following categories for conceptual framework for:
▪ Public practice:
79
• Safeguards implemented by the profession, legislation, or regulation
• Safeguards implemented by the client
• Safeguards implemented by the firm ▪ Business:
• Safeguards implemented by the profession, legislation, or regulation
• Safeguards implemented by the employing organization
M8: Ethical Requirements of the SEC and PCAOB (1) The Sarbanes-Oxley Act of 2002
• SOX Title I: Public Company Accounting Oversight Board (PCAOP) o PCAOB composed of five members (2 members must be CPAs & 3 cannot be CPAs) o The board is subject to oversight by the SEC and has duty too:
▪ Register public accounting firms that prepare audit reports for issuers ▪ Establish rules relating to the preparation of the audit reports for issuers ▪ Conduct inspections, investigations, and disciplinary proceedings concerning registered
public accounting firms o The PCAOB must conduct annual inspections for public accounting firms that regularly provide
audit reports from more than 100 issuers; and every three years for those that have fewer than 100.
o Registration with PCAOB: Only registered firms can audit in SEC issuer o Each registered firm must adhere to the following auditing standards:
▪ Audit documentation must be maintained for seven years ▪ Provide a concurring or second partner review ▪ Describing the audit reports the scope of testing
o Quality control standards required for registered firms o Investigations and Sanction – The PCAOB can impose the following sanctions:
▪ Temporarily suspension or permanent revocation PCAOB registration ▪ Bar of a person ▪ Limitation on the activities ▪ Civil monetary penalties ▪ Censure ▪ Require professional education or training
• SOX Title II: Auditor Independence o Prohibited services when auditing issuer:
▪ Bookkeeping ▪ Financial information systems design and implementation ▪ Appraisal and evaluation services ▪ Actuarial services ▪ Management functions or HR services ▪ Internal audit outsourcing services ▪ Service as a broker, dealer, investment advisor, or investment banker ▪ Legal services ▪ Expert services unrelated to auto
o Audit partner requirements – Must rotate off the audit every five years (under PCAOB rules, auditors of issuers must also disclose the name of the engagement partner).
o Registered firms must report to audit committee ▪ The critical accounting policies and practices to be used ▪ Alternative accounting treatments discussed with corporation’s management ▪ Material written communication between audit firm and management
Test services are permissible is pre-approved by audit committee.
80
o Conflict of Interest – The audit firm cannot have employed in the issuers CEO, CFO, controller, chief operating accounting officer, or any other person serving in an equivalent position for a one-year period preceding the audit (cool-off period)
• SOX Title III, Section 303: Improper Influence on Conduct of Audits o It is unlawful to take any action to fraudulently influence, coerce, manipulate, or mislead any
independent CPA engaged in the performance of an audit of the financial statements of an issuer.
(2) Independence Requirements of the SEC
• Principles of Independence – SEC looks to weather a client relationship or service provided to an audit: o Create signature or conflicting interest o Results in the auditor acting as management o Places the auditor in a position of auditing his or her own work o Places the auditor in a position of being advocate for the audit client
• Circumstances That Impair Auditor Independence o Financial relationships: All direct investments and material indirect investments o Other financial interest in an audit client:
▪ Loans two or from an audit client or officers, directors ▪ Savings /checking account balances that exceed $250,000 (FDIC insured limit) ▪ Credit card balances in excess of $10,000
o Exceptions ▪ Any solicited gift or inheritance and is disposed of as soon as practicable ▪ New audit engagement and auditor disposes of financial interests as soon as practicable ▪ Immediate family member has financial interests, and they dispose as soon as
practicable
• Non audit services impaired independence (same as those listed above)
• Contingent fees impair independence
• Lead audit partner in conquering partner on that audit engagement team must rotate off the other engagement after five years.
o Required “time-out” period is also five years o Small accounting firms with fewer than five clients who are issuers and have fewer than ten
partners may be exempt from the partner rotation requirement
• Independence is impaired when audit committee fails to administer engagement. Pre-approval not required for non-audit services that do not exceed 5% of total revenues
• Compensation impairs independence if an audit partner earns or receives compensation based on selling engagements to audit client.
(3) Independence Requirements of the PCAOB
• Independence standards o Responsibility not to contribute to violations knowingly or recklessly o Auditor independence o Contingent fees o Tax transactions - may not provide confidential or aggressive tax transactions o Tax services for persons in financial reporting oversight roles - not provide tax services to
corporate officers o Audit committee pre-approval of certain tax services - corporate tax returns o Audit committee pre-approval of main audit services related to internal control over financial
reporting o Communication with audit committee concerned independents
81
M9: Ethical Requirement of the GAO and DOL (1) The Government Accountability Office (GAO)
• Ethical Principles: Serving the public interest, Integrity, Objectivity, Proper use of government information, resources, and positions, and Professional behavior.
• General Standards o Independence of mind and in appearance o Professional judgment o Competence o Quality control and assurance
(2) GAGAS conceptual framework for independence
• Threats To Independence o Self-Interest Threat: Financial or other interest will inappropriately influence in auditor’s
judgment or behavior o Self-Review Threat: Auditor or audit organization that has provided non audit services for
inappropriately evaluate the results of previous judgments o Bias Threat: Auditor will take position that is not objective o Familiarity Threat: Relationship with management or personnel of an audited entity will lead
and auditors to take a position that is not objective o Undue Influence Threat: External influences or pressures will impact the auditor’s ability to
make independent and objective judgments o Management Participation Threat: Assuming management responsibilities. No safeguard will
reduce the threat to acceptable level. o Structural Threat: Audit organization placement within government entity will impact the audit
organization's ability to perform work and report results objectively
• Safeguards – Eliminate or reduce to an acceptable level of threats o Consulting an independent third party o Involving another audit organization o Having professional staff member o Removing an individual from an audit team
• Evaluation of Non-audit Services o Consideration of management's ability to effectively oversee the non-audit service to be
performed. The auditor should determine: ▪ Entity has this ignited an individual who possesses suitable skills, knowledge, or
experience ▪ Individual understands the services to be performed sufficiently to oversee them
o The auditor should document consideration of management ability o Auditors performing a non-audit services should obtain assurance that the audited entity
management performs the following functions in connection with non-audit services: ▪ Assumes all management responsibilities ▪ Oversee the services ▪ Evaluates the adequacy and results ▪ Accepts responsibility for the results
(3) Department Of Labor (DOL)
• Independence is Required
• Impairment of Independence o Any direct financial interest or material in direct financial interest o An accountant or a member of the accounting firm maintains financial records for the employee
benefit plan
• Independence Not Impaired – Page A6-93