AUDITING & ATTESTATION – 3 PLANNING & SUPERVISION
TIP PIE ACDO “The auditor must adequately plan the work and must properly supervise any assistants” Audit committee of client’s board of directors is responsible for the selection and appointment of independent external auditor, and for reviewing the nature and scope of the engagement. Auditor has interaction with audit committee in planning phase. Sarbanes-Oxley Act: 1. Auditors report to and are overseen by the client’s audit committee. 2. Audit committee pre-approves all services provided by auditor. 3. Specified non-audit services are prohibited “Those charged with governance” = bear responsibility to oversee the obligations, financial reporting process, and strategic direction of entity. = “board of directors” and “audit committee” In new client relationship, new CPA is required to talk to old CPA. Client permission is needed to talk to Old CPA, otherwise it is scope limitation. Auditor then should consider whether or not to accept engagement. Before accepting, talk to old CPA regarding: 1. Information that might bear on management integrity 2. Disagreements with management over accounting principles, auditing procedures, or other similarly significant matters 3. Predecessor’s understanding as to the reasons for the change of auditors 4. Communication to management, the audit committee, and those charged with governance regarding fraud, illegal acts by client, and matters relating to internal control. After acceptance, inquire with the old CPA regarding: 1. Making specific inquiries about the audit (i.e. audit problems) 2. Reviewing the predecessor’s audit documentation (workpapers for evidence) If new CPA uncovers potential problems relating to old CPA’s audit, new CPA should ask client to arrange meeting involving new and old CPA and the client. If management refuses or successor auditor is not satisfied with the resolution, the new auditor should consider the implications and whether to resign. Preliminary Engagement Activities: After accepting, consider whether or not to continue the engagement 1. Assess the auditability of the client a. The integrity of management (increases the likelihood of FS misrepresentation) b. The availability and adequacy of the client’s accounting records (lack of records = scope limitation) c. The ability of the auditor to perform the audit after consideration of: i. The auditor’s knowledge of client’s industry and possible need for a specialist ii. The auditor’s independence of the client iii. Scope limitations iv. Staffing needs of the engagement v. The auditor’s ability to comply fully with the Code of Professional Conduct 2. Client’s business risk: risk that events may occur that will negatively impact the company. 3. CPA’s business risk: risk that management will not prove to be profitable and whether to accept the engagement Evaluate compliance with ethical requirements 1. Independence: auditor independence in fact and appearance 1
2. Quality control policies and procedures: part of pre-acceptance phase of engagement, accountant must document compliance with the firm’s quality control policies and procedures regarding acceptance or continuance of clients and engagements. Engagement letter = a signed contract to establish understanding with the client. It is presumptively mandatory requirement (required in most circumstances). It is accepted, signed, and dated by client. Understanding should include: 1. Objectives of the Engagement (it is to express an opinion) 2. Management’s responsibilities: a. Financial statements b. Accounting policies c. Internal control d. Compliance with laws e. Making all financial records available to auditor f. Providing management representation letter (at the end of the audit) g. Adjust FS to correct material misstatements identified by auditor h. Affirming in the management representation letter that effects of any uncorrected misstatements are immaterial 3. Auditor’s responsibilities: a. Conduct audit in accordance with GAAS b. Obtain reasonable assurance that FS are free of material misstatement c. Obtain understanding of entity, its environment, internal control, assess risk d. If audit is incomplete, unable to form opinion, decline to express opinion or decline to issue report 4. Limitations of the Engagement a. Material misstatement may remain undetected b. Audit is not designed to detect error or fraud that is immaterial to FS c. Audit is not designed to provide assurance on internal control, or identify significant deficiencies d. If deficiencies discovered, ensure that those charged with governance are aware 5. Other matters a. Audit is subject to inherent risks that errors and fraud will not be detected 6. Documentation a. Document understanding with client through written communication. Client engagement letter should be accepted signed and dated by client. Planning the audit Objective of planning phase: develop overall strategy of audit, including conduct, organization, and staffing. Nature, extent, and timing of planning will vary based on the size and complexity of the entity, and on auditor’s experience and understanding of entity. (The NET we cast over the audit.) Auditor is required to: • Obtain understanding of entity and environment (internal control, assess risk, design audit procedure) • Obtain knowledge of client’s industry and business • Use analytical procedures as planning procedure • Develop and document an audit plan • Consider materiality and audit risk Knowledge of Client’s industry: Common sources of industry info: AICPA accounting and audit guides
2
Trade publications and professional trade associations Government publications AICPA Accounting Trends and Techniques (annual survey of accounting practices) Knowledge of Client’s business: Tour client facilities (meet personnel and observe general operation) Review financial history of client (previous audit reports, audit files, interim FS, meeting minutes, SEC filings, tax returns) Obtain understanding of client accounting (methods, policies, unusual events, related party transactions) Inquiry of client personnel (current business developments) Analytical Procedures Analytical procedures are used: • Planning the nature, extent, and timing of other auditing procedures (REQUIRED) • Substantive tests to obtain evidential matter (OPTIONAL) • Overall review in the final review stage of the audit (REQUIRED) GAAS requires: Analytical procedures performed during planning: • During planning, analytical procedures consist of a review of data aggregated at high level (i.e. compare FS to budget or anticipated results) • Generally, financial data is used, though relevant nonfinancial data (i.e. # of employees, square footage of selling space, volume of goods produced) may also be considered • Purpose: to enhance the auditor’s understanding and identify unusual transactions and events, and amounts Overall Audit Strategy General: Characteristics of engagement, Reporting objectives (incl. NET of required communications), Preliminary evaluations of materiality, Involvement of other auditors, specialists, internal auditors, Effect of information technology, Knowledge from prior experience with entity Resource allocation: allocate appropriate resources to engagement (staff, skills, experience) Communication with Those Charged with Governance: required to communicate the planned scope and timing of audit The Audit Plan: must be written • Components: auditor must develop an audit plan in which specific audit procedures are documented. Plan should include description of nature, extent, timing of: o Planned risk assessment procedures (REQUIRED in all FS audits): Assess risk of material misstatement Results affect whether and to what extent further audit procedure are necessary o Planned further audit procedures Applied at relevant assertion level for material account balance, transaction class, and disclosures Include tests of operating effectiveness of controls, include NET of planned substantive procedures • Relationship of audit strategy and audit plan (plan follows strategy) • Need for Specialist (either from within the audit firm or outside) o Complex systems, extensive use of e-commerce, significant audit evidence is only available in e-form • Timing of audit procedures (testing at interim date, effect of IT) Written audit plan is required! Materiality Misstatement: consider what level of misstatement is material, alone or when aggregated with other misstatements Known Misstatements = specific misstatements identified during the audit Likely Misstatements = misstatements that auditor considers likely to exist, either due to differences between auditor and management judgments regarding estimates or based on extrapolation from audit evidence 3
Tolerable Misstatement (tolerable error) = maximum error in a specific population auditor is willing to accept Misstatements must be communicated to management. Auditor should 1. Distinguish between known and likely misstatements 2. Request management to review the situation and make appropriate corrections If management refuses to correct some or all, auditor should consider implications on auditor’s report Materiality = amount of error or omission that would affect judgment of reasonable person Preliminary judgment about materiality: During planning phase, auditor establishes preliminary level of materiality Tolerable error is typically lower than overall FS materiality limits Because the FS are interrelated, the auditor should use the smallest level of misstatement that could be material to any one of the financial statements. This preliminary assessment of materiality ordinarily will be revised as the audit progresses Evaluation of audit findings Size of misstatement is often evaluated in comparison to a relevant financial base (net income, gross sales, gross margin, total assets, total liabilities) Auditor must consider the effects, individually and aggregate, of uncorrected misstatements (both known and likely) Prior period misstatements may affect the FS of current period Misstatements are more likely to be considered material if they: Affect trends in profitability or mask a change in trend, or change loss into income Affect the entity’s compliance with loan covenants, contracts, or regulatory provisions Increase management compensation, indicate a pattern of management bias, or involve fraud Affect significant FS elements, such as those involving recurring earnings (as opposed to nonrecurring) Can be objectively determined, as opposed to including an element of subjectivity Documentation Requirements – Auditor should document: Planning levels of materiality and tolerable misstatement, the basis for those levels, and any subsequent changes Known and likely misstatements that were corrected by management Summary of uncorrected misstatements, the auditor’s conclusion regarding whether such misstatements cause the FS to be materially misstated, and basis for conclusion Documents of uncorrected misstatements should include: o Separate identification of known and likely misstatements o The aggregate effect on the FS o Relevant qualitative factors affecting materiality judgments ***If material risk is high, then detection risk is low.*** Audit Risk - Risk that the auditor may unknowingly fail to modify appropriately the opinion on FS that are materially misstated - Should be reduced to a low level before an opinion on FS is expressed The audit risk model: the risk that the auditor will give the wrong opinion. AR Audit Risk (should be low)
=
RMM Risk of Material Misstatement (assessed by auditor)
X
DR Detection Risk (controlled by auditor) 4
***RMM = Exists independently of the financial statement audit. So in simple words... AR (giving a wrong opinion) = RMM (error in client’s accounting system) X DR (our audit work not finding the mistake) AR Audit Risk (should be low)
=
IR Inherent Risk
X
CR Control Risk
X
DR Detection Risk (controlled by auditor)
So in simple words... AR (giving a wrong opinion) = IR (error in client’s accounting system) X CR (internal controls/auditor did not catch it) X DR (our audit work not finding the mistake) Risk of Material Misstatement (RMM): - Exists independently of financial statement audit - Auditor assess by performing risk assessment procedures and test of controls - Can be subdivided into inherent risk (IR) and control risk (CR) Inherent Risk (IR) - The susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls - Mistake in client’s accounting system - Auditor assesses but cannot change the inherent risk (whether client’s system is good or not, it can’t be changed) - Assertions involving complex calculations, amounts derived from estimates, and cash have relatively higher inherent risk than assertions without those characteristics Control Risk (CR) - Risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a timely basis by the entity’s internal control - Auditor assesses but cannot change the control risk (whether client’s internal control is good or not, it can’t be changed) - Function of the effectiveness of the design and operation of internal control ** Inherent risk and control risk exist independently of the audit, and auditor generally cannot change these risks. RMM IR x CR
DR
Auditor cannot change the risk of material misstatement, but can change his assessment of this risk as the audit progresses. Detection Risk (DR) - The risk the auditor will not detect a misstatement that exists in a relevant assertion = auditor will miss the mistake - Is a function of the effectiveness of audit procedures - Can be subdivided into tests of details risk (TD) and substantive analytical procedures risk (AP) - Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures. Example 1: acceptable level of DR decreases, the assurance provided from substantive procedures should increase: 5
1. Change the nature of substantive tests from less effective to more effective procedure (direct test toward independent parties outside the entity rather than toward parties or documentation inside the entity) 2. Change the extent of substantive tests (use larger sample size) 3. Change the timing of substantive tests (perform substantive tests at year-end rather than at interim) Example 2: acceptable level of DR increases, the assurance that must be obtained from substantive tests decreases, allowing for somewhat less persuasive evidence to be used, for a reduced extent of testing, or for more testing to be performed at interim. Substantive procedures always required!!! RMM and DR have inverse relationship. When auditor determines that risk of material misstatement is high, detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can justify a higher detection risk. Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures. RMM and the assurance required from substantive procedures have direct relationship. Greater risk requires more persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing. Audit risk and materiality are affected by the size and complexity of the entity. They must be considered at both the FS level and the account balance, individual transaction class, or disclosure item level. Considerations at Financial Statement Level At the FS level, the auditor should consider risks that have a pervasive effect on the FS, potentially affecting many relevant assertions. FS level audit risk often relates to entity’s control environment. Purpose: o Design risk assessment procedures o Identify and assess risk o Design further audit procedures o Evaluate the FS taken as a whole Auditor’s response: o The competency of personnel assigned to the engagement o The potential need for a specialist o The appropriate level of supervision of assistants Considerations at the Account Balance, Transaction Class, or Disclosure Item Level Purpose: At account balance, transaction class, or disclosure item level, used to determine the nature, extent, and timing of audit procedures to be applied to specific account balances, transaction classes, or disclosure items. The audit risk model may be useful in this regard. Inverse relationship between audit risk and materiality. The risk of a very large misstatement may be low, whereas the risk of small misstatement may be high. The more material the misstatement is, the less likely the auditor will miss it. Audit Procedures: performed to obtain evidence on which to base the audit opinion 1. Risk assessment procedures: obtain an understanding of the entity and its environment, including internal control, in order to assess the risk of material misstatement. 2. Tests of controls: (CRIME) auditor tests internal controls. Evaluate the operating effectiveness of internal control in preventing or detecting material misstatements. Tests of controls are necessary when: a. The auditor’s risk assessment is based to some extent on the operating effectiveness of internal control b. Substantive procedures alone are deemed to be insufficient 6
3. Substantive procedures: auditor tests $$$ balances. Used to detect material misstatements, and include tests of details and substantive analytical procedures. They are performed in response to the planned level of DR, which may be based on the results of tests of controls. Test of controls are ALWAYS necessary. *****MUST understand the fundamentals and memorize the assertions of the following FS Assertions made by management: All of the “A CPA CO CARE about CURVed assertions” Financial Statement Assertions – Assertions by mgmt fall into 3 categories: (“A CPA CO CARE about CURVed assertions”) 1. Transactions and Events • C – Completeness – all transactions and events that should have been recorded have been recorded • P –Proper period cutoff – transactions and events have been recorded in the correct (proper) accounting period • A –Accuracy – amounts and other data relating to recorded transactions and events have been recorded appropriately • C –Classification – transactions and events have been recorded in the proper accounts • O – Occurrence – transactions and events that have been recorded have occurred and pertain to entity 2. Account Balances • C – Completeness – all assets, liabilities, and equity interests that should have been recorded have been recorded • A – Allocation and Valuation – assets, liabilities, and equity interests are included in the FS at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded • R – Rights and Obligations – the entity holds or controls the rights to assets, and liabilities are the obligations of the entity • E – Existence – assets, liabilities, and equity interests exist. 3. Presentation and Disclosure • C – Completeness – all disclosures that should have been included in the FS have been included • U – Understandability and Classification – financial information is appropriately presented and described and disclosures are clearly expressed • R – Rights and Obligations, and Occurrence – disclosed events and transactions have occurred and pertain to the entity • V – Valuation and Accuracy – financial and other information are disclosed at fairly and at appropriate amounts Financial Statement Assertions:
“A CPA CO CARE about CURVed assertions”
Drafting the Audit Plan = REQUIRED After sufficient planning information has been gathered, an audit plan should be drafted. - Is a listing of detailed audit procedures - Set out procedures specifying the nature, extent, and timing of the work to be performed CPA gathers evidence to support the expressed opinion Proper Supervision = TIP PIE ACDO When assistants are used, proper supervision includes: (don’t have to memorize, just know them) 1. Directing the efforts of assistants 2. Communicating with the audit team 3. Informing assistants of their responsibilities 4. Staying informed regarding significant accounting and auditing issues 5. Reviewing the work performed by assistants 6. Dealing with differences of opinion among members of the audit team Extent of supervision depends on: complexity of subject matter and qualifications of assistants
7
Role of the client’s internal auditors is NOT judgment. When planning the audit, the auditor should consider the extent of involvement of the client’s internal auditors in the performance of the audit. While internal auditors must maintain objectivity and integrity, they are NOT independent of the client, their employer. The independent external auditor cannot share with the internal auditor any of the responsibility for audit decisions, judgments, or assessments made as part of the audit. External Auditor Responsibilities • Obtain an understanding of the internal audit function. • If the auditor decides to make us of the internal auditor’s work, competence and objectivity must be assessed. • The higher the level of the reporting of internal auditor, the more objectivity that can be assumed • If internal auditor’s work is used, external auditor must evaluate their work by reperforming or examine some tests • The external auditor remains solely responsible for the report on the FS. While the internal auditor may assist with regard to routine ministerial tasks, he may NOT be utilized to make judgment calls, which remain the responsibility of independent auditor. CPA must judge and assess, NOT internal auditors. Using the Work of a Specialist – use of a specialist when: (don’t have to memorize, just know them) 1. Valuation of restricted securities and works of art 2. Determination of physical characteristics (i.e. mineral reserves, fungible goods) 3. Determination of specialized estimates (i.e. actuarial calculations) 4. Interpretation of technical standards or legal documents The Specialist: - Should have an understanding of the auditor’s use of the specialist’s findings. - Does not have to use the same methods as client in calculating amounts. The auditor must understand the nature of specialist’s work and be able to evaluate the findings for their suitability in corroborating FS amounts. The auditor must be satisfied as to the professional competence and reputation of the specialist. **Treat the specialist like one of your staff, which is the following: 1. R – Reputation 2. I – Independent 3. P – Professional Competency 4. P – Program Steps Based on the specialist’s work, if the auditor decides to add an explanatory paragraph or depart from unqualified opinion, auditor may refer to the specialist in the report. If the auditor is expressing a standard unqualified opinion, no reference should be made to the specialist. Fraud and Illegal Acts
Errors = Unintentional misstatements or omissions of amounts or disclosures Fraud = Intentional action that results in misstatement of FS 1. Fraudulent Financial Report = LYING. Intentional misstatements or omissions of amounts or disclosures in the FS, designed to deceive FS users. Usually acts of management and may involve: a. Manipulation b. Misrepresentation c. Intentional misapplication of accounting principals 2. Misappropriation of Assets = STEALING. Involves theft of an entity’s assets. 8
Fraud Risk Factors include: 1. Incentive/Pressures: a reason to commit fraud 2. Opportunity: a lack of effective controls 3. Rationalization/Attitude: an attempt to justify fraudulent behaviour Due to the concealment aspects of fraud and the need to apply judgment in evaluating fraud risk, even a properly planned and executed audit may fail to detect fraud. The more indirect the effect of error or fraud is on the FS, the less chance the auditor has of detecting it. It is management’s responsibility to design and implement programs and controls to prevent, deter, and detect fraud. The auditor has a responsibility to design (design = plan and perform) the auditor to obtain reasonable assurance about whether the FS are free of material misstatement, whether caused by error or fraud. Auditor should maintain an attitude of professional scepticism, including questioning mind and critical assessment. Auditor should perform the following procedures: 1. Discuss fraud risk with engagement personnel 2. Obtain information to identify specific fraud risks 3. Assess fraud risk and develop an appropriate response 4. Evaluate audit evidence regarding fraud 5. Make appropriate communications about fraud 6. Document the auditor’s consideration of fraud Discussion among engagement personnel is REQUIRED as part of planning Consideration of the risk of management override of controls – major factor in fraud Discussion should involve all key members of audit team, may include specialists, and may occur in multiple locations. Communication should continue throughout the audit. When inquiring of entity personnel regarding their views of fraud risk – the auditor should direct inquiries to management, employees involved in financial reporting, operating personnel, internal auditors, in-house legal counsel, those charged with governance, etc. o Inconsistent responses indicate a need for additional evidence Analytical Procedures – required during the planning stage AND final stage When planning, auditor is specifically required to perform analytical procedures relating to revenue, in order to identify unusual relationships that might be indicative of fraud. They often use data aggregated at high level, and may only provide broad indication regarding fraud risk. The attributes of risk: 1. Type of risk: Does it involve fraudulent financial reporting or misappropriation of assets: Lying or Stealing? 2. Significance of the risk: Can it lead to a material misstatement? 3. Likelihood of the risk: How likely is this to happen? 4. Pervasiveness of the risk: Does it affect the FS as a whole or only specific accounts, transactions, or assertions? (So wide spread problem or limited to one area or one person) There is a presumption in every audit that the following two risks exist: → Improper revenue recognition 9
→ Management override of controls Additional Considerations of the following factors: → The size, complexity, and ownership characteristics of the entity o Large entities may have audit committee, internal audits, formal code of conduct o Smaller entity may lack such features → The Greatest Risk is when: o Management judgment is involved o Highly complex accounting principles The auditor is required to respond to the results of the risk assessment on three levels: 1. Overall, General Response – auditor should consider the overall fraud risk when: a. Assigning personnel to the engagement b. Determining the appropriate level of supervision of engagement personnel c. Evaluating management’s selection and application of accounting principles d. Incorporating an appropriate level of unpredictability in the selection of auditing procedures from one year to next 2. Response Encompassing specific audit procedures: a. Nature – change nature of specific procedures by seeking evidence that is more reliable b. Extent – vary the extent of testing by increasing sample size, performing testing at a more detailed level c. Timing – judgement to determine the appropriate timing for audit procedures The auditor uses a “NET” because a CPA CAREs about CURVed assertions” 3. Response addressing risks related to management override a. Examine journal entries and other adjustments (scrutinizing the journal entries at the highest level is essential) b. Review accounting estimates for biases (ex. completely manipulate and over-exaggerate the values) c. Evaluate the business purpose for significant unusual transactions (ask questions when complex situation) Significant Fraud Risk – Withdraw! Examples of responses to identified risks: Revenue recognition - Perform substantive analytical procedures relating to revenue - Confirm with customers contract terms and absence of side agreements - Inquire of entity personnel regarding unusual conditions - Physically observe shipments close to period end - Test controls surrounding the electronic processing of revenue transactions Revenue recognition criteria: 1. Must have signed agreement (arrangement) 2. Must be a delivery – risk and rewards 3. Must be a fixed or determinable price 4. Collectability Inventory quantities - Material Misstatement Concern: Failure to reconcile books to physical inventory - Examine inventory records - Observe inventory counts on unannounced basis - Conduct inventory counts at different locations on same date - Conduct inventory counts at or near the end of the period - Perform more rigorous examination and additional testing during observation - Compare quantities for the current period with prior periods 10
Management Estimates: - Engage a specialist to evaluate management’s estimate. - Develop an independent estimate - Perform a retrospective review of prior period estimates (how good were last year’s estimates?) Evaluating Audit Evidence – Conditions identified during fieldwork: a) Discrepancies in the accounting records b) Conflicting or missing evidential matter c) Problematic or unusual relationships between the auditor and management Analytical Procedures are REQUIRED during planning and final review. When performed at completion of audit, it may indicate a fraud risk that was not previously identified. Auditor should pay careful attention to unusual relationships relating to year-end revenue and income. Misstatement caused by fraud (even immaterial misstatements) may be indicative of an underlying problem with management integrity – WITHDRAW The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness of controls, and the appropriateness of the audit procedures applied A final evaluation should be made regarding the assessment of the risks of material misstatement due to fraud Management and those charged with governance – Generally, any indication of fraud (even immaterial fraud) should be discussed with an appropriate level of management, at least one level above those involved. - Fraud that causes a material misstatement: discuss with senior mgmt and report directly to those charged with governance - Fraud involving senior management: report directly to those charged with governance - Identified risk factors that represent significant deficiencies or material weaknesses: communicate with senior management and those charged with governance Parties outside the entity that we must communicate with: 1. To comply with certain legal and regulatory requirements 2. To a successor auditor 3. In response to a subpoena 4. To a funding agency Complete documentation of the auditor’s risk assessment and response is required. Including: - Planning among engagement personnel regarding fraud risk - Procedures performed to obtain information related to fraud risk - Specific identified risks of material misstatement due to fraud - If the auditor has not identified improper revenue recognition as a fraud risk, support for this conclusion - Results of procedures performed to address the risk of management override of controls - Other conditions and analytical relationships that warranted further audit work - Nature of communications made about fraud Record retention is now MANDATORY under GAAS, AICPA, and Sarbanes-Oxley (SOX for 7 years)!!! Fraud = intentional Errors = unintentional Illegal Acts = violations of law 11
→ Auditor’s responsibility to detect illegal acts that have a material and direct effect on FS is the same as that for errors and fraud. → Auditor has a responsibility to plan and perform the audit to obtain reasonable assurance that the FS are free of material misstatement. → Auditor is under no obligation to look for illegal acts having an indirect effect on the FS. → Generally, the less the act affects the FS, the less likely it is that the auditor will discover it. → The auditor generally does not include procedures specifically to detect illegal acts, but may discover such acts through other procedures, such as reading minutes or making inquiries of management or of legal counsel. Auditor’s Response to Illegal Acts When we suspect there is a problem – Possible illegal acts: 1. Obtain an understanding of the situation 2. Inquire of management at a level above those involved 3. Consult the client’s legal counsel 4. Apply additional audit procedures, if necessary When we have found a problem – Detected illegal acts: 1. Consider the effects of the illegal act on FS 2. Evaluate the materiality of the illegal act (consider quantitative and qualitative factors) 3. Evaluate the disclosure of loss contingencies, including possible fines, penalties, and damages 4. Consider the implications for other areas of the audit 5. Communicate the illegal act to those charged with governance Effect of illegal act on auditor’s report: 1. Departure from GAAP – “Except For” qualified or adverse 2. Insufficient Evidence – “Except For” qualified or disclaimer 3. Client Refuses to modify report – Withdraw If client fails to take appropriate action regarding any illegal act (including those that are non-material), then withdraw! Those charged with governance should be adequately informed of illegal acts unless they are clearly inconsequential. This could be oral or written, but oral communications should be documented. Ordinarily, the auditor is not responsible to communicate this disclosure to anyone other than senior management and those charged with governance, but it may be required in some circumstances. For example: o Comply with certain legal and regulatory requirements o To a successor auditor o In response to a subpoena o To a funding agency Risk Assessment
TIP PIE ACDO (Fieldwork) -
Second GAAS standard of fieldwork requires auditor to obtain understanding of entity and its environment, including internal control. Must perform risk assessment procedures to obtain this understanding.
Audit Steps: “IM A CPA” I – Internal Control – Understand entity and its environment, including internal control M – Material Misstatement – Assess risk of material misstatement A – Assessed Risk Response – Respond to assessed risk level by designing further audit procedures based on assessment C – Control Testing – Test internal controls to evaluate their operating effectiveness P – Perform Substantive Testing – Perform substantive tests 12
A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained I – Internal Control – Understand entity and its environment, including internal control Obtaining understanding is critical – it establishes a frame of reference within which the audit is planned and performed Risk assessment procedures: 1. Inquiries – of management, others in entity, board of directors, internal auditors, legal counsel 2. Analytical Procedures – required in planning and final stage – compare recorded amounts to expectations 3. Observation and Inspection – inspect company documents, read reports, board minutes 4. Discussion Among the Audit Team – significant audit risk, management overrides, may be held with the discussion involving fraud risk 5. Other Procedures – review external info, fraud risk assessment results, prior period evidence Auditor may perform substantive procedures or tests of controls concurrently with risk assessment procedures. Risk assessment may change as more evidence is obtained; the auditor should revise the assessment and modify planned audit procedures. Factors to understand: • Industry, Regulatory, and Other External Factors • Nature of the Entity (operations, ownership, governance, investments, structure, financing) • Objectives, Strategies, and Business Risks o Business risk: often arises from change or complexity o Example: competitive risk may render a company’s product obsolete or reduce value, and failure to recognize this change could result in a material misstatement of inventory • Entity’s Financial Performance (management measures this performance, auditor should obtain an understanding) • Internal Control, Including the Selection and Application of Accounting Policies M – Material Misstatement – Assess risk of material misstatement When assessing risk, consider whether substantive tests alone are insufficient to reduce detection risk to an acceptably low level (i.e. whether evaluation of controls is also necessary – covered later). Significant Risks: Factors that may be indicative of significant risks: • Nonroutine, unusual, or complex transactions • Business risks • Fraud risk • Significant related party transactions • Accounting estimates • Accounting principles that are subject to different interpretations Respond to assessed risk level by designing further audit procedures based on assessment. Response to significant risks: • Evaluate the design of the entity’s related controls • Determine whether the controls have been implemented • Evaluate whether and how management responds to such risks (if mgmt doesn’t respond, go to those charged with governance) Test internal controls to evaluate their operating effectiveness Test of controls: Test strengths to be relied upon, not weaknesses Identify controls that are likely to prevent or detect and correct material misstatements in specific relevant assertions. If risk assessment is based on effective operation of those controls, they must be tested by the auditor.
13
Identify specific internal controls relevant to specific assertions. Controls that are more directly related to an assertion are more effective in preventing/detecting and correcting it, than those indirectly relating to an assertion. Situations that reflect management integrity or lack of records = Qualifying, Disclaiming, or Withdrawing! Documentation Requirements: Document the following: • Discussion among the audit team • Key elements of understanding of the entity and its environment (including all components of internal control) • The assessment of the risks of material misstatement • Identified risks and related controls evaluated by the auditor • Control factors used/helped plan the audit engagement • Control factors that helped ensure management rules/directives were followed *****The documentation may include any item the auditor can FIND: F – Flowchart I – Internal Control Questionnaire or Checklists N – Narrative D – Decision table Flowcharts: - Depicts auditor’s understanding of system. - A symbolic diagram representing the sequential flow of authority, processes, and documents - Adequate flowchart shows the origin of each document in the system, its subsequent processing, and its final disposition - IT flowcharts are initially created to document the logic and existing flow of a computer program - Flowchart Organization: o Show the general flow of documents and data o Start at top of page and move from top to bottom and from left to right o Use descriptive wording geared to the reader o Avoid intersecting flow lines by using off-page/on-page connectors - MUST SEE FLOWCHARTING SYMBOLS on page A3-42!!!!! Internal Control Questionnaires: - Used for each item of management assertions: “a CPA CO CAREs about CURVed assertions” - Generally, consists of a list of questions to be answered by “YES” or “NO” response - Negative response is designed to draw attention to a possible weakness in internal control - Written explanations are required for “NO” answers - The questionnaire format can be open-ended, requiring explanation by employee being interviewed Narratives: - Hard to “see” weaknesses - Is a written version of a flowchart - Appropriate for less complex control structures (flowcharts are appropriate for more complex structures) Decision Trees or Tables: - Decision Trees are graphic illustrations that depict the logic of an operation or process - Decision Tables are graphic illustrations that depict the logical relationships of a system in table form Flowchart Sequential Decision Tree Logical
14
Internal Control
TIP PIE ACDO (Internal Control) Entity Objectives: 1. Reliability of financial reporting – Most RELEVANT to audit and auditor MUST consider and understand 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations 5 Components of Internal Control: CRIME 1. C – Control Environment: the overall tone of the organization 2. R – Risk Assessment: management’s identification of risk 3. I – Information and Communication Systems: a means of recording transactions and communicating responsibilities 4. M – Monitoring: assessment of internal control performance over time 5. E – Existing Control Activities: control policies and procedures Control Testing = Internal Control (CRIME) Substantive Testing = $$$ Balance Testing Auditor should focus on: How a specific control prevents, or detects and corrects, material misstatements Generally, those controls that pertain to the first objective, reliability of financial reporting, are most relevant to the audit; it is primarily those controls that the auditor must consider and understand. The auditor need not assess all controls related to financial reporting, but use professional judgement in determining it. ***It’s a “CRIME” not to have strong internal control.*** ***CPA required understanding for each element of “CRIME” as it pertains to financial reporting.” The auditor should obtain an understanding of the five components of internal control sufficient to: 1. Evaluate the design of relevant controls and determine whether they have been implemented. 2. Assess the risk of material misstatement – identify types of potential misstatement 3. Design the nature, extent, and timing of further audit procedures a. Identify types of potential misstatement b. Consider factors that affect the risks of material misstatement c. Design tests of controls d. Design substantive procedures A CPA tests internal control in order to adequately plan the “NET” audit. Limitations of internal control: Human error Deliberate circumvention of controls by collusion of two or more people Management override of internal control Segregation of duties may be difficult to achieve in a smaller entity (cost/benefit issue) Effect of Information Technology on Internal Control - IT system may make it impossible to reduce detection risk through substantive testing alone – MUST also perform control testing. - A CPA must document all evaluations. IT Benefits: 15
-
The ability to process large volumes of transactions and data accurately and consistently Improved timeliness and availability of information Facilitation of data analysis and performance monitoring Reduction in the risk that controls will be circumvented Enhanced segregation of duties through effective implementation of security controls
IT Risks: - Potential reliance on inaccurate systems - Unauthorized access to data which may result in loss of data and/or data inaccuracies - Unauthorized changes to data, systems, or programs - Failure to make required changes or updates to systems or programs Auditor should:
1. Document use of programs 2. Perform tests more often during the year
Organization Structure of IT Department (Segregation of duties): C – Control group: responsible for internal control in IT dept. Maintain error log and determine its cause. O – Operators: input data P – Programmers: write and develop computer programs A – Analysts: identify and design the overall system (programmers do the detailed work) L – Librarian: track programs, maintain data storage, controls access to programs Weakness:
1. Anyone doing more than one job 2. Anyone supervising another area
CRIME Most important ones for the test is C – Control Environment and E – Existing Control Activities Risk Assessment by Management
Control Environment Information and Monitoring Communication Systems
Existing Control Activities
**Examiners’ questions focus on the control environment and on an entity’s existing control activities C – Control Environment: the overall tone of the organization - Sets the tone of an organization - Integrity and ethical values - Competence - Participation of those charged with governance - Management’s philosophy and operating style - Organizational structure - Assignment of responsibility - Human resource policies The following circumstances would raise concerns regarding management’s philosophy and operating style: Management consumed with meeting the budget Management dominated by one person Management compensation contingent upon the entity’s financial performance (=bonus and stock options) The control environment has a pervasive effect on the auditor’s risk assessment, and preliminary judgments about its effectiveness may influence the nature, extent, and timing of further audit procedures to be performed. 16
R – Risk Assessment: management’s identification of risk relevant to the FS - CPA should obtain understanding and knowledge - Entity’s identification of risks to achievement of its objectives - The assessment by management of risk facing the entity, not the auditor’s assessment of control risk - Risks are generally related to changes, for example: (don’t have to memorize, just know them) 1) Change in regulatory environment 2) New personnel 3) New information systems or technology 4) Rapid expansion of operations 5) New business models 6) Corporate restructuring 7) Expansion or acquisition of foreign operations 8) Adoption of new accounting principles or pronouncements I – Information and Communication Systems: a means of recording transactions and communicating responsibilities - CPA should obtain understanding and knowledge - Support the identification, capture, and exchange of information in a timely and useful manner The accounting information system: → Classes of transactions significant to FS → Accounting processing (both automated and manual), from initiation of a transaction to FS → Accounting records (both electronic and manual), supporting information, and specific accounts involved in initiating, authorizing, recording, processing, and reporting transactions → Ways other significant events are captured by the system → Financial reporting process, including development of significant accounting estimates and disclosures Auditor should obtain understanding of: 1. Methods used to communicate roles and responsibilities 2. Communication between mgmt and those charged with governance, audit committee, and external parties 3. Initiating, authorizing, recording, processing, and reporting entity transactions, conditions, and events M – Monitoring: assessment of internal control performance over time - CPA should obtain understanding and knowledge of activities to monitor internal control - Process that assesses the quality of internal control (design and control operations) performance over time - Establishing and maintaining internal control is a responsibility of management, for example: - Internal audit function - Regular management and supervisory activities - Other procedures such as mailing customer statements E – Existing Control Activities: control policies and procedures - CPA should obtain understanding and knowledge - Policies and procedures that ensure management directives are carried out and risks are addressed - Strong internal control has “PAID-TIPS” - P – Pre-numbering documents - A – Authorization of transactions - I – Independent checks to maintain asset accountability - D – Documentation - T – Timely and appropriate performance reviews - I – Information processing controls - P – Physical controls for safeguarding assets - S – Segregation of duties 17
P – Pre-numbering documents • All transactions are recorded Completeness • No transactions are recorded more than once Existence • Example: Your Checkbook A – Authorization of transactions • Authorization should occur before commitment of resources • Example: Signed approval I – Independent checks to maintain asset accountability • Independent checks involve the verification of work previously performed by others: o Review of bank reconciliations o Comparison of subsidiary records to control accounts o Comparison of physical counts of inventory to perpetual records • Example: Checks and balances D – Documentation • Evidence of transactions and a basis for responsibility for the execution and recording of transaction • Example: Paper trail T – Timely and appropriate performance reviews • Comparison of actual performance to budgets, forecasts, and prior periods • Comparison of financial and nonfinancial information • Example: Analytical procedures I – Information processing controls • Ensure that transactions are valid, authorized, and completely and accurately recorded • Application controls: processing of individual “applications” (i.e. controls surrounding payroll) • General controls: information processing throughout the company (i.e. access controls, controls over data center, network operations) P – Physical controls for safeguarding assets • Physical segregation of security of assets • Authorized access to assets and records • Periodic counting and comparison of actual assets with amounts shown in accounting records • Example: Security S – Segregation of duties • One individual provides a crosscheck on the work of another individual • Assigning different people the responsibilities of authorizing, recording transactions, and maintaining custody of the related assets reduces the opportunities for any individual to both perpetrate and conceal errors or fraud • Internal control environ. should detect fraud by one person, NOT 1. Collusion 2. Management override • Client should separate these functions: o A – Authorization o R – Recordkeeping o C – Custody of related assets ****Segregation of duties is your ARC to protect against a flood of troubles. Client should separate these functions: A – Authorization R – Recordkeeping C – Custody of related assets An audit does not require an understanding of all control activities Auditor’s primary consideration should be if a control prevents, or detects and corrects, material misstatements 18
Effect of Service Organizations on Internal Control Service organizations: for example, are ADP and Paychex Service organization’s services are considered to be part of an entity’s information system when those services affect the initiation, execution, processing, or reporting of the user company’s transactions. Service auditor: the service organization’s auditor (ex. ADP’s auditor) User auditor: we, the independent CPA User auditor’s responsibilities: - Consider effect of service bureau on internal control of user organization - Obtain the necessary understanding of user organization’s internal control to plan the audit - Assess control risk at the user organization - Perform substantive procedures - Make inquiries of the service auditor’s professional reputation - User auditor should not make reference to the report of the service auditor Service auditor’s responsibilities: - Inquire of management regarding subsequent events that effect user’s organizations - Obtain a management representation letter - Responsible for representations in service auditor’s report and exercising due care in applying procedures - Report should describe the scope and nature of the auditor’s procedures - Two types of reports a service auditor may provide: - Report on Controls Placed in Operation: May aid auditor in obtaining an understanding of controls; however, it is provided when tests of operating effectiveness were not performed, and therefore it does not provide the user auditor with a basis for reducing the assessment of control risk - Report on Controls Placed in Operation and Tests of Operating Effectiveness May provide evidence that would allow a reduction in the assessed level of control risk Responding to Assessed Risks
I – Internal Control – Understand entity and its environment, including internal control M – Material Misstatement – Assess risk of material misstatement A – Assessed Risk Response – Respond to assessed risk level by designing further audit procedures based on assessment C – Control Testing – Test internal controls to evaluate their operating effectiveness P – Perform Substantive Testing – Perform substantive tests A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained “IM A CPA”: A – Assessed Risk Response – Respond to assessed risk level by designing further audit procedures based on assessment To reduce audit risk to low level, auditor should respond to assessed risk in two ways: - Overall response: address risk at FS level - Response at assertion level, the NET (nature, extent, timing) of audit procedures are designed to address risks Overall Response: Auditor may • Address increased need for professional skepticism • Assign more experienced staff • Increase supervision • Incorporate greater level of unpredictability • Change the NET, such as shifting substantive procedures closer to period end
19
General approach may consist of only Substantive Approach, or a combined approach of tests of controls and substantives procedures. Response to Risks at the Relevant Assertion Level - Link between the assessed level of risk at the relevant assertion level and the “NET” of further audit procedures. ***Three elements of further audit procedures can be varied by the auditor. We cast our “NET” over the audit. N – Nature E – Extent T – Timing Nature: - Includes the audit’s purpose - test of control vs. Substantive procedure - Includes the audit’s type – inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedure - The HIGHER the auditor’s risk assessment, the more reliable the evidence must be. - Auditor varies the nature of audit procedures to achieve the desired level of reliability and relevancy - If the info provided by entity’s system is used, must test its accuracy and completeness - Responding to assessed risks, nature of audit procedure is of primary importance Extent: - Refers to quantity to be performed - # of observations or sample size - The HIGHER the auditor’s assessment, the greater the extent of audit procedures - Also consider the tolerable misstatement and degree of assurance Timing: - May be performed at an interim date or at period end - The HIGHER the auditor’s risk assessment, the closer to period end substantive procedures should be - Auditor should consider when relevant info is available In designing further audit procedures that are responsive to assessed risks, auditor should consider: 1) Significance and likelihood of risk 2) Characteristics of transaction, balance, or disclosure 3) Nature of controls used (i.e. automated or manual) 4) Whether auditor expects to test the operating effectiveness of controls Audit procedures should be performed to determine whether the FS are presented in a manner that classifies and describes financial information appropriately, and includes adequate disclosure of material matters. Audit Approach – the auditor’s specific approach to identified risks at the relevant assertion level may consist of either a substantive approach or a combined approach. Substantive Approach: $$$ Balance – Use when: - No strong controls to be relied upon - Not efficient to test the operating effectiveness of controls Cost/Benefit Combined Approach: Tests of operating effectiveness of controls and substantive procedures. If controls are effective, less assurance will be needed from substantive procedures Tests of Controls May Be Required – IT 20
-
Where large amount of info is initiated, authorized, recorded, processed, or reported electronically, substantive procedures alone may not be sufficient Where highly electronic environments
Dual-Purpose Tests: - Is a tests of controls performed concurrently with a test of details on the same transaction - Purpose of test of controls: Evaluate the operating effectiveness of a control - Purpose of test of details: Support relevant assertions or detect material misstatements Material misstatements that the auditor detects through performance of substantive procedures should be considered by the auditor when assessing operating effectiveness. Audit Approach Status of Internal Control
Risk Level
Perform Control Tests
Perform Substantive Testing
None/Weak
High
No (unless heavy use of IT)
Yes – Maximum
Some
Medium
Yes
Moderate
Strong
Low
Yes
Minimum (never eliminate for material balances, transaction classes, or disclosures)
“IM A CPA”: C – Control Testing – Test internal controls to evaluate their operating effectiveness Tests of controls: performed when the auditor’s risk assessment is based on the assumption that controls are operating effectively, or when substantive procedures alone are insufficient. (Test Control Strengths, typically not weaknesses) Obtaining an understanding of internal control includes evaluating the design of controls and determining whether they have been implemented. Auditor is not required to evaluate operating effectiveness as part of obtaining an understanding of internal control. Inspect client records, documenting use, and changes to IT programs. Only those controls that are suitably designed to prevent or detect material misstatements are subject to tests of operating effectiveness. Nature of Tests of Controls: Tests of the operating effectiveness of controls include: inquiries, inspection, observation, and reperformance. o Inquiry alone is not sufficient o Observation be supported with inquiry or inspection Obtain evidence about the operating effectiveness of: o Controls directly related to relevant assertions o Other indirect controls that affect the direct controls As the planned level of assurance about operating effectiveness increases, the auditor should obtain more reliable or more extensive audit evidence. Hierarchy: 1. Personal observation/knowledge 21
2. External evidence 3. Internal evidence 4. Oral evidence Extent of tests of controls: How frequently the control is performed The length of time during which the auditor wishes to rely on the control The relevance and reliability of the evidence to be obtained The extent to which other tests provide audit evidence about the same assertion The extent to which the auditor wishes to rely on the operating effectiveness of the control The expected deviation rate from the control Timing of tests of Controls: Test at particular time versus testing throughout a period: when tests of controls are performed at one particular time, they provide evidence that controls operated effectively only at that time. Controls tested throughout the period provide evidence of operating effectiveness during that period Controls are tested only during an interim period should be supplemented by additional evidence for the remaining period Roll Forward If controls have changed since they were last tested, operating effectiveness must be retested in the current period Even if controls have not changed, operating effectiveness must be tested at least once every third year. Higher the assessed risk, or greater the intended reliance on controls, the more frequently the auditor will choose to test operating effectiveness Weak control environment may result in more frequent testing “IM A CPA” – P – Perform Substantive Testing – Perform substantive tests Substantive procedures/tests: $$$ Balances Analytical Ratios Substantive procedures are used to detect material misstatements at the relevant assertion level. Substantive procedures should be designed to be responsive to assessed risks; however, regardless of the assessed risk, substantive procedures are required for each material transaction class, account balance, or disclosure. Procedures include: - Agreement of FS to the underlying accounting records - Examination of material journal entries or adjustments made while preparing the FS Two types of substantive procedures: - Tests of details applied to transaction classes, account balances, and disclosures - Substantive analytical procedures Auditor may use only substantive analytical procedures, only tests of details, or combination: • Substantive analytical procedures are often used when there is a large volume of predictable transactions • Tests of details are more appropriate when obtaining evidence regarding the existence and valuation of account balances • To determine which substantive procedures to use is affected by the operating effectiveness of controls Directional testing:
22
In designing substantive procedures to test the existence or occurrence assertion, the auditor should select from FS amounts and obtain evidence supporting the inclusion of those amounts in FS. o Vouching = Support ouching In designing substantive procedures to test the completeness assertion, the auditor should select from evidence indicating that an item should be included in the FS, and then determine whether the item is in fact included. o Tracing = Coverage racing -
Vouching = Support Tracing = Coverage
ouching racing
See chart on page A3-63 Risks overstated assets and revenue Vouch to support/existence/occurrence ouching Financial Statements Trial Balance General Ledger Subsidiary Ledger Books of Original Entry Source Documents Execution of Event Transaction Approved Risk understated liabilities and expenses Trace for completeness/coverage racing The greater the risk of material misstatement, the less detection risk that can be accepted, and the greater the extent of substantive procedures. If controls are operating effectively, the extent of substantive procedures may be reduced. Sample size is affected by the planned level of detection risk, the tolerable misstatement, the expected misstatement, and the nature of the population Timing of substantive procedure: Interim Testing – if substantive procedures are performed at an interim date, the auditor should perform further substantive procedures (may combine with tests of controls) to provide a reasonable basis for extending audit conclusions to period end. Performing substantive procedures at interim date, increases risk that auditor will not detect FS material misstatements In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform substantive procedures at or near period end. Evidence obtained from substantive tests performed in a prior audit generally is not sufficient for the current period “IM A CPA” – A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained 23
Audit evidence obtained may cause the auditor to modify his or her initial risk assessment. Example: The auditor should not assume that an identified instance of fraud or error is an isolated occurrence, but instead should consider whether such instance affects the assessed risk of material misstatement When there is a change in the assessed level of risk, the auditor should modify planned audit procedures accordingly. The auditor uses judgment to evaluate the sufficiency and appropriateness of audit evidence, but should consider: 1. Significance and likelihood of potential misstatements 2. Effectiveness of management’s responses and controls 3. Experience gained during previous audits 4. Results of audit procedures performed 5. Source, reliability, and persuasiveness of audit evidence obtained 6. Understanding of the entity and its environment
24