Assessing Risk & Developing Planned Response Flashcards
Developing overall engagement strategy - 4 things
1) determine characteristics that define scope (basis for reporting, industry-specific reporting requirements, entity’s locations)
2) determine reporting objectives of engagement to plan timing of audit, nature of communications requirements and key dates for expected communications
3) consider important factors that determine focus of audit team’s efforts (materiality levels, preliminary areas for potential misstatements, financial reporting developments)
4) determine nature/timing/extent of resources necessary to perform engagement
Process of developing audit strategy helps auditor - 3 things (resources)
1) determine type and amount of resources to assign to specific audit areas
2) plan timing of resources
3) manage/direct/supervise resources (when meetings are held, how reviews will take place)
5 considerations for planning initial (first) audits
1) arrangements with previous auditor
2) major issues with initial selection discussed with mgmt
3) obtain sufficient audit evidence regarding opening balances
4) personnel with appropriate capabilities and competence assigned
5) other personnel to assist with firm’s quality control function
developing detailed audit plan
1) reviewing correspondence, last year’s workpapers, perm files, FS, auditor reports
2) discussing matters that may affect audit with firm personnel responsible for nonaudit services to entity
3) inquiring about current business developments affecting entity
4) reading current year interim FS
5) discussing type/timing/scope of audit w/mgmt, BOD, AC
6) considering effects of applicable/new accounting pronouncements
7) coordinating assistance of entity personnel
8) determining extext of involvement of specialists, consultants
9) establishing timing of audit work
10) establishing and coordinating staffing requirements
audit plan MUST HAVE these 3 things:
1) description of nature/extent/timing of planned risk assessment procedures sufficient to assess risks of material misstatement
2) nature/extent/timing of planned further audit procedures for each material class of transactions/account balances/disclosure
3) other audit procedures to comply with GAAS
developing detailed plan for attest engagement
1) while detailed plan not required, accountant should prepare /retain sufficient documentation to allow engagement teams/partners to satisfy supervision/review/QC responsibilities
2) accountant should determine nature/extent/timing of planned procedures in order to achieve engagement objectives
understanding entity - external factors
1) industry (market, competition (demand/price/capacity), cyclical, product technology, supply)
2) regulatory (framework, accounting principles, legislation, taxation, gov policies, environmental)
3) nature of entity
4) entity’s objectives and strategies and related business risks that may result in material misstatement
5) measurement and review of entity’s financial performance
6) IC, including selection and application of accounting policies
7) other
a) general level of economic activity (recession, growth)
b) interest rates and availability of financing
c) inflation and currency revaluation
understanding entity - internal factors
a) business operations (related parties, nature of revenue sources, products/services//markets, suppliers/clients, R&D)
b) investments (M&A, disposals, investments in nonconsolidated entities)
c) financing (structure, with related parties, derivatives)
d) financial reporting (accounting principles, rev rec, FV, inventory, FS presentation and disclosures)
e) IT environment - software, devices, telecom, technology services (cloud), emerging technology (AI, crypto, blockchain)
f) objectives and strategies - industry developments, new products/services, expansion of business, regulatory requirements, new accounting requirements, use of IT, risk appetite of entity
g) financial performance (pressure to misstate, reliance on IT)
auditor should identify the relevant factors that define the nature of an entity, including the impact on the risk of material misstatement (e.g., its operations, ownership and governance structure, investment and financing plans, selection of accounting policies, and objectives and strategies), and document the procedures performed to obtain that understanding. In particular, that understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit.
this helps:
1) establish materiality and reevaluate that throughout the audit
2) consider appropriateness of chosen accounting policies and adequacy of disclosures
3) identify special areas of consideration might be necessary
4) develop expectations when performing analytical procedures
5) design and perform further audit procedures to reduce audit risk
6) evaluate sufficiency/appropriateness of audit evidence obtained
auditor should use professional judgment to determine the extent of the understanding required of the entity and its environment, including its internal control. The auditor’s primary consideration is….
whether the understanding that has been obtained is sufficient to assess risks of material misstatement of the financial statements
auditor should identify and document entity’s business processes, comprised of: (IT)
a) inputs
b) actors - either automated or actual person that carries out business process
c) actual activity or process that transforms the input
d) outputs - generation of entity’s FS or mgmt reports
auditor should obtain understanding of entity’s IT systems infrastructure and document procedures to obtain understanding of…
a) description of functions of system
b) change control process
c) security evaluation
d) system documentation should be reviewed for completeness, accuracy, timeliness
how to update understanding of entity’s business and ICs:
1) reading documentation for prior year’s audit and review of interim
2) reading most recent annual and prior interim financial information
3) consider results of audit procedures performed
4) inquire mgmt of changes in business activities
5) inquire mgmt about significant changes in ICs related to preparation of interim financial information
attestation engagements: what is attestation risk?
the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) is materially misstated.
Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design .of procedures in that type of engagement is the responsibility of the specified party(ies).
3 objectives of audit engagement ORC
Operations
Reporting
Compliance
CRIME
Control environment EBOCA
Risk assessment SAFR
Information and communication systems OIE
Monitoring SOD
Existing control activities CATP
C - control environment EBOCA
Ethics
Board Independence & Oversight
Organizational Structure
Competence
Accountability
- sets tone of org, influencing control consciousness of employees
1) assignment of authority and responsibility - important in an IT environment due to the potential access to data by multiple users. When multiple users have access to a particular database, the potential for manipulation increases
2) human resource policies and practices - in a computerized environment, the need for skilled employees operating with a high degree of integrity is of great importance.
3) management’s philosophy and operating style - management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed.
R - risk assessment SAFR
Specify Objectives
Assess Changes (in environment)
Fraud
Risk Analysis
- identification, analysis and management of risks relevant to the prep of FS that are fairly presented in conformity with applicable reporting framework
1) requires the inclusion of a strict policy of control over changes in programs and inappropriate access to data to prevent data alteration or manipulation
I - information and communication OIE
Obtain Information
Internally Communicate
Externally Communicate
- procedures and records relevant to financial reporting and communication to individuals of their roles and responsibilities pertaining to IC over financial reporting as well as to those charged with governance and regulatory authorities
1) quality of the information has a direct relationship to the relevance and appropriateness of the decision‐making process. For instance, continuous control modules (CCM) embedded within the software system enable management to monitor transaction processing of all data. Physical controls over hardware ensure actions that could affect data integrity are only carried out by responsible personnel.
M - monitoring SOD
Separate and Ongoing Evaluations
Deficiency Communication
- assessing IC performance over time to ensure that controls continue to operate effectively
1) Management is responsible for establishing and maintaining proper internal controls. Management must monitor controls to consider whether they are operating as intended and that they are modified as appropriate for changes in conditions.
E - existing control activities and control environment CATP
Control Activities
Technology
Policies and Procedures
- policies and procedures that ensure mgmt directives are carried out and necessary actions are taken to address risks that threaten achievement of entity objectives (authorization, seg of duties, safeguarding, asset accountability, performance reviews)
1) information processing - authorization of transactions and the maintenance of adequate documents and records (audit trail)
2) segregation of duties - adequate controls must be established within the IT department to compensate for the lack of segregation of duties that would normally be available in a manual system.
3) physical controls - access to assets is often possible through the computer system. As such, the need for enhanced physical controls is of great importance in an IT environment. It is also important to have adequate backup for computer files, as their destruction or damage could result in significant problems for a business entity.
identifying controls relevant to financial reporting
controls over FS that present according to GAAP and manage risk of material misstatement
whether and how a control prevents, detects, corrects material misstatement in either classes of transactions, account balances, or disclosures
identifying controls relevant to financial reporting - factors to consider
1) materiality
2) size of entity
3) nature of entity’s business
4) diversity and complexity of entity’s operations
5) applicable legal and regulatory requirements
6) nature and complexity of systems that are part of entity’s ICs
identifying controls relevant to financial reporting - accounting review and engagements (preparation, compilation, review)
engagement to prepare financial statements is a nonattest engagement and does not require the accountant to be independent. The accountant is not required to verify the accuracy or completeness of the information provided by management or otherwise gather evidence to express an opinion or conclusion on the financial statements.
compilation engagement is a no‐assurance engagement. There is no expectation that the accountant would obtain an understanding of internal control in this type of engagement. The accountant only needs to be able to have competence and capabilities to read the financial statements for obvious departures from the applicable financial reporting framework.
review engagement provides limited assurance. There is no requirement in a review to obtain a specific understanding of the design of internal controls;
identifying controls relevant to financial reporting - attestation engagements (control risk and attestation risk)
Control risk is the risk that a material misstatement could occur in the subject matter and not be prevented, or detected and corrected, on a timely basis by internal control
Attestation risk is the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) reported on is materially misstated.
Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design of procedures in that type of engagement is the responsibility of the specified party(ies).
IT general controls apply when?
apply to all aspects of IT function BEFORE TRANSACTIONS ARE PROCESSED (vs. application controls that operate at the process level and apply to processing transactions)
outside controls that provide protection for applications and mitigate:
risk of system crash
risk of unauthorized processing
risk of unauthorized master file updating
risk of unauthorized change to application software
IT general controls - 6 types
1) admin of IT function (tone at the top, control environment)
2) segregation of duties
3) system development (segregation of roles)
4) physical and online security
5) backup and contingency planning
6) hardware controls (to detect system failure)
IT general controls - admin of IT function
1) admin of IT function (tone at the top, control environment)
attitude of sr mgmt and BOD
resource allocation to IT function
involvement of IT in decision making, signal to IT importance
IT steering committee
smaller org = CIO relied upon by BOD
if assigned to lower level employees who don’t have any authority or outsourced, may signal less importance
IT general controls segregation of duties ARC
ARC “Protect you from a flood of problems”
Authority
Record keeping
Custody of related assets
IT general controls - system development
BOD
CIO or IT Mgr
Security Admin (physical assets and online security)
System development (purchase and/or develop/test software) (“authorization”)
system analysts - architect designs system
programmers - create/write the program, document it (cannot be user of system - violation of segregation of duties)
Operations (“recording/record keeping”)
Librarian - program moves from programmer to librarian , who controls the use of the program and does not release it back to the programmers when they need to make changes
network administrator - maintains network, supports all users using network
computer operators - import data into the computer system
Data control (“custody”)
database admin - “hold keys”, super user logins and all data for company (cannot have access to operations or system development - violation of segregation of duties)
data input/data output
IT general controls - physical and online security
Security admin
IT general controls - backup and contingency planning
power failure, fire, excessive heat/humidity, water damage, sabotage, terrorism
battery backups, generators
disaster recovery plan
offsite storage
outsource to firms that specialize in secure data storage
hot site - secondary site to continue to conduct business
cold site - secondary site that would need a bit of time to get going, but less expensive
IT general controls - hardware controls
6) hardware controls
built into computer equipment to detect and report equipment failure
IT application controls (what are they and what do the controls surround?)
IT application controls - designed to achieve specific control objectives related to specific accounting tasks. They pertain to the processing of individual applications. The auditor is responsible for identifying and documenting an entity’s relevant IT application controls within the flow of an entity’s transactions for a significant business process and must consider the effect of these controls on the completeness, accuracy, and reliability of an entity’s data.
Application controls - **controls that surround the applications themselves **
designed for each software specifically
manual or automated controls - input, processing, and output controls
IT application controls - INPUT CONTROL
1) input control - info entered is authorized, accurate and complete (garbage in, garbage out)
-management authorization
-adequate prep of input source documents
-competent personnel
-adequately designed input screens with preformatted prompts for transaction information
-online based input controls for ecommerce applications where external parties perform the initial art of the transaction inputting
-check digit - purpose of a check digit is to verify that the information on the barcode has been entered correctly
-validity check - computer-performed validation test of input accuracy such as validation of customer number against customer master file
-edit check - auto controls programmed into application to help prevent invalid data being entered
-limit test - user has to enter SSN before any other input; check over $$$ threshold is void
-pull-down menu
-immediate error correction procedures to provide for early detection and correction of input errors
-accumulation of errors in an error file for subsequent follow up by data input personnel
IT application controls - INPUT CONTROL (record count vs hash total, vs financial total)
record count hash total financial total
count account# $ owed
1 1256 200
2 3645 300
3 2542 500
4 2569 650
5 5987 100
6 4386 350
7 6598 200
8 3749 125
9 5823 275
45 36555 2700
IT application controls - PROCESSING CONTROL
2) processing control - prevent and detect errors while transaction data are processed
this is where the general controls during the development stage provide essential control for minimizing processing errors
specific processing controls are often programmed into the software to prevent, detect, and correct processing errors
-validation test - ensures particular type of transaction is appropriate for processing (does tran code = predetermined code?)
-sequence test - determines that data submitted for processing are in the correct order (payroll transactions in dept order before processing?)
-arithmetic accuracy test - checks accuracy of processed data (does sum of net pay + withholdings = gross pay?)
-data reasonableness test - determines whether data exceed prespecified amounts (does gross pay > 60 hours for week?)
-completeness test - determines that every field in a record has been completed ( are emp #, name, etc. included for every employee?)
IT application controls - OUTPUT CONTROLS
3) output controls - detects errors after processing
-review data for reasonableness by knowledgeable employees
-reconcile (compare sample of transactions, reconcile to manual control totals, compare number of units processed to number submitted)
Preventative controls
qualified personnel, adequate training
segregating duties to prevent fraud
controlling physical access and system access (key cards, passwords, biometrics)
Detective controls
QC
reconcilement
Corrective controls
backup copies
procedures to correct errors
DR plan
computer emergency response team (CERT) to react to security breaches and take corrective action timely
-determine problem exists
-contain the problem quickly to minimize damage
-identify why problem occurred
-repair damage and correct problem (retore backup, reinstall corrupted program)
-determine prevention in future
-determine whether to prosecute perpetrator
understanding business processes - walkthrough and document
1) classes of transactions that are significant to financial reporting
2) procedures (auto and manual) to initiate/authorize/record/process/report transactions in FS
3) related (electronic or manual) accounting records and supporting information that are significant to FS
4) how info systems capture events and conditions other than transactions that are significant to FS
5) financial reporting process used to prep FS, including significant estimates and disclosures
6) controls around JEs, especially those recording nonrecurring, unusual transactions or adjusting transactions
understanding relevant controls - identify and document; consider effect on completeness, accuracy, reliability of data
1) identifies and records all valid transactions
2) describes transactions in sufficient detail to permit proper classification for financial reporting
3) measures value of transactions that permit proper value in FS
4) determines correct time period to record
5) presents transactions (and disclosures) in FS
auditor should obtain an understanding of IT systems that are:
auditor should obtain an understanding of IT systems that are, directly or indirectly, the source of financial transactions or the data used to record financial transactions and document the procedures performed to obtain that understanding.
understanding risk - perform risk assessment to:
auditor should perform risk assessment to determine whether relevant internal controls are effectively designed and operating and use to:
1) identify types of potential misstatements
2) consider factors that affect the risks of misstatements
3) design tests of controls and substantive procedures
evaluating design of control involves:
Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements
Implementation of a control means:
Implementation of a control means that the control exists and that the entity is using it
Procedures to obtain audit evidence about the design and implementation of relevant controls may include:
1) inquiry of personnel (NOT SUFFICIENT BY ITSELF)
2) observation of application of specific controls
3) inspection of documents and reports
4) tracing transactions through systems relevant to financial reporting
Benefits of IT systems
consistently apply predefined business rules and perform complex calculations in processing large voumes of transactions or data
enhance timliness, availability and accuracy of information
facilitate additional analysis of information
enhance ability to monitor performance, policies and procedures
reduce risk of control circumvention
enhance ability to achieve segregation of duties via security controls in applications, databases, operating systems
use of barcode technology to eliminate human data entry and improve perpetual inventory recordkeeping speed and accuracy
Risks of IT systems
reliance on systems or programs that could be processing data inaccurately or processing inaccurate data
unauthorized access to data resulting in destruction or change in data
unauthorized change to data in master files
unauthorized change to systems or programs
failure to make necessary changes to systems or programs
inappropriate manual intervention
potential loss of data or inability to access data
possibility of IT personnel gaining access beyond necessary, breaking down segregation of duties
SOC 1 vs SOC 2 reports (implications of using a 3rd party service provider)
SOC® 1 report addresses internal controls over financial reporting, the SOC® 2 report focuses on operational and compliance controls
SOC® 1 reports are for management of the service organization, user entities, and user auditors (design of controls over financial reporting)
SOC® 2 reports are restricted and are only for parties that are knowledgeable about the nature of the service provided by the service organization (design and operating effectiveness of operational and compliance controls)
limitations of controls
human judgment, human failures
lack of understanding of purpose of control
collusion
mgmt override- mgmt is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively
**mitigation/detection: examine JEs and other adjusting entries for evidence of possible misstatement due to fraud; review accounting estimates for biases that could result in misstatement due to fraud; evaluate business rationale for significant unusual transactions
segregation of duties not possible due to small number of employees
identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:
1) type of risk, ie fraudulent financial reporting, misappropriation of assets
2) significance of risk - magnitude could result in possible material misstatement
3) likelihood of risk - will it result in material misstatement
4) pervasiveness of risk - whether potential risk is pervasive to FS as a whole or specifically to a particular assertion/account/class of transactions
conditions that may indicate increased risk of fraud
a. discrepancies on accounting records
1) transaction not recorded in a complete or timely manner
2) unsupported or unauthroized balanes or transactions
3) last minute adjustments
4) evidence of unauthorized access
5) tips to auditors about alleged fraud
6) overly complex transactions
b. conflicting or missing evidence
1) missing documents
2) documents appearing to be altered
3) unavailability of original documents
4) significant unexplained items on recons
5) inconsistent/vague explanations from mgmt or employees
6) unusual discrepancies between entity’s records and confirmations
7) missing inventory or physical assets
8) unavailable electronic evidence inconsistent with retention policies
9) inability to produce evidence of key ssytem development and program change testing and implementation
c. problematic or unusual relationships between auditor and mgmt
1) denial of access to records/employees
2) undue time pressures imposed by mgmt
3) complaints by mgmt about conduct of audit, intimidation
4) unusual delays by entity in providing information
5) unwillingness to facilitate auditor access to key electronic files
6) denial of access to key IT operations staff
7) unwillingness to add/improve disclosures to make them more complete or clear
8) unwillingness to address identified deficiencies in IC timely
net income doesn’t tie well to cash flows
changes in inventory/AP/sales is inconsistent with prior period
profitability or bad debt write offs aren’t comparable to industry trends or data
sales volumes don’t compare well to production statistics
fraud triangle
opportunity
pressure (earnings)
rationalization
Identifying fraud
error = unintentional; fraud = intentional
primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management.
Misstatement #1 - misstatement arising from fraudulent financial reporting; committed by mgmt to deceive FS users
manipulation, falsification, alteration of accounting records; misrepresentation or omission of events, transactions; intentional misapplication of accounting principles
Misstatement #2 - misappropriation of assets; committed against entity most often by employees
embezzling, theft, or causing entity to pay for goods not received
risk factors to consider: pressure/incentive to commit?; perceived opportunity?; able to rationalize?
Ways to identify fraud (and help the team identify fraud)
-discussions with audit team regarding fraud - brainstorming helps newer auditors learn, allows consideration of known external and internal factors, professional skepticism, should continue throughout the audit, document discussions
-inquiries of mgmt regarding fraud - knowledge of, aware of allegations of, mgmt’s communication of process to identify, mgmt’s communication of views on business practices and ethical behavior, any significant transactions entered into?
-auditor should address the risk of management override of controls apart from any conclusions regarding the existence of more specifically identifiable risks by designing and performing audit procedures to:
1) test appropriateness of JEs
2) review accounting estimates for bias
3) evaluate whether any transactions suggest they may have been entered into to engage in fraudulent activity or misappropriate assets
ways to respond to risk of material misstatement due to fraud
1) response that has an overall effect on how the audit is conducted, including (1) assignment of personnel and supervision, (2) management’s selection of accounting principles, and (3) using audit procedures that include an element of unpredictability.
2) response to identified risks involving the nature, extent, and timing of the auditing procedures to be performed. The auditor should consider changing the nature, extent, and timing of audit procedures to address specifically identified risks.
3) response involving the performance of certain (innovative, inventive) procedures to further address the risk of material misstatement due to fraud involving management override of controls.
a) performing procedures on a surprise or unannounced basis
b) ask that inventories be counted at period end or close to period end to minimize risk of balance manipulation
c) making oral inquiries of major customers
d) performing substantive analytical procedures
e) interviewing personnel
assessing fraud on other types of engagements (compilation, review)
Compilation engagements provide no assurance. There is no responsibility on the part of the practitioner to perform any procedures to identify or respond to fraud risk.
Review engagements provide limited assurance. Inquiry, analytics, and other procedures are designed and performed to provide limited assurance, which is substantially less than the reasonable assurance expressed in an audit.
Discuss with appropriate parties; ask they bring in legal or regulatory, obtain legal advice, communicate with regulator
In a review, if the accountant becomes aware of any actual, suspected, or alleged fraud or noncompliance with laws or regulations affecting the subject matter, the accountant should communicate (either written or oral) the matter as soon as practicable to the appropriate level of management
assessing fraud on other types of engagements (attestation)
attestation engagement - Examination engagements require an assessment of attestation risk, similar to financial statement audits, to provide reasonable assurance whether any material modifications should be made to the underlying subject matter in order for it to be in conformity with stated criteria.
In both examination and review engagements, the accountant should make inquiries of appropriate parties to determine whether they have knowledge of any actual, suspected, or alleged fraud
In an agreed‐upon procedures engagement, the design of procedures is the responsibility of the specified party(ies). Those procedures may or may not include fraud‐related procedures.
assessing risk of material misstatement - risk assessment procedures
auditor should identify risks of material misstatement by obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the particular classes of transactions, account balances, and disclosures in the financial statements.
Risk assessment procedures:
1) inquiries of mgmt
2) analytical procedures
3) observation and inspection
assessing risk of material misstatement - risk assessment procedures - analytical procedures
analytical procedures applied at two phases of all audits:
1) initial planning stages to help plan nature.timing.extent
2) overall review of financial information I the final review stage of audit
analytical procedures should focus on:
1) enhancing auditor’s understanding of client’s business and transactions and events that have occurred since last audit
2) identify areas that represent specific risks relevant to audit
identify unusual transactions, amounts, events
auditor should develop expectations of relationships reasonably expected to exist
assessing risk of material misstatement - risk assessment procedures - observation and inspection
observation of entity activities and operations
inspection of documents, records
reading mgmt reports
physical observation of premises
auditor should remain alert when inspecting records or documents for arrangements or other information that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor (bank and legal confirmations, BOD/AC meeting minutes)
examples of conditions and events that may indicate the existence of risks of material misstatement or significant unusual transactions that may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets:
operations in unstable economy
operations exposed to volatile markets
complex regulation
going concern, liquidity issues
achieving stated objectives only marginally
capital, credit constraints
changes in industry, supply chain
new products, services
expansion into new locations
reorgs
changes in key personnel
significant transaction with related parties
IC weaknesses
new financial reporting systems
past misstatements, errors
new accounting pronouncements
pending litigation
transactions that lack commercial or economic substance
3 relevant assertion items TAP
Transactions
Account Balances
Presentation and Disclosure
Assertions: COVERU
Completeness
Offs (cut)
Valuation, allocation, & accuracy
Existence & Occurrence
Rights and Obligations
Understandability & Classification
1) Assertions about classes of transactions and events for the period under audit: COVEU
-Existence & occurrence: Transactions and events that have been recorded or disclosed have occurred, and such transactions and events pertain to the entity.
-Completeness: All assets, liabilities, and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
Liabilities/Expenses = Completeness, more risk that client understates. Test from source docs to ledger.
-Valuation/allocation/accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described.
-cutOff: Transactions and events have been recorded in the correct accounting period.
-Understandability & classification: Transactions and events have been recorded in the proper accounts.
2) Assertions about account balances at the period end: CVER
-Existence. Assets, liabilities, and equity interests exist
Assets/Revenues = Existence, more risk that client overstates. Test from ledger to source docs.
-Rights and obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
-Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded.
-Valuation/allocation/accuracy. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
3) Assertions about presentation and disclosure: CVERU
-Existence & occurrence. Disclosed events and transactions have occurred
-Rights and obligations. Disclosed events and transactions pertain to the entity.
-Completeness. All disclosures that should have been included in the financial statements have been included.
-Understandability & classification. Financial information is appropriately presented and described and information in disclosures is clearly expressed
-Valuation/allocation/accuracy. Financial and other information is disclosed fairly and at appropriate amounts.
assertions by class
Transaction cycles: PP&E
Completeness = “tracing” = trace sample of fixed assets from fixed asset schedule/FA requisition form to the GL; examine repair and maintenance expense for additions or disposals
Off(cut) = examine purchases and sales shortly before and after period end
Valuation/allocation/accuracy = recalculate depreciation to verify reasonableness
Existence & occurrence = “vouching” = vouch sample of receiving reports to vendor invoices to determine that items have been properly received and properly paid for
Understandability & classification = examine all charges made to repairs/maintenance expense to verify capitalization vs expense
Transaction cycles: stock
treasury stock
stock transactions
board minutes
articles of incorporation
stock transfer agent
stock certificate
retained earnings
Transaction cycles: inventory
asset tagging
controls
observation
calculation
comingled goods
related accounts
quantity
presentation
analytical review
obsolete/damaged goods
Transaction cycles: investments
segregation of duties
outside confirmations
physical inspection
cutoff
confirmations
reasonableness/appropriateness
knowledge/skill
Transaction cycles: cash
bank confirmation (open/closed acct)
bank reconciliation
cutoff, i.e. bank statement
Transaction cycles: payroll expenses (ARC)
Authorization = supervisor/HR
recording = payroll dept
custody = treasurer
Completeness = “tracing” = trace timesheets to payroll report/register
Off(cut) = pull sample of timesheets before and after cutoff
Valuation/allocation/accuracy = confirm valuation of payroll expense on IS by comparing amounts recorded in payroll to total amount of checks issued and outstanding; compare labor rates to employee records; recalculate based on sample of payroll checks
Existence & occurrence = “vouching” = vouch payroll report back to entries made in payroll register back to sample of timesheets
Understandability & classification = review sample of paychecks and determine whether classified into proper expense item on IS
Transaction cycles: revenue/sales (ARC)
author = credit, i.e. sales order
custody = warehouse
reconcile = shipping, i.e. lading
recording = billing/AR/acctg, i.e. invoice & GL
Completeness = “tracing” = trace sample of sales orders to the shipping documents to sales invoices to sales journal
Off(cut) = compare sample of sales invoices shortly before and after cutoff with shipment dates and dates sales were recorded
Valuation/allocation/accuracy = compare prices to sales terms on invoices to ensure correct amount was computed
Existence & occurrence = “vouching” = vouch sales journal back to invoices back to shipping docs back to sales orders
Understandability & classification = “examine” = examine sample of sales invoices for proper classification into the appropriate revenue accounts
Transaction cycles: expense/purchase (ARC)
author = purchasing dept - approve/prepare PO
custody = warehouse
reconciliation = receiving dept - match with blind PO, prepare receiving report
recording = acctg/AP - receives outside doc/invoice, match to PO/receiving report, prepare and approve payment
cash disbursement = treasury dept - review docs, prepare checks/remittance advice, sign checks, mark voucher as paid, mail checks
Completeness = “tracing” = determine prenumbered listings of purchase orders/vouchers and trace PO/voucher samples to receiving reports to invoices (PO+receiving reports+ invoices = “VOUCHER PACKAGE”) to purchase journal
Off(cut) = determine that dates applied to vouchers/POs with dates that were recorded in sales journal; examine purchases immediately before and after cutoff
Valuation/allocation/accuracy = recalculate amounts recorded on vendor invoices
Existence & occurrence = determine if expenditures were properly authorized and properly presented on receiving report.
Understandability & classification = examine sample of purchases and determine whether they were properly classified
Significant risks (Risks Requiring Special Audit Attention)
Significant risks are often derived from business risks that may result in a material misstatement AND SHOULD BE DOCUMENTED BY AUDITOR:
whether risk is risk of fraud
whether risk is related to recent significant economic, accounting or other developments therefore requiring special attention
complexity of transactions
whether risk involves significant transactions with related parties
degree of subjectivity in measurement of financial information, especially the degree of uncertainty
whether risk involves significant nonroutine transactions that are outside normal course of business or unusual
Routine, noncomplex, systematic transactions are less likely to be significant risks because they have lower inherent risk
Substantive tests - audit procedure that examines the financial statements and supporting documentation to see if they contain errors (NET)
Nature
Extent
Timing
further procedures responsive to identified risks
In order to reduce audit risk to an acceptably low level, the auditor should determine overall responses to address risks of material misstatement at the financial statement level, and should design and perform further audit procedures whose nature, extent, and timing are responsive to the assessed risks of material misstatement at the relevant assertion level.
1) emphasize to audit team the need to maintain professional skepticism in gathering an evaluating audit evidence
2) assign more experienced staff or those with specialize skills
3) provide more supervision
4) incorporate additional elements of unpredictability in the selection of audit procedures to be performed
5) make general changes to audit procedures, i.e. perform substantive procedures at period end rather than interim date
6) if there is a more effective control environment the auditor can have more confidence in internal control and the reliability of audit evidence generated internally
7) if there are weaknesses, the auditor may consider:
a) performing more audit procedures at period end rather than interim
b) seeking more extensive audit evidence
c) modifying audit procedures to obtain more persuasive audit evidence
d) increasing number of locations to include in scope
8) use substantive approach which emphasizes substantive procedures or use of combined approach which tests controls along with performance of substantive procedures
9) perform further audit procedures that are responsive to the risks of material misstatement at the relevant assertion level, considering:
a) significant of risk
b) likelihood that MM will occur
c) characteristics of class of transactions, account balance, or disclosure involved
d) nature of specific controls used by entity and whether they are manual or automated
e) whether auditor expects to obtain audit evidence to determine if controls are effective in preventing or detecting MM
f) results of data analytic output used to determine relationships and interpret results to provide basis for developing audit procedures
10) auditor’s assessment of identified risks at relevant assertion level provides basis for considering appropriate audit approach for designing and performing further audit procedures
11) regardless of approach, auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, balances, disclosures
12) auditor must specifically analyze transactions that have higher risk of MM from audit data analytic output by determining relationships among variables and interpreting results to provide a basis for developing planned audit procedures
13) for a smaller entity, auditor may rely less on authorization and approval for audit evidence regarding the validity of related party transactions and instead may consider performing other audit procedures (inspecting documents, confirmations)
14) nature of further audit procedures refers to their purpose (tests of controls or substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures.
15) Certain audit procedures may be more appropriate for some assertions than others, i.e. for revenue, tests of controls may be more responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures for assessed risk of misstatement of the occurrence assertion.
16) higher auditor’s assessment of risk = more reliable and relevant evidence is sought
17) timing - when audit procedures are performed or the period or date to which the audit evidence applies.
18) higher risk of MM = more likely auditor will decide to perform substantive audit procedures nearer to period end date or unannounced
19) contrary argument is that performing audit procedures before the period end may assist the auditor in identifying significant matters at an early stage of the audit, and resolve w/mgmt or develop effective audit plan to address
20) If the auditor performs tests of the operating effectiveness of controls or substantive testing before the period end, the auditor should consider the additional evidence that is necessary for the remaining period
21) when considering when to perform audit procedures, consider:
a) effectiveness of control environment
b) when relevant info is available
c) nature of risk
d) period or date to which audit evidence relates
22) extent - quantity of a specific audit procedure to be performed; for example, a sample size or the number of observations of a control activity. determined by the judgment of the auditor after considering the materiality, the assessed risk of material misstatement, and the degree of assurance the auditor plans to obtain
Auditor should use professional judgment in determining the nature, extent, and timing of the testing of journal entries and other adjustments, considering:
1) risk of MM due to fraud
2) effectiveness of controls over JEs and other adjustments
3) financial reporting process and nature of evidence that can be examined
4) characteristics of fraudulent entries or adjustments
5) nature and complexity of accounts
6) JEs or other adjustments processed ouside of normal course of business
control risk =
inherent risk =
audit risk =
detection risk =
risk of material misstatement =
risk of material misstatement and detection risk are positively/directly or inversely related?
control risk = risk that material misstatement that could occur in a transaction or adjusting entries will not be prevented or quickly detected by internal controls (can be assessed by auditor, but cannot be changed/reduced by auditor)
inherent risk = susceptibility of transactions to be recorded in error or to be influenced by mgmt’s fraudulent activities (can be assessed by auditor, but cannot be changed/reduced by auditor)
audit risk = Risk that auditor expresses an inappropriate opinion when financial statements are materially misstated
detection risk = risk that material misstatement would not be caught by audit procedures
risk of material misstatement = auditor’s combined assessment of inherent risk and control risk (both exist independently of the audit of FS
risk of material misstatement and detection risk are inversely related: higher risk of MM = lower risk of detection risk that can be accepted by auditor
auditor must consider audit risk and must determine a materiality level for the financial statements as a whole for the purpose of:
1) determining extent and nature of risk assessment procedures
2) identifying and assessing the risks of material misstatement
3) determining the nature, timing, extent of further audit procedures
4) evaluating whether the FS as a whole are fairly presented in all material respects in conformity with applicable reporting framework
5) obtaining reasonable assurance about whether the consolidated FS as a whole are free from material misstatement whether due to error or fraud
auditor often applies a percentage to a chosen benchmark as a step in determining materiality for the financial statements as a whole; the auditor considers factors such as:
1) elements of FS (asset, liab, equ, income, exp) and the FS measures defined in GAAP
2) whether there are FS items on which users tend to be focused
3) nature of entity and industry and changing economic environment in which it operates
4) size, nature of ownership, way it’s financed
5) relative volatility of the benchmark
auditor should consider whether misstatements of lesser amounts than the financial statement materiality level could reasonably be expected to influence economic decisions of users and thus cause the auditor to evaluate them as material; should consider factors such as the extent to which the misstatement:
1) affects compliance with regulatory requirements, debt covenants, contractual requirements
2) relates to incorrect selection or application of accounting policy currently immaterial but expected to become material
3) masks change in earnings or other trends
4) affects ratios used to evaluate entity’s financial position
5) has effect of increasing mgmt’s compensation
6) is significant with regard to previous communications to users
7) related parties
8) omission of information not required by framework but is in auditor’s professional judgment to be important to users’ understanding of financial position
9) affects other information that will be communicated to users in audited FS
10) misclassification
11) too costly to correct
12) represents risk that other undetected misstatements would affect auditor’s evaluation
13) changes loss into income or vice versa
tolerable misstatement
application of performance materiality to a particular audit sampling procedure and may be the same amount or an amount smaller than performance materiality.
performance materiality
Performance materiality = amount less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
auditor should determine one or more levels of performance materiality for classes of transactions, account balances, and disclosures.
Performance materiality is a planning concept related to the auditor’s determination of materiality for planning the financial statement audit in such a way that misstatements, combined for all of the tests in the entire audit, do not exceed materiality for the financial statements.
i.e. auditor should normally set performance materiality for a specific audit procedure at less than the financial statement materiality so that when the results of the audit procedures are aggregated, the required overall assurance is attained.
Group vs component auditor - when and when not to reference CA
No reference is made to the CA when:
1) CA is associated with or retained by group audit engagement team
2) group audit partner is satisfied with CA’s work
3) portion of FS examined by CA is immaterial
Conditions for referencing component auditor (CA)
1) component’s FS are prepared using the same financial reporting framework, unless certain criteria are met
2) CA has performed audit that meets GAAS/PCAOB requirements
3) CA’s report is not restricted as to use
Group partner can make reference to CA in group report if:
1) group partner indicates dollar amounts audited by CA (total assets, revenues)
2) obtain CA’s permission to include name
3) presents CA’s report
4) if group partner chooses not to name the CA in the group report the group partner should indicate dollar amounts audited by CA (total assets, revenues)
when and when not to use work of CA
1) group engagement team or component auditor should perform audit of component using materiality of component
2) group engagement team should be involved in risk assessments and should inquire about significant business activities, susceptibility of component to MM
3) group team should review component auditor’s documentation incl audit program and workpapers (to ascertain that sufficient appropriate audit evidence has been obtained)
4) If it isn’t possible to rely on work of CA, a qualified or disclaimed report may be appropriate
5) If CA’s report is qualified, the group partner must assess materiality to group FS as a whole
WHEN NOT TO USE CA WORK:
1) CA lacks independence relevant to group audit
2) group engagement team has concerns about ability to make reference or otherwise use work of CA; group engagement team ultimately responsible for obtaining sufficient appropriate evidence to support auditor report
when is a component unit significant?
1) Individually significant to the group financial statements = audit the financial information
2) Due to specific nature or circumstances, likely to include significant risks of material misstatement in the group financial statements = audit the financial information or one or more accounts, classes of transactions, or disclosures
3) if not significant, then analytical procedures at the group level may be appropriate
Work of specialists engaged by auditor
types of specialists:
valuation (appraiser, FV experts)
amounts derived by specialized techniques (actuary)
quantity/conditions (engineers, geologists)
interpretation (attorney, regulatory experts)
NOT INTERNAL AUDIT
Work of specialists engaged by auditor - how to evaluate
evaluate competence, capabilities, and objectivity
inquire regarding threats to objectivity
use variety of sources
obtain knowledge of qualifications, professional license, association, etc.
obtain agreement as to roles and responsibilities
include within scope of QC policies and procedures
auditor’s responsibilities vs specialist’s responsibilities
auditor’s responsibilities:
establish agreement relating to nature, scope, objectives of work including form and content of specialist’s report
understand significant assumptions and methods used
specialist’s responsibilities:
appropriateness and reasonableness of methods and assumptions used and applications of procedures
accept findings of specialist and related FS assertions, unless auditor’s procedures determine findings are unreasonable
work of specialists engaged by mgmt
evaluating mgmt’s specialists SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - consider objectivity, competency, capabilities of specialist
obtain work incl technical or professional standards
use variety of sources
inherent threats to objectivity SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - evaluate specialist relationship with client (perform additional procedures, consider using auditor specialist to corroborate work)
work of IA - effects
1) may impact nature, timing, extent of audit procedures
2) may provide direct assistance in performing procedures (understanding IC, control risk assessment, substantive procedures)
3) responsibility for opinion cannot be shared with IA
work of IA - consideration of IA work
1) obtain understanding of IA function, incl IC (status in org, nature/timing/extent of their work, limitations on scope of activities?)
2) identify IA activities that are relevant to audit
3) assess the competence and objectivity (education level, professional certification/experience)
4) may change or reduce work of independent auditor
can an independent auditor share responsibility with IA (who is assessed to be competent and objective) for evaluation of significant accounting estimates and/or materiality of misstatements?
NO and NO
may IA provide direct assistance to independent CPA in obtaining understanding of IC structure, performing tests of controls, performing substantive tests?
YES YES YES
auditor must perform tests of compliance with laws and regulations that are fundamental to an entity’s business that have a direct or indirect effect on the entity’s financial statements for an engagement
unavoidable risk exists that some material misstatements are not detected. Inherent limitations on the auditor’s ability to detect material misstatements are greater for the following reasons:
1) Many laws and regulations relate principally to the operating aspects of an entity, and therefore do not affect the financial statements and are not captured by the entity’s information system
2) Noncompliance may involve conduct designed to conceal it, such as collusion, forgery, or intentional misrepresentations made to the auditor.
3) A court of law, not the auditor, determines if an act constitutes noncompliance.
While the audit conducted according to GAAS contains no specific procedures designed to detect noncompliance of laws and regulations, certain audit procedures may bring noncompliance of laws and regulations to the auditor’s attention including:
1) inquiring of mgmt and those charged with governance about whether the entity is in compliance with such laws and regulations
2) inspecting correspondence with relevant regulatory or licensing authorities
if non-compliance with laws or regulations becomes apparent:
1) auditor should obtain understanding of nature of the act and circumstances in which it occurred
a) examine supporting documents and compare them to accounting records
b) confirm info with 3rd parties
c) determine whether transaction has been properly authorized
d) consider whether similar transactions have occurred and apply procedures to identify them
e) discuss with mgmt and those charged with governance
2) obtain further information to evaluate possible effect on FS
3) obtain sufficient appropriate audit evidence to form an opinion and report at the level specified in the governmental audit requirement about whether the entity complied in all material respects with applicable compliance requirements
4) identify audit and reporting requirements specified in governmental audit requirement and perform procedures to address those requirements
5) consult w/mgmt a level above those involved to obtain understanding of nature of act
6) consult with client’s legal counsel or other specialists if mgmt’ response is unsatisfactory
If management or those charged with governance are unable to provide sufficient information supporting compliance with laws and regulations, the auditor should evaluate the effect of the lack of sufficient appropriate audit evidence on the auditor’s opinion.
The auditor should also evaluate the implications of noncompliance in relation to other aspects of the audit and take appropriate action.
It may be necessary for the auditor to modify the audit opinion based on noncompliance with laws and regulations.
1) should issue qualified or adverse if determines noncompliance with laws/regulations has material effect of FS and that the act has not been properly accounted for or disclosed
2) should express qualified or disclaim opinion if precluded by client for obtaining sufficient appropriate audit evidence to evaluate whether noncompliance with laws/regulations that could be mateiral have occurred
3) should withdraw from engagement if client refuses to accept auditor’s report as modified and include reasons for withdrawal in writing to those charged with governance
4) determine whether you have the responsibility to notify outside parties of noncompliance
5) include description of noncompliance and results of discussions with those charged with governance as well as with 3rd parties in audit documentation
auditor should request from management written representations that are tailored to the entity and the governmental audit requirements:
1) mgmt understands their responsibility for understanding and complying
2) mgmt acknowledges responsibility for design, implementation, maintenance of controls around compliance with governmental programs in accordance with compliance requirements
3) mgmt states that they have identified and disclosed to auditor all government programs and related activities subject to governmental audit requirement
4) mgmt states they have made available to auditor all contracts, grant agreements, correspondence relevant to programs related to governmental audit requirement
5) mgmt states all known noncompliance has been disclosed to auditor
6) mgmt states they believe entity has complied
7) mgmt has made all documentation available to auditor
8) mgmt understands responsibility for taking corrective action
conditions that increase risk in accounting estimates
1) differing interpretation of accounting principles
2) required complex or subjective judgment
3) assumptions about effects of future events
4) potential lack of consistency from period to period
5) management bias
factors that impact risk in accounting estimates
1) complexity and subjectivity associated with process
2) availability and reliability of data
3) number and significance of assumptions made
4) degree of uncertainty associated with assumptions
auditor responsibilities regarding accounting estimates
1) recognized and disclosed accounting estimates are reasonable (related disclosures are adequate, are in accordance with applicable financial reporting framework)
2) obtain understanding of following as basis for risk identification and assessment:
requirements of applicable financial reporting framework
how mgmt identifies relevant transactions and events that require estimation for presentation or disclosure
how mgmt makes the estimates including what data the estimates are based on
method/model, controls, use of specialist, assumptions, changes in method/assumptions from prior
auditor responsibilities regarding risk with related parties
1) identify material related party transactions that could affect FS
2) common ownership or mgmt control relationships (obtain understanding of mgmt’s responsibilities, activities, relationships with entity components)
3) consider business purpose served by components
4) transactions should not be assumed to be outside of ordinary course of business, absent evidence to the contrary
conditions that may indicate related parties
1) borrowing or lennding interest free or below market rate
2) selling RE at price significantly different than FMV
3) nonmonetary exchanges
4) loans without written terms
conditions that could lead to transactions without substance:
1) lack of sufficient working capital or credit
2) urgent desire to improve earnings or stock price
3) overly optimistic forecasted earnings
4) concentrated dependence on few customers or products
5) declining industry, incl obsolete products/services
6) significant litigation
IT general controls - physical and online security
Security admin
