aud - amazon s3 · nature and scope 1 nature and scope of audit engagements 1 ... understanding an...

AUD 2019 SuperfastCPA Review Notes

Table of Contents

Ethics & Professional Responsibilities Nature and Scope 1

Nature and Scope of Audit Engagements 1 Audits Under GAO and GAS Standards 5 Non-Audit Engagements 7

Ethics & Independence 11 AICPA Code of Professional Conduct 11 Requirements of SEC and PCAOB 15 Requirements of the GAO and the DOL 17

Terms of Engagement 19 Preconditions for an Engagement 19 Terms of Engagement and Engagement Letter 20

Requirements for Engagement Documentation 21 Communication with Management & Those Charged with Governance 22

Planned Scope and Timing of an Engagement 22 Internal Control Related Matters 23 All Other Matters 25

Communication with Component Auditors and Others 26 A Firm's System of Quality Control 28

Assessing Risk and Developing a Planned Response 30 Planning an Engagement 30

Developing an Overall Strategy 30 Developing a Detailed Engagement Plan 31

Understanding an Entity and Its Environment 37 External Factors Including the Applicable Financial Reporting Framework 37 Internal Factors Including Nature of Entity, Risk Strategy 38

Understanding an Entity's Internal Control 39 Control Environment and Entity-Level Controls 39 Flow of Transactions and Design of Internal Controls 50 Implications of Using a Service Organization 51

IT General and Application Controls 53 Identifying and Assessing Risk of Material Misstatement 57

Impact of Risk at Financial Statement Level 57 Limitations of Controls and Risk of Management Override 59 Impact of Risks for Each Relevant Assertion 61 Further Procedures Responsive to Identified Risks 64

Materiality 65 For the Financial Statements as a Whole 65 Performance Materiality and Tolerable Misstatement 66

Planning for and Using the Work of Others 67 Specific Areas of Engagement Risk 70

An Entity's Compliance with Laws and Regulations 70 Accounting Estimates, Including FV Estimates 72 Related Parties and Related Party Transactions 74

Performing Further Procedures and Obtaining Evidence 75 Understanding Sufficient Appropriate Evidence 75 Sampling Techniques 77 Performing Specific Procedures to Obtain Evidence 81

Analytical Procedures 81 External Confirmations 84 Inquiry of Management and Others 85 Observation and Inspection 86 Recalculation and Reperformance 87 All Other Procedures 88

Specific Matters 89 Opening Balances 89 Investments in Securities and Derivatives 90 Physical Observation of Inventory and Inventory Held by Others 91 Litigation, Claims, and Assessments 92 An Entity's Ability to Continue as a Going Concern 93 Accounting Estimates, Including FV Estimates 94

Misstatement and Internal Control Deficiencies 95 Written Representations 97

Subsequent Events 98 Forming Conclusions and Reporting 100

Reports on Audit Engagements 100 Forming an Auditing Opinion & Modification of an Opinion 100 Form and Content of an Audit Report & Emphasis of Matter Paragraphs 104 Audit of Internal Control Integrated with Audit of Financial Statements 110

Reports on Attestation Engagements 116 General Standards for Attestation Reports 116 Agreed-Upon Procedures Reports 117 Reporting on Controls at a Service Organization 118

Accounting and Review Service Engagements 120 Preparation Engagements 120 Compilation Reports 121 Review Reports 122

Reporting on Compliance 125 Other Reporting Considerations 126

Comparative Statements and Consistency Between Periods 126 Other Information in Documents with Audited Statements 128 Review of Interim Financial Information 129 Supplementary Information 130 Single Statements 131 Special-Purpose and Other Country Frameworks 132 Letters for Underwriters and Filings with the SEC 133 Alerts that Restrict Written Communication 134 Additional Reporting Requirements Under Gov Auditing Standards 135

1 Copyright © 2019 SuperfastCPA.com

Ethics & Professional Responsibilities

Nature and Scope

Nature and Scope of Audit Engagements

The purpose of an audit is to have an independent auditor issue an opinion as to whether the financial statements are presented fairly according to the applicable framework. Non-Issuer Audits These are non-public companies, and audits of non-issuers are subject to the clarified auditing standards (AU-Cs) issued by Auditing Standards Board (ASB). Objectives of an Audit of Financial Statements According to AU-C 200

• Obtain reasonable assurance that the financial statements are free from material error, which allows the auditor to express an opinion whether the statements are presented fairly according to the applicable framework.

• Report on the financial statements and communicate as required by GAAS (generally accepted auditing standards), in accordance with the auditor’s findings.

Issuer Audits (public companies) These audits are subject to the PCAOB’s Auditing Standards (AS 1015 for example).


Objective of the Independent Auditor According to AS 1001 The objective of the ordinary audit of financial statements by the independent auditor is the expression of an opinion on the fairness with which they present, in all material respects, financial position, results of operations, and its cash flows in conformity with generally accepted accounting principles. The auditor's report is the medium through which he expresses his opinion or, if circumstances require, disclaims an opinion. In either case, he states whether his audit has been made in accordance with the standards of the PCAOB. These standards require him to state whether, in his opinion, the financial statements are presented in conformity with generally accepted accounting principles and to identify those circumstances in which such principles have not been consistently observed in the preparation of the financial statements of the current period in relation to those of the preceding period. In both cases the main objective of an audit is to have an independent auditor express an opinion on whether the financial statements are presented fairly based on the applicable reporting framework.

Assertions The “assertions” are key to the whole audit process. The assertions are the underlying claims made by management about the financial statements. When management gives the auditor their listing of PP&E for example, management is essentially making the “claim”, or assertion, that the items on that list actually exist, that list is complete (nothing left out), that the business actually owns the items listed, and that the values of the items are listed correctly. The auditor then assesses the risk of material misstatement based on these assertions and performs audit procedures. That’s how the audit works in a nutshell.


It helps a LOT to just “think” about the meaning of the words, especially in the context of the question being asked. For example, “completeness” … this includes procedures or tests to determine if a population is complete- or if everything has been included that should be included. They are grouped into 3 categories: Account balances (4 assertions)

• Existence: This assertion means that all the assets, liabilities, and equity actually exist

• Completeness: That all assets, liabilities, and equity that should have been recorded, have been recorded. That nothing has been left out

• Rights and Obligations: That the entity holds or controls the rights to its assets, and the liabilities are that of the entity. Any restrictions on either need to be disclosed

• Valuation and Allocation: That the assets, liabilities, and equity are included in the financial statements at the proper amounts

Presentation and disclosure (4 assertions)

• Occurrence and Rights & Obligations: That the disclosed events and transactions have actually occurred and pertain to the entity

• Completeness: That all disclosures that should have been included have been included. Nothing left out.

• Classification and Understandability: That the financial information is appropriately presented, described, and clearly expressed

• Accuracy and valuation: That the financial information is disclosed fairly and at the appropriate amounts

Classes of transactions and events (5 assertions)

• Accuracy: That amounts and other data have been recorded appropriately


• Occurrence: That transactions and events recorded actually occurred

• Completeness: That all transactions and event that should have been recorded have been recorded. Nothing left out

• Cutoff: That the transactions have been recorded in the proper period

• Classification: That the transactions have been recorded in the proper accounts

Read through the assertions until you understand them. This makes everything about AUD easier to understand.


Audits Under GAO and Government Auditing Standards

The GAO issues Government Auditing Standards (Yellow Book) - also referred to as GAGAS (generally accepted government auditing standards) - and these standards apply to audits involving federal government programs or activities, or other entities that receive federal funds. The objective of a financial statement audit under GAGAS is similar to a non-government audit: determining whether the financial statements are presented fairly based on the applicable reporting framework. Additionally, GAGAS audits require separate reporting on internal controls and adherence to applicable laws and regulations, depending on the entity being audited. Therefore, the scope of a GAGAS audit is larger than a non-government audit. Governmental auditing standards require a separate report on internal control that includes a description of the scope of the auditor’s work in obtaining an understanding of internal control. This report will also include any significant deficiencies or material weaknesses noted. BUT, the regular audit report and the report on internal controls can be combined. A government audit will also include a report on compliance with laws, regulations, and the provisions of any grant agreements. An audit subject to the yellow book standards includes 3 reports:

• An audit report • A report on internal control (this and the audit report can be

combined) • A report on any applicable compliance with laws or

regulations


In a government audit, the auditor is required to report any fraud or illegal acts to outside authorities IF:

• Management fails to report the information as required by law,

• OR, if management fails to take timely action to respond to the fraud or illegal act

Single Audits State and local government agencies that spend at least $750,000 in federal funding must get a “single audit”. The point of a single audit to verify that federal funds have been spent according to the programs the funds were received for. Materiality for single audits is determined separately for each major federal financial assistance program.


Non-Audit Engagements

For non-audit engagements, there are basically two categories: 1) Engagements dealing with historical financial statements that are not a full audit engagement. The AICPA’s SSARs govern these types of engagements, and they include:

• Reviews - provides limited assurance, is an attest engagement.

• Compilations - provides no assurance, is an attest engagement.

• Preparation of financial statements - provides no assurance, is not an attest engagement.

These services apply to non-issuers (non-public companies). Each of these engagement types require an engagement letter, and a report from the auditor is part of both reviews and compilations, but there is no report issued with a preparation of financial statements. See the details of each engagement type below. 2) Engagements dealing with written representations or subject matter other than historical financial statements. The AICPA’s Statements on Standards for Attestation Engagements (SSAEs) apply to these types of engagements. These include:

• Examination engagements • Review engagements (different than a financial statement

review above) • Agreed-upon procedures engagements


SSARs or “Statements on Standards for Accounting and Review Services” These standards apply to “reviews”, “compilations”, and now “preparation of financial statements”. A review is an assurance engagement & an attestation engagement that provides “limited assurance” that there are no material modifications that should be made to the financial statements. For a review, the auditor must be independent. The basics of a review are:

• Possess knowledge of a client’s industry • Apply analytical procedures • Perform inquiries of management • Obtain a representation letter

Each page of an entity’s financial statements that have been ‘reviewed’ should include the reference “See Accountant’s Review Report” In a review engagement, the auditor is NOT required to obtain an understanding of internal controls. A compilation is basically assisting management to draft the financial statements, without providing ANY level of assurance. It is an attestation engagement but NOT an assurance engagement. Also, a compilation can be performed for prospective or pro-forma information in addition to historical financial statements. An auditor does NOT have to be independent to do a compilation for a client since no assurance is provided. BUT, if the auditor is not independent, the accountant should disclose this fact in the compilation report.


The compilation report explicitly states that the financial statements have not been audited, and that the accountant has compiled the financial statements. Remember that no procedures whatsoever are performed on the data in a compilation. The auditor is expected to understand the client and the client’s industry, but no audit procedures of any kind are performed since no assurance is being provided. Preparation of financial statements: this is what it sounds like. The accountant takes the information from management and prepares the financial statements. A preparation is a nonattest service. The accountant does NOT have to be independent for this type of engagement. There should be an engagement letter that outlines management’s responsibilities & the accountant’s responsibilities. Each page of the financial statements should include a statement that no assurance is provided.

SSAEs or “Statements on Standards for Attestation Engagements” For all types of engagements under the SSAEs, the CPA needs to be independent. Examinations These are fairly in-depth engagements where the CPA ultimately obtains reasonable assurance about the subject matter being


fairly stated or in accordance with applicable criteria (that it is what it says it is). It differs from an audit in that it’s not dealing with historical financial statements. A report is issued that provides the CPA’s opinion as to whether the subject matter conforms to the criteria. Attestation Review Engagements (not a financial statement review) In this type of engagement, the CPA is providing limited assurance that the subject matter conforms to the criteria, and again, the subject matter can be a number of things, just not historical financial statements or it would be a financial statement review. A report is issued that contains a conclusion about whether there is a need for any material modifications in order to be in accordance with the criteria. Agreed Upon Procedures Engagements In this type of engagement, a CPA is engaged to perform procedures and report findings based on the criteria set by the specified parties. A report is issued that describes the procedures performed and the findings as a result of the procedures.


Ethics & Independence

AICPA Code of Professional Conduct

One of the main points of the code of professional conduct is for CPAs to go above and beyond the minimum requirements to show the public that CPAs willing to accept responsibility to the public. Along with that, CPAs should not only be competent with the professional services they provide, they should also cooperate with other CPAs to improve the accounting profession. The 3 main groups of rules that CPAs must honor involve:

• Integrity • Objectivity • Independence

As far as gifts from clients go, the 2 things to keep in mind are:

• Gifts from clients cannot violate the client’s laws or regulations, OR the CPA’s laws or regulations

• Even if a gift isn’t explicitly violating any laws, it still needs to be “reasonable under the circumstances”

When a CPA disagrees with their superior about the treatment of a significant transaction, if the discussion with the superior does not resolve the issue, then the CPA should go over the superior’s head. Even if a CPA has not handled a certain type of transaction or tax issue before, they can still accept such engagements if they believe in good faith that they can research the issues and handle them properly.


Outsourcing professional services requires the notification and approval of the client. If the client doesn’t want any of their services outsourced, the CPA should either not outsource the work, or not accept the engagement in the first place. The client controls who a CPA can release audit documentation to, unless ordered by a court or the CPA society’s quality review board. Even if a CPA firm is purchased, the client has to agree that the purchaser can access the audit documentation. Also, client records are owned by the client and must be returned to the client upon request, even if the CPA has not been paid yet. Schedules or workpapers that the CPA has prepared do NOT need to be returned to the client if the client has not paid. A CPA that fails to pay their own income tax is considered an act discreditable to the profession. A CPA cannot receive a contingent fee for attest-related services. A CPA can receive a contingent fee for a private letter ruling. Accepting a commission for recommending a product to an audit client is essentially a kickback and is prohibited. Tax accountants can accept referral fees and commissions if they are disclosed to the client.


The only times a CPA should provide confidential client information to another party is:

• A review of the CPA’s professional practice by the state CPA society

• An inquiry from the professional ethics division of the AICPA • The potential buyers of a CPA firm can view client records,

but before the records are actually turned over to the new buyers, the client must give permission

• A court-ordered subpoena o (A mere request or letter from the SEC or IRS does

NOT count, and the CPA should never provide client information until there is an actual court-ordered subpoena)

As long as the information is accurate, informative, and truthful, a CPA can advertise his or her services like other businesses advertise. Independence Rules All CPAs should be independent when involved in attest services. If the code and its interpretations do not directly provide guidance for a certain situation, then the conceptual framework should be applied. Threats to independence are concentrated in 4 areas:

• Financial relationships: A audit partner can’t own stock in an audit client

• Employment relationships: An audit partner can’t be on the board of an audit client

• Family relationships: An audit partner shouldn’t audit his brother’s company

• Consulting relationships: An audit firm can’t provide internal audit consulting to an audit client


Covered members: You’ll see questions on the exam about “covered members”, which means someone who falls under the independence rules based on their situation. The following would be considered covered members:

• Any member of the attest engagement team • Any person in a position to influence the attest engagement • A partner or manager that provides more than 10 hours of

nonattest services to the client within the fiscal year • A partner in the same office as the lead engagement partner

If a “covered member” is very wealthy and has no investments that are individually materially to that member, they still cannot have a direct investment in an attest client, no matter how small. That includes mutual funds. The member’s spouse also cannot have a direct financial interest. A covered member can have a car loan with a client bank. An audit firm can lease office space from an attest client as long as the operating lease is on normal terms and all amounts are paid on time and in accordance with the terms of the lease.


Requirements of SEC and PCAOB

SEC Rules The rules from the SEC for independence and professional conduct are very similar to the AICPA rules. Main requirements as a CPA to audit a public company:

• Must be in good standing and registered under the laws of the CPA’s state

• Must be independent and capable of exercising objective and impartial judgement

Other specific rules you could see a question on:

• The CPA (firm) or the CPA’s direct family members can’t have a direct investment in an audit client such as stocks or bonds

• Members/employees of the firm can’t own more than 5% of the stock of an audit client

• Can’t have direct or material indirect investment in a company that the audit client has a material investment in, nor in a company that has a material investment in the audit client

• Can’t have a credit card issued from an audit client if the balance is $10,000 or more owed to the client

• An audit client can’t make a direct investment in the accounting firm

PCAOB Rules SOX created the PCAOB to govern public company audit firms and creates standards for such audits.


Specific rules you might see a question on: • Any kind of contingent fee charged to an audit client impairs

independence • Members of the audit firm impair their independence if they

perform any tax service to a person in a financial reporting oversight role from the audit client

• Tax consulting services can be performed for a public company audit client if it is pre-approved by the client’s audit committee. The CPA firm is required to describe the scope and compensation for the service, discuss it with the audit committee, and document the discussion

• Other non-audit services can be approved in this same way, except for consulting related to internal controls over financial reporting


Requirements of the GAO and the DOL

GAO Standards Again, these are very similar to the AICPA code of professional conduct. Auditors who perform GAGAS audits are expected to be independent, and adhere to the following ethical principles:

• The public interest • Integrity • Objectivity • Proper use of government info and resources in performing

audits; auditor should never use government resources for personal gain

• Professional behavior including avoiding conflicts of interest, complying with applicable laws and regulations, and meeting technical and professional standards

The GAO’s ethical principles apply to firms that audit federal government agencies, or schools/entities that receive federal grants. They do not apply to audit firms that audit public companies. According to the GAO’s standards, there are 3 types of impairments to independence:

• Personal • External • Organizational

GAO standards allow for auditors to perform non-audit services for their audit clients. One thing they can’t do is design an entity’s accounting system and then audit the entity. Auditors that perform GAGAS audits should complete 24 hours of yellowbook CPE every two years.


Department of Labor Rules The DOL rules in this context mostly deal with the audit of employee benefit plans under ERISA. Most DOL audits follow government auditing standards, which include audits of compliance with laws or evaluating the effectiveness achieving program results. Like with the other rules, the big overriding rule is that auditors must be independent. The two broad categories that would impair independence are financial (having a direct financial interest in an entity to be audited) and employment ties to a plan sponsor.


Terms of Engagement

Preconditions for an Engagement

The preconditions for an audit are: • Determine whether the financial reporting framework to be

applied is acceptable • Obtain an agreement of management that it acknowledges

and understands its responsibility:

⁃ for the preparation and fair presentation of the financial statements in accordance with the applicable reporting frameworks

⁃ for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error

⁃ to provide the auditor with

⁃ access to all information, documents, records, etc that is relevant to the preparation of the financial statements

⁃ additional information that the auditor may request for purposes of the audit

⁃ unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence

These written representations are made by management in the

“rep letter”.


Terms of Engagement and Engagement Letter

The auditor needs to agree with management to the terms and only accepts the engagement if the preconditions for an audit exist and an understanding of the terms is agreed to by the auditor and management (or those charged with governance). These terms are agreed to in the engagement letter, which contains:

• The objective and scope of the audit of the financial statements

• The responsibilities of the auditor • The responsibilities of management • A statement addressing the inherent limitations of an audit

that could still lead to missing a material misstatement that exists

• Identification of the applicable reporting framework for the audit

• Reference to the expected form and content of any reports to be issued by the auditor


Requirements for Engagement Documentation

The overriding idea behind audit documentation is to compile documentation to the point that an experienced auditor that had no previous connection with the audit could look through the documentation and understand:

• the nature, timing, and extent of audit procedures performed • the results of the audit procedures performed, and the audit

evidence obtained • significant findings or issues discovered during the audit, the

conclusions reached, and significant professional judgements made in reaching those conclusions

Considerations in actually documenting the audit:

• The identifying characteristics of the specific items or matters tested should be documented

• Who performed the audit work and the date such work was completed should be documented

• Who reviewed the audit work and the date and extent of such review should be documented

The actual audit workpapers and copies of significant contracts, agreements, documents, schedules, etc make up the “audit file”, which should be in physical or electronic form. The auditor should document the report release date in the audit documentation, and the final audit file should be assembled no later than 60 days after the report release date. The retention period for the final audit file should not be less than 5 years from the report release date. The auditor should adopt reasonable procedures to maintain the confidentiality of the client information.


Communication with Management & Those

Charged with Governance

Planned Scope and Timing of an Engagement

When communicating with management regarding the audit, an overview of the audit process should be provided but it should not be so detailed as to reduce the effectiveness of the audit procedures, meaning that the audit procedures shouldn’t become completely predictable to management. The exact details of the auditor’s plan for tests and procedures should not be communicated. The auditor should communicate:

• How the auditor will address the risks of material misstatements whether due to fraud or error

• Issues regarding internal control and the internal audit function (if exists)

• The application of materiality in the context of the audit


Internal Control Related Matters

The auditor should communicate in writing any significant deficiencies or material weaknesses in internal control to management or those charged with governance. This communication should be provided by the audit report date and not later than 60 days after the report release date. Significant deficiency in internal control: A deficiency or combination of deficiencies in the design or operation of a control that doesn’t prevent, detect, or correct misstatements on a timely basis. This is less severe than a material weakness. Material weakness in internal controls: A deficiency or combination of deficiencies that results in a reasonable possibility that a material misstatement will result as a result of the deficiency. The communication should include:

• The definition of material weakness and if applicable, the definition of a significant deficiency

• A description of the significant deficiencies and material weaknesses and an explanation of the effects

• Elements that explain

⁃ That the purpose of the audit was for the auditor to express an opinion on the financial statements

⁃ The audit included consideration over internal control but not for the purpose of expressing an opinion on internal control

⁃ The auditor is not expressing an opinion on the effectiveness of internal control

⁃ The consideration over internal controls was not designed to detect all possible deficiencies in internal


control and that there could be other deficiencies in internal control that weren’t identified


All Other Matters

There are many items that would require communicating to management or those charged with governance besides the scope of the audit or internal control deficiencies, such as:

• Significant misstatements discovered by the auditor but corrected by management

• Disagreement with management on significant issues that could affect the financial statements

• Management’s consultations with other accountants regarding significant accounting matters

• Any significant difficulties in dealing with management in performing the audit such as not making key information available to the auditor


Communication with Component Auditors and Others When a group of businesses is being audited, it is a “group audit”. It’s common in a group audit to use component auditors, who will gather audit evidence for the group audit. Communications with a Component Auditor Communication with a component auditor should include the following:

• A request to confirm that the component auditor will cooperate with the engagement team

• The ethical requirements and independence requirements applicable to the group audit

• A list of related parties and a request for the component auditor to identify any related parties relevant to the group audit

• Identified significant risks of material misstatement due to fraud or error that are relevant to the component auditor’s tasks within the group audit

There are also several communications that the engagement team should request from the component auditor, such as:

• Whether the component auditor has complied with the ethical and independence requirements of the group audit

• Identification of the financial information of the component on which the component auditor is reporting

• The component auditor’s overall findings, conclusion, or opinion

Matters to be Communicated to Parties Other Than Management and Those Charged with Governance If the auditor discovers noncompliance with laws or regulations, and the auditor suspects that management and those charged


with governance are involved in the noncompliance, then the auditor should go to the next higher level of authority. If no such higher authority exists, then the auditor should consider the need to seek legal advice and determine whether the auditor has a responsibility to report the identified or suspected noncompliance to parties outside the entity.


A Firm's System of Quality Control

Statements on Quality Control Standards (SQCSs) These are statements issued by the AICPA’s Auditing Standards Board. They apply to everything about accounting and auditing engagements and provide guidelines for implementing a quality control system. 6 Elements to a quality control system

• Leadership responsibilities such as “tone at the top”

⁃ Emphasis should be on performing work that complies with professional standards

• Relevant and ethical requirements

⁃ Policies should be implemented that help ensure that firm personnel comply with applicable ethical requirements

• Acceptance and continuance of clients and specific engagements

⁃ One of the main purposes for QC regarding client acceptance is so a firm only accepts engagement that it is qualified to perform

⁃ On the other side, to minimize the chances of working with a client whose management lacks integrity

• Human resources

⁃ QC procedures over human resources should ensure the firm has sufficient, competent personnel to handle the firm’s engagements in accordance with the applicable requirements and issue required reports required by the engagements

• Engagement performance

⁃ One primary purpose is to ensure that engagements are adequately supervised


⁃ Needs to provide elements to support consistency of engagement performance, supervision, and review functions

• Monitoring- meaning ongoing quality control efforts

⁃ Ongoing review of the QC procedures to ensure that they are appropriate, relevant, and operating effectively.

The engagement partner is responsible for overall audit quality. A firm’s QC procedures can be communicated to employees orally or in writing. When there is a difference of opinion on a significant matter between members of the audit team, the details of reaching a resolution should be documented. The nature and extent of a firm’s QC procedures are based on the firm’s size, the nature of the firm’s practice, and cost/benefit considerations. The SQCS’s scope is limited to auditing, accounting, and review services. The procedures can obviously be applied to a firm’s other service areas, but the SQCSs don’t require it.


Assessing Risk and Developing a Planned

Response

Planning an Engagement

Developing an Overall Strategy

In developing an overall audit strategy, the auditor should: • Identify the characteristics of the audit that define its scope • Assess the reporting objectives in order to plan the timing of

the audit and nature of communications required • Decide what factors are significant in directing the audit team • Analyze the results of the preliminary procedures • Assess the nature, timing, and extent of resources

necessary to perform the engagement


Developing a Detailed Engagement Plan

Developing a detailed engagement plan involves doing a risk assessment and obtaining an understanding of the entity and its environment, and if applicable, this is done while comparing/contrasting to the previous year’s engagement. Audit Planning The point of audit planning is to plan the audit so that it will be performed effectively. The engagement partner and other key members of the audit team should be the ones involved in planning. Preliminary Engagement Activities The auditor needs to evaluate any quality control issues that could affect client acceptance. The auditor needs to evaluate any potential independence issues. The auditor needs to determine if the audit will require the work of a specialist. This could be appraisers, tax specialists, IT specialists, valuation experts, or others. The auditor should be sufficiently knowledgeable to accomplish the objectives of the audit, but in some cases the work of a specialist will be required to complete certain audit procedures. In the audit documentation, the auditor should include:

• The overall audit strategy • The audit programs • Any major changes made to the overall strategy or audit

programs during the audit, and the reasons for any such changes


Materiality Materiality means an amount that if missing or misstated on the financials would likely lead a reasonable person to be influenced to make a different decision than if the amount had been correct. Materiality really just means “big enough to matter”. Under the Clarified Standards, the focus is on “performance materiality” Under the Clarified Standards, materiality needs to be documented at:

• The financial statement level • Materiality levels for specific transactions or account

balances – “performance materiality” • Document any revisions to materiality during the audit

Audit Risk This is the risk or probability that the auditor expresses a clean opinion when there is actually a material misstatement in the financial statements The auditor’s responsibility is to plan and perform the audit in a way that obtains “reasonable assurance” that any material misstatements are detected. Reasonable assurance is a high level of assurance, which in turn provides a low level of audit risk. Audit risk model: It has 3 elements:

• IR (inherent risk) • CR (control risk) • DR (detection risk)

Audit Risk = IR x CR x DR


Inherent Risk: This is the risk of misstatement due to error or omission as a result of factors other than the failure of internal controls. Control Risk: This is the risk of material misstatement due to a failure in internal controls. Detection Risk: The risk that the auditors fail to detect a material misstatement in the financial statements. Analytical Procedures These are evaluations of financial information based on relationships among both financial data and non-financial data. This can involve trends, comparing this year’s balances to last years, ratios, etc. Analytics are used in 3 ways:

• They’re used in the planning stage for risk assessment • They can be used as a substantive procedure, but it’s not

required • They are used as a final review

Just remember that analytics are required in the planning and review stage. The auditor’s “expectation” is the key to effective analytics. Detecting Fraud This will be asked in many forms on the exam, so the key words to remember is that an audit provides REASONABLE assurance that material errors or fraud will be detected.


Also, audit procedures that are effective for detecting an unintentional misstatement still might not be able to detect an intentional misstatement (fraud) when collusion is involved. The idea of “professional skepticism” is a big topic- it means having a “questioning” mind and a “critical assessment” of audit evidence- NOT “assuming” that fraud is happening, but “questioning” assertions made by management. Types of Fraud There is fraudulent financial reporting, and there is misappropriation of assets (actually physically stealing cash or inventory). Risk factors that could lead to fraudulent financial reporting:

• Pressure to meet expectations or requirements such as • Earnings projections • Debt covenants • Requirements for financing agreements

The risk also increases if there is a large opportunity to manipulate financials such as the business model involves a lot of estimates that are hard to corroborate, or if there are many significant decisions being made by just a few key decision-makers. Risk factors leading to asset misappropriation:

• Pressures on employees such as personal financial problems.

• Low employee morale or the attitude of “the company owes me” or “I’m underpaid”

• If assets are easy to access, such as employees that have access to the cash


Management Override of Internal Controls One of the biggest risk factors for fraud is when management overrides the internal controls. This could be a member of management pushing through a transaction that doesn’t have a real business purpose, or an unauthorized journal entry, or putting pressure on an employee to make a journal entry they wouldn’t normally make. Procedures would include:

• Examining adjusting journal entries • Especially JE’s close to beginning and end of reporting

periods • Evaluate estimates for bias • Examine authorization for unusual transactions

Communication if fraud is found: The auditor informs ‘those charged with governance when senior management is involved in the fraud, OR if the misstatement is material even if senior management is not involved. If the misstatement is NOT material, the auditor must inform the appropriate level of management (one level above where the fraud has occurred).


When does the auditor report fraud to an outside party? • When a subpoena has been issued • When an SEC client is changing auditors • As required by government auditing standards • When an auditor has been authorized to communicate with

the preceding auditor


Understanding an Entity and Its Environment

External Factors Including the Applicable Financial

Reporting Framework

External factors that the auditor should consider when gaining an understanding of the entity include:

• Industry factors: The industry market and competition, demand, cyclical or seasonal activity, energy supply and cost, price competition

• Industry factors or regulation might inherently give rise to the risk of material misstatement. Example is long-term contracts involve lots of estimates about revenues and expenses which increases the risk of material misstatement.

• Regulatory factors: Industry-specific accounting practices, specific regulatory frameworks, taxation, government policies, environmental regulations

• Economic conditions such as interest rates, availability of financing, inflation, etc.


Internal Factors Including Nature of Entity, Risk Strategy

Internal factors the auditor should consider: • Nature of operations • Ownership and governance structure • What type of investments the entity is making • How the entity is structured and financed • How the entity selects accounting policies and if they are

appropriate to its industry • The entity’s objectives and strategies and related business

risks involved


Understanding an Entity's Internal Control

Control Environment and Entity-Level Controls

The auditor is required to document their understanding of the client’s internal control structure. This includes a written audit plan for gathering sufficient audit evidence (the audit program). It also includes an engagement letter that summarizes the timing and extent of procedures to be performed, as well as outlining management’s responsibilities with regards to the audit. The whole point of “gaining an understanding” of internal controls is to get the knowledge of the client necessary to plan the audit. The main thing the auditor is interested in about the internal controls is whether they affect the financial statement assertions. “Obtaining an understanding of internal controls” involves evaluating the design of the control and determining whether the control has been implemented. The auditor performs “walkthroughs” of key controls to verify that the controls have been implemented. The auditor should focus on the substance of the procedures (are they working and effective?) instead of their form, because management might have appropriate controls on paper, but they might not be being enforced. For accounts that are immaterial, AND have a low inherent risk, the auditor does NOT need to perform procedures to evaluate internal controls


Sometimes an auditor will make a flowchart to document a client’s accounting system, and this depicts the auditor’s understanding of the system. Preliminary Evaluation The auditor first considers the adequacy of controls, or the “design effectiveness”, which is how effective they are on paper. Consider any errors that could occur with the controls, and any kinds of procedures that could prevent or detect these errors. Then evaluate the implications of any weaknesses identified. If the auditor decides to rely on internal controls to reduce substantive audit procedures, then the auditor will perform “tests of controls” to make sure that the ‘design effectiveness’ of the controls is also working like they’re supposed to (operating effectiveness). If the auditor is NOT going to rely on controls, then the audit plan will be “wholly substantive”, which means the auditor will test the account through substantive procedures and will not rely on the internal controls. A primary criterion of any system of internal control is the cost-benefit relationship. The cost of a company’s internal controls should not exceed the benefits. If the auditor questions management’s integrity, the audit should not be conducted, and the auditor would withdraw from the engagement. Remember the formula: IR x CR x DR = Audit Risk The auditor assesses control risk and inherent risk because it affects the level of detection risk that the auditor can accept.


The auditor is NOT required to assess operating effectiveness of controls. This will only be done if the auditor decides to perform “tests of controls” in order to reduce substantive testing. Assertions The “assertions” are key to the whole audit process. The assertions are basically the underlying claims made by management about the financial statements. It helps a LOT to just “think” about the meaning of the words, especially in the context of the question being asked. For example, “completeness” … this includes procedures or tests to determine if a population is complete- or if everything has been included that should be included. They are grouped into 3 categories: Account balances (4 assertions)












• Accuracy: That amounts, and other data have been recorded appropriately





Read through the assertions until you understand them. This makes everything about AUD easier to understand. Internal Control Standards Definition: Internal controls are processes effected by those charged with governance or management designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to financial reporting, effectiveness of operations, and compliance with laws.


Internal control consists of 5 elements: • Control environment

⁃ This is made up of the policies and procedures to establish overall control of the organization (the tone at the top)

• Risk assessment

⁃ The policies set to identify and analyze relevant risks so that they can be managed

• Information and communication systems

⁃ The policies and procedures to identify, capture, and exchange relevant information so that employees can meet their responsibilities in a timely manner

• Control activities

⁃ The policies and procedures set so that management’s objectives will be achieved

⁃ This includes segregation of duties, physical controls, and authorization

• Monitoring

⁃ The policies and procedures to measure the effectiveness of internal controls as time goes on

Risk assessment procedures: These are what the auditors do to assess the ‘risk of material misstatement’.

• Inquiries of management and others • Observation and inspection of documents • Analytical planning procedures • The review of information from prior periods • Audit team discussing about the risks identified. Discuss how

the risks affect specific areas of the audit


Documentation: There are certain things the audit team is required to document:

• Audit team discussion about RMM and the key elements about the entity, its environment, etc.

• The assessment of RMM at the financial statement level and at the relevant assertion level

• Identified significant risks and the related controls the auditor obtained an understanding of (walkthroughs)

Other considerations: The best way to compensate for lack of segregation of duties at a small company is to have greater management oversight of overlapping duties The auditor is NOT obligated to search for significant deficiencies in the design or operation of internal control. But, if they are found, the auditor is required to communicate them to those charged with governance. If documentary evidence of certain controls does not exist, the auditor can test the controls by observation and inquiry. Remember that an auditor is required obtain an understanding of the client’s internal controls, AND document their understanding of the controls. The auditor is NOT required to:

• Perform tests of controls (but can if necessary) • Search for significant deficiencies in internal controls (but

they may find them) • Determine whether controls are suitably designed to prevent

or detect material misstatements (the auditor does this, but ONLY to controls related to significant assertions and accounts, NOT all controls)


Regardless of the assessed level of control risk, the auditor will always perform some substantive tests to lower detection risk for significant transaction classes. When the auditor assesses control risk below the maximum level, the auditor is required to document BOTH their basis for this conclusion, and their understanding of the internal control elements. If there is substantial risk that there has been intentional misapplication of accounting principles or management override of controls, the auditor would likely conclude that the audit cannot be performed. Required Communications There are 2 things an auditor must communicate with regard to the design or operation of internal control:

• Any identified “material weaknesses”

⁃ A deficiency in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, detected, or corrected on a timely basis

• Any identified “significant deficiencies”

⁃ A deficiency in internal control that is less severe than a material weakness but important enough to be communicated to those charged with governance

The auditor has to decide if a deficiency is a material weakness or a significant deficiency. Any identified significant deficiencies or material weaknesses are then communicated to management and those charged with governance. This communication is to be made within 60 days of issuing the audit report. There should also be a restriction on the


distribution of this communication. It is only for the audit committee, those charged with governance, and management. The communication should also include a paragraph stating that the purpose of the audit was to report on the financial statements and not provide assurance on internal control. The deficiencies in internal control happened to be found as a result of auditing the financial statements If no significant deficiencies are found, the auditor does NOT report that none were found. There is simply no communication about significant deficiencies if none are found. Using an Internal Auditor If a client has internal auditors that are competent and objective, they can be used to perform tests of internal controls and substantive tests To assess the internal auditors’ competence, the CPA should obtain info about their educational background, professional experience, and professional certifications. To assess the objectivity of the internal auditors, the CPA should determine the organizational level to which the internal auditors report BUT, the external auditor cannot allow judgment from the internal auditor on materiality of misstatements, or the evaluation of accounting estimates. The internal auditor can be used to help test internal controls and perform substantive tests, but the final conclusions must be made by the external auditor. An internal auditor’s work would NOT likely be used in areas requiring significant auditor judgment such as valuation of intangible assets, valuation of related party transactions, valuation and existence of contingencies, or significant estimates.


Internal Control Transactions Segregation of duties is best tested by observing employees as they apply control procedures. Segregation of duties involves separating duties so that employees aren’t in a position to both commit fraud and then be able to cover it up. Internal Control Objectives for Sales Segregation of duties: The 3 main types of tasks that should be separated are:

• Authorization (execution) such as granting credit • Access (custody) such as custody of the pre-numbered

sales invoices or the goods being handled by the shipping department

• Accounting (recordkeeping) such as entering customer’s order form and dealing with receivables and collections

Physical controls:

• Computer passwords and different account types within the system with different levels of permissions

• Custody of cash receipts and inventory should be handled by employees without access to record keeping

Authorization

• Transactions should be authorized • Adjusting journal entries should be reviewed and approved

by management Review

• Monthly statements should be sent to customers • Related documents such as the sales invoice, sales order

form, and shipping documents should be compared • Cutoff should be verified to make sure transactions have

been recorded in the proper period


Information processing • Focus on the entity’s records regarding the “audit trail” • All key documents should be pre-numbered, and the

sequence should be accounted for • Aged trial balance should be reconciled to the general ledger

periodically Internal Control Objectives for Receipt of Cash

• When cash (checks) are received, they are posted to a remittance log which is a listing of all cash receipts

• The transaction is also posted in the cash receipts journal, and all cash receipts will be posted to that month’s receipts in the general ledger

• Different employees should open the mail, do the accounting activities, prepare the deposit of checks, and reconcile the bank accounts

• Each cash receipt should be listed immediately when the mail is open

⁃ The best control over cash receipts is a bank lockbox system- then employees never touch cash receipts

• Employers will “bond” employees that handle cash receipts. Bonding insures the company against loss from illegal acts by employees, and this reduces the risk of dishonesty by employees because the bonding company must approve the employees in the first place, and if employee theft happens, the bonding company does an investigation before paying the company back. So, bonded employees know they will be highly scrutinized if theft occurs.

• Lapping is when cash received from a customer is stolen and the shortage is hidden by crediting the first customer’s account with cash received from a second customer. To prevent this, two different people should be receiving cash, and posting payments received to the accounts receivable ledger


Internal Control Procedures for Expenses/Disbursements

• The purchasing department should make the purchases using pre-numbered purchase orders

• The receiving department takes possession of deliveries • The accounts payable department should handle the

accounting function and approve payments • Only designated employees should be able to make

purchases for the company • Checks should require dual signatures • For both receipts and disbursements bank reconciliations

should be prepared on a timely basis • Again, all key documents should be pre-numbered, and the

sequence should be accounted for as well • Supporting documents such as invoices should be canceled

as “paid” as soon as they are paid Internal Control Procedures for Payroll

• Process consists of employee timecards, time sheets, or time sheets for salary employees taken and then payroll is prepared and recorded in the payroll journal. Then checks are given to employees, and the month’s payroll is posted to the general ledger

⁃ The approval of time cards by an employee’s direct supervisor is one of the best controls for making sure employees only get paid for work performed

• HR keeps records that contain pay rates and personnel files. Certain HR employees should be the only ones who have access to these files

• The treasury issues the checks and signs them and distributes the checks

• Payroll department calculates payroll and does the record-keeping each period


Flow of Transactions and Design of Internal Controls

Performing a walkthrough is a standard procedure to make sure the auditor understands the flow of transactions and can document it. The auditor selects a few transactions and traces them through the client’s accounting system. A walkthrough is part of gaining an understanding and is not a “test of controls”.


Implications of an Entity Using a Service Organization

When a client being audited uses a service organization, such as outsourcing their payroll to a payroll company, the auditor needs to gain an understanding of the services provided by the service organization and the effect on the client’s internal controls. The auditor can gain an understanding of the service organization’s controls through a SOC (service organization control) report- they can be a “Type 1” or a “Type 2” report that is prepared by a “service auditor”, and these reports provide a description of the service organization’s system and their internal controls, and a type 2 report includes an opinion on the operating effectiveness of the controls. Specifically:

• A Type 1 report covers the service organization’s system and design of controls. A type 1 report will include a disclaimer of opinion about the operating effectiveness of the controls. A type 2 report includes an opinion on the operating effectiveness of controls

• A Type 2 report covers the service organization’s system, design of controls, AND the operating effectiveness of controls

Whether or not the auditor needs to see a SOC report depends on the risk assessment, and the degree to which the audit client’s activities interact with the service organization, and the degree to which the audit client can implement effective controls over what the service organizations processes for the client. If the audit client has effective controls over the service org’s processing, then the auditor can gain an understanding from the audit client alone and probably doesn’t need to use a SOC report.


On the other end, if the risk assessment includes an expectation that the service organization’s controls are operating effectively, then the auditor would need a type 2 report.


IT General and Application Controls

There are 2 main categories of IT controls: • General controls: These have an impact on all parts of an IT

system • Application controls: These affect specific IT tasks within

departments such as payroll IT General Controls These are policies and procedures that apply to many applications and support the functioning of the application controls. These typically include:

• Controls over data and network operations • Software acquisition and maintenance • Access security • Physical security of assets, such as access to records • Authorization to computer programs and data • File backup & disaster recovery plan

Within the IT department, there are several main positions (these are also forms of segregation of duties for the IT department):

• Systems analyst: designs the system

⁃ A “systems documentation” file should be kept so that there are narratives and flowcharts for each application system. This is a general IT control

• Programmer: develops the code for the system • Operator: runs the system • Librarian: keeps track of data within the system • Security: safeguards the system

There are several ‘built-in’ controls within an IT system:

• Parity check: this is transmission of information between system hardware components


• Echo check: transmission of information over phone lines • Diagnostic routines: checks internal operations of hardware

components • Boundary protection: allows multiple jobs running

simultaneously • A ‘source code comparison program’ tests for unauthorized

program changes by comparing the compiled code to the original program

• One disadvantage of computer data files compared to manual data files is that it’s easier for an unauthorized person to access and alter computer data files

A “secure” password:

• Has 7 characters in length • Includes special characters • Should have a mixture of lower and uppercase letters • Should be unique • And passwords should be changed regularly so that hackers

don’t have unlimited time to try and crack them As part of an entity’s disaster-recovery plan: The entity should store duplicate files at a separate location. Application Controls These are more specific controls that relate to specific applications and/or individual transactions. Input controls: These are meant to reduce mistakes when data is being entered into the system.

• Batch totals: these are totals that actually mean something such as the total of cash received that day

• Hash totals: these are totals that don’t have a dollar meaning but can be used to check for mistakes. An example would be the employee ID numbers being added up so that if one was


missing it would be noticed by comparing to a hash total of employee ID numbers

• Record count: Keeping track of the number of records processed to determine that the right number of records has been accounted for

Logic checks: These are certain computer checks that can determine if data has been entered incorrectly.

• Limit tests: this would be where a system wouldn’t accept if someone tried to enter 300 hours worked in one week.

• Validity checks: this will limit a certain input to only valid responses. For example, in the phone number field it would only accept numbers and no letters.

• Missing data checks: input fields can be required and won’t allow the user to move on until all required fields have been entered.

Processing checks: These are processes to verify the processing of data is accurate and authorized.

• Checkpoints: for long processes, a procedure which makes checkpoints so that if a process crashes the entire process doesn’t have to be re-executed

• Limit on processing time: if a process takes longer than a certain limit, the process shuts down because it assumes an error has occurred

Evidence Gathering Types of audit software:

• Generalized software: These are “out of the box” software for auditing that have general functions for testing clients’ data

• Customized software: This would be a program created to access the files of a certain client. This can be more


expensive in the long run if custom software is being developed for several clients individually

• Data mining software: This is commercial audit software that provides features for doing substantive analytics

Tests of Controls Procedures When IT controls are internal, the auditor can use some of the following procedures to test the system’s controls:

• Test data: the auditor can put dummy transactions through the system that contain known errors to see of the system catches the errors

• Integrated Test Facility: this involves creating a dummy division within the client’s system and running through dummy data alongside the client’s real data

• Parallel Simulation: This involves processing the client’s data on the auditor’s software to compare the client’s output with the auditor’s output

• Tagging: This is when an auditor “tags” a transaction in order to follow it through the client’s system

Other Considerations When auditing a client that processes most of its financial data in electronic form, the auditor would most likely consider using an ‘embedded audit module’, which is a computer program actually inserted into the client’s system which will select transactions for further review by the auditor.


Identifying and Assessing the Risk of Material

Misstatement

Impact of Risk at Financial Statement Level

Risks of material misstatement at the financial statement level refer to risks that could have a pervasive effect on the financial statements and that could affect many assertions at once. They can result from a poor control environment, questions about the integrity of management, or the reliability of an entity’s records. The risk at the financial statement level is more likely if there is the possibility of fraud. If the control environment is considered ineffective, then it may require an “overall response” by the auditor. This can mean assigning more experienced staff to the audit, using specialists, using more unpredictable audit procedures, etc. If substantive procedures alone wouldn’t yield appropriate audit evidence, then the auditor would use a combined approach and use tests of controls to test the operating effectiveness of controls in addition to substantive tests. If there are significant concerns about risks of material misstatement at the financial statement level due to the integrity of management or a poor control environment, it may raise doubts about the auditability of the financial statements and the auditor may consider withdrawing from the audit. Remember that the risk assessment can change as the audit goes on and more information/audit evidence is obtained, and the


auditor accordingly adjusts the audit approach to match the assessed levels of risk.


Limitations of Controls and Risk of Management Override

Limitations of Controls There are of course inherent limitations to internal controls: no system of internal controls can guarantee to prevent, detect, or correct any possible misstatement. This is especially true if two or more individuals collude to get around controls, or if a member of management simply overrides the controls. Other factors are that humans make mistakes, controls are only implemented to the point that the benefits outweigh the costs - so they aren’t all encompassing, the nature of business (always looking for increased performance/profits) can lead to people rationalizing and committing fraud. Management Override of Internal Controls One of the biggest risk factors for fraud is when management overrides the internal controls. This could be a member of management pushing through a transaction that doesn’t have a real business purpose, or an unauthorized journal entry, or putting pressure on an employee to make a journal entry they wouldn’t normally make. Procedures would include:

• Examining adjusting journal entries • Especially JE’s close to beginning and end of reporting

periods • Evaluate estimates for bias • Examine authorization for unusual transactions

Communication If fraud is found:

• The auditor informs ‘those charged with governance when senior management is involved in the fraud, OR if the


misstatement is material even if senior management is not involved

• If the misstatement is NOT material, the auditor must inform the appropriate level of management (one level above where the fraud has occurred)

When does the auditor report fraud to an outside party?

• When a subpoena has been issued • When an SEC client is changing auditors • As required by government auditing standards


Impact of Risks for Each Relevant Assertion

The auditor uses the assessed level of risk of material misstatement to determine the acceptable level of detection risk for the financial statement assertions. From there, the auditor uses the acceptable level of detection risk to determine the nature and extent of audit procedures to use. For significant transaction classes there will always be some substantive procedures performed. In general, the risk of material misstatement is highest in transactions that require significant judgement, and lowest in routine transactions. As risks are identified, the auditor determines whether the risks relate to specific assertions or the financial statements as a whole. Then, the auditor identifies controls related to the risks and specific assertions. The auditor may not be able to gather sufficient audit evidence from substantive procedures alone and would then do tests of controls in addition to the substantive procedures.

Assertions The “assertions” are key to the whole audit process. The assertions are the underlying claims made by management about the financial statements. When management gives the auditor their listing of PP&E for example, management is essentially making the “claim”, or assertion, that the items on that list actually exist, that the list is complete (nothing left out), that the business actually owns the items listed, and that the values of the items are listed correctly. The auditor then assesses the risk of material


misstatement based on these assertions and performs audit procedures. That’s how the audit works in a nutshell. It helps a LOT to just “think” about the meaning of the words, especially in the context of the question being asked. For example, “completeness” … this includes procedures or tests to determine if a population is complete- or if everything has been included that should be included. They are grouped into 3 categories: Account balances (4 assertions)












• Accuracy: That amounts, and other data have been recorded appropriately





Read through the assertions until you understand them. This makes everything about AUD easier to understand.


Further Procedures Responsive to Identified Risks

For an identified risk, if substantive procedures alone won’t provide sufficient audit evidence, then the auditor would perform tests of controls in addition to the substantive procedures. If a deviation in a control is found, the auditor should make inquiries in order to understand the potential consequences of the deviation (what else happens if this error isn’t detected?) If the auditor wants to lower the acceptable level of audit risk, then the auditor can make changes to the substantive procedures such as:

• Increasing the sample size • Expanding the substantive procedures • Using independent parties for testing such as confirmations

The general idea is when there is a high risk of misstatement identified, the effectiveness and reliability of the substantive testing should be increased, meaning more reliable forms of testing are used.


Materiality

For the Financial Statements as a Whole

Materiality means an amount that if missing or misstated on the financials would likely lead a reasonable person to be influenced to make a different decision than if the amount had been correct. Materiality really just means “big enough to matter”. Under the Clarified Standards, the focus is on “performance materiality”. Under the Clarified Standards, materiality needs to be documented at:

• The financial statement level • Materiality levels for specific transactions or account

balances – “performance materiality” • Any revisions to materiality during the audit

Materiality set for the financial statements as a whole is a set amount. This can be calculated a number of different ways, but some common approaches are:

• 1% to 2% of total assets • 5% to 10% of net profit • 1% of equity

Also, some firms have their own formulas and worksheets for determining materiality.


Performance Materiality and Tolerable Misstatement

Performance materiality is an amount lower than materiality for the financial statements, and it’s set lower so that it lowers the risk of uncorrected misstatement detected, and that undetected misstatements will still be lower than financial statement materiality. Again, performance materiality can be set a number of ways or through simple or complex calculations. For example, it might be 10% of materiality, 5%, or a certain percentage of a transaction class or account balance. But it will of course always be a fraction of financial statement materiality. Tolerable Misstatement (TM) This is an amount determined by the auditor, that if an error or misstatement is found where the difference from the correct amount is below the TM, it won’t impact the fair presentation of the financial statements.


Planning for and Using the Work of Others

Using the Internal Audit Function as Part of the Audit The external auditor has sole responsibility for the audit opinion and the quality of the audit work performed, and using any work performed by the internal audit function doesn’t take away any of that responsibility. Therefore, when the external auditor is considering using the internal auditors to help with the audit, the most important things to consider are:

• The competence of the internal auditors • The objectivity of the internal auditors • The internal auditors use of a systematic and disciplined

approach If a client has internal auditors that are competent and objective, they can be used to perform tests of internal controls and substantive tests. To assess the internal auditors’ competence, the CPA should obtain info about their educational background, professional experience, and professional certifications. To assess the objectivity of the internal auditors, the CPA should determine the organizational level to which the internal auditors report. BUT, the external auditor cannot allow judgment from the internal auditor on materiality of misstatements, or the evaluation of accounting estimates. The internal auditor can be used to help test internal controls and perform substantive tests, but the final conclusions must be made by the external auditor. An internal auditor’s work would NOT likely be used in areas requiring significant auditor judgment such as valuation of


intangible assets, valuation of related party transactions, valuation and existence of contingencies, or significant estimates. If any of these factors are lacking, then the auditor shouldn’t use the internal audit function to help with the audit. When the external auditor does use work performed by the internal auditors, any judgements about the audit evidence obtained needs to be made by the external auditor. Using the Work of a Specialist Just like with using the work of internal auditors, the external auditor is solely responsible for the audit opinion and the quality of the audit work and using a specialist doesn’t lessen or deflect that responsibility. So again, the primary concern for the auditor in using a specialist will be to evaluate the specialist’s competence and objectivity. The auditor would consider using a specialist when there is expertise needed outside of accounting and auditing that is necessary for gathering appropriate and sufficient audit evidence. If the auditor decides to use the work of a specialist, there should be an agreement in writing that details what services will be performed, the requirements of the work needed, and any expected communications as a result of the specialist’s work. Using the Work of a Component Auditor in a Group Audit It is up to the group audit engagement partner to evaluate the component auditor’s independence and professional competence and understand the extent of the component auditor’s work on the group audit. If the engagement partner decides to reference the component auditor’s work in the audit report, the component’s financial


statements needs to be prepared using the same framework as the group, and the component auditor needs to have performed their audit according to the applicable standards. The auditor can decide to assume responsibility for the component auditor’s work, and if they do then they don’t reference the component auditor on the report at all. The group audit partner can decide to name the component auditor in the report - must obtain permission to do so - and then the component auditor’s report would be included with the group audit report in the financial statements.


Specific Areas of Engagement Risk

An Entity's Compliance with Laws and Regulations

Auditor’s Responsibility with Laws and Regulations That Have a Direct Effect on the Financial Statements The auditor should obtain sufficient appropriate evidence regarding material amounts and disclosures on the financial statements that relate to laws or provisions known to have a direct effect on the financial statements. The most direct example is determining how the entity is complying with the reporting framework the financial statements are based on. If the auditor discovers information that suggests noncompliance, the auditor should gather additional evidence and evaluate the issue’s effects on the financial statements. If the auditor suspects noncompliance, then the auditor should discuss the issue with management or those charged with governance, one level above where the suspected issue is. The step above that, if the auditor suspects management or those charged with governance are involved, would be to obtain legal counsel. Auditor’s Responsibility with Laws and Regulations That Do Not Have a Direct Effect on the Financial Statements These could be other laws and regulations that are necessary for the business to comply to, and could possibly result in material effects if noncompliance was found. The auditor should perform procedures to identify any noncompliance with the applicable laws or regulations. Obtaining


an understanding of the applicable laws and regulations that apply to the business being audited can lead to discovering noncompliance in other areas of the audit. Items that could be a possible sign of noncompliance:

• Irregular cash payments • Sudden discontinued business segment • Investigations by government agency • Unauthorized transactions • Unexplained payments to government employees


Accounting Estimates, Including Fair Value Estimates

Many significant parts of accrual accounting require estimates, and because of the nature of estimates it’s a big area of attention for an auditor. The more complex the estimate, the more room there is for material misstatements. For example, fair value estimates for financial instruments not traded on an active market are complex estimates that can leave a lot of room for error. For accounting estimates, the auditor’s objective is to evaluate whether accounting estimates are reasonable in the circumstances. When evaluating an entity’s accounting estimates, the auditor should focus on estimates that are susceptible to bias. The auditor evaluates estimates by gaining an understanding of how management develops its estimates. For evaluating fair value estimates, the best indicator of “fair value” that the auditor can rely on is published prices in an active market (such as stock prices). The auditor is NOT required to engage a specialist for evaluating management’s fair value estimates. The auditor may choose to do so if the auditor doesn’t have the necessary skill and knowledge, but it is not a required audit procedure. The main things the auditor should do when evaluating a significant estimate are:

• Determine whether management has applied the rules of the reporting framework correctly

• Been consistent in their methods for making the estimate


The specific procedures the auditor might perform are:

• Evaluate management’s assumptions used to make the estimate

• Evaluate the methods of measurement used to make the estimate

• Perform tests of controls on the controls used to make the estimate, in addition to substantive testing


Related Parties and Related Party Transactions

Procedures to identify related party transactions include:

• Inquiry of management, or requesting a list of all related parties to the entity

• Reviewing board minutes • Inspecting large, unusual transactions. This would be

something like seeing a large note payable with a 1% interest rate

• Reviewing confirmations on large balances All related party transactions need to be disclosed as such, and the auditor should perform procedures to understand the business purpose and financial statement effect of these transactions. The auditor’s main focus once related party transactions are identified, is adequate disclosure by management.


Performing Further Procedures and Obtaining

Evidence

Understanding Sufficient Appropriate Evidence

When evaluating whether audit evidence is “sufficient” and “appropriate”, there are some key things to understand: “Sufficient” relates to the quantity of audit evidence obtained. The quantity needed is based on the assessed levels of risk, and the quality of the evidence gathered. “Appropriate” relates to the quality of the audit evidence obtained. When it comes to the quality of evidence, here are some considerations:

• Audit evidence is highly reliable when it is obtained from independent sources outside the entity, such as confirmations

• When audit evidence is obtained internally from the client being audited, it is more reliable if the auditor can rely on the controls pertaining to the evidence

• Evidence obtained by the auditor directly is higher quality than evidence obtained indirectly: Example would be observing controls operating effectively vs asking an employee if they perform the control

• Audit evidence in hard copy is more reliable than evidence conveyed orally: looking at a document vs someone telling you something happened

• Evidence on original documents is much higher quality than a copy of a document


Again, the assertions come into play: When auditing a balance or class of transactions, you can use the assertions to evaluate what type of testing would produce reliable audit evidence. For the listing of a company’s inventory, evaluate the “existence” assertion: picking a sample of items from the listing and then going and looking at them in person to verify they exist.


Sampling Techniques

In auditing there is attribute sampling for tests of controls (Does every purchase order have the right signature?), and variables sampling for substantive testing. Attributes Sampling Attribute sampling is the type of test used to perform a “test of controls”. With attribute sampling, the auditor is looking at transactions to determine if a control was either performed or not performed. First step is to identify what the objective of the test is, such as testing the population of cash disbursements for proper authorization. Then the auditor defines what a “deviation” is based on the test, such as a disbursement that wasn’t properly authorized. Then the auditor defines and acquires the population, such as all cash disbursements during the year. Then the auditor chooses the sampling method:

• Either statistical sampling which is usually random number (best approach) or systematic (every 20th transaction for example)

• OR judgmental sampling such as haphazard (arbitrarily selecting transactions just by looking at the population)

• The auditor then chooses a sample size. The sample size will be based on AICPA tables and will be provided in questions on the exam

Once the sample is selected, the transactions are tested, and any deviations are identified.


Then the auditor can calculate the deviation rate, for example if the sample size was 20 and 1 deviation was found, the deviation rate is 1 in 20 or 5%. The auditor determines a “tolerable deviation rate” which just means how many errors can be found and still rely on the internal control. A “confidence interval” for the achieved upper precision limit is calculated based on the deviations observed. Again, tables are used for this. Then the upper precision limit is compared to the deviation rate. The internal control can only be relied on if the deviation rate is less than or equal to the stated tolerable rate. The auditor then decides if any other factors have implications on the decision to rely on the control or not. If not, and the deviation rate is lower than the tolerable rate, the auditor will determine that the control can be relied on. Population size has little to no effect on the sample size. This is counterintuitive, but the tables for sample size are based on an assumption of very large populations, so a change in population size has very little impact on the sample size. You will see questions about this. Formula for accept/modify questions:

• The ‘sample error rate’ is the number of deviations actually found in a sample. So, 3 deviations in 100 is a sample error rate of 3%.

• You then ADD the ‘allowance for sampling risk’ rate to the ‘sample error rate’ to get your ‘upper error limit’. If the allowance for sampling risk is 2%, you add this to the sample error rate found, which would give you a 5% upper error limit in this example.


• Then compare this to your tolerable rate. If the tolerable rate was 5%, you can rely on the internal control in this example. If the tolerable rate was 4%, then you need to “modify the planned level of control risk”, which means you cannot rely on the internal control.

Variables Sampling Variables sampling is used for substantive testing of populations, usually to test an ending balance in an account. The steps are essentially the same as listed above for attribute sampling, except that since transactions in variables sampling will be dollar amounts, the auditor tests all transactions that are individually material. These amounts are not being sampled… they are tested 100%, so they and their amounts are not considered part of the population being sampled. You probably don’t need to know how to manually calculate a sample size, but you should know these elements of general statistics:

• n is the sample size • SD represents the estimated standard deviation for the

population • Z is the Z-coefficient is the measure of reliability (confidence

interval) • N is the size of the population • A is the ‘allowance for sampling risk’

The basic formula is:

•


Other concepts Stratification: This is separating a population into groups of transactions that are similar, such as all transactions over a certain dollar amount. Stratifying a population can decrease sample size. Remember that falsely concluding that a material misstatement does not exist based on a sample is “incorrect acceptance”. This is a “type 2 error”. An increase in ‘tolerable misstatement’ would decrease the sample size, and vice versa. In other words, if more mistakes are allowed, the sample size can be smaller. If less mistakes are allowed, a larger sample needs to be tested to gain assurance a lower number of mistakes exist. If the ‘assessed level of control risk’ increases, then the sample size needs to be larger, and vice versa. This means if an auditor thinks a population has a high risk of material misstatement, then the sample size will be larger.


Performing Specific Procedures to Obtain

Evidence

Analytical Procedures

Analytics are evaluations of financial information based on relationships among both financial data and non-financial data. This can involve trends, comparing this year’s balances to last years, ratios, etc. Analytics are used in 3 ways:

• They’re used in the planning stage for risk assessment • They can be used as a substantive procedure, but it’s not

required • They are used at the end of the audit to form an overall

conclusion about whether the financial statements are consistent with the auditor’s understanding of the entity

Remember that analytics are required in the planning and review stage, and that the auditor’s “expectation” is the key to the analytics process. Analytics and Assertions When deciding how to use analytics to test an assertion, there are a few factors to consider:

• Does the nature of the assertion lend itself to analytical procedures?

• Is there a plausible and predictable relationship? • Is the data used to develop the expectation reliable? • Is the expectation precise?


Some assertions can be tested solely through analytics, and some might require a combination of analytics and tests of details, and some might not be a good fit for analytics. For example, transactions subject to management discretion might not have a predictable relationship with what happened the previous year or even month to month, so tests of details might provide more reliable audit evidence for an assertion such as cutoff. Developing Expectations There are 5 factors used to develop an expectation:

• Comparable information from a prior period

⁃ If sales had increased by similar percentages in the past 3 years, you’d expect a proportionate increase in the current year

• Anticipated results of the entity from budgets or forecasts

⁃ If management forecasted sales of $50,000 at the beginning of the year, auditor would expect sales to be close to $50,000

• Similar industry information such as ratios compared to industry averages

⁃ Gross margin percentage compared to its industry averages

• Relationship between elements of financial information

⁃ If sales increased a certain percentage, a similar increase in accounts receivable would be expected

• Relationships between financial and non-financial information

⁃ Payroll costs compared to the number of employees


Analytics in the Planning Stage In the planning stage, the auditor will use high-level analytics, such as looking at quarterly reports or unaudited financial information provided by the client and making analytical comparisons as a starting point for identifying areas to take a closer look at. An example would be comparing the current year’s sales to prior year’s sales for any significant changes. The focus in the planning stage is to use analytics to enhance the auditor’s understanding of the business and the transactions that have happened since the last audit. Analytics and Forming Overall Conclusions A wide variety of analytical procedures may be used when forming an overall conclusion. These procedures may include reading the financial statements and considering the adequacy of the evidence gathered in response to unusual or unexpected balances identified during the course of the audit and unusual or unexpected balances or relationships that were not previously identified. Results of these analytical procedures may indicate that additional evidence is needed. In the review stage the analytics should be performed by a manager or partner that has comprehensive knowledge of the client’s business and industry.


External Confirmations

External confirmations are sent by the auditor to a third party, in order to confirm a balance or transaction that they have or have had with the company being audited. However, the auditor controls the requests and responses, or it defeats the purpose of trying to “confirm” with the third party. The whole idea is to take the audit client out of the equation and ask the client’s customer “is this balance correct?” Confirmations best address the existence/occurrence assertion. There are two types of confirmation requests:

• Positive confirmation: This type is asking for a response whether or not the third party agrees on the amount on the confirmation

⁃ If not enough responses are received, then the auditor will perform alternate procedures

• Negative confirmation: This type only asks for a response if the third party disagrees with the amount on the confirmation

⁃ No response is viewed as the third party “agreeing” to the amount. Of course, there could be a lot of reasons why someone doesn’t respond, so this type of confirmation is less reliable than actual responses received from positive confirmations

Alternate Procedures For receivables the auditor would look at cash receipts to see if the receivables were paid. For payables, the auditor would look at cash disbursements to see if the client paid the invoices.


Inquiry of Management and Others

Inquiry is useful to gain an understanding of transaction flows and to learn about how things work within an organization. On its own however, it is poor audit evidence. What usually happens is the auditor will inquire of management to gain an understanding first, and then take that information into account as the auditor decides how certain balances or transaction classes will be tested.


Observation and Inspection

Tests of operating effectiveness of controls or “control testing”, or to “rely on controls” all refer to testing a specific internal control by reperforming the control, observing the control in action, or by inspection, such as inspecting documents for indications that the control has been performed. Observation and Inspection The test of controls would begin with inquiry: the auditor would ask a key employee or management, “how is this control supposed to work?”, then the employee explains the steps of a process, such as what happens for a purchase order to get approved. The auditor would document how the employee says the control is supposed to work. Then, the auditor would randomly select a number of transactions that should have gone through the control being tested - such as key signatures on approved purchase orders - and then find the original documents and inspect them to see if each document contains the required signatures. If there were no deviations, then the auditor can “rely on controls”, which reduces substantive testing. If more deviations are found than the acceptable amount, then the auditor would conclude that controls are weak, and it would require additional substantive testing.


Recalculation and Reperformance

Reperformance is when the auditor re-executes a control or procedure that was originally performed by an employee to see if they get the same result. This can be done manually or through computer-assisted techniques. Recalculation is recalculating a figure to test for accuracy. A common example is recalculating depreciation expense to verify its accuracy.


All Other Procedures

“Other procedures” would be analytics, which can take many forms. See the previous section on analytical procedures.


Specific Matters

Opening Balances

In an initial audit, the auditor needs to gain assurance that the opening balances are fairly stated. The procedures to test and evaluate opening balances include:

• Inquiry of management • Reviewing records, accounting policies, and control

procedures to see if they were consistently applied • Consulting with the predecessor auditor and with their

permission, reviewing their workpapers from the previous audit

• Substantive testing of the balances if the auditor determines that more evidence is needed to substantiate the opening balances


Investments in Securities and Derivatives

The first step in considering the fair value measurement for investments and derivatives used by management is to consult the applicable accounting framework to see how the framework measures fair value. Then, the auditor would evaluate management’s measurement of fair value compared to the measurement according to the applicable framework. In some cases evaluating the fair value will be straightforward if the investment has “observable” price data such as exchange-traded prices or some other readily available data. This also applies if the model for determining fair value is well-known or generally accepted. If quoted market prices aren’t available for the investment or derivative, then estimates of fair value can usually be obtained from a broker-dealer or other third-party source. The auditor should understand the valuation model used, and the auditor might obtain fair value estimates from multiple sources, especially if the third party has a relationship with the client that could impair its objectivity, or if the valuation model is based on highly subjective assumptions.


Physical Observation of Inventory and Inventory Held by

Others

If inventory is material to the financial statements, the auditor should obtain audit evidence of existence and the condition of inventory by attending physical inventory counting being performed by the employees. The steps are:

• Evaluate management’s instructions and procedures for recording and controlling the results of the entity’s physical inventory counts

• Observe the employees performing the counts according to said procedures

• Inspect the inventory

⁃ The auditor should be looking for inventory that seems damaged or obsolete, and viewing the inventory in person helps verify existence

• Perform test counts

⁃ Usually this involves choosing items from the inventory listing and then finding them in the warehouse to see that they exist, and then choosing some items at random from around the warehouse and tracing them to the inventory record to verify that they are included in the listing correctly.

• Perform audit procedures on the final inventory records to assess whether they accurately reflect the count results


Litigation, Claims, and Assessments

The procedures to identify litigation, claims, and assessment involving the client being audited include:

• Inquiring of management and the client’s legal counsel and obtaining a description and evaluation of any litigation, claims, and assessments as of the date of the financial statements

• Reviewing board meeting minutes or any documents obtained from management regarding litigation or lawsuits

• Reviewing legal expense accounts and invoices from external legal counsel

For actual or potential litigation, claims, or assessments identified, the auditor will obtain evidence regarding:

• The period in which the cause for the legal action occurred • The degree of probability of an unfavorable outcome • The amount or range of potential loss

The attorney’s letters to the client’s external legal counsel serves to corroborate the information provided by management regarding any litigation, claims, or assessments. If audit opinion will be modified if legal counsel refuses to respond appropriately to the auditor’s letter of inquiry and the auditor can’t gather sufficient audit evidence via alternative procedures, or if management refuses permission to communicate with the external legal counsel.


An Entity's Ability to Continue as a Going Concern

The factors that could cause substantial doubt about an entity’s ability to continue as a going concern include:

• Negative financial trends such as recurring operating losses, working capital deficiencies, negative cash flows, and other adverse financial ratios

• Defaulting on loans, falling out of covenant on debt obligations, denial of trade credit from suppliers, debt restructuring, seeking new methods of financing, etc

• Work stoppages, labor disputes, dependence on the success of a particular project, unsustainable long-term commitments

• Legal proceedings or legislation that harm the ability to operate, loss of key franchises or patents, loss of a principal customer or supplier, catastrophes

When the auditor does have substantial doubt about a client’s ability to continue as a going concern, the auditor is required to consider the financial statement effects and evaluate the adequacy of the disclosures of the possible inability to continue as a going concern.


Accounting Estimates, Including Fair Value Estimates

This has been covered in previous sections. See “Accounting estimates, including fair value estimates” and “Investments in securities and derivatives”.


Misstatement and Interal Control Deficiencies

A misstatement is any difference between the amount, classification, presentation, or disclosure of what’s reported on the financial statements, and the amount, classification, presentation, or disclosure of what is required in order to be in accordance with the applicable accounting framework. In other words, differences the auditors find in what management has on their financials and what is correct. Misstatements are accumulated as the audit progresses, and the auditor evaluates whether the audit strategy needs to be changed based on the misstatements found. The auditor decides what amount is “clearly trivial”, and any misstatements below this threshold are ignored and not accumulated. The auditor does NOT tell management the amounts for materiality and what is trivial. Differences between the auditor and management about accounting estimates are not usually considered misstatements. This is because judgment or “educated guessing” is involved. However, management’s unreasonable accounting estimates for something like the amount of bad debt allowance would be a “judgmental misstatement”. Misstatements should be communicated with management as they are found, and management can either book the adjustments, or if management refuses to make the adjustment, the auditor needs to evaluate the effects of not making the change on the financial statements.


The auditor needs to decide whether the uncorrected misstatements are material, either individually or all added together, based on their size and nature, and any effects of uncorrected misstatements in prior periods. Even if management makes the entry to book a misstatement, the auditor still records all non-trivial misstatements found.


Written Representations

The auditor is required to obtain written representations from management to corroborate management’s verbal responses to important questions from the auditor. This is called the “rep letter” or the representation letter. The date of the rep letter should coincide with the date of the auditor’s report. It usually includes the following:

• That management is responsible for the fairness, internal control, significant assumptions, and related party transactions as they pertain to financial reporting and the financial statements

• That any uncorrected misstatements are immaterial • That the effects of any litigation or claims against the

company have been properly accounted for and disclosed • That all relevant financial records were made available to the

auditor • There was no fraud involving management or employees

with significant financial reporting responsibilities


Subsequent Events

Subsequent events are events that happen after the date of the financial statements, but before the date of the auditor’s report. Financial statements might be dated as Dec 31, 2014 and the auditor’s report isn’t issued until March 2015. So it would include any events that happened during that time. 2 types of subsequent events:

• Events that require adjustment. If the event provides better information about conditions as of the balance sheet date, it will be included

• Events that require disclosure: If the event doesn’t relate to conditions as of the balance sheet date, but is still material, it will be disclosed

The auditor’s responsibility for the audited financial statements ends when the auditor’s report is issued, UNLESS the auditor becomes aware of additional information that existed as of the balance sheet date. If this happens, the auditor must evaluate whether the information would affect the current report. The main ways that the auditor reviews subsequent events are by reading the latest interim financial statements, the latest board minutes, inquiring with the client’s attorneys regarding any pending litigations, or asking management specific questions.


Identifying Subsequent Events The steps to identify possible material subsequent events:

• Obtaining an understanding of any procedures that management has established to ensure that subsequent events are identified

• Inquiring of management and, when appropriate, those charged with governance about whether any subsequent events have occurred that might affect the financial statements

• Reading minutes, if any, of the meetings of the entity's owners, management, and those charged with governance that have been held after the date of the financial statements and inquiring about matters discussed at any such meetings for which minutes are not yet available

• Reading the entity's latest subsequent interim financial statements, if any


Forming Conclusions and Reporting

Reports on Audit Engagements

Forming an Auditing Opinion & Modification of an Opinion

This is straight from AU-C 700 on forming an opinion: The auditor should form an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. In order to form that opinion, the auditor should conclude whether the auditor has obtained reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. The auditor should evaluate whether the financial statements are prepared, in all material respects, in accordance with the requirements of the applicable financial reporting framework. This evaluation should include consideration of the qualitative aspects of the entity's accounting practices, including indicators of possible bias in management's judgments. In particular, the auditor should evaluate whether, in view of the requirements of the applicable financial reporting framework: The financial statements adequately disclose the significant accounting policies selected and applied;

• the accounting policies selected and applied are consistent with the applicable financial reporting framework and are appropriate;

• the accounting estimates made by management are reasonable;


• the information presented in the financial statements is relevant, reliable, comparable, and understandable;

• the financial statements provide adequate disclosures to enable the intended users to understand the effect of material transactions and events on the information conveyed in the financial statements; and

• the terminology used in the financial statements, including the title of each financial statement, is appropriate.

The auditor should also evaluate whether the financial statements adequately refer to or describe the applicable financial reporting framework. Remember the “Standards of Reporting”

• GAAP: The auditor states whether the financial statements are “in accordance with GAAP”

• Consistency: The auditor points out what GAAP principles have not been consistently applied in relation to the prior period

• Disclosures: If the auditor determines the disclosures in the financials are NOT adequate, the auditor needs to say so in the audit report

• Opinion: The whole point of an audit for is for the auditor to render their opinion. Different types of opinions will be discussed in a later section

Other key points:

• If unaudited statements from a prior period along with audited statements for comparative purposes, the unaudited statements should be clearly marked,

⁃ AND, either the report on the unaudited financials should be reissued, or the audited financials should contain a separate paragraph describing the level of responsibility assumed for the unaudited statements


• If the auditor thinks there is only a REMOTE chance of a loss resulting from an uncertain matter, the auditor should still issue an unmodified opinion

Types of Opinions Unmodified Opinion A “clean opinion”, meaning the auditor believes the financial statements are fairly stated and comply with GAAP, results in an “unmodified opinion”. This used to be called a “unqualified opinion”. Note: PCAOB audits use the term “unqualified opinion”. So, a “modified” opinion means there’s something wrong with the statements. There are 3 types of ‘modified opinions’: Qualified Opinion Two reasons for a qualified opinion:

• Presentation- the financial statements are misstated (GAAP departure)

• Scope- the auditor was not able to get “sufficient appropriate audit evidence”

What a qualified opinion really means is that the auditor is expressing reservations about the financial statements, but that they are still fairly stated because the scope limitation or misstatement is not “pervasive”. Pervasive means affecting multiple areas of the financial statements.


Adverse Opinion There’s only one reason for giving an adverse opinion: When there are financial misstatements that are BOTH material AND pervasive. This means that there are misstatements that affect most areas of the financial statements. The financial statements are misleading because they are not fairly presented. Disclaimer of Opinion This happens when the auditor is unable to obtain sufficient appropriate audit evidence, and the effects could be BOTH material and pervasive. So remember that a scope limitation happens for the same reason, but on a lesser scale, which results in a qualified opinion. But when the auditor can’t obtain audit evidence to the degree that the effects could be both material and pervasive, the auditor issues a ‘disclaimer of opinion’, which means the auditor is unable to even give an opinion. When a disclaimer of opinion is issued, it will have the heading “Disclaimer of Opinion” and the paragraph makes it clear that no opinion is being expressed, and there will also be a paragraph with the heading “Basis for Disclaimer of Opinion” that explains the reasoning for disclaiming an opinion.


Form and Content of an Audit Report (AICPA Standards)

You don’t need to be able to draft an audit report from memory, but you should know the main sections of the audit report and how they are changed for certain circumstances. Here’s an overview of the key areas, in order of how they appear on an audit report for a non-issuer: (the differences in a PCAOB report are included below) Title The title should be be labeled “Independent Auditor’s Report”. To The report should be addressed to the board of directors of the audit client, or as the circumstances of the audit dictate. Introductory Paragraph This paragraph should include:

• Identify the entity whose financial statements have been audited

• State that the financial statements have been audited • Identify the title of each statement included in the financial

statements • Specify the date or period covered by each financial

statement included in the financial statements Management’s Responsibility Paragraph Should include the heading “Management’s Responsibility for the Financial Statements.”


The auditor's report should describe management's responsibility for the preparation and fair presentation of the financial statements. The description should include an explanation that management is responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework; this responsibility includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. Auditor’s Responsibility Paragraph Heading should say “Auditor’s Responsibility”. The auditor's report should state that the responsibility of the auditor is to express an opinion on the financial statements based on the audit. The auditor's report should state that the audit was conducted in accordance with generally accepted auditing standards and should identify the United States of America as the country of origin of those standards. The auditor's report should also explain that those standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. The auditor's report should describe an audit by stating that

• an audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements.

• the procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor


considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control, and accordingly, no such opinion is expressed.

• an audit also includes evaluating the appropriateness of the accounting policies used and the reasonableness of significant accounting estimates made by management, as well as the overall presentation of the financial statements.

In circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the financial statements, the auditor should omit the phrase required that the auditor's consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of internal control, and accordingly, no such opinion is expressed. The auditor's report should state whether the auditor believes that the audit evidence the auditor has obtained is sufficient and appropriate to provide a basis for the auditor's opinion. Opinion Paragraph The heading should say “Opinion”. When expressing an unmodified opinion on financial statements, the auditor's opinion should state that the financial statements present fairly, in all material respects, the financial position of the entity as of the balance sheet date and the results of its operations and its cash flows for the period then ended, in accordance with the applicable financial reporting framework.


Signature of the Auditor This can be the handwritten or printed signature of the auditor’s firm. Auditor’s Address The auditor should name the city and state where the auditor practices. Date of the Auditor’s Report Should be dated no earlier than the date on which the auditor has obtained sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements. Differences on a PCAOB (public company) Report There are a few key differences on a PCAOB auditor’s report:

• The title will be “Report of the Independent Registered Public Accounting Firm”

• Then the line that addresses the report, which says “To the Board of Directors and Shareholder of ABC Company”

• There are 3 paragraphs within 2 sections, in this order:

⁃ The opinion paragraph with the heading: ‘Opinion on the Financial Statements’. This makes up the first section

⁃ After the opinion paragraph there is a heading that says: ‘Basis for Opinion’, this is the second section

⁃ Under the ‘Basis for Opinion’ heading, there is a paragraph describing management’s responsibility and the auditor’s responsibility.

⁃ Then there is a “We conducted our audits in accordance with the standards of the PCAOB” paragraph.


⁃ Then there are the signatures:

⁃ The auditor’s signature

⁃ The auditor’s tenure (“We have served as the auditor since 20XX”

⁃ Auditor’s address

⁃ Date

• IF an audit of internal control was also conducted (integrated audit), then the opinion paragraph would also reference the audit of internal controls and the separate report on internal controls

“Emphasis of Matter” Paragraphs This is a paragraph that the auditor adds right after the opinion paragraph to point out a matter that is crucial to the user being able to understand the financial statements. This would be something like the auditor doubts the firm’s ability to continue as a going concern, Or if the financials are prepared using a special accounting framework, Or a change in accounting principle. The heading “Emphasis of Matter” must be used There can also be an “Other Matter” paragraph. This will go after the opinion paragraph, or after the “Emphasis of Matter” paragraph if there is one. Use the heading “Other Matter”.


This would be about something that the auditor considers relevant, but not crucial to the user’s understanding of the financial statements.


Audit of Internal Control Integrated with Audit of Financial

Statements

Forming an Opinion of the Effectiveness of Internal Controls in an Integrated Audit Here are the considerations of forming an opinion on the effectiveness of internal controls in an Audit of Internal Control Over Financial Reporting (ICFR) integrated with an audit of the financial statements: The auditor should form an opinion on the effectiveness of ICFR by evaluating evidence obtained from all sources, including

• the auditor's testing of controls for the ICFR audit, • any additional tests of controls performed to achieve the

objective related to expressing an opinion on the financial statements,

• misstatements detected during the financial statement audit, and

• any identified deficiencies As part of evaluating evidence obtained from all sources, the auditor should review reports issued during the year by the internal audit function (or similar functions) that address controls related to ICFR and evaluate deficiencies identified in those reports. In addition to evaluating the findings from the auditor's testing of controls for the audit of ICFR, the auditor should evaluate the effect of the findings of the substantive procedures performed in the audit of financial statements on the effectiveness of ICFR.


This evaluation should include, at a minimum: • the risk assessments in connection with the selection and

application of substantive procedures, especially those related to fraud;

• findings with respect to noncompliance with laws and regulations;

• findings with respect to related party transactions and complex or unusual transactions;

• indications of management bias in making accounting estimates and selecting accounting principles; and

• the nature and extent of misstatements detected by substantive procedures

After forming an opinion on the effectiveness of the entity's ICFR, the auditor should evaluate management's report, which will accompany the auditor's report, to determine whether it contains the following:

• A statement regarding management's responsibility for ICFR • A description of the subject matter of the audit (for example,

controls over the preparation of the entity's financial statements in accordance with accounting principles generally accepted in the United States of America)

• An identification of the criteria against which ICFR is measured

• Management's assessment about ICFR • A description of the material weakness(es), if any • The date as of which management's assessment about

ICFR is made If the auditor determines that any required element of management's report is incomplete or improperly presented, the auditor should request management to revise its report.


The Auditor’s Report on the Audit of ICFR (AICPA Standards) The report can be separate or combined with the opinion on the financial statements. The auditor's report on the audit of ICFR should be in writing and should include the following elements: The title states that the auditor is independent: “Independent Auditor’s Report”. An addressee as required by the circumstances of the engagement, but usually to the “board of directors and Shareholders of ABC Company”. “Report on Internal Control Over Financial Reporting” Paragraph An introductory paragraph that includes the following:

• Identification of the entity whose ICFR has been audited • A statement that the entity's ICFR has been audited • Identification of the as of date • Identification of the criteria against which ICFR is measured

"Management's Responsibility for Internal Control Over Financial Reporting" Paragraph A section with the heading "Management's Responsibility for Internal Control Over Financial Reporting" that includes the following:

• A statement that management is responsible for designing, implementing, and maintaining effective ICFR

• A statement that management is responsible for its assessment about the effectiveness of ICFR

• A reference to management's report on ICFR


“Auditor’s Responsibility” Paragraph A section with the heading "Auditor's Responsibility" that includes the following:

• A statement that the auditor's responsibility is to express an opinion on the entity's ICFR based on the audit

• A statement that the audit was conducted in accordance with auditing standards generally accepted in the United States of America

• A statement that such standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective ICFR was maintained in all material respects

• A description of the audit by stating that:

⁃ an audit of ICFR involves performing procedures to obtain audit evidence about whether a material weakness exists

⁃ the procedures selected depend on the auditor's judgment, including the assessment of the risks that a material weakness exists

⁃ an audit includes obtaining an understanding of ICFR and testing and evaluating the design and operating effectiveness of ICFR based on the assessed risk

• A statement about whether the auditor believes that the audit evidence the auditor has obtained is sufficient and appropriate to provide a basis for the audit opinion

“Definition and Inherent Limitations of Internal Control Over Financial Reporting” Paragraph A section with the heading "Definition and Inherent Limitations of Internal Control Over Financial Reporting" or other appropriate heading that includes the following:

• A definition of ICFR (the auditor should use the same description of the entity's ICFR as management uses in its report)


• A paragraph stating that because of inherent limitations, ICFR may not prevent, or detect and correct, misstatements and that projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate

“Opinion” Paragraph A section with the heading "Opinion" that includes the auditor's opinion on whether the entity maintained, in all material respects, effective ICFR as of the specified date, based on the criteria. Signature (not a heading) The manual or printed signature of the auditor's firm. City and State (not a heading) The city and state where the auditor practices. Date (not a heading) The date of the auditor's report. Other things to know:

• If the auditor issues a separate report on ICFR (such as the report described above), meaning there will be a separate report for both the opinion on ICFR and the opinion on the financial statements, then the auditor will add an “other matter” paragraph to both reports that reference the opposite report. On the IC report, the paragraph heading would be “Report on Financial Statements” and reference the auditor’s report on the financial statements

• If there is a material weakness identified as part of the audit of ICFR, then an adverse opinion will be issued, and the report needs to contain the definition of a material weakness


(a deficiency or combination of deficiencies that produce the possibility that a material misstatement of the financial statements won’t be prevented, detected, or corrected on a timely basis)

Differences on a PCAOB Report on Internal Controls The main differences are:

• The title is “Report of the Independent Registered Public Accounting Firm”

• The report is addressed “To the Board of Directors and Shareholders of ABC Company”

• There are just 3 headings: • The opinion paragraph is the first paragraph and has the

heading “Opinion on the Internal Control Over the Financial Reporting”

• Then there is the basis for opinion section with the heading “Basis for Opinion”

• Then the section with the heading “Definition and Limitations of Internal Control Over Financial Reporting”

• The report must be manually signed by the audit firm • The auditor’s tenure must also be listed on the report on

internal controls, usually in the signatures section that states “We have served as ABC’s auditor since 20XX”


Reports on Attestation Engagements

General Standards for Attestation Reports

To refresh on these engagement types, refer to the “Non-Audit Engagements” section. Examination Reports The opinion is whether the subject matter is in accordance with the criteria in all material respects, or if the assertion is fairly stated in all material respects. The report (needs to be in writing) should express an opinion on the written assertion or an opinion directly on the subject matter. The opinion can vary and are the same “opinions” that would be issued for an audit such as unmodified, qualified, adverse, or a disclaimer of opinion. Review Reports The auditor concludes whether any material modifications should be made to the subject matter or the responsible party’s assertion. The (written)report should state the conclusion on the subject matter or the assertion. Specifically in a review engagement under the attestation standards, if there is a material but not pervasive misstatement, it results in a “modified conclusion”. If there are material and pervasive misstatements, then the auditor should withdraw from the engagement.


Agreed-Upon Procedures Reports

These engagements need to have the “agree upon procedures” outlined in the engagement letter, and then the auditor’s report will identify the procedures performed and the conclusions reached (or findings). The report will include the statement: “this agreed upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants”. A report on an AUP engagement doesn’t state an opinion, it just reports the procedures performed and the findings based on the procedures. There will also be a paragraph limiting the distribution of the report to specified parties.


Reporting on Controls at a Service Organization

A service organization is an entity that provides services to user entities which are likely to be relevant to the user entities’ controls over financial reporting, such as a payroll service. A service auditor is an auditor that reports on the controls at a service organization, and they issue either “Type 1” or “Type 2” reports, which auditors auditing other entities that use that service organization use in their audit since the controls of the service organization are relevant to their client’s controls. Example: Paul audits ABC corp, and ABC uses DEF for payroll services. Ben is a service auditor and reports on the controls at DEF, so Paul obtains a Type 2 report from Ben to use in his audit of ABC, since DEF’s controls are relevant to ABC’s controls. Service Auditor’s Reports Type 1 reports contain an opinion on whether management’s description is presented fairly and suitability of the design of controls at the service organization. Type 2 reports are the same as a Type 1 report, but they also report on the operating effectiveness of the controls at the service organization. Because of this, if an auditor at a user entity is going to rely on the operating effectiveness of the controls at the service organization, they’ll need a Type 2 report.


The service auditor will modify their opinion if: • Management’s description isn’t fairly presented in all

material respects • The controls are not suitably designed • The controls didn’t operate effectively throughout the

specified period (Type 2 report) • The service auditor couldn’t gather sufficient appropriate

evidence


Accounting and Review Service Engagements

Preparation Engagements

Preparation of financial statements: this is what it sounds like. The accountant takes the information from management and prepares the financial statements. A preparation is a nonattest service. The accountant does NOT have to be independent for this type of engagement. There should be an engagement letter that outlines management’s responsibilities & the accountant’s responsibilities. Each page of the financial statements should include a statement that no assurance is provided.


Compilation Reports

A compilation is basically assisting management to draft the financial statements, without providing ANY level of assurance. It is an attestation engagement but NOT an assurance engagement. Also, a compilation can be performed for prospective or pro-forma information in addition to historical financial statements. An auditor does NOT have to be independent to do a compilation for a client since no assurance is provided. BUT, if the auditor is not independent, the accountant should disclose this fact in the compilation report. Compilation Report The compilation report is one paragraph. It states that the accountant performed the compilation in accordance with SSARSs issued by the ARSC of the AICPA. It also includes a disclaimer that the financial statements have not been audited, and that the accountant has compiled the financial statements and is not issuing an opinion or conclusion nor providing any assurance on the statements. Remember that no procedures whatsoever are performed on the data in a compilation. The auditor is expected to understand the client and the client’s industry, but no audit procedures of any kind are performed since no assurance is being provided.


Review Reports

A review is an assurance engagement & an attestation engagement that provides “limited assurance” that there are no material modifications that should be made to the financial statements. For a review, the auditor must be independent. The basics of a review are:

• Possess knowledge of a client’s industry • Apply analytical procedures • Perform inquiries of management • Obtain a representation letter

Each page of an entity’s financial statements that have been ‘reviewed’ should include the reference “See Accountant’s Review Report”. In a review engagement, the auditor is NOT required to obtain an understanding of internal controls. The Review Report The basic elements of the report are: Title The accountant's review report should have a title that clearly indicates that it is the accountant's review report and includes the word independent. An appropriate title would be "Independent Accountant's Review Report." Addressee The accountant's report should be addressed as required by the circumstances of the engagement.


Introductory Paragraph The introductory paragraph in the accountant's report should:

• identify the entity whose financial statements have been reviewed;

• state that the financial statements have been reviewed; • identify the financial statements; that have been reviewed; • specify the date or period covered by the financial

statements; • include a statement that a review includes primarily applying

analytical procedures to management's (owners') financial data and making inquiries of company management (owners); and

• include a statement that a review is substantially less in scope than an audit, the objective of which is the expression of an opinion regarding the financial statements as a whole, and that, accordingly, the accountant does not express such an opinion.

Management's Responsibility for the Financial Statements A statement that management (owners) is (are) responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework and for designing, implementing, and maintaining internal control relevant to the preparation and fair presentation of the financial statements. Accountant's Responsibility A statement that the accountant's responsibility is to conduct the review in accordance with SSARSs issued by the AICPA. A statement that those standards require the accountant to perform the procedures to obtain limited assurance that there are no material modifications that should be made to the financial statements.


A statement that the accountant believes that the results of his or her procedures provide a reasonable basis for his or her report. Results of Engagement A statement that, based on his or her review, the accountant is not aware of any material modifications that should be made to the financial statements in order for them to be in conformity with the applicable financial reporting framework, other than those modifications, if any, indicated in the report. Signature of the Accountant The manual or printed signature of the accounting firm or the accountant as appropriate. Date of the Accountant's Report The date of the review report (the accountant's review report should not be dated earlier than the date on which the accountant has accumulated review evidence sufficient to provide a reasonable basis for concluding that the accountant has obtained limited assurance that there are no material modifications that should be made to the financial statements in order for the statements to be in conformity with the applicable financial reporting framework).


Reporting on Compliance

If a CPA is engaged to provide assurance on whether or not an entity is in compliance with applicable laws, regulations, or financial requirements of some kind, the engagement can either be an examination or an “agreed upon procedures” engagement. Management accepts responsibility for compliance with the specified requirements. The CPA should obtain an understanding of the specified requirements. For an examination engagement, the end result is an examination report where the CPA expresses an opinion on whether management complied with the specified requirements. For an agreed upon procedures engagement, the CPA applies procedures set by the specified parties to evaluate compliance with the specified requirements. The report will list the requirements, and then the procedures performed and the findings as a result of the procedures.


Other Reporting Considerations

Comparative Statements and Consistency Between Periods

A few items that would affect the consistency of the financial statements between periods are:

• A change in accounting principle • A change in the reporting entity • Correction of a material misstatement in previously issued

statements • A change in classification, such what things are called on the

balance sheet. Unless material, doesn’t need to be mentioned in the audit report

Any of the above changes that are material would be mentioned in an “emphasis of matter” paragraph in the audit report. There are other rules for changes in accounting principle that are covered in FAR. Comparative Financial Statements Like the changes above, when there is a change in the comparative financial information from a prior period, the auditor will add either an “emphasis of matter” or an “other matter” paragraph depending on the situation. Some common examples are:

• The opinion on previously issued statements changes. An emphasis of matter paragraph would describe the reasons for the change, the date of the previous report, the opinion previously expressed, and that the updated opinion differs from the original opinion


• If prior period statements are not audited. An “other matter” paragraph would be added to the audit report that describes what service was performed in the previous period (review, compilation, etc), and a statement that the service was less in scope than an audit and that no opinion was issued on the previous financial statements


Other Information in Documents with Audited Statements

“Other information” that can be included with audited financial statements include:

• Material inconsistencies • Material misstatements of fact • Financial summaries or highlights • Employment data • Financial ratios • Planned capital expenditures • Names of officers and directors

If applicable, the auditor can use an “other matter” paragraph to disclaim an opinion on the “other information” included with the financial statements.


Review of Interim Financial Information

Interim financial statements are a review, and they consist primarily of analytics and inquiry. The financial statements produced as part of a review should make clear on each page that they are unaudited. The end result is the CPA stating that there are no material modifications needed to be in accordance with the applicable framework. The report on an interim review contains:

• Intro paragraph stating the statements have been reviewed • Paragraph of management’s responsibility • Paragraph of auditor’s responsibility • A conclusion paragraph

⁃ If no material modifications are needed, then this paragraph states “Based on our review, we are not aware of any material modifications that should be made to the accompanying interim financial information for it to be in accordance with (applicable framework).

• Contains auditor’s signature, city and state, and the date of the report


Supplementary Information

If the auditor is engaged to determine whether supplementary information is fairly stated in relation to the financial statements, the phrase is that the supplementary information if fairly stated “in all material respects in relation to the financial statements as a whole”. If the auditor is auditing supplementary information, the materiality levels used are the same as what was used for auditing the financial statements. Required supplementary information is information that a “designated standard-setter” has required to accompany the basic financial statements. The auditor is NOT required to “audit” supplementary information but apply “certain limited procedures” to them and report any deficiencies in the information.


Single Statements

The auditor can express an opinion on a single statement, such as just the balance sheet, if access to the underlying information is not limited. This means the auditor still has to obtain ‘sufficient appropriate audit evidence’, which would mean they look at more than just the balance sheet. If the auditor is engaged to report on financial data that are included in client-prepared information that contains audited financial statements, in the auditor’s report they should refer to the report issued on the audited financial statements.


Special-Purpose and Other Country Frameworks

Financial Statements Prepared Using Another Country’s Framework The main responsibility of the auditor in this situation is to understand the accounting principles that are generally accepted in the other country, or the applicable framework, and then evaluate if the financial statements were prepared in accordance with that framework. Special Purpose Frameworks Special purpose frameworks are other reporting frameworks besides GAAP such as cash basis, tax basis, a regulatory basis, or a contractual basis. The auditor’s report should describe the purpose of the financial statements or refers to the note in the financials that describes the reporting framework (why they are in another framework besides GAAP). This is done in an ‘emphasis of matter’ paragraph, or an ‘other matter’ paragraph. A common question type on the AUD exam is what an auditor should do if the statements are not “appropriately titled”, and the answer is that the auditor should disclose their reservations on the audit report and qualify the opinion. This just means that with certain reporting frameworks, the financial statements have certain titles other than just “balance sheet” or “income statement” and the auditor has to make sure they are titled according to the framework they’re using.


Letters for Underwriters and Filings with the SEC

Letters given to underwriters as part of the due diligence process to provide the underwriter with “reasonable grounds to believe there are no material omissions or misstatements in financial statements related to a securities offering”. They are addressed to the client’s underwriter, and they are signed by the independent auditor. Comfort letters do NOT address internal controls. Comfort letters provide negative assurance on whether unaudited financial information complies with GAAP. A comfort letter provides an opinion as to whether the audited financial statements comply in form with the accounting requirements of the SEC.


Alerts that Restrict the Use of Written Communication

The auditor's written communication should include an alert, in a separate paragraph, that restricts its use when the subject matter of the auditor's written communication is based on:

• measurement or disclosure criteria that are determined by the auditor to be suitable only for a limited number of users who can be presumed to have an adequate understanding of the criteria,

• measurement or disclosure criteria that are available only to the specified parties, or

• matters identified by the auditor during the course of the audit engagement when the identification of such matters is not the primary objective of the audit engagement (commonly referred to as a by-product report)

The alert that restricts the use of the auditor's written communication required should:

• state that the auditor's written communication is intended solely for the information and use of the specified parties.

• identify the specified parties for whom use is intended. In situations covered by paragraph .06c, the specified parties should only include management, those charged with governance, others within the entity, the parties to the contract or agreement, or the regulatory agencies to whose jurisdiction the entity is subject, as appropriate in the circumstances

• state that the auditor's written communication is not intended to be and should not be used by anyone other than the specified parties


Additional Reporting Requirements Under Gov Auditing

Standards

GAO Audits and Reporting on Internal Controls Financial statement audits performed under the GAGAS require reporting on internal control and compliance with laws, regulations, and agreements. Reporting on Internal Controls and Compliance The report should describe the scope of the testing performed on the internal controls and compliance with applicable laws and regulations. Assurance over internal controls isn’t provided, but the report states whether the tests performed provided sufficient and appropriate evidence to support the opinion on internal control and compliance. The auditor should report any significant deficiencies or material weaknesses in internal control, any fraud discovered, or any noncompliance with applicable laws or regulations that would have a material effect on the financial statements.