101 MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 4 Summary of New Audit Documentation Requirements LEARNING OBJECTIVES After reading this chapter, the reader should: Understand the audit documentation requirements of the AICPA’s Statement on Auditing Standards No. 103, Audit Documentation (SAS 103). Understand the relationships between SAS 103 and other auditing standards. Be able to apply these requirements in practical auditing situations. INTRODUCTION The auditing profession has seen significant changes recently in the requirements for both audit performance and audit documentation. Statement on Auditing Standards No. 103, Audit Documentation (SAS 103) (AU section 339), issued by the AICPA in March of 2006 deals with documentation requirements for audits in general. But many other Standards contain specific documentation requirements. Some of these mark departures from previous practice. The purpose of this chapter is to revisit the overall documentation requirements of SAS 103, and to summarize into a single place the specific documentation requirements of the other Standards. While SAS 103 makes sweeping changes to existing practice and adds significantly to documentation requirements for audit engagements, it emphasizes that professional judgment is integral in determining quantity, type, and content of audit documentation.. As part of the AICPA’s “Clarity Project,” SAS 103 has been re-drafted into a new and more digestible format. The exposure draft of this re-draft can be viewed at the AICPA’s website, www.aicpa.org/download/auditstd/ED_Audit_Documentation.pdf. This exposure draft is primarily a matter of form and in does not significantly affect the substance of this Standard. Top_Aud_09_book.indb 101 9/30/2008 8:18:31 AM 102 TOP AUDITING ISSUES FOR 2009 CPE COURSE UNCONDITIONAL AND PRESUMPTIVELY MANDATORY REQUIREMENTS The requirements of SAS 103 are listed below, to assist readers in focusing on their application in practice. For clarity and purposes of analysis, this Course singles out its unconditional requirements, and summarizes its presumptively mandatory requirements into various captions. Unconditional Requirements SAS 103 has three unconditional requirements. These are identified in the Standards by the word “must,” and are required to be performed in all circumstances where they are applicable. These requirements are quite straightforward in their essence. Many of the implementation difficulties that have manifested themselves since the effective date stem from lack of basic understanding of these requirements. SAS 103 states that auditors must: 1. Prepare audit documentation for each audit engagement, in sufficient detail to provide a clear understanding of the work performed, including: a. The nature, timing, extent and results of the procedures performed. b. The evidence obtained and its source. c. The conclusions reached. 2. Not delete or discard audit documentation after the documentation completion date until after the end of the document retention period. 3. Document in the workpapers justification for departures from presumptively mandatory requirements, and how the alternative procedures performed were sufficient to achieve the objectives of the presumptively mandatory requirements. Presumptively Mandatory Requirements These requirements are identified in the Standards by the words “should” or “should consider.” They are required to be performed in all applicable circumstances unless the auditor can justify in the audit documentation a reason for not doing so, and demonstrate how other audit procedures have met their objectives. Some of these are interrelated requirements in which one requirement contains sub-requirements. SAS 103 states that auditors should: 1. When transferring or copying paper documentation to another media, apply procedures to generate a copy that is faithful in form and content to the original paper document. 2. Include abstracts or copies of the entity’s records in the audit documentation when they are necessary to understand the work performed and conclusions reached. Top_Aud_09_book.indb 102 9/30/2008 8:18:31 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 3. 103 Prepare audit documentation that enables an experienced auditor with no previous connection to the audit to understand: a. The nature, timing and extent of auditing procedures performed. b. The results of the procedures performed and the audit evidence obtained. c. The conclusions reached on significant matters. d. That the accounting records agree with or reconcile to the audited financial statements or other audited information. 4. Consider the following factors in determining the form, content and extent of audit documentation: a. The nature of auditing procedures to be performed. b. The risk of material misstatement associated with the assertion, account balance or transaction class, or disclosure. c. The extent of judgment involved in performing the work and evaluating the results. d. The significance of evidence obtained to the assertion being tested. e. The nature and extent of exceptions identified. f. The need to document a conclusion, or the basis for a conclusion, that is not readily determinable from the documentation of the work performed or the evidence obtained. 5. Include documentation of matters specific to a particular audit engagement in the audit file for that specific engagement. 6. Document significant findings or issues, the actions taken to address them, including any additional evidence obtained, and the basis for the conclusions reached. 7. Document discussions of significant issues or findings with management on a timely basis, including: a. When the discussions took place. b. With whom the discussions were held. c. The responses. 8. Document how inconsistent or contradictory information identified during the audit was addressed in forming final conclusions. 9. Record the identity of the persons performing and reviewing the audit work, and the dates performed and reviewed. 10. Include identifying characteristics of specific items tested. 11. Not date the auditor’s report earlier than the date on which the auditor has obtained sufficient appropriate evidence to support the opinion. Top_Aud_09_book.indb 103 9/30/2008 8:18:31 AM 104 TOP AUDITING ISSUES FOR 2009 CPE COURSE 12. Follow the guidance of SAS 46, Consideration of Omitted Procedures After the Report Date, when the auditor concludes that procedures considered necessary in the circumstances were omitted, and prepare additional documentation in accordance with SAS 103. 13. Follow the guidance of SAS 1, Codification of Auditing Standards and Procedures, “Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report” when information relating to financial information previously reported on was not known at the date of the report. 14. In circumstances described in items 12 and 13 above, or in other circumstance where it is necessary to make an addition to the audit documentation after the documentation completion date, make changes necessary to reflect the performance of a new audit procedure or a new conclusion reached, including: a. When and by whom the changes were made and reviewed. b. The reasons for the change. c. The effect of the change on the auditor’s conclusions. 15. Complete the assembly of the audit file within 60 days following the report release date. 16. Record the report release date in the audit documentation. 17. Adopt reasonable procedures to retain and access audit documentation for a period not shorter than five years from the report release date, or longer if required by legal or regulatory requirements or firm policy. 18. Adopt reasonable procedures to maintain the confidentiality of client information. 19. Apply appropriate and reasonable controls for audit documentation to: a. b. c. d. Clearly determine when it was created, changed or reviewed. Protect the integrity of the information at all stages of the audit. Prevent unauthorized changes. Allow access by the audit team and other authorized parties to properly discharge their responsibilities. PURPOSES OF AUDIT DOCUMENTATION Audit documentation is the principal support for the two key representations in the auditor’s report: that the engagement was performed in accordance with generally accepted auditing standards (GAAS), and the opinion (or disclaimer of opinion) on the financial information. Audit documentation Top_Aud_09_book.indb 104 9/30/2008 8:18:31 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 105 must be prepared for each engagement and must be detailed enough to provide a clear understanding of the work performed, including: The nature, timing, extent and results of the procedures performed The evidence obtained and its source The conclusions reached The Statement draws an important relationship between audit documentation and audit quality. Audit documentation is an essential element of audit quality. It does not by itself guarantee audit quality, but the process of creating sufficient appropriate documentation contributes to audit quality. Insufficient or inappropriate documentation, on the other hand, always indicates poor audit quality. Audit documentation also serves other purposes, including: Assisting the audit team in planning and performing the engagement Assisting new audit team members in understanding the current engagement by reviewing the documentation from the previous year Assisting supervisors in directing and reviewing the audit work Demonstrating accountability of the audit team for the procedures it has performed, the audit evidence examined, and the conclusions reached Recording matters of continuing significance to future audits Enabling quality control reviewers, such as internal inspectors or peer reviewers, to understand how the engagement team reached significant conclusions and whether there is sufficient support for those conclusions Assisting a successor auditor who reviews the predecessor auditor’s audit documentation STUDY QUESTION 1. Which of the following statements best describes the primary purpose of audit documentation? a. It assists supervisors in directing and reviewing the audit work along with assisting external inspectors and peer reviewers. b. It enables quality control reviewers to understand how the engagement team reached significant conclusions. c. It is the principal support for the representation in the auditor’s report that the engagement was performed in accordance with GAAS, and for the opinion (or disclaimer of opinion) on the financial information. d. Although it does not provide a guarantee of audit quality, it is a major factor contributing to a high level of audit quality. Top_Aud_09_book.indb 105 9/30/2008 8:18:31 AM 106 TOP AUDITING ISSUES FOR 2009 CPE COURSE FORM, CONTENT, AND EXTENT OF AUDIT DOCUMENTATION SAS 103 made significant changes to existing documentation requirements. One of the most important of these changes is that the auditor’s workpapers (now referred to as “audit documentation”) are required to enable an “experienced auditor” with no previous connection to the audit to understand, without additional oral explanation: The nature, timing, extent and results of the audit procedures The audit evidence obtained Conclusions on significant matters Conclusions that may not otherwise be readily obvious related to risks of material misstatement That the financial statements agree to or reconcile with the accounting records For purposes of this Statement, an “experienced auditor” is defined as a person who understands the auditing and accounting issues relevant to the client’s industry and who would have been capable of performing the audit. That person must understand audit processes, the SASs and applicable legal and regulatory requirements, the entity’s business environment, and the auditing and reporting issues applicable to the entity’s industry. Audit documentation may be recorded on paper, electronic media, or by other means. When transferring paper documents to another medium, care must be taken to produce a copy that is faithful to the original in both form and content. Auditors should also be aware of possible legal, regulatory, or other reasons for retaining original paper documents. The Statement allows considerable judgment as to the exact content of audit documentation. It specifically lists the following items as examples of materials that make up audit documentation: Audit programs Analyses Issues memoranda Summaries of significant findings or issues Letters of confirmation Representation letters Checklists Abstracts or copies of important documents, such as contracts or agreements, if they are necessary to enable an experienced auditor to understand the work performed and the conclusions reached Correspondence, including e-mail, concerning significant findings or issues Schedules of work the auditor performed Top_Aud_09_book.indb 106 9/30/2008 8:18:31 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 107 The documentation for a specific engagement is assembled in an audit file. This documentation may contain cross-references to audit documentation for related entities. Other matters, such as auditor independence or staff training may be documented either within the audit file for each engagement or centrally within the firm. EXAMPLE Documentation of an audit of a subsidiary company may contain references to tests of intercompany balances or transactions contained in the audit documentation of the parent company. Documentation of an audit of an employee benefit plan may crossreference dual purpose payroll-related tests that are documented within the plan sponsor’s audit file. It is not necessary to duplicate this documentation in both files. Many firms require periodic independence representations for their professional staff, which are filed centrally within the firm. It is a good practice to cross reference these files within the engagement audit file, to assure that the independence of each audit team member is documented. OBSERVATION Cross-referencing is an efficient documentation technique because it eliminates the need for duplicate documentation, thus saving both time and file storage space. Standardized documentation indexing systems greatly enhance this efficiency. OBSERVATION This Statement also makes it clear that oral explanations, on their own, do not constitute sufficient support for the audit work or for its conclusions. They may, however, be used to clarify or explain information contained in the audit documentation. The accounting profession has moved to the point where there is a presumption that if something is not documented, it was not done. Some state laws include a “rebuttable presumption” to this effect, and the AICPA practice monitoring programs take a similar position. An occasional oral explanation can interpret a comment or test but if there is nothing present in the files to be interpreted, then it will be difficult to defend the contention that it took place. Top_Aud_09_book.indb 107 9/30/2008 8:18:32 AM 108 TOP AUDITING ISSUES FOR 2009 CPE COURSE OBSERVATION Some practitioners have asked if they need to record every thought they had during the audit, and retain a copy of every document they looked at. The answer to this is “no.” SAS 103 acknowledges that it is neither necessary nor practicable to document every matter considered during an audit. Copies of an entity’s records, for example, need only be retained if they are needed to enable an “experienced auditor” to understand the work performed and the resulting conclusions. Similarly, information that is incorrect or superseded need not be retained. Auditors should be guided by the following factors in considering the form, content, and extent of audit documentation: The nature of the auditing procedures to be performed The risk of material misstatement at the assertion, account balance, or transaction level, including disclosures The extent of judgment necessary in performing and evaluating the audit work The significance of the audit evidence gathered to the assertion tested The nature and extent of exceptions noted The need to document a conclusion that may not be readily obvious from the documentation of the audit work or the evidence obtained Significant Findings or Issues As a matter of good practice, auditors have long documented significant matters considered in the audit. SAS 103 sets forth specific definitions and requirements in this area. “Significant findings or issues” refer to audit findings or issues that are significant in the auditor’s judgment, the actions taken to address them, including additional evidence gathered, and the resulting conclusions. Those matters include: Significant matters related to the appropriate selection, application, or consistency of accounting principles, including related disclosures, such as: Accounting for complex or unusual transactions Estimates, uncertainties, and related management assumptions Results of audit procedures that indicate material misstatements or the need to revise a previous assessment of the risk of material misstatement and the response to those risks Circumstances causing significant difficulty in applying necessary audit procedures, such as: Lack of responsiveness to confirmation or information requests Absence of original documentation Findings that could result in a modified report Top_Aud_09_book.indb 108 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 109 Audit adjustments, whether or not recorded, that could either individually or in the aggregate have a material effect on the entity’s financial information Discussion of significant findings and issues should be documented and should include: The significant findings or issues discussed When the discussion took place Persons with whom the matters were discussed, such as: Those charged with governance Those responsible for oversight of financial reporting Internal auditors External parties such as those providing professional services to the entity The responses to these discussions When information obtained during the audit is inconsistent with or contradictory to the final conclusions on significant findings or issues, audit documentation should record how the matter was resolved. This may include procedures performed in response to the information and consultations on or resolutions of differences of professional judgment within the engagement team or between the engagement team and others consulted. The Statement is clear, however, that information that is incorrect or superseded need not be retained in the audit documentation, unless the document completion date has passed. Preparer and Reviewer Audit documentation should show who performed the audit work, the date it was completed, and who reviewed specific audit documentation and the date of that review. This does not mean that each specific working paper must include evidence of review. Rather, the audit documentation should make clear who reviewed specific elements of the audit work and when. OBSERVATION Preparer and reviewer documentation is an important subject for firm quality control policies and procedures, because of the degree of judgment that the Statement allows. For example, when a client provides a 250 page detailed inventory list, and an auditor tests one item on each page, it would likely be inefficient to initial and date every page. Firm policy should specify, rather, that the preparer should initial and date either the first or the last page, as evidence of having performed all the procedures recorded on the document. This should be written into the firm’s quality control policies and procedures for audit engagement performance and should be communicated to staff. Top_Aud_09_book.indb 109 9/30/2008 8:18:32 AM 110 TOP AUDITING ISSUES FOR 2009 CPE COURSE Specific Items Tested The requirements for documenting specific items tested expand upon the previously existing guidance of SAS 96. When documents are inspected as part of the testing of controls or as substantive tests of details, identifying characteristics of those documents must be recorded in a way such that another auditor could identify the same set of documents. EXAMPLE Examples of acceptable document identifiers are: Unique item numbers, such as purchase order or check numbers All items over a specified amount from a specific source, such as the cash disbursements journal For inquiry procedures, the dates of the inquiries, the names and job descriptions of persons involved, and the nature of the inquiry For observation procedures, the process or subject of the observation, persons involved and their responsibilities, and when and where the observation was made For systematic samples, the population of documents, starting point, and interval, such as “ every 10th item starting with the 5th, from the May cash disbursements journal” Departures from Statements on Auditing Standards In rare cases, an auditor may need to depart from presumptively mandatory requirements (but not unconditional requirements) of the SASs. In these cases, the audit documentation must contain the justification for the departure, and how the alternative procedures performed were adequate under the circumstances to achieve the objectives of the presumptively mandatory requirement. STUDY QUESTIONS 2. SAS 103 specifically lists as items that may ordinarily be contained in audit documentation all of the following except: a. Audit programs b. Summaries of significant findings or issues c. Complete copies of all contracts or agreements inspected as part of the audit work d. Representation letters 3. The documentation in an audit file for a specific engagement may contain cross-references to audit documentation for related entities. True or False? Top_Aud_09_book.indb 110 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 111 4. Oral explanations, on their own: a. May not be used to clarify or explain information contained in the audit documentation b. Do not constitute sufficient support for the audit work or for its conclusions c. Are not admissible in any circumstances d. Are sufficient support for the audit work or for its conclusions 5. Which of the following constitutes an acceptable document identifier for the specific items tested? a. For observation procedures, the process or subject of the observation, and when the observation took place. b. For inquiry procedures, the names of persons inquired of c. For systematic samples, the population of documents and interval, such as “every 10th item from the December 31st accounts receivable aging” d. Unique item numbers, such as purchase order or check numbers REPORT AND DOCUMENTATION DATING AND RETENTION SAS 103 creates four key dates or periods that are significant changes to previous practice. Report Date Under SAS 103, the report date cannot be before the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. Sufficient appropriate evidence includes evidence that the audit documentation has been reviewed, that the financial statements and disclosures have been prepared, and that management has accepted responsibility for them. This is a significant departure from the previous report dating requirement, which was the “last date of field work.” This latter date was subject to highly judgmental determination by audit firms. OBSERVATION When confirmations are needed to support a material balance or transaction, and alternative procedures are not possible or economical, auditors should make additional efforts to send them out early in the audit process, and to follow up on them in a timely manner, in order to avoid a delay in dating the report. The report date is also significant for two other reasons: It is the start of the documentation retention period. The management representation letter should be dated the same as the report date. Top_Aud_09_book.indb 111 9/30/2008 8:18:32 AM 112 TOP AUDITING ISSUES FOR 2009 CPE COURSE Report Release Date SAS 103 defines the “report release date,” as the date that the auditor grants permission for the audit report to be used in connection with the financial statements. Usually this date will be shortly after the report date. Significant delays in releasing the report may necessitate additional subsequent events procedures. The report release date must be documented. It is significant because it starts the clock ticking on the next important date, the “documentation completion date.” Documentation Completion Date The “documentation completion date” may be no later than sixty days after the report release date. At that time, the audit documentation files must be completed. No audit documentation should be deleted or discarded after that time. Users should not confuse this date with a similar date in the PCAOB standards, which gives only forty-five days after report issuance. Documentation Retention Period The records retention period is specified to be not less than five years from the report date, unless laws, regulations or the firm’s quality control policies require a longer period. STUDY QUESTIONS 6. Which of the following statements applies to the documentation completion date under SAS 103? a. The documentation retention period runs for five years after the report release date. b. The documentation completion date may be no later than 45 days after the report release date. c. The documentation completion date may be no later than 60 days after the report release date. d. The documentation completion date is the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. 7. SAS 103 defines the report release date as: a. Forty five days prior to the documentation completion date. b. The last date of audit field work. c. The date that the auditor grants permission for the audit report to be used in connection with the financial statements. d. The date on which the auditor obtained sufficient appropriate audit evidence to support the opinion. Top_Aud_09_book.indb 112 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 113 8. Which of the following statements applies to the documentation retention period under SAS 103? a. The documentation retention period runs for seven years after the report date. b. The documentation retention period may run for more than five years after the report date, if required by statute or regulation. c. The documentation retention period runs for seven years after the balance sheet or period end date. d. The documentation retention period runs for five years after the report date. REVISIONS TO AUDIT DOCUMENTATION AFTER THE REPORT DATE After the report date, the auditor is allowed to make changes to the audit documentation only to: Complete the documentation and assembly of evidence that has been obtained prior to the report date Add information, such as an original of a document that was previously faxed, that was received after the report date Perform routine file assembly work, such as: Discarding superseded documentation Sorting and collating Cross-referencing final workpapers Sign-off on file completion checklists After the report date, but before the document completion date, updated or revised audit documentation may be added. However it must contain all the information, evidence, and conclusions that were in the original or superseded documents. If, the information, evidence or conclusion is no longer relevant, it need not be retained. Any additions after the report date should show when and by whom the change was made and reviewed, the reason for the change, and its effect, if any, on the auditor’s conclusions. After the documentation completion date, audit documentation must not be deleted or discarded prior to the end of the documentation retention period. If the auditor becomes aware that procedures performed or evidence obtained under the circumstances then existing at the report date were not adequate to support the auditor’s report, the requirements of SAS No. 46, Consideration of Omitted Procedures After the Report Date, (AU section 390) should be followed and documentation prepared in accordance with the requirements of this Statement. Similarly, if the auditor Top_Aud_09_book.indb 113 9/30/2008 8:18:32 AM 114 TOP AUDITING ISSUES FOR 2009 CPE COURSE subsequently becomes aware of information that was unknown to him or her at the report date, the provisions of SAS No. 1, Codification of Auditing Standards and Procedures, “Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report,” (AU section 561) should be followed. OBSERVATION AU sections 390 and 561 contain important performance and documentation requirements. Those requirements are summarized below, although auditors who encounter situations involving omitted procedures or subsequent discovery of facts should study these sections in their entirety. While these two sections treat distinct circumstances, their applications may become interrelated. For example, additional auditing procedures applied after the report date may lead to the discovery of facts that existed at that date. Similarly, a subsequent discovery of facts that existed at the report date may cause an auditor to consider whether necessary procedures were omitted. An auditor who becomes aware that audit procedures have been omitted should: Assess the significance of those procedures and consider whether to apply additional procedures. When the omitted procedures are considered significant, they should be performed if possible. Determine a proper course of action when significant procedures or adequate alternative procedures cannot be applied. If this is not possible, the auditor should consult an attorney and discuss whether it is appropriate to notify persons who are known or likely to rely on the statements or regulatory authorities. Auditors are not required to continue auditing after the report date. However, facts that existed at the report date but that were unknown at that time may subsequently come to light. In this case, the auditor should: Determine the relevance of the discovered facts to the financial statements. Take appropriate measures if the facts are relevant. Notify the board of directors if the client does not cooperate with the auditor’s conclusions and proposed remedies. If the client continues to refuse to cooperate, consult an attorney and communicate the problem to appropriate parties. Top_Aud_09_book.indb 114 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 115 STUDY QUESTION 9. After the report date but before the document completion date, the auditor: a. May delete incorrect or superseded information from the audit documentation b. May make changes to the audit documentation without the need to document the reason for the change c. May not add information to the audit documentation. d. May not sign off on file completion checklists PERMANENT FILE DOCUMENTATION SAS 103’s requirements for document retention and the requirement not to remove anything from the audit documentation after the documentation completion date raise interesting questions about “permanent file” documentation. Under pre-SAS 103 practice, auditors customarily assembled certain types of audit documentation into “permanent files” when they expected it to be useful in future audits, and not to change much from year to year. Examples of the kinds of documentation kept in permanent files might include: Articles of incorporation and bylaws. Internal control questionnaires, flowcharts or memoranda. Long-term notes payable. Long-term contracts, such as lease agreements. Pension plan or other employee benefit plan documents. Organization charts. Personnel manuals. Documents like these were often “rolled forward” from one year to the next in a permanent file with little or no change, and then discarded when they were no longer applicable or useful, or when they became superseded by other information. This practice has several problems under new SASs. The most obvious of these is that if a document that was necessary to support a previously issued opinion becomes obsolete—for example, if a lease agreement expires—it can no longer simply be removed from the “perm file” and discarded, as long as the document retention period for that audit is still open. A more subtle issue has to do with “perm file” documents such as internal control documentation that ordinarily might be expected to change only incrementally from one year to the next. It is important to preserve the original content of any audit documentation for the duration of the document retention period. This means that, for example, when a checkbox on an internal control questionnaire changes from “yes” last year to “no” this year, it is unacceptable Top_Aud_09_book.indb 115 9/30/2008 8:18:32 AM 116 TOP AUDITING ISSUES FOR 2009 CPE COURSE to erase the old “yes” answer and insert the new “no” answer. The old questionnaire has to be retained because it is still necessary to support the old audit. Some auditors address this issue by using a system of color codes, in which all changes to a document in a particular year are noted in a unique color, but none of the previously recorded information is obliterated. Some practitioners have gone as far as to suggest that there can no longer be “perm files” under the new standards. Under this theory, all documentation necessary for each individual audit must be contained within that year’s audit file. An auditor certainly would not go wrong following this approach. However, that auditor might end up with voluminous documentation files that in themselves presented some significant efficiency and documentation management challenges. One alternative to this approach might be to divide permanent files into “active” and “superseded” sections. Each item in the “perm file” can be indexed in the appropriate audit’s workpapers, and the transfer of items from the active to the superseded section documented on a master permanent file indexing form. An example of a form that can be used for this purpose appears below, as Illustration 4-1. Illustration 4-1: SAS 103 Permanent File Index PERMANENT FILE INDEX CLIENT: National Distribution Corp This form is to be used in the post-SAS 103 environment, to document the movement and disposition of documents into and out of the “active permanent file.” Such documents are those that would be expected to be useful over more than one audit period, such as articles of incorporation, lease agreements, accounting and personnel manuals and the like. Effective with the implementation of SAS 103, (y/e 12/31/06 and after) it is the firm’s policy to maintain two sets of permanent files, as applicable, for each audit engagement. The first is the “active permanent file,” which accumulates documents that have ongoing relevance to the current year’s audit. The second is the “superseded permanent file,” which archives for document retention purposes, the documents that are no longer necessary for the current audit, but which must be maintained for the 5 year document retention period to support previous audits. Pre-SAS 103 documents will be designated as such by a checkmark in the “Pre-SAS 103” column. For documents entered into the active permanent file post SAS 103 implementation, the date entered and initials of the person entering the document will be noted in the “date entered/entered by” column. When a document is transferred from the active to the superseded permanent file, the date of transfer and initials of person making the transfer will be noted in the “date trf’d/Trf’d by” column. Top_Aud_09_book.indb 116 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 117 A copy of this index will be maintained in both the active and superseded permanent files. P/F- Title 1 2 3 4 4.1 4.2 5 Articles of Incorporation By-Laws Employee handbook, rev 10/1/05 Lease agreements: First Street property-3yrs ending 12/07 First Street property-3 yrs ending 12/10 Bonus plan-eff 1/1/08 Pre-SAS 103 Post-SAS 103 Date Entered/ Date Trf’d/ Entered By Trf’d By X X X X 1/7/08-pmh 1/7/08-pmh 1/8/08-pmh In this illustration, National Distribution Corporation’s articles of incorporation, by-laws, and employee handbook have been in the permanent file since before the effective date of SAS 103 and are unchanged for the current period. The lease agreement on the First Street property for the 3 years ending 12/07 was inserted in the active file before the effective date of SAS 103, and has been superseded in the current audit period by a new lease expiring in 12/10. The index form shows that on 1/7/08 the auditor, “pmh” transferred the expired lease to the superseded file and inserted the new lease into the active file. Also, on 1/8/08, “pmh” inserted a new bonus plan into the active file. One of the keys to making this system work is never to re-use a permanent file index number. For example, the expired lease agreement, which is indexed as “P/F-4.1” retains that index number when it is transferred from the active to the superseded file. This way, the workpaper indexing in the documentation for the audits that it pertains to will still lead a reader of that documentation to the appropriate location in the superseded perm file. OWNERSHIP AND CONFIDENTIALITY OF AUDIT DOCUMENTATION Audit documentation is the auditor’s property. At the auditor’s discretion, copies of the audit documentation may be made available to the entity, as long as doing so does not undermine independence, such as by becoming a part of the client’s accounting records, or the validity of the audit process, such as by an unwarranted disclosure of audit scope or methodology. Top_Aud_09_book.indb 117 9/30/2008 8:18:32 AM 118 TOP AUDITING ISSUES FOR 2009 CPE COURSE Reasonable procedures should be in place to safeguard, retain, and access audit documentation for a period of time sufficient to meet the needs of the auditor’s practice and to satisfy legal or regulatory document retention requirements. In no case should this period be less than five years from the report release date. Firms’ quality control policies and procedures should address these matters in a comprehensive fashion, to include such matters as backup policies for electronic files, storage and access policies for paper and electronic files, and disaster recovery. Physical access controls, as well as software access controls such as passwords for electronic media, should be implemented in order to protect the integrity, accessibility, and retrievability of audit documentation. These safeguards should protect the documentation against unauthorized alterations, additions, or deletions, as well as against permanent loss or damage. At a minimum, these controls should: Enable the auditor to determine when and by whom audit documentation was: Created Changed Reviewed Safeguard the integrity of the documentation at all stages of the audit, especially when it is transmitted electronically between members of the audit team or others Prevent unauthorized alterations Permit access by audit team members and other authorized persons as necessary in the performance of their duties Maintain the confidentiality of client information OBSERVATION Electronic or “paperless” audit documentation provides many advantages, such as enhanced portability, ease of creating updates, and decreased need for physical storage space. It also creates several technological challenges. Among these are possible dependence upon proprietary software, surmounting the learning curve that may be associated with periodic updates of that software and accessibility and retrievability in the latter stages of the documentation retention period. The rapid evolution of computer technology makes the five year period specified by SAS 103, not to say even longer statutory or regulatory retention periods, quite a long time. If the audit process uses a vendor’s proprietary software, consider that access to the files must be maintained for at least five years after the vendor stops supporting the software. Conversion to a new computer operating system, which is an issue facing most CPA firms as this Course goes to press, could make old software inoperative. Top_Aud_09_book.indb 118 9/30/2008 8:18:32 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 119 Certain types of hardware upgrades, such as moving from 32 bit to 64 bit architecture, risk making old software inoperative. Other technology changes we may not know of today could make data files unreadable. Some forms of electronic storage, such as optical CDs and DVDs, deteriorate over time and could possibly be unreadable five years after the audit completion date (even the beginning of oxidation will make random portions of the CD unreadable). Auditors should assure that the electronic media that they use to record their audit documentation have a “shelf life” sufficient to last throughout the retention period and that they maintain software and hardware capable of reading the storage media for that period. STUDY QUESTION 10. Which of the following statements about the ownership and confidentiality of audit documentation is correct? a. Audit documentation may never be made available to the entity. b. At the auditor’s discretion, copies of the audit documentation may be made available to the entity. c. Copies of audit documentation must be made available to the entity upon request. d. Copies of audit documentation may be used as a part of the client’s accounting records. RELATIONSHIP TO OTHER AUDITING LITERATURE In addition to the general requirements of SAS 103, many other auditing standards contain specific documentation requirements. SAS 103 does not change those requirements. This section summarizes them, and provides practical implementation guidance. PCAOB Standards SAS 103 is largely a response to the PCAOB’s Auditing Standard No. 3, Audit Documentation (AS-3). It parallels this pronouncement philosophically and in many practical respects but has several important differences: The “experienced auditor” criterion of SAS 103 is more restrictive than the PCAOB’s. The PCAOB requires only that the person “have a reasonable understanding of audit activities” and have “studied the company’s industry as well as the accounting and auditing issues relevant to the industry.” It does not require that an experienced auditor be qualified to perform the audit himself or herself. This less restrictive requirement is apparently necessary to allow PCAOB inspectors, who may not be capable themselves of performing the audits that they inspect, to carry out their duties. Top_Aud_09_book.indb 119 9/30/2008 8:18:32 AM 120 TOP AUDITING ISSUES FOR 2009 CPE COURSE The documentation completion date under AS-3 must come 45 days after the report date, rather than the 60 days required in SAS 103. The documentation retention period under AS-3 is seven years from the report release date, rather than the five years required by SAS 103. AS-3 requires a detailed engagement completion document, which is not required by SAS 103. SAS 103 applies solely to audits of non-SEC issuers. Auditors of SEC issuers should study the complete text of AS-3, which is available on the PCAOB’s website at www.pcaobus.org. STUDY QUESTION 11. Which of the following is a requirement for the “experienced auditor” under PCAOB standards? a. The auditor would have been capable of performing the audit. b. The auditor must understand audit processes, the SASs, and legal and regulatory requirements applicable to the entity’s industry. c. The auditor must be knowledgeable about auditing and have “studied” the industry. d. The auditor must understand the entity’s business environment and the auditing and reporting issues applicable to its industry. SAS 1, Codification of Auditing Standards and Procedures SAS 1 requires auditors to document an understanding with the client. SAS 12, Inquiry of a Client’s Lawyer Concerning Litigation, Claims and Assessments SAS 12 requires auditors to document: That the client has assured the auditor that it has disclosed all unasserted claims that the lawyer has advised the client are probable of assertion and must be disclosed in accordance with SFAS No. 5, Accounting for Contingencies. This may be done either in the audit inquiry letter or in a separate letter to the client’s lawyer. The conclusions reached as a result of responses obtained in a conference relating to matters covered by the audit inquiry letter. SAS 51, Reporting on Financial Statements Prepared for Use in Other Countries SAS 51 requires written management representations regarding the purpose and uses financial statements prepared in accordance with foreign GAAP. Top_Aud_09_book.indb 120 9/30/2008 8:18:33 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 121 SAS 54, Illegal Acts by Clients SAS 54 requires documentation of oral communications to the audit committee or others charged with equivalent authority and responsibility concerning illegal acts that come to the auditor’s attention. SAS 56, Analytical Procedures SAS 56 requires auditors to document: The expectations used in analytical procedures, where not otherwise readily ascertainable from the documentation of the work performed. The factors considered in developing expectations. The results of comparisons of the expectations to recorded amounts or to ratios developed from recorded amounts. Any additional auditing procedures performed in response to significant unexpected differences arising from the analytical procedures. The results of those additional procedures. OBSERVATION One of the most commonly-used analytical procedures is trend analysis, in which comparative trial balances or financial statements are analyzed for consistency over two or more periods. Simply placing a set of computer-prepared comparative financial statements in the audit documentation does not satisfy the requirements of SAS 56 because it does not really indicate the auditor’s expectations, nor does it indicate the results of the comparison, i.e., whether or not it is consistent with prior periods, or with some other expectation. In this case, however, most experienced auditors would probably agree that notations in the margins of such a workpaper to the effect that current period amounts are or are not consistent with prior periods would be sufficient. SAS 58, Reports on Audited Financial Statements SAS 58 requires the predecessor auditor to obtain representation letters from the former client, and from the successor auditor, before reissuing or consenting to the reissuance of a previously issued report on the financial statements of a prior period. SAS 59, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern SAS 59 requires the auditor to document: The conditions or events leading to the belief that there is substantial doubt about the entity’s ability to continue as a going concern. The work performed in connection with the auditor’s evaluation of management’s plans. The auditor’s conclusion about whether substantial doubt as to the entity’s ability to continue as a going concern for a reasonable period of time remains or is alleviated. Top_Aud_09_book.indb 121 9/30/2008 8:18:33 AM 122 TOP AUDITING ISSUES FOR 2009 CPE COURSE The consideration and effect of that conclusion on the financial statements, disclosures and the auditor’s report. SAS 67, The Confirmation Process SAS 67 requires the auditor to: Document oral confirmations. Document how, when confirmations have not been requested in the audit of accounts receivable, this presumption was overcome. SAS 74, Compliance Auditing in Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance SAS 74 requires auditors to document oral communication with management and those charged with governance when the auditor becomes aware, during a financial statement audit under GAAS, of an audit requirement that may not be encompassed in the original engagement. OBSERVATION This sometimes happens in audits of entities that obtain Federal awards for the first time, and become subject to Single Audit Act requirements, or entities, especially small ones, whose Federal funding goes over the Single Audit Act threshold for the first time. If the client was unaware of these requirements at the time that the auditor was engaged, the auditor is required to make them aware. SAS 85, Management Representations SAS 85 requires written representations from management in all financial statement audits. SAS 99, Consideration of Fraud in a Financial Statement Audit SAS 99 requires that the following specific fraud-related items be recorded in the audit documentation: The fraud risk discussion in the planning phase of the audit, including: How and when the discussion took place Who participated The subject matter of the discussion The auditing procedures used to gather the information needed to identify and assess the risk of material misstatement caused by fraud The specific fraud risks that were identified A description of the audit responses to identified fraud risks Support for the conclusion that improper revenue recognition is not a fraud risk, if it is not identified as such Results of procedures performed to address the risk of management override of internal control Top_Aud_09_book.indb 122 9/30/2008 8:18:33 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 123 Analytical relationships and other conditions that caused the auditor to believe that expanded auditing procedures or responses were necessary and any additional audit responses to address those conditions The nature of fraud-related communications made to management, the audit committee, or others OBSERVATION As a practical matter, fraud-related procedures are performed at various times throughout an audit. For this reason, their documentation may be spread widely throughout the audit workpapers. Some auditors find it efficient to use a standardized workpaper to summarize or index into one place in the audit documentation the performance of these various procedures. Such a workpaper might take a form similar to Illustration 4-2 below. Illustration 4-2: Fraud Risk Evaluation FRAUD RISK – EVALUATION OF AUDIT TEST RESULTS By: em. Date: 2/1/08 CLIENT: CalMac Ltd DATE: 12/31/07 Certain of the procedures in the audit have the potential to discover fraud risk. In the performance of these procedures, have any of the above indicators or any other indicators come to our attention? Explain any “yes” answers. Procedure Review of minutes Attorney correspondence Review of legal expense Representation letter Correspondence with funding sources Cash receipts tests Cash disbursements tests Related party procedures Review of regulatory correspondence Analytical procedures Understanding, and (if applicable) tests of internal control Management override of internal control Tests of revenue recognition Conclusions: 1. Based on the audit findings, is the original fraud risk assessment still valid? 2. Have the audit procedures adequately addressed the assessed fraud risks? 3. Based on the audit findings, is there reason to suspect that material misstatement to the F/S has occurred due to fraud? If yes, see SAS 99 AU Sec 319 for further action. *=see specific accounts w/p’s. Top_Aud_09_book.indb 123 Yes No Wp Ref X X X X X X X X X X B-7 B-9 B-9 B-18 * * * B-12 None B-6, B-20* B-5 X X B-5 D & R-series X X X 9/30/2008 8:18:33 AM 124 TOP AUDITING ISSUES FOR 2009 CPE COURSE STUDY QUESTION 12. When auditors do not consider improper revenue recognition to be a fraud risk, they are required to document a justification for this conclusion. True or False? SAS 100, Interim Financial Information SAS 100 requires auditors to prepare documentation, with form and content designed to meet the circumstances of the engagement, in connection with a review of interim financial information. SAS 106, Audit Evidence The numerous performance requirements of SAS 106 create implicit documentation requirements. Much of what was left unsaid, or implicit, under previous practice now needs to be reduced to writing, in terms of demonstrating, for example, how individual audit procedures come together to provide support for the relevant assertions. There is no specific requirement as to how this is to be documented. Documentation techniques, consequently, will vary greatly depending on firm policy and engagement characteristics. The challenge facing all auditors is to create documentation that is clear and comprehensive while at the same time being succinct and efficient. One possible technique could be the use of a matrix similar to the one in Illustration 4-3 below. Illustration 4-3: Relationship of Audit Procedures to Relevant Assertions, Account Balances, Transaction Classes, Disclosures, and the Financial Statements as a Whole This illustration demonstrates four levels of consideration in a financial statement audit, and how the individual procedures provide evidence to support each of the relevant assertions for a particular balance, in this case for property and equipment. The accumulation and proper evaluation of sufficient appropriate audit evidence for the relevant assertions attaching to each material balance, transaction class and disclosure provide the building blocks for assurance at the financial statement level. For the sake of brevity, the illustration is truncated after property and equipment, and is expanded down to the relevant assertion and audit procedures level only for property and equipment. In an actual engagement, all balance sheet captions (i.e., account balances) and income statement captions (transaction classes) along with significant disclosures, would be listed in the second column, and expanded in the third and fourth columns. Top_Aud_09_book.indb 124 9/30/2008 8:18:33 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s Financial Statement Level Balance/Transaction Class/Disclosure Level Relevant Assertion Level Audit Procedures Existence Inspection of assets (step 7) Completeness Inspection of assets (see w/p K10) Completeness Analytical procedures Completeness Inspection of records and documents Rights/obligations Inspection of documents of title, debt instruments Valuation Inspection of purchase invoices Valuation Recalculation of depreciation Valuation Analytical procedures 125 Cash Accounts Receivable Inventory Property & Equipment One way to think of this illustration is to visualize the planning process as going from left to right on the matrix, and the actual gathering and evaluation of audit evidence as going from right back to left. The planning starts at the financial statement level, identifies the significant account balances, transactions classes, and presentation and disclosure aspects of the statements. It then considers the assertions relevant to each of those, and the attendant risks, and designs and performs audit procedures to address those risks and to support—or disprove—the assertions. Performing further audit procedures starts to build back up from right to left. Each procedure provides support for one or more assertion, which in turn leads to the ability to conclude whether the balance, transaction class or disclosure has sufficient support, and whether the financial statements as a whole are fairly presented. Illustration 4-4: Risk Assessment Matrix This illustration demonstrates the application of the concepts discussed above in a practical situation. Like Illustration 4-3, it is truncated to show detail only for property and equipment. Separate worksheets for the transactions classes and presentation and disclosure would list across the top their own relevant assertions, e.g., for transaction classes; occurrence, completeness, accuracy, cutoff and classification, rather than the assertions for account balances shown in this worksheet. Top_Aud_09_book.indb 125 9/30/2008 8:18:33 AM 126 TOP AUDITING ISSUES FOR 2009 CPE COURSE Some auditors have suggested that it will be efficient to combine risk assessment with preliminary analytical review in the planning process. This worksheet demonstrates one possible format for documenting these processes. Column 1 lists the account balance, transaction class or disclosure Column 2 shows the auditor’s determination of whether the line item is significant or not by indicating a “Y” for yes, or “N” for no. Columns 3-5 give the current and prior years’ balances and the change, for preliminary analytical review purposes. Columns 6-10 list the relevant assertions for inherent risk. High risk is designated by “H”, moderate by “M” and low by “L.” Columns 11-15 list the relevant assertions for control risk, similarly to columns 6-10 Column 16 shows the risk of material misstatement. Column 17 shows whether tests of controls are contemplated or not. Column 18 provides space for narrative comment for the preliminary analytical review Column 19 lists audit responses for each of the relevant assertions. XYZ Company is a small manufacturer that has experienced an increase in sales due to acquisition of new and more productive machinery. Top_Aud_09_book.indb 126 9/30/2008 8:18:33 AM Top_Aud_09_book.indb 127 25,000 L 250,000 225,000 10,000 11,000 500,000 475,000 Inventory y Prepaids n Prpty/ Equip y Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip Prpty/ Equip 25,000 M (1,000) 150,000 120,000 30,000 M 10,000 L y 90,000 7 8 9 10 11 12 13 14 15 16 17 18 19 M H M L M H M L L H H L L M L L L M M L M M M L M H M L L H H L L M L L M H M L no yes no yes Planned additions Increase consistent w/sales Increase consistent w/sales Disclosure checklist Inspection of assets & docs, analytical Insp of purchase invoices, recalc depr, analytical Inspection of assets Inspection of documents Disclosure checklist Inspection of assets Inspection of documents Inspection of assets & docs, analytical Insp of purchase invoices, recalc depr, analytical Further audit prcdrs not listed to reduce size of illus. Further audit prcdrs not listed to reduce size of illus. See I/C section of planning docs. Further audit prcdrs not listed to reduce size of illus. Inherent Risk Control Risk Val/ Risk of Material Cntrl Analyt Review Further Audit Rights/ Val/ Rights/ Tests? Comments Procedures Exist Oblig Complete Alloc Discl Exist Oblig Complete Alloc Discl Misstatemt 6 A/R 100,000 Change 5 y 4 Cash 3 Signif? Current Prior 2 Acct Balance 1 XYZ Company Combined Preliminary Analytical Review and Risk Assessment FYE 12/31/07 M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 127 9/30/2008 8:18:33 AM 128 TOP AUDITING ISSUES FOR 2009 CPE COURSE Not all of the audit procedures listed in this illustration would necessarily have to be applied. For example, column 19 shows “inspection of assets” as a procedure that could be used to support the existence assertion for property and equipment. Inherent and control risk for existence, however, are both assessed at low risk. Under these circumstances, an auditor might decide that an inspection of documents, specifically purchase invoices, which is contemplated to obtain support for the valuation assertion anyway, would also be sufficient to support existence. SAS 107, Audit Risk and Materiality in Conducting an Audit The performance requirements of SAS 107 carry with them both explicit and implicit documentation requirements. These requirements have significant implications both for audit efficiency and for systems of quality control for audit engagements. Auditors should document the levels of materiality and tolerable misstatement used in the audit, the basis on which these levels were determined, and any changes that they make to them during the audit. Simply recording numbers for materiality and tolerable misstatement does not meet this requirement because it does not show the basis for determining those numbers. As a practical matter, many firms will find that the easiest way to satisfy this requirement is to use structured audit practice aids such as those offered by CCH or by other reputable publishers. Materiality and tolerable misstatement. Summary of uncorrected misstatements. Auditors should summarize uncorrected misstatements, other than those that are trivial. This summary should facilitate: Separate consideration of the effects of known and likely misstatements, including uncorrected misstatements from prior periods. Consideration of the aggregate effects of misstatements. Consideration of qualitative aspects of misstatements that are relevant to the consideration of whether they are material. The documentation should contain a conclusion as to whether the uncorrected misstatements are material individually and in the aggregate, and a basis for that conclusion. The summary of uncorrected misstatements is also important as a client communication device. Auditors are required to obtain management’s written representation that uncorrected misstatements are immaterial individually and in the aggregate. Auditors are also required to communicate these items to those charged with governance. Many find that attaching this summary from the audit workpapers, and referencing it in the management representa- Top_Aud_09_book.indb 128 9/30/2008 8:18:33 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 129 tion letter or the written communication to those charged with governance, is an efficient way to communicate these items. OBSERVATION A likely effect of this new emphasis on uncorrected misstatements is that auditors, particularly when working with smaller entities, may be “passing” fewer adjustments, and urging clients to correct all known misstatements other than trivial ones. Known and likely misstatements. Audit documentation should record all known and likely misstatements identified by the auditor that have been corrected by management, other than those considered to be trivial. SAS 107 introduces of the concept of “trivial” misstatements both in the context of corrected and uncorrected misstatements. This implies documentation requirements that are not explicitly stated. This suggests that a threshold for triviality should be documented, and that a basis for that determination should be stated. Some auditors set this threshold with reference to their planning materiality documentation, usually by stating some percentage of tolerable misstatement below which misstatements need not be aggregated. OBSERVATION Some documentation requirements, such as documenting levels of materiality and tolerable misstatement, are “fixed costs” in the sense that it takes an audit firm about the same amount of time to fill out its materiality worksheet no matter the size of the client. Like all fixed costs, they weigh the heaviest at the lowest levels of activity. This poses a challenge for all auditors, but especially those of smaller entities, to become more efficient in producing audit documentation. To meet this challenge, many are finding that their quality control systems need to move toward two goals: Increased standardization, often in the form of – More reliance on published practice aids. – Standardized indexing and workpaper set-up. Increased use of electronic aids and documentation, which may, for example, – Automatically link specific accounts workpapers to adjusted trial balances to financial statements. – Facilitate the standardization of documentation and production of repetitive types of documents. Top_Aud_09_book.indb 129 9/30/2008 8:18:34 AM 130 TOP AUDITING ISSUES FOR 2009 CPE COURSE STUDY QUESTIONS 13. Which of the following statements best applies to the documentation requirements of SAS 107? a. Auditors should document the basis on which materiality was determined. b. Auditors should not document materiality at levels below the financial statements taken as a whole. c. Auditors should avoid documenting changes made to materiality levels during the audit. d. Audit documentation may exclude uncorrected misstatements from prior periods. 14. According to SAS 107, the summary of uncorrected misstatements should: a. Include consideration only of known misstatements. b. Exclude separate consideration of known and likely misstatements. c. Include consideration of their aggregate effects. d. Exclude a conclusion as to their materiality. SAS 108, Planning and Supervision SAS 108 requires: A written engagement letter. Documentation of significant revisions to the overall audit strategy to respond to changes in circumstances. A written audit plan. Documentation of changes to the original audit plan. Documentation of significant disagreements among the audit team, if any, and their resolution. SAS 109 Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement SAS 109 states that the auditor should document four elements related to the understanding of the entity and its environment, and the assessment of the risk of material misstatement: The audit team’s discussion about the susceptibility of the statements to material misstatement, whether caused by fraud or error. This documentation should include: How the discussion occurred. When it occurred. Names of the participants. Subjects discussed. Significant decisions regarding audit responses at the financial statement and relevant assertion levels. Top_Aud_09_book.indb 130 9/30/2008 8:18:34 AM M O D U L E 2 — C H A P T E R 4 — S u m m a r y o f N e w A u d i t D o c u m e n t a t i o n R e q u i re m e n t s 131 Significant elements of the auditor’s understanding of: The client and its environment. The five components of internal control. The sources of the information used. The risk assessment procedures. The assessment of the risks of material misstatement at both the financial statement and the relevant assertion levels. The risks identified and related controls evaluated, including: Identification of the risks that require special audit consideration. Risks for which it is not possible or practicable to reduce detection risk at the relevant assertion level to an acceptably low level by substantive procedures alone. OBSERVATION In addition to these explicit documentation requirements, SAS 109 contains many requirements for auditors to “obtain an understanding” or to “obtain knowledge” about particular matters. Implicit in these requirements is the requirement to document those understandings and knowledge. Generating this documentation is likely to require significant time and effort during the audit period in which SAS 109 is first implemented. During this implementation period and into the second-time through audit, auditors should give serious consideration to how best to create this documentation in a way that it can be economically updated and maintained in future audits. Electronic documentation will likely be the method of choice for most auditors. This may take the form of questionnaires or of narrative memoranda. Firms with large audit practices or with specialized industry niches may find that providing audit staff with pre-structured outlines for narrative memoranda will facilitate this process by introducing standardization in gathering, documenting, and retrieving this information. STUDY QUESTION 15. According to SAS 109, auditors should document the assessment of the risks of material misstatement down to the financial statement level. True or False? SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained SAS 110 requires auditors to specifically document the following elements of the audit procedures performed in response to assessed risks and the evaluation of the audit evidence obtained through those procedures: The overall responses to the risk assessment at the financial statement level. Top_Aud_09_book.indb 131 9/30/2008 8:18:34 AM 132 TOP AUDITING ISSUES FOR 2009 CPE COURSE The nature, timing and extent of audit procedures performed. The linkage of audit procedures to the assessed risks at the relevant assertion level. The results of audit procedures. The conclusions reached concerning the use in the current audit of evidence about the operating effectiveness of controls that was obtained in a previous audit. SAS 112, Communicating Internal Control Related Matters Identified in an Audit SAS 112 requires the auditor to: Make the written communication of significant deficiencies and material weaknesses in internal control no later than 60 days following the report release date. Document the content of oral communications when communicating other matters to management or those charged with governance, such as matters that may be of potential benefit to the client or matters that the client has requested. SAS 114, The Auditor’s Communication With Those Charged With Governance This Statement does not require written communication of any matters. It does, however, state that copies of written communications, if any, should be retained, and that oral communications should be documented. OBSERVATION Although written communications were not required under SAS 61 and are still not generally required under SAS 114, many auditors feel that written communication represents a “best practice” under most circumstances. Oral communication is still appropriate, however, especially in the case of very small, owner-managed clients, as long as it is well-documented. Top_Aud_09_book.indb 132 9/30/2008 8:18:34 AM 133 MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 5 The Risk Assessment Standards: A Comprehensive Review LEARNING OBJECTIVES Upon completion of this chapter, the reader should: Understand the new philosophical concepts embodied in the Risk Assessment Standards. Be able to use relevant assertions in the financial statements to assess risk of material misstatement. Understand the linkage of audit procedures to risk assessment. Understand how to develop and use an understanding of the entity and its environment in assessing risks. Be able to evaluate audit findings in light of assessed risks and materiality. INTRODUCTION The “Risk Assessment Standards” represent the most sweeping change to auditing practice in the last twenty years. They consist of eight new Statements of Auditing Standards (SASs 104 through 111). These Statements became effective for audits of financial statements with periods beginning on or after December 15, 2006. Thus, for full-year audits, December 31, 2007 year ends are the first round of audits in which application was required. These Standards present significant new philosophical directions in auditing. Along with these new modes of thought come new procedures and practices. Numerous practical issues have presented themselves in this initial period of implementation. These have to do not only with basic understanding of the new requirements, but of how to transition thought processes away from the “old rules” and how to modify, adapt, or sometimes discard existing auditing practices in a way that is both effective and economically feasible. This chapter summarizes these new Standards and their requirements, explores some of the emerging implementation issues, and offers some practical directions and tools for moving forward. As a convenient reference, Appendix A summarizes these Standards and Appendix B lists their unconditional requirements. Appendix C contains the definitions of the many new terms that these Standards have introduced. Top_Aud_09_book.indb 133 9/30/2008 8:18:34 AM 134 TOP AUDITING ISSUES FOR 2009 CPE COURSE THE RISK ASSESSMENT STANDARDS: NEW DIRECTIONS IN AUDITING Risk assessment in itself is not a new concept in auditing. Auditors have always made efforts to determine the areas within a client’s financial statements that are most prone to misstatement. And they have always attempted to design audit procedures to address these risks. The Risk Assessment Standards formalize this process, and give it structure. This raises the process from an intuitive, and sometimes informal, plane to the level of a documentationintensive set of structured procedures. Some new philosophical orientations underlie these procedural requirements. Auditors who do not grasp these philosophical implications are not likely to approach these new Standards, either in their initial implementation or in ongoing performance, in an efficient or effective manner. This section discusses those new directions briefly, as a platform for moving forward into practical implementation and performance issues. Risk Assessment Among the most sweeping changes that the new Standards make to previous practice are the requirements for auditors to have an appropriate basis for all risk assessments, and the elimination of the concept of assessing risk “at the maximum” without support. Auditors should now develop an understanding of controls. When deciding not to test controls, they need to be satisfied that substantive procedures alone will be effective in reducing detection risk to an acceptably low level. OBSERVATION The inability to default to a “maximum risk” assessment without developing—and documenting—an understanding of controls has significant effect on audits of smaller entities. This is particularly true of owner-managed businesses, in which control structures may not be formalized and segregation of duties may be less than optimal due simply to the lack of personnel. This does not mean that auditors should test controls that they feel are ineffective or that they do not plan to rely on in the audit. It does mean that they should document an understanding of the control risk, and design substantive procedures to reduce detection risk appropriately. Implicit in the idea of risk assessment is that almost every audit will contain at least one significant risk. Risk assessments that say “there are no significant risks in this audit” might well draw skeptical consideration from audit supervisors. Less frequently, risk assessments may list nearly every significant account balance, transaction class or disclosure as having significant risk. This should draw skepticism on two counts. The first is to question whether the person Top_Aud_09_book.indb 134 9/30/2008 8:18:34 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 135 or persons making the risk assessment really understand what a significant risk is. Secondly, if such a risk assessment were accurate, it might lead the audit partner to question whether the client is really auditable, and whether firm’s quality control policies and procedures for client and engagement acceptance and continuance were properly drafted and properly applied to the engagement. Linkage of Audit Procedures to Risk Assessment The requirement to use risk assessment in determining the nature, timing and extent of additional audit procedures may well be one of the most important in the new Standards. One of the key philosophical threads running through the Risk Assessment Standards is the idea of linking audit procedures to risks: that is, of performing more intensive procedures in areas of higher risk and less intensive in areas of lower risk. Arguably, this is merely a codification of existing best practices. On a practical implementation level, it is more important than ever for auditors to show how they have considered risks in developing audit procedures, and how their procedures address those risks. Thus, whenever an auditor, as a result of obtaining an understanding of a client, assesses a significant risk of material misstatement, the audit procedures should respond to that risk. OBSERVATION The practical effect of linking audit procedures to risk assessment is that audit resources will be more efficiently allocated. Areas of higher risk will receive more time and more intensive consideration and testing. Areas of lower risk will receive less intensive work. One practical result of this new emphasis is the need to more closely tailor standardized audit programs to the unique risks of each individual engagement. However, regardless of risk, auditors should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance and disclosure. This requirement is new to the auditing literature. It is, on the one hand, arguably nothing but a codification of pre-existing best practices. On the other hand, it carries a danger of misinterpretation. Some auditors, at an initial reading, have concluded that this requires extensive substantive procedures on virtually every line item on a client’s trial balance. This is not the Standards’ intent. Auditors attest to the financial statements as a whole, not to the detailed general ledger. It is thus the relevant assertions for material transaction classes, account balances and disclosures at the financial statement level that are the subject of this concern. Top_Aud_09_book.indb 135 9/30/2008 8:18:34 AM 136 TOP AUDITING ISSUES FOR 2009 CPE COURSE Presentation and Disclosure Among the most sweeping changes that the new Standards make to previous practice is the introduction of the concept of considering risk of misstatement not only at the level of the financial statements taken as a whole, and at the level of individual account balance or class of transactions, but also at the disclosure level. This is consistent with the philosophical direction of the new risk assessment model, which increases emphasis on the accuracy and clarity of disclosures. This is important because it underscores the fact that disclosures are more than just a mass of fine print appended to the basic financial statements. They are an integral part of those statements, and share equal importance to users, and thus are of equal concern to the auditor. This has several important practical implications for the ways in which auditors view their responsibilities relating to financial statement disclosures. OBSERVATION The increased emphasis on presentation and disclosure is likely to lead increased reliance on standardized presentation and disclosure checklists. Practitioners should be aware, however, that it will not be sufficient to run down these checklists in a mechanical fashion determining merely the presence or absence of a particular element of presentation or disclosure. Financial statements and related disclosures also need to be read carefully for clarity and understandability. Another implication of this increased emphasis, along with the requirement to reconcile the statements and notes to underlying accounting records, will likely be a necessity to reference assertions contained in the notes to applicable support within the audit documentation. Responsibilities of Client and Auditor One of the major philosophical thrusts of the new Risk Assessment Standards as a whole is to differentiate the auditor’s responsibilities from those of management and other financial statement users. This is part of a campaign, which began several years ago with Ethics Interpretation No. 101-3, Nonattest Services, to educate clients and the public as to who is responsible for what in the audit process, and continues with SAS 112, Communication of Internal Control Related Matters Identified in an Audit, and SAS 114, The Auditor’s Communication With Those Charged With Governance. Examples of this new direction include: The concept that financial statement users need to take responsibility for intelligent use of the financial statements. Users need to understand that financial statements are prepared and audited to levels of materiality. Top_Aud_09_book.indb 136 9/30/2008 8:18:34 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 137 The concept that auditors cannot reasonably anticipate the needs of all financial statement users. Increased emphasis on communication between the auditor and management on the subject of misstatements, in order to clarify that it is the client, not the auditor, that “owns” the audit adjustments. There are also some changes in the emphasis on auditor responsibilities. SAS 104, Amendment to SAS 1, “Codification of Auditing Standards and Procedures” (“Due Professional Care in the Performance of Work”) emphasizes that the high level of intended assurance is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. It expands the definition of “reasonable assurance” by adding wording to emphasize that audits must be planned and performed to attain a low level of audit risk. SAS 104 does not explicitly define the terms “high level of assurance” or “low level of audit risk.” However, it equates “reasonable assurance” with a “high level of assurance” and requires auditors to perform audit procedures designed to limit audit risk “to a low level.” SAS 105, Amendment of SAS 95, “Generally Accepted Auditing Standards” broadens the philosophy of the audit process significantly by amending the second fieldwork standard to: Expand the scope of the auditor’s understanding from “internal control” to “the entity and its environment, including its internal control.” Extend the purpose of the auditor’s understanding from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud.” STUDY QUESTIONS 1. Among the major philosophical directions taken by the Risk Assessment Standards are all of the following except: a. The concept of differentiating the auditor’s responsibilities from those of management and other financial statement users. b. The elimination of the concept of assessing risk “at the maximum” without support. c. The concept of considering risk of misstatement only at the level of the financial statements taken as a whole. d. The idea of linking audit procedures to risks. Top_Aud_09_book.indb 137 9/30/2008 8:18:34 AM 138 TOP AUDITING ISSUES FOR 2009 CPE COURSE USING RELEVANT ASSERTIONS IN RISK ASSESSMENT Assertions are implied or expressed representations by management about the recognition, measurement, presentation, and disclosure of information in the financial statements and related disclosures. One of the first steps in the audit process is to identify management’s assertions regarding each material component of the financial statements. Auditors must test these assertions by gathering evidence to support or refute them. Professional literature previously identified five assertions: completeness, occurrence, rights and obligations, valuation/allocation, and presentation and disclosure. SAS 106, Audit Evidence, identifies 13 assertions which it sorts into three broad categories. Some of these assertions, such as accuracy and cutoff, are really different ways of viewing previously existing assertions. The new category for presentation and disclosure reflects increased emphasis on the importance of this area to the users of financial statements. It highlights the necessity for auditors to seriously address the content of the financial statements, including the disclosures. Auditors are now required to determine the relevance of each of the assertions and the source of likely potential misstatements for each significant class of transactions, account balance, and presentation and disclosure, and to use the assertions in assessing risks by considering the types of misstatements that might arise and designing further audit procedures to respond to those risks. Classes of Transactions and Events Assertions about classes of transactions and events for the period under audit address whether recorded transactions and events: Have in fact occurred and relate to the entity (occurrence). Include all transactions and events that should have been recorded (completeness). Have been properly recorded based on appropriate amounts and other data (accuracy). Have been recorded in the correct accounting period (cutoff). Have been recorded in the proper accounts (classification). Previous auditing standards did not have explicit assertions for accuracy or cutoff, although these matters have always been addressed in financial statement audits. Accuracy was addressed through a combination of considerations related to all five of the previously existing assertions. Cutoff was addressed through considerations of completeness and occurrence. The new cutoff assertion is a logical outgrowth of the increased emphasis in SAS 99, Consideration of Fraud in a Financial Statement Audit, on fraudulent revenue recognition, and reflects the need for auditors to give explicit consideration to the risk of cutoff errors or manipulations giving rise to improper revenue recognition. Top_Aud_09_book.indb 138 9/30/2008 8:18:34 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 139 Account Balances Assertions about account balances at the period end address whether: Assets, liabilities, and equity interests exist (existence). The entity holds or controls the rights to assets and whether liabilities are actually the obligations of the entity (rights and obligations). All assets, liabilities, and equity interests that should have been recorded have been recorded (completeness). Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded (valuation and allocation). This category of assertions has not changed, and thus will not likely cause significant changes to existing audit practices. Presentation and Disclosure Assertions about presentation and disclosure address whether: Disclosed events and transactions have occurred, and relate to the entity (occurrence and rights and obligations). All disclosures that should have been included in the financial statements have been included (completeness). Financial information is appropriately presented and described and disclosures are clearly expressed (classification and understandability). Financial and other information is disclosed fairly and at appropriate amounts (accuracy and valuation). It is significant that SAS 106 has carved out a separate category for financial statement presentation and disclosure. This has several important practical implications for the ways in which auditors view their responsibilities relating to financial statement disclosures. Disclosure checklists will continue to be important tools in assuring the completeness of disclosures. Auditors will increasingly need to look past their disclosure checklists to the quality and substance of the disclosures. However, the mere presence of a footnote captioned, say, “Inventory” does not necessarily mean that all of the necessary disclosures about inventory are present and are clearly expressed. Auditors will need to carefully read and evaluate each disclosure to determine if it is truly adequate, especially in areas that require management to make quantitative or qualitative judgments affecting the content of a disclosure. Disclosure omissions or inadequacies often arise when a client experiences a significant unusual event or transaction, or has significant changes in its business. Such events should cause auditors to be alert to the need for new disclosures. Top_Aud_09_book.indb 139 9/30/2008 8:18:34 AM 140 TOP AUDITING ISSUES FOR 2009 CPE COURSE Data in the footnotes will need to be closely correlated to the audit documentation. This includes non-financial data. This does not mean that every number in every footnote needs to be cross-referenced to a specific workpaper within the audit documentation, although some firms have adopted this practice as a matter of their own quality control policies. It does mean that if a footnote asserts, for example, that a significant operating lease has a five year term, the audit documentation should contain a copy or an abstract of the lease agreement that supports this assertion. OBSERVATION Not every assertion applies to every material component of the financial statements. There are, though, many areas where most of the assertions are relevant. There will be a significant increase in the number of assertions that need to be addressed on each audit. Auditors should be mindful of the increased time this will create for each audit. This has implications for the scheduling of the firm’s personnel, and should also be discussed with clients when scheduling audit engagements. The Risk Assessment Standards as a group will likely also create new demands on the time and resources of clients’ accounting staffs. Auditors should also consider discussing fee increases with clients during the transition period, in order to give them a chance to budget for the increase and to avoid the distress of “sticker shock” in the year of implementation. Some firms report that the new standards, as a whole, have added 20%-25% to audit time in the first year of implementation. “Learning curve” costs are certainly a part of this increase, so the time might decline in years subsequent to the initial implementation. EXAMPLE If an entity’s financial statements show cash of $50,000, this means that management asserts that cash of $50,000 exists, is owned by the entity, and includes funds at all locations, funds with custodians, and deposits in transit as of the balance-sheet date. Furthermore, unless otherwise disclosed in the financial statements or notes thereto, management also asserts that the cash was unrestricted and available for the entity’s general operating purposes. SAS 106 allows auditors some discretion in how they express these assertions in their work. They may use them as described above, or they may characterize them differently, as long as all of the aspects have been covered. As a practical matter, auditors who choose to express the relevant assertions differently are well-advised to document in explicit fashion how those assertions cover all aspects of those outlined in SAS 106. This can be efficiently done, to some extent, through the use of uniformly structured practice Top_Aud_09_book.indb 140 9/30/2008 8:18:34 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 141 aids that specify the connection between the assertions as used and those presented in the SAS. However, because of the wide variety of situations that may be encountered in real-world auditing, the need to supplement standardized practice aids with narrative comments should be considered on an engagement-by engagement basis. EXAMPLE The cutoff assertion under “classes of transactions and events” is one of the new assertions created by SAS 106. The concept of assuring proper cutoffs has long been addressed by auditors, and is not in itself a new idea. Under previous standards, a receiving cutoff issue would have been addressed through a combination of the completeness and occurrence assertions. If goods were received in a period but not recorded, the client had a problem with the completeness assertion. If, on the other hand, receipt of goods was recorded in a period but the actual receipt did not occur in that period, there was a problem with the occurrence assertion. This continues to be a valid conceptual approach in this case. SAS 106 explicitly states that there may not be a separate cutoff assertion for transactions and events when the completeness and occurrence assertions include appropriate consideration of recording transactions in the proper accounting period. In this case, it is probably wise for the audit documentation to state that the cutoff assertion for receiving is adequately addressed by the combined consideration of completeness and occurrence. STUDY QUESTIONS 2. SAS 106 identifies 13 assertions, which it groups into which of the following broad categories? a. Completeness, occurrence, rights and obligations, valuation/allocation, and presentation and disclosure. b. Account balances; classes of transactions; and events, presentation and disclosure. c. Completeness, classification and understandability, accuracy and valuation. d. Occurrence, completeness, accuracy, cutoff, and classification. Using Assertions in Obtaining Audit Evidence SAS 106 requires auditors to determine the relevance of each of the financial statement assertions for each significant class of transactions, account balance, and for presentation and disclosure. Auditors should use the relevant assertions to assess the risks of material misstatements in the financial statements and to design audit procedures to respond to the assessed risks. To determine whether a particular assertion is relevant, they should evaluate: Top_Aud_09_book.indb 141 9/30/2008 8:18:34 AM 142 TOP AUDITING ISSUES FOR 2009 CPE COURSE The nature of the assertion. The volume of transactions or data related to the assertion. The nature and complexity of the systems the entity uses to process and control information supporting the assertion. Developing Audit Tests and Procedures To determine what type of evidence to collect, auditors develop specific objectives related to each relevant assertion. Auditors should evaluate each relevant assertion as it relates to the particular account balance, class of transactions, or presentation and disclosure when determining audit objectives. Having identified specific audit objectives, they should then develop methods to achieve them. Deciding upon the nature, timing, and extent of procedures to achieve the audit objectives involves the following types of procedures: Risk assessment procedures. These are performed to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement at the financial statement and relevant assertion levels. Risk assessment procedures must be performed in all audits. Tests of controls (when relevant or necessary). These are performed to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level. Auditors should perform tests of controls when the risk assessment includes an expectation of the operating effectiveness of controls, or when substantive procedures alone do not provide sufficient appropriate audit evidence. EXAMPLE Substantive procedures alone often do not provide sufficient appropriate evidence for businesses that conduct a large volume of transactions in electronic form, for which a paper trail is not generated. These transactions are typically of a similar, repetitive nature and can be effectively controlled by a single system of internal control. When this is the case, testing the operating effectiveness of the controls over the transactions is often both effective and necessary to provide sufficient appropriate evidence. These are performed to detect material misstatements at the relevant assertion level and include tests of details of classes of transactions, account balances, and disclosures, and substantive analytical procedures. Regardless of the assessed risk of material misstatement, substantive procedures should be performed in all audits for all relevant assertions related to each material class of transactions, account balance, and disclosure. Substantive procedures. Top_Aud_09_book.indb 142 9/30/2008 8:18:35 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 143 STUDY QUESTIONS 3. Which of the following statements best describes SAS 106’s requirements related to substantive procedures? a. Substantive procedures should be performed in all audits for all relevant assertions related to each class of transactions, account balance, and disclosure, regardless of materiality. b. Substantive procedures should be performed in all audits for all relevant assertions related to each material class of transactions, account balance, and disclosure, regardless of the assessed risk of material misstatement. c. Substantive procedures performed on each material class of transactions, account balance, and disclosure must include tests of details and substantive analytical procedures. d. Substantive procedures are performed to detect material misstatements down to the transaction class, account balance and disclosure level. Types of Audit Procedures The auditor should use one or more types of the audit procedures described below when performing risk assessment procedures, tests of controls, or substantive procedures: Inspection of records and documents. Inspection of tangible assets. Observation. Inquiry. Confirmation. Recalculation. Reperformance. Analytical procedures. Additional Considerations for Audit Evidence and Procedures SAS 106 advances a newly-explicit requirement dealing with the longestablished practice of “rolling forward” audit evidence from one period to the next. Auditors are now required to perform procedures to establish the continuing relevance of such evidence when it is used in the current audit. This is a significant departure from previous practice. SAS 106 makes the point that accounting records do not, by themselves, provide sufficient appropriate evidence on which to base an opinion. This is because they are internally prepared, and provide no external corroboration. For this reason, it requires auditors to obtain other audit evidence, from sources outside the accounting records. Another set of requirements are the requirements to use professional judgment and professional skepticism in evaluating the quantity and quality of Top_Aud_09_book.indb 143 9/30/2008 8:18:35 AM 144 TOP AUDITING ISSUES FOR 2009 CPE COURSE audit evidence. These speak to the need to critically evaluate audit evidence for both sufficiency and appropriateness. A set of requirements deals with client-prepared information. These requirements essentially codify and expand the existing practice of “footing the PBCs”. They state that auditors should obtain audit evidence about the accuracy and completeness of client-prepared information when using that information to perform further audit procedures and, especially where electronic documentation is involved, should consider its reliability, including the controls over its preparation and maintenance. There is also a specific requirement that auditors should consider the accuracy of price information and the completeness and accuracy of sales volume data when applying standard prices to records of sales volume to audit revenue. Yet another set of requirements deals with audit responses to inconsistencies in audit evidence. Auditors should determine what additional audit procedures are necessary to resolve inconsistencies in audit evidence obtained from different sources. Especially when inconsistencies involve evidence obtained through inquiry, additional audit procedures should be performed to resolve the inconsistencies. STUDY QUESTIONS 4. Which of the following audit procedures would be most likely to provide persuasive evidence in support of the existence assertion related to inventory? a. b. c. d. Inquiries of management.. Inspection of tangible assets. Analytical procedures. Recalculation of inventory pricing. 5. Substantive analytical procedures are required on all audits. True or False? CONSIDERING AUDIT RISK AND MATERIALITY SAS 107, Audit Risk and Materiality in Conducting an Audit, requires that audit risk and materiality be considered both at the financial statement level, and in more detailed fashion at the individual account balance, transaction class, or disclosure level. Considerations at the Financial Statement Level SAS 107 requires auditors to consider audit risk and to determine a materiality level for the financial statements taken as a whole. This assists them in: Determining the extent and nature of risk assessment procedures. Identifying and assessing the risks of material misstatement. Top_Aud_09_book.indb 144 9/30/2008 8:18:35 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 145 Determining the nature, timing and extent of further audit procedures. Evaluating whether the financial statements are fairly presented. Considering audit risk is a matter of professional judgment. It can be assessed in quantitative or nonquantitative terms. At the financial statement level, this consideration includes general planning decisions such as staffing, extent of review, and degree of professional skepticism. The auditor is required to perform the audit to reduce audit risk to a low level that is appropriate for expressing an opinion on the entity’s financial statements. At this level, the auditor is concerned with risks of material misstatement that cut across many relevant assertions, and relate pervasively to the statements as a whole. These risks often attach to the overall control environment, and may not be linked to a particular relevant assertion at the account balance, transaction class, or disclosure level. Identifying these risks is particularly important in terms of assessing the risk of fraud as a result of management override of controls. OBSERVATION Almost every audit has at least one significant risk. Most have only a few, one of which may stand out as the most significant. A mental exercise to help identify that risk is called “the one hour audit.” In this exercise, there are as many hours available as are reasonably necessary to plan the audit, including performing necessary risk assessment procedures and developing an understanding of controls, and to draft and review the financial statements and do other necessary “wrap-up” work. But the substantive test work in the field is limited to only a very short time; say an hour for a small audit, or a day for a large audit. Consider what the first thing to be tested would be. Then, if there is time left over, or if another hour was allotted, consider what would be tested next. This will usually identify the one or two most significant risks in the audit. This exercise works well in the brainstorming session that is required as a part of all audit planning. Give every participant a slip of paper, and ask them to write down how they would spend their hour. Collect all the responses and read them aloud, anonymously. Let the discussion begin. Considerations at the Account Balance, Transaction Class, or Disclosure Level SAS 107 requires the auditor to consider audit risk at the individual account balance, class of transactions, or disclosure level. At this level, the auditor’s objectives are to: Determine the nature, timing, and extent of further audit procedures. Reduce audit risk at the individual balance, class, or disclosure level so Top_Aud_09_book.indb 145 9/30/2008 8:18:35 AM 146 TOP AUDITING ISSUES FOR 2009 CPE COURSE that the auditor can express an opinion on the statements as a whole at an appropriately low level of audit risk. In determining the nature, timing, and extent of audit procedures to be applied to a specific account balance, class of transactions, or disclosure, the auditor should design audit procedures to obtain reasonable assurance of detecting misstatements that could be material, when aggregated with misstatements in other balances, classes, or disclosures, to the financial statements taken as a whole. Regardless of the audit approach or methodology, SAS 107 requires the auditor to assess the risk of material misstatement at the relevant assertion level as a basis for further audit procedures. OBSERVATION The requirement to assess the risk of material misstatement at the relevant assertion level as a basis for further audit procedures effectively eliminates the auditor’s ability to default to “maximum control risk” without having a basis for that assessment. This is a significant departure from existing practice. This does not mean that controls must always be tested. It does, however, mean that the auditor must have an understanding of controls sufficient to support an assessment of maximum control risk. The intended result of this shift in audit thinking is that audit effort will be more effectively concentrated in areas of highest risk; in other words, that audit procedures will be more closely correlated to assessed risks. STUDY QUESTIONS 6. The requirement of SAS 107 to assess the risk of material misstatement at the relevant assertion level as a basis for further audit procedures: a. Effectively eliminates the auditor’s ability to default to “maximum control risk” without having a basis for that assessment. b. Intends that audit procedures be performed in all areas without regard to assessed risks. c. Means that the auditor need not develop an understanding of controls sufficient to support an assessment of maximum control risk. d. Requires that controls always be tested. Determining and Using Materiality Some matters are more important for the fair presentation of financial statements than others. Auditors are concerned with matters that either by themselves or combined with others, could be important, or material, to the financial statements. Auditors are responsible for planning and performing Top_Aud_09_book.indb 146 9/30/2008 8:18:35 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 147 the audit to obtain reasonable, but not absolute, assurance that material misstatements, whether they are caused by error or by fraud, are detected. SAS 107 discusses materiality at three levels: The financial statements as a whole. Tolerable misstatement at the account balance, transaction class, or disclosure level. Other particular items that are less than the materiality amount for the financial statements as a whole. Once materiality is established, it should be considered the same way— although not necessarily in the same amounts—in planning and evaluating, regardless of the client’s inherent business characteristics. EXAMPLE User expectations may differ depending on the degree of inherent uncertainty associated with particular financial statement items. The Standard cites as examples the provision for insurance claims in an insurance company, or for legal claims in the course of any entity’s business. The fact that these statement items are based on estimates that may contain a high degree of uncertainty may influence users’ assessments of materiality. This does not, however, cause the auditor to use different procedures for planning, or for evaluating misstatements in these areas. Considering the needs of users. Financial statement users are a diverse group that may include management, owners, employees, and creditors, among many others. Auditors consider the needs and perceptions of intended users of the financial statements in making judgments about materiality. SAS 107 makes two important comments about financial statement users. The first is that auditors consider the needs of users as a group, rather than individually, when considering the possible effects of a misstatement. Because the needs of individual users may vary greatly, it is not feasible for the auditor to consider, or to try to anticipate, the individual needs of every user. The second is that financial statement users need to take responsibility for intelligent use of the financial statements. Users are assumed to: Have appropriate knowledge of business and economic activities and accounting. Be willing to study the information in the statements with appropriate diligence. Understand that financial statements are prepared and audited to levels of materiality. Recognize that there are uncertainties inherent in the accounting estimates and judgments, and in future events. Top_Aud_09_book.indb 147 9/30/2008 8:18:35 AM 148 TOP AUDITING ISSUES FOR 2009 CPE COURSE Make appropriate economic decisions based on the financial statements. OBSERVATION One of the major philosophical thrusts of the new Risk Assessment Standards as a whole is to differentiate the auditor’s responsibilities from those of management and other financial statement users. This is part of a campaign to educate the public as to who is responsible for what in the process. Stories abound in which an auditor is sued by a financial statement user who failed to read or understand the statements, and made a decision that they would not have made if they had actually read the statements, or for something that the auditor could not reasonably have foreseen as a need. This Standard puts forth clear language that aims to head off such claims by making users responsible for exerting reasonable effort to understand the statements and making reasonable judgments. STUDY QUESTIONS 7. SAS 107 makes all of the following assumptions relating to financial statement users except: a. Financial statement users are willing to study the statements with appropriate diligence. b. Financial statement users have appropriate knowledge of business and economic activities and accounting. c. The individual needs of all financial statement users have been considered by the auditor. d. Financial statement users recognize that there are uncertainties inherent in the accounting estimates and judgments used in preparing the financial statements. SAS 107 defines two types of misstatements: known and likely. The concept of known misstatements is unchanged from previous literature. They are simply the “hard differences” identified in the audit process. The concept of likely misstatements is not new, but it has taken on more importance. Likely misstatements are those that are identified either by projecting the results of a sampling application to an entire population, or by quantifying a difference between a recorded estimate and the auditor’s best judgment. These are often referred to in practice as “soft differences.” Under the new Standard, likely misstatements need to be considered and evaluated, aggregated, and when not corrected by the client, carried forward to the summary of uncorrected misstatements. Known and likely misstatements. Top_Aud_09_book.indb 148 9/30/2008 8:18:35 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 149 EXAMPLE The most common example of determining likely misstatements is in audit sampling. If the auditor sampled 20% of the accounts receivable balance and found total misstatements of $2,000 (the known misstatements), the auditor could project this misstatement to the account balance as $10,000 (the likely misstatements)—$2,000 divided by 20%. The likely misstatements of $10,000 include the known misstatements of $2,000 because the known misstatements are projected to the total accounts receivable balance. However, if the client corrects the known misstatements of $2,000, then the likely misstatements would be only $8,000 ($10,000 - $2,000). Another example of determining likely misstatements is in accounting estimates. When the client records depreciation expense at $ 25,000, but the auditor determines that a more reasonable range for this estimate should be $28,000 to $30,000, the likely misstatement is $3,000 ($28,000 – $25,000) which is the difference between the recorded amount and the closest amount in the reasonable range calculated by the auditor. OBSERVATION SAS 107 places more responsibility on auditors to critically evaluate “soft differences.” In the past, these misstatements were often given slight consideration, and dismissed as acceptable differences in judgment, or in the case of sampling differences as abstract statistics that the auditor “can’t really prove.” Implicit in this philosophical shift is a perception that auditors, in the past, might have allowed significant misstatements to pass without comment, simply for lack of giving them full consideration. SAS 107 aims to plug this gap by requiring that “likely misstatements” be considered both individually and in the aggregate, and qualitatively as well as quantitatively. Misstatements may consist of: Inaccuracies in gathering or processing the data from which the statements are prepared. Differences between recorded amounts, classifications, or presentations and those that should reported under GAAP. Omissions of financial statement elements, accounts or items, or disclosures. Disclosures that are not prepared in conformity with GAAP. Incorrect accounting estimates arising from oversight or misinterpretation of facts. Judgments by management in the selection or application of accounting policies, or in accounting estimates that the auditor may consider inappropriate or unreasonable. Causes of misstatements. Top_Aud_09_book.indb 149 9/30/2008 8:18:35 AM 150 TOP AUDITING ISSUES FOR 2009 CPE COURSE Misstatements arise either unintentionally, that is, by error, or intentionally by fraud. Misstatements caused by fraud come in two categories: fraudulent financial reporting and misappropriation of assets. Qualitative Aspects of Materiality SAS 107 discusses both quantitative and qualitative aspects of materiality. Some misstatements are more important than others, regardless of their amount. One of the most important qualitative aspects to be considered is the possibility of fraud. When an auditor uncovers evidence that suggests fraud, the implications for the integrity of management or employees and effects on other aspects of the audit should be considered regardless of the quantitative materiality of the misstatement. This often implies that further audit procedures will need to be performed. Other qualitative aspects of misstatements that can make them material even though they do not meet the quantitative threshold are those that cause a change in a key measure within the financial statements, such as a small misstatement that changes net income to a net loss, or that changes a key ratio such that the client is in violation of a loan covenant. While auditors have no responsibility to design or perform audits to detect immaterial misstatements, they do have a responsibility to evaluate detected misstatements for qualitative as well as quantitative aspects. Qualitative aspects of materiality cannot be evaluated until a misstatement is detected. This is because of the wide range of possible qualitative implications for any misstatement, depending not only upon the misstatement itself, but upon circumstances and user perceptions. For this reason, while auditors always consider the qualitative aspects of detected misstatements, it is not usually feasible to design procedures specifically to detect misstatements that are qualitatively material. Methods of Determining Materiality SAS 107 avoids prescribing any particular formula or method for determining materiality. It discusses the quantitative determination as a process that usually involves applying a percentage to a chosen benchmark within the financial statements. It offers as examples of benchmarks: Total revenues. Gross profit. Pre-tax profit from continuing operations. Net assets. Selection of an appropriate benchmark or percentage involves a great degree of professional judgment, taking into account such factors as: The elements of the particular financial statements, and the financial statement measures defined in GAAP. Top_Aud_09_book.indb 150 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 151 Particular financial statement items that may be the focus of users’ interest. The client’s industry and environment. The client’s size, nature of ownership and the way it is financed. EXAMPLE In most profit-making businesses, some measure related to revenue is usually an appropriate benchmark for the materiality determination because users of the financial statements are most concerned with revenue and profitability. However, an auditor of a company that is running near breakeven or at a loss would not usually choose a measure like pre-tax profit for the materiality benchmark because it would create an artificially low materiality level. This would cause an inefficient audit because audit tests would be scoped at a very low dollar amount and therefore would likely take in many more test items than necessary. A more appropriate benchmark in this case might be gross revenues or total assets. In privately-held corporations, it is common practice for owners to draw out significant amounts of profit in salary. Using pre-tax profit as a materiality benchmark would, in this case, create the same problems as in a break-even corporation. In this case, it might be better to add owners’ compensation back to the pre-tax profit to arrive at a benchmark. Some businesses are in volatile industries or economic environments, and may routinely experience marked swings in profitability. Using a benchmark based on current year’s profits may lead to a materiality level that is either so low as to create an inefficient audit, or so high that it fails to reduce the auditor’s detection risk to an acceptably low level, and thus renders the audit ineffective. In this case, an auditor might decide that a benchmark based upon an average profit over several years is more representative of the client’s true activity levels. Some business entities, such as real estate investment companies or mutual funds are more concerned with total assets or net assets than with revenue. An asset-based materiality benchmark may work better for these businesses. In non-business entities, such as governments or nonprofit organizations, generating a profit is not the entity’s objective. Auditors of these types of entities often choose gross revenues or total assets as a benchmark. Materiality for the Financial Statements as a Whole Materiality for the financial statements as a whole is the maximum amount that the financial statements could be misstated and still fairly present the overall financial statements. The auditor’s estimate of materiality requires professional judgment, based on the understanding of the client’s business and the specific circumstances of the engagement. When establishing the Top_Aud_09_book.indb 151 9/30/2008 8:18:36 AM 152 TOP AUDITING ISSUES FOR 2009 CPE COURSE overall audit strategy, the auditor should determine materiality for the financial statements taken as a whole. OBSERVATION The subjectivity that surrounds materiality determination has led some to draw parallels between it and pornography: It is impossible to codify a definition or standard that covers all possible circumstances. Well-intentioned people may have widely differing opinions of what it is or is not in any particular circumstance. Individuals immediately recognize what it is or is not according to their own standards in any particular circumstance. As a part of the Risk Assessment Standards’ philosophical thrust, SAS 107 carves out distinctions between the responsibilities of auditors and financial statement users. One point is that users need to understand that financial statements are prepared and audited to levels of materiality. This comparison, however frivolous it may sound, may help de-mystify the concept of materiality for non-accountants. Common misconceptions. One prevalent misconception under the old Standards was that establishing a materiality level in the planning stages of the audit sets a threshold below which misstatements are always considered to be immaterial. This is was not the case then, and is not the case under SAS 107. Some identified misstatements may be deemed to be material even when they are below established thresholds. Another common misconception is that once an auditor sets materiality levels in the planning phase, they must be used in evaluating the audit results at the end of the engagement. This is not true. Because auditing is a process of discovery, an auditor’s judgment about what is material may well change in light of unanticipated circumstances between the planning and final stages of an engagement. If a lower level of materiality than that envisioned in audit planning is deemed appropriate by the end of the audit, the auditor should reconsider the related levels of tolerable misstatement and the adequacy of the nature, timing, and extent of the audit procedures performed. Tolerable misstatement. Tolerable misstatement (sometimes called tolerable error) is the maximum monetary misstatement the auditor can accept at the account balance or class of transactions level without causing the financial statements to be materially misstated. Tolerable misstatement is the next level of materiality below the financial-statement-as-a-whole level. The underlying theory is that misstatements less than the materiality amount determined at the financial statement level could possibly exist, and could lead in the Top_Aud_09_book.indb 152 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 153 aggregate to material misstatement at the financial statement level. For this reason, auditors set one or more levels of tolerable misstatement, lower than the materiality level for the statements as a whole. Many auditors calculate these as percentages of materiality, and may apply different percentages for significant classes of transactions, account balances, disclosures, or other components of financial statements. The objective of “fragmenting” the overall materiality amount is to set the precision levels for the significant financial statement components low enough so that the risk that the total of undetected misstatements, detected misstatements, and judgmental differences from all audit areas will exceed materiality is acceptably low. EXAMPLE An auditor may set materiality for the financial statements as a whole at $100,000. Seeing that sales and costs of sales are the largest items in the statements, and considering them to be at a relatively high risk of misstatement, the auditor might set tolerable misstatement for these transaction classes at $25,000, based upon professional judgment about the level of risk and possible nature of misstatements. Tolerable misstatement for other significant financial statement areas might be set at different levels. Materiality for other lesser amounts. Auditors should also consider whether misstatements of particular items of lesser amounts than the materiality level determined for the financial statements as a whole could reasonably be expected to influence users’ decisions about the financial statements. These amounts represent lower materiality levels to be considered in relation to those particular items. The views of management or those charged with governance may be taken into account in making this determination. Other factors to consider include: Accounting standards, laws and regulations, and the effect they might have on users’ expectations about the measurement or disclosure of particular items. SAS 107 cites related party transactions and management compensation as examples. Key industry-related disclosures, such as research and development costs for a pharmaceutical company. Whether the financial performance of a particular segment of the business, such as a subsidiary or division that is separately disclosed, is of special concern to users. Top_Aud_09_book.indb 153 9/30/2008 8:18:36 AM 154 TOP AUDITING ISSUES FOR 2009 CPE COURSE STUDY QUESTIONS 8. Which of the following benchmarks would likely be the most appropriate to use in determining materiality for a consistently profitable, closelyheld corporation in which the owners draw out substantial amounts of compensation? a. b. c. d. Pre-tax income before owners’ compensation. Pre-tax income. Average net income over the past three years. Retained earnings. Communicating Misstatements to Management SAS 107 places increased emphasis on auditor-client communication about misstatements. Auditors have an unconditional requirement to communicate all known and likely misstatements to the appropriate level of management, other than those that are trivial. This requirement adds emphasis to the concept of communicating likely as well as known misstatements. This Standard also imposes a host of presumptively mandatory requirements which, when taken together, signify the importance that the Auditing Standards Board places on auditor-client communication. Among those are requirements that: This communication should distinguish between known and likely misstatements. Auditors should request that management correct all known misstatements, including the effects of prior period misstatements. Auditors should request that management examine a class of transactions, balance, or disclosure to identify misstatement when the audit identifies material likely misstatements from a sample. The auditor should request that management reevaluate the assumptions and methods used in developing an accounting estimate when the audit identifies a likely misstatement involving estimates. Once management has examined transaction classes, balances, or disclosures, the auditor should reevaluate the amount of likely misstatement and, if necessary, perform further audit procedures. The auditor should obtain an understanding of management’s reasons for not correcting known and likely misstatements, and should take that understanding into account when considering the qualitative aspects of the client’s accounting practices and the implications for his or her report. Top_Aud_09_book.indb 154 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 155 OBSERVATION SAS 107 places emphasis on more comprehensive and in-depth communication between the auditor and management on the subject of misstatements. Part of the reason for this is to educate or inform clients more thoroughly, so that they can take responsibility for the misstatements, and for correcting them. Note, for example, that the Standard requires the auditor to request management to examine and reevaluate, rather than simply to calculate an audit adjustment and give it to the client. Clearly, under the new standard, it would not be acceptable, except perhaps in audits of very small entities with very few adjustments, to do nothing more about misstatements than to hand the client a sheet of adjusting entries at the end of the audit. This fosters the notion that it is the auditor, and not the client who “owns” the adjustments, which is contrary to the philosophical direction that the Risk Assessment Standards as a whole are taking. STUDY QUESTIONS 9. SAS 107 requires auditors to communicate only “hard differences” or known misstatements to management. True or False? Evaluating Audit Findings Audit findings are evaluated at the level of individual findings, adjustments, and differences, which generally takes place at the “workpaper” level, and at the level of the financial statements taken as a whole. Evaluating audit findings, adjustments, and differences. Evaluating the findings of the audit procedures and documenting conclusions are important aspects of the audit process. A major step in this process is summarizing the misstatements and judgmental differences uncovered in the audit. Misstatements should be summarized in a way that enables the auditor to consider their effects on individual amounts, subtotals, or totals in the statements, in order to help the auditor consider whether their effects, either individually or in the aggregate, materially misstate the financial statements. This is a two-step process. Before considering the misstatements in the aggregate, the auditor considers them individually to evaluate: Their effect on individual balances, transaction classes, or disclosures. Whether it is appropriate to offset misstatements. The effects of prior period uncorrected misstatements. Top_Aud_09_book.indb 155 9/30/2008 8:18:36 AM 156 TOP AUDITING ISSUES FOR 2009 CPE COURSE OBSERVATION Considering the effects of prior period misstatements is important because they can affect current period income or can accumulate on the balance sheet over time. There are three acceptable methods of doing this: Considering the effect of all current and prior period misstatements that flow through the current period’s income statement. Considering the cumulative effect on the ending balance sheet. Applying both approaches and recording adjustments if either indicates the need to do so. During evaluation, the auditor’s judgment about whether misstatements are material may be influenced by two factors. Types of misstatements. Misstatements can result from errors or fraud and may consist of differences in amounts, classifications or presentation, omissions, improper estimates or accounting policies, or inaccurate data. Auditors should consider not only the nature and amounts of the misstatements corrected by management but also the uncorrected misstatements and misstatements in accounting estimates. SAS 107 cautions auditors to be alert for patterns in the types of misstatements discovered and the circumstances of their occurrence, and to consider whether other material misstatements might exist. Material misstatements do not usually occur in a vacuum, and auditors should avoid drawing facile conclusions that detected misstatements are isolated occurrences. Qualitative characteristics. The auditor should not rely exclusively on quantitative benchmarks to determine whether an item is material. A numerical threshold may provide the basis for a preliminary assumption that an amount is unlikely to be material; however, it is not a substitute for a full analysis. Certain misstatements may have significance even though the dollar amount may not be as large as the auditor typically would assume to be material. Therefore, the nature of the misstatement will help the auditor determine the potential for additional misstatements of a similar type and the need for changes in audit procedures. Some of these qualitative factors may include errors versus fraud, considerations of contractual obligations, and effects on earnings trends. An illegal payment of an otherwise immaterial amount may take on significance if there is a reasonable possibility that it could lead to a material contingent liability or loss of revenue. It also may have implications for management’s integrity. The sheer volume of qualitative considerations that SAS 107 lists is a clear indication that they are important in evaluating audit findings. Among those factors are: Top_Aud_09_book.indb 156 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 157 The potential effect of a misstatement on trends such as profitability. A misstatement that changes a net income to a net loss or vice versa. The potential effect of the misstatement on contractual compliance Regulatory or statutory reporting requirements that affect materiality thresholds. A misstatement that masks a change in important trends. A misstatement that affects management’s compensation. Misstatements involving sensitive circumstances such as fraud or conflicts of interest. The significance of the financial statement element that is misstated. The effects of misclassifications, such as between operating and nonoperating income, or current and non-current assets or liabilities. The significance of the misstatement to a reasonable user. Management’s motivations with respect to misstatements. The existence of material, but different, offsetting misstatements. The likelihood of a currently immaterial misstatement becoming material over time through cumulative effects. The cost-benefit considerations in making the correction. The risk that further undetected misstatements exist that might influence the auditor’s evaluation. As the audit progresses, auditors may need to reconsider the levels of materiality established to set the overall scope of the audit. This may be particularly important when significant misstatements are discovered. Evaluating the financial statements as a whole. SAS 107 requires auditors to evaluate whether the financial statements as a whole are free of material misstatement. This involves both quantitative and qualitative considerations and requires the use of professional judgment. As the aggregate effect of uncorrected misstatements approaches materiality, auditors should consider whether further undetected misstatements exist. If this risk is unacceptably high, they should perform additional procedures to support the audit opinion or should satisfy themselves that the entity has adjusted the financial statements to reduce audit risk to an appropriately low level. If auditors believes that the financial statements taken as a whole are materially misstated, they should request that management make the necessary corrections. If management refuses to make the corrections, they must determine the implications for their report. Top_Aud_09_book.indb 157 9/30/2008 8:18:36 AM 158 TOP AUDITING ISSUES FOR 2009 CPE COURSE STUDY QUESTIONS 10. Which of the following statements best applies, under SAS 107, to the auditor’s consideration of the qualitative characteristics of misstatements? a. Auditors may rely solely on quantitative benchmarks to assess whether an item is material. b. The likelihood of a currently immaterial misstatement becoming material to future periods through cumulative effects should not be considered. c. Certain misstatements may have significance even though they do not exceed quantitative thresholds for materiality. d. A misclassification between current and non-current assets is not a qualitatively significant misstatement. PLANNING AND SUPERVISION SAS 108, Planning and Supervision, places significant importance on audit planning. Audit planning entails developing an overall audit strategy for the engagement. Audit strategies will vary according to the client’s size and complexity, and the auditor’s experience and understanding of the client and its environment, including its internal control. The auditor with final responsibility for the audit (hereinafter referred to as the “audit partner”) may delegate portions of the planning process to other firm personnel. Planning is an ongoing process throughout the engagement. Because auditing is a process of discovery, it is not always possible to anticipate a full range of appropriate audit procedures. Therefore, the audit strategy, and the more detailed audit plan should change to respond to changed circumstances in the audit. Establishing an Understanding with the Client SAS 108 requires the auditor to establish a written understanding with the client regarding the services to be performed. It lists four required elements for an engagement letter and numerous others that are either “generally included” or that “may also be included.” The four presumptively mandatory elements of an audit engagement letter are: The objectives of the engagement. Management’s responsibilities. The auditor’s responsibilities. Limitations of the engagement. Required elements. Top_Aud_09_book.indb 158 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 159 Generally included elements. The following elements are not required content, but they may reduce the risk that either the client or the auditor might misinterpret the other’s needs or expectations in the audit. Consistent with one of the Risk Assessment Standards’ general philosophical objectives, they also help to define a brighter line between client responsibility and auditor responsibility. Management is responsible for: The financial statements and the selection and application of accounting policies. Establishing and maintaining effective internal control over financial reporting. Designing and implementing programs and controls to prevent and detect fraud. Identifying and assuring compliance with applicable laws and regulations. Making all financial records and related information available to the auditor. Providing a written representation letter at the end of the audit. Adjusting the financial statements to correct material misstatements. Affirming in the representation letter that uncorrected misstatements are immaterial. The auditor is responsible for: Expressing an opinion on the financial statements. Conducting the audit in accordance with generally accepted auditing standards (GAAS), including the facts that: Those standards require that the auditor obtain reasonable but not absolute assurance about whether the statements are free of material misstatement. Material misstatements may remain undetected. The audit is not designed to detect immaterial errors or fraud, or to detect significant deficiencies in internal control or to provide assurance on internal control. The auditor may decline to express an opinion or issue a report if, for any reason, the audit cannot be concluded or an opinion formed. Obtaining an understanding of the client and its environment sufficient to assess the risk of material misstatement and plan the audit. Communicating significant deficiencies in internal control to those charged with governance. Preliminary Engagement Activities At the beginning of the audit engagement, the auditor should perform procedures relating to the continuance of the client relationship and the specific audit engagement, and should evaluate the auditing firm’s compliance with ethical requirements. These procedures include consideration of: Top_Aud_09_book.indb 159 9/30/2008 8:18:36 AM 160 TOP AUDITING ISSUES FOR 2009 CPE COURSE Independence. Management integrity. Whether an understanding about the terms of the engagement has been reached. Ordinarily these initial procedures should be performed before other significant audit activities. As conditions and circumstances change during the course of the audit, the auditor should continue to consider the client continuance and ethical requirements. Overall Audit Strategy and the Audit Plan The overall audit strategy is the broad approach regarding how the audit will be conducted. The audit plan is a more detailed map that describes the nature, timing, and extent of audit procedures to be performed. The overall audit strategy and developing the audit plan are not necessarily separate activities. Changes in one may result in changes to the other. OBSERVATION Overall audit strategy and audit plan are new terms in professional literature. Previous standards referred to them as the audit approach and the audit program. Their meaning is unchanged. Overall audit strategy. Developing an audit strategy helps the auditor determine audit staffing, including the timing and management of audit activities. In connection with establishing the overall audit strategy for the audit, SAS 108 requires the auditor to address: Characteristics of the engagement, including the basis of reporting, industry specific requirements, and client locations Reporting objectives of the engagement, including deadlines, and dates for expected communications.: Significant factors affecting the audit team’s efforts, including: Materiality levels. Audit areas with higher risks of material misstatement. Material locations. Material account balances. Evaluation of the planned extent of internal control tests, if any. Recent significant entity-specific, industry, financial reporting, or other relevant developments. Results of preliminary engagement activities, such as issues with management integrity or ethical and independence requirements. Changes in circumstances that could require significant revisions to the overall audit strategy. Top_Aud_09_book.indb 160 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 161 OBSERVATION SAS 108 notes that small audits do not require a complex strategizing exercise or document, and states that a brief narrative memorandum is sufficient. Audit plan. After establishing an audit strategy, the auditor is ready to develop a more detailed audit plan to address the matters identified in the audit strategy and to achieve audit objectives. This audit plan is what used to be called the “audit program.” SAS 108 requires the audit plan to include descriptions of: The nature, timing, and extent of planned risk assessment procedures sufficient to assess the risks of material misstatement. The nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and disclosure. The auditor should provide a clear linkage between the understanding of the entity, the risk assessments, and the design of further audit procedures. Other audit procedures to be performed to comply with GAAS, such as direct communication with the company’s attorney. The auditor should update and document any significant revisions to the original audit plan to respond to changes in circumstances. STUDY QUESTIONS 11. Which of the following statements best applies to SAS 108’s requirements for the audit plan? a. The original audit plan must not be altered or revised once it has been established. b. The audit plan should include a description of the nature, timing, and extent of planned risk assessment procedures. c. The audit plan should not discuss linkage between the understanding of the entity, the risk assessments, and the design of further audit procedures. d. The audit plan should include a description of the nature, timing, and extent of planned further audit procedures to be applied only at the level of the financial statements taken as a whole. Discussions with Management and Those Charged with Governance SAS 108 encourages auditors to discuss elements of audit planning with the client’s management and with those charged with governance. These discussions generally include the overall audit strategy, timeline for performing the Top_Aud_09_book.indb 161 9/30/2008 8:18:36 AM 162 TOP AUDITING ISSUES FOR 2009 CPE COURSE audit and issuing the audit report, coordination of certain procedures (e.g., inventory observation) with the client’s personnel, and preparation of audit schedules by the client. While this communication facilitates the conduct of the audit, SAS 108 cautions auditors to not divulge sensitive detailed audit procedures that might jeopardize audit effectiveness by making audit procedures too predictable. Additional Procedures for Initial Audits Because the auditor generally lacks any previous experience with the client, management, and those charged with governance, new audits require additional procedures. Among these are requirements for the auditor to: Perform procedures regarding the acceptance of the client and the engagement. Establish controls for deciding whether to accept a client relationship and perform a specific engagement, in order to: Minimize the likelihood of association with a client whose management lacks integrity. Provide reasonable assurance that the firm undertakes only those engagements that can be completed with professional competence. Assure that the auditor considers the risks associated with providing professional services in the particular circumstances. Communicate with the previous auditor, where applicable. In developing the overall audit strategy and audit plan for an initial audit, the auditor should consider additional matters including: Arrangements to be made with the predecessor auditor. Any major issues discussed with management or those charged with governance involving the initial selection as auditors and how these issues affect the overall audit strategy and audit plan. The planned procedures to obtain audit evidence regarding opening balances. The assignment of personnel possessing the appropriate characteristics and qualifications to enable them to perform competently and to successfully execute the engagement. Other procedures required by the firm’s quality control system for initial audit engagements. Supervision Assigning the appropriate staff to the engagement and directing the efforts of assistants are important to meet GAAS and to promote audit efficiency. Supervision also involves reviewing the audit effort and related audit judgments made by assistants to determine whether they are appropriate. SAS 108 indicates that elements of supervision include: Top_Aud_09_book.indb 162 9/30/2008 8:18:36 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 163 Instructing assistants. Staying abreast of significant issues encountered during the audit. Reviewing the work performed by assistants to determine that it is adequate and that the results are consistent with the conclusions to be presented in the auditor’s report. Dealing with differences of opinion among firm personnel. The timing and nature of supervision provided to assistants will vary greatly depending upon the assistants’ experience and training, and the characteristics of the engagement. Discussions and communications with assistants. SAS 108 requires cer- tain communications with assistants in every audit. The engagement partner should communicate to members of the audit team: The susceptibility of the financial statements to material misstatement due to error or fraud. The need to maintain a questioning mind and to exercise professional skepticism. The need to bring to the attention of the engagement partner significant accounting and auditing issues raised during the audit. The need to bring to the attention of appropriate individuals in the firm difficulties encountered in performing the audit. Their responsibilities and the objectives of audit procedures to be performed. Matters that may affect the nature, timing, and extent of audit procedures to be performed. OBSERVATION Reviews of audit documentation and financial statements are indispensable supervisory procedures. It is difficult, however, to supervise effectively without the engagement partner’s involvement in all phases of the audit. This involvement keeps the audit team focused on the big picture and significant audit issues, helps avoid inefficient or ineffective auditing procedures, and compensates for overauditing or underauditing tendencies on the part of the assistants. Reviewing the work of assistants. SAS 108 requires the work of each assistant, including the audit documentation, to be reviewed to determine whether it was adequately performed and documented and to evaluate the results relative to the conclusions that will be presented in the auditor’s report. SAS 108 provides only general guidance on this subject. Therefore, practices for reviewing engagements will vary depending on the size of the firm Top_Aud_09_book.indb 163 9/30/2008 8:18:37 AM 164 TOP AUDITING ISSUES FOR 2009 CPE COURSE and the complexity of the engagement. The review of work performed by assistants is ordinarily conducted by the engagement partner. However, SAS 108 indicates that parts of the review may be delegated to other assistants. The primary objectives of the review are to determine whether: The audit has been appropriately planned. The scope of the audit is sufficient to support the auditor’s opinion on the financial statements. The audit has been conducted in accordance with firm and professional standards. Technical differences of opinion are addressed and documented in accordance with professional standards. The accounting and auditing issues have been evaluated properly and the financial statements meet accepted standards of presentation and disclosure. The firm’s audit report is appropriate. OBSERVATION Supervisory auditors often ask whether they need to initial every workpaper in the file as evidence of their review. Neither SAS 108 nor SAS 103 make this specific requirement. However, the documentation should specify which workpapers were reviewed and by whom. There are many methods of doing this. The documentation might take the form of a narrative memorandum, or a sign-off on the workpaper index, indicating which sections were reviewed by whom. STUDY QUESTIONS 12. Which of the following matters should the engagement partner communicate to audit assistants under the requirements of SAS 108? a. The assistant’s responsibility to bring to management’s attention accounting issues raised during the audit that the assistant believes are significant to the financial statements. b. The need to bring to the engagement partner’s attention client-imposed restrictions on access to information necessary to perform the audit. c. The need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating audit evidence throughout the audit. d. The time budget for performing assigned audit procedures. Top_Aud_09_book.indb 164 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 165 Differences of professional opinion may occur during an audit. Each assistant has a professional responsibility to voice concerns about, and bring to the attention of appropriate individuals in the firm, any disagreements or concerns with respect to significant accounting and auditing issues. Both the engagement partner and assistants should be aware of the procedures to be followed when such differences of opinion exist. Procedures should allow assistants to document their positions if they disagree with the way a particular accounting or auditing issue was resolved. When differences of opinion remain and an assistant decides to disassociate from the resolution, SAS 108 requires that the basis for the final resolution be documented. Once this is done, an assistant who disagrees with the resolution of a particular accounting or auditing issue has met the requirements of professional standards and, therefore, has no further responsibility for related decisions made by supervisory personnel. The ability to dissociate is a key protection that professional standards provide for professionals who have unresolved differences of opinion. Differences of opinion. OBSERVATION In the wake of the well-publicized audit failures of the last decade, methods of handling differences of professional opinion within an audit team have come to the forefront as a serious concern from a personnel management as well as an engagement performance standpoint. In the past, some audit firms maintained an informal culture, often at odds with the formal statements in their quality control policies and procedures, that actively discouraged divergent opinions within an audit team, and even informally sanctioned dissenters. It is now more important than ever that firms maintain a positive “tone at the top,” which holds as honorable the expression of differences of professional opinion, and which protects those who express such differences from reprisal. Many firms, particularly larger ones, have gone so far as to establish special communication channels outside their normal “chains of command,” similar to some of the federal whistleblower hotlines, to enable audit assistants who believe that their differences of opinion have not been satisfactorily resolved to communicate their concerns directly to senior firm management. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, positions obtaining an understanding of the entity and its environment, including its internal control, as an essential part of the auditor’s risk assessment process. Top_Aud_09_book.indb 165 9/30/2008 8:18:37 AM 166 TOP AUDITING ISSUES FOR 2009 CPE COURSE The Role of Risk Assessment Procedures Auditors should assess risk by performing inquiries of management and other client personnel, analytical procedures, and by observation and inspection. It is not necessary to perform each of these procedures for every aspect of the risk assessment. However all of the procedures should be performed during the process of obtaining the required understanding. Inquiries of management and persons responsible for financial reporting can yield much of the information necessary for the audit. It is important not to limit these inquiries to financial management personnel. Deciding who to ask, and the exact nature and extent of the inquiries is a matter of professional judgment. Auditors should consider what information would aid in identifying risks of material misstatement. Inquiries might also be directed to: Persons charged with governance. Internal auditors. Employees involved in initiating, recording, or processing unusual or complex transactions. In-house legal counsel. Operating personnel who are not directly involved in financial reporting. Persons outside of the entity such as legal counsel or valuation experts. Inquiries of management and others. Analytical Procedures. Analytical procedures are useful in considering the risk of material misstatement because they highlight unexpected or unusual relationships, transactions, balances and events within the financial statements. When using analytical procedures in connection with risk assessment, auditors should: Develop expectations about relationships that might plausibly exist. Compare the results of the analytical procedures to those expectations. Consider unusual or unexpected relationships in identifying risks of material misstatement. Analytical procedures performed at a high level of aggregation, such as those usually applied in the planning and final review stages of an audit, often give only broad indications of whether material misstatements exist. Analytical procedures at a more microscopic level, such as a gross profit test by location or by product line, or by shorter periods such as a month, may have a greater chance of detecting a misstatement. Auditors should, therefore, consider the results of analytical procedures in connection with other information obtained in identifying the risks of material misstatement. Observation and inspection provides information about the client and its environment, and may also corroborate information gained through inquiries. Normally, it involves: Observation and inspection. Top_Aud_09_book.indb 166 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 167 Observing the client’s activities and operations. Inspecting documents. Reading reports prepared by management, internal auditors, or persons charged with governance. Visiting the client’s facilities. Tracing transactions through the information system. When using information from prior periods, such as internal control evaluations, the auditor should make inquiries and perform audit procedures such as walk-throughs to ascertain whether that information has changed. Fraud risk. Auditors should consider the fraud risk assessment in connection with other information gathered, and whether it calls for an overall response, a response that targets particular account balances, transaction classes, or disclosures at the relevant assertion level, or both. Discussion Among the Audit Team The engagement team should discuss the susceptibility of the financial statements to material misstatement. This discussion normally occurs during planning, and should be documented. The discussion should include the engagement partner and the key members of the audit team. This discussion is intended to: Help the audit team gain a better understanding of the potential for material misstatement due to fraud or error. Help audit team members understand how the results of the audit procedures they perform may impact other audit areas. Give more experienced team members an opportunity to share their knowledge about the entity. Enable team members to exchange information about the client’s business risk and the susceptibility of the financial statements to material misstatement. The exact content of the discussion; its participants and location or locations; and how and when it should take place are matters of professional judgment for the audit partner. It is not necessary for every member of the audit team to have a comprehensive knowledge of all facets of the audit. Critical issues should be covered, such as: Areas of significant audit risk. Areas susceptible to management override of controls. Unusual accounting procedures used. Significant control systems. Materiality at the financial statement and account levels. The effect of materiality on the scope of testing. Top_Aud_09_book.indb 167 9/30/2008 8:18:37 AM 168 TOP AUDITING ISSUES FOR 2009 CPE COURSE The entity’s application of generally accepted accounting principles. The risk of material misstatement due to fraud. Fraud risk factors. Audit responses to assessed fraud risks. The need to perform the audit with an attitude of professional skepticism, to be alert for and follow up on indications of material misstatements, and to exercise professional judgment. Normally, it is efficient for this discussion to occur concurrently with the discussion about fraud risk required under SAS 99. If the audit involves multiple locations, multiple discussions may take place. OBSERVATION SAS 109 acknowledges that some audits may be performed by one auditor. In this case, the auditor should document the consideration of the foregoing matters, and should consider whether other persons with specialized skills need to be involved. STUDY QUESTIONS 13. Which of the following statements best applies to SAS 109’s requirement that a discussion among the audit team take place in planning the audit? a. This discussion must occur concurrently with the discussion about fraud risk required under SAS 99. b. If the audit involves multiple locations, multiple discussions should take place. c. Every member of the audit team should have a comprehensive knowledge of all facets of the audit. d. This discussion should emphasize to members of the audit team the need to be alert for and follow up on indications of material misstatements. Understanding the Entity and Its Environment Auditors should gain an understanding of the pertinent industry, regulatory and other factors, such as: The competitive environment. Customer and supplier relationships. General economic conditions. The political and legal environment. The regulatory environment. Technological developments. External factors. Top_Aud_09_book.indb 168 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 169 A client’s industry may be subject to particular risks of material misstatement due to the nature of its business, government regulation or other external factors. If so, auditors should consider whether the audit team has the expertise to address these matters. Auditors should gain an understanding of their client’s nature in order to understand the classes of balances, transactions, and disclosures that will appear in the financial statements. Many characteristics make up this nature. They may include attributes of its: Operations. Ownership, including the structure of the ownership and whether it has complex characteristics that may increase the risk of material misstatement. Governance. Financing. Management. Key personnel. Related party transactions. Nature of the entity. Business operates in a context of industry, regulatory and other internal and external factors. Within this context a client defines overall plans for its business. These are its objectives. Strategies are management’s operational approaches toward achieving those objectives. The concept of business risk includes, but is broader than, the risk of material misstatement to the financial statements. Although auditors do not have to identify or assess every business risk, a solid understanding of business risk greatly increases the likelihood of identifying risks of material misstatement. Business risk can arise from: Setting inappropriate objectives or strategies. Conditions or events that adversely affect an entity’s ability to reach its objectives or to execute its strategies. Change or the failure to recognize a need to change. Complexity. Objectives, strategies and related business risks. EXAMPLE SAS 109 illustrates the relationship of business risk to the risk of material misstatement with the example of a competitor that has brand recognition and economies of scale entering a new marketplace. This causes a business risk to existing manufacturers’ ability to command retail shelf space and to compete on price. The risks of material misstatement to the existing manufacturers’ statements, in this case, include inventory obsolescence, or excess production of inventory that would have to be sold at a discount. Top_Aud_09_book.indb 169 9/30/2008 8:18:37 AM 170 TOP AUDITING ISSUES FOR 2009 CPE COURSE Most business risks have financial consequences, but not all risks give rise to the risk of material misstatement Consideration of whether a business risk leads to the risk of material misstatement is made within the context of the entity’s circumstances. OBSERVATION Smaller entities often do not have formal plans, processes or documents for their objectives and strategies, or for the management of business risks. In this case, auditors can obtain the required understanding by inquiries of management and observations of its responses to such matters. Measurement and review of financial performance. Performance measures and their review signal the aspects of the client’s performance that are the most important to management and others. They also create pressures that may give management incentives either to improve performance or to misstate the financial statements, such as to “pump up” quarterly earnings to meet analysts’ expectations. For these reasons, auditors should understand how an entity measures and reviews its financial performance. Management’s review of performance measures is intended to assess whether the entity’s performance meets the objectives set by management, or by outside parties such as lenders. It is different from the monitoring of internal controls, which is concerned with the effective operations of those controls. In setting performance measures, management may use both internallygenerated and external information. Internal measures, such as budgets, departmental information, or comparisons with competitors may signal a need to take corrective actions. They may also indicate to the auditor the possibility of material misstatement. An unusually rapid growth or high profitability, combined with performance-based management bonuses may, for example, indicate a risk of management bias in financial statement preparation. External performance measures may provide useful perspectives for the auditor’s understanding of the client and its environment. These may include such information as analysts’ or credit rating agencies’ reports. When using internally generated information for the audit auditors should be careful to consider whether that information provides a reliable basis and is sufficiently precise to detect material misstatements. Top_Aud_09_book.indb 170 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 171 OBSERVATION Even though smaller entities often lack formal processes to measure or review financial performance, management often relies on certain key indicators for evaluating performance and taking action. These may be based on management’s knowledge, experience or even intuition. Auditors are well-advised to ask about the existence of such indicators, and to consider their implications for the audit. Internal Control SAS 109 discusses internal control within the context of the COSO framework. It stresses that the auditor’s primary consideration is whether, and by what means, a particular control prevents, or detects and corrects material misstatements at the relevant assertion level. Toward this end, auditors may use frameworks or terminology other than the COSO model, as long as all of the components described in SAS 109 are addressed. Auditors should also develop an understanding of how the client selects and applies its accounting policies and should consider their appropriateness. This understanding should include: Methods of accounting for significant and unusual transactions. Effects of significant accounting policies in emerging or controversial areas. Identification of pertinent new financial reporting standards and regulations. Changes in accounting policies, including consideration of the reasons for, and the appropriateness of the changes. SAS 109 also states that auditors should consider the financial statement disclosures, and whether they are appropriate in form, arrangement and content. This includes the terminology used, the level of detail presented, classification of items presented, and the bases of the amounts. Internal control components. SAS 109 states that auditors should gain an understanding of the five elements of internal control sufficient to assess risks of material misstatement in the financial statements caused either by fraud or by error, and to design the nature, timing, and extent of further audit procedures. The auditor should also perform risk assessment procedures to evaluate the design and implementation of controls relevant to the audit. The knowledge gained in this process should be used to: Identify types of possible misstatements. Consider factors affecting the risk of material misstatement. Design tests of control and substantive procedures. SAS 109 gives explicit consideration to smaller entities. It acknowledges that the design and implementation of internal control vary with an entity’s Top_Aud_09_book.indb 171 9/30/2008 8:18:37 AM 172 TOP AUDITING ISSUES FOR 2009 CPE COURSE size and complexity, and that smaller entities may use simpler, less formal processes and procedures to achieve their objectives. It also states that monitoring may be a less formalized process, because of owner-managers’ close daily involvement with the business. EXAMPLE In very small, owner-managed businesses, the owner may be actively involved in the financial reporting process, and thus may not have—and probably does not need—detailed written accounting policies. Similarly, efforts to categorize various control activities into the categories described by the COSO framework may not be particularly useful because ownermanagers often perform functions that in a larger entity would be considered as belonging to several of those elements. The fact that a tidy COSO-like categorization may not be possible does not negate the effectiveness or validity of these controls. Relevant controls. Internal control applies to the entire entity, including all of its business functions and operating units. Controls that are relevant to the audit, however, pertain to preparing the financial statements. An understanding of internal control pertaining to each unit and function, or an assessment of all controls may not be necessary when assessing the risk of material misstatement and designing and performing audit procedures. Auditors should focus, rather, on significant risks, and evaluate the design and implementation of the controls relevant to those risks. In so doing, auditors should consider the particular control component and factors such as: The client’s size. Materiality. The nature of the business. Organization and ownership characteristics. Complexity and diversity of operations. Legal and regulatory requirements. The nature and complexity of the systems that make up the internal control system. Use of service organizations. OBSERVATION It is not necessary to assess all controls in connection with assessing the risks of material misstatement and designing further audit procedures in response to those assessed risks. As long as the design and implementation of controls related to significant risks are evaluated, the decision of what controls to assess is left to the auditor’s professional judgment. Top_Aud_09_book.indb 172 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 173 EXAMPLE Clients usually have operational controls that do not directly relate to the audit, such as a production scheduling system. Ordinarily, these controls need not be considered in the audit. Controls over operations and compliance objectives may, however, be pertinent to the audit if they relate to information that may be evaluated or used in the audit procedures. The controls over nonfinancial data such as production statistics are relevant to the audit if that data is to be used in performing analytical procedures. Similarly, controls designed to detect noncompliance with income tax laws and regulations would likely have a direct and material bearing on the financial statements and therefore would be relevant to the audit. On the other hand, controls over production scheduling would not normally be relevant to the audit. The auditor’s understanding of internal control consists of evaluating the design of the control and determining if it has been implemented. In evaluating a control’s design, auditors consider whether it is capable of preventing, or of detecting and correcting material misstatements. Auditors should consider control design before considering implementation. This is an efficient audit approach because an ineffectively designed control will not work even if it is implemented, and thus need not be tested for implementation. An improperly designed control may, however, represent a significant deficiency in internal control. Auditors should consider communicating this to management and those charged with governance. Auditors should perform risk assessment procedures to gain an understanding of internal control. These may include: Inquiries of client personnel. Observation of the application of specific controls. Inspection of reports and documents. Tracing transactions through the financial reporting system. Depth of understanding. Inquiry alone, however, is not sufficient to evaluate the design of a control or to determine if it has been implemented. Neither is obtaining an understanding of controls sufficient, in itself, as a test of their operating effectiveness, unless they are automated controls operating within an environment of effective IT general controls. The extent to which a client uses manual and IT-based systems affects the five components of internal control relevant to its financial reporting, operational, or compliance objectives and its operating units and business functions. Manual and automated internal control elements. Top_Aud_09_book.indb 173 9/30/2008 8:18:37 AM 174 TOP AUDITING ISSUES FOR 2009 CPE COURSE In regard to automated elements, IT may be used as stand-alone systems that support specific activities, functions or business units, such as an accounts receivable system or a system that controls the operation of production equipment. These systems may not be integrated with other IT systems. Conversely, a client may have complex and highly integrated IT systems that share data and support the entire range of its financial reporting, operational and compliance objectives. Systems that employ IT may use automated procedures to initiate, authorize, record, process and report transactions. Electronic records typically replace paper documents in these systems. Controls in such systems are both automated and manual. There may, for example, be controls embedded in a computer program that report transactions over a specified size, but the follow-up on those transactions may be a manual process. IT generally provides the benefits of efficiency and effectiveness for internal control. IT systems, on the other hand, are not without their risks. It is particularly important with automated systems for auditors to understand how the incorrect processing of transactions is resolved. The system may, for example, generate exception reports, or create automated suspense files. Auditors should understand the follow-up procedures for exceptions or suspense items, and how overrides or bypasses to automated controls are processed and accounted for. Manual elements or systems employ manual procedures and generate paper records. Controls in these systems are also manual, and may consist of processes such as approvals, reviews, and reconciliations. Manual controls may be best suited in areas that require high degrees of judgment, such as: Large transactions. Unusual or nonrecurring transactions. Circumstances in which misstatements are difficult to define, predict or anticipate. Changing circumstances that require controls that are outside the scope or capability of existing automated controls. Monitoring the effectiveness of automated controls. On the other hand, manual controls are more susceptible to error than automated controls, and can be more easily bypassed or overridden. Because of the human element involved, manual controls cannot be assumed to be operating consistently. They may be less suitable than automated controls in situations involving high volume or recurring transactions, transactions in which errors can be anticipated and detected or prevented by automated parameters, or control activities where specific ways to perform the activity can be adequately automated. Effective systems of internal control are designed to give reasonable, not absolute assurance about the achievement of Limitations of internal control. Top_Aud_09_book.indb 174 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 175 the entity’s objectives. There are inherent limitations to any system of internal control, which include the realities that human judgment can be faulty, and that breakdowns in internal control can happen due to human error. Also, a properly designed and implemented system can be circumvented through collusion, or by inappropriate management override of controls. EXAMPLE Management may collude with customers to enter into undisclosed agreements that alter the terms and conditions of standard sales contracts, which in turn may lead to improper revenue recognition. Management may override controls by overriding or disabling edit checks in software programs to flag transactions that exceed specified limits. OBSERVATION Optimal segregation of duties may not be feasible in smaller entities because they have few employees. Nonetheless, some simple but effective controls can be implemented in key areas. For example, owner-managers of small businesses often have the bank statements mailed to their homes, and open them to look at deposits and canceled checks before handing them over to the bookkeeper. This action sends employees a message that the owner places importance on internal control. STUDY QUESTIONS 14. Which of the following statements best describes the relationship between business risk and the risk of material misstatement? a. All business risks have financial consequences that give rise to the risk of material misstatement. b. Most business risks have financial consequences, most of which give rise to the risk of material misstatement. c. The concept of business risk includes, but is broader than, the risk of material misstatement to the financial statements. d. As a part of assessing the risk of material misstatement, auditors should identify and assess every significant business risk. Assessing Risks of Material Misstatement Auditors should identify and assess risks of material misstatement on both the financial statement level and the relevant assertion level for classes of transactions, balances, and disclosures. As a part of this process, they should: Top_Aud_09_book.indb 175 9/30/2008 8:18:37 AM 176 TOP AUDITING ISSUES FOR 2009 CPE COURSE Identify risks throughout the process of gaining an understanding of the entity and its environment. Relate those risks to risks of possible misstatements at the relevant assertion level. Consider whether the magnitude of those risks could result in material misstatement of the financial statements. Consider whether it is likely that the risks could result in material misstatement of the financial statements. Use information obtained by performing risk assessment procedures in evaluating the design and implementation of internal controls. Use risk assessment in determining the nature, timing and extent of additional audit procedures. Determine whether identified risks are isolated to particular relevant assertions associated with a class of transactions, balances or disclosures, or are more pervasive and likely to affect the financial statements as a whole. Identify controls that are likely to prevent, detect or correct material misstatements in particular relevant assertions. Communicate significant deficiencies in internal control to those charged with governance. Consider a qualification or disclaimer of opinion, or in some cases a withdrawal from the engagement in cases where there are concerns about management’s integrity or the adequacy of its records. OBSERVATION The requirement to use risk assessment in determining the nature, timing, and extent of additional audit procedures may well be one of the most important in SAS 109. One of the key philosophical threads running through the Risk Assessment Standards is the idea of linking audit procedures to risks: that is, of performing more intensive procedures in areas of higher risk, and less intensive ones in areas of lower risk. Arguably, this is merely a codification of existing best practices. On a practical level in implementing SAS 109, it will be more important than ever for auditors to show how they have considered risks in developing audit procedures, and how their procedures address those risks. Special audit consideration for significant risks. Significant risks are likely to arise in most audits. Determining which risks are significant and therefore require special audit consideration is subject to a high degree of professional judgment. Factors to consider in making this determination include: Inherent risk. The likelihood of multiple misstatements. The nature of the related business risks. Top_Aud_09_book.indb 176 9/30/2008 8:18:37 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 177 The risk of fraud. Whether the risk is related to significant recent developments in the economy or in accounting. The complexity of transactions. Related party transactions. The degree of subjectivity involved. Non-routine transactions and judgmental matters involving accounting estimates are normally regarded as areas in which significant risks are likely to be identified. The nature of non-routine transactions in itself makes it difficult for management to design and implement control over them. In addition, non-routine transactions often exhibit one or more of the following characteristics which cause them to have higher risk: Complex accounting principles or calculations. Greater management intervention to control the accounting treatment. Greater manual intervention in data collection and processing. Related party transactions. Judgmental matters may turn upon accounting principles that are subject to differing interpretations, or may involve significant estimates or uncertainties, such as assumptions about future events. Auditors should evaluate the design and implementation of internal controls related to significant risks. Where such controls are absent or ineffective, they should communicate the matter to those charged with governance, and consider the effects on the risk assessment. EXAMPLE Lawsuits are an example of a nonrecurring event that often carries significant risk. In addition to evaluating the substance of the lawsuit as such, it is important for auditors to look to the client’s policies and practices, whether formal or informal, for responding to a lawsuit. Appropriate responses include prompt referral to legal counsel. Auditors should also ascertain whether management has assessed the potential effect of the lawsuit, and how they propose to disclose it in the financial statements. Risks for which substantive procedures alone provide insufficient evidence. In some cases, it may be impossible to design substantive effec- tive procedures to provide sufficient audit evidence in support of relevant financial statement assertions. This often occurs when routine daily business transactions permit highly automated processing, and clients use IT to initiate, process and record transactions with little or no manual intervention. Telecommunications companies or internet service providers, for example, provide service to customers through electronic media, and use IT to log Top_Aud_09_book.indb 177 9/30/2008 8:18:37 AM 178 TOP AUDITING ISSUES FOR 2009 CPE COURSE the services provided, initiate and process billings, and automatically record these transactions in the accounting records. In these cases, audit evidence may exist only in electronic form, and its appropriateness and sufficiency are highly dependent on the effectiveness of the controls over its completeness and accuracy. Auditors should identify the risks for which it is not possible or practicable to reduce detection risk at the relevant assertion level to an acceptably low level by means of substantive procedures alone. The design and implementation of controls, including relevant control activities over those risks, should then be evaluated. When transaction initiation and processing is highly automated, such as for revenues, purchases, cash receipts, or disbursements, risks ordinarily relate to those specific classes of transactions. Those risks include incomplete or inaccurate processing, and improper initiation or alteration of information. Testing of controls becomes crucial in these situations, because stronger controls reduce the risks of misstatement. A combination of audit evidence obtained through both tests of controls and substantive tests can therefore reduce detection risk at the relevant assertion level to an acceptably low level. Revision of risk assessment. SAS 109 emphasizes that risk assessment is a dynamic process that occurs throughout the audit. As a result of applying audit procedures, the auditor may discover, for example, that internal controls are not operating as expected, or that misstatements have occurred in amounts or frequencies that are greater than is consistent with the initial risk assessment. When this occurs, the auditor should revise the risk assessment and should modify the planned audit procedures appropriately to respond to the risks. OBSERVATION The AICPA Practice Monitoring Programs (peer review programs) are replete with anecdotal observations about firms that, after making an initial risk assessment, discover high risks of misstatement in unexpected areas. While this does not necessarily mean that the risk assessment process was flawed, it does beg the firm to take some action, usually in the form of additional audit procedures, related to the newly discovered risks. Under the new Risk Assessment Standards, it will be important for auditors to look at their initial risk assessments at the end of the engagement, in light of the audit’s actual results, to determine that the initial risk assessment continues to be appropriate, or that planned audit procedures were appropriately modified. Top_Aud_09_book.indb 178 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 179 STUDY QUESTIONS 15. As a part of the process of identifying and assessing risks of material misstatement on both the financial statement level and the relevant assertion level for classes of transactions, balances, and disclosures, auditors should do all of the following except: a. Relate risks identified in the process of gaining an understanding of the entity and its environment to risks of possible misstatements at the relevant assertion level. b. Use information obtained by performing risk assessment procedures in evaluating the design and implementation of internal controls. c. Determine whether identified risks are isolated to particular relevant assertions associated with a class of transactions, balances, or disclosures, or are more pervasive and likely to affect the financial statements as a whole. d. Communicate significant deficiencies in internal control to legal counsel. 16. Nonroutine transactions and judgmental matters involving accounting estimates are normally regarded as areas in which significant risks are likely to be identified. True or False? PERFORMING AUDIT PROCEDURES IN RESPONSE TO ASSESSED RISKS AND EVALUATING AUDIT EVIDENCE OBTAINED SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained, introduces significant changes to existing auditing practice. Its most significant provisions require auditors to: Determine overall responses to address the assessed risks of material misstatement at the financial statement level. Design and perform additional audit procedures that are responsive to the assessed risks of material misstatement at the relevant assertion level. These include substantive procedures and, where relevant and necessary, tests of the operating effectiveness of controls. Design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance and disclosure, regardless of the assessed risk of material misstatement. Agree the financial statements and accompanying notes to the underlying records and examine material journal entries and other adjustments made during the course of preparing the financial statements. Perform tests of controls to obtain evidence about their operating effectiveness when the risk assessment includes an expectation of the operating effectiveness of controls, or when substantive procedures alone Top_Aud_09_book.indb 179 9/30/2008 8:18:38 AM 180 TOP AUDITING ISSUES FOR 2009 CPE COURSE do not provide sufficient appropriate audit evidence at the relevant assertion level. When performing audit procedures at an interim date: Determine what additional evidence should be obtained for the remaining period when tests of controls are performed during an interim period. Perform further substantive procedures or a combination of substantive procedures and tests of controls for the remaining period to provide a reasonable basis for extending audit conclusions based on substantive procedures performed at an interim date to the period end. When planning to carry forward and rely upon evidence about specific controls from previous audits in the current audit: Inquire, observe and inspect documentation to determine if they have changed. Test their operating effectiveness in the current audit, if they have changed. Test the operating effectiveness of such controls at least once in every third year in an annual audit, if they have not changed. Include certain specific documentation as part of every audit. Overall Responses SAS 110 provides guidance on determining overall responses to address risks of material misstatement at the financial statement level. Those responses may include: Emphasizing to engagement personnel the need to maintain an attitude of professional skepticism in performing the audit. Assigning more experienced staff to the audit. Assigning specialists or those with special skills to the audit. Providing additional supervision to the audit team. Introducing elements of unpredictability in the selection of audit procedures. Changing the nature, timing or extent of audit procedures. The auditor’s consideration of the control environment has a significant impact on the assessment of the risk of material misstatement at the financial statement level, and therefore, on the general approach to the audit. Weaknesses in the control environment call for appropriate audit responses. These might include, for example: Performing a substantive procedure such as confirmation at year end rather than at an interim date. Making more extensive use of substantive procedures. Top_Aud_09_book.indb 180 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 181 Changing the nature of audit procedures to obtain more persuasive evidence. Increasing the number of locations to be included in the audit scope. Audit Procedures Responsive to the Risk of Material Misstatement at the Relevant Assertion Level SAS 110 advances the concept of a linkage between the audit tests performed and the risks assessed. While not a new concept, SAS 110 gives additional emphasis to the idea that the auditor should design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the relevant assertion level. In doing so, the auditor should consider: The significance of the risk. The likelihood of material misstatement. The characteristics of the transaction classes, balances, or disclosures. The nature of the client’s controls, and whether they are automated or manual. Whether the auditor plans to test controls. Audit procedures should be proportional to the assessed risk, with areas of higher risk receiving more attention from the audit team. Usually, this entails developing an audit approach that contains elements of substantive procedures, tests of controls and analytical procedures in varying degrees to achieve an appropriate level of assurance for each relevant assertion. OBSERVATION Auditors have always designed their audit procedures to respond to their perceptions of audit risk. Under the old standards, this was more of an intuitive process, in which the audit documentation was left to “speak for itself” as to the responsiveness of those procedures to the audit risks. Under SAS 110, auditors are required to specifically document which audit procedures are designed to respond to which risks. In the initial application of the Risk Assessment Standards, this is likely to present significant challenges in terms of explicitly conceptualizing those linkages, and systematizing methods for documenting them. SAS 110 further develops the concept of linkage by discussing the relationship between the level of assessed risk and the nature, timing and extent of audit procedures. It notes that information developed in an environment of effective internal control is generally more reliable than information that is not. Effective internal control thus reduces, but does not eliminate, the risk of material misstatement. In an environment of effective internal control, Top_Aud_09_book.indb 181 9/30/2008 8:18:38 AM 182 TOP AUDITING ISSUES FOR 2009 CPE COURSE tests of internal control can therefore reduce, but not eliminate, the need for substantive procedures. Conversely, it is not necessary to perform tests of the operating effectiveness of controls in an audit area where substantive procedures alone are, in the auditor’s judgment, sufficient to reduce detection risk to an acceptably low level, or in an area where no effective controls have been shown to exist. Analytical procedures, likewise, may be sufficient in areas where balances or transaction classes are immaterial and are assessed at low risk of material misstatement. However, in some areas, it is appropriate to buttress the evidence obtained through analytical procedures with substantive tests. SAS 110 cites the example of an estimation process, such as allowance for doubtful accounts, in which subsequent collection tests would be used to strengthen evidence developed through analytical procedures. SAS 110 briefly discusses small entities, in which control activities cannot be identified, and therefore, a primarily substantive approach must be taken. Auditors are cautioned, in such cases, to consider whether it is possible to obtain appropriate audit evidence. OBSERVATION SAS 110 does not require that controls be tested in all audits. Neither does it prohibit an “all substantive approach” to an audit. Controls should be tested only when the auditor plans to rely on them. Similarly, SAS 110 specifically states that it is not necessary to test controls when it would be inefficient to do so. The significant change to existing practice is that auditors can no longer default to a maximum control risk assessment, as was often the case with audits of small owner-managed clients. Under the new standards, auditors should develop an understanding of controls. When deciding not to test controls, auditors need to be satisfied that substantive procedures alone will be effective in reducing detection risk to an acceptably low level. OBSERVATION Auditors of smaller entities often say that their clients “are too small to have any internal controls.” This is almost never the case. Consider, for example, basic controls such as double entry bookkeeping, serially numbered checks and invoices, and bank reconciliations. Almost every entity, down to the smallest, has at least some elements such as these that are thought of as internal controls, even though they may not be formalized or well-documented. In a small-entity environment, it may well be more efficient to rely on substantive tests, but it is seldom accurate to assert that there are no internal controls. Top_Aud_09_book.indb 182 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 183 Nature of further audit procedures. The nature of audit procedures is a qualitative determination, in which auditors use professional judgment in selecting the type of procedures, such as inspection, observation, inquiry, recalculation, reperformance, or analytical procedures, that are likely to be the most effective and efficient in obtaining audit evidence. In selecting audit procedures, auditors consider the risk of misstatement in the particular class of transactions, balances, or disclosures. This includes considering the reasons for the risk assessment. If, for example, the particular characteristics of a class of transactions have low inherent risk, without regard to controls, it may be appropriate to use substantive analytical procedures alone. Conversely, if the assessed control risk is low, and the auditor intends to design substantive procedures based on the effectiveness of those controls, it will be necessary to perform tests of those controls. It is also necessary to gather evidence to support the accuracy and completeness of information produced by the entity’s information system when that data is used in performing audit procedures. This is the case when, for example, budget data or nonfinancial data is used in performing substantive analytical procedures. Tests of controls or substantive procedures may be performed at an interim date, or at period end. Performing tests at an interim date may enable auditors to identify significant matters early in the audit, and thus either resolve them with management’s assistance, or develop an effective audit approach to deal with them. However, when substantive procedures or tests of the operating effectiveness of controls are performed at an interim date, the auditor should consider what additional evidence is necessary for the remaining period. Auditors are more likely to perform substantive tests at or near the period end, or at unannounced or unpredictable times, when there is a high assessed risk of misstatement. Also, certain procedures can be performed only at or after the period end. Timing of further audit procedures. EXAMPLE Procedures that can only be performed at or after a period end include examining adjustments made during financial statement preparation and agreeing the financial statements to the underlying accounting records. Also, when there is an assessed risk of improper cutoffs, or of other improper transactions or adjustments near the period end, auditors should inspect transactions both shortly before and shortly after the period end to specifically address that risk. Top_Aud_09_book.indb 183 9/30/2008 8:18:38 AM 184 TOP AUDITING ISSUES FOR 2009 CPE COURSE In determining when to perform auditing procedures, auditors should take into account: The control environment. When relevant information will become available. The nature of the risk. The date or period to which the evidence relates. Extent of further audit procedures. Determining the extent of audit proce- dures is a quantitative process in which the auditor decides such matters as sample sizes or the number of observations of a control activity. It involves the auditor’s professional judgment, which takes into account: Tolerable misstatement. Assessed risk of material misstatement. The degree of assurance to be obtained. In general, more extensive audit procedures, such as larger sample sizes, yield a higher degree of assurance. It is important, however, not to confuse quantity with the relevance of the procedure to a particular assertion. A substantive procedure such as inspecting all of the vendors’ invoices to support recorded accounts payable, for example, provides strong support for the existence of those payables, but does nothing to assure the completeness of accounts payable. Similarly, in sampling applications, an inappropriate selection methodology or sample size, or the failure to follow up on exceptions, will affect the validity of the auditor’s conclusions. It is therefore the nature of the audit procedure, and not its extent, that is the most important consideration. SAS 110 encourages the use of different audit procedures in combination with each other, such as tests of the operating effectiveness of controls together with substantive or analytical procedures. Auditors should, however, be careful to consider whether the extent of testing is sufficient when using different procedures in combination. OBSERVATION The concept that the nature of the procedure, and not its extent, is the most important in responding to the risk of material misstatement is crucial to SAS 110. Otherwise stated, auditors cannot reduce detection risk simply by “increasing their scope” when the nature of the test is not appropriate for a particular assertion. Top_Aud_09_book.indb 184 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 185 STUDY QUESTIONS 17. Which of the following statements best applies to the requirement under SAS 110 to link auditing procedures to assessed risk? a. Audit procedures should be applied proportionally to the monetary amounts of recorded financial statement items. b. Audit procedures should be applied uniformly to recorded financial statement amounts irrespective of assessed risks. c. Audit procedures should be directly linked to materiality. d. Audit procedures should be proportional to the assessed risk, with areas of higher risk receiving more attention from the audit team. Tests of Controls Auditors should test controls when the risk assessment includes an expectation of their operating effectiveness, or when substantive procedures do not by themselves provide sufficient appropriate evidence at the relevant assertion level. Considering controls consists of three steps. Normally these are performed in sequence, as a matter of audit efficiency. These steps involve determining that the control: Is suitably designed to prevent or detect a material misstatement in a relevant assertion. If the control is not suitably designed, it is unnecessary to test it for operating effectiveness or implementation. Exists and is implemented. Is operating effectively. In some cases, risk assessment procedures to assess the design and implementation of controls may also serve as tests of those controls. IT controls, for example, are generally consistent in their application, thus the determination that they have been implemented may also serve as a test of their operating effectiveness. Auditors often find that it is efficient to test internal controls concurrently with substantive tests. In so doing, consideration should be given to the impact that the result of substantive testing has on the control testing, and vice versa. A material misstatement revealed by substantive procedures that went undetected by the client would usually be considered a significant deficiency in internal control. On the other hand, control weaknesses noted in the test of controls may indicate that the auditor should consider whether the planned extent of the substantive procedure, such as the sample size, is adequate. Top_Aud_09_book.indb 185 9/30/2008 8:18:38 AM 186 TOP AUDITING ISSUES FOR 2009 CPE COURSE Nature of control tests. Control tests normally consist of a combination of such procedures as: Inquiries of entity personnel. Inspection of documents, reports, or electronic files which indicate the performance of the control. Observation of the control’s application. Reperformance of the control’s application. When selecting audit procedures, auditors should consider the degree of assurance about operating effectiveness that is needed. As the planned level of assurance increases, so should the reliability or extent of the audit evidence. In such cases, different audit procedures should be used in concert, to supplement each other. Auditors should also consider indirect controls on which direct controls depend for their effectiveness. EXAMPLE As a control over credit sales in excess of customer limits, a company’s IT system generates an exception report showing credit sales that exceed established limits. The direct control consists of the user’s review of this report. The effectiveness of this control depends not only on the user’s diligence in the review process, but upon the IT controls used to generate the data, such as controls over maintaining and updating a database of credit limits by customer, and on the automated processes for comparing recorded sales to credit limits. An absence of misstatements detected by substantive procedures does not prove that controls are effective. However, misstatements detected by substantive procedures should be considered in assessing the effectiveness of controls. Material misstatements that were undetected by the client are to be regarded as at least a significant deficiency, and possibly as a material weakness which should be communicated to management and those charged with governance. OBSERVATION SAS 110’s bold assertion that auditors cannot assume that controls are operating effectively when no material misstatements are detected tacitly acknowledges the “dumb luck” factor in accounting. It is possible for financial statement items to be correct, even though the controls over them are ineffective. Top_Aud_09_book.indb 186 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 187 Timing of control tests. Controls should be tested throughout the period, or as of the point in time that the auditor plans to rely on them. Observations at a point in time, such as physical inventory observation, may be sufficient when the controls pertain only to that time. However, when auditors plan to rely on controls throughout a period, point-in-time observations or tests performed in interim periods should be supplemented with other procedures that are capable of providing evidence that the control operated effectively throughout that period. In such circumstances, auditors should consider: The significance of the assessed risk of material misstatement at the relevant assertion level. The specific controls tested on an interim basis. The degree to which audit evidence about their effectiveness was obtained. The length of the remaining period. The extent of planned reliance on the controls to reduce the extent of substantive procedures.. The control environment. Internal controls should be tested at least once in every third year of an annual audit. This marks a significant departure from previously existing practice in which internal control documentation was routinely “rolled over” from one audit to the next at the auditor’s discretion. Under SAS 110, when planning to rely on evidence obtained about internal control in previous audits, auditors should: Obtain evidence about whether the controls have changed since the prior audit. Establish the continuing relevance of the evidence obtained in the prior period. Determine whether changes have been made to automated processing that affect its continued effectiveness. Test controls that have changed since the prior audit, if reliance on those controls is planned. SAS 110 offers significant guidance for determining when, and whether, it is appropriate to use audit evidence obtained in a prior period. It states that auditors should consider: The effectiveness of other internal control elements, including: The control environment. The client’s monitoring of controls. The risk assessment process. The risks arising from the characteristics of the control, including whether controls are automated or manual. The effectiveness of IT general controls. Top_Aud_09_book.indb 187 9/30/2008 8:18:38 AM 188 TOP AUDITING ISSUES FOR 2009 CPE COURSE The control’s effectiveness and its application by the client, including the nature and extent of deviations in its application noted in prior audits. Whether changing circumstances have caused the lack of change in a particular control to pose risks. The risk of material misstatement. The extent of reliance on the control. As the risk of material misstatement or the planned reliance on controls increase, the interval of time that elapses between tests is likely to shorten. The presence of the following indicators ordinarily results in either not relying on evidence obtained in prior audits, or in shortening the period for retesting a control: Weak control environment. Weak monitoring controls. A significant manual element to the relevant controls. Weak general IT controls. Significant personnel changes that affect control application. Changes in circumstances that indicate a need for changes in the control. In any case, auditors should test the operating effectiveness of some controls every year. This approach provides evidence about the continuing effectiveness of the particular controls tested and of the control environment, and contributes to the decision about whether reliance on evidence obtained in prior audits is appropriate. It also avoids the possibility that all relevant controls would be tested in one period, and none in the subsequent two periods. Accordingly, auditors should plan to test a portion of the controls each period, so that each control is tested at least once in every three audits. An important exception to the “three year rule” exists when there is a significant assessed risk of material misstatement at the relevant assertion level. In this case, auditors should test the operating effectiveness of the control in the current period, when they plan to rely on it to mitigate that risk. Extent of control tests. Auditors should design tests of controls to provide sufficient appropriate evidence that they are operating effectively throughout the period of reliance. In determining the extent of controls, the following factors may be considered: How often the control is performed. How long during the audit period the auditor is relying on the control. The relevance and reliability of the evidence supporting the control’s effectiveness in preventing, detecting, or correcting material misstatements at the relevant assertion level. The extent of evidence obtained about other controls pertinent to the relevant assertion. Top_Aud_09_book.indb 188 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 189 The extent of planned reliance on the control in the risk assessment. The expected deviation from the control. When a control operates frequently, such as a control over daily transactions, consideration should be given to employing an audit sampling technique to obtain reasonable assurance about its operating effectiveness. When a control operates only on a periodic or infrequent basis, auditors should consider applying the guidance for testing smaller populations, such as testing the control application for two months of the year and reviewing evidence of its application or scanning for unusual items in other months. The greater the level of reliance on control effectiveness in the risk assessment process, the greater the extent of testing should be. However, when a high incidence of deviation is expected, auditors should consider whether control tests will be sufficient to reduce control risk at the relevant assertion level. In such cases, control tests may be inappropriate or inefficient. IT processing is inherently consistent, thus the extent of tests might be limited to one or a few instances of operation. However, having once determined that the control is operating as intended, auditors should test to assure that it continues to function effectively. STUDY QUESTIONS 18. Auditors should test controls: a. When substantive procedures do not by themselves provide sufficient appropriate evidence at the relevant assertion level. b. Regardless of whether the risk assessment includes an expectation of their operating effectiveness. c. Once every three years. d. Whenever there is a significant assessed risk of material misstatement at the relevant assertion level. Substantive Procedures Auditors should plan and perform substantive procedures to be responsive to the related assessed risk of material misstatement. When the assessed risk of material misstatement at the relevant assertion level is determined to be significant, substantive procedures that are specifically responsive to that risk should be performed. Regardless of risk, substantive procedures should be designed and performed for all relevant assertions related to each material class of transactions, account balance, and disclosure. Those procedures should include: Agreeing the financial statements and accompanying notes to the underlying accounting records. Top_Aud_09_book.indb 189 9/30/2008 8:18:38 AM 190 TOP AUDITING ISSUES FOR 2009 CPE COURSE Examining material adjustments and journal entries made in the preparation of the financial statements. Substantive procedures should be designed to respond to the planned level of detection risk. Such procedures consist of both tests of details and substantive analytical procedures. The decision as to which procedures are to be applied, or in what combination, is influenced by whether the auditor has gathered evidence about the operating effectiveness of controls. Tests of details are usually most appropriate for gathering evidence about relevant assertions, such as valuation and existence, pertaining to account balances. Substantive analytical procedures, on the other hand, generally lend themselves to situations involving large transaction volumes that are relatively predictable over time. Substantive analytical procedures may be sufficient in situations of low assessed risk where the auditor has determined that the relevant controls are operating effectively, or they may be used in combination with limited tests of details. When designing substantive analytical procedures, consideration should be given to: The suitability of substantive analytical procedures for the given assertion. The reliability of the data from which ratios or expectations are derived, including the controls over the preparation of that data. The degree of precision of the expectation relative to the levels of materiality and desired assurance. The acceptable amount variance between expectations and recorded amounts. Nature of substantive procedures. In deciding to use substantive analytical procedures, and in evaluating their results, auditors should be aware of their limitations. One particular limitation is that they may not be well suited for detecting certain types of fraud involving management override of controls. When financial statement amounts have been manipulated to create a false appearance of normality or consistency, there is a danger that substantive analytical procedures will fail to detect the manipulation, and thus cause erroneous acceptance. Timing of substantive procedures. When considering whether to perform substantive procedures at the period end, or at an interim date, auditors should take into account: The control environment and relevant controls. The availability of necessary information at a date after the interim date. The objective of the substantive procedure. The assessed risk of material misstatement, including fraud risk. Top_Aud_09_book.indb 190 9/30/2008 8:18:38 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 191 The nature of the account balance or class of transactions and the relevant assertions. The entity’s procedures for analyzing and adjusting balances and transaction classes at interim dates. The client’s cutoff procedures. The capability of the information system to permit investigation of: Significant unusual transactions or entries. Causes of significant fluctuations or of expected fluctuations that did not occur. Changes in the composition of account balances or classes of transaction during the remaining period. The ability to reduce detection risk at the period end with further substantive procedures, or a combination of control tests and substantive procedures. When substantive procedures are performed at an interim date, detection risk at the period end increases. Auditors should, at a minimum, perform further substantive procedures to mitigate this risk. It is not always necessary to test the operating effectiveness of controls for the interim period to provide a reasonable basis for projecting the audit conclusions to the period end. However, auditors should consider whether the interim substantive procedures alone provide a sufficient basis. When the interim substantive procedures do not adequately support conclusions about the remaining period, additional period-end substantive procedures or a combination of control tests and substantive procedures over the remaining period should be performed. Audit procedures performed between the interim date and the period end may include: Comparison and reconciliation of interim and period end balances. Identification and investigation of amounts that appear unusual. Substantive analytical procedures applied to balances and transaction classes that are reasonably predictable. Tests of details. When material misstatements are detected at an interim date, consideration should be given to modifying the nature, timing or extent of the substantive procedures covering the remaining period, or to repeating the audit procedures at the period end. Evidence obtained from previous audits is not sufficient to reduce detection risk to an acceptably low level in the current period. When considering whether to use such evidence in the current audit, the evidence and related subject matter must not have fundamentally changed. Auditors should perform tests in the current period to establish its continuing relevance. Top_Aud_09_book.indb 191 9/30/2008 8:18:38 AM 192 TOP AUDITING ISSUES FOR 2009 CPE COURSE SAS 110 lists the following other timing considerations for substantive tests: Coordinating related party procedures in light of the risks of material misstatements. Coordinating tests of interrelated accounts and cutoffs. Maintaining temporary audit control over negotiable assets. Simultaneously testing such assets as cash on hand, bank loans and other related items. Extent of substantive procedures. Determination of the extent of substantive tests of details to be performed is usually thought of in quantitative terms, primarily related to sample sizes. In making this determination, a higher level of assessed risk of misstatement usually indicates the need for more extensive substantive procedures. However, consideration of the operating effectiveness of internal controls, and the relevance of the planned procedure to the specific risk should also enter into this determination. Consideration should be given to the qualitative aspects of specific populations to be detail-tested, and whether it may be more effective to use other methods of selection such as selecting large or unusual items from a population, or stratifying the population into homogeneous subsets for sampling. EXAMPLE Consider three different transaction classes of similar total monetary amount, but differing qualitative properties. One class of transactions contains several thousand individual line items of similar and relatively small items. The second class contains a few large items comprising all but an immaterial portion of its total. The third class contains a few large items and a remaining population of several hundred items that vary widely in amount, including a large number of very small transactions. The first transaction class lends itself well to statistical sampling. The second class might best be addressed by detailed testing of the large items and scanning of the rest. For the third class, detail testing of the few large items, and statistical sampling of the remaining population or stratifying the remaining population and testing larger amounts on an interval basis, while merely scanning the smaller amounts, would likely prove effective. When using substantive analytical procedures, the auditor should determine how large of a variance from expectation is acceptable. This involves considering tolerable misstatement and the desired level of assurance, and the possibility that a combination of misstatements could aggregate to a material level. Adequacy of Presentation and Disclosure SAS 110 places additional emphasis on the auditor’s responsibility to evaluate the financial statements for their fairness of presentation and disclosure. Top_Aud_09_book.indb 192 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 193 This evaluation should take place within the context of the assessed risk of material misstatement at the relevant assertion level. Procedures targeted toward this objective should include consideration of whether: The financial statements and the related notes are in accordance with generally accepted accounting principles in their overall presentation. Individual financial statements are appropriate in form, arrangement, and content. Individual financial statements contain proper: Classifications. Descriptions. Terminology. Levels of detail. Bases of amounts set forth. Adequate disclosure of material matters. Management has, or should have, disclosed a particular matter in light of the facts and circumstances. Evaluating the Sufficiency and Appropriateness of Audit Evidence SAS 110 states that, “An audit of financial statements is a cumulative and iterative process.” This recognizes that evidence builds up throughout the audit, as audit procedures are performed, and that assumptions about the risk of material misstatement may change in light of this evidence. It is important for auditors to view the audit process as an integrated whole rather than as a series of sequentially-applied procedures. This involves a careful consideration, both during and at the end of the audit, of whether preliminary assumptions about risk continue to be valid, and whether the audit procedures respond adequately to the assessed risks. Factors that may cause a re-evaluation of the initial risk assessment include: Differences between information upon which risk assessments were based and information that subsequently comes to light. Extent of misstatements detected by substantive procedures. The effect of those misstatements on the auditor’s assessment of the effectiveness of controls. Whether misstatements due to fraud or error are isolated instances and how their detection affects the assessed risk of material misstatement. Extent of deviations in the application of control procedures detected by tests of controls. Whether the tests of control provide sufficient basis for reliance upon the controls. Finally, auditors should conclude as to whether sufficient appropriate evidence has been obtained to reduce the risk of material misstatement to Top_Aud_09_book.indb 193 9/30/2008 8:18:39 AM 194 TOP AUDITING ISSUES FOR 2009 CPE COURSE an appropriately low level. This determination is a matter of professional judgment, involving consideration of: All relevant audit evidence, whether it appears to support or to contradict the relevant financial statement assertions. The significance of the potential misstatement in the relevant assertion. The likelihood of the potential misstatement having a material effect on the financial statements either individually or when aggregated with other misstatements. The effectiveness of management’s controls and responses to risks. Experience from previous audits with respect to similar potential misstatements. Results of audit procedures performed. Whether audit procedures identified specific instances of fraud or error. The sources and reliability of information. The persuasiveness of audit evidence. The understanding of the client, its environment and its internal control. When the auditor concludes that sufficient appropriate evidence has not been obtained with respect to material financial statement assertion, attempts should be made to obtain additional evidence. If sufficient appropriate audit evidence cannot be obtained, the auditor should express a qualified opinion, or should disclaim an opinion. STUDY QUESTIONS 19. Which of the following statements best applies to the auditor’s considerations in forming a conclusion as to whether sufficient appropriate evidence has been obtained to reduce the risk of material misstatement to an appropriately low level? a. Audit evidence that appears to contradict the relevant financial statement assertions may be disregarded in low-risk areas. b. Experience from previous audits with respect to similar potential misstatements should not be considered in the current period audit. c. The likelihood of the potential misstatement having a material effect on the financial statements should be considered only in the aggregate. d. The sources and reliability of information, and the persuasiveness of audit evidence should be considered. Top_Aud_09_book.indb 194 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 5 — The Risk Assessment Standards: A Comprehensive Review 195 AUDIT SAMPLING SAS 111, Amendment to SAS 39, “Audit Sampling,” presents several largely technical amendments to previous audit sampling practices. This section discusses only a few of the most important concepts. Sample Size In general, as risk factors increase—for example, as the assessed risk of material misstatement gets higher—the sample size increases. When tests of controls are required, many auditors feel that is efficient to select one sample to serve both the control test and tests of details objectives. SAS 111 states that a “dual purpose” sample should be the larger of the samples sizes that would otherwise have been selected for the two separate purposes. This requirement may result in some sampling applications having a larger number of items than otherwise expected. Evaluating Sample Results It is not always possible to apply planned audit procedures to every item within a sample. This often occurs because the client cannot locate the supporting documentation. When this happens, auditors should consider applying alternative audit procedures if a misstatement within unexamined items in a sample would change the evaluation of the sample results. SAS 111 does not mandate that each item within a sample be tested. If the result of examining the item would not change the conclusion about the sample results, and if there are no other implications for an inability to test an item, it may be inefficient to select a replacement item or to apply alternative procedures for an item that cannot be located. These considerations should, however, be documented, when relevant. SAS 111 states that the absence of monetary misstatements in a sample does not necessarily mean that controls are effective. Even in an environment of weak controls, it is possible to get things right by accident. Monetary misstatements detected by substantive procedures should, however, be evaluated for their implications as possible indicators of control failures. These instances should be taken into account when assessing the operating effectiveness of related controls. STUDY QUESTIONS 20. A sample designed to serve for both control tests and tests of details should be the larger of the samples sizes that would otherwise have been selected for the two separate purposes. True or False? Top_Aud_09_book.indb 195 9/30/2008 8:18:39 AM Top_Aud_09_book.indb 196 9/30/2008 8:18:39 AM 197 MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 6 Audit Risk Alert – 2007/08 LEARNING OBJECTIVES At the end of this chapter, the reader should: Have an overview of certain economic and industry developments that are of interest to the auditing profession. Have a general understanding of recent auditing standards and developments for communications with those charged with governance, and for internal control audits of SEC issuers. Have a general understanding of recent accounting standards and developments for fair value measurement, postretirement plans, and income taxes. Be aware of the general objectives of the AICPA Clarity Project and International Convergence. INTRODUCTION The AICPA publishes an annual Audit Risk Alert to give auditors an overview of recent professional, economic, and regulatory developments. This year’s Audit Risk Alert covers a wide variety of topics, such as Statement on Auditing Standards No. 103, Audit Documentation (SAS 103), SASs 104111, the Risk Assessment Standards, and SAS 112, Communicating Internal Control Related Matters Identified in an Audit, that are covered in other chapters of this Course. In addition to those topics, it provides information in the following areas of interest to auditors, which are covered in this chapter: Economic and Industry Developments Auditing Developments, including: Communication With Those Charged With Governance Dating of the Auditor’s Report PCAOB Auditing Standard No. 5 Alternative Investments Accounting Issues and Developments, including: Fair Value Measurements Defined Benefit Pension and Other Postretirement Plans Income Tax Accruals and Deferred Income Taxes Developing Issues, including: The AICPA Clarity Project International Convergence Top_Aud_09_book.indb 197 9/30/2008 8:18:39 AM 198 TOP AUDITING ISSUES FOR 2009 CPE COURSE The Audit Risk Alert has no authoritative status. It is an “other auditing publication” as defined in AU Section 150, Generally Accepted Auditing Standards, that may assist auditors in understanding and applying the SASs. It cautions readers that they should be satisfied, in their judgment, that its guidance is both relevant and appropriate to the circumstances of their particular audits. ECONOMIC AND INDUSTRY DEVELOPMENTS It is important for auditors to understand the general economic environment and the economic conditions facing the client’s industry in planning and performing audits. Factors such as interest rates, inflation, consumer confidence, and labor markets, as well as overall economic conditions are likely to affect an entity’s financial statements. OBSERVATION Many statistics such as those discussed below may be useful for auditors in developing expectations for analytical procedures. Interest rates, for example, could be useful as a yardstick in gauging the reasonableness of investment income. Conditions in the housing market could likewise provide useful information in developing expectations about the performance of entities in the real estate, construction or leasing industries. Real Gross Domestic Product Real gross domestic product (GDP) measures the output of goods and services by labor and property within the U.S. It is the broadest measure of economic activity, and it increases as the economy grows. Through 2007, GDP increased at an estimated 2.0% annual rate, compared to 3.1% in 2005 and 2.9% in 2006. Unemployment The unemployment rate held steady at between 4.4% and 4.8% from 2006 to 2007. These are the lowest rates since 2000. Interest Rates The federal funds rate held steady at 5.25% from June 2006 to August 2007, after a period of rising rates during early 2006. Due to deteriorating financial markets, tighter credit conditions and increased uncertainty, the Federal Reserve lowered the fed funds rate to 4.5 through December 11, 2007 and then it dropped to 4.25%. In April 2008 it dropped to 2.0%. Top_Aud_09_book.indb 198 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 199 OBSERVATION Interest rate changes and volatility affect the valuation assertion related to investments and derivatives. For investments whose valuation is tied to interest rates, auditors will need to assure that reasonable interest rates are used. Consumer Price Index The Consumer Price Index for all Urban Consumers (CPI-U) is the most widely used measure of inflation. It measures the change over time in the prices paid by urban consumers for a market basket of goods and services. Using 1982-84 as baseline years, the CPI-U increased from 179.9 in 2002 to 201.6 in 2006, and 207.3 in 2007. Interest Rates for Below-Market Loans This rate is published annually by the IRS. It is useful for auditors in assessing the reasonableness of interest rates and determining imputed interest for below-market loans. It has increased steadily since 2003, from 1.52%, up to 4.92% in 2007. Housing Market After five years of record growth, the housing market has continued to deteriorate since 2006. Foreclosures in August 2007 rose compared to the previous month, and more than doubled compared to a year earlier. These conditions not only slow the economy directly, but also raise concerns about reduced consumer spending and inflation in the future. Subprime Mortgages and the Liquidity Crisis The rate of default and foreclosure on subprime mortgages has increased sharply. This, combined with falling real estate prices, has resulted in significant credit losses. Most of these loans were ultimately financed by investors who bought mortgage-backed securities. Currently, the number of investors willing to provide such funding is dropping. This restricts the amount of capital available to originate new loans or to refinance existing loans. The values of existing loans and mortgage-backed securities have decreased significantly. The number of mortgage lenders has decreased, and those still making loans have tightened their underwriting standards, making credit less available. Investments in assets backed by subprime mortgages are found across the spectrum of investors, including commercial and investment banks, insurance companies, mutual funds, hedge funds, pension and employee-benefit plans, and university endowment funds. The price volatility in this area is of particular concern to auditors in measuring the fair value these assets. Top_Aud_09_book.indb 199 9/30/2008 8:18:39 AM 200 TOP AUDITING ISSUES FOR 2009 CPE COURSE STUDY QUESTIONS 1. Interest rate statistics can be useful to auditors in considering the valuation assertion related to certain assets. True or False? AUDITING DEVELOPMENTS Communication With Those Charged With Governance SAS 114, The Auditor’s Communication With Those Charged With Governance, became effective for audits of financial statement periods beginning on or after December 15, 2006. It significantly broadens auditors’ responsibilities for identifying persons charged with governance, and for communicating matters to them. Unlike the previous requirements under SAS 61, this Standard applies to all non-SEC issuer entities regardless of their size, ownership, or organizational structure. SAS 114 defines those charged with governance as persons with responsibility for overseeing the entity’s strategic direction and its obligations related to accountability, including overseeing the financial reporting process. It distinguishes these persons from management, which it defines as those responsible for achieving the entity’s objectives, and who have the authority to establish policies and make decisions by which those objectives are to be pursued. Auditors should determine appropriate persons within the entity’s governance structure to receive these communications. Depending on the entity’s structure, this may not be a clear-cut determination. In particular, family-owned enterprises that do not formally define a governance structure, or some nonprofit or government entities may present this challenge. When this is not readily apparent, auditors should reach an agreement with the engaging party on who to communicate with. SAS 114 contains requirements to communicate an overview of the planned scope and timing of the audit to those charged with governance, and to document all significant matters communicated. OBSERVATION Auditors may need to be more proactive under SAS 114 than they were under SAS 61 in assuring that a mutual understanding with the client has been reached. This is especially true when dealing with new clients. However, it also applies to continuing audit clients, due to all the new auditing standards that have become effective. These may affect previous client understandings. Top_Aud_09_book.indb 200 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 201 It is not sufficient to send written communications to those charged with governance when the auditor has reason to believe they are not being read. SAS 114 places squarely on auditors the responsibility to take appropriate action when they believe that effective two-way communication has not been established for purposes of the audit. Although written communications were not required under SAS 61, and are still not generally required under SAS 114, many auditors feel that written communication represents a “best practice” under most circumstances. Oral communication is still appropriate, however, especially in the case of very small, owner-managed clients, as long as it is well-documented. STUDY QUESTIONS 2. The requirements of SAS 114 apply to: a. SEC issuers. b. Only entities that have formally constituted audit committees. c. All non-SEC issuer entities regardless of their size, ownership, or organizational structure. d. Only large entities with defined governance structures. 3. When an entity’s governance structure is such that the person or persons who should receive the auditor’s communication with those charged with governance is not readily apparent, the auditor should: a. Direct this communication to senior management. b. Direct this communication to the chairman of the board of directors, or the equivalent person. c. Refrain from issuing such communications. d. Reach an agreement with the engaging party as to the person or persons to receive this communication. Dating of the Auditor’s Report The Professional Issues Task Force issued Practice Alert No. 07-1 to provide guidance concerning the dating of the auditor’s report. One of the key provisions of SAS 103, Audit Documentation, is that the auditor’s report not be dated earlier than the date on which the auditor obtained sufficient appropriate evidence to support the report. It goes on to state that sufficient appropriate evidence includes evidence that: The audit documentation has been reviewed. The financial statements, including disclosures, have been prepared. Management has taken responsibility for the financial statements. Top_Aud_09_book.indb 201 9/30/2008 8:18:39 AM 202 TOP AUDITING ISSUES FOR 2009 CPE COURSE OBSERVATION This requirement marks a significant departure from the previous practice of dating the auditor’s report as of the last date of field work. As a practical matter, this may create a need for firms to modify their engagement procedures to include a field review of the audit documentation and the financial statements. In some cases, additional visits to update subsequent events tests and management representations may also be necessary. PCAOB Standards The Audit Alert discusses developments at the Public Companies Accounting Oversight Board (PCAOB). These developments directly affect only audits of SEC issuers. However, as noted in the Observation to AS-5, below, they have, in at least one instance, influenced the AICPA to amend standards for non-issuers. Auditing Standard No. 5. In its monitoring of the implementation of Auditing Standard No. 2 (AS-2), The PCAOB concluded that the audit of internal control over financial reporting has yielded significant benefits to corporate processes and controls. These benefits, however, have come at significant and higher than anticipated costs and, at times, at an effort greater than needed to conduct an effective audit of internal control. As a result, the new AS-5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, was issued to replace AS-2, effective for fiscal years ending on or after November 15, 2007. Its objective is to focus auditors on matters most important to internal control, eliminate unnecessary procedures and to simplify and shorten the standard by reducing detail and specificity and make it more scalable for smaller and less complex entities. This new standard does the following: Directs auditors to the most important controls. Emphasizes the importance of risk assessment and a top-down approach. Places additional emphasis on fraud controls, including: Assessing fraud risk in the planning process. Offering additional guidance on the types of controls that may address fraud risk. Identifying management fraud as a high risk area. Recalibrates the walk-through requirement. Permits consideration of knowledge obtained in previous audits. Redefines the terms significant deficiency and material weakness. Revises the list of strong indicators of a material weakness. Top_Aud_09_book.indb 202 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 203 Adopts requirements that auditors consider and communicate any identified significant deficiencies to the audit committee. Directs auditors to tailor audits to reflect the attributes of smaller and less complex entities. Removes a requirement for auditors to evaluate management’s process. Offers further guidance on scoping decisions for multiple-location audits. OBSERVATION The re-definition of the terms significant deficiency and material weakness is important to auditors of non-issuers as well, because the AICPA is changing the existing definitions of those terms in SAS 112 to conform to the AS-5 definitions. In June 2008, an exposure draft was issued which changes those terms. Those new definitions for non-issuers will be: Significant deficiency. A deficiency or combination of deficiencies in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. Material weakness. A deficiency or combination of deficiencies in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. The existing definition of significant deficiency is: a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected. These new definitions are effective for periods ending on or after December 15, 2009, that is, starting with December 31, 2009 audits. Earlier implementation is permitted. The new definition could be used as soon as the final document is approved. The revised definitions for non-issuers are primarily semantic in nature according to the AICPA, and are expected to clarify these terms in practice. They are not expected to create significant changes in practice, in the AICPA’s view. Top_Aud_09_book.indb 203 9/30/2008 8:18:39 AM 204 TOP AUDITING ISSUES FOR 2009 CPE COURSE OBSERVATION Some practitioners have voiced the opinion that the new definition blurs what was a reasonably bright line definition under the original wording of SAS 112. They feel that at least some number of control related matters that, under the original definition, were clearly required to be commented upon in writing have now moved into a gray area that will be much more subject to debate by management. Other practitioners have hailed this change because they feel it restores to the profession some of the discretion that it used to have under previous standards as to the threshold for what matters were required to be reported in writing. The AICPA avows that it is not its intention to “lower the bar” by this change, but merely to move the ASB standards into line with the PCAOB, to avoid confusion. The impact of this change is likely to vary widely from one engagement to another within each auditing practice, depending on the nature and number of internal comments, and upon the characteristics of management. In any case, auditors should consider how this change is likely to affect particular engagements in the coming year. AS-5 also incorporates some key concepts related to considering and using the work of others. Among those concepts are the following: Eliminating a barrier to integration of the financial statement and internal control audits by allowing auditors to use the work of others to obtain evidence about the design and operating effectiveness of internal controls for both audits. Eliminating the principal evidence provision. Auditors may now use the work of competent and objective other persons to obtain evidence supporting their assessment of control risk for the financial statement audit. Allowing auditors to use the work of company personnel other than internal auditors, or third parties working under the direction of management or the audit committee. Requiring auditors to use a risk-based approach to the extent that they can use the work of others. Otherwise stated, the need for auditors to perform their own work on controls increases with the associated risk. Audit committee pre-approval of non-audit services. PCAOB Rule 3525, Audit Committee Pre-Approval of Non-Audit Services Related to Internal Control Over Financial Reporting, requires the audit firm to submit a written description of the scope of the service to the audit committee, and to discuss with the audit committee the potential effect of the service on independence. The substance of this discussion is required to be documented. This rule became effective for audits of fiscal years ending on or after November 15, 2007. Top_Aud_09_book.indb 204 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 205 STUDY QUESTIONS 4. Which of the following statements best applies, in audits of non-issuers, to the new definitions of significant deficiency and material weakness? a. The new definitions are effective for fiscal years ending on or after November 15, 2007. b. The new definitions are effective January 1, 2009. c. The new definitions are expected by the AICPA to create significant changes to practice under the previous provisions of SAS 112. d. A significant deficiency is more severe than a material weakness. Alternative Investments The AICPA’s Alternative Investments Task Force issued a practice aid entitled “Alternative Investments—Audit Considerations.” Alternative investments often include direct holdings of subprime loans, or investment vehicles whose value is affected by the value of subprime loans. These investments often do not have a readily determinable market value, and may have greater risk and volatility. In some cases, the existence of these investments may not be readily obvious, and may be identified only by audit procedures designed for that purpose. Developing support for the valuation assertion for these investments can be difficult because of the lack of readily determinable fair value, and the limited information often provided by the fund managers. The practice aid for alternative investments offers non-authoritative guidance for auditors faced with these situations. This document comments on: The client’s responsibility to have controls in place to enable management to address the valuation assertion. The auditor’s responsibility to obtain support for an opinion on the valuation assertion. General considerations pertaining to the auditing of alternative investments. Addressing the existence and valuation assertions. Management representations. Disclosure of certain risks and uncertainties. Reporting. Confirmations. Due diligence. Ongoing monitoring. Financial reporting controls. Subsequent events tests are also important in determining the appropriate period in which to recognize identified declines in value. Top_Aud_09_book.indb 205 9/30/2008 8:18:39 AM 206 TOP AUDITING ISSUES FOR 2009 CPE COURSE ACCOUNTING ISSUES AND DEVELOPMENTS Fair Value Measurements Prior to the issuance of FASB Statement No. 157, Fair Value Measurements, (FAS 157) different definitions of fair value and different guidance for applying them were dispersed throughout various accounting pronouncements. FAS157 provides one consistent definition, and provides for expanded disclosures about the use of fair value to measure assets and liabilities. Definition. Fair value is defined by FAS 157 as “the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date.” This definition retains the notion of an exchange price to define fair value, but clarifies that it is a hypothetical transaction from the seller’s point of view. In other words, it is the price that the owner of an asset would accept to sell the asset, or that the owner of a liability would pay to transfer the liability. It is an “exit price,” rather than the “entry price” that a buyer would pay to acquire an asset or receive to assume a liability. This definition assumes that the transaction takes place in the principal market, which it defines as the market that has the greatest volume and level of activity, or, in the absence of a principal market, the most advantageous market for the asset or liability. Fair value measurement for an asset also assumes its highest and best use, considering what is physically possible, legal, and economically feasible at the measurement date. Highest and best use is established by one of two valuation premises: Value-in-use. This premise assumes that the asset would provide maximum value to market participants principally through its use in combination with other assets. This premise is appropriate for certain nonfinancial assets. It assumes use as installed, or as configured for use, with a group of assets that would also be available to market participants. Value-in-exchange. This premise assumes that the asset would provide maximum value primarily on a standalone basis. This would usually be appropriate for a financial asset. The fair value measurement for a liability reflects the risk that the obligation will not be fulfilled; that is, a nonperformance risk. This includes the consideration of the entity’s credit risk and its effect on the value of the liability. FAS 157 also assumes the existence of an “orderly transaction,” which means that there is no forced sale. Valuation techniques. FAS 157 discusses valuation techniques that are appropriate to measure fair value. In some cases, a single technique will Top_Aud_09_book.indb 206 9/30/2008 8:18:39 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 207 be appropriate, while in others multiple techniques may be used and their indications of value weighted. Market approach. This approach uses prices and other information involving identical or comparable assets or liabilities. Income approach. This approach uses valuation techniques to convert future amounts, such as earnings or cash flow, to a discounted present amount, based on market expectations about those future amounts. Cost approach. This is often referred to as current replacement cost, and is based on the amount that currently would be required to replace the service capacity of an asset. An appendix to FAS 157 provides discussion and guidance on the use of present value techniques in valuation. Fair value hierarchy. All valuation techniques depend on inputs derived from assumptions based on market data. FAS 157 prioritizes these inputs into three broad levels: Level 1 inputs are quoted prices in active markets for identical assets or liabilities that the entity has the ability to access at the measurement date. An active market is one in which transactions for the asset or liability occur with sufficient volume and frequency to provide ongoing pricing information. Quoted prices in active markets are considered the most reliable evidence of fair value, and should be used whenever available. Level 2 inputs are inputs other than level 1 that are observable either directly or indirectly. These include: Quoted prices for similar assets or liabilities in active markets. Quoted prices for identical or similar assets or liabilities in markets that are not active. Observable inputs other than quoted prices, such as interest rates or yield curves observable at commonly quoted intervals, credit risks, and default rates. Inputs derived from or corroborated by observable market data by correlation or other means. Level 3 inputs are unobservable inputs. When there is little or no market activity at the measurement date, the reporting entity is forced to make its own assumptions about the marketplace. Disclosures. FAS 157 expands the disclosures required for assets and liabilities measured at fair value. Those disclosures include information designed to assist readers of the financial statements in assessing the inputs used to develop fair value measurements. Where Level 3 inputs are used, the entity is required to disclose certain information to assist users in assessing the effects of the measurement on earnings for the period. Top_Aud_09_book.indb 207 9/30/2008 8:18:40 AM 208 TOP AUDITING ISSUES FOR 2009 CPE COURSE FAS 159. FAS 159, The Fair Value Option for Financial Assets and Financial Liabilities, expands the use of fair value measurement. It allows entities to choose to measure financial instruments and certain other items at fair value. It permits the election of the fair value option on an instrument-by-instrument basis. Once made, however, the election is irrevocable. It allows entities to mitigate volatility in reported earnings caused by measuring related assets and liabilities differently without having to apply hedge accounting provisions. It also establishes presentation and disclosure requirements designed to facilitate the comparability of entities that choose different measurement attributes for similar types of assets and liabilities. STUDY QUESTIONS 5. FAS 157 considers which of the following to be the most reliable evidence of fair value? a. Quoted prices for similar assets or liabilities in active markets. b. Quoted prices for identical assets or liabilities in active markets. c. Unobservable inputs in which the reporting entity makes its own assumptions about the marketplace. d. Observable inputs other than quoted prices, such as interest rates or yield curves observable at commonly quoted intervals. Defined Benefit Pension and Other Postretirement Plans FAS 158, Employers’ Accounting for Defined Benefit Pension and Other Postretirement Plans, strengthens financial reporting by requiring that employers recognize the overfunded or underfunded status of a defined benefit postretirement plan, other than a multi-employer plan, as an asset or liability. Changes in funded status are required to be recognized in the year in which they occur through comprehensive income for a business entity, or though changes in unrestricted net assets for a nonprofit organization. Employers are also required, with limited exceptions, to measure the funded status of a plan at year end. OBSERVATION FAS 158 causes information that was previously reported in the notes to be recognized in the financial statements. Reporting of the current funded status of postretirement benefit plans as an asset or liability enhances the capability of financial statement users to assess the employer’s ability to satisfy the benefit obligations without referring to the notes. Similarly, recognizing events and transactions that affect funded status in the financial statements in the year that they occur enhances the timeliness of financial statement information. Top_Aud_09_book.indb 208 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 209 Funded status. The funded status of a plan is the difference between plan assets at fair value and the benefit obligation. For pension plans, the benefit obligation is the projected benefit obligation. For any other postretirement benefit plan, the benefit obligation is the accumulated postretirement benefit obligation. Accumulated other comprehensive income. Gains or losses and prior service costs or credits that arise during the period but are not recognized as components of net periodic benefit cost are recognized, net of tax, as other comprehensive income. These amounts are later adjusted as they are subsequently recognized as components of periodic net benefit cost. Disclosures. FAS 158 requires footnote disclosure about certain effects on net periodic benefit cost for the coming fiscal year that arise out of delayed recognition of gains or losses, prior service costs or credits, and transition assets or obligations remaining from the initial application of FAS 87 and FAS 106. Effective dates. Provisions of FAS 158 contained different effective dates, depending upon whether or not the employer was an issuer of publicly traded securities or not. Those effective dates are all past as this Course goes to press. However, the requirement to measure plan assets and benefit obligations as of the date of the employer’s fiscal year end is effective for fiscal years ending after December 15, 2008. STUDY QUESTIONS 6. FAS 158 introduced as significant changes to previous accounting practice all of the following except: a. A requirement to measure the funded status of a plan as of the end of each fiscal quarter. b. A requirement to recognize in the financial statements events and transactions that affect funded status in the year that they occur. c. A requirement that employers recognize the overfunded or underfunded status of a defined benefit postretirement plan, other than a multi-employer plan, as an asset or liability. d. A required footnote disclosure about certain effects on net periodic benefit cost for the coming fiscal year that arise out of delayed recognition of gains or losses, or prior service costs or credits. Income Tax Accruals and Deferred Income Taxes FASB Interpretation No. 48, Accounting for Uncertainty in Income Taxes, (FIN 48) states that financial statement income tax accrual may contain tax positions that meet the more-likely-than-not standard. Tax positions in the current year or in any previous year for which the statute is still open that Top_Aud_09_book.indb 209 9/30/2008 8:18:40 AM 210 TOP AUDITING ISSUES FOR 2009 CPE COURSE do not meet this standard must be disclosed and may become the subject of increased scrutiny by taxing authorities. Evaluation of a tax position. Evaluation of a tax position under FIN 48 is a two-step process: Recognition. The entity determines whether a tax position is more likely than not to be sustained upon examination, which includes resolution through appeals or litigation, based on its technical merits. The entity should assume, when making this determination, that the taxing authority will have full knowledge of all relevant information. Measurement. A tax position that meets the more-likely-than-not test is measured to determine the amount of benefit to recognize in the statements. The amount of benefit is the largest amount that would be more than 50 percent likely of being realized on settlement. Tax positions may not initially meet the more-likely-than-not threshold, but in subsequent years that determination may change. Those positions should be recognized in the first subsequent financial statement reporting period in which the threshold is met. Likewise, previously recognized positions that no longer meet the threshold should be derecognized in the first subsequent period in which the threshold is no longer met. The use of a valuation allowance, such as for a deferred tax asset under FAS 109 is not appropriate as an alternative treatment for the derecognition of a tax position. OBSERVATION FIN 48 will result in increased work by accountants and auditors on the income tax accrual. Seemingly mundane issues such as unreasonable compensation or decisions to capitalize or expense will now need to be evaluated. It is important also to note that the evaluation should be done for each taxing jurisdiction, including states and local governments, as well as foreign governments where taxes are based on income. FIN 48 does not apply to property tax or other taxes not based on income. The FASB has issued FASB Staff Position FIN 48-1, Definition of Settlement in FASB Interpretation No. 48, in order to clarify that a tax position could be effectively settled upon examination by a taxing authority. The FSP describes conditions for evaluating effective settlement and offers guidance for determining effective settlement with respect to an examination by taxing authorities. For non-public entities, the effective date for FIN 48 was delayed for a year. It will not be effective for year-end December 31, 2008 fiscal years for non-public entities. Top_Aud_09_book.indb 210 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 211 Independence issues. Many practitioners have questioned whether they could assist clients in applying FIN 48, and still maintain their independence under Ethics Interpretation 101-3, Performance of Nonattest Services. (ET 101-3) The staff of the AICPA’s Professional Ethics Division has issued nonauthoritative guidance indicating that these services can be performed if the accountant or auditor meets all the requirements of ET 101-3 and is satisfied that the client can make informed judgments and take responsibility for the results of the services. STUDY QUESTIONS 7. Which of the following statements best applies to the evaluation of a tax position under FIN 48? a. In the recognition step of evaluating a tax position, the entity determines whether that position is more likely than not to be sustained upon examination based on its technical merits. b. When determining whether a tax position is more likely than not to be sustained upon examination, the entity should assume that the taxing authority’s knowledge of the relevant facts is limited to those disclosed in the financial statements. c. For a tax position that meets the more-likely-than-not test, the amount of benefit to recognize in the statements is the smallest amount that would be more than 50 percent likely of being realized on settlement. d. Evaluations of tax positions under FIN 48 apply only to United States federal income taxes. 8. Under ET 101-3, auditors cannot help their clients with FIN 48 implementation unless: a. The client is unable to make informed judgments about its implementation. b. They are satisfied that the client can take responsibility for the results of the services. c. The tax position is more likely than not to be sustained upon examination based on its technical merits. d. The client measures the amount of benefit to be recognized. DEVELOPING ISSUES The AICPA Clarity Project The Auditing Standards Board (ASB) has formed a Clarity Task Force to address widespread concerns over the complexity, clarity, and length of Generally Accepted Auditing Standards (GAAS). The objectives of this project are Top_Aud_09_book.indb 211 9/30/2008 8:18:40 AM 212 TOP AUDITING ISSUES FOR 2009 CPE COURSE to redraft existing auditing standards to make them easier to read, understand, and apply. Among the conventions for this redrafting are: Establishing objectives for each standard. Distinguishing requirements from application and other explanatory material. Presenting applications and other explanatory material in a separate section following the requirements section. Including a definitions section, where relevant, in each standard. Using formatting techniques such as bulleted lists to improve readability. Providing special considerations for audits of smaller, less complex entities and governmental entities. Over the coming two or three years, the ASB will redraft all of the existing auditing sections of the Codification of Statements on Auditing Standards using these conventions, and converging them with the International Standards on Auditing (ISA). The ASB expects that nearly all of the ISA requirements will be adopted, but that there will also be additional requirements to address specific U.S. issues, or to retain existing U.S. practices. This process will include an exposure draft and public comment period. In order to ease the transition to the redrafted standards, they will all have the same implementation date. At present that date is expected to be for periods beginning no earlier than December 15, 2010. OBSERVATION The new “clarity project” format closely resembles the format currently used by International Auditing and Accounting Standards Board (IAASB) in their standards, and thus should help make these two bodies of standards more mutually intelligible, as they move toward convergence. Since the publication of the Audit Risk Alert, two draft standards have been posted to the AICPA’s website: SAS 103 and SAS 114. These drafts can be accessed at www.aicpa.org/download/auditstd. OBSERVATION Although the comment periods on both of these exposure drafts are closed, they are well worth taking a look at. They have recast two complex recent standards into a form that most users are likely to find more readable. Top_Aud_09_book.indb 212 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 6 — Audit Risk Alert – 2007/08 213 STUDY QUESTIONS 9. Among the goals of the AICPA’s Clarity Project are all of the following except: a. Making U.S. auditing standards easier to read and understand. b. Maintaining U.S. GAAS separate and distinct from International Standards on Auditing. c. More clearly differentiating between professional requirements and application or explanatory material. d. Providing special considerations for audits of smaller, less complex entities. International Convergence The convergence of U.S. and international accounting and auditing standards is receiving serious attention by the profession in both the U.S. and the international community. Recent actions moving in that direction are summarized below. The ASB has created seven task forces charged with monitoring certain IAASB activities and working toward convergence with international auditing standards. The ASB has commented on several of their exposure drafts. Among the issues that have received attention are: Auditing accounting estimates. Related party transactions. Reports on audited financial statements. Going concern considerations. Management representations. Service organizations. Using the work of a specialist. Auditing standards. In addition, the Clarity Project, as noted above, is working to converge U.S. GAAS with the ISAs in its redrafting project. Accounting standards. The FASB and the IASB have reaffirmed their commitment to the convergence of U.S. GAAP and International Financial Reporting Standards (IFRS). Progress toward this goal was made with the issuance of FAS 157 and FAS 159, which take U.S. GAAP in the direction of IFRS in respect of fair value reporting. STUDY QUESTIONS 10. The issuance of FAS 157 and FAS 159 on fair value reporting have moved U.S. GAAP into closer conformity with IFRS. True or False? Top_Aud_09_book.indb 213 9/30/2008 8:18:40 AM Top_Aud_09_book.indb 214 9/30/2008 8:18:40 AM 215 MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 7 Peer Review and Quality Control: Upcoming Changes LEARNING OBJECTIVES At the conclusion of this chapter, the reader should: Have an overview of the changes to the peer review process. Understand the effects of the changes to the peer review process and the quality control standards on a firm’s system of quality control. Be aware of the implications of these changes for firm quality control documents. INTRODUCTION The AICPA has issued two documents that will usher in a new era in the peer review process and in systems of quality control for all firms that have accounting or auditing practices. These documents are: AICPA Standards for Performing and Reporting on Peer Reviews, which brings significant revisions to the procedures for performing and reporting on peer reviews. Statement on Quality Control Standards No. 7, “A Firm’s System of Quality Control (SQCS 7), which supersedes all of the existing Statements on Quality Control Standards. Both of these documents are effective January 1, 2009. Early implementation is prohibited. This chapter highlights the most significant of the many changes that these new Standards bring to quality control and peer review. It also discusses how these changes impact the peer review process, especially reporting, and the ramifications of these new Standards for firms’ systems of quality control and their quality control documents. THE PEER REVIEW PROCESS The AICPA Standards for Performing and Reporting on Peer Reviews (PRP) address the perceived call for “transparency” in the peer review process. These standards are intended to be more “principles based” and less “rules based” than the previous standards. The most important changes are: Creation of a new reporting model designed to be more understandable to users and easier to apply. This model changes the three current ratings Top_Aud_09_book.indb 215 9/30/2008 8:18:40 AM 216 TOP AUDITING ISSUES FOR 2009 CPE COURSE of “unmodified,” “modified,” and “adverse” to “pass,” “pass with deficiencies,” and “fail,” and eliminates the separate letter of comments. Consolidation of the existing report review and engagement review levels into a single level. Restructuring of the peer review program by the creation of a single set of standards for all AICPA members subject to peer review, rather than having separate standards for those peer reviews previously performed under the auspices of the AICPA’s Center for Public Company Accounting Firms. Reporting Model Changes The new reporting model is the most visible change, and one of the most significant, that these new standards have created. The new reports are more concise and understandable. The report grading scheme has also been simplified, and the old ratings of “unmodified,” “modified,” and “adverse” have been changed to “pass,” “pass with deficiencies,” and “fail.” The letter of comments has been eliminated. Definitions. The foundation of the new reporting model is a set of four terms that describe conditions that could be noted in a system review or an engagement review. These terms establish a hierarchy that matters gets elevated through in evaluating them, and in determining their effects on the peer review report. Matter. A matter is typically an item for which a “no” answer was given to a question in a peer review questionnaire, which a reviewer concludes warrants further consideration in the evaluation of a firm’s QC system or, in the case of an engagement review, in evaluating whether an engagement submitted for peer review was performed and/or reported on in conformity with applicable professional standards. Finding. In the context of a system review, a finding is one or more related matters that result from a condition in the firm’s QC system, or its compliance with the system, such that there is more than a remote chance that the firm would not perform and/or report in conformity with applicable professional standards. In an engagement review, a finding is one or more matters that the review captain concludes results in the financial statements or information, the related accountant’s reports submitted for review, or the procedures performed, including documentation, not being performed and/or reported on in conformity with professional standards. Deficiency. In the context of a system review, a deficiency is one or more findings that the reviewer concludes could, because of their nature, causes, pattern or pervasiveness, and their implications for the QC system as a whole, create a situation in which the firm would not have reasonable Top_Aud_09_book.indb 216 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 217 assurance of performing and/or reporting in conformity with professional standards in one or more important respects. A deficiency is not a significant deficiency in a system review when the reviewer concludes that, except for the deficiency or deficiencies, the firm has reasonable assurance of performing and reporting in conformity with professional standards in all material respects. In an engagement review, a deficiency is one or more findings that the review captain concludes is material to the understanding of the financial statements or information and/or related accountant’s reports, or represents the omission of a critical procedure, including documentation, required by applicable professional standards. Significant deficiency. In a system review, a significant deficiency is one or more deficiencies that the reviewer concludes results from a condition in the QC system, or the firm’s compliance with it, such that the firm’s QC system taken as a whole does not provide it with reasonable assurance of performing and/or reporting in conformity with applicable professional standards in all material respects. In an engagement review, a significant deficiency exists when the review captain concludes that deficiencies are evident on all engagements submitted for review. In system reviews, determining the significance of individual matters, either by themselves or in combination with others, in relation to the system of quality control, is a matter of professional judgment. While engagement reviews do not consider a firm’s system of quality control, determining the significance of individual matters, either by themselves or in combination with others, is also important to the process. Documentation. One of the most important changes in the process of per- forming peer reviews has to do with the way the program documentation is used to communicate findings to the firm. Under the old reporting model, a significant number of users found the letter of comments to be confusing. The users’ input further revealed a widespread misunderstanding of this letter’s purpose, in light of the fact that it does not affect the opinion or type of report issued. Also, drafting the letter of comment absorbs a significant amount of the reviewer’s time and effort. As a result of these considerations, the Peer Review Board decided to eliminate the separate letter of comments. The primary intent of the peer review program is, and always has been, to promote quality practice and to educate firms, rather than to regulate or punish them. For this reason, the Board wanted to retain a means of communicating findings and corrective actions to firms. Toward this end, existing peer review program documentation, outside of the reporting process, has been expanded, to allow peer reviewers to make substantive comments and recommendations and for firms to provide meaningful responses. Top_Aud_09_book.indb 217 9/30/2008 8:18:40 AM 218 TOP AUDITING ISSUES FOR 2009 CPE COURSE The new process involves the use of three forms in the peer review documentation: Matter for Further Consideration (MFC) form. This form is familiar and little changed from current practice. It typically results when a “no” answer to a question in a peer review questionnaire causes a reviewer to conclude that a matter warrants further consideration in the evaluation of a firm’s QC system or, in the case of an engagement review, in evaluating whether an engagement submitted for peer review was performed and/ or reported on in conformity with applicable professional standards. It contains spaces for the reviewer to describe the matter and to cite specific professional standards, along with room for the firm to comment upon the matter. This form is the “entry point” for either developing a finding that will be communicated in writing further down the line, or for resolving the matter. A matter is usually discussed with the firm, and may be cleared at this stage. If it does not get elevated further, a peer review report with a “pass” rating is issued. Disposition of MFC (DMFC) form. This is a new form. Its purpose is to summarize all MFCs and ensure that they have been addressed and to document how they were resolved. It does not require further description or explanation of the MFCs. This form is the next step in developing or disposing of a finding. Findings for Further Consideration (FFC) form. This is also a new form. It is to be used in situations similar to those that would require a letter of comments in the current peer review reporting model. It is to be prepared in a system review when there are findings that the team captain believes resulted in more than a remote possibility that the firm would not perform or report on an engagement in conformity with professional standards, but were not of such significance to include in a report with a “pass with deficiencies” or “fail” rating. In an engagement review, it is to be prepared when there are findings that the review captain believes resulted in financial statements or information; related accountant’s reports; or procedures performed that were not in conformity with applicable professional standards, but that were not deemed to be significant deficiencies to be included in a report with a “pass with deficiencies” or “fail” rating. This form provides a description of the finding, including whether it is a repeat, and the reviewer’s recommendations. It also identifies which MFCs are contained in the finding, and includes the reviewed firm’s response, including corrective actions, and the firm’s signature. These forms are reviewed by the administering entity and its peer review committee and are a part of the peer reviewer’s workpapers outside of the reporting and acceptance process. Neither they, nor any of the other peer review workpapers are made publicly available. They are, however, a part of Top_Aud_09_book.indb 218 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 219 the records of the peer review, which are maintained by both the administering entity and the peer reviewer until the completion of the next review. OBSERVATION Peer reviewers and firms alike have greeted this new scheme of documentation, and particularly the elimination of the letter of comments, enthusiastically. The letter of comments has long been problematic to reviewers for the time that it takes to draft. It has also been an occasional bone of contention with firms, who would prefer that certain matters not be recorded in a formal written document that is referred to in the body of the actual peer review report. Finally, matters in a letter of comments have sometimes been misinterpreted by members of the public, and have been attributed unwarranted significance. The new FFC form, since it not designed as a formalized communication, will likely save the review some drafting time. It allows reviewers to communicate matters to firms, but will also satisfy firms by keeping matters that do not affect the report outside of the reporting process. All but a small minority of states have some form of mandatory peer review requirement as a condition of licensure. The elimination of the letter of comments may yet become a politically charged issue if regulators or other users perceive this move as an effort to “sweep deficiencies in practice under the rug.” STUDY QUESTIONS 1. The purpose of the “Disposition of Matters for Further Consideration” (DMFC) form under the new Standards is to: a. Provide a description of the finding, including whether it is a repeat. b. Identify which MFCs are contained in particular findings. c. Summarize all “Matter for Further Consideration” (MFC) forms, ensure that they have been addressed, and document how they were resolved. d. Document matters warranting further consideration in the evaluation of a firm’s QC system. 2. Which of the following statements best applies to the “Findings for Further Consideration” (FFC) form under the new Standards? a. This form is an integral part of the reporting process. b. This form eliminates the current letter of comments. c. This form is subject to public inspection in jurisdictions with mandatory peer review requirements. d. Copies of this form should not be maintained by the peer reviewer after the completion of the review. Top_Aud_09_book.indb 219 9/30/2008 8:18:40 AM 220 TOP AUDITING ISSUES FOR 2009 CPE COURSE Reporting. The most visible effect of the revised Standards is a sweeping change in the reporting process. The peer review program will now offer three levels of reports: Pass. Pass with Deficiencies. Fail. These levels are similar to the current rating system of “unmodified,” “modified” and “adverse.” This terminology was adopted because of feedback indicating that the old terms were not clear to the public. Determining report ratings. In order to determine what rating a peer review receives, reviewers will refer to the definition of “finding,” “deficiency,” and “significant deficiency” in considering the matters raised in the peer review. Pass. In a system review, a finding is one or more related matters that result from a condition in the firm’s QC system, or its compliance with the system, such that there is more than a remote chance that the firm would not perform and/or report in conformity with applicable professional standards. In an engagement review, a finding is one or more matters that the review captain concludes results in the financial statements or information; the related accountant’s reports submitted for review; or the procedures performed, including documentation; not being performed and/or reported on in conformity with professional standards. Findings are documented, communicated to the firm, and responded to by the firm, on the new FFC form. In either a system review or an engagement review, when a reviewer concludes that no finding, individually or combined with others, rises to the level of a deficiency or significant deficiency, a report rating of “pass” is appropriate. Pass With Deficiencies. In a system review, a deficiency is one or more findings that the reviewer concludes could, because of their nature, causes, pattern or pervasiveness, and their implications for the QC system as a whole, create a situation in which the firm would not have reasonable assurance of performing and/or reporting in conformity with professional standards in one or more important respects. A system review report rating of “pass with deficiencies” is appropriate under these circumstances. In an engagement review, a deficiency is one or more findings that the review captain concludes are material to the understanding of the financial statements or information and/or related accountant’s reports or that represents the omission of a critical procedure, including documentation, required by applicable professional standards. When the reviewer concludes that deficiencies are not evident on all of the engagements submitted for review, or that the exact same deficiency exists on all engagements submitted for review and no other deficiencies are evident, a peer review rating of “pass with deficiencies” is ordinarily appropriate. Top_Aud_09_book.indb 220 9/30/2008 8:18:40 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 221 Fail. In a system review, a significant deficiency is one or more deficiencies that the reviewer concludes results from a condition in the QC system, or the firm’s compliance with it, such that the firm’s QC system taken as a whole does not provide it with reasonable assurance of performing and/or reporting in conformity with applicable professional standards in all material respects. A report rating of “fail” is appropriate under these circumstances. In an engagement review, a significant deficiency exists when the review captain concludes that deficiencies are evident on all engagements submitted for review, except when the exact same deficiency appears on multiple engagements and no other deficiencies were evident. When a significant deficiency exists, the reviewer concludes that all engagements submitted for review were not performed and/or reported on in conformity with applicable professional standards in all material respect. A peer review rating of “fail” is therefore appropriate. Under the new Standards, deficiencies will be cited in the body of the peer review report when a rating of “pass with deficiencies” is appropriate. Both deficiencies and significant deficiencies will appear in the body of the report when a rating of “fail” is appropriate. This is similar to the current practice, in which deficiencies that result in modified or adverse reports appear in those reports. The major difference, as noted above, is that findings that would, under the current Standards, be reported in a letter of comments will be recorded on an FFC form instead, which will remain outside of the reporting process. Significant changes to the old reporting model include: Shortening the length of the report. Revised language that is easier to understand and requires minimal tailoring to suit the needs of individual peer reviews. Reference to a URL for a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review, rather than detailing this information in the report or in an attachment, as is the current practice. Other reporting matters. All of these changes are directed toward the “transparency” issue, and toward making peer review reports easier for users to understand. Illustrations of all of the various possible types of reports for system and engagement reviews appear in the Appendices to the new Standards. The new reporting model is designed to promote consistency and efficiency, and to make the reports more understandable to readers. The process to determine which type of report to issue is more structured and rigorous. Reviewers, under the new Standards, evaluate threshold questions to distinguish between findings, deficiencies and significant deficiencies. Through this process, they arrive at a decision as to the type of report to issue. Top_Aud_09_book.indb 221 9/30/2008 8:18:40 AM 222 TOP AUDITING ISSUES FOR 2009 CPE COURSE One of the most significant results of this new process is that the Peer Review Board expects to see more “pass with deficiencies” peer review reports under the new Standards than “modified” reports under the old Standards. Table 7-1: Comparison of Peer Review Report Types Under Old and New Standards Old Standards Revised Standards Unmodified–No LOC: “Matters,” if any, recorded on MFCs OR Unmodified–LOC: “Finding(s)” reported in LOC Pass: “Finding(s),” if any, recorded on FFC “Matter(s), if any, recorded on MFC Modified: “Deficiency(ies)” reported in report “Finding(s),” if any, reported in LOC Pass With Deficiency: “Deficiency(ies)” reported in report “Finding(s),” if any, recorded on FFC “Matter(s), if any, recorded on MFC Adverse: “Deficiency(ies)” reported in report “Finding(s), if any, reported in report Fail: “Significant deficiency(ies)” reported in report “Deficiency(ies),” if any, reported in report “Finding(s),” if any, recorded on FFC “Matter(s), if any, recorded on MFC OBSERVATION The exposure draft process for the new reports indicates that most people agree that the new report ratings will be more understandable to the public, and that the new, more condensed report language will be well received. Some controversy arose in the exposure draft stage about the inclusion in the report of a URL referring readers to expanded information about the peer review program. The Board, after considering these comments, ultimately reaffirmed its belief that the URL helps accomplish the objectives of making the report more concise and understandable. Implementation plans. Under the old standards, a reviewed firm might be required to perform certain corrective actions to address deficiencies or comments reflected in a modified or adverse report or letter of comments. This process is essentially unchanged under the new standards when a firm has “pass with deficiencies” or “fail” report. However, because of the elimination of the letter of comments and related reporting model changes, a new process was needed to address findings in the FFC forms. Under the new Standards, the committee considers and evaluates the findings in the FFC forms, which include the recommendations of the review team and the firm’s responses. The firm may be required to evidence its agreement to an Top_Aud_09_book.indb 222 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 223 implementation plan for corrective actions in writing, and to complete those actions as a condition of cooperation with the administering entity. If the firm fails to cooperate with the implementation plan, it could be subject to due process procedures resulting in termination from the peer review program. STUDY QUESTIONS 3. When a reviewer concludes that no finding, individually or combined with others, rises to the level of a deficiency or significant deficiency, which of the following report ratings is appropriate under the new Standards? a. b. c. d. Pass. Unmodified. Modified. Pass with deficiencies. 4. Among the significant changes to the old reporting model include all of the following except: a. Shortening the report. b. Revised language that is easier to understand. c. Reference to a URL for a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review. d. Revised language that encourages more tailoring to suit the needs of individual peer reviews. Consolidation of Existing Report and Engagement Reviews The old Standards provided for three levels of peer review: system, engagement and report. The new Standards pare this down to two by merging the old report review process into the engagement review process. Under the old Standards, engagement reviews generally were for firms that perform reviews or full-disclosure compilations, and report reviews were for firms that perform only compilations that omit substantially all disclosures. The objectives of these two levels of peer review, and the processes for performing and reporting on them, are so similar that the Board felt it would simplify the program and create more clarity for users of peer review reports to consolidate these two levels of peer review. Program Restructuring The new Standards restructure the nationwide program into one single program for all firms and do away with the separate program under the auspices of the old Center for Public Company Accounting Firms (CPCAF) for firms that audit SEC issuers. The majority of peer reviews, for firms that do not have SEC practices, will continue to be administered largely by state societies, as is the current practice. Reviews that previously fell under the CPCAF program Top_Aud_09_book.indb 223 9/30/2008 8:18:41 AM 224 TOP AUDITING ISSUES FOR 2009 CPE COURSE will now be conducted under the same standards as all other peer reviews but will be administered by a newly-created National Peer Review Board. OBSERVATION The Board and most “stakeholders” in the peer review program view the consolidation of these two programs as a positive step. Public feedback indicated that existence of two parallel, but not identical, programs was confusing and unnecessary. STUDY QUESTIONS 5. The new Standards have merged the old report review process into the engagement review process. True or False? QUALITY CONTROL SYSTEMS SQCS 7 contains many significant changes to previously existing quality control practices. The most sweeping of those include: A requirement for all firms with accounting or auditing practices to have documented quality control policies and procedures. The old SQCSs required firms to have quality control policies and procedures, but allowed considerable discretion in deciding whether, or to what extent, they should be documented. While the new SQCS still allows discretion as to the extent of documentation, based upon a firm’s size and operating characteristics, even the smallest firm should have some documentation. This applies even to firms that do only compilations and reviews. Addition of a new element, entitled “leadership responsibilities for quality control within the firm,” to the required elements of quality control. This element is also referred to as “tone at the top.” A requirement for firms to assign management responsibilities so that commercial considerations do not override the objectives of the quality control system, and to design its personnel policies, including compensation, to demonstrate an overarching commitment to quality. A requirement for annual written independence confirmations from staff who are subject to independence rules Requirements for policies and procedures related to resolving differences of professional opinion, and for dealing with complaints or allegations of noncompliance with professional standards or with the firm’s system of quality control. Requirements for annual monitoring procedures. These requirements include a significant new requirement for “engagement quality control reviews.” These are pre-issuance reviews, conducted by a person not con- Top_Aud_09_book.indb 224 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 225 nected with the performance of the engagement, and are required to be conducted under certain circumstances defined by the firm. Documentation and Communication SQCS 7 requires that all firms should document their quality control policies and procedures. The extent of documentation necessary depends on the size, structure and nature of the practice. OBSERVATION This is a significant new requirement. Under the previous SQCSs, all firms with accounting and auditing practices were required to have QC systems. However, there was no requirement that all firms document their QC systems. This led to a misconception that firms that do not perform audits, and thus to not have system reviews, do not need to have a QC system. This was untrue under the old SQCSs, and continues to be untrue. Even firms that have only compilation and/or review practices must establish systems of quality control. SQCS 7 explicitly recognizes the obvious fact that the QC system for a sole practitioner who performs only compilations omitting substantially all disclosures will be significantly less complex and will require less documentation than a large, multi-office auditing firm. Nonetheless, both firms should now have documented QC systems, even though firms that have engagement reviews will never have their systems peer reviewed. Existing peer review documentation for system reviews has required firms to complete a quality control policies and procedures questionnaire, which, for many small firms, serves as their QC document. Indications are that this will continue to be an acceptable practice under SQCS 7. This may be an efficient approach to QC system documentation for many smaller firms. As a result of this requirement, it is likely that many firms will turn to purchased practice aids as a source of documentation for their QC systems. This is an efficient method of creating an effective quality control document. However, firms should be careful not to adopt “canned” systems without carefully considering how they fit their practices, and modifying them as appropriate for their individual firm needs. Most importantly, firms should be careful not to impose upon themselves requirements that exceed the requirements of professional standards unless they actually intend, and have the resources to comply with them. By adopting standards that they cannot comply with, the peer review will be obliged to hold them to the higher standard that their QC document sets, and will thus put them out of compliance with their own system. Firms should, under SQCS 7, communicate their QC policies and procedures to their personnel. The spirit of this standard is that such communication should be effective in explaining the system’s objectives and in delivering the message that each individual in the firm is responsible for quality work. Top_Aud_09_book.indb 225 9/30/2008 8:18:41 AM 226 TOP AUDITING ISSUES FOR 2009 CPE COURSE While this was always implied under the previous Standards, SQCS 7 makes it an explicit requirement. It does state, however, that the communication need not be in writing. STUDY QUESTIONS 6. A significant change introduced by SQCS 7 relative to the documentation of quality control systems is that: a. Firms that do only compilations and reviews can elect not to have documented quality control policies and procedures. b. Firms that do not have system reviews are not required to document the quality control policies and procedures for their accounting practices. c. Only firms with auditing practices should have documented quality control policies and procedures. d. All firms with accounting or auditing practices should have documented quality control policies and procedures. Elements of a Quality Control System SQCS 7 contains six elements, including one completely new element, that firms should address in their QC systems. Leadership responsibilities for quality within the firm. This element is otherwise referred to as “tone at the top.” It first entered the professional literature in the Public Companies Accounting Oversight Board (PCAOB) inspection process, and has been adopted in the AICPA’s philosophy for nonSEC practice. Its essence is that firms should promote an internal culture based on the recognition that quality is essential and should adopt policies and procedures to support that culture. The firm’s leadership, which may be its managing partner, board, CEO or equivalent, should assume ultimate responsibility for the QC system. SQCS 7 explicitly recognizes that a firm’s business strategy is subject to the overarching requirement for the firm to achieve the objectives of its QC system, and that commercial consideration cannot be allowed to override the system. The examples that the firm’s leadership set, such as recognizing and rewarding quality work through policies and procedures for performance evaluation, compensation, and promotion, can significantly influence the firm’s culture. Under this new element, the firm’s leadership should assume ultimate responsibility for the QC system, and should: Promote an internal culture based on the recognition that quality is essential. Establish policies and procedures to promote that culture. Top_Aud_09_book.indb 226 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 227 Recognize that its business strategy is subject to the overarching requirement for quality in all engagements performed, and accordingly should: Assign management responsibilities so that commercial considerations do not override the quality of work. Address performance evaluation, compensation, and promotion so as to demonstrate a commitment to the QC system. Devote sufficient appropriate resources to developing, communicating, and supporting quality control policies and procedures. OBSERVATION This is a new element in the AICPA’s model for QC systems. It addresses perceptions that have been held by some people both inside and outside the profession that profit-making considerations sometimes override a commitment to quality. One of the foremost of these, from the point of view of some members of the profession, has to do with compensation and advancement. Whether or not it is true within any particular firm, there has long been a perception that the “rainmakers,” that is, those who bring in and manage high-paying client engagements, get compensated and promoted ahead of the “technicians” upon whose skill the relationship rests. The PCAOB, in some of its early inspection reports, explicitly cited this as a “tone at the top” issue that sends a message that the firm’s management is less serious about the quality of work than it is about commercial considerations. STUDY QUESTIONS 7. SQCS 7’s new quality control element, “leadership responsibilities for quality within the firm” requires that: a. The firm’s leadership should assume ultimate responsibility for the QC system. b. The firm’s business strategy should give commercial considerations and quality control equal weight in designing and achieving the objectives of its QC system. c. The firm should consider adopting policies and procedures designed to promote an internal culture based on the recognition that quality is essential. d. The firm’s leadership should assign ultimate responsibility for the QC system to a suitably qualified partner of the firm. Relevant ethical requirements. This element was entitled “independence, integrity and objectivity” in the old SQCSs. As the expanded wording implies, this section expands guidance that explicitly incorporates legal and ethical Top_Aud_09_book.indb 227 9/30/2008 8:18:41 AM 228 TOP AUDITING ISSUES FOR 2009 CPE COURSE requirements into the conceptual framework for this QC element. Three new provisions are of particular interest: Written independence confirmations are required at least annually under the new SQCS. This is arguably a codification of existing “best practices” under the old SQCSs, but it represents a significant new documentation requirement. This requirement may also be satisfied on an engagementby-engagement basis. Firms and professionals within them will have direct responsibility for identifying and resolving breaches of independence requirements. Firms will be required to implement policies and procedures to provide them with reasonable assurance of being notified when breaches occur. These include requirements for personnel to promptly notify the firm of circumstances that pose a threat to independence, or of actual breaches of independence requirements. The engagement partner is specifically charged with responsibility for taking required corrective actions, and for confirming to the firm and to relevant personnel that those actions have been taken. The new SQCS discusses the “familiarity threat” that may result when the same senior personnel are used on an audit or attest engagement for a long time. It imposes no specific requirements related to this concern. However, its explicit mention raises this issue, which has long been discussed in the profession, to a new level of importance. OBSERVATION These new provisions represent a significant shift in the profession’s attitude toward a more practical and proactive view of quality control, and away from a theoretical, academic view. The documentation requirement is seen in SQCS 7 as a means of keeping independence matters visible to firm personnel and demonstrating their importance. The new requirements also specifically require appropriate corrective action, by specific people in the firm when threats to independence arise, including “closing the loop” on that corrective action to the firm. OBSERVATION The discussion about the “familiarity threat” avoids mention of the obvious solution—personnel rotation—because this is not feasible in many small firms. The issue will, however, likely provoke some discussion among large and small firms alike, about policies and procedures to address the familiarity threat. Top_Aud_09_book.indb 228 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 229 Acceptance and continuance of client relationships and specific engagements. This element expands on the requirements and guidance of the previous QC element entitled “acceptance and continuance of clients and engagements.” Two significant changes emerge from this guidance: Firms should document how acceptance or continuance issues that arose during the acceptance/continuance decision process were resolved when they decide to accept or continue a client relationship or a specific engagement. Firms should have policies and procedures for withdrawal from a specific engagement or from a client relationship, which should include documenting significant issues, consultations, and conclusions. Human resources. This element was previously known as “personnel man- agement.” There are few significant changes to the old Standards under this element. However, one area of particular interest, in connection with the discussion of “tone at the top” issues, is the additional emphasis placed on the role of performance evaluation, compensation, and advancement procedures in a QC system. It says that effective procedures give “due recognition and reward” to the development and maintenance of competence and commitment to ethical principles. Similar wording appears under the “leadership responsibilities” element. OBSERVATION The fact that this concept is discussed in depth under both elements signals the importance that standard-setters have placed on it. Although not explicitly stated, one of the intentions of giving “due recognition and reward” to the “technicians” in a firm is to influence the economics of the profession such that audit engagements are no longer given away as lossleaders by firms that wish to use them to gain access to more lucrative consulting engagements. Engagement performance. Guidance on engagement documentation, documentation confidentiality, safeguarding, and retention has been added, primarily to bring the SQCS literature into line with recently released documentation requirements in the auditing and other professional standards. One of the most significant and controversial provisions in the new SQCS is the requirement for engagement quality control reviews. An engagement QC review is a pre-issuance process performed by persons who are not otherwise involved in performing the engagement. It is designed to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report. This process has often been referred to as “concurring review.” Top_Aud_09_book.indb 229 9/30/2008 8:18:41 AM 230 TOP AUDITING ISSUES FOR 2009 CPE COURSE When the exposure draft of this SQCS was issued, a misconception arose that engagement QC reviews, or “concurring reviews” were to be required on all engagements. A reading of that exposure draft and of the final standard shows clearly that this is untrue. Firms are required, however, to set down criteria for which engagements are required to have engagement QC reviews. These criteria may take into account matters such as: The nature of the engagement. Whether the engagement involves public interest. Unusual circumstances or risks in the engagement. Legal or regulatory requirements. It is therefore the firm that controls which engagements are to be subject to engagement QC review. However, once a firm establishes these criteria, all engagements that meet the criteria should be subjected to engagement QC review. The new SQCS lists certain procedures that should be included in engagement QC reviews. Reading the financial statements or other subject matter information. Reading the report on the engagement. Consideration of whether the report is appropriate. A discussion with the engagement partner about significant issues and findings. Review of selected engagement documentation. Documentation showing: A description of the procedures applied in the engagement QC review. The completion of the engagement QC review before report issuance. That the reviewer is not aware of unresolved matters that would call into question the engagement team’s judgment. Individual firms may specify additional procedures, such as review of specific types of engagement documentation, in their QC policies and procedures. OBSERVATION The new SQCS is explicit in stating that the engagement QC review does not reduce the responsibilities of the engagement partner. The new SQCS contains detailed criteria for eligibility of engagement QC reviewers. These may include: Technical qualifications. Limitations on other participation in the engagement by the engagement QC reviewer, including making decisions for or extensive consultation with the engagement team. Objectivity. Top_Aud_09_book.indb 230 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 231 It also says that sole practitioners or small firms may contract suitably qualified external persons or firms to facilitate engagement QC reviews. One other set of changes to existing practice centers around the role of consultation in the QC system. The new SQCS contains a requirement for policies and procedures to deal with differences of opinion between the engagement team and persons consulted. These include requirements that conclusions reached through consultation be both documented and implemented. Finally, there is a presumptively mandatory requirement that the report should not be issued until differences of opinion are resolved in accordance with the firm’s policies and procedures. OBSERVATION These new requirements related to consultation follow the philosophical thread under the independence element that the QC literature is becoming more practical and implementation-oriented, and less theoretical. It is no longer sufficient simply to look a matter up in the professional literature, or discuss a matter with an expert colleague. Under the new standards, a conclusion must be both documented and implemented. STUDY QUESTIONS 8. Which of the following statements best applies to the engagement quality control review? a. It is a post-issuance process performed by persons who are not otherwise involved in performing the engagement. b. It is a pre-issuance process performed by or under the supervision of the engagement partner. c. It is a pre-issuance process performed by persons who are not otherwise involved in performing the engagement. d. It is a post-issuance process performed by or under the supervision of the engagement partner. 9 Engagement quality control reviews are required on all audit engagements. True or False? Monitoring. The requirements for monitoring have been augmented considerably in the new SQCS, to underscore the importance of this element to all firms. The guidance under the old SQCSs was largely advisory in nature. Under the new requirements, firms should: Establish policies and procedures to provide reasonable assurance that their QC systems are relevant, adequate, effectively operating, and complied with in practice. Top_Aud_09_book.indb 231 9/30/2008 8:18:41 AM 232 TOP AUDITING ISSUES FOR 2009 CPE COURSE Include ongoing consideration and evaluation of the QC system to determine that it is appropriately designed and effectively operating. Assign responsibility for monitoring to qualified individuals. Require the performance of sufficiently comprehensive monitoring procedures to enable the firm to assess compliance with applicable standards, regulatory requirements, and its own QC policies and procedures. Evaluate the effects of deficiencies noted in monitoring to determine if they are systemic in nature. Communicate deficiencies and recommendations for remedial action to appropriate firm personnel at least annually. SQCS 7 provides detailed illustrations of procedures that a firm may include in its monitoring process. None of these procedures are specifically required, either individually or in combination with others. It is difficult, however, to imagine an effective monitoring program that does not include at least some of the following: Review of selected administrative and personnel records pertaining to QC elements. Review of engagement documentation and financial statements. Discussions with firm personnel. Summarization of findings at least annually. Consideration of the systemic causes of findings. Determination of corrective actions. Communication of findings to firm management. Consideration of findings by appropriate firm personnel. Assessment of: The appropriateness of the firm’s guidance materials and practice aids. The effects of new developments in standards, legal and regulatory requirements. Compliance with independence policies. Effectiveness of continuing professional development. Acceptance and continuance decisions. Understanding and implementation of the firm’s QC policies and procedures by firm personnel. Top_Aud_09_book.indb 232 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 233 OBSERVATION Some monitoring elements appear to be either poorly understood or poorly implemented in practice. Most firms do a good job of monitoring the “engagement performance” element at the specific engagement level. Some firms give less importance to human-resources related concerns. As a result, they may not be effectively monitoring compliance with continuing education requirements other than the minimum requirements to maintain licensure. They also may not truly know whether its personnel are familiar with its QC document. Even fewer firms, it seems, go the extra step of summarizing their monitoring findings annually, and considering their systemic implications. This may grow into a significant issue for peer reviews conducted under the new SQCS. OBSERVATION The monitoring element, and particularly the task of documenting the achievement of its objectives, has long been a conceptual headache for many small firms. Under the new Standards, which require even the smallest of firms to have a documented QC system, this headache is likely to get worse. As a practical matter, however, this need not be so. Consider the fact that all practitioners perform procedures, sometimes intuitively, which, if they were documented in even a minimal fashion, would suffice as monitoring procedures. For example, all practitioners presumably at least “eyeball” their accounts receivable once in a while and would not likely commence an audit engagement when the previous year’s audit fee had not been paid. This mental process is in fact a monitoring procedure for the firm’s independence and objectivity. It would take but little effort on the part of even the smallest solo practitioner to place a copy of an accounts receivable aging in a file folder labeled “Monitoring” at least once a year, with notations penciled on it to show that the effect of uncollected fees on independence had been considered and appropriately acted upon. Similarly, all practitioners and firms presumably review the prior year’s engagement documentation when preparing to perform the current year’s engagement. These informal reviews sometimes reveal matters that would be “findings” in a formal inspection program, such as noncompliance with the firm’s documentation policies, or minor engagement performance issues. It would take little additional effort to place brief notations of these findings in a “Monitoring” file, and to summarize them once a year, consider their systemic implications, and take some corrective action where necessary. The inspection process has long been a component of monitoring. SQCS 7 defines inspection as a retrospective evaluation of the adequacy of the firm’s QC policies and procedures, and its personnel’s understanding of and compliance with them. Inspection has often been characterized as an “internal peer review.” Top_Aud_09_book.indb 233 9/30/2008 8:18:41 AM 234 TOP AUDITING ISSUES FOR 2009 CPE COURSE SQCS 7 carries forward substantially unchanged the provisions of the old SQCSs for small firms in which “self-monitoring” is a practical necessity. It continues to stress, in this context, the need for individuals to be able to critically review their own performance and maintain a mental attitude of continual improvement. It also acknowledges that certain circumstances, such as obtaining clients in new industries, or significant changes in firm size, along with the inherent limitations of self-monitoring, may indicate the need to engage a qualified outside person to perform inspection procedures. It is important to note that, while a firm may, in the year of its peer review, substitute the peer review for its inspection procedures, the peer review does not take the place of the firm’s internal monitoring program for that year. OBSERVATION SQCS 7 clarifies the significance of deficiencies noted in engagements. Deficiencies in individual engagements do not, in and of themselves, indicate that the firm’s QC system is insufficient to provide reasonable assurance of compliance with professional standards. Deficiencies need, rather, to be evaluated to determine if they result in systemic, repetitive, or other significant deficiencies. Another new requirement in the new SQCS is for the firm to establish policies and procedures for dealing with complaints and allegations of substandard work. These policies and procedures should include: Establishment of clearly defined channels for firm personnel to raise concerns without fear of reprisal. Provisions for investigating complaints under the supervision of a person with sufficient appropriate experience and authority who is not otherwise involved in the engagement. Provisions for documenting complaints, allegations, and responses to them. Some firms are considering the Sarbanes Oxley-like step of establishing an outside telephone hotline that reports complaints to senior firm leadership directly, outside of the normal chain of command, and allows for anonymous reporting. Other firms, especially small and mid-sized firms are considering using the services of qualified external persons or firms to carry out these investigations. Finally, the new SQCS requires that evidence of the operation of each element of the QC system be documented, and retained for a sufficient time to permit those performing monitoring and peer review to evaluate Top_Aud_09_book.indb 234 9/30/2008 8:18:41 AM MODULE 2 — CHAPTER 7 — Peer Review and Quality Control: Upcoming Changes 235 compliance. The form and content of this documentation may depend on firm size, its number of offices, and the nature and complexity of its organization and engagements. STUDY QUESTIONS 10. SQCS 7 envisions that an effective monitoring program might include any of the following except: a. Assessment of the appropriateness of the firm’s guidance materials and practice aids. b. Discussions with firm personnel. c. Performance of engagement quality control reviews. d. Review of selected personnel records pertaining to QC elements. CPE NOTE: When you have completed your study and review of chapters 4-7, which comprise Module 2, you may wish to take the Quizzer for this Module. For your convenience, you can also take this Quizzer online at www. cchtestingcenter.com. Top_Aud_09_book.indb 235 9/30/2008 8:18:41 AM 250 TOP AUDITING ISSUES FOR 2009 CPE COURSE 14. a. Correct. SAS 112 permits auditors to issue written communications stating that no material weaknesses were identified during the financial statement audit, if they choose to do so. b. Incorrect. Auditors are prohibited by SAS 112 from issuing written communications stating that no significant deficiencies were identified during the audit. Financial statement audits are not designed to detect every significant deficiency that may exist. For this reason, it would be misleading to readers to give the impression that no significant deficiencies exist. c. Incorrect. Auditors are permitted, but not required to issue written communications indicating that no material weaknesses were identified during the financial statement audit. d. Incorrect. Auditors are permitted to issue written communications indicating that no material weaknesses were identified during the financial statement audit. Often clients request such a communication for purposes of regulatory compliance. 15. False. Correct. In order to meet the threshold of SAS 112, a client needs to be able to perform a particular accounting function, such as preparing financial statements, correctly without auditor assistance. The ET 101-3 threshold is a lower level of understanding. In order to meet this threshold, the client need not have the capability to perform the function, but must be able to understand and take responsibility for the adequacy of the auditor’s work product. It is important also to remember that SAS 112 speaks to the client’s internal control, while ET 101-3 speaks to the auditor’s independence. True. Incorrect. SAS 112 requires a higher level of understanding from the client. If a client does not have this level of understanding, that is the capability to perform the particular accounting function, such as drafting financial statements, by itself, the auditor may perform that service for the client. In this case, however, a control deficiency which is likely a material weakness exists, that the auditor must communicate to management and those charged with governance. In this case, the client should have a level of understanding sufficient to meet the requirements of ET 101-3, in order for the auditor to retain independence. This requires that the client be able to understand and take responsibility for the adequacy of the ancillary service. MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 4 1. c. Correct. Audit documentation serves many purposes, however its primary purpose is to provide the principal support for the representation in the auditor’s report that the engagement was performed in accordance with GAAS, and for the opinion (or disclaimer of opinion) on the financial information. Top_Aud_09_book.indb 250 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 4 251 a. Incorrect. Audit documentation is necessary to assist supervisors in directing and reviewing the audit work, and also for assisting external inspectors and peer reviewers, but this is not its primary purpose. b. Incorrect. While it is true that good audit documentation enables quality control reviewers to understand how the engagement team reached significant conclusions, this is not its primary purpose. d. Incorrect. Audit documentation is a necessary element of audit quality, and is a major factor in contributing to the quality of audits. However, good documentation alone cannot guarantee audit quality, without the performance of appropriate auditing procedures. 2. c. Correct. It is not necessary to keep complete copies of all contracts or agreements that are inspected during an audit. It is, however, required that abstracts or copies of important documents such as contracts or agreements be retained if they are necessary for an experienced auditor to understand the work performed and the conclusions reached. a. Incorrect. Audit programs are a required element of all audit documentation. b. Incorrect. SAS 103 lists summaries of significant findings or issues as one of the elements ordinarily included in audit documentation. d. Incorrect. Representation letters are a required element of all audit documentation. 3. True. Correct. The Statement allows documentation in an audit file for a specific engagement to contain cross-references to audit documentation for related entities such as parent or subsidiary companies or pension plans. False. Incorrect. Cross-referencing between audit files of related entities is an efficient documentation technique that is allowed by SAS 103. 4. b. Correct. The Statement is clear that oral explanations on their own do not constitute sufficient support for the audit work or for its conclusions. a. Incorrect. Oral explanations, while not encouraged by this Statement, are admissible for clarifying or explaining information contained in the audit documentation. c. Incorrect. While oral explanations on their own never constitute sufficient support for the audit work or for its conclusions, they may be used to clarify or explain information contained in the audit documentation. d. Incorrect. Oral explanations, on their own do not constitute sufficient support for the audit work or for its conclusions. 5. d. Correct. Unique item numbers, such as purchase order or check numbers are considered acceptable document identifiers. Top_Aud_09_book.indb 251 9/30/2008 8:18:43 AM 252 TOP AUDITING ISSUES FOR 2009 CPE COURSE a. Incorrect. For observation procedures, acceptable identifiers must include both when and where the observation was made as well as the process or subject of the observation, persons involved and their responsibilities. b. Incorrect. For inquiry procedures, acceptable identifiers must include the date and subject matter of the inquiry and the positions of the persons inquired of, as well as their names. c. Incorrect. For systematic samples, an acceptable document identifier must include the starting point, such as “the 5th item,” as well as the population of documents and interval. 6. c. Correct. SAS 103 requires that t documentation completion take place no later than 60 days after the report release date. a. Incorrect. The documentation retention period runs for five years after the report date, not the report release date, unless a longer period is required by law or regulation. b. Incorrect. The documentation completion date may be no later than 45 days after the report release date under PCAOB Auditing Standards. The SAS 103 requirement is 60 days. d. Incorrect. The date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion is the earliest date permissible for the report date. The report release date, according to the definition in SAS 103, is the date that the auditor grants permission for the audit report to be used in connection with the financial statements. a. Incorrect. Under SAS 103, as well as under PCAOB standards, the documentation completion date is determined with reference to the report release date. For SAS 103 purposes, that is no later than 60 days after the report release date. The PCAOB standards require a shorter 45 day period. The report release date, however, is not determined with reference to the documentation completion date. b. Incorrect. Under SAS 103, the last date of audit field work is of little relevance for purposes of audit documentation. d. Incorrect. SAS 103 defines report date as the date on which the auditor obtained sufficient appropriate audit evidence to support the opinion, not the report release date. 7. c. Correct. 8. b. Correct. It is important to remember that the five year documentation retention period specified by SAS 103 is a minimum, which may be extended by requirements of statute or regulation or by firm policy. a. Incorrect. The documentation retention period runs for seven years after the report date under PCAOB Auditing Standards. Top_Aud_09_book.indb 252 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 4 253 Both SAS 103 and the PCAOB Auditing Standards define their documentation retention periods with reference to the report date, not the balance sheet or period end date. d. Incorrect. While the minimum documentation retention period runs for five years after the report date, it may be extended for a longer period if required by law, regulation, or firm policy. c. Incorrect. 9. a. Correct. SAS 103 allows the auditor to delete incorrect or superseded information from the audit documentation after the report date but before the document completion date. b. Incorrect. After the report date but before the document completion date, the auditor may make changes to the audit documentation but must document when and by whom the change was made and reviewed, as well as the reason for the change and its effect on the audit conclusions. c. Incorrect. SAS 103 permits the auditor, after the report date but before the document completion date, to add information to the audit documentation, such as an original of a document that was previously faxed, that was received after the report date. d. Incorrect. SAS 103 permits the auditor to sign off on file completion checklists after the report date but before the document completion date. 10. b. Correct. At the auditor’s discretion, copies of the audit documentation may be made available to the entity, as long as doing so does not compromise independence or the validity of the audit process. a. Incorrect. There is no provision in SAS 103 prohibiting the auditor from making audit documentation available to the entity, where doing so does not compromise independence or the validity of the audit process. c. Incorrect. Obviously, certain items within the audit documentation, such as the adjusting entries, a summary of unadjusted differences, or a management letter, will be communicated to the entity. However, there is no requirement that an auditor release portions of the audit documentation as such to the entity. d. Incorrect. Allowing the use of audit documentation as a part of the client’s accounting records may cause an impairment of independence, and should be avoided. AS-3 defines an “experienced auditor” as one who is knowledgeable about auditing and has “studied” the industry. a. Incorrect. SAS 103 requires that an “experienced auditor” would have been capable of performing the audit but this is not a requirement of the PCAOB’s standards. 11. c. Correct. Top_Aud_09_book.indb 253 9/30/2008 8:18:43 AM 254 TOP AUDITING ISSUES FOR 2009 CPE COURSE SAS 103 requires that an “experienced auditor” must understand audit processes, the SASs, and legal and regulatory requirements applicable to the entity’s industry. The PCAOB requires only a “reasonable understanding of audit activities.” d. Incorrect. SAS 103 requires that an “experienced auditor” must understand the entity’s business environment, and the auditing and reporting issues applicable to its industry. The PCAOB requires only that the experienced auditor have “studied the industry.” b. Incorrect. 12. True. Correct. SAS 99 creates a presumption that revenue recognition is a fraud risk. If the auditor does not consider improper revenue recognition to be a fraud risk, the auditor is required to document a justification for this conclusion. False. Incorrect. Improper revenue recognition is presumed to be a fraud risk unless the auditor can demonstrate otherwise. Documentation of reasons why improper revenue recognition is not a risk is required to overcome this presumption. 13. a. Correct. SAS 107 contains a requirement for auditors to document the basis on which materiality, as well as tolerable misstatement, was determined. b. Incorrect. Auditors are required to document materiality for tolerable misstatement, which applies to account balances, transactions classes and disclosures. c. Incorrect. Auditors are required to document changes made to materiality levels during the audit. d. Incorrect. Audit documentation should include consideration of the effects of uncorrected misstatements from prior periods on the current period’s financial statements. 14. c. Correct. The summary of uncorrected misstatements should include consideration of their aggregate effects, including impact on significant financial statement totals or subtotals, such as current assets and liabilities, working capital, gross sales, or gross margin. a. Incorrect. Auditors are required under SAS 107 to consider both known and likely uncorrected misstatements. b. Incorrect. Auditors are required under SAS 107 to summarize uncorrected misstatements in a way that facilitates separate consideration of known and likely misstatements. d. Incorrect. Auditors are required under SAS 107 to document a conclusion as to the materiality of uncorrected misstatements, both individually and in the aggregate. Top_Aud_09_book.indb 254 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 5 255 15. False. Correct. As both a documentation and a performance requirement under SAS 109, auditors should assess the risks of material misstatement at both the financial statement and the relevant assertion levels. True. Incorrect. SAS 109 requires auditors to document the assessment of the risks of material misstatement down to the relevant assertion level for significant account balances, transaction classes, and disclosures, which is one level below the financial statement level. MODULE 2 — CHAPTER 5 1 c. Correct. The Risk Assessment Standards emphasize the concept of considering risk of misstatement not only at the level of the financial statements taken as a whole, but also at the level of individual account balances, classes of transactions, and disclosures. a. Incorrect. Recent professional standards, including ET 101-3, the Risk Assessment Standards, and SASs 112 and 114 have sought to differentiate the auditor’s responsibilities from those of management and other financial statement users. b. Incorrect. The Risk Assessment Standards have eliminated the concept of defaulting to a “maximum risk assessment” without developing an understanding of control to support that assessment. d. Incorrect. The idea of linking audit procedures to risks is central to the Risk Assessment Standards. Audit procedures should be proportional to assessed risk. 2. b. Correct. SAS 106 groups the 13 assertions into three broad categories: account balances, classes of transactions and events, presentation and disclosure. a. Incorrect. Completeness, occurrence, rights and obligations, valuation/ allocation, and presentation and disclosure are the relevant assertions that were identified in previous auditing standards. All of these assertions reappear in SAS 106 under one or more broad categories. c. Incorrect. Completeness, classification and understandability, accuracy and valuation are the relevant assertions listed by SAS 106 under the broad category of account balances. d. Incorrect. Occurrence, completeness, accuracy, cutoff, and classification are the relevant assertions listed by SAS 106 under the broad category of classes of transactions and events. SAS 106 states as a presumptively mandatory requirement that substantive procedures should be performed in all audits for all relevant assertions related to each material class of transactions, account balance, and disclosure regardless of the assessed risk of material misstatement. 3. b. Correct. Top_Aud_09_book.indb 255 9/30/2008 8:18:43 AM 256 TOP AUDITING ISSUES FOR 2009 CPE COURSE a. Incorrect. There is no requirement to apply substantive procedures to immaterial classes of transactions, account balances or disclosures. c. Incorrect. Substantive procedures performed on each material class of transactions, account balance, and disclosure may include tests of details and substantive analytical procedures. There is no requirement, however, that both be performed when only one is necessary to provide sufficient appropriate evidence. d. Incorrect. Substantive procedures are performed to detect material misstatements down to the relevant assertion level, which is below the transaction class, account balance and disclosure level. 4. b. Correct. Inspection of actual items of physical inventory provides persuasive evidence as to the existence of those items. a. Incorrect. Absent other corroborative evidence, inquiry does not by itself provide persuasive evidence about any of the financial statement assertions. c. Incorrect. Analytical procedures might, in combination with other audit procedures, provide useful evidence about valuation or completeness of inventory. They would not be likely to provide evidence about its existence. d. Incorrect. Recalculation, especially of pricing, would normally be used to provide evidence about such assertions as accuracy or valuation. It would not usually provide support for the existence assertion. There is no requirement to use substantive analytical procedures in audits. True. Incorrect. Analytical procedures must be used in the planning and final evaluation stages of all audits. These analytical procedures, however, should not be confused with substantive analytical procedures, which may be used in combination with tests of details or tests of controls to provide audit evidence about balances, transactions or disclosures. 5. False. Correct. Even when planning not to rely on a control and to assess control risk at maximum, the auditor must have sufficient understanding of the control to have a basis for that assessment. b. Incorrect. SAS 107 intends that audit procedures to be performed be specifically linked to assessed risks. c. Incorrect. Regardless of the auditor’s intention to rely or not to rely on controls, the auditor should develop an understanding of controls sufficient to support an assessment of maximum control risk. d. Incorrect. Controls need not be tested unless the auditor plans to rely on them. 6. a. Correct. Top_Aud_09_book.indb 256 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 5 257 7. c. Correct. SAS 107 states that it is not ordinarily feasible for the auditor to consider the individual needs of all financial statement users because their needs may vary so greatly. a. Incorrect. SAS 107 makes a number of assumptions about the competence and diligence of financial statement users, one of which is their willingness to study the statements with appropriate diligence. b. Incorrect. SAS 107 assumes that financial statement users have appropriate knowledge of business and economic activities and accounting. d. Incorrect. Under SAS 107, financial statement users are assumed to recognize that there are uncertainties inherent in the accounting estimates and judgments used in preparing the financial statements. In profit-making businesses, a benchmark based on results of operations is usually appropriate for determining materiality. However in this case, if that benchmark included the expense for the owners’ compensation, it would likely result in a lower amount than necessary to provide reasonable assurance of detecting material misstatement, and thus cause an inefficient audit. Pre-tax income before owners’ compensation would therefore be a more appropriate benchmark. b. Incorrect. Pre-tax income in such a corporation may be artificially low due to the owners’ compensation. This would cause materiality levels determined based on this benchmark to be artificially low, and could lead to an inefficient audit. c. Incorrect. Using any benchmark of income that includes owners’ compensation expense could lead to artificially low materiality levels and an inefficient audit. Also, in a consistently profitable business, a benchmark based on current year operations would likely be more relevant than one that includes prior years. d. Incorrect. In most cases, a benchmark based on retained earnings would be artificially low due to the significant amount of owners’ compensation, and their ability to control that amount. Like for pre-tax income, using such a benchmark could cause materiality levels determined based on this benchmark to be artificially low, and could lead to an inefficient audit. 8. a. Correct. 9. False. Correct. SAS 107 requires auditors to communicate both known and likely misstatements to management. True. Incorrect. Communicating only known misstatements to management would frustrate one of the purposes of the Risk Assessment Standards, which is to create more responsibility on management’s part for evaluating and correcting misstatements. Top_Aud_09_book.indb 257 9/30/2008 8:18:43 AM 258 TOP AUDITING ISSUES FOR 2009 CPE COURSE 10. c. Correct. Certain misstatements may have significance even though they do not exceed quantitative thresholds for materiality. This is particularly true of misstatements that involve potential fraud or illegal acts, or that cause misstatement of items that are known to be of particular concern to financial statement users. a. Incorrect. SAS 107 states that auditors may not rely solely on quantitative benchmarks to assess whether an item is material. While quantitative thresholds may provide a basis for a preliminary assumption about whether an item is material, they are not a substitute for full analysis. b Incorrect. SAS 107 requires auditors to consider the likelihood of a currently immaterial misstatement, such as an accrual or deferral, becoming material to future periods through cumulative effects. d. Incorrect. Misclassifications between current and non-current assets are potentially significant misstatements, from a qualitative standpoint, even when they are lower than quantitative materiality thresholds, because they may affect working capital and the related ratios. This information is often significant if, for example, it causes a violation of a loan covenant. 11. b. Correct. SAS 108 requires the audit plan to include a description of the nature, timing, and extent of planned risk assessment procedures. a. Incorrect. SAS 108 actually requires the opposite; that the original audit plan be revised to respond to changes in circumstances. c. Incorrect. The audit plan should provide a clear linkage between the understanding of the entity, the risk assessments, and the design of further audit procedures. d. Incorrect. The audit plan should include a description of the nature, timing, and extent of planned further audit procedures to be applied down to the relevant assertion level. 12 c. Correct. The engagement partner should emphasize to audit assistants the need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating audit evidence throughout the audit, both in the planning stage and throughout the engagement. a. Incorrect. Audit assistants should bring accounting issues raised during the audit that the assistant believes are significant to the financial statements to the attention of the engagement partner. Significant accounting issues impacting the financial statements should also be communicated to management, although the channel for this communication is a matter of firm policy. Ordinarily, assistants would be expected to bring the matter to the engagement partner’s attention before it is communicated to the client. b. Incorrect. Audit assistants should be reminded of the need to bring client-imposed restrictions on access to information necessary to perform the audit to the attention of appropriate persons within the firm. Ordinarily Top_Aud_09_book.indb 258 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 5 259 this would be a person on the level of a field supervisor. Such matters would not ordinarily be brought directly to the engagement partner’s attention as a first resort except in small engagements. d. Incorrect. Although it would be unusual for the engagement partner not to communicate the time budget for performing an engagement to assistants, there is no requirement in professional standards to do so. Among the numerous matters to be addressed in the discussion among the audit team, SAS 109 requires that emphasis be placed on the need to be alert for and follow up on indications of material misstatements. a. Incorrect. Nothing in SAS 109 or elsewhere in the auditing literature requires the audit risk discussion to occur concurrently with the fraud risk discussion required under SAS 99. As a practical matter, however, most firms find that it is efficient to combine these discussions. b. Incorrect. SAS 109 leaves the location of this discussion to the professional judgment of the audit partner. It allows multiple discussions to take place if the audit involves multiple locations. c. Incorrect. SAS 109 is explicit in stating that every member of the audit team need not have a comprehensive knowledge of all facets of the audit. 13. d. Correct. 14. c. Correct. The concept of business risk includes the risk of material misstatement, but it is a broader concept that includes diverse risks such as competition, labor relations and many others. a. Incorrect. All business risks do not necessarily have financial consequences, and thus do not give rise to the risk of material misstatement. b. Incorrect. While it is true that most business risks have financial consequences, not all of them necessarily give rise to the risk of material misstatement. d. Incorrect. Not every business risk carries with it a risk of material misstatement. While giving consideration to significant business risks is a part of the audit, auditors are concerned primarily with risks of material misstatement. For this reason, they normally seek to identify and assess only those significant business risks that give rise to risks of material misstatement. Auditors are required under SAS 109 to communicate significant deficiencies in internal control to those charged with governance. Communication of such matters to legal counsel is not required and would in fact be rare in the extreme. a. Incorrect. Risks of material misstatements are not fully comprehended apart from the bigger picture of the entity and its environment. Therefore it is necessary for auditors to relate risks identified in the process of gaining 15. d. Correct. Top_Aud_09_book.indb 259 9/30/2008 8:18:43 AM 260 TOP AUDITING ISSUES FOR 2009 CPE COURSE and understanding of the entity and its environment to risks of possible misstatements at the relevant assertion level. b. Incorrect. Using information obtained by performing risk assessment procedures in evaluating the design and implementation of internal controls is a requirement of SAS 109. Failure to do so would lead either to an inefficient audit, in which extensive evaluation of controls was performed in low-risk areas, or an ineffective audit in which controls in high-risk areas were not adequately evaluated. c. Incorrect. SAS 109 intends for risks of material misstatements to be considered in the entire context of the client and its environment, as well as on a more microscopic level. For this reason, determining whether identified risks are isolated to particular relevant assertions associated with a class of transactions, balances, or disclosures, or are more pervasive and likely to affect the financial statements as a whole is an important part of the process. 16. True. Correct. SAS 109 specifically identifies nonroutine transactions and judgmental matters involving accounting estimates as areas in which significant risks are likely to exist. False. Incorrect. Because of their unusual and subjective natures, nonroutine transactions, and matters involving management’s judgment on accounting estimates are usually considered to carry with them significant risks of material misstatement. 17. d. Correct. The intent of the linkage concept is that audit procedures should be proportional to the assessed risk. Audits that focus on areas of higher risk are far more likely to be efficient in detecting material misstatements. a. Incorrect. Applying audit procedures based solely upon the monetary amounts of recorded financial statement items ignores the qualitative aspects of financial data, and ignores factors of risk assessment other than size. b. Incorrect. Applying audit procedures uniformly to recorded financial statement amounts irrespective of assessed risks is the opposite of SAS 110’s intent. This approach would lead to an inefficient audit because it would allocate audit resources unnecessarily to areas of lower risk and away from areas of higher risk. Such an audit would have a high probability of failing to detect material misstatements. c. Incorrect. Audit procedures should take into consideration the materiality of financial statement items as one of many factors. Making materiality the sole, or the primary determinant would lead to overauditing of low-risk but large-dollar areas, while diverting audit efforts from higher risk areas of lesser dollar amounts. Top_Aud_09_book.indb 260 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 5 261 18. a. Correct. When substantive procedures do not by themselves provide sufficient appropriate evidence at the relevant assertion level auditors should test controls. A frequently cited example is when large volumes of transactions are recorded in electronic form only and are either not economically testable or are unavailable for testing after a certain time. b. Incorrect. If controls are not expected to be operating effectively, as for example when they are improperly designed or implemented, it usually serves no purpose to test them. c. Incorrect. Auditors should test each control that they plan to rely on at least once every three years. Under certain circumstances, however, such as when there is a significant risk of material misstatement at the relevant assertion level, or when there is a weak control environment, more frequent testing may be necessary. d. Incorrect. Auditors need test only those controls that they plan to rely on. Therefore, if a significant assessed risk of material misstatement at the relevant assertion level can be adequately and efficiently addressed by substantive procedures alone, tests of related controls are not necessary. The sources and reliability of information, and the persuasiveness of audit evidence are among the matters that the auditor should consider in forming a conclusion about whether there is sufficient appropriate evidence to reduce the risk of material misstatement to an appropriately low level. a. Incorrect. All relevant audit evidence, whether it appears to support or to contradict the relevant financial statement assertions, should enter into the auditor’s consideration. b. Incorrect. Experience from previous audits with respect to similar potential misstatements should be taken into account in the current period audit. c. Incorrect. The likelihood of the potential misstatement having a material effect on the financial statements should be considered both individually and in the aggregate. 19. d. Correct. If a sample in a dual purpose test were the smaller of the sample sizes that would have been required for each purpose separately, then it would not be large enough to serve one of those purposes. False. Incorrect. In order to give adequate coverage within the sample to both purposes, the sample size for a dual-purpose test should be the larger of the samples sizes that would otherwise have been selected for the two separate purposes. 20. True. Correct. Top_Aud_09_book.indb 261 9/30/2008 8:18:43 AM 262 TOP AUDITING ISSUES FOR 2009 CPE COURSE MODULE 2 — CHAPTER 6 1. True. Correct. Auditors can use interest rate statistics in considering the valuation of assets such as investments and derivatives, whose value may fluctuate with changes in interest rates. False. Incorrect. The valuation of many assets, bond investments for example, is directly connected to interest rates. For this reason, interest rate statistics are useful and even necessary in considering the valuation assertion related to those assets. SAS 114 significantly expanded the auditor’s responsibilities for communicating to persons charged with governance. Its provisions apply to all non-SEC issuer entities. Neither size, ownership characteristics, nor organizational structure confer exemptions. a. Incorrect. Audits of SEC issuers are governed by the PCAOB Standards, and not the AICPA’s Statements on Auditing Standards. b. Incorrect. Under the previous guidance of SAS 61, auditors were required to make communications with persons charged with governance only in entities with formally constituted audit committees or their equivalent. SAS 114 changed this requirement, and now this communication is required for all non-SEC issuers. d. Incorrect. SAS 114’s requirements apply equally to small entities with informally-defined governance structures, and to large entities with defined governance structures. 2. c. Correct. SAS 114 requires, in cases when the person or persons who should receive the auditor’s communication with those charged with governance is not readily apparent, that auditors reach an agreement with the engaging party as to who should receive the communication. a. Incorrect. Directing the SAS 114 communication to senior management might be appropriate in the case of small, owner-managed entities, however in other cases, such as when senior management and those charged with governance are not the same persons, it would be ineffective in meeting SAS 114’s objectives. b. Incorrect. While the board of directors, or the equivalent body, is ultimately charged with governance, the chairman of that body may not always be the best person to receive communications with the auditor. For this reason, the auditor should not automatically send it to the chairman of the board. c. Incorrect. Nothing in SAS 114 exempts auditors from communicating with those charged with the governance of the entity. The fact that a governance structure may not be formally defined, or that it may not clearly identify a person or group of persons to receive auditor communications does not change this responsibility. 3. d. Correct. Top_Aud_09_book.indb 262 9/30/2008 8:18:43 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 6 263 The conforming amendment to SAS 112 for audits of nonissuers, which contains these new definitions, is effective January 1, 2009. a. Incorrect. The new definitions are effective for fiscal years ending on or after November 15, 2007 only for SEC issuers. c. Incorrect. The new definitions, according to official sources at the AICPA, are not expected to create significant changes to practice under the previous provisions of SAS 112. Rather, they are expected to clarify those terms. d. Incorrect. The opposite is actually true under both the old and new definitions. A significant deficiency is less severe than a material weakness. 4. b. Correct. FAS 157 identifies quoted prices for identical assets or liabilities in active markets as its “level 1” input to valuation techniques used to measure fair value, and states that they provide the most reliable evidence of fair value and should be used whenever available. a. Incorrect. FAS 157 identifies quoted prices for similar assets or liabilities in active markets as a “level 2” input in its fair value hierarchy, indicating that they are less reliable than “level 1” inputs. c. Incorrect. Unobservable inputs in which the reporting entity makes its own assumptions about the marketplace are considered “level 3” inputs by FAS 157. These inputs should be used when the observable inputs of levels 1 or 2 are not available. They are considered the least reliable evidence of fair value. d. Incorrect. Observable inputs other than quoted prices, such as interest rates or yield curves observable at commonly quoted intervals are “level 2” inputs, and are less reliable than quoted prices for identical assets or liabilities in active markets or other types of inputs. 5. b. Correct. 6. a. Correct. FAS 158 requires measurement of the funded status of a plan as of the employer’s fiscal year end, not at the end of each fiscal quarter. b. Incorrect. In an effort to enhance the timeliness of financial statement information, FAS 158 contains a requirement to recognize in the financial statements events and transactions that affect funded status in the year that they occur. c. Incorrect. FAS 158 contains a requirement that employers recognize the overfunded or underfunded status of a defined benefit postretirement plan, other than a multi-employer plan, as an asset or liability. This requirement is aimed at helping financial statement users assess an employer’s ability to satisfy its benefit obligations. d. Incorrect. FAS 158 requires footnote disclosures about certain effects on net periodic benefit cost for the next fiscal year that arise out of delayed recognition of gains or losses, or prior service costs or credits. Top_Aud_09_book.indb 263 9/30/2008 8:18:43 AM 264 TOP AUDITING ISSUES FOR 2009 CPE COURSE 7. a. Correct. Evaluating a tax position under FIN 48 involves two steps. The first of those, the recognition step, involves determining whether the tax position is more likely than not to be sustained upon examination based on its technical merits. b. Incorrect. When determining whether a tax position is more likely than not to be sustained upon examination, the entity should assume that the taxing authority has full knowledge of all the relevant facts. c. Incorrect. For a tax position that meets the more-likely-than-not test, the amount of benefit to recognize in the statements is the largest amount that would be more than 50 percent likely of being realized on settlement, not the smallest. d. Incorrect. Evaluations of tax positions under FIN 48 apply to all jurisdictions in which the entity is subject to taxes based on income. 8. b. Correct. Under ET 101-3, in order for auditors to maintain their independence in providing nonattest services such as assistance with FIN 48 implementation, they must be satisfied that the client can take responsibility for the results of the services. a. Incorrect. Under ET 101-3, if the client is unable to make informed judgments about a nonattest service such as assistance in FIN 48 implementation, then the auditor’s independence is impaired by rendering those services. c. Incorrect. Whether or not a tax position is more likely than not to be sustained is not relevant to this consideration. Auditors can help clients with this step of the evaluation under FIN 48, as long as the provisions of ET 101-3 are met. d. Incorrect. The client need not measure the amount of benefit to be recognized. Auditors can help clients with this step of the evaluation under FIN 48, as long as the provisions of ET 101-3 are met. Maintaining U.S. GAAS completely separate and distinct from the ISAs is not one of the Clarity Project’s goals. Rather, it seeks to converge those two bodies of standards, while retaining certain existing U.S. practices and addressing issues that are specific to the U.S. environment. a. Incorrect. One of the Clarity Project’s primary goals is making U.S. auditing standards easier to read and understand. Toward this end, it is addressing issues of how the content of the standards is organized, and is using formatting techniques to enhance readability. c. Incorrect. The Clarity Project has a stated goal of setting off professional requirements and applications or explanatory material into separate sections so as to clearly differentiate between the two. 9. b. Correct. Top_Aud_09_book.indb 264 9/30/2008 8:18:44 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 7 265 Under the Clarity Project’s drafting conventions, special considerations for audits of smaller, less complex entities will be included where applicable. d. Incorrect. 10. True. Correct. Both U.S. and foreign standards-setters have declared their intention to move into closer conformity. FAS 157 and FAS 159 were steps in this direction. False. Incorrect. The adoption of fair value reporting in FAS 157 and FAS 159 brings U.S. GAAP into line with IFRS on this subject. MODULE 2 — CHAPTER 7 1. c. Correct. Summarizing all “Matter for Further Consideration” (MFC) forms, ensuring that they have been addressed, and documenting how they were resolved, is the primary purpose of the DMFC form. a. Incorrect. Providing a description of the finding, including whether it is a repeat, is actually one of the purposes of the “Findings for Further Consideration” (FFC) form. b. Incorrect. Identifying which MFCs are contained in particular findings is actually one of the purposes of the FFC form. d. Incorrect. Documenting matters that warrant further consideration in the evaluation of a firm’s QC system is actually a purpose of the MFC form, rather than the DMFC form. 2. b. Correct. The FFC form is used for communicating findings that do not become part of the peer review report. As such, it eliminates the use of the letter of comments. a. Incorrect. The FFC form is a part of the peer review working papers that are outside of the reporting process. c. Incorrect. The FFC form is not subject to public inspection. d. Incorrect. Copies of this form should be maintained by the peer reviewer until after the completion of the next review, because it is the record of the review’s findings. 3. a. Correct. A report rating of “pass” is appropriate under the new Standards when a reviewer concludes that the review’s findings, individually or in combination, do not rise to the level of a deficiency or significant deficiency. b. Incorrect. The report rating of “unmodified” exists under the old Standards, but has been replaced under the proposed revisions with an equivalent rating entitled “pass.” c. Incorrect. The report rating of “modified” exists under the old Standards, but has been replaced under the new Standards with a rating entitled “pass with deficiencies.” Top_Aud_09_book.indb 265 9/30/2008 8:18:44 AM 266 TOP AUDITING ISSUES FOR 2009 CPE COURSE d. Incorrect. A rating of “pass with deficiencies” would be inappropriate in a case where no deficiencies or significant deficiencies existed. 4. d. Correct. The revised language is actually designed to require less tailoring, rather than more, to suit the needs of individual peer reviews. a. Incorrect. The new reporting model shortens the length of the peer review report. b. Incorrect. The revisions to the old reporting model contain language that most people find easier to understand. c. Incorrect. The inclusion in the peer review report of a reference to a URL for a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review is one of changes in the new reporting model. 5. True. Correct. The old Standards provided for three levels of peer review: system, engagement and report. The new Standards pare this down to two levels by merging the old report review process into the engagement review process. False. Incorrect. The objectives of the engagement and report levels of peer review under the old Standards, and the processes for performing and reporting on them, were so similar that the Board felt it would simplify the program and create more clarity for users of peer review reports to consolidate these two levels of peer review. SQCS 7 has introduced a requirement for all firms with accounting or auditing practices to have documented quality control policies and procedures. a. Incorrect. Under the old SQCSs, there was a widely-held misconception that firms with only compilations and review practices did not need to have quality control policies and procedures. This misconception arose because peer reviews for these firms covered only engagements, and not QC policies and procedures. It was never true under the old SQCSs that these firms did not need to have quality control policies and procedures. It is still untrue under SQCS 7. b. Incorrect. Under the old SQCSs, there was no explicit requirement for firms that did not have system reviews to document their quality control policies and procedures. SQCS 7 has changed this. Now these firms are required to have documented QC systems. c. Incorrect. The requirement under SQCS 7 to have documented QC policies and procedures extends to even the smallest firms that perform only compilations without disclosures. The fact that a firm does not have an auditing practice in no way exempts it from this requirement. 6. d. Correct. Top_Aud_09_book.indb 266 9/30/2008 8:18:44 AM ANSWERS TO STUDY QUESTIONS — Module 2 — Chapter 7 267 7. a. Correct. Under SQCS 7, the firm’s leadership should assume ultimate responsibility for the QC system. b. Incorrect. It would be foolish to argue that a firm’s business strategy not take commercial considerations into account in designing and achieving the objectives of its QC system. Like systems of internal control in businesses, QC systems in accounting firms need to be economical and efficient in order to be effective. However, the new SQCS states a requirement that the firms assign management responsibilities so that commercial considerations do not override the quality of work performed. c. Incorrect. The new SQCS imposes a requirement that firms should adopt policies and procedures designed to promote an internal culture based on the recognition that quality is essential. This is a far stronger statement than the mere suggestion, as explanatory language, that they “consider” such policies and procedures. d. Incorrect. The firm’s leadership is not permitted to assign the ultimate responsibility for the QC system to another person. It may delegate operational responsibilities for the operation of the system to qualified persons within the firm, but the firm leadership still has ultimate responsibility for the system. 8. c. Correct. SQCS 7 defines the engagement quality review as a preissuance process performed by persons who are not otherwise involved in performing the engagement. Its purpose is to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report. a. Incorrect. The engagement quality review is a pre-issuance, rather than a post-issuance, process performed by persons who are not otherwise involved in performing the engagement. b. Incorrect. While it is correct that the engagement quality review is a pre-issuance process, having it performed by or under the supervision of the engagement partner would defeat its purpose, which is to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report. d. Incorrect. The engagement quality review is a pre-issuance, rather than a post-issuance process that is designed to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report. Having engagement personnel involved in the review would impair the objectivity of the process. 9. False. Correct. SQCS 7 does not require all audits to be subjected to engagement QC reviews. It does require, however, that firms set down criteria for which engagements are required to have engagement QC reviews. Once a firm establishes these criteria, all engagements that meet the criteria should be subjected to engagement QC review. Top_Aud_09_book.indb 267 9/30/2008 8:18:44 AM 268 TOP AUDITING ISSUES FOR 2009 CPE COURSE Engagement quality control reviews are not specifically required on audits, or on any other particular type of engagements, by SQCS 7. The firm controls which engagements are subject to QC review because it sets the criteria for which engagements are to have QC reviews. True. Incorrect. Engagement quality control reviews are an important part of any QC system. However, they are actually part of the engagement performance element of quality control, because they are a pre-issuance process. They are not a component of the monitoring element. a. Incorrect. Assessment of the appropriateness of the firm’s guidance materials and practice aids would usually take place periodically during a firm’s monitoring procedures, to help it assure that it had the most current and relevant materials. b. Incorrect. Discussions with firm personnel would ordinarily be a part of a firm’s monitoring program. These discussions would, among other things, help the firm to assess its personnel’s level of awareness of the QC system. d. Incorrect. Review of selected personnel records pertaining to QC elements might be a part of the monitoring process, and would be useful in assessing, for example, such matters as independence, continuing education, and advancement. 10. c. Correct. Top_Aud_09_book.indb 268 9/30/2008 8:18:44 AM 269 TOP AUDITING ISSUES FOR 2009 CPE COURSE Appendix A: Summary of the Risk Assessment Standards SAS 104, Amendment to SAS 1, “Codification of Auditing Standards and Procedures” (“Due Professional Care in the Performance of Work”) SAS 104 expands the definition of “reasonable assurance” by: Adding wording to emphasize that audits must be planned and performed to attain a low level of audit risk. Emphasizing that the high level of intended assurance is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. SAS 105, Amendment of SAS 95, “Generally Accepted Auditing Standards” SAS 105 broadens the philosophy of the audit process significantly by amending the second fieldwork standard to: Expand the scope of the auditor’s understanding from “internal control” to “the entity and its environment, including its internal control.” Extend the purpose of the auditor’s understanding from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud.” Replace the phrase “tests to be performed” with “further audit procedures” to emphasize that audit procedures also are performed to obtain the understanding on which the auditor bases the risk assessments. OBSERVATION SAS 105 makes the understanding of internal control more important, and more useful, to the audit process. Under previous standards, the understanding of internal control was obtained strictly to assist in planning the audit. Now, understanding the entity and its internal control is not only a part of the planning process, it is a part of the risk assessment procedures that ultimately support the auditor’s opinion. Top_Aud_09_book.indb 269 9/30/2008 8:18:44 AM 270 TOP AUDITING ISSUES FOR 2009 CPE COURSE OBSERVATION Consistent with the broad philosophical direction of the Risk Assessment Standards, SAS 105 emphasizes the need to closely link the understanding of the entity, and the risk assessment, to the design of further audit procedures. Thus, whenever an auditor, as a result of obtaining an understanding of a client, assesses a significant risk of material misstatement, the audit procedures should respond to that risk. Conversely, in areas with low assessed risk, audit procedures would ordinarily be less intensive. This results in a more efficient allocation of audit resources, and a more effective audit. Consequently, auditors now need to more closely tailor standardized audit programs (which will now be called an “audit plan”) to the unique risks of each individual engagement. SAS 106, Audit Evidence SAS 106 makes significant changes to audit practice. Significantly expands and recategorizes the assertions for account balances, transaction classes, and disclosures that are used in audits, Requires a closer correlation between those assertions and the audit procedures used in gathering audit evidence. Provides new definitions of several terms including audit evidence and the sufficiency and appropriateness of that evidence. Creates significant new guidance for using relevant assertions to assess risk and design audit procedures; assessing the reliability of various types of audit evidence; risk assessment’s place in the body of audit evidence; and uses and limitations of inquiry. Describes the risk assessment procedures of inquiry, analytical procedures, observation, and inspection. SAS 107, Audit Risk and Materiality in Conducting an Audit Among the most sweeping changes that SAS 107 makes to current auditing practice are: The introduction of the concept of considering risk of misstatement not only at the level of the financial statements taken as a whole, and at the level of individual account balance or class of transactions, but also at the disclosure level The requirement for the auditor to have an appropriate basis for all risk assessments, and elimination of the concept of assessing risk “at the maximum” without support SAS 108, Planning and Supervision This Statement is primarily a codification of existing best practices. It changes little in terms of the actual conduct of audit engagements. Top_Aud_09_book.indb 270 9/30/2008 8:18:44 AM APPENDIX A 271 SAS 109, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement SAS 109 establishes standards and provides guidance to auditors of nonpublic entities about obtaining a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and designing the nature, timing and extent of further audit procedures. SAS 109 positions obtaining an understanding of the entity and its environment, including its internal control, as an essential part of the auditor’s risk assessment process. SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (“Performing Procedures”) This Standard introduces significant changes to existing auditing practice. Its most significant provisions require auditors to: Determine overall responses to address the assessed risks of material misstatement at the financial statement level. Design and perform additional audit procedures that are responsive to the assessed risks of material misstatement at the relevant assertion level. These include substantive procedures and, where relevant and necessary, tests of the operating effectiveness of controls. Design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure, regardless of the assessed risk of material misstatement. Agree the financial statements and accompanying notes to the underlying records and examine material journal entries and other adjustments made during the course of preparing the financial statements. Perform tests of controls to obtain evidence about their operating effectiveness when the risk assessment includes an expectation of the operating effectiveness of controls, or when substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level. When performing audit procedures at an interim date: Determine what additional evidence should be obtained for the remaining period when tests of controls are performed during an interim period. Perform further substantive procedures or a combination of substantive procedures and tests of controls for the remaining period to provide a reasonable basis for extending audit conclusions based on substantive procedures performed at an interim date to the period end. When planning to carry forward and rely upon evidence about specific controls from previous audits in the current audit: Top_Aud_09_book.indb 271 9/30/2008 8:18:44 AM 272 TOP AUDITING ISSUES FOR 2009 CPE COURSE Inquire, observe and inspect documentation to determine if they have changed. Test their operating effectiveness in the current audit, if they have changed. Test the operating effectiveness of such controls at least once in every third year in an annual audit, if they have not changed. SAS 111, Amendment to SAS 39, “Audit Sampling” SAS 111 makes several, primarily technical, updates to previous standards, in order to: Enhance guidance when the auditor is establishing tolerable misstatement for a specific audit procedure, to require that auditors normally set tolerable misstatement for a specific procedure at less than financial statement materiality, so that the required overall assurance is attained when the results of all audit procedures are aggregated. Enhance guidance on the application of sampling to tests of controls. Top_Aud_09_book.indb 272 9/30/2008 8:18:44 AM 273 TOP AUDITING ISSUES FOR 2009 CPE COURSE Appendix B: Professional Requirements The unconditional requirements of each of the Risk Assessment Standards are summarized below. These requirements are identified in the Standards by the word “must,” and are required to be performed in all circumstances where they are applicable. The presumptively mandatory requirements of these statements number well over 200, and are too voluminous to reproduce in this Course. Certain of these requirements are covered in Chapter 5. Also, the documentation requirements, whether unconditional or presumptively mandatory, are covered as a group in Chapter 4. SAS 104 states that the auditor must: Plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. SAS 105 states that the audit (or auditor) must: Be performed by a person or persons having adequate technical training and proficiency as an auditor. Adequately plan the work Properly supervise any assistants. Obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. Obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion on the financial statements. SAS 106 states that the auditor must: Obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for the audit opinion. Not be satisfied with evidence that is less than persuasive. Perform risk assessment procedures to provide a satisfactory basis for the assessment of risks at the financial statement and relevant assertion levels. Supplement risk assessment procedures with further audit procedures in the form of substantive procedures and, when relevant or necessary, tests of controls. Top_Aud_09_book.indb 273 9/30/2008 8:18:44 AM 274 TOP AUDITING ISSUES FOR 2009 CPE COURSE SAS 107 states that the auditor must: Consider audit risk and materiality. Determine a materiality level for the financial statements taken as a whole for four specific purposes listed in the Standard. Perform the audit to obtain reasonable assurance of detecting misstatements that could be large enough either individually or in the aggregate, in the auditor’s judgment, to be quantitatively material to the financial statements. Accumulate all known and likely misstatements identified in the audit, other than trivial amounts, and communicate them to the appropriate level of management. Consider the effects, both individually and in the aggregate, of known and likely misstatements that are not corrected, in evaluating whether the financial statements are fairly presented. Evaluate whether the financial statements taken as a whole are free of material misstatement. Determine the implications for the auditor’s report if management refuses to make necessary corrections. Determine the implications for the auditor’s report if he or she concludes that, or is unable to conclude whether, the financial statements are materially misstated. SAS 108 states that the auditor must: Adequately plan the audit. Properly supervise any assistants. Plan the audit so that it is responsive to the assessment of the risk of material misstatement, based on the auditor’s understanding of the client and its environment, including its internal control. Develop an audit plan which documents the audit procedures that are expected to reduce audit risk to an acceptably low level. SAS 109 states that the auditor must: Obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. SAS 110 states that: The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit. In order for evidence from prior audits to be used as substantive evidence in the current audit, the evidence and related subject matter must not fundamentally change. SAS 111 contains no unconditional requirements. Top_Aud_09_book.indb 274 9/30/2008 8:18:44 AM 275 TOP AUDITING ISSUES FOR 2009 CPE COURSE Appendix C: Definitions The Risk Assessment Standards introduce or redefine several key terms. These are presented below, sorted by each SAS. Misunderstanding of these definitions is a significant cause of difficulty in implementing the Risk Assessment Standards. SAS 106 Audit evidence. SAS 106 defines audit evidence as “all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes the information contained in the accounting records underlying the financial statements and other information.” Relevant assertions. SAS 106 defines relevant assertions as those which have a meaningful bearing on whether an account is fairly stated. This is a new term. It draws attention to the need for audit procedures to be relevant to a particular assertion in order to be appropriate. Risk assessment procedures. Risk assessment procedures are defined by SAS 106 as procedures performed on all audits to: Obtain an understanding of: The entity Its environment Its internal controls Assess the risk of material misstatement at: The financial statement level The relevant assertion level Risk assessment procedures, according to SAS 106, are necessary to provide a basis for assessing the risk of material misstatement. Their results, combined with the results of further audit procedures, provide audit evidence that ultimately supports the auditor’s opinion on the financial statements taken as a whole. Sufficient, appropriate audit evidence. SAS 106 uses two key terms to describe audit evidence: sufficient and appropriate. The term appropriate replaces competent in previous standards. Its meaning is essentially the same. Sufficient refers to the quantity of the evidence, while appropriate refers to its quality. It is difficult to define sufficient audit evidence because the term refers simply to the amount of evidence collected. Nevertheless, the audi- Top_Aud_09_book.indb 275 9/30/2008 8:18:44 AM 276 TOP AUDITING ISSUES FOR 2009 CPE COURSE tor must exercise considerable judgment when determining whether audit evidence is sufficient. SAS 106 offers the following guidance: An auditor can never reduce audit risk to zero. Therefore, the accumulation of evidence should be persuasive rather than conclusive. An auditor must work within economic limits but cost cannot be the sole basis for the quantity or quality of audit procedures. The difficulty or expense of a test is not a valid reason for omitting it. An auditor should not form an opinion on the entity’s financial statements until he or she has obtained sufficient appropriate audit evidence to remove any substantial doubt about a material assertion. Otherwise, the auditor should express a qualified opinion or a disclaimer of opinion on the financial statements. SAS 106 states that audit evidence is appropriate when it is both reliable and relevant but it does not define either term. It does, however, indicate that evidence is more reliable when it is: Obtained from an independent, knowledgeable source outside the entity. Created under more effective internal controls. Obtained directly by the auditor rather than indirectly or by inference. In documentary form. In the form of original documents rather than photocopies or facsimiles. Audit evidence should be capable of proving or disproving an assertion made by the client in its financial records. Therefore, evidence must pertain to or be relevant to the audit objective or the assertion the auditor is testing before it can be persuasive. Relevance can be considered only in terms of specific audit objectives or assertions and evidence may be relevant to one specific audit objective or assertion but not to another. EXAMPLE Assume that an auditor is concerned with whether all shipments made to customers are being billed by the client (completeness assertion). Selecting a sample of duplicate sales invoices, using the sales invoices as the population, and tracing them to the related shipping documents, does not provide relevant evidence for the completeness assertion. Selecting a sample of shipping documents, using the shipping documents as the population, and comparing them to the related duplicate sales invoices to determine if the customers had been billed, does. In this example, tracing from the duplicate sales invoices to the related shipping documents provides relevant evidence for the existence or occurrence assertion, but not the completeness assertion. Top_Aud_09_book.indb 276 9/30/2008 8:18:44 AM APPENDIX C 277 SAS 107 Audit risk. SAS 107 defines audit risk as “the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated” and, therefore, the risk that financial statements will include material misstatements. The auditor addresses both materiality and audit risk at an overall financial statement level to develop an audit strategy that will provide sufficient evidence to enable him or her to reasonably evaluate whether the financial statements are materially misstated. At the individual account balance, class of transactions, relevant assertion, or disclosure level, audit risk is made up of inherent risk, control risk, and detection risk. The concept of audit risk recognizes that auditors are able to obtain reasonable, but not absolute, assurance that material misstatements are detected. Control risk. This is the risk that a material misstatement that could occur in a relevant financial statement assertion, either individually or when aggregated with other misstatements, will not be prevented or detected on a timely basis by the entity’s internal control. OBSERVATION One way to think of inherent risk and control risk is to think of dynamite. Dynamite is an inherently risky substance, due to its physical properties. Those properties do not change, no matter who has control of it. This is dynamite’s inherent risk. It is a constant. Control risk is a variable, depending on possession. When the hazardous materials squad of the fire department has the dynamite, the control risk, that is the risk that it will do damage, is low because of their special training and equipment, and their intention to protect public safety. When a group of terrorists has the dynamite, the control risk is high because of their intention to do harm, and their possible lack of proper training and equipment. Detection risk. This is the risk that the auditor will not detect a material misstatement that exists in a relevant financial statement assertion, either individually or when aggregated with other misstatements. Detection risk can be disaggregated into additional components of tests of details risk and substantive analytical procedures risk. Inherent and control risk are always the client’s risks. They exist independently of the audit. Detection risk is the auditor’s risk. The combined assessment of inherent risk and control risk is termed the “risk of material misstatement.” The new model for describing audit risk is: AR = RMM x DR In the equation, AR is audit risk, RMM is risk of material misstatement and DR is detection risk. It is a matter of professional judgment as to how Top_Aud_09_book.indb 277 9/30/2008 8:18:44 AM 278 TOP AUDITING ISSUES FOR 2009 CPE COURSE these components are expressed. Some auditors express them in quantitative terms such as percentages. Many others use qualitative terms such as high, moderate or low. OBSERVATION Risk assessment, like materiality, does not lend itself to strict formulaic calculation. For this reason, broader qualitative terms, or percentages expressed in fairly wide ranges, are often the most useful approach to expressing levels of risk assessment. Precise quantitative expressions, such as pinpoint percentage calculations, may imply a greater degree of precision than this process actually intends or is capable of. In addition, by “putting too fine a point on it” at this stage of the engagement, the auditor may be setting a standard so high as to make it impossible to conduct the engagement efficiently or economically. Inherent risk. This is the susceptibility of a relevant financial statement assertion to a material misstatement, either individually or when aggregated with other misstatements, assuming there are no related controls. SAS 107 defines materiality as “the magnitude of an omission or misstatement of accounting information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.” Materiality. Trivial misstatement. A footnote to SAS 107 defines trivial as “amounts designated by the auditor below which misstatements need not be accumulated. This amount is set so that any such misstatements, individually or when aggregated with other such misstatements, would not be material to the financial statements, after the possibility of further undetected misstatements is considered.” OBSERVATION Auditors are required to summarize uncorrected misstatements and to communicate them to management. In most cases management agrees, in the representation letter, that they are not material. Trivial misstatements as designated by the auditor would not be posted to this summary. This is done for convenience or economy, otherwise auditors would have to communicate every misstatement no matter how small to management. Auditors should be careful, however, in determining this threshold, so that the concept of “trivial misstatement” does not become an expedient for disposing of misstatements that may have individual or collective significance on a qualitative basis. Top_Aud_09_book.indb 278 9/30/2008 8:18:44 AM 305 TOP AUDITING ISSUES FOR 2009 CPE COURSE Quizzer Questions: Module 2 Answer the True/False questions by marking a “T” or “F” on the Quizzer Answer Sheet. Answer Multiple Choice questions by indicating the appropriate letter on the Answer Sheet. 41. In addition to its primary purpose as the principal support for the auditor’s report, SAS 103 lists which of the following as another purpose of audit documentation? Audit documentation constitutes an integral part of the entity’s accounting records b. Audit documentation demonstrates the accountability of the audit team for the audit procedures it has performed. c. Audit documentation protects the auditor from legal liability. d. Audit documentation provides a guarantee of audit quality. a. 42. Which of the following statements concerning documentation of auditor independence is correct? Auditor independence must be documented in central files. Auditor independence must be documented in each specific engagement audit file. c. Auditor independence may be documented either in central files or in specific engagement audit files. d. Auditor independence may be documented when required by firm policy. a. b. 43. The documentation in an audit file must be recorded on paper, not electronic media or by other means. True or False? 44. Audit documentation must enable another experienced auditor with no previous connection to the audit to understand the nature, timing, extent, and results of the audit procedures: a. b. c. d. Top_Aud_09_book.indb 305 When allowed contact with the client When combined with oral clarifications Without additional oral explanation When the other auditor re-performs significant audit procedures 9/30/2008 8:18:47 AM 306 TOP AUDITING ISSUES FOR 2009 CPE COURSE 45. An example of an unacceptable document identifier for specific items tested is: Every 15th item from the May cash disbursements journal All invoices over $15,000 from the June 2008 accounts payable detail. c. Checks numbered from 60100 to 60227 d. For an inventory observation, descriptions of the counting procedures and goods observed, the persons involved and their responsibilities, and the location, date and time of the observation a. b. 46. When information obtained during the audit contradicts or is inconsistent with the final conclusions on significant findings or issues, audit documentation should: a. b. c. d. 47. Not mention specific additional procedures performed, if any Retain related information that is found to be incorrect Record how the matter was resolved Exclude the results of consultations within outside experts regarding differences of professional judgment within the engagement team Which of the following statements applies to the report date under SAS 103? The report date falls 45 days prior to the documentation completion date. b. The documentation completion date may be no later than 90 days after the report date. c. The report date is the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. d. The report date is the last date of significant audit field work. a. 48. The date that the auditor grants permission for the audit report to be used in connection with the financial statements is known as the: a. b. c. d. Top_Aud_09_book.indb 306 Field work completion date Report date Documentation completion date Report release date 9/30/2008 8:18:47 AM QUIZZER QUESTIONS — Module 2 49. 307 During the period prior to the document completion date but after the report date, the auditor may do all of the following except: Remove valid evidence that contradicts final audit conclusions Add information, such as an original of a document that was previously faxed, that was received after the report date c. Sign off on file completion checklists d. Perform routine file assembly work, such as collating and crossreferencing the audit documentation a. b. 50. Updated or revised audit documentation added to the audit file prior to the document completion date but after the report date must: Contain all the information, evidence, and conclusions that were in the original or superseded documents b. Preserve the content of preliminary conclusions that are no longer relevant c. Make no changes to the pre-existing audit documentation d. Be faithful to original documents in form a. 51. Additions to audit documentation during the document completion period must show when and by whom the change was made and reviewed, the reason for the change, and its effect, if any, on the auditor’s conclusions. True or False? 52. SAS 99 requires which of the following specific fraud-related items to be recorded in the audit documentation? The fraud risk discussion at the conclusion of the audit. The nature of fraud-related communications made to management, the audit committee, or others. c. Results of procedures performed to address the risk of design deficiencies in internal control d. The auditing procedures used to gather the information needed to identify and assess the risk of material misstatement caused by error a. b. Top_Aud_09_book.indb 307 9/30/2008 8:18:47 AM 308 TOP AUDITING ISSUES FOR 2009 CPE COURSE 53. According to SAS 107, audit documentation should record all of the following except: All known and likely misstatements that have been identified by the auditor and corrected by management, except for trivial amounts. b. Consideration of the aggregate effects of misstatements. c. Consideration of the individual effects of trivial misstatements. d. Separate consideration of known and likely uncorrected misstatements. a. 54. According to SAS 109, auditors should document the assessment of the risks of material misstatement at both the financial statement and relevant assertion level. True or False? 55. SAS 112 requires auditors to: Communicate only material weaknesses in internal control to the client in writing. b. Communicate only significant deficiencies in internal control to the client in writing. c. Make the written communication of significant deficiencies and material weaknesses in internal control no later than 60 days following the report release date. d. Make the written communication of significant deficiencies and material weaknesses in internal control no later than 45 days following the report release date. a. 56. SAS 104 indicates that the level of assurance that is intended to be obtained by the auditor is: Expressed in the auditor’s report as reasonable assurance about whether the financial statements are free of material misstatement. b. Equated with a low level of assurance. c. That which would be expected by a reasonable user of the financial statements. d. An absolute level of assurance. a. Top_Aud_09_book.indb 308 9/30/2008 8:18:47 AM QUIZZER QUESTIONS — Module 2 57. 309 SAS 105 broadens the auditor’s responsibilities in which of the following ways? Reducing the emphasis on fraud risk assessment when expanded control risk assessment procedures are undertaken. b. Expanding the scope of the auditor’s understanding to encompass not only internal control, but also the entity and its environment, including its internal control. c. Requiring confirmation, observation, and other specific audit procedures. d. Expanding the documentation requirements for all audits. a. 58. Substantive procedures should be performed in all audits for all relevant assertions related only to classes of transactions, account balances, and disclosures that are assessed at high risk of material misstatement. True or False? 59. All of the following assertions fall under the “presentation and disclosure” category of assertions except: a. b. c. d. 60. Which of the following audit procedures is likely to be most effective in providing relevant audit evidence to prove or disprove the client’s rights and obligations assertions concerning a lease agreement? a. b. c. d. 61. Completeness. Occurrence and rights and obligations. Existence. Classification and understandability. Inspection of the leased premises. Substantive analytical procedures. Inspection of the lease agreement. Inquiry of management. Auditors should perform risk assessment procedures at: Both the financial statement level and the tolerable misstatement level. b. Both the financial statement level and the account balance, transaction class, and disclosure level. c. Only the account balance, transaction class, and disclosure level. d. Only the tolerable misstatement level. a. Top_Aud_09_book.indb 309 9/30/2008 8:18:47 AM 310 TOP AUDITING ISSUES FOR 2009 CPE COURSE 62. Which of the following would likely be the most appropriate benchmark to use in setting materiality for a small, service oriented nonprofit organization? a. b. c. d. 63. Gross revenues. Pre-tax income. Gross profit. Net income. When a non-public client is in a lease agreement with significant scheduled escalations over its term, and the client has not recorded deferred rent in the previous year: The auditor should consider only the cumulative effect of the uncorrected rent deferral on the ending balance sheet. b. The auditor should consider only the current and prior period rent expense that flows through the current period’s income statement. c. The auditor may consider both the income statement and ending balance sheet effects of the prior period misstatements. d. The auditor must consider both the income statement and ending balance sheet effects of the prior period misstatements. a. 64. Which of the following statements best applies, under SAS 107, to the auditor’s consideration of the qualitative characteristics of misstatements? Indications of possible fraud on the part of management or key employees may be considered qualitatively immaterial if they fall beneath quantitative tolerable misstatement levels. b. Misstatements affecting management’s compensation may have qualitative significance even though they do not exceed quantitative thresholds for materiality. c. A misclassification between current and non-current liabilities is not considered a qualitatively significant misstatement. d. Previous years’ earnings trends are not qualitatively relevant to misstatements in the current year’s financial statements. a. 65. The audit plan is the detailed map that describes the nature, timing, and extent of audit procedures to be performed. True or False? Top_Aud_09_book.indb 310 9/30/2008 8:18:47 AM QUIZZER QUESTIONS — Module 2 66. 311 Under the requirements of SAS 108, the engagement partner is required to communicate to audit assistants all of the following matters except: Their responsibilities and the objectives of audit procedures to be performed. b. The assistant’s responsibility to bring to the attention of the client’s management accounting issues raised during the audit that the assistant believes are significant to the financial statements. c. Matters that may affect the nature, timing, and extent of audit procedures to be performed, such as the nature of the entity’s business and possible accounting and auditing issues. d. The susceptibility of the entity’s financial statements to material misstatement due to error or fraud, with special emphasis on fraud. a. 67. Each workpaper in the audit documentation file must be signed-off by a supervisor to indicate that it has been reviewed. True or False? 68. Which of the following statements best applies to the requirement to perform inquiries, apply analytical procedures, and perform observation and inspections in assessing risk? Each of these procedures must be performed for every aspect of the risk assessment. b. Each of these procedures should be performed for every aspect of the risk assessment. c. All of these procedures should be performed during the risk assessment. d. All of these procedures must be performed during the risk assessment. a. 69. Which of the following statements best applies to the requirements of SAS 109 for the discussion among the audit team in planning the audit? This discussion should include the audit partner and key members of the audit team. b. This discussion should include the audit partner and all members of the audit team. c. Fraud risk must be discussed separately from other risks of material misstatement. d. All members of the audit team should have a comprehensive knowledge of all facets of the audit. a. Top_Aud_09_book.indb 311 9/30/2008 8:18:47 AM 312 TOP AUDITING ISSUES FOR 2009 CPE COURSE 70. Nonroutine transactions involving significant risks are often characterized by: Related party transactions. Reduced manual intervention in data collection. Lack of management intervention to control the accounting treatment. d. Highly automated data processing. a. b. c. 71. Which of the following circumstances might ordinarily indicate that substantive procedures alone would not provide sufficient appropriate audit evidence for an account balance or transaction class? Audit evidence exists only in electronic form. Audit evidence is highly dependent on the effectiveness of manual controls over its completeness and accuracy. c. The transaction class contains only a few large transactions. d. The account balance or transaction class contains judgmental matters that involve significant estimates or uncertainties. a. b. 72. The concept of a linkage between audit tests performed and risks assessed essentially means that: Audit procedures should be applied uniformly to all financial statement amounts and disclosures. b. Audit procedures should be directly correlated to materiality for the financial statements taken as a whole. c. Areas of higher risk should receive more attention from the audit team than areas of lower risk. d. More intensive audit procedures should be applied to larger monetary amounts in the financial statements. a. Top_Aud_09_book.indb 312 9/30/2008 8:18:48 AM QUIZZER QUESTIONS — Module 2 73. 313 Which of the following statements best applies to SAS 110’s requirement that internal controls be tested at least once every three years in an annual audit? Auditors should plan to test a portion of the controls at least every other year, and must test each control at least once in every three audits. b. Significant personnel changes that affect control application do not ordinarily result in shortening the period for retesting a control. c. Auditors should test the operating effectiveness of some controls every year, irrespective of their planned reliance on the controls. d. When there is a significant assessed risk of material misstatement at the relevant assertion level and the auditor plans to rely on a control to mitigate that risk, the operating effectiveness of that control should be tested in the current period, regardless of the three year rule. a. 74. The sources and reliability of information and the persuasiveness of audit evidence should be considered in forming a conclusion as to whether sufficient appropriate evidence has been obtained to reduce the risk of material misstatement to an appropriately low level. True or False? 75. The size of a sample for tests of details is usually influenced by other factors in which of the following ways? a. b. c. d. 76. Sample size decreases as expected misstatement increases. Sample size increases as audit risk decreases. Sample size increases as expected misstatement decreases. Sample size increases as audit risk increases. Statistics such as interest rates and the consumer price index can be useful to auditors in developing expectations for analytical procedures. True or False? 77. The requirements of SAS 114 for the auditor to communicate with those charged with governance do not apply to: a. b. b. d. Top_Aud_09_book.indb 313 Small, owner-managed entities. SEC-issuers. Entities that do not have formally constituted audit committees. Governmental and nonprofit entities. 9/30/2008 8:18:48 AM 314 TOP AUDITING ISSUES FOR 2009 CPE COURSE 78. In a family-owned enterprise without a formally defined governance structure, auditors should direct communications to those charged with governance to: a. b. c. d. 79. The controller or senior accounting employee. The majority owner. Such person or persons as agreed to with the engaging party. No one, because they are not required under these circumstances. Under AS-5, a significant deficiency is described as a deficiency or combination of deficiencies in internal control over financial reporting: That creates more than a remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected on a timely basis. b. Such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. c. That is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. d. That creates more than a remote likelihood that a material misstatement will not be prevented or detected on a timely basis. a. 80. When quoted prices for identical assets or liabilities in active markets are not available as an input to measure fair value, which of the following inputs would be regarded by FAS 157 as the least reliable alternative? Unobservable inputs in which the reporting entity makes its own assumptions about the marketplace. b. Observable inputs other than quoted prices, such as interest rates or yield curves, observable at commonly quoted intervals. c. Quoted prices for identical or similar assets or liabilities in markets that are not active. d. Inputs derived from or corroborated by observable market data by correlation or other means. a. Top_Aud_09_book.indb 314 9/30/2008 8:18:48 AM QUIZZER QUESTIONS — Module 2 81. 315 FAS 158 requires, with respect to the overfunded or underfunded status of a defined benefit postretirement plan (other than a multi-employer plan), that an employer: Report the excess of plan assets over benefit obligations as accumulated other comprehensive income. b. Recognize current-year changes in the overfunded or underfunded status as a part of net income from continuing operations. c. Recognize an asset or liability in its financial statements. d. Disclose the overfunded or underfunded status in a footnote only. a. 82. In evaluating a tax position under FIN 48, entities should do all of the following except: Assume, when determining whether a position meets the morelikely-than-not threshold, that the taxing authority will have full knowledge of all relevant information. b. Not consider possible resolution through appeals or litigation when determining whether a position meets the more-likely-than-not threshold. c. Evaluate tax positions for all jurisdictions in which the entity is subject to taxes based on income. d. Measure the amount of benefit to recognize in the statements as the largest amount that would be more than 50 percent likely of being realized on settlement. a. 83. Which of the following statements best applies to auditors who wish to provide assistance to their audit clients in implementing FIN 48? They should advise their clients to seek assistance from a third party in implementing FIN 48. b. They cannot assist clients in measuring the amount of the benefit to be recognized. c. They should take care to observe the requirements of ET 101-3 for providing nonattest services. d. Auditors are prohibited from providing assistance to their audit clients in implementing FIN 48. a. Top_Aud_09_book.indb 315 9/30/2008 8:18:48 AM 316 TOP AUDITING ISSUES FOR 2009 CPE COURSE 84. The AICPA’s Clarity Project envisions all of the following except: Redrafting all existing SASs according to the new Clarity Project conventions. b. Including an exposure draft and public comment period for the redrafted standards c. More clearly differentiating between professional requirements and application or explanatory material. d. Providing special considerations for audits of SEC issuers. a. 85. The PCAOB has created seven task forces charged with monitoring certain IAASB activities and working toward convergence with international auditing standards. True or False? 86. One of the purposes of the “Findings for Further Consideration” (FFC) form under the new Standards is to: Eliminate the letter of comments on report reviews. Document matters warranting further consideration in the evaluation of a firm’s QC system. c. Document the reviewer’s recommendations and the reviewed firm’s responses. d. Summarize all “Matter for Further Consideration” (MFC) forms, ensure that they have been addressed, and document how they were resolved. a. b. 87. Which of the following statements best describes the disposition of the “Findings for Further Consideration” (FFC) form under the new Standards? Copies of this form should be maintained by the peer reviewer and the administering entity until after the completion of the next review. b. This form should be filed with the AICPA Peer Review Board by the administering entity. c. This form must be retained by the administering entity for public inspection in jurisdictions with mandatory peer review requirements. d. This form should be maintained by the reviewed firm until 90 days after the approval of the peer review is received from the administering entity. a. Top_Aud_09_book.indb 316 9/30/2008 8:18:48 AM QUIZZER QUESTIONS — Module 2 88. When the review captain in an engagement review concludes that deficiencies are evident on all engagements submitted for review, except when the exact same deficiency appears on multiple engagements and no other deficiencies were evident, which of the following report ratings is appropriate under the new Standards? a. b. c. d. Pass with deficiencies. Modified. Fail. Adverse. 89. Among the significant changes to the old reporting model are that the new report is shorter and contains a URL that takes readers to a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review. True or False? 90. The new Standards have merged: a. b. c. d. 91. The old engagement review into the new system review. The old report review into the new engagement review. The old CPCAF review into the report review. The old report review into the system review. Documented quality control policies and procedures are required under SQCS 7 for: a. b. c. d. 92. 317 All firms in states with mandatory peer review requirements. All AICPA member firms, regardless of the nature of their practice. All firms except those with only no-disclosure compilation practices. All firms with accounting or auditing practices. Under the new quality control element “leadership responsibilities for quality within the firm,” firms are required to: Promote an internal culture based on the recognition that the quality of work is important, but secondary to economic considerations. b. Establish policies and procedures to promote an internal culture based on the recognition that quality is essential. c. Assign management responsibilities consistent with commercial considerations. d. Address performance evaluation, compensation, and promotion so as to reward members who bring in new clients over technicians. a. Top_Aud_09_book.indb 317 9/30/2008 8:18:48 AM 318 TOP AUDITING ISSUES FOR 2009 CPE COURSE 93. Which of the following statements best describes an engagement quality control review under SQCS 7? It is a pre-issuance process performed by or under the supervision of the engagement partner. b. It is designed to provide a post-issuance assessment of engagement quality as part of the firm’s monitoring program. c. It is designed to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report. d. It is a post-issuance process performed by persons who are not otherwise involved in performing the engagement. a. 94. The criteria for which engagements will be subject to engagement quality control reviews are to be established by each firm in its quality control policies and procedures. True or False? 95. Under the requirements of SQCS 7 for monitoring, firms should: Establish policies and procedures for withdrawal from a specific engagement or from a client relationship. b. Assign responsibility for monitoring to randomly selected individuals within the firm. c. Evaluate the effects of deficiencies noted in monitoring to determine if they are systemic in nature. d. Communicate deficiencies and recommendations for remedial action to appropriate firm personnel monthly. a. Top_Aud_09_book.indb 318 9/30/2008 8:18:48 AM