ACG 2

Audit risk equation

Audit Risk = Inherent Risk x Control Risk x Detection Risk Inherent risk x control risk is RMM

Sufficient and appropriate audit evidence

How do we know when we have enough evidence - perform enough procedures in order to get sufficient appropriate evidence Sufficient is a measure of quantity, appropriate is a measure of quality

Evidence with management's opinions

If evidence supports management assertions, it also supports our opinion about management's assertions If evidence contradicts management assertions, we need management to change their assertions

Audit risk and detection risk

audit risk - •"the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the [audited] financial statements are not presented fairly in conformity with the applicable financial reporting framework." detection risk - •"the risk that the procedures performed by the auditor will not detect a misstatement [in the unaudited financial statements] that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by (1) the effectiveness of the substantive procedures and (2) their application by the auditor, i.e., whether the procedures were performed with due professional care" •The risk that the auditor will miss an error in the unaudited financial statements

Account type prone to misstatement

chart slide 28

most common sample selection method and why

haphazard it is easiest and most efficient and still random, can be done by hand

do the 4 parts of the audit process have to happen in order?

no

do you use numbers usually for equation

no, use low, medium, high because they are easier to define

4 parts of the audit process

planning control evaluation substantive testing completion

Another View of the Audit Risk Model

slide 37 Key Take-away: Auditors can control detection risk and therefore manage audit risk to an acceptable level by adjusting the nature, timing, and extent of substantive procedures. Recall that we should think of audit risk as being "acceptable audit risk." Acceptable risk is inversely related to the level of confidence an auditor needs achieve. The more confidence an auditor requires, the more effort that auditor will need to exert to achieve that required level of confidence.

Control risk

the risk that controls will fail to prevent that error Control Risk: The risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control

Inherent risk

the risk that something will go wrong/ an error will occur Inherent Risk: The susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls

The entire planning process relies HEAVILY on what?

what you do last year

Example Benchmarks Used in Determining Materiality Thresholds

•.5% - 2% of total assets •.5% - 2% of revenue •5% - 10% of net income •Need consider all ranges when determining materiality. - some companies have many/few assets etc

Materiality

•A matter is "material" if there is a substantial likelihood that a reasonable person would consider it important. •Consideration of Supreme Court ruling that a fact is material if there is a substantial likelihood that the... fact would have been viewed by the reasonable investor as having significantly altered the "total mix" of information made available

Role of Internal Control in Audits

•All audits require an understanding of internal controls: •Control Risk assessment is part of planning on all audits (Risk of Material Misstatement) •Auditor reports and responsibilities on IC differ based on public vs. private clients and size Private companies do not have to report on internal controls - neither management nor the auditor unless they find an IC problem, but they do not have to look for problem. Small public companies - management has to report on internal control, again auditors do not have to issue a report Large public companies - management has to report on IC, and auditors have to attest to that management report - in effect must audit internal controls.

Performance materiality

•An amount less than planning materiality (e.g. 50-75%, KPMG=75%) •Used in "scoping" to figure out which accounts to test •Generally, do not test accounts with a balance lower than this amount •Official purpose: Used to make sure that the aggregate of uncorrected and undetected immaterial misstatements does not exceed overall materiality

Clearly Trivial

•An amount significantly lower than performance materiality •Detected misstatements under this amount are not aggregated •Misstatements below this level, even when aggregated with all other misstatements, are not expected to be material •Purpose: Used to help auditors be efficient with respect to tiny errors that will never matter A number in which errors below this amount will never matter and we can ignore If a misstatement is above the clearly trivial line but below the performance materiality threshold, we need to keep track of them and see if they add up to the performance materiality threshold

Risk assessment procedures

•Risk assessments tell us where we need audit evidence, audit procedures provide that audit evidence •For planning purposes only •Do not provide audit audit evidence •Indicate when audit evidence is necessary and what kind of audit evidence is necessary

What type of evidence is the strongest/weakest

•Strongest - outside information because it does not have bias (independent) •Weakest - knowledge of the client because it's not backed on evidence "cant staple your brain to the work papers"

Further audit procedures types

•Tests of controls** •Substantive procedures

Two Main Types of Substantive Procedures

•Tests of details Substantive analytical procedures

What is risk?

•The exposure to the chance of injury or loss •It includes the concept of uncertainty (chance) •It also includes the potential for loss

What is audit risk

•The risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. •The risk that an auditor says "Everything's OK" when everything's not OK •The risk of an audit failure •The risk the auditor gives an unqualified opinion on materially misstated financial statements •Auditors want audit risk to be low. Think of this as "acceptable audit risk."

what to do if there is a mistake

2 things to do if there is a mistake 1.Have management fix the mistake 2.Take a larger sample - extension of the previous sample

3 concepts around audit evidence

3 concepts around audit evidence Auditors don't look at evidence in a vacuum, we look at it to support our opinion. We collect the most evidence where things are most likely to go wrong Risk assessments tell us where things are most likely to go wrong and that's where we collect the most audit evidence Risk assessments tell us where we need audit evidence, audit procedures provide that audit evidence

2 categories of audit procedure

1. Risk assessment 2. Further audit procedures

•Risk typically includes two components:

1. •A probability 2. •An outcome •The risk can then be quantified as an expectation based on the probability and outcome: risk = probability * outcome •Always a question of cost-benefit. Can we lower the probability or magnitude at low enough cost to make it worthwhile?

Testing control is necessary for private companies IF

1.Control Risk assessment is below maximum 2.Substantive procedures alone will not provide sufficient appropriate evidence (e.g. sending confirmations to parties with a historically low response rate) (ex hospitals with HIPAA laws)

the two most important steps that auditors must take to achieve a representative sample are

A. (1) ensuring that all units in the population can be selected into the sample and (2) avoiding bias when we select the sample. If there are units in the population that cannot be selected into the sample - or if the audit team is picking the sample in a biased manner (i.e., choosing only items that are likely to be correct), then the sample will not be representative (regardless of size).

If auditors find a misstatement in a sample

A. If auditors find a misstatement in a sample, they must either expand the sample and continue testing or identify a known and likely audit difference. Replacing a misstated item in a sample with a properly-stated item will lead to the wrong conclusion (and be a non-sampling mistake)

Inverse Relationship Between Audit Risk and Materiality

All else equal, if the materiality threshold decreases, then audit risk increases. Slide 42

Chapter 6

Chapter 6

Chapter 7

Chapter 7

Chapter 8

Chapter 8

Timing of Procedures: Cut-off tests

Cutoff tests: Applied to transactions recorded during cutoff period •Provide evidence, as to whether transactions have been recorded in the proper record period Cutoff period: Covers several days before and after client's balance sheet date •Risk- Recording transactions in wrong period

2 types of detection risk pt 2

Detection risk - 2 types 1. sampling risk - we don't pull a sample that accurately shows the population (its good but the rest is all bad) (pull a larger sample) 2. nonsampling risk - risk we pull a good sample, but we mess up the procedure (hire better people, be more skeptical)

Detection risk

Detection risk - the risk we fail to detect misstatement in the financial statements

dixon case

Dixon case - audit firm didn't break any independence rules. They were doing the bookkeeping for the city but it wasn't against the rules because they are not a public company. It made them look bad but wasn't against the rules

materiality is based on the judgement of all persons t/f

False only REASONABLE persons

How do we determine what is material?

First decide what benchmarks users care about and then what percentage to use. Then what qualitative information •Magnitude of financial statement impact (quantitative) •What is important to users (qualitative)

Why is it Important to understand risk of material misstatement during planning

Important to understand risk of material misstatement during planning 1.If the risk is higher and we need to do more work, we might need to hire more people and schedule more people 2.Need to make sure the client knows what to expect 3.If there is high risk, we might need to think outside the box and think of a whole new procedure (consult with others) which takes a lot of time

detection risk

In practice, auditors manage detection risk to achieve the desired acceptable level of audit risk, whatever level that may be. Only thing auditors can control is detection risk - can use detection risk to manage audit risk Can control detection risk through the nature, extent, and timing of procedures

Audit risk definitions

Inherent Risk: The risk that an error will occur (irrespective of client's internal controls) Control Risk: The risk that an error will not be prevented or detected/corrected by client's internal controls Risk of Material Misstatement: Risk that an error exists in the unaudited financial statements OR... Risk that an error occurs and is not prevented or detected/corrected by ICOFR OR... Risk that the unaudited financials are wrong

3 kinds of risk

Inherent risk Control Risk Risk of material misstatement

Equation for 3 types of risk

Inherent risk x control risk = risk of material misstatement

Different Materiality Thresholds

Materiality Performance materiality Clearly trivial

meet the parents video

Meet the parents = if we need evidence, we cannot collect a bunch of bad evidence and make it enough evidence If we audited last years inventory and this inventory, and then found purchases. We can solve for cost of good sold and that's all we need to do to test it.

Old school movie and scrub daddy example

Old school movie and scrub daddy shark tank video - auditing the completeness and existence of inventory. Scrub daddies at bed bath and beyond. Step 1. wake up early Step 2. Drive to bed bath and beyond. Get a list of inventory from management and verify it. To test the existence, we use a procedure called vouching, where we find all 100 scrub daddies they say they have. We haven't tested completeness for this procedure, it is not relevant at all. Testing completeness is the opposite of testing existence Tracing would be hunting through the store to find all the scrub daddies they have. Count everything we can find and add that up, then compare that count to the inventory report. Do not stop looking at a number. Tracing is more relevant to the completeness assertion than to the existence assertion

Qualitative Materiality factors

Precisely - we should know cash down to the penny. Allowance for loan losses is a guess. If an item is misstated and we should know it precisely, we should have management fix it Loss into income - changes income from a gain to a loss Anything that could cause a user to care about a quantitatively small adjustment •Item is measured precisely (vs. imprecise estimates) •Item masks a change earnings or other trends •Hides failure to meet analysts consensus expectations •Item changes loss into income or vice versa •Item concerns significant segment of business •Item affects regulatory compliance •Item affects compliance with loan covenants (or other agreements) •Item increases management compensation •Item conceals an unlawful transaction

Related Party Transactions

Related party transaction - Transaction that happens between 2 companies that have a shared owner Most common example is when someone owns 2 businesses and sells stuff from one company to the other at a deep discount so one company looks better. EX autobody shop and parts store that sells parts to the autobody shop. Another example is a pizza shop and a radio show that is shouting out the pizza shop. SEC and FASB require companies to disclose their related parties Auditors need to find any related party transactions. There is a reasonable assumption that all transactions are done at market rate, so if this is not true, we need to disclose this Need to identify related parties so managers disclose of them correctly. They cause financial statements to be misleading so we need to alert people to make the best decisions •Auditor responsibility: Make sure financial statements reflect economic substance

Risk of material misstatement

Risk that an error makes its way into the unaudited financial statements •OR... Risk that an error occurs and is not prevented or detected/corrected by IC •OR... Risk that the unaudited financials are wrong

Scanning

Scanning - audit firms look over all journal entries. Rolls forward last years general ledger to this years, we can use software to analyze attributes that seem "off". The people who are doing the calculations should be doing the entries. CFO shouldn't prepare and CEO review.

Audit Risk and Materiality (planning stage)

Set materiality in the planning stage Can't define risk without using materiality •Must be considered together in designing the nature, timing, and extent of audit procedures and in evaluating the results of those procedures reflected in auditor report

Materiality "Refrigerator"

Slide 17 Refrigerator Clearly trivial - sweep it under the fridge Performance materiality - put it in the fridge and as long as it fits were good Materiality - the freezer, cant put misstatements in the freezer Clearly trivial - Ignore all individual misstatements in this range. They are considered to be "Clearly Trivial" and will not be material in the aggregate. Performance materiality - Auditors must keep track of all misstatements in this range (e.g. 5 à 75). All misstatements in this range (e.g. 5 à 75) must be less than "performance materiality" (e.g. 75) both individually and in the aggregate Material - This gives auditors a cushion, which accounts for the fact that auditors will not find and aggregate all immaterial misstatements (e.g. "clearly trivial") We have to set a materiality threshold and set a number. The 2 decisions we have to make to calculate that number 1. benchmark - assets, revenue, etc. 2. percentage of that benchmark that we think users will care about

What are the Components of Audit Risk?

Slide 30 Detection risk - 2 types 1. sampling risk - we don't pull a sample that accurately shows the population (its good but the rest is all bad) (pull a larger sample) 2. nonsampling risk - risk we pull a good sample, but we mess up the procedure (hire better people, be more skeptical)

Types of Recalculations Performed by Auditor

Slide 32

Sufficient Appropriate Evidence: Sufficient

Sufficient: measure of quantity •We need more evidence when RMM is assessed as high •As the quality of the evidence increases, the need for additional corroborating evidence decreases. Someone one very good control is enough You cannot compensate for having poor evidence by collecting more of the same type of poor evidence Completeness assertions - need to start outside of the accounting system - like an inventory observation. Need a sample from inventory list and make sure its in the warehouse. Look in the warehouse and make sure its on the inventory list. Test from BOTH directions and test different assertions Confirmations are good evidence but are better if they require action and the client confirms it (positive confirmation)

Even if we are not testing controls, you are evaluating controls

TRUE

SEC requires an unqualified opinion

TRUE

Test of details

Test of details - getting source document that supports financial statements including inventory, bank reconciliation, etc. provide direct evidence that transactions happen and assets/liabilities exist Substantive analytical procedures - auditors develop an expectation of what an account balance should be, and compare managements actual amount to our expectation. If it is close, that is good indirect circumstantial evidence. Includes interest expense and payroll

Tracing

Testing for completeness •Tracing: Taking a sample of original source documents and ensuring that transactions related to source documents have been recorded in appropriate journal and general ledger •For example, going to a warehouse/store location and finding a sample of items on the shelves à and then looking in the detailed inventory listing to make sure the items are included in it. Tracing can often become vouching, you can find existence problems with tracing We worry more about the existence for assets for them being overstated

Vouching

Testing for existence •Vouching: Taking a sample of recorded transactions and obtaining original source documents supporting recorded transaction •For example, taking a sample from a detailed listing of all items in inventory à and then going to the warehouse/store location to make sure the items are there.

Control Evaluation

The auditor should evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.

Materiality conceptually

The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of financial statements in conformity with GAAP, while other matters are not important

Difference between integrated audit and FSA

The only difference between an integrated audit (public companies FS and IC) and a Financial Statement audit is the completion stage Integrated audit: Opine on management's assessment of ICOFR FSA: Do not Opine on management's assessment of ICOFR Internal controls over financial reporting = ICOFR

incorrect acceptance

The risk of incorrect acceptance is the possibility that the population has a lot of misstatements in it, but the sample perfectly picks around these misstatements and is instead perfectly clean. This is dangerous for auditors because if the sample is clean, then they will stop after testing the sample and conclude that the rest of the population is also clean - leading to an audit failure.

incorrect rejection

The risk of incorrect rejection is the possibility that the population has a very small number of misstatements, but the small sample happens to include all (or most) of these misstatements. While this is not ideal for auditors, management will usually ask auditors to expand their sample before recording a likely misstatement

Aggregating Errors in Materiality Judgments

To obtain reasonable assurance about whether the financial statements are free of material misstatement, the auditor should plan and perform audit procedures to detect misstatements that, individually or in combination with other misstatements, would result in material misstatement of the financial statements. • •When an auditor identifies a misstatement above the "clearly trivial" threshold, she/he must keep track of this audit difference in a summary of audit differences. •At the end of the audit, the audit team reviews all audit differences in this summary of audit differences.

Tolerable misstatement

Tolerable Misstatement: the maximum error in a specific population (e.g. account balance) that an auditor is willing to accept.

Timing of procedures

When to perform procedures (interim vs. final) •Interim date - Earlier than balance sheet date must be "rolled forward" •After the balance sheet date - Cut-off testing •Decision based on: 1. Assessment of risk associated with account 2. Effectiveness of internal controls 3. Nature of the account 4. Availability of audit staff •Performing procedures after year end may provide most convincing evidence •Performing procedures prior to the balance sheet date might require less overtime of the audit staff during busy season but, might be less effective

how is audit risk different than RMM

•Audit Risk = the risk that the AUDITED financial statements contain a material misstatement •RMM = the risk that the UNAUDITED financial statements contain a material misstatement • •Audit Risk = the risk that everything's not OK after the auditors do their jobs •RMM = the risk that everything's not OK before the auditors do their jobs

What risk can auditors control

•Auditors cannot control Inherent Risk •This relates to the nature of the client, its industry, and several other factors •Auditors must assess inherent risk •Auditors cannot control Control Risk •This relates to whether the client has effective internal controls. Maintaining effective internal controls is management's job •Auditors must assess control risk •Auditors assess control risk one of two ways: •Assess at maximum and do not test any controls •Test controls (required for SOX audits) Auditors can control Detection Risk

Auditors use accounting cycles to

•Auditors use accounting cycles to: •Organize audit evidence (documentation) •Analyze a coherent picture of related accounts •Breakdown the complex business operations of their clients into manageable and comprehensible processes.

Specialists: Nature and Extent

•Certain accounts require expertise in another field to obtain appropriate audit evidence •Firms have guidance on when consultation of specialists is required. •Responsibility for audit opinion lies with the auditor

Accounting Cycles

•Class of transactions that affects a common set of accounts •A business process affects several accounts All transactions affect at least 2 accounts (double entry accounting auditors will look at groups of accounts together •Auditors begin control testwork by understanding processes (process walkthrough) •Substantive testwork over different accounts within an accounting cycle is often linked

What does planning include

•Client acceptance & continuance decisions Risk assessments fraud brainstorming staffing and budgeting decisions materiality scoping

Assertions

•Completeness - All transactions and accounts that should be presented in the financial statements are included •Existence or occurrence - Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period. •Valuation or allocation - Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. •Obligations and rights - The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date. •Presentation and disclosure - The components of the financial statements are properly classified, described, and disclosed

What is an Auditor's Objective?

•Develop and support an opinion based on evidence. •What kind of evidence to obtain and how to obtain it •Critical thinking based on evidence and assertions The objective of the auditor is to design and perform audit procedures that enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor's opinion

Nature of procedures

•Direct vs. Indirect evidence •External evidence (stronger) vs. Internal evidence (weaker) What procedures were doing, how many procedures were doing Test of details - direct evidence Substantive analytical procedure - indirect evidence

The audit program provides an effective means for

•Distributing work to audit team members (in theory, but not really) •Organizing the documentation of procedures •Monitoring the audit process and progress (in theory, but not really) •Recording the audit work performed and those responsible for performing the work (this is also noted on the workpapers themselves) •Reviewing the completeness and persuasiveness of the procedures performed (executive summary at the cycle level)

Planning: Risk

•Does the client have systems in place to manage its own enterprise risks? •What do we need to do as part of the audit to manage the various risks? (planning) •Do we want to audit the client? •Risk Assessment is the starting point of the audit

Audit risk in practice

•During planning, partners and managers assess inherent risk (i.e. low or high) •After testing controls (usually at interim), partners and managers assess control risk (i.e. low or high) •Prior to substantive testing, the engagement team uses firm guidance to determine ROMM based on inherent risk and control risk (this guidance is usually conservative and requires significant judgment). ROMM is Assessed by the auditor; the auditor cannot control ROMM. •ROMM is used to determine nature, timing, and extent of substantive procedures

key premise for audit process doing more work gives 2 benefits

•If a material misstatement in the unaudited financial statements is more likely to exist, the auditor will plan to perform more substantive testwork 1. If there is an error, then the additional testwork will increase the probability of the auditor finding the error 2. If there is an error and the auditor does not find it, then the additional testwork performed will provide the auditor with more evidence to support a due diligence defense in court

Control Risk in a Financial Statement Audit

•If auditors choose to test controls in a financial statement audit, they may be able to assess Control Risk below 100%. •But, unless auditors actually test controls and find those controls to be designed appropriately and operating effectively in a financial statement audit, they MUST assess Control Risk at 100%. •As a practical matter, it is generally not worth the extra effort of testing controls in a financial statement audit. Therefore, auditors generally assess Control Risk at 100% (maximum) in Financial Statement Audits (i.e., non-SOX audits).

Impact of Materiality on audit risk summary

•If we increase the materiality level then we decrease audit risk (all else equal) •As the size of the acceptable error increases, we have less risk we will miss the error. •If we decrease materiality level then we increase audit risk •As the size of the acceptable error decreases, we have more risk we will miss it •If materiality increases, thereby decreasing audit risk, then auditors can increase detection risk by cutting back on substantive procedures to be more efficient. •If materiality decreases, thereby increasing audit risk, then auditors will need to decrease detection risk by performing additional substantive procedures in order to maintain the effectiveness of the audit.

Audit evidence

•Information used by auditor in arriving at conclusions on which the audit opinion is based •Obtained through audit procedures

Risk summary

•Inherent Risk (IR) = The risk that an error will occur (irrespective of client's internal controls) •Control Risk (CR) = The risk that an error will not be prevented or detected/corrected by client's internal controls •Detection Risk (DR) = The risk that the auditor will miss an error in the unaudited financial statements •Audit Risk (AR) = The risk of an audit failure

Specific Audit Procedures for Tests of Details

•Inspection - Auditor looks at records (or tangible assets) •Observation - Auditor looks at process •Inquiry - Seek information (consider source) •External Confirmation - Obtain evidence directly from third party •Recalculation - Check mathematical accuracy •Reperformance - Auditor independently executes procedures •Scanning - Scan journal entries for unusual activity Vouching Tracing

Types of audit evidence

•Knowledge of client (e.g., planning, inquiries, experience) •Internal control quality (control testing-need more than walkthrough) •Accounting systems (client-generated reports-generally need to test) •Outside information (confirmations, bank statements)

Omissions and misstatements, known vs likely

•Known: one where the auditor knows the exact amount •Likely: an auditor's best guess Likely: •1. If we sample, we need to extrapolate that to the rest of the sample •2. We use estimates for many accounts which are management's best guess. When we audit it, we use our best guess. The number we get from this difference is still a best guess •Management is willing to book known misstatements but not likely misstatements

Materiality: Key Concepts

•Magnitude of an error/omission affect judgment of a reasonable person •Plain English definition: The amount of misstatement that would affect the judgment of a reasonable person.

Materiality def

•Materiality for financial statements as a whole •Based on a percentage of a benchmark Materiality threshold represents what financial statement users care about - based on benchmark and percentage of that benchmark If we think we'll care about a 100$ difference, then well design an audit to catch 70$ misstatements to be sure A number slightly lower than the materiality threshold that we use to design and plan the audit - performance materiality. Tells us what accounts we need to test and tells us which misstatements we need to fix. If its above the materiality we need to fix it, if its not, we don't necessarily need to If PM is 70 and we find misstatement for 75, we need to fix at least 5

•The sufficiency and appropriateness of audit evidence is determined by

•Nature - what procedures •Extent - number of procedures, sample size •Timing - when are the procedures performed? NET

Sufficient Appropriate Evidence: Appropriate

•Overall idea: support audit opinion Relevance and Reliability Evidence from a third party is more reliable than from the client Evidence from a good internal control system is more reliable than a bad Anything we get directly from other parties is more reliable than the one we get from our client Any time we have the original is more reliable than a photocopy Anything in writing is more reliable than orally Independent, third party, straight from the source is more relaible

Impact of Materiality on audit risk

•Overall premise: It is easier to find a large error than a small error. •Audit risk depends on materiality level If materiality goes down, our audit risk goes up, so we need to decrease detection risk to balance audit risk out As materiality goes up, the audit risk goes down As materiality goes down, the audit risk goes up (if you don't change procedures) As materiality goes up, inherent risk goes down As materiality goes down, inherent risk goes up Margin of error is getting smaller/larger Detection risk doesn't change with materiality changes As materiality risk goes up, audit risk goes down If materiality risk goes down, audit risk goes up As materiality goes up, control risk goes down As materiality goes down, control risk goes up

Substantive Testing Includes:

•Performing testwork to obtain evidence over the assertions of material accounts •Usually all assertions are relevant •Key question is risk related to an assertion - this risk drives judgments re: "sufficient, appropriate evidence" and "reasonable assurance" •Conclude on CEVOP of material account balances Assertions are not equally risky for all accounts Preform enough substantive testing to make sure management's assertions are correct

Automobile safety analogy

•Preview: Audit Risk ~ Risk that you are injured in a car accident •Inherent risk: Risk that something really bad will go wrong on the road (before considering how you drive) •Control risk: Risk that the way you drive will not protect you from really bad things that COULD go wrong on the road •Risk of material misstatement: Risk that something really bad happens on the road and your own defensive driving will not protect you from it (Note: this does not mean that an injury accident occurs... it just means that something other than your own driving efforts would have to prevent it) •Detection risk: Risk that your car will not protect you from injury when something has gone wrong and your own driving efforts hade failed to protect you from it Analogy: Car safety features (air bags, ABS, sensors, accident detection, automatic braking, crumple points in the frame, other design-related safety features) IR * CR * DR = Audit Risk = Risk that you are injured in a car accident

Audit procedures

•Procedures designed to obtain audit evidence related to material accounts and the relevant assertions for those accounts

Timing of Procedures: Issues

•Procedures performed at an interim date must be "rolled forward" •Roll-forward period: Period between the confirmation date and the balance sheet date •Key take-away: Performing testwork at "interim" usually takes more hours overall, but makes busy season manageable.

Judgment in Materiality

•Quantitative thresholds •Which benchmark? •Where in range? •Qualitative thresholds: •What events/factors would make a difference in investors' decision making?

Extent of audit procedures

•Relates to Sample sizes Bigger the sample size, stronger the evidence The more extensively a substantive procedure is performed, the greater the evidence obtained from the procedure. Very judgemental Cannot compensate for poor quality with superior quantity.

Completion

•Review the overall financial statements and the overall body of audit evidence •Consider whether materiality thresholds set during planning are still appropriate Decide what kind of report to issue (unqualified opinion or nothing) What changes we need to make to the financial statements in order to issue a clean unqualified opinion

Non-SOX Audits

•There is no required reporting on internal controls on non-SOX audits. •Auditors assess internal controls as part of the assessment of the Risk of Material Misstatement (Inherent Risk * Control Risk) •But, in many cases, auditors just assume maximum CR. •Under maximum Control Risk assumption, the auditor responds by planning more substantive testwork. •Nature (e.g. more tests of details, less substantive analytical procedures) •Extent (e.g. larger samples, more tests) •Timing (as of year end, instead of interim)

Revised Materiality

•What if we find several material errors during the audit that significantly impact the benchmark used to calculate materiality thresholds during planning? •Need to revise materiality thresholds •May need to do more work We have to go back and test accounts that now fit within the criteria

Evidence is More Reliable When It Is

•obtained from knowledgeable independent sources outside the client (vs. sources at the client) •the product of a system (and overall client) with effective internal controls •obtained directly by the auditor •provided by original documents •written, as opposed to strictly oral (e.g. written meeting minutes vs. an agenda with an oral explanation of the nature of the discussion)