Aud Notes

AUD EXAM
Expected Date: November 19, 2022
A1 - Audit Reports
Professional Standards
● Statements on auditing standards (SAS) - issued by AICPA, for non issuers (private
companies)
● Public company actg oversight board auditing standards (PCAOB AS) - issuers (public
companies)
● Generally accepted government auditing standards (GAGAS) - issued by governmental
accountability office, for government organizations
● Statements on standards for attestation engagements - section AT-C, issued by AICPA,
for examination or review on a subject matter
● Statements on standards for actg and review services - section AR-C, issued by AICPA
for unaudited financial statements of private companies (non issuers)
● Levels of audit guidance:
○ Level 1 = SAS and PCAOB AS
■ Most authoritative
○ Level 2 = interpretive publications
○ Level 3 = other auditing publications
● Presumptively mandatory requirement of auditing standards - “should”
Audit Engagements
● Audit process:
○ Start with engagement acceptance
○ Assess risk and plan response
○ Perform procedures and obtain evidence
○ Form conclusions
■ Subsequent events
○ Reporting
● Independent audit function (GAAS) - determine whether FS have been presented fairly
based on the applicable financial reporting framework
● Mgmt’s responsibilities:
○ Financial statements
○ Internal control
● Auditor’s responsibilities: attest function (opinion)
○ Maintain professional skepticism
■ Professional skepticism - professional judgment, make assessment
yourself each year, recognition of circumstances which may exist that
cause FS to be materially misstated
■ Conditions that indicate possible fraud:
● Pressure
1
● Opportunity
● Rationalization
■ Impediments to acting with professional skepticism:
● Confirmation bias
● Overconfidence
● Anchoring
● Availability
○ Comply with ethical requirements = independence in both fact and appearance
○ Exercise professional judgment - in planning and performing an audit
■ Necessary for decisions about:
● Materiality
● Audit risk
● Nature, extent and timing of audit procedures (NET) to support
audit opinion (not FS)
● Evaluate whether sufficient, appropriate evidence has been
obtained
● Evaluating mgmt’s judgments in applying applicable framework
● Drawing conclusions based on evidence obtained
○ Obtain sufficient appropriate audit evidence
○ Comply with GAAS
● Weak internal control does not equal adverse opinion
● Reasonable assurance & inherent limitations of an audit - must have reasonable
assurance about whether FS are free from material misstatement, whether due to error
or fraud
○ Reasonable assurance = high but not absolute level of assurance
○ Inherent limitations:
■ Nature of financial reporting - involves judgment by mgmt & subjective
decisions (actg estimates)
● AR - bad debts
● Inventory - obsolete
● PP&E - life & salvage value
● Intangibles - cash flows
■ Nature of audit procedures - practical and legal limits on ability to obtain
audit evidence
● Mgmt may not provide complete information
○ Impairment
○ Warranties
○ Contingencies
○ Lawsuits
● Fraud may be concealed in such a way that it is difficult to detect
with audit procedures
○ Fraud = intentional/error = unintentional
■ Timeliness of financial reporting & balance between cost & benefit
2
● Direct efforts to areas most expected to contain risks of material

misstatement
● Use testing and other means to examine populations for
misstatement
● Determine nature & scope of the engagement - auditor may be hired for a single period
or multiple periods, audit may be single FS or complete FS
○ Nonissuers (private companies) - could have FS audit only or integrated audit
■ Integrated audit - audit of FS and internal controls
○ Issuers (public companies) - must perform integrated audit
● Overall objectives of audit engagements
○ FS audit - obtain reasonable assurance & to report on the FS
○ Audit of internal control over financial reporting - required for public companies,
express opinion on effectiveness of company’s internal control over financial
reporting and obtain reasonable assurance about whether material weaknesses
exist
Forming an Audit Opinion
● When forming an opinion, evaluate:

○ FS adequately disclose significant actg policies selected
○ Actg policies selected are consistent with framework
○ Actg estimated made by mgmt are reasonable
○ Information presented in FS is relevant, reliable, comparable and understandable
○ Terminology in FS is appropriate
● Departure from GAAP is permissible if FS would be otherwise misleading
3
● Unmodified (unqualified) opinion - clean opinion, states that FS are presented fairly in all
material respects
○ Unmodified = non issuers
○ Unqualified = issuers
● Modifications to auditor’s opinion - FS are materially misstated or auditor is unable to
obtain sufficient appropriate audit evidence to make conclusion
○ Types of modified opinions:
■ Qualified opinion - except for specific matters, FS are presented fairly
(GAAP or GAAS problem)
■ Adverse opinion - FS do not present fairly (GAAP problem)
■ Disclaimer of opinion - does not express opinion on FS
● Pervasive = very material
Unmodified/Unqualified Opinion
● Unmodified - for nonissuer (private company), when auditor concludes FS are presented
fairly in accordance with framework (best case scenario)
○ MN = unModified = Non public
○ 1st section of auditor report contains auditor’s opinion
○ Addressed to owner, not mgmt
4
● Unqualified - issuer, auditor concludes FS are presented fairly in accordance with

framework (best case scenario)
○ PQ = Public company = unQualified
● Basis for opinion - second section of auditor’s report, refer to GAAS for nonissuers
○ Auditor is required to be independent
○ Discuss evidence obtained is sufficient
● When relevant, auditor should include separate section in auditor’s report titled
“substantial doubt about entity’s ability to continue as a going concern”
● Key audit matters (KAM) - for private companies, describe each key submitter with
appropriate subheading, significant items that were communicated (average 2+ per
company per year)
○ Critical audit matter (CAM) - public company
■ Relates to accounts or disclosures that are material to FS and involve
challenging, subjective or complex auditor judgment
■ For each CAM, auditor report should include:
● Identification
● Description of principal considerations to determine it was a CAM
● Description of how CAM was addressed in the audit
● Reference to relevant FS accounts or disclosures
○ Determined based on professional judgment
○ Include why matter was significant and how it was addressed for each matter
■ If auditor is involved, must include description of each matter in audit
report
● Responsibilities of mgmt - includes preparation of FS & internal control
● Responsibility for auditor - obtain reasonable assurance, obtain understanding of internal
control
● Other information (when relevant) - separate section if needed, mgmt is responsible for
the other info, auditor is responsible to read other info
● Date of auditor’s report - should be dated no earlier than date on which auditor has
obtained sufficient appropriate audit evidence
○ Dual date
● Audits in accordance with GAAS and PCAOB standards - for private
company/nonissuer, use the report required by the PCAOB
○ Nonissuers have the option whether to engage the auditor to communicate key
audit matters for private companies
● Basis for opinion (for public, unqualified) = RAPMEE
○ Responsibility of mgmt
○ Auditor responsibility
○ Auditor is a public actg firm
○ Audit was conducted in accordance with standards of PCAOB
○ Auditor plan and perform audit to obtain reasonable assurance that FS are free
from material misstatement
○ Audit includes:
■ Examining on a test basis the evidence
5
■ Evaluating actg principles used and significant estimates

● Unqualified (public companies) - must include year auditor began serving as company’s
auditor
○ Report date should show final date of auditor’s responsibility
○ Mgmt reports on internal control over financial reporting
● Integrated audit requires audit of both FS and internal control over financial reporting
● Filing of form AP (for public company/issuer) - must include name of engagement
partner & ID number
○ Form AP must be filed by 35th day after audit report is first filed or within 10 days
if audit report is included in a registration statement
● If using other CPA/auditor treat as your own staff
○ Check on:
■ Reputation
■ Independence
■ Professional competency
■ Program steps
● Opinion paragraph for nonissuer includes nature of engagement and specific FS
covered within the audit
● Explicitly state an explanation of assessing risk of material misstatement and designing
audit procedures to evaluate the risks
● Address audit report to the entity that initially engaged the auditors
● Change in actg principle = emphasis of matter paragraph added
● If a reasonably possible loss is disclosed, unqualified opinion with no modification is ok
Modified Opinions Due to FS Issues

● Qualified versus adverse opinion - material GAAP problem but not pervasive is qualified
opinion (except for), very material GAAP problem is adverse opinion
○ Common GAAP problems:
■ GAAP consistency change (unjustified), auditor disagrees
■ Inadequate disclosure
■ Departure from GAAP (unjustified)
■ Unreasonable actg estimate
● Nature of material misstatements - inappropriate acctg policies, incorrect application of
actg policies, appropriateness of FS presentation
○ Material misstatements ≠ GAAP
● Nonissuer auditor reports - private company, qualified opinion is material GAAP problem
○ Opinion paragraph states qualified opinion except for specific issue
6
○ Problem is described in ‘basis for qualified opinion paragraph’

● Make sure omission does not make FS:
○ False
○ Fraudulent
○ Deceptive
○ Misleading
■ If so, withdraw
● Adverse opinion for non issuer - very material and pervasive GAAP issue
○ Auditor report differences:
■ Opinion section - because of the significance of the matter described, FS
do not present fairly
■ Basis for adverse opinion - include description of matter giving rise to
modification
■ No KAM
● Issuer reports - public company, qualified opinion
○ Opinion paragraph - includes exception and reference to paragraph that
discloses the information
○ Additional paragraph - except for paragraph should be added immediately
following opinion paragraph with no heading
■ Includes all substantive reasons
■ Disclosure of principal effects
● Adverse opinion for issuer
○ Auditor report differences:
■ Opinion section - because of the matters, FS are not presented fairly
■ Additional paragraphs - immediately following opinion section, include
paragraph with all substantive reasons and disclosure of principal effects
● Omit statement of cash flows = qualified opinion
Modified Opinions Due to Audit Issues

● Qualified opinion versus disclaimer = GAAS problem, unable to obtain sufficient
appropriate audit evidence
○ Qualified opinion - expressed when auditor is unable to obtain sufficient
appropriate audit evidence, material not pervasive
○ Disclaimer of opinion - unable to obtain evidence, material and pervasive
■ Or if auditor is not independent
● Inability to perform a specific procedure is not a limitation on the scope of the audit if the
auditor can obtain sufficient appropriate audit evidence by performing alternative
procedures
● When the auditor is not independent but required by law to report on FS, auditor should
disclaim an opinion and specifically state they are not independence
○ If they choose to provide reasons for lack of independence, list all reasons
● Nonissuer auditor report differences
○ Qualified opinion:
■ Opinion section says “except for”
7
■ Basis for qualified opinion includes description of issue

○ Disclaimer of opinion:
■ Opinion section - auditor does not express an opinion, describe in the
basis, auditor was “engaged to audit”
■ Basis for disclaimer - include reason for inability to obtain evidence,
should not include auditor responsibilities or audit evidence obtain is
sufficient
■ Auditor’s responsibility - only include auditor’s role to conduct an audit,
omit audit steps & that evidence is sufficient
● Issuer auditor report differences
○ Qualified opinion:
■ Opinion section says “except for”
■ Additional paragraph - added immediately after opinion paragraph,
describe reasons for inability to obtain sufficient appropriate audit
evidence
■ Basis for opinion - refer to paragraph that describes the issue
○ Disclaimer of opinion:
■ Opinion section - “were engaged to audit”, “do not express an opinion”
■ Additional paragraph - immediately after opinion, include all substantive
reasons for disclaimer and any reservation of fair presentation
■ Basis for disclaimer of opinion - eliminate the entire second paragraph,
eliminate “our responsibility is to express an opinion…”
■ Omit critical audit matters (CAM)
● Exam trick
○ No audit evidence/work = no audit opinion = disclaimer
○ Not an adverse opinion
Emphasis of Matter, Other Matter & Explanatory Paragraphs

● Emphasis of matter paragraphs (nonissuers) - included in audit report when required by
GAAS, used to refer to matter that’s appropriately presented/disclosed in FS and is
important to understanding to FS
○ To emphasize something important within the FS
○ Describe matter being emphasized, location of relevant disclosures and indicate
that auditor’s opinion is not modified because of the matter
○ Not appropriate for KAM or if the matter modifies the opinion on the FS
8
● Other matter paragraphs (nonissuers) - refers to matter other than those presented or
disclosed in the FS
○ To describe things not included in FS
○ Comes after opinion & emphasis of matters paragraphs
○ Not appropriate for KAM
○ Required for matter that restricts the use of the auditor’s report
● Explanatory paragraph (issuers) - does not affect auditor’s opinion, follows the opinion
paragraph
○ Required for:
■ Going concern
■ Other information that’s inconsistent with FS
■ Data required by SEC that’s been omitted
○ Maybe necessary: (use professional judgment)
■ Matter regarding FS in the auditor’s report
● Change in principal:
○ If material & nonissuer = emphasis of matter
○ If nonmaterial = no reference in audit report
Reporting with Different Opinions & Other Auditors

● Reporting on comparative FS
○ Reporting with different opinions:
■ Opinion section changes, basis for opinion may change
● If the format differs from previous opinion, auditor should disclose reason in an emphasis
of matter or other matter paragraph (nonissuer) or explanatory paragraph (issuers)
○ Disclose the following:
■ Date of previous report
■ Opinion for prior opinion
■ Reason for prior opinion
■ Changes that have occurred
■ Statement that the opinion is different
● Report of the predecessor auditor presented:
○ Predecessor auditors should:
■ Reed statements for current period
■ Compare statements audited with current statements
■ Obtain letter of representation from current auditor
■ Inquire and obtain letter of representation form mgmt near date of
reissuance
■ Date the report as appropriate:
9
● Unrevised - original report date

● Revised - dual date used to show date of each audit
● Report of the predecessor auditor not reissued:
○ Indicate in other matter paragraph or explanatory paragraph FS from prior period
were audited by predecessor auditor, include type of opinion
● Prior period FS not audited - clearly mark to indicate the FS are unaudited
● Prior period statements not audited, review or compiled - clearly mark and include an
other matter paragraph or explanatory paragraph
○ Auditor assumes no responsibility
● Reporting on audits of group FS:
○ Group engagement partner - AKA principal auditor for public companies,
responsible for auditor’s report
○ Must oversee:
■ Reputation
■ Independent
■ Competent
■ Program steps
○ Determine whether to make reference to the component in the auditor’s report
■ Make no reference in audit report = assume responsibility
■ Make reference in audit report = divide responsibility
● Clearly indicate that component was not audited by the auditor of
the group & magnitude of the portion of FS audited by the
component auditor
○ Significant component - individual financial significance to the group or likely to
include significant risks
■ Financial significance - should be audited by group engagement team or
component auditor
■ Significant risk of material misstatement - group engagement team or
component auditor should perform audit
● Modified opinion issued by component auditor - include in emphasis of matter paragraph
○ Modify opinion if previous FS are restated to conform with GAAP
Subsequent Events
● Recognized subsequent events - recorded if provide info about conditions that already
existed
● Nonrecognized subsequent events - footnote for events that provide info about events
that occur after the balance sheet date
● Mgmt responsibility for subsequent events - general rule is that mgmt responsible up to
date FS issued
○ Public companies = through date FS are issued
○ Other entities = through date FS are available to be issued
● Reissuance of FS - should not recognize events
○ Revised FS are considered reissued, do not recognized
● Auditor’s responsibility for subsequent events:
10
○ Post BS transactions
○ Representation letter from mgmt
○ Inquiry of legal counsel & mgmt
○ Minutes - review minutes of stockholders, directors, other committee meetings
during subsequent period
○ Examine - examine latest interim FS and compare them with FS under audit
● Auditor is responsible for events up until date of auditor’s report
● Auditor’s responsibility after original date of auditor’s report - no active responsibility to
make inquiries or perform further audit procedures
○ Exceptions:
● Auditor action - if info materially affects report & is discovered after issuance of the
report, auditor should advice client to disclose & reissue FS
○ Auditor’s report should not be relied upon
● Report date - if adjustments are made after original date of auditor’s report, auditor may
dual date the report to extend responsibility for the specific subsequent event
○ Later date may be used for the report but this extends auditor’s responsibility for
all subsequent activity
● Client refusal - if client refuses to proceed, auditor should notify each member of the
board & “DAR” them to fix it
○ Notify client that auditor’s report is disassociated with FS
○ Notify regulatory agency
○ Notify persons relying on FS that auditor’s report should no longer be relied on
Other Info & Supplementary Info

● Other information - mgmt report, financial summaries, employment data, planned capital
expenditures, financial ratios, quarterly data, etc.
● Auditor responsibility - determine and obtain written acknowledgement stating which
docs make up annual report, not responsible for other information
○ Auditor should read other information for material inconsistencies
● Audited FS require revision - if mgmt refuses, modify audit opinion or withdraw
● Other info requires revision - if mgmt refuses, communicate with governance
● Reporting on supplementary info:
○ Supplementary info - presented outside basic FS
■ Auditor must: evaluate presentation and report on whether supplementary
info is fairly stated
■ Mgmt must: prepare info in accordance with applicable criteria, provide
auditor with written representations
11
● Reporting for nonissuers - auditor’s report on supplementary info can be presented in

separate section in auditor’s report or in a separate report
○ Forming an opinion on supplementary info:
■ Material misstatement - modify the opinion or withhold the report (if
separate)
■ If adverse or disclaimer of opinion, auditor is prohibited from expressing
an opinion on the supplementary info
● Reporting for issuers - auditor may either include auditor’s report of supplementary info
in the audit report or separate statement
○ Report date - no earlier than date of audit report and date which obtain sufficient
appropriate evidence
○ Forming an opinion:
■ Material misstatements - describe material misstatement and express a
qualified or adverse opinion on supplementary info
■ Inability to obtain sufficient appropriate evidence - disclaim an opinion on
supplementary info
■ If qualified opinion, auditor should have qualified opinion on
supplementary info
■ When auditor expresses adverse or disclaimer on FS, must express
adverse or disclaimer on supplementary info
● Required supplementary info - auditor’s opinion on FS does not cover required
supplementary info
○ Required procedures - inquire mgmt, determine if supplementary info is
consistent, obtain written mgmt representations
○ Reporting on supplementary info for nonissuer - separate section in auditor’s
report
● PCAOB standards for issuers - do not require auditor to add explanatory paragraph
unless:
○ Required info is omitted
○ Material departures from guidelines
○ Auditor is unable to complete procedures
○ Unresolved doubts about conformance with required supplementary info
Special Purpose & Other Country Frameworks

● Types of special purpose frameworks: (OCBOA)
○ Cash basis
○ Tax basis
○ Regulatory basis
○ Contractual basis
○ Other basis
■ Contractual & other basis is not OCBOA
● Additional requirements of auditor - obtain understanding of purpose, intended users &
steps by mgmt to determine applicable framework
● Other matter paragraph - restrict use of the auditor’s report if required
12
● Regulatory basis FS intended for general use - express an opinion about whether FS are
fairly presented in all material respects in accordance with GAAP & prepared in
accordance with special purpose framework
○ Reports on special purpose FS - opinion section that identifies special purpose
framework and express opinion that FS are presented fairly on “that” basis
● Regulatory basis of actg (nonissuer) - FS and auditor’s report are intended for general
use, mgmt does not have a choice of frameworks, variances between regulatory basis of
actg and GAAP are not reasonably determinable and are presumed to be material
○ Dual opinion - fair on that basis & adverse on GAAP
● Other country frameworks:
○ Engagement acceptance - auditor should obtain understanding of purpose for
which FS are prepared, whether framework is a fair presentation framework,
intended users, steps taken by mgmt to determine whether framework is
acceptable
○ Engagement performance - auditor should comply with GAAS
● Reporting distribution outside the US:
○ Report of the other country or the report set out in the ISAs
○ US form of report that reflects that FS have been prepared in another country’s
framework
● Reporting accountant - not the auditor, prepares a written report on application of
requirements for applicable framework or type of report
○ Reporting accountant may not report on application of actg principles to maintain
independence
○ Should request permission from entity’s mgmt to consult with the continuing
accountant
■ Include description of reasons for continuing accountant’s conclusions
○ Separate paragraph at the end of report restricting its use to specified parties
■ Specific parties: prior or current auditors
○ If reporting accountant is not independent, statement indicating lack of
independence is required
● International basis of actg is not considered a special purpose framework
A2 - Internal Control
Quality Control
● AICPA code of professional conduct requires a system of quality control
○ System depends on size, nature and cost benefit of system
● Quality control elements: (HELP ME)
○ Human resources - recruiting/hiring, compensation, performance evaluation
■ Work is assigned to personnel with technical training required
○ Engagement/client acceptance - deciding whether to accept to continue a client
relationship, minimizes likelihood of association with a client who lacks integrity
■ Reasonable expected to complete with professional competence
■ Complies with legal/ethical requirements
13
■ Firm should have policies for withdrawal

○ Leadership responsibilities - ultimate responsibility for firm’s quality control
system
■ Tone at the top: (CRIME)
● Control environment
● Risk assessment
● Information
● Monitoring
● Existing control activities
○ Performance of the engagement - ensure that engagement is properly
supervised and work is appropriately reviewed
■ Allow consultation with experts when necessary
○ Monitoring - ongoing consideration and evaluation of the design and
effectiveness of the quality control system
■ A partner should bear responsibility for the monitoring process
■ Monitoring procedures:
● Engagement quality control reviews
● Post issuance reviews
● Inspections of completed engagements
● Peer review conducted under AICPA standards
■ Peer review - every 3 years at least, determine and report whether CPA
firm being reviewed has developed adequate policies for elements of
quality control and is following them in practice
○ Ethical requirements - to maintain public confidence in the profession
■ Independence encompasses impartiality
■ Confirm independence in writing at least annually
● GAAS versus quality control standards:
○ GAAS - relates to conduct of each audit engagement
○ Quality control standards - relate to conduct of all professional activities of the
firm’s practice as a whole
● Quality control deficiencies - failed quality control does not mean failed GAAP & GAAS
● Review considerations:
○ Work has been performed in accordance with professional standards and
applicable laws & regulations
○ Significant findings or issues needing further consideration
○ Appropriate consultation has taken place
○ Work performed supports the conclusion
○ Evidence obtained is sufficient and appropriate
● Engagement partner review - partner should review critical areas of judgment or other
important areas
● Documentation requirements - who performed the work, date work is completed, who
reviewed audit documentation, date of review
● Quality control standards for nonissuers - provide reasonable assurance that audit
complies with professional standards and issues a report that is appropriate
14
○ Remain alert for evidence of noncompliance

○ Form a conclusion on compliance with independence requirements
● Engagement quality control review - performed only when required by firm’s policies
○ Complete before engagement partner releases audit report
○ Included:
■ Discussion of significant findings
■ Reading the FS
■ Review of audit documentation
■ Evaluation of the conclusions
● Quality control standards for issuers - PCAOB standards require engagement quality
review and concurring approval of audit report issuance
● Engagement quality review process - PCAOB standards says quality reviewer is require
to hold discussions with engagement partner to evaluate significant judgments made by
team and overall conclusion
○ Evaluate risks identified and materiality
○ Evaluate materiality, corrected/uncorrected misstatements
○ Review firm’s independence
○ Review FS and internal control
○ Evaluate communications with mgmt, audit committee and regulatory bodies
● Concurring approval of issuance - PCAOB standards, significant engagement deficiency
exists when:
○ Team fails to obtain sufficient appropriate evidence
○ Reached inappropriate overall conclusion
○ Engagement report is not appropriate for circumstances
○ Firm is not independent
Documentation
● Audit documentation - AKA working papers, provides evidence of basis for auditor’s
report and opinion, evidence that audit was conducted in accordance with GAAS
○ Does not support client FS
○ May not disclose without client’s permission or court order
○ Should indicate that actg records = FS
● Requirements:
○ Assist engagement team in planning and conducting the audit
○ Show the actg records reconcile with FS
○ Experienced auditor (with no connection to the work) can understand the nature,
extent and timing of audit procedures performed and conclusions reached
○ Show who performed the work
● Report release date - date which auditor grants client permission to use the report
○ SAS rules (non issuers) - keep work papers for 5 years
■ Complete audit documentation within 60 days of release date
○ PCAOB rules (issuers) - keep work papers for 7 years
■ Complete audit documentation within 45 days following the report release
date
15
● Nature and extent of audit documentation - objective of detailed substantive testing is to

detect material misstatement
○ Auditor should consider:
■ Complexity and size of entity
■ Risk of material misstatement
■ Nature and extent of any exceptions identified
○ Permanent file (continuous) - carry forward from year to year
○ Current file - this year’s stuff
■ Contains audit plan, FS and auditor’s report, trial balance, adjusting JE
■ Also records tests of controls and substantive tests
● Significant audit findings - should be included in documentation, include matters related
to selection and application of actg principles, significant risk, material misstatements
and cause significant difficulties
○ Or included in other matters paragraph
Terms of Engagement
● Appointment of auditor:
○ Audit committee - responsible for selecting independent external auditor
○ Sarbanes oxley act - auditor reports to client’s audit committee, applies to public
company auditors
● Client acceptance:
○ Auditor should consider the follow:
■ Firm’s ability to meet reporting deadlines
■ Firm’s ability to staff the engagement (both experience and availability)
■ Independence
■ Integrity of client mgmt - minimize likelihood of association with a client
whose mgmt lacks integrity
■ Group audits
● Preconditions for an audit:
○ Applicable financial reporting framework - US GAAP & IFRS
○ Management responsibilities - fair presentation of FS, internal control, provide
auditor with access to all information & people
○ Mgmt imposed scope limitation - if major, auditor should not accept engagement
■ Lack of records = scope limitation
● Engagement letter contents:
○ Objective & scope of the audit
○ Auditor responsibilities
○ Mgmt responsibilities
○ Statement - because of inherent limitations unavoidable risk of some material
misstatements that may not be detected
○ Identify applicable financial reporting framework
○ Reference to expected form and content of reports
● Recurring audits - revise terms of engagement if any significant changes have occurred,
if not revised auditor should still issue new engagement letter
16
● Initial audit - talk to prior CPA is mandatory, client permission is needed

○ If client is unwilling to agree, consider withdrawing
○ Communicate with prior cpa before and after accepting new client
○ Auditor should make written inquiries of the prior auditor about mgmt integrity,
disagreements with mgmt, reasons for change in auditors
● Change in engagement from audit to compilation or to review
○ Change must be justified
■ Reasons for change:
● Change in client requirements
● Misunderstanding as to nature of service to be rendered
● Scope limitations - client refuses correspondence with legal counsel, client refuses to
provide a signed rep letter
○ Consider withdrawing
Planning
● Planning activities - depend on size and complexity of company and previous audit
experience
● Supervision of assistants - CPA documents evidence to support their expressed opinion
○ Nature, extent and timing of supervision - depend on size/complexity of entity,
nature of work assigned, assessed risk of material misstatement, qualifications of
assistants
● Knowledge of client’s busn - tour client facilities, review financial history, obtain
understanding of client actg, inquire of client personnel
● Overall audit strategy:
○ Factors that determine focus of audit (nature) - material audit risk and internal
control preliminary evaluations
○ Scope of the audit (extent) - size/complexity of busn, types of evidence the busn
has
○ Reporting objectives, audit timing, required communications (timing) - deadlines
for interim and final reporting, key dates for gmt meetings and those charged with
governance
■ Strong internal control = more interim
■ Weak internal control = more year end
○ Other considerations - smaller entities may have simpler audit strategy, auditor is
required to communicate planned scope and timing of the audit with those
charged with governance
● Developing audit plan (written) - based on audit strategy and outlines the NET of
procedures to be performed during the audit
○ Written audit plan is required
● Audit procedures - performed to obtain evidence on which to base the audit opinion
○ Risk assessment procedures - required in all FS audits, assess risks of material
misstatements
○ Audit procedures:
■ Test of controls - understand and rely on controls
17
■ Substantive procedures - test account balances

■ Other audit procedures - letter to client’s attorney for example to comply
with GAAS
● Timing of audit procedures - discuss with mgmt
○ Type = nature
○ Scope = extent
○ When = timing
● Assertions: (COVER UP)
○ Completeness
○ Cutoff - transactions recorded in correct actg period
○ Valuation, allocation & accuracy
○ Existence and occurrence
○ Rights & obligations - acct balances and disclosures
○ Understandability of presentation and classification
● Drafting audit plan - once sufficient planning info is gathered, draft a written audit plan
(required) including a list of audit procedures which can be changed during the course of
the audit
● Group audit plans - different audit teams in different locations, use the work of
component auditors
Planning
● Client’s internal auditors - not independent, cannot make judgment, must maintain
objectivity and integrity
○ Cannot share audit decisions or judgments with internal auditors
○ Consider:
■ To whom internal auditors report
■ The higher the level, the more objectivity can be assumed
● High risk of material misstatement - internal auditor alone cannot eliminate direct testing
by CPA
○ CPA/auditor must decide but can rely on internal auditor for explanation
● Direct assistance - internal auditor’s competence and objectivity must be assessed
based on prior experience, prior evaluation and talking to mgmt
18
● Supervise and review - external auditor should supervise all work performed by internal
auditor on the audit
○ External auditor remains solely responsible for report on FS
● Guidance for supervising specialists:
○ SAS = private, nonissuer
○ PCAOB = public, issuer
● Use of an auditor’s specialist:

○ Determine the need for a specialist
○ Understand the specialist’s field of expertise - test specialist like one of you staff
■ Evaluate the relevance of specialist’s work:
● Qualifications
● Understands objectivity
● Independent
● Reputation
● Knowledge
○ Agreement with auditor’s specialist - agree in writing when appropriate
○ Evaluate adequacy of the work - inquiries of specialist, review work papers,
perform procedures, review reports, engage in discussion with another specialist
○ Effect on auditor’s report - if specialist finding are not in conformity with GAAP,
qualified or adverse opinion would be issued
■ If auditor is expressing a clean (unmodified/unqualified) opinion, no
reference to specialist work
● Use of mgmt’s specialist - treat them like one of your own staff, same procedures as
audit specialist
○ Evaluate competence, capabilities and objectivity
○ Understand the work
○ Evaluate the appropriateness
○ Except: not independent therefore no judgment as to final determination
● Using the work of an IT auditor - consider the impact of IT on the entity’s FS
○ Consider appropriate competence and capabilities and technical expertise
○ Must be informed about their role in the audit
■ Objectives of the workr
■ Nature of the busn
■ Risk related issues
■ Problems that may arise
■ Detailed approach
19
○ Supervision - agree with IT auditor on nature scope and objectives of their work,
evaluate the adequacy of the work, audit partner is still responsible
● Using the work of a component auditor - if group auditor decides to make reference to
component auditor or assume responsibility for work
○ Component auditor - performs work on FS of a component that will be used as
audit evidence for a group audit, may be part of group engagement’s firm or a
network firm or another firm
○ Determine if component auditor is independent, will comply with ethical
requirements, professionally competent
○ Agree with component auditor in writing about nature scope and objectives of
work, nature extent and timing of communication
○ Must review work papers of the component auditor
■ Indicate possible mgmt basis
■ Identified material weaknesses and significant deficiencies
○ Extent of evidence - include discussion with component auditor about
components risk of material misstatement
○ Effect on auditor’s report - if group auditor makes reference to the component
auditor in the report, group auditor should indicate the magnitude of the work and
the group auditor taking responsibility of reviewing the work
Materiality
● Auditor should determine materiality for FS, performance materiality and specific
materiality levels for types of transactions & account balances
○ Consider quantitative and qualitative judgment
● Auditor should use smallest level of misstatement that could be material to any of the FS
● Factors to determine materiality:
○ Percentage
○ Benchmark (ex. Total rev, gross profit)
○ Size of the entity
○ Prior period financial results
○ Significant known or expected changed in entity’s circumstances
● Performance materiality - amount set by auditor at less than materiality for FS as a
whole, reduce to lowest level
● Tolerable misstatement - max error in a population that auditor is willing to accept
● Materiality in group audits - assess for the group of FS as a whole
○ Determine component materiality and materiality for particular classes
● Revising assessment of materiality - change in “NET”, raise or lower materiality
threshold as appropriate
Risk Assessment
● Risk assessment purpose - identify and assess risk of material misstatement (audit
planning), make informed judgment about other audit matters including materiality, actg
procedures, analytical procedures
○ CPA tests internal control in order to adequately plan the NET audit procedures
20
● Risk assessment procedures - obtain understanding of entity, understand internal

control, inquire audit committee, mgmt, perform analytical procedures
○ Fraud risk = pressure, opportunity, rationalization
● Industry factors - pressure/competitive environment which may give rise of risk of
material misstatement
● Regulatory factors - pressure from laws/regulations, taxation, govt policies,
environmental policies
● Technological factors - ways that tech directly affects the entity’s industry
○ Automation
○ Connectivity
○ Security
● Analytical procedures - required to be performed during the audit
○ Planning stage = required
○ Final review stage
● Risk assessment discussion - with audit team, include areas of significant audit risk,
company’s application of actg principles, disclosures
● Other procedures - prior period evidence to the extent that its still relevant
● Risk assessment procedures and audit evidence - required in FS audit
● Ongoing assessment - understanding of an entity and its environment is a continuous
process throughout the audit, risk assessment may change as additional audit evidence
is acquired
● Internal control - process designed to provide reasonable assurance about the
achievement of the entity’s objectives
○ Reliability of financial reporting
○ Effectiveness and efficiency of operations
○ Compliance with applicable laws and regulations
● Components of internal control: (CRIME)
○ Control environment - set tone of organization, provides discipline and structure
as the foundation for all other components, “tone at the top”
○ Risk assessment - by management, entity’s identification of risks
■ Changes in operating environment
■ New personnel
■ Rapid expansions of operations
○ Info and communication systems - CPA is required to understand/knowledge,
support the identification, capture and exchange of info in a timely and useful
manner
■ Controls surrounding JEs, scrutinize period end unusual JEs
○ Monitoring - assesses quality of internal control performance over time
■ Establishing and maintaining internal control is responsibility of mgmt
■ Make sure internal controls are present and functioning
○ Existing control activities - help ensure that mgmt directives are carried out and
unnecessary steps to address risks are taken
21
■ In a well-designed internal control environment, fraud & errors should be

prevented and/or detected by employees in the ordinary course of their
job/business
● Pervasive effect of control environment - impacts the nature extent and timing of further
audit procedures to be performed
○ Weak control environment - may perform more substantive procedures as of
balance sheet date rather than at interim
○ Strong control environment - may perform tests at interim date rather than
balance sheet date
● Control activities in a strong system of internal control: (PAID TIPS)
○ Prenumbering the documents
○ Authorization of transactions
○ Independent checks to maintain asset accountability
○ Documentation - paper trail
○ Timely and appropriate financial performance reviews
○ Information processing controls
○ Physical controls for safeguarding assets - security
○ Segregation of duties
■ Authorization
■ Record keeping
■ Custody of related assets
● Internal control exceptions: collusion & mgmt override
● Preventive controls & detective controls make up internal control system
● Walkthroughs - performed by selecting a single transaction or identifying key steps in the
process of a class of transactions
○ WT procedures:
■ Inquiry - inquire those who actually perform the info processing
procedures
■ Other procedures - observe, re-perform, inspect
● Document the understanding of internal control (FIND)
○ Flowchart - depicts auditor’s understanding of internal control
22
○ Internal control questionnaire or checklist - used for each assertion of mgmt

○ Narrative - hard to see weakness in internal control
○ Documentation from client
● Consider limitations of internal control - related to control environment, mgmt override of
internal control & human error
● Other audit considerations - effect of IT on internal control, if evidence is not retrievable
it’s difficult to determine timing of control testing and substantive testing
○ Manual controls - suitable when judgment and discretion are required, also used
to monitor automated controls
■ IT exception - IT system may make it impossible to resolve detection risk
through substantive testing alone, must do control testing as well
○ Automated controls - for high volume or recurring transactions
● IT general controls - relate to many applications and support effective functioning and
proper operating of the information system
● IT application controls - apply to processing of individual transactions
● IT benefits - ability to process large volumes of transactions and data accurately and
consistently, improved timeliness, enhanced segregation of duties
○ Control group
○ Operators
○ Programmers
○ Analyst
○ Librarian
23
● IT risks = garbage in = garbage out

○ Potential reliance on inaccurate systems
○ Unauthorized access to data
○ Unauthorized changes to data
○ Failure to make required changes or updates
○ Potential loss of data
● General control - policies and procedures that relate to many applications and support
the effective functioning/proper operating of the info system
Effect of IT on the Audit

● IT environment - auditor documents their understanding of the entity’s IT environment
during risk assessment
● For computer systems = use more frequent, continuous testing
● Potential for increased errors and irregularities - disadvantage, opportunity for remote
access to data, substantive testing alone may not be sufficient
○ Test of controls should be performed to assess control risk in a highly
computerized system
24
● Potential for increase supervision and review - advantages, integration of audit

procedures in application programs themselves, more data means more opportunity for
analytical procedures
● Computer assisted audit techniques = CAAT = auditing through the computer
○ Transaction tagging - electronically mark specific transactions, follow them
through the electronic system
○ Test data - use application program under auditor’s control with a set of test data
■ Only use data of interest to the auditor, not all possible conditions
○ Integrated test facility - test data separated from live data before reports are
created
■ Client personnel are not informed that the test is being run
■ Live data
○ Parallel simulation - auditor reprocesses some or all of live data
■ Controlled processing = observe actual processing run
■ Controlled reprocessing = auditor uses an archived copy of program
● Otherwise use manual audit procedures = auditing around the computer
○ Does not directly test the application program
○ Auditor tests input data, processes data independently then compares the results
○ Only appropriate for batch systems with a good audit trail
● CPA is responsible for guiding an IT auditor, treat them as your staff
● Generalized audit software packages (GASPs) - allow auditor to perform test of controls
and substantive tests directly on client’s system
○ Required little technical knowledge of client’s hardware and software system
● Embedded audit module - section of application code that collects data for the auditor
○ Auditors required to be involved in the design
ME1 Review
● FS presentation in accordance with applicable reporting framework should include
adequate description of framework in FS
● Materiality for FS as a WHOLE - smallest level of misstatement that would be material
for any one of the FS
● Uncertainty may result in unmodified, qualified, adverse or disclaimer of opinion
● For cash basis of actg, no need to include emphasis of matter paragraph
● Quality control = assigning personnel, client acceptance, professional development
● Risk assessment for internal control involves:
○ Testing controls
○ Identifying specific internal control policies
○ Identifying types of potential misstatements
● Adverse opinion = GAAP problem exists which is very material
● Audit documentation should include:
○ Info about selection/application of actg principles
○ Identification of staff who performed audit work
○ Sufficient appropriate evidence has been obtained to support conclusions
reached
25
● Auditor’s planning process - understanding design of controls, determining whether

controls have been implemented, documenting understanding of internal control
● If initial test of controls shows the controls are not operating effectively…revise initial risk
assessment and modify audit procedures
26
A3 - Risk, Evidence & Sampling

Fraud Risk
27
● Error - unintentional misstatements

● Fraud - intentional act
○ Financial reporting fraud = lying, misstatements including omissions or
disclosures in FS
○ Misappropriation of assets = stealing, theft of entity’s assets
○ Corruption = cheating
● Fraud risk factors:
○ incentives/pressure - reason to commit fraud
○ Opportunity - lack of effective controls, allows a misrepresentation to occur
○ rationalization/attitude - attempt to justify fraudulent behavior
● Reasonable assurance - due to concealing aspects of fraud, audit must have reasonable
assurance in detecting material misstatement
○ Even a quality audit may not uncover fraud
● Mgmt responsibility - designing and implementing programs and controls to prevent,
deter and detect fraud
● Auditor responsibility - plan and perform audit to obtain reasonable assurance that FS
are free from material misstatement from error or fraud
○ Professional skepticism
○ Audit procedures
● Required discussions amongst engagement personnel - consideration of risk of mgmt
override of controls, how the auditor may respond to identified fraud risks
● Inquire entity personnel regarding their views of fraud risk - talk to mgmt, employees,
internal auditors, legal counsel and those charged with governance about overall risk of
fraud, process of identifying and responding to fraud
○ Inconsistent responses = need for additional evidence
● Consider results of analytical procedures - required during planning stage & final review
stage
● Identifying risks:
○ Type of risk
○ Significance of risk
○ Likelihood of risk
○ Pervasiveness of risk
● Presumption of risk - improper revenue recognition (analytical procedures required) and
mgmt override of controls
○ These 2 risks exist in every audit
● Responding to assessed fraud risk:
○ General response - assign personnel to the engagement, determine supervision
required, evaluate mgmt’s selection of actg principles, incorporate level of
unpredictability in selection of auditing procedures
○ Response encompassing specific audit procedures - looking at nature, extent
and timing of procedures (NET)
○ Response addressing risks related to mgmt override - obtain an understanding of
reporting process, examine JEs for evidence, review actg estimates for biases,
evaluate busn purpose for significant unusual transactions
28
● If significant risks = withdraw

● Evaluating audit evidence:
○ Conditions identified during fieldwork - discrepancies, conflicting or missing
evidence, problematic relationships, inconsistent actg policies, frequent changes
in actg estimates, tolerance for violations of company conduct
○ Analytical procedures - required during planning stage and final review stage
○ Misstatements due to fraud - may be indicative of underlying mgmt integrity
problem (withdraw)
○ Final evaluation - include communication with engagement personnel
● Communication:
○ Mgmt and those charged with governance - report fraud to mgmt at least one
level above those involved
■ If involves senior mgmt, go directly to those charged with governance
○ Parties outside the entity - CPA must communicate with, duty to disclose for
legal requirements, successor auditor, subpoena
● Documentation requirements - required to document if auditor has not identified
improper revenue recognition, addressing the risk of mgmt override
○ Must document addressing items with presumed risk
Audit Risk
● Audit risk - risk that auditor may unknowingly fail to appropriately modify opinion on FS
that are materially misstated
○ Material misstatement - departures from GAAP, omissions, incorrect
estimates/judgments
■ Types of misstatements:
● Factual = misstatement which there is no doubt
● Judgmental = involves an estimate
● Projected
● Audit risk model - risk that auditor will issue the wrong opinion
○ AR = RMM * DR
■ AR = audit risk, should be low
■ DR = detection risk, risk that auditor will not detect a material
misstatement, CPA controls through NET
● Risk: auditor misses the mistake (error/fraud) and gives wrong
opinion
■ RMM = IR * CR = risk of material misstatement, exists independent of FS
audit
● High RMM = select more effective substantive tests
● IR = risk of relevant assertion to a material misstatement, client
actg system has errors
○ High inherent risk:
■ High volume transactions
■ Complex calculations
■ Amounts derived from estimates
29
● CR = control risk, client’s internal control does not detect it

○ Assessed in terms of financial statement assertions
○ If CR goes down, sample size goes down
○ High control risk:
■ No effective controls
■ Implemented controls are not operating effectively
■ Would not be effective to test controls
● Effect on the audit:
● Auditor controls detection risk and change NET in response to assessed level of RMM
○ Ex. high RMM = lower DR (more work)
○ Change nature of substantive tests
○ Change extent of substantive tests (larger sample size)
○ Change timing of substantive tests (more tests at year end)
● Audit risk and materiality - consider together to design NET of audit procedures and
evaluating results
● Increase tests of details = decreased detection risk
Identifying, Assessing & Responding to Risk

● Assertion level risks - transactions, acct balances or disclosures at the relevant assertion
level
● Significant risk exists when inherent risk is exceptionally high
○ Indicating factors:
■ Fraud
■ Related party transactions
■ Non-compliance
● Risk assessment procedures are always required in FS audits
○ Required documentation:
■ Discussion among audit team
■ Key elements of the understanding
■ Assessment of risks
■ Identified risks and related controls
30
● Responding to assessed risk of material misstatement:

○ Communicate to audit team
○ Assign staff with more experience
○ Increase level of supervision
○ Greater level of unpredictability
● Response to risks at assertion level:
○ Change the NET of audit procedures
● Audit approach - may consist of substantive approach only or a combined approach to
identify risks at relevant assertion level
○ Substantive approach = only use substantive procedures, control risk is
maximum (max risk of material misstatement)
■ No strong controls to rely on
○ Combined approach = use both operating effectiveness tests of controls and
substantive procedures
○ Tests of controls may be required
○ Dual-purpose test = test of controls performed concurrently with test of details on
same transaction
● If relying on operating effectiveness of internal controls to mitigate significant risk, test of

controls must be performed in current period
○ Prior year test results relied upon = ok if not significant risk (every 3 yrs)
● Responding to RMM: (strengths and IT)
○ Inspect client records documenting use and changes to IT programs
● For FS audit, auditor is required to obtain understanding of design and implementation of
internal control
○ Not required to evaluate operating effectiveness as part of obtaining
understanding of design of internal control
● Audit evidence hierarchy:
○ Auditor knows
○ External evidence
○ Internal evidence
○ Oral evidence
○ You know it!
● Extent of tests of controls - more reliance = more reliable & extensive evidence
● Responding to RMM - substantive procedures
31
○ Test $ balances
○ Analytical procedures
○ Ratios
● Substantive interim testing - only if risk of material misstatement is low
Specific Areas of Engagement Risk

● Noncompliance - act of omission or commission by an entity whether intentional or
unintentional
○ Audit procedures - get signed mgmt rep letter, discuss any matters with mgmt
one level above or those charged with governance when appropriate
● Auditor’s responsibility - not responsible for preventing noncompliance, not expected to
detect noncompliance
● Inherent limitations - may be concealed by collusion
● Reporting noncompliance:
○ If mgmt or those charged with governance are involved = go to next higher level
of authority, may need legal advice
○ Material effect on FS = GAAP issue = except for or adverse opinion
○ Insufficient evidence = GAAS issue = except for or disclaimer of opinion
○ Client response/refusal = GAAS issue = withdrawal
● Actg estimates - mgmt is responsible, subjective risk because influenced by potential
mgmt bias
○ Auditor should evaluate degree of uncertainty associated with actg estimates
■ Low uncertainty:
● Estimates are not complex
● Simple, routine transactions
● Derived from data that’s readily available
■ High uncertainty:
● Litigation
● FV of derivatives
● Highly specialized estimates
○ Audit procedures - determine whether actg estimates with high estimation
uncertainty give rise to significant risks
○ Impact of estimates on RMM:
■ Low uncertainty = low RMM
■ High uncertainty = high RMM
● Evaluating contingencies - audit risk = understate expenses and liab, must obtain
appropriate evidence regarding contingent liab
○ Identify contingencies by reviewing minutes of meetings, lawyer correspondence,
communicate with mgmt, review bank confirmations
● Related party transactions: (audit risk of accuracy and completeness)
○ Auditor’s responsibility - identify related party transactions during course of the
audit, determine whether transactions have been properly accounted for and
disclosed in FS
■ Recognize fraud risk factors
32
○ Audit procedures:
■ Request mgmt provide names of all related parties
■ Test balances of accounts
■ Inquire any unapproved related party transactions
■ Review material transactions
○ Document names of all identified parties
○ If identify any previously unidentified related party transactions - inquire why
entity’s controls failed, request mgmt identify all transactions, reconsider risk
Sufficient Appropriate Evidence

● Audit evidence overview - support for audit opinion, must be obtained to support the
conclusion
○ Document risk assessment procedures, test of controls, substantive procedures,
other audit procedures
○ Objective of substantive testing: detect material misstatement in FS
○ If don’t have access to all audit records = scope limitation
● Cost alone or difficulty in obtaining evidence is not a valid basis for omitting a procedure
for which there is no alternative
● Sufficiency of audit evidence = valid and relevant
● Evidence hierarchy:
○ Auditor’s direct personal knowledge
○ External evidence
○ Internal evidence
○ Oral evidence
● Evaluating sufficiency and appropriateness of audit evidence:
○ Evaluate mgmt assertions -> detect material misstatement
○ Results of further audit procedures - helps reassess risk of material
misstatement, identify control deficiencies, identify misstatements
■ Revising assessed RMM - further audit procedure results should be used
to evaluate relevant assertion level RMM is appropriate
● Results of tests of controls are not functioning effectively = higher
RMM, reassess and change NET
● Material misstatements discovered during substantive tests =
higher RMM, change NET
● Fraud is discovered = affects RMM
○ Contradictory versus supporting information - contradictory evidence should be
documented, results in need for additional procedures
● Documentation requirements - overall response addressing assessed risk
Procedures to Obtain Evidence

● Obtaining audit evidence: (C FIVE CARROT WAR)
○ Confirmation
○ Footing, cross-footing and recalculation
○ Inquiry
33
○ Vouching - revenue and assets are not overstated

○ Examination/inspection - existence assertion
○ Cutoff review
○ Reperformance
○ Reconciliation
○ Observation
○ Tracing
○ Walkthrough
○ Auditing related accounts simultaneously
○ Representation letter
○ Subsequent events review - through the date of auditor’s report
● Types of audit procedures:
○ Substantive procedures - designed to detect material misstatements at assertion
level
■ Tests of details applied to transactions, balances
● Audit procedures used to gather evidence to support account
balances in the FS
■ Substantive analytical procedures
● Determine analytical procedures that are suitable
● Evaluate reliability of the data from which auditor’s expectation is
to be developed
● Develop an expectation
● Perform analytical procedures
● Compare results with expectations
● Investigate significant differences
● Efficiency and effectiveness of analytical procedures:

○ Nature of assertion being testing (IS accounts are more predictable0
○ Plausibility and predictability of data relationships (acct with mgmt discretion are
less predictable)
34
○ Availability and reliability of data used to develop expectation

○ Precision of the expectation
○ Method used to develop auditor’s expectation
● Documentation requirements:
○ Auditor’s expectation
○ Factors considered in development of expectation
○ Results of comparison
○ Additional procedures performed
○ Results of additional procedures
● External confirmation - direct written response to auditor form third party

○ Positive = must respond
○ Negative = no news is good news
● Mgt refusal of external confirmations = perform alternative procedures
● Review of relevant assertions:
○ Completeness
○ Cut offs
○ Valuation, allocation, accuracy
○ Rights and obligations
● Transactions, events and related disclosures:
○ Completeness
○ Cutoff
○ Valuation, allocation and accuracy
35

Financial Ratios
● Ratio analysis often used in analytical procedures
● Numerator of ratio has direct relationship, denominator has inverses relationship
● Liquidity ratios - short term ability to pay, focus on balance sheet accounts
● Activity ratios - how effectively use the assets
● Profitability ratios - measure financial performance
● Investor ratios - interest to investors
● Long term debt paying ability ratios - long term solvency
● Turnover ratio = average balance
● Days in = numerator is ending balance, denom is account / 365
● Cash conversion cycle = day sales in acct receivable + days in inventory - days of
payables outstanding
Sampling
● Sampling risk - sample is not representative of population and auditor’s conclusion
would be different if they examined 100% of the population
● Assumptions and rules of sampling:
○ Assume population is normally distributed (central limit theorem)
○ Samples must be unrestricted and randomly selected
■ Only area where CPA does not use judgment
○ Standard deviation is measure of variability, range of values within the population
(sample risk)
■ Variability = uncertainty = larger sample size
● Sampling methods:
○ Statistical sampling - evaluate results quantitatively
■ Random sample selection should be used
○ Nonstatistical sampling - evaluated using auditor judgment
● Professional judgment - used in both statistical and nonstatistical sampling to define
population and sampling unit, evaluate appropriateness of evidence
● Statistical sampling:
○ Attribute sampling - used for internal control, testing for specific characteristics
■ Risk of assessing control risk too low = beta risk = risk of overreliance
■ Risk of assessing control risk too high = alpha risk = risk of under reliance
○ Variables sampling - used in substantive testing to estimate dollar value of
population
■ Risk of incorrect acceptance = beta risk = auditor’s concern or fear
36
■ Risk of incorrect rejection = alpha risk = lack of efficiency

● Efficiency - lost with alpha risk, auditor does more work than necessary
● Effectiveness - lost with beta risk, could lead to inappropriate opinion
○ Auditor is 95% confident that sample is representative of population
● Nonsampling risk - use wrong audit procedures, improperly evaluate evidence/results
● Attribute sampling:
○ Used to determine NET of substantive testing
○ Tolerable deviation rate = tolerable mistakes = risk of misstatement
■ Such deviations don’t result in misstatements
○ Steps for testing of controls:
■ Define objective of test
■ Define population
■ Define sampling unit
■ Define attributes of interest
■ Determine sample size
● Risk of assessing control risk too low:
● Tolerable deviation rate:
● Expected deviation rate:
● Evaluating sampling results:

○ Upper deviation rate = sample deviation rate + allowance for sampling risk
○ Project results onto population
○ If upper deviation rate < tolerable deviation rate = auditor may rely on the control
○ If upper deviation rate > tolerable deviation rate = auditor may not rely on control
● Stop or go sampling - designed to avoid over sampling for attributes by allowing auditor
to stop an audit test before completing all steps
○ Used when few errors are expected in the population
● Variables sampling: (substantive testing)
○ Sampling for misstatement, estimate dollar value of population
○ Tolerable misstatement - max monetary misstatement in the related account
balance or class of transactions that the auditor is willing to accept
○ Separate samples into relatively homogeneous groups
37
■ Stratified sampling = used when population has highly variable recorded

amounts
● Projected misstatement - once complete sampling procedures, auditor projects
misstatement results of sample to items in population
● Steps for substantive testing:
○ Define objective of test
○ Define population
○ Define sampling unit
○ Determine sample size
■ Higher the tolerable misstatement, lower the sample size
○ Select the sample (random sampling)
○ Evaluate the sample results - obtain point estimate of true balance
○ Form conclusions about balances tested
■ Qualitative considerations - error is unintentional, fraud is intentional
■ Determine whether recorded book value falls within acceptable range
○ Document sampling procedure
○ Additional consideration when using auditing data analytics (ADAs)
● PPS sampling - dollar unit sampling
○ Sampling interval = tolerable misstatement / reliability factor
○ Sample size = recorded amount of population / sampling interval
○ Use systematic selection to select remainder of the sample, use random start for
beginning of sample
● Ratio estimation sampling - use when calculated audit amounts are proportional to
client’s book amounts
● Precision = projected error in either direction
● Mean-per-unit estimation = average audited value * # of items in population
● Ratio estimation = (Audited value of sample / book value of sample) × Total book value
● Difference estimation:
○ Calculate projected error = [(Book value of sample – Audited value of sample) /
Number of items audited] × Population of items
○ Calculate point estimate = Total book value of population – Projected error
Audit Data Analytics

● ADAs application:
○ Risk assessment - use to help identify:
■ Previously unidentified risk
■ Risk of material misstatement at FS level and at relevant assertion level
■ Assess fraud risk
■ Determination of additional audit procedures
○ Test of controls - provide support and evidence in evaluating design and
operating effectiveness of internal controls
■ Evaluate external data
■ Analysis of internal data
■ Review of data for anomalies
38
■ Aid in reperformance activities

○ Substantive procedures - detect material misstatements, applied to test of details
& analytical procedures
■ Perform sequence checks
■ Test entire population to verify accuracy
■ Compare current year data against prior year data
■ Compare industry trends to audited entity
○ Concluding the audit - used when forming overall conclusion
● ADA techniques:
○ Descriptive analytics - summary stats, data sorting, aging data, data reduction
○ Diagnostic analytics - clustering, drill-down/drill-through, variance analysis, data
profiling
○ Predictive analytics - regression analysis, forecasting, time-series model,
classification
○ Prescriptive analytics - what if analysis, machine learning, natural language
processing, decision support and automation
● Unstructured data - in original unmodified form, difficult to sort
● Attributes to evaluate ADA - numeric, text, time data, geographic data
A4 - Performing Further Procedures, Forming

Conclusions, & Communications
Revenue Cycle
● Sales:
○ Preparation of sales order - serially numbered
○ Credit approval
○ Shipment
○ Billing - match shipping, order, invoice
○ Accounting
● Accounts receivable:
○ Sales
○ Collection of cash receipts
○ Uncollectible receivables
○ Sales return - serially numbered receiving report
■ Segregation of duties
○ Sales discounts
● Cash receipts: (3 copies)
○ Cashier - receives actual receipts, prepares bank deposit
○ Accounts receivable department - enter receipts into A/R subsidiary records
○ Accounting department - enter receipts into A/R control account
● Segregation of duties:
○ Authorization
○ Record keeping
○ Custody
39
● Auditing sales transactions:

○ Completeness - trace form shipping doc to invoice to sales journal
○ Cutoff - effort to boost revenue
○ existence/occurrence - vouch starting from sales journal to invoice to shipping
document
○ Understandability of presentation/classification
● Auditing accounts receivable:
○ Completeness
● A/R confirmations - review schedule for accuracy and collectibility
○ Positive confirmations - good for existence and rights and obligations, not good
for valuation or completeness, used when:
■ Large individual accounts
■ Expected errors or items in dispute
■ Internal control is weak
○ Negative confirmation - customers should respond to the auditor only if they
disagree with stated amount owed, used when:
■ Inherent + control risk is low (RMM low)
■ No big accounts
■ Recipients respond
○ Confirmation exceptions:
■ Timing difference
■ Misstatements
○ Confirmation nonresponses - follow up with second or third confirmation
requests, then go to alternative procedures
Expenditure Cycle
● Purchases:
○ Start with purchases requisition - properly approved serially numbered requisition
○ Purchase orders - must be properly approved
○ Receipt of goods - receiving department receives purchase order as
authorization to accept the goods with blind copy, must report the quantity
● Accounts payable:
○ Recording the payable - match the receiving report & the PO
○ Approving invoice for payment and recording payment
● Auditing accounts payable:
○ Completeness & accuracy assertions are more relevant than existence and
rights/obligations assertions
○ Review disbursements recorded
○ Identify disbursements related to expenses incurred before YE
○ Confirm YE liability
40
● Detect overstatement of sales = start with sales order for tracing
Cash Cycle
● Fraud risk related to cash cycle - high fraud risk, especially when internal control is weak
● Lapping - an employee withholds funds received by customer for personal use and fails
to apply these receipts of cash to customer’s receivable balance
○ Today’s receivable covers yesterday’s theft
● Kiting - check drawn on one bank is deposited in another bank and no record is made of
the disbursement in the balance of first bank until after year end
○ Cash recorded in two places at once
○ Look for unusual year end cash movements
○ Indicated by low average balance compared to high level of deposits
● Auditing cash balance:
○ Bank confirmation
○ Bank reconciliation - check year end math accuracy
● Cash receipts & cash disbursements:
○ Completeness - trace sample of remittance advices to cash receipts journal
○ Cutoff - test year end transactions
● Bank statements should be reviewed by internal auditor
Inventory Cycle
● Internal controls related to inventory cycle:
○ Warehouse - accounts as custodian for verified quantity of goods received
○ Observe beginning and ending physical inventory counts
○ Inspect inventory to confirm its existence and valuation
● If inventory is held offsite:
○ Significant?
■ Yes = observe
■ No = confirmation
● Auditing inventory transactions - audited as part of the audits of revenue cycle and
expenditure cycle
41
● Presentation and disclosure - cost method, raw materials, WIP inventory, finished goods
balances, consigned inventory, warranty obligations, etc.
Investment Cycle
● Auditing investment balance:
○ Completeness - if high volume of transactions, search for unrecorded purchases
is necessary
○ Valuation and allocation - look at changes during the year, investments not
reported at fair value, impairments of investments
○ Existence - confirmations and examination of any securities on hand
● Auditing investment transactions:
○ Completeness - use analytical procedures
○ Valuation, allocation, accuracy - did they properly calculate amortization
○ Existence and occurrence - analytical procedures to calculate investment income
○ Understandability and classification - AFS debt goes to OCI, trading debt and all
equity securities goes to current earnings
● Investments in securities when valuations are based on investee's financial results - use
equity method, FS are not audited (request that they should be), if different year end
then consider the impact of the gap
● Measuring fair value - amount asset could be sold for (exit price)
○ Hierarchy of inputs (level 1-3)
○ Management’s responsibility to make FV measurement and disclosures in
accordance with GAAP
○ Auditor’s responsibility:
■ Understand process for determining FV
■ Understand relevant controls
■ Assess the RMM
■ Evaluate whether the method is in conformity with GAAP
■ Consider need for specialist
○ Testing FV measurements:
■ Verify quoted market price
■ Determine whether mgmt’s assumptions are a reasonable basis
■ Mgmt’s intent that may affect FV
■ Whether modifications made to observable information reflect common
assumptions
■ Whether valuation model is appropriate
■ Test underlying data
■ Develop independent FV estimate
■ Consider use of a specialist
■ Consider subsequent events
● Pricing services - reliability depends on nature and source of evidence and
circumstances under which evidence is obtained
○ Relevance - relationship with assertion of control being tested
42
○ When using info from multiple pricing services, less info is needed about
particular methods and inputs used
● Broker dealers - is information relevant and reliable, is broker a market maker for similar
instruments
○ Relationship with broker and the entity
○ Is the quote binding
○ Limitations on the quote
● Impairment loss resulting from decline in FV other than temporary needs to be recorded
○ Auditor should evaluate basis for decision
○ FV is below cost and:
■ Adverse conditions related to specific security
■ Decline exists for extended period of time
■ Mgmt doesn’t have intent and ability to hold security for anticipated
recovery
Other Transaction Cycles

● PP&E cycle internal controls:
○ Acquisition - special requisition form generated including description and amount
to be charged
○ Subsidiary ledgers - detailed info about each asset kept in subsidiary ledger
○ Physical security - fixed assets should have identification plates
○ Written policies - maintain written records of policies
○ Disposition - retirement of assets should be documented on a sequentially
numbered work order containing evidence of proper authorization and reason for
retirement
● Specific procedures for PP&E:
○ Completeness - obtain and foot fixed asset schedule and agree to general
ledger, obtain and foot schedule of additions and dispositions
■ Select sample and trace to fixed asset sub ledger
■ Trace sample of fixed asset purchase requisitions
■ Review related repair & maintenance
■ Review lease and rental agreements
○ Valuation and allocation - recalculate accum dep’n, evaluate fixed assets for
impairment
■ G/L and removal of accum dep’n should be tested for reasonableness
○ Existence - vouch additions to fixed asset accounts by examining internal
documents and external evidence and inspected actual assets
■ Select older fixed assets, locate the assets
○ Rights and obligations - invoices, deeds, title documents
● Payroll and personnel cycle:
○ Service organizations - used to process payroll transactions
○ Segregation of duties - timekeeping and cost actg
■ Hourly employees may use time clocks
■ Payroll = record-keeping department
43
○ Check distribution - distribute by person who has no other payroll function

○ Internal control evaluation - view personnel records, observe segregation of
duties between HR & payroll distribution
● Auditing payroll accrual - analytical procedures and recalculation of payroll accruals
○ Tests related to completeness, existence, rights & obligations performed when
entity’s IC canot be relied upon
● Financing cycle:
○ Internal control over debt - include documentation of all agreements,
authorization, detailed records with key amounts
○ Internal control over equity - must be authorized by board of directors (see
minutes)
● Auditing debt balance & transactions:
○ Completeness - trace from minutes for completeness
■ Examine new debt agreements
■ Review interest expense
○ Valuation and allocation - auditor should test sample of debt receipts and
payments
○ Existence/occurrence - auditor should verify existence of new debt by reviewing
board minutes for evidence and inspect relevant debt agreements
Matters that Require Special Considerations

● Litigation, claims & assessments:
○ Degree of probable unfavorable outcome
○ Amount or range of potential loss
● Management responsibility - identify and account for contingent liabilities
○ Mgmt is primary source of information regarding contingencies
○ Attorney is there to corroborate info provided by mgmt
● Substantial attention limitation - lawyers may limit replies to matters to which they have
given substantial attention
● Confidential limitation - unwise for attorney to disclose confidential information
● Entity’s ability to continue as a going concern - auditor evaluates audit evidence to
determine whether there is substantial doubt about entity’s ability to continue as a going
concern for “reasonable period of time”
○ FASB = one year after issuance is reasonable
○ GASB = 1 year beyond the date of FS is reasonable
● If raise substantial doubt:
○ Obtain sufficient appropriate audit evidence
○ Evaluate mgmt’s plans
○ Conclude on whether there is substantial doubt
○ Consider the impact on auditor’s report
● Factors that may indicate substantial doubt: (FINE)
○ Financial difficulties
○ Internal matters
○ Negative trends
44
○ External matters
● If auditor identifies conditions or events that may be indicative of substantial doubt,
everything is not FINE
● Mitigating factors - must include both intent and ability to carry out the planned
procedures
○ Plans to borrow money or restructure debt
○ Plans to sell assets
○ Plans to increase ownership equity
○ Plans to delay or reduce expenses
● Reporting for non issuers - wording depends on where or not substantial doubt has been
alleviated by mgmt’s plans
○ If going concern basis of actg is appropriate and substantial doubt has been
alleviated & if adequate disclosures are made = emphasis of matter paragraph
○ If going concern basis of actg is appropriate and substantial doubt remains =
separate section in auditor’s report
● Reporting for issuers - explanatory paragraph should be added when there is going
concern uncertainty
● Documentation requirements - conditions that gave rise to substantial doubt, mitigating
factors that auditor considers significant, audit work performed to evaluate mgmt’s plans,
effect of auditor’s conclusion on FS and related disclosures and resulting auditor’s report
● Other going concern considerations:
○ If going concern disclosures are inadequate = departure from GAAP
○ If mgmt is unwilling to perform or extend evaluation to meet required period of
time = qualified or adverse opinion
○ If FS have been prepared using going concern basis but is inappropriate =
adverse opinion
○ If auditor’s doubts are removed in subsequent period = going concern section
need not be repeated
● Accounting estimates:
○ Auditor’s responsibilities - evaluate degree of uncertainty, assess mgmt’s written
policies, verify all material estimates have been developed, determine that actg
estimates are reasonable
■ Apply professional skepticism
■ Focus on significant assumptions
● Audit procedures - auditor should obtain understanding of how mgmt developed its
estimates
○ Review and test procedures used by mgmt to develop the estimate
■ Methods - conformance with framework, appropriate based on auditor’s
understanding of company, if company has changed determine reason
why
■ Data - test accuracy and completeness of data, evaluate reliability
■ Significant assumptions - evaluate reasonableness of assumptions
● Auditor should evaluate whether difference between reported estimate and best estimate
supported by audit evidence indicates possible management bias
45
Misstatements and Internal Control Deficiencies

● Identification of misstatements - accumulate misstatements found other than those that
are clearly trivial
○ Clearly trivial = inconsequential
● Evaluation of misstatements - considered material if quantitatively and qualitatively is a
material misstatement
● Communication and correction of misstatements:
○ Communicate with mgmt and request correction
■ Mgmt agrees and makes correction
■ Mgmt refuses to correct
● If mgmt doesn’t make recommended entries, auditor should
document summary of errors
○ Document mgmt’s action after communicating the misstatement
● Documentation requirements:
○ Amount below which misstatements are clearly trivial
○ All misstatements accumulated and whether they’ve been corrected
● Material weakness - deficiency, combination of deficiencies in internal control over
financial reporting
● Adjusting journal entries:
○ Correct amounts that are overstated or understated
○ Purchases - requires knowledge of FOB shipping and FOB destination
■ Client is the buyer:
● FOB shipping - included in client’s inventory once item is in the
delivery truck
● FOB destination - included in inventory once item reaches the
client’s place of business
■ Client is the seller - opposite as above
Written Representations
● Management representation letter - confirm representations given to the auditor,
indicates and document continuing appropriateness of such representations, reduces
the possibility of misunderstanding concerning matters that are subject of the
representations
○ Requirements:
■ Final piece of evidential matter
■ Letter is mandatory
■ Dated same as audit report
■ Signed by CEO & CFO
■ Representations
■ Materiality
■ Doubt about reliability of written representations
○ Contents:
■ Financial statements
46
■ Completeness of information
■ Fraud
■ Laws and regulations
■ Uncorrected misstatements
■ Litigation and claims
■ Estimates
■ Additional representations
● Written representation regarding internal control:
○ Only required when performing an integrated audit (includes audit of internal
control)
○ Obtain additional representations from mgmt
● For comparative FS, rep letter should cover all years presented in the report
Communication with Management & Those Charged with Governance

● Audit committee - not employees, no material financial interest
● Purpose of an audit committee - SEC recommends, strengthens public’s trust in the
entity
○ Maintain lines of communication between auditor and board of directors
● Auditor should have appropriate access to the audit committee periodically
● Planned scope and timing of an engagement:
○ Auditor should communicate with those charged with governance the scope and
timinng of the audit, including significant risks identified
● Internal control communications:
○ FS audit nonissuers - certain deficiencies mmay be noticed by auditor during the
audit
○ Audit of internal control issuers - PCAOB rules, required to have an integrated
audit
○ Control deficiency - operation or design of a control does not allow mgmt or
employees to prevent or detect and correct misstatements onn a timely basis
■ Design effectiveness
■ Operational effectiveness
○ Material weakness - deficiency in internal control such that there is a reasonable
possibility that a material misstatement of FS will not be prevented or detected on
a timely basis
○ Significant deficiency - important enough to merit attention by those charged with
governance
○ Detection of control deficiencies - auditor of a nonissuer is not required to
perform procedures to identify deficiencies in internal control
● Evaluation of control deficiencies - severity depends on whether a misstatement has
actually occurred and the magnitude of potential misstatement and whether there is a
reasonable possibility that entity’s controls will fail to prevent or detect and correct a
misstatement
47
● Communication of control deficiencies:

○ Timing - recommended by release, required by release +60 days
● Optional communication content - description of inherent limitations of internal control,
nature and extent of auditor’s consideration of IC
A5 - Integrated Audits, Attestation Engagements,

Compliance & Government Audits
Integrated Audit Procedures
● Overview of integrated audits - audit of FS and internal control over financial reporting
○ Required for issuers by PCAOB
■ <$75m outstanding common equity held by nonaffiliates are exempt
○ Optional for non issuers
● Objective - express opinion on effectiveness over internal control
○ Material weakness = ineffective internal control
● Mgmt requirements:
○ Issuers - annual report about internal control that states mgmt’s responsibility for
establishing and maintaining internal control structure, contains an assessment
as of end of most recent fiscal year
○ Nonissuers - mgmt accepts responsibility for and evaluates effectiveness of
internal control
● Written representation:
○ Acknowledges mgmt’s responsibility
○ State mgmt’s assessment as of specified date
○ Mgmt disclosed all deficiencies in design and operations
● Planning the engagement:
○ Fraud risk assessment - pressure/incentive, opportunity, rationalization
■ Significant unusual transactions
■ Period end journal entries and adjustments
● Top-down approach - auditor evaluates overall risks at FS level (entity level) then
focuses on accounts, transactions & disclosures for which there is a reasonable
possibility of material misstatement and then the assertions as they relate to each
account
● AICPA standards for testing controls - integrated audit should evaluate components of
ICFR and determine whether components are:
○ Present and functioning in design and operation
○ Operating together in an integrated manner
● Components of internal control of financial reporting:
○ Control environment
○ Risk assessment
○ Info and communication systems
○ Monitoring
○ Existing control activities
48
● Testing controls:
○ Design effectiveness - use walkthroughs, inquiry, observation
○ Operating effectiveness - inquiry alone is not enough
○ Determine the effect of any identified control deviations on the risk assessment
■ Risk, evidence & effectiveness
● Benchmarking of automated controls - low risk and no change, may not need to repeat
testing
● Forming an opinion:
○ Mgmt report - indicate mgmt is responsible, describe the subject matter, identify
criteria by mgmt used to measure effectiveness, describe material weaknesses
identified by mgmt
■ If required disclosures for MW have not been included = state in auditor’s
report
■ If report is incomplete/improperly presented = state in auditor’s report
■ If report contains additional information = auditor should read additional
info to ensure there are no material inconsistencies and disclaim an
opinion on such information
● FS audit versus audit of internal control:
○ Relevant period - internal control audit is for a point in time, FS opinion is for a
period of time
○ Extent of testing - internal control is more limited
○ Interrelationship between 2 engagements - audit ToC applies to IC opinion, IC
testing leads to greater IC reliance, IC deficiency raises control risk so more
substantive testing, audit issues may be IC issues
● Integrated audit has different scope, purpose and procedures
Communication and Reporting in an Integrated Audit

● For nonissuer - auditor should communicate with mgmt & those charged with
governance all material weaknesses and significant deficiencies identified
○ Define deficiency and MW
○ Describe the issues identified
○ Restrict the use of the report
● If auditor finds that audit committee is ineffective, auditor should notify entire board of
directors
49
● Reporting on internal control for nonissuers - can be separate or combined reports

○ Separate reports - each report should make reference to the other report
○ Section headings:
■ Opinion section
■ Basis for opinion
■ Management responsibilities
■ Auditor’s responsibility
■ Internal control definition
■ Inherent limitations
○ Combined report sections:
■ Dual opinions
■ Basis for opinions
■ Management responsibilities
■ Audit responsibilities
■ Definition of inherent limitations and internal control
○ Report date - no earlier than date on which sufficient appropriate evidence has
been obtained
■ Internal control report should be same date as audit report
● Material weakness in internal control = adverse opinion
● Other considerations: (both for issuers and nonissuers)
○ If mgmt report fails to include 1+ MW identified by auditor = auditor’s report
should state this and describe MW
○ If mgmt report includes a MW but not fairly presented = auditor should indicate
the situation and describe the MW
● Reporting on internal control for issuers - separate or combined reports
○ Separate report headings:
■ Opinion
● Reference to internal control following opinion paragraph
■ Basis for opinion (mgmt responsibility + auditor responsibility)
■ Internal control definition
○ Combined report headings:
■ Dual opinions
50
■ Basis for opinions

■ Definition of internal control
■ “We have served as the company’s auditor since year X”
● Reporting on a previously report internal control weakness:
○ If subsequently eliminated, mgmt communicates this to the public and have
independent auditor attest to improvements in internal control
○ Auditor’s objective is to express an opinion on whether a previously reported MW
has been eliminated
● Scope limitations - auditor should withdraw or issue a disclaimer of opinion if the scope
of the audit is restricted
○ When disclaiming an opinion:
■ State that opinion is not being expressed in the opinion section
■ State the reasons for disclaimer within the basis for opinion section
■ Revise the opinion paragraph - different language between
issuer/nonissuer
● Subsequent events:
○ If before date of auditor’s report, new info about a matter that existed as of the
date of report -> appropriate action should be taken
○ If new information arises after the date of auditor’s report, include information as
an explanatory paragraph of the report
○ Auditor has no responsibility to keep informed about events occurring after the
audit report date but if they become aware of information, they should explain it
Attestation Engagements and Standards

● Attest engagements - assurance on subject matters other than basic FS
○ Examination, review or agreed-upon procedures report on subject matter
○ Assertion about the subject matter
○ Responsibility of a party other than the practitioner (usually mgmt)
● Subject matters:
○ Agreed-upon procedures
○ Financial forecasts and projections
○ Pro forma FS
○ Compliance
○ MD&A
○ Reporting on controls at a service organization
51
● Standards:
○ Audit engagements = SAS/PCAOB standards
○ Preparation, compilation & review engagements = SSARS (statements on
standards for actg review services)
○ Attest engagements = SSAE (statements on standards for attestation
engagements)
● Attestation standards - provide guidance, set boundaries, provide a measure of quality
and describe the objectives
○ Differ from GAAS:
■ No reference to historical fS
■ No reference to GAAP
● Common attestation concepts: (CAPE CORP)
○ Compliance with attestation standards
○ Acceptance and continuance
○ Preconditions for attestation engagement are present
■ Practitioner is independent
■ Responsible party takes responsibility for subject matter
■ Subject matter is appropriate
○ Engagement documentation standards
○ Acceptance of a Change in terms of engagement is reasonable
○ Using the work of an Other practitioner is allowed
○ Responsibility for quality control
○ Professional skepticism and professional judgment
● Attestation risk (should be low) = inherent risk * control risk * detection risk
● Additional reporting requirements:
○ Report may be issued on assertion itself or on the subject matter to which the
assertion relates
○ If material misstatements or deviations then conclusion should be expressed
directly on subject matter
○ If reporting on the assertion then it should accompany practitioner’s report or be
clearly stated in the report
● Scope restrictions:
52
○ Examination - result in qualified opinion, disclaimer of opinion or withdrawal

○ Review - results in withdrawal from engagement
● Assertion-based examination engagements - positive opinion, practitioner who
expresses an opinion about whether the underlying subject matter is in accordance with
the responsible-party’s assertion
● Direct examination engagements - reasonable assurance, responsible party does not
provide an assertion but they must acknowledge their responsibility for underlying
subject matter
● Review - limited assurance (moderate level), results in a conclusion instead of an
opinion
● Written assertion - obtain in an assertion-based examination, review and agreed-upon

procedures engagements regarding whether underlying subject matter is measured or
evaluated in accordance with suitable criteria
○ If no written assertion is provided:
■ Client is responsibly party = scope limitation
● Assertion-based = withdraw
● Review engagement = withdraw
● Agreed-upon procedures engagement = modify the report based
on scope limitation
■ Client is not responsible party = as long as appropriate procedures are
performed and sufficient evidence is obtained
Agreed-Upon Procedures & Prospective FS

● Agreed-upon procedures - attestation engagement, perform specific procedures on
underlying subject matter and report findings
○ Conditions: (I AM SURE)
■ Independence of practitioner
■ Agreement of parties
■ Measurability and consistency
■ Sufficiency of procedures
■ Use of report can be general or restricted
■ Responsibility for the subject matter
■ Engagements to perform agreed-upon procedures on prospective FS
○ Reporting: (required elements)
■ Title, signature, location & date
■ Appropriate addressee
■ Identification of engaging party, subject matter, nature and intended
purpose of engagement and responsible party
53
■ Subject matter is responsibility of responsible party

■ Engaging party acknowledged that procedures performed were
appropriate
■ Statement that report may not be suitable for ay other purpose
■ Statement that engagement involves specific procedures that engaging
party agreed to
■ Statement that engagement was conducted in accordance with SSAE
■ Description of procedures performed, related findings, materiality if
applicable
■ Statement that practitioner was not engaged to conduct an examination
or review and does not express an opinion/conclusion
■ Certain additional items on prospective financial information
■ Any information provided by a specialist
● Prospective financial statements:
○ Includes:
■ FS that cover period that has partially expired
○ Does not include:
■ Pro forma
■ Completely expired FS
○ Types of prospective FS:
■ Financial forecast - expected financial results based on expected
conditions
■ Financial projection - based on hypothetical assumptions, what-if scenario
○ Uses of prospective FS:
■ Forecasts may be for general use, not projections
■ Forecasts and projections can be for limited use
○ Engagement types:
■ Preparation - similar to requirements for preparation of historical FS
■ Compilation - proper assembling of financial data, no assurance, be
aware of obvious inappropriate assumptions
● Disclose lack of independence if applicable
● Compilation report:
○ Identify entity, prospective financial info, date or period
covered
○ Mgmt is responsible
○ Does not express an opinion
○ Prospective results may not be achieved
○ No responsibility to update the report
○ Describe limitations of projection’s usefulness
■ Examination - express an opinion as to whether statements are presented
in accordance with AICPA guidelines and underlying assumptions provide
reasonable basis for prospective statements
● Independence is required
■ Agreed-upon procedures - think I AM SURE
54
● Pro forma FS - demonstrates the effect of a future or hypothetical event by showing how
it might have affected the historical FS
○ Based on mgmt’s assumptions
○ Directly attributable to transaction (or event)
○ Practitioner should have an understanding of the event, evaluate the pro forma
adjustments and any assumptions used in the adjustments
55
Reporting on Controls at a Service Organization

● Reporting on controls at service org - entities often use outside orgs to process a portion
of actg transactions
● Relationship between entity & service org:
○ Services are part of user entity’s information system when those services affect
the initiation, execution, processing or reporting of user company’s transactions
○ Service orgs often have an auditor perform an attestation examination
engagement to report on controls that are relevant to ICFR or are relevant to
security of information processed by service org
● Objectives of service auditor:
○ Obtain reasonable assurance about whether (in all material aspects):
■ Mgmt fairly presents the system
■ Controls were suitably designed
■ Controls operating effectively
● Procedures:
○ Assess suitability of criteria
○ Obtain understanding of system
○ Obtain evidence of mgmt’s description of system
○ Obtain evidence regarding design of controls
○ Obtain evidence of operating effectiveness of controls (type 2 only)
○ Obtain written rep from mgmt
○ Consider subsequent events
● SOC1 & SOC2 reports:
○ SOC1 - evaluating impact that certain controls at the service org have on the FS
of the entity
○ SOC2 - give assurance to a broad range of users regarding controls in place at
service org relevant to one or more of the trust services criteria of security,
availability, processing integrity, confidentiality, & privacy
● Type 1 & Type 2 reports:
○ Type 1 - report on design and implementation of service org’s controls
■ As of a specific date
■ Contains mgmt’s description, written assertion by mgmt
○ Type 2 - report on design, implementation, and operating effectiveness of a
service org’s controls
■ Over a period of time
■ Contains mgmt’s description, written assertion by mgmt
● User auditor considerations:
○ User auditor responsibilities - obtain understanding of nature and significance of
services provided by service org and the effect on the user entity’s IC
○ SOC1 Type 1 - aid user in obtaining understanding of controls
○ SOC1 Type 2 - provide user auditor with assurance about the design,
implementation and operating effectiveness of service org’s internal control
● User auditor should be satisfied with:
○ Service auditor’s competence and independence
56
○ Adequacy of standards under which report was issued

○ Whether period of time covered by report is appropriate
○ Adequacy of time covered by test of controls
● Reporting by user auditor:
○ If unable to obtain sufficient appropriate audit evidence = qualified or disclaimer
of opinion
○ User auditor should not make reference to report of service auditor in an
unmodified opinion issued by user auditor
Reporting on Compliance
● Compliance reporting:
○ Auditor may be asked to report on compliance with contractual agreements or
regulatory requirements in connection with FS audit
○ Report on an attestation engagement regarding entity’s compliance with specific
laws on internal control over compliance
○ Report on compliance and IC over compliance as part of a single audit
engagement when auditing a recipient of federal financial assistance
● Compliance reports in connection with audited FS:
○ Auditor may only issue negative assurance on compliance
■ No identified instances of noncompliance
○ Identified instances of noncompliance - describe the noncompliance, if
adverse/disclaimer of opinion, only report on compliance can only be issued
when there are identified instances of noncompliance
● Compliance attestation - SSAE report does not provide legal determination of an entity’s
compliance, may be useful to legal counsel or others
○ Compliance with specific requirements
○ Internal control over compliance
● Agreed-upon procedures engagements:
○ Compliance with specific requirements
○ Entity’s IC over compliance
○ Could be both of the above
● Objective of agreed-upon procedures - present specific findings to assist users in
evaluating entity’s compliance with specific requirements
● Examination engagements - examine entity’s compliance with requirements or a written
assertion about compliance
○ Practitioner may perform if:
■ Responsible party accepts responsibility of compliance
■ Responsible party evaluates entity’s compliance
■ Enough evidence exists to support mgmt’s evaluation
● Overall requirements for compliance examination:
○ Perform risk assessment
○ Design response
○ Determine if supplementary audit requirements exist
○ Obtain written rep from mgmt
57
○ Prepare reports
○ Prepare required documentation
■ Assessed risk of material noncompliance
■ Procedures performed
■ Documentation of internal control
■ Responses to risk assessment
■ Test of controls
■ Basis for materiality levels
● Representation letter - management:

○ Take responsibility for complying
○ Take responsibility for effective internal control over compliance
○ Performed evaluation of compliance or controls to detect noncompliance
○ Disclosed all known noncompliance
■ Subsequent event
○ Made available all documentation
○ Disclosed any communications from regulatory agencies about possible
noncompliance
● Attestation risk of noncompliance:
● Risk of material noncompliance:

○ Inherent risk of noncompliance - susceptibility of a compliance requirement to
noncompliance that could be material
○ Control risk of noncompliance - risk that noncompliance with a compliance
requirement that could be material will not be prevented or detected on a timely
basis
Government Audits
● GAGAS - covers standards for audits for government organizations & government
assistance received by contractors, NFP orgs, other nongovernmental orgs
● Purpose and types of government audits:
○ Financial audits
○ Attestation engagements
58
○ Performance audits
■ Objectives:
● Effectiveness, economy, efficiency
● Internal control
● Compliance
● Prospective analysis
● Determine if supplementary audit requirements exist - may have audit requirements that
go beyond GAAS & GAGAS
● Standards for financial audits (performing financial audits) - GAGAS includes
requirements in addition to GAAS standards
○ Previous audits and attestation engagements
○ Fraud, noncompliance & abuse
○ Developing a finding
■ Criteria
■ Condition
■ Cause
■ Effect or potential effect
● GAGAS doesn’t require auditor to express an opinion on IC
● Communicate deficiencies in internal control, fraud & noncompliance:
○ Deficiencies in IC - communicate in repot
○ Instances of fraud/noncompliance - report to appropriate members of the org
○ Less than material findings - communicate in writing with appropriate officials
○ Present findings in auditor’s report - listing of findings & mgmt responses
included in report on IC and compliance
○ Report findings to outside parties - communicate to parties outside audited org
when mgmt fails to satisfy legal or regulatory requirements to report
● Distribution of reports - to those charged with governance, audited entity officials,
oversight bodies, all others authorized to receive report
● Yellow book report is an additional report required under GAGAS
○ FS audit looks same as standard nonissuer report except:
■ Auditor’s responsibility section includes reference to govt auditing
standards
■ Other-matter paragraph added referencing GAGAS report
● Reporting internal control - GAGAS required auditor to obtain understanding of design of
relevant controls, determine whether implemented, communicate all significant
deficiencies
○ Content of the report:
■ Assertion that evaluating compliance with laws, rules, regulations with
direct material effect on FS
■ Assertion that specific controls relating to financial reporting are
considered
■ Indication that either no weaknesses were found or that significant
deficiencies were found
59
Single Audits
● Audit recipients of federal financial assistance should be conducted in accordance with
GAAS & GAGAS
○ Apply single audit standards to federal financial assistance
■ 2 CFR 200 = codification of single audit act
● Single audit act - requires entities that expend total federal assistance equal to or greater
than $750,000 in a fiscal year (audit threshold)
○ Allows either a single or program-specific audit
■ Program-specific audit = only 1 program = no FS audit is required
■ Otherwise stuck with single audit
● Single audit objectives:
○ Audit of entity’s FS and separate schedule of expenditures of federal awards
○ Compliance audit of federal awards expended during the year as a basis for
issuing additional reports on compliance
● Materiality - considered separately in relation to each major program, not calculated at a
whole level
● Federal award recipients are subject to audit requirements associated with federal
financial assistance
● Program-specific audits - auditor must contact inspector general of applicable federal
agency and obtain a current program-specific audit guide
● Auditee responsibilities: (entity being audited)
○ Auditor selection - follow procurement standards established by federal
guidelines
■ Evaluate potential vendors based on:
● Responsiveness
● Relevant experience
● Availability of staff
● Results of peer reviews
○ Copy of audit org’s peer review report
○ Report submission - submit within the earlier of 30 days of receipt of auditor’s
report or 9 months after the end of audit period
● Auditor responsibilities:
○ Scope of the audit - express an opinion on FS and related schedules
■ Consider IC, compliance & previous audit findings
■ Internal control - consider IC over compliance as they relate to programs
● Must test controls to plan for low level of control risk for
noncompliance for major programs
■ Compliance - for each major program, did they follow the rules
■ Previous audit findings
● Audit reporting:
○ Express opinion on FS
○ Express opinion on schedule of expenditures of federal awards
○ Report on ICFR
■ Scope of testing
60
■ Results of tests
○ Report on compliance for each major program and IC over compliance
○ Provide schedule of findings and questioned costs including:
● Single audits require use of GAAS and GAGAS, five reports issued:
○ FS report
○ SEFA report
○ GAGAS report
○ Single audit report
○ Schedule of findings and questioned costs
● Audit findings - report significant deficiencies & MW in IC over major programs, material
noncompliance, questioned costs for a given type of compliance requirement if costs
exceed $25,000, known or likely fraud
● Audit documentation - maintained for 3 years after the date of issuance (both auditor and
auditee)
● Major program determination:
○ Risk-based approach - consider current and prior audit experience, oversight by
federal agencies, inherent risk
○ 4 step process:
■ Identify type A (>$750,000) and type B programs
■ Identify type A programs that are low risk
■ Identify type B programs that are high risk using professional judgment
■ At a minimum, major programs are all type A programs not identified as
low risk and type B programs identified as high risk
○ % of coverage:
■ Low risk auditees = auditor must test 20% of federal awards expended
■ High risk auditees = auditor must test 40% of federal awards expended
○ Criteria for federal program risk:
■ Multiple IC structures
■ Weak monitoring systems
■ Programs not recently audited as major
■ Complexity of program
■ Being in the early phase of a program’s life cycle
61
● Subrecipient - nonfederal entity that expends federal awards received from another
entity to carry out a federal program
A6 - Actg & Review Service Engagements, Interim

Reviews, and Ethics & Professional Responsibilities
SSARS Engagements
● Levels of service:
○ Preparation - no assurance, independence not required
○ Compilation - no assurance, objective is to present FS that represents mgmt
without expressing assurance
■ If not independent, must add paragraph saying that
○ Review - limited assurance on FS that have not been audited, independence
required
■ Inquiry & analytical procedures
● Performance of more than 1 service = issue report for highest level of services
performed
● Statements on standards for accounting & review services = SSARS
○ Used for preparation of unaudited FS of nonissuers
○ Applies to engagements where auditor is engaged to prepare, compile or review
specific elements, accounts or items of nonissuers FS
○ i f any departures from SSARS, be able to justify
● SSARS does not apply:
○ Few adjusting entries
○ Consulting
○ Preparing tax returns
○ Bookkeeping
62
○ Data processing services

● 3 party relationship for SSARS engagements:
○ Management - responsible for identifying framework, internal control
○ Accountant - possess knowledge of actg principles and practices
○ Intended user - understand limitations of the engagement and FS
● Establish understanding with the client through engagement letter (written agreement)
● Compilation of SSARS and another set of standards:
○ Special purpose framework - not considered appropriate in form unless FS
include description of framework and material differences from GAAP and
disclosures
○ Framework in another country
■ Distributed outside US = accountant should either report in accordance
with SSARS or report in accordance with another set of compilation or
review standards
■ Distributed inside US = report in accordance with SSARS
● Subsequent events - accountant should request mgmt consider whether each such
event is appropriately reflected in FS
○ Discovered facts that became known to accountant before report release date
■ Discuss with mgmt
■ Determine if FS need revision
■ If mgmt updates, perform additional procedures and date the review
report as of later date or dual date the report
○ Discovered facts that become known to accountant after report release date
■ Discuss with mgmt
■ If mgmt revises, date the review as of later date or dual date
■ If accountant’s conclusion changes on the revised FS, disclose in
emphasis of matter paragraph
○ If client has refused to cooperate - accountant’s disclosure need only state that
info has come to their attention, report should no longer be relied upon
● Reporting fraud and noncompliance:
○ Communicate to appropriate level of mgmt
○ Consider the impact on the compilation or review report
○ If FS are materially misstated, accountant should obtain additional or revised info
○ Consider with withdrawing from the engagement
Preparation Engagements
● Preparation engagements - nonissuer only, not compilation/review/audit
○ No assurance
○ Independence not required
○ Non-attest service
● Establish understanding with client through engagement letter including:
○ Mgmt responsibility
○ Objectives of engagement
63
○ Agreement of mgmt that each page of FS will include statement stating no

assurance
○ Accountant’s responsibilities
○ Limitations
● Preparation requirements:
○ Possess knowledge and understanding of entity’s reporting framework
■ Obtain an understanding
○ Prepare the FS
■ Mgmt understands and accepts responsibility for judgements
■ If accountant is unable to include assurance statement, accountant
should issue disclaimer, perform a compilation engagement or withdraw
from engagement
○ No restriction on use
● Other preparation considerations:
○ FS prepared with special purpose framework - include description of framework
on the face of the FS or in a note
○ inaccurate/incomplete FS - accountant is not required to but may make inquiries
or perform other procedures
■ If known departures from framework, accountant should disclose material
misstatements or withdraw
○ FS that omit all disclosures - accountant may prepare these statements if the
accountant discloses omission and if the FS are not misleading to users
● Documentation in a preparation engagement:
○ Engagement letter
○ Copy of the FS prepared by the accountant
○ Any findings/significant issues
Compilation Engagements
● Compilation - no assurance, independence not required (must disclose)
○ Nonissuer only
○ Establish understanding with client - engagement letter
■ Can accept engagement & then obtain understanding of the client’s
business and industry
● Compilation requirements:
○ Knowledge of industry actg principles and practices
○ Reading the FS - look for no obvious errors, no audit work
○ Noncompliance with laws & regulations, going concern & subsequent events
○ FS that may be inaccurate or incomplete
■ If client refuses to provide information = withdraw
○ Documentation - engagement letter, copy of FS, copy of accountant’s report are
all required
■ Compilation report doesn’t contain a title
■ Doesn’t require signature from accountant or be printed on accountant’s
letterhead
64
● Reporting on a compilation:
○ Accountant’s report - includes mgmt responsibility, reference to SSARS,
statement that accountant did not audit or review the FS
○ Additional paragraphs - if special framework, disclosures omitted or known
departures from framework
● Reporting on FS that are prepared with special purpose framework:
○ Explanation of mgmt’s responsibility
○ Include additional paragraph with reference to applicable special purpose
framework other than GAAP and refers to FS note that describes framework
○ If prepared for a contractual basis of actg, FS may not be suitable for another
purpose
● Omission of 1+ notes should be treated like a departure from the applicable financial
reporting framework
○ Accountant’s report should clearly indicate omission
● Compiled FS that omit GAAP disclosures are acceptable if:
○ FS are otherwise in conformity
○ Restricted use is not required
○ FS would not be misleading to users
○ Include disclaimer of opinion, reference to omission and statement that if
included the disclosures may influence the user’s opinion
○ Compilation report warns the user of missing disclosures
● Exam trick = do not issue an “adverse opinion” for departures from applicable framework
○ Disclose or withdraw from engagement
● If change from review engagement to compilation engagement, compilation report
should make no reference to original engagement
Review Engagements
● Review of FS - limited assurance on financial statements, independence required
○ Nonissuers = SSARS if review only, SAS if audit also
○ Issuer = PCAOB
● Review procedures - should be tailored to client, inquiry and analytical procedures
● Review requirements: (U LIAR CPA)
○ Understanding with client
○ Learn and obtain knowledge of client’s business
■ Not required:
● Test internal control
● Perform audit tests
● Assess fraud risk
● Communicate with predecessor accountant
○ Inquiries should be addressed to appropriate individuals
■ Inside company, not outside
■ Going concern inquiry
■ Identification of related parties
65
○ Review - other procedures should be performed

○ Client representation letter obtained from management
■ Required for all periods reported on
■ Mgmt’s responsibility for internal control and FS
○ Professional judgment used to evaluate results
○ Accountant (CPA) should communicate results - include:
■ Title
■ Addressee
■ Intro paragraph - does not express an opinion
■ Mgmt responsibility paragraph - FS & IC
■ Accountant’s responsibility - required independent, SSARS reference
■ Accountant’s conclusion - general rule is limited assurance
■ Signature of accountant
● If accountant becomes aware of matter that may cause FS to be materially misstated,
perform additional procedures
● Audit procedures not performed in review:
○ Test of actg records
○ Test of mgmt’s assertions about continued existence
○ Inquiries of entity’s attorney about contingent liab
Review Reports
● Unmodified conclusion - limited assurance, nothing has come to auditor’s attention that
causes auditor to believe FS are not materially prepared
● Modified conclusion - when accountant determines that the FS are materially misstated
○ Qualified conclusion = material but not pervasive
■ Include basis for qualified conclusion paragraph before the conclusion
paragraph
○ Adverse conclusion = material and pervasive
■ Need basis for adverse opinion immediately before the conclusion
paragraph
● Title = independent accountant’s review report
● Emphasis of matter paragraph/other matter paragraphs
○ Required when:
■ Special purpose framework
● Describe the framework and state that it’s a basis other than
GAAP
● Potentially restrict the use of the report (regulatory/contractual
basis)
■ Prior period is audited
■ Going concern
○ Optional when:
■ Uncertainties or inconsistencies
■ Significant related party transactions
66
● Reference to work of other accountant’s in review report - if entity decides not to assume
responsibility for audit or review performed, refer to other accountants in accountant’s
responsibility paragraph
● Current period compiled and prior period reviewed (downgraded) - issue compilation
report and add a paragraph describing the prior period responsibility, reissue prior
review report
● Current period prepared and prior period compiled or reviewed - no requirement to
reference prior period
● Columnar form - clear indication when FS have not been audited or reviewed so a user
doesn’t extend a compilation report to such FS
● Omission of required disclosures - not comparable, should not issue a report on
comparative FS
● Information affecting previous report - for subsequent events, include other matter
paragraph with original report date and indicating reason for changing report
● Other accountants involved in prior periods:
○ Prior accountant reissued report unchanged - old accountant should read
statements, compare and obtain letter from successor accountants
○ Prior report not reissued - successor is not required to make reference to prior
report
■ New accountant may make reference by including an additional
paragraph
● Reporting when 1 period is audited - reissue prior report or other matter paragraph in
current report
● Current period unaudited and prior period audited - add other matter paragraph indicated
the prior statements were audited with relevant date and that no audit procedures have
been performed since previous report date
○ Include basis for prior audit opinion
● Current period audited and prior period unaudited - upgraded service, add other matter
paragraph describing the prior period services
○ Either reissue prior period report or describe scope of previous engagement
Interim Reviews
● Nonissuers follow SAS for interim reviews if latest FS have been audited
○ Past audit or future audit
67
○ Same reporting framework must be used on interim FS

● Issuers follow PCAOB for interim reviews for quarterly reports
● Procedures: (U LIAR CPA)
○ Understanding with client - engagement letter is required
■ Limited assurance is scope of the engagement
■ Mgmt is responsible for FS & IC
■ Auditor responsible for SAS or PCAOB standards
■ Limitations of engagement (no opinion)
○ Learn and obtain knowledge of client’s business - select appropriate inquiries
and analytical procedures
■ Initial review of interim financial information
○ Inquiries should be addressed to appropriate individuals - directed to
management and client’s lawyer (not required to corroborate)
○ Analytical procedures - trends, comparisons, ratio analysis
■ Actual versus budget
■ Benchmarking & compare to industry standards
○ Review - other procedures should be performed
■ Read minutes of directors’ meetings
■ Reports from component auditors
■ Read interim info and documents
○ Client representation letter obtained from management - required
■ Discuss matter with mgmt & those charged with governance
■ Reevaluate integrity of mgmt
■ Consider whether to withdraw from review engagement
○ Professional judgment used to evaluate results
■ Scope limitations = no review report
■ Misstatements = accumulate and evaluate to determine materiality
○ Accountant (CPA) should communicate results
● Departures from framework - modify the report including description of the departure and
its effects
○ If inadequate disclosure in interim information, auditor should modify report to
include necessary information
○ If not sufficient, withdraw
● Going concern:
○ Issuers - if disclosure is adequate, auditor is not required for explanatory
paragraph
○ Nonissuers - include separate section in report is going concern was not included
in prior report
68
AICPA Code of Professional Conduct

● State board - issues CPA license, renews, suspends & revokes CPA license
● Professional code of conduct - accepts high degree of responsibility toward the public
● Objectivity - member should maintain objectivity and be independent in fact and
appearance
○ Objectivity applies to all services rendered
○ Independence applies to attest services only
● Requirements:
○ Adequate internal quality control
○ Determine whether conflicts of interest arise
○ Assess whether firm’s activities are consistent with professional
● Independence rule - applies to public practice only, not required for compilations and
non-attestation services
○ Covered member - audit team and office/boss “chain of command” must maintain
independence
○ Immediate family - spouse and dependents (living under your roof) also subject
to independence rule
69
○ Close relative - parents, siblings & adult kids

● Financial interest - independence is impair if covered member has direct financial
interest or material indirect financial interest
○ Direct financial interest - ownership interest directly in client
○ Indirect financial interest - removed relationship (ex. Member owns mutual fund
that invests in attestation client)
○ Independence is impaired if covered member or immediate family has a loan to
or from a client
■ Exceptions:
● Credit card balance less than $10,000
● Bank account that’s fully insured by government below $250,000
● Fully collateralized car loan
● Independence impaired by relationships:
○ If client officer joins CPA firm
○ Family works for client
○ CPA firm employee joins client as exec
○ CPA discussing job at client
○ If member makes management decisions for attest client
● Other reasons independence may be impaired:
○ Accounts receivable > 1 year old
○ Actual or threatened litigation may impair independence
● Integrity and objectivity rule:
○ Professional competency - knowledge of subject matter or ability to obtain
knowledge
○ Due professional care - skills commonly possessed by others in the field,
critically review work done by those assisting engagement
○ Planning and supervision - adequately plan and supervise all performance of
services
○ Sufficient relevant data - obtain relevant data to afford a reasonable basis for
conclusions or recommendations
● Compliance with standards rule - measure of quality performance
● Accounting principles rule - general rule is that GAAP should be followed, departure is a
rare exception if justified
● Confidential client info - do not discuss without consent of client
○ Exceptions:
■ Subpoena or summons
■ Quality review (peer review)
■ Ethics division or trial board of AICPA
■ Disciplinary body of a state CPA society
■ You legal defense team when client is suing you
● Contingent fees rule - generally are not allowed
○ Exceptions:
■ Fixed by courts or based on results of court proceedings
70
● Acts discreditable rule - failure to return records, discrimination or harassment, shall not
disclose confidential information
● Advertising and other forms of solicitation rule - generally ok unless in a manner that’s
false, misleading or deceptive
○ Intentionally underestimate fees = not allowed
● Commissions and referral fees rule - impair independence
○ Not allowed:
■ Audit or review of FS
■ Compilation where lack of independence is not disclosed
■ Examination of FS
● Ownership of CPA firms - must be over 50% owned by CPAs
● Conceptual framework - threats & safeguards, identify threats, evaluate significance of
threat, apply safeguards
○ Conceptual framework for members in public practice
○ Conceptual framework for independence
○ Conceptual framework for members in business
● Threats to compliances:
○ Adverse interest threat - not acting with objectivity
○ Advocacy threat - promote client’s interest or position
○ Familiarity threat - too sympathetic
○ Mgmt participation threat - acting as mgmt for client
○ Self-interest threat - could benefit financially
○ Self-review threat - evaluate your own work
○ Undue influence threat - subordinate judgment
● Evaluating significance of threat - use reasonable 3rd party standard for assessment
● Safeguards that may eliminate or reduce threat - profession, legislation or regulation to
prevent threats or implemented by employing organization
Ethical Requirements of the SEC & PCAOB

● PCAOB - audits the auditors that report for issuers, originated from SOX Title 1
○ For CPA firms that audit public companies
○ Only PCAOB registered firms can audit a public company
○ Standards of registered firms:
■ Maintain audit documentation for 7 years
■ Provide concurring or second review partner for each report
● PCAOB penalties:
○ Temporary suspension
○ Bar of a person
○ Limitation of activities
○ Civil monetary penalties
● SOX Title 2 - auditor independence
○ Prohibited services when auditing public company - bookkeeping, actuarial
services, legal services, internal audit services
○ Tax services are permissible if preapproved by audit committee
71
● Audit partner requirements - to audit an issuer/public company the partner must rotate
off the audit every 5 years (stay off for 5 years)
● Conflicts of interest - audit firm cannot have employed the issuer’s CEO, CFO, controller,
etc. for 1 year before the audit (1 year cool off period)
● SOX Title 3, Section 303 - cannot fraudulently influence, coerce, manipulate or mislead
an independent CPA
● Principles of independence: (prohibited services, independence has been impaired)
○ Conflict of interest
○ Audit acting as mgmt
○ Auditing their own work
○ Advocating for the client
● Investments in audit clients - direct investments and material indirect investments in
audit client are not allowed
● Covered persons - audit engagement team, all people who supervise or have mgmt
responsibility for audit
● Other financial interest in audit client:
○ Loans to or from an audit client
○ Savings and checking balances over $250,000
○ Credit cards over $10,000
● Exceptions:
○ Unsolicited gifts or inherited - dispose as soon as possible
○ Immediate family member has financial interest - dispose no later than 30 days
after person is aware of engagement
● Non audit services - impair independence
● Audit committee administration:
○ Preapproval not required for non-audit services less than 5% of total revenues
○ Required auditor reporting to audit committee
■ Material written communications between audit firm and mgmt
● Auditor independence is impaired if audit partner earns or receives compensation based
on selling engagements to an audit client
● PCAOB independence standards:
○ Responsibility not to knowingly contribute to violations
○ Contingent fees are not allowed
○ Must be independent of firm’s audit client throughout the audit period
○ May not provide tax services related to confidential or aggressive tax
transactions
■ Ok to prepare corporate tax return
Ethical Requirements of the GAO and DOL

● GAO = government accountability office, issues generally accepted government auditing
standards (GAGAS)
○ General principles:
■ Independent in fact and appearance
■ Professional judgment
72
■ Competence
■ Quality control and assurance - external peer review every 3 years
● GAGAS framework for independence:
○ Threats to independence:
■ Self-interest threat
■ Self-review threat
■ Bias threat
■ Familiarity threat
■ Undue influence threat
■ Mgmt participation threat - no safeguard could reduce the threat to an
acceptable level
● Custody of audited entity’s assets
● Setting policies for audited entity
■ Structural threat
○ Document any threats to independence and safeguards applied
● Evaluation of non-audit services - determine whether providing services would create a
threat
○ Consideration of mgmt’s ability to effectively oversee the non-audit service to be
performed
● DOL = department of labor
○ Independence is required when auditing FS submitted to DOL
○ Impairment of independence - direct financial interest or material indirect financial
interest in plan or plan sponsor
Review of Simulated Exams

SE1
● Failure to file personal tax return on timely basis = discreditable act of AICPA
● Registered audit firms are required to report critical actg policies to the audit committee
● Only a few transactions during the year = audit the transactions that occurred
● Many transactions during the year = audit the ending balance of account
● Population variability and sample size are directly related
○ More variability = larger sample size
● Desired risk of incorrect acceptance and sample size are inversely related
○ Lower risk of incorrect acceptance = larger sample size
● Inappropriate for department supervisor to approve timesheet and distribute paychecks
for SOD purposes
● Lower RMM leads to less substantive procedures (cannot eliminate entirely)
● Compilation = no assurance, examination = positive assurance
● For internal control - perform test of controls while obtaining understanding of internal
controls for efficiency
● Firm without adequate system of quality control may still comply with professional
standards
73
● Cannot express unmodified opinion if justifiable change in actg principle inseparable

from change in actg estimate, which is accounted for as a change in principle
● If materiality for FS as a whole changes, materiality for particular classes of transactions
might also need to be revised
● Lack of adherence to GAAP and lack of adequate disclosure require auditor’s report to
be modified
● Efficiency of the audit includes incorrect rejection and assessing control risk too high
● Accounts payable department should receive the purchase order, receiving report and
vendor invoice
● Auditor is not concerned with the client’s evaluation of materiality
○ Must make their own determination of materiality regardless of what client thinks
● Cashier = prepares deposits
● Sufficient knowledge of auditing standards required, justify any departures from
standards
○ Don't need to document specific paragraph numbers of the standards
● Sampling interval = tolerable misstatement / reliability factor
○ Population / sampling interval = # of samples to test
● Consistency of GAAP application is IMPLIED in the audit report
● In accordance with GAAP in the US is stated EXPLICITLY
● Compiled FS that omit all GAAP disclosures are not comparable to FS that include
disclosures
● Report on compliance with a regulatory requirement is restricted use
● Don't need to document mgmt’s acknowledgement of assessed level of risk
● For mgmt disagreements -> communicate with those charged with governance even if
issue has been resolved
● For significant audit adjustments -> communicate with those charged with governance
regardless of if an adjustment is booked
● Topics to Review:
○ Professional code of conduct - definitions of different rules
○ Different types of engagements - level of assurance/requirements for each
○ Sample size and factors that affect it
○ Audit procedures - which goes with which assertions
○ Substantive versus analytical procedures
SE2
● To identify unusual sales transactions, an auditor would perform trend analysis for
quarterly sales
● If mgmt knows of material fraud and doesn’t disclose to the auditor -> integrity is
questioned
● Can be a country club member of a client and still be independent
● If electronic evidence that’s not retrievable after a certain period of time, timing of testing
is going to be difficult to determine
● For government auditing standards, must contain report describing scope of auditor’s
testing of compliance and internal control
74
● Reports issued on significant deficiencies are restricted use

● Professional standards emphasizes period-end financial reporting controls as significant
● Compilation reports can be issued without being independent of the entity
● GAAP allows companies to use different methods for costing different inventories as
long as it’s disclosed
● When performing single audit CPA should follow GAAS and governmental standards
● CPA cannot review a balance sheet of a nonissuer if the scope is restricted
● User auditor cannot make reference to the report of a service auditor as a basis for the
user auditor’s opinion
● Trial sales can be recorded after the consignment period is up
● Written client rep letter would include details about discontinuing a line of business
● For designing written audit programs, auditor should establish audit objectives based on
FS assertions
● Review MD&A = standards for attestation engagements
● Executed loan agreement is original documentation and most reliable form of evidence
● If no audit trail, test the control using observation and inquiry
● Review stage includes performing analytical procedures to determine if additional
evidence is needed
● If change scope from audit to review do not issue review report with separate paragraph
discussing engagement scope change
○ Change in scope = do not reference original engagement
● Investment services product records which can be used to confirm dividend income
● Audit evidence is not gathered when determining sample size
● The methods to process accounting information are relevant to the design of internal
control in the audit of a new client
● Preparing a bank transfer schedule does not prevent or detect lapping
○ Detects kiting but not lapping
● Comparing a sample of shipping documents to related sales invoices would verify
completeness
● The treasure authorizes the write offs of uncollectible accounts
● Even if contingent loss will be covered by insurance -> accrue liability anyways
●

Aud Notes

Uploaded by

Copyright:

Available Formats

You might also like

Aud Notes

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aud Notes

Uploaded by

Copyright:

Available Formats

AUD EXAM

Expected Date: November 19, 2022

● Direct efforts to areas most expected to contain risks of material

Forming an Audit Opinion

● When forming an opinion, evaluate:

● Pervasive = very material

● Unqualified - issuer, auditor concludes FS are presented fairly in accordance with

■ Evaluating actg principles used and significant estimates

Modified Opinions Due to FS Issues

○ Problem is described in ‘basis for qualified opinion paragraph’

Modified Opinions Due to Audit Issues

■ Basis for qualified opinion includes description of issue

Emphasis of Matter, Other Matter & Explanatory Paragraphs

Reporting with Different Opinions & Other Auditors

● Unrevised - original report date

Other Info & Supplementary Info

● Reporting for nonissuers - auditor’s report on supplementary info can be presented in

Special Purpose & Other Country Frameworks

■ Firm should have policies for withdrawal

○ Remain alert for evidence of noncompliance

● Nature and extent of audit documentation - objective of detailed substantive testing is to

● Initial audit - talk to prior CPA is mandatory, client permission is needed

■ Substantive procedures - test account balances

● Use of an auditor’s specialist:

● Risk assessment procedures - obtain understanding of entity, understand internal

■ In a well-designed internal control environment, fraud & errors should be

○ Internal control questionnaire or checklist - used for each assertion of mgmt

● IT risks = garbage in = garbage out

Effect of IT on the Audit

● Potential for increase supervision and review - advantages, integration of audit

● Auditor’s planning process - understanding design of controls, determining whether

A3 - Risk, Evidence & Sampling

● Error - unintentional misstatements

● If significant risks = withdraw

● CR = control risk, client’s internal control does not detect it

Identifying, Assessing & Responding to Risk

● Responding to assessed risk of material misstatement:

● If relying on operating effectiveness of internal controls to mitigate significant risk, test of

Specific Areas of Engagement Risk

Sufficient Appropriate Evidence

Procedures to Obtain Evidence

○ Vouching - revenue and assets are not overstated

● Efficiency and effectiveness of analytical procedures:

○ Availability and reliability of data used to develop expectation

● External confirmation - direct written response to auditor form third party

○ Rights and obligations

■ Risk of incorrect rejection = alpha risk = lack of efficiency

● Tolerable deviation rate:

● Expected deviation rate:

● Evaluating sampling results:

■ Stratified sampling = used when population has highly variable recorded

Audit Data Analytics

■ Aid in reperformance activities

A4 - Performing Further Procedures, Forming

● Auditing sales transactions:

● Detect overstatement of sales = start with sales order for tracing

Other Transaction Cycles