Study sets, textbooks, questions
Upgrade to remove ads
Terms in this set (325)
is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.
Auditing should be done by a ____, _____ person.
a competent, independent person.
To do an audit, there must be information in a verifiable form and some standards (criteria). Such criteria is:
FASB & IASB
any information used by the auditor to determine whether the information being audited is stated in accordance with established criteria.
ex: transaction data, communication with outsiders, observations, client testimony
the final stage of the auditing process is
preparing the audit report--> communicates the auditor's findings to users
the recording, classifying, and summarizing of economic events to provide financial information for decision making.
Auditors focus on
determining whether recorded information properly reflects the economic events that occurred during the accounting period.
Information Risk reflects
the possibility that the information upon which a business decision was made was inaccurate.
-auditing reduces information risk
causes of information risk:
remoteness of information
biases and motives of the provider
complex exchange transactions
Remoteness of information
Decision makers do not have firsthand knowledge and must rely on information provided by others.
biases and motives of the provider
Information is provided by someone whose goals are inconsistent with those of the decision maker and may be biased.
Higher volumes of transactions increase the likelihood of undetected errors.
Complex exchange transactions
Transactions are increasingly complex and more difficult to record properly. Complex accounting standards are difficult to interpret and apply.
reducing information risk:
user verifies information
user shares information risk with management
audited financial statements are provided
User verifies information
The user may go to the business to verify the information. This is often costly and impractical.
User shares information risk with management
Management is responsible for providing reliable information, and may be held responsible in a lawsuit if inaccurate information is provided.
Audited financial statements are provided
External auditors are engaged to provide assurance that the financial statements are reliable.
An assurance service is
an independent professional service that improves the quality of information for decision makers.
-CPAs or other professionals
Section 404 of the Sarbanes-Oxley Act now requires
assurance regarding internal controls for larger public companies.
An attestation service is a type of service in which
the CPA issues a report about a subject matter or assertion that is made by another party
-audit or historical financial statement/internal controls over financial reporting
Other Assurance Services
do not meet the definition of attestation services. A written report is not required, and it need not be about reliability or compliance.
-tax services, management consulting, accounting & bookkeeping
Primary types of audits performed by CPA firms (3)
evaluates the efficiency and effectiveness of any part of an organization's operating procedures and methods
Determines whether the auditee is following specific procedures, rules, or regulations set by some higher authority
financial statement audit
Determines whether the financial statements are stated in accordance with specific criteria. The criteria are normally U.S. GAAP or international accounting standards.
Primary types of auditors (4)
- Certified public accounting firms
- Government accountability office auditors
- Internal revenue agents
- Internal auditors
Certified public accounting firms
Responsible for auditing financial statements of all publicly traded companies, most other large companies, smaller companies, and noncommercial organizations
Government Accountability Office Auditors
An auditor working for the U. S. Government Accountability Office (GAO). The GAO reports solely to Congress.
internal revenue agents
(think of IRS)
Responsible for enforcing federal tax laws
-audit tax returns for compliance with tax laws
employed by many organizations and function similarly to GAO auditors.
Three general requirements must be met to become a CPA, though the specifics differ among states.
2. Uniform CPA examination
Although the Sarbanes-Oxley Act and the SEC restrict auditors from providing many consulting services to public company audit clients, audit firms are not restricted from providing consulting
to private companies and public companies that are not audit clients.
Three main factors that affect the structure of all firms are:
The need for independence from clients
The importance of a structure to encourage competence
The increased litigation risk faced by auditors
6 organizational structures available to CPA firms
Limited Liability Companies
Limited Liability Partnership
Act—Established the Public Company Accounting Oversight Board (PCAOB).
PCAOB (Public Company Accounting Oversight Board)
Provides oversight for auditors of public companies including:
Establishing auditing, attestation, and quality control standards for public company audits.
Performing inspections of audit engagements and quality controls.
Securities and Exchange Commission (SEC)
A federal government agency that assists in providing investors with reliable information upon which to make investing decisions.
The Securities Act of 1933
Requires most companies planning to issue new securities to the public to submit a registration statement to the SEC for approval.
The Securities Exchange Act of 1934
Provides additional protection for investors by requiring public companies to file detailed annual reports with the commission.
The Securities Acts of 1933 and 1934
Require financial statements and the opinion of an independent public accountant as part of the registration statement and subsequent reports.
Several reports required by the SEC are of interest to auditors: (4)
form s-1, 8-k, 10-k, 10-q
(think of securities)
"S" forms must be completed prior to issuing new securities to the public
report significant events of interest to investors
annual report with detailed financial information, including audited financial statements
quarterly report containing certain financial information and auditor reviews of financial statements
the american institute of certified public accountants sets rules and standards that all members/practicing CPAs must follow in four major areas:
Compilation and review standards
Other attestation standards
Code of Professional Conduct
The Auditing Standards Board (ASB) of the AICPA issue auditing standards called
Statements of Auditing Standards (SASs) which apply to audit engagements not covered by PCAOB standards
-generally accepted auditing standards (GAAS)
The Accounting and Review Services Committee issues
Statements on Standards for Accounting and Review Services (SSARS) that apply to preparation, compilation, and review services
Statements on Standards for Attestation Engagements apply to
assurance on non financial information
The AICPA Professional Ethics Executive Committee sets rules of conduct that CPAs are required to meet.
The AICPA Professional Ethics Executive Committee sets rules of conduct that CPAs are required to meet.
International Standards on Auditing (ISAs)
are issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC).
-do not override a country's regulations governing audit practices
worldwide organization for the accountancy profession.
works to improve uniformity of auditing practices throughout the world.
PCAOB standards only apply to
audits of U.S. Public companies and brokers and dealers registered with the SEC
AICPA Auditing Standards
Applicable to private entities in the United States
The ASB issued a Preface to the Codification of Auditing Standards containing the "Principles Underlying an Audit in Accordance with Generally Accepted Auditing Standards" (the principles) to provide a framework for the two objectives of conducting an audit of financial statements:
Obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error; and
Report on the financial statements, and communicate as required by GAAS, in accordance with the auditor's findings.
principles provide structure for the codification:
to provide an opinion about the financial statements
possess appropriate competence and capabilities
comply with ethical requirements
maintain professional skepticism and exercise professional judgement
obtain reasonable assurance whether the financial statements are free from material misstatement
plan work and supervise assistants
determine and apply materiality level(s)
identify and assess risks of material misstatement based on understanding of entity and its environment including internal controls
obtain sufficient appropriate audit evidence
express opinion on financial statements in a written report
whether financial statements were presented fairly in accordance with financial reporting framework
Principles versus Auditing Standards
The principles underlying auditing standards are general.
The standards (SASs issued by the AICPA and ASs issued by the PCAOB) provide specific guidance.
Classification of Auditing Standards
SASs issued by the AICPA have two classification numbers: an SAS number identifying the order in which it was issued and an AU-C number indicating its location in the Codification of Auditing Standards.
Auditing Standards issued by the PCAOB are also numbered consecutively as issued. The PCAOB recently reorganized their standards by topic.
Standards of Performance
The AICPA principles and auditing standards are minimum standards of performance.
When auditors want more specific guidelines, they must use less authoritative sources.
For a CPA firm, quality control includes
the methods used to ensure that the firm meets its professional responsibilities to clients.
Elements of Quality Control: (6)
-Leadership responsibilities for quality within the firm
-Relevant ethical requirements
-Acceptance and continuation of client relationships and specific engagements
Public accounting firms must enroll in an AICPA-approved practice-monitoring program
The AICPA has established audit practice and quality centers to improve audit practice quality.
The Center for Audit Quality (CAQ) is a public policy organization affiliated with the AICPA serving investors, public company auditors, and the capital markets.
The Private Companies Practice Section (PCPS) provides practice management information to firms of all sizes.
Conduct of CPA firm personnel
GAAS and Interpretations
Continuing education requirements
AICPA practice sections
Code of professional conduct
PCAOB and SEC
Parts of standard unmodified opinion audit report
Audit report address
Signature and address of CPA firm
Audit report date
Parts of Standard Unmodified Opinion Audit Report (8)
Audit report address
Signature and address of CPA firm
Audit report date (received sufficient appropriate evidence)
Conditions for standard unmodified opinion audit report
Includes all financial statements
Sufficient appropriate evidence accumulated
Financial statements are presented fairly in accordance with GAAP or other framework
No circumstances requiring the addition of an emphasis-of-matter paragraph or modification
auditor unable to form opinion as to whether the financial statements are fairly presented; or auditor is not independent
auditor concludes the financial statements are not presented fairly
auditor concludes financial statements are fairly presented but the scope of the audit has been material restricted or applicable accounting standards were not followed in preparing the financial statements
unmodified opinion with emphasis of matter explanatory paragraph or nonstandard wording
a complete audit took place with satisfactory results and financial statements are fairly presented but the auditor believes that its important or is required to provide additional information
Two significant audit reporting differences for public companies.
The standard unmodified opinion audit report is different. (introductory paragraph, scope paragraph, opinion paragraph)
Auditors of larger public companies must also issue an opinion on internal control over financial reporting.
Section 404(b) of the Sarbanes-Oxley Act requires the auditor of a public company to
report on the effectiveness of internal control over financial reporting.
PCAOB Auditing Standard 5 requires
the audit of internal control to be integrated with the audit of financial statements.
However, the auditor may issue separate reports (introductory paragraph, scope paragraph, definition paragraph, inherent limitations paragraph, opinion paragraph, cross reference paragraph)
The most important causes of the addition of an emphasis-of-matter paragraph or a modification of wording under both AICPA and PCAOB audit standards:
Lack of consistent application of generally accepted accounting principles as illustrated in Figure 3-5
Substantial doubt about going concern as illustrated in Figure 3-6
Auditor agrees with departure from promulgated accounting principles
Emphasis of other matters
Reports involving other auditors as illustrated in Figure 3-7
Examples of emphasis of other matters include the following:
financial statement comparability
related party transactions
Three conditions requiring a modification to the audit opinion:
auditor is not independent
Three types of reports may be appropriate:
qualified opinion-->scope limitation or departure from GAAP
adverse opinion-->material misstatement
disclaimer opinion-->lack of independence or knowledge and severe scope limitation
A misstatement in the financial statements can be considered material if
knowledge of the misstatement will affect a decision of a reasonable user of the statements.
Three levels of materiality are used for determining the type of opinion to issue:
highly material-->adverse or disclaimer
Decisions regarding materiality in specific audit situations involves judgment on the part of the auditor based on:
Materiality decisions—Non-GAAP condition
Dollar amounts compared with a benchmark
Nature of the item
Materiality decisions—Scope limitations conditions
Modification of the audit opinion can arise from several different circumstances:
Auditor's Scope Has Been Restricted—>qualified or disclaimer opinion
Statements Are Not in Conformity with GAAP—>adverse opinion or qualified
Auditor's decision process for audit reports
Determine whether any condition exists requiring a departure from a standard unmodified opinion report.
Decide the materiality for each condition.
Decide the appropriate type of report for the condition, given the materiality level.
Write the audit report.
Determine if more than one condition requiring a departure or modification exists.
US public companies have to prepare financial statements filed with SEC and GAAP but may be engaged to
report on financial statements in accordance with IFRS
can be defined broadly as a set of moral principles or values.
conduct that differs from what they believe is inappropriate given the circumstances.
There are two primary reasons why people act unethically:
The person's ethical standards differ from general society's
The person chooses to act selfishly
a situation a person faces in which a decision must be made about appropriate behavior.
The following are rationalization methods commonly employed that can result in unethical behavior:
Everybody does it.
If it's legal, it's ethical.
Likelihood of discovery and consequences.
The following six-step approach is one method for resolving ethical dilemmas:
Obtain the relevant facts.
Identify the ethical issues from the facts.
Determine who is affected by the outcome of the dilemma and how each person or group is affected.
Identify the alternatives available to the person who must resolve the dilemma.
Identify the likely consequence of each alternative.
Decide the appropriate action.
The term professional means
a responsibility for conduct that extends beyond satisfying individual responsibilities and beyond the requirements of our society's laws and regulations.
A CPA, as a professional, recognizes a responsibility to
the public, to the client, and to fellow practitioners, including honorable behavior, even if that means personal sacrifice.
the CPA firm's primary responsibility is
to the users of the financial statements.
Members of the AICPA agree to follow
the Code of Professional Conduct.
The Code consists of principles and rules, in addition to interpretations.
Only members in public practice can audit financial statements, which is addressed in
The Code offers the following for members to evaluate threats to compliance with the Code:
Identify threats. Threats fall into seven broad categories that are detailed in Table 4-3.
Evaluate the significance of the threat.
Identify and apply safeguards. Safeguards fall into three broad categories:
Safeguards created by the profession, legislation, or regulation.
Safeguards implemented by the client.
Safeguards implemented by the firm.
Interpretations of Rules of Conduct:
arise when there are frequent questions from practitioners concerning a specific rule.
Applicability of the Rules of Conduct:
apply to all members. However, the independence rule only applies to attestation services.
The value of auditing is dependent on
public's perception of the independence of auditors.
Independence consists of two components:
Independence of mind (also referred to as independence in fact)
Independence in appearance
The most significant interpretations involving independence include: (6)
Related financial interest issues
Consulting, bookkeeping, and other nonattest services
Litigation between CPA firm and client
Network of firms
Interests—The Code prohibits covered members from owning any stock or other direct investment in audit clients.
A Direct versus Indirect Financial Interest—Ownership of stock by a covered member or immediate family is direct financial interest. A close, but not direct, ownership interest is an indirect financial interest.
Financial Interests (Cont.)
Material or Immaterial—
Any direct ownership interest is prohibited, regardless of materiality. Materiality affects only whether ownership is a violation of independence for indirect ownership.
Financial Interests of Close Relatives—
Close relatives are defined as parent, sibling, or nondependent child. Ownership by a close relative is usually not a violation of independence unless the ownership is material to the relative, or enables the relative to exericise significant influence over the attest client.
Any of these relationships between a CPA and the client could affect independence:
Loans, other than normal lending procedures
Employment of immediate and close family members
Joint closely held investments with clients
Director, officer, management, or employee of a company
Auditors of public companies must also comply with the independence requirements of the
Sarbanes-Oxley Act, the PCAOB, and the SEC.
Sarbanes-Oxley and the SEC restrict the nonaudit services that can be provided to publicly held companies.
Sarbanes-Oxley also requires that an audit committee of the public company be responsible for the appointment, compensation, and oversight of the auditor.
There are also rules concerning the following issues:
Conflicts arising from employment relationships
Shopping for accounting principles ("opinion shopping")
Engagement and payment of audit fees by management
Integrity and Objectivity Rule
shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others.
General Standards Rule
Compliance with Standards Rule
Accounting Principles Rule
Confidential Client Information Rule
Practitioners are not permitted to disclose confidential client information without the client's consent.
Exceptions to Confidentiality Rule:
Obligations related to technical standards
Subpoena or summons and compliance with laws and regulations
Response to ethics division
Contingent Fees Rule
member of public firm can't perform/receive contingent fee from a client that the member's film also performs for the client:
audits/review FS, compilation of FS that a 3rd party will use, examination of prospective financial info, or prepare an original/amended tax return
Commissions and Referral Fees Rule
member of a public practice can't commission recommend or refer to a client a product or service that the member's firm also perform for the client: audits/review FS, compilation of FS that a 3rd party will use, examination of prospective financial info,
Advertising and Solicitation Rule
a public practice member shouldn't seek to obtain clients by advertising/solicitation that is false or misleading
Form of Organization and Name Rule
member shouldn't practice public accounting under a misleading firm name; can only practice in an organization permitted by state law/regulation
The Acts Discreditable Rule:
a member shouldn't commit a discreditable act
ailure to comply with the rules of conduct can be enforced by the following organizations:
AICPA Professional Ethics Division-->suspend or expel a member.
State Board of Accountancy--> rescind the CPA certificate and the license to practice
PCAOB-->Has the authority to investigate and discipline firms and individuals for noncompliance with Sarbanes-Oxley and impose sanctions, including suspension or revocation of the firm's registration.
primary focus of auditing is on
issuing an opinion on the financial statements
steps to develop audit objectives
divide FS into cycles
know mg assertions about FS
know general audit objectives for classes of transaction, accounts, and disclosures
know specific audit objectives for classes of transactions, accounts, and disclosures
financial statements and internal controls
SOX increases responsibility for financial statements
CEO and CFO must certify quarterly and annual financial statements submitted to SEC
Errors versus Fraud:
An error is an unintentional misstatement of the financial statements, whereas fraud is intentional.
For fraud, there is a distinction between
misappropriation of assets, usually committed by employees, and fraudulent financial reporting, usually committed by management.
Fraudulent Financial Reporting versus Misappropriation of Assets:
Fraudulent financial statements present users with incorrect financial information that is used for decision making. Misappropriation of assets is harmful to creditors, stockholders, and others because the assets have been taken from their rightful owners, the company.
However, the standards do recognize that fraud is more difficult to detect because those who are committing the fraud
attempt to conceal the fraud.
Auditor's Responsibilities for Discovering Illegal Acts
direct effect->same as for errors and fraud
Audit Procedures When Noncompliance Is Identified or Suspected:
understand situation and discuss with management
obtain sufficient appropriate evidence
pay attention to tax/pension laws
Reporting Identified or Suspected Noncompliance:
Unless the matter is inconsequential, the auditor should communicate with those charged with governance of matters of noncompliance.
Aspects of Professional Skepticism:
A questioning mindset (trust but verify) and a critical assessment of audit evidence.
Elements of Professional Skepticism: (6)
Questioning mindset—"trust but verify"—a disposition to inquiry with some sense of doubt.
Suspension of judgment—withholding judgment until appropriate evidence is obtained.
Search for knowledge—a desire to investigate beyond the obvious, with a desire to corroborate.
Interpersonal understanding—recognition that people's motivations and perceptions can lead them to provide biased or misleading information.
Autonomy—the self-direction, moral independence, and conviction to decide for oneself, rather than accepting the claims of others.
Self-esteem—the self-confidence to resist persuasion and to challenge assumptions or conclusions.
Elements of the Judgment Process: (5)
Identify and define the issue.
Gather the facts and information and identify the relevant literature.
Perform the analysis and identify potential alternatives.
Make the decision.
Review and complete the documentation and rationale for the conclusion.
divides classes of transactions and account balances that are closely related into segments.
cycles used in the text (SAPIC)
Sales and collection cycle
Acquisition and payment cycle
Payroll and personnel cycle
Inventory and warehousing cycle
Capital acquisition and repayment cycle
The most efficient way to conduct audits is to
obtain some combination of assurance for each class of transactions and for the ending balances in the related accounts.
Audit objectives for each class of transactions include:
Transaction-related audit objectives
Balance-related audit objectives
Presentation and disclosure-related audit objectives.
Management assertions are
implied or expressed representations by management about classes of transactions and the related accounts and disclosures in the financial statements.
Assertions by management are directly related to the financial reporting framework (U.S. GAAP or IFRS) that forms the
criteria that management uses to record and disclose accounting information in financial statements.
Management assertions lead to
the audit objectives.
The PCAOB standards describe five categories of management assertions:
Existence or occurrence
Valuation or allocation(accuracy, classification,cutoff)
Rights and obligations
Presentation and disclosure
AICPA and IFRS describe three categories of assertions:
Assertions about classes of transactions and events
Assertions about account balances
Assertions about presentation and disclosure
transaction related audit objectives (6)
posting and summarization
Relationship Among Management Assertions and Transaction-Related Audit Objectives
For each management assertion, there are general transaction-related audit objectives as well as specific transaction-related audit objectives
Balance-related and presentation and disclosure-related audit objectives
rights and obligation
detail tie in
-accuracy, classification, cutoff, detail tie in, realizable value go into vacation and allocation
specific balance related audit objectives
each objective should be tailored to the account being audited
four phases of the audit
plan and design an audit approach
perform tests of control and substantive tests of transactions
perform substantive analytical procedures and tests of details of balance
complete the audit and issue the audit report
Phase 1 of audit
plan and design an audit approach
2 considerations to how an auditor approaches the audit: Sufficient appropriate evidence must be accumulated to meet the auditor's professional responsibility.
The cost of accumulating the evidence should be minimized.
Risk assessment procedures include the following:
Obtain an understanding of the entity and its environment.
Understand internal control and assess control risk.
Assess risk of material misstatement.
Phase 2 perform tests of control and substantive tests of transactions
Tests of controls allow the auditor to evaluate the effectiveness of internal controls and determine whether the controls can be relied upon to reduce planned control risks.
Substantive tests of transactions allow the auditor to evaluate the client's recording of transactions.
Phase 3 perform substantive analytical procedures and tests of details of balance
Analytical procedures consist of evaluations of plausible relationships among financial and nonfinancial data.
Tests of details test for monetary misstatements in the financial statements.
phase 4 complete the audit and issue the audit report
, the auditor will reach an overall conclusion as to whether the financial statements are fairly presented.
After the conclusion, the auditor must issue an audit report that will accompany the client's financial statements.
The auditor must make four major decisions regarding what evidence to gather and how much to accumulate:
Which audit procedures to use?
What sample size to select for a given procedure?
Which items to select from the population?
When to perform the procedures?
An audit program includes all of the above information for a given audit.
Audit standards require that the auditor accumulate
sufficient appropriate evidence to support the opinion issued.
The two determinants of the persuasiveness of evidence are
appropriateness (reliability relevancy of evidence) and sufficiency.
Relevance of evidence means that
the evidence must pertain to or be relevant to the audit objective that is being tested.
Reliability of evidence refers to
the degree to which evidence is believable or worthy of trust. Reliability depends on the following characteristics: (6)
Independence of provider
Effectiveness of client's internal controls
Auditor's direct knowledge
Qualifications of individuals providing the information
Degree of objectivity
Sufficiency of evidence refers to
the quantity of evidence obtained.
The sample size that is considered sufficient is affected by two factors:
The auditor's expectation of misstatements
The effectiveness of the client's internal controls
Every audit procedure obtains one or more of the following types of evidence: (PICARIRO)
Inquiries of the client
The inspection or count of a tangible asset by the auditor.
The receipt of a direct written response from a third party verifying the accuracy of information that was requested by the auditor.
auditor's examination of the client's documents and records to substantiate the information in the financial statements.
Documents can be internal (prepared by the client's organization) or external (prepared or handled by someone outside the organization who is a party to the transaction).
Using documents to support recorded transactions (occurrence) is called vouching.
Testing from source documents to recorded amounts (completeness objective) is called tracing.
Procedures—The evaluation of financial information through analysis of plausible relationships among financial and nonfinancial data and are required during planning and completion phases of all audits. Purposes of analytical procedures include:
Understand the Client's Industry and Business—Used in planning to gain knowledge about the client.
Assess the Entity's Ability to Continue as a Going Concern—Many ratios can be an indicator of potential financial problems.
Indicate the Presence of Possible Misstatements in the Financial Statements—The presence of unusual fluctuations noted in comparing current and prior years could signal misstatements.
Provide Evidence Supporting an Account Balance—If reliable relationships exist, substantive analytical procedures can be used to support account balances.
Appropriateness of Types of Evidence
The effectiveness of a client's internal controls has significant influence on the reliability of most types of audit evidence, especially internal documentation and analytical procedures.
Physical examination and recalculation involve the auditor's direct knowledge and are likely to be highly reliable.
Inquiry alone is usually not sufficient to provide appropriate evidence to satisfy any audit objective.
Cost of Types of Evidence:
Inquiries of the client
Purposes of Analytical Procedures During the Audit Engagement:
Analytical procedures are required in the planning phase as part of risk assessment to understand the client's business and industry.
Analytical procedures are often done during the testing phase of the audit as substantive tests in support of an account balance.
Analytical procedures are required during the completion phase of the audit, serving as a final review for material misstatements.
Types of Analytical Procedures
Auditors compare client data with:
Similar prior-period data
Client-determined expected results
Auditor-determined expected results
Short-Term Debt-Paying Ability:
Liquidity Activity Ratios:
Accounts receivable turnover
Days to collect receivables
Days to sell inventory
Ability to Meet Long-Term Debt Obligations
Debt to equity
Times interest earned
Earnings per share
Gross profit percentage
Return on assets
Return on common equity
Audit documentation is
the record of the audit procedures performed, relevant audit evidence, and conclusions the auditor reached.
Purposes of Audit Documentation:
Basis for planning the audit
Record of the evidence accumulated and the results of the tests
Data for determining the proper type of audit report
Basis for review by supervisors and partners
Ownership of the Audit Files: All audit files are the property of the auditor.
Requirements for Retention of Audit Documentation:
Auditing standards require records of private companies be retained for a minimum of five years.
Sarbanes-Oxley Act requires auditors of public companies to maintain audit files for a minimum of seven years.
Contain data of a historical or continuing nature. These provide a convenient source of information that is used from year to year:
Copies of company documents such as articles of incorporation, bylaws, bond indentures, and long-term contracts
Analyses of accounts from previous years that have continuing importance
Information related to understanding internal controls and assessing control risk
Results of analytical procedures from prior years' audits for comparison
Working Trial Balance—Each line in the trial balance is supported by a lead schedule. A typical lead schedule for Cash is included in Figure 7-4.
Adjusting Entries—Auditors propose adjusting entries for material misstatements. An adjusting entry to Cash is illustrated in Figure 7-4.
Supporting Schedules—Major types:
Trial balance or list
Reconciliation of amounts
Substantive analytical procedures
Summary of procedures
Examination of supporting documentation
Preparation of Audit Documentation—
Audit documentation should be in sufficient detail to provide a clear understanding of the work performed, evidence obtained, and conclusions reached.
Documentation should have these characteristics:
Identified with the client's name, period covered, description of the contents, initials of the preparer, date of preparation, and an index code.
Files should be indexed and cross-referenced to aid in organization.
Documentation should clearly indicate the audit work performed through memos, initialing the procedures in the audit program, or tick marks on the schedules.
Include sufficient information to fulfill the audit objectives.
Conclusions reached about the segment of the audit should be clearly stated.
Three main reasons that the auditor should properly plan the audit engagement:
Enable the auditor to obtain sufficient appropriate evidence for the circumstances.
Help keep audit costs reasonable.
Avoid misunderstandings with the client.
Three risk terms relevant to audit planning
acceptable audit risk, client business risk, risk of material misstatement
phases of planning stage
accept client and perform initial audit planning
understand client's business and industry
perform preliminary analytical procedures
set preliminary judgements of materiality and performance materiality
acceptable audit risk
A measure of how willing the auditor is to accept that the financial statements may be materially misstated after the audit is completed and an unmodified opinion has been issued.
client business risk
The risk that the entity fails to achieve its objectives or execute its strategies.
Risk of material misstatement:
The risk that the financial statements contain a material misstatement due to fraud or error prior to the audit.
Initial audit planning involves four things:
The auditor decides whether to accept a new client or continue serving an existing client.
The auditor identifies why the client wants or needs an audit.
To avoid misunderstandings, the auditor obtains an understanding with the client about the terms of the engagement.
The auditor develops the overall strategy for the audit, including engagement staffing and any required audit specialists.
New Client Investigation:
CPA firms must take care in accepting new clients. The new (successor) auditor is required by auditing standards to communicate with the predecessor auditor.
Due to confidentiality requirements, the client must consent to this communication.
The purpose is to determine if the client lacks integrity or if there were disputes about accounting principles.
CPA firms evaluate existing clients to determine whether a continuing client presents risks due to lack of integrity.
Identify Client's Reasons for Audit
Risk factors associated with the client's reasons for an audit include the likely statement users and the intended uses of the statements.
Obtain an Understanding with the Client
A clear understanding of the terms of the engagement should exist between the auditor and the client. Auditing standards require that there be an engagement letter which includes the engagement's objectives.
Develop Overall Audit Strategy
After understanding the client's reason for an audit, the auditor should develop and document a preliminary audit strategy.
Select Staff for Engagement and Evaluate Need for Outside Specialists
The CPA firm must select staff for the engagement who are knowledgeable about the client's business. If the CPA firm lacks expertise, they may need to hire outside specialists.
understand the client's business and industry
Auditing standards require the auditor to perform risk assessment procedures to obtain an understanding of the client's business and its environment to assess risk of material misstatements.
understand the client's business and industry elements
industry and external environment
managements and governance
objectives and strategies
measurements and performance
Industry and External Environment
risks associated with specific industries affect client business risk
risks common to all clients in certain industries
industries have unique accounting requirements the auditor must understand
Business Operations and Processes
The auditor should understand factors such as major sources of revenue, key customers and suppliers, sources of financing, and information about related parties that may increase client business risk.
-tour client facilities and operations
-identify related parties (disclosed in financial statements)
Management and Governance
the auditor needs to assess management's philosophy and operating style and its ability to identify and respond to risk. Governance includes the organizational structure as well as operations of the board of directors and the audit committee.
-code of ethics
-minutes of meetings
Client Objectives and Strategies
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with laws and regulations
Measurement and Performance
A client's performance measurement system includes key performance indicators (KPIs) that management uses to evaluate progress toward its objectives
sales per employee
unit sales growth
Web site visitors
Perform Preliminary Analytical Procedures
financial ratios and industry standards
the magnitude of misstatements that individually, or when aggregated with other misstatements, could reasonably be expected to influence the economic decision of users.
5 steps to applying materiality
1. Set materiality for the financial statements as a whole
2. Determine performance materiality
3. Estimate total misstatement in segment
4. Estimate the combined misstatement
5. Compare combined estimate with preliminary or revised judgement about materiality
Factors Affecting Preliminary Materiality Judgment:
Materiality is a relative rather than an absolute concept.
Benchmarks are needed for evaluating materiality.
Qualitative factors also affect materiality.
determine performance materiality, which can also be referred to as
the allocation of the preliminary judgment about materiality to segments
PCAOB standards refer to performance materiality as tolerable misstatement.
Performance materiality for an account is often set at 50-75 percent of overall materiality.
Auditors have three major difficulties when allocating materiality to balance sheet accounts:
Auditors expect certain accounts to have more misstatements than others.
Both overstatements and understatements must be considered.
Relative audit costs affect the allocation.
Auditors document all misstatements found for each audit segment.
These may be known misstatements or likely misstatements.
Known misstatements are those that
the auditor can determine the amount of misstatement in the account.
There are two types of likely misstatements:
Differences between management's and the auditor's judgment about estimates of account balances
Projections of misstatements based on the auditor's tests of a sample
Auditors accept some level of ________ or ___________ in performing audits.
risk or uncertainty
Risk of Material Misstatement at the Overall Financial Statement Level:
Refers to the risks that relate pervasively to the financial statements as a whole and potentially affect a number of different transactions and accounts.
Risk of Material Misstatement at the Assertion Level:
There are two components to risk at the assertion level:
Inherent risk—Susceptibility of an assertion to material misstatement.
Control risk—Risk that internal controls will not prevent or detect material misstatement.
Risk assessment procedures include the following: (IDA-O2)
Inquiries of management and others within the entity
Observation and inspection
Discussion among engagement team members
Other risk assessment procedures
risk assessment procedures include
assessing the risk of material misstatement due to fraud or error.
The auditor's consideration of fraud risk is made at both the
Financial statement level and
Assertion level for classes of transactions, account balances, and presentation and disclosures.
Auditor must determine whether any of the risks identified are a
significant risk (fraud)
require special attention
Nonroutine transactions, including related-party transactions,
often represent significant risk.
significant risks (cont.)
Account balances or transactions that require estimates for which significant measurement uncertainty exists also may require more attention.
Audit Risk Model
PDR= AAR / IR * CR
planned detection risk =
Planned Detection Risk
risk that the audit evidence for an audit objective will fail to detect misstatements exceeding performance materiality.
-dependent on AAR, IR, CR
The auditor's assessment of the susceptibility of an assertion to material misstatement.
The auditor's assessment of the risk that a material misstatement could occur in an assertion and not be prevented or detected by the client's internal controls.
Acceptable Audit Risk
How willing the auditor is to accept that the financial statements may be materially misstated after the audit is complete and an unmodified opinion has been issued.
Auditors must decide appropriate
acceptable audit risk
Auditors must first decide
engagement risk and use it to modify acceptable audit risk.
engagement risk is
the risk that the auditor (or firm) will suffer harm after the audit is finished, even though the report was correct.
-closely related to client business risk
Factors Affecting Acceptable Audit Risk:
The degree to which external users rely on the statements based on these factors:
Distribution of ownership
Nature and amount of liabilities
The likelihood that a client will have financial difficulties after the audit based on these factors:
Profits (losses) in previous years
Method of financing growth
Nature of the client's operations
Competence of management
The auditor's evaluation of management's integrity
Assessing inherent risk is an attempt by the auditor to
predict where misstatements are most and least likely in the financial statement segments
-affects amount of audit evidence
-assess the factors that make up the risk
-takes place during planning phase and is updated through audit
Factors to Consider when Assessing Inherent Risk: (2R2FJINCM)
Nature of the client's business
Results of previous audits
Initial versus repeat engagement
Complex or nonroutine transactions
Judgment required to correctly record account balances and transactions
Makeup of the population
Factors related to fraudulent financial reporting
Factors related to misappropriation of assets
In addition to modifying audit evidence, the auditor can also make the following changes to respond to risks:
The engagement may require more experienced staff.
The engagement will be reviewed more carefully than usual.
Audit Risk for Segments
risk of material misstatement, control risk, and inherent risk are assessed for each audit objective in each segment of the audit.
Relating Performance Materiality and Risks to Balance-Related Audit Objectives
Although it is common to assess inherent and control risks for each balance-related audit objective, it is not common to allocate materiality to those objectives.
One major limitation in the application of the audit risk model is the difficulty of measuring the components of the model. It is a highly subjective process, so most auditors use broad categories such as low, medium, and high.
Tests of Details of Balances Evidence-Planning Worksheet
Auditors develop various types of decision aids to help link judgments affecting audit evidence with appropriate evidence to accumulate.
Revising Risks and Evidence
The audit risk model is primarily a planning model and is of limited use in evaluating results.
If audit evidence suggests that the risk is higher than originally thought, the auditor must revise the original assessment and consider the effect of the revision on evidence requirements.
The concepts of materiality and risk in auditing
are closely related and inseparable.
Risk is a measure of uncertainty.
Materiality is a measure of magnitude.
Fraudulent Financial Reporting
Reporting—An intentional misstatement or omission of amounts or disclosures with the intent to deceive users.
Most cases involve an attempt to overstate income, but can also understate income.
Earnings management involves fraud to meet earnings goals.
Income smoothing is a form of earnings management that shifts income from year to year to reduce fluctuations.
Misappropriation of Assets
Fraud that involves theft of an entity's assets. Normally perpetrated by lower level employees, but can involve upper management.
Incentives/Pressures—Management or other employees have incentives or pressures to commit fraud.
Opportunities—Circumstances provide opportunities for management or employees to commit fraud.
Attitudes/Rationalization—An attitude, character, or set of ethical values exists that allows management or employees to commit a dishonest act, or they are in an environment that imposes sufficient pressure that causes them to rationalize committing a dishonest act.
Sources of Information to Assess Fraud Risks
-communicate among audit team (how management could perpetrate/conceal fraud, how anyone could misappropriate assets, how audit might respond to susceptibility of fraud, how/where financial statement might be susceptible to fraud)
-inquiries of management
Identified Risks of Material Misstatement Due to Fraud
Auditing standards require that the auditor presume there is a risk of fraud in revenue recognition. If the auditor concludes that this assumption does not apply, it must be documented in the working papers.
Management is responsible for implementing corporate governance and control procedures to
minimize the risk of fraud, through a combination of prevention, deterrence, and detection measures.
The AICPA identifies three elements to prevent, deter, and detect fraud:
Culture of honesty and high ethics
Management's responsibility to evaluate risks of fraud
Audit committee oversight
Culture of Honesty and High Ethics
implement antifraud programs and controls that are based on core values embraced by the company.
-setting the tone at the top
-creating a positive workplace environment
-hiring and promoting appropriate employees
Management's Responsibility to Evaluate Risks of Fraud
Identifying and Measuring Fraud Risks: Effective fraud oversight begins with management recognition that fraud is possible and almost any employee is capable of it. Figure 10-6 reflects the percentage reduction in losses from fraud due to these antifraud controls.
Mitigating Fraud Risks: Management is responsible for implementing controls to mitigate fraud risks.
Monitoring Fraud Prevention Programs and Controls: Management should periodically evaluate antifraud programs and ensure controls are effective. Internal audit plays a key role in monitoring.
Audit Committee Oversight
primary responsibility to oversee the organization's financial reporting and internal control process.
The audit committee is a deterrent to fraud by senior management by:
Direct reporting of key findings by internal auditors to the audit committee
Periodic reports by ethics officers about whistleblowing
Other reports about lack of ethical behavior or suspected fraud
When an auditor identifies risks of material misstatements due to fraud, the auditor develops responses at three levels:
Overall Responses—Assign more experienced personnel to the audit or bring in a fraud specialist
Responses at the Assertion Level—Changing the nature, timing, and extent of audit procedures
Responses Related to Management Override:
Examine journal entries and other adjustments for evidence of possible misstatements due to fraud.
Review accounting estimates for biases.
Evaluate the business rationale for significant unusual transactions.
Update Risk Assessment Process
The auditor's assessment of risk of material misstatement due to fraud is ongoing throughout the audit.
The auditor should be alert for the following conditions during the audit:
Discrepancies in the accounting records
Conflicting or missing audit evidence
Problematic or unusual relationships between the auditor and management
Results from substantive or final review stage analytical procedures that indicate a previously unrecognized fraud risk
Responses to inquiries made throughout the audit that are vague or implausible or that produce evidence that is inconsistent with other information
Revenue and Accounts Receivable Fraud Risks
The Committee of Sponsoring Organizations (COSO) found that more than half of financial statement frauds involve revenue and accounts receivable, and related cash.
Three main types of revenue manipulation are:
Premature revenue recognition
Manipulation of adjustments to revenue
Warning Signs of Revenue Fraud—Two of the most useful are:
Misappropriation of Receipts Involving Revenue
Revenue—Rarely as material as fraudulent financial reporting, but is costly because it is a direct loss of assets (cash). Usually involve one of the following:
Failure to Record a Sale—One of the most difficult types of fraud to detect.
Theft of Cash Receipts After a Sale Is Recorded—To hide the theft, the perpetrator must reduce the customer's account in one of three ways:
Record a sales return or allowance.
Write off the customer's account.
Apply the payment from another customer to the customer's account.
Warning Signs of Misappropriation of Revenues and Cash Receipts
Receipts—Analytical procedures and comparisons are helpful
Inventory Fraud Risks
fictitious inventory has been at the center of several major cases of fraudulent financial reporting.
Auditors are required to verify the existence of physical inventories, but audit testing is done on a sample basis.
If inventory is stored in several locations, it is relatively easy for the client to move inventory to the sample testing site.
Warning Signs of Inventory Fraud
Analytical procedures, especially gross profit margin percentage and inventory turnover, are effective.
Purchases and Accounts Payable Fraud Risks
Companies may deliberately attempt to understate accounts payable and overstate income.
Misappropriation in the Acquisition and Payment Cycle
The most common fraud in the acquisition area is for payments to be issued to fictitious vendors and depositing the cash in fictitious accounts.
Other Areas of Fraud Risk
Fixed Assets—Companies may capitalize repairs to increase the amount of assets on the balance sheet.
Intangible Assets—The values of intangible assets, especially goodwill, are based on estimates and are susceptible to manipulation.
Payroll Expense—Rarely an area for fraudulent financial reporting, but often an area of misappropriation by payment to fictitious employees or overstatement of payroll hours.
Frauds are often detected by
Internal audit, or by accident.
When fraud is suspected, the auditor may
use inquiry to determine whether fraud actually exists.
For inquiry to be effective, the auditor must be skilled in:
Evaluating responses to inquiry
Observing behavioral cues:
Other Responsibilities When Fraud Is Suspected
Audit software analysis
Expanded substantive testing
Consider other audit implications
Auditors must document the following matters related to consideration of material misstatements due to fraud:
Significant decisions made during the discussion among engagement team in planning the audit
Procedures performed to obtain information necessary to identify and assess the risks of material fraud
Specific risks of material fraud that were identified at both the overall financial statement level and the assertion level and the auditor's response to those risks
Reasons supporting a conclusion that there is not a significant risk of material improper revenue recognition
Results of procedures performed to address the risk of management override of controls
Other conditions and analytical relationships indicating that additional auditing procedures or other responses were required, and the actions taken by the auditor in response
The nature of communications about fraud made to management, the audit committee, or others
internal control objectives
provide management with reasonable assurance that the company achieves its objectives and goals
Reliability of Reporting
Efficiency and Effectiveness of Operations
Compliance with Laws and Regulations
Management's Responsibilities for Establishing Internal Control
Management must establish and maintain the entity's internal controls.
Internal control systems are designed with two concepts in mind:
Reasonable Assurance—Management designs a system that provides reasonable assurance considering the costs involved.
No system of internal controls can be completely effective
Effectiveness depends on the competency and dependability of the employees
Collusion is still possible
Management's Section 404 Reporting Responsibilities
Section 404 of Sarbanes-Oxley requires management of all public companies to issue an internal control report that includes the following:
Statement of responsibility
Management must also identify the framework used for the evaluation.
Often COSO's 2013 Internal Control-Integrated Framework.
Management's assessment of internal control over financial reporting consists of two key aspects:
Management must evaluate the design of internal control.
Management must test the operating effectiveness of the controls.
-included in the 10k annual report filed with SEC
Auditor Responsibilities for Understanding Internal Control—
Must obtain an understanding of internal control relevant to the audit.
Auditors are primarily concerned about:
Controls over the reliability of financial reporting
Controls over classes of transactions
COSO's Internal Control—Integrated Framework (CRICM)
The COSO Framework describes five components of internal control:
1. Control environment 4. Information and communication
2. Risk assessment 5. Monitoring
3. Control activities
The updated COSO framework includes a total of 17 broad principles that provide guidance to support all three internal control objectives:
The Control Environment (tone at the top)
consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
The control environment has five underlying principles: (IBOCA)
Integrity and ethical values
Board of director or audit committee participation
Commitment to competence
process for identifying and analyzing risks that may prevent the organization from achieving its objectives.
There are four underlying principles related to risk assessment:
Have clear objectives
Determine how risks should be managed
Consider potential for fraud
policies and procedures that help ensure that necessary actions are taken to address the risks to the achievement of the entity's objectives.
There are three underlying principles related to control activities:
Develop control activities that mitigate risks to an acceptable level
Develop general controls over technology
Establish appropriate policies, procedures, and expectations
Control activities generally fall into the following five types: (PAPIA)
Adequate separation of duties
Proper authorization of transactions and activities
Adequate documents and records
Physical control over assets and records
Independent checks on performance
1. Adequate Separation of Duties—There are four general guidelines for adequate separation of duties to prevent both fraud and errors:
Separation of the custody of assets from accounting
Separation of the authorization of transactions from the custody of related assets
Separation of operational responsibility from record-keeping responsibility
Separation of IT duties from the user departments
2. Proper Authorization of Transactions and Activities
This is composed of both general authorization that management establishes through policies and procedures and specific authorization that applies to individual transactions.
Adequate Documents and Records
Proper design of documents and records include:
Prepared at the time a transaction takes place
Designed for multiple use
Constructed to encourage correct preparation
4. Physical Control Over Assets and Records
to maintain internal control, assets and records must be protected.
independent checks on performance
Careful and continuous review of the first four control activities. This is often called independent checks or internal verification. Personnel responsible for verification must be independent of those originally responsible for preparing the data.
Information and Communication
purpose is to initiate, record, process, and report the entity's transactions and maintain accountability for related assets.
Involves ongoing or periodic assessment of the quality of internal control by management. In larger companies, the internal audit department is essential for this function.
IT controls address the risks related to technology. There are two categories:
General Controls—Controls that apply to all aspects of the IT function
Application Controls—Controls that operate at the process level and apply to processing transactions
There are six categories of IT general controls:
Administration of the IT Function—Oversight by the board of directors or senior management is necessary for effective IT controls
Separation of IT Duties—Data control should be separated into the following categories:
Systems Development—This includes:
Purchasing or developing software that meets the organization's needs
Testing all new software to ensure that it is compatible with existing software, which may be done as pilot testing or parallel testing
Physical and Online Security—Often called cybersecurity
Physical Controls—Controls over computer equipment including hardware, software, and backup data files
Online Access Controls—Includes proper user IDs and passwords
Backup and Contingency Planning—IT must have backup and contingency plans because IT systems are subject to power failures, fire, excessive heat or humidity, and even sabotage.
Hardware Controls—These controls are built into computer equipment by the manufacturer to detect and report equipment failure.
application controls may be manual or automated and include the following:
Input controls (includes batch, hash total-->summary of codes from all records in a batch that don't represent a meaningful total)
IT infrastructure can impact the effectiveness of internal controls.
Local area networks (LANs) connect equipment within a small cluster of buildings.
Wide area networks (WANs) connect equipment in larger, even worldwide geographic areas.
Database management systems enable companies to share information across several platforms.
Enterprise resource planning (ERP) systems integrate many areas of the company into one accounting information system.
Companies use firewalls, encryption techniques, and digital signatures to increase security over IT systems.
IT services are often outsourced to service centers, including application service providers (ASPs) and cloud computing environments.
There are four steps in the process of understanding controls
Obtain and document understanding of internal control.
Assess control risk
Design, perform, and evaluate tests of controls.
Decide planned detection risk and substantive tests.
Obtain and Document Understanding of Internal Control
Narrative—Written description of client's internal controls including:
The origin of every document and record in the system
All processing that takes place
The disposition of every document and record in the system
An indication of the controls relevant to the assessment of control risk
Flowchart—A diagram of the client's documents flow in the organization.
Internal Control Questionnaire—Illustrated
Auditors use the following methods to evaluate implementation:
Update and evaluate auditor's previous experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
Determine Assessed Control Risk Supported by the Understanding Obtained
The auditor makes a preliminary assessment of control risk based on entity-level control risks as well as IT general controls.
Components of the control risk Matrix include:
Identify audit objectives.
Identify existing controls.
Associate controls with related audit objectives.
Auditing standards define three levels of the absence of internal controls:
Control Deficiency—The design or implementation of internal controls does not permit company personnel to prevent or detect misstatement.
Significant Deficiency—A deficiency that is less severe than a material weakness, but important enough to merit attention.
Material Weakness—Exists if a significant deficiency, or combination of significant deficiencies, result in a reasonable possibility that internal control will not prevent or detect material financial statement misstatement.
Identify Deficiencies, Significant Deficiencies, and Material Weaknesses—involves the following process:
Identify existing controls.
Identify the absence of key controls.
Consider the possibility of compensating controls.
Decide whether there is a significant deficiency or material weakness.
Determine potential misstatements that could result.
Identify Deficiencies, Significant Deficiencies, and Material Weaknesses (cont.)
associates control risk and deficiency with each related audit objective
Purpose of Tests of Controls
to test the effectiveness of controls in support of a reduced control risk for the audit
The auditor uses four types of procedures to test controls:
Make inquiries of appropriate client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
Extent of Procedures
depends on preliminary assessed control risk
If the auditor wants a lower control risk, more extensive tests of controls are applied, both in number and extent of tests.
The extent of tests of controls is also dependent on the following:
Reliance on evidence from the prior year's audit
Testing of controls related to significant risks
Testing less than the entire audit period
There is significant overlap between tests of controls and procedures to obtain an understanding. However, there are two primary differences:
In obtaining an understanding of internal control, the procedures are applied to all controls identified during that phase. Tests of controls are applied only when the assessed control risk has not been satisfied.
Procedures to obtain an understanding are performed on only one or a few transactions. Tests of controls are performed on larger samples and often at more than one point in time
Understanding Internal Controls on Outsourced Systems—
When clients use service centers for processing transactions, the auditor may need to obtain an understanding of the controls of the service center.
Reliance on Service Center Auditors—
It has become increasingly common for service centers to engage their own CPA firm to obtain the understanding necessary for an audit and issue a report to be used by the auditors of their customers.
The auditor uses the control risk assessment and results of tests of controls to determine
planned detection risk and related substantive tests for the audit.
-the auditor links the control risk assessment with each balance related audit objective
audit reporting on internal control
The auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence
The auditor will issue an unqualified opinion on internal control over financial reporting when two conditions are met:
There are no identified material weaknesses as of the end of the fiscal year.
There have been no restrictions on the scope of the auditor's work.
The differences for smaller companies that are not subject to Section 404(b):
Reporting—no requirement for a report on internal control
Extent of Internal Controls—may be less extensive, e.g. adequate separation of duties is difficult in smaller companies
Extent of Understanding Needed—sufficient to assess risk for the audit
Assessing Control Risk—the auditor will assess control risk at maximum when controls are ineffective or nonexistent for any audit objectives
Extent of Tests of Controls Needed—the auditor will not perform tests of controls when control risk is assessed at maximum
Auditing in More Complex IT Environments
When traditional source documents and accounting records exist only electronically, the auditors must change their approach by auditing through the computer.
Test Data Approach-->audit predicted results of key control procedures based on an understanding of internal control
Parallel Simulation (common using generalized audit software (GAS)) -->auditor prepares a program to simulate all or part of a client's application system
Embedded audit module approach
Auditors insert an audit module into the client's application system to identify specific types of transactions.
Risk Assessment Procedures
Auditors use the results of risk assessment procedures to determine the type and amount of further audit procedures necessary to form an opinion on the fairness of the financial statements.
The amount of evidence needed for tests of controls depends on two things
The extent of evidence obtained in gaining the understanding of internal control
The planned reduction in control risk
Substantive tests of transactions
Used to determine whether all six transaction-related audit objectives have been satisfied for each class of transactions.
Substantive Analytical Procedures
Although not required, substantive analytical procedures may be used to audit an account balance. The two most important purposes of substantive analytical procedures are:
Indicate possible misstatements in the financial statements
Provide substantive evidence
Tests of Details of Balances
The primary emphasis of tests of balances is on the balance sheet.
The auditor must decide which type of test to select for obtaining sufficient appropriate evidence and the cost of the evidence is an important consideration. Types of tests in order of increasing cost:
Substantive analytical procedures
Risk assessment procedures
Tests of controls
Substantive tests of transactions
Tests of details of balances.
Relationship Between Tests of Controls and Substantive Tests
When test of controls show deviations that lead the auditor to believe that there may be material misstatements, the auditors then perform substantive tests to determine whether a material misstatement actually occurred.
Relationship Between Substantive Analytical Procedures and Other Substantive Tests -
Analytical procedures only indicate the likelihood of misstatement.
The combination of the types and amounts of evidence needed in an audit
The types of evidence chosen and the extent of use by the auditor varies widely from audit to audit, based on levels of internal control effectiveness and inherent risks.
design of the audit program
risk assessment procedures to determine the appropriate emphasis on each of the other four types of tests, and design the specific audit procedures for each type of test.
-The audit program will include procedures to satisfy all audit objectives, but here we focus on designing audit programs to satisfy transaction-related and balance-related audit objectives.
Besides the risk assessment procedures, the audit program is designed in three additional parts:
Tests of controls and substantive tests of transactions
Substantive analytical procedures
Tests of details of balances
Auditors follow a four-step approach to reduce assessed control risk:
Apply the transaction-related audit objectives to the class of transactions being tested, such as sales.
Identify key controls that should reduce control risk for each transaction-related audit objective.
Develop appropriate tests of controls for all internal controls that are used to reduce the preliminary assessment of control risk below maximum (key controls).
For potential types of misstatements related to each transaction-related audit objective, design appropriate substantive tests of transactions, considering deficiencies in internal control and expected results of the tests of controls in step 3.
Tests of Details of Balances - The key decisions involved in designing tests of details of balances: (ISA3D)
Identify Significant Risks and Assess Risk of Material Misstatement
Set Performance Materiality
Assess Control Risk for the Sales and Collection Cycle
Design and Perform Tests of Controls and Substantive Tests of Transactions
Design and Perform Substantive Analytical Procedures
Design Tests of Details of Accounts to Satisfy Balance-Related Audit Objectives
Level of Disaggregation of Planning Activities
The levels range from overall audit to balance-related audit objectives
Illustrative Audit Program
auditing standards require the auditor to use a written audit program
Relationship of transaction-related audit objectives to Balance-related and Presentation and disclosure-related audit objectives
Tests of details of balances are the primary test to reduce detection risk to an acceptable level.
Even when all transaction-related audit objectives are met, the auditor will still rely primarily on substantive tests of balances to meet the following balance-related audit objectives:
Rights and obligations
Sets with similar terms
ACCT 402 Final
Becker Audit 3
Becker Audit 3
Other sets by this creator
Chapter 8 Controls for Information Security
Other Quizlet sets
1.1-Audited Financial Statements - The Basics
Intermediate Accounting Chapter 1
Accounting Midterm Review
Auditing Exam 1 ( Power Point) Overview