ACC 235 Test 2
8 general audit procedures to gather evidence
(1) inspection of records and documents (vouching, tracing, scanning), (2) inspection of tangible assets, (3) observation, (4) inquiry, (5) confirmation, (6) recalculation, (7) reperformance, and (8) analytical procedures. -For each relevant assertion, auditors need to gather enough evidence to conclude that the risk of material misstatement for that assertion has been reduced to an acceptably low level. In the following sections, we discuss each of these audit procedures in more detail.
risk management activities
(1) perform procedures regarding the acceptance or continuance of the audit client relationship, (2) determine compliance with independence and ethics requirements, and (3) reach a contractual understanding with the client for the terms and conditions of the audit engagement. Each of these areas is now discussed.
Audit Documentation is classified in 2 categories
(1) permanent files (which contain information that is relevant to ongoing client relationships) and (2) current files (which relate to just one year of the client relationship).
What is included in an Engagement Letter?
(1) the objectives of the engagement, (2) management's responsibilities, (3) the auditors' responsibilities, and (4) any limitations of the engagement. -Other matters of understanding, such as the ones shown in Exhibit 3.1, also may be included in the letter. For example, the additional internal control considerations required by the Public Company Accounting Oversight Board are specifically mentioned in the example engagement letter. In fact, a close review of this exhibit reveals the importance of an auditor being quite detailed when completing the engagement letter.
Some amount of inaccuracies are allowed in financial statements because
(1) unimportant inaccuracies do not affect users' decisions and hence are not material, (2) the cost of finding and correcting small misstatements is too high, and (3) the time taken to find them would delay issuance of the financial statements. -As a result, to plan the nature, timing, and extent of further audit procedures to be performed, an auditor "should establish a materiality level for the financial statements as a whole that is appropriate in light of the particular circumstances. -This includes consideration of the company's earnings and other relevant factors." The professional standards also now require that the "materiality level for the financial statements as a whole needs to be expressed as a specified amount."
Potential for increased management supervision.
- Computerized information systems offer management a wide variety of analytical tools to review and supervise the company's operations. The availability of these additional controls can enhance the entire system of internal control and, therefore, reduce control risk. For example, traditional comparisons of actual operating ratios with those budgeted as well as reconciliation of accounts frequently are available for review on a timelier basis when such information is computerized.
Preventive Controls vs. Detective Controls
- Preventive: procedures that prevent misstatements before they occur (those that ensure hiring competent people, limiting access, requiring approval, separating duties, etc.), are preferable to -detective controls: procedures that detect misstatements after they occur. -In some sense, all control activities can be thought of as preventive controls because the possibility of being caught by a detective control might prevent someone from committing an error or a fraud. Control activities include performance reviews, separation of duties, physical controls, and information-processing controls.
Lead Schedule
-A lead schedule is a summary of the accounts or components in an account group. For cash, the lead schedule includes all of the company's cash accounts. For inventory, the lead schedule may include inventory amounts by product line, cost of goods sold, and reserves for obsolescence.
Audit Committee
-A subcommittee of the board of directors that is generally composed of three to six independent members (those not involved in the entity's day-to-day management) of the organization's board of directors. Each member must be financially literate, and one member must be a financial expert. -The purpose of including independent members is to provide a buffer between the audit team and the operating management team of the company
COMPONENTS OF INTERNAL CONTROL
-According to the COSO framework, an internal control system that is designed and operating effectively will have met three categories of objectives within an organization (Exhibit 5.3). -First, the system will allow for effective and efficient operations. -Second, it will allow for reliable financial reporting. And, -third, the system will allow the organization to comply with laws and regulations. -To achieve the specific objectives for each of these categories of objectives, the COSO report defines five basic components of a properly designed internal control system. The five components are (1) control environment, (2) risk assessment, (3) control activities, (4) monitoring, and (5) information and communication. -components should not operate independently of each other. Instead, they should be considered as working in an interrelated manner to support the internal control system's overall effectiveness.
(3) Observation
-Although inventory observation often refers to the physical inspection of inventory (i.e., tangible assets), auditors use observation when they view the client's physical facilities and personnel on an inspection tour, when they watch personnel carry out accounting and control activities (such as observing client inventory counts), and when they participate in a surprise payroll distribution. -Observation also can produce a general awareness of events in the client's offices. In this sense, observation is commonly used as a test of controls.
(7) Reperformance
-Although similar to recalculation, reperformance is much broader in approach. As discussed in Chapter 4, reperformance is commonly used by auditors while completing walkthroughs when gaining an understanding of a client's internal control system. -In fact, reperformance can generally be completed for any client control procedure such as matching vendor invoices with supporting purchase orders and receiving reports. -Reperformance may be done either manually or with the assistance of CAATs.
Materiality Calculation
-Although some accountants wish that standard setters could issue definitive, quantitative materiality guidelines, many fear the rigidity that such guidelines would impose. Therefore, in the end, materiality is a matter of professional judgment that the engagement partner must decide on each audit engagement. -However, on each audit engagement, the planning process begins with a calculation of a preliminary materiality amount that is based on a relevant benchmark and a rule of thumb percentage applied to that benchmark.
Audit Plan
-An audit plan is a comprehensive list of the specific audit procedures that the audit team needs to perform to gather sufficient appropriate evidence on which to base their opinion on the financial statements. -The professional standards require that the auditor plan each audit engagement, including the establishment of an overall strategy for each audit engagement. Specifically, when planning the engagement, the auditor needs to develop and document a plan that describes the nature, timing, and extent of further audit procedures to be performed to assess the risk of material misstatement at the financial statement and the assertion level. -Next, the auditor must carefully plan the nature, timing, and extent of control tests and substantive tests that are designed to mitigate these risks to an acceptable level. This planning process is required to be led by the assigned engagement partner
Possibility of temporary transaction trails.
-An audit trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction source documents. -Some computerized systems are designed so that a complete transaction trail, useful for audit purposes, could exist only for a short time or only in computer-readable form. -Often the loss of hard copy documents and reports and the temporary nature of the audit trail require external auditors to alter both the timing and the nature of audit procedures.
Engagement Circumstances
-An auditor's legal liability is always a relevant consideration when determining materiality. That is, auditors generally place extra emphasis on the detection of misstatements in financial statements that will be widely used (such as those of public companies) or used by important outsiders (such as bank loan officers). -Other circumstances that affect quantitative materiality involve amounts that could turn a net loss into a profit or allow a company to meet earnings expectations. -Finally, matters surrounded by uncertainty about the outcome of future events usually come under more stringent quantitative materiality considerations.
The nature of the item or issue
-An important qualitative factor is the descriptive nature of the item or issue. -An illegal payment is important primarily because of its nature as well as because of its absolute or relative amount. In addition, the auditor would consider any type of fraud committed by a member of management material regardless of the amount. -Finally, generally speaking, potential errors in the more liquid assets (cash, receivables, and inventory) are considered more important than potential errors in other accounts (such as fixed assets and deferred charges).
Possible Cumulative Effects of Misstatements
-At the end of each audit engagement, auditors must also evaluate the aggregate sum of known or potential misstatements. For example, consider an audit for which overall materiality is set at $50,000. If the audit test work revealed five individual $15,000 misstatements, they would each, on their own, be considered immaterial. -However, what if all five misstatements each had the effect of increasing net income? In that situation, the auditor must factor in the probability that the aggregate of uncorrected and undetected misstatements could exceed overall materiality for the financial statements.
(6) Recalculation
-Auditor recalculation of computations previously performed by client personnel produces compelling evidence. A client calculation must always be mathematically accurate. Client calculations performed by computer programs can be recalculated using computer-assisted audit techniques (CAATs) with differences printed out for further audit investigation. -Mathematical evidence can serve the objectives of existence and valuation for financial statement amounts that exist principally as calculations, for example, depreciation, interest expense, pension liabilities, actuarial reserves, bad debt reserves, and product guarantee liabilities. Recalculation, in combination with other procedures, is also used to provide evidence of valuation for all other financial data.
(8) Analytical Procedures
-Auditors can evaluate financial statement accounts by developing expectations about what an account balance should be based on an analysis of relevant financial and nonfinancial data. -When an auditor compares the expectation to a recorded balance, analytical procedures are being performed. -Because of their effectiveness in directing attention to high-risk areas, professional standards require that analytic procedures be used during planning and during final evaluation phases of the audit. Although not required to be used during the substantive testing phase of the engagement, auditors must consider the value of analytical procedures, especially because they are usually less costly than more detailed, document-oriented procedures. -Consequently, analytical procedures often take a prominent place in the audit plan.
independence in fact
-Auditors must maintain independence in mental attitude; that is, auditors are expected to be unbiased and impartial with respect to the financial statements and other information they audit. This "state of mind" is often referred to as the auditor possessing independence in fact. -This independence allows auditors to form an opinion on the entity's financial statements without being affected by influences that might compromise that opinion.
AUDIT PROCEDURES FOR OBTAINING AUDIT EVIDENCE
-Auditors use audit procedures for three purposes. 1. they use audit procedures to gain an understanding of the client and the risks associated with the client (risk assessment procedures). 2. auditors use audit procedures to test the operating effectiveness of client internal control activities (tests of controls) 3. auditors use audit procedures to produce evidence about management's assertions (i.e., relating to existence, occurrence, completeness, cutoff, rights and obligations, valuation and allocation, accuracy, classification, and understandability) related to the amounts and disclosures in a client's financial statements.
planning memorandum
-Basically, the planning memo summarizes all important overall planning information and documents that the audit team is following generally accepted auditing
The Need for Specialized Skills
-CPA firms generally have auditors who are specially trained to evaluate computerized controls and processes. Often they may be called on to write specialized computer programs to retrieve and analyze data. See Module H for more discussion of how to audit computerized controls and processes.
Client Continuation vs Acceptance
-Client continuance decisions are similar to acceptance decisions except that the firm will have more firsthand experience with the entity. These types of client retention reviews are typically done annually and also with the occurrence of major events such as changes in management, directors, ownership, legal counsel, financial condition, litigation status, nature of the client's business, or scope of the audit engagement. In general, conditions that would have caused a public accounting firm to reject a prospective client can develop and lead to a decision to discontinue the engagement. For example, a client company could expand and diversify on an international scale so that a small public accounting firm might not have the resources to continue the audit. In addition, it would not be unusual to see newspaper stories about public accounting firms dropping clients after directors or officers admit to falsification of financial statements or to theft and misuse of corporate assets.
Organizational Structure of Computerized Processing
-Clients can exhibit great differences in the way that their computerized processing activities are organized. The degree of centralization inherent in the organizational structure can vary. A highly centralized organizational structure generally has all significant computerized processing controlled and supervised at a central location. The control environment, the computer hardware, and the computerized systems can be uniform throughout the company. Auditors can obtain most of the necessary computerized processing information by visiting the central location. At the other extreme, a highly decentralized organizational structure generally allows various departments, divisions, subsidiaries, or geographical locations to develop, control, and supervise computerized processing in an autonomous fashion. In this situation, the computer hardware and the computer systems are usually not uniform throughout the company. Thus, auditors might need to visit many locations to obtain the necessary audit information.
Uniform processing of transactions.
-Computerized processing subjects similar transactions to the same processing instructions. Consequently, computerized processing virtually eliminates the occurrence of random errors. As a result, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all similar transactions being processed incorrectly when those transactions are processed under the same conditions.
Availability of Data
-Computerized systems provide an ability to store, retrieve, and analyze large amounts of data. Input data, certain computer files, and other data that the audit team needs might exist for only short periods or only in computer-readable form. In some computerized information systems, hard copy input documents may not exist at all because information is entered directly. -In addition, certain information generated by the computerized system for management's internal purposes can be useful in performing analytical procedures. For example, because storage is easy, the client can save large amounts of operating information (data warehousing) such as sales information by month, by product, and by salesperson. Such information can be accessed (data mining) for use in analytical procedures to determine whether the revenue amounts are reasonable.
Control Activities
-Control activities are specific actions that a client's management and employees take to help ensure that management's directives are carried out.
Documents Prepared and Processed by the Client
-Documentation of this type is referred to as internal evidence. Some of these documents may be quite informal and not very authoritative or reliable. -When such documents are prepared by the client but are mailed to third parties, they become slightly more reliable. -However, as a general proposition, the reliability of these documents depends on the quality of internal control under which they were produced and processed.
Audit Documentation Arrangement and Indexing
-Each public accounting firm has a different method of arranging and indexing audit documentation files. In general, however, the documentation is grouped (or electronically hyperlinked) in order behind the trial balance according to balance-sheet and income-statement captions. Usually, the current assets appear first, followed by fixed assets, other assets, liabilities, equities, income, and expense accounts.
Considering the Work of Internal Auditors
-External auditors must obtain an understanding of a client's internal audit department and its work as part of the understanding of the client's internal control system. -However, prior to relying on the work of internal auditors, external auditors should consider internal auditors' objectivity and competence: -internal auditors should never be delegated tasks that require the external auditors' professional judgment.
Separation of Duties
-Four types of functional responsibilities should be performed by different departments (see Exhibit 5.8), or at least by different persons on the entity's accounting staff: 1. Authorization to execute transactions. This duty belongs to people who have the authority and the responsibility for initiating or approving transactions. Authorization may be general, referring to a class of transactions (e.g., all purchases up to $100,000), or it may be specific (e.g., sale of a major asset). 2. Recording transactions. This duty refers to the accounting and record-keeping function, which in most organizations is delegated to a computerized information system. People who control computerized processing are the record keepers. 3. Custody of assets involved in the transactions. This duty refers to the actual physical possession or effective physical control of property. 4. Periodic reconciliation of existing assets to recorded amounts. This duty refers to making comparisons at regular intervals and taking appropriate action with respect to any differences.
Assessment of control risk HIGH vs. LOW
-High: -An audit team's assessment of control risk as high implies that the controls are not effective at preventing or detecting material misstatements and could not be relied upon by the audit team. In this situation, the audit team would likely use substantive tests of details designed to obtain evidence (nature) at or near the entity's fiscal year-end (timing) with large sample sizes (extent). -Low: -An audit team's assessment of control risk as low implies that the controls are effective at preventing or detecting material misstatements and could possibly be relied upon by the audit team. In this situation, the audit team might be able to use less time-consuming substantive analytical procedures to obtain evidence (nature) at an interim date before the entity's fiscal year-end (timing) with much smaller sample sizes (extent).
Information Processing Control Activities
-Information processing control activities are essential to the effectiveness of an internal control system. Generally, all organizations employ computerized information processing on a routine basis. When entities use computerized information processing, the professional standards make clear that information technology (IT) poses specific risks to an entity's internal control system.
(4) Inquiry
-Inquiry is a procedure that generally involves the collection of verbal evidence from independent parties and management (commonly referred to as management representations). -Important inquiries and responses should be documented by the auditor in the workpapers. -Auditors typically use inquiry procedures during the early planning stages of the engagement.
(2) Inspection of Tangible Assets
-Inspection of tangible assets includes examining property, plant, and equipment; inventory; and securities certificates. Physical inspection of tangible assets provides compelling evidence of existence and may provide tentative evidence of valuation.
Competence
-Internal auditors' competence is investigated by obtaining evidence about their educational and experience qualifications, their certifications (CPA, CIA, CISA, etc.) and continuing education status, the department's policies and procedures for work quality and for making personnel assignments, the supervision and review activities, and the quality of reports and audit documentation. -This evidence enables the external auditors to evaluate internal auditors' performance.
Objectivity
-Internal auditors' objectivity is investigated by learning about their organizational status and lines of communication in the company -Objectivity is questioned when the internal auditors report to divisional management, line managers, or other persons with a stake in the outcome of their findings. -Objectivity is especially questioned when managers have some power over the pay or job tenure of the internal auditors. -Similarly, objectivity is questioned when individual internal auditors have relatives in audit-sensitive areas or are scheduled to be promoted to positions in the activities under internal audit review
Internal Control Defined
-Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: 1992 ∙ Reliability of financial reporting. ∙ Effectiveness and efficiency of operations. ∙ Compliance with applicable laws and regulations. 2013: . A key goal of the updated version is to provide "enhancements and clarifications intended to ease use and application" of the framework in an ever-changing global environment.
Effect of Client's Computerized Processing on Audit Planning
-Largely, all organizations use computers to process their data. Although client automation raises some difficulties (e.g., temporary transaction trails, potential for fraud), auditors can use the speed and accuracy of their own laptops to increase audit efficiency and effectiveness. Accordingly, when evaluating the effect of a client's computerized processing on an audit of financial statements, auditors should consider matters such as the following: ∙ The complexity of the computer operations used by the entity (e.g., batch processing, online processing, outside service centers). ∙ The organizational structure of the computerized processing activities. ∙ The availability of data required by the auditor. ∙ The computer-assisted audit techniques (CAATs) available to increase the efficiency of audit procedures. ∙ The need for specialized skills.
(1) Inspection of Records and Documents
-Much auditing work involves gathering evidence by examining authoritative documents prepared by independent parties and by the client. Auditors frequently inspect such documents to ensure they contain the correct information and/or authorization. Such documents can provide "evidence of varying degrees of reliability, depending on their nature and source," regarding many of management's financial statement assertions.
Independence in appearance
-Not only is it important for auditors to be unbiased, but they must appear to be unbiased. Independence in appearance relates to others' (particularly financial statement users') perceptions of auditors' independence. In fact, if the auditor is not independent, the financial statements are considered unaudited for all practical purposes. -A lack of independence can result in disciplinary action by regulators and/or professional organizations and litigation by those who relied on the financial statements (e.g., clients and investors).
(1) client acceptance and continuance policies and procedures generally include
-Obtaining and reviewing financial information about the prospective client: annual reports, interim statements, registration statements, Form 10-Ks, and reports to regulatory agencies. -Acquiring detailed criminal background checks of all senior managers. -Inquiring of the prospective client's bankers, legal counsel, underwriters, analysts, or other persons who do business with the entity for information about it and its management. -Considering whether the engagement would require special attention or involve unusual risks to the public accounting firm. -Evaluating the public accounting firm's independence with regard to the prospective client. -Considering the need for individuals possessing special skills or knowledge to complete the audit (e.g., IT auditor, valuation specialist, industry specialist).
Computer-Assisted Audit Techniques (CAATs)
-One major trend in current auditing practice is the use of data analysis tools like CAATs to take full advantage of the growing amounts of data available in the financial statement audit process. -In general, CAATs allow auditors to complete a number of important tasks through the use of the cutting-edge devices (e.g., tablets, laptops) that are available to auditors. CAATs allow the auditor to directly access a client's dataset for the year under audit. In addition, in today's environment, auditors use their own laptops and/or tablets regularly to perform steps such as preparing the working trial balance, posting adjusting entries, computing comparative financial statements and common ratios for analytical procedures, preparing supporting audit documentation schedules, and producing draft financial statements.
Risk Assessment
-One way managers address these concerns is to employ an enterprise risk management (ERM) framework such as the one developed by the Committee of Sponsoring Organizations (COSO) to facilitate the assessment and mitigation of business risks that the entity faces. -COSO defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." -In other words, management, boards, and employees have to be constantly thinking about what could go wrong with the business and how they can prevent it.
Performance Reviews
-Performance reviews require management's active participation in the supervision of operations. Management's study of budget variances with follow-up action is an example of a performance review. Management that performs frequent performance reviews has more opportunities to detect errors in the records than management that does not.
Physical Controls
-Physical access to assets and important records, documents, and blank forms should be limited to authorized personnel. Assets such as inventory and securities should not be available to persons who have no need to handle them. Likewise, access to records should be denied to people who do not have a record-keeping responsibility for them. Some blank forms are very important for accounting and control, and their availability should be restricted. -In addition, given the importance of the computerized information processing system, physical security of computer equipment and restricting access to the organization's data and computer application files are important to achieving effective internal control.
(3) Engagement Letter
-Professional standards require auditors to reach a mutual understanding with clients concerning engagement requirements and expectations and to document this understanding, usually in the form of a written letter. When a new client is accepted or when an audit engagement continues from year to year, an engagement letter should be prepared. -In effect, the engagement letter acts as a contract. Thus, it serves as a means for reducing the risk of misunderstandings with the client and as a means of avoiding legal liability for claims that the auditors did not perform the work promised.
Termination Letter
-Provides an opportunity to deal with the subject of future services, in particular, (1) access to audit documentation by successor auditors, (2) reissuance of the auditors' report when required for SEC reporting or comparative financial reporting, and (3) fee arrangements for such future services. -The termination letter also may include a report of the auditors' understanding of the circumstances of termination (e.g., disagreements about accounting principles and audit procedures, fees, or other conflicts). These matters can be of great interest to prospective auditors who should always remember to ask for a copy of the termination letter
COSO Framework
-Representatives from the Financial Executives Institute, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the American Institute of Certified Public Accountants—collectively referred to as the Committee of Sponsoring Organizations, or COSO—debated internal control theory and definitions.
Scanning—Examination of Documents
-Scanning is the way auditors exercise their general alertness to unusual items and events in clients' documentation. A typical scanning directive in an audit plan is: "Scan the expense accounts for credit entries; vouch any to source documents." -In general, scanning is an "eyes-open" approach of looking for anything unusual. The scanning procedure usually does not produce direct evidence itself, but it can raise questions related to other evidence that must be obtained.
Monitoring
-The COSO framework recognizes that in order to allow for continuous improvements and consider changes in the entity's operating environment, management needs to monitor its internal control systems. According to COSO, a well-functioning monitoring system is characterized by philosophies such as the following: ∙ Ongoing and separate evaluations. Ongoing evaluations of controls that are separate from other types of evaluations (e.g., operational) enable management to determine whether the other components of internal control continue to function over time. ∙ Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
Auditors' Internal Control Responsibilities
-The audit team has at least three reasons for conducting an evaluation of an entity's internal control. 1. Sarbanes-Oxley requires an audit of management's assessment of the effectiveness of internal control over financial reporting for public companies. 2. For each fraud risk identified during the planning stage, the audit team should evaluate whether the client has implemented control activities that are specifically designed to address the risk of fraud that has been identified. 3. The final reason for evaluating an entity's internal control is to assess preliminary risk of material misstatement (RMM) for each relevant assertion. -RMM is composed of inherent risk and control risk. -The assessment of RMM at the assertion level is completed for all financial statement audits in order to give the audit team a basis for planning the audit and determining the nature, timing, and extent of further audit procedures to be conducted for the financial statement audit.
The best rule of thumb
-The best rule of thumb depends upon the relevant benchmark selected for the client within a particular industry. For example, 3-5 percent of PBT or 1/2-1 percent of revenue or total assets are often used as starting points for the determination of materiality. -"misstatements are not immaterial simply because they fall beneath a numerical threshold." Thus, auditors must examine both quantitative and qualitative factors when assessing materiality.
How to choose an appropriate benchmark
-The choice of appropriate benchmark relates directly back to the financial statement users. When making an initial determination of materiality, the auditor should consider what is most important to users. -For example, for an asset management company or a hedge fund, it is likely that total net assets would be the most appropriate benchmark. However, for a company in the manufacturing industry, profit before tax (PBT) is likely to be most appropriate. -Although many different benchmarks may be used, auditors most commonly use PBT, total net assets, or total revenues as the benchmark for their initial determination of materiality. Of course, in the end, it is a matter of professional judgment.
Control Environment
-The control environment sets the tone of the organization. It is the foundation for all other components of internal control. It provides discipline and structure to all participants and stakeholders. Control environment factors include the integrity, ethical values, and competence of the entity's people. According to COSO, a well-functioning internal control environment is characterized by philosophies such as the following: ∙ Integrity and ethical values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting. ∙ Board of directors. The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control. ∙ Management's philosophy and operating style. Management's philosophy and operating style support achieving effective internal control over financial reporting. ∙ Organizational structure. The company's organizational structure supports effective internal control over financial reporting by establishing clear and unambiguous reporting lines. ∙ Financial reporting competencies. The company retains individuals who are competent in financial reporting and related oversight roles. ∙ Authority and responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting. ∙ Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting. -Most importantly, the effectiveness of the control environment is influenced heavily by a company's management team and is strongly and unquestionably related to the "tone at the top" set by management.
(2) Current Files
-The current files include all client acceptance or continuance documentation along with planning documentation for the year under audit. They usually include the engagement letter, staff assignment notes, conclusions related to understanding the client's business, results of preliminary analytical procedures, assessments of audit risks, and determination of audit materiality. Many public accounting firms follow the practice of summarizing these data in a planning memorandum with specific directions about the impact on the
Integrated Audit
-The internal control audit is conducted along with the financial statement audit as part of an integrated audit. -In essence, the audit firm employs one integrated process that culminates in the issuance of two opinions: one on the entity's financial statements and one on management's assessment of the effectiveness of the entity's internal control over financial reporting.
Documents Prepared by Independent Outside Parties
-The most reliable form of documentary evidence is external, which means that the document was received directly from an independent outside third party (e.g., a bank). -The signatures, seals, engraving, or other distinctive artistic attributes of formal authoritative documents make such sources more reliable (less susceptible to alteration) than ordinary documents prepared by outsiders. -A great deal of documentary evidence is considered external-internal, which means that the documents were initially prepared by an external third party but they were received by the client first and then given to the auditor. -Since the client had possession of the documents, there is always a possibility that the client altered the documents. As a result, external-internal documents are not as reliable as external documents.
(1) Permanent Files
-The permanent files (or continuing audit files) contain information of continuing audit significance over many years' audits of the same client. The audit team may use this file year after year, but each year's current audit documentation is stored after the files have served their purpose. Documents of permanent interest and applicability include 1. Copies or excerpts of the corporate or association charter, bylaws, or partnership agreement. 2. Copies or excerpts of continuing contracts such as leases, bond indentures, and royalty agreements. 3. A history of the company, its products, markets, and background. 4. Copies or excerpts of minutes of meetings of stockholders and/or directors on matters of lasting interest. 5. Continuing schedules of accounts with balances that are carried forward for several years, such as owners' equity, retained earnings, partnership capital, and the like. 6. Copies of prior-years' financial statements and audit reports. 7. Client organization chart.
Potential for errors and frauds.
-The potential for individuals to gain unauthorized access to or alter data without visible evidence as well as to gain access (direct or indirect) to assets is significant in computerized information systems. Employees have more access to information through numerous terminals hooked together in a common computer network. Less human involvement in handling transactions processed by computers can reduce the potential for observing errors and frauds. Errors or fraud made in designing or changing application programs can remain undetected for long periods of time.
PLANNING IN A COMPUTERIZED ENVIRONMENT
-The technology application (e.g., SAP, Sage 50) used to process accounting transactions will affect an entity's financial reporting process and influence the procedures and techniques used to accomplish the organization's financial reporting goals and objectives. The following are characteristics that an auditor needs to consider when evaluating a client's computerized environment:
Time Budget
-The timing of the work and the number of hours that each segment of the engagement is expected to take are detailed in a preliminary time budget. -Time budgets are used to maintain control of the audit by identifying problem areas early in the engagement, thereby ensuring that the engagement is completed on a timely basis. -Focus more on riskier accounts
AUDIT DOCUMENTATION
-The written record of the basis for the auditor's conclusions that provides the support for the auditor's representations, whether those representations are contained in the auditor's report or otherwise. -In other words, audit documentation provides the auditors' record of compliance with generally accepted auditing standards. -The audit documentation communicates the quality of the audit, so it must be clear, concise, complete, neat, well indexed, and informative. Each workpaper must be complete in the sense that it can be removed from the audit documentation file and considered on its own with proper cross-references available to show how the document coordinates with other audit documents.
performance materiality
-Therefore, auditors use performance materiality (an amount less than materiality for the financial statements as a whole) to make sure that the aggregate of uncorrected and undetected immaterial misstatements does not exceed materiality for the financial statements as a whole.
Planning Meetings
-These planning meetings help to ensure that the engagement is properly planned and that the audit team (especially new) members are properly supervised. The meetings also are intended to be brainstorming sessions to (1) ensure that all audit team members are informed about potential risks in the engagement and (2) increase team members' awareness for potential fraud.
Why is the time taken to perform each phase of the audit recorded?
-These time reports are recorded by budget categories for the purposes of (1) evaluating the efficiency of the audit team members, (2) compiling a record for billing the client, and (3) compiling a record for planning the next audit.
Staffing the Audit Engagement
-When a new client is obtained, most public accounting firms assign a full-service team to the engagement. For a typical audit engagement, this team usually consists of the: -audit engagement partner (the person with final responsibility for the audit and usually an industry specialist), -an audit manager, -an information technology (IT) audit specialist, -a tax specialist, -a quality assurance partner (the second audit partner who reviews the audit team's work in critical audit areas), and -audit staff. The assignment of staff depends on the riskiness of the engagement. For new clients, companies with complex significant transactions and public companies, more experienced staff members are typically assigned. No matter the type of engagement, planning meetings should include all team members and focus on the financial statement accounts that represent the highest risk of material misstatement.
Complexity of Computerized Operations
-When assessing the complexity of computerized information processing, the audit team members should consider their training and experience relative to the methods of information processing. A review of the client's computer hardware could show the extent of complexity involved. If the client outsources significant accounting applications (e.g., payroll), the audit team might need to coordinate audit procedures with service auditors at the processing center.
Information and Communication
-When evaluating the information and communication component of internal control, the "auditor should obtain an understanding of the information system [emphasis added] including the related business processes, relevant to financial reporting. -As part of that process, the auditor must seek to understand the nature of the underlying accounting records, supporting information and the accounts that are used to fully execute a transaction." -The auditor should also understand "how the information system captures events and conditions, other than transactions, that are significant to the financial statements."
Tracing—Examination of Documents
-When testing the completeness assertion, the auditor will take the tracing direction when examining documents. When taking the tracing direction, the auditor selects a basic source document and follows its processing path forward to find its final recording in a summary journal or ledger and ultimately the financial statements. -Using tracing, an auditor can decide whether all significant transactions and events that should have been recorded actually were recorded (the completeness assertion). In doing so, the auditor complements the evidence obtained by vouching.
Vouching—Examination of Documents
-When testing the existence or the occurrence assertion, the auditor will take the vouching direction when examining documents. -The important point about vouching is that the auditor begins the search for evidence by focusing on transactions that have already been recorded in the financial statements. -In vouching, an auditor selects an item in the financial records, usually from a journal or ledger, and follows its path back through the processing steps to its origin -Vouching of documents can help auditors decide whether all recorded significant transactions are adequately supported (the existence and occurrence assertions), but vouching does not provide evidence to show whether all significant transactions were actually recorded (the completeness assertion).
IT Auditors
-Whenever a complex computing environment exists, specialized information technology skills are needed to evaluate the effect of computerized processing on the audit process. -These IT auditors are members of the audit team and are called on when the need for their specialized skills arises,
Initiation or subsequent execution of transactions by computer
-With automatic transaction initiation, certain transactions can be initiated or executed automatically by a computerized system without human review. Computer-initiated transactions include the generation of invoices, checks, shipping orders, and purchase orders. Without a human-readable document indicating the transaction event, the correctness of automatic transactions can be difficult to judge. In addition, management's authorization of transactions can be implicit in its acceptance of the design of the accounting system. For example, authorization of transactions occurs when certain flags are installed in programs or records (e.g., inventory quantity falling below reorder point). Therefore, authorization can be difficult to trace to the proper person. Control procedures must be designed into the system to ensure the genuineness and reasonableness of automatic transactions and to prevent or detect erroneous transactions.
Use of cloud computing applications.
-With cloud computing, an audit client may be accessing certain software applications and data contained in the "cloud" via the Internet with its laptop, tablet, smartphone, or other computing device. By accessing software applications and data in this manner, a client may save substantial computing costs because it need not purchase its own software site licenses and/or data storage hardware. However, this decision is not without risk because data security, service interruptions, and data migration issues can occur. Control procedures must be designed to ensure the completeness and accuracy of the informational flows to and from the cloud and that data security within the cloud is ensured.
Year-end audit work
-Year-end audit work refers to procedures performed shortly before and after the date of the financial statements.
Control Risk
-control risk is the probability that an entity's controls will fail to prevent or detect material misstatements due to errors or frauds that would otherwise have entered the system. -The audit team assesses control risk to complete the preliminary determination of RMM for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM.
Business Risks
-factors, events, and conditions that can prevent organizations from achieving their business objectives.
Audit Specialist
-persons skilled in fields other than accounting and auditing—actuaries, appraisers, attorneys, environmental engineers, and geologists—who are not members of the audit team.
Interim audit work
-refers to procedures performed several weeks or months before the date of the financial statements. (Account balances audited during interim are later rolled forward at year-end.)
Common qualitative factors that auditors use in making materiality judgements
-the nature of the item or issue, -engagement circumstances, and -possible cumulative effects
Form 8-K Report
-when a public company changes auditors, the company must file a Form 8-K report with the SEC and disclose that the board of directors approved the change. Form 8-K, the "special events report," is required whenever certain significant events such as changes in control and legal proceedings occur. -Public companies also must report any disagreements with the former auditors concerning matters of accounting principles, financial statement disclosures, or auditing procedures. At the same time, the former auditor must submit a letter stating whether the auditors agree with the explanation and, if not, provide particulars.
substantive audit plan
-would contain a list of audit procedures for gathering evidence related to the relevant assertions identified for an audit client's significant financial statement accounts and disclosures. The substantive audit plan (i.e., the nature, timing, and extent of further procedures) depends almost exclusively upon the assessment of risk at an audit client. -As an example, consider the nature of procedures. There are two ways to conduct substantive tests: (1) substantive analytical procedures and (2) tests of details.
internal control audit plan
-would contain the specific procedures needed to obtain an understanding of the client's internal control system and test that understanding for those controls that relate to the relevant financial statement assertions. -If the auditor decides to rely on specific internal control activities, the plan would also identify the specific types of tests of controls that would need to be completed to validate the operating effectiveness of the internal control activities.
An audit team uses materiality in 3 ways
1. As a guide to planning substantive testing procedures—directing attention and audit work to those items or accounts that are important, uncertain, or susceptible to material misstatements. 2. As a guide for determining performance materiality to help make sure that the aggregate of uncorrected and undetected immaterial misstatements does not exceed the materiality level for the financial statements as a whole. For example, auditors may use an amount smaller than overall financial statement materiality when auditing particular classes of significant transactions, account balances, or disclosures. 3. As a guide for making decisions about the audit report. An account such as inventory can be material in an audit context because of its size or its place in the financial statements.
3 Principles of Information and Communication
1. The organization obtains or generates and uses relevant quality information to support the functioning of internal control. 2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 3. The organization communicates with external parties regarding matters affecting the functioning of internal control.
3 Principles of Control Activities
1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 2. The organization selects and develops general control activities over technology to support the achievement of objectives. 3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
4 Principles of Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 2. The organization identifies risks to the achievement of its objectives across the entity and analyzes the risks as a basis for determining how the risks should be managed. 3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4. The organization identifies and assesses changes that could significantly impact the system of internal control.
(5) Confirmation
Confirmation by direct correspondence with independent parties is a procedure widely used in auditing. It can produce evidence of existence and rights and obligations and sometimes of valuation and cutoff. Auditors typically limit their use of confirmation to significant transactions and balances about which outside parties could be expected to provide information. A selection of confirmation applications includes the following: ∙ Banks—cash and loan balances. ∙ Customers—receivables balances. ∙ Borrowers—note terms and balances. ∙ Agents—inventory on consignment or in warehouses. ∙ Lenders—note terms and balances. ∙ Policyholders—life insurance contracts. ∙ Vendors—accounts payable balances. ∙ Registrar—number of shares of stock outstanding. ∙ Attorneys—litigation in progress. ∙ Trustees—securities held, terms of agreements. ∙ Lessors—lease terms.
5 Principles of Control Environment
Principles of Control Environment as per COSO Report. 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
predecessor auditor
The public accounting firm that has been terminated or has voluntarily withdrawn from the engagement (whether the audit has been completed or not) -for a new audit engagement, public accounting firms are required to attempt to communicate with the predecessor auditor, if any, for information on management's integrity; on disagreements with management about accounting principles, audit procedures, or similar matters; and the reasons for a change of auditors.
3 Goals of Audit Plan
The ultimate goal of engagement planning is to establish an acceptable level of detection risk so that the auditors find potential misstatements and have them corrected by the client. 1. To make sure that the firm has the requisite staff to conduct the audit in accordance with professional standards in a timely and profitable manner; 2. To determine materiality; and 3. To outline the specific audit procedures, including tests of control and substantive tests that need to be executed properly in order to mitigate assessed risks of material misstatement and be in compliance with professional standards.
Duties of the audit committee
∙ Appointment, compensation, and oversight of the public accounting firm conducting the entity's audit. ∙ Resolution of disagreements between management and the audit team. ∙ Oversight of the entity's internal audit function. ∙ Approval of nonaudit services provided by the public accounting firm performing the audit engagement. ∙ Oversight of the anonymous fraud hotline that is designed to provide employees a confidential and effective manner in which to report possible financial reporting issues. ∙ Authority to engage legal counsel in the event of management fraud.
Several audit documentation preparation techniques are quite important for the quality of the finished product.
∙ Indexing. Each document (whether electronic or paper) is given an index number, like a book page number, so it can be found, removed, and replaced without loss. ∙ Cross-referencing. Numbers or memoranda related to other documents carry the index of the other documents so the connections can be followed. ∙ Heading. Each document is titled with the name of the company, the balance-sheet date, and a descriptive title of the document's contents. ∙ Signatures and initials. The auditor who performs the work and the supervisor who reviews it must sign the audit documentation so personnel can be identified. ∙ Dates of audit work. The dates of performance and review are recorded on the documents so reviewers of the documentation can tell when the work was performed. ∙ Audit marks and explanations. Audit marks (or "tick marks") are the auditor's shorthand for abbreviating comments about work performed. Audit marks always must be accompanied by a full explanation of the auditing work. (Notice in Exhibit 3.6 the auditor's confirmation of the disputed account payable liability.) On electronic documents, comments can be hyperlinked so that reviewers can find additional explanations of audit procedures performed.
Things audit team should keep in mind regarding Control Activities
∙ Information technology. Has the audit client taken full advantage of significant advances in information technology by using entirely automated control activities whenever it is efficient and effective? ∙ Level of integration with their risk assessment process. Has the audit client's management team taken the action necessary to address the identified risks to the achievement of financial reporting objectives? ∙ Selection and development of control activities. Has the audit client's management team selected and developed control activities considering their cost and their potential effectiveness in mitigating the risks identified? ∙ Policies and procedures. Have the policies related to reliable financial reporting been documented and communicated throughout the company by the audit client's management team?
Monitoring Controls Include
∙ Periodic evaluation of controls by internal audit. ∙ Analysis of and appropriate follow-up of operating reports or metrics that might identify anomalies indicative of a control failure. ∙ Supervisory review of controls, such as reconciliation reviews as a normal part of processing. ∙ Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions. ∙ Audit committee inquiries of internal and external auditors. ∙ Quality assurance reviews of the internal audit department.
CAAT can be used to
∙ Recalculation. The audit software can be used to test the accuracy of client computations and to perform analytical procedures to evaluate the reasonableness of account balances. Examples of this use are to (1) recalculate depreciation expense; (2) recalculate extensions on inventory items; (3) compute file totals; and (4) compare budgeted, standard, and prior-year data with current-year data. ∙ Confirmation. Auditors can program statistical or judgmental criteria for selecting customers' accounts receivable, loans, and other receivables for confirmation. In addition, although not a CAAT, the use of electronic confirmations by auditors (e.g., confirmation.com) has led to improvements in both the effectiveness and the efficiency of the confirmation process. ∙ Scanning. Auditors can use CAATs to examine records to determine quality, completeness, consistency, and correctness. This is the computerized version of scanning the records for exceptions to the auditors' criteria. For example, scan (1) accounts receivable balances for amounts over the credit limit, (2) inventory quantities for negative balances or unreasonably large balances, (3) payroll files for terminated employees, or (4) loan files for loans with negative balances. ∙ Analytical procedures. CAATs functions can match data in separate files to help extract the data necessary to make comparisons between financial and nonfinancial information. In addition, CAATs can be used to extract the data necessary to make comparisons to other companies in the same industry. ∙ Fraud investigation. CAATs can be used in a variety of ways to search for fraudulent activities. For example, lists of vendor addresses can be compared to employee address files to see whether employees are paying invoices to companies that they own or operate. Duplicate payments can be found by sorting payments by invoice number and amount paid. Telephone records can be quickly sorted and scanned to ensure that employees are not misusing company telephones.