SU 9
Before communicating with a subgroup (e.g., an audit committee) of those charged with governance, the auditor may consider such matters as:
(1) the responsibilities of the subgroup and the governing body, (2) the nature of the matter, (3) legal or regulatory requirements, (4) whether the subgroup can (a) act on the information and (b) provide further information and explanations the auditor may need, and (5) whether the auditor is aware of potential conflicts of interest between the subgroup and other members of the governing body.
Procedures the auditor performs to test operating effectiveness include a mix of
(a) inquiry of appropriate personnel, (b) observation of operations, (c) inspection of relevant documentation, and (d) reperformance of the control
Matters to be communicated include:
(a) the auditor's responsibilities in accordance with GAAS, (b) an overview of the audit, and (c) significant and relevant findings.
Planned Scope and Timing of the Audit (THE AUDITOR'S COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE)
-Overview to not compromise the audit. Issues to be addressed include 1) How the auditor proposes to address the risks of material misstatement, whether due to fraud or error; 2) Issues related to internal control and the internal audit function; and 3) Materiality in planning and performing the audit.
Communicating IC matters identified in an audit:
-auditor is not required to perform procedures specifically to identify deficiencies in internal control or to express an opinion on internal control -BUT the auditor should report significant deficiencies and material weaknesses in internal control over financial reporting that have been identified -communication should be in writing and directed to management and those charged with governance
The auditor should communicate in writing:
-significant deficiencies and material weaknesses to management and those charged with governance. 1) The communication also should describe these conditions and explain their potential effects -The communication is best made by the audit report release date, but no later than 60 days after -Communication of significant and urgent matters during the audit need not be in writing. But the auditor ultimately should communicate significant deficiencies and material weaknesses in writing even if they have been corrected -auditor should communicate to management other deficiencies that merit attention but are not significant deficiencies or material weaknesses. This communication may be made orally or in writing
Risk factors may indicate whether a reasonable possibility exists that one or more deficiencies will result in a misstatement. The following are examples of risk factors:
1) Accounts, transaction classes, disclosures, and assertions involved (e.g., overstatement of revenues and understatement of expenses) 2) Cause and frequency of exceptions 3) Susceptibility of the related asset or liability to loss or fraud 4) Degree of judgment required to determine the amount involved 5) Relationship of the control with other controls 6) Interaction among deficiencies 7) Possible consequences of the deficiency 8) Importance to financial reporting
Sarbanes-Oxley Act of 2002 a. The act requires the auditor to report the following to those charged with governance:
1) All critical accounting policies and practices to be used 2) All material alternative treatments of financial information within GAAP discussed with management 3) Ramifications of the use of alternative disclosures and treatments 4) The treatment preferred by the auditor
The auditor should (1) consider the results of the fraud risk assessment and (2) evaluate (a) whether controls sufficiently address the identified risks of material fraud and (b) controls over the risk of management override. The following controls address these risks:
1) Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries 2) Controls over journal entries and adjustments made in the period-end financial reporting process 3) Controls over related party transactions 4) Controls related to significant management estimates 5) Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results
If the user auditor plans to use a type 1 or type 2 report, the user auditor should
1) Evaluate whether the report is appropriate for the user auditor's purposes; 2) Evaluate the sufficiency and appropriateness of the evidence provided by the report for understanding the user entity's relevant internal control; and 3) Determine whether complementary user entity controls identified by the service organization are relevant to the RMMs relating to the relevant assertions in the user entity's financial statements and, if so, obtain an understanding of whether the user entity has designed and implemented such controls
The following are examples of deficiencies, significant deficiencies, or material weaknesses related to operational failures:
1) Failures in the operation of effectively designed controls over a significant account or process 2) Failure of the information and communication component of internal control to provide timely, complete, and accurate information 3) Failure of controls designed to safeguard assets 4) Failure to perform reconciliations of significant accounts 5) Undue bias or lack of objectivity by those responsible for accounting decisions 6) Misrepresentation by client personnel to the auditor 7) Management override of controls 8) Failure of an application control caused by deficient design or operation of an IT general control 9) An excessive observed deviation rate in a test of controls
Indicators of material weaknesses include the following:
1) Identification of any fraud by senior management 2) Restatement of financial statements to correct a material misstatement due to fraud or error 3) Identification by the auditor of a material misstatement that would not have been detected by internal control 4) Ineffective oversight of financial reporting and internal control by those charged with governance
The following are examples of possible deficiencies, significant deficiencies, or material weaknesses related to design:
1) Inadequate design of internal control over financial statement preparation 2) Inadequate design of controls over a significant account or process 3) Inadequate documentation of the components of internal control 4) Insufficient control consciousness 5) Absent or inadequate segregation of duties or controls 6) An ineffective control environment, risk assessment process, or response to significant risks over the safeguarding of assets 7) Inadequate design of IT general and application controls 8) Employees or management who lack the proper qualifications and training 9) Inadequate design of monitoring controls 10) The absence of an internal process to report deficiencies on a timely basis
The integrated audit should be properly planned. The auditor should evaluate how the following affect the examination of internal control:
1) Knowledge of internal control obtained during other engagements or from the predecessor's working papers 2) Industry issues, such as financial reporting practices, economic conditions, laws and regulations, and technological changes 3) Matters related to the business, e.g., operating characteristics, capital structure, and organization 4) Recent changes in the entity, operations, or internal control 5) Preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses 6) Control deficiencies previously communicated to those charged with governance or management 7) Legal or regulatory matters 8) The type and extent of available evidence related to the effectiveness of internal control 9) Preliminary judgments about internal control 10) Public information relevant to the likelihood of material misstatements and the effectiveness of internal control 11) The relative complexity of operations 12) Knowledge about risks obtained from the client acceptance and retention evaluation
The auditor should evaluate the control environment by assessing whether:
1) Management's philosophy and operating style promote effective internal control. 2) Sound integrity and ethical values, particularly of management, are developed and understood. 3) The board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.
If the user auditor is unable to obtain a sufficient understanding of the controls from the user entity, the user auditor should obtain that understanding from one or more of the following procedures:
1) Obtaining and reading a service auditor's report, if available 2) Contacting the service organization, through the user entity, to obtain specific information 3) Performing procedures at the service organization to provide the necessary information about its relevant controls 4) Using another auditor to perform procedures to provide the necessary information about the relevant controls at the service organization.
When the user auditor's risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor should obtain audit evidence about the operating effectiveness of those controls from one or more of the following:
1) Obtaining and reading a type 2 report 2) Performing appropriate tests of controls at the service organization 3) Using another auditor to perform tests of controls at the service organization
The service auditor reports on controls at a service organization in one of the following reports:
1) Report on management's description of a service organization's system and the suitability of the design of controls (a type 1 report) 2) Report on management's description of a service organization's system, the suitability of the design of the controls, and operating effectiveness of controls (a type 2 report)
The following are risk factors related to accounts and disclosures:
1) Size and composition of the account 2) Susceptibility to misstatement due to fraud or error 3) Volume of activity, complexity, and homogeneity of the transactions 4) Nature of the account or disclosure 5) Accounting and reporting complexities 6) Exposure to losses in the account 7) Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure 8) Existence of related party transactions in the account 9) Changes from the prior period or disclosure characteristics
The written communication should:
1) State that the purpose of the audit was to express an opinion on the financial statements. 2) State that the audit considered internal control to design audit procedures, not to express an opinion, and that the auditor is not expressing an opinion on the effectiveness of internal control. 3) State that the auditor's consideration of internal control was not designed to identify all deficiencies that might be significant deficiencies or material weaknesses. 4) Include the definition of a material weakness and, if relevant, the definition of a significant deficiency. 5) Describe significant deficiencies and material weaknesses. 6) Explain the potential effects of each significant deficiency and material weakness. 7) Restrict the use of the communication to (a) management, (b) those charged with governance, and (c) others within the entity (and possibly governmental agencies).
For type 1 and type 2 reports, the service auditor should obtain sufficient appropriate evidence to support
1) The assessment of management's description of the service organization's system and whether those controls described have been implemented 2) The opinion that the controls are suitably designed
Testing Design Effectiveness
1) The auditor should determine whether controls, if they are operated as prescribed by persons with the necessary authority and competence to perform them effectively, (a) satisfy the control objectives and (b) can effectively prevent, or detect and correct, fraud or error that could result in material misstatements in the financial statements. 2) Procedures include (a) inquiry of appropriate personnel, (b) observation of operations, and (c) inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness
Examples of entity-level controls:
1) The control environment 2) Controls over management override 3) Monitoring of the results of operations 4) Controls over the period-end financial reporting process 5) Monitoring of other controls, including activities of internal auditing, the audit committee, and self-assessment programs 6) The risk assessment process 7) Policies that address significant business control and risk management practices
The magnitude of a misstatement depends on:
1) The financial statement amounts or transactions involved and 2) The activity in the relevant balance or transaction class.
The severity of a deficiency depends on:
1) The magnitude of the potential misstatement and 2) Whether a reasonable possibility exists that the controls will fail
Understanding a Service Organization's Services and Internal Control
1) The nature of the services provided by the service organization and their significance to the user entity, including their effect on the user entity's internal control 2) The nature and materiality of the transactions processed (or accounts or financial reporting processes affected) by the service organization 3) The degree of interaction between the service organization and the user entity 4) The nature of the relationship between the user entity and the service organization, including the relevant contractual terms
For type 2 reports, the service auditor also should obtain sufficient appropriate audit evidence to support
1) The opinion that the controls operated effectively throughout the period
A service organization's services and controls are part of the client's information system relevant to financial reporting if they have an effect on
1) The significant classes of transactions in the user entity's operations; 2) The systems, both IT and manual, that initiate, authorize, record, process, correct, and report the user entity's transactions; 3) How the user entity's information system captures significant events and conditions, other than transactions; or 4) The process used to prepare statements, including significant estimates and disclosures.
The auditor should evaluate the period-end financial reporting process, including procedures:
1) Used to enter transaction totals into the general ledger; 2) Related to the selection and application of accounting policies; 3) Used to initiate, authorize, record, and process journal entries; 4) Used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and 5) For preparing annual and quarterly financial statements and related disclosures.
Objectives of the User Auditor
Obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity's internal control relevant to the audit. The understanding should be sufficient to identify and assess the risks of material misstatement
Timing of tests of controls:
Testing controls over a greater period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Moreover, testing closer to the date of management's assessment provides more evidence than testing earlier in the year.
Qualitative Aspects of the Entity's Significant Accounting Practices:
The auditor should inform those charged with governance about the following: 1) The auditor's views on the entity's significant accounting practices, including policies, estimates, and disclosures 2) The reasons that the entity should not use a significant accounting practice that is acceptable under the applicable reporting framework 3) Management's process for making sensitive accounting estimates (including fair value estimates) and the basis for the auditor's conclusions about their reasonableness 4) Management's selection of, changes in, and application of significant accounting policies 5) Management's methods used to account for significant, unusual transactions 6) The effects of significant accounting policies in controversial or emerging areas that lack authoritative guidance or consensus, such as revenue recognition, off-balance-sheet financing, and accounting for equity investments
Nature of tests of controls:
The following tests are presented in order of the evidence that they ordinarily produce, from least to most: (1) inquiry, (2) observation, (3) inspection of relevant documentation, and (4) reperformance of a control. Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control.
Misstatements:
The maximum overstatement ordinarily is the recorded amount, but the understatement is unlimited. 1) The auditor need not quantify the probability of misstatement. 2) A small misstatement often is more likely than a large misstatement.
Extent of tests of controls.
The more extensively a control is tested, the greater the evidence obtained from that test.
Roll-forward procedures.
To roll forward the results of interim work, the auditor should consider (1) the specific controls, their associated risks, and the test results; (2) the sufficiency of evidence obtained at the interim date; (3) the length of the remaining period; and (4) the possibility of changes
The auditor begins an integrated audit at the financial statement level by
Using a top-down approach, understanding overall risks to internal control over financial reporting and focusing on entity-level controls. (S)he then performs procedures on significant accounts, disclosures, and their relevant assertions
A significant deficiency is:
a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness but that merits attention by those charged with governance.
A material weakness is:
a deficiency, or combination of deficiencies, in internal control that results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or timely detected and corrected
The auditor should design tests of controls to obtain sufficient appropriate evidence to support the auditor's opinion on internal control over financial reporting
a) At a moment in time (e.g., at year end) and b) Taken as a whole (i.e., addressing the effectiveness of selected controls over all relevant assertions).
The auditor should modify the standard report on internal control in any of the following circumstances:
a. A material weakness requires an adverse opinion. 1) The report must include the definition of a material weakness. b. Elements of management's annual report on internal control are incomplete or improperly presented. c. The scope of the engagement is restricted. d. The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor's own report. e. Other information is contained in management's annual report on internal control. f. Management's annual certification under Section 302 of the Sarbanes-Oxley Act is misstated.
The following are indicators of material weaknesses in internal control:
a. Identification of fraud, whether or not material, on the part of senior management b. Restatement of previously issued financial statements to reflect the correction of a material misstatement c. Identification by the auditor of a material misstatement in the current period in circumstances that indicate that the misstatement would not have been detected by internal control d. Ineffective oversight by the audit committee of external financial reporting and internal control
Discussions may be appropriate about circumstances or relationships that, in the auditor's professional judgment:
a. May reasonably bear on independence and b. Were given significant consideration by the auditor in reaching the conclusion that independence has not been impaired.
Auditor's Responsibilities under GAAS (THE AUDITOR'S COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE)
a. The auditor may provide a copy of the engagement letter to those charged with governance. Among other things, the engagement letter states that: 1) The auditor is responsible for forming and expressing an opinion about whether the financial statements are presented fairly. 2) The audit does not relieve management or those charged with governance of their responsibilities for fair reporting.
Reporting by the User Auditor
a. The user auditor should express a qualified opinion or disclaim an opinion if (s)he cannot obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the audit of the user entity. b. The user auditor should not refer to the work of a service auditor in the user auditor's report containing an unmodified opinion. c. If a reference to the work of a service auditor is relevant to understanding a modification of the opinion, the report should indicate that the reference does not reduce the user auditor's responsibility
Tests of controls
are designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management's description of the service organization's system
Complementary user entity controls
are those that management of the service organization assumes, in the design of its service, will be implemented by user entities to achieve the control objectives.
The user auditor
audits and reports on the financial statements of the user entity.
Those charged with governance should be informed of significant difficulties encountered in dealing with management, such as:
delays in providing required information and unnecessary time constraints on the audit. Other significant problems may include unavailability of information and management-imposed restrictions.
A type 1 report
expresses an opinion on the fair presentation of management's description and whether the controls are suitably designed at the specified date. a) Suitable design means the controls can attain the control objectives if they operate effectively
A type 2 report
expresses not only the type 1 opinions but also an opinion on whether the controls were operating effectively (meeting the control objectives). a) Type 2 opinions relate to design and effectiveness throughout the period rather than at a specific date
Uncorrected misstatements
Their effect on the opinion should be communicated to those charged with governance. a. The auditor also should communicate 1) The effect of uncorrected misstatements from prior periods on the statements as a whole and relevant transaction classes, etc.; 2) Material, corrected misstatements communicated to management; and 3) Written representations requested by the auditor
The auditor may communicate:
immaterial, corrected misstatements that recur frequently and may indicate a bias in the statements
A significant deficiency
is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
A material weakness
is a deficiency, or a combination of deficiencies, in internal control such that a reasonable possibility exists that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis
scaling
is an extension of the risk-based approach
The auditor's objective in an audit of internal control over financial reporting
is to express an opinion on whether the entity maintained, in all material respects, effective internal control over financial reporting (internal control) as of the specified date, based on the control criteria. However, internal control is not effective if a material weakness exists.
A subservice organization
is used by another service organization to perform some of the services provided to user entities that are relevant to their internal control over financial reporting.
Every public company (an issuer) must include in its annual report
management's assessment of the design and effectiveness of internal control over financial reporting
A walkthrough:
often is an effective way of achieving the following objectives related to understanding the likely sources of potential misstatement: a. Understanding the flow of transactions related to relevant assertions, including how transactions are initiated, authorized, processed, and recorded b. Identifying the points within the company's processes at which a material misstatement, including a misstatement due to fraud, could arise c. Identifying the controls that management has implemented to address these potential misstatements d. Identifying the controls that management has implemented for the prevention or timely detection of unauthorized acquisition, use, or disposition of assets
The service organization
provides services to users that are relevant to their internal control over financial reporting.
An auditor should not issue a written communication:
stating that no significant deficiencies were identified
A deficiency in internal control exists when:
the design or operation of a control does not allow management or employees, in the normal course of their assigned functions, to prevent, or detect and correct, misstatements on a timely basis
The user entity
uses a service organization. The user entity's financial statements are being audited.
A deficiency exists
when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
The auditor should discuss:
with those charged with governance the implications of not correcting misstatements.