Professional Documents
Culture Documents
Mid
Mid
Mid
o Customers: may look into going concern if it is to rely on the entity for goods
o Lenders: to assess whether loan repayments can be made as and when they fall due
o Employees: to assess whether they can pay entitlements, and stability may be assessed for
job security
o Governments: whether the entity is complying with regulations and paying appropriate taxes
o General public: whether they should associate with the entity (future employee, customer, or
supplier) and to determine what it does and plans to do
Sources of Demand for Audit and Assurance Services
Reasons why users demand financial statements include:
• Remoteness: users do not have access to information themselves
• Complexity: users do not have knowledge to be able to assess disclosure choices
• Competing incentives: users may find it difficult to identify when management is presenting biased
information.
• Reliability: as decisions are being made based on information presented, it is important that it be
reliable
Theoretical Frameworks
The demand for audit services can be explained by the following three theories:
• Agency theory: Due to the remoteness of the owners from the entity, the owners have an incentive to
hire an auditor to assess information provided by management
• Information hypothesis: Due to the need for reliable information, users will demand that
information be audited to aid in decision making
• Insurance hypothesis: Investors demand audited financial statements to insure in part against
potential losses
Level of assurance
High assurance
Report
Independent Auditor’s Report
Review Engagement
Objective
To reduce the assurance engagement risk to an acceptable level to allow the practitioner to conclude and
express limited assurance in that nothing has come to their attention.
Procedures
Sufficient appropriate evidence is obtained by:
obtaining an understanding of the entity and identifying where material misstatements are likely
performing primarily inquiry and analytic procedures to address high-risk areas and to address all
material items in the financial statements
Level of assurance
Limited assurance
Report
Independent Practitioner’s Review Engagement Report
Procedures
Performance requirements include:
obtaining a knowledge of the business, the accounting systems, and the policies used to prepare
the financial statements as needed to conduct the engagement
discussing with management the assumptions the auditor helped make in preparing the financial
statements
reading the financial statements to consider if they are misleading
formatting the financial statements and checking the mathematical accuracy
Level of assurance
NO assurance
Report
Compilation Engagement Report
o Here a practitioner compiles the financial information as provided by the client ensuring
mathematical accuracy
o The practitioner attaches a report to this set of financial statements called a Compilation
Engagement Report
o Refer to figure on next slide for an example report
- Unmodified opinion a clean audit opinion; the auditor concludes that the financial statements are
fairly presented.
- Qualified opinion an “except for” opinion provided where there is a material scope limitation or
a material (significant) misstatement not pervasive to the overall financial statements.
- Adverse opinion - opinion provided when the auditor concludes that there is a pervasive material
misstatement in the financial statements.
- Disclaimer of opinion - opinion provided when the impact of a scope limitation is so extreme
that an auditor is unable to obtain sufficient appropriate evidence to base an opinion.
-
• All other reports are modified opinions
• A report can be an unqualified modified report when an emphasis of matter is added
- Emphasis of matter what results when an auditor issues an unmodified audit opinion when there
is a significant issue that is adequately disclosed and there is a need to draw the attention of the
user to it in the audit report.
•
• An emphasis of matter is used so that the reader can pay appropriate attention to the issue raised, but
does not change the auditor’s opinion (CAS 706)
• All other audit reports are modified (See Table 1.3 in text)
• A qualified opinion is given when the auditor concludes that the financial statements contain a
material misstatement.
• Can include a qualified or “except for” opinion. This is when issue(s) are material but not pervasive.
• Adverse opinion would arise when the financial statements are misstated, and the misstatement is
material and pervasive.
• Disclaimer of opinion would arise when there is an inability to obtain sufficient appropriate audit
evidence and the possible effects are material and pervasive.
o AASB adopted the International Standards on Auditing (ISAs) issued by the International
Auditing and Assurance Standards Board (IAASB)
• Auditing and Assurance Standards Board (AASB)
o A redraft of these standards including a “clarity” format are now referred to as Canadian
Auditing Standards (CASs)
o Responsible for issuing CASs plus standards for:
o review engagements
o compilation engagements
o Auditors required by CSA to be a member in good standing and pass CPAB inspection
o Requires those listed to follow Securities Act of Ontario, the relevant provincial securities
acts, and the CSA
• Chartered Professional Accountants of Canada (CPA Canada)
o The national body of the accounting profession in Canada
We know these cannot be met by the auditor as the auditor provides reasonable assurance, not a guarantee
• The expectation gap can be reduced by:
o Auditors performing their duties appropriately, complying with standards, and meeting
the minimum standards of performance.
o Undertaking peer reviews of work performed
o Professional competence
o Confidentiality
o Objectivity
Professional behaviour
• Comply with rules and regulations and do not harm reputation of the profession
• Do not claim to provide services they cannot provide, or qualifications they do not possess, or
experience they do not have
• Do not undermine reputation of, or quality of work produced by, others
Integrity and due care
• To be straightforward and honest
• Act diligently, taking care to complete each task thoroughly, document all work, and finish on
a timely basis
Professional competence
• Maintain knowledge and skill at a level required by the professional body
• Keep up to date with changes in regulations and standards
• Maintain competence through continuing education and work experience
Confidentiality
• Refrain from disclosing information to people outside the workplace that is learned as a result of
employment
• Exception: if legal requirement to disclose
• Not allowed to use confidential information to their advantage or advantage of another person
Objectivity
• Not allow personal feelings or prejudices to influence professional judgement
• Be unbiased
• Not allow conflict of interest or influence of others to impair decision process
Specific Rules Incorporating the Principles of Professional Ethics
Fees and Pricing
Fee quotes cannot be provided to a client without adequate knowledge of the work to be performed. Fees
quoted should not be significantly lower than the fees charged by a predecessor firm. If fees quoted are
significantly lower than those of the predecessor, it may suggest the quality of the audit work or the
independence of the auditor may be compromised. Contingency fees (based on outcome of service) are
not permitted for engagements where independence is required, for compilation engagements, and for the
preparation of income tax returns.
Advertising
Advertising must be in good taste and it should not bring disrepute to the profession. Advertising cannot
be false or misleading or make unsubstantiated claims. For example, a firm should not imply that it is
better than competing firms.
Contact with Predecessor
Firm Names
Professional Conduct
o Confirmation bias
o Overconfidence bias
o Anchoring bias
Independence
• Independence is the ability to act with integrity and objectivity
• Lack of auditor independence impacts on credibility and reliability of the financial statements
• The auditor must be, and be seen to be, independent
Auditor Independence
Independence in fact
• ability to act independently with integrity, objectivity, and professional scepticism
• ability to make a decision free from bias, personal beliefs, and client pressures
Independence in appearance
• belief that independence of mind has been achieved
Threats to independence
• Self-interest
• Self-review
• Advocacy
• Familiarity
• Intimidation
Self-interest threat
Can occur if the audit firm or its staff have financial interest in audit client
Examples:
o Bank account held with the client
o Shares owned in the client
o A loan to or from the client
o Fee dependence, where the fees from a client form a significant proportion of all fees of the
firm
o Close business relationship with the client
Self-review threat
Can occur when the assurance team need to form an opinion on their own work or work done by
others in their firm
Examples:
o Assurance team member has recently been an employee or director of the client
o Preparing information for the client that is then assured
o Performing services for the client that are then assured
Advocacy threat
Can occur when an audit firm or assurance staff act, or is believed to act, on behalf of assurance
client
Can lead to questioning of auditor’s objectivity
Examples:
o Encouraging others to buy shares sold by client
o Representing the client in third-party negotiation
o Representing the client in a legal dispute
Familiarity threat
Can occur when close relationship exists or develops between assurance firm and client, or
between firm and client personnel
Assurance staff can become too sensitive to needs of client and lose objectivity
Examples:
o Long association between assurance firm and client
o Long association between assurance firm members and client personnel
o Assurance team member with a close relative holding a senior position of influence at the
client
Former partner of assurance firm holding senior position at the client
Acceptance of gifts by members of assurance team from their client (other than minor tokens)
Acceptance of hospitality by members of assurance team from client (other than minor gestures)
Intimidation threat
Can occur when member of assurance team feels threatened by the client’s staff or directors
Assurance team member unable to act objectively, fearing negative consequences
Examples:
o Threat that client will use different assurance firm next year
o Undue pressure to reduce audit hours to reduce fees paid
Additional requirements for public companies with market capitalization and a book value of total assets
great than $10 million include:
Auditor cannot perform certain prohibited services–examples include actuarial, human resources,
and tax calculations
If engagement team member accepts employment in financial reporting role with client, firm
refrains from being the auditor of client for one year from last filing of financial statements
Safeguards to independence
Created by profession, legislation, and regulation
o Quality control standards
o Education and code of ethics
o Legislative requirement to be independent
Corporate governance
Policies and procedures
o Created by accounting firms
Internal auditors
o Viewed by external auditor as part of client
o External auditor can modify the nature and timing of their procedures and reduce the extent
of their testing if there is an effective internal audit function (CAS 610).
o Modifications by external auditor depends on internal auditor’s:
Objectivity
Technical competence
Due professional care
Communication with external auditors
Legal Liability
External auditor must exercise due care, being diligent in applying standards and documenting work
Auditor can be found negligent and liable for damages under tort law if it is established that:
o A duty of care was owed by the auditor
o There was a breach of the duty of care
o Negligence: failed in performance of audit by being careless and breaching duty of care
o Contract: failed to live up to their responsibilities agreeing to act as the auditor and explicit in
engagement letter
Contributory Negligence
o Where a plaintiff (party suing) and the defendant (the auditor) can be proven to have been
negligent, each party must be held responsible in proportion to their guilt
o The auditor’s negligence was responsible for the third party’s loss
o Auditors not liable for ordinary negligence to parties that they do not have a contractual
relationship with
o Hedley Byrne & Co vs. Heller and Partners Ltd. (1964)
Expanded concept of liability beyond the contractual one to those third parties
provided the auditors knew beforehand this party would be relying on their opinion
o Haig vs. Bamford (1977)
Although the auditor did not know the name of the investor, they knew the financial
statements were being passed on to unidentified members of a limited class for use in
a transaction
o Hercules Management vs. Ernst & Young (1997)
Overall:
o To determine care owed to third parties, the third party must establish that:
o A duty of care existed and was breached and
o Third party relied upon the audit report and there were quantifiable damages
Client acceptance
Staff allocation
Ethical and independence issue identification dealt with on a timely basis
Adequate work documentation
Gather adequate and appropriate evidence to support opinion
o Meet with audit committee to discuss significant issues arising in audit
o Follow up any significant weaknesses in client’s internal control procedures from previous
year’s audit
Client Acceptance and Continuance
• The first stage in any audit is client acceptance or continuance decision
• Guidance provided in CSQC1
Step 1: Assess client integrity
Step 2: Assess audit firm’s ability to meet ethical requirements, service client
Step 3: Prepare client engagement letter
Client’s willingness to allow auditor full access to information required to form an opinion
Client’s attitude and willingness to pay fair amount for audit work
Auditor can obtain information from:
Communication with prior auditor, client personnel, third parties
Review of press articles and Internet or background search
Review of prior-period financial statements
Ethical requirements
Entity Level
Major customers
o How many customers?
o Are they likely to pay accounts on timely basis?
o Are there long term contracts with customers?
Major suppliers
o Are they reputable? Supply quality goods on timely basis? Overseas or domestic?
o Does client pay supplier accounts on timely basis?
Sources of financing
o Reliability of funding, structure of debt
Ownership structure
o Rights of shareholders, dividend policy and payments
Industry level
Understanding the client’s position in the industry, competitive pressures, government support,
overall demand for products
What risks to client arise from nature of industry and client’s position within it?
Overall level of demand for industry goods and services – impact on revenue, impact of technological
changes
Economy level
How do overall economic conditions affect client?
o Interest rate changes, financial crises
o What are specific pressures on client to understate or overstate profits in these conditions?
Related parties
Identification and appropriate disclosure of a client’s related parties
o Examples of related parties include parent companies, subsidiaries, joint ventures, associates,
company management, and close family members of key management
Lack of independence may lead to transactions outside of the normal course of business
o Unusual transactions
In addition to assessing fraud risk factors there are specific procedures the auditor should perform to
comply with CAS240:
Ask management and those charged with governance (and internal audit if exists) if they are
aware of a known fraud or of a suspected one
All team members should attend a team planning meeting, which includes a review of significant
fraud risk factors and financial statement elements susceptible to fraud
Perform preliminary analytics to aid in identifying unusual relationships
Consider the risk of management override
Assess the risk of fraud relating to revenue
Remaining a going concern is the responsibility of management and those charged with
governance
Auditor must obtain sufficient appropriate evidence to assess validity of going concern
assumption
Auditor makes professional judgement about going concern risk, based on risk indicators
CAS 570 has list of going concern risk indicators; examples include:
Auditor should also consider factors that mitigate (reduce) going concern risk
IT Environment
Auditor should consider particular risks faced by client related to IT (CAS 315), for example:
• Unauthorized access to computers, software, data
o Need security, passwords to prevent distorted data
• Errors in programs
o Can occur if not thoroughly tested before implementation, or mistakes made when changing
programs
o Restrict program change rights to authorized personnel
Fraud
Transactions where subjectivity is involved
Accounting estimates with high estimation uncertainty or complexity
Complexity in data collection and/or processing
Account balances or disclosures that involve complex calculations
Accounting principles subject to different interpretations
Entity changes such as mergers and acquisitions
2. Assessment of client’s system of internal controls (control risk)
o Does client have controls designed to minimize risk of material misstatement for each
account and related assertions identified as being high risk by the auditor?
3. Auditor plans to undertake detailed testing of each identified account to the extent deemed necessary
o Based on auditor’s assessments of riskiness of account and related assertions, and
effectiveness of the client’s system of internal controls
o Audit risk is a function of the risk of material misstatement and detection risk (CAS 200)
o Risk of material misstatement existing in client’s financial statements and at assertion level
comprises both IR and CR
o AR = IR × CR × DR
• Inherent risk
o Risk that a material misstatement could occur
• Control risk
o Risk that client’s system of internal controls will not prevent or detect such a material
misstatement
• Detection risk
o Risk that the auditor’s testing procedures will not be effective in detecting a material
misstatement, should there be one
• Auditor will plan and perform their audit to reduce audit risk to an acceptably low level (CAS 200)
• There is an inverse relationship between IR and CR combined, and DR
o If IR and CR are high, auditor will set DR as low, and perform more detailed substantive
procedures
o If IR and CR are low, auditor will set DR as high, and reduce reliance on detailed substantive
procedures
Materiality
• Materiality guides audit planning, testing, and assessment of information in the financial statements
• Information is material if it impacts on the decision-making process of users of the financial
statements
• Information could be considered material because of its qualitative or quantitative characteristics
Qualitative materiality factors
o Nature of the item, for example:
Fraud
Non-compliance with laws
Related party transactions
Change in accounting method
Change in operations
Quantitative materiality factors
o Magnitude of the item
Express as percentage of relevant base figure
Performance materiality is an amount less than planning materiality, to reduce the likelihood that a
misstatement in a particular account balance, class of transactions, or disclosures does not in total
exceed overall materiality
Specific materiality is information that is relevant when some areas of the financial statements are
expected to influence the economic decision made by the users
Materiality and audit risk are both considered in assessing the risk of a material misstatement
Auditor should not use audit risk to determine materiality as materiality is focused on the needs of the
users of the financial statements
Audit Strategy
Auditor must establish an overall audit strategy (CAS 300)
Audit strategy
o Sets scope, timing, and direction of the audit
o Provides basis for developing detailed audit plan
o Is based on preliminary assessments of IR and CR
When an audit client does not have appropriate controls in place for an identified risk, what step will the
auditors take?
- weaknesses will be reported to those charged with governance.
When an auditor traces each transaction flow from inception to the recording of the transaction in the
general ledger, this is known as
- Walkthrough
o Auditor needs to understand what client focuses on, and what is potentially at risk of
misstatement
Profitability
o Profit by division, branch, manager, etc.
o Price earnings ratio (PE)
o Market price per share/earnings per share
o Earnings per share (EPS)
Profit/no. weighted average ordinary shares
Decline could signal pressure on management
o Inventory turnover
Cost of goods sold/inventory
Decline could signal overvalued stock
Liquidity
o Ability of company to meet its cash needs in short and long term
o Ratios can be written into debt contracts (as covenants) and restrict client’s actions
o Client potentially under pressure to misstate accounts included in ratios
Analytical Procedures
Evaluation of financial information by studying plausible links among both financial and non-
financial data (CAS 520)
o Identify fluctuations in accounts that are inconsistent with auditor’s expectations based on their
understanding of the client
o Analytical procedures performed by the auditor can be conducted throughout audit:
Risk Assessment – risk identification
Risk Response – estimating account balances
Reporting – overall review
Analytical procedures at the risk assessment stage:
o Highlight unusual fluctuations in accounts
o Reduce audit risk by concentrating audit effort where risk of material misstatement is greatest
o Where results are unusual or unexpected, investigate further because it indicates risk of
material misstatement
Completeness All transactions and events that should have been recorded have been recorded, and all related
disclosures that should have been included are included.
Accuracy Transactions and events have been recorded appropriately and related disclosures have been
appropriately measured and described.
Cut-off Transactions and events have been recorded in the correct accounting period.
Classification Transactions and events have been recorded in the proper accounts.
Presentation Transactions and events are appropriately aggregated or disaggregated and clearly described;
related disclosures are relevant and understandable.
Transaction assertions
Occurrence
o Auditor gathers evidence that the transaction and disclosures recorded by the client
actually took place and relate to the entity
Most important where there is risk of overstatement (e.g., revenue)
Completeness
o Auditor gathers evidence that all transactions and disclosures have been recorded by the
entity
Most important where there is risk of understatement (e.g., expenses)
Accuracy
o Auditor gathers evidence that transactions and disclosures are recorded by the client at
the appropriate amounts.
Most important where there is higher risk of inaccuracy (e.g., complex foreign
exchange transactions)
Cut-off
o Auditor gathers evidence that the transactions have been recorded by the client in the
correct period.
Most important for transactions near year end
Classification
o Auditor gathers evidence that transaction is in correct account
o Presentation
Assertions about account balances at year end and Related Disclosures at Year End
Existence Assets, liabilities, and equity interests exist.
Rights and obligations The entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
Completeness All assets, liabilities, and equity interests that should have been recorded have
been recorded, and all related disclosures that should have been included have
been included.
Accuracy, valuation, Assets, liabilities, and equity interests are included in the financial statements at
and allocation appropriate amounts and any resulting valuation or allocation adjustments are
appropriately recorded, and related disclosures are appropriately measured and
described.
Classification Assets, liabilities, and equity interests have been recorded in the proper accounts.
Existence
o Auditor gathers evidence that recorded asset, liability, and equity items actually exist
Classification
o Auditor gathers evidence that assets, liabilities, and equity interests are recorded in proper
accounts
Presentation
o Auditor ensures assets, liabilities, and equity interests are appropriately aggregated or
disaggregated
Audit Evidence
• Audit evidence is the information that an auditor uses when arriving at their opinion on the fair
presentation of their client’s financial statements (CAS 500)
• Auditor must gather sufficient appropriate evidence
o Sufficiency relates to quantity of evidence
High-risk account
Aduit Risk = Inherent Risk X Control risk X Detection Risk X Evidence required
Risk Level high high Low More
Aduit Risk = Inherent Risk X Control risk X Detection Risk X Evidence required
Risk Level Low Low High Less
Sufficiency of evidence gathered is a matter of professional judgement and will vary from account to
account and client to client
Reliability of evidence refers to information that reflects the true state of information
o Expertise of respondent
o Consistency of information
Auditor can
o Verify information in client’s records to supporting external documents to confirm accuracy,
existence, rights and obligations, or
o Trace from documents to client’s records to confirm classification, accuracy, completeness
Verbal evidence
o Auditor documents discussions with client management and staff
Computational evidence
o Auditor checks mathematical accuracy; re-adding, can include complex re-calculations,
verifying formulas
Physical evidence
o Gathered by inspecting assets, to assess condition, to reconcile to client’s records
Electronic evidence
o Includes data held on client’s computer, emails to auditor, and scans and faxes
o No paper trail
o Auditor needs to consider the internal controls in place, including the quality of client’s
computer system when assessing reliability of this evidence
o Least persuasive because it is possible that client could manipulate or omit this type of
evidence
o More persuasive than internally generated evidence because it is produced by third parties
o More reliable when external party is considered to be more reliable, trustworthy, independent
of client
Is expert required?
Determining scope of work for expert
Selecting expert – assessing objectivity, capability of expert
Assessing work of expert
Auditor is responsible for drawing conclusions
Assessing need to use an expert. Consider:
o Knowledge of audit team
The less knowledge held by audit team, the greater risk of material misstatement, and less
corroborating evidence available, the more likely an expert is required
o Use written instructions covering issues expert will report on, and how work will be used by
auditor
Objectivity
Gathering sufficient, appropriate evidence
Evidence-Gathering Procedures
Evidence gathering occurs throughout audit
Inquiry
o Useful for gaining understanding, or to corroborate other evidence; auditor will document
conversation
Recalculations
o To check mathematical accuracy
Re-performance
o Follow the process used by client
Analytical procedures
o Relationships between data
Working Papers
Auditor must document each stage of the audit in working papers (CAS 230)
o Provides evidence of work completed, details evidence gathered to support opinion
Client information and documentation that apply to more than one audit
o For example, client address, key personnel, long-term contracts
Current file
o Risk of material misstatement (IR, CR) is inverse to the level of DR auditor will accept
o If IR and CR are low, auditor will accept a high DR, and a small number of substantive
procedures are required
Linkage between inherent risk, control risk, and substantive testing required to reduce detection
risk
Risk assessments are required to be performed at assertion level and the financial statement level
o Transaction assertions are related to account balance assertions
e.g., work done to verify sales occurrence provides some evidence about accounts
receivable existence
Similar assertions across all types of assertions (transactions, account balances, and
presentation/disclosure) are not exactly the same
Substantive procedures:
o Audit procedures that are designed to detect material misstatements at the assertion level
Nature, timing, and extent of substantive procedures in audit program determined by:
o Risk of material misstatement
o Some auditing standards require specific substantive procedures (e.g., CAS 501)
More extensive tests of completeness assertion needed than accuracy, valuation, and
allocation assertion
Completeness tests more likely near year end, whereas accuracy, valuation, and
allocation tests of identified claims could be done at interim date
Accounts that accumulate transactions that mostly remain in year-end balance (e.g.,
additions to fixed asset register)
Control testing confirms a strong control system
Roll-forward procedures are suitable due to strong controls and no changes to
controls
Roll-forward procedures are done between interim date and year end, and
provide evidence that interim testing results continue to apply for the
remainder of the period
o Tracing
Vouching: taking a balance or transaction from the underlying accounting records and verifying it
by agreeing the details to supporting evidence outside of the accounting records of the company
o Primarily tests existence/occurrence assertion
o Auditor typically does not perform procedures on 100% of the balances within the financial
statements
o Audit sampling typically involved (CAS 530)
Analytical Procedures
Analytical procedures can be used as:
o Primary (persuasive) tests of a balance
Analytical procedures may be the most effective test of a balance, or at least reduce extent of other
substantive tests (CAS 520)
o Break-even analysis
o Perform procedures
o Draw conclusions
CAATs and ADAs more useful when client has strong controls
Material content of work in progress and Relate raw materials put into production and quantities sold to
finished goods normal yield factors
Overheads in closing inventory Relate actual overheads for the period to actual direct labour,
production volumes, or another measure
Finished goods pricing Refer to selling prices less selling costs and “normal” gross
margin
Charges for depreciation Refer to asset balance, effect of additions and disposals, and
average depreciation rate
Accrued payroll Refer to days accrued and average daily payroll or subsequent
period’s gross payroll
Commission expense Refer to commission rates and related sales
Accruals for commissions or royalties Refer to terms of agreements and payment dates
Accrued warranty costs for established products Refer to applicable payroll and previous year’s contribution
rate
Scrap income Relate standard cost scrap factor to weight of material
processed and apply the result to published scrap prices
Interest expense and related accrual Refer to the average debt outstanding, weighted average
interest rate, and payment dates
Investment income Relate average amounts invested to an average interest rate or
yield
Total revenue for a private school Relate school fee per each grade by number of students in the
respective grade
o Corroborative
o Confirms audit findings from other procedures
o Unexpected results would require auditor to expand other substantive audit procedures to
provide explanation of result
Examples of analytical procedures that provide corroborative evidence
Evidence Analytical Procedures
Trade receivables, sales, and going concern Review the volatility of the customer base (for example, new
customers as a percentage of existing customers) and compare
with expectations
Property, plant, and equipment Review the reasonableness of the depreciation expense by
referring to the previous year’s balance and the effects of
acquisitions and disposals
Sales commission expense Compare sales commissions or bonuses with related sales
Payroll expense Compare payroll tax expenses with the annual payroll times the
statutory tax rates
Minimal
o Not persuasive or corroborative
e.g., simple comparison with previous year to help identify problems, not to reduce
other testing
o Usefulness of procedure to generate more persuasive evidence depends on the circumstances
Trade receivables Compare the number and amounts of credit notes issued with
those of prior periods
Property, plant, and equipment Review the property, plant, and equipment and related
accounts in the general ledger for unusual items
Audit of estimates often includes reviewing processes and controls, and substantive testing
Auditor assesses impact of all errors identified during the audit and documented in working papers
o Distinguish between errors (including fraud) and judgemental misstatements
Conclude on results for each audit program step and each significant account and significant assertion
Chapter 6: Sampling and Overview of the Risk Response Phase of the Audit
Audit Sampling
• Sampling is required whenever the auditor does not test an entire group of transactions or all items in
a balance (CAS 530)
• In many cases, there are too many items to test, or auditor decides that it is not necessary to test all
items
• Sample of items tested should be representative of the population
Sampling and Non-Sampling Risk
• Sampling risk is the risk that the sample chosen by the auditor is not representative of the population
available for testing, and causes the auditor to arrive at an inappropriate conclusion
• Two consequences of sampling risk:
o Risk that audit will be ineffective
The risk that the auditor concludes that the client’s An increased audit risk (that is, the risk that the
system of internal controls is effective when it is auditor will issue an inappropriate audit
ineffective conclusion)
The risk that the auditor concludes that the client’s An increase in audit effort when not required (that
system of internal controls is ineffective when it is is, there is a risk that the audit will be inefficient)
effective
Sampling Techniques
• Random selection
o Person selecting sample cannot influence choice of items
• E.g., stratify (subdivide) population of transactions into different size ranges, then
take different size samples from each stratum
• Systematic selection
o Divide number of items in population by sample size, giving sampling interval (n). Select
starting point, then take every nth item
o Risk that items are listed in way that every nth item is related – can randomly order first
• Haphazard selection
o Auditor does not use methodical technique
• Block selection
o Select items grouped together
• Judgemental selection
o Auditor chooses items based on judgement
o Non-statistical
1. An increase in the extent to which the auditor’s risk assessment takes into Increase
account plans to test the operating effectiveness of
controls
When determining size of sample for substantive testing, CAS 530 requires auditor to consider:
1. Larger sample size if auditor assesses risk of material misstatement as greater (higher IR, CR)
2. Smaller sample size if auditor also using other substantive procedures for same assertion
3. Larger sample size if auditor requires greater confidence from results of tests (requires lower DR)
Sample size for substantive testing
4. Smaller sample size if auditor is willing to accept greater total error (higher tolerable misstatement)
5. Greater sample size if auditor expects to find greater misstatement in population
6. Smaller sample size if auditor using stratification of population
7. Very little change to sample size if population has more sampling units
Factors that influence the sample size when testing transactions and balances
Factor Effect on Sample
Size
Can use audit risk tables, variables estimation sampling, or attribute sampling to select the
items to test
Evaluating Sample Test Results
Auditor will consider whether results of tests applied to a sample provide evidence that
o Control tested is effective within entire population (for control tests), or
o Class of transactions or account balance tested is fairly stated (for substantive tests)
Conclude deviation from controls in sample is at same rate as deviation from controls in population
o Is deviation rate tolerable? More testing required?
As an auditor, what would you conclude if the tolerable error rate was set at $3,500? What if the tolerable
error rate was $7,500?
Tests of Controls
Preliminary assessment of control risk (CR) is made after gaining an understanding of client during
planning stage
Tests of controls are performed on controls identified during gaining understanding phase
o To obtain evidence that controls operated effectively and consistently throughout period
Auditor can reduce reliance on substantive testing only if tests confirm CR not high
Control testing procedures include:
Inspection of documents for evidence of authorization
Inspection of documents for evidence that details included have been checked by appropriate client
personnel
Observation of client personnel performing various tasks, such as opening mail and conducting an
inventory count
Control testing procedures include
Inquiry of client personnel about how they perform their tasks
Substantive Procedures
Types of substantive procedures:
o Substantive tests of transactions
o Substantive tests of balances
o Analytical procedures
When CR is lower, auditor can rely more on analytical procedures and less on detailed substantive
tests of transactions and balances
o Analytical procedures are more efficient than substantive tests and place greater reliance on
client’s accounting records
o Inspecting documents to verify date of transactions posted around year end (cut-off assertion)
Control testing
Low-risk accounts
o Year-end testing usually done for:
High-risk accounts
Accounts affected by high deviations in control tests
Cut-off assertion
o Reduce extent of substantive testing and increase extent of reliance on analytical procedures
when control testing confirms lower CR
o Do little or no control testing when adopting substantive strategy (i.e., control risk is high)
CHAPTER 7: Understanding and Testing the Client’s System of Internal Controls
Internal Control Defined
System of internal control encompasses the entity’s resources, systems, processes, culture,
structure, and tasks
When controls are effective, the entity is more likely to achieve its strategic and operating
objectives
Internal control is the system designed, implemented, and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and regulations
(CAS 315)
Objectives of Internal Controls
Is an entity’s internal control effective as it relates to recording of transactions and balances?
Effective internal control meets the following objectives:
6. Posted – accumulated totals in transaction file are correctly transferred to the general ledger and
subsidiary ledgers
o Assertions: accuracy, classification, and accuracy, valuation, and allocation
Auditor aims to gain an understanding of how the client uses internal controls to meet these
objectives
Focusing on these objectives helps auditor select controls for testing to gain greatest assurance
that system of internal controls is operating effectively
Failure of an entity’s controls to meet any of these objectives is a weakness in internal control
o Auditor is interested in how management identifies, analyzes, and manages risks relevant to
financial reporting, and how the risks might impact the audit
3. Information systems and communication
o Designed to capture and exchange information to conduct, manage, and control entity’s
operations
o Includes manual and automated systems
o Auditor is interested in systems relevant to financial reporting
4. Control activities
o Policies and procedures that help make sure management’s directives are carried out
Performance review
For example, actual vs. budget, investigation of differences
Information processing
Manual or automated, to check accuracy, completeness, and authorization of
transactions
Authorization controls
Define who can approve transactions
Account reconciliations
Preparation and review of account reconciliations on a timely basis
Physical controls
Security of assets and records
Segregation of incompatible duties
No one employee/group should be in position to both perpetrate and hide
fraud/errors
Separate authorization/custody/recording
o When understanding the client’s control activities, auditor considers:
Extent of reliance on IT
Existence of necessary policies and procedures
Extent to which controls included in the organization’s policies are being applied
Clarity of management objectives for financial and operating goals
Existence of planning and reporting systems for performance, communication and
investigation of variances, and management corrective action
Extent of segregation of duties
Software controls over access to data and programs
Periodic comparison between records and assets
Safeguards over access to documents, records, and assets
5. Monitoring of controls
Does management monitor controls and modify as required when conditions change?
Ongoing monitoring procedures should be part of regular activities, e.g., internal
audit function
Auditor considers:
Are there periodic evaluations of internal controls?
Do client staff regularly obtain evidence of control functioning?
Extent to which information from external parties corroborate, or contradict, internal
information
Management acting on internal and external audit recommendations, or respond to
control difficulties on timely basis
Types of Controls
Transaction-level controls are designed to reduce the risk of misstatement due to error or fraud and to
ensure that processes are operating effectively
Controls can include any procedure used and relied upon by the client to prevent errors occurring, or
to detect and correct errors that occur
o To support the automated parts of the business in the functioning of the controls in place
When controls are designed, consideration is given to what can go wrong with the transaction, often
referred to as WCGWs (what can go wrongs).
Sales occur that are not Occurrence, accuracy The computerized accounting program will
collectible. not allow a sale to be processed if a customer
has exceeded its credit limit.
Sales are recorded at the wrong Accuracy Sales invoices are automatically priced using
amount. a master pricing file.
Transactions are classified and coded Classification The account coding on each purchase order is
to incorrect accounts. checked by the computer using a table of
valid account numbers, and then various
logic tests are performed by the computer.
o Detective controls are necessary to discover fraud or errors that have occurred during the
transaction process
o Usually not applied to transactions during normal flow of processing, but applied outside normal
flow to partially or fully processed transactions
For example, cheques for payment prepared and held by system until approved for
payment, then processed
o Wide variation in detective controls from client to client, depending on complexity, preferences,
etc.
Can be informal or formal
o Important that detective controls:
Cash is received but not recorded in Completeness, Bank reconciliation and follow-up of
the general ledger, payments occurrence, cut-off unexpected outstanding items (for example,
are made but not recorded, or cash unexpected or large deposits not yet cleared
receipts or cash payments are not real by the bank, cheques presented by the bank
or not recorded on a timely basis. but not recorded in the general ledger).
Shipments are not billed and Completeness, The computer performs a daily comparison
recorded, or billings are not related to occurrence of quantities shipped to quantities billed. If
actual shipments of product. differences are revealed, a report is generated
for review and follow-up by the billing
supervisor.
Errors in the number of units, or unit Accuracy The sales manager reviews daily shipments,
prices being calculated or applied total sales, and sales per unit shipped.
incorrectly.
Select controls that will provide most efficient and effective audit evidence
Increase efficiency by only testing controls that are critical to audit opinion –
those that address the WCGWs most effectively with least amount of testing
More efficient to test controls that address multiple WCGWs
o How much testing of controls is required
o Consider:
Weekly 5 2
Monthly 2 1
Quarterly 2 1
Annually 1 1
1. Narratives
2. Flowcharts
Provide any other details that are necessary to understand the initiation, processing, recording, and
reporting of the transactions:
Briefly describe the client’s revenue recognition policy, including standard billing and collection terms:
Briefly describe the client’s credit terms and credit authorization procedures:
Briefly describe the client’s procedures for sales returns and allowances and the issuance of credit
memos:
Techniques for Testing Internal Controls
Auditor uses combination of techniques when testing controls
Inquiry
o Auditor questions employee performing control, management about review of control
Observation
o Auditor observes actual control being performed
Re-performance
o Auditor re-performs control (e.g., attempts to access an unauthorized area to see if attempt on
exception report)
Results of Auditor’s Testing
Do results of control testing confirm preliminary evaluation of controls and control risk based on
internal control documentation?
o If so, do not modify planned substantive procedures
o If not,
o Identify internal control exceptions where control did not operate as intended
Management Letters
CAS 260/265 requires auditors to provide those charged with governance timely observations arising
from the audit that are significant and relevant to the oversight of the financial reporting process
May take the form of a letter from the auditor to the client, recommendations based on internal
control weaknesses, and other matters discovered during the audit
Allows management to document their actions in response, and inform those charged with
governance
Diagnostic analytics use data analytic focused on understanding why something happened
Predictive analytics use data analytics to mke predictions into the future considering a variety of
scenarios
Prescriptive analytics use data analytics to examine a variety of solutions to determine the best
outcome
How Data Analytics Are Used
Audit Data Analytics (A D A) – the examination of large datasets, using computer software, for
exceptions, outliers, trends, and other useful information
For example: the ability to quickly prepare a trend analysis over multiple years in greater detail
with drill down capability into the details where needed
Visuals can aid in the identification of items requiring further investigation plus it can increase
the effectiveness of communicating audit findings
FIGURE 9.1 Year-over-year visualization
Data Considerations
Types of Data
Structured
o Data that resides in a fixed field within a record or file
Unstructured
o Data that do not reside in traditional data bases
o The auditor should gain an understanding of what data the client has available
It is important for the auditor to understand the quality of data to assess its usability
o Completeness
o Cleansing which involves identifying and correcting missing, incorrect and duplicate
fields and reformatting the data in a consistent format
C A S 500 requires the auditor to consider the relevance and reliability of the information used as
audit evidence
For an audit procedure to be relevant it should relate to the account and relevant assertions
Nature
• Financial, non-financial
• Accounting process and control-related
• Product and service categories
• Demographic
• Economic
• Geographic
• Business sector
• Regulatory
• Historic
• Forward-looking
• Time-sensitive
Sources
• Controlled by the accounting department of the audited entity (in-house records) or stored externally
(for example, in the cloud)
• Controlled by persons outside of the accounting department of the audited entity (with various possible
storage media)
• External to, and not controlled by, the audited entity
Format
• Numerical (for example, quantity, currency), text, symbols, other characters
• Structured (for example, data in a fixed field within a record or file)
• Unstructured (for example, text)
Timing
Extent
• Volume
• Scope (variety of subject matters and sources)
Level of Aggregation
• Financial statement item, account balance, component of an account balance
• Annual, monthly, daily, hourly, some smaller timing frequency
• Consolidated, segmented (for example, by division, location)
• Database files, tables, and fields
Documentation of the work performed in the working paper file is required regardless if manual
or A D A s
C P A Canada to Audit Data Analytics outlines the following regarding the documentation of A D
As
o Objectives of the procedures
C P A Canada to Audit Data Analytics outlines the following regarding the documentation of A D
As
o A D A related tools and techniques used
o Steps taken to access data, how extracted and transformed for use
C P A Canada to Audit Data Analytics outlines the following regarding the documentation of A D
As
o Identifying characteristics of the specific items or materials tested
o Name of the auditor who did the work and the date performed
o Name of the auditor who reviewed the work and the date of the review
Figure 9.4 The data life cycle
1. Plan the A D A
o The auditor needs to have a good understanding of the client, their business, and whether the
system of internal control over data collection is generally effective
o Next determine what type of A D A to perform including what account and assertions to test –
influenced by the preliminary risk assessment and data available
o Then identify the data needed and plan the details of the test including how to document the
test results
TABLE 9.2 Planning the A D A as a risk assessment procedure
Purpose
To examine year-over-year sales to identify trends and unexpected changes that may impact the risk
assessment of the sales account
Account and Assertion
Sales: occurrence, accuracy, and completeness
Data Required
• Sales data from the general ledger for the year under audit and the prior three years
• Quantities of each product sold from the client’s sales database for the year under audit and the
prior three years
ADA to Perform
• To examine sales trends by quarter over four years
• To examine sales by location over four years
• To examine the quantity of products sold over four years
2. Access and Prepare the Data
o Assess the condition and format of the data population identified
o Auditor needs to consider where the test met its objective or if it needs to be revised and
reperformed
o CAS230 requirement auditor should document the results of the test
o The auditor uses the A D A five-step process to plan the regression analysis
Focus to detect a material misstatement at the account and assertion levels, often using sampling
Prior to performing this test the auditor will have tested controls and concluded that the entity has
strong:
o strong IT general controls
o strong controls over data interchange and the exchange of electronic information between
the client and its customers/suppliers
o Example – A D A Sales and Accounts Receivable
TABLE 9.8 Planning the A D A test of details on sales and accounts receivable
Purpose
To substantiate the accounts receivable at year end and the revenue during the year
Account and Assertion
Accounts Receivable: existence
Sales: occurrence
Data Required
• Listing of all sales invoices issued for the year including sales details such
as invoice date, invoice number, and invoice amount
• Cash receipts for the year
• Accounts receivable listing at year end
• Cash receipts from Jan. 1 to March 31 subsequent to year end relating to the prior year
ADA to Perform
• To corroborate service revenue during the year by matching
invoices issued during the year with the cash receipts
• To corroborate the accounts receivable at year end by matching subsequent cash receipts
Features of a Good Visualization
Visualizations are often used to communicate the results of an A D A
They assist with the ability to interpret large amounts of data and summarize test results in a way that
can be interpreted more quickly
It also has:
o An appropriate amount of detail – only the details needed in an easy-to-read manner
o Appropriate axis scaling – if a bar chart is too large, small fluctuations may appear
significant, and if too small, significant fluctuations may remain hidden
o A balanced use of colour – typically using a maximum of two colours
An auditor should
o Understand the goal of the visualization
Terms
Data analytics is the science of analysing data to draw conclusions
Descriptive analytics use data to aid in understanding past data
Diagnostic analytics use data analytic focused on understanding why something happened
Predictive analytics use data analytics to make predictions into the future considering a variety of
scenarios
Prescriptive analytics use data analytics to examine a variety of solutions to determine the best outcome
ADA Benefits
ADAs improve identification and assessment of risks of material misstatement and contribute to
the performance of substantive procedures when the data volume is large
ADAs provide management with useful insights as a by-product of the audit since they may
involve looking at entire data populations
ADAs provide the audit committee with useful insights from the audit while meeting stakeholder
expectations
WHAT TYPES OF ADAS ARE BEING USED AND WHY?
There were 16 different automated audit procedures identified by participants as being ADAs, the most
commonly used among participants included:
Data Considerations
Types of Data
Structured
o Data that resides in a fixed field within a record or file
o Often includes data captured, processed and maintained in an accounting system – G L and
journals for example
Unstructured
o Data that do not reside in traditional data bases
o Examples: emails, social media, texts, images
o The auditor should gain an understanding of what data the client has available
It is important for the auditor to understand the quality of data to assess its usability
o Completeness
o Cleansing which involves identifying and correcting missing, incorrect and duplicate
fields and reformatting the data in a consistent format
C A S 500 requires the auditor to consider the relevance and reliability of the information used as
audit evidence
For an audit procedure to be relevant it should relate to the account and relevant assertions
Financial, non-financial
Accounting process and control-related
Product and service categories
Demographic
Economic
Geographic
Business sector
Regulatory
Historic
Forward-looking
Time-sensitive
Sources
Controlled by the accounting department of the audited entity (in-house records) or stored
externally (for example, in the cloud)
Controlled by persons outside of the accounting department of the audited entity (with various
possible storage media)
External to, and not controlled by, the audited entity
Format
Timing
• Point-in-time, period of time
• Rate of change (time lags, continuity)
Extent
Volume
Scope (variety of subject matters and sources)
Level of Aggregation
Documentation of the work performed in the working paper file is required regardless if manual
or ADAs
CPA Canada to Audit Data Analytics outlines the following regarding the documentation of
ADAs
o Objectives of the procedures
o Risk of material misstatement that the procedures is intended to address
o Source of data and why selected
o ADA related tools and techniques used
o Tables and graphics used including how they were generated
o Steps taken to access data, how extracted and transformed for use
o Evaluation of matters identified as a result of applying ADA including where additional
items were investigated and how filtered
o Identifying characteristics of the specific items or materials tested
o Name of the auditor who did the work and the date performed
o Name of the auditor who reviewed the work and the date of the review
Next determine what type of A D A to perform including what account and assertions to test –
influenced by the preliminary risk assessment and data available
Then identify the data needed and plan the details of the test including how to document the test
results
TABLE 9.8 Planning the A D A test of details on sales and accounts receivable
An auditor should
o Understand the goal of the visualization
8. Revisit planning documentation to determine if all matters in plan have been addressed
9. Perform analytical procedures on the adjusted financial statements to ensure consistent with
knowledge obtained during the audit
10. Final review of financial statements
o Including reconciling client’s final trial balance and other records, review of wording
used, level of disclosure and aggregation.
11. Perform a review for contingent liabilities and commitments to ensure properly accounted for
and/or disclosed
12. Perform subsequent events procedures
o Identify events occurring between year end and date of audit report that might require
adjustment or disclosure
13. Read other material included in the entity’s annual report to ensure consistent with audited
financial statements and other information
14. Complete the file on a timely basis after the audit report has been finalized
o File “archiving” - a finalized file where nothing is to be removed, deleted, or discarded
from the file. If modifications needed, then must document why and who made the
changes
Auditor must decide if there is sufficient, appropriate audit evidence to support audit opinion -
consider:
o Materiality of misstatements
o Management responses
o Previous experience
o Whether evidence obtained supports or contradicts the results of the risk assessment
procedures
New information, e.g., client obtained new loan with more restrictive covenants
Change in auditor’s understanding of the entity and its operations
New circumstances, e.g., significantly lower profit than expected
Going Concern
Going concern assumption underpins accounting on the basis that the entity will remain in
business for the foreseeable future
It will be able to realize its assets and discharge its liabilities in the normal course of business
Management must assess the entity’s ability to continue as a going concern
Typically 12 months from the date of the financial statements is the period management is
required to assess all available information in order to make their going concern assessment
Judgement about the future is based on the information available at the time the judgement was
made
The size and complexity of entity, nature and condition of its business, degree to which business
affected by external factors all affect judgement regarding outcomes of events or conditions
Auditor considers reasonableness of management’s assessment of going concern and whether disclosures
are required in financial statements (C A S 570)
Events that provide evidence with respect to conditions that developed subsequent to year end
Type 1 subsequent events
Can affect estimates in financial statements, or indicate that going concern assumption is not
appropriate
Accounting treatment: adjust financial statements for the effect of these events, where material
o Examples:
Accounting treatment: adjust financial statements for the effect of these events, where material
o Examples:
Deterioration in operating results after year end that means going concern not
appropriate
Settlement of a lawsuit after the reporting period for an amount different than the
original estimate
Type 2 subsequent events
Do not result in changes to amounts in the financial statements
Might be so significant to require disclosure
o Do not require accounts to be adjusted
Examples:
Uninsured loss of assets due to fire, flood, subsequent to year end
Purchase of a business, issuance of shares or debt subsequent to year end
Auditor is concerned only with significant events occurring subsequent to balance sheet date that
might require adjustment, disclosure in accounts
Audit procedures
o Gain understanding, and make evaluation, of management processes to deal with
subsequent events
o Read board meeting minutes
Audit procedures:
o Analyze latest interim results and other items deemed necessary such as budgets, cash
flow forecasts, and other reports for events such as accounting decisions, loan
repayments, and compliance
o Enquiring of management, legal counsel, and board members whether any subsequent
events have incurred that might affect the financial statements
o Obtain written representations CAS 580
Misstatements
Misstatements are differences between a reported financial statement item and the correct
reporting as required by standards
o Differences could relate to item’s amount, classification, presentation, or disclosure
o Misstatements can be unintentional (error) or due to fraud
o Auditor evaluates whether misstatements need to be corrected
o Statement that reasonable assurance is a high level of assurance but not an guarantee
Requirement to challenge the adequacy of financial statement disclosure for so-called close
calls with respect to the applicable financial reporting framework when there are events or
conditions that cast doubt on the ability to continue as a going concern
Emphasis of matter
o Does not affect auditor’s opinion
o Applies when resolution of a matter is dependent on future actions or events not under
direct control of the entity, but that may affect the financial statements, and the matter is
disclosed in the financial statements
Emphasis of matter
o Not a key audit matter, e.g., major catastrophe having impact on entity
Nature of Matter Giving Rise to the Auditor’s Judgement about Auditor’s Judgement about
Modification the Pervasiveness of the the Pervasiveness of the
Effects or Possible Effects on Effects or Possible Effects on
the Financial Statements: the Financial Statements:
Material but Not Pervasive Material and Pervasive
Financial statements are materially Qualified opinion Adverse opinion
misstated
Inability to obtain sufficient Qualified opinion Disclaimer of opinion
appropriate audit evidence
a
Where the circumstances are so material and pervasive that the auditor has been unable to obtain
sufficient appropriate audit evidence, or where a qualified opinion is inadequate to disclose the
misleading or incomplete nature of the financial statements.
Communication with Those Charged with Governance
Auditor required to communicate audit matters of governance interest arising from the financial
statement audit with those charged with governance (C A S 260)
o Selection of, changes in, accounting polices that have or could have a material effect on financial
statements
o Potential effect on financial statements of any material risks and exposures
o Comments on design and operation of internal controls, suggestions for improvements (also in
management letter)
o Any other matters as agreed
Other Engagements
An auditor may be asked to perform other reports outside of those involving traditional financial
statements
A few examples include:
o Reports in accordance with a special purpose framework
o Review engagements
o Assurance engagements
o Reporting on controls
o Reports on applying specific procedures to financial information other than financial statements