Professional Documents
Culture Documents
Aud Notes
Aud Notes
Aud Notes
A1 - Audit Reports
Professional Standards
● Statements on auditing standards (SAS) - issued by AICPA, for non issuers (private
companies)
● Public company actg oversight board auditing standards (PCAOB AS) - issuers (public
companies)
● Generally accepted government auditing standards (GAGAS) - issued by governmental
accountability office, for government organizations
● Statements on standards for attestation engagements - section AT-C, issued by AICPA,
for examination or review on a subject matter
● Statements on standards for actg and review services - section AR-C, issued by AICPA
for unaudited financial statements of private companies (non issuers)
● Levels of audit guidance:
○ Level 1 = SAS and PCAOB AS
■ Most authoritative
○ Level 2 = interpretive publications
○ Level 3 = other auditing publications
● Presumptively mandatory requirement of auditing standards - “should”
Audit Engagements
● Audit process:
○ Start with engagement acceptance
○ Assess risk and plan response
○ Perform procedures and obtain evidence
○ Form conclusions
■ Subsequent events
○ Reporting
● Independent audit function (GAAS) - determine whether FS have been presented fairly
based on the applicable financial reporting framework
● Mgmt’s responsibilities:
○ Financial statements
○ Internal control
● Auditor’s responsibilities: attest function (opinion)
○ Maintain professional skepticism
■ Professional skepticism - professional judgment, make assessment
yourself each year, recognition of circumstances which may exist that
cause FS to be materially misstated
■ Conditions that indicate possible fraud:
● Pressure
1
● Opportunity
● Rationalization
■ Impediments to acting with professional skepticism:
● Confirmation bias
● Overconfidence
● Anchoring
● Availability
○ Comply with ethical requirements = independence in both fact and appearance
○ Exercise professional judgment - in planning and performing an audit
■ Necessary for decisions about:
● Materiality
● Audit risk
● Nature, extent and timing of audit procedures (NET) to support
audit opinion (not FS)
● Evaluate whether sufficient, appropriate evidence has been
obtained
● Evaluating mgmt’s judgments in applying applicable framework
● Drawing conclusions based on evidence obtained
○ Obtain sufficient appropriate audit evidence
○ Comply with GAAS
● Weak internal control does not equal adverse opinion
● Reasonable assurance & inherent limitations of an audit - must have reasonable
assurance about whether FS are free from material misstatement, whether due to error
or fraud
○ Reasonable assurance = high but not absolute level of assurance
○ Inherent limitations:
■ Nature of financial reporting - involves judgment by mgmt & subjective
decisions (actg estimates)
● AR - bad debts
● Inventory - obsolete
● PP&E - life & salvage value
● Intangibles - cash flows
■ Nature of audit procedures - practical and legal limits on ability to obtain
audit evidence
● Mgmt may not provide complete information
○ Impairment
○ Warranties
○ Contingencies
○ Lawsuits
● Fraud may be concealed in such a way that it is difficult to detect
with audit procedures
○ Fraud = intentional/error = unintentional
■ Timeliness of financial reporting & balance between cost & benefit
2
● Unmodified (unqualified) opinion - clean opinion, states that FS are presented fairly in all
material respects
○ Unmodified = non issuers
○ Unqualified = issuers
● Modifications to auditor’s opinion - FS are materially misstated or auditor is unable to
obtain sufficient appropriate audit evidence to make conclusion
○ Types of modified opinions:
■ Qualified opinion - except for specific matters, FS are presented fairly
(GAAP or GAAS problem)
■ Adverse opinion - FS do not present fairly (GAAP problem)
■ Disclaimer of opinion - does not express opinion on FS
Unmodified/Unqualified Opinion
● Unmodified - for nonissuer (private company), when auditor concludes FS are presented
fairly in accordance with framework (best case scenario)
○ MN = unModified = Non public
○ 1st section of auditor report contains auditor’s opinion
○ Addressed to owner, not mgmt
4
● Integrated audit requires audit of both FS and internal control over financial reporting
● Filing of form AP (for public company/issuer) - must include name of engagement
partner & ID number
○ Form AP must be filed by 35th day after audit report is first filed or within 10 days
if audit report is included in a registration statement
● If using other CPA/auditor treat as your own staff
○ Check on:
■ Reputation
■ Independence
■ Professional competency
■ Program steps
● Opinion paragraph for nonissuer includes nature of engagement and specific FS
covered within the audit
● Explicitly state an explanation of assessing risk of material misstatement and designing
audit procedures to evaluate the risks
● Address audit report to the entity that initially engaged the auditors
● Change in actg principle = emphasis of matter paragraph added
● If a reasonably possible loss is disclosed, unqualified opinion with no modification is ok
● Exam trick
○ No audit evidence/work = no audit opinion = disclaimer
○ Not an adverse opinion
● Other matter paragraphs (nonissuers) - refers to matter other than those presented or
disclosed in the FS
○ To describe things not included in FS
○ Comes after opinion & emphasis of matters paragraphs
○ Not appropriate for KAM
○ Required for matter that restricts the use of the auditor’s report
● Explanatory paragraph (issuers) - does not affect auditor’s opinion, follows the opinion
paragraph
○ Required for:
■ Going concern
■ Other information that’s inconsistent with FS
■ Data required by SEC that’s been omitted
○ Maybe necessary: (use professional judgment)
■ Matter regarding FS in the auditor’s report
● Change in principal:
○ If material & nonissuer = emphasis of matter
○ If nonmaterial = no reference in audit report
Subsequent Events
● Recognized subsequent events - recorded if provide info about conditions that already
existed
● Nonrecognized subsequent events - footnote for events that provide info about events
that occur after the balance sheet date
● Mgmt responsibility for subsequent events - general rule is that mgmt responsible up to
date FS issued
○ Public companies = through date FS are issued
○ Other entities = through date FS are available to be issued
● Reissuance of FS - should not recognize events
○ Revised FS are considered reissued, do not recognized
● Auditor’s responsibility for subsequent events:
10
○ Post BS transactions
○ Representation letter from mgmt
○ Inquiry of legal counsel & mgmt
○ Minutes - review minutes of stockholders, directors, other committee meetings
during subsequent period
○ Examine - examine latest interim FS and compare them with FS under audit
● Auditor is responsible for events up until date of auditor’s report
● Auditor’s responsibility after original date of auditor’s report - no active responsibility to
make inquiries or perform further audit procedures
○ Exceptions:
● Auditor action - if info materially affects report & is discovered after issuance of the
report, auditor should advice client to disclose & reissue FS
○ Auditor’s report should not be relied upon
● Report date - if adjustments are made after original date of auditor’s report, auditor may
dual date the report to extend responsibility for the specific subsequent event
○ Later date may be used for the report but this extends auditor’s responsibility for
all subsequent activity
● Client refusal - if client refuses to proceed, auditor should notify each member of the
board & “DAR” them to fix it
○ Notify client that auditor’s report is disassociated with FS
○ Notify regulatory agency
○ Notify persons relying on FS that auditor’s report should no longer be relied on
● Regulatory basis FS intended for general use - express an opinion about whether FS are
fairly presented in all material respects in accordance with GAAP & prepared in
accordance with special purpose framework
○ Reports on special purpose FS - opinion section that identifies special purpose
framework and express opinion that FS are presented fairly on “that” basis
● Regulatory basis of actg (nonissuer) - FS and auditor’s report are intended for general
use, mgmt does not have a choice of frameworks, variances between regulatory basis of
actg and GAAP are not reasonably determinable and are presumed to be material
○ Dual opinion - fair on that basis & adverse on GAAP
● Other country frameworks:
○ Engagement acceptance - auditor should obtain understanding of purpose for
which FS are prepared, whether framework is a fair presentation framework,
intended users, steps taken by mgmt to determine whether framework is
acceptable
○ Engagement performance - auditor should comply with GAAS
● Reporting distribution outside the US:
○ Report of the other country or the report set out in the ISAs
○ US form of report that reflects that FS have been prepared in another country’s
framework
● Reporting accountant - not the auditor, prepares a written report on application of
requirements for applicable framework or type of report
○ Reporting accountant may not report on application of actg principles to maintain
independence
○ Should request permission from entity’s mgmt to consult with the continuing
accountant
■ Include description of reasons for continuing accountant’s conclusions
○ Separate paragraph at the end of report restricting its use to specified parties
■ Specific parties: prior or current auditors
○ If reporting accountant is not independent, statement indicating lack of
independence is required
● International basis of actg is not considered a special purpose framework
A2 - Internal Control
Quality Control
● AICPA code of professional conduct requires a system of quality control
○ System depends on size, nature and cost benefit of system
● Quality control elements: (HELP ME)
○ Human resources - recruiting/hiring, compensation, performance evaluation
■ Work is assigned to personnel with technical training required
○ Engagement/client acceptance - deciding whether to accept to continue a client
relationship, minimizes likelihood of association with a client who lacks integrity
■ Reasonable expected to complete with professional competence
■ Complies with legal/ethical requirements
13
Documentation
● Audit documentation - AKA working papers, provides evidence of basis for auditor’s
report and opinion, evidence that audit was conducted in accordance with GAAS
○ Does not support client FS
○ May not disclose without client’s permission or court order
○ Should indicate that actg records = FS
● Requirements:
○ Assist engagement team in planning and conducting the audit
○ Show the actg records reconcile with FS
○ Experienced auditor (with no connection to the work) can understand the nature,
extent and timing of audit procedures performed and conclusions reached
○ Show who performed the work
● Report release date - date which auditor grants client permission to use the report
○ SAS rules (non issuers) - keep work papers for 5 years
■ Complete audit documentation within 60 days of release date
○ PCAOB rules (issuers) - keep work papers for 7 years
■ Complete audit documentation within 45 days following the report release
date
15
Terms of Engagement
● Appointment of auditor:
○ Audit committee - responsible for selecting independent external auditor
○ Sarbanes oxley act - auditor reports to client’s audit committee, applies to public
company auditors
● Client acceptance:
○ Auditor should consider the follow:
■ Firm’s ability to meet reporting deadlines
■ Firm’s ability to staff the engagement (both experience and availability)
■ Independence
■ Integrity of client mgmt - minimize likelihood of association with a client
whose mgmt lacks integrity
■ Group audits
● Preconditions for an audit:
○ Applicable financial reporting framework - US GAAP & IFRS
○ Management responsibilities - fair presentation of FS, internal control, provide
auditor with access to all information & people
○ Mgmt imposed scope limitation - if major, auditor should not accept engagement
■ Lack of records = scope limitation
● Engagement letter contents:
○ Objective & scope of the audit
○ Auditor responsibilities
○ Mgmt responsibilities
○ Statement - because of inherent limitations unavoidable risk of some material
misstatements that may not be detected
○ Identify applicable financial reporting framework
○ Reference to expected form and content of reports
● Recurring audits - revise terms of engagement if any significant changes have occurred,
if not revised auditor should still issue new engagement letter
16
Planning
● Planning activities - depend on size and complexity of company and previous audit
experience
● Supervision of assistants - CPA documents evidence to support their expressed opinion
○ Nature, extent and timing of supervision - depend on size/complexity of entity,
nature of work assigned, assessed risk of material misstatement, qualifications of
assistants
● Knowledge of client’s busn - tour client facilities, review financial history, obtain
understanding of client actg, inquire of client personnel
● Overall audit strategy:
○ Factors that determine focus of audit (nature) - material audit risk and internal
control preliminary evaluations
○ Scope of the audit (extent) - size/complexity of busn, types of evidence the busn
has
○ Reporting objectives, audit timing, required communications (timing) - deadlines
for interim and final reporting, key dates for gmt meetings and those charged with
governance
■ Strong internal control = more interim
■ Weak internal control = more year end
○ Other considerations - smaller entities may have simpler audit strategy, auditor is
required to communicate planned scope and timing of the audit with those
charged with governance
● Developing audit plan (written) - based on audit strategy and outlines the NET of
procedures to be performed during the audit
○ Written audit plan is required
● Audit procedures - performed to obtain evidence on which to base the audit opinion
○ Risk assessment procedures - required in all FS audits, assess risks of material
misstatements
○ Audit procedures:
■ Test of controls - understand and rely on controls
17
● Drafting audit plan - once sufficient planning info is gathered, draft a written audit plan
(required) including a list of audit procedures which can be changed during the course of
the audit
● Group audit plans - different audit teams in different locations, use the work of
component auditors
Planning
● Client’s internal auditors - not independent, cannot make judgment, must maintain
objectivity and integrity
○ Cannot share audit decisions or judgments with internal auditors
○ Consider:
■ To whom internal auditors report
■ The higher the level, the more objectivity can be assumed
● High risk of material misstatement - internal auditor alone cannot eliminate direct testing
by CPA
○ CPA/auditor must decide but can rely on internal auditor for explanation
● Direct assistance - internal auditor’s competence and objectivity must be assessed
based on prior experience, prior evaluation and talking to mgmt
18
● Supervise and review - external auditor should supervise all work performed by internal
auditor on the audit
○ External auditor remains solely responsible for report on FS
● Guidance for supervising specialists:
○ SAS = private, nonissuer
○ PCAOB = public, issuer
○ Supervision - agree with IT auditor on nature scope and objectives of their work,
evaluate the adequacy of the work, audit partner is still responsible
● Using the work of a component auditor - if group auditor decides to make reference to
component auditor or assume responsibility for work
○ Component auditor - performs work on FS of a component that will be used as
audit evidence for a group audit, may be part of group engagement’s firm or a
network firm or another firm
○ Determine if component auditor is independent, will comply with ethical
requirements, professionally competent
○ Agree with component auditor in writing about nature scope and objectives of
work, nature extent and timing of communication
○ Must review work papers of the component auditor
■ Indicate possible mgmt basis
■ Identified material weaknesses and significant deficiencies
○ Extent of evidence - include discussion with component auditor about
components risk of material misstatement
○ Effect on auditor’s report - if group auditor makes reference to the component
auditor in the report, group auditor should indicate the magnitude of the work and
the group auditor taking responsibility of reviewing the work
Materiality
● Auditor should determine materiality for FS, performance materiality and specific
materiality levels for types of transactions & account balances
○ Consider quantitative and qualitative judgment
● Auditor should use smallest level of misstatement that could be material to any of the FS
● Factors to determine materiality:
○ Percentage
○ Benchmark (ex. Total rev, gross profit)
○ Size of the entity
○ Prior period financial results
○ Significant known or expected changed in entity’s circumstances
● Performance materiality - amount set by auditor at less than materiality for FS as a
whole, reduce to lowest level
● Tolerable misstatement - max error in a population that auditor is willing to accept
● Materiality in group audits - assess for the group of FS as a whole
○ Determine component materiality and materiality for particular classes
● Revising assessment of materiality - change in “NET”, raise or lower materiality
threshold as appropriate
Risk Assessment
● Risk assessment purpose - identify and assess risk of material misstatement (audit
planning), make informed judgment about other audit matters including materiality, actg
procedures, analytical procedures
○ CPA tests internal control in order to adequately plan the NET audit procedures
20
● General control - policies and procedures that relate to many applications and support
the effective functioning/proper operating of the info system
ME1 Review
● FS presentation in accordance with applicable reporting framework should include
adequate description of framework in FS
● Materiality for FS as a WHOLE - smallest level of misstatement that would be material
for any one of the FS
● Uncertainty may result in unmodified, qualified, adverse or disclaimer of opinion
● For cash basis of actg, no need to include emphasis of matter paragraph
● Quality control = assigning personnel, client acceptance, professional development
● Risk assessment for internal control involves:
○ Testing controls
○ Identifying specific internal control policies
○ Identifying types of potential misstatements
● Adverse opinion = GAAP problem exists which is very material
● Audit documentation should include:
○ Info about selection/application of actg principles
○ Identification of staff who performed audit work
○ Sufficient appropriate evidence has been obtained to support conclusions
reached
25
Audit Risk
● Audit risk - risk that auditor may unknowingly fail to appropriately modify opinion on FS
that are materially misstated
○ Material misstatement - departures from GAAP, omissions, incorrect
estimates/judgments
■ Types of misstatements:
● Factual = misstatement which there is no doubt
● Judgmental = involves an estimate
● Projected
● Audit risk model - risk that auditor will issue the wrong opinion
○ AR = RMM * DR
■ AR = audit risk, should be low
■ DR = detection risk, risk that auditor will not detect a material
misstatement, CPA controls through NET
● Risk: auditor misses the mistake (error/fraud) and gives wrong
opinion
■ RMM = IR * CR = risk of material misstatement, exists independent of FS
audit
● High RMM = select more effective substantive tests
● IR = risk of relevant assertion to a material misstatement, client
actg system has errors
○ High inherent risk:
■ High volume transactions
■ Complex calculations
■ Amounts derived from estimates
29
● Auditor controls detection risk and change NET in response to assessed level of RMM
○ Ex. high RMM = lower DR (more work)
○ Change nature of substantive tests
○ Change extent of substantive tests (larger sample size)
○ Change timing of substantive tests (more tests at year end)
● Audit risk and materiality - consider together to design NET of audit procedures and
evaluating results
● Increase tests of details = decreased detection risk
○ Test $ balances
○ Analytical procedures
○ Ratios
● Substantive interim testing - only if risk of material misstatement is low
○ Audit procedures:
■ Request mgmt provide names of all related parties
■ Test balances of accounts
■ Inquire any unapproved related party transactions
■ Review material transactions
○ Document names of all identified parties
○ If identify any previously unidentified related party transactions - inquire why
entity’s controls failed, request mgmt identify all transactions, reconsider risk
Financial Ratios
● Ratio analysis often used in analytical procedures
● Numerator of ratio has direct relationship, denominator has inverses relationship
● Liquidity ratios - short term ability to pay, focus on balance sheet accounts
● Activity ratios - how effectively use the assets
● Profitability ratios - measure financial performance
● Investor ratios - interest to investors
● Long term debt paying ability ratios - long term solvency
● Turnover ratio = average balance
● Days in = numerator is ending balance, denom is account / 365
● Cash conversion cycle = day sales in acct receivable + days in inventory - days of
payables outstanding
Sampling
● Sampling risk - sample is not representative of population and auditor’s conclusion
would be different if they examined 100% of the population
● Assumptions and rules of sampling:
○ Assume population is normally distributed (central limit theorem)
○ Samples must be unrestricted and randomly selected
■ Only area where CPA does not use judgment
○ Standard deviation is measure of variability, range of values within the population
(sample risk)
■ Variability = uncertainty = larger sample size
● Sampling methods:
○ Statistical sampling - evaluate results quantitatively
■ Random sample selection should be used
○ Nonstatistical sampling - evaluated using auditor judgment
● Professional judgment - used in both statistical and nonstatistical sampling to define
population and sampling unit, evaluate appropriateness of evidence
● Statistical sampling:
○ Attribute sampling - used for internal control, testing for specific characteristics
■ Risk of assessing control risk too low = beta risk = risk of overreliance
■ Risk of assessing control risk too high = alpha risk = risk of under reliance
○ Variables sampling - used in substantive testing to estimate dollar value of
population
■ Risk of incorrect acceptance = beta risk = auditor’s concern or fear
36
Expenditure Cycle
● Purchases:
○ Start with purchases requisition - properly approved serially numbered requisition
○ Purchase orders - must be properly approved
○ Receipt of goods - receiving department receives purchase order as
authorization to accept the goods with blind copy, must report the quantity
● Accounts payable:
○ Recording the payable - match the receiving report & the PO
○ Approving invoice for payment and recording payment
● Auditing accounts payable:
○ Completeness & accuracy assertions are more relevant than existence and
rights/obligations assertions
○ Review disbursements recorded
○ Identify disbursements related to expenses incurred before YE
○ Confirm YE liability
40
Cash Cycle
● Fraud risk related to cash cycle - high fraud risk, especially when internal control is weak
● Lapping - an employee withholds funds received by customer for personal use and fails
to apply these receipts of cash to customer’s receivable balance
○ Today’s receivable covers yesterday’s theft
● Kiting - check drawn on one bank is deposited in another bank and no record is made of
the disbursement in the balance of first bank until after year end
○ Cash recorded in two places at once
○ Look for unusual year end cash movements
○ Indicated by low average balance compared to high level of deposits
● Auditing cash balance:
○ Bank confirmation
○ Bank reconciliation - check year end math accuracy
● Cash receipts & cash disbursements:
○ Completeness - trace sample of remittance advices to cash receipts journal
○ Cutoff - test year end transactions
○ Valuation, allocation, accuracy
● Bank statements should be reviewed by internal auditor
Inventory Cycle
● Internal controls related to inventory cycle:
○ Warehouse - accounts as custodian for verified quantity of goods received
○ Observe beginning and ending physical inventory counts
○ Inspect inventory to confirm its existence and valuation
● If inventory is held offsite:
○ Significant?
■ Yes = observe
■ No = confirmation
● Auditing inventory transactions - audited as part of the audits of revenue cycle and
expenditure cycle
41
● Presentation and disclosure - cost method, raw materials, WIP inventory, finished goods
balances, consigned inventory, warranty obligations, etc.
Investment Cycle
● Auditing investment balance:
○ Completeness - if high volume of transactions, search for unrecorded purchases
is necessary
○ Valuation and allocation - look at changes during the year, investments not
reported at fair value, impairments of investments
○ Existence - confirmations and examination of any securities on hand
● Auditing investment transactions:
○ Completeness - use analytical procedures
○ Valuation, allocation, accuracy - did they properly calculate amortization
○ Existence and occurrence - analytical procedures to calculate investment income
○ Understandability and classification - AFS debt goes to OCI, trading debt and all
equity securities goes to current earnings
● Investments in securities when valuations are based on investee's financial results - use
equity method, FS are not audited (request that they should be), if different year end
then consider the impact of the gap
● Measuring fair value - amount asset could be sold for (exit price)
○ Hierarchy of inputs (level 1-3)
○ Management’s responsibility to make FV measurement and disclosures in
accordance with GAAP
○ Auditor’s responsibility:
■ Understand process for determining FV
■ Understand relevant controls
■ Assess the RMM
■ Evaluate whether the method is in conformity with GAAP
■ Consider need for specialist
○ Testing FV measurements:
■ Verify quoted market price
■ Determine whether mgmt’s assumptions are a reasonable basis
■ Mgmt’s intent that may affect FV
■ Whether modifications made to observable information reflect common
assumptions
■ Whether valuation model is appropriate
■ Test underlying data
■ Develop independent FV estimate
■ Consider use of a specialist
■ Consider subsequent events
● Pricing services - reliability depends on nature and source of evidence and
circumstances under which evidence is obtained
○ Relevance - relationship with assertion of control being tested
42
○ When using info from multiple pricing services, less info is needed about
particular methods and inputs used
● Broker dealers - is information relevant and reliable, is broker a market maker for similar
instruments
○ Relationship with broker and the entity
○ Is the quote binding
○ Limitations on the quote
● Impairment loss resulting from decline in FV other than temporary needs to be recorded
○ Auditor should evaluate basis for decision
○ FV is below cost and:
■ Adverse conditions related to specific security
■ Decline exists for extended period of time
■ Mgmt doesn’t have intent and ability to hold security for anticipated
recovery
○ External matters
● If auditor identifies conditions or events that may be indicative of substantial doubt,
everything is not FINE
● Mitigating factors - must include both intent and ability to carry out the planned
procedures
○ Plans to borrow money or restructure debt
○ Plans to sell assets
○ Plans to increase ownership equity
○ Plans to delay or reduce expenses
● Reporting for non issuers - wording depends on where or not substantial doubt has been
alleviated by mgmt’s plans
○ If going concern basis of actg is appropriate and substantial doubt has been
alleviated & if adequate disclosures are made = emphasis of matter paragraph
○ If going concern basis of actg is appropriate and substantial doubt remains =
separate section in auditor’s report
● Reporting for issuers - explanatory paragraph should be added when there is going
concern uncertainty
● Documentation requirements - conditions that gave rise to substantial doubt, mitigating
factors that auditor considers significant, audit work performed to evaluate mgmt’s plans,
effect of auditor’s conclusion on FS and related disclosures and resulting auditor’s report
● Other going concern considerations:
○ If going concern disclosures are inadequate = departure from GAAP
○ If mgmt is unwilling to perform or extend evaluation to meet required period of
time = qualified or adverse opinion
○ If FS have been prepared using going concern basis but is inappropriate =
adverse opinion
○ If auditor’s doubts are removed in subsequent period = going concern section
need not be repeated
● Accounting estimates:
○ Auditor’s responsibilities - evaluate degree of uncertainty, assess mgmt’s written
policies, verify all material estimates have been developed, determine that actg
estimates are reasonable
■ Apply professional skepticism
■ Focus on significant assumptions
● Audit procedures - auditor should obtain understanding of how mgmt developed its
estimates
○ Review and test procedures used by mgmt to develop the estimate
■ Methods - conformance with framework, appropriate based on auditor’s
understanding of company, if company has changed determine reason
why
■ Data - test accuracy and completeness of data, evaluate reliability
■ Significant assumptions - evaluate reasonableness of assumptions
● Auditor should evaluate whether difference between reported estimate and best estimate
supported by audit evidence indicates possible management bias
45
Written Representations
● Management representation letter - confirm representations given to the auditor,
indicates and document continuing appropriateness of such representations, reduces
the possibility of misunderstanding concerning matters that are subject of the
representations
○ Requirements:
■ Final piece of evidential matter
■ Letter is mandatory
■ Dated same as audit report
■ Signed by CEO & CFO
■ Representations
■ Materiality
■ Doubt about reliability of written representations
○ Contents:
■ Financial statements
46
■ Completeness of information
■ Fraud
■ Laws and regulations
■ Uncorrected misstatements
■ Litigation and claims
■ Estimates
■ Related party transactions
■ Subsequent events
■ Additional representations
● Written representation regarding internal control:
○ Only required when performing an integrated audit (includes audit of internal
control)
○ Obtain additional representations from mgmt
● For comparative FS, rep letter should cover all years presented in the report
● Testing controls:
○ Design effectiveness - use walkthroughs, inquiry, observation
○ Operating effectiveness - inquiry alone is not enough
○ Determine the effect of any identified control deviations on the risk assessment
■ Risk, evidence & effectiveness
● Benchmarking of automated controls - low risk and no change, may not need to repeat
testing
● Forming an opinion:
○ Mgmt report - indicate mgmt is responsible, describe the subject matter, identify
criteria by mgmt used to measure effectiveness, describe material weaknesses
identified by mgmt
■ If required disclosures for MW have not been included = state in auditor’s
report
■ If report is incomplete/improperly presented = state in auditor’s report
■ If report contains additional information = auditor should read additional
info to ensure there are no material inconsistencies and disclaim an
opinion on such information
● FS audit versus audit of internal control:
○ Relevant period - internal control audit is for a point in time, FS opinion is for a
period of time
○ Extent of testing - internal control is more limited
○ Interrelationship between 2 engagements - audit ToC applies to IC opinion, IC
testing leads to greater IC reliance, IC deficiency raises control risk so more
substantive testing, audit issues may be IC issues
● Integrated audit has different scope, purpose and procedures
● Standards:
○ Audit engagements = SAS/PCAOB standards
○ Preparation, compilation & review engagements = SSARS (statements on
standards for actg review services)
○ Attest engagements = SSAE (statements on standards for attestation
engagements)
● Attestation standards - provide guidance, set boundaries, provide a measure of quality
and describe the objectives
○ Differ from GAAS:
■ No reference to historical fS
■ No reference to GAAP
● Common attestation concepts: (CAPE CORP)
○ Compliance with attestation standards
○ Acceptance and continuance
○ Preconditions for attestation engagement are present
■ Practitioner is independent
■ Responsible party takes responsibility for subject matter
■ Subject matter is appropriate
○ Engagement documentation standards
○ Acceptance of a Change in terms of engagement is reasonable
○ Using the work of an Other practitioner is allowed
○ Responsibility for quality control
○ Professional skepticism and professional judgment
● Attestation risk (should be low) = inherent risk * control risk * detection risk
● Additional reporting requirements:
○ Report may be issued on assertion itself or on the subject matter to which the
assertion relates
○ If material misstatements or deviations then conclusion should be expressed
directly on subject matter
○ If reporting on the assertion then it should accompany practitioner’s report or be
clearly stated in the report
● Scope restrictions:
52
● Pro forma FS - demonstrates the effect of a future or hypothetical event by showing how
it might have affected the historical FS
○ Based on mgmt’s assumptions
○ Directly attributable to transaction (or event)
○ Practitioner should have an understanding of the event, evaluate the pro forma
adjustments and any assumptions used in the adjustments
55
Reporting on Compliance
● Compliance reporting:
○ Auditor may be asked to report on compliance with contractual agreements or
regulatory requirements in connection with FS audit
○ Report on an attestation engagement regarding entity’s compliance with specific
laws on internal control over compliance
○ Report on compliance and IC over compliance as part of a single audit
engagement when auditing a recipient of federal financial assistance
● Compliance reports in connection with audited FS:
○ Auditor may only issue negative assurance on compliance
■ No identified instances of noncompliance
○ Identified instances of noncompliance - describe the noncompliance, if
adverse/disclaimer of opinion, only report on compliance can only be issued
when there are identified instances of noncompliance
● Compliance attestation - SSAE report does not provide legal determination of an entity’s
compliance, may be useful to legal counsel or others
○ Compliance with specific requirements
○ Internal control over compliance
● Agreed-upon procedures engagements:
○ Compliance with specific requirements
○ Entity’s IC over compliance
○ Could be both of the above
● Objective of agreed-upon procedures - present specific findings to assist users in
evaluating entity’s compliance with specific requirements
● Examination engagements - examine entity’s compliance with requirements or a written
assertion about compliance
○ Practitioner may perform if:
■ Responsible party accepts responsibility of compliance
■ Responsible party evaluates entity’s compliance
■ Enough evidence exists to support mgmt’s evaluation
● Overall requirements for compliance examination:
○ Perform risk assessment
○ Design response
○ Determine if supplementary audit requirements exist
○ Obtain written rep from mgmt
57
○ Prepare reports
○ Prepare required documentation
■ Assessed risk of material noncompliance
■ Procedures performed
■ Documentation of internal control
■ Responses to risk assessment
■ Test of controls
■ Basis for materiality levels
Government Audits
● GAGAS - covers standards for audits for government organizations & government
assistance received by contractors, NFP orgs, other nongovernmental orgs
● Purpose and types of government audits:
○ Financial audits
○ Attestation engagements
58
○ Performance audits
■ Objectives:
● Effectiveness, economy, efficiency
● Internal control
● Compliance
● Prospective analysis
● Determine if supplementary audit requirements exist - may have audit requirements that
go beyond GAAS & GAGAS
● Standards for financial audits (performing financial audits) - GAGAS includes
requirements in addition to GAAS standards
○ Previous audits and attestation engagements
○ Fraud, noncompliance & abuse
○ Developing a finding
■ Criteria
■ Condition
■ Cause
■ Effect or potential effect
● GAGAS doesn’t require auditor to express an opinion on IC
● Communicate deficiencies in internal control, fraud & noncompliance:
○ Deficiencies in IC - communicate in repot
○ Instances of fraud/noncompliance - report to appropriate members of the org
○ Less than material findings - communicate in writing with appropriate officials
○ Present findings in auditor’s report - listing of findings & mgmt responses
included in report on IC and compliance
○ Report findings to outside parties - communicate to parties outside audited org
when mgmt fails to satisfy legal or regulatory requirements to report
● Distribution of reports - to those charged with governance, audited entity officials,
oversight bodies, all others authorized to receive report
● Yellow book report is an additional report required under GAGAS
○ FS audit looks same as standard nonissuer report except:
■ Auditor’s responsibility section includes reference to govt auditing
standards
■ Other-matter paragraph added referencing GAGAS report
● Reporting internal control - GAGAS required auditor to obtain understanding of design of
relevant controls, determine whether implemented, communicate all significant
deficiencies
○ Content of the report:
■ Assertion that evaluating compliance with laws, rules, regulations with
direct material effect on FS
■ Assertion that specific controls relating to financial reporting are
considered
■ Indication that either no weaknesses were found or that significant
deficiencies were found
59
Single Audits
● Audit recipients of federal financial assistance should be conducted in accordance with
GAAS & GAGAS
○ Apply single audit standards to federal financial assistance
■ 2 CFR 200 = codification of single audit act
● Single audit act - requires entities that expend total federal assistance equal to or greater
than $750,000 in a fiscal year (audit threshold)
○ Allows either a single or program-specific audit
■ Program-specific audit = only 1 program = no FS audit is required
■ Otherwise stuck with single audit
● Single audit objectives:
○ Audit of entity’s FS and separate schedule of expenditures of federal awards
○ Compliance audit of federal awards expended during the year as a basis for
issuing additional reports on compliance
● Materiality - considered separately in relation to each major program, not calculated at a
whole level
● Federal award recipients are subject to audit requirements associated with federal
financial assistance
● Program-specific audits - auditor must contact inspector general of applicable federal
agency and obtain a current program-specific audit guide
● Auditee responsibilities: (entity being audited)
○ Auditor selection - follow procurement standards established by federal
guidelines
■ Evaluate potential vendors based on:
● Responsiveness
● Relevant experience
● Availability of staff
● Results of peer reviews
○ Copy of audit org’s peer review report
○ Report submission - submit within the earlier of 30 days of receipt of auditor’s
report or 9 months after the end of audit period
● Auditor responsibilities:
○ Scope of the audit - express an opinion on FS and related schedules
■ Consider IC, compliance & previous audit findings
■ Internal control - consider IC over compliance as they relate to programs
● Must test controls to plan for low level of control risk for
noncompliance for major programs
■ Compliance - for each major program, did they follow the rules
■ Previous audit findings
● Audit reporting:
○ Express opinion on FS
○ Express opinion on schedule of expenditures of federal awards
○ Report on ICFR
■ Scope of testing
60
■ Results of tests
○ Report on compliance for each major program and IC over compliance
○ Provide schedule of findings and questioned costs including:
● Single audits require use of GAAS and GAGAS, five reports issued:
○ FS report
○ SEFA report
○ GAGAS report
○ Single audit report
○ Schedule of findings and questioned costs
● Audit findings - report significant deficiencies & MW in IC over major programs, material
noncompliance, questioned costs for a given type of compliance requirement if costs
exceed $25,000, known or likely fraud
● Audit documentation - maintained for 3 years after the date of issuance (both auditor and
auditee)
● Major program determination:
○ Risk-based approach - consider current and prior audit experience, oversight by
federal agencies, inherent risk
○ 4 step process:
■ Identify type A (>$750,000) and type B programs
■ Identify type A programs that are low risk
■ Identify type B programs that are high risk using professional judgment
■ At a minimum, major programs are all type A programs not identified as
low risk and type B programs identified as high risk
○ % of coverage:
■ Low risk auditees = auditor must test 20% of federal awards expended
■ High risk auditees = auditor must test 40% of federal awards expended
○ Criteria for federal program risk:
■ Multiple IC structures
■ Weak monitoring systems
■ Programs not recently audited as major
■ Complexity of program
■ Being in the early phase of a program’s life cycle
61
● Subrecipient - nonfederal entity that expends federal awards received from another
entity to carry out a federal program
Preparation Engagements
● Preparation engagements - nonissuer only, not compilation/review/audit
○ No assurance
○ Independence not required
○ Non-attest service
● Establish understanding with client through engagement letter including:
○ Mgmt responsibility
○ Objectives of engagement
63
Compilation Engagements
● Compilation - no assurance, independence not required (must disclose)
○ Nonissuer only
○ Establish understanding with client - engagement letter
■ Can accept engagement & then obtain understanding of the client’s
business and industry
● Compilation requirements:
○ Knowledge of industry actg principles and practices
○ Reading the FS - look for no obvious errors, no audit work
○ Noncompliance with laws & regulations, going concern & subsequent events
○ FS that may be inaccurate or incomplete
■ If client refuses to provide information = withdraw
○ Documentation - engagement letter, copy of FS, copy of accountant’s report are
all required
■ Compilation report doesn’t contain a title
■ Doesn’t require signature from accountant or be printed on accountant’s
letterhead
64
● Reporting on a compilation:
○ Accountant’s report - includes mgmt responsibility, reference to SSARS,
statement that accountant did not audit or review the FS
○ Additional paragraphs - if special framework, disclosures omitted or known
departures from framework
● Reporting on FS that are prepared with special purpose framework:
○ Explanation of mgmt’s responsibility
○ Include additional paragraph with reference to applicable special purpose
framework other than GAAP and refers to FS note that describes framework
○ If prepared for a contractual basis of actg, FS may not be suitable for another
purpose
● Omission of 1+ notes should be treated like a departure from the applicable financial
reporting framework
○ Accountant’s report should clearly indicate omission
● Compiled FS that omit GAAP disclosures are acceptable if:
○ FS are otherwise in conformity
○ Restricted use is not required
○ FS would not be misleading to users
○ Include disclaimer of opinion, reference to omission and statement that if
included the disclosures may influence the user’s opinion
○ Compilation report warns the user of missing disclosures
● Exam trick = do not issue an “adverse opinion” for departures from applicable framework
○ Disclose or withdraw from engagement
● If change from review engagement to compilation engagement, compilation report
should make no reference to original engagement
Review Engagements
● Review of FS - limited assurance on financial statements, independence required
○ Nonissuers = SSARS if review only, SAS if audit also
○ Issuer = PCAOB
● Review procedures - should be tailored to client, inquiry and analytical procedures
● Review requirements: (U LIAR CPA)
○ Understanding with client
○ Learn and obtain knowledge of client’s business
■ Not required:
● Test internal control
● Perform audit tests
● Assess fraud risk
● Communicate with predecessor accountant
○ Inquiries should be addressed to appropriate individuals
■ Inside company, not outside
■ Going concern inquiry
■ Identification of related parties
○ Analytical procedures
65
Review Reports
● Unmodified conclusion - limited assurance, nothing has come to auditor’s attention that
causes auditor to believe FS are not materially prepared
● Modified conclusion - when accountant determines that the FS are materially misstated
○ Qualified conclusion = material but not pervasive
■ Include basis for qualified conclusion paragraph before the conclusion
paragraph
○ Adverse conclusion = material and pervasive
■ Need basis for adverse opinion immediately before the conclusion
paragraph
● Title = independent accountant’s review report
● Emphasis of matter paragraph/other matter paragraphs
○ Required when:
■ Special purpose framework
● Describe the framework and state that it’s a basis other than
GAAP
● Potentially restrict the use of the report (regulatory/contractual
basis)
■ Prior period is audited
■ Going concern
○ Optional when:
■ Uncertainties or inconsistencies
■ Subsequent events
■ Significant related party transactions
66
● Reference to work of other accountant’s in review report - if entity decides not to assume
responsibility for audit or review performed, refer to other accountants in accountant’s
responsibility paragraph
● Current period compiled and prior period reviewed (downgraded) - issue compilation
report and add a paragraph describing the prior period responsibility, reissue prior
review report
● Current period prepared and prior period compiled or reviewed - no requirement to
reference prior period
● Columnar form - clear indication when FS have not been audited or reviewed so a user
doesn’t extend a compilation report to such FS
● Omission of required disclosures - not comparable, should not issue a report on
comparative FS
● Information affecting previous report - for subsequent events, include other matter
paragraph with original report date and indicating reason for changing report
● Other accountants involved in prior periods:
○ Prior accountant reissued report unchanged - old accountant should read
statements, compare and obtain letter from successor accountants
○ Prior report not reissued - successor is not required to make reference to prior
report
■ New accountant may make reference by including an additional
paragraph
● Reporting when 1 period is audited - reissue prior report or other matter paragraph in
current report
● Current period unaudited and prior period audited - add other matter paragraph indicated
the prior statements were audited with relevant date and that no audit procedures have
been performed since previous report date
○ Include basis for prior audit opinion
● Current period audited and prior period unaudited - upgraded service, add other matter
paragraph describing the prior period services
○ Either reissue prior period report or describe scope of previous engagement
Interim Reviews
● Nonissuers follow SAS for interim reviews if latest FS have been audited
○ Past audit or future audit
67
● Acts discreditable rule - failure to return records, discrimination or harassment, shall not
disclose confidential information
● Advertising and other forms of solicitation rule - generally ok unless in a manner that’s
false, misleading or deceptive
○ Intentionally underestimate fees = not allowed
● Commissions and referral fees rule - impair independence
○ Not allowed:
■ Audit or review of FS
■ Compilation where lack of independence is not disclosed
■ Examination of FS
● Ownership of CPA firms - must be over 50% owned by CPAs
● Conceptual framework - threats & safeguards, identify threats, evaluate significance of
threat, apply safeguards
○ Conceptual framework for members in public practice
○ Conceptual framework for independence
○ Conceptual framework for members in business
● Threats to compliances:
○ Adverse interest threat - not acting with objectivity
○ Advocacy threat - promote client’s interest or position
○ Familiarity threat - too sympathetic
○ Mgmt participation threat - acting as mgmt for client
○ Self-interest threat - could benefit financially
○ Self-review threat - evaluate your own work
○ Undue influence threat - subordinate judgment
● Evaluating significance of threat - use reasonable 3rd party standard for assessment
● Safeguards that may eliminate or reduce threat - profession, legislation or regulation to
prevent threats or implemented by employing organization
● Audit partner requirements - to audit an issuer/public company the partner must rotate
off the audit every 5 years (stay off for 5 years)
● Conflicts of interest - audit firm cannot have employed the issuer’s CEO, CFO, controller,
etc. for 1 year before the audit (1 year cool off period)
● SOX Title 3, Section 303 - cannot fraudulently influence, coerce, manipulate or mislead
an independent CPA
● Principles of independence: (prohibited services, independence has been impaired)
○ Conflict of interest
○ Audit acting as mgmt
○ Auditing their own work
○ Advocating for the client
● Investments in audit clients - direct investments and material indirect investments in
audit client are not allowed
● Covered persons - audit engagement team, all people who supervise or have mgmt
responsibility for audit
● Other financial interest in audit client:
○ Loans to or from an audit client
○ Savings and checking balances over $250,000
○ Credit cards over $10,000
● Exceptions:
○ Unsolicited gifts or inherited - dispose as soon as possible
○ Immediate family member has financial interest - dispose no later than 30 days
after person is aware of engagement
● Non audit services - impair independence
● Audit committee administration:
○ Preapproval not required for non-audit services less than 5% of total revenues
○ Required auditor reporting to audit committee
■ Material written communications between audit firm and mgmt
● Auditor independence is impaired if audit partner earns or receives compensation based
on selling engagements to an audit client
● PCAOB independence standards:
○ Responsibility not to knowingly contribute to violations
○ Contingent fees are not allowed
○ Must be independent of firm’s audit client throughout the audit period
○ May not provide tax services related to confidential or aggressive tax
transactions
■ Ok to prepare corporate tax return
■ Competence
■ Quality control and assurance - external peer review every 3 years
● GAGAS framework for independence:
○ Threats to independence:
■ Self-interest threat
■ Self-review threat
■ Bias threat
■ Familiarity threat
■ Undue influence threat
■ Mgmt participation threat - no safeguard could reduce the threat to an
acceptable level
● Custody of audited entity’s assets
● Setting policies for audited entity
■ Structural threat
○ Document any threats to independence and safeguards applied
● Evaluation of non-audit services - determine whether providing services would create a
threat
○ Consideration of mgmt’s ability to effectively oversee the non-audit service to be
performed
● DOL = department of labor
○ Independence is required when auditing FS submitted to DOL
○ Impairment of independence - direct financial interest or material indirect financial
interest in plan or plan sponsor
SE2
● To identify unusual sales transactions, an auditor would perform trend analysis for
quarterly sales
● If mgmt knows of material fraud and doesn’t disclose to the auditor -> integrity is
questioned
● Can be a country club member of a client and still be independent
● If electronic evidence that’s not retrievable after a certain period of time, timing of testing
is going to be difficult to determine
● For government auditing standards, must contain report describing scope of auditor’s
testing of compliance and internal control
74