AU-C 210.A31 notes that before accepting the audit engagement, the successor auditor should make specific inquiries of the predecessor auditor regarding the predecessor's understanding of the reasons for the change of auditors. Other inquiries (which also should be made prior to acceptance) are to obtain facts concerning:
management disagreements, i.e.,
  auditing procedures, and
  other issues, and
communications to those charged with governance regarding fraud, noncompliance with laws or regulations by the entity, and internal control related matters.
The successor's purpose in asking these questions is to gather information that may affect whether or not to accept the engagement.
The predecessor auditor has no responsibility to make any inquiry or carry out any auditing procedures for the period after the date of his report. Thus, the predecessor auditor could not give an opinion on any subsequent events occurring since his report was issued. The predecessor has not audited the current period; thus, he would not be aware of the consistency of GAAP between periods. The predecessor auditor should permit the successor (with the client's permission) to review the prior workpapers. This review will allow the successor to evaluate all matters of continuing accounting significance (balance sheet accounts, contingencies, etc.).
The engagement letter should contain information such as:
the objective of the audit (an expression of an opinion on the financial statements);
the fact that management is responsible for:
  the financial statements,
  establishing and maintaining effective internal control over financial reporting,
  identifying and ensuring that the entity complies with laws and regulations,
  adjusting the financial statements to correct material misstatements,
  making all financial records and related information available to the auditor, and
  providing the auditor with a letter that confirms certain representations made during the audit;
the scope of the audit work to be performed (in accordance with GAAS);
the fact that the purpose of the audit is not to detect fraud but to enable the auditor to express an opinion as to the fairness of the financial statements;
mention that an audit includes obtaining an understanding of internal control and that the audit committee will be made aware of any discovered significant deficiencies;
additional work to be performed, such as tax, consulting, or other services (if applicable);
any limitations or restrictions on the scope of the study;
work to be performed by the client's staff (if applicable);
the basis of the auditor's fee; and
the audit work schedule and estimated date of completion.
This list is not all-inclusive, but it is illustrative of items that should be present. Items that would not be addressed in an engagement letter include the conditions under which the auditor may modify the preliminary judgment about materiality (these would not be known to the auditor), internal control activities that would reduce the auditor's assessment of control risk (the auditor has not obtained an understanding of the design of internal control or tested controls at this point), and materiality matters that could modify the auditor's preliminary assessment of fraud risk.
The AU-C Glossary defines a service organization as "an organization or segment of an organization that provides services to user entities that are relevant to those user entities' internal control over financial reporting." Examples of service organizations would include a bank that provides a lockbox service (collection of all incoming customer payments) or a company that calculates and processes payroll.
If a service organization initiates, executes, and processes transactions in the user organization's accounting system, it may not be practical or possible for the user organization to implement its own controls over these activities and their effect on the financial statements. The auditor is still responsible for obtaining an understanding of the entity's internal control and for assessing the risk of material misstatement; therefore, in certain circumstances, the auditor must obtain information about the internal controls of the service organization.
The auditor may obtain information about the service organization's controls over the services provided to the user organization through sources such as user manuals, system overviews, technical manuals, the contract between the two entities, or reports by service auditors, internal auditors, or regulatory authorities.
A service auditor's report on internal control placed in operation at the service organization and its operating effectiveness would be the most efficient manner for obtaining information;
Input controls (transactions captured, accurately recorded, and properly authorized), processing controls (transaction processing has been performed as intended), and output controls (accuracy of processing result) are all examples of application controls.
General IT controls are controls that apply to all systems components, processes, and data for an organization or IT environment. The objectives are to ensure the proper development and implementation of applications, as well as integrity of programs, data files, and computer operations.
Examples of general controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.
The FASB ASC Glossary defines related parties as, among others, management, owners, family members of owners or management, affiliates, or any party which "can significantly influence the management or operating policies" such that the entity might be "prevented from fully pursuing its separate interests."
Related party transactions must be fully disclosed in the notes to the financial statements, including the nature of the relationship involved, a description of the transaction, the dollar amounts of the transaction, and amounts due to and from related parties.
Transactions for which the auditor should be particularly alert include borrowing, lending, sale, or exchange of property at interest rates or prices significantly different from market rates or with no scheduled terms of repayment (AU-C 550).
The auditor is required to perform procedures for determining the existence of related parties, identifying related party transactions, and auditing and properly disclosing these transactions.