i-75 Flashcards
purpose of an audit
to provide financial statement users with an opinion on whether the financial statements are presented fairly in all material respects with the reporting framework (GAAP or IFRS, or something else)
who are financial statements produced for?
primarily for outside decision makers: investors, potential investors, creditors
are financial statements trustworthy?
no reason for outsiders to trust financial information produced by management (the insiders)
-management might be biased, they might not have good knowledge, they might not be ethical
-independent audit function is designed to add credibility to financial statements
public (issuer) vs private (nonissuer)
-SEC requires a publicly traded company to release their financial statements to the public every three months
-BUT with public companies, they aren’t audited every quarter. they are likely audited after the 4th quarter closes, and just reviewed after the other three quarters close
-for a calendar year corporation, march 31 ends the first quarter, and three month financial statements must be released to show the performance of the quarter
-with private companies, since the SEC has no jurisdiction, they are not required to have an audit or review
management role of the audit
responsible for the preparation and fair presentation of the financial statements
-before, during and after the audit
auditor role of the audit
obtain reasonable assurance as to whether the financial statements are presented fairly
-then they can express an opinion on the financial statements
what’s included in a complete set of financial statements?
-income statement, balance sheet, statement of stockholder’s equity (issuer), statement of retained earnings (nonissuer), statement of cash flows, and related footnotes
statements on auditing standards (SAS) - non issuer
-generally accepted auditing standards (GAAS) for non issuers are issued by the AICPA’s auditing standards board (ASB) in the form of statements on auditing standards
-auditors are required to comply with SAS, and should be prepared to justify any departures from GAAS
statements on auditing standards (SAS) - issuer
-audits of issuers must comply with PCAOB
PCAOB standards
-SOX created PCAOB in 2002
-PCAOB is required to be followed by the CPA when auditing a publicly traded company, and is optional when auditing a non issuer
-PCAOB establishes auditing and related professional practice standards to be used in the preparation and issuance of audit reports for issuers
-public accounting firms must register with PCAOB in order to audit a public company
-registered firms are subject to board inspection, disciplinary proceedings and sanctions
who makes up the PCAOB?
-made up of 5 board members who are financially literate
-two members must be or have been a CPA, the other three must not be CPAs
-a CPA can only act as chair of the board of PCAOB if they have practiced as a CPA for the past five years
-no members of the board can receive payments from a public accounting firm other than retirement payments
-PCAOB is NOT a government agency, but they do report to the SEC
oversight by audit committee
-in each org, management is in charge of day to day operations
-stockholders elect a board of directors to guide and oversee the management
-audit committee of the board of directors normally appoints and works with the independent auditor to reinforce independence from management
who is on the audit committee?
-members of the board of directors who are NOT also management (can’t be CEO, CFO, etc)
-the board members who are independent from management will hire and then work with the independent audit firm
how can you add credibility to financial statements?
-before the financial statements are released, an independent expert is brought in to gather evidence and report those findings in hopes of adding credibility
-that examination and reporting process is known as an attestation
proper use of the term “audit”
-when an attestation is carried out on historic financial information, it is known as an audit
-an audit is one type of attestation
-only use the word audit when you are looking backwards at historic financial statements
-an audit is the highest level of attestation service a CPA may provide (because it involves providing an opinion and therefore the CPA must be independent)
what is an attestation?
an independent CPA comes in to add credibility by gathering evidence and providing an opinion on the financials
attestation examination
-examination is an attestation engagement where the financial statements can look forward
-OR use examination when the CPA is doing the same level of service (opinion expression) but not looking at historic financial statements
-example: sometimes an auditor is asked to report on financial statements that show what next year’s results might look like. in an examination, the CPA reports on whether the financial statements for the new year present fairly
why is being independent so important?
-having an independent mental attitude allows the auditor to make unbiased evaluations of the assertions made by management –> independence in fact
-by maintaining independence, the public has more faith in the work of the auditor –> independence in appearance
how can an auditor remain independent?
-they can have NO direct financial interest –> even 1 share of stock in the client company is violating independence
-they can have NO material indirect financial interest (mutual fund) –> this is judged on a case by case basis; not an automatic violation of independence
what is a covered member?
member of the audit engagement team, or someone in the CPA firm, who can influence the team members or influence the audit engagement, and the firm itself is a covered member
-a covered member can NOT have direct financial interest or material indirect financial interest in an audit client
rules on the immediate family of a covered member
-immediate family (spouse, dependents) can have NO direct financial interest in an audit client
-they CAN hold employment with the client provided there is no influence or impact on the financial statements
rules on close relatives of a covered member
-close relative (parent, sibling, or child who is not a dependent) can have a financial interest in an audit client as long as it is NOT material to that individual
-CAN work for the client as long as there is not a significant relationship to the financial statements
overview of the audit
-pre planning: client contact and deciding to accept the engagement (need to have knowledge of industry/company, need to be independent, and need to be able to conduct yourself with professional competence)
-once pre planning is over, the steps of the audit are:
1. planning
2. understanding the client and its environment, including internal control
3. assessing the risks of misstatements and designing further audit procedures
4. performing further audit procedures
5. completing the audit: overall review of work that was done
6. issuing the audit opinion
what is client contact like in the pre plan stage of the audit?
-reporting company can contact the CPA about a possible audit or the CPA can contact the reporting company
-once the discussion starts, the CPA should begin to gather evidence about the reporting company
-even before seeing financial statements or any figures, the CPA will talk to representatives from the client company
-tour the company’s facilities; the CPA is interested in the quality of the records and the accounting system, so especially make sure you tour the accounting department and meet the accounting personnel
what does gathering information about a potential client include?
-initial information is gathered (for integrity) to help the CPA decide whether to do the audit
-the audit committee may be having the same discussions with several CPA firms at the same time
-the audit committee must pre approve all services provided by the auditor
what does “those charged with governance” mean?
-those charged with governance refers to those who bear responsibility to oversee the obligations, financial reporting process, and strategic direction of an entity
-encompasses the board of directors and the audit committee
-the auditor is required to communicate certain matters to those charged with governance
-sometimes (not too common) management is roped into this term, since management is responsible for achieving the objectives of the entity
what general client information should the CPA gather?
**consider ALL of these BEFORE acceptance
-what is the industry?
-who are the owners, do they have integrity?
-what is the financing?
-why does the company want an audit?
-have there been previous auditors and if so, why are they being changed?
-what is the history of the company?
-what are the future plans for the company?
-what types of systems and records are in place? can the company even be audited, do they have adequate records?
-are there any accounting problems?
-is there an audit committee or is management dominated by one individual?
timing of the audit
-although the early appointment of the auditor allows the auditor to plan a more efficient audit, an auditor is permitted to accept an engagement near or after year end
-the auditor should consider whether late appointment will interfere with the scope of the audit work, which may lead to a qualified opinion or disclaimer of opinion, and should discuss this with the client
determining the nature and scope of the audit - for issuers
-if the client is an issuer, the auditor must perform an integrated audit of the client’s financial statements and the auditor will attest to management’s assertions regarding internal controls over financial reporting
-in an integrated audit, the auditor must report on both the fair presentation of financial statements and internal controls over financial reporting
determining the nature and scope of the audit - for non issuers
-integrated audits may be performed for non issuers
-when auditing non issuers, the auditor must determine if an audit is the most appropriate engagement or whether a review or compilation may be more appropriate
management’s attitude towards internal control
-auditor should determine very early in the process whether management maintains an adequate internal control environment sufficient to provide reliable financial reporting
-the control environment is the foundation for all other components of internal control
-management’s disregard for its responsibility to maintain an adequate internal control environment may lead the auditor to decide not to accept a new engagement because the risk of financial statement misstatement is too high
when you tour a company’s facilities in the pre planning stage of the audit, what are some questions the CPA could ask?
-are all transactions posted?
-are the ledgers and subsidiary ledgers in balance and up to date? a response of no means higher risk
-are reconciliations up to date? a response of no means higher risk
-look at past financial statements and latest interim statements as well as the tax returns for the last few years
how to select the independent auditors
-the audit committee should interview the candidates for the job and then extend an offer to the firm considered best suited for the work
-the CPA firm should not accept the engagement without further investigation
-further investigation: talking with third parties who have knowledge about the client’s integrity
predecessor auditor
-one who was engaged to perform a prior financial statement audit, even if the audit was not completed
-if a new client relationship, it is presumptively mandatory to make inquiries of the predecessor auditor, and client permission is needed
-if the client is unwilling, that’s a red flag, and the new auditor needs to consider the implications and whether the engagement should be accepted
communication with the predecessor auditor
-oral or written
-if the client refuses to give permission, the CPA may continue if the reason for the denial is viewed as legitimate (like an ongoing legal case)
information from the predecessor auditor - before accepting the engagement
-does the management have an appropriate amount of integrity?
-were there any significant disagreements between the auditor and management?
-what is the predecessor’s understanding of the reason why the company decided to change auditors?
-were there any communications between the auditor and those charged with governance regarding matters relating to internal control, fraud, or illegal acts?
decision to accept the audit
-there are no authoritative guidelines, so it’s up to the auditor’s professional judgment on how to decide whether to accept an engagement or not
-some questions to ask:
are there known accounting or auditing problems, any management imposed scope limitations (not being able to talk to management’s outside legal counsel)?
are the records in good shape so that an audit is actually possible (documents are available to view)?
is the CPA firm completely independent of the reporting company?
does the management have enough integrity so that the CPA feels comfortable?
does the CPA firm have sufficient knowledge of the industry so that proper evaluations can be made?
if a CPA is not familiar with the client’s industry or company when the engagement is accepted, is that okay?
-yes, the engagement can still be accepted IF the CPA plans to become familiar with both the industry and company prior to the start of audit fieldwork
reasons NOT to accept a new client
-management lacks integrity
-inadequate financial records or management is unwilling to provide all records
-there is high risk of intentional manipulation of financial statements
planning stage of the audit
-once the decision has been made to accept the engagement, the auditor is then concerned with the planning, internal control and evidence gathering through substantive testing
-the first of these fieldwork standards is what we call the “planning” stage
what is done in the planning stage of the audit?
-the procedures that an auditor may consider usually involve the auditor reading the records relating to the entity (if they did the audit last year) and discussion with other firm personnel and personnel of the client
-an example of those procedures is to determine the extent of involvement, if any, of consultants, specialists, and internal auditors
-analytical procedures are performed (unconditional): reads latest financials, quarterly statements, interim statements; perform ratio and trend analysis of sales from prior year to current year
analytical procedures - planning stage
-enhance the auditors understanding of the transactions and events that have occurred since the last audit
-read the financial statements and compare sales trends, current year to prior year
estimates - planning stage
-so much of GAAP is based on estimating
-bad debt expense, depreciation expense, warranty expense. –> all based on estimates
-the reasonableness of client estimates is assessed early in the planning stage as part of analytical procedures
documenting the understanding with the client - planning stage
-absolute requirement
-specific form is up to the two parties; a written form is required and it should be an engagement letter, BUT that’s up to the two parties
-if it isn’t an engagement letter, it still must be in writing (signed memo or other form that has all of the necessary elements in writing)
-it can NOT be oral
-the purpose of the audit needs to be clear so confusion doesn’t occur later on
documenting the responsibilities of management in the engagement letter
-management is responsible for preparing the financial statements, and for the selection and application of accounting principles
-having adequate internal control
-following all applicable laws
-providing the auditor with a management representation letter at the end of the audit engagement
-management is responsible for adjusting the financial statements to correct material misstatements identified by the auditor
documenting the auditor’s responsibilities in the engagement letter
-auditor will follow GAAS or PCAOB
-will provide a reasonable basis for an opinion on the financial statements based on the audit work which requires:
-that the auditor obtain an understanding of the entity and its environment including internal controls sufficient to assess risk and design appropriate auditing procedures (internal control stage)
-auditor will provide reasonable assurance about whether the financial statements are free of material misstatement whether caused by error or fraud (evidence stage)
limitations on the engagement included in the engagement letter
-since an auditor obtains only reasonable assurance, a material misstatement may remain undetected
-an audit is NOT designed to detect an error or fraud that is immaterial to the financials
-an audit is NOT designed to provide assurance on internal control or to identify significant deficiencies (unless it’s public). however, the auditor is responsible for ensuring those charged with governance are aware of any significant deficiencies noted
-if any significant deficiencies are discovered, the auditor must report them to the audit committee
items included in the engagement letter
-limitations of the engagement: “an audit is subject to inherent risks that fraud may exist and not be detected”
-fees: include what the fee is based on (like a travel expense), so the auditor determines if they get paid up front or gets reimbursed
-frequency of payment: is it weekly, monthly, one time up front?
-rep letter at the end of the audit: client should be told in the engagement letter about the importance of the rep letter at the end of the audit
-involvement of specialists, internal auditors, or even the predecessor auditor would be included
-client’s signature
supervision of assistants during audit planning
-CPA gathers evidence to support the opinion
-the engagement partner is responsible for planning the audit and supervising the work of the engagement team members
extent of supervision during audit planning
-nature of the company including its size and complexity
-nature of the work assigned to each member of the team
-risk of material misstatement
-knowledge, skill, and ability of each team member
during audit planning, who is considered an assistant?
-anyone who reports to the engagement partner (interns to staff auditors)
-they should be informed of their responsibilities and the objectives of the procedures that they are to perform
-part of the assistant’s responsibility is to properly evaluate audit results, and the in charge auditor would likely discuss this with them
knowledge of the client’s industry entails:
-once the engagement is accepted, the auditor must obtain an understanding
-obtaining knowledge about the client’s industry helps to highlight practices unique to that industry that may have an effect on the client’s financial statements
-the most common source of industry information is: AICPA accounting and audit guide
-other sources: trade associations and publications, government publications, AICPA accounting trends (like an annual survey of accounting practices)
knowledge of the client’s business entails:
-the auditor should obtain knowledge about the client’s business before commencing the audit
-understanding the client’s business provides information regarding events and transactions that may affect the client’s financial statements
-auditor may tour the client facility: consider the methods the entity uses to process accounting information in planning the audit because such methods influence the design of internal control –> the extent to which computer processing is used in significant accounting applications, as well as the complexity of the processing, may also influence the nature, timing and extent of audit procedures
-business cycles and reasons for business fluctuations: helps to better understand events, transactions, and practices that may affect the financial statements, to plan and perform appropriate audit tests, and to properly understand and evaluate the results of those tests
what is NET?
-nature: what type of testing
-timing: when to test
-extent: how much testing
developing the overall strategy
-overall audit plan regarding the NET of your audit work:
-develop the audit plan early to help the auditor determine the resources needed to complete the audit
-determine the involvement of other auditors, specialists and client’s internal auditors
-develop the assignment of staff to specific audit areas including assigning more experienced staff to higher risk areas
-develop the timing of testing: interim vs year end and the timing of audit team meetings
audit team meetings in the planning stage entails:
-pre audit planning meetings are typically held to plan technical and personnel aspects of the audit
-assistants should be informed of their responsibilities and the objectives of the procedures that they are to perform
scope of the audit
-entity, its locations, its reporting currency
-knowledge about any parent subsidiary relationships within the entity
-knowledge of the entity gained from prior experience with the entity
-the use of service organizations (like ADP for payroll)
what is positive about having prior experience with the entity?
-knowledge of an entity’s business is ordinarily obtained through experience with the entity or its industry and inquiry of personnel of the entity
-audit documentation from prior years may contain useful information about the nature of the business, its org structure, its operating characteristics, and transactions that may require special consideration like a multiple element arrangement
planning considerations to develop an overall audit strategy
-factors that determine the focus of the audit team’s efforts include:
-preliminary evaluations about materiality, audit risk (risk we give the wrong opinion) and internal control
-areas where there is a higher risk of material misstatement
-significant industry developments
-management’s commitment to the design and operation of internal control
preliminary assessment of materiality
-at the beginning of the audit, in the planning stage, the CPA should set a preliminary standard for the dollar amount that makes the difference
-the quantitative aspect of materiality; all misstatements of this amount or more will be viewed as material
-other misstatements will be judged based on their cause
-based on past annual and interim financial statements using the size of net income or net assets
-threshold can go up and down as more information is obtained and more evidence is gathered
materiality
-misstatement is viewed as being material if 1. the error is large enough to affect an outsider’s decision or 2. if the error is a type that would affect an outsider’s decision
-one type of error that would affect an outsider’s decision is an illegality found on the financial statements
materiality and tolerable misstatement
-use the smallest level of misstatement that could be material to any one of the financial statements
-materiality will be revised as the audit progresses
concept of materiality
-recognizes that some matters are important for fair presentation of financial statements in conformity with GAAP, while other matters are not important
-auditor’s consideration of materiality is influenced by the auditor’s perception of the needs of a reasonable person who will rely on the financial statements
-materiality judgments are made in light of surrounding circumstances and involve both quantitative and qualitative judgments
performance materiality
-established by the auditor to help provide assurance that several immaterial misstatements do not combine to a material undetected amount of misstatement
-set by the auditor at a lower level than that of materiality for the financial statements as a whole and less than materiality for the account balance (tolerable misstatement) being tested
risk assessment procedures
-required in all financial statement audits
-used to obtain an understanding of the entity and its environment including its internal control in order to assess the risk of material misstatement and determine the NET of further audit procedures
-do not provide audit evidence sufficient to support an audit opinion
-at the conclusion of risk assessment procedures, the auditor can finalize the audit plan and determine the NET of further audit procedures
further audit procedures
-risk assessment will determine the further audit procedures
-include tests of operating effectiveness of internal controls and substantive procedures
-tests of controls are used to evaluate the operating effectiveness of internal controls in preventing or detecting material misstatements
further audit procedures - substantive testing
-dollar size testing used to detect material misstatements and includes tests of details, account balances, disclosures and analytical procedures
-the planning stage is where the auditor and management discuss the timing of the inventory testing
-performed in response to the planned level of detection risk which in turn may be based on the results of tests of controls
-detection risk is the risk that the auditor fails to detect a material misstatement
detection risk
-risk that the auditor fails to detect a material misstatement
audit risk
-risk that the auditor will give the wrong opinion on the financial statements
-risk that the auditor gives an unmodified opinion when financial statements do not present fairly
-chance that: material misstatement will occur in a company’s accounting process (inherent risk) and not be detected or prevented by the company’s own internal control procedures (control risk) and not be detected by the independent auditors so that it winds up in the financial statements (detection risk)
-why we give only reasonable assurance
what risk does the auditor have control over?
detection risk
-only thing auditor can do for inherent and control risk is assess it and try to estimate how much risk there is
inherent risk
-possibility of a material misstatement before considering the client’s internal controls
-built in chance that a material misstatement will occur within the accounting system of the reporting entity
-CPA must assess the level of this risk, no control over this
-no amount of internal control or auditing can minimize inherent risk
in the planning stage of an audit, what does the auditor consider with inherent risk?
-auditor will assess the risk that material errors exist in the client’s financial statements prior to even considering the client’s internal controls
-auditor’s assessment of the inherent risk of errors in the financials has nothing to do with the actual amount of errors and the auditor can do nothing to minimize the risk
-auditor must assess inherent risk and respond to the auditor’s assessment of inherent risk
reasons to assess inherent risk high - examples
-if turnover in the accounting department is high, that’s risky
-if the accounting department personnel are not CPAs, the auditor fears that they don’t know basic GAAP rules
-if many accounting estimates are present, the greater the assessment of inherent risk because estimates are subject to bias
-certain accounts need to be estimated according to GAAP rules
-the more estimates are present the higher the inherent risk; doesn’t mean there is a problem, it means the auditor thinks there may be a problem
-if many related party transactions are present, the auditor will assess inherent risk high because there may not be a legitimate business purpose behind all of them
-if accounting transactions are complex and it is difficult to determine when revenue should be recognized, inherent risk will be assessed high by the auditor
-technological advances causing inventory to be obsolete is a serious risk to a company and if this happens during the period under audit, then there is a risk that inventory is overvalued –> external circumstance that is influencing business risk and this is why it’s important for the auditor to know the industry and the company before starting fieldwork
inherent risk - summary
- part of overall audit risk
- inherent risk is assessed by the auditor very early in the audit process (planning stage)
- auditor either assesses inherent risk high or low depending on factors like client personnel, related party transactions, turnover, estimates in the financial statements, technological advances impacting inventory, complex transactions
- although the auditor assesses inherent risk, this assessment has nothing to do with the actual level of risk the auditor faces
COSO
5 components of internal control
-control environment
-risk assessment
-information and communication
-monitoring
-existing control activities
how can you document internal control?
-flowchart, narrative, questionnaire
assessing control risk
-how much risk do we think we are facing?
-did the controls catch errors or did errors end up on the financial statements?
-start at the top: highest level of risk is assumed until the auditor sees controls working
-professional skepticism requires the auditor to initially assess control risk at the max, high risk for problems, until the auditor is satisfied otherwise
control risk
-risk that the client’s own internal controls are not good enough to catch errors therefore those errors wind up as material misstatements in the financial statements
-the auditor cannot minimize this risk, only assess
-auditor’s assessment will determine the next series of audit procedures –> NET
preliminary assessment of internal control for control risk - looking weak
-after coming to an understanding of the five components of internal control, a preliminary assessment of control risk is made
-if the assessment is that control risk appears to be poor, the auditor sets control risk at the max level and must lower detection risk, carrying out a max amount of substantive procedures (evidence gathering), or use substantive procedures that generate audit evidence of a particularly high level, lowering the extent of tests of controls
-must document this
once you determine internal control is weak and control risk is at max level, what is the next step?
-start the evidence gathering process, known as the substantive approach to further audit procedures; internal control is over
-no reason to spend time on internal controls after the auditor has gained an understanding of all 5 components and documented the weaknesses
-auditor moves on to the evidence gathering stage of the audit and hopefully can gather enough evidence to support the opinion regarding fair presentation of the amounts in the financial statements
preliminary assessment of internal control for control risk - looking good
auditor has a decision to make:
-would testing the internal controls further in order to reduce the assessment of control risk save audit time and cost?
-in other words, would spending five hours to do tests of the specific controls in a system save the auditor more or less than five hours of substantive procedures time?
should the auditor test controls if there is no savings of overall audit time expected?
-there is no reason to carry out any tests of controls if overall audit time will not be reduced
-must be documented –> “controls look good, decided not to test controls”
-if no reduction in audit time is expected, control risk is set at max level and a max amount of substantive procedures is performed, and the substantive approach (not doing test of controls) is to test specific controls only if there’s a benefit expected
when do we test controls?
-if, as a result of coming to an understanding of internal control and documenting the understanding, the auditor thinks the controls might be pretty good, and further testing of those controls will reduce audit time and effort, then the auditor should perform those tests of controls using a “combined approach” to further audit procedures
-if the auditor tests the controls and the client’s controls pass the auditor’s tests, that’s good news
-result is that the auditor can do less evidence gathering, less substantive testing, saving time and cost
-auditor can then assess control risk “below the max” IF the controls pass the auditor’s test (N - test of controls and substantive; E - not as much; T - some at interim which increases detection risk)
what part of audit risk can an auditor control and minimize?
detection risk
risk of material misstatement is high/above the max - what does that mean for detection risk?
-if the risk of material misstatement is high, the auditor has no choice but to lower detection risk and with it, overall audit risk can be lowered by performing more substantive tests
-NET: substantive tests rather than test of controls; more testing rather than less; test closer to year end
-auditor does NOT assess detection risk, but instead makes a decision to lower it or not
risk of material misstatement is low/below the max - what does that mean for detection risk?
-auditor could take a chance and raise detection risk by deciding to perform less substantive tests, or perform them earlier in the year (interim), or test controls instead of substantive tests
what is the acceptable level of detection risk inversely related to?
-assurance provided by substantive tests
-ex: if the accepted level of detection risk decreases, more assurance is required from substantive tests
who are related parties?
-equity method (more than 50%) investees and subsidiaries
-management, principal owners, and immediate family members of officers
related party transactions
-all companies have related parties and often engage in transactions with them
-not illegal but it does pose risks for the audit
-normal course of business: auditor is concerned about whether the transaction is accounted for properly and disclosed properly
-outside the normal course of business: auditor is concerned about whether the transaction is accounted for properly, disclosed properly and whether the transaction was properly authorized –> look at board of director minutes
-auditor’s primary concern with related party transactions is whether they are appropriately accounted for and disclosed because if they are not, material misstatements can occur
-if one party can influence the other, then free market dealings cannot be assumed; cannot assume “arm’s length” transactions
-the entity need NOT include a statement that the related party transactions were consummated on terms equivalent to those that prevail in arm’s length transactions, the auditor expects that they are favorable terms; it’s okay provided it’s properly accounted for and disclosed
disclosure of related party transactions
disclosure of related party transactions in GAAP based financial statements should include:
-nature of the relationship (how are they related)
-a description of the transaction (purchase and sale, services)
-dollar value of the transactions (if there’s no amount, this needs to be disclosed)
-amounts due from or to the related party at the balance sheet date
-how many periods will this transaction impact us
-terms and manner of settlement if not obvious
examples of potential related party transactions
-borrowing or lending at very high or very low interest rates compared to the current market rate (one company is absorbing expenses of the other)
-real estate sales at amounts that are very different from appraised values
-sale with a commitment to repurchase
-although the auditor will obtain an understanding of the business purpose of the transaction, auditor will not attempt to establish whether a particular transaction would have occurred and what the terms would have been if the parties were unrelated
challenges for the auditor regarding related parties
-the business structure may be deliberately designed to obscure related party transactions
-related parties operate through a complex range of relationships and structures and a related party transaction could involve multiple related parties
-information systems may be ineffective in summarizing transactions and outstanding balances between an entity and its related parties
-related party transactions may not be conducted under normal market terms and conditions, some may involve no exchange of consideration
audit procedures regarding related parties
-FIRST THING: inquire of management about the identity of related parties, the relationship of the entity with those parties, whether transactions with those parties have occurred, the nature and purpose of the transactions
-auditors should request from management the names of all related parties and inquire whether transactions occurred with them
-review filings with the SEC for the names of related parties
-the auditor performs procedures to identify material transactions that may be indicative of previously undetermined relationships
-reviewing confirmations of compensating balance arrangements ($x left behind to satisfy the bank) for indications that balances were maintained for or by related parties
when should the auditor be alert for related party information?
-while inspecting certain records and documents
-bank confirmations and legal confirmations
-minutes of meetings of shareholders and directors
-loan covenants that include compensating balance requirements
-conflict of interest statements
fraud definition
-an intentional act that involves the use of deception that results in a material misstatement in the financial statements
auditor responsibility regarding fraud
-must plan the audit to provide reasonable assurance of detecting material misstatements whether due to error or fraud (difference between error and fraud is intent)
-much easier to detect a good faith error than a bad faith fraud, especially if there is collusion (two or more parties engaged in fraud)
-in an audit, issuer or non issuer, the auditor must assess the risk of material misstatement due to fraud, and document it and discuss the risk in brainstorming sessions
two types of fraud
-fraudulent financial reporting/management fraud: management overriding internal controls (there is a presumption in every audit that revenue is overstated due to fraud)
-misappropriation: stealing, defalcation
being alert for possible fraud
-special consideration must be given at every step throughout an audit to the possibility that fraud exists
-especially in assessing inherent risk (but also in assessing control risk and performing substantive procedures to reduce detection risk), the auditor must place extra emphasis on detecting fraud
periodic fraud brainstorming
-very important to maintain professional skepticism throughout the engagement
-one of the challenges in detecting fraud in a specific audit is being able to anticipate how fraud might have occurred in a particular company, overstatement of revenue due to earnings management, management override of controls
-brainstorming sessions must be carried out at the beginning of each audit and possibly throughout the audit periodically
goals for brainstorming fraud
-at beginning of the engagement
-since every audit is unique, the goal of brainstorming is to assess the potential for material misstatement due to fraud
-historically, auditors have sometimes failed to recognize and adapt to the risks of a particular audit
-each audit is unique and each audit has its own particular problems
-the brainstorming sessions help the audit team to focus on the unique characteristics of each audit engagement
-documentation is required to include a description of the discussion regarding the risk of material misstatement due to fraud
fraud triangle
incentives and pressure, opportunity, ability to rationalize
fraudulent reporting - incentives and pressure
-fraud is more likely when the members of management or other employees have an incentive to commit fraud or they face pressures that make fraud more likely
fraud risk factors
-factors whose presence has often been observed in circumstances where frauds have occurred
-a fraud risk factor is a specific situation or action that increases the likelihood of fraud occurring
-do not prove that fraud has taken place nor do they automatically indicate that the risk of fraud is high; the presence of fraud risk factors will increase the auditor’s assessment of inherent risk
examples of opportunities to commit fraudulent financial reporting
-significant, unusual or highly complex transactions, especially those happening near year end
-a number of reported balances are based on significant estimations, each estimate presents an opportunity to cook the books
-management is dominated by one person or a small group (can override all controls) without compensating controls, or there is ineffective oversight
-there has been high turnover of senior management
-lack of segregation of duties
-high turnover of accounting or IT personnel
fraud triangle - opportunity
-fraud is more likely when the members of management or other employees have the opportunity to commit fraud
-if proper controls are not in place so that officials have inappropriate access to records or to assets, the risk of fraud has to be considered to be elevated
-if duties are not properly segregated, fraud is more likely
fraud triangle - ability to rationalize
-fraud is more likely when the members of management or other employees are able to rationalize the action
-ex: frequent disputes erupt between management and the auditor; known history of violations of securities regulations or other laws
examples of incentives or pressures to misappropriate assets
-management or other employees have significant amount of personal debts
-employee layoffs have occurred or are anticipated
-compensation levels have recently changed and people may have gotten a salary reduction or not the raise they were expecting
-job promotions were inconsistent with a person’s expectations
examples of opportunities to misappropriate assets
-large amounts of cash are on hand
-inventory items are small and are of high value
-company holds assets (such as bearer bonds) that can be easily converted to cash
-company does a poor job of screening employees with access to assets
-lack of physical safeguards for assets such as cash and inventory
-reconciliation of assets to the related records is not done in a timely fashion
-there is inadequate record keeping so that periodic reconciliation is not possible
-inadequate management understanding of IT controls
-no mandatory vacation plan for employees
examples of ability to rationalize misappropriation of assets
-apparent displeasure or dissatisfaction with the company
-change in life style (country club, keeping up with members; suddenly downsizing)
-just borrowing temporarily, planning to pay it back
-not always easy to observe these but if discovered they would be considered high risk to rationalize theft
-unusual delays, auditor requests take much longer than expected
data analytics definition
-art and science of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data related to the subject matter of an audit through analysis, modeling, or visualization for the purpose of planning or performing an audit
-are we trying to detect risk, or are we testing a control, or are we searching for material misstatements?
4 purposes of audit data analytics (ADA)
-risk assessment
-test control
-substantive procedures
-evaluating conclusions
5 step approach to ADA
- plan the ADA with the audit team
- extract and prepare the data
- consider the relevance and reliability of the data used
- perform the ADA
- evaluate the results of the ADA
details of step 1 of ADA
plan the ADA with the audit team:
-describe the objective of the ADA; is the objective a risk assessment objective (trying to obtain an understanding of the environment and its internal control for the purpose of assessing the risk of material misstatement) or more of a substantive purpose (focuses on detecting material misstatements at the relative assertion level)
-use of ADAs should be brainstormed in the planning stage with the audit team as to where best to use them and the related audit objectives with each ADA used
details of step 2 of ADA
extract and prepare the data:
-auditor needs to harvest the data from its source and prepare the data for use in the ADA
auditor should consider the type of data involved:
-structured: includes data in a spreadsheet, structured, organized in columns and rows could be inventory control or sales transactions; data is typically in a relational database and easily searchable by human queries
-semi structured: data that is tagged such as html or xml; doesn’t reside in a relational database but does have some organizational properties that make it easier to analyze items like emails
-unstructured: data such as videos appearing on social media, or audio/text files on social media; not easily searchable and pose more of a challenge when using ADA
process of accessing and preparing the data for use in the ADA includes ETL
-extract: harvesting and pulling the data from its current source; auditor should understand where the data is stored prior to extraction and how the data will be extracted and by whom
-transform: process of cleaning or correcting the extracted data so that the data can be used in the ADA; errors in the data or in the data fields may indicate that controls over the data are not operating effectively
-load: the process of uploading the corrected data into the software that will be used to perform the ADA
details of step 3 of ADA
consider the relevance and reliability of the data used; data should have all 6 of the following attributes:
-accurate: data is free from significant errors
-complete: all the data that should be included is, and there are no material omissions (data that is accurate and complete has integrity; encrypted data would be considered of higher integrity because it’s more likely to be accurate and complete)
-consistent: the data files are well defined and managed
-freshness: data file contains the most up to date changes
-timeliness: the data is available when it is needed
-clarity and relatedness: data fields are related to the audit objectives of interest
details of step 4 of ADA
perform the ADA
-auditor would identify and address any notable items
-an item would be notable if it represents an item in the population for which the auditor determines that the risk of material misstatement is suddenly higher than previously assessed
-if there are many notable items, the auditor should use a grouping or filtering process to identify the attributes of interest common to those groups and then should perform appropriate audit procedures to address the risk of material misstatements associated with the various groups
-if there is a small number of notable items, then the auditor can use a manual risk assessment and any further audit procedures should be made responsive to those risks of material misstatements
-in forming an overall conclusion, ADAs may cause the auditor to revise the previous risk assessment or procedures as necessary
details of step 5 of ADA
-evaluate the results of the ADA and decide whether the purpose and specific objectives have been achieved
-evaluate whether the ADA has been appropriately planned and performed; if not, refine and reperform the ADA
-documentation and considerations: document the performance of the ADA, the results of the ADA, and if any visualizations are used, include in the documentation any screenshots of graphics that support the auditor’s conclusion
data visualization
-use of various types of graphics such as bar charts, line charts, scatter plots or a combination of several graphics in formats such as what is known as a dashboard
-purpose of visualization is to make any relationships of interest in large data sets more identifiable
-use key performance indicators (KPIs) to show what happened and why it happened
-see relationships between variables in a visual depiction to better illustrate a trend or unusual fluctuations in the relationship
-exploratory (research and analyze data to better understand it for yourself) or explanatory (report and communicate data to end users)
data analytics - skills needed for accountants
-critical thinking is needed in order to apply an analytics mindset to the data set and then be able to communicate the results to stakeholders who may not be of the statistician mindset
-the modern accountant will be able to analyze data using complex tools and models and then take that complex analysis and communicate it to a client in a visual way to make it more useful
-accountants need to be trained to extract data, transform data and load data onto a system for analysis
-accountants will also need knowledge of data visualization and analytics software like Microsoft Power BI and Tableau
aka accounting skills of the future
ADA - benefits
-benefits of increased use of ADA include improved understanding of an entity’s operations and associated risks including fraud risk
-increased potential for detecting material misstatements and improved communication with audit stakeholders because the communication will involve a visualization rather than just text
data visualization - bar charts
compare data across categories and should always begin with a zero vertical axis to avoid distortion
data visualization - line chart
-shows changes in one variable, usually over time
-the horizontal axis of a line chart is usually a time line
data visualization - stacked bar chart
-allows the user to compare the subdivided totals across the years
-shows parts of a whole and shows changes in data over time
-typically four colors in the legend is enough
data visualization - pie chart
-weak choice for visualization
-pie chart is better than a table though
data visualization - scatter plot
-show the relationship between two sets of data
-relationship between the two variables is called correlation (can be positive or negative)
-relationship is positive when the values increase together; negative when one value decreases and the other increases
-ranges from -1 to +1
data visualization - dashboard
-allows a user to monitor an ongoing process by showing key performance indicators in one location
-the same dashboard might have a bar chart, a stacked bar chart, a line chart, and a table all in one place to track KPIs in order to make important decisions easier
data visualization - typography and iconography
-typo: use of fonts in visual displays
-icono: choice of icons in visual displays like emojis
COSO - control environment
-tone at the top of the client company
-auditor wants to know as early as possible whether internal control is a priority of the company to top management
-auditor feels that if management displays ethical values, there is a chance that the rest of the company could fall in line
-do they have integrity? is management dominated by one individual? if yes, there’s a high risk for management override; if there’s an audit committee, that’s considered a low risk for management override
-auditor is concerned with management’s philosophy and operating style; look at an org chart
COSO - risk assessment
-what are the biggest risks to this client, to its industry and has the client considered those risks?
-every company has risks; changes put a strain on company’s financial reporting system, new territories, new personnel, new products
-client’s ability to foresee where problems might arise and take action in advance
-auditor needs to know whether the client is staying ahead of a changing landscape of risks
-client planning for changes adequately = risk assessed low; no steps to plan for risk = assessed high
COSO - existing control activities
-does the client have control policies and procedures in place to safeguard assets and segregate duties in response to the risk assessment?
-auditor should already know the industry standards
-no control activities = assessed high
-the auditor can’t minimize this risk; only the client can, by putting control activities in place
COSO - information and communication
-are the accounting systems capable of delivering the proper information to the correct party in a timely fashion?
-auditor wants to know if the information produced is reliable
-auditor assesses the risk that the client’s accounting system is not capable of delivering the information in a timely manner
-only the client can minimize the information and communication risk by having quality communication systems in place
-know the information systems they are using
-identify and record all valid transactions, describe on a timely basis in enough detail to determine proper classification, measure the value properly, record in the proper time period, properly present and disclose, and communicate responsibilities to employees
COSO - monitoring
-auditor seeks to determine whether the company makes a continuous assessment of its internal control over time so that the various procedures do not become outdated and lose their dependability
-does the company work to make sure that internal control evolves with changes over time?
-the auditor can’t minimize this risk; only the client can, by having an internal audit staff
-if the client has internal audit staff, the auditor will assess the monitoring risk low
design, implementation and operating effectiveness of controls
-controls may be designed properly but not be put in place
-controls may be designed and put in place but not operating effectively
-only if all 3 are observed by the auditor, could the auditor lower the assessment of control risk
-when the auditor is gaining an understanding of internal control, the auditor is not yet determining control effectiveness
design of controls documentation
-by inquiry of personnel or inspection of documents, auditor attempts to learn the design of a particular system
-flowcharts (picture diagram with symbols - start and end, diamond = decision, pot looking = manual operation; useful with complex structure), memorandum (narrative description), or a questionnaire (yes = strength, no = weakness)
steps in carrying out tests of controls
- anticipate what material misstatements might arise within that system
- learn the design of the system through writing a memo, drawing a flowchart or completing a questionnaire
- look for specific control procedures that would prevent or detect the possible material misstatements that have been anticipated
- make certain that those specific control procedures are operating effectively and efficiently as designed –> where testing comes in
testing significant controls
to ensure significant controls are functioning as designed:
-inquire: talk to the employees
-re performance: see if the same results are achieved
-observation: observe the employee performing their duties
-inspection: looking for physical proof
results of tests of controls
-if a control passes the auditor’s test, auditor may be able to do less substantive testing than originally planned (increasing detection risk); auditor may be able to substitute analytical procedures for certain tests of details and balances
segregation of duties for tests of controls
-auditor knows that certain duties should be segregated
-observation and inquiry are used to test for segregation of duties
effect of IT on internal control
-when electronic data is not maintained indefinitely, the auditor must be careful to consider the appropriate timing for audit tests, making sure that testing is performed while data is still available
-an IT system may make it impossible to gather evidence using substantive procedures alone, in those cases, must do control testing as well
tests of controls when there is no audit trail
-if the auditor wishes to perform a test of controls over a procedure that leaves no audit trail, the auditor must use observation and inquiry to test the control
manual vs automated controls
-manual: internal controls performed by people; more suitable when judgment and discretion are required, such as when there are large, unusual or nonrecurring transactions; potential misstatements are difficult to predict; changes in circumstances require changes in controls; help monitor automated controls
-automated: suitable for high volume or recurring transactions
general controls vs application controls
-general: policies and procedures that relate to the proper operation of the entire information system; include passwords, backup/recovery, administrative rights to the network; include segregating duties between systems analyst/software development, system maintenance, and computer operations
-application: relate to the processing of individual transactions and help to ensure that transactions occurred, are authorized and are completely processed and reported; controls over input, and processing including controls over interfaces, e-commerce, manual follow ups of exception reports
IT benefits
-serves to increase efficiency and effectiveness of internal control
-ability to process large volumes of transactions and data accurately and consistently
-improved timeliness and availability of information
-facilitation of data analysis
-reduction in the risk that controls will be circumvented
-enhanced segregation of duties through implementation of security controls
-enhanced ability to monitor the entity’s activities and its policies and procedures
IT risks
-potential reliance on inaccurate system
-unauthorized access to data
-unauthorized changes to data, systems or programs
-failure to make required changes or updates to systems or programs
-inappropriate manual intervention
-potential loss of data
**auditor should perform tests more often during the year, not just once
inherent limitations of internal control
regardless of how strong a company’s internal control may appear, there are certain inherent limitations that prevent control risk from ever being reduced to zero:
-human error: can’t entirely prevent it, mistakes in judgment
-cost/benefit/reasonable assurance: auditor can try to convince client to spend more time and money on internal control but client is not going to spend more for internal control than the expected benefit
-situations and companies constantly evolve over time: controls need to change as well due to outdating
-management is dominated by one individual who can override internal control
-possibility of employee collusion: two people working together to steal from the company
inherent limitation of internal control vs weakness of internal control
weakness can be corrected with proper segregation of duties
-so, segregation of duties is NOT an inherent limitation
internal audit staff
-independent auditor may use the work of the client’s internal audit staff when gathering evidence in low risk areas of the audit ONLY if the independent auditor assesses the internal audit staff as being competent and objective
-objectivity is typically strengthened by having the internal audit staff report to the audit committee of the board of directors
-the internal auditor cannot be threatened if all reports are made to the independent members who make up the audit committee rather than to any individual within management
-to further ensure objectivity, the internal audit staff should be free to do any testing that is considered necessary; management should place no limitation on the work of the internal audit department
internal audit department
-monitors the design of a company’s internal control system on an ongoing basis as well as compliance with its policies and procedures
assessing the internal audit department
-department should keep internal control functioning at a high level
-an assessment of this department impacts the auditor’s overall view of a company’s internal control
-if internal audit department is very capable, the independent auditor might be able to do less testing than originally anticipated
competence of internal audit department
-evaluated based on factors such as education, experience, certification, and a review of the work that has been produced
objectivity of internal audit department
-evaluated based on the identity of the party to whom internal auditor reports
-preferably, the internal audit department reports to the audit committee of the board of directors
-there should be no limitations placed on the work of the internal audit department
-internal auditor should be allowed to be suspicious of anyone
need for a specialist
-substantive and other procedures can often require skills and abilities not possessed by every CPA
-the use of an outside specialist is not unusual in an audit
-a person possessing special skills or knowledge in a field other than accounting and auditing
use of a specialist
-because the CPA is going to rely on the work of the specialist, the CPA must check the person’s professional reputation as well as independence from the client company
-specialist is not required to be independent but that impacts credibility of the findings
-CPA must inform specialist of the intended use of the work
use of a specialist - disclosures by specialist
-CPA asks specialist to disclose all assumptions and methods that had to be used as well as any uncertainties in the findings
-because of reliance, the CPA needs to know about all limitations (if the specialist is only 90% sure rather than 100%, the CPA needs to know that)
do you need to mention the specialist in the audit report?
-if, as the result of the work performed by the specialist, the auditor decides to add explanatory language or change the audit opinion, the auditor may refer to the specialist in the auditor’s report
-otherwise, don’t refer to the specialist in the report since it’s implied that an auditor will sometimes hire a specialist
-if the findings of the specialist do not lead to any change in the audit report, there is no need to mention the use of the specialist in the audit report
-if findings did result in a change in the wording of the audit report, auditor can mention the work of the specialist and can even identify the specialist if they want
SOC reporting
-audits of a service organization’s controls
-service companies get SOC audits performed every year showing that their systems and controls are up to date and functioning effectively
-AICPA recognized the need for instilling confidence in these service centers with an attestation engagement (SOC reports) to provide assurance
-as a result of SOC reports, service orgs have a CPA firm perform an engagement on their system processes and controls and issue a report which they could then provide to their clients and customers to instill confidence
-without SOC reports, potential trading partners would have to come to your business and perform audit procedures or tests of controls
SOC 1
-service companies whose product rolls up into their customer’s financial statements
-appropriate for service organizations whose controls impact their end customers’ financial reporting, ex: ADP
-best suited for organizations that must instill confidence in their controls and safeguards over their customer’s financial data