Summary of New Audit Documentation Requirements

MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 4
Summary of New Audit Documentation Requirements
LEARNING OBJECTIVES
After reading this chapter, the reader should:
Understand the audit documentation requirements of the AICPA’s Statement on Auditing Standards No. 103, Audit Documentation (SAS 103).
Understand the relationships between SAS 103 and other auditing standards.
Be able to apply these requirements in practical auditing situations.
INTRODUCTION
The auditing profession has seen significant changes recently in the
requirements for both audit performance and audit documentation.
Statement on Auditing Standards No. 103, Audit Documentation (SAS
103) (AU section 339), issued by the AICPA in March of 2006, deals
with documentation requirements for audits in general. But many other
Standards contain specific documentation requirements. Some of these
mark departures from previous practice. The purpose of this chapter is
to revisit the overall documentation requirements of SAS 103, and to
summarize into a single place the specific documentation requirements
of the other Standards.
While SAS 103 makes sweeping changes to existing practice and adds
significantly to documentation requirements for audit engagements, it
emphasizes that professional judgment is integral in determining quantity,
type, and content of audit documentation.
As part of the AICPA’s “Clarity Project,” SAS 103 has been re-drafted
into a new and more digestible format. The exposure draft of this re-draft
can be viewed at the AICPA’s website, www.aicpa.org/download/auditstd/ED_Audit_Documentation.pdf. This exposure draft is primarily
a matter of form and does not significantly affect the substance of
this Standard.
Top_Aud_09_book.indb 101
9/30/2008 8:18:31 AM
TOP AUDITING ISSUES FOR 2009 CPE COURSE
UNCONDITIONAL AND PRESUMPTIVELY MANDATORY REQUIREMENTS
The requirements of SAS 103 are listed below, to assist readers in focusing on
their application in practice. For clarity and purposes of analysis, this Course
singles out its unconditional requirements, and summarizes its presumptively
mandatory requirements into various captions.
Unconditional Requirements
SAS 103 has three unconditional requirements. These are identified in
the Standards by the word “must,” and are required to be performed in
all circumstances where they are applicable. These requirements are quite
straightforward in their essence. Many of the implementation difficulties that
have manifested themselves since the effective date stem from lack of basic
understanding of these requirements. SAS 103 states that auditors must:
1. Prepare audit documentation for each audit engagement, in sufficient detail to provide a clear understanding of the work performed, including:
a. The nature, timing, extent and results of the procedures performed.
b. The evidence obtained and its source.
c. The conclusions reached.
2. Not delete or discard audit documentation after the documentation completion date until after the end of the document retention period.
3. Document in the workpapers justification for departures from presumptively mandatory requirements, and how the alternative procedures performed were sufficient to achieve the objectives of the presumptively mandatory requirements.
Presumptively Mandatory Requirements
These requirements are identified in the Standards by the words “should” or
“should consider.” They are required to be performed in all applicable circumstances unless the auditor can justify in the audit documentation a reason
for not doing so, and demonstrate how other audit procedures have met their
objectives. Some of these are interrelated requirements in which one requirement contains sub-requirements. SAS 103 states that auditors should:
1. When transferring or copying paper documentation to another media, apply procedures to generate a copy that is faithful in form and content to the original paper document.
2. Include abstracts or copies of the entity’s records in the audit documentation when they are necessary to understand the work performed and conclusions reached.
3. Prepare audit documentation that enables an experienced auditor with no previous connection to the audit to understand:
a. The nature, timing and extent of auditing procedures performed.
b. The results of the procedures performed and the audit evidence obtained.
c. The conclusions reached on significant matters.
d. That the accounting records agree with or reconcile to the audited financial statements or other audited information.
4. Consider the following factors in determining the form, content and extent of audit documentation:
a. The nature of auditing procedures to be performed.
b. The risk of material misstatement associated with the assertion, account balance or transaction class, or disclosure.
c. The extent of judgment involved in performing the work and evaluating the results.
d. The significance of evidence obtained to the assertion being tested.
e. The nature and extent of exceptions identified.
f. The need to document a conclusion, or the basis for a conclusion, that is not readily determinable from the documentation of the work performed or the evidence obtained.
5. Include documentation of matters specific to a particular audit engagement in the audit file for that specific engagement.
6. Document significant findings or issues, the actions taken to address them, including any additional evidence obtained, and the basis for the conclusions reached.
7. Document discussions of significant issues or findings with management on a timely basis, including:
a. When the discussions took place.
b. With whom the discussions were held.
c. The responses.
8. Document how inconsistent or contradictory information identified during the audit was addressed in forming final conclusions.
9. Record the identity of the persons performing and reviewing the audit work, and the dates performed and reviewed.
10. Include identifying characteristics of specific items tested.
11. Not date the auditor’s report earlier than the date on which the auditor
has obtained sufficient appropriate evidence to support the opinion.
12. Follow the guidance of SAS 46, Consideration of Omitted Procedures
After the Report Date, when the auditor concludes that procedures
considered necessary in the circumstances were omitted, and prepare
additional documentation in accordance with SAS 103.
13. Follow the guidance of SAS 1, Codification of Auditing Standards and
Procedures, “Subsequent Discovery of Facts Existing at the Date of the
Auditor’s Report” when information relating to financial information
previously reported on was not known at the date of the report.
14. In circumstances described in items 12 and 13 above, or in other
circumstances where it is necessary to make an addition to the audit
documentation after the documentation completion date, make changes
necessary to reflect the performance of a new audit procedure or a new
conclusion reached, including:
a. When and by whom the changes were made and reviewed.
b. The reasons for the change.
c. The effect of the change on the auditor’s conclusions.
15. Complete the assembly of the audit file within 60 days following the
report release date.
16. Record the report release date in the audit documentation.
17. Adopt reasonable procedures to retain and access audit documentation
for a period not shorter than five years from the report release date, or
longer if required by legal or regulatory requirements or firm policy.
18. Adopt reasonable procedures to maintain the confidentiality of client
information.
19. Apply appropriate and reasonable controls for audit documentation to:
a. Clearly determine when it was created, changed or reviewed.
b. Protect the integrity of the information at all stages of the audit.
c. Prevent unauthorized changes.
d. Allow access by the audit team and other authorized parties to properly discharge their responsibilities.
PURPOSES OF AUDIT DOCUMENTATION
Audit documentation is the principal support for the two key representations
in the auditor’s report: that the engagement was performed in accordance
with generally accepted auditing standards (GAAS), and the opinion (or
disclaimer of opinion) on the financial information. Audit documentation
must be prepared for each engagement and must be detailed enough to
provide a clear understanding of the work performed, including:
The nature, timing, extent and results of the procedures performed
The evidence obtained and its source
The conclusions reached
The Statement draws an important relationship between audit documentation and audit quality. Audit documentation is an essential element of
audit quality. It does not by itself guarantee audit quality, but the process of
creating sufficient appropriate documentation contributes to audit quality.
Insufficient or inappropriate documentation, on the other hand, always
indicates poor audit quality.
Audit documentation also serves other purposes, including:
Assisting the audit team in planning and performing the engagement
Assisting new audit team members in understanding the current engagement by reviewing the documentation from the previous year
Assisting supervisors in directing and reviewing the audit work
Demonstrating accountability of the audit team for the procedures it has performed, the audit evidence examined, and the conclusions reached
Recording matters of continuing significance to future audits
Enabling quality control reviewers, such as internal inspectors or peer reviewers, to understand how the engagement team reached significant conclusions and whether there is sufficient support for those conclusions
Assisting a successor auditor who reviews the predecessor auditor’s audit documentation
STUDY QUESTION
1. Which of the following statements best describes the primary purpose
of audit documentation?
a. It assists supervisors in directing and reviewing the audit work
along with assisting external inspectors and peer reviewers.
b. It enables quality control reviewers to understand how the engagement team reached significant conclusions.
c. It is the principal support for the representation in the auditor’s
report that the engagement was performed in accordance with
GAAS, and for the opinion (or disclaimer of opinion) on the financial information.
d. Although it does not provide a guarantee of audit quality, it is a
major factor contributing to a high level of audit quality.
FORM, CONTENT, AND EXTENT OF AUDIT DOCUMENTATION
SAS 103 made significant changes to existing documentation requirements.
One of the most important of these changes is that the auditor’s workpapers
(now referred to as “audit documentation”) are required to enable an “experienced auditor” with no previous connection to the audit to understand,
without additional oral explanation:
The nature, timing, extent and results of the audit procedures
The audit evidence obtained
Conclusions on significant matters
Conclusions that may not otherwise be readily obvious related to risks of material misstatement
That the financial statements agree to or reconcile with the accounting records
For purposes of this Statement, an “experienced auditor” is defined as a person
who understands the auditing and accounting issues relevant to the client’s
industry and who would have been capable of performing the audit. That
person must understand audit processes, the SASs and applicable legal and
regulatory requirements, the entity’s business environment, and the auditing
and reporting issues applicable to the entity’s industry.
Audit documentation may be recorded on paper, electronic media, or by
other means. When transferring paper documents to another medium, care
must be taken to produce a copy that is faithful to the original in both form
and content. Auditors should also be aware of possible legal, regulatory, or
other reasons for retaining original paper documents.
The Statement allows considerable judgment as to the exact content of
audit documentation. It specifically lists the following items as examples of
materials that make up audit documentation:
Audit programs
Analyses
Issues memoranda
Summaries of significant findings or issues
Letters of confirmation
Representation letters
Checklists
Abstracts or copies of important documents, such as contracts or agreements, if they are necessary to enable an experienced auditor to understand the work performed and the conclusions reached
Correspondence, including e-mail, concerning significant findings or issues
Schedules of work the auditor performed
The documentation for a specific engagement is assembled in an audit file.
This documentation may contain cross-references to audit documentation
for related entities. Other matters, such as auditor independence or staff
training may be documented either within the audit file for each engagement
or centrally within the firm.
EXAMPLE
Documentation of an audit of a subsidiary company may contain references to tests of intercompany balances or transactions contained in
the audit documentation of the parent company.
Documentation of an audit of an employee benefit plan may cross-reference dual purpose payroll-related tests that are documented
within the plan sponsor’s audit file. It is not necessary to duplicate this
documentation in both files.
Many firms require periodic independence representations for their
professional staff, which are filed centrally within the firm. It is a good
practice to cross-reference these files within the engagement audit
file, to assure that the independence of each audit team member is
documented.
OBSERVATION
Cross-referencing is an efficient documentation technique because it eliminates the need for duplicate documentation, thus saving both time and
file storage space. Standardized documentation indexing systems greatly
enhance this efficiency.
OBSERVATION
This Statement also makes it clear that oral explanations, on their own, do
not constitute sufficient support for the audit work or for its conclusions.
They may, however, be used to clarify or explain information contained
in the audit documentation. The accounting profession has moved to the
point where there is a presumption that if something is not documented,
it was not done. Some state laws include a “rebuttable presumption” to
this effect, and the AICPA practice monitoring programs take a similar
position. An occasional oral explanation can interpret a comment or test
but if there is nothing present in the files to be interpreted, then it will be
difficult to defend the contention that it took place.
OBSERVATION
Some practitioners have asked if they need to record every thought they
had during the audit, and retain a copy of every document they looked
at. The answer to this is “no.” SAS 103 acknowledges that it is neither
necessary nor practicable to document every matter considered during
an audit. Copies of an entity’s records, for example, need only be retained
if they are needed to enable an “experienced auditor” to understand the
work performed and the resulting conclusions. Similarly, information that
is incorrect or superseded need not be retained.
Auditors should be guided by the following factors in considering the form,
content, and extent of audit documentation:
The nature of the auditing procedures to be performed
The risk of material misstatement at the assertion, account balance, or transaction level, including disclosures
The extent of judgment necessary in performing and evaluating the audit work
The significance of the audit evidence gathered to the assertion tested
The nature and extent of exceptions noted
The need to document a conclusion that may not be readily obvious from the documentation of the audit work or the evidence obtained
Significant Findings or Issues
As a matter of good practice, auditors have long documented significant
matters considered in the audit. SAS 103 sets forth specific definitions and
requirements in this area.
“Significant findings or issues” refer to audit findings or issues that are
significant in the auditor’s judgment, the actions taken to address them,
including additional evidence gathered, and the resulting conclusions. Those
matters include:
Significant matters related to the appropriate selection, application, or consistency of accounting principles, including related disclosures, such as:
    Accounting for complex or unusual transactions
    Estimates, uncertainties, and related management assumptions
Results of audit procedures that indicate material misstatements or the need to revise a previous assessment of the risk of material misstatement and the response to those risks
Circumstances causing significant difficulty in applying necessary audit procedures, such as:
    Lack of responsiveness to confirmation or information requests
    Absence of original documentation
Findings that could result in a modified report
Audit adjustments, whether or not recorded, that could either individually or in the aggregate have a material effect on the entity’s financial information
Discussion of significant findings and issues should be documented and
should include:
The significant findings or issues discussed
When the discussion took place
Persons with whom the matters were discussed, such as:
    Those charged with governance
    Those responsible for oversight of financial reporting
    Internal auditors
    External parties such as those providing professional services to the entity
The responses to these discussions
When information obtained during the audit is inconsistent with or contradictory to the final conclusions on significant findings or issues, audit documentation should record how the matter was resolved. This may include procedures
performed in response to the information and consultations on or resolutions
of differences of professional judgment within the engagement team or between
the engagement team and others consulted. The Statement is clear, however,
that information that is incorrect or superseded need not be retained in the
audit documentation, unless the document completion date has passed.
Preparer and Reviewer
Audit documentation should show who performed the audit work, the date
it was completed, and who reviewed specific audit documentation and the
date of that review. This does not mean that each specific working paper
must include evidence of review. Rather, the audit documentation should
make clear who reviewed specific elements of the audit work and when.
OBSERVATION
Preparer and reviewer documentation is an important subject for firm quality
control policies and procedures, because of the degree of judgment that the
Statement allows. For example, when a client provides a 250 page detailed
inventory list, and an auditor tests one item on each page, it would likely
be inefficient to initial and date every page. Firm policy should specify,
rather, that the preparer should initial and date either the first or the last
page, as evidence of having performed all the procedures recorded on the
document. This should be written into the firm’s quality control policies
and procedures for audit engagement performance and should be communicated to staff.
Specific Items Tested
The requirements for documenting specific items tested expand upon the
previously existing guidance of SAS 96. When documents are inspected as
part of the testing of controls or as substantive tests of details, identifying
characteristics of those documents must be recorded in a way such that
another auditor could identify the same set of documents.
EXAMPLE
Examples of acceptable document identifiers are:
Unique item numbers, such as purchase order or check numbers
All items over a specified amount from a specific source, such as the cash disbursements journal
For inquiry procedures, the dates of the inquiries, the names and job descriptions of persons involved, and the nature of the inquiry
For observation procedures, the process or subject of the observation, persons involved and their responsibilities, and when and where the observation was made
For systematic samples, the population of documents, starting point, and interval, such as “every 10th item starting with the 5th, from the May cash disbursements journal”
Departures from Statements on Auditing Standards
In rare cases, an auditor may need to depart from presumptively mandatory requirements (but not unconditional requirements) of the SASs. In
these cases, the audit documentation must contain the justification for the
departure, and how the alternative procedures performed were adequate
under the circumstances to achieve the objectives of the presumptively
mandatory requirement.
STUDY QUESTIONS
2. SAS 103 specifically lists as items that may ordinarily be contained in
audit documentation all of the following except:
a. Audit programs
b. Summaries of significant findings or issues
c. Complete copies of all contracts or agreements inspected as part
of the audit work
d. Representation letters
3. The documentation in an audit file for a specific engagement may
contain cross-references to audit documentation for related entities.
True or False?
4. Oral explanations, on their own:
a. May not be used to clarify or explain information contained in the
audit documentation
b. Do not constitute sufficient support for the audit work or for its
conclusions
c. Are not admissible in any circumstances
d. Are sufficient support for the audit work or for its conclusions
5. Which of the following constitutes an acceptable document identifier
for the specific items tested?
a. For observation procedures, the process or subject of the observation, and when the observation took place.
b. For inquiry procedures, the names of persons inquired of
c. For systematic samples, the population of documents and interval, such as “every 10th item from the December 31st accounts
receivable aging”
d. Unique item numbers, such as purchase order or check numbers
REPORT AND DOCUMENTATION DATING AND RETENTION
SAS 103 creates four key dates or periods that are significant changes to
previous practice.
Report Date
Under SAS 103, the report date cannot be before the date on which the
auditor has obtained sufficient appropriate audit evidence to support the
opinion. Sufficient appropriate evidence includes evidence that the audit
documentation has been reviewed, that the financial statements and disclosures have been prepared, and that management has accepted responsibility
for them. This is a significant departure from the previous report dating
requirement, which was the “last date of field work.” This latter date was
subject to highly judgmental determination by audit firms.
OBSERVATION
When confirmations are needed to support a material balance or transaction, and alternative procedures are not possible or economical, auditors
should make additional efforts to send them out early in the audit process,
and to follow up on them in a timely manner, in order to avoid a delay in
dating the report.
The report date is also significant for two other reasons:
It is the start of the documentation retention period.
The management representation letter should be dated the same as the report date.
Report Release Date
SAS 103 defines the “report release date” as the date that the auditor grants
permission for the audit report to be used in connection with the financial
statements. Usually this date will be shortly after the report date. Significant
delays in releasing the report may necessitate additional subsequent events
procedures. The report release date must be documented. It is significant
because it starts the clock ticking on the next important date, the “documentation completion date.”
Documentation Completion Date
The “documentation completion date” may be no later than sixty days after
the report release date. At that time, the audit documentation files must be
completed. No audit documentation should be deleted or discarded after that
time. Users should not confuse this date with a similar date in the PCAOB
standards, which gives only forty-five days after report issuance.
Documentation Retention Period
The records retention period is specified to be not less than five years from
the report date, unless laws, regulations or the firm’s quality control policies
require a longer period.
STUDY QUESTIONS
6. Which of the following statements applies to the documentation completion date under SAS 103?
a. The documentation retention period runs for five years after the
report release date.
b. The documentation completion date may be no later than 45 days
after the report release date.
c. The documentation completion date may be no later than 60 days
after the report release date.
d. The documentation completion date is the date on which the auditor has obtained sufficient appropriate audit evidence to support
the opinion.
7. SAS 103 defines the report release date as:
a. Forty-five days prior to the documentation completion date.
b. The last date of audit field work.
c. The date that the auditor grants permission for the audit report to
be used in connection with the financial statements.
d. The date on which the auditor obtained sufficient appropriate
audit evidence to support the opinion.
8. Which of the following statements applies to the documentation retention period under SAS 103?
a. The documentation retention period runs for seven years after the
report date.
b. The documentation retention period may run for more than five
years after the report date, if required by statute or regulation.
c. The documentation retention period runs for seven years after the
balance sheet or period end date.
d. The documentation retention period runs for five years after the
report date.
REVISIONS TO AUDIT DOCUMENTATION AFTER THE REPORT DATE
After the report date, the auditor is allowed to make changes to the audit
documentation only to:
Complete the documentation and assembly of evidence that has been obtained prior to the report date
Add information, such as an original of a document that was previously faxed, that was received after the report date
Perform routine file assembly work, such as:
Discarding superseded documentation
Sorting and collating
Cross-referencing final workpapers
Sign-off on file completion checklists
After the report date, but before the document completion date, updated
or revised audit documentation may be added. However, it must contain
all the information, evidence, and conclusions that were in the original or
superseded documents. If the information, evidence or conclusion is no
longer relevant, it need not be retained.
Any additions after the report date should show when and by whom the
change was made and reviewed, the reason for the change, and its effect, if
any, on the auditor’s conclusions.
After the documentation completion date, audit documentation must
not be deleted or discarded prior to the end of the documentation retention period.
If the auditor becomes aware that procedures performed or evidence
obtained under the circumstances then existing at the report date were
not adequate to support the auditor’s report, the requirements of SAS
No. 46, Consideration of Omitted Procedures After the Report Date, (AU
section 390) should be followed and documentation prepared in accordance with the requirements of this Statement. Similarly, if the auditor
subsequently becomes aware of information that was unknown to him
or her at the report date, the provisions of SAS No. 1, Codification of
Auditing Standards and Procedures, “Subsequent Discovery of Facts
Existing at the Date of the Auditor’s Report,” (AU section 561) should
be followed.
OBSERVATION
AU sections 390 and 561 contain important performance and documentation requirements. Those requirements are summarized below, although
auditors who encounter situations involving omitted procedures or subsequent discovery of facts should study these sections in their entirety.
While these two sections treat distinct circumstances, their applications
may become interrelated. For example, additional auditing procedures
applied after the report date may lead to the discovery of facts that existed at that date. Similarly, a subsequent discovery of facts that existed
at the report date may cause an auditor to consider whether necessary
procedures were omitted.
An auditor who becomes aware that audit procedures have been omitted should:
Assess the significance of those procedures and consider whether to apply additional procedures. When the omitted procedures are considered significant, they should be performed if possible.
Determine a proper course of action when significant procedures or adequate alternative procedures cannot be applied. If this is not possible, the auditor should consult an attorney and discuss whether it is appropriate to notify persons who are known or likely to rely on the statements or regulatory authorities.
Auditors are not required to continue auditing after the report date. However,
facts that existed at the report date but that were unknown at that time may
subsequently come to light. In this case, the auditor should:
Determine the relevance of the discovered facts to the financial statements.
Take appropriate measures if the facts are relevant.
Notify the board of directors if the client does not cooperate with the auditor’s conclusions and proposed remedies.
If the client continues to refuse to cooperate, consult an attorney and communicate the problem to appropriate parties.
STUDY QUESTION
9. After the report date but before the document completion date, the
auditor:
a. May delete incorrect or superseded information from the audit
documentation
b. May make changes to the audit documentation without the need
to document the reason for the change
c. May not add information to the audit documentation.
d. May not sign off on file completion checklists
PERMANENT FILE DOCUMENTATION
SAS 103’s requirements for document retention and the requirement
not to remove anything from the audit documentation after the documentation completion date raise interesting questions about “permanent
file” documentation.
Under pre-SAS 103 practice, auditors customarily assembled certain types
of audit documentation into “permanent files” when they expected it to be
useful in future audits, and not to change much from year to year. Examples
of the kinds of documentation kept in permanent files might include:
Articles of incorporation and bylaws.
Internal control questionnaires, flowcharts or memoranda.
Long-term notes payable.
Long-term contracts, such as lease agreements.
Pension plan or other employee benefit plan documents.
Organization charts.
Personnel manuals.
Documents like these were often “rolled forward” from one year to the next
in a permanent file with little or no change, and then discarded when they
were no longer applicable or useful, or when they became superseded by
other information.
This practice has several problems under new SASs. The most obvious of
these is that if a document that was necessary to support a previously issued
opinion becomes obsolete—for example, if a lease agreement expires—it can
no longer simply be removed from the “perm file” and discarded, as long as
the document retention period for that audit is still open.
A more subtle issue has to do with “perm file” documents such as internal
control documentation that ordinarily might be expected to change only incrementally from one year to the next. It is important to preserve the original
content of any audit documentation for the duration of the document retention
period. This means that, for example, when a checkbox on an internal control
questionnaire changes from “yes” last year to “no” this year, it is unacceptable
to erase the old “yes” answer and insert the new “no” answer. The old questionnaire has to be retained because it is still necessary to support the old audit.
Some auditors address this issue by using a system of color codes, in which all
changes to a document in a particular year are noted in a unique color, but
none of the previously recorded information is obliterated.
Some practitioners have gone as far as to suggest that there can no longer
be “perm files” under the new standards. Under this theory, all documentation necessary for each individual audit must be contained within that year’s
audit file. An auditor certainly would not go wrong following this approach.
However, that auditor might end up with voluminous documentation files
that in themselves presented some significant efficiency and documentation
management challenges.
One alternative to this approach might be to divide permanent files into “active” and “superseded” sections. Each item in the “perm file” can be indexed in the
appropriate audit’s workpapers, and the transfer of items from the active to the
superseded section documented on a master permanent file indexing form.
An example of a form that can be used for this purpose appears below,
as Illustration 4-1.
Illustration 4-1: SAS 103 Permanent File Index
PERMANENT FILE INDEX
CLIENT: National Distribution Corp
This form is to be used in the post-SAS 103 environment, to document
the movement and disposition of documents into and out of the “active
permanent file.” Such documents are those that would be expected to be
useful over more than one audit period, such as articles of incorporation,
lease agreements, accounting and personnel manuals and the like.
Effective with the implementation of SAS 103, (y/e 12/31/06 and after) it
is the firm’s policy to maintain two sets of permanent files, as applicable,
for each audit engagement. The first is the “active permanent file,” which
accumulates documents that have ongoing relevance to the current year’s
audit. The second is the “superseded permanent file,” which archives for
document retention purposes, the documents that are no longer necessary
for the current audit, but which must be maintained for the 5 year document
retention period to support previous audits.
Pre-SAS 103 documents will be designated as such by a checkmark in the
“Pre-SAS 103” column. For documents entered into the active permanent
file post SAS 103 implementation, the date entered and initials of the person entering the document will be noted in the “date entered/entered by”
column. When a document is transferred from the active to the superseded
permanent file, the date of transfer and initials of person making the transfer
will be noted in the “date trf’d/Trf’d by” column.
A copy of this index will be maintained in both the active and superseded
permanent files.
| P/F- | Title | Pre-SAS 103 | Post-SAS 103: Date Entered/Entered By | Post-SAS 103: Date Trf’d/Trf’d By |
|---|---|---|---|---|
| 1 | Articles of Incorporation | X | | |
| 2 | By-Laws | X | | |
| 3 | Employee handbook, rev 10/1/05 | X | | |
| 4 | Lease agreements: | | | |
| 4.1 | First Street property-3 yrs ending 12/07 | X | | 1/7/08-pmh |
| 4.2 | First Street property-3 yrs ending 12/10 | | 1/7/08-pmh | |
| 5 | Bonus plan-eff 1/1/08 | | 1/8/08-pmh | |
In this illustration, National Distribution Corporation’s articles of incorporation, by-laws, and employee handbook have been in the permanent file since
before the effective date of SAS 103 and are unchanged for the current period.
The lease agreement on the First Street property for the 3 years ending 12/07
was inserted in the active file before the effective date of SAS 103, and has been
superseded in the current audit period by a new lease expiring in 12/10. The
index form shows that on 1/7/08 the auditor, “pmh” transferred the expired
lease to the superseded file and inserted the new lease into the active file. Also,
on 1/8/08, “pmh” inserted a new bonus plan into the active file.
One of the keys to making this system work is never to re-use a permanent file index number. For example, the expired lease agreement, which is
indexed as “P/F-4.1” retains that index number when it is transferred from
the active to the superseded file. This way, the workpaper indexing in the
documentation for the audits that it pertains to will still lead a reader of that
documentation to the appropriate location in the superseded perm file.
OWNERSHIP AND CONFIDENTIALITY OF AUDIT DOCUMENTATION
Audit documentation is the auditor’s property. At the auditor’s discretion,
copies of the audit documentation may be made available to the entity, as
long as doing so does not undermine independence, such as by becoming a
part of the client’s accounting records, or the validity of the audit process,
such as by an unwarranted disclosure of audit scope or methodology.
Reasonable procedures should be in place to safeguard, retain, and access
audit documentation for a period of time sufficient to meet the needs of
the auditor’s practice and to satisfy legal or regulatory document retention
requirements. In no case should this period be less than five years from the
report release date. Firms’ quality control policies and procedures should
address these matters in a comprehensive fashion, to include such matters
as backup policies for electronic files, storage and access policies for paper
and electronic files, and disaster recovery.
Physical access controls, as well as software access controls such as
passwords for electronic media, should be implemented in order to protect
the integrity, accessibility, and retrievability of audit documentation. These
safeguards should protect the documentation against unauthorized alterations, additions, or deletions, as well as against permanent loss or damage.
At a minimum, these controls should:
Enable the auditor to determine when and by whom audit documentation was:
Created
Changed
Reviewed
Safeguard the integrity of the documentation at all stages of the audit,
especially when it is transmitted electronically between members of the
audit team or others
Prevent unauthorized alterations
Permit access by audit team members and other authorized persons as
necessary in the performance of their duties
Maintain the confidentiality of client information
OBSERVATION
Electronic or “paperless” audit documentation provides many advantages,
such as enhanced portability, ease of creating updates, and decreased need
for physical storage space. It also creates several technological challenges.
Among these are possible dependence upon proprietary software, surmounting the learning curve that may be associated with periodic updates
of that software, and accessibility and retrievability in the latter stages of
the documentation retention period.
The rapid evolution of computer technology makes the five year period
specified by SAS 103, not to say even longer statutory or regulatory retention periods, quite a long time. If the audit process uses a vendor’s proprietary software, consider that access to the files must be maintained for at
least five years after the vendor stops supporting the software. Conversion
to a new computer operating system, which is an issue facing most CPA
firms as this Course goes to press, could make old software inoperative.
Certain types of hardware upgrades, such as moving from 32 bit to 64 bit
architecture, risk making old software inoperative. Other technology changes
we may not know of today could make data files unreadable. Some forms of
electronic storage, such as optical CDs and DVDs, deteriorate over time and
could possibly be unreadable five years after the audit completion date (even
the beginning of oxidation will make random portions of the CD unreadable).
Auditors should assure that the electronic media that they use to record
their audit documentation have a “shelf life” sufficient to last throughout
the retention period and that they maintain software and hardware capable
of reading the storage media for that period.
STUDY QUESTION
10. Which of the following statements about the ownership and confidentiality of audit documentation is correct?
a. Audit documentation may never be made available to the entity.
b. At the auditor’s discretion, copies of the audit documentation may
be made available to the entity.
c. Copies of audit documentation must be made available to the
entity upon request.
d. Copies of audit documentation may be used as a part of the client’s accounting records.
RELATIONSHIP TO OTHER AUDITING LITERATURE
In addition to the general requirements of SAS 103, many other auditing
standards contain specific documentation requirements. SAS 103 does not
change those requirements. This section summarizes them, and provides
practical implementation guidance.
PCAOB Standards
SAS 103 is largely a response to the PCAOB’s Auditing Standard No. 3, Audit
Documentation (AS-3). It parallels this pronouncement philosophically and
in many practical respects but has several important differences:
The “experienced auditor” criterion of SAS 103 is more restrictive than the
PCAOB’s. The PCAOB requires only that the person “have a reasonable
understanding of audit activities” and have “studied the company’s industry as well as the accounting and auditing issues relevant to the industry.”
It does not require that an experienced auditor be qualified to perform
the audit himself or herself. This less restrictive requirement is apparently
necessary to allow PCAOB inspectors, who may not be capable themselves
of performing the audits that they inspect, to carry out their duties.
The documentation completion date under AS-3 must come 45 days
after the report date, rather than the 60 days required in SAS 103.
The documentation retention period under AS-3 is seven years from the
report release date, rather than the five years required by SAS 103.
AS-3 requires a detailed engagement completion document, which is
not required by SAS 103.
SAS 103 applies solely to audits of non-SEC issuers. Auditors of SEC issuers
should study the complete text of AS-3, which is available on the PCAOB’s
website at www.pcaobus.org.
STUDY QUESTION
11. Which of the following is a requirement for the “experienced auditor”
under PCAOB standards?
a. The auditor would have been capable of performing the audit.
b. The auditor must understand audit processes, the SASs, and legal
and regulatory requirements applicable to the entity’s industry.
c. The auditor must be knowledgeable about auditing and have
“studied” the industry.
d. The auditor must understand the entity’s business environment
and the auditing and reporting issues applicable to its industry.
SAS 1, Codification of Auditing Standards and Procedures
SAS 1 requires auditors to document an understanding with the client.
SAS 12, Inquiry of a Client’s Lawyer Concerning Litigation, Claims and Assessments
SAS 12 requires auditors to document:
That the client has assured the auditor that it has disclosed all unasserted
claims that the lawyer has advised the client are probable of assertion
and must be disclosed in accordance with SFAS No. 5, Accounting for
Contingencies. This may be done either in the audit inquiry letter or in
a separate letter to the client’s lawyer.
The conclusions reached as a result of responses obtained in a conference
relating to matters covered by the audit inquiry letter.
SAS 51, Reporting on Financial Statements Prepared for Use in Other Countries
SAS 51 requires written management representations regarding the purpose
and uses of financial statements prepared in accordance with foreign GAAP.
SAS 54, Illegal Acts by Clients
SAS 54 requires documentation of oral communications to the audit committee or others charged with equivalent authority and responsibility concerning
illegal acts that come to the auditor’s attention.
SAS 56, Analytical Procedures
SAS 56 requires auditors to document:
The expectations used in analytical procedures, where not otherwise
readily ascertainable from the documentation of the work performed.
The factors considered in developing expectations.
The results of comparisons of the expectations to recorded amounts or
to ratios developed from recorded amounts.
Any additional auditing procedures performed in response to significant
unexpected differences arising from the analytical procedures.
The results of those additional procedures.
OBSERVATION
One of the most commonly-used analytical procedures is trend analysis, in
which comparative trial balances or financial statements are analyzed for consistency over two or more periods. Simply placing a set of computer-prepared
comparative financial statements in the audit documentation does not satisfy
the requirements of SAS 56 because it does not really indicate the auditor’s
expectations, nor does it indicate the results of the comparison, i.e., whether
or not it is consistent with prior periods, or with some other expectation. In
this case, however, most experienced auditors would probably agree that
notations in the margins of such a workpaper to the effect that current period
amounts are or are not consistent with prior periods would be sufficient.
SAS 58, Reports on Audited Financial Statements
SAS 58 requires the predecessor auditor to obtain representation letters
from the former client, and from the successor auditor, before reissuing or
consenting to the reissuance of a previously issued report on the financial
statements of a prior period.
SAS 59, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
SAS 59 requires the auditor to document:
The conditions or events leading to the belief that there is substantial
doubt about the entity’s ability to continue as a going concern.
The work performed in connection with the auditor’s evaluation of
management’s plans.
The auditor’s conclusion about whether substantial doubt as to the
entity’s ability to continue as a going concern for a reasonable period of
time remains or is alleviated.
The consideration and effect of that conclusion on the financial statements, disclosures and the auditor’s report.
SAS 67, The Confirmation Process
SAS 67 requires the auditor to:
Document oral confirmations.
Document how, when confirmations have not been requested in the
audit of accounts receivable, this presumption was overcome.
SAS 74, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance
SAS 74 requires auditors to document oral communication with management and those charged with governance when the auditor becomes aware,
during a financial statement audit under GAAS, of an audit requirement
that may not be encompassed in the original engagement.
OBSERVATION
This sometimes happens in audits of entities that obtain Federal awards
for the first time, and become subject to Single Audit Act requirements,
or entities, especially small ones, whose Federal funding goes over the
Single Audit Act threshold for the first time. If the client was unaware of
these requirements at the time that the auditor was engaged, the auditor
is required to make them aware.
SAS 85, Management Representations
SAS 85 requires written representations from management in all financial
statement audits.
SAS 99, Consideration of Fraud in a Financial Statement Audit
SAS 99 requires that the following specific fraud-related items be recorded
in the audit documentation:
The fraud risk discussion in the planning phase of the audit, including:
How and when the discussion took place
Who participated
The subject matter of the discussion
The auditing procedures used to gather the information needed to identify and assess the risk of material misstatement caused by fraud
The specific fraud risks that were identified
A description of the audit responses to identified fraud risks
Support for the conclusion that improper revenue recognition is not a
fraud risk, if it is not identified as such
Results of procedures performed to address the risk of management
override of internal control
Analytical relationships and other conditions that caused the auditor to
believe that expanded auditing procedures or responses were necessary
and any additional audit responses to address those conditions
The nature of fraud-related communications made to management, the
audit committee, or others
OBSERVATION
As a practical matter, fraud-related procedures are performed at various
times throughout an audit. For this reason, their documentation may be
spread widely throughout the audit workpapers. Some auditors find it efficient to use a standardized workpaper to summarize or index into one place
in the audit documentation the performance of these various procedures.
Such a workpaper might take a form similar to Illustration 4-2 below.
Illustration 4-2: Fraud Risk Evaluation
FRAUD RISK – EVALUATION OF AUDIT TEST RESULTS
By: em. Date: 2/1/08
CLIENT: CalMac Ltd
DATE: 12/31/07
Certain of the procedures in the audit have the potential to discover fraud risk. In
the performance of these procedures, have any of the above indicators or any other
indicators come to our attention? Explain any “yes” answers.
Procedure
Review of minutes
Attorney correspondence
Review of legal expense
Representation letter
Correspondence with funding sources
Cash receipts tests
Cash disbursements tests
Related party procedures
Review of regulatory correspondence
Analytical procedures
Understanding, and (if applicable) tests of internal
control
Management override of internal control
Tests of revenue recognition
Conclusions:
1. Based on the audit findings, is the original
fraud risk assessment still valid?
2. Have the audit procedures adequately
addressed the assessed fraud risks?
3. Based on the audit findings, is there reason
to suspect that material misstatement to the
F/S has occurred due to fraud? If yes, see
SAS 99 AU Sec 319 for further action.
*=see specific accounts w/p’s.
Yes
No
Wp Ref
X
X
X
X
X
X
X
X
X
X
B-7
B-9
B-9
B-18
*
*
*
B-12
None
B-6, B-20*
B-5
X
X
B-5
D & R-series
X
X
X
STUDY QUESTION
12. When auditors do not consider improper revenue recognition to be a
fraud risk, they are required to document a justification for this conclusion. True or False?
SAS 100, Interim Financial Information
SAS 100 requires auditors to prepare documentation, with form and content
designed to meet the circumstances of the engagement, in connection with
a review of interim financial information.
SAS 106, Audit Evidence
The numerous performance requirements of SAS 106 create implicit documentation requirements. Much of what was left unsaid, or implicit, under
previous practice now needs to be reduced to writing, in terms of demonstrating, for example, how individual audit procedures come together to provide
support for the relevant assertions. There is no specific requirement as to
how this is to be documented. Documentation techniques, consequently,
will vary greatly depending on firm policy and engagement characteristics.
The challenge facing all auditors is to create documentation that is clear
and comprehensive while at the same time being succinct and efficient.
One possible technique could be the use of a matrix similar to the one in
Illustration 4-3 below.
Illustration 4-3: Relationship of Audit Procedures to Relevant Assertions, Account Balances, Transaction Classes, Disclosures, and the Financial Statements as a Whole
This illustration demonstrates four levels of consideration in a financial
statement audit, and how the individual procedures provide evidence to
support each of the relevant assertions for a particular balance, in this case
for property and equipment. The accumulation and proper evaluation of
sufficient appropriate audit evidence for the relevant assertions attaching to
each material balance, transaction class and disclosure provide the building
blocks for assurance at the financial statement level.
For the sake of brevity, the illustration is truncated after property and
equipment, and is expanded down to the relevant assertion and audit procedures level only for property and equipment. In an actual engagement, all
balance sheet captions (i.e., account balances) and income statement captions (transaction classes) along with significant disclosures, would be listed
in the second column, and expanded in the third and fourth columns.
| Financial Statement Level | Balance/Transaction Class/Disclosure Level | Relevant Assertion Level | Audit Procedures |
|---|---|---|---|
| | Cash | | |
| | Accounts Receivable | | |
| | Inventory | | |
| | Property & Equipment | Existence | Inspection of assets (step 7) |
| | | Completeness | Inspection of assets (see w/p K10) |
| | | Completeness | Analytical procedures |
| | | Completeness | Inspection of records and documents |
| | | Rights/obligations | Inspection of documents of title, debt instruments |
| | | Valuation | Inspection of purchase invoices |
| | | Valuation | Recalculation of depreciation |
| | | Valuation | Analytical procedures |
One way to think of this illustration is to visualize the planning process
as going from left to right on the matrix, and the actual gathering and
evaluation of audit evidence as going from right back to left. The planning
starts at the financial statement level, identifies the significant account
balances, transactions classes, and presentation and disclosure aspects of
the statements. It then considers the assertions relevant to each of those,
and the attendant risks, and designs and performs audit procedures to
address those risks and to support—or disprove—the assertions. Performing further audit procedures starts to build back up from right to left.
Each procedure provides support for one or more assertion, which in turn
leads to the ability to conclude whether the balance, transaction class or
disclosure has sufficient support, and whether the financial statements as
a whole are fairly presented.
Illustration 4-4: Risk Assessment Matrix
This illustration demonstrates the application of the concepts discussed above
in a practical situation. Like Illustration 4-3, it is truncated to show detail
only for property and equipment. Separate worksheets for the transactions
classes and presentation and disclosure would list across the top their own
relevant assertions, e.g., for transaction classes: occurrence, completeness,
accuracy, cutoff and classification, rather than the assertions for account
balances shown in this worksheet.
Some auditors have suggested that it will be efficient to combine risk
assessment with preliminary analytical review in the planning process.
This worksheet demonstrates one possible format for documenting these
processes.
Column 1 lists the account balance, transaction class or disclosure
Column 2 shows the auditor’s determination of whether the line item is
significant or not by indicating a “Y” for yes, or “N” for no.
Columns 3-5 give the current and prior years’ balances and the change,
for preliminary analytical review purposes.
Columns 6-10 list the relevant assertions for inherent risk. High risk is
designated by “H”, moderate by “M” and low by “L.”
Columns 11-15 list the relevant assertions for control risk, similarly to
columns 6-10
Column 16 shows the risk of material misstatement.
Column 17 shows whether tests of controls are contemplated or not.
Column 18 provides space for narrative comment for the preliminary
analytical review
Column 19 lists audit responses for each of the relevant assertions.
XYZ Company is a small manufacturer that has experienced an increase in
sales due to acquisition of new and more productive machinery.
XYZ Company Combined Preliminary Analytical Review and Risk Assessment, FYE 12/31/07
[Worksheet. Columns: 1 Acct Balance; 2 Signif?; 3 Current; 4 Prior; 5 Change; 6-10 Inherent Risk (Exist, Rights/Oblig, Complete, Val/Alloc, Discl); 11-15 Control Risk (Exist, Rights/Oblig, Complete, Val/Alloc, Discl); 16 Risk of Material Misstatemt; 17 Cntrl Tests?; 18 Analyt Review Comments; 19 Further Audit Procedures. Rows: Cash, A/R, Inventory, Prepaids, Prpty/Equip.]
Not all of the audit procedures listed in this illustration would necessarily
have to be applied. For example, column 19 shows “inspection of assets” as a
procedure that could be used to support the existence assertion for property
and equipment. Inherent and control risk for existence, however, are both
assessed at low risk. Under these circumstances, an auditor might decide
that an inspection of documents, specifically purchase invoices, which is
contemplated to obtain support for the valuation assertion anyway, would
also be sufficient to support existence.
SAS 107, Audit Risk and Materiality in Conducting an Audit
The performance requirements of SAS 107 carry with them both explicit and
implicit documentation requirements. These requirements have significant
implications both for audit efficiency and for systems of quality control for
audit engagements.
Materiality and tolerable misstatement. Auditors should document the
levels of materiality and tolerable misstatement used in the audit, the basis
on which these levels were determined, and any changes that they make to
them during the audit. Simply recording numbers for materiality and tolerable misstatement does not meet this requirement because it does not show
the basis for determining those numbers. As a practical matter, many firms
will find that the easiest way to satisfy this requirement is to use structured
audit practice aids such as those offered by CCH or by other reputable
publishers.
Summary of uncorrected misstatements. Auditors should summarize
uncorrected misstatements, other than those that are trivial. This summary
should facilitate:
Separate consideration of the effects of known and likely misstatements,
including uncorrected misstatements from prior periods.
Consideration of the aggregate effects of misstatements.
Consideration of qualitative aspects of misstatements that are relevant
to the consideration of whether they are material.
The documentation should contain a conclusion as to whether the uncorrected misstatements are material individually and in the aggregate, and a
basis for that conclusion.
The summary of uncorrected misstatements is also important as a client
communication device. Auditors are required to obtain management’s written
representation that uncorrected misstatements are immaterial individually
and in the aggregate. Auditors are also required to communicate these items
to those charged with governance. Many find that attaching this summary
from the audit workpapers, and referencing it in the management representation
letter or the written communication to those charged with governance,
is an efficient way to communicate these items.
OBSERVATION
A likely effect of this new emphasis on uncorrected misstatements is that
auditors, particularly when working with smaller entities, may be “passing”
fewer adjustments, and urging clients to correct all known misstatements
other than trivial ones.
Known and likely misstatements. Audit documentation should record all
known and likely misstatements identified by the auditor that have been
corrected by management, other than those considered to be trivial.
SAS 107 introduces the concept of “trivial” misstatements both in the
context of corrected and uncorrected misstatements. This implies documentation requirements that are not explicitly stated.
This suggests that a threshold for triviality should be documented, and
that a basis for that determination should be stated. Some auditors set this
threshold with reference to their planning materiality documentation, usually
by stating some percentage of tolerable misstatement below which misstatements need not be aggregated.
OBSERVATION
Some documentation requirements, such as documenting levels of
materiality and tolerable misstatement, are “fixed costs” in the sense
that it takes an audit firm about the same amount of time to fill out
its materiality worksheet no matter the size of the client. Like all fixed
costs, they weigh the heaviest at the lowest levels of activity. This poses
a challenge for all auditors, but especially those of smaller entities, to
become more efficient in producing audit documentation. To meet this
challenge, many are finding that their quality control systems need to
move toward two goals:
Increased standardization, often in the form of
– More reliance on published practice aids.
– Standardized indexing and workpaper set-up.
Increased use of electronic aids and documentation, which may, for
example,
– Automatically link specific accounts workpapers to adjusted trial
balances to financial statements.
– Facilitate the standardization of documentation and production of
repetitive types of documents.
STUDY QUESTIONS
13. Which of the following statements best applies to the documentation
requirements of SAS 107?
a. Auditors should document the basis on which materiality was
determined.
b. Auditors should not document materiality at levels below the
financial statements taken as a whole.
c. Auditors should avoid documenting changes made to materiality
levels during the audit.
d. Audit documentation may exclude uncorrected misstatements
from prior periods.
14. According to SAS 107, the summary of uncorrected misstatements
should:
a. Include consideration only of known misstatements.
b. Exclude separate consideration of known and likely misstatements.
c. Include consideration of their aggregate effects.
d. Exclude a conclusion as to their materiality.
SAS 108, Planning and Supervision
SAS 108 requires:
A written engagement letter.
Documentation of significant revisions to the overall audit strategy to
respond to changes in circumstances.
A written audit plan.
Documentation of changes to the original audit plan.
Documentation of significant disagreements among the audit team, if
any, and their resolution.
SAS 109, Understanding the Entity and Its Environment and Assessing
the Risk of Material Misstatement
SAS 109 states that the auditor should document four elements related to
the understanding of the entity and its environment, and the assessment of
the risk of material misstatement:
The audit team’s discussion about the susceptibility of the statements
to material misstatement, whether caused by fraud or error. This documentation should include:
How the discussion occurred.
When it occurred.
Names of the participants.
Subjects discussed.
Significant decisions regarding audit responses at the financial statement and relevant assertion levels.
Significant elements of the auditor’s understanding of:
The client and its environment.
The five components of internal control.
The sources of the information used.
The risk assessment procedures.
The assessment of the risks of material misstatement at both the financial
statement and the relevant assertion levels.
The risks identified and related controls evaluated, including:
Identification of the risks that require special audit consideration.
Risks for which it is not possible or practicable to reduce detection
risk at the relevant assertion level to an acceptably low level by substantive procedures alone.
OBSERVATION
In addition to these explicit documentation requirements, SAS 109 contains
many requirements for auditors to “obtain an understanding” or to “obtain
knowledge” about particular matters. Implicit in these requirements is the
requirement to document those understandings and knowledge. Generating
this documentation is likely to require significant time and effort during the
audit period in which SAS 109 is first implemented. During this implementation period and into the second-time-through audit, auditors should give
serious consideration to how best to create this documentation in a way
that it can be economically updated and maintained in future audits. Electronic documentation will likely be the method of choice for most auditors.
This may take the form of questionnaires or of narrative memoranda. Firms
with large audit practices or with specialized industry niches may find that
providing audit staff with pre-structured outlines for narrative memoranda
will facilitate this process by introducing standardization in gathering,
documenting, and retrieving this information.
STUDY QUESTION
15. According to SAS 109, auditors should document the assessment of
the risks of material misstatement down to the financial statement level.
True or False?
SAS 110, Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence Obtained
SAS 110 requires auditors to specifically document the following elements of
the audit procedures performed in response to assessed risks and the evaluation of the audit evidence obtained through those procedures:
The overall responses to the risk assessment at the financial statement level.
The nature, timing and extent of audit procedures performed.
The linkage of audit procedures to the assessed risks at the relevant assertion level.
The results of audit procedures.
The conclusions reached concerning the use in the current audit of
evidence about the operating effectiveness of controls that was obtained
in a previous audit.
SAS 112, Communicating Internal Control Related
Matters Identified in an Audit
SAS 112 requires the auditor to:
Make the written communication of significant deficiencies and material weaknesses in internal control no later than 60 days following the
report release date.
Document the content of oral communications when communicating
other matters to management or those charged with governance, such
as matters that may be of potential benefit to the client or matters that
the client has requested.
SAS 114, The Auditor’s Communication
With Those Charged With Governance
This Statement does not require written communication of any matters. It
does, however, state that copies of written communications, if any, should
be retained, and that oral communications should be documented.
OBSERVATION
Although written communications were not required under SAS 61 and are
still not generally required under SAS 114, many auditors feel that written
communication represents a “best practice” under most circumstances.
Oral communication is still appropriate, however, especially in the case of
very small, owner-managed clients, as long as it is well-documented.
MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 5
The Risk Assessment Standards:
A Comprehensive Review
LEARNING OBJECTIVES
Upon completion of this chapter, the reader should:
Understand the new philosophical concepts embodied in the Risk Assessment Standards.
Be able to use relevant assertions in the financial statements to assess
risk of material misstatement.
Understand the linkage of audit procedures to risk assessment.
Understand how to develop and use an understanding of the entity and
its environment in assessing risks.
Be able to evaluate audit findings in light of assessed risks and materiality.
INTRODUCTION
The “Risk Assessment Standards” represent the most sweeping change to
auditing practice in the last twenty years. They consist of eight new Statements
of Auditing Standards (SASs 104 through 111). These Statements became
effective for audits of financial statements with periods beginning on or after
December 15, 2006. Thus, for full-year audits, December 31, 2007 year ends
are the first round of audits in which application was required.
These Standards present significant new philosophical directions in auditing. Along with these new modes of thought come new procedures and
practices. Numerous practical issues have presented themselves in this initial
period of implementation. These have to do not only with basic understanding of the new requirements, but also with how to transition thought processes
away from the “old rules” and how to modify, adapt, or sometimes discard
existing auditing practices in a way that is both effective and economically
feasible. This chapter summarizes these new Standards and their requirements, explores some of the emerging implementation issues, and offers
some practical directions and tools for moving forward.
As a convenient reference, Appendix A summarizes these Standards and
Appendix B lists their unconditional requirements. Appendix C contains the
definitions of the many new terms that these Standards have introduced.
THE RISK ASSESSMENT STANDARDS:
NEW DIRECTIONS IN AUDITING
Risk assessment in itself is not a new concept in auditing. Auditors have always made efforts to determine the areas within a client’s financial statements
that are most prone to misstatement. And they have always attempted to
design audit procedures to address these risks. The Risk Assessment Standards
formalize this process, and give it structure. This raises the process from an
intuitive, and sometimes informal, plane to the level of a documentation-intensive set of structured procedures.
Some new philosophical orientations underlie these procedural requirements. Auditors who do not grasp these philosophical implications are not
likely to approach these new Standards, either in their initial implementation
or in ongoing performance, in an efficient or effective manner. This section
discusses those new directions briefly, as a platform for moving forward into
practical implementation and performance issues.
Risk Assessment
Among the most sweeping changes that the new Standards make to previous
practice are the requirements for auditors to have an appropriate basis for all
risk assessments, and the elimination of the concept of assessing risk “at the
maximum” without support. Auditors should now develop an understanding
of controls. When deciding not to test controls, they need to be satisfied
that substantive procedures alone will be effective in reducing detection risk
to an acceptably low level.
OBSERVATION
The inability to default to a “maximum risk” assessment without developing—and documenting—an understanding of controls has a significant effect
on audits of smaller entities. This is particularly true of owner-managed
businesses, in which control structures may not be formalized and segregation of duties may be less than optimal due simply to the lack of personnel.
This does not mean that auditors should test controls that they feel are
ineffective or that they do not plan to rely on in the audit. It does mean that
they should document an understanding of the control risk, and design
substantive procedures to reduce detection risk appropriately.
Implicit in the idea of risk assessment is that almost every audit will contain at
least one significant risk. Risk assessments that say “there are no significant risks
in this audit” might well draw skeptical consideration from audit supervisors.
Less frequently, risk assessments may list nearly every significant account
balance, transaction class or disclosure as having significant risk. This should
draw skepticism on two counts. The first is to question whether the person
or persons making the risk assessment really understand what a significant
risk is. Secondly, if such a risk assessment were accurate, it might lead the
audit partner to question whether the client is really auditable, and whether
the firm’s quality control policies and procedures for client and engagement
acceptance and continuance were properly drafted and properly applied to
the engagement.
Linkage of Audit Procedures to Risk Assessment
The requirement to use risk assessment in determining the nature, timing and
extent of additional audit procedures may well be one of the most important
in the new Standards. One of the key philosophical threads running through
the Risk Assessment Standards is the idea of linking audit procedures to risks:
that is, of performing more intensive procedures in areas of higher risk and
less intensive in areas of lower risk. Arguably, this is merely a codification
of existing best practices. On a practical implementation level, it is more
important than ever for auditors to show how they have considered risks in
developing audit procedures, and how their procedures address those risks.
Thus, whenever an auditor, as a result of obtaining an understanding of a
client, assesses a significant risk of material misstatement, the audit procedures
should respond to that risk.
OBSERVATION
The practical effect of linking audit procedures to risk assessment is that
audit resources will be more efficiently allocated. Areas of higher risk will
receive more time and more intensive consideration and testing. Areas of
lower risk will receive less intensive work. One practical result of this new
emphasis is the need to more closely tailor standardized audit programs
to the unique risks of each individual engagement.
However, regardless of risk, auditors should design and perform substantive
procedures for all relevant assertions related to each material class of transactions, account balance and disclosure.
This requirement is new to the auditing literature. It is, on the one hand,
arguably nothing but a codification of pre-existing best practices. On the
other hand, it carries a danger of misinterpretation. Some auditors, at an
initial reading, have concluded that this requires extensive substantive procedures on virtually every line item on a client’s trial balance. This is not the
Standards’ intent. Auditors attest to the financial statements as a whole, not
to the detailed general ledger. It is thus the relevant assertions for material
transaction classes, account balances and disclosures at the financial statement
level that are the subject of this concern.
Presentation and Disclosure
Among the most sweeping changes that the new Standards make to previous
practice is the introduction of the concept of considering risk of misstatement not only at the level of the financial statements taken as a whole, and
at the level of individual account balance or class of transactions, but also
at the disclosure level. This is consistent with the philosophical direction of
the new risk assessment model, which increases emphasis on the accuracy
and clarity of disclosures. This is important because it underscores the fact
that disclosures are more than just a mass of fine print appended to the basic
financial statements. They are an integral part of those statements, and share
equal importance to users, and thus are of equal concern to the auditor. This
has several important practical implications for the ways in which auditors
view their responsibilities relating to financial statement disclosures.
OBSERVATION
The increased emphasis on presentation and disclosure is likely to lead to
increased reliance on standardized presentation and disclosure checklists.
Practitioners should be aware, however, that it will not be sufficient to run
down these checklists in a mechanical fashion determining merely the
presence or absence of a particular element of presentation or disclosure.
Financial statements and related disclosures also need to be read carefully for clarity and understandability. Another implication of this increased
emphasis, along with the requirement to reconcile the statements and
notes to underlying accounting records, will likely be a necessity to reference assertions contained in the notes to applicable support within the
audit documentation.
Responsibilities of Client and Auditor
One of the major philosophical thrusts of the new Risk Assessment Standards as a whole is to differentiate the auditor’s responsibilities from those
of management and other financial statement users. This is part of a campaign, which began several years ago with Ethics Interpretation No. 101-3,
Nonattest Services, to educate clients and the public as to who is responsible
for what in the audit process, and continues with SAS 112, Communication
of Internal Control Related Matters Identified in an Audit, and SAS 114, The
Auditor’s Communication With Those Charged With Governance.
Examples of this new direction include:
The concept that financial statement users need to take responsibility
for intelligent use of the financial statements.
Users need to understand that financial statements are prepared and
audited to levels of materiality.
The concept that auditors cannot reasonably anticipate the needs of all
financial statement users.
Increased emphasis on communication between the auditor and management on the subject of misstatements, in order to clarify that it is the
client, not the auditor, that “owns” the audit adjustments.
There are also some changes in the emphasis on auditor responsibilities. SAS
104, Amendment to SAS 1, “Codification of Auditing Standards and Procedures”
(“Due Professional Care in the Performance of Work”) emphasizes that the high
level of intended assurance is expressed in the auditor’s report as obtaining
reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. It expands the definition
of “reasonable assurance” by adding wording to emphasize that audits must
be planned and performed to attain a low level of audit risk.
SAS 104 does not explicitly define the terms “high level of assurance” or
“low level of audit risk.” However, it equates “reasonable assurance” with a
“high level of assurance” and requires auditors to perform audit procedures
designed to limit audit risk “to a low level.”
SAS 105, Amendment of SAS 95, “Generally Accepted Auditing Standards”
broadens the philosophy of the audit process significantly by amending the
second fieldwork standard to:
Expand the scope of the auditor’s understanding from “internal control”
to “the entity and its environment, including its internal control.”
Extend the purpose of the auditor’s understanding from “planning the
audit” to “assessing the risk of material misstatement of the financial
statements whether due to error or fraud.”
STUDY QUESTIONS
1. Among the major philosophical directions taken by the Risk Assessment
Standards are all of the following except:
a. The concept of differentiating the auditor’s responsibilities from
those of management and other financial statement users.
b. The elimination of the concept of assessing risk “at the maximum”
without support.
c. The concept of considering risk of misstatement only at the level
of the financial statements taken as a whole.
d. The idea of linking audit procedures to risks.
USING RELEVANT ASSERTIONS IN RISK ASSESSMENT
Assertions are implied or expressed representations by management about the
recognition, measurement, presentation, and disclosure of information in
the financial statements and related disclosures. One of the first steps in the
audit process is to identify management’s assertions regarding each material
component of the financial statements. Auditors must test these assertions
by gathering evidence to support or refute them. Professional literature previously identified five assertions: completeness, occurrence, rights and obligations, valuation/allocation, and presentation and disclosure. SAS 106, Audit
Evidence, identifies 13 assertions which it sorts into three broad categories.
Some of these assertions, such as accuracy and cutoff, are really different ways
of viewing previously existing assertions. The new category for presentation
and disclosure reflects increased emphasis on the importance of this area to the
users of financial statements. It highlights the necessity for auditors to seriously
address the content of the financial statements, including the disclosures.
Auditors are now required to determine the relevance of each of the assertions and the source of likely potential misstatements for each significant
class of transactions, account balance, and presentation and disclosure, and
to use the assertions in assessing risks by considering the types of misstatements that might arise and designing further audit procedures to respond
to those risks.
Classes of Transactions and Events
Assertions about classes of transactions and events for the period under audit
address whether recorded transactions and events:
Have in fact occurred and relate to the entity (occurrence).
Include all transactions and events that should have been recorded
(completeness).
Have been properly recorded based on appropriate amounts and other
data (accuracy).
Have been recorded in the correct accounting period (cutoff).
Have been recorded in the proper accounts (classification).
Previous auditing standards did not have explicit assertions for accuracy or
cutoff, although these matters have always been addressed in financial statement audits. Accuracy was addressed through a combination of considerations
related to all five of the previously existing assertions. Cutoff was addressed
through considerations of completeness and occurrence. The new cutoff assertion is a logical outgrowth of the increased emphasis in SAS 99, Consideration
of Fraud in a Financial Statement Audit, on fraudulent revenue recognition,
and reflects the need for auditors to give explicit consideration to the risk of
cutoff errors or manipulations giving rise to improper revenue recognition.
Account Balances
Assertions about account balances at the period end address whether:
Assets, liabilities, and equity interests exist (existence).
The entity holds or controls the rights to assets and whether liabilities are
actually the obligations of the entity (rights and obligations).
All assets, liabilities, and equity interests that should have been recorded
have been recorded (completeness).
Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation
adjustments are appropriately recorded (valuation and allocation).
This category of assertions has not changed, and thus will not likely cause
significant changes to existing audit practices.
Presentation and Disclosure
Assertions about presentation and disclosure address whether:
Disclosed events and transactions have occurred, and relate to the entity
(occurrence and rights and obligations).
All disclosures that should have been included in the financial statements
have been included (completeness).
Financial information is appropriately presented and described and disclosures are clearly expressed (classification and understandability).
Financial and other information is disclosed fairly and at appropriate
amounts (accuracy and valuation).
It is significant that SAS 106 has carved out a separate category for financial
statement presentation and disclosure. This has several important practical
implications for the ways in which auditors view their responsibilities relating to financial statement disclosures.
Disclosure checklists will continue to be important tools in assuring the
completeness of disclosures.
Auditors will increasingly need to look past their disclosure checklists to
the quality and substance of the disclosures. However, the mere presence
of a footnote captioned, say, “Inventory” does not necessarily mean that
all of the necessary disclosures about inventory are present and are clearly
expressed. Auditors will need to carefully read and evaluate each disclosure to determine if it is truly adequate, especially in areas that require
management to make quantitative or qualitative judgments affecting the
content of a disclosure.
Disclosure omissions or inadequacies often arise when a client experiences
a significant unusual event or transaction, or has significant changes in
its business. Such events should cause auditors to be alert to the need
for new disclosures.
Data in the footnotes will need to be closely correlated to the audit documentation. This includes non-financial data. This does not mean that
every number in every footnote needs to be cross-referenced to a specific
workpaper within the audit documentation, although some firms have
adopted this practice as a matter of their own quality control policies. It
does mean that if a footnote asserts, for example, that a significant operating lease has a five-year term, the audit documentation should contain a
copy or an abstract of the lease agreement that supports this assertion.
OBSERVATION
Not every assertion applies to every material component of the financial
statements. There are, though, many areas where most of the assertions
are relevant. There will be a significant increase in the number of assertions that need to be addressed on each audit. Auditors should be mindful
of the increased time this will create for each audit. This has implications
for the scheduling of the firm’s personnel, and should also be discussed
with clients when scheduling audit engagements. The Risk Assessment
Standards as a group will likely also create new demands on the time
and resources of clients’ accounting staffs. Auditors should also consider
discussing fee increases with clients during the transition period, in order
to give them a chance to budget for the increase and to avoid the distress
of “sticker shock” in the year of implementation. Some firms report that
the new standards, as a whole, have added 20%-25% to audit time in the
first year of implementation. “Learning curve” costs are certainly a part of
this increase, so the time might decline in years subsequent to the initial
implementation.
EXAMPLE
If an entity’s financial statements show cash of $50,000, this means that
management asserts that cash of $50,000 exists, is owned by the entity,
and includes funds at all locations, funds with custodians, and deposits
in transit as of the balance-sheet date. Furthermore, unless otherwise
disclosed in the financial statements or notes thereto, management also
asserts that the cash was unrestricted and available for the entity’s general
operating purposes.
SAS 106 allows auditors some discretion in how they express these assertions in their work. They may use them as described above, or they may
characterize them differently, as long as all of the aspects have been covered.
As a practical matter, auditors who choose to express the relevant assertions
differently are well-advised to document in explicit fashion how those assertions cover all aspects of those outlined in SAS 106. This can be efficiently
done, to some extent, through the use of uniformly structured practice
aids that specify the connection between the assertions as used and those
presented in the SAS. However, because of the wide variety of situations
that may be encountered in real-world auditing, the need to supplement
standardized practice aids with narrative comments should be considered
on an engagement-by-engagement basis.
EXAMPLE
The cutoff assertion under “classes of transactions and events” is one of the
new assertions created by SAS 106. The concept of assuring proper cutoffs
has long been addressed by auditors, and is not in itself a new idea. Under
previous standards, a receiving cutoff issue would have been addressed
through a combination of the completeness and occurrence assertions. If
goods were received in a period but not recorded, the client had a problem
with the completeness assertion. If, on the other hand, receipt of goods was
recorded in a period but the actual receipt did not occur in that period, there
was a problem with the occurrence assertion. This continues to be a valid
conceptual approach in this case. SAS 106 explicitly states that there may
not be a separate cutoff assertion for transactions and events when the
completeness and occurrence assertions include appropriate consideration
of recording transactions in the proper accounting period. In this case, it is
probably wise for the audit documentation to state that the cutoff assertion
for receiving is adequately addressed by the combined consideration of
completeness and occurrence.
STUDY QUESTIONS
2. SAS 106 identifies 13 assertions, which it groups into which of the following broad categories?
a. Completeness, occurrence, rights and obligations, valuation/allocation, and presentation and disclosure.
b. Account balances; classes of transactions; and events, presentation and disclosure.
c. Completeness, classification and understandability, accuracy and
valuation.
d. Occurrence, completeness, accuracy, cutoff, and classification.
Using Assertions in Obtaining Audit Evidence
SAS 106 requires auditors to determine the relevance of each of the financial
statement assertions for each significant class of transactions, account balance,
and for presentation and disclosure. Auditors should use the relevant assertions to assess the risks of material misstatements in the financial statements
and to design audit procedures to respond to the assessed risks. To determine
whether a particular assertion is relevant, they should evaluate:
The nature of the assertion.
The volume of transactions or data related to the assertion.
The nature and complexity of the systems the entity uses to process and
control information supporting the assertion.
Developing Audit Tests and Procedures
To determine what type of evidence to collect, auditors develop specific
objectives related to each relevant assertion. Auditors should evaluate each
relevant assertion as it relates to the particular account balance, class of
transactions, or presentation and disclosure when determining audit objectives. Having identified specific audit objectives, they should then develop
methods to achieve them.
Deciding upon the nature, timing, and extent of procedures to achieve
the audit objectives involves the following types of procedures:
Risk assessment procedures. These are performed to obtain an understanding of the entity and its environment, including its internal control,
to assess the risks of material misstatement at the financial statement and
relevant assertion levels. Risk assessment procedures must be performed
in all audits.
Tests of controls (when relevant or necessary). These are performed
to test the operating effectiveness of controls in preventing or detecting
material misstatements at the relevant assertion level. Auditors should
perform tests of controls when the risk assessment includes an expectation
of the operating effectiveness of controls, or when substantive procedures
alone do not provide sufficient appropriate audit evidence.
EXAMPLE
Substantive procedures alone often do not provide sufficient appropriate
evidence for businesses that conduct a large volume of transactions in
electronic form, for which a paper trail is not generated. These transactions
are typically of a similar, repetitive nature and can be effectively controlled
by a single system of internal control. When this is the case, testing the
operating effectiveness of the controls over the transactions is often both
effective and necessary to provide sufficient appropriate evidence.
Substantive procedures. These are performed to detect material misstatements at the relevant assertion level and include tests of details of
classes of transactions, account balances, and disclosures, and substantive
analytical procedures. Regardless of the assessed risk of material misstatement, substantive procedures should be performed in all audits for all
relevant assertions related to each material class of transactions, account
balance, and disclosure.
STUDY QUESTIONS
3. Which of the following statements best describes SAS 106’s requirements related to substantive procedures?
a. Substantive procedures should be performed in all audits for all
relevant assertions related to each class of transactions, account
balance, and disclosure, regardless of materiality.
b. Substantive procedures should be performed in all audits for all
relevant assertions related to each material class of transactions,
account balance, and disclosure, regardless of the assessed risk
of material misstatement.
c. Substantive procedures performed on each material class of
transactions, account balance, and disclosure must include tests
of details and substantive analytical procedures.
d. Substantive procedures are performed to detect material misstatements down to the transaction class, account balance and
disclosure level.
Types of Audit Procedures
The auditor should use one or more types of the audit procedures described
below when performing risk assessment procedures, tests of controls, or
substantive procedures:
Inspection of records and documents.
Inspection of tangible assets.
Observation.
Inquiry.
Confirmation.
Recalculation.
Reperformance.
Analytical procedures.
Additional Considerations for Audit Evidence and Procedures
SAS 106 advances a newly-explicit requirement dealing with the long-established practice of “rolling forward” audit evidence from one period to
the next. Auditors are now required to perform procedures to establish the
continuing relevance of such evidence when it is used in the current audit.
This is a significant departure from previous practice.
SAS 106 makes the point that accounting records do not, by themselves,
provide sufficient appropriate evidence on which to base an opinion. This is
because they are internally prepared, and provide no external corroboration.
For this reason, it requires auditors to obtain other audit evidence, from
sources outside the accounting records.
Another set of requirements calls for the use of professional judgment and professional skepticism in evaluating the quantity and quality of
audit evidence. These speak to the need to critically evaluate audit evidence
for both sufficiency and appropriateness.
A set of requirements deals with client-prepared information. These
requirements essentially codify and expand the existing practice of “footing
the PBCs”. They state that auditors should obtain audit evidence about the
accuracy and completeness of client-prepared information when using that
information to perform further audit procedures and, especially where electronic documentation is involved, should consider its reliability, including
the controls over its preparation and maintenance. There is also a specific
requirement that auditors should consider the accuracy of price information and the completeness and accuracy of sales volume data when applying
standard prices to records of sales volume to audit revenue.
Yet another set of requirements deals with audit responses to inconsistencies in audit evidence. Auditors should determine what additional audit
procedures are necessary to resolve inconsistencies in audit evidence obtained
from different sources. Especially when inconsistencies involve evidence
obtained through inquiry, additional audit procedures should be performed
to resolve the inconsistencies.
STUDY QUESTIONS
4. Which of the following audit procedures would be most likely to provide
persuasive evidence in support of the existence assertion related to
inventory?
a. Inquiries of management.
b. Inspection of tangible assets.
c. Analytical procedures.
d. Recalculation of inventory pricing.
5. Substantive analytical procedures are required on all audits. True
or False?
CONSIDERING AUDIT RISK AND MATERIALITY
SAS 107, Audit Risk and Materiality in Conducting an Audit, requires that
audit risk and materiality be considered both at the financial statement level,
and in more detailed fashion at the individual account balance, transaction
class, or disclosure level.
Considerations at the Financial Statement Level
SAS 107 requires auditors to consider audit risk and to determine a materiality level for the financial statements taken as a whole. This assists them in:
Determining the extent and nature of risk assessment procedures.
Identifying and assessing the risks of material misstatement.
Determining the nature, timing and extent of further audit procedures.
Evaluating whether the financial statements are fairly presented.
Considering audit risk is a matter of professional judgment. It can be assessed
in quantitative or nonquantitative terms. At the financial statement level,
this consideration includes general planning decisions such as staffing, extent
of review, and degree of professional skepticism. The auditor is required to
perform the audit to reduce audit risk to a low level that is appropriate for
expressing an opinion on the entity’s financial statements.
At this level, the auditor is concerned with risks of material misstatement that cut across many relevant assertions, and relate pervasively to
the statements as a whole. These risks often attach to the overall control
environment, and may not be linked to a particular relevant assertion at the
account balance, transaction class, or disclosure level. Identifying these risks
is particularly important in terms of assessing the risk of fraud as a result of
management override of controls.
OBSERVATION
Almost every audit has at least one significant risk. Most have only a few, one
of which may stand out as the most significant. A mental exercise to help
identify that risk is called “the one hour audit.” In this exercise, there are as
many hours available as are reasonably necessary to plan the audit, including performing necessary risk assessment procedures and developing an
understanding of controls, and to draft and review the financial statements
and do other necessary “wrap-up” work. But the substantive test work in
the field is limited to only a very short time; say an hour for a small audit,
or a day for a large audit. Consider what the first thing to be tested would
be. Then, if there is time left over, or if another hour was allotted, consider
what would be tested next. This will usually identify the one or two most
significant risks in the audit. This exercise works well in the brainstorming
session that is required as a part of all audit planning. Give every participant
a slip of paper, and ask them to write down how they would spend their
hour. Collect all the responses and read them aloud, anonymously. Let the
discussion begin.
Considerations at the Account Balance, Transaction Class, or
Disclosure Level
SAS 107 requires the auditor to consider audit risk at the individual account
balance, class of transactions, or disclosure level. At this level, the auditor’s
objectives are to:
Determine the nature, timing, and extent of further audit procedures.
Reduce audit risk at the individual balance, class, or disclosure level so
that the auditor can express an opinion on the statements as a whole at
an appropriately low level of audit risk.
In determining the nature, timing, and extent of audit procedures to be
applied to a specific account balance, class of transactions, or disclosure,
the auditor should design audit procedures to obtain reasonable assurance
of detecting misstatements that could be material, when aggregated with
misstatements in other balances, classes, or disclosures, to the financial statements taken as a whole. Regardless of the audit approach or methodology,
SAS 107 requires the auditor to assess the risk of material misstatement at
the relevant assertion level as a basis for further audit procedures.
OBSERVATION
The requirement to assess the risk of material misstatement at the relevant
assertion level as a basis for further audit procedures effectively eliminates
the auditor’s ability to default to “maximum control risk” without having
a basis for that assessment. This is a significant departure from existing
practice. This does not mean that controls must always be tested. It does,
however, mean that the auditor must have an understanding of controls
sufficient to support an assessment of maximum control risk. The intended
result of this shift in audit thinking is that audit effort will be more effectively
concentrated in areas of highest risk; in other words, that audit procedures
will be more closely correlated to assessed risks.
STUDY QUESTIONS
6. The requirement of SAS 107 to assess the risk of material misstatement
at the relevant assertion level as a basis for further audit procedures:
a. Effectively eliminates the auditor’s ability to default to “maximum
control risk” without having a basis for that assessment.
b. Intends that audit procedures be performed in all areas without
regard to assessed risks.
c. Means that the auditor need not develop an understanding
of controls sufficient to support an assessment of maximum
control risk.
d. Requires that controls always be tested.
Determining and Using Materiality
Some matters are more important for the fair presentation of financial
statements than others. Auditors are concerned with matters that either by
themselves or combined with others, could be important, or material, to the
financial statements. Auditors are responsible for planning and performing
the audit to obtain reasonable, but not absolute, assurance that material
misstatements, whether they are caused by error or by fraud, are detected.
SAS 107 discusses materiality at three levels:
The financial statements as a whole.
Tolerable misstatement at the account balance, transaction class, or
disclosure level.
Other particular items that are less than the materiality amount for the
financial statements as a whole.
Once materiality is established, it should be considered the same way—
although not necessarily in the same amounts—in planning and evaluating,
regardless of the client’s inherent business characteristics.
EXAMPLE
User expectations may differ depending on the degree of inherent uncertainty associated with particular financial statement items. The Standard cites
as examples the provision for insurance claims in an insurance company,
or for legal claims in the course of any entity’s business. The fact that these
statement items are based on estimates that may contain a high degree
of uncertainty may influence users’ assessments of materiality. This does
not, however, cause the auditor to use different procedures for planning,
or for evaluating misstatements in these areas.
Considering the needs of users. Financial statement users are a diverse
group that may include management, owners, employees, and creditors,
among many others. Auditors consider the needs and perceptions of intended
users of the financial statements in making judgments about materiality.
SAS 107 makes two important comments about financial statement users.
The first is that auditors consider the needs of users as a group, rather than
individually, when considering the possible effects of a misstatement. Because
the needs of individual users may vary greatly, it is not feasible for the auditor
to consider, or to try to anticipate, the individual needs of every user.
The second is that financial statement users need to take responsibility
for intelligent use of the financial statements. Users are assumed to:
Have appropriate knowledge of business and economic activities and
accounting.
Be willing to study the information in the statements with appropriate
diligence.
Understand that financial statements are prepared and audited to levels
of materiality.
Recognize that there are uncertainties inherent in the accounting estimates and judgments, and in future events.
Make appropriate economic decisions based on the financial statements.
OBSERVATION
One of the major philosophical thrusts of the new Risk Assessment Standards as a whole is to differentiate the auditor’s responsibilities from those
of management and other financial statement users. This is part of a campaign to educate the public as to who is responsible for what in the process.
Stories abound in which an auditor is sued by a financial statement user
who failed to read or understand the statements, and made a decision that
they would not have made if they had actually read the statements, or for
something that the auditor could not reasonably have foreseen as a need.
This Standard puts forth clear language that aims to head off such claims
by making users responsible for exerting reasonable effort to understand
the statements and making reasonable judgments.
STUDY QUESTIONS
7. SAS 107 makes all of the following assumptions relating to financial
statement users except:
a. Financial statement users are willing to study the statements with
appropriate diligence.
b. Financial statement users have appropriate knowledge of business and economic activities and accounting.
c. The individual needs of all financial statement users have been
considered by the auditor.
d. Financial statement users recognize that there are uncertainties
inherent in the accounting estimates and judgments used in preparing the financial statements.
Known and likely misstatements. SAS 107 defines two types of misstatements: known and likely. The concept of known misstatements is unchanged
from previous literature. They are simply the “hard differences” identified
in the audit process. The concept of likely misstatements is not new, but
it has taken on more importance. Likely misstatements are those that are
identified either by projecting the results of a sampling application to an
entire population, or by quantifying a difference between a recorded estimate
and the auditor’s best judgment. These are often referred to in practice as
“soft differences.” Under the new Standard, likely misstatements need to be
considered and evaluated, aggregated, and when not corrected by the client,
carried forward to the summary of uncorrected misstatements.
EXAMPLE
The most common example of determining likely misstatements is in audit
sampling. If the auditor sampled 20% of the accounts receivable balance
and found total misstatements of $2,000 (the known misstatements), the
auditor could project this misstatement to the account balance as $10,000
(the likely misstatements)—$2,000 divided by 20%. The likely misstatements
of $10,000 include the known misstatements of $2,000 because the known
misstatements are projected to the total accounts receivable balance.
However, if the client corrects the known misstatements of $2,000, then
the likely misstatements would be only $8,000 ($10,000 - $2,000).
Another example of determining likely misstatements is in accounting estimates. When the client records depreciation expense at $25,000, but the
auditor determines that a more reasonable range for this estimate should be
$28,000 to $30,000, the likely misstatement is $3,000 ($28,000 – $25,000)
which is the difference between the recorded amount and the closest
amount in the reasonable range calculated by the auditor.
OBSERVATION
SAS 107 places more responsibility on auditors to critically evaluate “soft
differences.” In the past, these misstatements were often given slight
consideration, and dismissed as acceptable differences in judgment, or
in the case of sampling differences as abstract statistics that the auditor
“can’t really prove.” Implicit in this philosophical shift is a perception that
auditors, in the past, might have allowed significant misstatements to
pass without comment, simply for lack of giving them full consideration.
SAS 107 aims to plug this gap by requiring that “likely misstatements” be
considered both individually and in the aggregate, and qualitatively as well
as quantitatively.
Causes of misstatements. Misstatements may consist of:
Inaccuracies in gathering or processing the data from which the statements are prepared.
Differences between recorded amounts, classifications, or presentations
and those that should be reported under GAAP.
Omissions of financial statement elements, accounts or items, or disclosures.
Disclosures that are not prepared in conformity with GAAP.
Incorrect accounting estimates arising from oversight or misinterpretation of facts.
Judgments by management in the selection or application of accounting
policies, or in accounting estimates that the auditor may consider inappropriate or unreasonable.
Misstatements arise either unintentionally, that is, by error, or intentionally
by fraud. Misstatements caused by fraud come in two categories: fraudulent
financial reporting and misappropriation of assets.
Qualitative Aspects of Materiality
SAS 107 discusses both quantitative and qualitative aspects of materiality.
Some misstatements are more important than others, regardless of their
amount. One of the most important qualitative aspects to be considered is
the possibility of fraud. When an auditor uncovers evidence that suggests
fraud, the implications for the integrity of management or employees and
effects on other aspects of the audit should be considered regardless of the
quantitative materiality of the misstatement. This often implies that further
audit procedures will need to be performed. Other qualitative aspects of
misstatements that can make them material even though they do not meet
the quantitative threshold are those that cause a change in a key measure
within the financial statements, such as a small misstatement that changes
net income to a net loss, or that changes a key ratio such that the client is
in violation of a loan covenant. While auditors have no responsibility to
design or perform audits to detect immaterial misstatements, they do have
a responsibility to evaluate detected misstatements for qualitative as well as
quantitative aspects.
Qualitative aspects of materiality cannot be evaluated until a misstatement
is detected. This is because of the wide range of possible qualitative implications for any misstatement, depending not only upon the misstatement
itself, but upon circumstances and user perceptions. For this reason, while
auditors always consider the qualitative aspects of detected misstatements,
it is not usually feasible to design procedures specifically to detect misstatements that are qualitatively material.
Methods of Determining Materiality
SAS 107 avoids prescribing any particular formula or method for determining materiality. It discusses the quantitative determination as a process that
usually involves applying a percentage to a chosen benchmark within the
financial statements. It offers as examples of benchmarks:
Total revenues.
Gross profit.
Pre-tax profit from continuing operations.
Net assets.
Selection of an appropriate benchmark or percentage involves a great degree
of professional judgment, taking into account such factors as:
The elements of the particular financial statements, and the financial
statement measures defined in GAAP.
Particular financial statement items that may be the focus of users’
interest.
The client’s industry and environment.
The client’s size, nature of ownership and the way it is financed.
EXAMPLE
In most profit-making businesses, some measure related to revenue is usually an appropriate benchmark for the materiality determination because
users of the financial statements are most concerned with revenue and
profitability. However, an auditor of a company that is running near break-even or at a loss would not usually choose a measure like pre-tax profit
for the materiality benchmark because it would create an artificially low
materiality level. This would cause an inefficient audit because audit tests
would be scoped at a very low dollar amount and therefore would likely take
in many more test items than necessary. A more appropriate benchmark in
this case might be gross revenues or total assets.
In privately-held corporations, it is common practice for owners to draw out
significant amounts of profit in salary. Using pre-tax profit as a materiality
benchmark would, in this case, create the same problems as in a break-even
corporation. In this case, it might be better to add owners’ compensation
back to the pre-tax profit to arrive at a benchmark.
Some businesses are in volatile industries or economic environments, and
may routinely experience marked swings in profitability. Using a benchmark
based on current year’s profits may lead to a materiality level that is either
so low as to create an inefficient audit, or so high that it fails to reduce the
auditor’s detection risk to an acceptably low level, and thus renders the
audit ineffective. In this case, an auditor might decide that a benchmark
based upon an average profit over several years is more representative of
the client’s true activity levels.
Some business entities, such as real estate investment companies or
mutual funds are more concerned with total assets or net assets than with
revenue. An asset-based materiality benchmark may work better for these
businesses.
In non-business entities, such as governments or nonprofit organizations,
generating a profit is not the entity’s objective. Auditors of these types of
entities often choose gross revenues or total assets as a benchmark.
Materiality for the Financial Statements as a Whole
Materiality for the financial statements as a whole is the maximum amount
that the financial statements could be misstated and still fairly present the
overall financial statements. The auditor’s estimate of materiality requires
professional judgment, based on the understanding of the client’s business
and the specific circumstances of the engagement. When establishing the
overall audit strategy, the auditor should determine materiality for the financial statements taken as a whole.
OBSERVATION
The subjectivity that surrounds materiality determination has led some to
draw parallels between it and pornography:
It is impossible to codify a definition or standard that covers all possible
circumstances.
Well-intentioned people may have widely differing opinions of what it is
or is not in any particular circumstance.
Individuals immediately recognize what it is or is not according to their
own standards in any particular circumstance.
As a part of the Risk Assessment Standards’ philosophical thrust, SAS
107 carves out distinctions between the responsibilities of auditors and
financial statement users. One point is that users need to understand that
financial statements are prepared and audited to levels of materiality. This
comparison, however frivolous it may sound, may help de-mystify the
concept of materiality for non-accountants.
Common misconceptions. One prevalent misconception under the old
Standards was that establishing a materiality level in the planning stages of
the audit sets a threshold below which misstatements are always considered
to be immaterial. This was not the case then, and is not the case under
SAS 107. Some identified misstatements may be deemed to be material even
when they are below established thresholds.
Another common misconception is that once an auditor sets materiality
levels in the planning phase, they must be used in evaluating the audit results
at the end of the engagement. This is not true. Because auditing is a process
of discovery, an auditor’s judgment about what is material may well change
in light of unanticipated circumstances between the planning and final stages
of an engagement. If a lower level of materiality than that envisioned in audit
planning is deemed appropriate by the end of the audit, the auditor should
reconsider the related levels of tolerable misstatement and the adequacy of
the nature, timing, and extent of the audit procedures performed.
Tolerable misstatement. Tolerable misstatement (sometimes called tolerable
error) is the maximum monetary misstatement the auditor can accept at the
account balance or class of transactions level without causing the financial
statements to be materially misstated. Tolerable misstatement is the next level
of materiality below the financial-statement-as-a-whole level. The underlying
theory is that misstatements less than the materiality amount determined
at the financial statement level could possibly exist, and could lead in the
aggregate to material misstatement at the financial statement level. For this
reason, auditors set one or more levels of tolerable misstatement, lower than
the materiality level for the statements as a whole. Many auditors calculate
these as percentages of materiality, and may apply different percentages for
significant classes of transactions, account balances, disclosures, or other
components of financial statements. The objective of “fragmenting” the
overall materiality amount is to set the precision levels for the significant
financial statement components low enough so that the risk that the total
of undetected misstatements, detected misstatements, and judgmental differences from all audit areas will exceed materiality is acceptably low.
EXAMPLE
An auditor may set materiality for the financial statements as a whole at
$100,000. Seeing that sales and costs of sales are the largest items in the
statements, and considering them to be at a relatively high risk of misstatement, the auditor might set tolerable misstatement for these transaction
classes at $25,000, based upon professional judgment about the level of
risk and possible nature of misstatements. Tolerable misstatement for other
significant financial statement areas might be set at different levels.
Materiality for other lesser amounts. Auditors should also consider whether
misstatements of particular items of lesser amounts than the materiality
level determined for the financial statements as a whole could reasonably be
expected to influence users’ decisions about the financial statements. These
amounts represent lower materiality levels to be considered in relation to
those particular items. The views of management or those charged with
governance may be taken into account in making this determination. Other
factors to consider include:
Accounting standards, laws and regulations, and the effect they might
have on users’ expectations about the measurement or disclosure of particular items. SAS 107 cites related party transactions and management
compensation as examples.
Key industry-related disclosures, such as research and development costs
for a pharmaceutical company.
Whether the financial performance of a particular segment of the business, such as a subsidiary or division that is separately disclosed, is of
special concern to users.
STUDY QUESTIONS
8. Which of the following benchmarks would likely be the most appropriate
to use in determining materiality for a consistently profitable, closely-held corporation in which the owners draw out substantial amounts of
compensation?
a. Pre-tax income before owners’ compensation.
b. Pre-tax income.
c. Average net income over the past three years.
d. Retained earnings.
Communicating Misstatements to Management
SAS 107 places increased emphasis on auditor-client communication about
misstatements.
Auditors have an unconditional requirement to communicate all known
and likely misstatements to the appropriate level of management, other
than those that are trivial. This requirement adds emphasis to the concept
of communicating likely as well as known misstatements.
This Standard also imposes a host of presumptively mandatory requirements which, when taken together, signify the importance that the Auditing
Standards Board places on auditor-client communication. Among those are
requirements that:
This communication should distinguish between known and likely
misstatements.
Auditors should request that management correct all known misstatements, including the effects of prior period misstatements.
Auditors should request that management examine a class of transactions,
balance, or disclosure to identify misstatement when the audit identifies
material likely misstatements from a sample.
The auditor should request that management reevaluate the assumptions
and methods used in developing an accounting estimate when the audit
identifies a likely misstatement involving estimates.
Once management has examined transaction classes, balances, or disclosures, the auditor should reevaluate the amount of likely misstatement
and, if necessary, perform further audit procedures.
The auditor should obtain an understanding of management’s reasons
for not correcting known and likely misstatements, and should take
that understanding into account when considering the qualitative
aspects of the client’s accounting practices and the implications for
his or her report.
OBSERVATION
SAS 107 places emphasis on more comprehensive and in-depth communication between the auditor and management on the subject of misstatements. Part of the reason for this is to educate or inform clients more
thoroughly, so that they can take responsibility for the misstatements, and
for correcting them. Note, for example, that the Standard requires the auditor to request management to examine and reevaluate, rather than simply
to calculate an audit adjustment and give it to the client. Clearly, under
the new standard, it would not be acceptable, except perhaps in audits of
very small entities with very few adjustments, to do nothing more about
misstatements than to hand the client a sheet of adjusting entries at the
end of the audit. Such a practice fosters the notion that it is the auditor, and not the
client, who “owns” the adjustments, which is contrary to the philosophical
direction that the Risk Assessment Standards as a whole are taking.
STUDY QUESTIONS
9. SAS 107 requires auditors to communicate only “hard differences” or
known misstatements to management. True or False?
Evaluating Audit Findings
Audit findings are evaluated at the level of individual findings, adjustments,
and differences, which generally takes place at the “workpaper” level, and at
the level of the financial statements taken as a whole.
Evaluating audit findings, adjustments, and differences. Evaluating the
findings of the audit procedures and documenting conclusions are important
aspects of the audit process. A major step in this process is summarizing the
misstatements and judgmental differences uncovered in the audit. Misstatements should be summarized in a way that enables the auditor to consider
their effects on individual amounts, subtotals, or totals in the statements, in
order to help the auditor consider whether their effects, either individually
or in the aggregate, materially misstate the financial statements. This is a
two-step process. Before considering the misstatements in the aggregate, the
auditor considers them individually to evaluate:
Their effect on individual balances, transaction classes, or disclosures.
Whether it is appropriate to offset misstatements.
The effects of prior period uncorrected misstatements.
OBSERVATION
Considering the effects of prior period misstatements is important because
they can affect current period income or can accumulate on the balance
sheet over time. There are three acceptable methods of doing this:
Considering the effect of all current and prior period misstatements that
flow through the current period’s income statement.
Considering the cumulative effect on the ending balance sheet.
Applying both approaches and recording adjustments if either indicates
the need to do so.
During evaluation, the auditor’s judgment about whether misstatements are
material may be influenced by two factors.
Types of misstatements. Misstatements can result from errors or fraud
and may consist of differences in amounts, classifications or presentation,
omissions, improper estimates or accounting policies, or inaccurate data.
Auditors should consider not only the nature and amounts of the misstatements corrected by management but also the uncorrected misstatements and
misstatements in accounting estimates. SAS 107 cautions auditors to be alert
for patterns in the types of misstatements discovered and the circumstances
of their occurrence, and to consider whether other material misstatements
might exist. Material misstatements do not usually occur in a vacuum, and
auditors should avoid drawing facile conclusions that detected misstatements
are isolated occurrences.
Qualitative characteristics. The auditor should not rely exclusively on
quantitative benchmarks to determine whether an item is material. A numerical threshold may provide the basis for a preliminary assumption that
an amount is unlikely to be material; however, it is not a substitute for a
full analysis. Certain misstatements may have significance even though the
dollar amount may not be as large as the auditor typically would assume to
be material. Therefore, the nature of the misstatement will help the auditor
determine the potential for additional misstatements of a similar type and
the need for changes in audit procedures. Some of these qualitative factors
may include errors versus fraud, considerations of contractual obligations,
and effects on earnings trends. An illegal payment of an otherwise immaterial amount may take on significance if there is a reasonable possibility that
it could lead to a material contingent liability or loss of revenue. It also may
have implications for management’s integrity.
The sheer volume of qualitative considerations that SAS 107 lists is a
clear indication that they are important in evaluating audit findings. Among
those factors are:
The potential effect of a misstatement on trends such as profitability.
A misstatement that changes a net income to a net loss or vice versa.
The potential effect of the misstatement on contractual compliance.
Regulatory or statutory reporting requirements that affect materiality
thresholds.
A misstatement that masks a change in important trends.
A misstatement that affects management’s compensation.
Misstatements involving sensitive circumstances such as fraud or conflicts
of interest.
The significance of the financial statement element that is misstated.
The effects of misclassifications, such as between operating and nonoperating income, or current and non-current assets or liabilities.
The significance of the misstatement to a reasonable user.
Management’s motivations with respect to misstatements.
The existence of material, but different, offsetting misstatements.
The likelihood of a currently immaterial misstatement becoming material
over time through cumulative effects.
The cost-benefit considerations in making the correction.
The risk that further undetected misstatements exist that might influence
the auditor’s evaluation.
As the audit progresses, auditors may need to reconsider the levels of materiality established to set the overall scope of the audit. This may be particularly
important when significant misstatements are discovered.
Evaluating the financial statements as a whole. SAS 107 requires auditors
to evaluate whether the financial statements as a whole are free of material
misstatement. This involves both quantitative and qualitative considerations
and requires the use of professional judgment.
As the aggregate effect of uncorrected misstatements approaches materiality, auditors should consider whether further undetected misstatements
exist. If this risk is unacceptably high, they should perform additional
procedures to support the audit opinion or should satisfy themselves that
the entity has adjusted the financial statements to reduce audit risk to an
appropriately low level.
If auditors believe that the financial statements taken as a whole are
materially misstated, they should request that management make the necessary corrections. If management refuses to make the corrections, they must
determine the implications for their report.
STUDY QUESTIONS
10. Which of the following statements best applies, under SAS 107, to the
auditor’s consideration of the qualitative characteristics of misstatements?
a. Auditors may rely solely on quantitative benchmarks to assess
whether an item is material.
b. The likelihood of a currently immaterial misstatement becoming
material to future periods through cumulative effects should not be
considered.
c. Certain misstatements may have significance even though they do
not exceed quantitative thresholds for materiality.
d. A misclassification between current and non-current assets is not
a qualitatively significant misstatement.
PLANNING AND SUPERVISION
SAS 108, Planning and Supervision, places significant importance on audit
planning. Audit planning entails developing an overall audit strategy for
the engagement. Audit strategies will vary according to the client’s size and
complexity, and the auditor’s experience and understanding of the client
and its environment, including its internal control. The auditor with final
responsibility for the audit (hereinafter referred to as the “audit partner”)
may delegate portions of the planning process to other firm personnel.
Planning is an ongoing process throughout the engagement. Because
auditing is a process of discovery, it is not always possible to anticipate a
full range of appropriate audit procedures. Therefore, the audit strategy
and the more detailed audit plan should change to respond to changed
circumstances in the audit.
Establishing an Understanding with the Client
SAS 108 requires the auditor to establish a written understanding with the
client regarding the services to be performed. It lists four required elements
for an engagement letter and numerous others that are either “generally
included” or that “may also be included.”
Required elements. The four presumptively mandatory elements of an
audit engagement letter are:
The objectives of the engagement.
Management’s responsibilities.
The auditor’s responsibilities.
Limitations of the engagement.
Generally included elements. The following elements are not required
content, but they may reduce the risk that either the client or the auditor
might misinterpret the other’s needs or expectations in the audit. Consistent
with one of the Risk Assessment Standards’ general philosophical objectives,
they also help to define a brighter line between client responsibility and
auditor responsibility.
Management is responsible for:
The financial statements and the selection and application of accounting policies.
Establishing and maintaining effective internal control over financial
reporting.
Designing and implementing programs and controls to prevent and
detect fraud.
Identifying and assuring compliance with applicable laws and regulations.
Making all financial records and related information available to the auditor.
Providing a written representation letter at the end of the audit.
Adjusting the financial statements to correct material misstatements.
Affirming in the representation letter that uncorrected misstatements
are immaterial.
The auditor is responsible for:
Expressing an opinion on the financial statements.
Conducting the audit in accordance with generally accepted auditing
standards (GAAS), including the facts that:
Those standards require that the auditor obtain reasonable but not
absolute assurance about whether the statements are free of material
misstatement.
Material misstatements may remain undetected.
The audit is not designed to detect immaterial errors or fraud, or to
detect significant deficiencies in internal control or to provide assurance on internal control.
The auditor may decline to express an opinion or issue a report if, for
any reason, the audit cannot be concluded or an opinion formed.
Obtaining an understanding of the client and its environment sufficient
to assess the risk of material misstatement and plan the audit.
Communicating significant deficiencies in internal control to those
charged with governance.
Preliminary Engagement Activities
At the beginning of the audit engagement, the auditor should perform procedures relating to the continuance of the client relationship and the specific
audit engagement, and should evaluate the auditing firm’s compliance with
ethical requirements. These procedures include consideration of:
Independence.
Management integrity.
Whether an understanding about the terms of the engagement has been
reached.
Ordinarily these initial procedures should be performed before other significant audit activities. As conditions and circumstances change during
the course of the audit, the auditor should continue to consider the client
continuance and ethical requirements.
Overall Audit Strategy and the Audit Plan
The overall audit strategy is the broad approach regarding how the audit will
be conducted. The audit plan is a more detailed map that describes the nature,
timing, and extent of audit procedures to be performed. Establishing the overall audit
strategy and developing the audit plan are not necessarily separate activities.
Changes in one may result in changes to the other.
OBSERVATION
Overall audit strategy and audit plan are new terms in professional literature.
Previous standards referred to them as the audit approach and the audit
program. Their meaning is unchanged.
Overall audit strategy. Developing an audit strategy helps the auditor
determine audit staffing, including the timing and management of audit
activities. In connection with establishing the overall audit strategy for the
audit, SAS 108 requires the auditor to address:
Characteristics of the engagement, including the basis of reporting,
industry specific requirements, and client locations.
Reporting objectives of the engagement, including deadlines, and dates
for expected communications.
Significant factors affecting the audit team’s efforts, including:
Materiality levels.
Audit areas with higher risks of material misstatement.
Material locations.
Material account balances.
Evaluation of the planned extent of internal control tests, if any.
Recent significant entity-specific, industry, financial reporting, or
other relevant developments.
Results of preliminary engagement activities, such as issues with management integrity or ethical and independence requirements.
Changes in circumstances that could require significant revisions to the
overall audit strategy.
OBSERVATION
SAS 108 notes that small audits do not require a complex strategizing
exercise or document, and states that a brief narrative memorandum
is sufficient.
Audit plan. After establishing an audit strategy, the auditor is ready to
develop a more detailed audit plan to address the matters identified in the
audit strategy and to achieve audit objectives. This audit plan is what used
to be called the “audit program.” SAS 108 requires the audit plan to include
descriptions of:
The nature, timing, and extent of planned risk assessment procedures
sufficient to assess the risks of material misstatement.
The nature, timing, and extent of planned further audit procedures at
the relevant assertion level for each material class of transactions, account balance, and disclosure. The auditor should provide a clear linkage
between the understanding of the entity, the risk assessments, and the
design of further audit procedures.
Other audit procedures to be performed to comply with GAAS, such as
direct communication with the company’s attorney.
The auditor should update and document any significant revisions to the
original audit plan to respond to changes in circumstances.
STUDY QUESTIONS
11. Which of the following statements best applies to SAS 108’s requirements for the audit plan?
a. The original audit plan must not be altered or revised once it has
been established.
b. The audit plan should include a description of the nature, timing,
and extent of planned risk assessment procedures.
c. The audit plan should not discuss linkage between the understanding of the entity, the risk assessments, and the design of
further audit procedures.
d. The audit plan should include a description of the nature, timing,
and extent of planned further audit procedures to be applied only
at the level of the financial statements taken as a whole.
Discussions with Management and Those Charged with Governance
SAS 108 encourages auditors to discuss elements of audit planning with the
client’s management and with those charged with governance. These discussions generally include the overall audit strategy, timeline for performing the
audit and issuing the audit report, coordination of certain procedures (e.g.,
inventory observation) with the client’s personnel, and preparation of audit
schedules by the client. While this communication facilitates the conduct
of the audit, SAS 108 cautions auditors not to divulge sensitive detailed
audit procedures that might jeopardize audit effectiveness by making audit
procedures too predictable.
Additional Procedures for Initial Audits
Because the auditor generally lacks any previous experience with the client,
management, and those charged with governance, new audits require additional procedures. Among these are requirements for the auditor to:
Perform procedures regarding the acceptance of the client and the engagement.
Establish controls for deciding whether to accept a client relationship
and perform a specific engagement, in order to:
Minimize the likelihood of association with a client whose management lacks integrity.
Provide reasonable assurance that the firm undertakes only those
engagements that can be completed with professional competence.
Assure that the auditor considers the risks associated with providing
professional services in the particular circumstances.
Communicate with the previous auditor, where applicable.
In developing the overall audit strategy and audit plan for an initial audit,
the auditor should consider additional matters including:
Arrangements to be made with the predecessor auditor.
Any major issues discussed with management or those charged with
governance involving the initial selection as auditors and how these issues
affect the overall audit strategy and audit plan.
The planned procedures to obtain audit evidence regarding opening
balances.
The assignment of personnel possessing the appropriate characteristics
and qualifications to enable them to perform competently and to successfully execute the engagement.
Other procedures required by the firm’s quality control system for initial
audit engagements.
Supervision
Assigning the appropriate staff to the engagement and directing the efforts
of assistants are important to meet GAAS and to promote audit efficiency.
Supervision also involves reviewing the audit effort and related audit
judgments made by assistants to determine whether they are appropriate.
SAS 108 indicates that elements of supervision include:
Instructing assistants.
Staying abreast of significant issues encountered during the audit.
Reviewing the work performed by assistants to determine that it is
adequate and that the results are consistent with the conclusions to be
presented in the auditor’s report.
Dealing with differences of opinion among firm personnel.
The timing and nature of supervision provided to assistants will vary greatly
depending upon the assistants’ experience and training, and the characteristics of the engagement.
Discussions and communications with assistants. SAS 108 requires certain
communications with assistants in every audit. The engagement partner
should communicate to members of the audit team:
The susceptibility of the financial statements to material misstatement
due to error or fraud.
The need to maintain a questioning mind and to exercise professional
skepticism.
The need to bring to the attention of the engagement partner significant
accounting and auditing issues raised during the audit.
The need to bring to the attention of appropriate individuals in the firm
difficulties encountered in performing the audit.
Their responsibilities and the objectives of audit procedures to be performed.
Matters that may affect the nature, timing, and extent of audit procedures
to be performed.
OBSERVATION
Reviews of audit documentation and financial statements are indispensable supervisory procedures. It is difficult, however, to supervise effectively
without the engagement partner’s involvement in all phases of the audit. This
involvement keeps the audit team focused on the big picture and significant
audit issues, helps avoid inefficient or ineffective auditing procedures, and
compensates for overauditing or underauditing tendencies on the part of
the assistants.
Reviewing the work of assistants. SAS 108 requires the work of each assistant, including the audit documentation, to be reviewed to determine whether
it was adequately performed and documented and to evaluate the results
relative to the conclusions that will be presented in the auditor’s report.
SAS 108 provides only general guidance on this subject. Therefore, practices for reviewing engagements will vary depending on the size of the firm
and the complexity of the engagement. The review of work performed by
assistants is ordinarily conducted by the engagement partner. However, SAS
108 indicates that parts of the review may be delegated to other assistants.
The primary objectives of the review are to determine whether:
The audit has been appropriately planned.
The scope of the audit is sufficient to support the auditor’s opinion on
the financial statements.
The audit has been conducted in accordance with firm and professional
standards.
Technical differences of opinion are addressed and documented in accordance with professional standards.
The accounting and auditing issues have been evaluated properly and
the financial statements meet accepted standards of presentation and
disclosure.
The firm’s audit report is appropriate.
OBSERVATION
Supervisory auditors often ask whether they need to initial every workpaper
in the file as evidence of their review. Neither SAS 108 nor SAS 103 makes
this specific requirement. However, the documentation should specify
which workpapers were reviewed and by whom. There are many methods
of doing this. The documentation might take the form of a narrative memorandum, or a sign-off on the workpaper index, indicating which sections
were reviewed by whom.
STUDY QUESTIONS
12. Which of the following matters should the engagement partner communicate to audit assistants under the requirements of SAS 108?
a. The assistant’s responsibility to bring to management’s attention accounting issues raised during the audit that the assistant
believes are significant to the financial statements.
b. The need to bring to the engagement partner’s attention client-imposed restrictions on access to information necessary to perform
the audit.
c. The need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating audit evidence
throughout the audit.
d. The time budget for performing assigned audit procedures.
Differences of opinion. Differences of professional opinion may occur
during an audit. Each assistant has a professional responsibility to voice
concerns about, and bring to the attention of appropriate individuals in the
firm, any disagreements or concerns with respect to significant accounting
and auditing issues.
Both the engagement partner and assistants should be aware of the procedures to be followed when such differences of opinion exist. Procedures
should allow assistants to document their positions if they disagree with the
way a particular accounting or auditing issue was resolved. When differences
of opinion remain and an assistant decides to disassociate from the resolution,
SAS 108 requires that the basis for the final resolution be documented.
Once this is done, an assistant who disagrees with the resolution of a particular accounting or auditing issue has met the requirements of professional
standards and, therefore, has no further responsibility for related decisions
made by supervisory personnel. The ability to dissociate is a key protection
that professional standards provide for professionals who have unresolved
differences of opinion.
OBSERVATION
In the wake of the well-publicized audit failures of the last decade, methods
of handling differences of professional opinion within an audit team have
come to the forefront as a serious concern from a personnel management
as well as an engagement performance standpoint. In the past, some
audit firms maintained an informal culture, often at odds with the formal
statements in their quality control policies and procedures, that actively
discouraged divergent opinions within an audit team, and even informally
sanctioned dissenters. It is now more important than ever that firms maintain
a positive “tone at the top,” which holds as honorable the expression of
differences of professional opinion, and which protects those who express
such differences from reprisal. Many firms, particularly larger ones, have
gone so far as to establish special communication channels outside their
normal “chains of command,” similar to some of the federal whistleblower
hotlines, to enable audit assistants who believe that their differences of
opinion have not been satisfactorily resolved to communicate their concerns
directly to senior firm management.
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND
ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks
of Material Misstatement, positions obtaining an understanding of the entity
and its environment, including its internal control, as an essential part of
the auditor’s risk assessment process.
The Role of Risk Assessment Procedures
Auditors should assess risk by making inquiries of management and other
client personnel, by performing analytical procedures, and by observation
and inspection. It is not necessary to perform each of these procedures for
every aspect of the risk assessment. However, all of the procedures should be
performed during the process of obtaining the required understanding.
Inquiries of management and others. Inquiries of management and
persons responsible for financial reporting can yield much of the information necessary for the audit. It is important not to limit these inquiries to
financial management personnel. Deciding who to ask, and the exact nature
and extent of the inquiries is a matter of professional judgment. Auditors
should consider what information would aid in identifying risks of material
misstatement. Inquiries might also be directed to:
Persons charged with governance.
Internal auditors.
Employees involved in initiating, recording, or processing unusual or
complex transactions.
In-house legal counsel.
Operating personnel who are not directly involved in financial reporting.
Persons outside of the entity such as legal counsel or valuation experts.
Analytical Procedures. Analytical procedures are useful in considering the
risk of material misstatement because they highlight unexpected or unusual
relationships, transactions, balances and events within the financial statements. When using analytical procedures in connection with risk assessment,
auditors should:
Develop expectations about relationships that might plausibly exist.
Compare the results of the analytical procedures to those expectations.
Consider unusual or unexpected relationships in identifying risks of
material misstatement.
Analytical procedures performed at a high level of aggregation, such as those
usually applied in the planning and final review stages of an audit, often give
only broad indications of whether material misstatements exist. Analytical
procedures at a more microscopic level, such as a gross profit test by location
or by product line, or by shorter periods such as a month, may have a greater
chance of detecting a misstatement. Auditors should, therefore, consider
the results of analytical procedures in connection with other information
obtained in identifying the risks of material misstatement.
Observation and inspection. Observation and inspection provides information about the client and its environment, and may also corroborate
information gained through inquiries. Normally, it involves:
Observing the client’s activities and operations.
Inspecting documents.
Reading reports prepared by management, internal auditors, or persons
charged with governance.
Visiting the client’s facilities.
Tracing transactions through the information system.
When using information from prior periods, such as internal control evaluations, the auditor should make inquiries and perform audit procedures such
as walk-throughs to ascertain whether that information has changed.
Fraud risk. Auditors should consider the fraud risk assessment in connection
with other information gathered, and whether it calls for an overall response,
a response that targets particular account balances, transaction classes, or
disclosures at the relevant assertion level, or both.
Discussion Among the Audit Team
The engagement team should discuss the susceptibility of the financial statements to material misstatement. This discussion normally occurs during
planning, and should be documented. The discussion should include the
engagement partner and the key members of the audit team. This discussion is intended to:
Help the audit team gain a better understanding of the potential for
material misstatement due to fraud or error.
Help audit team members understand how the results of the audit procedures they perform may impact other audit areas.
Give more experienced team members an opportunity to share their
knowledge about the entity.
Enable team members to exchange information about the client’s business risk and the susceptibility of the financial statements to material
misstatement.
The exact content of the discussion; its participants and location or locations;
and how and when it should take place are matters of professional judgment
for the audit partner. It is not necessary for every member of the audit team
to have a comprehensive knowledge of all facets of the audit. Critical issues
should be covered, such as:
Areas of significant audit risk.
Areas susceptible to management override of controls.
Unusual accounting procedures used.
Significant control systems.
Materiality at the financial statement and account levels.
The effect of materiality on the scope of testing.
The entity’s application of generally accepted accounting principles.
The risk of material misstatement due to fraud.
Fraud risk factors.
Audit responses to assessed fraud risks.
The need to perform the audit with an attitude of professional skepticism,
to be alert for and follow up on indications of material misstatements,
and to exercise professional judgment.
Normally, it is efficient for this discussion to occur concurrently with the
discussion about fraud risk required under SAS 99. If the audit involves
multiple locations, multiple discussions may take place.
OBSERVATION
SAS 109 acknowledges that some audits may be performed by one auditor.
In this case, the auditor should document the consideration of the foregoing matters, and should consider whether other persons with specialized
skills need to be involved.
STUDY QUESTIONS
13. Which of the following statements best applies to SAS 109’s requirement that a discussion among the audit team take place in planning
the audit?
a. This discussion must occur concurrently with the discussion about
fraud risk required under SAS 99.
b. If the audit involves multiple locations, multiple discussions should
take place.
c. Every member of the audit team should have a comprehensive
knowledge of all facets of the audit.
d. This discussion should emphasize to members of the audit team
the need to be alert for and follow up on indications of material
misstatements.
Understanding the Entity and Its Environment
External factors. Auditors should gain an understanding of the pertinent
industry, regulatory and other factors, such as:
The competitive environment.
Customer and supplier relationships.
General economic conditions.
The political and legal environment.
The regulatory environment.
Technological developments.
A client’s industry may be subject to particular risks of material misstatement
due to the nature of its business, government regulation or other external
factors. If so, auditors should consider whether the audit team has the expertise to address these matters.
Nature of the entity. Auditors should gain an understanding of their client’s nature in order to understand the classes of balances, transactions, and
disclosures that will appear in the financial statements. Many characteristics
make up this nature. They may include attributes of its:
Operations.
Ownership, including the structure of the ownership and whether it
has complex characteristics that may increase the risk of material misstatement.
Governance.
Financing.
Management.
Key personnel.
Related party transactions.
Objectives, strategies and related business risks. Business operates in
a context of industry, regulatory and other internal and external factors.
Within this context a client defines overall plans for its business. These are
its objectives. Strategies are management’s operational approaches toward
achieving those objectives.
The concept of business risk includes, but is broader than, the risk of
material misstatement to the financial statements. Although auditors do
not have to identify or assess every business risk, a solid understanding of
business risk greatly increases the likelihood of identifying risks of material
misstatement. Business risk can arise from:
Setting inappropriate objectives or strategies.
Conditions or events that adversely affect an entity’s ability to reach its
objectives or to execute its strategies.
Change or the failure to recognize a need to change.
Complexity.
EXAMPLE
SAS 109 illustrates the relationship of business risk to the risk of material
misstatement with the example of a competitor that has brand recognition
and economies of scale entering a new marketplace. This causes a business risk to existing manufacturers’ ability to command retail shelf space
and to compete on price. The risks of material misstatement to the existing
manufacturers’ statements, in this case, include inventory obsolescence, or
excess production of inventory that would have to be sold at a discount.
Most business risks have financial consequences, but not all risks give rise
to the risk of material misstatement. Consideration of whether a business
risk leads to the risk of material misstatement is made within the context of
the entity’s circumstances.
OBSERVATION
Smaller entities often do not have formal plans, processes or documents
for their objectives and strategies, or for the management of business risks.
In this case, auditors can obtain the required understanding by inquiries of
management and observations of its responses to such matters.
Measurement and review of financial performance. Performance measures
and their review signal the aspects of the client’s performance that are the
most important to management and others. They also create pressures that
may give management incentives either to improve performance or to misstate the financial statements, such as to “pump up” quarterly earnings to
meet analysts’ expectations. For these reasons, auditors should understand
how an entity measures and reviews its financial performance.
Management’s review of performance measures is intended to assess
whether the entity’s performance meets the objectives set by management, or
by outside parties such as lenders. It is different from the monitoring of internal
controls, which is concerned with the effective operations of those controls.
In setting performance measures, management may use both internally generated and external information. Internal measures, such as budgets,
departmental information, or comparisons with competitors may signal a
need to take corrective actions. They may also indicate to the auditor the
possibility of material misstatement.
Unusually rapid growth or high profitability, combined with performance-based management bonuses, may, for example, indicate a risk of
management bias in financial statement preparation.
External performance measures may provide useful perspectives for the
auditor’s understanding of the client and its environment. These may include
such information as analysts’ or credit rating agencies’ reports.
When using internally generated information for the audit, auditors
should be careful to consider whether that information provides a reliable
basis and is sufficiently precise to detect material misstatements.
OBSERVATION
Even though smaller entities often lack formal processes to measure or
review financial performance, management often relies on certain key indicators for evaluating performance and taking action. These may be based
on management’s knowledge, experience or even intuition. Auditors are
well-advised to ask about the existence of such indicators, and to consider
their implications for the audit.
Internal Control
SAS 109 discusses internal control within the context of the COSO framework. It stresses that the auditor’s primary consideration is whether, and by
what means, a particular control prevents, or detects and corrects material
misstatements at the relevant assertion level. Toward this end, auditors may
use frameworks or terminology other than the COSO model, as long as all
of the components described in SAS 109 are addressed.
Auditors should also develop an understanding of how the client selects
and applies its accounting policies and should consider their appropriateness.
This understanding should include:
Methods of accounting for significant and unusual transactions.
Effects of significant accounting policies in emerging or controversial areas.
Identification of pertinent new financial reporting standards and regulations.
Changes in accounting policies, including consideration of the reasons
for, and the appropriateness of the changes.
SAS 109 also states that auditors should consider the financial statement
disclosures, and whether they are appropriate in form, arrangement and
content. This includes the terminology used, the level of detail presented,
classification of items presented, and the bases of the amounts.
Internal control components. SAS 109 states that auditors should gain an
understanding of the five elements of internal control sufficient to assess risks
of material misstatement in the financial statements caused either by fraud
or by error, and to design the nature, timing, and extent of further audit
procedures. The auditor should also perform risk assessment procedures to
evaluate the design and implementation of controls relevant to the audit.
The knowledge gained in this process should be used to:
Identify types of possible misstatements.
Consider factors affecting the risk of material misstatement.
Design tests of control and substantive procedures.
SAS 109 gives explicit consideration to smaller entities. It acknowledges
that the design and implementation of internal control vary with an entity’s
size and complexity, and that smaller entities may use simpler, less formal
processes and procedures to achieve their objectives. It also states that monitoring may be a less formalized process, because of owner-managers’ close
daily involvement with the business.
EXAMPLE
In very small, owner-managed businesses, the owner may be actively
involved in the financial reporting process, and thus may not have—and
probably does not need—detailed written accounting policies. Similarly,
efforts to categorize various control activities into the categories described
by the COSO framework may not be particularly useful because owner-managers often perform functions that in a larger entity would be considered
as belonging to several of those elements. The fact that a tidy COSO-like
categorization may not be possible does not negate the effectiveness or
validity of these controls.
Relevant controls. Internal control applies to the entire entity, including
all of its business functions and operating units. Controls that are relevant
to the audit, however, pertain to preparing the financial statements. An
understanding of internal control pertaining to each unit and function, or
an assessment of all controls may not be necessary when assessing the risk of
material misstatement and designing and performing audit procedures.
Auditors should focus, rather, on significant risks, and evaluate the design
and implementation of the controls relevant to those risks. In so doing, auditors should consider the particular control component and factors such as:
The client’s size.
Materiality.
The nature of the business.
Organization and ownership characteristics.
Complexity and diversity of operations.
Legal and regulatory requirements.
The nature and complexity of the systems that make up the internal
control system.
Use of service organizations.
OBSERVATION
It is not necessary to assess all controls in connection with assessing the
risks of material misstatement and designing further audit procedures in
response to those assessed risks. As long as the design and implementation
of controls related to significant risks are evaluated, the decision of what
controls to assess is left to the auditor’s professional judgment.
EXAMPLE
Clients usually have operational controls that do not directly relate to the
audit, such as a production scheduling system. Ordinarily, these controls
need not be considered in the audit. Controls over operations and compliance objectives may, however, be pertinent to the audit if they relate to
information that may be evaluated or used in the audit procedures. The
controls over nonfinancial data such as production statistics are relevant
to the audit if that data is to be used in performing analytical procedures.
Similarly, controls designed to detect noncompliance with income tax
laws and regulations would likely have a direct and material bearing on
the financial statements and therefore would be relevant to the audit. On
the other hand, controls over production scheduling would not normally
be relevant to the audit.
Depth of understanding. The auditor’s understanding of internal control
consists of evaluating the design of the control and determining if it has
been implemented.
In evaluating a control’s design, auditors consider whether it is capable of
preventing, or of detecting and correcting material misstatements. Auditors
should consider control design before considering implementation. This is
an efficient audit approach because an ineffectively designed control will not
work even if it is implemented, and thus need not be tested for implementation. An improperly designed control may, however, represent a significant
deficiency in internal control. Auditors should consider communicating this
to management and those charged with governance.
Auditors should perform risk assessment procedures to gain an understanding of internal control. These may include:
Inquiries of client personnel.
Observation of the application of specific controls.
Inspection of reports and documents.
Tracing transactions through the financial reporting system.
Inquiry alone, however, is not sufficient to evaluate the design of a control
or to determine if it has been implemented. Neither is obtaining an understanding of controls sufficient, in itself, as a test of their operating effectiveness, unless they are automated controls operating within an environment
of effective IT general controls.
Manual and automated internal control elements. The extent to which
a client uses manual and IT-based systems affects the five components of
internal control relevant to its financial reporting, operational, or compliance
objectives and its operating units and business functions.
In regard to automated elements, IT may be used as stand-alone systems
that support specific activities, functions or business units, such as an accounts
receivable system or a system that controls the operation of production equipment. These systems may not be integrated with other IT systems. Conversely,
a client may have complex and highly integrated IT systems that share data and
support the entire range of its financial reporting, operational and compliance
objectives. Systems that employ IT may use automated procedures to initiate,
authorize, record, process and report transactions. Electronic records typically
replace paper documents in these systems. Controls in such systems are both
automated and manual. There may, for example, be controls embedded in
a computer program that report transactions over a specified size, but the
follow-up on those transactions may be a manual process.
IT generally provides the benefits of efficiency and effectiveness for
internal control. IT systems, on the other hand, are not without their risks.
It is particularly important with automated systems for auditors to understand how the incorrect processing of transactions is resolved. The system
may, for example, generate exception reports, or create automated suspense
files. Auditors should understand the follow-up procedures for exceptions
or suspense items, and how overrides or bypasses to automated controls are
processed and accounted for.
Manual elements or systems employ manual procedures and generate
paper records. Controls in these systems are also manual, and may consist
of processes such as approvals, reviews, and reconciliations. Manual controls
may be best suited in areas that require high degrees of judgment, such as:
Large transactions.
Unusual or nonrecurring transactions.
Circumstances in which misstatements are difficult to define, predict
or anticipate.
Changing circumstances that require controls that are outside the scope
or capability of existing automated controls.
Monitoring the effectiveness of automated controls.
On the other hand, manual controls are more susceptible to error than automated controls, and can be more easily bypassed or overridden. Because
of the human element involved, manual controls cannot be assumed to be
operating consistently. They may be less suitable than automated controls
in situations involving high volume or recurring transactions, transactions
in which errors can be anticipated and detected or prevented by automated
parameters, or control activities where specific ways to perform the activity
can be adequately automated.
Limitations of internal control. Effective systems of internal control are
designed to give reasonable, not absolute assurance about the achievement of
the entity’s objectives. There are inherent limitations to any system of internal
control, which include the realities that human judgment can be faulty, and
that breakdowns in internal control can happen due to human error. Also,
a properly designed and implemented system can be circumvented through
collusion, or by inappropriate management override of controls.
EXAMPLE
Management may collude with customers to enter into undisclosed agreements that alter the terms and conditions of standard sales contracts, which
in turn may lead to improper revenue recognition.
Management may override controls by overriding or disabling edit checks
in software programs that flag transactions exceeding specified limits.
OBSERVATION
Optimal segregation of duties may not be feasible in smaller entities because
they have few employees. Nonetheless, some simple but effective controls
can be implemented in key areas. For example, owner-managers of small
businesses often have the bank statements mailed to their homes, and
open them to look at deposits and canceled checks before handing them
over to the bookkeeper. This action sends employees a message that the
owner places importance on internal control.
STUDY QUESTIONS
14. Which of the following statements best describes the relationship between business risk and the risk of material misstatement?
a. All business risks have financial consequences that give rise to the
risk of material misstatement.
b. Most business risks have financial consequences, most of which
give rise to the risk of material misstatement.
c. The concept of business risk includes, but is broader than, the risk
of material misstatement to the financial statements.
d. As a part of assessing the risk of material misstatement, auditors
should identify and assess every significant business risk.
Assessing Risks of Material Misstatement
Auditors should identify and assess risks of material misstatement on both the
financial statement level and the relevant assertion level for classes of transactions, balances, and disclosures. As a part of this process, they should:
Identify risks throughout the process of gaining an understanding of the
entity and its environment.
Relate those risks to risks of possible misstatements at the relevant assertion level.
Consider whether the magnitude of those risks could result in material
misstatement of the financial statements.
Consider whether it is likely that the risks could result in material misstatement of the financial statements.
Use information obtained by performing risk assessment procedures in
evaluating the design and implementation of internal controls.
Use risk assessment in determining the nature, timing and extent of additional audit procedures.
Determine whether identified risks are isolated to particular relevant assertions associated with a class of transactions, balances or
disclosures, or are more pervasive and likely to affect the financial
statements as a whole.
Identify controls that are likely to prevent, detect or correct material
misstatements in particular relevant assertions.
Communicate significant deficiencies in internal control to those charged
with governance.
Consider a qualification or disclaimer of opinion, or in some cases a
withdrawal from the engagement in cases where there are concerns about
management’s integrity or the adequacy of its records.
OBSERVATION
The requirement to use risk assessment in determining the nature, timing,
and extent of additional audit procedures may well be one of the most important in SAS 109. One of the key philosophical threads running through
the Risk Assessment Standards is the idea of linking audit procedures to
risks: that is, of performing more intensive procedures in areas of higher
risk, and less intensive ones in areas of lower risk. Arguably, this is merely
a codification of existing best practices. On a practical level in implementing SAS 109, it will be more important than ever for auditors to show how
they have considered risks in developing audit procedures, and how their
procedures address those risks.
Special audit consideration for significant risks. Significant risks are likely
to arise in most audits. Determining which risks are significant and therefore
require special audit consideration is subject to a high degree of professional
judgment. Factors to consider in making this determination include:
Inherent risk.
The likelihood of multiple misstatements.
The nature of the related business risks.
The risk of fraud.
Whether the risk is related to significant recent developments in the
economy or in accounting.
The complexity of transactions.
Related party transactions.
The degree of subjectivity involved.
Non-routine transactions and judgmental matters involving accounting
estimates are normally regarded as areas in which significant risks are likely
to be identified. The nature of non-routine transactions in itself makes it
difficult for management to design and implement control over them. In
addition, non-routine transactions often exhibit one or more of the following characteristics which cause them to have higher risk:
Complex accounting principles or calculations.
Greater management intervention to control the accounting treatment.
Greater manual intervention in data collection and processing.
Related party transactions.
Judgmental matters may turn upon accounting principles that are subject to
differing interpretations, or may involve significant estimates or uncertainties, such as assumptions about future events.
Auditors should evaluate the design and implementation of internal controls related to significant risks. Where such controls are absent or ineffective,
they should communicate the matter to those charged with governance, and
consider the effects on the risk assessment.
EXAMPLE
Lawsuits are an example of a nonrecurring event that often carries significant
risk. In addition to evaluating the substance of the lawsuit as such, it is
important for auditors to look to the client’s policies and practices, whether
formal or informal, for responding to a lawsuit. Appropriate responses
include prompt referral to legal counsel. Auditors should also ascertain
whether management has assessed the potential effect of the lawsuit, and
how they propose to disclose it in the financial statements.
Risks for which substantive procedures alone provide insufficient
evidence. In some cases, it may be impossible to design effective substantive
procedures to provide sufficient audit evidence in support of relevant
financial statement assertions. This often occurs when routine daily business
transactions permit highly automated processing, and clients use IT to initiate, process and record transactions with little or no manual intervention.
Telecommunications companies or internet service providers, for example,
provide service to customers through electronic media, and use IT to log
the services provided, initiate and process billings, and automatically record
these transactions in the accounting records.
In these cases, audit evidence may exist only in electronic form, and
its appropriateness and sufficiency are highly dependent on the effectiveness of the controls over its completeness and accuracy. Auditors should
identify the risks for which it is not possible or practicable to reduce
detection risk at the relevant assertion level to an acceptably low level by
means of substantive procedures alone. The design and implementation
of controls, including relevant control activities over those risks, should
then be evaluated.
When transaction initiation and processing are highly automated,
such as for revenues, purchases, cash receipts, or disbursements, risks
ordinarily relate to those specific classes of transactions. Those risks
include incomplete or inaccurate processing, and improper initiation
or alteration of information.
Testing of controls becomes crucial in these situations, because stronger controls reduce the risks of misstatement. A combination of audit
evidence obtained through both tests of controls and substantive tests
can therefore reduce detection risk at the relevant assertion level to an
acceptably low level.
Revision of risk assessment. SAS 109 emphasizes that risk assessment is
a dynamic process that occurs throughout the audit. As a result of applying audit procedures, the auditor may discover, for example, that internal
controls are not operating as expected, or that misstatements have occurred
in amounts or frequencies that are greater than is consistent with the initial
risk assessment. When this occurs, the auditor should revise the risk assessment and should modify the planned audit procedures appropriately to
respond to the risks.
OBSERVATION
The AICPA Practice Monitoring Programs (peer review programs) are replete with anecdotal observations about firms that, after making an initial
risk assessment, discover high risks of misstatement in unexpected areas.
While this does not necessarily mean that the risk assessment process
was flawed, it does call for the firm to take some action, usually in the form of
additional audit procedures, related to the newly discovered risks. Under
the new Risk Assessment Standards, it will be important for auditors to
look at their initial risk assessments at the end of the engagement, in light
of the audit’s actual results, to determine that the initial risk assessment
continues to be appropriate, or that planned audit procedures were appropriately modified.
STUDY QUESTIONS
15. As a part of the process of identifying and assessing risks of material
misstatement on both the financial statement level and the relevant
assertion level for classes of transactions, balances, and disclosures,
auditors should do all of the following except:
a. Relate risks identified in the process of gaining an understanding
of the entity and its environment to risks of possible misstatements at the relevant assertion level.
b. Use information obtained by performing risk assessment procedures in evaluating the design and implementation of internal
controls.
c. Determine whether identified risks are isolated to particular relevant assertions associated with a class of transactions, balances,
or disclosures, or are more pervasive and likely to affect the financial statements as a whole.
d. Communicate significant deficiencies in internal control to legal
counsel.
16. Nonroutine transactions and judgmental matters involving accounting
estimates are normally regarded as areas in which significant risks are
likely to be identified. True or False?
PERFORMING AUDIT PROCEDURES IN RESPONSE
TO ASSESSED RISKS AND EVALUATING AUDIT
EVIDENCE OBTAINED
SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained, introduces significant changes to existing
auditing practice. Its most significant provisions require auditors to:
Determine overall responses to address the assessed risks of material
misstatement at the financial statement level.
Design and perform additional audit procedures that are responsive to
the assessed risks of material misstatement at the relevant assertion level.
These include substantive procedures and, where relevant and necessary,
tests of the operating effectiveness of controls.
Design and perform substantive procedures for all relevant assertions
related to each material class of transactions, account balance and disclosure, regardless of the assessed risk of material misstatement.
Agree the financial statements and accompanying notes to the underlying records and examine material journal entries and other adjustments
made during the course of preparing the financial statements.
Perform tests of controls to obtain evidence about their operating effectiveness when the risk assessment includes an expectation of the
operating effectiveness of controls, or when substantive procedures alone
do not provide sufficient appropriate audit evidence at the relevant assertion level.
When performing audit procedures at an interim date:
Determine what additional evidence should be obtained for the
remaining period when tests of controls are performed during an
interim period.
Perform further substantive procedures or a combination of substantive procedures and tests of controls for the remaining period
to provide a reasonable basis for extending audit conclusions based
on substantive procedures performed at an interim date to the
period end.
When planning to carry forward and rely upon evidence about specific
controls from previous audits in the current audit:
Inquire, observe and inspect documentation to determine if they
have changed.
Test their operating effectiveness in the current audit, if they have
changed.
Test the operating effectiveness of such controls at least once in every
third year in an annual audit, if they have not changed.
Include certain specific documentation as part of every audit.
Overall Responses
SAS 110 provides guidance on determining overall responses to address risks
of material misstatement at the financial statement level. Those responses
may include:
Emphasizing to engagement personnel the need to maintain an attitude
of professional skepticism in performing the audit.
Assigning more experienced staff to the audit.
Assigning specialists or those with special skills to the audit.
Providing additional supervision to the audit team.
Introducing elements of unpredictability in the selection of audit
procedures.
Changing the nature, timing or extent of audit procedures.
The auditor’s consideration of the control environment has a significant
impact on the assessment of the risk of material misstatement at the financial
statement level, and therefore, on the general approach to the audit. Weaknesses in the control environment call for appropriate audit responses. These
might include, for example:
Performing a substantive procedure such as confirmation at year end
rather than at an interim date.
Making more extensive use of substantive procedures.
Changing the nature of audit procedures to obtain more persuasive
evidence.
Increasing the number of locations to be included in the audit scope.
Audit Procedures Responsive to the Risk of Material Misstatement at
the Relevant Assertion Level
SAS 110 advances the concept of a linkage between the audit tests performed
and the risks assessed. While not a new concept, SAS 110 gives additional
emphasis to the idea that the auditor should design and perform further audit
procedures whose nature, timing and extent are responsive to the assessed
risks of material misstatement at the relevant assertion level. In doing so,
the auditor should consider:
The significance of the risk.
The likelihood of material misstatement.
The characteristics of the transaction classes, balances, or disclosures.
The nature of the client’s controls, and whether they are automated or
manual.
Whether the auditor plans to test controls.
Audit procedures should be proportional to the assessed risk, with areas
of higher risk receiving more attention from the audit team. Usually, this
entails developing an audit approach that contains elements of substantive
procedures, tests of controls and analytical procedures in varying degrees to
achieve an appropriate level of assurance for each relevant assertion.
OBSERVATION
Auditors have always designed their audit procedures to respond to their
perceptions of audit risk. Under the old standards, this was more of an intuitive process, in which the audit documentation was left to “speak for itself”
as to the responsiveness of those procedures to the audit risks. Under SAS
110, auditors are required to specifically document which audit procedures
are designed to respond to which risks. In the initial application of the
Risk Assessment Standards, this is likely to present significant challenges
in terms of explicitly conceptualizing those linkages, and systematizing
methods for documenting them.
SAS 110 further develops the concept of linkage by discussing the relationship between the level of assessed risk and the nature, timing and extent of
audit procedures. It notes that information developed in an environment of
effective internal control is generally more reliable than information that is
not. Effective internal control thus reduces, but does not eliminate, the risk
of material misstatement. In an environment of effective internal control,
tests of internal control can therefore reduce, but not eliminate, the need
for substantive procedures. Conversely, it is not necessary to perform tests
of the operating effectiveness of controls in an audit area where substantive
procedures alone are, in the auditor’s judgment, sufficient to reduce detection risk to an acceptably low level, or in an area where no effective controls
have been shown to exist.
Analytical procedures, likewise, may be sufficient in areas where balances or transaction classes are immaterial and are assessed at low risk of
material misstatement. However, in some areas, it is appropriate to buttress
the evidence obtained through analytical procedures with substantive tests.
SAS 110 cites the example of an estimation process, such as allowance for
doubtful accounts, in which subsequent collection tests would be used to
strengthen evidence developed through analytical procedures.
SAS 110 briefly discusses small entities, in which control activities cannot
be identified, and therefore, a primarily substantive approach must be taken.
Auditors are cautioned, in such cases, to consider whether it is possible to
obtain appropriate audit evidence.
OBSERVATION
SAS 110 does not require that controls be tested in all audits. Neither
does it prohibit an “all substantive approach” to an audit. Controls should
be tested only when the auditor plans to rely on them. Similarly, SAS 110
specifically states that it is not necessary to test controls when it would
be inefficient to do so. The significant change to existing practice is that
auditors can no longer default to a maximum control risk assessment, as
was often the case with audits of small owner-managed clients. Under
the new standards, auditors should develop an understanding of controls.
When deciding not to test controls, auditors need to be satisfied that substantive procedures alone will be effective in reducing detection risk to an
acceptably low level.
OBSERVATION
Auditors of smaller entities often say that their clients “are too small to have
any internal controls.” This is almost never the case. Consider, for example,
basic controls such as double entry bookkeeping, serially numbered checks
and invoices, and bank reconciliations.
Almost every entity, down to the smallest, has at least some elements such
as these that are thought of as internal controls, even though they may not
be formalized or well-documented. In a small-entity environment, it may
well be more efficient to rely on substantive tests, but it is seldom accurate
to assert that there are no internal controls.
Nature of further audit procedures. The nature of audit procedures is a
qualitative determination, in which auditors use professional judgment in
selecting the type of procedures, such as inspection, observation, inquiry,
recalculation, reperformance, or analytical procedures, that are likely to be
the most effective and efficient in obtaining audit evidence. In selecting audit
procedures, auditors consider the risk of misstatement in the particular class
of transactions, balances, or disclosures. This includes considering the reasons
for the risk assessment. If, for example, the particular characteristics of a class
of transactions have low inherent risk, without regard to controls, it may
be appropriate to use substantive analytical procedures alone. Conversely, if
the assessed control risk is low, and the auditor intends to design substantive
procedures based on the effectiveness of those controls, it will be necessary
to perform tests of those controls.
It is also necessary to gather evidence to support the accuracy and completeness of information produced by the entity’s information system when
that data is used in performing audit procedures. This is the case when, for
example, budget data or nonfinancial data is used in performing substantive
analytical procedures.
Timing of further audit procedures. Tests of controls or substantive procedures may be performed at an interim date, or at period end. Performing
tests at an interim date may enable auditors to identify significant matters
early in the audit, and thus either resolve them with management’s assistance,
or develop an effective audit approach to deal with them. However, when
substantive procedures or tests of the operating effectiveness of controls are
performed at an interim date, the auditor should consider what additional
evidence is necessary for the remaining period.
Auditors are more likely to perform substantive tests at or near the period
end, or at unannounced or unpredictable times, when there is a high assessed
risk of misstatement. Also, certain procedures can be performed only at or
after the period end.
EXAMPLE
Procedures that can only be performed at or after a period end include
examining adjustments made during financial statement preparation and
agreeing the financial statements to the underlying accounting records.
Also, when there is an assessed risk of improper cutoffs, or of other improper transactions or adjustments near the period end, auditors should
inspect transactions both shortly before and shortly after the period end
to specifically address that risk.
In determining when to perform auditing procedures, auditors should take
into account:
The control environment.
When relevant information will become available.
The nature of the risk.
The date or period to which the evidence relates.
Extent of further audit procedures. Determining the extent of audit procedures
is a quantitative process in which the auditor decides such matters as
sample sizes or the number of observations of a control activity. It involves
the auditor’s professional judgment, which takes into account:
Tolerable misstatement.
Assessed risk of material misstatement.
The degree of assurance to be obtained.
In general, more extensive audit procedures, such as larger sample sizes,
yield a higher degree of assurance. It is important, however, not to confuse
quantity with the relevance of the procedure to a particular assertion. A
substantive procedure such as inspecting all of the vendors’ invoices to
support recorded accounts payable, for example, provides strong support for the existence of those payables, but does nothing to assure the
completeness of accounts payable. Similarly, in sampling applications, an
inappropriate selection methodology or sample size, or the failure to follow
up on exceptions, will affect the validity of the auditor’s conclusions. It is
therefore the nature of the audit procedure, and not its extent, that is the
most important consideration.
SAS 110 encourages the use of different audit procedures in combination with each other, such as tests of the operating effectiveness of controls
together with substantive or analytical procedures. Auditors should, however,
be careful to consider whether the extent of testing is sufficient when using
different procedures in combination.
OBSERVATION
The concept that the nature of the procedure, and not its extent, is the most
important in responding to the risk of material misstatement is crucial to
SAS 110. Otherwise stated, auditors cannot reduce detection risk simply
by “increasing their scope” when the nature of the test is not appropriate
for a particular assertion.
STUDY QUESTIONS
17. Which of the following statements best applies to the requirement under
SAS 110 to link auditing procedures to assessed risk?
a. Audit procedures should be applied proportionally to the monetary
amounts of recorded financial statement items.
b. Audit procedures should be applied uniformly to recorded financial
statement amounts irrespective of assessed risks.
c. Audit procedures should be directly linked to materiality.
d. Audit procedures should be proportional to the assessed risk, with
areas of higher risk receiving more attention from the audit team.
Tests of Controls
Auditors should test controls when the risk assessment includes an expectation of their operating effectiveness, or when substantive procedures do
not by themselves provide sufficient appropriate evidence at the relevant
assertion level.
Considering controls consists of three steps. Normally these are performed
in sequence, as a matter of audit efficiency. These steps involve determining
that the control:
Is suitably designed to prevent or detect a material misstatement in a
relevant assertion. If the control is not suitably designed, it is unnecessary
to test it for operating effectiveness or implementation.
Exists and is implemented.
Is operating effectively.
In some cases, risk assessment procedures to assess the design and implementation of controls may also serve as tests of those controls. IT controls, for example, are generally consistent in their application, thus the
determination that they have been implemented may also serve as a test
of their operating effectiveness.
Auditors often find that it is efficient to test internal controls concurrently with substantive tests. In so doing, consideration should be given
to the impact that the result of substantive testing has on the control
testing, and vice versa. A material misstatement revealed by substantive
procedures that went undetected by the client would usually be considered
a significant deficiency in internal control. On the other hand, control
weaknesses noted in the test of controls may indicate that the auditor
should consider whether the planned extent of the substantive procedure,
such as the sample size, is adequate.
Nature of control tests. Control tests normally consist of a combination
of such procedures as:
Inquiries of entity personnel.
Inspection of documents, reports, or electronic files which indicate the
performance of the control.
Observation of the control’s application.
Reperformance of the control’s application.
When selecting audit procedures, auditors should consider the degree of
assurance about operating effectiveness that is needed. As the planned level
of assurance increases, so should the reliability or extent of the audit evidence. In such cases, different audit procedures should be used in concert,
to supplement each other.
Auditors should also consider indirect controls on which direct controls
depend for their effectiveness.
EXAMPLE
As a control over credit sales in excess of customer limits, a company’s
IT system generates an exception report showing credit sales that exceed
established limits.
The direct control consists of the user’s review of this report. The effectiveness of this control depends not only on the user’s diligence in the
review process, but upon the IT controls used to generate the data, such
as controls over maintaining and updating a database of credit limits by
customer, and on the automated processes for comparing recorded sales
to credit limits.
An absence of misstatements detected by substantive procedures does
not prove that controls are effective. However, misstatements detected by
substantive procedures should be considered in assessing the effectiveness
of controls. Material misstatements that were undetected by the client are
to be regarded as at least a significant deficiency, and possibly as a material
weakness which should be communicated to management and those charged
with governance.
OBSERVATION
SAS 110’s bold assertion that auditors cannot assume that controls are
operating effectively when no material misstatements are detected tacitly
acknowledges the “dumb luck” factor in accounting. It is possible for financial statement items to be correct, even though the controls over them
are ineffective.
Timing of control tests. Controls should be tested throughout the period, or
as of the point in time that the auditor plans to rely on them. Observations
at a point in time, such as physical inventory observation, may be sufficient
when the controls pertain only to that time. However, when auditors plan
to rely on controls throughout a period, point-in-time observations or tests
performed in interim periods should be supplemented with other procedures
that are capable of providing evidence that the control operated effectively
throughout that period. In such circumstances, auditors should consider:
The significance of the assessed risk of material misstatement at the
relevant assertion level.
The specific controls tested on an interim basis.
The degree to which audit evidence about their effectiveness was obtained.
The length of the remaining period.
The extent of planned reliance on the controls to reduce the extent of
substantive procedures.
The control environment.
Internal controls should be tested at least once in every third year of an
annual audit. This marks a significant departure from previously existing
practice in which internal control documentation was routinely “rolled over”
from one audit to the next at the auditor’s discretion. Under SAS 110, when
planning to rely on evidence obtained about internal control in previous
audits, auditors should:
Obtain evidence about whether the controls have changed since the
prior audit.
Establish the continuing relevance of the evidence obtained in the prior
period.
Determine whether changes have been made to automated processing
that affect its continued effectiveness.
Test controls that have changed since the prior audit, if reliance on those
controls is planned.
SAS 110 offers significant guidance for determining when, and whether, it
is appropriate to use audit evidence obtained in a prior period. It states that
auditors should consider:
The effectiveness of other internal control elements, including:
The control environment.
The client’s monitoring of controls.
The risk assessment process.
The risks arising from the characteristics of the control, including whether
controls are automated or manual.
The effectiveness of IT general controls.
The control’s effectiveness and its application by the client, including the
nature and extent of deviations in its application noted in prior audits.
Whether changing circumstances have caused the lack of change in a
particular control to pose risks.
The risk of material misstatement.
The extent of reliance on the control.
As the risk of material misstatement or the planned reliance on controls
increases, the interval of time that elapses between tests is likely to shorten.
The presence of the following indicators ordinarily results in either not
relying on evidence obtained in prior audits, or in shortening the period
for retesting a control:
Weak control environment.
Weak monitoring controls.
A significant manual element to the relevant controls.
Weak general IT controls.
Significant personnel changes that affect control application.
Changes in circumstances that indicate a need for changes in the control.
In any case, auditors should test the operating effectiveness of some controls
every year. This approach provides evidence about the continuing effectiveness of the particular controls tested and of the control environment, and
contributes to the decision about whether reliance on evidence obtained
in prior audits is appropriate. It also avoids the possibility that all relevant
controls would be tested in one period, and none in the subsequent two periods. Accordingly, auditors should plan to test a portion of the controls each
period, so that each control is tested at least once in every three audits.
An important exception to the “three year rule” exists when there is a significant assessed risk of material misstatement at the relevant assertion level.
In this case, auditors should test the operating effectiveness of the control in
the current period, when they plan to rely on it to mitigate that risk.
Extent of control tests. Auditors should design tests of controls to provide
sufficient appropriate evidence that they are operating effectively throughout
the period of reliance. In determining the extent of control tests, the following
factors may be considered:
How often the control is performed.
How long during the audit period the auditor is relying on the control.
The relevance and reliability of the evidence supporting the control’s effectiveness in preventing, detecting, or correcting material misstatements
at the relevant assertion level.
The extent of evidence obtained about other controls pertinent to the
relevant assertion.
The extent of planned reliance on the control in the risk assessment.
The expected deviation from the control.
When a control operates frequently, such as a control over daily transactions,
consideration should be given to employing an audit sampling technique to
obtain reasonable assurance about its operating effectiveness. When a control
operates only on a periodic or infrequent basis, auditors should consider
applying the guidance for testing smaller populations, such as testing the
control application for two months of the year and reviewing evidence of
its application or scanning for unusual items in other months.
The greater the level of reliance on control effectiveness in the risk assessment process, the greater the extent of testing should be. However, when a
high incidence of deviation is expected, auditors should consider whether
control tests will be sufficient to reduce control risk at the relevant assertion
level. In such cases, control tests may be inappropriate or inefficient.
IT processing is inherently consistent, thus the extent of tests might
be limited to one or a few instances of operation. However, having once
determined that the control is operating as intended, auditors should test
to assure that it continues to function effectively.
STUDY QUESTIONS
18. Auditors should test controls:
a. When substantive procedures do not by themselves provide sufficient appropriate evidence at the relevant assertion level.
b. Regardless of whether the risk assessment includes an expectation of their operating effectiveness.
c. Once every three years.
d. Whenever there is a significant assessed risk of material misstatement at the relevant assertion level.
Substantive Procedures
Auditors should plan and perform substantive procedures to be responsive
to the related assessed risk of material misstatement. When the assessed risk
of material misstatement at the relevant assertion level is determined to be
significant, substantive procedures that are specifically responsive to that
risk should be performed.
Regardless of risk, substantive procedures should be designed and performed for all relevant assertions related to each material class of transactions,
account balance, and disclosure. Those procedures should include:
Agreeing the financial statements and accompanying notes to the underlying accounting records.
Examining material adjustments and journal entries made in the preparation of the financial statements.
Nature of substantive procedures. Substantive procedures should be designed to respond to the planned level of detection risk. Such procedures
consist of both tests of details and substantive analytical procedures. The
decision as to which procedures are to be applied, or in what combination, is
influenced by whether the auditor has gathered evidence about the operating
effectiveness of controls.
Tests of details are usually most appropriate for gathering evidence about
relevant assertions, such as valuation and existence, pertaining to account
balances. Substantive analytical procedures, on the other hand, generally
lend themselves to situations involving large transaction volumes that are
relatively predictable over time. Substantive analytical procedures may be
sufficient in situations of low assessed risk where the auditor has determined
that the relevant controls are operating effectively, or they may be used in
combination with limited tests of details.
When designing substantive analytical procedures, consideration should
be given to:
The suitability of substantive analytical procedures for the given
assertion.
The reliability of the data from which ratios or expectations are derived,
including the controls over the preparation of that data.
The degree of precision of the expectation relative to the levels of materiality and desired assurance.
The acceptable amount of variance between expectations and recorded
amounts.
In deciding to use substantive analytical procedures, and in evaluating
their results, auditors should be aware of their limitations. One particular
limitation is that they may not be well suited for detecting certain types of
fraud involving management override of controls. When financial statement
amounts have been manipulated to create a false appearance of normality or
consistency, there is a danger that substantive analytical procedures will fail
to detect the manipulation, and thus cause erroneous acceptance.
Timing of substantive procedures. When considering whether to perform
substantive procedures at the period end, or at an interim date, auditors
should take into account:
The control environment and relevant controls.
The availability of necessary information at a date after the interim date.
The objective of the substantive procedure.
The assessed risk of material misstatement, including fraud risk.
The nature of the account balance or class of transactions and the relevant assertions.
The entity’s procedures for analyzing and adjusting balances and transaction classes at interim dates.
The client’s cutoff procedures.
The capability of the information system to permit investigation of:
Significant unusual transactions or entries.
Causes of significant fluctuations or of expected fluctuations that
did not occur.
Changes in the composition of account balances or classes of transaction during the remaining period.
The ability to reduce detection risk at the period end with further substantive procedures, or a combination of control tests and substantive
procedures.
When substantive procedures are performed at an interim date, detection
risk at the period end increases. Auditors should, at a minimum, perform
further substantive procedures to mitigate this risk. It is not always necessary to test the operating effectiveness of controls for the interim period to
provide a reasonable basis for projecting the audit conclusions to the period
end. However, auditors should consider whether the interim substantive
procedures alone provide a sufficient basis. When the interim substantive
procedures do not adequately support conclusions about the remaining
period, additional period-end substantive procedures or a combination of
control tests and substantive procedures over the remaining period should
be performed.
Audit procedures performed between the interim date and the period
end may include:
Comparison and reconciliation of interim and period end balances.
Identification and investigation of amounts that appear unusual.
Substantive analytical procedures applied to balances and transaction
classes that are reasonably predictable.
Tests of details.
When material misstatements are detected at an interim date, consideration
should be given to modifying the nature, timing or extent of the substantive procedures covering the remaining period, or to repeating the audit
procedures at the period end.
Evidence obtained from previous audits is not sufficient to reduce detection risk to an acceptably low level in the current period. When considering
whether to use such evidence in the current audit, the evidence and related
subject matter must not have fundamentally changed. Auditors should perform tests in the current period to establish its continuing relevance.
SAS 110 lists the following other timing considerations for substantive tests:
Coordinating related party procedures in light of the risks of material
misstatements.
Coordinating tests of interrelated accounts and cutoffs.
Maintaining temporary audit control over negotiable assets.
Simultaneously testing such assets as cash on hand, bank loans and other
related items.
Extent of substantive procedures. Determination of the extent of substantive tests of details to be performed is usually thought of in quantitative terms,
primarily related to sample sizes. In making this determination, a higher
level of assessed risk of misstatement usually indicates the need for more
extensive substantive procedures. However, consideration of the operating
effectiveness of internal controls, and the relevance of the planned procedure
to the specific risk should also enter into this determination.
Consideration should be given to the qualitative aspects of specific populations to be detail-tested, and whether it may be more effective to use other
methods of selection such as selecting large or unusual items from a population,
or stratifying the population into homogeneous subsets for sampling.
EXAMPLE
Consider three different transaction classes of similar total monetary
amount, but differing qualitative properties. One class of transactions contains several thousand individual line items of similar and relatively small
items. The second class contains a few large items comprising all but an
immaterial portion of its total. The third class contains a few large items
and a remaining population of several hundred items that vary widely in
amount, including a large number of very small transactions.
The first transaction class lends itself well to statistical sampling. The second class might best be addressed by detailed testing of the large items
and scanning of the rest. For the third class, detail testing of the few large
items, and statistical sampling of the remaining population or stratifying the
remaining population and testing larger amounts on an interval basis, while
merely scanning the smaller amounts, would likely prove effective.
When using substantive analytical procedures, the auditor should determine
how large a variance from expectation is acceptable. This involves considering
tolerable misstatement and the desired level of assurance, and the possibility
that a combination of misstatements could aggregate to a material level.
Adequacy of Presentation and Disclosure
SAS 110 places additional emphasis on the auditor’s responsibility to evaluate the financial statements for their fairness of presentation and disclosure.
This evaluation should take place within the context of the assessed risk of
material misstatement at the relevant assertion level. Procedures targeted
toward this objective should include consideration of whether:
The financial statements and the related notes are in accordance with
generally accepted accounting principles in their overall presentation.
Individual financial statements are appropriate in form, arrangement,
and content.
Individual financial statements contain proper:
Classifications.
Descriptions.
Terminology.
Levels of detail.
Bases of amounts set forth.
Adequate disclosure of material matters.
Management has, or should have, disclosed a particular matter in light
of the facts and circumstances.
Evaluating the Sufficiency and Appropriateness of Audit Evidence
SAS 110 states that, “An audit of financial statements is a cumulative and
iterative process.” This recognizes that evidence builds up throughout the
audit, as audit procedures are performed, and that assumptions about the
risk of material misstatement may change in light of this evidence. It is
important for auditors to view the audit process as an integrated whole
rather than as a series of sequentially-applied procedures. This involves a
careful consideration, both during and at the end of the audit, of whether
preliminary assumptions about risk continue to be valid, and whether the
audit procedures respond adequately to the assessed risks. Factors that may
cause a re-evaluation of the initial risk assessment include:
Differences between information upon which risk assessments were based
and information that subsequently comes to light.
Extent of misstatements detected by substantive procedures.
The effect of those misstatements on the auditor’s assessment of the effectiveness of controls.
Whether misstatements due to fraud or error are isolated instances and
how their detection affects the assessed risk of material misstatement.
Extent of deviations in the application of control procedures detected
by tests of controls.
Whether the tests of control provide sufficient basis for reliance upon
the controls.
Finally, auditors should conclude as to whether sufficient appropriate
evidence has been obtained to reduce the risk of material misstatement to
an appropriately low level. This determination is a matter of professional
judgment, involving consideration of:
All relevant audit evidence, whether it appears to support or to contradict
the relevant financial statement assertions.
The significance of the potential misstatement in the relevant assertion.
The likelihood of the potential misstatement having a material effect
on the financial statements either individually or when aggregated with
other misstatements.
The effectiveness of management’s controls and responses to risks.
Experience from previous audits with respect to similar potential misstatements.
Results of audit procedures performed.
Whether audit procedures identified specific instances of fraud or error.
The sources and reliability of information.
The persuasiveness of audit evidence.
The understanding of the client, its environment and its internal control.
When the auditor concludes that sufficient appropriate evidence has not
been obtained with respect to a material financial statement assertion, attempts
should be made to obtain additional evidence. If sufficient appropriate audit
evidence cannot be obtained, the auditor should express a qualified opinion,
or should disclaim an opinion.
STUDY QUESTIONS
19. Which of the following statements best applies to the auditor’s considerations in forming a conclusion as to whether sufficient appropriate
evidence has been obtained to reduce the risk of material misstatement
to an appropriately low level?
a. Audit evidence that appears to contradict the relevant financial
statement assertions may be disregarded in low-risk areas.
b. Experience from previous audits with respect to similar potential
misstatements should not be considered in the current period
audit.
c. The likelihood of the potential misstatement having a material effect on the financial statements should be considered only in the
aggregate.
d. The sources and reliability of information, and the persuasiveness
of audit evidence should be considered.
AUDIT SAMPLING
SAS 111, Amendment to SAS 39, “Audit Sampling,” presents several largely
technical amendments to previous audit sampling practices. This section
discusses only a few of the most important concepts.
Sample Size
In general, as risk factors increase—for example, as the assessed risk of material misstatement gets higher—the sample size increases.
When tests of controls are required, many auditors feel that it is efficient
to select one sample to serve both the control test and tests of details objectives. SAS 111 states that a “dual purpose” sample should be the larger
of the sample sizes that would otherwise have been selected for the two
separate purposes.
This requirement may result in some sampling applications having a
larger number of items than otherwise expected.
Evaluating Sample Results
It is not always possible to apply planned audit procedures to every item
within a sample. This often occurs because the client cannot locate the
supporting documentation. When this happens, auditors should consider
applying alternative audit procedures if a misstatement within unexamined
items in a sample would change the evaluation of the sample results.
SAS 111 does not mandate that each item within a sample be tested. If
the result of examining the item would not change the conclusion about the
sample results, and if there are no other implications for an inability to test
an item, it may be inefficient to select a replacement item or to apply alternative procedures for an item that cannot be located. These considerations
should, however, be documented, when relevant.
SAS 111 states that the absence of monetary misstatements in a sample
does not necessarily mean that controls are effective. Even in an environment of weak controls, it is possible to get things right by accident. Monetary misstatements detected by substantive procedures should, however,
be evaluated for their implications as possible indicators of control failures.
These instances should be taken into account when assessing the operating
effectiveness of related controls.
STUDY QUESTIONS
20. A sample designed to serve for both control tests and tests of details
should be the larger of the sample sizes that would otherwise have
been selected for the two separate purposes. True or False?
MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 6
Audit Risk Alert – 2007/08
LEARNING OBJECTIVES
At the end of this chapter, the reader should:
Have an overview of certain economic and industry developments that
are of interest to the auditing profession.
Have a general understanding of recent auditing standards and developments for communications with those charged with governance, and
for internal control audits of SEC issuers.
Have a general understanding of recent accounting standards and
developments for fair value measurement, postretirement plans, and
income taxes.
Be aware of the general objectives of the AICPA Clarity Project and
International Convergence.
INTRODUCTION
The AICPA publishes an annual Audit Risk Alert to give auditors an overview of recent professional, economic, and regulatory developments. This
year’s Audit Risk Alert covers a wide variety of topics, such as Statement on
Auditing Standards No. 103, Audit Documentation (SAS 103), SASs 104-111, the Risk Assessment Standards, and SAS 112, Communicating Internal
Control Related Matters Identified in an Audit, that are covered in other
chapters of this Course.
In addition to those topics, it provides information in the following areas
of interest to auditors, which are covered in this chapter:
Economic and Industry Developments
Auditing Developments, including:
Communication With Those Charged With Governance
Dating of the Auditor’s Report
PCAOB Auditing Standard No. 5
Alternative Investments
Accounting Issues and Developments, including:
Fair Value Measurements
Defined Benefit Pension and Other Postretirement Plans
Income Tax Accruals and Deferred Income Taxes
Developing Issues, including:
The AICPA Clarity Project
International Convergence
The Audit Risk Alert has no authoritative status. It is an “other auditing
publication” as defined in AU Section 150, Generally Accepted Auditing
Standards, that may assist auditors in understanding and applying the SASs.
It cautions readers that they should be satisfied, in their judgment, that
its guidance is both relevant and appropriate to the circumstances of their
particular audits.
ECONOMIC AND INDUSTRY DEVELOPMENTS
It is important for auditors to understand the general economic environment and the economic conditions facing the client’s industry in planning
and performing audits. Factors such as interest rates, inflation, consumer
confidence, and labor markets, as well as overall economic conditions are
likely to affect an entity’s financial statements.
OBSERVATION
Many statistics such as those discussed below may be useful for auditors
in developing expectations for analytical procedures. Interest rates, for
example, could be useful as a yardstick in gauging the reasonableness of
investment income. Conditions in the housing market could likewise provide
useful information in developing expectations about the performance of
entities in the real estate, construction or leasing industries.
Real Gross Domestic Product
Real gross domestic product (GDP) measures the output of goods and
services by labor and property within the U.S. It is the broadest measure of
economic activity, and it increases as the economy grows. Through 2007,
GDP increased at an estimated 2.0% annual rate, compared to 3.1% in
2005 and 2.9% in 2006.
Unemployment
The unemployment rate held steady at between 4.4% and 4.8% from 2006
to 2007. These are the lowest rates since 2000.
Interest Rates
The federal funds rate held steady at 5.25% from June 2006 to August 2007,
after a period of rising rates during early 2006. Due to deteriorating financial
markets, tighter credit conditions and increased uncertainty, the Federal
Reserve lowered the fed funds rate to 4.5% through December 11, 2007 and
then it dropped to 4.25%. In April 2008 it dropped to 2.0%.
OBSERVATION
Interest rate changes and volatility affect the valuation assertion related to
investments and derivatives. For investments whose valuation is tied to
interest rates, auditors will need to assure that reasonable interest rates
are used.
Consumer Price Index
The Consumer Price Index for all Urban Consumers (CPI-U) is the most
widely used measure of inflation. It measures the change over time in the
prices paid by urban consumers for a market basket of goods and services.
Using 1982-84 as baseline years, the CPI-U increased from 179.9 in 2002
to 201.6 in 2006, and 207.3 in 2007.
Interest Rates for Below-Market Loans
This rate is published annually by the IRS. It is useful for auditors in assessing the reasonableness of interest rates and determining imputed interest
for below-market loans. It has increased steadily since 2003, from 1.52%,
up to 4.92% in 2007.
Housing Market
After five years of record growth, the housing market has continued to
deteriorate since 2006. Foreclosures in August 2007 rose compared to the
previous month, and more than doubled compared to a year earlier. These
conditions not only slow the economy directly, but also raise concerns about
reduced consumer spending and inflation in the future.
Subprime Mortgages and the Liquidity Crisis
The rate of default and foreclosure on subprime mortgages has increased
sharply. This, combined with falling real estate prices, has resulted in significant credit losses. Most of these loans were ultimately financed by investors
who bought mortgage-backed securities. Currently, the number of investors
willing to provide such funding is dropping. This restricts the amount of capital available to originate new loans or to refinance existing loans. The values
of existing loans and mortgage-backed securities have decreased significantly.
The number of mortgage lenders has decreased, and those still making loans
have tightened their underwriting standards, making credit less available.
Investments in assets backed by subprime mortgages are found across the
spectrum of investors, including commercial and investment banks, insurance companies, mutual funds, hedge funds, pension and employee-benefit
plans, and university endowment funds. The price volatility in this area is of
particular concern to auditors in measuring the fair value of these assets.
STUDY QUESTIONS
1. Interest rate statistics can be useful to auditors in considering the valuation assertion related to certain assets. True or False?
AUDITING DEVELOPMENTS
Communication With Those Charged With Governance
SAS 114, The Auditor’s Communication With Those Charged With Governance,
became effective for audits of financial statement periods beginning on or
after December 15, 2006. It significantly broadens auditors’ responsibilities
for identifying persons charged with governance, and for communicating
matters to them. Unlike the previous requirements under SAS 61, this Standard applies to all non-SEC issuer entities regardless of their size, ownership,
or organizational structure.
SAS 114 defines those charged with governance as persons with responsibility for overseeing the entity’s strategic direction and its obligations related
to accountability, including overseeing the financial reporting process. It
distinguishes these persons from management, which it defines as those
responsible for achieving the entity’s objectives, and who have the authority to establish policies and make decisions by which those objectives are
to be pursued.
Auditors should determine appropriate persons within the entity’s
governance structure to receive these communications. Depending on the
entity’s structure, this may not be a clear-cut determination. In particular,
family-owned enterprises that do not formally define a governance structure,
or some nonprofit or government entities may present this challenge. When
this is not readily apparent, auditors should reach an agreement with the
engaging party on whom to communicate with.
SAS 114 contains requirements to communicate an overview of the
planned scope and timing of the audit to those charged with governance,
and to document all significant matters communicated.
OBSERVATION
Auditors may need to be more proactive under SAS 114 than they were under SAS 61 in assuring that a mutual understanding with the client has been
reached. This is especially true when dealing with new clients. However, it also
applies to continuing audit clients, due to all the new auditing standards that
have become effective. These may affect previous client understandings.
It is not sufficient to send written communications to those charged with
governance when the auditor has reason to believe they are not being read.
SAS 114 places squarely on auditors the responsibility to take appropriate
action when they believe that effective two-way communication has not
been established for purposes of the audit.
Although written communications were not required under SAS 61, and are
still not generally required under SAS 114, many auditors feel that written
communication represents a “best practice” under most circumstances.
Oral communication is still appropriate, however, especially in the case of
very small, owner-managed clients, as long as it is well-documented.
STUDY QUESTIONS
2. The requirements of SAS 114 apply to:
a. SEC issuers.
b. Only entities that have formally constituted audit committees.
c. All non-SEC issuer entities regardless of their size, ownership, or
organizational structure.
d. Only large entities with defined governance structures.
3. When an entity’s governance structure is such that the person or persons
who should receive the auditor’s communication with those charged
with governance is not readily apparent, the auditor should:
a. Direct this communication to senior management.
b. Direct this communication to the chairman of the board of directors, or the equivalent person.
c. Refrain from issuing such communications.
d. Reach an agreement with the engaging party as to the person or
persons to receive this communication.
Dating of the Auditor’s Report
The Professional Issues Task Force issued Practice Alert No. 07-1 to provide
guidance concerning the dating of the auditor’s report.
One of the key provisions of SAS 103, Audit Documentation, is that
the auditor’s report not be dated earlier than the date on which the auditor
obtained sufficient appropriate evidence to support the report. It goes on to
state that sufficient appropriate evidence includes evidence that:
The audit documentation has been reviewed.
The financial statements, including disclosures, have been prepared.
Management has taken responsibility for the financial statements.
OBSERVATION
This requirement marks a significant departure from the previous practice
of dating the auditor’s report as of the last date of field work. As a practical
matter, this may create a need for firms to modify their engagement procedures to include a field review of the audit documentation and the financial
statements. In some cases, additional visits to update subsequent events
tests and management representations may also be necessary.
PCAOB Standards
The Audit Alert discusses developments at the Public Company Accounting
Oversight Board (PCAOB). These developments directly affect only audits
of SEC issuers. However, as noted in the Observation to AS-5, below, they
have, in at least one instance, influenced the AICPA to amend standards
for non-issuers.
Auditing Standard No. 5. In its monitoring of the implementation of Auditing Standard No. 2 (AS-2), the PCAOB concluded that the audit of internal
control over financial reporting has yielded significant benefits to corporate
processes and controls. These benefits, however, have come at significant and
higher than anticipated costs and, at times, at an effort greater than needed
to conduct an effective audit of internal control.
As a result, the new AS-5, An Audit of Internal Control Over Financial
Reporting That is Integrated with an Audit of Financial Statements, was issued
to replace AS-2, effective for fiscal years ending on or after November 15,
2007. Its objective is to focus auditors on matters most important to internal
control, to eliminate unnecessary procedures, to simplify and shorten the
standard by reducing detail and specificity, and to make it more scalable for
smaller and less complex entities.
This new standard does the following:
Directs auditors to the most important controls.
Emphasizes the importance of risk assessment and a top-down approach.
Places additional emphasis on fraud controls, including:
Assessing fraud risk in the planning process.
Offering additional guidance on the types of controls that may address fraud risk.
Identifying management fraud as a high risk area.
Recalibrates the walk-through requirement.
Permits consideration of knowledge obtained in previous audits.
Redefines the terms significant deficiency and material weakness.
Revises the list of strong indicators of a material weakness.
Adopts requirements that auditors consider and communicate any identified significant deficiencies to the audit committee.
Directs auditors to tailor audits to reflect the attributes of smaller and
less complex entities.
Removes a requirement for auditors to evaluate management’s process.
Offers further guidance on scoping decisions for multiple-location audits.
OBSERVATION
The re-definition of the terms significant deficiency and material weakness is
important to auditors of non-issuers as well, because the AICPA is changing
the existing definitions of those terms in SAS 112 to conform to the AS-5
definitions. In June 2008, an exposure draft was issued which changes
those terms. Those new definitions for non-issuers will be:
Significant deficiency. A deficiency or combination of deficiencies in
internal control over financial reporting that is less severe than a material
weakness, yet important enough to merit attention by those responsible
for oversight of the company’s financial reporting.
Material weakness. A deficiency or combination of deficiencies in internal
control over financial reporting such that there is a reasonable possibility
that a material misstatement of the company’s annual or interim financial
statements will not be prevented or detected on a timely basis.
The existing definition of significant deficiency is:
a control deficiency, or combination of control deficiencies, that
adversely affects the entity’s ability to initiate, authorize, record,
process, or report financial data reliably in accordance with generally
accepted accounting principles such that there is more than a remote
likelihood that a misstatement of the entity’s financial statements that
is more than inconsequential will not be prevented or detected.
These new definitions are effective for periods ending on or after December 15, 2009, that is, starting with December 31, 2009 audits. Earlier
implementation is permitted. The new definition could be used as soon as
the final document is approved. The revised definitions for non-issuers are
primarily semantic in nature according to the AICPA, and are expected to
clarify these terms in practice. They are not expected to create significant
changes in practice, in the AICPA’s view.
OBSERVATION
Some practitioners have voiced the opinion that the new definition blurs
what was a reasonably bright line definition under the original wording of
SAS 112. They feel that at least some number of control related matters
that, under the original definition, were clearly required to be commented
upon in writing have now moved into a gray area that will be much more
subject to debate by management. Other practitioners have hailed this
change because they feel it restores to the profession some of the discretion
that it used to have under previous standards as to the threshold for what
matters were required to be reported in writing. The AICPA avows that it is
not its intention to “lower the bar” by this change, but merely to move the
ASB standards into line with the PCAOB, to avoid confusion.
The impact of this change is likely to vary widely from one engagement to
another within each auditing practice, depending on the nature and number
of internal comments, and upon the characteristics of management. In any
case, auditors should consider how this change is likely to affect particular
engagements in the coming year.
AS-5 also incorporates some key concepts related to considering and using
the work of others. Among those concepts are the following:
Eliminating a barrier to integration of the financial statement and internal control audits by allowing auditors to use the work of others to
obtain evidence about the design and operating effectiveness of internal
controls for both audits.
Eliminating the principal evidence provision. Auditors may now
use the work of competent and objective other persons to obtain
evidence supporting their assessment of control risk for the financial
statement audit.
Allowing auditors to use the work of company personnel other than
internal auditors, or third parties working under the direction of management or the audit committee.
Requiring auditors to use a risk-based approach to the extent that they
can use the work of others. Otherwise stated, the need for auditors to
perform their own work on controls increases with the associated risk.
Audit committee pre-approval of non-audit services. PCAOB Rule 3525,
Audit Committee Pre-Approval of Non-Audit Services Related to Internal Control
Over Financial Reporting, requires the audit firm to submit a written description of the scope of the service to the audit committee, and to discuss with
the audit committee the potential effect of the service on independence. The
substance of this discussion is required to be documented. This rule became
effective for audits of fiscal years ending on or after November 15, 2007.
STUDY QUESTIONS
4. Which of the following statements best applies, in audits of non-issuers,
to the new definitions of significant deficiency and material weakness?
a. The new definitions are effective for fiscal years ending on or after
November 15, 2007.
b. The new definitions are effective January 1, 2009.
c. The new definitions are expected by the AICPA to create significant changes to practice under the previous provisions of
SAS 112.
d. A significant deficiency is more severe than a material weakness.
Alternative Investments
The AICPA’s Alternative Investments Task Force issued a practice aid entitled
“Alternative Investments—Audit Considerations.” Alternative investments
often include direct holdings of subprime loans, or investment vehicles whose
value is affected by the value of subprime loans. These investments often
do not have a readily determinable market value, and may have greater risk
and volatility. In some cases, the existence of these investments may not be
readily obvious, and may be identified only by audit procedures designed
for that purpose. Developing support for the valuation assertion for these
investments can be difficult because of the lack of readily determinable fair
value, and the limited information often provided by the fund managers.
The practice aid for alternative investments offers non-authoritative guidance for auditors faced with these situations. This document comments on:
The client’s responsibility to have controls in place to enable management
to address the valuation assertion.
The auditor’s responsibility to obtain support for an opinion on the
valuation assertion.
General considerations pertaining to the auditing of alternative investments.
Addressing the existence and valuation assertions.
Management representations.
Disclosure of certain risks and uncertainties.
Reporting.
Confirmations.
Due diligence.
Ongoing monitoring.
Financial reporting controls.
Subsequent events tests are also important in determining the appropriate
period in which to recognize identified declines in value.
ACCOUNTING ISSUES AND DEVELOPMENTS
Fair Value Measurements
Prior to the issuance of FASB Statement No. 157, Fair Value Measurements,
(FAS 157) different definitions of fair value and different guidance for applying them were dispersed throughout various accounting pronouncements.
FAS 157 provides one consistent definition, and provides for expanded disclosures about the use of fair value to measure assets and liabilities.
Definition. Fair value is defined by FAS 157 as “the price that would be
received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date.” This definition
retains the notion of an exchange price to define fair value, but clarifies that
it is a hypothetical transaction from the seller’s point of view. In other words,
it is the price that the owner of an asset would accept to sell the asset, or
that the owner of a liability would pay to transfer the liability. It is an “exit
price,” rather than the “entry price” that a buyer would pay to acquire an
asset or receive to assume a liability.
This definition assumes that the transaction takes place in the principal
market, which it defines as the market that has the greatest volume and level
of activity, or, in the absence of a principal market, the most advantageous
market for the asset or liability.
Fair value measurement for an asset also assumes its highest and best use,
considering what is physically possible, legal, and economically feasible at
the measurement date. Highest and best use is established by one of two
valuation premises:
Value-in-use. This premise assumes that the asset would provide maximum value to market participants principally through its use in combination with other assets. This premise is appropriate for certain nonfinancial assets. It assumes use as installed, or as configured for use, with
a group of assets that would also be available to market participants.
Value-in-exchange. This premise assumes that the asset would provide
maximum value primarily on a standalone basis. This would usually be
appropriate for a financial asset.
The fair value measurement for a liability reflects the risk that the obligation
will not be fulfilled; that is, a nonperformance risk. This includes the consideration of the entity’s credit risk and its effect on the value of the liability.
FAS 157 also assumes the existence of an “orderly transaction,” which
means that there is no forced sale.
Valuation techniques. FAS 157 discusses valuation techniques that are
appropriate to measure fair value. In some cases, a single technique will
be appropriate, while in others multiple techniques may be used and their
indications of value weighted.
Market approach. This approach uses prices and other information
involving identical or comparable assets or liabilities.
Income approach. This approach uses valuation techniques to convert
future amounts, such as earnings or cash flow, to a discounted present
amount, based on market expectations about those future amounts.
Cost approach. This is often referred to as current replacement cost, and
is based on the amount that currently would be required to replace the
service capacity of an asset.
An appendix to FAS 157 provides discussion and guidance on the use of
present value techniques in valuation.
Fair value hierarchy. All valuation techniques depend on inputs derived
from assumptions based on market data. FAS 157 prioritizes these inputs
into three broad levels:
Level 1 inputs are quoted prices in active markets for identical assets or
liabilities that the entity has the ability to access at the measurement date.
An active market is one in which transactions for the asset or liability
occur with sufficient volume and frequency to provide ongoing pricing
information. Quoted prices in active markets are considered the most
reliable evidence of fair value, and should be used whenever available.
Level 2 inputs are inputs other than level 1 that are observable either
directly or indirectly. These include:
Quoted prices for similar assets or liabilities in active markets.
Quoted prices for identical or similar assets or liabilities in markets
that are not active.
Observable inputs other than quoted prices, such as interest rates or
yield curves observable at commonly quoted intervals, credit risks,
and default rates.
Inputs derived from or corroborated by observable market data by
correlation or other means.
Level 3 inputs are unobservable inputs. When there is little or no market
activity at the measurement date, the reporting entity is forced to make
its own assumptions about the marketplace.
Disclosures. FAS 157 expands the disclosures required for assets and liabilities
measured at fair value. Those disclosures include information designed to assist readers of the financial statements in assessing the inputs used to develop
fair value measurements. Where Level 3 inputs are used, the entity is required
to disclose certain information to assist users in assessing the effects of the
measurement on earnings for the period.
FAS 159. FAS 159, The Fair Value Option for Financial Assets and Financial
Liabilities, expands the use of fair value measurement. It allows entities to
choose to measure financial instruments and certain other items at fair value.
It permits the election of the fair value option on an instrument-by-instrument basis. Once made, however, the election is irrevocable. It allows entities
to mitigate volatility in reported earnings caused by measuring related assets
and liabilities differently without having to apply hedge accounting provisions. It also establishes presentation and disclosure requirements designed
to facilitate the comparability of entities that choose different measurement
attributes for similar types of assets and liabilities.
STUDY QUESTIONS
5. FAS 157 considers which of the following to be the most reliable evidence
of fair value?
a. Quoted prices for similar assets or liabilities in active markets.
b. Quoted prices for identical assets or liabilities in active markets.
c. Unobservable inputs in which the reporting entity makes its own
assumptions about the marketplace.
d. Observable inputs other than quoted prices, such as interest rates
or yield curves observable at commonly quoted intervals.
Defined Benefit Pension and Other Postretirement Plans
FAS 158, Employers’ Accounting for Defined Benefit Pension and Other Postretirement Plans, strengthens financial reporting by requiring that employers recognize
the overfunded or underfunded status of a defined benefit postretirement plan,
other than a multi-employer plan, as an asset or liability. Changes in funded
status are required to be recognized in the year in which they occur through
comprehensive income for a business entity, or through changes in unrestricted
net assets for a nonprofit organization. Employers are also required, with limited
exceptions, to measure the funded status of a plan at year end.
OBSERVATION
FAS 158 causes information that was previously reported in the notes to be
recognized in the financial statements. Reporting of the current funded status
of postretirement benefit plans as an asset or liability enhances the capability of
financial statement users to assess the employer’s ability to satisfy the benefit
obligations without referring to the notes. Similarly, recognizing events and
transactions that affect funded status in the financial statements in the year
that they occur enhances the timeliness of financial statement information.
Funded status. The funded status of a plan is the difference between plan assets
at fair value and the benefit obligation. For pension plans, the benefit obligation
is the projected benefit obligation. For any other postretirement benefit plan,
the benefit obligation is the accumulated postretirement benefit obligation.
Accumulated other comprehensive income. Gains or losses and prior
service costs or credits that arise during the period but are not recognized as
components of net periodic benefit cost are recognized, net of tax, as other
comprehensive income. These amounts are later adjusted as they are subsequently recognized as components of periodic net benefit cost.
Disclosures. FAS 158 requires footnote disclosure about certain effects on net
periodic benefit cost for the coming fiscal year that arise out of delayed recognition of gains or losses, prior service costs or credits, and transition assets or
obligations remaining from the initial application of FAS 87 and FAS 106.
Effective dates. Provisions of FAS 158 contained different effective dates,
depending upon whether or not the employer was an issuer of publicly traded
securities. Those effective dates are all past as this Course goes to press.
However, the requirement to measure plan assets and benefit obligations as
of the date of the employer’s fiscal year end is effective for fiscal years ending
after December 15, 2008.
STUDY QUESTIONS
6. FAS 158 introduced as significant changes to previous accounting
practice all of the following except:
a. A requirement to measure the funded status of a plan as of the
end of each fiscal quarter.
b. A requirement to recognize in the financial statements events and
transactions that affect funded status in the year that they occur.
c. A requirement that employers recognize the overfunded or underfunded status of a defined benefit postretirement plan, other than
a multi-employer plan, as an asset or liability.
d. A required footnote disclosure about certain effects on net periodic benefit cost for the coming fiscal year that arise out of delayed
recognition of gains or losses, or prior service costs or credits.
Income Tax Accruals and Deferred Income Taxes
FASB Interpretation No. 48, Accounting for Uncertainty in Income Taxes,
(FIN 48) states that financial statement income tax accrual may contain tax
positions that meet the more-likely-than-not standard. Tax positions in the
current year or in any previous year for which the statute is still open that
do not meet this standard must be disclosed and may become the subject
of increased scrutiny by taxing authorities.
Evaluation of a tax position. Evaluation of a tax position under FIN 48 is
a two-step process:
Recognition. The entity determines whether a tax position is more likely
than not to be sustained upon examination, which includes resolution
through appeals or litigation, based on its technical merits. The entity
should assume, when making this determination, that the taxing authority will have full knowledge of all relevant information.
Measurement. A tax position that meets the more-likely-than-not test is
measured to determine the amount of benefit to recognize in the statements. The amount of benefit is the largest amount that would be more
than 50 percent likely of being realized on settlement.
Tax positions may not initially meet the more-likely-than-not threshold, but
in subsequent years that determination may change. Those positions should
be recognized in the first subsequent financial statement reporting period in
which the threshold is met. Likewise, previously recognized positions that
no longer meet the threshold should be derecognized in the first subsequent
period in which the threshold is no longer met. The use of a valuation allowance, such as for a deferred tax asset under FAS 109, is not appropriate
as an alternative treatment for the derecognition of a tax position.
OBSERVATION
FIN 48 will result in increased work by accountants and auditors on the
income tax accrual. Seemingly mundane issues such as unreasonable
compensation or decisions to capitalize or expense will now need to be
evaluated. It is important also to note that the evaluation should be done
for each taxing jurisdiction, including states and local governments, as well
as foreign governments where taxes are based on income. FIN 48 does not
apply to property tax or other taxes not based on income.
The FASB has issued FASB Staff Position FIN 48-1, Definition of Settlement
in FASB Interpretation No. 48, in order to clarify that a tax position could be
effectively settled upon examination by a taxing authority. The FSP describes
conditions for evaluating effective settlement and offers guidance for determining effective settlement with respect to an examination by taxing authorities.
For non-public entities, the effective date for FIN 48 was delayed for a
year. It will not be effective for year-end December 31, 2008 fiscal years for
non-public entities.
Independence issues. Many practitioners have questioned whether they
could assist clients in applying FIN 48, and still maintain their independence under Ethics Interpretation 101-3, Performance of Nonattest Services
(ET 101-3). The staff of the AICPA’s Professional Ethics Division has issued
nonauthoritative guidance indicating that these services can be performed
if the accountant or auditor meets all the requirements of ET 101-3 and is
satisfied that the client can make informed judgments and take responsibility
for the results of the services.
STUDY QUESTIONS
7. Which of the following statements best applies to the evaluation of a
tax position under FIN 48?
a. In the recognition step of evaluating a tax position, the entity
determines whether that position is more likely than not to be
sustained upon examination based on its technical merits.
b. When determining whether a tax position is more likely than not
to be sustained upon examination, the entity should assume that
the taxing authority’s knowledge of the relevant facts is limited to
those disclosed in the financial statements.
c. For a tax position that meets the more-likely-than-not test, the
amount of benefit to recognize in the statements is the smallest
amount that would be more than 50 percent likely of being realized on settlement.
d. Evaluations of tax positions under FIN 48 apply only to United
States federal income taxes.
8. Under ET 101-3, auditors cannot help their clients with FIN 48 implementation unless:
a. The client is unable to make informed judgments about its
implementation.
b. They are satisfied that the client can take responsibility for the
results of the services.
c. The tax position is more likely than not to be sustained upon
examination based on its technical merits.
d. The client measures the amount of benefit to be recognized.
DEVELOPING ISSUES
The AICPA Clarity Project
The Auditing Standards Board (ASB) has formed a Clarity Task Force to
address widespread concerns over the complexity, clarity, and length of Generally Accepted Auditing Standards (GAAS). The objectives of this project are
to redraft existing auditing standards to make them easier to read, understand,
and apply. Among the conventions for this redrafting are:
Establishing objectives for each standard.
Distinguishing requirements from application and other explanatory
material.
Presenting applications and other explanatory material in a separate section following the requirements section.
Including a definitions section, where relevant, in each standard.
Using formatting techniques such as bulleted lists to improve readability.
Providing special considerations for audits of smaller, less complex entities and governmental entities.
Over the coming two or three years, the ASB will redraft all of the existing
auditing sections of the Codification of Statements on Auditing Standards using
these conventions, and converging them with the International Standards
on Auditing (ISA). The ASB expects that nearly all of the ISA requirements
will be adopted, but that there will also be additional requirements to address
specific U.S. issues, or to retain existing U.S. practices.
This process will include an exposure draft and public comment period.
In order to ease the transition to the redrafted standards, they will all have
the same implementation date. At present that date is expected to be for
periods beginning no earlier than December 15, 2010.
OBSERVATION
The new “clarity project” format closely resembles the format currently used
by International Auditing and Accounting Standards Board (IAASB) in their
standards, and thus should help make these two bodies of standards more
mutually intelligible, as they move toward convergence.
Since the publication of the Audit Risk Alert, two draft standards have been
posted to the AICPA’s website: SAS 103 and SAS 114. These drafts can be
accessed at www.aicpa.org/download/auditstd.
OBSERVATION
Although the comment periods on both of these exposure drafts are closed,
they are well worth taking a look at. They have recast two complex recent
standards into a form that most users are likely to find more readable.
STUDY QUESTIONS
9. Among the goals of the AICPA’s Clarity Project are all of the following
except:
a. Making U.S. auditing standards easier to read and understand.
b. Maintaining U.S. GAAS separate and distinct from International
Standards on Auditing.
c. More clearly differentiating between professional requirements and
application or explanatory material.
d. Providing special considerations for audits of smaller, less complex entities.
International Convergence
The convergence of U.S. and international accounting and auditing standards is receiving serious attention by the profession in both the U.S. and
the international community. Recent actions moving in that direction are
summarized below.
Auditing standards. The ASB has created seven task forces charged with
monitoring certain IAASB activities and working toward convergence with
international auditing standards. The ASB has commented on several of their
exposure drafts. Among the issues that have received attention are:
Auditing accounting estimates.
Related party transactions.
Reports on audited financial statements.
Going concern considerations.
Management representations.
Service organizations.
Using the work of a specialist.
In addition, the Clarity Project, as noted above, is working to converge U.S.
GAAS with the ISAs in its redrafting project.
Accounting standards. The FASB and the IASB have reaffirmed their
commitment to the convergence of U.S. GAAP and International Financial
Reporting Standards (IFRS). Progress toward this goal was made with the
issuance of FAS 157 and FAS 159, which take U.S. GAAP in the direction
of IFRS in respect of fair value reporting.
STUDY QUESTIONS
10. The issuance of FAS 157 and FAS 159 on fair value reporting has moved
U.S. GAAP into closer conformity with IFRS. True or False?
MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 7
Peer Review and Quality Control:
Upcoming Changes
LEARNING OBJECTIVES
At the conclusion of this chapter, the reader should:
Have an overview of the changes to the peer review process.
Understand the effects of the changes to the peer review process and
the quality control standards on a firm’s system of quality control.
Be aware of the implications of these changes for firm quality control
documents.
INTRODUCTION
The AICPA has issued two documents that will usher in a new era in the
peer review process and in systems of quality control for all firms that have
accounting or auditing practices. These documents are:
AICPA Standards for Performing and Reporting on Peer Reviews, which
brings significant revisions to the procedures for performing and reporting on peer reviews.
Statement on Quality Control Standards No. 7, “A Firm’s System of Quality Control” (SQCS 7), which supersedes all of the existing Statements on
Quality Control Standards.
Both of these documents are effective January 1, 2009. Early implementation is prohibited.
This chapter highlights the most significant of the many changes that
these new Standards bring to quality control and peer review. It also discusses
how these changes impact the peer review process, especially reporting, and
the ramifications of these new Standards for firms’ systems of quality control
and their quality control documents.
THE PEER REVIEW PROCESS
The AICPA Standards for Performing and Reporting on Peer Reviews (PRP)
address the perceived call for “transparency” in the peer review process. These
standards are intended to be more “principles based” and less “rules based”
than the previous standards. The most important changes are:
Creation of a new reporting model designed to be more understandable
to users and easier to apply. This model changes the three current ratings
of “unmodified,” “modified,” and “adverse” to “pass,” “pass with deficiencies,” and “fail,” and eliminates the separate letter of comments.
Consolidation of the existing report review and engagement review levels
into a single level.
Restructuring of the peer review program by the creation of a single set
of standards for all AICPA members subject to peer review, rather than
having separate standards for those peer reviews previously performed
under the auspices of the AICPA’s Center for Public Company Accounting Firms.
Reporting Model Changes
The new reporting model is the most visible change, and one of the most
significant, that these new standards have created. The new reports are
more concise and understandable. The report grading scheme has also been
simplified, and the old ratings of “unmodified,” “modified,” and “adverse”
have been changed to “pass,” “pass with deficiencies,” and “fail.” The letter
of comments has been eliminated.
Definitions. The foundation of the new reporting model is a set of four
terms that describe conditions that could be noted in a system review or
an engagement review. These terms establish a hierarchy through which matters are
elevated in evaluating them, and in determining their effects on
the peer review report.
Matter. A matter is typically an item for which a “no” answer was given
to a question in a peer review questionnaire, which a reviewer concludes
warrants further consideration in the evaluation of a firm’s QC system or,
in the case of an engagement review, in evaluating whether an engagement submitted for peer review was performed and/or reported on in
conformity with applicable professional standards.
Finding. In the context of a system review, a finding is one or more
related matters that result from a condition in the firm’s QC system, or
its compliance with the system, such that there is more than a remote
chance that the firm would not perform and/or report in conformity
with applicable professional standards. In an engagement review, a finding is one or more matters that the review captain concludes results in
the financial statements or information, the related accountant’s reports
submitted for review, or the procedures performed, including documentation, not being performed and/or reported on in conformity with
professional standards.
Deficiency. In the context of a system review, a deficiency is one or more
findings that the reviewer concludes could, because of their nature, causes,
pattern or pervasiveness, and their implications for the QC system as a
whole, create a situation in which the firm would not have reasonable
assurance of performing and/or reporting in conformity with professional
standards in one or more important respects. A deficiency is not a significant deficiency in a system review when the reviewer concludes that,
except for the deficiency or deficiencies, the firm has reasonable assurance
of performing and reporting in conformity with professional standards in
all material respects. In an engagement review, a deficiency is one or more
findings that the review captain concludes is material to the understanding of the financial statements or information and/or related accountant’s
reports, or represents the omission of a critical procedure, including
documentation, required by applicable professional standards.
Significant deficiency. In a system review, a significant deficiency is one
or more deficiencies that the reviewer concludes results from a condition
in the QC system, or the firm’s compliance with it, such that the firm’s QC
system taken as a whole does not provide it with reasonable assurance of
performing and/or reporting in conformity with applicable professional
standards in all material respects. In an engagement review, a significant
deficiency exists when the review captain concludes that deficiencies are
evident on all engagements submitted for review.
In system reviews, determining the significance of individual matters, either
by themselves or in combination with others, in relation to the system of
quality control, is a matter of professional judgment. While engagement
reviews do not consider a firm’s system of quality control, determining the
significance of individual matters, either by themselves or in combination
with others, is also important to the process.
Documentation. One of the most important changes in the process of performing
peer reviews has to do with the way the program documentation is
used to communicate findings to the firm. Under the old reporting model, a
significant number of users found the letter of comments to be confusing. The
users’ input further revealed a widespread misunderstanding of this letter’s
purpose, in light of the fact that it does not affect the opinion or type of report
issued. Also, drafting the letter of comments absorbs a significant amount of
the reviewer’s time and effort. As a result of these considerations, the Peer
Review Board decided to eliminate the separate letter of comments.
The primary intent of the peer review program is, and always has been,
to promote quality practice and to educate firms, rather than to regulate or
punish them. For this reason, the Board wanted to retain a means of communicating findings and corrective actions to firms. Toward this end, existing
peer review program documentation, outside of the reporting process, has
been expanded, to allow peer reviewers to make substantive comments and
recommendations and for firms to provide meaningful responses.
The new process involves the use of three forms in the peer review
documentation:
Matter for Further Consideration (MFC) form. This form is familiar
and little changed from current practice. It typically results when a “no”
answer to a question in a peer review questionnaire causes a reviewer to
conclude that a matter warrants further consideration in the evaluation of
a firm’s QC system or, in the case of an engagement review, in evaluating
whether an engagement submitted for peer review was performed and/
or reported on in conformity with applicable professional standards. It
contains spaces for the reviewer to describe the matter and to cite specific
professional standards, along with room for the firm to comment upon
the matter. This form is the “entry point” for either developing a finding that will be communicated in writing further down the line, or for
resolving the matter. A matter is usually discussed with the firm, and may
be cleared at this stage. If it does not get elevated further, a peer review
report with a “pass” rating is issued.
Disposition of MFC (DMFC) form. This is a new form. Its purpose is to
summarize all MFCs and ensure that they have been addressed and to
document how they were resolved. It does not require further description
or explanation of the MFCs. This form is the next step in developing or
disposing of a finding.
Findings for Further Consideration (FFC) form. This is also a new form.
It is to be used in situations similar to those that would require a letter
of comments in the current peer review reporting model. It is to be prepared in a system review when there are findings that the team captain
believes resulted in more than a remote possibility that the firm would
not perform or report on an engagement in conformity with professional
standards, but were not of such significance to include in a report with a
“pass with deficiencies” or “fail” rating. In an engagement review, it is to be
prepared when there are findings that the review captain believes resulted
in financial statements or information; related accountant’s reports; or
procedures performed that were not in conformity with applicable professional standards, but that were not deemed to be significant deficiencies
to be included in a report with a “pass with deficiencies” or “fail” rating.
This form provides a description of the finding, including whether it is
a repeat, and the reviewer’s recommendations. It also identifies which
MFCs are contained in the finding, and includes the reviewed firm’s
response, including corrective actions, and the firm’s signature.
These forms are reviewed by the administering entity and its peer review
committee and are a part of the peer reviewer’s workpapers outside of the
reporting and acceptance process. Neither they, nor any of the other peer
review workpapers are made publicly available. They are, however, a part of
the records of the peer review, which are maintained by both the administering entity and the peer reviewer until the completion of the next review.
OBSERVATION
Peer reviewers and firms alike have greeted this new scheme of documentation, and particularly the elimination of the letter of comments,
enthusiastically. The letter of comments has long been problematic to
reviewers for the time that it takes to draft. It has also been an occasional
bone of contention with firms, who would prefer that certain matters not
be recorded in a formal written document that is referred to in the body
of the actual peer review report. Finally, matters in a letter of comments
have sometimes been misinterpreted by members of the public, and have
been attributed unwarranted significance. The new FFC form, since it is not
designed as a formalized communication, will likely save the reviewer some
drafting time. It allows reviewers to communicate matters to firms, but will
also satisfy firms by keeping matters that do not affect the report outside
of the reporting process.
All but a small minority of states have some form of mandatory peer review
requirement as a condition of licensure. The elimination of the letter of
comments may yet become a politically charged issue if regulators or other
users perceive this move as an effort to “sweep deficiencies in practice
under the rug.”
STUDY QUESTIONS
1. The purpose of the “Disposition of Matters for Further Consideration”
(DMFC) form under the new Standards is to:
a. Provide a description of the finding, including whether it is a repeat.
b. Identify which MFCs are contained in particular findings.
c. Summarize all “Matter for Further Consideration” (MFC) forms,
ensure that they have been addressed, and document how they
were resolved.
d. Document matters warranting further consideration in the evaluation of a firm’s QC system.
2. Which of the following statements best applies to the “Findings for
Further Consideration” (FFC) form under the new Standards?
a. This form is an integral part of the reporting process.
b. This form eliminates the current letter of comments.
c. This form is subject to public inspection in jurisdictions with mandatory peer review requirements.
d. Copies of this form should not be maintained by the peer reviewer
after the completion of the review.
Reporting. The most visible effect of the revised Standards is a sweeping
change in the reporting process. The peer review program will now offer
three levels of reports:
Pass.
Pass with Deficiencies.
Fail.
These levels are similar to the current rating system of “unmodified,” “modified” and “adverse.” This terminology was adopted because of feedback indicating that the old terms were not clear to the public.
Determining report ratings. In order to determine what rating a peer review
receives, reviewers will refer to the definitions of “finding,” “deficiency,” and
“significant deficiency” in considering the matters raised in the peer review.
Pass. In a system review, a finding is one or more related matters that
result from a condition in the firm’s QC system, or its compliance with the
system, such that there is more than a remote chance that the firm would
not perform and/or report in conformity with applicable professional
standards. In an engagement review, a finding is one or more matters
that the review captain concludes results in the financial statements or
information; the related accountant’s reports submitted for review; or the
procedures performed, including documentation; not being performed
and/or reported on in conformity with professional standards. Findings
are documented, communicated to the firm, and responded to by the
firm, on the new FFC form. In either a system review or an engagement review, when a reviewer concludes that no finding, individually
or combined with others, rises to the level of a deficiency or significant
deficiency, a report rating of “pass” is appropriate.
Pass With Deficiencies. In a system review, a deficiency is one or more
findings that the reviewer concludes could, because of their nature, causes,
pattern or pervasiveness, and their implications for the QC system as a
whole, create a situation in which the firm would not have reasonable
assurance of performing and/or reporting in conformity with professional
standards in one or more important respects. A system review report rating of “pass with deficiencies” is appropriate under these circumstances.
In an engagement review, a deficiency is one or more findings that the
review captain concludes are material to the understanding of the financial
statements or information and/or related accountant’s reports or that
represents the omission of a critical procedure, including documentation, required by applicable professional standards. When the reviewer
concludes that deficiencies are not evident on all of the engagements
submitted for review, or that the exact same deficiency exists on all engagements submitted for review and no other deficiencies are evident, a
peer review rating of “pass with deficiencies” is ordinarily appropriate.
Fail. In a system review, a significant deficiency is one or more deficiencies
that the reviewer concludes results from a condition in the QC system,
or the firm’s compliance with it, such that the firm’s QC system taken
as a whole does not provide it with reasonable assurance of performing
and/or reporting in conformity with applicable professional standards in
all material respects. A report rating of “fail” is appropriate under these
circumstances. In an engagement review, a significant deficiency exists
when the review captain concludes that deficiencies are evident on all
engagements submitted for review, except when the exact same deficiency
appears on multiple engagements and no other deficiencies were evident.
When a significant deficiency exists, the reviewer concludes that all
engagements submitted for review were not performed and/or reported
on in conformity with applicable professional standards in all material
respects. A peer review rating of “fail” is therefore appropriate.
Other reporting matters. Under the new Standards, deficiencies will be
cited in the body of the peer review report when a rating of “pass with
deficiencies” is appropriate. Both deficiencies and significant deficiencies
will appear in the body of the report when a rating of “fail” is appropriate.
This is similar to the current practice, in which deficiencies that result in
modified or adverse reports appear in those reports. The major difference,
as noted above, is that findings that would, under the current Standards, be
reported in a letter of comments will be recorded on an FFC form instead,
which will remain outside of the reporting process.
Significant changes to the old reporting model include:
Shortening the length of the report.
Revised language that is easier to understand and requires minimal tailoring to suit the needs of individual peer reviews.
Reference to a URL for a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review,
rather than detailing this information in the report or in an attachment,
as is the current practice.
All of these changes are directed toward the “transparency” issue, and toward
making peer review reports easier for users to understand. Illustrations of all
of the various possible types of reports for system and engagement reviews
appear in the Appendices to the new Standards.
The new reporting model is designed to promote consistency and efficiency, and to make the reports more understandable to readers. The process
to determine which type of report to issue is more structured and rigorous.
Reviewers, under the new Standards, evaluate threshold questions to distinguish between findings, deficiencies and significant deficiencies. Through
this process, they arrive at a decision as to the type of report to issue.
One of the most significant results of this new process is that the Peer Review
Board expects to see more “pass with deficiencies” peer review reports under the
new Standards than “modified” reports under the old Standards.
Table 7-1: Comparison of Peer Review Report Types Under Old and New Standards

| Old Standards | Revised Standards |
|---|---|
| Unmodified–No LOC: “Matters,” if any, recorded on MFCs; OR Unmodified–LOC: “Finding(s)” reported in LOC | Pass: “Finding(s),” if any, recorded on FFC; “Matter(s),” if any, recorded on MFC |
| Modified: “Deficiency(ies)” reported in report; “Finding(s),” if any, reported in LOC | Pass With Deficiency: “Deficiency(ies)” reported in report; “Finding(s),” if any, recorded on FFC; “Matter(s),” if any, recorded on MFC |
| Adverse: “Deficiency(ies)” reported in report; “Finding(s),” if any, reported in report | Fail: “Significant deficiency(ies)” reported in report; “Deficiency(ies),” if any, reported in report; “Finding(s),” if any, recorded on FFC; “Matter(s),” if any, recorded on MFC |
OBSERVATION
The exposure draft process for the new reports indicates that most people
agree that the new report ratings will be more understandable to the public,
and that the new, more condensed report language will be well received.
Some controversy arose in the exposure draft stage about the inclusion in
the report of a URL referring readers to expanded information about the
peer review program. The Board, after considering these comments, ultimately reaffirmed its belief that the URL helps accomplish the objectives
of making the report more concise and understandable.
Implementation plans. Under the old standards, a reviewed firm might be required to perform certain corrective actions to address deficiencies or comments
reflected in a modified or adverse report or letter of comments. This process
is essentially unchanged under the new standards when a firm has a “pass with
deficiencies” or “fail” report. However, because of the elimination of the letter
of comments and related reporting model changes, a new process was needed
to address findings in the FFC forms.
Under the new Standards, the committee considers and evaluates the findings
in the FFC forms, which include the recommendations of the review team and
the firm’s responses. The firm may be required to evidence its agreement to an
implementation plan for corrective actions in writing, and to complete those
actions as a condition of cooperation with the administering entity. If the firm
fails to cooperate with the implementation plan, it could be subject to due
process procedures resulting in termination from the peer review program.
STUDY QUESTIONS
3. When a reviewer concludes that no finding, individually or combined with
others, rises to the level of a deficiency or significant deficiency, which of
the following report ratings is appropriate under the new Standards?
a. Pass.
b. Unmodified.
c. Modified.
d. Pass with deficiencies.
4. Significant changes to the old reporting model include all of
the following except:
a. Shortening the report.
b. Revised language that is easier to understand.
c. Reference to a URL for a “plain English” description of the nature,
objectives, scope, limitations of, and procedures performed on the
peer review.
d. Revised language that encourages more tailoring to suit the needs
of individual peer reviews.
Consolidation of Existing Report and Engagement Reviews
The old Standards provided for three levels of peer review: system, engagement and report. The new Standards pare this down to two by merging the
old report review process into the engagement review process. Under the
old Standards, engagement reviews generally were for firms that perform
reviews or full-disclosure compilations, and report reviews were for firms
that perform only compilations that omit substantially all disclosures. The
objectives of these two levels of peer review, and the processes for performing
and reporting on them, are so similar that the Board felt it would simplify
the program and create more clarity for users of peer review reports to consolidate these two levels of peer review.
Program Restructuring
The new Standards restructure the nationwide program into one single program for all firms and do away with the separate program under the auspices
of the old Center for Public Company Accounting Firms (CPCAF) for firms
that audit SEC issuers. The majority of peer reviews, for firms that do not have
SEC practices, will continue to be administered largely by state societies, as is
the current practice. Reviews that previously fell under the CPCAF program
will now be conducted under the same standards as all other peer reviews but
will be administered by a newly-created National Peer Review Board.
OBSERVATION
The Board and most “stakeholders” in the peer review program view the
consolidation of these two programs as a positive step. Public feedback
indicated that existence of two parallel, but not identical, programs was
confusing and unnecessary.
STUDY QUESTIONS
5. The new Standards have merged the old report review process into the
engagement review process. True or False?
QUALITY CONTROL SYSTEMS
SQCS 7 contains many significant changes to previously existing quality
control practices. The most sweeping of those include:
A requirement for all firms with accounting or auditing practices to have
documented quality control policies and procedures. The old SQCSs
required firms to have quality control policies and procedures, but allowed considerable discretion in deciding whether, or to what extent,
they should be documented. While the new SQCS still allows discretion
as to the extent of documentation, based upon a firm’s size and operating
characteristics, even the smallest firm should have some documentation.
This applies even to firms that do only compilations and reviews.
Addition of a new element, entitled “leadership responsibilities for quality control within the firm,” to the required elements of quality control.
This element is also referred to as “tone at the top.”
A requirement for firms to assign management responsibilities so that
commercial considerations do not override the objectives of the quality
control system, and to design their personnel policies, including compensation, to demonstrate an overarching commitment to quality.
A requirement for annual written independence confirmations from staff
who are subject to independence rules.
Requirements for policies and procedures related to resolving differences
of professional opinion, and for dealing with complaints or allegations
of noncompliance with professional standards or with the firm’s system
of quality control.
Requirements for annual monitoring procedures. These requirements
include a significant new requirement for “engagement quality control
reviews.” These are pre-issuance reviews, conducted by a person not connected
with the performance of the engagement, and are required to be
conducted under certain circumstances defined by the firm.
Documentation and Communication
SQCS 7 requires that all firms should document their quality control policies and procedures. The extent of documentation necessary depends on the
size, structure and nature of the practice.
OBSERVATION
This is a significant new requirement. Under the previous SQCSs, all firms
with accounting and auditing practices were required to have QC systems.
However, there was no requirement that all firms document their QC systems. This led to a misconception that firms that do not perform audits,
and thus do not have system reviews, do not need to have a QC system.
This was untrue under the old SQCSs, and continues to be untrue. Even
firms that have only compilation and/or review practices must establish
systems of quality control.
SQCS 7 explicitly recognizes the obvious fact that the QC system for a sole
practitioner who performs only compilations omitting substantially all disclosures will be significantly less complex and will require less documentation
than that of a large, multi-office auditing firm. Nonetheless, both firms should now
have documented QC systems, even though firms that have engagement
reviews will never have their systems peer reviewed. Existing peer review
documentation for system reviews has required firms to complete a quality
control policies and procedures questionnaire, which, for many small firms,
serves as their QC document. Indications are that this will continue to be
an acceptable practice under SQCS 7. This may be an efficient approach
to QC system documentation for many smaller firms.
As a result of this requirement, it is likely that many firms will turn to purchased
practice aids as a source of documentation for their QC systems. This is an
efficient method of creating an effective quality control document. However,
firms should be careful not to adopt “canned” systems without carefully considering how they fit their practices, and modifying them as appropriate for their
individual firm needs. Most importantly, firms should be careful not to impose
upon themselves requirements that exceed the requirements of professional
standards unless they actually intend, and have the resources, to comply with
them. If firms adopt standards that they cannot comply with, the peer review
will be obliged to hold them to the higher standard that their QC document
sets, and will thus put them out of compliance with their own system.
Firms should, under SQCS 7, communicate their QC policies and procedures
to their personnel. The spirit of this standard is that such communication
should be effective in explaining the system’s objectives and in delivering
the message that each individual in the firm is responsible for quality work.
While this was always implied under the previous Standards, SQCS 7 makes
it an explicit requirement. It does state, however, that the communication
need not be in writing.
STUDY QUESTIONS
6. A significant change introduced by SQCS 7 relative to the documentation of quality control systems is that:
a. Firms that do only compilations and reviews can elect not to have
documented quality control policies and procedures.
b. Firms that do not have system reviews are not required to document the quality control policies and procedures for their accounting practices.
c. Only firms with auditing practices should have documented quality control policies and procedures.
d. All firms with accounting or auditing practices should have documented quality control policies and procedures.
Elements of a Quality Control System
SQCS 7 contains six elements, including one completely new element, that
firms should address in their QC systems.
Leadership responsibilities for quality within the firm. This element is
otherwise referred to as “tone at the top.” It first entered the professional
literature in the Public Company Accounting Oversight Board (PCAOB)
inspection process, and has been adopted in the AICPA’s philosophy for non-SEC practice. Its essence is that firms should promote an internal culture
based on the recognition that quality is essential and should adopt policies
and procedures to support that culture. The firm’s leadership, which may
be its managing partner, board, CEO or equivalent, should assume ultimate
responsibility for the QC system.
SQCS 7 explicitly recognizes that a firm’s business strategy is subject to
the overarching requirement for the firm to achieve the objectives of its QC
system, and that commercial considerations cannot be allowed to override the
system. The examples that the firm’s leadership sets, such as recognizing and
rewarding quality work through policies and procedures for performance
evaluation, compensation, and promotion, can significantly influence the
firm’s culture.
Under this new element, the firm’s leadership should assume ultimate
responsibility for the QC system, and should:
Promote an internal culture based on the recognition that quality is essential.
Establish policies and procedures to promote that culture.
Recognize that its business strategy is subject to the overarching
requirement for quality in all engagements performed, and accordingly should:
Assign management responsibilities so that commercial considerations do not override the quality of work.
Address performance evaluation, compensation, and promotion so
as to demonstrate a commitment to the QC system.
Devote sufficient appropriate resources to developing, communicating, and supporting quality control policies and procedures.
OBSERVATION
This is a new element in the AICPA’s model for QC systems. It addresses
perceptions that have been held by some people both inside and outside the
profession that profit-making considerations sometimes override a commitment to quality. One of the foremost of these, from the point of view of some
members of the profession, has to do with compensation and advancement.
Whether or not it is true within any particular firm, there has long been a
perception that the “rainmakers,” that is, those who bring in and manage
high-paying client engagements, get compensated and promoted ahead
of the “technicians” upon whose skill the relationship rests. The PCAOB,
in some of its early inspection reports, explicitly cited this as a “tone at the
top” issue that sends a message that the firm’s management is less serious
about the quality of work than it is about commercial considerations.
STUDY QUESTIONS
7. SQCS 7’s new quality control element, “leadership responsibilities for
quality within the firm” requires that:
a. The firm’s leadership should assume ultimate responsibility for the
QC system.
b. The firm’s business strategy should give commercial considerations and quality control equal weight in designing and achieving
the objectives of its QC system.
c. The firm should consider adopting policies and procedures
designed to promote an internal culture based on the recognition
that quality is essential.
d. The firm’s leadership should assign ultimate responsibility for the
QC system to a suitably qualified partner of the firm.
Relevant ethical requirements. This element was entitled “independence,
integrity and objectivity” in the old SQCSs. As the expanded wording implies,
this section expands guidance that explicitly incorporates legal and ethical
requirements into the conceptual framework for this QC element. Three
new provisions are of particular interest:
Written independence confirmations are required at least annually under
the new SQCS. This is arguably a codification of existing “best practices”
under the old SQCSs, but it represents a significant new documentation
requirement. This requirement may also be satisfied on an engagement-by-engagement basis.
Firms and professionals within them will have direct responsibility for
identifying and resolving breaches of independence requirements. Firms
will be required to implement policies and procedures to provide them with
reasonable assurance of being notified when breaches occur. These include
requirements for personnel to promptly notify the firm of circumstances
that pose a threat to independence, or of actual breaches of independence
requirements. The engagement partner is specifically charged with responsibility for taking required corrective actions, and for confirming to the
firm and to relevant personnel that those actions have been taken.
The new SQCS discusses the “familiarity threat” that may result when
the same senior personnel are used on an audit or attest engagement for
a long time. It imposes no specific requirements related to this concern.
However, its explicit mention raises this issue, which has long been discussed in the profession, to a new level of importance.
OBSERVATION
These new provisions represent a significant shift in the profession’s attitude toward a more practical and proactive view of quality control, and
away from a theoretical, academic view. The documentation requirement
is seen in SQCS 7 as a means of keeping independence matters visible to
firm personnel and demonstrating their importance. The new requirements
also specifically require appropriate corrective action by specific people in
the firm when threats to independence arise, including “closing the loop”
on that corrective action to the firm.
OBSERVATION
The discussion about the “familiarity threat” avoids mention of the obvious
solution—personnel rotation—because this is not feasible in many small
firms. The issue will, however, likely provoke some discussion among
large and small firms alike, about policies and procedures to address the
familiarity threat.
Acceptance and continuance of client relationships and specific engagements. This element expands on the requirements and guidance of the
previous QC element entitled “acceptance and continuance of clients and
engagements.” Two significant changes emerge from this guidance:
Firms should document how acceptance or continuance issues that
arose during the acceptance/continuance decision process were resolved
when they decide to accept or continue a client relationship or a specific
engagement.
Firms should have policies and procedures for withdrawal from a specific
engagement or from a client relationship, which should include documenting significant issues, consultations, and conclusions.
Human resources. This element was previously known as “personnel management.”
There are few significant changes to the old Standards under this
element. However, one area of particular interest, in connection with the
discussion of “tone at the top” issues, is the additional emphasis placed on the
role of performance evaluation, compensation, and advancement procedures
in a QC system. It says that effective procedures give “due recognition and
reward” to the development and maintenance of competence and commitment to ethical principles. Similar wording appears under the “leadership
responsibilities” element.
OBSERVATION
The fact that this concept is discussed in depth under both elements
signals the importance that standard-setters have placed on it. Although
not explicitly stated, one of the intentions of giving “due recognition and
reward” to the “technicians” in a firm is to influence the economics of the
profession such that audit engagements are no longer given away as loss-leaders by firms that wish to use them to gain access to more lucrative
consulting engagements.
Engagement performance. Guidance on engagement documentation,
documentation confidentiality, safeguarding, and retention has been added,
primarily to bring the SQCS literature into line with recently released documentation requirements in the auditing and other professional standards.
One of the most significant and controversial provisions in the new SQCS
is the requirement for engagement quality control reviews. An engagement
QC review is a pre-issuance process performed by persons who are not otherwise involved in performing the engagement. It is designed to provide an
objective evaluation of the significant judgments the engagement team made
and the conclusions they reached in formulating the report. This process has
often been referred to as “concurring review.”
When the exposure draft of this SQCS was issued, a misconception arose
that engagement QC reviews, or “concurring reviews,” were to be required on
all engagements. A reading of that exposure draft and of the final standard
shows clearly that this is untrue. Firms are required, however, to set down
criteria for which engagements are required to have engagement QC reviews.
These criteria may take into account matters such as:
The nature of the engagement.
Whether the engagement involves public interest.
Unusual circumstances or risks in the engagement.
Legal or regulatory requirements.
It is therefore the firm that controls which engagements are to be subject to
engagement QC review. However, once a firm establishes these criteria, all engagements that meet the criteria should be subjected to engagement QC review.
The new SQCS lists certain procedures that should be included in engagement QC reviews:
Reading the financial statements or other subject matter information.
Reading the report on the engagement.
Consideration of whether the report is appropriate.
A discussion with the engagement partner about significant issues and
findings.
Review of selected engagement documentation.
Documentation showing:
A description of the procedures applied in the engagement QC review.
The completion of the engagement QC review before report issuance.
That the reviewer is not aware of unresolved matters that would call
into question the engagement team’s judgment.
Individual firms may specify additional procedures, such as review of specific
types of engagement documentation, in their QC policies and procedures.
OBSERVATION
The new SQCS is explicit in stating that the engagement QC review does
not reduce the responsibilities of the engagement partner.
The new SQCS contains detailed criteria for eligibility of engagement QC
reviewers. These may include:
Technical qualifications.
Limitations on other participation in the engagement by the engagement
QC reviewer, including making decisions for or extensive consultation
with the engagement team.
Objectivity.
It also says that sole practitioners or small firms may contract suitably qualified external persons or firms to facilitate engagement QC reviews.
One other set of changes to existing practice centers around the role of
consultation in the QC system. The new SQCS contains a requirement
for policies and procedures to deal with differences of opinion between
the engagement team and persons consulted. These include requirements
that conclusions reached through consultation be both documented and
implemented. Finally, there is a presumptively mandatory requirement that
the report should not be issued until differences of opinion are resolved in
accordance with the firm’s policies and procedures.
OBSERVATION
These new requirements related to consultation follow the philosophical
thread under the independence element that the QC literature is becoming
more practical and implementation-oriented, and less theoretical. It is no
longer sufficient simply to look a matter up in the professional literature,
or discuss a matter with an expert colleague. Under the new standards, a
conclusion must be both documented and implemented.
STUDY QUESTIONS
8. Which of the following statements best applies to the engagement
quality control review?
a. It is a post-issuance process performed by persons who are not
otherwise involved in performing the engagement.
b. It is a pre-issuance process performed by or under the supervision
of the engagement partner.
c. It is a pre-issuance process performed by persons who are not
otherwise involved in performing the engagement.
d. It is a post-issuance process performed by or under the supervision of the engagement partner.
9. Engagement quality control reviews are required on all audit engagements. True or False?
Monitoring. The requirements for monitoring have been augmented considerably in the new SQCS, to underscore the importance of this element to
all firms. The guidance under the old SQCSs was largely advisory in nature.
Under the new requirements, firms should:
Establish policies and procedures to provide reasonable assurance that
their QC systems are relevant, adequate, effectively operating, and complied with in practice.
Include ongoing consideration and evaluation of the QC system to determine that it is appropriately designed and effectively operating.
Assign responsibility for monitoring to qualified individuals.
Require the performance of sufficiently comprehensive monitoring procedures to enable the firm to assess compliance with applicable standards,
regulatory requirements, and its own QC policies and procedures.
Evaluate the effects of deficiencies noted in monitoring to determine if
they are systemic in nature.
Communicate deficiencies and recommendations for remedial action to
appropriate firm personnel at least annually.
SQCS 7 provides detailed illustrations of procedures that a firm may include
in its monitoring process. None of these procedures are specifically required,
either individually or in combination with others. It is difficult, however,
to imagine an effective monitoring program that does not include at least
some of the following:
Review of selected administrative and personnel records pertaining to
QC elements.
Review of engagement documentation and financial statements.
Discussions with firm personnel.
Summarization of findings at least annually.
Consideration of the systemic causes of findings.
Determination of corrective actions.
Communication of findings to firm management.
Consideration of findings by appropriate firm personnel.
Assessment of:
The appropriateness of the firm’s guidance materials and practice aids.
The effects of new developments in standards, legal and regulatory
requirements.
Compliance with independence policies.
Effectiveness of continuing professional development.
Acceptance and continuance decisions.
Understanding and implementation of the firm’s QC policies and
procedures by firm personnel.
OBSERVATION
Some monitoring elements appear to be either poorly understood or poorly
implemented in practice. Most firms do a good job of monitoring the “engagement performance” element at the specific engagement level. Some
firms give less importance to human-resources related concerns. As a
result, they may not be effectively monitoring compliance with continuing
education requirements other than the minimum requirements to maintain
licensure. They also may not truly know whether their personnel are familiar
with their QC document. Even fewer firms, it seems, go the extra step of
summarizing their monitoring findings annually, and considering their systemic implications. This may grow into a significant issue for peer reviews
conducted under the new SQCS.
OBSERVATION
The monitoring element, and particularly the task of documenting the
achievement of its objectives, has long been a conceptual headache for
many small firms. Under the new Standards, which require even the smallest of firms to have a documented QC system, this headache is likely to
get worse. As a practical matter, however, this need not be so. Consider
the fact that all practitioners perform procedures, sometimes intuitively,
which, if they were documented in even a minimal fashion, would suffice as
monitoring procedures. For example, all practitioners presumably at least
“eyeball” their accounts receivable once in a while and would not likely
commence an audit engagement when the previous year’s audit fee had
not been paid. This mental process is in fact a monitoring procedure for
the firm’s independence and objectivity. It would take but little effort on the
part of even the smallest solo practitioner to place a copy of an accounts
receivable aging in a file folder labeled “Monitoring” at least once a year,
with notations penciled on it to show that the effect of uncollected fees on
independence had been considered and appropriately acted upon.
Similarly, all practitioners and firms presumably review the prior year’s engagement documentation when preparing to perform the current year’s engagement. These informal reviews sometimes reveal matters that would be
“findings” in a formal inspection program, such as noncompliance with the
firm’s documentation policies, or minor engagement performance issues. It
would take little additional effort to place brief notations of these findings
in a “Monitoring” file, and to summarize them once a year, consider their
systemic implications, and take some corrective action where necessary.
The inspection process has long been a component of monitoring. SQCS
7 defines inspection as a retrospective evaluation of the adequacy of the
firm’s QC policies and procedures, and its personnel’s understanding of
and compliance with them. Inspection has often been characterized as an
“internal peer review.”
SQCS 7 carries forward substantially unchanged the provisions of
the old SQCSs for small firms in which “self-monitoring” is a practical
necessity. It continues to stress, in this context, the need for individuals to
be able to critically review their own performance and maintain a mental
attitude of continual improvement. It also acknowledges that certain
circumstances, such as obtaining clients in new industries, or significant
changes in firm size, along with the inherent limitations of self-monitoring,
may indicate the need to engage a qualified outside person to perform
inspection procedures.
It is important to note that, while a firm may, in the year of its peer
review, substitute the peer review for its inspection procedures, the peer
review does not take the place of the firm’s internal monitoring program
for that year.
OBSERVATION
SQCS 7 clarifies the significance of deficiencies noted in engagements.
Deficiencies in individual engagements do not, in and of themselves, indicate
that the firm’s QC system is insufficient to provide reasonable assurance
of compliance with professional standards. Deficiencies need, rather, to
be evaluated to determine if they result in systemic, repetitive, or other
significant deficiencies.
Another new requirement in the new SQCS is for the firm to establish policies
and procedures for dealing with complaints and allegations of substandard
work. These policies and procedures should include:
Establishment of clearly defined channels for firm personnel to raise
concerns without fear of reprisal.
Provisions for investigating complaints under the supervision of a person
with sufficient appropriate experience and authority who is not otherwise
involved in the engagement.
Provisions for documenting complaints, allegations, and responses to them.
Some firms are considering the Sarbanes-Oxley-like step of establishing
an outside telephone hotline that reports complaints to senior firm leadership directly, outside of the normal chain of command, and allows for
anonymous reporting. Other firms, especially small and mid-sized firms,
are considering using the services of qualified external persons or firms to
carry out these investigations.
Finally, the new SQCS requires that evidence of the operation of each
element of the QC system be documented, and retained for a sufficient
time to permit those performing monitoring and peer review to evaluate
compliance. The form and content of this documentation may depend on
firm size, its number of offices, and the nature and complexity of its organization and engagements.
STUDY QUESTIONS
10. SQCS 7 envisions that an effective monitoring program might include
any of the following except:
a. Assessment of the appropriateness of the firm’s guidance materials and practice aids.
b. Discussions with firm personnel.
c. Performance of engagement quality control reviews.
d. Review of selected personnel records pertaining to QC elements.
CPE NOTE: When you have completed your study and review of chapters 4-7, which comprise Module 2, you may wish to take the Quizzer
for this Module.
For your convenience, you can also take this Quizzer online at www.cchtestingcenter.com.
14. a. Correct. SAS 112 permits auditors to issue written communications
stating that no material weaknesses were identified during the financial
statement audit, if they choose to do so.
b. Incorrect. Auditors are prohibited by SAS 112 from issuing written
communications stating that no significant deficiencies were identified
during the audit. Financial statement audits are not designed to detect every
significant deficiency that may exist. For this reason, it would be misleading
to readers to give the impression that no significant deficiencies exist.
c. Incorrect. Auditors are permitted, but not required, to issue written
communications indicating that no material weaknesses were identified
during the financial statement audit.
d. Incorrect. Auditors are permitted to issue written communications
indicating that no material weaknesses were identified during the financial
statement audit. Often clients request such a communication for purposes
of regulatory compliance.
15. False. Correct. In order to meet the threshold of SAS 112, a client
needs to be able to perform a particular accounting function, such as
preparing financial statements, correctly without auditor assistance. The
ET 101-3 threshold is a lower level of understanding. In order to meet this
threshold, the client need not have the capability to perform the function,
but must be able to understand and take responsibility for the adequacy
of the auditor’s work product. It is important also to remember that SAS
112 speaks to the client’s internal control, while ET 101-3 speaks to the
auditor’s independence.
True. Incorrect. SAS 112 requires a higher level of understanding from
the client. If a client does not have this level of understanding, that is the
capability to perform the particular accounting function, such as drafting
financial statements, by itself, the auditor may perform that service for the
client. In this case, however, a control deficiency, which is likely a material
weakness, exists that the auditor must communicate to management and
those charged with governance. In this case, the client should have a level of
understanding sufficient to meet the requirements of ET 101-3, in order for
the auditor to retain independence. This requires that the client be able to
understand and take responsibility for the adequacy of the ancillary service.
MODULE 2: REVIEW OF NEW AND EMERGING STANDARDS — CHAPTER 4
1. c. Correct. Audit documentation serves many purposes; however, its
primary purpose is to provide the principal support for the representation
in the auditor’s report that the engagement was performed in accordance
with GAAS, and for the opinion (or disclaimer of opinion) on the financial
information.
a. Incorrect. Audit documentation is necessary to assist supervisors in
directing and reviewing the audit work, and also for assisting external
inspectors and peer reviewers, but this is not its primary purpose.
b. Incorrect. While it is true that good audit documentation enables
quality control reviewers to understand how the engagement team reached
significant conclusions, this is not its primary purpose.
d. Incorrect. Audit documentation is a necessary element of audit quality,
and is a major factor in contributing to the quality of audits. However,
good documentation alone cannot guarantee audit quality, without the
performance of appropriate auditing procedures.
2. c. Correct. It is not necessary to keep complete copies of all contracts or
agreements that are inspected during an audit. It is, however, required that
abstracts or copies of important documents such as contracts or agreements
be retained if they are necessary for an experienced auditor to understand
the work performed and the conclusions reached.
a. Incorrect. Audit programs are a required element of all audit
documentation.
b. Incorrect. SAS 103 lists summaries of significant findings or issues as
one of the elements ordinarily included in audit documentation.
d. Incorrect. Representation letters are a required element of all audit
documentation.
3. True. Correct. The Statement allows documentation in an audit file for a
specific engagement to contain cross-references to audit documentation for
related entities such as parent or subsidiary companies or pension plans.
False. Incorrect. Cross-referencing between audit files of related entities is
an efficient documentation technique that is allowed by SAS 103.
4. b. Correct. The Statement is clear that oral explanations on their own do
not constitute sufficient support for the audit work or for its conclusions.
a. Incorrect. Oral explanations, while not encouraged by this Statement,
are admissible for clarifying or explaining information contained in the
audit documentation.
c. Incorrect. While oral explanations on their own never constitute sufficient
support for the audit work or for its conclusions, they may be used to clarify
or explain information contained in the audit documentation.
d. Incorrect. Oral explanations on their own do not constitute sufficient
support for the audit work or for its conclusions.
5. d. Correct. Unique item numbers, such as purchase order or check
numbers, are considered acceptable document identifiers.
a. Incorrect. For observation procedures, acceptable identifiers must include
both when and where the observation was made as well as the process or
subject of the observation, persons involved and their responsibilities.
b. Incorrect. For inquiry procedures, acceptable identifiers must include
the date and subject matter of the inquiry and the positions of the persons
inquired of, as well as their names.
c. Incorrect. For systematic samples, an acceptable document identifier
must include the starting point, such as “the 5th item,” as well as the
population of documents and interval.
6. c. Correct. SAS 103 requires that documentation completion take
place no later than 60 days after the report release date.
a. Incorrect. The documentation retention period runs for five years after
the report date, not the report release date, unless a longer period is required
by law or regulation.
b. Incorrect. The documentation completion date may be no later than 45
days after the report release date under PCAOB Auditing Standards. The
SAS 103 requirement is 60 days.
d. Incorrect. The date on which the auditor has obtained sufficient
appropriate audit evidence to support the opinion is the earliest date
permissible for the report date.
7. c. Correct. The report release date, according to the definition in SAS
103, is the date that the auditor grants permission for the audit report to be
used in connection with the financial statements.
a. Incorrect. Under SAS 103, as well as under PCAOB standards, the
documentation completion date is determined with reference to the report
release date. For SAS 103 purposes, that is no later than 60 days after the
report release date. The PCAOB standards require a shorter 45 day period.
The report release date, however, is not determined with reference to the
documentation completion date.
b. Incorrect. Under SAS 103, the last date of audit field work is of little
relevance for purposes of audit documentation.
d. Incorrect. SAS 103 defines report date as the date on which the auditor
obtained sufficient appropriate audit evidence to support the opinion, not
the report release date.
8. b. Correct. It is important to remember that the five year documentation
retention period specified by SAS 103 is a minimum, which may be
extended by requirements of statute or regulation or by firm policy.
a. Incorrect. The documentation retention period runs for seven years after
the report date under PCAOB Auditing Standards.
c. Incorrect. Both SAS 103 and the PCAOB Auditing Standards define
their documentation retention periods with reference to the report date, not
the balance sheet or period end date.
d. Incorrect. While the minimum documentation retention period runs
for five years after the report date, it may be extended for a longer period if
required by law, regulation, or firm policy.
9. a. Correct. SAS 103 allows the auditor to delete incorrect or superseded
information from the audit documentation after the report date but before
the document completion date.
b. Incorrect. After the report date but before the document completion
date, the auditor may make changes to the audit documentation but must
document when and by whom the change was made and reviewed, as well
as the reason for the change and its effect on the audit conclusions.
c. Incorrect. SAS 103 permits the auditor, after the report date but
before the document completion date, to add information to the audit
documentation, such as an original of a document that was previously
faxed, that was received after the report date.
d. Incorrect. SAS 103 permits the auditor to sign off on file completion
checklists after the report date but before the document completion date.
10. b. Correct. At the auditor’s discretion, copies of the audit documentation
may be made available to the entity, as long as doing so does not compromise
independence or the validity of the audit process.
a. Incorrect. There is no provision in SAS 103 prohibiting the auditor
from making audit documentation available to the entity, where doing so
does not compromise independence or the validity of the audit process.
c. Incorrect. Obviously, certain items within the audit documentation,
such as the adjusting entries, a summary of unadjusted differences, or a
management letter, will be communicated to the entity. However, there is
no requirement that an auditor release portions of the audit documentation
as such to the entity.
d. Incorrect. Allowing the use of audit documentation as a part of the
client’s accounting records may cause an impairment of independence, and
should be avoided.
11. c. Correct. AS-3 defines an “experienced auditor” as one who is
knowledgeable about auditing and has “studied” the industry.
a. Incorrect. SAS 103 requires that an “experienced auditor” would have
been capable of performing the audit but this is not a requirement of the
PCAOB’s standards.
b. Incorrect. SAS 103 requires that an “experienced auditor” must
understand audit processes, the SASs, and legal and regulatory requirements
applicable to the entity’s industry. The PCAOB requires only a “reasonable
understanding of audit activities.”
d. Incorrect. SAS 103 requires that an “experienced auditor” must
understand the entity’s business environment, and the auditing and
reporting issues applicable to its industry. The PCAOB requires only that
the experienced auditor have “studied the industry.”
12. True. Correct. SAS 99 creates a presumption that revenue recognition is
a fraud risk. If the auditor does not consider improper revenue recognition
to be a fraud risk, the auditor is required to document a justification for
this conclusion.
False. Incorrect. Improper revenue recognition is presumed to be a
fraud risk unless the auditor can demonstrate otherwise. Documentation
of reasons why improper revenue recognition is not a risk is required to
overcome this presumption.
13. a. Correct. SAS 107 contains a requirement for auditors to document
the basis on which materiality, as well as tolerable misstatement, was
determined.
b. Incorrect. Auditors are required to document materiality for tolerable
misstatement, which applies to account balances, transactions classes and
disclosures.
c. Incorrect. Auditors are required to document changes made to materiality
levels during the audit.
d. Incorrect. Audit documentation should include consideration of the
effects of uncorrected misstatements from prior periods on the current
period’s financial statements.
14. c. Correct. The summary of uncorrected misstatements should include
consideration of their aggregate effects, including impact on significant
financial statement totals or subtotals, such as current assets and liabilities,
working capital, gross sales, or gross margin.
a. Incorrect. Auditors are required under SAS 107 to consider both known
and likely uncorrected misstatements.
b. Incorrect. Auditors are required under SAS 107 to summarize uncorrected
misstatements in a way that facilitates separate consideration of known and
likely misstatements.
d. Incorrect. Auditors are required under SAS 107 to document a conclusion
as to the materiality of uncorrected misstatements, both individually and
in the aggregate.
15. False. Correct. As both a documentation and a performance requirement
under SAS 109, auditors should assess the risks of material misstatement at
both the financial statement and the relevant assertion levels.
True. Incorrect. SAS 109 requires auditors to document the assessment of
the risks of material misstatement down to the relevant assertion level for
significant account balances, transaction classes, and disclosures, which is
one level below the financial statement level.
MODULE 2 — CHAPTER 5
1. c. Correct. The Risk Assessment Standards emphasize the concept of
considering risk of misstatement not only at the level of the financial
statements taken as a whole, but also at the level of individual account
balances, classes of transactions, and disclosures.
a. Incorrect. Recent professional standards, including ET 101-3, the Risk
Assessment Standards, and SASs 112 and 114 have sought to differentiate
the auditor’s responsibilities from those of management and other financial
statement users.
b. Incorrect. The Risk Assessment Standards have eliminated the concept
of defaulting to a “maximum risk assessment” without developing an
understanding of control to support that assessment.
d. Incorrect. The idea of linking audit procedures to risks is central to the
Risk Assessment Standards. Audit procedures should be proportional to
assessed risk.
2. b. Correct. SAS 106 groups the 13 assertions into three broad categories:
account balances, classes of transactions and events, presentation and
disclosure.
a. Incorrect. Completeness, occurrence, rights and obligations, valuation/
allocation, and presentation and disclosure are the relevant assertions
that were identified in previous auditing standards. All of these assertions
reappear in SAS 106 under one or more broad categories.
c. Incorrect. Completeness, classification and understandability, accuracy
and valuation are the relevant assertions listed by SAS 106 under the broad
category of account balances.
d. Incorrect. Occurrence, completeness, accuracy, cutoff, and classification
are the relevant assertions listed by SAS 106 under the broad category of
classes of transactions and events.
3. b. Correct. SAS 106 states as a presumptively mandatory requirement
that substantive procedures should be performed in all audits for all relevant
assertions related to each material class of transactions, account balance,
and disclosure regardless of the assessed risk of material misstatement.
a. Incorrect. There is no requirement to apply substantive procedures to
immaterial classes of transactions, account balances or disclosures.
c. Incorrect. Substantive procedures performed on each material class of
transactions, account balance, and disclosure may include tests of details
and substantive analytical procedures. There is no requirement, however,
that both be performed when only one is necessary to provide sufficient
appropriate evidence.
d. Incorrect. Substantive procedures are performed to detect material
misstatements down to the relevant assertion level, which is below the
transaction class, account balance and disclosure level.
4. b. Correct. Inspection of actual items of physical inventory provides
persuasive evidence as to the existence of those items.
a. Incorrect. Absent other corroborative evidence, inquiry does not by itself
provide persuasive evidence about any of the financial statement assertions.
c. Incorrect. Analytical procedures might, in combination with other
audit procedures, provide useful evidence about valuation or completeness
of inventory. They would not be likely to provide evidence about its
existence.
d. Incorrect. Recalculation, especially of pricing, would normally be used
to provide evidence about such assertions as accuracy or valuation. It would
not usually provide support for the existence assertion.
5. False. Correct. There is no requirement to use substantive analytical
procedures in audits.
True. Incorrect. Analytical procedures must be used in the planning and
final evaluation stages of all audits. These analytical procedures, however,
should not be confused with substantive analytical procedures, which may
be used in combination with tests of details or tests of controls to provide
audit evidence about balances, transactions or disclosures.
6. a. Correct. Even when planning not to rely on a control and to assess
control risk at maximum, the auditor must have sufficient understanding
of the control to have a basis for that assessment.
b. Incorrect. SAS 107 intends that audit procedures to be performed be
specifically linked to assessed risks.
c. Incorrect. Regardless of the auditor’s intention to rely or not to rely on
controls, the auditor should develop an understanding of controls sufficient
to support an assessment of maximum control risk.
d. Incorrect. Controls need not be tested unless the auditor plans to rely
on them.
7. c. Correct. SAS 107 states that it is not ordinarily feasible for the auditor
to consider the individual needs of all financial statement users because
their needs may vary so greatly.
a. Incorrect. SAS 107 makes a number of assumptions about the competence
and diligence of financial statement users, one of which is their willingness
to study the statements with appropriate diligence.
b. Incorrect. SAS 107 assumes that financial statement users have appropriate
knowledge of business and economic activities and accounting.
d. Incorrect. Under SAS 107, financial statement users are assumed to
recognize that there are uncertainties inherent in the accounting estimates
and judgments used in preparing the financial statements.
8. a. Correct. In profit-making businesses, a benchmark based on results
of operations is usually appropriate for determining materiality. However,
in this case, if that benchmark included the expense for the owners’
compensation, it would likely result in a lower amount than necessary to
provide reasonable assurance of detecting material misstatement, and thus
cause an inefficient audit. Pre-tax income before owners’ compensation
would therefore be a more appropriate benchmark.
b. Incorrect. Pre-tax income in such a corporation may be artificially
low due to the owners’ compensation. This would cause materiality levels
determined based on this benchmark to be artificially low, and could lead
to an inefficient audit.
c. Incorrect. Using any benchmark of income that includes owners’
compensation expense could lead to artificially low materiality levels and
an inefficient audit. Also, in a consistently profitable business, a benchmark
based on current year operations would likely be more relevant than one
that includes prior years.
d. Incorrect. In most cases, a benchmark based on retained earnings would
be artificially low due to the significant amount of owners’ compensation,
and their ability to control that amount. As with pre-tax income, using
such a benchmark could cause materiality levels determined based on this
benchmark to be artificially low, and could lead to an inefficient audit.
9. False. Correct. SAS 107 requires auditors to communicate both known
and likely misstatements to management.
True. Incorrect. Communicating only known misstatements to
management would frustrate one of the purposes of the Risk Assessment
Standards, which is to create more responsibility on management’s part for
evaluating and correcting misstatements.
10. c. Correct. Certain misstatements may have significance even though
they do not exceed quantitative thresholds for materiality. This is particularly
true of misstatements that involve potential fraud or illegal acts, or that
cause misstatement of items that are known to be of particular concern to
financial statement users.
a. Incorrect. SAS 107 states that auditors may not rely solely on quantitative
benchmarks to assess whether an item is material. While quantitative
thresholds may provide a basis for a preliminary assumption about whether
an item is material, they are not a substitute for full analysis.
b. Incorrect. SAS 107 requires auditors to consider the likelihood of a
currently immaterial misstatement, such as an accrual or deferral, becoming
material to future periods through cumulative effects.
d. Incorrect. Misclassifications between current and non-current assets are
potentially significant misstatements, from a qualitative standpoint, even
when they are lower than quantitative materiality thresholds, because they
may affect working capital and the related ratios. This information is often
significant if, for example, it causes a violation of a loan covenant.
11. b. Correct. SAS 108 requires the audit plan to include a description of
the nature, timing, and extent of planned risk assessment procedures.
a. Incorrect. SAS 108 actually requires the opposite; that the original audit
plan be revised to respond to changes in circumstances.
c. Incorrect. The audit plan should provide a clear linkage between the
understanding of the entity, the risk assessments, and the design of further
audit procedures.
d. Incorrect. The audit plan should include a description of the nature,
timing, and extent of planned further audit procedures to be applied down
to the relevant assertion level.
12. c. Correct. The engagement partner should emphasize to audit assistants
the need to maintain a questioning mind and to exercise professional
skepticism in gathering and evaluating audit evidence throughout the
audit, both in the planning stage and throughout the engagement.
a. Incorrect. Audit assistants should bring accounting issues raised during
the audit that the assistant believes are significant to the financial statements
to the attention of the engagement partner. Significant accounting issues
impacting the financial statements should also be communicated to
management, although the channel for this communication is a matter of
firm policy. Ordinarily, assistants would be expected to bring the matter to
the engagement partner’s attention before it is communicated to the client.
b. Incorrect. Audit assistants should be reminded of the need to bring
client-imposed restrictions on access to information necessary to perform
the audit to the attention of appropriate persons within the firm. Ordinarily
this would be a person on the level of a field supervisor. Such matters would
not ordinarily be brought directly to the engagement partner’s attention as
a first resort except in small engagements.
d. Incorrect. Although it would be unusual for the engagement partner
not to communicate the time budget for performing an engagement to
assistants, there is no requirement in professional standards to do so.
13. d. Correct. Among the numerous matters to be addressed in the
discussion among the audit team, SAS 109 requires that emphasis be
placed on the need to be alert for and follow up on indications of material
misstatements.
a. Incorrect. Nothing in SAS 109 or elsewhere in the auditing literature
requires the audit risk discussion to occur concurrently with the fraud risk
discussion required under SAS 99. As a practical matter, however, most
firms find that it is efficient to combine these discussions.
b. Incorrect. SAS 109 leaves the location of this discussion to the professional
judgment of the audit partner. It allows multiple discussions to take place
if the audit involves multiple locations.
c. Incorrect. SAS 109 is explicit in stating that every member of the audit
team need not have a comprehensive knowledge of all facets of the audit.
14. c. Correct. The concept of business risk includes the risk of material
misstatement, but it is a broader concept that includes diverse risks such as
competition, labor relations and many others.
a. Incorrect. All business risks do not necessarily have financial consequences,
and thus do not give rise to the risk of material misstatement.
b. Incorrect. While it is true that most business risks have financial
consequences, not all of them necessarily give rise to the risk of material
misstatement.
d. Incorrect. Not every business risk carries with it a risk of material
misstatement. While giving consideration to significant business risks is
a part of the audit, auditors are concerned primarily with risks of material
misstatement. For this reason, they normally seek to identify and assess
only those significant business risks that give rise to risks of material
misstatement.
15. d. Correct. Auditors are required under SAS 109 to communicate
significant deficiencies in internal control to those charged with governance.
Communication of such matters to legal counsel is not required and would
in fact be rare in the extreme.
a. Incorrect. Risks of material misstatements are not fully comprehended
apart from the bigger picture of the entity and its environment. Therefore
it is necessary for auditors to relate risks identified in the process of gaining
an understanding of the entity and its environment to risks of possible
misstatements at the relevant assertion level.
b. Incorrect. Using information obtained by performing risk assessment
procedures in evaluating the design and implementation of internal controls
is a requirement of SAS 109. Failure to do so would lead either to an
inefficient audit, in which extensive evaluation of controls was performed
in low-risk areas, or an ineffective audit in which controls in high-risk areas
were not adequately evaluated.
c. Incorrect. SAS 109 intends for risks of material misstatements to be
considered in the entire context of the client and its environment, as well
as on a more microscopic level. For this reason, determining whether
identified risks are isolated to particular relevant assertions associated with
a class of transactions, balances, or disclosures, or are more pervasive and
likely to affect the financial statements as a whole is an important part of
the process.
16. True. Correct. SAS 109 specifically identifies nonroutine transactions
and judgmental matters involving accounting estimates as areas in which
significant risks are likely to exist.
False. Incorrect. Because of their unusual and subjective natures,
nonroutine transactions, and matters involving management’s judgment on
accounting estimates are usually considered to carry with them significant
risks of material misstatement.
17. d. Correct. The intent of the linkage concept is that audit procedures
should be proportional to the assessed risk. Audits that focus on areas of higher
risk are far more likely to be efficient in detecting material misstatements.
a. Incorrect. Applying audit procedures based solely upon the monetary
amounts of recorded financial statement items ignores the qualitative
aspects of financial data, and ignores factors of risk assessment other than
size.
b. Incorrect. Applying audit procedures uniformly to recorded financial
statement amounts irrespective of assessed risks is the opposite of SAS 110’s
intent. This approach would lead to an inefficient audit because it would
allocate audit resources unnecessarily to areas of lower risk and away from
areas of higher risk. Such an audit would have a high probability of failing
to detect material misstatements.
c. Incorrect. Audit procedures should take into consideration the materiality
of financial statement items as one of many factors. Making materiality the
sole, or the primary determinant would lead to overauditing of low-risk
but large-dollar areas, while diverting audit efforts from higher risk areas of
lesser dollar amounts.
18. a. Correct. When substantive procedures do not by themselves provide
sufficient appropriate evidence at the relevant assertion level auditors
should test controls. A frequently cited example is when large volumes
of transactions are recorded in electronic form only and are either not
economically testable or are unavailable for testing after a certain time.
b. Incorrect. If controls are not expected to be operating effectively, as for
example when they are improperly designed or implemented, it usually
serves no purpose to test them.
c. Incorrect. Auditors should test each control that they plan to rely on at
least once every three years. Under certain circumstances, however, such
as when there is a significant risk of material misstatement at the relevant
assertion level, or when there is a weak control environment, more frequent
testing may be necessary.
d. Incorrect. Auditors need test only those controls that they plan to rely
on. Therefore, if a significant assessed risk of material misstatement at
the relevant assertion level can be adequately and efficiently addressed by
substantive procedures alone, tests of related controls are not necessary.
19. d. Correct. The sources and reliability of information, and the
persuasiveness of audit evidence are among the matters that the auditor
should consider in forming a conclusion about whether there is sufficient
appropriate evidence to reduce the risk of material misstatement to an
appropriately low level.
a. Incorrect. All relevant audit evidence, whether it appears to support or
to contradict the relevant financial statement assertions, should enter into
the auditor’s consideration.
b. Incorrect. Experience from previous audits with respect to similar potential
misstatements should be taken into account in the current period audit.
c. Incorrect. The likelihood of the potential misstatement having a material
effect on the financial statements should be considered both individually
and in the aggregate.
20. True. Correct. If a sample in a dual purpose test were the smaller of
the sample sizes that would have been required for each purpose separately,
then it would not be large enough to serve one of those purposes.
False. Incorrect. In order to give adequate coverage within the sample to
both purposes, the sample size for a dual-purpose test should be the larger
of the sample sizes that would otherwise have been selected for the two
separate purposes.
MODULE 2 — CHAPTER 6
1. True. Correct. Auditors can use interest rate statistics in considering the
valuation of assets such as investments and derivatives, whose value may
fluctuate with changes in interest rates.
False. Incorrect. The valuation of many assets, bond investments for
example, is directly connected to interest rates. For this reason, interest
rate statistics are useful and even necessary in considering the valuation
assertion related to those assets.
2. c. Correct. SAS 114 significantly expanded the auditor’s responsibilities
for communicating to persons charged with governance. Its provisions
apply to all non-SEC issuer entities. Neither size, ownership characteristics,
nor organizational structure confer exemptions.
a. Incorrect. Audits of SEC issuers are governed by the PCAOB Standards,
and not the AICPA’s Statements on Auditing Standards.
b. Incorrect. Under the previous guidance of SAS 61, auditors were required
to make communications with persons charged with governance only in
entities with formally constituted audit committees or their equivalent. SAS
114 changed this requirement, and now this communication is required for
all non-SEC issuers.
d. Incorrect. SAS 114’s requirements apply equally to small entities with
informally-defined governance structures, and to large entities with defined
governance structures.
3. d. Correct. SAS 114 requires, in cases when the person or persons
who should receive the auditor’s communication with those charged with
governance is not readily apparent, that auditors reach an agreement with
the engaging party as to who should receive the communication.
a. Incorrect. Directing the SAS 114 communication to senior management
might be appropriate in the case of small, owner-managed entities, however
in other cases, such as when senior management and those charged with
governance are not the same persons, it would be ineffective in meeting
SAS 114’s objectives.
b. Incorrect. While the board of directors, or the equivalent body, is
ultimately charged with governance, the chairman of that body may not
always be the best person to receive communications with the auditor. For
this reason, the auditor should not automatically send it to the chairman
of the board.
c. Incorrect. Nothing in SAS 114 exempts auditors from communicating
with those charged with the governance of the entity. The fact that a
governance structure may not be formally defined, or that it may not clearly
identify a person or group of persons to receive auditor communications
does not change this responsibility.
4. b. Correct. The conforming amendment to SAS 112 for audits of
nonissuers, which contains these new definitions, is effective January 1, 2009.
a. Incorrect. The new definitions are effective for fiscal years ending on or
after November 15, 2007 only for SEC issuers.
c. Incorrect. The new definitions, according to official sources at the AICPA,
are not expected to create significant changes to practice under the previous
provisions of SAS 112. Rather, they are expected to clarify those terms.
d. Incorrect. The opposite is actually true under both the old and new
definitions. A significant deficiency is less severe than a material weakness.
FAS 157 identifies quoted prices for identical assets or
liabilities in active markets as its “level 1” input to valuation techniques
used to measure fair value, and states that they provide the most reliable
evidence of fair value and should be used whenever available.
a. Incorrect. FAS 157 identifies quoted prices for similar assets or liabilities
in active markets as a “level 2” input in its fair value hierarchy, indicating
that they are less reliable than “level 1” inputs.
c. Incorrect. Unobservable inputs in which the reporting entity makes its
own assumptions about the marketplace are considered “level 3” inputs by
FAS 157. These inputs should be used when the observable inputs of levels
1 or 2 are not available. They are considered the least reliable evidence of
fair value.
d. Incorrect. Observable inputs other than quoted prices, such as interest
rates or yield curves observable at commonly quoted intervals are “level
2” inputs, and are less reliable than quoted prices for identical assets or
liabilities in active markets or other types of inputs.
5. b. Correct.
6. a. Correct. FAS 158 requires measurement of the funded status of a plan
as of the employer’s fiscal year end, not at the end of each fiscal quarter.
b. Incorrect. In an effort to enhance the timeliness of financial statement
information, FAS 158 contains a requirement to recognize in the financial
statements events and transactions that affect funded status in the year that
they occur.
c. Incorrect. FAS 158 contains a requirement that employers recognize the
overfunded or underfunded status of a defined benefit postretirement plan,
other than a multi-employer plan, as an asset or liability. This requirement
is aimed at helping financial statement users assess an employer’s ability to
satisfy its benefit obligations.
d. Incorrect. FAS 158 requires footnote disclosures about certain effects
on net periodic benefit cost for the next fiscal year that arise out of delayed
recognition of gains or losses, or prior service costs or credits.
7. a. Correct. Evaluating a tax position under FIN 48 involves two steps.
The first of those, the recognition step, involves determining whether the
tax position is more likely than not to be sustained upon examination based
on its technical merits.
b. Incorrect. When determining whether a tax position is more likely than
not to be sustained upon examination, the entity should assume that the
taxing authority has full knowledge of all the relevant facts.
c. Incorrect. For a tax position that meets the more-likely-than-not test,
the amount of benefit to recognize in the statements is the largest amount
that would be more than 50 percent likely of being realized on settlement,
not the smallest.
d. Incorrect. Evaluations of tax positions under FIN 48 apply to all
jurisdictions in which the entity is subject to taxes based on income.
8. b. Correct. Under ET 101-3, in order for auditors to maintain their
independence in providing nonattest services such as assistance with
FIN 48 implementation, they must be satisfied that the client can take
responsibility for the results of the services.
a. Incorrect. Under ET 101-3, if the client is unable to make informed
judgments about a nonattest service such as assistance in FIN 48
implementation, then the auditor’s independence is impaired by rendering
those services.
c. Incorrect. Whether or not a tax position is more likely than not to be
sustained is not relevant to this consideration. Auditors can help clients
with this step of the evaluation under FIN 48, as long as the provisions of
ET 101-3 are met.
d. Incorrect. The client need not measure the amount of benefit to be
recognized. Auditors can help clients with this step of the evaluation under
FIN 48, as long as the provisions of ET 101-3 are met.
9. b. Correct. Maintaining U.S. GAAS completely separate and distinct
from the ISAs is not one of the Clarity Project’s goals. Rather, it seeks to
converge those two bodies of standards, while retaining certain existing U.S.
practices and addressing issues that are specific to the U.S. environment.
a. Incorrect. One of the Clarity Project’s primary goals is making U.S.
auditing standards easier to read and understand. Toward this end, it is
addressing issues of how the content of the standards is organized, and is
using formatting techniques to enhance readability.
c. Incorrect. The Clarity Project has a stated goal of setting off professional
requirements and applications or explanatory material into separate sections
so as to clearly differentiate between the two.
d. Incorrect. Under the Clarity Project’s drafting conventions, special
considerations for audits of smaller, less complex entities will be included
where applicable.
10. True. Correct. Both U.S. and foreign standards-setters have declared
their intention to move into closer conformity. FAS 157 and FAS 159 were
steps in this direction.
False. Incorrect. The adoption of fair value reporting in FAS 157 and FAS
159 brings U.S. GAAP into line with IFRS on this subject.
MODULE 2 — CHAPTER 7
1. c. Correct. Summarizing all “Matter for Further Consideration” (MFC)
forms, ensuring that they have been addressed, and documenting how they
were resolved, is the primary purpose of the DMFC form.
a. Incorrect. Providing a description of the finding, including whether it
is a repeat, is actually one of the purposes of the “Findings for Further
Consideration” (FFC) form.
b. Incorrect. Identifying which MFCs are contained in particular findings
is actually one of the purposes of the FFC form.
d. Incorrect. Documenting matters that warrant further consideration in
the evaluation of a firm’s QC system is actually a purpose of the MFC form,
rather than the DMFC form.
2. b. Correct. The FFC form is used for communicating findings that do
not become part of the peer review report. As such, it eliminates the use of
the letter of comments.
a. Incorrect. The FFC form is a part of the peer review working papers that
are outside of the reporting process.
c. Incorrect. The FFC form is not subject to public inspection.
d. Incorrect. Copies of this form should be maintained by the peer reviewer
until after the completion of the next review, because it is the record of the
review’s findings.
3. a. Correct. A report rating of “pass” is appropriate under the new
Standards when a reviewer concludes that the review’s findings, individually
or in combination, do not rise to the level of a deficiency or significant
deficiency.
b. Incorrect. The report rating of “unmodified” exists under the old
Standards, but has been replaced under the proposed revisions with an
equivalent rating entitled “pass.”
c. Incorrect. The report rating of “modified” exists under the old Standards,
but has been replaced under the new Standards with a rating entitled “pass
with deficiencies.”
d. Incorrect. A rating of “pass with deficiencies” would be inappropriate in
a case where no deficiencies or significant deficiencies existed.
4. d. Correct. The revised language is actually designed to require less
tailoring, rather than more, to suit the needs of individual peer reviews.
a. Incorrect. The new reporting model shortens the length of the peer
review report.
b. Incorrect. The revisions to the old reporting model contain language
that most people find easier to understand.
c. Incorrect. The inclusion in the peer review report of a reference to a URL
for a “plain English” description of the nature, objectives, scope, limitations
of, and procedures performed on the peer review is one of the changes in the
new reporting model.
5. True. Correct. The old Standards provided for three levels of peer
review: system, engagement and report. The new Standards pare this down
to two levels by merging the old report review process into the engagement
review process.
False. Incorrect. The objectives of the engagement and report levels of
peer review under the old Standards, and the processes for performing and
reporting on them, were so similar that the Board felt it would simplify
the program and create more clarity for users of peer review reports to
consolidate these two levels of peer review.
6. d. Correct. SQCS 7 has introduced a requirement for all firms with
accounting or auditing practices to have documented quality control
policies and procedures.
a. Incorrect. Under the old SQCSs, there was a widely-held misconception
that firms with only compilations and review practices did not need to have
quality control policies and procedures. This misconception arose because
peer reviews for these firms covered only engagements, and not QC policies
and procedures. It was never true under the old SQCSs that these firms did
not need to have quality control policies and procedures. It is still untrue
under SQCS 7.
b. Incorrect. Under the old SQCSs, there was no explicit requirement for
firms that did not have system reviews to document their quality control
policies and procedures. SQCS 7 has changed this. Now these firms are
required to have documented QC systems.
c. Incorrect. The requirement under SQCS 7 to have documented QC
policies and procedures extends to even the smallest firms that perform
only compilations without disclosures. The fact that a firm does not have
an auditing practice in no way exempts it from this requirement.
7. a. Correct. Under SQCS 7, the firm’s leadership should assume ultimate
responsibility for the QC system.
b. Incorrect. It would be foolish to argue that a firm’s business strategy not
take commercial considerations into account in designing and achieving the
objectives of its QC system. Like systems of internal control in businesses,
QC systems in accounting firms need to be economical and efficient in
order to be effective. However, the new SQCS states a requirement that the
firms assign management responsibilities so that commercial considerations
do not override the quality of work performed.
c. Incorrect. The new SQCS imposes a requirement that firms should adopt
policies and procedures designed to promote an internal culture based on
the recognition that quality is essential. This is a far stronger statement than
the mere suggestion, as explanatory language, that they “consider” such
policies and procedures.
d. Incorrect. The firm’s leadership is not permitted to assign the ultimate
responsibility for the QC system to another person. It may delegate
operational responsibilities for the operation of the system to qualified
persons within the firm, but the firm leadership still has ultimate
responsibility for the system.
8. c. Correct. SQCS 7 defines the engagement quality review as a pre-issuance process performed by persons who are not otherwise involved
in performing the engagement. Its purpose is to provide an objective
evaluation of the significant judgments the engagement team made and the
conclusions they reached in formulating the report.
a. Incorrect. The engagement quality review is a pre-issuance, rather than a
post-issuance, process performed by persons who are not otherwise involved
in performing the engagement.
b. Incorrect. While it is correct that the engagement quality review is a
pre-issuance process, having it performed by or under the supervision of
the engagement partner would defeat its purpose, which is to provide an
objective evaluation of the significant judgments the engagement team
made and the conclusions they reached in formulating the report.
d. Incorrect. The engagement quality review is a pre-issuance, rather than a
post-issuance process that is designed to provide an objective evaluation of
the significant judgments the engagement team made and the conclusions
they reached in formulating the report. Having engagement personnel
involved in the review would impair the objectivity of the process.
9. False. Correct. SQCS 7 does not require all audits to be subjected to
engagement QC reviews. It does require, however, that firms set down
criteria for which engagements are required to have engagement QC
reviews. Once a firm establishes these criteria, all engagements that meet
the criteria should be subjected to engagement QC review.
True. Incorrect. Engagement quality control reviews are not specifically
required on audits, or on any other particular type of engagements, by
SQCS 7. The firm controls which engagements are subject to QC review
because it sets the criteria for which engagements are to have QC reviews.
10. c. Correct. Engagement quality control reviews are an important part
of any QC system. However, they are actually part of the engagement
performance element of quality control, because they are a pre-issuance
process. They are not a component of the monitoring element.
a. Incorrect. Assessment of the appropriateness of the firm’s guidance
materials and practice aids would usually take place periodically during a
firm’s monitoring procedures, to help it assure that it had the most current
and relevant materials.
b. Incorrect. Discussions with firm personnel would ordinarily be a part of
a firm’s monitoring program. These discussions would, among other things,
help the firm to assess its personnel’s level of awareness of the QC system.
d. Incorrect. Review of selected personnel records pertaining to QC
elements might be a part of the monitoring process, and would be useful in
assessing, for example, such matters as independence, continuing education,
and advancement.
Appendix A: Summary of the Risk Assessment Standards
SAS 104, Amendment to SAS 1, “Codification of Auditing Standards
and Procedures” (“Due Professional Care in the Performance of Work”)
SAS 104 expands the definition of “reasonable assurance” by:
Adding wording to emphasize that audits must be planned and performed
to attain a low level of audit risk.
Emphasizing that the high level of intended assurance is expressed in
the auditor’s report as obtaining reasonable assurance about whether the
financial statements are free of material misstatement, whether caused
by error or fraud.
SAS 105, Amendment of SAS 95,
“Generally Accepted Auditing Standards”
SAS 105 broadens the philosophy of the audit process significantly by
amending the second fieldwork standard to:
Expand the scope of the auditor’s understanding from “internal control”
to “the entity and its environment, including its internal control.”
Extend the purpose of the auditor’s understanding from “planning the
audit” to “assessing the risk of material misstatement of the financial
statements whether due to error or fraud.”
Replace the phrase “tests to be performed” with “further audit procedures” to emphasize that audit procedures also are performed to obtain
the understanding on which the auditor bases the risk assessments.
OBSERVATION
SAS 105 makes the understanding of internal control more important, and
more useful, to the audit process. Under previous standards, the understanding of internal control was obtained strictly to assist in planning the
audit. Now, understanding the entity and its internal control is not only a
part of the planning process, it is a part of the risk assessment procedures
that ultimately support the auditor’s opinion.
OBSERVATION
Consistent with the broad philosophical direction of the Risk Assessment
Standards, SAS 105 emphasizes the need to closely link the understanding
of the entity, and the risk assessment, to the design of further audit procedures. Thus, whenever an auditor, as a result of obtaining an understanding
of a client, assesses a significant risk of material misstatement, the audit
procedures should respond to that risk. Conversely, in areas with low assessed risk, audit procedures would ordinarily be less intensive. This results
in a more efficient allocation of audit resources, and a more effective audit.
Consequently, auditors now need to more closely tailor standardized audit
programs (which will now be called an “audit plan”) to the unique risks of
each individual engagement.
SAS 106, Audit Evidence
SAS 106 makes significant changes to audit practice. It:
Significantly expands and recategorizes the assertions for account balances, transaction classes, and disclosures that are used in audits.
Requires a closer correlation between those assertions and the audit
procedures used in gathering audit evidence.
Provides new definitions of several terms including audit evidence and
the sufficiency and appropriateness of that evidence.
Creates significant new guidance for using relevant assertions to assess
risk and design audit procedures; assessing the reliability of various types
of audit evidence; risk assessment’s place in the body of audit evidence;
and uses and limitations of inquiry.
Describes the risk assessment procedures of inquiry, analytical procedures,
observation, and inspection.
SAS 107, Audit Risk and Materiality in Conducting an Audit
Among the most sweeping changes that SAS 107 makes to current auditing
practice are:
The introduction of the concept of considering risk of misstatement not
only at the level of the financial statements taken as a whole, and at the
level of individual account balance or class of transactions, but also at
the disclosure level
The requirement for the auditor to have an appropriate basis for all
risk assessments, and elimination of the concept of assessing risk “at the
maximum” without support
SAS 108, Planning and Supervision
This Statement is primarily a codification of existing best practices. It changes
little in terms of the actual conduct of audit engagements.
SAS 109, Understanding the Entity and its Environment
and Assessing the Risks of Material Misstatement
SAS 109 establishes standards and provides guidance to auditors of nonpublic entities about obtaining a sufficient understanding of the entity and
its environment, including its internal control, to assess the risk of material
misstatement of the financial statements whether due to error or fraud, and
designing the nature, timing and extent of further audit procedures.
SAS 109 positions obtaining an understanding of the entity and its environment, including its internal control, as an essential part of the auditor’s
risk assessment process.
SAS 110, Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence Obtained
(“Performing Procedures”)
This Standard introduces significant changes to existing auditing practice.
Its most significant provisions require auditors to:
Determine overall responses to address the assessed risks of material
misstatement at the financial statement level.
Design and perform additional audit procedures that are responsive to
the assessed risks of material misstatement at the relevant assertion level.
These include substantive procedures and, where relevant and necessary,
tests of the operating effectiveness of controls.
Design and perform substantive procedures for all relevant assertions
related to each material class of transactions, account balance, and disclosure, regardless of the assessed risk of material misstatement.
Agree the financial statements and accompanying notes to the underlying records and examine material journal entries and other adjustments
made during the course of preparing the financial statements.
Perform tests of controls to obtain evidence about their operating effectiveness when the risk assessment includes an expectation of the
operating effectiveness of controls, or when substantive procedures alone
do not provide sufficient appropriate audit evidence at the relevant assertion level.
When performing audit procedures at an interim date:
Determine what additional evidence should be obtained for the
remaining period when tests of controls are performed during an
interim period.
Perform further substantive procedures or a combination of substantive
procedures and tests of controls for the remaining period to provide a
reasonable basis for extending audit conclusions based on substantive
procedures performed at an interim date to the period end.
When planning to carry forward and rely upon evidence about specific
controls from previous audits in the current audit:
Inquire, observe and inspect documentation to determine if they
have changed.
Test their operating effectiveness in the current audit, if they have
changed.
Test the operating effectiveness of such controls at least once in every
third year in an annual audit, if they have not changed.
SAS 111, Amendment to SAS 39, “Audit Sampling”
SAS 111 makes several, primarily technical, updates to previous standards,
in order to:
Enhance guidance when the auditor is establishing tolerable misstatement for a specific audit procedure, to require that auditors normally
set tolerable misstatement for a specific procedure at less than financial
statement materiality, so that the required overall assurance is attained
when the results of all audit procedures are aggregated.
Enhance guidance on the application of sampling to tests of controls.
Appendix B: Professional Requirements
The unconditional requirements of each of the Risk Assessment Standards
are summarized below. These requirements are identified in the Standards
by the word “must,” and are required to be performed in all circumstances
where they are applicable.
The presumptively mandatory requirements of these statements number
well over 200, and are too voluminous to reproduce in this Course. Certain
of these requirements are covered in Chapter 5. Also, the documentation
requirements, whether unconditional or presumptively mandatory, are
covered as a group in Chapter 4.
SAS 104 states that the auditor must:
Plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or
her professional judgment, appropriate for expressing an opinion on the
financial statements.
SAS 105 states that the audit (or auditor) must:
Be performed by a person or persons having adequate technical training
and proficiency as an auditor.
Adequately plan the work.
Properly supervise any assistants.
Obtain a sufficient understanding of the entity and its environment,
including its internal control, to assess the risk of material misstatement
of the financial statements whether due to error or fraud, and to design
the nature, timing, and extent of further audit procedures.
Obtain sufficient appropriate audit evidence by performing audit
procedures to afford a reasonable basis for an opinion on the financial
statements.
SAS 106 states that the auditor must:
Obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for the audit opinion.
Not be satisfied with evidence that is less than persuasive.
Perform risk assessment procedures to provide a satisfactory basis for
the assessment of risks at the financial statement and relevant assertion
levels.
Supplement risk assessment procedures with further audit procedures
in the form of substantive procedures and, when relevant or necessary,
tests of controls.
SAS 107 states that the auditor must:
Consider audit risk and materiality.
Determine a materiality level for the financial statements taken as a whole
for four specific purposes listed in the Standard.
Perform the audit to obtain reasonable assurance of detecting misstatements
that could be large enough either individually or in the aggregate, in the auditor’s judgment, to be quantitatively material to the financial statements.
Accumulate all known and likely misstatements identified in the audit,
other than trivial amounts, and communicate them to the appropriate
level of management.
Consider the effects, both individually and in the aggregate, of known
and likely misstatements that are not corrected, in evaluating whether
the financial statements are fairly presented.
Evaluate whether the financial statements taken as a whole are free of
material misstatement.
Determine the implications for the auditor’s report if management refuses
to make necessary corrections.
Determine the implications for the auditor’s report if he or she concludes
that, or is unable to conclude whether, the financial statements are materially misstated.
SAS 108 states that the auditor must:
Adequately plan the audit.
Properly supervise any assistants.
Plan the audit so that it is responsive to the assessment of the risk of
material misstatement, based on the auditor’s understanding of the client
and its environment, including its internal control.
Develop an audit plan which documents the audit procedures that are
expected to reduce audit risk to an acceptably low level.
SAS 109 states that the auditor must:
Obtain a sufficient understanding of the entity and its environment,
including its internal control, to assess the risk of material misstatement
of the financial statements whether due to error or fraud, and to design
the nature, timing, and extent of further audit procedures.
SAS 110 states that:
The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion
regarding the financial statements under audit.
In order for evidence from prior audits to be used as substantive evidence
in the current audit, the evidence and related subject matter must not
fundamentally change.
SAS 111 contains no unconditional requirements.
Appendix C: Definitions
The Risk Assessment Standards introduce or redefine several key terms.
These are presented below, sorted by each SAS. Misunderstanding of these
definitions is a significant cause of difficulty in implementing the Risk Assessment Standards.
SAS 106
Audit evidence. SAS 106 defines audit evidence as “all the information used
by the auditor in arriving at the conclusions on which the audit opinion
is based and includes the information contained in the accounting records
underlying the financial statements and other information.”
Relevant assertions. SAS 106 defines relevant assertions as those which have
a meaningful bearing on whether an account is fairly stated. This is a new
term. It draws attention to the need for audit procedures to be relevant to a
particular assertion in order to be appropriate.
Risk assessment procedures. Risk assessment procedures are defined by SAS
106 as procedures performed on all audits to:
Obtain an understanding of:
The entity
Its environment
Its internal controls
Assess the risk of material misstatement at:
The financial statement level
The relevant assertion level
Risk assessment procedures, according to SAS 106, are necessary to provide
a basis for assessing the risk of material misstatement. Their results, combined with the results of further audit procedures, provide audit evidence
that ultimately supports the auditor’s opinion on the financial statements
taken as a whole.
Sufficient, appropriate audit evidence. SAS 106 uses two key terms to
describe audit evidence: sufficient and appropriate. The term appropriate
replaces competent in previous standards. Its meaning is essentially the same.
Sufficient refers to the quantity of the evidence, while appropriate refers to
its quality. It is difficult to define sufficient audit evidence because the term
refers simply to the amount of evidence collected. Nevertheless, the auditor
must exercise considerable judgment when determining whether audit
evidence is sufficient. SAS 106 offers the following guidance:
An auditor can never reduce audit risk to zero. Therefore, the accumulation of evidence should be persuasive rather than conclusive.
An auditor must work within economic limits but cost cannot be the
sole basis for the quantity or quality of audit procedures. The difficulty
or expense of a test is not a valid reason for omitting it.
An auditor should not form an opinion on the entity’s financial statements until he or she has obtained sufficient appropriate audit evidence
to remove any substantial doubt about a material assertion. Otherwise,
the auditor should express a qualified opinion or a disclaimer of opinion
on the financial statements.
SAS 106 states that audit evidence is appropriate when it is both reliable and
relevant but it does not define either term. It does, however, indicate that
evidence is more reliable when it is:
Obtained from an independent, knowledgeable source outside the entity.
Created under more effective internal controls.
Obtained directly by the auditor rather than indirectly or by inference.
In documentary form.
In the form of original documents rather than photocopies or facsimiles.
Audit evidence should be capable of proving or disproving an assertion made
by the client in its financial records. Therefore, evidence must pertain to or
be relevant to the audit objective or the assertion the auditor is testing before
it can be persuasive. Relevance can be considered only in terms of specific
audit objectives or assertions and evidence may be relevant to one specific
audit objective or assertion but not to another.
EXAMPLE
Assume that an auditor is concerned with whether all shipments made to
customers are being billed by the client (completeness assertion). Selecting a sample of duplicate sales invoices, using the sales invoices as the
population, and tracing them to the related shipping documents, does
not provide relevant evidence for the completeness assertion. Selecting
a sample of shipping documents, using the shipping documents as the
population, and comparing them to the related duplicate sales invoices to
determine if the customers had been billed, does. In this example, tracing from the duplicate sales invoices to the related shipping documents
provides relevant evidence for the existence or occurrence assertion, but
not the completeness assertion.
SAS 107
Audit risk. SAS 107 defines audit risk as “the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements
that are materially misstated” and, therefore, the risk that financial statements
will include material misstatements. The auditor addresses both materiality and
audit risk at an overall financial statement level to develop an audit strategy
that will provide sufficient evidence to enable him or her to reasonably evaluate
whether the financial statements are materially misstated. At the individual account balance, class of transactions, relevant assertion, or disclosure level, audit
risk is made up of inherent risk, control risk, and detection risk. The concept
of audit risk recognizes that auditors are able to obtain reasonable, but not
absolute, assurance that material misstatements are detected.
Control risk. This is the risk that a material misstatement that could occur
in a relevant financial statement assertion, either individually or when aggregated with other misstatements, will not be prevented or detected on a
timely basis by the entity’s internal control.
OBSERVATION
One way to think of inherent risk and control risk is to think of dynamite. Dynamite
is an inherently risky substance, due to its physical properties. Those properties
do not change, no matter who has control of it. This is dynamite’s inherent risk.
It is a constant. Control risk is a variable, depending on possession. When the
hazardous materials squad of the fire department has the dynamite, the control
risk, that is the risk that it will do damage, is low because of their special training
and equipment, and their intention to protect public safety. When a group of
terrorists has the dynamite, the control risk is high because of their intention to
do harm, and their possible lack of proper training and equipment.
Detection risk. This is the risk that the auditor will not detect a material
misstatement that exists in a relevant financial statement assertion, either
individually or when aggregated with other misstatements. Detection risk
can be disaggregated into additional components of tests of details risk and
substantive analytical procedures risk.
Inherent and control risk are always the client’s risks. They exist independently of the audit. Detection risk is the auditor’s risk.
The combined assessment of inherent risk and control risk is termed the
“risk of material misstatement.” The new model for describing audit risk is:
AR = RMM x DR
In the equation, AR is audit risk, RMM is risk of material misstatement
and DR is detection risk. It is a matter of professional judgment as to how
these components are expressed. Some auditors express them in quantitative
terms such as percentages. Many others use qualitative terms such as high,
moderate or low.
OBSERVATION
Risk assessment, like materiality, does not lend itself to strict formulaic
calculation. For this reason, broader qualitative terms, or percentages
expressed in fairly wide ranges, are often the most useful approach to
expressing levels of risk assessment. Precise quantitative expressions,
such as pinpoint percentage calculations, may imply a greater degree of
precision than this process actually intends or is capable of. In addition, by
“putting too fine a point on it” at this stage of the engagement, the auditor
may be setting a standard so high as to make it impossible to conduct the
engagement efficiently or economically.
Inherent risk. This is the susceptibility of a relevant financial statement assertion to a material misstatement, either individually or when aggregated
with other misstatements, assuming there are no related controls.
Materiality. SAS 107 defines materiality as “the magnitude of an omission
or misstatement of accounting information that, in light of surrounding
circumstances, makes it probable that the judgment of a reasonable person
relying on the information would have been changed or influenced by the
omission or misstatement.”
Trivial misstatement. A footnote to SAS 107 defines trivial as “amounts
designated by the auditor below which misstatements need not be accumulated. This amount is set so that any such misstatements, individually or
when aggregated with other such misstatements, would not be material to
the financial statements, after the possibility of further undetected misstatements is considered.”
OBSERVATION
Auditors are required to summarize uncorrected misstatements and to
communicate them to management. In most cases management agrees, in
the representation letter, that they are not material. Trivial misstatements as
designated by the auditor would not be posted to this summary. This is done
for convenience or economy; otherwise, auditors would have to communicate
every misstatement no matter how small to management. Auditors should be
careful, however, in determining this threshold, so that the concept of “trivial
misstatement” does not become an expedient for disposing of misstatements
that may have individual or collective significance on a qualitative basis.
Quizzer Questions: Module 2
Answer the True/False questions by marking a “T” or “F” on the Quizzer
Answer Sheet. Answer Multiple Choice questions by indicating the appropriate letter on the Answer Sheet.
41. In addition to its primary purpose as the principal support for the auditor’s report, SAS 103 lists which of the following as another purpose of audit documentation?
a. Audit documentation constitutes an integral part of the entity’s accounting records
b. Audit documentation demonstrates the accountability of the audit team for the audit procedures it has performed.
c. Audit documentation protects the auditor from legal liability.
d. Audit documentation provides a guarantee of audit quality.
42. Which of the following statements concerning documentation of auditor independence is correct?
a. Auditor independence must be documented in central files.
b. Auditor independence must be documented in each specific engagement audit file.
c. Auditor independence may be documented either in central files or in specific engagement audit files.
d. Auditor independence may be documented when required by firm policy.
43. The documentation in an audit file must be recorded on paper, not electronic media or by other means. True or False?
44. Audit documentation must enable another experienced auditor with no previous connection to the audit to understand the nature, timing, extent, and results of the audit procedures:
a. When allowed contact with the client
b. When combined with oral clarifications
c. Without additional oral explanation
d. When the other auditor re-performs significant audit procedures
45. An example of an unacceptable document identifier for specific items tested is:
a. Every 15th item from the May cash disbursements journal
b. All invoices over $15,000 from the June 2008 accounts payable detail.
c. Checks numbered from 60100 to 60227
d. For an inventory observation, descriptions of the counting procedures and goods observed, the persons involved and their responsibilities, and the location, date and time of the observation
46. When information obtained during the audit contradicts or is inconsistent with the final conclusions on significant findings or issues, audit documentation should:
a. Not mention specific additional procedures performed, if any
b. Retain related information that is found to be incorrect
c. Record how the matter was resolved
d. Exclude the results of consultations within outside experts regarding differences of professional judgment within the engagement team
47. Which of the following statements applies to the report date under SAS 103?
a. The report date falls 45 days prior to the documentation completion date.
b. The documentation completion date may be no later than 90 days after the report date.
c. The report date is the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion.
d. The report date is the last date of significant audit field work.
48. The date that the auditor grants permission for the audit report to be used in connection with the financial statements is known as the:
a. Field work completion date
b. Report date
c. Documentation completion date
d. Report release date
49. During the period prior to the document completion date but after the report date, the auditor may do all of the following except:
a. Remove valid evidence that contradicts final audit conclusions
b. Add information, such as an original of a document that was previously faxed, that was received after the report date
c. Sign off on file completion checklists
d. Perform routine file assembly work, such as collating and cross-referencing the audit documentation
50. Updated or revised audit documentation added to the audit file prior to the document completion date but after the report date must:
a. Contain all the information, evidence, and conclusions that were in the original or superseded documents
b. Preserve the content of preliminary conclusions that are no longer relevant
c. Make no changes to the pre-existing audit documentation
d. Be faithful to original documents in form
51. Additions to audit documentation during the document completion period must show when and by whom the change was made and reviewed, the reason for the change, and its effect, if any, on the auditor’s conclusions. True or False?
52. SAS 99 requires which of the following specific fraud-related items to be recorded in the audit documentation?
a. The fraud risk discussion at the conclusion of the audit.
b. The nature of fraud-related communications made to management, the audit committee, or others.
c. Results of procedures performed to address the risk of design deficiencies in internal control
d. The auditing procedures used to gather the information needed to identify and assess the risk of material misstatement caused by error
53. According to SAS 107, audit documentation should record all of the following except:
a. All known and likely misstatements that have been identified by the auditor and corrected by management, except for trivial amounts.
b. Consideration of the aggregate effects of misstatements.
c. Consideration of the individual effects of trivial misstatements.
d. Separate consideration of known and likely uncorrected misstatements.
54. According to SAS 109, auditors should document the assessment of the risks of material misstatement at both the financial statement and relevant assertion level. True or False?
55. SAS 112 requires auditors to:
a. Communicate only material weaknesses in internal control to the client in writing.
b. Communicate only significant deficiencies in internal control to the client in writing.
c. Make the written communication of significant deficiencies and material weaknesses in internal control no later than 60 days following the report release date.
d. Make the written communication of significant deficiencies and material weaknesses in internal control no later than 45 days following the report release date.
56. SAS 104 indicates that the level of assurance that is intended to be obtained by the auditor is:
a. Expressed in the auditor’s report as reasonable assurance about whether the financial statements are free of material misstatement.
b. Equated with a low level of assurance.
c. That which would be expected by a reasonable user of the financial statements.
d. An absolute level of assurance.
57. SAS 105 broadens the auditor’s responsibilities in which of the following ways?
a. Reducing the emphasis on fraud risk assessment when expanded control risk assessment procedures are undertaken.
b. Expanding the scope of the auditor’s understanding to encompass not only internal control, but also the entity and its environment, including its internal control.
c. Requiring confirmation, observation, and other specific audit procedures.
d. Expanding the documentation requirements for all audits.
58. Substantive procedures should be performed in all audits for all relevant assertions related only to classes of transactions, account balances, and disclosures that are assessed at high risk of material misstatement. True or False?
59. All of the following assertions fall under the “presentation and disclosure” category of assertions except:
a. Completeness.
b. Occurrence and rights and obligations.
c. Existence.
d. Classification and understandability.
60. Which of the following audit procedures is likely to be most effective in providing relevant audit evidence to prove or disprove the client’s rights and obligations assertions concerning a lease agreement?
a. Inspection of the leased premises.
b. Substantive analytical procedures.
c. Inspection of the lease agreement.
d. Inquiry of management.
61. Auditors should perform risk assessment procedures at:
a. Both the financial statement level and the tolerable misstatement level.
b. Both the financial statement level and the account balance, transaction class, and disclosure level.
c. Only the account balance, transaction class, and disclosure level.
d. Only the tolerable misstatement level.
62. Which of the following would likely be the most appropriate benchmark to use in setting materiality for a small, service oriented nonprofit organization?
a. Gross revenues.
b. Pre-tax income.
c. Gross profit.
d. Net income.
63. When a non-public client is in a lease agreement with significant scheduled escalations over its term, and the client has not recorded deferred rent in the previous year:
a. The auditor should consider only the cumulative effect of the uncorrected rent deferral on the ending balance sheet.
b. The auditor should consider only the current and prior period rent expense that flows through the current period’s income statement.
c. The auditor may consider both the income statement and ending balance sheet effects of the prior period misstatements.
d. The auditor must consider both the income statement and ending balance sheet effects of the prior period misstatements.
64. Which of the following statements best applies, under SAS 107, to the auditor’s consideration of the qualitative characteristics of misstatements?
a. Indications of possible fraud on the part of management or key employees may be considered qualitatively immaterial if they fall beneath quantitative tolerable misstatement levels.
b. Misstatements affecting management’s compensation may have qualitative significance even though they do not exceed quantitative thresholds for materiality.
c. A misclassification between current and non-current liabilities is not considered a qualitatively significant misstatement.
d. Previous years’ earnings trends are not qualitatively relevant to misstatements in the current year’s financial statements.
65. The audit plan is the detailed map that describes the nature, timing, and extent of audit procedures to be performed. True or False?
66. Under the requirements of SAS 108, the engagement partner is required to communicate to audit assistants all of the following matters except:
a. Their responsibilities and the objectives of audit procedures to be performed.
b. The assistant’s responsibility to bring to the attention of the client’s management accounting issues raised during the audit that the assistant believes are significant to the financial statements.
c. Matters that may affect the nature, timing, and extent of audit procedures to be performed, such as the nature of the entity’s business and possible accounting and auditing issues.
d. The susceptibility of the entity’s financial statements to material misstatement due to error or fraud, with special emphasis on fraud.
67. Each workpaper in the audit documentation file must be signed-off by a supervisor to indicate that it has been reviewed. True or False?
68. Which of the following statements best applies to the requirement to perform inquiries, apply analytical procedures, and perform observation and inspections in assessing risk?
a. Each of these procedures must be performed for every aspect of the risk assessment.
b. Each of these procedures should be performed for every aspect of the risk assessment.
c. All of these procedures should be performed during the risk assessment.
d. All of these procedures must be performed during the risk assessment.
69. Which of the following statements best applies to the requirements of SAS 109 for the discussion among the audit team in planning the audit?
a. This discussion should include the audit partner and key members of the audit team.
b. This discussion should include the audit partner and all members of the audit team.
c. Fraud risk must be discussed separately from other risks of material misstatement.
d. All members of the audit team should have a comprehensive knowledge of all facets of the audit.
70. Nonroutine transactions involving significant risks are often characterized by:
a. Related party transactions.
b. Reduced manual intervention in data collection.
c. Lack of management intervention to control the accounting treatment.
d. Highly automated data processing.
71. Which of the following circumstances might ordinarily indicate that substantive procedures alone would not provide sufficient appropriate audit evidence for an account balance or transaction class?
a. Audit evidence exists only in electronic form.
b. Audit evidence is highly dependent on the effectiveness of manual controls over its completeness and accuracy.
c. The transaction class contains only a few large transactions.
d. The account balance or transaction class contains judgmental matters that involve significant estimates or uncertainties.
72. The concept of a linkage between audit tests performed and risks assessed essentially means that:
a. Audit procedures should be applied uniformly to all financial statement amounts and disclosures.
b. Audit procedures should be directly correlated to materiality for the financial statements taken as a whole.
c. Areas of higher risk should receive more attention from the audit team than areas of lower risk.
d. More intensive audit procedures should be applied to larger monetary amounts in the financial statements.
73. Which of the following statements best applies to SAS 110’s requirement that internal controls be tested at least once every three years in an annual audit?
a. Auditors should plan to test a portion of the controls at least every other year, and must test each control at least once in every three audits.
b. Significant personnel changes that affect control application do not ordinarily result in shortening the period for retesting a control.
c. Auditors should test the operating effectiveness of some controls every year, irrespective of their planned reliance on the controls.
d. When there is a significant assessed risk of material misstatement at the relevant assertion level and the auditor plans to rely on a control to mitigate that risk, the operating effectiveness of that control should be tested in the current period, regardless of the three year rule.
74. The sources and reliability of information and the persuasiveness of audit evidence should be considered in forming a conclusion as to whether sufficient appropriate evidence has been obtained to reduce the risk of material misstatement to an appropriately low level. True or False?
75. The size of a sample for tests of details is usually influenced by other factors in which of the following ways?
a. Sample size decreases as expected misstatement increases.
b. Sample size increases as audit risk decreases.
c. Sample size increases as expected misstatement decreases.
d. Sample size increases as audit risk increases.
76. Statistics such as interest rates and the consumer price index can be useful to auditors in developing expectations for analytical procedures. True or False?
77. The requirements of SAS 114 for the auditor to communicate with those charged with governance do not apply to:
a. Small, owner-managed entities.
b. SEC-issuers.
c. Entities that do not have formally constituted audit committees.
d. Governmental and nonprofit entities.
78. In a family-owned enterprise without a formally defined governance structure, auditors should direct communications to those charged with governance to:
a. The controller or senior accounting employee.
b. The majority owner.
c. Such person or persons as agreed to with the engaging party.
d. No one, because they are not required under these circumstances.
79. Under AS-5, a significant deficiency is described as a deficiency or combination of deficiencies in internal control over financial reporting:
a. That creates more than a remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected on a timely basis.
b. Such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
c. That is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
d. That creates more than a remote likelihood that a material misstatement will not be prevented or detected on a timely basis.
80. When quoted prices for identical assets or liabilities in active markets are not available as an input to measure fair value, which of the following inputs would be regarded by FAS 157 as the least reliable alternative?
a. Unobservable inputs in which the reporting entity makes its own assumptions about the marketplace.
b. Observable inputs other than quoted prices, such as interest rates or yield curves, observable at commonly quoted intervals.
c. Quoted prices for identical or similar assets or liabilities in markets that are not active.
d. Inputs derived from or corroborated by observable market data by correlation or other means.
81. FAS 158 requires, with respect to the overfunded or underfunded status of a defined benefit postretirement plan (other than a multi-employer plan), that an employer:
a. Report the excess of plan assets over benefit obligations as accumulated other comprehensive income.
b. Recognize current-year changes in the overfunded or underfunded status as a part of net income from continuing operations.
c. Recognize an asset or liability in its financial statements.
d. Disclose the overfunded or underfunded status in a footnote only.
82. In evaluating a tax position under FIN 48, entities should do all of the following except:
a. Assume, when determining whether a position meets the more-likely-than-not threshold, that the taxing authority will have full knowledge of all relevant information.
b. Not consider possible resolution through appeals or litigation when determining whether a position meets the more-likely-than-not threshold.
c. Evaluate tax positions for all jurisdictions in which the entity is subject to taxes based on income.
d. Measure the amount of benefit to recognize in the statements as the largest amount that would be more than 50 percent likely of being realized on settlement.
83. Which of the following statements best applies to auditors who wish to provide assistance to their audit clients in implementing FIN 48?
a. They should advise their clients to seek assistance from a third party in implementing FIN 48.
b. They cannot assist clients in measuring the amount of the benefit to be recognized.
c. They should take care to observe the requirements of ET 101-3 for providing nonattest services.
d. Auditors are prohibited from providing assistance to their audit clients in implementing FIN 48.
84. The AICPA’s Clarity Project envisions all of the following except:
a. Redrafting all existing SASs according to the new Clarity Project conventions.
b. Including an exposure draft and public comment period for the redrafted standards
c. More clearly differentiating between professional requirements and application or explanatory material.
d. Providing special considerations for audits of SEC issuers.
85. The PCAOB has created seven task forces charged with monitoring certain IAASB activities and working toward convergence with international auditing standards. True or False?
86. One of the purposes of the “Findings for Further Consideration” (FFC) form under the new Standards is to:
a. Eliminate the letter of comments on report reviews.
b. Document matters warranting further consideration in the evaluation of a firm’s QC system.
c. Document the reviewer’s recommendations and the reviewed firm’s responses.
d. Summarize all “Matter for Further Consideration” (MFC) forms, ensure that they have been addressed, and document how they were resolved.
87. Which of the following statements best describes the disposition of the “Findings for Further Consideration” (FFC) form under the new Standards?
a. Copies of this form should be maintained by the peer reviewer and the administering entity until after the completion of the next review.
b. This form should be filed with the AICPA Peer Review Board by the administering entity.
c. This form must be retained by the administering entity for public inspection in jurisdictions with mandatory peer review requirements.
d. This form should be maintained by the reviewed firm until 90 days after the approval of the peer review is received from the administering entity.
88. When the review captain in an engagement review concludes that deficiencies are evident on all engagements submitted for review, except when the exact same deficiency appears on multiple engagements and no other deficiencies were evident, which of the following report ratings is appropriate under the new Standards?
a. Pass with deficiencies.
b. Modified.
c. Fail.
d. Adverse.
89. Among the significant changes to the old reporting model are that the new report is shorter and contains a URL that takes readers to a “plain English” description of the nature, objectives, scope, limitations of, and procedures performed on the peer review. True or False?
90. The new Standards have merged:
a. The old engagement review into the new system review.
b. The old report review into the new engagement review.
c. The old CPCAF review into the report review.
d. The old report review into the system review.
91. Documented quality control policies and procedures are required under SQCS 7 for:
a. All firms in states with mandatory peer review requirements.
b. All AICPA member firms, regardless of the nature of their practice.
c. All firms except those with only no-disclosure compilation practices.
d. All firms with accounting or auditing practices.
92. Under the new quality control element “leadership responsibilities for quality within the firm,” firms are required to:
a. Promote an internal culture based on the recognition that the quality of work is important, but secondary to economic considerations.
b. Establish policies and procedures to promote an internal culture based on the recognition that quality is essential.
c. Assign management responsibilities consistent with commercial considerations.
d. Address performance evaluation, compensation, and promotion so as to reward members who bring in new clients over technicians.
93. Which of the following statements best describes an engagement quality control review under SQCS 7?
a. It is a pre-issuance process performed by or under the supervision of the engagement partner.
b. It is designed to provide a post-issuance assessment of engagement quality as part of the firm’s monitoring program.
c. It is designed to provide an objective evaluation of the significant judgments the engagement team made and the conclusions they reached in formulating the report.
d. It is a post-issuance process performed by persons who are not otherwise involved in performing the engagement.
94. The criteria for which engagements will be subject to engagement quality control reviews are to be established by each firm in its quality control policies and procedures. True or False?
95. Under the requirements of SQCS 7 for monitoring, firms should:
a. Establish policies and procedures for withdrawal from a specific engagement or from a client relationship.
b. Assign responsibility for monitoring to randomly selected individuals within the firm.
c. Evaluate the effects of deficiencies noted in monitoring to determine if they are systemic in nature.
d. Communicate deficiencies and recommendations for remedial action to appropriate firm personnel monthly.