Chapter 3

Risk Assessment Procedures

*Risk assessment procedures* are used to obtain an understanding of the entity and its environment, including internal control. -Examples include inquiries of management and others, analytical procedures, and observation and inspection.

The phases of an Audit that relate to Audit Planning

1. Client acceptance and continuance 2. Preliminary engagement activities 3. Plan the audit

Information Circumstances that May Indicate an Illegal Act

1. Unauthorized transactions, improperly recorded transactions, or transactions not recorded in a complete or timely manner. 2. Investigation by a government agency, enforcement proceeding, or payment of unusual fines or penalties. 3. Violations of laws or regulations cited in reports of examinations by regulatory agencies. 4. Large payments for unspecified services to consultants, affiliates, or employees. 5. Sales commissions or agents' fees that appear excessive. 6. Large payments in cash or bank cashiers' 7. Unexplained payments to government officials. 8. Failure to file tax returns or pay government duties.

Dual-Purpose Test

A dual purpose test is one that tests both *controls* and is a *substantive test of transactions.*

Prospective Client Acceptance

As an auditor considers a prospective client, the auditor should: 1. Obtain and review financial information. 2. Inquire of third parties regarding client integrity. 3. Consider unusual business or audit risks. 4. Determine if the firm is independent. 5. Determine if the firm has the necessary technical skills and knowledge. 6. Determine if acceptance violates any applicable regulatory agency requirements or the Code of Professional Conduct.

If the independent auditors decide that it is efficient to consider how the work performed by the internal auditors may affect the nature, timing, and extent of audit procedures, they should assess the internal auditors'

Competence and objectivity.

During the initial planning phase of an audit, a CPA most likely would

Discuss the timing of the audit procedures with the entity's management.

A written understanding between the auditor and the entity concerning the auditor's responsibility for fraud is usually set forth in a(n)

Engagement letter.

List the important information that the engagement letter should contain.

In addition, the engagement letter might include: -Arrangements involving the use of specialists or internal auditors. -Any limitation of the liability of the auditor or client, such as indemnification to the auditor for liability arising from knowing misrepresentations to the auditor by management. (Note that regulatory bodies, such as the SEC, may restrict or prohibit such liability limiting arrangements.) -Additional services to be provided relating to regulatory requirements. -Arrangements regarding other services (e.g., assurance, tax, or consulting services).

Tolerable misstatement is

Materiality used to establish a scope for the audit procedures for the individual account balance or disclosures.

As generally conceived, the audit committee of a publicly held company should be made up of

Members of the board of directors who are not officers or employees.

Give three examples of qualitative factors that might affect the auditor's choice of the percentage to apply to the benchmark used to establish overall materiality.

Qualitative factors that may affect the establishment of the overall materiality (step 1) include: -Material misstatements in prior years; -High risk of fraud; -The entity is close to violating a covenant in a loan agreement; -Small amounts may cause the entity to miss forecasted revenues or earnings, or affect the trend in earnings; -The entity operates in a volatile business environment, has complex operations (multi-locations), or operates in a highly regulated industry

Related Parties

Sources of information that may be used to identify related parties include (see AS18, Appendix A): -Inquires of management. -Minutes of the board of directors meetings. -Conflict-of-interest statements from management and others. -Financial and reporting information provided to creditors, investors, and regulators. -Contracts or other agreements (including side agreements that may not be formally documented between customers and vendors, and management). -Contracts and other agreements representing significant unusual transactions.

Steps in Applying Materiality on an Audit

Step 1: Determine overall materiality Step 2: Determine tolerable misstatement Step 3: Evaluation audit findings

What types of inquiries about a prospective client should an auditor make to third parties?

The auditor should inquire of the prospective client's *bankers and attorneys, credit agencies,* and other members of the business community *who may have knowledge about the integrity of the prospective client and its management.*

What type of information should be requested from the predecessor auditor?

The successor auditor's communication with the predecessor auditor should include questions related to the: -Integrity of management -Disagreements with management over accounting and auditing issues -Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity -Communications to management -Those charged with governance regarding significant deficiencies -Material weaknesses in internal control -Predecessor auditor's understanding of the change in auditors.

Before accepting an audit engagement, a successor auditor should make specific inquiries of the predecessor auditor regarding the predecessor's

Understanding as to the reasons for the change of auditors.

Which of these statements concerning illegal acts by clients is correct? a. An auditor's responsibility to detect illegal acts that have a direct and material effect on the financial statements is the same as that for errors and fraud. b. An audit in accordance with generally accepted auditing standards normally includes audit procedures specifically designed to detect illegal acts that have an indirect but material effect on the financial statements. c. An auditor considers illegal acts from the perspective of the reliability of management's representations rather than their relation to audit objectives derived from financial statement assertions. d. An auditor has no responsibility to detect illegal acts by clients that have an indirect effect on the financial statements.

a. An auditor's responsibility to detect illegal acts that have a direct and material effect on the financial statements is the same as that for errors and fraud.

When planning an audit, an auditor should

b. Determine overall materiality for audit purposes.

Which of the following would an auditor most likely use in determining overall materiality when planning the audit? a. The anticipated sample size of the planned substantive tests. b. The entity's income before taxes for the period-to-date (e.g., 6 months). c. The results of tests of controls. d. The contents of the engagement letter.

b. The entity's income before taxes for the period-to-date (e.g., 6 months).

The engagement partner and manager review the work of engagement team members to evaluate which of the following? a. The work was performed and documented. b. The objectives of the procedures were achieved. c. The results of the work support the conclusions reached. d. All of the above are correct.

d. All of the above are correct.

Determine overall materiality

*Step 1: Determine overall materiality (planning materiality).* -The auditor should *establish a materiality level* for the financial statements taken as a whole. -This will be referred to as *overall materiality*. -Overall materiality is the *maximum amount by which the auditor believes the financial statements could be misstated and still not affect the decisions of users.* -Materiality, however, is a *relative*, not an absolute, *concept*.

Determine tolerable misstatement

*Step 2: Determine tolerable misstatement for accounts (performance materiality).* -This step involves *determining tolerable misstatement based on overall materiality.* -Tolerable misstatement is the *amount of overall materiality that is used to establish the scope of audit procedures for the individual account balance or class of transactions*.

Evaluation audit findings

*Step 3: Evaluate audit findings.* -Based on the results of the audit procedures conducted, the *auditor aggregates misstatements from each account or class of transactions.* -The auditor considers the effect of misstatements not adjusted in the prior period. -When the *aggregated misstatements are less than the overall materiality, the auditor can conclude that the financial statements are fairly presented.* -Conversely, when the *aggregated misstatements are greater than overall materiality, the auditor should request that the entity to adjust the financial statements*.

Substantive Procedures

*Substantive procedures* are performed to detect material misstatements (i.e., monetary errors) in a transaction class, an account balance, and disclosure component of the financial statements. -Examples of substantive procedures are: (1) *tests of details*: Tests for errors or fraud in individual transactions, account balances, and disclosures (i.e., substantive tests of transactions and test of details of account balances) (2) *analytical procedures*: Evaluations of financial information through analysis of plausible relationships among financial and non-financial data

Tests of Controls

*Tests of controls* are audit procedures directed toward the evaluation of the effectiveness of the design and operation of internal controls. -Examples of tests of controls include 1. *inquiries* of appropriate management, supervisory, and staff personnel; 2. *inspection* of documents, reports, and electronic files; 3. *walkthroughs*; 4. *observation* and 5. *reperformance* of the application of the control by the auditor.

What is an audit committee and what are its responsibilities?

-An *audit committee* is a *subcommittee of the board of directors composed of independent members*. -The audit committee is *responsible for the financial reporting and disclosure process.* -The committee should *encourage fair reporting* from the perspective of the stockholders, creditors, and employees. -The audit committee should *meet regularly with the external and internal auditors*, providing for the independence of the external and internal auditors.

How is generally hired for an audit committee

-An audit committee is a subcommittee of the board of directors that is responsible for the financial reporting and disclosure process. -Audit committees are required for public companies subject to SOX and may be established by private companies. -The audit committee should be composed of *independent members of the board.*

Consider Multilocations or Business Units

-An auditor must consider multilocations or business units. -The auditor correlates the amount of audit attention devoted to the location or business unit with the level of risk present.

Continuing Client Retention

-An auditor should evaluate client retention *periodically*, generally *near audit completion or after a significant event*. -They should consider *conflict over accounting and auditing issues* and *disputes over fees.*

What is the purpose of an engagement letter?

-An engagement letter is used to *formalize the arrangement reached between the auditor and client.* -It serves as a *contract that outlines the responsibilities of both parties* and is intended to *prevent misunderstandings between the two parties.* -The letter states the: 1. Responsibilities of the auditor and management 2. The audit will be conducted in accordance with auditing standards 3. Certain types of audit procedures will be conducted and written representations will be obtained from management 4. The audit may not detect all material errors and fraud.

Preliminary Engagement Activities

-As part of the preliminary engagement activities, an audit firm must *determine the engagement team requirements* and *assess compliance with ethical and independence requirements.*

Identify the reasons why audit committees have been formed and are currently in operation.

-Audit committees are formed to satisfy the shareholders' need for assurance that directors are exercising due care in the performance of their duties. -For public companies they are required. -They may also be formed so that a private company can be more responsive to the needs of those interested in financial reporting. -They may also be formed to reinforce auditor's independence, particularly the appearance of independence, from the management of a company whose financial statements are being examined by the auditor.

Document Audit Strategy, Audit Plan, and Audit Programs

-Document overall audit strategy and audit plan, which involves documenting the decisions about the nature, timing, and extent of audit tests. -The auditor documents how the entity is managing its risk (via internal control processes) and the effects of the risks and controls on the planned audit procedures. -Auditors ensure they have addressed the risks they identified by documenting the linkage from the entity's business, objectives, and strategy to the audit plan. -The auditor's preliminary decision concerning control risk determines the level of control testing, which in turn affects the auditor's substantive tests of the account balances and transactions.

Assess the Need for Specialists

-In planning, a major consideration that must be assessed is the need for specialists. -The use of an IT specialist is a significant aspect of most audit engagements, particularly those with complex IT environments.

Additional Value-Added Services

-In planning, an Auditor should consider additional value added services, such as tax planning, system design and integration, benchmarking, risk assessment, electronic commerce, or internal reporting. -Auditors who audit public companies are limited in the types of consulting services that they can offer their auditees.

The *quantitative* base for materiality is a percentage of:

-Income (loss) before taxes. -Income from continuing operations. -Three year average income. -Total assets. -Net assets. -Total revenues. -Gross profit. -Total equity

Assess Business Risks

-It is important that an auditor assess business risks: 1. To understand the entity's business and transactions 2. To identify financial statement accounts likely to contain errors -By understanding the entity's business and identifying where errors are likely to occur, the auditor can allocate more resources to investigate more risky accounts.

The quantitative amounts of materiality may be adjusted lower for *qualitative* factors such as:

-Material misstatements in prior years. -High risk of fraud. -Potential loan covenant violations. -High market pressures. -Volatile business environment. -Higher than normal risk of bankruptcy.

Section 301 of Sarbanes-Oxley Act requires the following for audit committee members of publicly held companies

-Member of board of directors and independent. -Directly responsible for overseeing work of any registered public accounting firm employed by the company. -Must preapprove all audit and nonaudit services provided by its auditors. -Must establish procedures to follow for complaints. -Must have authority to engage independent counsel.

Combined tolerable misstatement is generally greater than planning materiality because:

-Not all accounts will be misstated by their full tolerable misstatement allocation. -Audits of individual accounts are conducted simultaneously. -Materiality is often a small fraction of the account being audited and planned procedures will be sufficiently precise to identify significant misstatements. -When errors are identified, additional testing is typically performed in that account and related accounts. -Overall materiality serves as a "safety net."

Why is it important for CPA firms to develop policies and procedures for establishing materiality?

-Professional standards provide very little *specific* guidance on how to *assess what is material to a reasonable user.* -As a result, auditing firms should develop *policies and procedures to assist their auditors in establishing materiality judgments for clients in order to minimize the variability of such judgments by firm personnel.* -In other words, firms would prefer to have their auditors establish *similar materiality judgments* for clients with *similar circumstances.*

Who is responsible for initiating the communication between the predecessor and successor auditors?

-The *successor auditor is responsible for initiating the communication with the predecessor auditor.* -However, the *successor auditor should request permission of the prospective client before contacting the predecessor auditor.*

List the matters an auditor should consider when developing an audit plan

-The auditor should be guided by the *results of the client acceptance/continuance process, procedures performed to gain the understanding of the entity, and preliminary engagement activities*. Additional steps that should be performed include the following: -Assess business risks. -Establish materiality. -Consider multilocations. -Assess the need for specialists. -Consider violations of laws and regulations. -Identify related parties. -Consider additional value-added services. -Document the overall audit strategy, audit plan, and prepare audit programs.

Supervision of the Audit

-The engagement partner has the *overall responsibility for the engagement and its performance* and should *supervise the audit engagement team* so that the *work is performed as directed and supports the conclusions reached*.

Consider Violations of Laws and Regulations

-The first type of illegal acts is *direct and material*: Includes *violations of laws and regulations*, such as tax laws, that are generally recognized as having a *direct and material effect on the determination of financial statement amounts.* -Other illegal acts are *material and indirect* Includes *violations of laws or regulations* such as the Securities Acts, the Occupational Safety and Health Act, Food and Drug Administration regulations, environmental protection laws, equal employment statutes, and price fixing or other antitrust violations that may have a *material but indirect effect on the financial statements.*

Internal Audit Function

-There are three main factors for evaluating the reliability of the internal audit function: *Objectivity, Competence, and a Systematic and Disciplined Approach*

While net income before taxes is frequently used for calculating overall materiality, discuss circumstances when total assets or revenues might be better bases for calculating overall materiality.

-Total assets or total revenues may be better bases for entities in certain industries. -For example, in a *not-for-profit entity, total revenues or total expenses might be more appropriate benchmarks, while for asset-based entities (e.g., mutual funds) net assets might be a better benchmark.*

List four factors that would cause the auditor to use a lower percentage for establishing tolerable misstatement.

Factors that would cause the auditor to use a lower percentage for tolerable misstatement: 1. High risk of misstatement within the account balance, class of transaction, or disclosure; 2. Increased number of accounting issues that require significant judgment and/or more estimates with high estimation uncertainty; 3. A history of material weaknesses, significant deficiencies, and/or a high number of deficiencies in internal control; 4. High turnover of senior management or key financial reporting personnel.

Establish an Understanding with the Entity

In establishing the terms of the engagement, three topics must be discussed: 1. The engagement letter; 2. Using the work of the internal audit function; and 3. The role of the audit committee. -The terms of the engagement, which are documented in the *engagement letter*, should include the objectives of the engagement, management's responsibilities, the auditor's responsibilities, and the limitations of the engagement.

What factors should an external auditor use to assess the *competence* of internal auditors?

The *competence* of internal audit function can be determined by assessing the following factors: -Whether the IAF is adequately and appropriately resourced relative to the size of the entity and the nature of its operations. -Whether established policies for hiring, training, and assigning internal auditors to internal audit engagements exist. -Whether the internal auditors have adequate technical training and proficiency in auditing. (e.g., the internal auditors' possession of a relevant professional designation and experience). -Whether the internal auditors possess the required knowledge relating to the entity's financial reporting and the applicable financial reporting framework and whether the IAF possesses the necessary skills to perform work related to the entity's financial statements. -Whether the internal auditors are members of relevant professional bodies that oblige them to comply with the relevant professional standards, including continuing professional development requirements.

What actions should the engagement team members be informed of *by the engagement partner and other engagement team members* as part of their *supervisory role*?

The *engagement partner* and other engagement team members performing supervisory activities should: 1. *Inform engagement team members of their responsibilities*, including: -the objectives of the procedures that they are to perform; -the nature, timing, and extent of procedures they are to perform; and -matters that could affect the procedures to be performed or the evaluation of the results of those procedures 2. *Direct engagement team members to bring any significant accounting and auditing issues they identify to the attention of the engagement partner or other engagement team members* performing supervisory activities so they can evaluate those issues and determine appropriate actions. 3. *Review the work of engagement team members to evaluate* whether: -the work was performed and documented; -the objectives of the procedures were achieved; and -the results of the work support the conclusions reached.

What factors should an external auditor use to assess the *objectivity* of internal auditors?

The following factors can be used to judge the *objectivity* of the internal audit function: -Whether the organizational status of the IAF, including the function's authority and accountability, supports the ability of the function to be free from bias, conflict of interest, or undue influence of others to override professional judgments (e.g., the IAF reports to audit committee or an officer with appropriate authority, or if the function reports to management, whether it has direct access to audit committee). -Whether the IAF is free of any conflicting responsibilities (e.g., having managerial or operational duties or responsibilities that are outside of the IAF). -Whether audit committee oversees employment decisions related to the IAF. -Whether any constraints or restrictions placed on the IAF by management or audit committee exist, for example, in communicating the IAF's findings to the external auditor. -Whether the internal auditors are members of relevant professional bodies and their memberships obligate their compliance with relevant professional standards relating to objectivity or whether their internal policies achieve the same objectives

Describe the functions of an audit committee.

The functions of an audit committee may include the following: -Selection of the independent auditor, discussion of audit fee with the auditor, and review of the auditor's engagement letter. -Review of the independent auditor's overall audit plan (scope, purpose, and general audit procedures). -Review of the annual financial statements before submission to the full board of directors for approval. -Review of the results of the auditor's examination including experiences, restrictions, cooperation received, findings, and recommendations. -Matters that the auditor believes should be brought to the attention of the directors or shareholders should be considered. -Review of the independent auditor's evaluation of the company's internal control systems. -Review of the company's accounting, financial, and operating controls. -Review of the reports of internal audit staff. -Review of interim financial reports to shareholders before the board of directors approves them. -Review of company policies concerning political contributions, conflicts of interest, and compliance with federal, state, and local laws and regulations, and investigation of compliance with those policies. -Review of financial statements that are part of prospectuses or offering circulars; review of reports before they are submitted to regulatory agencies. -Review of the independent auditor's observations of financial and accounting personnel. -Participation in the selection and establishment of accounting policies; review the accounting for specific items or transactions as well as alternative accounting treatments and their effects. -Review of the impact of new or proposed pronouncements by the accounting profession or regulatory bodies. -Review of the company's insurance program. -Review and discussion of the independent auditor's management letter

Parker is the in-charge auditor for the upcoming annual audit of FGH Company, a continuing audit client. Parker will supervise two assistants on the engagement and will visit the entity before the fieldwork begins. Parker has completed the engagement letter and established an understanding with the Chief Internal Auditor on the assistance to be provided by the internal audit function. Required: List the preliminary engagement and planning activities that Parker needs to complete.

The preliminary engagement and planning activities that Parker needs to complete are: -Reading the current year's interim financial statements. -Discussing the scope of the examination with management of the client. -Establishing the timing of the audit work. -Arranging with the client for adequate working space. -Coordinating the assistance of client personnel in data preparation. -Establishing and coordinating staffing requirements, including time budget. -Holding a brainstorming meeting with assistants assigned to the engagement and discussing possible fraud-related issues. -Determining the extent of involvement, if any, of consultants, specialists, and internal auditors. -Considering the effects of applicable accounting and auditing pronouncements, particularly recent ones. -Preparing documentation setting forth the preliminary audit plan. -Establish overall materiality and tolerable misstatement. -Making a preliminary assessment about control risk. -Updating the prior year's written audit program and possibly developing new procedures as warranted by changes in the business.

Types of Audit Tests

The three general types of audit tests are 1. Risk Assessment Procedures 2. Tests of Controls 3. Substantive Tests.

Establish Materiality

There are three parts to establishing materiality: 1. Establishing overall materiality, 2. establishing tolerable misstatement for accounts, and 3. establishing tolerable misstatement for disclosures.

Suppose that you are the auditor of a major retail client who has reported the following income before taxes (IBT) for the first two quarters of the year: 1st quarter = $1,200,000 and 2nd quarter = $1,500,000. You are in the process of establishing overall materiality for the client. Based on prior years, the client has a 10% decline in IBT from the 2nd quarter to the 3rd quarter. You also know that IBT in the 4th quarter increases by 25% over the 3rd quarter. Required: Determine the amount of overall materiality for the audit based on these preliminary amounts.

To determine overall materiality based on the information provided, the auditor would make the following calculation for the full year income before taxes: Q1: 1,200,000 Q2: 1,500,000 Q3: 1,500,000 x .90 = 1,350,000 Q4: 1,350,000 x 1.25 = 1,687,500 Total: $5,737,500 Using 5% as a benchmark, overall materiality based on the estimated income before taxes would be $ 287,000 (rounded).