A3: Engagement Acceptance, Planning, & Risk Assessment Flashcards
Client Acceptance
Ensure integrity of client management
If scope limitation imposed by management (eg, lack of records) will result in disclaimer of opinion, do not accept engagement
If limit will result in qualified opinion or limit beyond management’s control, okay to accept
Engagement Letter
-audit scope and objective, auditor and management responsibilities, inherent limitations of audit/risks that misstatements won’t be found, audit timing/client assistance/ document availability/fee arrangements
New Client
- must speak to old CPA before accepting (w/ client permission)
- management integrity, disagreements, reasons for change, communications on fraud/ illegal acts/internal control issues
- review old CPA’s workpapers/evidence
Discover issue with old CPA report
Request meeting with client and old CPA to resolve
Planning Process
- obtain knowledge of business/industry
- audit strategy
- audit plan
- risk assessment
Audit Strategy
-scope of audit, reporting objectives, timing, required communications, factors determining focus of nature (preliminary views of materiality, audit risk, internal control; areas of higher risk of material misstatement)
Materiality
- smallest level of misstatement that could be material to any one of F/S
- both qualitative and quantitative judgment
- preliminary assessment revised during audit
Audit Plan
- outlines Nature, Extent, Timing (“NET”) of specific procedures to be performed
- must be in writing
- risk assessment procedures, tests of controls, and substantive tests
Assertions
C – Completeness
O – cutOff
V – Valuation, allocation and accuracy
E – Existence and occurrence
R – Rights and obligations
U – Understandability and classification
Transaction Assertions
-completeness, cutoff, accuracy, classification, occurrence
Balance Assertions
-completeness, allocation and valuation, rights and obligations, existence
Presentation and Disclosure Assertions
-completeness, understandability and classification, rights and obligations, valuation and accuracy
Client’s Internal Auditors
- not independent
- consider objectivity (who report to) and competence (reputation, workpapers)
- can’t share responsibility for decisions, judgments or assessments
- I/As can assist with testing
- CPA must test areas of high risk/subjectivity
Use of Specialist
- CPA must understand specialist’s work and evaluate adequacy of work for audit purposes
- evaluate competence and objectivity
- client’s specialist may be acceptable
- audit report may refer to specialist if modified opinion b/c of their work
Audit Risk
-risk of issuing unmodified opinion when there are material misstatements
AR = Risk of Material Misstatement * Detection Risk
Misstatement Types
- Factual: known misstatements
- Judgmental: management estimates the CPA considers unreasonable or application of accounting policies CPA considers inappropriate
- Projected: estimate of misstatements in population, projected from those in audit sample
Risk of Material Misstatement
-risk that F/S are materially misstated
-exists independently of F/S audit
RMM = Inherent Risk * Control Risk
Inherent Risk
-risk of material misstatement, in absence of controls
Control Risk
-risk that controls will not timely prevent/ detect material misstatement
Detection Risk
- risk that CPA will not detect material misstatement
- CPA controls Detection Risk
Impact of Risk on Audit
- higher RMM, need lower DR
- higher RMM, more audit work required
- even if low RMM, must always do substantive tests on all assertions
Fraud Types
- fraudulent financial reporting (lying)
- misappropriation of assets (stealing)
- corruption (cheating)
Fraud Characteristics/Triangle
- Incentives/Pressures: reason to commit
- Opportunity: no effective controls
- Rationalization/Attitude: justify behavior (ethics/integrity)
*existence of all factors doesn’t indicate there is fraud; their absence doesn’t indicate lack of fraud
Responsibilities concerning fraud
- MR: design/implement programs & controls to prevent/deter/detect fraud
- AR: design audit to obtain reasonable assurance whether F/S are free of misstatements due to error or fraud; must assess risk due to fraud during planning
Auditor Fraud Procedures
- team must discuss fraud risk, brainstorm how it could be committed
- make inquiries regarding fraud risk (issuers: ask about response to whistleblowers)
- consider results of analytical tests (required relating to revenue)
- must document fraud risk assessment and response (include support if improper revenue recognition not identified as fraud risk)
Fraud Risk Factors
- presumption of risk: revenue recognition, management override of controls
- considerations: fraud triangle, size/ complexity of entity, degree of judgment and subjectivity or complex accounting principles
Responses to Fraud Risk
- general (more personnel, more supervision, increased unpredictability of audit testing)
- alter Nature/Extent/Timing of test (“NET”)
- risks of management override (examine journal entries for adjustments, review estimates for bias, evaluate unusual transactions)
Evidence of Fraud
- may be indicative of problem w/ management integrity (consider withdrawing)
- reevaluate fraud risk, effectiveness of controls, appropriateness of audit procedures
Communications Regarding Fraud/Crimes
- any indication of (even immaterial) fraud discussed w/ mgt 1 level above those involved
- any causing material misstatement discussed w/ senior mgt & those charged w/ governance
- CPA talks to outsiders: comply w/ legal/ regulatory requirements, successor auditor (w/ client permission), response to subpoena, to funding/other agency (client has gov’t financial assistance)
Responsibilities over Compliance with Laws/ Regulations
- MR: ensure that operations are in accordance with laws and regulations
- AR: reasonable assurance that F/S free of material misstatements; not responsible to prevent noncompliance or detect all noncompliance
Auditor Procedures concerning Noncompliance
- get rep letter from mgt
- obtain understanding of legal/regulatory framework and how entity complies w/ it
- evidence on elements of F/S determined by laws & regulations w/ direct effect on F/S
- indirect effect: only inquiries, inspect correspondence w/ regulatory agencies
- noncompliance found/suspected: discuss w/ mgt, consider withdrawal if unsatisfied
Reporting on Legal Noncompliance
- material effect on F/S and not disclosed: qualified or adverse
- insufficient evidence: qualified or disclaimer
- inadequate client response: withdraw
Steps in Assessing Risks of Material Misstatement
I – understanding of entity, environment and Internal control
M – assess risk of Material Misstatement
A – Assessed level of risk response
C – Control testing
P – Perform substantive testing
A – Audit evidence evaluation
Procedures to obtain understanding of entity
- risk assessment procedures required
- analytical procedures required (PCAOB requires analytics related to revenue)
- no need to test effectiveness of controls (may perform control tests/substantive tests concurrently w/ risk assessment procedures)
- inquiries of management/others
- observation and inspection
- understanding selection/application of accounting policies, & internal control system
- discuss risk assessment w/ audit team
Assessing Risks of Material Misstatement
- assess overall F/S level risks as well as risks related to specific balance/transaction/ disclosure assertion
- significant risk: when inherent risk is very high; fraud risk, recent economic/accounting developments, related party transactions, improper revenue recognition, unusual/ complex transactions, estimates/subjective measurements, illegality
Required Documentation – Material Misstatement Risk Assessment
-audit team discussion, elements of understanding of entity, assessment of misstatement risks, identified risks and controls
Internal Control Objectives
- reliability of financial reporting, effectiveness/ efficiency of operations, compliance w/ laws/ regulations
- internal control can be overcome by: collusion, management override, human error
Components of Internal Control
C – Control Environment
R – Risk Assessment
I – Information and communication systems
M – Monitoring
E – Existing control activities
Control Environment
-integrity and ethical values, commitment to competence, participation of those charged w/ governance, management philosophy and operating style (concern if focus on meeting budget, dominated by one person, or compensation based on performance), organizational structure, human resource policies and procedures
Risk Assessment (internal control)
- entity’s understanding/analysis of risks to achievement of objectives
- changes in external/internal circumstances
Information and communication systems
- procedures/records to initiate, authorize, record, process and report transactions, events and conditions
- accounting system, AIS
- communicating roles and responsibilities
Monitoring
-assesses quality of internal control over time, management and supervision activities, evaluations of internal control, internal audit
Existing control activities
P – Prenumbered documents
A – Authorization of transactions
I – Independent checks
D – Documentation
T – Timely performance reviews (analytics)
I – Information processing controls (application and general controls)
P – Physical controls for safeguarding assets (security)
S – Segregation of duties (“ARC” – Authorization, Recordkeeping, Custody)
Understanding of Internal Control
- element of assessment of risk of material misstatement, even if no plan to rely on controls/tests of controls in audit
- evaluate design and implementation of identified controls
Types of Controls
- preventive controls: only valid transactions are permitted
- detective controls: errors are discovered and corrected
Design and Implementation of Controls
- design: whether it is capable of preventing/ detecting/correcting material misstatements
- implementation: if it exists and is being used
Procedures to obtain evidence about control design and implementation
- inquiries (inquiries alone insufficient)
- observe use of controls
- inspect documents/records
- observe premises and facilities
- walkthrough: trace transactions through entire accounting system
Document Understanding of Internal Controls
F – Flowcharts (graphical depiction of understanding)
I – Internal control questionnaires (for employees)
N – Narratives (written version of flowchart)
D – Documentation (client’s manuals, etc.)
IT Impact on Internal Control
- if evidence is not retrievable, difficult to determine timing of control/substantive tests
- may be impossible to reduce detection risk through substantive tests alone (need to do control tests of IT)
Types of IT Controls
- manual: performed by people, useful when judgment/discretion needed
- automated: performed by IT, useful for high volume/recurring transactions
- general: relate to many applications, support proper operation of system
- application: relate to processing of individual transactions, ensure they are authorized
Segregation of Duties in IT
C – Control group
O – Operators
P – Programmers
A – Analyst (system)
L – Librarian
- weakness if anyone does/supervises another area
Service Organizations and Internal Control
-service org’s systems considered part of client’s information system
Service Auditor Reports
- Type 1: mgt description of system, opinion on design and implementation (no opinion on operating effectiveness); user CPA may not rely to reduce control risk for relevant areas
- Type 2: mgt description of system, opinion on design, implementation and operating effectiveness; may provide evidence allowing reduction in assessed level of control risk
Responding to Assessed Risks of Material Misstatement
-design audit procedures that address risks for each relevant assertion of each account/ balance/disclosure
Nature, Extent and Timing of Tests (“NET”)
- nature: purpose (control/substantive) and type (inquiry/confirmation/etc)
- extent: quantity (# of observations, sample size)
- timing: interim (strong controls) or at period end (weak controls)
Audit Approaches
- substantive approach: only substantive tests (control risk high b/c no effective controls, control ineffective, or control tests inefficient)
- combined approach: both control tests and substantive tests, less substantive if effective controls (but don’t eliminate substantive tests)
- control tests required if heavy use of IT (even if control risk high)
- dual purpose test: serves as both test of controls and a substantive test
Planning Tests of Significant Risks
- if relying on effective operation of controls, must test controls in current period
- must perform relevant substantive tests (details, or detail and substantive analytics)
Control Testing
- evidence regarding operating effectiveness of controls
- nature: inquiry (alone insufficient), observation, inspection, reperformance
- extent: only need to test few automated IT controls
- timing: if interim, supplement with additional evidence for remaining period
Audit Evidence Hierarchy
A – Auditor knowledge
E – External evidence
I – Internal evidence
O – Oral evidence
Perform Substantive Tests
- used to detect material misstatements
- required for each material transaction/ balance/disclosure
“NET” of Substantive Tests
- nature: tests of details, substantive analytical procedures
- extent: generally refers to sample size
- timing: interim only if low risk of material misstatement, if interim need to supplement with additional procedures for remaining period
Audit evidence evaluation
-results of tests may lead to reassessment of risk of material misstatement, should then modify planned audit procedures
Sufficient Appropriate Evidence
- use judgment, consider significance/ likelihood of misstatements, mgt’s responses/ controls, results of procedures, source/ reliability/persuasiveness of evidence
- PCAOB factors: uncorrected misstatements, results of procedures, risk assessment, appropriateness of evidence obtained
Documentation of Evidence Evaluation
-overall response, NET of audit procedures, linkage of procedures w/ assessed risks, results of audit procedures, conclusions reached