Planning Activities
Audit Risk
"The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk." (Source—AU 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with [GAAS].) Note that the concept of audit risk is really a probability and that audit risk and materiality are interrelated by the definition of audit risk. The presence of audit risk is indicated in the auditor's report by reference to reasonable assurance, meaning that audit risk cannot be reduced to a zero probability (which would imply "absolute assurance") owing to the inherent limitations of an audit. Reasonable assurance is defined as follows: "In the context of an audit of financial statements, a high, but not absolute, level of assurance." Note that reasonable assurance means a "high level of assurance" and a "low level of audit risk." Risk of Material Misstatement—The risk of material misstatement (RMM) is defined as: "The risk that the financial statements are materially misstated prior to the audit." RMM exists at two levels: (1) the overall financial statement level; and (2) the assertion level for classes of transactions, account balances, and disclosures. A. RMM at the Overall Financial Statement Level—This refers to risks that are "pervasive" to the financial statements and that potentially affect many assertions. B. RMM at the Assertion Level—The auditor assesses RMM at the assertion level for the purpose of determining the nature, timing, and extent of further audit procedures to obtain sufficient appropriate audit evidence. RMM at the assertion level consists of two components: (1) inherent risk; and (2) control risk (see below). C. At the assertion level, audit risk consists of three component risks: (1) inherent risk (IR); (2) control risk (CR); and (3) detection risk (DR). RMM consists of inherent risk and control risk.
Inherent Risk (IR): The probability that a material misstatement would occur in the particular audit area in the absence of any internal control policies and procedures. Control Risk (CR): The probability that a material misstatement that occurred in the first place would not be detected and corrected by internal controls that are applicable. Detection Risk (DR): The probability that a material misstatement that was not prevented or detected and corrected by internal control was not detected by the auditor's substantive audit procedures (i.e., an undetected material misstatement exists in a relevant assertion). "Detection risk" is the only component risk that is specifically the auditor's responsibility—"inherent risk" arises because of the particular audit area under investigation and "control risk" reflects management's responsibility to design and implement internal controls. Note that the auditor must "assess" inherent risk and control risk, but the auditor actually makes the decisions that, in effect, result in some level of detection risk, which should take into consideration the auditor's assessment of the risk of material misstatement. 1. If IR and CR are seen by the auditor as too high, the auditor must compensate by decreasing DR. 2. If IR and CR are perceived as low, the auditor may consider accepting a higher DR. Increasing or decreasing DR is accomplished by adjusting the nature, timing, and/or extent of the auditor's substantive audit procedures. These might be viewed as the auditor's three strategic variables that, in effect, "set" DR based on the auditor's professional judgment about the following: 1. Nature—What specific audit procedures to perform (perhaps shifting the relative emphasis placed on the "soft evidence" analytical procedures versus the "hard evidence" tests of details)? 2. Timing—When will the procedures be performed? 
At an "interim" date (prior to year-end) or at "final" (after year-end, when the books have been closed and the auditor is actually auditing the numbers that the entity intends to report in its financial statements)? 3. Extent—Are large samples required for the auditor's test work or can somewhat smaller sample sizes be justified? How extensively should substantive procedures be performed? Performing substantive tests at an interim date increases the risk that misstatements that exist at the balance sheet date will not be detected by the auditor. Evidence collected at an interim date is therefore less strong than evidence collected at year end. Increasing detection risk means that the auditor can obtain less or weaker evidence. As a result, the auditor may be able to push the timing of substantive tests from year end to an interim date. Inherent risk and control risk are environmental risks pertaining to the client. They are assessed by the auditor and exist independently of the financial statement audit. Detection risk is the only risk controllable by the auditor. It relates to the auditor's procedures and can be changed by the auditor. Detection risk is inversely related to the assurance provided by substantive tests. The lower the detection risk, the more assurance needed from substantive testing. An increase in the assessed level of control risk means that the risk of a material misstatement occurring and not being detected has increased. To offset that increased risk, the auditor should make decisions that decrease the level of detection risk. Increasing the emphasis on tests of details would decrease detection risk.
Audit Data Analytics
"the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit" Purposes of ADAs—ADAs may be used for multiple purposes, including to perform (1) risk assessment, (2) tests of control, (3) substantive procedures, or (4) evaluating conclusions. The Guide identifies a five-step approach applicable to using ADAs: (1) plan the ADA, (2) access and prepare the data for purposes of the ADA, (3) consider the relevance and reliability of the data used, (4) perform the ADA, and (5) evaluate the results and decide whether the purpose and specific objectives have been achieved. The Five-Step Approach to Using ADAs A. Step #1—Plan the audit data analytic. 1. Procedures a. Describe the objective of an ADA—Recall that ADAs may be used for risk assessment or substantive purposes. i. Risk assessment procedures involve obtaining an understanding of the entity and its environment, including the entity's internal control, to identify and assess risks of material misstatement. ii. Substantive procedures are designed to detect material misstatements at the relevant assertion level—These can be classified as either tests of details or substantive analytical procedures. b. Brainstorm potential ADAs—Involves the audit team's discussion of where the potential ADAs and related objectives can be applied 2. Understand the relationship between specific audit assertions and ADAs. B. Step #2—Access and prepare the data for use in an ADA. 1. Accessing the data—Request and access the data from a client or third party considering the objectives of the ADA; determine the relevant characteristics of the data and the related technology. a. Types of data i. 
Structured—The data conform to a specified organization; for example, data in a relational database or a spreadsheet that is organized in the format of rows and columns. ii. Semi-structured—The data are tagged, for example, as in HTML, XML, or XBRL. iii. Unstructured—Data such as text, audio, or video b. File types—Auditors should understand and document the types of files they are requesting and using. Common file types include the following: i. Comma-separated values files (.csv) ii. Database files (.db or .dbf) iii. Microsoft Access database files (.mdb) iv. Structured Query Language (SQL) database files (.sql) v. Extensible Markup Language (XML) files (.xml) vi. Image files (for example, .jpg, .png, .bmp, .tif) vii. Video files (for example, .mp4, .avi) c. Data storage—Auditors should understand and document where the data are stored prior to extraction. d. Extraction methodologies—Auditors should understand and document how the data were extracted and by whom. e. Metadata—Characteristics that provide context and additional information about the data (such as file name, file type, file size, creation date/time, last modification date/time, and identification of who can access and/or update the data) f. Understand and document the accounting system(s) and the flow of transactions with an emphasis on the entity's business processes. g. Understand and document how the IT general controls and application controls impact the integrity of the data. 2. Preparing the data for use in the ADA—The process used is known as "ETL" (which stands for extract, transform, and load) a. Extract—The process of extracting the appropriate data from the data set b. Transform—The process of cleaning the extracted data so that it can be appropriately analyzed. Note that errors in the data may indicate that controls over the data are not operating effectively. i. 
Field format inconsistency—Should identify and correct inconsistencies in data fields (for example, some data may be presented as Month-Day-Year, whereas other data in the same field could be presented as Day-Month-Year) ii. Blank fields—Should verify that blank fields are appropriate and not a result of missing data iii. Field-type mistakes—Should identify and correct instances where fields contain the wrong type of data; for example, an intended numerical field might consist of letters (text) instead of numbers c. Load—The process of uploading the cleaned data in the software that will be used to perform the ADA C. Step #3—Consider the relevance and reliability of the data used. 1. Data should have the following attributes: a. Accuracy—Data are free from significant errors. b. Completeness—Data contain all the requisite data (that is, there are no omissions of data that should be present). c. Consistency—Data fields are well defined and managed. d. Freshness—Data contain the most up-to-date changes/additions. e. Timeliness—Data are available when needed. f. Clarity and relatedness—Data fields are clearly defined and related to the objective(s) being tested. 2. Consider the integrity of the data (with emphasis on accuracy and completeness over the data's life cycle)—Determine whether data have been protected whenever acquired and/or delivered. a. Determine whether files are encrypted to protect access to data. b. Critically examine a data set and the procedures used to obtain the data to understand where it originated (regarding freshness, timeliness, and clarity and relatedness). 3. Actions primarily directed at ensuring the accuracy and completeness of the data set a. Reconciliations—Prepare or review reconciliations of underlying data. b. Sequence checks—Verify the appropriateness of the sequence; gaps may indicate possible omissions. c. Record counts—Verify that the appropriate number of records are accounted for. 4.
Consider the impact of changes to the environment that may increase the risks of errors in the data—For example, changes in management or changes in the accounting system (such as an ERP system) D. Step #4—Perform the ADA. 1. Simple ADAs might be used to test journal entry posting, cash accounts, accounts receivable, accounts payable, and inventory. 2. The auditor should identify and address any "notable items." a. When a large number of notable items is identified—The auditor may use a grouping and filtering process to identify characteristics of interest common to the groups; should perform appropriate procedures to address the risks of each group b. When a small number of notable items is identified—The auditor may perform manual risk assessment procedures; further audit procedures should be responsive to the assessed risks of material misstatement 3. When using ADAs in forming an overall conclusion—The auditor may decide it appropriate to revise previous risk assessments and perform further audit procedures in response. 4. ADAs may be used to test management's analytics, including those in footnote disclosures and even in Management's Discussion and Analysis (MD&A) presentation for consistency with other information known by the auditor. E. Step #5—Evaluate the results and decide whether the purpose and specific objectives have been achieved. 1. The auditor should develop preliminary conclusions or recommendations for an ADA. 2. The auditor should evaluate whether the ADA has been appropriately planned and performed—If not, the auditor should refine and reperform the ADA. 3. Documentation—The auditor should document the performance and results of the ADAs; any screenshots of graphics necessary to support the auditor's work should also be retained.
Notable Item: "An item identified from the population being analyzed that has one or more characteristics that, for the relevant assertions, may do the following: (a) Be indicative of a risk of material misstatement that (i) was not previously identified (a new risk) or (ii) is higher than originally assessed by the auditor; (b) Provide information that is useful in designing or tailoring procedures to address risks of material misstatement."
Pre-Engagement Planning Issues
A. One of the six elements of a quality control system is acceptance and continuance of clients and engagements. Auditors should avoid clients whose management lacks integrity or clients who are viewed as too risky owing to industry considerations or entity-specific issues. B. The auditor should also evaluate the compliance with applicable ethics requirements, especially regarding independence issues and competencies to properly perform the engagement, before proceeding with other significant audit-related activities. AU 210, Terms of Engagement Auditor's Objective under AU 210—The auditor's objective is to accept an audit engagement involving a new or existing audit client only when the basis for the audit has been agreed upon by (1) establishing when the preconditions for an audit are present; and (2) confirming that a common understanding of the terms of the engagement exists between the auditor and management (and those charged with governance, as applicable). Preconditions for an Audit: The use by management of an acceptable financial reporting framework in the preparation of the financial statements and the agreement of management to the premise on which an audit is conducted. Agreement on audit engagement terms—The agreement of the terms of the engagement should be documented in an audit engagement letter and address the following: a. The objective and scope of the audit; b. The auditor's responsibilities; c. Management's responsibilities; d. A statement about the inherent limitations of an audit; e. A statement identifying the applicable financial reporting framework; f. Reference to the expected content of any reports to be issued; and g. Other matters as warranted in the auditor's judgment. Initial audits—Initial audit refers to when the prior year's financial statements have been audited by a different auditor (referred to as the predecessor auditor). 1. 
Before accepting the engagement, the auditor should request that management authorize the predecessor auditor to respond to the auditor's inquiries relevant to the decision whether to accept the engagement. 2. The predecessor is expected to respond fully and to indicate when the response is limited. The auditor should evaluate the predecessor's response in deciding whether to accept the engagement. If management does not authorize the predecessor to respond (or otherwise limits the predecessor's response), the auditor should consider that fact in deciding whether to accept the engagement. 3. The auditor's communication with the predecessor auditor may be written or verbal. Typical matters expected to be addressed include the following: a. Information that might bear on the integrity of management b. Any disagreements with management about accounting or auditing issues c. Communications involving those charged with governance with respect to fraud and/or noncompliance with applicable laws or regulations d. Communications involving management and those charged with governance regarding significant deficiencies in internal control e. The predecessor's understanding about the reasons for the entity's change in auditors Acceptance of a Change in the Terms of the Audit Engagement 1. If the auditor is asked to change the audit engagement to an engagement resulting in a lower level of assurance (prior to completing the audit engagement), the auditor should determine whether reasonable justification for doing so exists; if not, the auditor should decline the request. 2. Suppose that the auditor concludes no reasonable justification for such a change exists, but management will not permit the auditor to continue the original audit engagement. 
The auditor should: (a) withdraw from the audit engagement when possible; (b) communicate the circumstances to those charged with governance; and (c) determine whether there is any legal or other obligation to report the matter to any other parties. 3. Reasonable basis for a change—Reasonable justification would exist when there is a change in circumstances affecting management's requirements, or if there was a misunderstanding about the nature of the service originally requested. The resulting report should not refer to any audit procedures performed prior to changing the engagement to a review or other service. Look at this section for an engagement letter example. Professional standards require that the auditor establish an understanding with the client regarding the services to be performed. The understanding would generally include: 1. the objective of the audit; 2. management's responsibilities with regard to the financial statements, internal control, compliance with laws and regulations, availability of records, and the management representation letter; 3. the auditor's responsibilities for GAAS and reportable conditions; 4. a description of an audit; and 5. management's responsibilities regarding correction of material misstatements and evaluation of immaterial adjustments.
PCAOB on Communications with Audit Committees
Audit Committee: A committee (or equivalent body) established by and among the board of directors of a company for the purpose of overseeing the accounting and financial reporting processes of the company and audits of the financial statements of the company; if no such committee exists with respect to the company, the entire board of directors of the company. Critical Accounting Estimate: An accounting estimate where (a) the nature of the estimate is material due to the levels of subjectivity and judgment necessary to account for highly uncertain matters or the susceptibility of such matters to change and (b) the impact of the estimate on financial condition or operating performance is material. Critical Accounting Policies and Practices: A company's accounting policies and practices that are both most important to the portrayal of the company's financial condition and results, and require management's most difficult, subjective, or complex judgments, often as a result of the need to make estimates about the effects of matters that are inherently uncertain. The auditor's objectives are to: (1) communicate to the audit committee the auditor's responsibilities regarding the audit and establish an understanding of the terms of the audit engagement with the audit committee; (2) obtain information from the audit committee relevant to the audit; (3) communicate to the audit committee information about the strategy and timing of the audit; and (4) provide the audit committee with timely observations about the audit that are significant. Establishing an Understanding of the Terms of the Audit 1. The auditor should establish an understanding of the terms of the engagement with the audit committee, including the following matters: (a) the objective of the audit; (b) the auditor's responsibilities; and (c) management's responsibilities. 2. The auditor should provide an engagement letter to the audit committee annually. A. 
Accounting Policies and Practices, Estimates, and Significant Unusual Transactions—The auditor should communicate the following matters: (1) significant accounting policies and practices; (2) critical accounting policies and practices (and the reasons they are considered critical); (3) critical accounting estimates (including a description of management's processes, significant assumptions, and significant changes to those processes or assumptions); and (4) significant unusual transactions (matters that are outside the normal course of business). If management communicates any of those matters, the auditor is not required to communicate them again at the same level of detail. B. Auditor's Evaluation of the Quality of Financial Reporting—The auditor should communicate the following matters: 1. Qualitative aspects of significant accounting policies and practices (including any indications of management bias); 2. Assessment of critical accounting policies and practices; 3. Conclusions regarding critical accounting estimates; 4. Significant unusual transactions (and their business rationale); 5. The conformity of the financial statement presentation with applicable financial reporting framework; 6. Any new accounting pronouncements affecting financial reporting; and 7. Alternative accounting treatments discussed with management. Uncorrected and Corrected Misstatements 1. Uncorrected misstatements—The auditor should provide the audit committee with a schedule of uncorrected misstatements that the auditor presented to management, and discuss with the audit committee the basis for the determination that the uncorrected misstatements were immaterial. 2. Corrected misstatements—The auditor should communicate those corrected misstatements (other than those that are clearly trivial) that were detected by the auditor, and discuss the implications of those matters relative to internal control over financial reporting. 
Difficulties Encountered in Performing the Audit—The auditor should communicate any significant difficulties encountered, such as: (1) significant delays or the unavailability of personnel; (2) unreasonable time pressures to complete the audit; (3) unreasonable management restrictions; and (4) unexpected difficulties in obtaining sufficient appropriate audit evidence. Timing—The auditor should communicate all of these required matters to the audit committee on a timely basis and prior to the issuance of the auditor's report.
Fraud: Evaluation and Communication
Required Documentation—The auditor should document the following matters related to the consideration of fraud in the financial statement audit: A. The discussion among engagement personnel about fraud in planning the audit, including how and when the discussion occurred, the team members who participated, and the subject matter discussed; B. The procedures performed to obtain information necessary to assess the risks of material fraud; C. Specific risks of material fraud that were identified at the financial statement level and at the assertion level, including a description of how the auditor responded to those identified risks (including the linkage of audit procedures to the risk assessment); D. Reasons supporting the auditor's conclusion if revenue recognition was not identified as a fraud risk contrary to the presumption that revenue recognition is a fraud risk; E. The results of procedures performed to further address the risk of management override of controls; F. Other conditions and analytical relationships that caused the auditor to perform additional auditing procedures; and G. The nature of any communication about fraud made to management, those charged with governance, regulators, and others. Required Communications When Fraud Is Detected or Suspected—The auditor's communication of fraud issues with management (or those charged with governance) may be written or oral, but should be timely. As indicated above, such communication should be documented in the audit documentation. A. If the fraud is not material to the financial statements and senior management is not involved in the fraud, the appropriate level of management (which is usually considered to be at least one level above where the fraud is believed to have occurred) should be notified. Determining the appropriate level of management for such communication is a matter of judgment, and includes consideration of the likelihood of collusion within management. B.
If the fraud is material to the financial statements or if senior management is involved in the fraud, those charged with governance should be notified. C. Other Matters Related to Fraud—The auditor may choose to discuss a variety of other matters with those charged with governance, including the following: 1. Concerns about the adequacy of management's assessment of the entity's controls to prevent and detect fraud 2. Failure by management to respond appropriately to identified fraud or to address identified significant deficiencies in internal control 3. Concerns about the entity's control environment, including the competence or integrity of management 4. Concerns about management's efforts to "manage earnings" 5. Concerns about the authorization of transactions that do not appear to be within the normal course of the entity's business D. The auditor should consider whether any identified fraud risk factors may constitute a "significant deficiency" (or material weakness) regarding internal control that should be reported to senior management and those charged with governance. E. Whistleblowing—Informing others outside the entity, such as regulatory and enforcement authorities, is ordinarily prohibited by the auditor's confidentiality requirements, although the duty of confidentiality may be overridden by law or regulation (or the requirements of audits for governmental entities). Accordingly, it would be appropriate for the auditor to seek legal guidance when facing such circumstances. The auditing (and ethical) standards historically have identified four basic exceptions to the auditor's confidentiality requirements: 1. The auditor must respond truthfully to a valid legal subpoena. 2. The auditor must comply with applicable legal and regulatory requirements (including complying with the SEC's 8-K requirements about important matters, such as the entity's decision to change auditors). 3.
A predecessor auditor must respond appropriately to the successor auditor's inquiries when the former client has given permission for the predecessor auditor to respond to the auditor's questions. 4. The auditor must report fraud to the applicable funding agency under the requirements of government auditing standards.
Detecting Fraud
The relevant AICPA guidance is provided by AU 240, Consideration of Fraud in a Financial Statement Audit. This pronouncement states that the auditor's objectives are to: (1) identify and assess the risks of material misstatement due to fraud; (2) obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and (3) respond appropriately to fraud or suspected fraud identified during the audit. Fraud: An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in the financial statements. Fraud Risk Factors: Events or conditions that (a) indicate an incentive or pressure to perpetrate fraud; (b) provide an opportunity to commit fraud; or (c) indicate attitudes or rationalizations to justify a fraudulent action. There are two different types of misstatements that are relevant to the auditor's consideration of fraud: 1. Fraudulent financial reporting—This type of fraud involves misstatements that are intended to deceive financial statement users. 2. Misappropriation of assets—This type of fraud involves theft of assets causing the financial statements to be misstated owing to false entries intended to conceal the theft. A. In general, the auditor is required to design (plan) the audit to provide "reasonable assurance" of detecting misstatements that are material to the financial statements. In particular, the auditor should specifically assess the risk of material misstatement due to fraud (in addition to error), and design the audit procedures to be responsive to that risk assessment. That risk assessment should be performed at both the financial statement level and the assertion level. B.
Specifically, key audit team members must have a "brainstorming" discussion to consider how and where the financial statements might be susceptible to material misstatement owing to fraud and to emphasize the importance of maintaining professional skepticism. That discussion involving key members of the engagement team should consider such matters as the following: 1. Known internal and external fraud risk factors relevant to the entity 2. The risk of management override of controls 3. Indications of "earnings management" 4. The importance of maintaining professional skepticism throughout the engagement 5. How the auditor might respond to the risk of material fraud Fraud Risk Factors—The auditing standards identify three characteristics generally associated with fraud: (1) incentive/pressure; (2) opportunity; and (3) attitude/rationalization. These three categories of risk factors are sometimes referred to as the fraud triangle. A. Fraudulent Financial Reporting—Example risk factors the auditor should consider: 1. Incentive/pressure—Reasons that management might be motivated to commit fraudulent financial reporting. a. Financial stability/profitability—When the entity is threatened by deteriorating economic conditions, for example: operating losses threaten bankruptcy; there are recurring negative cash flows from operations; there is vulnerability to rapid changes due to technology or other factors; there are increasing business failures in the industry; or the entity reports unusual profitability relative to others in the industry. b. Excessive pressure to meet the expectations of outsiders—Senior management may face significant pressure to meet external expectations, for example: there are overly optimistic press releases; the entity is only barely able to meet the stock exchange's listing requirements; the entity is having difficulty meeting debt covenants; or the entity must obtain additional outside financing to retool production to be competitive. 2. 
Opportunities—Circumstances that might give management a way to commit fraudulent financial reporting. a. Nature of the industry or the entity's operations—For example: significant related-party transactions not in the ordinary course of business; ability to dominate suppliers or customers in a certain industry sector; unnecessarily complex transactions close to year-end that raise "substance over form" issues; significant bank accounts or business operations in "tax-haven" jurisdictions with no clear business justification; major financial statement elements that involve significant estimates by management that are difficult to corroborate. b. Ineffective monitoring of management—For example, domination of management by a single person or small group without compensating controls; or ineffective oversight by those charged with governance. c. Complex or unstable organizational structure—For example, organization consists of unusual legal entities; high turnover of senior management, counsel, or board members. d. Internal controls are deficient—For example, inadequate monitoring of controls; high turnover rates in accounting, internal auditing, and information technology staff; ineffective accounting and information systems (There are significant deficiencies that rise to the level of material weaknesses.) 3. Attitudes/rationalizations—Attitudes, behaviors, or justifications of management that might be associated with fraudulent financial reporting: a. Lack of commitment to establishing and enforcing ethical standards b. Previous violations of securities laws (or other regulations) c. Excessive focus by management on the entity's stock price d. Management's failure to correct reportable conditions e. Pattern of justifying inappropriate accounting as immaterial f. Management has a strained relationship with the predecessor or current auditor B. Misappropriation of Assets—Example risk factors the auditor should consider: 1.
Incentive/pressure—An employee or member of management might be motivated to commit the misappropriation for a variety of reasons, such as the following: employees who have access to cash (or other assets susceptible to theft) may have personal financial problems, or they may have adverse relationships with the entity under audit (perhaps in response to anticipated future layoffs or recent decreases to their benefits or compensation levels). 2. Opportunities—Circumstances that might give someone a way to commit the misappropriation include the following: a. When assets are inherently vulnerable to theft—For example, there are large amounts of liquid assets on hand, or inventory items are small, but valuable. b. Inadequate internal control over assets—For example, there is inadequate segregation of duties, inadequate documentation or reconciliation for assets, or inadequate management understanding related to information technology. 3. Attitudes/rationalizations—The individual perpetrating the misappropriation might possess attitudes or justifications that rationalize the improper behaviors and avoid any feelings of remorse for this misconduct. Generally, the auditor cannot observe these attitudes, but should consider the implications of such matters when they are discovered. The following might be of interest to the auditor: a. The employee's behavior indicates dissatisfaction with the entity under audit. b. There are changes in the employee's behavior or lifestyle that are suspicious. c. The employee exhibits a disregard for internal control related to assets by overriding existing controls or failing to correct known deficiencies. 1. Examine adjusting journal entries—The auditor should be especially attentive to nonstandard journal entries (involving unusual accounts or amounts and those involving complex issues or significant uncertainty). 
Likewise, the auditor should also be especially attentive to journal entries near the end of the reporting period (both for the fiscal year and any applicable interim reporting periods, such as quarterly reports). 2. Evaluate accounting estimates for bias—The auditor should consider performing a "retrospective review," which means evaluating prior years' estimates for reasonableness in light of facts occurring after those estimates were made. In other words, did later events support or refute the appropriateness of management's estimates in prior periods? That may affect the auditor's perception of the reliability of management's estimates in the current period. 3. Evaluate the business rationale for any unusual transactions—The auditor should look for appropriate authorization of any unusual transactions by those charged with governance.
Detecting Illegal Acts
The relevant AICPA guidance is provided by AU 250, Consideration of Laws and Regulations in an Audit of Financial Statements. This pronouncement states that the auditor's objectives are to: (1) obtain sufficient appropriate audit evidence regarding material amounts and disclosures about laws and regulations generally recognized to have a direct effect on the financial statements; (2) perform specified audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements; and (3) respond appropriately to noncompliance (or suspected noncompliance) with laws and regulations identified during the audit. 1. Inherent limitations—The auditor cannot be expected to detect all noncompliance with all laws and regulations, since that is a legal determination and because many laws focus on an entity's operations instead of on the financial statements. (Note that the personal misconduct of management, those charged with governance, or others is outside the meaning of the term noncompliance.) 2. The SAS distinguishes between two categories of considerations: a. Laws and regulations having a direct effect on the amounts and/or disclosures in the financial statements—The auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures. b. Other laws and regulations not having a direct effect on the financial statements—The auditor should perform specified audit procedures that may identify noncompliance that may have a material effect on the financial statements. The specified audit procedures include inquiry of management and those charged with governance about compliance issues, inspection of any correspondence with regulatory authorities, reading minutes, and so forth. Auditor's Consideration of Compliance with Laws and Regulations—In obtaining an understanding of the entity and its environment, the auditor should obtain an understanding of 1. 
The entity's applicable legal and regulatory framework; and 2. How the entity is complying with that framework. Reporting of Identified or Suspected Noncompliance 1. Reporting noncompliance to those charged with governance—The auditor should communicate with those charged with governance any noncompliance with laws and regulations (unless it is clearly inconsequential). When management or those charged with governance is involved, the auditor should communicate to the next higher level of authority. If no higher level of authority within the entity exists, the auditor should consider obtaining legal advice. 2. Reporting noncompliance in the auditor's report—If a material effect on the financial statements has not been appropriately reported, the auditor should modify the opinion (expressing either a qualified or adverse opinion). If the auditor has been prevented from obtaining sufficient appropriate audit evidence to evaluate the financial statement impact of the matter, the auditor should modify the opinion (expressing either a qualified opinion or disclaimer of opinion) for a scope limitation. 3. Reporting noncompliance to regulatory/enforcement authorities—The auditor should determine whether there is a responsibility to report the matter to parties outside the entity, which may take priority over confidentiality responsibilities. The auditor should consider obtaining legal advice about this issue. 4. Withdrawal—If the entity refuses to accept a modified opinion and if withdrawal is possible under applicable law or regulation, the auditor may withdraw from the engagement and inform those charged with governance of the reasons in writing. Likewise, if the entity does not take the appropriate corrective action regarding noncompliance issues, the auditor may withdraw if such action is permitted by applicable law or regulation.
Required Communications with Those Charged with Governance
The relevant AICPA guidance is provided by AU 260, The Auditor's Communication with Those Charged with Governance. This pronouncement states that the auditor's objectives are to: (1) communicate clearly the auditor's responsibilities related to the audit and an overview of the planned scope and timing of the audit and (2) obtain from those charged with governance information relevant to the audit. Significant Findings from the Audit—The auditor should communicate: 1. The auditor's views about the qualitative aspects of the entity's significant accounting policies including the quality (not just the acceptability) of significant accounting practices, estimates, and disclosures; 2. Significant difficulties encountered during the audit including significant delays caused by management, unreasonable time pressure, unavailability of expected information, etc.; 3. Disagreements with management over accounting and auditing matters whether or not those disagreements were satisfactorily resolved; and 4. Any other matters that the auditor believes would be important to those charged with governance in their oversight of financial reporting. Uncorrected misstatements—The auditor should request that uncorrected misstatements be corrected and communicate any uncorrected misstatements accumulated by the auditor, including the financial statement effect. Other matters—The auditor should communicate the following matters: 1. Material misstatements communicated to management that were corrected; 2. Any significant findings or issues discussed with management; 3. Any known instances where management consulted with other accountants about accounting or auditing matters; and 4. The written representations that the auditor requested from management. The Communication Process—Clear communication by the auditor facilitates effective two-way communication with those charged with governance. 
Generally, the communication may be oral or in writing (effective communication may include formal presentations, written reports, or informal discussions, as determined by the auditor's judgment). A. The auditor should communicate the significant findings from the audit in writing when oral communication is inadequate in the auditor's judgment. B. When a significant matter is discussed with an individual member or subset of those charged with governance (such as the chair of the audit committee or others), the auditor should evaluate whether the matter should be summarized in a subsequent communication to all those charged with governance. C. Timing of Communications—The auditor should communicate on a timely basis so that those charged with governance can take appropriate action. However, that timing may vary depending upon the circumstances. D. Adequacy of the Communication Process—The auditor should evaluate whether the two-way communication has been adequate for purposes of the audit. 1. An inadequate two-way communication may suggest an unsatisfactory control environment, which the auditor should consider. 2. If the two-way communication is inadequate, the auditor should consider whether a scope limitation may exist and consider the possible effect on the assessment of the risks of material misstatement. This might warrant modification of the opinion, or even withdrawal. Other Statements on Auditing Standards—Other statements require that certain specific matters should be communicated to those charged with governance regarding: A. Illegal Acts—The auditor should communicate any illegal acts that come to the auditor's attention. B. 
Going-Concern Issues—When substantial doubt about the entity's ability to continue as a going concern remains after considering management's strategy, the auditor should communicate (1) the nature of the conditions identified; (2) the possible effect on the financial statements and disclosures; and (3) the effects on the auditor's report. C. Fraud—The auditor should: 1. Inquire of the audit committee about the risks of fraud and the audit committee's knowledge of any fraud or suspected fraud; 2. Communicate any fraud discovered involving senior management and any fraud that causes a material misstatement (whether or not management is involved); and 3. Obtain an understanding with those charged with governance regarding communications about misappropriations committed by lower-level employees.
Planning and Supervision
The relevant AICPA guidance is provided by AU 300, Planning An Audit. Involvement of Key Engagement Team Members —The engagement partner and other key members of the audit team should be involved in planning activities. 1. The nature and extent of planning varies with the size and complexity of the entity, the audit team's experience with the entity, and changes in circumstances occurring during the engagement. Likewise, the extent of supervision and review can vary depending upon the size and complexity of the entity, the nature of the audit area involved, the assessed risks of material misstatement, and the competence of the audit personnel involved. 2. Planning is an ongoing iterative process, not a one-time activity. Planning encompasses risk assessment procedures, understanding the applicable legal and regulatory framework, the determination of materiality, the involvement of specialists, and so forth. 3. The engagement partner may delegate portions of planning and supervision to other personnel, but a discussion about the risk of material misstatement (including fraud risks) among key members of the audit team, including the engagement partner, is required. 1. The auditor should establish an overall audit strategy dealing with the scope and timing of the audit work, which affects the development of the required audit plan. (An audit plan is more detailed than the overall strategy and deals with the nature, timing, and extent of audit procedures to be performed.) In establishing the overall audit strategy, the auditor should: a. Identify relevant characteristics of the engagement affecting its scope. b. Identify the reporting objectives of the engagement and required communications. c. Consider the factors that are significant in utilizing the audit team. d. Consider the results of preliminary engagement activities. e. Determine the nature, timing, and extent of necessary resources for the engagement. f. 
The overall strategy affects the auditor's decisions regarding the allocation of audit resources to specific audit areas and how those resources are managed and supervised. g. Communication with those charged with governance—The auditor is required to communicate with those charged with governance about an overview of the planned scope and timing of the engagement. The auditor may discuss planning issues with management, but should be careful to avoid divulging details that might reduce the effectiveness of the audit by making the auditor's procedures and scope too predictable. 2. The auditor should also develop an audit plan. (In practice, the term audit program is often used in place of what the AICPA calls the audit plan.) The audit plan encompasses (a) the nature and extent of planned risk assessment procedures; (b) the nature, timing, and extent of planned further audit procedures at the relevant assertion level; and (c) other planned audit procedures necessary to comply with GAAS. Note: Because planning is an iterative process, the auditor should make appropriate changes to the overall strategy and to the audit plan as necessary during the course of the audit if unexpected circumstances are encountered.
Materiality
The relevant AICPA guidance is provided by AU 320, Materiality in Planning and Performing An Audit. "The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement." (Note that this definition emphasizes that materiality judgments involve both quantitative and qualitative considerations.) The determination of materiality is a matter of professional judgment, and involves both quantitative (the relative magnitude of the items in question) and qualitative (the surrounding circumstances) considerations. Performance Materiality: The amount(s) set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole; if applicable, it is also the amount(s) set by the auditor at less than the materiality level(s) for particular classes of transactions, account balances, or disclosures. Tolerable Misstatement: The application of performance materiality to a particular sampling procedure. Revision during the audit—The auditor should revise materiality for the financial statements as a whole and, if applicable, the materiality level(s) for specific classes of transactions or account balances when the auditor becomes aware of information affecting the auditor's initial judgments. The auditor should also determine whether "performance materiality" should be revised and whether the nature, timing, and extent of further audit procedures are appropriate. Documentation—The auditor should document the following matters: 1. Materiality for the financial statements as a whole 2. Materiality level(s) for particular classes of transactions, account balances, or disclosures, as applicable 3. 
Performance materiality 4. Any revision of those considerations during the audit engagement 1. Quantitative guidelines—In practice, auditors frequently apply a variety of "benchmarks" as a starting point in determining the appropriate materiality levels. A few examples of frequently used general guidelines follow (these are not specifically identified in the AICPA auditing standards, however): a. 5% to 10% of net income or earnings before taxes b. 0.50% to 2% of the larger of net sales or total assets c. 5% of owners' equity for private companies 2. Qualitative matters—The surrounding circumstances and perceived risks might affect the auditor's judgment of what is material to the users. There are too many such factors to list here, but two examples follow: a. Public versus private companies—A lower materiality threshold may apply to public companies owing to more exposure to litigation and because the owners of private companies may be closer to the day-to-day operations and, therefore, have different information needs. b. Unstable versus stable industry—A lower materiality threshold may apply to a company in an unstable industry, which is by nature more susceptible to business failure. 3. Tolerable misstatement (which, in practice, is sometimes referred to as "tolerable error")—This term refers to the maximum error in a population that the auditor is willing to accept. This should be established in such a way that tolerable misstatement, combined for the entire audit plan, does not exceed materiality for the financial statements taken as a whole. PCAOB Standards—The relevant PCAOB guidance is provided by Consideration of Materiality in Planning and Performing an Audit. The auditor's responsibilities regarding materiality under the PCAOB standards are very similar to those under AICPA standards, although the PCAOB standard does not use the term "performance materiality." Note: Go with the lowest aggregate materiality.
Analytical Procedures
The relevant AICPA guidance is provided by AU 520, Analytical Procedures. This pronouncement states that the auditor's objectives are to: (1) obtain relevant and reliable audit evidence when using substantive analytical procedures; and (2) design and perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion about whether the financial statements are consistent with the auditor's understanding of the entity. Evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data A. Used in planning for risk assessment purposes—Required, must be performed B. Used for substantive purposes as a partial basis for conclusions—Not technically required for this purpose, but still widely used on a voluntary basis; referred to as "substantive analytical procedures" in this context C. Used as a final review to determine that sufficient appropriate evidence has been gathered to support audit conclusions—Required, must be performed Substantive Analytical Procedures Steps comprising the auditor's performance of substantive analytical procedures: 1. Determine the suitability of the analytical procedures for the identified assertions involved. 2. Evaluate the reliability of the data used to develop the auditor's expectation. 3. Develop the auditor's expectation of the recorded amounts (or ratios), and evaluate whether the expectation is sufficiently precise. 4. Compare the recorded amounts (or ratios) to the auditor's expectation. 5. Determine whether any difference relative to the auditor's expectation requires further investigation (such as inquiry of management or other actions). 
Nature of the assertion—Analytical procedures may be particularly effective (compared to tests of details) in detecting omissions of transactions (regarding the "completeness" assertion); tests of details may not be effective in detecting omissions when there are no underlying source documents associated with unrecorded transactions. Precision of the expectation—The likelihood of detecting a misstatement increases as the level of aggregation of the data decreases. a. Relationships of interest to the auditor may be obscured by the noise in the data at high levels of aggregation of the data. b. For example, simply comparing the current year's sales in total to the prior year's total sales is a high level of aggregation; a more precise analysis (at a lower level of aggregation) would be analyzing the sales by month broken down by product line. Analytical Procedures in Forming Overall Conclusions A. Purpose—To assist the auditor in forming an overall conclusion as to whether the financial statements are consistent with the auditor's understanding of the entity B. Similarity to risk assessment procedures—The auditor should read the financial statements and consider any unusual or unexpected relationships that were not previously identified. C. Revise risk assessment as necessary—The auditor may revise the assessment of the risk of material misstatement and modify the planned further audit procedures as necessary. Documentation Requirements A. The auditor's expectation and the factors considered in developing it B. The results of comparing the recorded amounts (or ratios) with the auditor's expectation C. The results of any additional auditing procedures performed to investigate significant differences identified by that comparison
Using the Work of a Specialist
The relevant AICPA guidance is provided by AU 620, Using the Work of an Auditor's Specialist. This pronouncement states that the auditor's objectives are to determine: (1) whether to use the work of an auditor's specialist; and (2) whether the work of the auditor's specialist is adequate for the auditor's purposes. Auditor's Specialist: An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient appropriate audit evidence. Management's Specialist: An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements. A. Determining the Need—The auditor should determine whether an auditor's specialist is needed to obtain sufficient appropriate audit evidence, taking into consideration the following: 1. The nature of the matter involved; 2. The risks of material misstatement involved; 3. The significance of the matter to the audit; 4. The auditor's experience with any previous work of the auditor's specialist; and 5. Whether the auditor's specialist is subject to the audit firm's quality controls (which would apply to an internal specialist, but not to an external one). B. Competence, Capabilities, and Objectivity of the Specialist—The auditor should evaluate the competence, capabilities, and objectivity of the auditor's specialist for the auditor's purposes. 1. The auditor should consider information about the competence, capabilities, and objectivity of an auditor's specialist, which might be obtained from the following: a. Personal experience with the specialist's previous work b. Discussions with the specialist or with other auditors familiar with the specialist c. 
Knowledge of the specialist's credentials or professional/industry affiliations, including whether the work is subject to any particular technical performance standards or industry requirements d. Any journal articles or books written by the specialist 2. For an external auditor's specialist, the auditor should inquire about any relationships that might threaten the specialist's objectivity. The auditor should consider any threats to the specialist's objectivity, along with any safeguards that might reduce such threats to an acceptable level. C. Obtaining an Understanding of the Field of Expertise—The auditor should obtain a sufficient understanding of the field of expertise of the auditor's specialist so that the auditor can 1. Determine the nature, scope, and objectives of the work; and 2. Evaluate the adequacy of that work for the auditor's purposes. This understanding may be obtained from having experience with other entities requiring that same field of expertise, through specific education in that field, or through discussion with the auditor's specialist. D. Agreement with the Auditor's Specialist—The auditor and the auditor's specialist should agree (in writing when appropriate) about the following: 1. The nature, scope, and objectives of the work involved; 2. Their respective roles and responsibilities; 3. The nature, timing, and extent of communications between the auditor and the auditor's specialist, including any reports to be delivered; and 4. The requirements for the auditor's specialist to adhere to confidentiality considerations applicable to an audit engagement. The agreement between the auditor and the external specialist is usually in the form of an engagement letter. E. Evaluating the Adequacy of the Work 1. The auditor should evaluate the adequacy of the work performed by the auditor's specialist, including the following matters: a. The relevance and reasonableness of the conclusions; b. 
The relevance and reasonableness of any underlying assumptions and the methods used; and c. The relevance, completeness, and accuracy of any source data used by the auditor's specialist. 2. The auditor may perform specific procedures to evaluate such work, including: a. Making inquiries of the specialist; b. Reviewing the specialist's working papers; and c. Performing certain corroborative procedures, such as performing analytical procedures, examining published data, or confirming some matters with third parties, among other possibilities. F. If the Work is not Adequate—The auditor and the auditor's specialist should agree on any further work to be performed, or the auditor should perform additional audit procedures that are appropriate to the circumstances (which could include engaging another auditor's specialist). If the auditor is unable to resolve the matter, it could constitute a scope limitation that would result in a modified opinion. G. Reference to the Auditor's Specialist in the Auditor's Report 1. If the auditor's report contains an unmodified opinion, the auditor should not refer to the work of an auditor's specialist. 2. If the auditor's report contains a modified opinion and the auditor believes that it would help readers understand the reason for the modification, the auditor may reference the work of an external auditor's specialist. Normally, such a reference would first require the permission of the auditor's specialist. The auditor should also point out, in the auditor's report, that such a reference does not reduce the auditor's responsibility for the expressed opinion. Specialist: Similar to the AICPA, the PCAOB defines a specialist as follows: "... a person (or firm) possessing special skill or knowledge in a particular field other than accounting or auditing." The PCAOB classifies "specialists" into the following three categories: 1. Company's specialist—A specialist employed or engaged by the company 2. 
Auditor-employed specialist—A specialist employed by the auditor's firm 3. Auditor-engaged specialist—A specialist engaged by the auditor's firm