AUD - Notes Chapter 3
http://cpacfa.blogspot.com

Planning and Supervision
TIP PIE ACDO

The audit committee is responsible for the selection and appointment of the auditor and for reviewing the nature and scope of the engagement.

In a new client relationship, it is mandatory to make inquiries of the predecessor auditor. Client permission is needed. If the client is unwilling, it is a scope limitation.

Before accepting the client, inquire of the old CPA regarding:
• Information that may reveal mgmt integrity
• Disagreements with mgmt (accounting principles, auditing procedures)
• Reasons for change of auditor
• Communication to the audit committee regarding fraud, illegal acts, internal control matters

After acceptance, inquire of the old CPA:
• Make specific inquiries about the audit
• Review predecessor’s audit documentation (workpapers)

Preliminary Engagement Activities
• Assess the integrity of mgmt
• Assess the availability and adequacy of the client’s accounting records (lack of records = scope limitation)
• Evaluate the firm’s quality control policies and procedures

An engagement letter (a signed contract which documents the understanding with the client) is required for an audit engagement (should be signed and dated by the client).

Management is responsible for:
• The F/S
• Internal controls
• Compliance with laws
• Representation letter (letter to auditor at end of the engagement that confirms the representations made)

Auditor is responsible for:
• Conduct the audit in accordance with GAAS (obtain reasonable assurance about whether the F/S are free from material misstatements)

An audit is not designed to detect error or fraud that is immaterial to the F/S.
An audit is not designed to provide assurance on internal control or to identify significant deficiencies.
Audit is subject to inherent risks that errors and fraud will not be detected.
If we discover fraud then we report it to the audit committee.

Planning the Audit

The nature, extent and timing of planning procedures will vary based on the engagement (the NET we cast over the audit).
The auditor is required to obtain an understanding of the entity, its environment and internal controls.

Obtain knowledge about the client’s industry and business through:
• Audit guides, trade publications and public information
• Tour client facilities
• Review financial history of client
• Obtain understanding of client accounting
• Inquire of client personnel

Analytical Procedures used for:
• Planning the nature, extent, and timing of other audit procedures (required)
• Substantive tests to obtain evidential matter (optional)
• Overall review in the final stage of the audit (required)

Analytical procedures performed during planning
• Used to enhance the auditor’s understanding, and identify unusual transactions, events and amounts
• During planning, analytical procedures consist of a review of data aggregated at a high level, such as comparing financial statements to budgeted amounts
• Financial data is used through relevant nonfinancial data (number of employees, square footage)

The audit plan
• Must be written
• Specific audit procedures are documented
• Description of the nature, extent, and timing of:
  - Planned risk assessment procedures (assess risk of material misstatement) (required)
  - Planned further audit procedures
• Timing of audit procedures should be discussed with mgmt

Materiality

Known misstatements – specific misstatements identified during the audit
Likely misstatements – misstatements the auditor considers likely to exist due to differences between auditor and mgmt judgements or from audit evidence
Tolerable misstatements – maximum error in a specific population that the auditor is willing to accept

All misstatements must be communicated to mgmt.
Because the F/S are interrelated, the auditor should use the smallest level of misstatement that could be material to any one of the F/S.
The auditor must consider the effects, both individually and in aggregate, of the uncorrected misstatements (both known and likely).

Misstatements are more likely to be considered material if they:
• Affect trends in profitability
• Affect the entity’s compliance with loan covenants, contracts or regulatory provisions
• Increase mgmt’s compensation
• Affect significant F/S elements
• Can be objectively determined

The auditor should document:
• Planning levels of materiality and tolerable misstatement, the basis for those levels and any subsequent changes
• Known and likely misstatements that were corrected by mgmt
• A summary of uncorrected misstatements (known and likely), the auditor’s conclusions on whether those misstatements cause the F/S to be materially misstated, and the basis for the conclusion

Documentation of uncorrected misstatements should include:
• Separate identification of known and likely misstatements
• The aggregate effect on the F/S
• Relevant qualitative factors affecting materiality judgements

Audit Risk

Audit risk is the risk that the auditor may unknowingly fail to modify appropriately the opinion on F/S that are materially misstated (risk that the auditor will give the wrong opinion).

AR = RMM * DR
AR = (IR * CR) * DR

Audit risk (AR) should be low.
Risk of Material Misstatement (RMM) – assessed by auditor and is independent of F/S audit
Inherent risk (IR) – susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls (mistake in the client’s acctg system). Auditor assesses IR but can’t change it.
Control risk (CR) – risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a timely basis by the client’s internal controls (client’s internal control does not catch it)
Detection risk (DR) – risk that the auditor will not detect a misstatement that exists within a relevant assertion (auditor will miss the mistake). Detection risk is a function of the effectiveness of audit procedures. The auditor can change the detection risk.

RMM and DR have an inverse relationship. When risk of material misstatement is high, detection risk should be set low (so we have to do more work).
Substantive procedures are always required.
Direct relationship between RMM and assurance required from substantive procedures. The greater the risk (RMM), the more persuasive the evidence needed.

Audit risk and materiality must be considered at both the F/S level and the account balance (item) level:
• At the F/S level, the auditor should consider risks that have a pervasive effect on the F/S, potentially affecting many relevant assertions
• The account balance level (transaction & item level) is used to determine the nature, extent, and timing of audit procedures

Inverse relationship between audit risk and materiality.

Audit Procedures:
1. Risk assessment procedures
2. Test of controls – test of internal controls (CRIME)
3. Substantive procedures – tests $ balances

F/S Assertions (made by mgmt)

Transactions and events
C – Completeness
P – Proper period cutoff
A – Accuracy
C – Classification
O – Occurrence

Account balances
C – Completeness
A – Allocation and valuation
R – Rights and obligations
E – Existence

Presentation and disclosure
C – Completeness
U – Understandability and classification
R – Rights and obligations
V – Valuation and accuracy

After sufficient planning information has been gathered, an audit plan should be drafted.
A written audit plan is required for every audit.

When planning the audit, the auditor should consider the extent of involvement of the client’s internal auditors in the audit. Internal auditors are not independent; thus, the external auditor can’t share with the internal auditor any responsibility for audit decisions.
• Auditor must obtain an understanding of the internal audit function
• If the auditor uses the work of internal audit, competence and objectivity must be assessed
• The higher the level the internal auditors report to, the more objectivity can be assumed
• The auditor remains solely responsible for the report on the F/S. The internal auditor may not be utilized to make judgement calls

If a specialist is used, the auditor must evaluate the competence and objectivity of the specialist. Treat like one of your staff.

Fraud and Illegal Acts

Errors – unintentional
Fraud – intentional; 2 types
1. Fraudulent financial reporting (lying) – designed to deceive F/S users. Usually involves manipulation, misrepresentation, intentional misapplication of accounting principles
2. Misappropriation of assets (stealing) – theft of an entity’s assets

Fraud risk factors include:
• Incentives/pressures: a reason to commit fraud
• Opportunity: lack of effective controls
• Rationalization/attitude: an attempt to justify fraudulent behaviour

It’s mgmt’s responsibility to design and implement programs and controls to prevent and detect fraud.
The auditor has a responsibility to plan and perform (referred to as design) the audit to obtain reasonable assurance about whether the F/S are free from material misstatement, whether caused by error or fraud.
Mgmt override of controls is a major factor in fraud.
Inquire of all personnel regarding their views of fraud risk
- Inconsistent responses indicate a need for additional evidence
Consider the results of analytical procedures (required during the planning and final stage)

Attributes of risk:
• Type of risk: fraudulent F/S or misappropriation of assets
• Significance of risk: can it lead to a material misstatement
• Likelihood of the risk: how likely is this to happen
• Pervasiveness of the risk: does it affect the whole F/S or only specific accounts or transactions

2 Areas of greatest fraud concern:
1. Improper revenue recognition
2. Mgmt override of controls

Items are more susceptible to manipulation when they involve:
1. High degree of mgmt judgement and subjectivity
2. Highly complex accounting principles

The auditor is required to respond to the results of the risk assessment on three levels:
1. Overall, general response
   - assigning personnel to the engagement
   - determining the appropriate level of supervision of engagement personnel
   - evaluating mgmt’s selection and application of accounting principles
2. Response encompassing specific audit procedures
   - change nature
   - change extent
   - change timing
3. Response addressing risks related to mgmt override
   - examine journal entries and other adjustments
   - review accounting estimates for biases
   - evaluate the business purpose for significant unusual transactions

Significant fraud risk – may consider withdrawing from the engagement

Revenue recognition
- perform substantive analytical procedures relating to revenue
- confirm with customers contract terms and the absence of side agreements

Revenue recognition criteria
1. must have an arrangement (signed agreement)
2. must be a delivery
3. must be fixed or determinable price
4. collectability

Inventory quantities
- concern that there may be a failure to reconcile books to physical inventory

Mgmt estimates
- engage a specialist
- develop an independent estimate
- perform a retrospective review of prior period estimates (how good were last yr’s estimates)

Misstatements caused by fraud (even immaterial misstatements) may be indicative of an underlying problem with mgmt integrity. The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness of controls, and the appropriateness of audit procedures applied.

Inform the audit committee of any fraud.

Parties outside the entity that we may communicate with in certain circumstances:
- to comply with certain legal and regulatory requirements
- to a successor auditor
- in response to a subpoena
- to a funding agency

Complete documentation of the auditor’s risk assessment and response is required.
If the auditor has not identified improper revenue recognition as fraud risk, support for this conclusion

Illegal acts – violation of law
The auditor’s responsibility to detect illegal acts is the same as for fraud and errors.
The auditor has no obligation to look for illegal acts having an indirect effect on the F/S.
The auditor generally does not include procedures to specifically detect illegal acts.

Effect of illegal acts on the auditor’s report
Departure from GAAP – “except for” or adverse
Insufficient evidence – “except for” or disclaimer
Client refuses to modify report – withdraw

Risk Assessment
TIP PIE ACDO (fieldwork)

Audit Steps IMACPA
I – Internal control, understand
M – Material misstatement, assess
A – Assess risk control
C – Control testing
P – Perform substantive testing
A – Audit evidence, evaluate appropriateness and sufficiency

I – Internal control – obtain an understanding of the entity and its environment

Risk assessment procedures
• Inquiries
• Analytical procedures (required for planning and final stages)
• Observation and inspection
• Discussion among audit team
• Other procedures
• The auditor may choose to perform substantive procedures or tests of controls, if it’s efficient to do so

Factors to understand
• Industry, regulatory, and other external factors
• Nature of the entity
• Objectives, strategies and business risks
  - Business risks – events or circumstances that could adversely affect the firm (i.e. competition)
• Financial performance
• Internal controls and accounting policies

M – Material misstatement, assessing the risks

Factors that may be indicative of significant risks
• Unusual, complex transactions
• Business risks
• Fraud risk
• Significant related party transactions
• Highly subjective accounting estimates and principles

Response to significant risks
• Evaluate the design of the entity’s related controls
• Determine whether the controls have been implemented
• Evaluate whether and how mgmt responds to such risks

Test of controls – test strengths to be relied upon, not weaknesses
Controls that are more directly related to an assertion are more effective in preventing, detecting and correcting a misstatement in that assertion than controls which only relate indirectly to an assertion.

Documentation requirements
• Discussion among the audit team
• Key elements of the understanding of the entity and its environment
• The assessment of the risks of material misstatement
• The identified risks and related controls evaluated by the auditor

Document
1. control factors that were used/helped to plan the audit engagement
2. control factors that helped ensure mgmt rules and directives were followed

Forms of documentation may include any item the auditor can FIND
F – Flowchart
I – Internal control questionnaire or checklists
N – Narrative
D – Decision table

Flowcharts – symbolic diagram representing the sequential flow of authority, processes and documents. Depicts the auditor’s understanding of the system
• An adequate flowchart shows the origin of each document in the system, its subsequent processing, and its final disposition
• IT flowcharts are initially created to document the logic and existing flow of a computer program

Internal control questionnaires – used for each item of mgmt assertions
Narratives – a narrative is a written version of a flowchart (hard to “see” weaknesses)
Decision tables or trees – graphic illustrations that depict the logic of an operation or a process
A flowchart is sequential while a decision table/tree is logical

Internal Control
TIP PIE ACDO

Entity objectives
1. Reliability of financial reporting (most relevant to the audit)
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations

Controls that pertain to the first objective (reliability of financial reporting) are the most relevant to the audit, and these are the controls that the auditor must consider and understand.
Five components of internal controls – CRIME
C – Control environment: overall tone of the organization
R – Risk assessment: mgmt’s identification of risk
I – Information and communication systems
M – Monitoring: assessment of internal controls over time
E – Existing control activities: control policies and procedures

It’s a CRIME not to have strong internal controls.
Control testing = internal controls (CRIME)
Substantive testing = $ balances

The auditor should obtain an understanding of CRIME as it pertains to financial reporting:
1. evaluate the design of relevant controls and determine whether they have been implemented
2. assess the risk of material misstatement
3. design the nature, extent and timing of further audit procedures (CPA tests internal controls in order to adequately plan the NET audit)

Limitations of internal controls
• Human error
• Collusion
• Mgmt override
• Segregation of duties may be difficult to achieve in a smaller entity

IT system may make it impossible to reduce detection risk through substantive testing alone (must do control testing as well)

IT benefits:
• Ability to process large volumes of transactions accurately
• Improved timeliness and availability of information
• Facilitation of data analysis and performance monitoring
• Reduction in the risk that controls will be circumvented
• Enhanced segregation of duties through effective security controls

IT Risks:
• Potential reliance on inaccurate systems
• Unauthorized access to data
• Unauthorized changes to data, systems and programs
• Failure to make required changes and updates to systems or programs

Auditor should document use of programs and perform tests more often during the yr.

Organizational structure of the IT department
C – Control group – responsible for internal control within IT dept.
O – Program Operators – input data
P – Programmers – write and develop computer programs
A – System Analysts – design the overall program, while programmers do the detailed work
L – Librarian – maintains the storage of the data

Anyone doing more than 1 job or supervising another area is a weakness.

CRIME

C – Control Environment – has a pervasive effect on the auditor’s assessment of risk, and preliminary judgements about its effectiveness may influence the NET of further audit procedures to be performed
• Sets the tone of an organization, influencing the control consciousness of its people
• Communication and enforcement of integrity and ethical values
• Mgmt’s philosophy and operating style
• Organizational structure
• Assignment of authority, responsibility and accountability
• Human resource policies and practices

R – Risk assessment
• CPA should obtain understanding and knowledge

I – Information and communication
• CPA should obtain understanding and knowledge
• Accounting process (automated and manual), from initiation of a transaction to F/S
• Accounting records (electronic and manual), supporting information and specific accounts involved in initiating, authorizing, recording, processing and reporting transactions
• The financial reporting process, including the development of significant accounting estimates and the inclusion of appropriate disclosure

M – Monitoring
• CPA should obtain understanding and knowledge
• Process that assesses the quality of internal control performance over time
• Establishing and maintaining internal control is a responsibility of mgmt

E – Existing control activities
Control activities in a strong internal control system have PAID TIPS
P – Prenumbering of documents
A – Authorization of transactions
I – Independent checks to maintain asset accountability
D – Documentation
T – Timely and appropriate performance reviews
I – Information processing controls – ensure that transactions are valid, authorized, and accurate
  - Application controls – controls for processing of individual transactions
  - General controls – apply to information processing throughout the company
P – Physical controls for safeguarding assets – simply security
S – Segregation of duties – client should separate (ARC):
  - Authorization
  - Recordkeeping
  - Custody of related assets

The internal control environment should be detected in the ordinary course of business by an employee, not
- Collusion
- Mgmt overrides

For internal controls the auditor should
• Obtain the necessary understanding of the user organization’s internal control to plan the audit
• Assess the control risk at the user organization, and
• Perform substantive procedures

Report on controls placed in operation – may aid the auditor in obtaining an understanding of controls; however, it is provided when tests of operating effectiveness were not performed, and therefore it does not provide the user with a basis for reducing the assessment of control risk

Responding to Assessed Risks
IMACPA

Audit approach – the auditor’s specific approach to identified risks at the relevant assertion level may consist of either a substantive or combined approach

Use substantive approach when:
• Controls are not strong for an assertion
• Not cost/benefit to test the effectiveness of the controls

Combined approach – both control testing and substantive procedures are used. If controls are operating effectively, less assurance will be required from substantive procedures.
Test of controls may be required in highly electronic environments; substantive procedures alone may not be sufficient.

Audit approach

Status of internal control | Risk level | Perform control tests           | Perform substantive tests
None or weak               | high       | No (because nothing to rely on) | yes-maximum
Some                       | medium     | Yes                             |
Strong                     | low        | Yes                             | minimal (but never eliminate for material balances, transaction classes, or disclosures)

Test of Controls – IMACPA

Tests of controls are performed when the auditor’s risk assessment is based on the assumption that controls are operating effectively, or when substantive procedures alone are insufficient (test control strengths, not weaknesses).
Obtaining an understanding of internal controls includes evaluating the design of controls and determining whether they have been implemented.
Only controls that are suitably designed to prevent or detect material misstatements are subject to tests of operating effectiveness.
Inspect client records documenting use and changes to IT programs.

Nature of tests of controls
• Tests of operating effectiveness of controls include: inquiries, inspection, observation, and reperformance
• As the planned level of assurance (about operating effectiveness) increases, the auditor should obtain more reliable or more extensive audit evidence

Evidence hierarchy:
1. Personal observation and knowledge
2. External evidence
3. Internal evidence
4. Oral evidence

Timing of tests of controls
• When tests of controls are performed at one particular time, they provide evidence that controls operated effectively only at that time. Controls tested throughout the period provide evidence of operating effectiveness during that period
• Controls that are tested only during an interim period should be supplemented by additional evidence for the remaining period (roll forward)
• If controls have changed since they were last tested, operating effectiveness must be retested in the current period
• Even if controls have not changed, operating effectiveness must be tested at least once every third year

Perform substantive testing – IMACPA
• Used to detect material misstatements at the relevant assertion level
• Substantive procedures should be designed to be responsive to assessed risks; however, regardless of the assessed risk, substantive procedures are required for each material transaction class or account balance

2 types of substantive procedures
1. Test of details – applied to transaction classes, account balances and disclosures. $ balances, ratios
2. Substantive analytical procedures – used for large volume predictable transactions

Directional testing
To test existence or occurrence assertion – top down, start from F/S. Look for support = vouching
Test existence for overstatement of assets and revenues
To test completeness assertion – bottom up, start from item, look to see it’s included/covered in F/S = tracing
Test completeness for understatement of liabilities and expenses

If substantive procedures are performed at an interim date, the auditor should perform further substantive procedures (maybe with test of controls) to provide a reasonable basis for extending audit conclusions to period end.
If risk of material misstatement is low, performing substantive procedures at interim increases the risk that the auditor will not detect material misstatements in the F/S.
In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform substantive procedures at or near period end.
Audit evidence, evaluate appropriateness and sufficiency – IMACPA
• Audit evidence obtained may cause the auditor to modify his or her initial risk assessment
• The auditor should not assume that an identified instance of fraud or error is an isolated occurrence
• When there is a change in the assessed level of risk, the auditor should modify planned procedures accordingly
• The auditor uses judgement to evaluate the sufficiency and appropriateness of audit evidence