AUDIT

What is a non-issuer and issuer?

Non-issuer = private

• AICPA SAS, ASB

Issuer = public

• PCAOB AS

Meaning/responsibility for the following terms:

- Must or Is required

- Should

- May, might, could

• “Must” or “is required”: unconditional requirement

• Should: presumptively mandatory requirement

• “May”, “might”, and “could”: a recommendation

Purpose of an audit

To provide financial statement users with an opinion on whether the financial stmts are presented fairly with GAAP (or their framework)

What should an auditor do to obtain reasonable assurance during an audit?

Plan the work and properly supervise any assistants

What order are the sections in for an unmodified opinion for nonissuers?

1. Opinion

2. Basis for Opinion

3. Management’s Responsibility

4. Auditor’s Responsibility

What is the Opinion section for nonissuers?

• States the framework

• Info: fin stmt titles, periods covered, and nature of the engagement

• GAAP

What is the Basis for Opinion section for nonissuers?

• States that the auditor is required to be independent

• States whether the auditor believes that sufficient evidence has been obtained to form an opinion

• GAAS (PCAOB)

What is the Management’s Responsibility section for nonissuers?

• States the framework again

• GAAP

What is the Auditor’s Responsibility section for nonissuers?

• Where the opinion/judgement is

• Where they evaluate the entity’s ability to continue as a going concern

• GAAS (PCAOB)

What order are the sections in for an unqualified opinion for issuers?

1. Opinion

2. Basis for Opinion

3. Critical Audit Matters (required)

What does the Critical Audit Matters section for an issuer need to make a reference to?

The opinion should make a reference to PCAOB and GAAP

What is a Disclaimer of Opinion?

From Audit Issues

Disclaimer:

Material and pervasive.

Due to:

• Time constraints

• Inability to obtain sufficient appropriate audit evidence (such as):

• Inability to observe or confirm

• Inadequacy of accounting records

• Refusal of client’s attorney to respond to inquiry (this is a SCOPE LIMITATION)

• Refusal of management to provide acknowledgment for their responsibility to present fairly with GAAP

• Not independent

What is a Qualified Opinion (due to Audit Issues)?

Material but not pervasive.

Due to:

• Time constraints

• Inability to obtain sufficient appropriate audit evidence (such as):

• Inability to observe or confirm

• Inadequacy of accounting records

• Refusal of client’s attorney to respond to inquiry (this is a SCOPE LIMITATION)

What is a Qualified Opinion (due to Fin Stmt Issues)?

Material but not pervasive.

Due to:

• Inappropriate accounting principles

• Unreasonable estimates

• Inadequate disclosures

• Including related party transactions

• Incorrect numbers

• No reasonable justification for change in accounting principles

What is an Adverse Opinion?

Financial statement issue.

Material and pervasive.

Due to:

• Inappropriate accounting principles

• Unreasonable estimates

• Inadequate disclosures

• Including related party transactions

• Incorrect numbers

• No reasonable justification for change in accounting principles

What is an “except for” opinion?

“Except for opinion”: a qualified opinion that says the fin stmts are a fair representation of of their financial position, except for a specific issue described in the report

What % would generally be considered material and pervasive?

15%

(This isn’t a hard number but its what they generally use)

What are the contents for a nonissuer for the Emphasis-of-Matter Paragraph?

Contents/Info:

• No specific location

• Material justified change in accounting principle

• Change in audit opinion

• Special Purpose framework

What are the contents for a nonissuer for the Other-Matter Paragraph?

Contents/Info:

• Change in audit opinion

• Prior fin stmts audited by prior auditor and prior auditor’s report is not presented

• Comparative fin stmts where the current year is audited and prior year is not

• Restrict use of report

• Report on compliance in auditor’s report

What are the contents for an issuer for the Explanatory Paragraph?

Contents/info:

• AFTER the Opinion Paragraph

• Material justified change in accounting principle

• Change in audit opinion

• Prior fin stmts audited by prior auditor and prior auditor’s report is not presented

• Comparative fin stmtswhere the current year is audited and prior year is not

• Reference to other info required when issues with info

• Report on supplementary info w/in auditor's report

• Reference to supplementary info required when issues with info

• Special purpose framework

• Restrict use of report

• Going concern when substantial doubt is not alleviated (this is an unqualified opinion)

• Report on compliance in auditor’s report

What are recognized subsequent events?

Events that provide additional info about conditions that existed AT the balance sheet date.

What are nonrecognized subsequent events?

Events that occurred AFTER the balance sheet date and did not exist at the balance sheet date.

They should consider disclosing it though.

What procedures should be performed to evaluate subsequent events?

Procedures done for subsequent events (PRIME)?

• Post balance sheet transactions (changes in stock or LT debt after year end)

• Representation letter (about subsequent events)

• Inquiry (legal counsel and mgmt)

• Minutes

• Examine (prior stmts vs current)

What are the special purpose frameworks?

• Cash

• Tax

• Regulatory basis

• Contractual basis

• Other basis

(aka accrual is the only non-special one?)

What all is in an engagement letter?

• Addressee

• Objective and scope of audit

• Responsibility of the auditor

• Resp. of mgmt

• Other relevant info

• Reporting

• Signature

Does the client have to give the new auditor consent to contact the previous auditor?

Yes

What can the new auditor ask the previous auditor about?

• Management integrity

• Disagreements with management

• The reason for the change in auditor

• Any fraud, noncompliance, and internal control matters related to communications

• Nature of entity’s relationships and transactions with related parties and significant unusual transactions

What are the unacceptable reasons for a change in auditor?

• The client refused to allow correspondence with legal counsel

• The client refuses to provide a signed representation letter

The auditor should consider withdrawing from the engagement if so ^^

basically the client is refusing correspondence/a letter

Elements of Quality Control: Human Resources

• Assign personnel to the engagement

• Professional development

• Performance eval, compensation, advancement

Elements of Quality Control: Engagement/Client Acceptance and Continuance

• Accept or continue relationship?

• Policies should give reasonable assurance that the client’s mgmt doesn’t lack integrity and that the firm can be independent

Elements of Quality Control: Leadership Responsibilities

Firm leadership bears ultimate responsibility for the firm’s quality control system

Elements of Quality Control: Performance of the Engagement

• Provides means to resolve differences in opinion

• Consultation with experts

• Proper supervision and work is appropriately reviewed

• Keep the info safe

Elements of Quality Control: Monitoring

• Ongoing eval of the quality control system

• Having a 2nd partner or “wrap up” to review work of other person (only required for issuers)

• Peer review

Elements of Quality Control: Ethical Requirements

• Maintenance of independence

• Helps maintain public confidence in the profession

What are the elements of Quality Control?

• Human resources

• Engagement/Client acceptance and continuance

• Leadership responsibilities

• Performance of the engagement

• Monitoring

• Ethical requirements

HELP ME

What are the differences between the quality control standards and GAAS?

Quality control standards:

• Applies to all professional activities of the firm

• HELPME

GAAS:

• Applies to each individual engagement

• Engagement process:

  • Acceptance

  • Assess risk and plan response

  • Perform procedures and obtain evidence

  • Form conclusions

  • Reporting

What is the report release date?

Often the date on which the report is delivered to the client. (usually the same date as the audit report)

(Date on which the auditor grants the client permission to use the report)

What is are the document retention requirements?

• Nonissuers: documents need to be retained for at least 5 years

• Issuers: documents need to be retained for at least 7 years

According to PCAOB standards, the documentation completion date is fourteen days following the report release date (for an issuer)

What goes in the permanent/continuous file and current file?

Permanent/continuous:

• Pension plans

• Multi-year leases

• Minutes of board meetings

• Stock options

• Articles of incorporation

Current:

• Bank recs

• Statement of earnings

• The audit plan

What goes in the current file?

Typically just for the year under audit

• Bank recs

• Statement of earnings

• The audit plan

At completion of the audit, who has ownership of the working papers?

The CPA firm/auditor!

Client owns the evidence only.

Internal control categories

ORC:

• Effectiveness and efficiency of operations

• Reliability of financial reporting (most relevant objective for audit)

• Compliance with applicable laws and regulations

What are the five components of internal control (COSO)?

• Control environment

• Risk assessment

• Information and communication systems

• Monitoring

• Existing control activities

CRIME!

COSO: Control Environment

Component: Control environment (is the foundation for the other components)

Description: Sets the tone of the organization (tone at the top)

Key Points:

• Integrity

• Competence

• Participation of those charged with governance

• Mgmt philosophy

• Org structure

• Assignment of responsibility

• HR policies

COSO: Risk assessment

Component: Risk assessment

Description: Identification by mgmt of risks relevant to the prep of the fin stmts.

Key Points: Changes or anything new!

COSO: Information and communication systems

Component: Information and communication systems

Description: Methods used to classify and report roles and responsibilities.

Key Points:

• Initiating, authorizing, recording, processing, and reporting entity transactions, conditions and events

• Communicating roles and responsibilities

COSO: Monitoring

Component: Monitoring

Description: Procedures established to assess the quality of control performance over time.

Key Points:

• Internal audit function

• Regular mgmt and supervisory activities

• Other procedures such as mailing customer statements

COSO: Existing control activities

Component: Existing control activities

Description: Policies and procedures established to ensure that mgmt objectives are carried out.

Key Points:

• Authorization

• Segregation of duties

• Safeguarding of assets

• Asset accountability

• Technology

• Deploying policies and procedures (esp. with IT)

Components and principles of the COSO framework/internal control:

Control Environment

Control environment (EBOCA):

• E: commitment to ethics and integrity

• B: board independence and oversight

• O: organizational structure

• C: commitment to competence

• A: accountability

Components and principles of the COSO framework/internal control:

Risk Assessment

Risk assessment (SAFR):

• S: specify objectives

• A: identify and assess change

• F: consider potential for fraud

• R: identify and analyze risks

Basically anything new is a risk!!

Components and principles of the COSO framework/internal control:

Information and communication

Information and communication (OIE):

• O: obtain and use info

• I: internally communicate info

• E: communicate with external parties

Components and principles of the COSO framework/internal control:

Monitoring Activities

Monitoring activities (SOD):

• SO: ongoing and/or separate evaluations 

• D: communication of deficiencies 

1st step is establishing a baseline!

Components and principles of the COSO framework/internal control:

(Existing) Control Activities

(Existing) Control Activities (CATP):

• CA: select and develop control activities 

• T: select and develop technology controls

• P: deployment of policies and procedures

What functions should not be combined with a good segregation of duties?

ARC:

• Authorization

• Record keeping

• Custody of related assets

What phase will the auditor discuss timing of audit procedures with management?

Planning phase

What is the audit strategy?

Audit strategy: An outline that sets the scope, timing, and directions of the audit

What are the two categories for audit procedures? DELETE ME

Risk assessment procedures: used to obtain understanding of the entity.

Further audit procedures

• Substantive procedures (required): to detect material misstatements

• Test of controls (if applicable): to evaluate operating effectiveness of controls

Assertions for Financial Statements (COVERUP) :

Completeness

All account balances, transactions, and disclosures that should’ve been recorded and included in the fin stmts

Assertions for Financial Statements (COVERUP):

Cutoff (O)

Transactions have been recorded in the correct accounting period

Assertions for Financial Statements (COVERUP):

Valuation, allocation, and accuracy

Account balances, transactions, and disclosures are recorded and described fairly and measured at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded

Assertions for Financial Statements (COVERUP):

Existence and occurrence

Account balances exist and transactions that have been recorded and disclosed have occurred and pertain to the entity

Assertions for Financial Statements (COVERUP):

Rights and obligations

The entity holds or controls the rights to assets, and liabilities are the obligations of the entity

Assertions for Financial Statements (COVERUP):

Understandability of presentation and classification (UP)

Transactions have been recorded in the proper accounts and appropriately aggregated or disaggregated. Financial information is appropriately presented and described, and disclosures are clearly expressed and understandable in the context of the applicable financial reporting framework

If risk of material misstatement increases, what does detection risk do?

Detection risk decreases, control risk increases

If risk of material misstatement decreases, what does detection risk do?

Detection risk increases, control risk decreases

What is Audit Risk (AR)?

Audit risk: risk that auditor may unknowingly fail to appropriately modify the opinion on fin stmts that are materially misstated

What is Inherent Risk (IR)?

Inherent risk: the susceptibility that an error or omission will occur in a financial statement due to a factor other than a failure of control

What is Control Risk (CR)?

Control risk: risk that a material misstatement will not be prevented or detected (and corrected) on a timely basis by the entity’s system of internal control

What is Detection Risk (DR)?

Detection risk: risk that the auditor will not detect a material misstatement that exists in a relevant assertion

Does sample size have a direct or inverse relationship with control risk (CR)?

Direct relationship (ie, CR decreases, sample size decreases)

What is fraudulent financial reporting?

Involves intentional misstatements or omissions of amounts/disclosures in the fin stmts, usually involves management

What is misappropriation of assets?

Involves theft of an entity’s assets when the theft causes the fin stmts to not  be presented in conformity with GAAP, usually involves individuals among mgmgt, employees, or third parties

• May involve stealing assets or causing an entity to pay for something that has not been received

Fraud risk factors:

Incentives/pressures

A reason to commit fraud

Examples:

• excessive pressure for mgmt to meet aggressive goals

Fraud risk factors:

Opportunity

A lack of effective controls

Examples:

• Weak controls over cash, like no locks on cash registers

Fraud risk factors:

Rationalization/Attitude

An attempt to justify the fraudulent behavior

What is the purpose of risk assessment?

To identify and assess the risks of RMM and make informed judgements about other audit matters

What are the risk assessment procedures?

• Obtain understanding of the entity and its environment (and their internal control)

• Inquire of the audit committee, mgmt, and others about RMM

• Perform analytical procedures to find inconsistencies or unusual transactions/events

• Perform substantive procedures or tests of controls concurrently with risk assessment procedures

What is the objective of analytical procedures?

To identify unusual transactions, events, etc. that might be significant

What do analytical procedures often involve?

• Comparing the current year to the prior year

• Comparing current year to budget

• Ratios to prior year or industry

What is the sequence of a typical business cycle?

Options: contractionary, expansionary, peak, trough

1. Expansionary phase

2. Peak of economic activity

3. Contractionary phase

4. Trough of economic activity

What are leading indicators?

They tend to predict economic activity and change before the economy starts to follow a trend.

Examples:

• average weekly unemployment insurance claims

• interest rate spreads

• S&P 500 stock index

What are coincident indicators?

Change at approximately the same time as the whole economy and provide information about the current state of the economy.

Examples:

• industrial production

• GDP

What are lagging indicators?

Tend to follow economic activity and after a trend has already started, used to confirm or dispute previous forecasts.

Examples:

• Average prime rate from banks

• Average duration of employment

• Inventories to sales ratios

What are detective controls?

Used to provide assurance that errors or irregularities are discovered and corrected on a timely basis (like bank recs)

Documentation that the auditor can use

FIND:

• flowchart

• internal control questionnaire or checklists

• narrative

• documentation from the client

How much assurance does a strong system of internal control provide?

Only reasonable assurance (not absolute)

What are financial statement level risks?

Risks that relate pervasively to the fin stmts as a whole and potentially impact many individual assertions

What are assertion level risks?

Risks of RMM that do not relate pervasively to the fin stmts but rather to specific transactions, balances, or disclosures

What may the auditor do in overall response to fin stmt level risk?

• communicate to the audit team an increased need to professional skepticism

• assign staff with more experience or specialized skills

• change the nature, extent, or timing of direction and supervision of the engagement team members

• incorporate a greater level of unpredictability into the audit

• make changes to the overall audit strategy

What is the substantive approach?

The auditor assesses the RMM but excludes the effects of internal controls.

Control risk is assessed at a maximum (because):

• there are no effective controls relative to the specific assertion

• the controls aren’t operating effectively

• the risk for the assertion may b e addressed by performing only substantive procedures

When are tests of controls required?

• Situations in which a significant amount of info is being recorded/handled

• When an entity conducts its business using information technology (IT), and it is maintained only through the IT system

What is the combined approach?

Control testing and substantive testing

What are dual purpose tests?

Test of controls and a test of details

When are test of controls performed?

The controls are operating effectively (based on auditor’s assessment) or when the substantive procedures alone are insufficient

What is the Nature of Tests of Controls (NET)? (it is also the most accurate and complete list of walkthrough procedures)

Inquiries, observation, inspection, re-performance

• Inquiries: this alone is not sufficient 

• Observation: generally pertinent only at the time the observation is made, so it is supplemental to other procedures

If the operating effectiveness can’t be evidenced by documentation, what would the auditor rely on?

Inquiry and observation

What procedures test design effectiveness?

• inquiries

• observation

• inspection

What procedures test operating effectiveness?

• inquiries

• observation

• inspection

• reperformance (used exclusively for this)

How often does operating effectiveness need to be retested?

Every 3 years if no controls have changed (current period if they have changed)

Are substantive auditing procedures required in either the fin stmt audit or the audit of internal control?

They are only required in the fin stmt audit