Final review Flashcards
Objectives ORC
Operations
Reporting
Compliance
CRIME
Control environment
Risk assessment
Information & communication
Monitoring
Existing Control Activities
C = EBOCA
Ethics
Board oversight
Organizational structure
Competence
Accountability
R = SAFR
Specify objectives
Asses changes in the control environment
Fraud
Risk analysis
I = OIE
Obtain information
Internally communicate
Externally communicate
M = SOD
Separate &
Ongoing evaluations
Deficiency communication
E = CATP
Control
Activities
Technology
Policies and procedures
SSARS - Statements on Standards for Accounting and Review Services
(types, assurance for each type, independence for each type, opinion/conclusion/report?)
SSARS - preparation, compilation (of either historical OR proforma) & reviews of historical FS (of unaudited FS for nonissuers)
Statements on Standards for Accounting and Review Services codified in AR-C
Preparation- no assurance, no independence, no opinion/conclusion/report
Compilation- no assurance, no independence but must disclose if not, no opinion or conclusion but yes report
Review- limited (negative) assurance, independence required, no opinion but yes conclusion
SSAE - Statements on Standards for Attestation Engagements
(types, independence for each type, assurance for each type, opinion/conclusion?)
SSAE - agreed-upon procedures, review or examination of proforma projections/forecasts (anything that IS NOT historical FS)
Attest engagements - exam, review, or AUP (agreed upon procedures) on a subject matter or assertion about a subject matter - WRITTEN CONCLUSION/WRITTEN ASSERTION
AUP, forecasts/projections, proforma FS, compliance, MD&A, reporting on controls at a service organization
agreed upon procedures - independence required, no assurance, list of procedures and findings
review (not historical FS) - independence required, limited (negative) assurance, conclusion
examination (not historical FS) - independence required, reasonable (positive) assurance, opinion
Which standards apply to REVIEW engagements?
SSAE - applies to anything that’s not historical financials so applies to review of management assertions
PCAOB - applies to quarterly reviews/interim for issuers that have annual audit
SAS - applies to quarterly reviews/interim for NON-issuers that have annual audit
SSARS - applies to reviews for NON-issuers annual financial statements that do NOT also get audited
Which standards apply to an AUDIT of a NON-issuer?
SAS - Statements on Auditing Standards published by Auditing Standards Board is comprised of Generally Accepted Auditing Standards (GAAS)
performance principle (assurance)
reasonable assurance must be obtained about whether FS as a whole are free of material misstatement, whether due to fraud or error
reporting principle (opinion)
based upon the sufficient appropriate evidence obtained (auditor should issue a written report expressing an opinion or make a statement that an opinion cannot be expressed)
Government Auditing Standards conducted under Government Accountability Office (GAO)
Generally Accepted Government Auditing Standards GAGAS or “Yellow Book”
Single Audit Act threshold?
Type A vs Type B program?
single audit is divided into two areas: compliance and financial
Threshold of $750,000 is related to expenses, not revenues.
Type A program - federal program that exceeds a quantifiable amount of federal awards expended, then determined whether high or low risk
minimum coverage rule:
high risk - recipient that has high risk of noncompliance with federal laws and regulations; audit 40% of total awards expended
low-risk - recipient that has low risk of noncompliance with federal laws and regulations; audit 20% of total federal awards expended
Type B program - any program that doesn’t meet Type A requirement
AICPA Code of Professional Conduct: (“SPROID”)
- scope and nature of services principle
- public interest principle
- responsibilities principle
- objectivity & independence principle
- integrity principle
- due care principle
AICPA Code of Professional Conduct
Adverse threat
Advocacy threat
Familiarity threat
Management participation threat
Self-Interest threat
Self-review threat
Undue influence threat
member’s interests are in opposition of client (litigation)
member will promote client’s interests or position, lack of objectivity/compromise indep
member will be too sympathetic due to long close relationship
member will take on role of client mgmt
member could benefit from interest in or relationship with client
member will not appropriately evaluate results of previous judgment
member will subordinate judgment to client due to coercion or agression
AICPA Code of Professional Conduct
Independence Rule
-unpaid fees threat
-financial interest threat
-mutual funds threat
-retirement/savings account threat
-unpaid fees threat: compliance with independence rule would not/could not be reduced to acceptable level = impaired
-financial interest threat: direct or material indirect financial interest in client or firm employee or their immediate family own >5% of client’s securities = impaired
-mutual funds threat: owns >5% of shares in diversified mutual fund, need to evaluate whether ownership is material indirect financial interest
-retirement/savings account threat: employee or immediate family member self-directs investments or has ability to supervise or participate = direct financial interest = impaired; if interest is defined benefit plan = not considered a financial interest unless they can direct or supervise or participate
AICPA Code of Professional Conduct
Independence Rule
Partnerships
LLC
Trust/estate
Partnerships: direct financial interest = impaired (limited partnership = indirect financial interest as long as no control/supervise/participate)
LLC: managing interest = direct financial interest = impaired; non-managing = indirect interest
Trust/estate: investment decision-making, >10% of client’s securities or total assets = impaired
AICPA Code of Professional Conduct
Independence Rule
-deposit accounts
-loans
-leases
deposits: no self-interest threat if balance is insured by state/fed gov deposit insurance, any uninsured is immaterial
loans: no self-interest threat if unsecured loan is immaterial to net worth or is a home mortgage or is a secured loan; or a collateralized auto loan, collateralized CSV of life insurance policy, cash collateralized loan
leases: must be an operating lease, terms comparable with other leases of similar nature
AICPA Code of Professional Conduct
Independence Rule
(simultaneous employment, honorary director/trustee, appraisal/valuation services, forensic accounting, witness, IA services, tax services)
simultaneous employment with client = independence impaired
honorary director or trustee = independence not impaired as long as position is clearly honorary (no voting)
appraisal, valuation, actuarial services = independence not impaired if service provided was solely for nonfinancial statement purposes, otherwise, independence is impaired
forensic accounting = litigation consultant (not impaired)
expert witness = impaired unless witness for a large group where client is small percentage of group and is not lead
internal audit services = impaired if client outsources IA function to covered member
tax services = not impaired as long as services are prep/submit/pay tax returns and covered member does not have control over client’s funds & client reviews/signs returns
PCAOB Ethics and Independence Rules
FORM AP - (Auditor Reporting of Certain Audit Participants)
filed with PCAOB for each new issuer audit and discloses: name of engagement partner, info of any other audit firm participating in audit whose work constituted at least 5% of total audit hours and aggregate info of any other firms whose participation was less than 5% of total audit hours
filing required no more than 35 days after audit firm files the audit report with SEC; for IPOs filing is required within 10 days after auditor's report is first included in a document filed with SEC
Government Accountability Office
Government Auditing Standards (GAGAS)
Independence of Mind
Independence in Appearance
Independence of mind: (professional judgment not compromised)
Independence in appearance: (professional skepticism not compromised)
Professional skepticism
IMPEDIMENTS & MITIGATIONS
impediments - inherent pressures (maintaining client relationships, keep costs down, avoid conflicts w/mgmt), inappropriate levels of confidence or trust in mgmt, personal bias, lack of training and expertise
mitigate with setting tone at top that emphasizes need for professional skepticism, maintaining promotion and compensation processes that enhance it, assigning personnel with appropriate background
Professional judgment
Professional judgment is the accumulated knowledge that an auditor gains through experience and training to make critical judgments in an objective, professionally skeptical manner. Overlaying this with professional and ethical standards results in ability to make informed decisions
“Communication to those charged with governance”
4 required communications
opinion
mgmt responsibilities
GAAS/reasonable not absolute
auditor responsibilities
1) auditor is responsible for forming and expressing an opinion about whether the financial statements that have been prepared by management with the oversight of those charged with governance are presented fairly, in all material respects, in conformity with the applicable financial reporting framework.
2) audit of FS does not relieve mgmt or those charged with governance of their responsibilities
3) auditor is responsible for performing the audit in accordance with generally accepted auditing standards and that the audit is designed to obtain reasonable, rather than absolute, assurance about whether the financial statements are free of material misstatement
4) auditor should communicate the auditor’s responsibility with respect to other information prepared by management that accompanies the audited financial statements.
“Communication to those charged with governance”
Internal controls and control deficiencies
Control deficiencies identified during the audit that upon evaluation are considered significant deficiencies or material weaknesses should be communicated in writing to management and those charged with governance as a part of each audit
Statement on Quality Control Standards (SQCS) 8 - A Firm’s System of Quality Control “HELPME”
1) HR (recruiting, hiring practices, professional development)
2) Engagement & acceptance (policies and procedures on services performed)
3) Leadership (tone at top)
4) Performance (guidance on supervision, review)
5) Monitoring
6) Ethics (policies and procedures that spell out ethics)
Developing overall engagement strategy - 4 things that help determine amount, timing and supervision of resources
1) determine characteristics that define scope (basis for reporting, industry-specific reporting requirements, entity’s locations)
2) determine reporting objectives of engagement to plan timing of audit, nature of communications requirements and key dates for expected communications
3) consider important factors that determine focus of audit team’s efforts (materiality levels, preliminary areas for potential misstatements, financial reporting developments)
4) determine nature/timing/extent of resources necessary to perform engagement
audit plan MUST HAVE these 3 things in order to achieve audit objectives:
1) description of nature/extent/timing of planned risk assessment procedures sufficient to assess risks of material misstatement
2) nature/extent/timing of planned further audit procedures for each material class of transactions/account balances/disclosure
3) other audit procedures to comply with GAAS
developing detailed plan for attest engagement
1) while detailed plan not required, accountant should prepare /retain sufficient documentation to allow engagement teams/partners to satisfy supervision/review/QC responsibilities
2) accountant should determine nature/extent/timing of planned procedures in order to achieve engagement objectives
auditor should identify the relevant factors that define the nature of an entity, and document the procedures performed to obtain that understanding. In particular, that understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit.
this helps:
1) establish materiality and reevaluate that throughout the audit
2) consider appropriateness of chosen accounting policies and adequacy of disclosures
3) identify special areas of consideration might be necessary
4) develop expectations when performing analytical procedures
5) design and perform further audit procedures to reduce audit risk
6) evaluate sufficiency/appropriateness of audit evidence obtained
auditor should obtain understanding of entity’s IT systems infrastructure and document procedures to obtain understanding of…
a) description of functions of system
b) change control process
c) security evaluation
d) system documentation should be reviewed for completeness, accuracy, timeliness
attestation engagements: what is attestation risk? Does it apply to AUP?
the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) is materially misstated.
Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design of procedures in that type of engagement is the responsibility of the specified party(ies).
whether a control is relevant to financial reporting?
whether and how a control prevents, detects, corrects material misstatement in either classes of transactions, account balances, or disclosures
identifying internal controls relevant to financial reporting - accounting review and engagements SSARS (preparation, compilation, review)
preparation - does not require the accountant to be independent. The accountant is not required to verify the accuracy or completeness of the information provided by management or otherwise gather evidence to express an opinion or conclusion on the financial statements.
compilation engagement is a no‐assurance engagement. There is no expectation that the accountant would obtain an understanding of internal control in this type of engagement. The accountant only needs to be able to have competence and capabilities to read the financial statements for obvious departures from the applicable financial reporting framework.
review engagement provides limited assurance. There is no requirement in a review to obtain a specific understanding of the design of internal controls
IT general controls apply when?
apply to all aspects of IT function BEFORE TRANSACTIONS ARE PROCESSED (vs. application controls that operate at the process level and apply to processing transactions)
outside controls that provide protection for applications and mitigate:
risk of system crash
risk of unauthorized processing
risk of unauthorized master file updating
risk of unauthorized change to application software
IT general controls - 6 types
1) admin of IT function (tone at the top, control environment)
2) segregation of duties
3) system development (segregation of roles)
4) physical and online security
5) backup and contingency planning
6) hardware controls (to detect system failure)
IT general controls - system development (ARC segregation of duties can protect you from a “flood” of problems)
System development (purchase and/or develop/test software) (“authorization”)
system analysts - architect designs system
programmers - create/write the program, document it (cannot be user of system - violation of segregation of duties)
Operations (“recording/record keeping”)
Librarian - program moves from programmer to librarian , who controls the use of the program and does not release it back to the programmers when they need to make changes
network administrator - maintains network, supports all users using network
computer operators - import data into the computer system
Data control (“custody”)
database admin - “hold keys”, super user logins and all data for company (cannot have access to operations or system development - violation of segregation of duties)
IT application controls (what are they and what do the controls surround?)
Application controls - **controls that surround the applications themselves **
designed for each software specifically
manual or automated controls - input, processing, and output controls
IT application controls - INPUT CONTROL
info entered correctly: check digit, pull down list, validity check, limit test
IT application controls - PROCESSING CONTROL
data processed correctly: sequence test, validation test, data reasonableness test, completeness test
IT application controls - OUTPUT CONTROL
detect errors after processing data: reconcilement, review for reasonableness by knowledgeable employees
Preventative controls
qualified personnel, adequate training
segregating duties to prevent fraud
controlling physical access and system access (key cards, passwords, biometrics)
Detective controls
QC
reconcilement
Corrective controls
backup copies
procedures to correct errors
DR plan
computer emergency response team (CERT) to react to security breaches and take corrective action timely
-determine problem exists
-contain the problem quickly to minimize damage
-identify why problem occurred
-repair damage and correct problem (restore backup, reinstall corrupted program)
-determine prevention in future
-determine whether to prosecute perpetrator
SOC 1 vs SOC 2 reports (implications of using a 3rd party service provider)
SOC 1 report addresses internal controls over financial reporting, the SOC 2 report focuses on operational and compliance controls
Type 1 report provides a report of procedures / controls an organization has put in place as of a point in time.
Type 2 report has an audit period and provides evidence of how an organization operated its controls over a period of time.
limitations of controls
human judgment, human failures
lack of understanding of purpose of control
collusion
mgmt override**mitigation/detection: examine JEs and other adjusting entries for evidence of possible misstatement due to fraud; review accounting estimates for biases that could result in misstatement due to fraud; evaluate business rationale for significant unusual transactions
segregation of duties not possible due to small number of employees
fraud triangle
opportunity
pressure (earnings)
rationalization
assessing fraud on other types of engagements (SSARS - compilation, review)
Compilation engagements provide no assurance. There is no responsibility on the part of the practitioner to perform any procedures to identify or respond to fraud risk.
Review engagements provide limited assurance. Inquiry, analytics, and other procedures are designed and performed to provide limited assurance, which is substantially less than the reasonable assurance expressed in an audit.
Discuss with appropriate parties; ask they bring in legal or regulatory, obtain legal advice, communicate with regulator
In a review, if the accountant becomes aware of any actual, suspected, or alleged fraud or noncompliance with laws or regulations affecting the subject matter, the accountant should communicate (either written or oral) the matter as soon as practicable to the appropriate level of management
assessing fraud on other types of engagements (SSAE/attestation - AUP, review of anything not historical FS, examination)
attestation engagement - Examination engagements require an assessment of attestation risk, similar to financial statement audits, to provide reasonable assurance whether any material modifications should be made to the underlying subject matter in order for it to be in conformity with stated criteria.
In both examination and review engagements, the accountant should make inquiries of appropriate parties to determine whether they have knowledge of any actual, suspected, or alleged fraud
In an agreed‐upon procedures engagement, the design of procedures is the responsibility of the specified party(ies). Those procedures may or may not include fraud‐related procedures.
assessing risk of material misstatement - risk assessment procedures
Risk assessment procedures:
1) inquiries of mgmt
2) analytical procedures
3) observation and inspection
assessing risk of material misstatement - risk assessment procedures - analytical procedures
analytical procedures applied at two phases of all audits:
1) initial planning stages to help plan nature, timing, extent
2) overall review of financial information in the final review stage of audit
analytical procedures should focus on:
1) enhancing auditor’s understanding of client’s business and transactions and events that have occurred since last audit
2) identify areas that represent specific risks relevant to audit
identify unusual transactions, amounts, events
auditor should develop expectations of relationships reasonably expected to exist
assessing risk of material misstatement - risk assessment procedures - observation and inspection
observation of entity activities and operations
inspection of documents, records
reading mgmt reports
physical observation of premises
auditor should remain alert when inspecting records or documents for arrangements or other information that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor (bank and legal confirmations, BOD/AC meeting minutes)
3 relevant assertion items TAP
Transactions
Account Balances
Presentation and Disclosure
Assertions: COVERU
Completeness
Offs (cut)
Valuation, allocation, & accuracy
Existence & Occurrence
Rights and Obligations
Understandability & Classification
Assertions for assets/revenues
Assertions for liabilities/expenses
Assets/Revenues = Existence, more risk that client overstates. Test from ledger to source docs. VOUCH
Liabilities/Expenses = Completeness, more risk that client understates. Test from source docs to ledger. TRACE
assertions by class
Transaction cycles: PP&E
Completeness = “tracing” = trace sample of fixed assets from fixed asset schedule/FA requisition form to the GL; examine repair and maintenance expense for additions or disposals
Off(cut) = examine purchases and sales shortly before and after period end
Valuation/allocation/accuracy = recalculate depreciation to verify reasonableness
Existence & occurrence = “vouching” = vouch sample of receiving reports to vendor invoices to determine that items have been properly received and properly paid for
Understandability & classification = examine all charges made to repairs/maintenance expense to verify capitalization vs expense
Transaction cycles: stock
treasury stock
stock transactions
board minutes
articles of incorporation
stock transfer agent
stock certificate
retained earnings
Transaction cycles: inventory
asset tagging
controls
observation
calculation
comingled goods
related accounts
quantity
presentation
analytical review
obsolete/damaged goods
Transaction cycles: investments
segregation of duties
outside confirmations
physical inspection
cutoff
confirmations
reasonableness/appropriateness
knowledge/skill
Transaction cycles: cash
bank confirmation (open/closed acct)
bank reconciliation
cutoff, i.e. bank statement
Transaction cycles: payroll expenses (ARC)
Authorization = supervisor/HR
recording = payroll dept
custody = treasurer
Completeness = “tracing” = trace timesheets to payroll report/register
Off(cut) = pull sample of timesheets before and after cutoff
Valuation/allocation/accuracy = confirm valuation of payroll expense on IS by comparing amounts recorded in payroll to total amount of checks issued and outstanding; compare labor rates to employee records; recalculate based on sample of payroll checks
Existence & occurrence = “vouching” = vouch payroll report back to entries made in payroll register back to sample of timesheets
Understandability & classification = review sample of paychecks and determine whether classified into proper expense item on IS
Transaction cycles: revenue/sales (ARC)
author = credit, i.e. sales order
custody = warehouse
reconcile = shipping, i.e. lading
recording = billing/AR/acctg, i.e. invoice & GL
Completeness = “tracing” = trace sample of sales orders to the shipping documents to sales invoices to sales journal
Off(cut) = compare sample of sales invoices shortly before and after cutoff with shipment dates and dates sales were recorded
Valuation/allocation/accuracy = compare prices to sales terms on invoices to ensure correct amount was computed
Existence & occurrence = “vouching” = vouch sales journal back to invoices back to shipping docs back to sales orders
Understandability & classification = “examine” = examine sample of sales invoices for proper classification into the appropriate revenue accounts
Transaction cycles: expense/purchase (ARC)
author = purchasing dept - approve/prepare PO
custody = warehouse
reconciliation = receiving dept - match with blind PO, prepare receiving report
recording = acctg/AP - receives outside doc/invoice, match to PO/receiving report, prepare and approve payment
cash disbursement = treasury dept - review docs, prepare checks/remittance advice, sign checks, mark voucher as paid, mail checks
Completeness = “tracing” = determine prenumbered listings of purchase orders/vouchers and trace PO/voucher samples to receiving reports to invoices (PO+receiving reports+ invoices = “VOUCHER PACKAGE”) to purchase journal
Off(cut) = determine that dates applied to vouchers/POs with dates that were recorded in sales journal; examine purchases immediately before and after cutoff
Valuation/allocation/accuracy = recalculate amounts recorded on vendor invoices
Existence & occurrence = determine if expenditures were properly authorized and properly presented on receiving report.
Understandability & classification = examine sample of purchases and determine whether they were properly classified
control risk =
inherent risk =
audit risk =
detection risk =
risk of material misstatement =
risk of material misstatement and detection risk are positively/directly or inversely related?
control risk = risk that material misstatement that could occur in a transaction or adjusting entries will not be prevented or quickly detected by internal controls (can be assessed by auditor, but cannot be changed/reduced by auditor)
inherent risk = susceptibility of transactions to be recorded in error or to be influenced by mgmt’s fraudulent activities (can be assessed by auditor, but cannot be changed/reduced by auditor)
audit risk = Risk that auditor expresses an inappropriate opinion when financial statements are materially misstated
detection risk = risk that material misstatement would not be caught by audit procedures
risk of material misstatement = auditor’s combined assessment of inherent risk and control risk (both exist independently of the audit of FS
risk of material misstatement and detection risk are inversely related: higher risk of MM = lower risk of detection risk that can be accepted by auditor
auditor must consider audit risk and must determine a materiality level for the financial statements as a whole for the purpose of:
1) determining extent and nature of risk assessment procedures
2) identifying and assessing the risks of material misstatement
3) determining the nature, timing, extent of further audit procedures
4) evaluating whether the FS as a whole are fairly presented in all material respects in conformity with applicable reporting framework
5) obtaining reasonable assurance about whether the consolidated FS as a whole are free from material misstatement whether due to error or fraud
auditor often applies a percentage to a chosen benchmark as a step in determining materiality for the financial statements as a whole; the auditor considers factors such as:
1) elements of FS (asset, liab, equ, income, exp) and the FS measures defined in GAAP
2) whether there are FS items on which users tend to be focused
3) nature of entity and industry and changing economic environment in which it operates
4) size, nature of ownership, way it’s financed
5) relative volatility of the benchmark
performance materiality
Performance materiality = amount less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
tolerable misstatement
application of performance materiality to a particular audit sampling procedure and may be the same amount or an amount smaller than performance materiality.
Work of specialists engaged by auditor
types of specialists:
valuation (appraiser, FV experts)
amounts derived by specialized techniques (actuary)
quantity/conditions (engineers, geologists)
interpretation (attorney, regulatory experts)
NOT INTERNAL AUDIT
Group vs component auditor - when and when not to reference CA
No reference is made to the CA when:
1) CA is associated with or retained by group audit engagement team
2) group audit partner is satisfied with CA’s work
3) portion of FS examined by CA is immaterial
Conditions for referencing component auditor (CA)
1) component’s FS are prepared using the same financial reporting framework, unless certain criteria are met
2) CA has performed audit that meets GAAS/PCAOB requirements
3) CA’s report is not restricted as to use
Group partner can make reference to CA in group report if:
1) group partner indicates dollar amounts audited by CA (total assets, revenues)
2) obtain CA’s permission to include name
3) presents CA’s report
4) if group partner chooses not to name the CA in the group report the group partner should indicate dollar amounts audited by CA (total assets, revenues)
when is a component unit significant?
1) Individually significant to the group financial statements = audit the financial information
2) Due to specific nature or circumstances, likely to include significant risks of material misstatement in the group financial statements = audit the financial information or one or more accounts, classes of transactions, or disclosures
3) if not significant, then analytical procedures at the group level may be appropriate
work of specialists engaged by mgmt
evaluating mgmt’s specialists SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - consider objectivity, competency, capabilities of specialist
obtain work incl technical or professional standards
use variety of sources
inherent threats to objectivity SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - evaluate specialist relationship with client (perform additional procedures, consider using auditor specialist to corroborate work)
auditor responsibilities regarding accounting estimates
1) recognized and disclosed accounting estimates are reasonable (related disclosures are adequate, are in accordance with applicable financial reporting framework)
2) obtain understanding of following as basis for risk identification and assessment:
requirements of applicable financial reporting framework
how mgmt identifies relevant transactions and events that require estimation for presentation or disclosure
how mgmt makes the estimates including what data the estimates are based on
method/model, controls, use of specialist, assumptions, changes in method/assumptions from prior
conditions that may indicate related parties
1) borrowing or lending interest free or below market rate
2) selling RE at price significantly different than FMV
3) nonmonetary exchanges
4) loans without written terms
conditions that could lead to transactions without substance:
1) lack of sufficient working capital or credit
2) urgent desire to improve earnings or stock price
3) overly optimistic forecasted earnings
4) concentrated dependence on few customers or products
5) declining industry, incl obsolete products/services
6) significant litigation
audit evidence - sufficiency, appropriateness
audit evidence - reasonable assurance
sufficiency: measure of the quantity of audit evidence
appropriateness: measure of the quality of evidence; i.e. relevance and reliability in providing support for conclusions on which auditor’s opinion is based
reasonable assurance: obtained when auditor has obtained sufficient appropriate evidence to reduce audit risk (risk that auditor expresses an inappropriate opinion when FS are materially misstated) to an acceptably low level
Audit procedures:
1) risk assessment procedures
2) substantive procedures
3) tests of controls
1) risk assessment procedures: obtain understanding of entity and its environment, incl IC to assess risks of material misstatement at FS and relevant assertion levels
2) substantive procedures: tests of details or classes of transactions, account balances and disclosures, and substantive analytic procedures to detect material misstatements at the relevant assertion level
(audit procedures include: inspection of records or documents, inspection of tangible assets, observation, remote observation tools, inquiry, confirmation, recalculation, reperformance, analytical procedures (study of plausible relationships among financial and nonfinancial data))
3) tests of controls: test operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level
substantive procedures include: FIVE CARROT CARS
footing
inquiry
vouching
examination
confirmation
analytical procedures
reperformance
reconciliation
observation
tracing
cutoff review
audit related accounts
subsequent events review
auditor should design sufficient tests of controls to obtain sufficient appropriate audit evidence that the controls are operating effectively throughout the period of reliance, considering following factors:
frequency of performance of control
length of time relied upon the effectiveness of control
relevance and reliability of audit evidence obtained to support control preventing/detecting/correcting material misstatements at relevant assertion level
extent that audit evidence is obtained from tests of other controls related to the relevant assertion
extent to which auditor plans on relying on the operating effectiveness of the control in the assessment of risk
expected deviation from control
AUDIT RISK =
AUDIT RISK = (INHERENT RISK X CONTROL RISK = RISK OF MATERIAL MISSTATEMENT) X (ANALYTIC PROCEDURES X TESTS OF DETAILS = DETECTION RISK)
RMM higher = DR lower/higher?
if risk of material misstatement is higher it means that the acceptable level of detection risk should be lower; more substantive procedures needed
sampling risk -
sampling risk - possibility that conclusions about a test of controls or substantive test would be different if test had been applied to the entire population rather than the test sample.
what is complement to sampling risk?
complement to sampling risk is confidence or reliability - if auditor accepts 5% sampling risk, the reliability/confidence level is 95%
sampling risk varies _______? to sample size - (greater or smaller?) the sampling risk you’re willing to accept, the (larger or smaller?) the sampling size needs to be
sampling risk varies INVERSELY to sample size - greater the sampling risk you’re willing to accept, the smaller the sampling size needs to be
nonsampling risk -
nonsampling risk - all aspects of audit risk that are not due to sampling:
1) failure to properly define audit population
2) failure to clearly define nature of audit exception
3) failure to recognize an error when one exists in the sample
4) failure to evaluate sample findings properly
Statistical sampling -
Statistical sampling - laws of probability can be used to make statements about a population. For a sampling plan to be statistical, the following two requirements must be met:
a) sample must be statistically selected (eg random number table selection)
b) sample results must be mathematically evaluated (eg systematic interval)
Nonstatistical sampling -
Nonstatistical sampling - any sampling plan that does not meet all the rigorous requirements of statistical sampling
haphazard - no conscious bias
block sampling - contiguous population items (all invoices processed on a certain date)
discovery sampling - use when expected occurrence rate is near zero, designed to yield sample size large enough so if auditor is wrong at least one occurrence will be produced, used to search for very critical characteristic that might indicate more serious issue
Variable sampling (substantive procedures) - PPS/MUS
$ value in sample gives indication of $ value in population
population automatically stratified by monetary value; large dollar amounts have higher probability of being selected, thus OVERSTATEMENTS ARE MORE LIKELY DETECTED
Use when you expect a LOW error rate
AUDIT RISK = (INHERENT RISK X CONTROL RISK = RISK OF MATERIAL MISSTATEMENT) X (ANALYTIC PROCEDURES X TESTS OF DETAILS = DETECTION RISK)
PPS/MUS example:
CPA is performing PPS sampling of client’s AR that is reported at $1.2 million with over 1000 customers, tolerable misstatement is $40,000, allowance for sampling risk/risk of incorrect acceptance is 10%, so rate of confidence/reliability is 90%.
AICPA audit guide:
risk of incorrect acceptance of 5% = confidence level of 3
risk of incorrect acceptance of 10% = confidence level of 2.31
risk of incorrect acceptance of 15% = confidence level of 1.90
1) What is sampling interval?
2) What is the sample size for PPS/MUS sample?
1) tolerable misstatement of $40,000 / confidence level factor of 2.31 = $17,316
2) $1.2 million / sampling interval $17,316 = sample size of 69.30 or 70 rounded since you can’t sample 0.3 of an item
(so CPA will examine 70 account balances to test for overstatement. If no misstatements are found in the sample, then CPA can conclude with confidence that $1.2 million is not overstated by more than the $40,000. No misstatements in sample does NOT mean that the risk of incorrect acceptance is reduced)
attribute sampling (tests of controls)
error rate in sample indicates error rate in population
Attribute sampling - tests of controls, also may be used in substantive tests not intended to project misstatement in $$$/monetary terms
AUDIT RISK = (INHERENT RISK X CONTROL RISK = RISK OF MATERIAL MISSTATEMENT) X (ANALYTIC PROCEDURES X TESTS OF DETAILS = DETECTION RISK)
Classical variables sampling (substantive tests)
Attribute sampling (tests of controls)
alpha risk (efficiency) vs beta risk (effectiveness)
sampling risk with test of controls: risk of assessing control risk too low = beta risk; risk of assessing control risk too high = alpha risk
sampling risk with substantive tests: risk of incorrect acceptance = beta risk = balance balance accepted as correct when it isn’t; risk of incorrect rejection = alpha risk = balance rejected as incorrect when it’s correct
Analytical procedures:
Analytical procedures: evaluations of financial information (with comparisons made between both financial and nonfinancial data) made by a study of plausible relationships reasonably expected to exist and continue by investigating fluctuations/relationships inconsistent with other relevant information or significant deviation from predicted amounts
1) planning = required
2) substantive testing = optional
3) overall review = required
audit data analytics (ADA) - the practice of using models and visuals to discover patterns and anomalies within an audit dataset
5 steps
1) plan
2)access and prepare data
3) consider relevance and reliability of data used
4) perform ADA
5) evaluate results and conclude on whether purpose and objectives were met
audit data analytics (ADA) - 1) plan
1) plan ADA
a) risk assessment
b) test of controls
c) substantive procedures
d) combination of all three major steps of audit process
audit data analytics (ADA) - 2) access and prepare data
2) access and prepare data for purposes of ADA - TIE OUT THE DATASET
verify accuracy and completeness of data sets that are used to complete planned procedures
audit data analytics (ADA) - 3) consider relevance and reliability of data used (attribute, structure, source)
3) consider relevance and reliability of data used (attribute, structure, source)
a) attribute = data that can be classified and counted that holds the following:
1) immutable - not changeable
2) copyable
3) indivisible
4) accumulative
b) structure is the particular manner in which data is organized so it can be properly managed. Common data structure:
1) array (table, database)
2) queues
3) stack
4) hash
5) tree (decision process)
c) source is identified as initial place where information use for analysis is first digitized. Common data source:
1) relational databases
2) public databases
3) flat files
4) streaming data
5) cloud storage
audit data analytics (ADA) - 4) perform ADA
4) perform ADA
Perform procedures using outputs (e.g., reports and visualization) from audit data analytic techniques to determine relationships among variables, interpret results, and determine additional procedures to be performed. Traditional techniques:
1) descriptive analytics (describe - mean, median, mode - what happened in the past)
2) predictive analytics (what might happen in the future)
3) prescriptive analytics (how did we respond to it)
audit data analytics (ADA) - 5) evaluate results and conclude on whether purpose and objectives were met
5) evaluate results and conclude on whether the purpose and specific objectives of performing the ADA have been achieved
a) properly document work via flow charts, data visualizations, reports
b) implement continuous control monitoring to facilitate future reviews
c) store ADA audit program, audit workpapers, etc. within central repository to facilitate peer review and related QC measures
special consideration - going concern
going concern audit requirements:
1) conclude based on audit evidence obtained whether substantial doubt about ability to continue as a going concern for a reasonable period of time
a) one year beyond FS date
b) consider time period required by applicable financial reporting framework
2) assess adequacy of uncertainty disclosures
3) determine implications on auditor’s report
a) emphasis-of-matter paragraph
b) disclaimer of opinion is an option
format of rep letter:
format of rep letter:
1) addressed to auditor
2) reps should be made no earlier than auditor’s report (same day)
3) signed by CEO and CFO
4) mgmt’s reps may be limited to matters considered material
5) mgmt’s refusal constitutes a scope limitation: DISCLAIM AN OPINION OR WITHDRAW
TYPE 1 vs TYPE 2 SUBSEQUENT EVENTS:
TYPE 1 SUBSEQUENT EVENTS: provide additional evidence about conditions existing at FS date
1) provide additional evidence about conditions existing at FS date
2) affect inherent estimates in FS
3) require actual adjustment
4) product warranty reserves, settlement of litigation
TYPE 2 SUBSEQUENT EVENTS: conditions or events arising after FS date
1) conditions or events arising after FS date
2) fire, flood, theft, bond issuance, business acquisition
3) disclosure but no adjustment to the FS
subsequent events footnote:
subsequent events footnote:
1) requires entities to disclose date through which subsequent events have been evaluated and whether that date is the date of issuance
2) required regardless of whether entity recognizes or discloses a subsequent event in FS
3) auditor’s report date cannot be earlier than date of mgmt’s subsequent events evaluation note (same date as rep letter)
subsequently discovered facts:
1) through audit report date:
2) after audit report date, but before release:
audit report dating options written representations when audit report is changed: if mgmt refuses to appropriately revise FS - MODIFY OPINION TO QUALIFIED OR ADVERSE (depending on pervasiveness)
subsequently discovered facts:
1) through audit report date: Perform audit procedures to evaluate all subsequent events that may require adjustment of, or disclosure in, the financial statements
2) after audit report date, but before release:
a) not required to perform any audit procedures, but must consider impact on FS if event becomes known
b) discuss matter w/mgmt and determine whether the financial statements need revision and, if so, determine if management intends to address the matter in the financial statements
audit report dating options
1) dual dating - “2/1/201X, except for Note X as to which the date is 2/14/201X”
2) date entire report for a later date which means a larger responsibility for subsequent events extends the date of the report and must extend subsequent procedures to the later date
written representations when audit report is changed:
1) request written representations from mgmt as of new audit report date
2) request written representations from mgmt for dual date report as of the additional date of the report
a) do any previous representations need to be modified?
b) have any other events occurred subsequent to date that need adjustment/disclosure?
if mgmt refuses to appropriately revise FS - MODIFY OPINION TO QUALIFIED OR ADVERSE (depending on pervasiveness)
subsequent events for UNAUDITED FS
-disclose event that arose after original report date “Event (Unaudited) Subsequent to the Date of the Independent Auditor’s Report”
-auditor is not required to perform any procedures on revision and auditor report carries the original date
If fact known to auditor AFTER report release date:
1) discuss matter w/mgmt (and those charged w/governance if necessary) and determine if management intends to address the matter in the financial statements
2) audit report dating options
1) dual dating - “2/1/201X, except for Note X as to which the date is 2/14/201X”
2) date entire report for a later date which means a larger responsibility for subsequent events extends the date of the report and must extend subsequent procedures to the later date
If auditor’s opinion changes from original opinion:
1) disclose in Other Matter paragraph: date of previous report, type of opinion previously expressed, substantive reasons for different opinion, auditor’s opinion on revised FS is different that previously expressed opinion
if mgmt DOES NOT revise FS when needed:
1) if FS HAVE NOT been provided to 3rd parties, advise client not to disseminate until FS and auditor’s reports have been revised
2) if FS HAVE been provided , take action to ensure that anyone in receipt before revision is informed that those FS should not be relied upon
if client refuses cooperation:
1) auditor may notify regulatory bodies as well as each person known to rely on the FS
2) consult with attorney regarding privileged communication state statutes
Emphasis-of-Matter (non-issuer):
required by GAAS, or is included at the auditor’s discretion, and that refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor’s
professional judgment, is of such importance that it is fundamental to users’ understanding of the financial statements.
1) justified change in accounting principle
2) change in audit opinion
3) going concern
4) special purpose framework
Other-Matter (non-issuer):
required by GAAS, or is included at the auditor’s discretion, and that refers to a matter other than those presented or disclosed in the financial statements that, in the auditor’s
professional judgment, is relevant to users’ understanding of the audit, the auditor’s responsibilities, or the auditor’s report.
When should an auditor modify their opinion?
Departures from unmodified opinion: except for vs because of; scope limitation; fraud/misleading FS
report structure: issuers:
1) Title “Report of independent registered public accounting firm”
2) Addressee (BOD & shareholders)
3) Opinion (or disclaimer of)
4) Modified opinion (reasons for modified opinion)
5) Explanatory paragraph (if PY opinion changed, special purpose framework, going concern, mat change in acctg principles, correction of PY misstatement)
6) Basis for opinion (FS are mgmt resp, opinion auditor resp, PCAOB/SEC, audit procedures) (DISCLAIM: remove “our resp to express opinion”, “we conducted audit”)
7) Critical Audit Matters (def of CAM, considerations, how CAM was addressed) (DISCLAIM/ADVERSE= NO CAM)
8) Signature, location, tenure
9) Report date
report structure: non-issuers
1) Title “Independent”
2) Intro (“we have audited”)
3) Mgmt resp (for prep/presentation of FS, GAAP, incl design/impl of IC)
4) Auditor resp (for express opinion w/GAAS, define audit procedures, IC considered but no opinion, “sufficient appropriate audit evidence to express opinion”) DISCLAIM=”suf app audit ev not obtained to express opinion”)
5) Qualified opinion basis (nature and extent of misstatement)
6) Auditor opinion (“in our opinion” “FS present fairly” “in accordance w/GAAP”) QUALIFIED=”EXCEPT FOR”; ADVERSE/DISCLAIM=”BECAUSE OF”; DISCLAIM=”DOES NOT EXPRESS OPINION”
7) Emphasis of matter (if PY opinion changed, special purpose framework, going concern, mat change in acctg principles, correction of PY misstatement)
8) Other matter (Req if auditor report restricted, predecessor report not reissued, optional for any other relevant matter not presented or disclosed)
compilation report structure SSARS
CAR MR ARSOM
Intro
Compiled
Reviewed or Audited (not)
Management Responsibility
Accountant’s Responsibility
SSARS issued by the AICPA
Objective of a compilation is to assist
Management
7) signature of accountant
8) city/state
9) date of report
10) each page of FS complied by auditor MAY include “see accountant’s compilation report”
review report structure SSARS
RAISD RAP RAS BAM
“Independent Accountant’s Review”
R Reviewed (which FS, which period)
A Analytical procedures
I Inquiries of company management
S Substantially less in scope than audit
D Do not express an opinion
“Management’s Responsibility for the FS”
R Responsibility of mgmt for prep/fair presentation of FS
A Accordance with accounting principles
P Preparation and fair presentation due to design/impl/maint of ICs
“Accountant’s Responsibility”
R Responsibility of accountant (conduct review)
A Accordance
S SSARS (obtain limited assurance; results provide reasonable basis for report)
“Accountant’s Conclusion”
B Based on review
A not Aware
M Material modifications (to be in accordance with GAAP)
City/State of issuing office
signature of firm or accountant
each page of reviewed financial statements should reference review report
accountant’s city/state
date of report
Objective of PCAOB AS No.5:
1) establishes requirements for performing exam of design and operating effectiveness of ICFR
2) objective is to form an opinion by obtaining sufficient evidence providing reasonable assurance about whether material weaknesses exist as of date specified in mgmt assessment
3) integrated into FS audit to achieve both engagement objectives simultaneously
elements of auditor report on IC:
title that includes “independent”
mgmt responsibility
identification of mgmt’s report over IC
auditor’s responsibility
definition of ICFR
statement that it was performed under PCAOB standards
obtaining reasonable assurance whether material misstatement exists
summary of procedures performed
auditor believes procedures provide a reasonable basis for opinion
inherent limitations in projecting conclusion to future periods
opinion
signature of firm
city/state of issuing office
date of audit report (same as FS audit date)
Reports on Internal Controls for Issuers: 404(a) & 404(b), elements in Item 9A.
Section 404(a)—Management’s Annual Report on the Effectiveness of Internal Control Over Financial Reporting. Management must evaluate and disclose any change during a fiscal quarter that materially affected, or is reasonably likely to materially affect, internal control over financial reporting
Section 404(b)—Attestation Report of the Registered Public Accounting Firm
10-K Item 9A. Controls and Procedures:
1) mgmt’s responsibility
2) framework used (COSO)
3) effectiveness as of year end
4) disclosure of material weakness
5) statement of auditor attestation (or lack thereof)
Performing integrated audit:
Required top-down approach:
1) begin at FS level and entity-level controls
2) second, consider IC over significant accounts, classes of transactions and disclosures that present reasonable possibility of material misstatement
reissuing reports - subsequent events
a) dual dating: 2/1/20XX except for Note X, as to which the date is 2/14/20XX; this limits auditor’s responsibility to the specific event referred to in that note X
b) date report for a later date: responsibility for subsequent events extends to the date of the report, so you must extend subsequent event procedures to the new date of the report
Reporting on consistency - change in accounting principle, estimate, classification, entity
principle = Justified & material = emphasis of matter paragraph & reference disclosure
principle = Not justified = auditor should evaluate whether change is material misstatement and therefore modify opinion
estimate = if change is correction of material misstatement = emphasis of matter & reference disclosure
classification = if not change in principle nor estimate and not a correction of material misstatement, no need to include
entity = if due to transaction or event no need to include, otherwise emphasis of matter & reference disclosure; if prior year not restated then departure from applicable framework which is QUALIFIED OR ADVERSE
Required supplementary information “RSI” - additional information required to be presented by other accounting standard setters (FASB, GASB)
1) presented along with basic FS
2) considered essential part of financial reporting
3) GAAS audits require Other Matters paragraph
4) required audit procedures for RSI:
a) obtain written representations for mgmt acknowledging responsibility and assertion that the data was measured and presented in conformity with prescribed guidelines
b) inquire about methods of preparing RSI
c) compare for consistency with mgmt’s responses, FS and knowledge obtained during audit
5) RSI Other Matters paragraph:
a) RSI accompanies FS
b) RSI is omitted in entirety
c) RSI is partially missing
d) material departures from guidelines
e) inability to complete necessary procedures
f) unresolved doubts
Special Purpose Framework: REQUIRED EMPHASIS OF MATTER PARAGRAPH:
1) identify applicable financial reporting framework
2) mgmt is responsible for prep and fair presentation of special purpose framework FS
3) mgmt is responsible for determining framework is acceptable in the circumstances
4) description of purpose for which FS are prepared
1) FS are prepared in accordance with special purpose framework
a) refer to note that describes basis
b) alternatively, describe the basis
2) state that framework is a comprehensive basis of accounting other than GAAP
Special Purpose Framework: Report modifications for contractual or regulatory basis:
1) add Other Matter paragraph restricting use of auditor’s report to relevant parties
DO NOT USE GAAP TERMS: instead of BS use “statement of assets, liabilities”, instead of IS use “statement of revenues and expenses”
Liquidity ratios: current ratio (working capital ratio)
current assets/ current liabilities
may question ability to continue as going concern
Liquidity ratios: quick ratio (acid-test ratio)
(current assets - inventory - prepaids) / current liabilities
measures the ability of a company to use its near cash or quick assets to extinguish or retire its current liabilities immediately
Activity ratios: A/R turnover ratio
net sales / avg A/R for turnover in 1 year
(net sales / avg A/R)/365 for turnover in days
how fast are you collecting receivables?
closer to a turnover of 12 means that turnover is monthly; lower number indicates turnover not as quick
Activity ratios: Days in A/R
(ending A/R / net sales) x 365
how many days in A/R before collection?
Activity ratios: Inventory turnover ratio
COGS / avg inventory
how fast are they selling inventory? any obsolete goods or pricing overstatement?
COGS
Beg inventory + purchases - ending inventory
Activity ratios: Days in inventory
(ending inventory / COGS) x 365
how many days before selling inventory?
Activity ratios: operating cycle
days sales in A/R + days in inventory
how many days from acquiring inventory to cash recognition? (how efficient is the business?)
Activity ratios: working capital turnover
net sales / avg working capital
how effectively is working capital used?
Activity ratios: asset turnover
net sales / avg total assets
how effective are you using assets?
Profitability ratios: gross profit margin
(net sales - COGS) / net sales
Profitability ratios: return on assets
net income / avg total assets
Profitability ratios: return on investment
net income / investment
may reveal inconsistencies with industry
Solvency ratios: times earned interest
income before taxes and interest / interest charges
measures a company’s ability to meet debt obligations
Solvency ratios: debt to equity
total liabilities / total equity
indicates relative proportion of shareholders’ equity and debt used to finance a company’s assets
Solvency ratios: total debt ratio
total liabilities / total assets
indicates the percentage of a company’s assets that are provided via debt
