Typical Audit Engagement

Following are the steps in a fairly typical audit of a new client. This list is designed to show how the procedures in an audit engagement fit
together. The steps presented here are roughly in chronological order but always remember that some degree of flexibility does exist. Think
of this as a study guide more than as a design for an audit. Understanding an audit as a sequential process is helpful as you consider the
work performed by the auditor. This knowledge will enable you to envision how each topic that you study fits into the overall engagement. I
would not attempt to memorize these steps. It is an outline for an audit so that, as you study specific auditing procedures, you can
understand the role each plays within the entire process.

1. The CPA or the CPA firm is approached by (or approaches) a potential audit client. Frequently, the client will open discussion
for a future engagement to a number of audit firms allowing each to make a proposal.
2. As a professional, the CPA must make certain what type of assurance that the client wants and needs (a compilation, a review,
an audit, or some other type of attestation). The CPA does not want to charge the client for a level of assurance that is not
needed.
3. The auditor obtains general information about the possible client—its history, ownership, management, products, financing,
profitability, relationship with former auditors, and the like. During the audit, this knowledge assists the auditor in making
appropriate evaluations of the financial assertions made by the client. The auditor tours the client's office and plant examining
production facilities, company records, tax returns, the accounting system, and the like. The auditor is attempting to determine
the difficulty and risk involved in the engagement. The auditor also talks with key client personnel to ascertain their abilities and
level of knowledge. If the engagement is accepted, the auditor must also gain an adequate understanding of the client's industry
before making any specific evaluations. This knowledge is often gained by reading AICPA industry audit guides, looking at
competing companies and the like.
4. The CPA firm makes a proposal to the client outlining the work to be done and the cost. The decision as to which firm to hire
should be made by the Audit Committee of the Board of Directors to emphasize the auditor's independence from the
management of the company.
5. The auditor cannot accept an engagement without further investigation. With client permission, the auditor talks with the
predecessor auditor to assess the integrity of the client management and any potential accounting or auditing problems. New
auditor also asks when and why predecessor felt obliged to communicate with company's audit committee. Such
communications provide evidence about problems arising between auditor and management. Unless client has a very good
reason, auditor will not pursue the job if not permitted to talk with predecessor auditor. Auditor does not talk with predecessor
until an offer is made so that a bunch of firms seeking the engagement do not pester the predecessor over and over.
6. Auditor evaluates the firm's own ability to do the audit engagement by addressing issues such as: (a) is there any reason that
the firm is not properly independent, (b) does the firm have (or can it get) sufficient knowledge of the industry to make
evaluations of the assertions made by the client's management, (c) are the client's records in a condition to be audited, (d) are
there any auditing or accounting problems that pose too much risk, (e) does the client management have sufficient integrity? If
everything is okay, auditor accepts the offer.
7. Auditor is required to have a documented understanding with client as to the services to be provided. It can be an engagement
letter or a contract but no single form is mandated. This understanding should include the objectives of an audit, management's
responsibilities, and the auditor's responsibilities.
8. Auditor returns to predecessor auditor to review working papers from past audits. Auditor focuses on a number of elements
such as the establishment of asset cost figures, identifying specific accounting methods being used, the existence of
contingencies, and other possible reporting problems. The auditor tends to concentrate more on balance sheet items because
they carry over from year to year.
9. Auditor begins planning stage of the engagement. Auditor makes a preliminary assessment of the necessary size for a
misstatement to be judged as material (an assessment which may change during the audit as more data is obtained). "Material"
is defined as any misstatement of a size or quality that would cause decision makers to change their decisions. Misstatements
are errors (unintentional mistakes), fraud (intentional mistakes to hide theft or manipulate the records), and direct illegal acts.
10. Management is responsible for the financial statements and makes five assertions about every group of accounts
(inventory/cost of goods sold, for example) being reported as well as the financial statements as a whole: (1) they are valued
correctly (the numbers were determined according to GAAP), (2) assets and debts do exist and transactions did occur (the
account balance is not overstated—there are no extra amounts or transactions included), (3) presentation and disclosure within
the financial statements is appropriate (the numbers are in the right place and the footnotes provide all necessary information),
(4) all balances are complete (balance is not understated—no transactions or amounts have been left out), and (5) obligations –
all debts are recorded and rights - the reporting company has title to all the reported assets.
11. Auditor seeks sufficient substantive evidence to corroborate these five assertions made by management. This evidence
eventually provides a reasonable basis for determining whether the statements contain any material misstatements. If satisfied,
the auditor's opinion provides reasonable assurance that the statements are presented fairly according to GAAP.
12. For each group of accounts, the auditor seeks to reduce the actual audit risk to an acceptably low level. Audit risk is the chance
that a material misstatement will occur in one or more of management's assertions and manage to get into the released
financial statements. Actual audit risk cannot be reduced to zero because the auditor does not look at all transactions and most
audit procedures are performed by humans who can make mistakes. However, an acceptable level of audit risk can be
achieved. That is the point where the risk that a material misstatement does exist in the financial statements has become so low
that the auditor is willing to provide reasonable (but not perfect) assurance.
13. Audit risk is made up of three components: (1) inherent risk (the chance that a material misstatement could occur in an account
group), (2) control risk (the chance that a material misstatement which had occurred would not be detected by the client's
control system), and (3) detection risk (the chance that a material misstatement that had occurred and also gotten through the
control system will not be detected by the independent auditor). The auditor cannot provide reasonable assurance until actual
audit risk (the combination of these three separate risks) has been reduced to an acceptably low level.
14. Auditor first studies the company and estimates both the inherent risk and control risk associated with the organization and its
operations. Auditor uses these estimated levels of inherent risk and control risk to determine what the acceptable level of
detection risk must be to achieve the overall desired level of audit risk. If inherent and control risks are high, detection risk must
be reduced a low level. If inherent and control risks are low, detection risk can be higher. Inherent risk and control risk are both
assessments made by the auditor about the client. In contrast, detection risk varies based on the type and quantity of the
auditor's work. Actual detection risk is then reduced to its acceptable level by performing substantive testing (to gather
 corroborating evidence). More testing reduces detection risk as does better testing (using more sophisticated techniques, for
example, or testing closer to year end or using more experienced people.)
15. Throughout the assessment of both inherent risk and control risk and the performance of substantive tests (to reduce detection
risk to the acceptable level), the auditor also must make an ongoing assessment of risk factors that could indicate that fraud has
occurred. That is part of the risk assessment process. At the beginning of the audit (and throughout the engagement) members
of the audit team (or the entire team) brainstorm as to where and how fraud might occur within the client company that would
impact the financial reporting. This alerts the team to specific fraud risk factors relevant to this particular engagement. In
addition, during the audit, the team looks for the existence of any of a long list of general fraud risk factors. If any of these
factors are found, assessed risk levels are increased and additional testing will probably be necessary to compensate.
16. The auditor first assesses inherent risk in relation to various account groups. This judgment is based on: analytical procedures,
past problems, integrity of management, materiality of the balance in question, evaluation of accounting system and personnel,
etc. Inherent risk can be high for some accounts and low for others. If risk is higher than expected, additional substantive testing
or better substantive testing is likely to be needed for a greater reduction in detection risk.
17. Analytical procedures must be performed at the beginning of the audit to help assess inherent risk. These procedures provide
an overview; they do not look at individual transactions. The auditor sets an expected range for account balances, ratios, and
other relationships (age of receivables, gross profit percentage, etc.) to see if client figures fall within this range. These auditor
expectations come from budgets, competition, past balances, industry figures, relationships with other accounts, and
nonfinancial changes. Any client figure that falls outside of the expected range probably has a higher assessed level of inherent
risk.
18. Auditor next seeks to assess control risk. To do this, the auditor must gain a general understanding of the client's internal
control components: (a) control environment, (b) risk assessment, (c) control activities, (d) information and communication, (e)
monitoring.
19. Based on an understanding of these control components, auditor makes a preliminary assessment of control risk. Auditor
evaluates whether control risk seems to be at a maximum level or possibly below the maximum level. If judged to be at the
maximum risk level (control appears to be weak), documentation of the components is necessary but no further work or
documentation of control system is required. Even if the internal control looks as if it might be effective, auditor can still assume
maximum control risk if further testing of control activities would be more expensive than any potential savings in time and
money from reducing the amount of substantive testing.
20. If preliminary assessment of five controls components is that (a) control risk might possibly be below maximum level and (b)
further testing of controls could reduce the cost of overall testing, auditor should perform tests of those controls. To do this, the
auditor first determines the design of specific control activities within the individual systems. Determining the design of control
activities within a specific system can be done by memorandum, questionnaire, and/or flow chart. Second, the auditor should
anticipate the kinds of problems that might occur in this particular system. Third, the auditor should attempt to identify specific
control activities within the design of the system that would significantly reduce the risk of misstatement by either preventing or
detecting each of the anticipated problems. Fourth, for any such control activities that are identified, the auditor should ascertain
whether these specific controls are operating effectively. This can be done by inquiry, observation, or by looking for physical
proof of occurrence. Statistical sampling for attributes may be used here in testing effectiveness. Testing for attributes estimates
a rate and can be used here to estimate an error rate.
21. The last component of audit risk is "detection risk," the chance that a material misstatement will be missed by the auditor. The
auditor can only change the amount of detection risk. As mentioned previously, if inherent and/or control risks are assessed as
high in relation to the acceptable level of audit risk, detection risk must be reduced by more testing or better testing (referred to
as substantive testing). Conversely, if inherent and/or control risks are assessed as low in relation to the desired audit risk, the
auditor can afford to do less testing or testing of a lesser quality.
22. After the assessment of inherent risk and control risk, the desired level of detection risk is set to reduce actual audit risk to the
acceptable level. At that point, an audit program for the substantive tests to be performed is designed to ensure that sufficient,
competent evidence will be obtained. This is a required procedure to indicate proper planning.
23. All kinds of substantive testing can be done to provide evidence about account balances. The nature, extent, and timing of the
testing depend on the assessment of inherent risk, control risk, and the presence of any fraud risk factors. Testing done directly
on an account balance is a "test of a balance." Testing of individual entries is a "test of details." Statistical sampling for variables
is one technique used in some of the testing of balances procedures because it uses a sample in order to estimate a total (such
as the account balance). (A) - All findings from the substantive testing are recorded in auditor's working papers (known as "audit
documentation") to provide support for the auditor's opinion. (B) – Substantive testing includes confirmation, computation,
reconciliation, vouching, tracing, inquiry, inspection, analytical procedures, etc. (C) - Cut-off testing is done for the period around
year's end to make sure items are recorded in the correct time period. (D) - Auditor also tests transactions in the period
subsequent to the end of the year to provide additional evidence and to look for transactions that need disclosure. (E) -
Analytical procedures are required again at the very end of the audit to make sure that nothing was missed or overlooked. Final
client figures may vary from the auditor's expectations so that further investigation is needed.
24. Auditor must get management to furnish a representation letter on last day (or later) to acknowledge its responsibility for the
financial statements, to indicate its belief that statements are according to GAAP, to provide evidence for events that might not
have other physical evidence, and to put oral representations made by management into a written form.
25. Audit firm issues an audit report to be attached to financial statements to provide opinion. An unqualified opinion typically has
three paragraphs. The first (introductory) paragraph identifies the financial statements and indicates the responsibility of both
the management and the audit firm. The second (scope) paragraph describes the audit and the work of the auditor. The third
(opinion) paragraph indicates whether reasonable assurance is being given that the financial statements are presented fairly in
all material respects in accordance with generally accepted accounting principles.