
AUD

2019 SuperfastCPA Review Notes


Table of Contents
Ethics & Professional Responsibilities
Nature and Scope
Nature and Scope of Audit Engagements
Audits Under GAO and GAS Standards
Non-Audit Engagements
Ethics & Independence
AICPA Code of Professional Conduct
Requirements of SEC and PCAOB
Requirements of the GAO and the DOL
Terms of Engagement
Preconditions for an Engagement
Terms of Engagement and Engagement Letter
Requirements for Engagement Documentation
Communication with Management & Those Charged with Governance
Planned Scope and Timing of an Engagement
Internal Control Related Matters
All Other Matters
Communication with Component Auditors and Others
A Firm's System of Quality Control
Assessing Risk and Developing a Planned Response
Planning an Engagement
Developing an Overall Strategy
Developing a Detailed Engagement Plan
Understanding an Entity and Its Environment
External Factors Including the Applicable Financial Reporting Framework
Internal Factors Including Nature of Entity, Risk Strategy
Understanding an Entity's Internal Control
Control Environment and Entity-Level Controls
Flow of Transactions and Design of Internal Controls
Implications of Using a Service Organization
IT General and Application Controls
Identifying and Assessing Risk of Material Misstatement
Impact of Risk at Financial Statement Level
Limitations of Controls and Risk of Management Override
Impact of Risks for Each Relevant Assertion
Further Procedures Responsive to Identified Risks
Materiality
For the Financial Statements as a Whole
Performance Materiality and Tolerable Misstatement
Planning for and Using the Work of Others
Specific Areas of Engagement Risk
An Entity's Compliance with Laws and Regulations
Accounting Estimates, Including FV Estimates
Related Parties and Related Party Transactions
Performing Further Procedures and Obtaining Evidence
Understanding Sufficient Appropriate Evidence
Sampling Techniques
Performing Specific Procedures to Obtain Evidence
Analytical Procedures
External Confirmations
Inquiry of Management and Others
Observation and Inspection
Recalculation and Reperformance
All Other Procedures
Specific Matters
Opening Balances
Investments in Securities and Derivatives
Physical Observation of Inventory and Inventory Held by Others
Litigation, Claims, and Assessments
An Entity's Ability to Continue as a Going Concern
Accounting Estimates, Including FV Estimates
Misstatement and Internal Control Deficiencies
Written Representations
Subsequent Events
Forming Conclusions and Reporting
Reports on Audit Engagements
Forming an Auditing Opinion & Modification of an Opinion
Form and Content of an Audit Report & Emphasis of Matter Paragraphs
Audit of Internal Control Integrated with Audit of Financial Statements
Reports on Attestation Engagements
General Standards for Attestation Reports
Agreed-Upon Procedures Reports
Reporting on Controls at a Service Organization
Accounting and Review Service Engagements
Preparation Engagements
Compilation Reports
Review Reports
Reporting on Compliance
Other Reporting Considerations
Comparative Statements and Consistency Between Periods
Other Information in Documents with Audited Statements
Review of Interim Financial Information
Supplementary Information
Single Statements
Special-Purpose and Other Country Frameworks
Letters for Underwriters and Filings with the SEC
Alerts that Restrict Written Communication
Additional Reporting Requirements Under Gov Auditing Standards

Ethics & Professional Responsibilities

Nature and Scope

Nature and Scope of Audit Engagements


The purpose of an audit is to have an independent auditor issue
an opinion as to whether the financial statements are presented
fairly according to the applicable framework.

Non-Issuer Audits
These are non-public companies, and audits of non-issuers are
subject to the clarified auditing standards (AU-Cs) issued by
Auditing Standards Board (ASB).

Objectives of an Audit of Financial Statements According to
AU-C 200
• Obtain reasonable assurance that the financial statements
are free from material error, which allows the auditor to
express an opinion whether the statements are presented
fairly according to the applicable framework.
• Report on the financial statements and communicate as
required by GAAS (generally accepted auditing standards),
in accordance with the auditor’s findings.

Issuer Audits (public companies)


These audits are subject to the PCAOB’s Auditing Standards (AS
1015 for example).

Copyright © 2019 SuperfastCPA.com
Objective of the Independent Auditor According to AS 1001
The objective of the ordinary audit of financial statements by the
independent auditor is the expression of an opinion on the
fairness with which they present, in all material respects, financial
position, results of operations, and its cash flows in conformity
with generally accepted accounting principles. The auditor's
report is the medium through which he expresses his opinion or, if
circumstances require, disclaims an opinion. In either case, he
states whether his audit has been made in accordance with the
standards of the PCAOB. These standards require him to state
whether, in his opinion, the financial statements are presented in
conformity with generally accepted accounting principles and to
identify those circumstances in which such principles have not
been consistently observed in the preparation of the financial
statements of the current period in relation to those of the
preceding period.

In both cases the main objective of an audit is to have an
independent auditor express an opinion on whether the financial
statements are presented fairly based on the applicable reporting
framework.

Assertions
The “assertions” are key to the whole audit process. The
assertions are the underlying claims made by management about
the financial statements. When management gives the auditor
their listing of PP&E for example, management is essentially
making the “claim”, or assertion, that the items on that list actually
exist, that list is complete (nothing left out), that the business
actually owns the items listed, and that the values of the items are
listed correctly. The auditor then assesses the risk of material
misstatement based on these assertions and performs audit
procedures. That’s how the audit works in a nutshell.

It helps a LOT to just “think” about the meaning of the words,
especially in the context of the question being asked. For
example, “completeness” … this includes procedures or tests to
determine if a population is complete - or if everything has been
included that should be included.

They are grouped into 3 categories:


Account balances (4 assertions)
• Existence: This assertion means that all the assets,
liabilities, and equity actually exist
• Completeness: That all assets, liabilities, and equity that
should have been recorded, have been recorded. That
nothing has been left out
• Rights and Obligations: That the entity holds or controls the
rights to its assets, and the liabilities are that of the entity.
Any restrictions on either need to be disclosed
• Valuation and Allocation: That the assets, liabilities, and
equity are included in the financial statements at the proper
amounts

Presentation and disclosure (4 assertions)


• Occurrence and Rights & Obligations: That the disclosed
events and transactions have actually occurred and pertain
to the entity
• Completeness: That all disclosures that should have been
included have been included. Nothing left out.
• Classification and Understandability: That the financial
information is appropriately presented, described, and
clearly expressed
• Accuracy and valuation: That the financial information is
disclosed fairly and at the appropriate amounts

Classes of transactions and events (5 assertions)


• Accuracy: That amounts and other data have been recorded
appropriately
• Occurrence: That transactions and events recorded actually
occurred
• Completeness: That all transactions and events that should
have been recorded have been recorded. Nothing left out
• Cutoff: That the transactions have been recorded in the
proper period
• Classification: That the transactions have been recorded in
the proper accounts

Read through the assertions until you understand them. This
makes everything about AUD easier to understand.

Audits Under GAO and Government Auditing Standards
The GAO issues Government Auditing Standards (Yellow Book) -
also referred to as GAGAS (generally accepted government
auditing standards) - and these standards apply to audits
involving federal government programs or activities, or other
entities that receive federal funds.

The objective of a financial statement audit under GAGAS is
similar to a non-government audit: determining whether the
financial statements are presented fairly based on the applicable
reporting framework.

Additionally, GAGAS audits require separate reporting on internal
controls and adherence to applicable laws and regulations,
depending on the entity being audited. Therefore, the scope of a
GAGAS audit is larger than a non-government audit.

Governmental auditing standards require a separate report on
internal control that includes a description of the scope of the
auditor’s work in obtaining an understanding of internal control.
This report will also include any significant deficiencies or material
weaknesses noted. BUT, the regular audit report and the report
on internal controls can be combined.

A government audit will also include a report on compliance with
laws, regulations, and the provisions of any grant agreements.

An audit subject to the yellow book standards includes 3 reports:


• An audit report
• A report on internal control (this and the audit report can be
combined)
• A report on any applicable compliance with laws or
regulations

In a government audit, the auditor is required to report any fraud
or illegal acts to outside authorities IF:
• Management fails to report the information as required by
law,
• OR, if management fails to take timely action to respond to
the fraud or illegal act

Single Audits
State and local government agencies that spend at least
$750,000 in federal funding must get a “single audit”.
The point of a single audit is to verify that federal funds have been
spent according to the programs the funds were received for.
Materiality for single audits is determined separately for each
major federal financial assistance program.

Non-Audit Engagements
For non-audit engagements, there are basically two categories:

1) Engagements dealing with historical financial statements
that are not a full audit engagement.
The AICPA’s SSARs govern these types of engagements, and
they include:
• Reviews - provides limited assurance, is an attest
engagement.
• Compilations - provides no assurance, is an attest
engagement.
• Preparation of financial statements - provides no assurance,
is not an attest engagement.

These services apply to non-issuers (non-public companies).


Each of these engagement types requires an engagement letter,
and a report from the auditor is part of both reviews and
compilations, but there is no report issued with a preparation of
financial statements. See the details of each engagement type
below.

2) Engagements dealing with written representations or
subject matter other than historical financial statements.
The AICPA’s Statements on Standards for Attestation
Engagements (SSAEs) apply to these types of engagements.
These include:
• Examination engagements
• Review engagements (different than a financial statement
review above)
• Agreed-upon procedures engagements

SSARs or “Statements on Standards for Accounting
and Review Services”
These standards apply to “reviews”, “compilations”, and now
“preparation of financial statements”.

A review is an assurance engagement & an attestation
engagement that provides “limited assurance” that there are no
material modifications that should be made to the financial
statements. For a review, the auditor must be independent.

The basics of a review are:


• Possess knowledge of a client’s industry
• Apply analytical procedures
• Perform inquiries of management
• Obtain a representation letter

Each page of an entity’s financial statements that have been
‘reviewed’ should include the reference “See Accountant’s Review
Report”.
In a review engagement, the auditor is NOT required to obtain an
understanding of internal controls.

A compilation is basically assisting management to draft the
financial statements, without providing ANY level of assurance. It
is an attestation engagement but NOT an assurance
engagement. Also, a compilation can be performed for
prospective or pro-forma information in addition to historical
financial statements.

An auditor does NOT have to be independent to do a compilation
for a client since no assurance is provided. BUT, if the auditor is
not independent, the accountant should disclose this fact in the
compilation report.

The compilation report explicitly states that the financial
statements have not been audited, and that the accountant has
compiled the financial statements.

Remember that no procedures whatsoever are performed on the
data in a compilation. The auditor is expected to understand the
client and the client’s industry, but no audit procedures of any kind
are performed since no assurance is being provided.

Preparation of financial statements: this is what it sounds like.


The accountant takes the information from management and
prepares the financial statements. A preparation is a nonattest
service.

The accountant does NOT have to be independent for this type of
engagement.

There should be an engagement letter that outlines
management’s responsibilities & the accountant’s responsibilities.

Each page of the financial statements should include a statement
that no assurance is provided.

SSAEs or “Statements on Standards for Attestation
Engagements”
For all types of engagements under the SSAEs, the CPA needs to
be independent.

Examinations
These are fairly in-depth engagements where the CPA ultimately
obtains reasonable assurance about the subject matter being
fairly stated or in accordance with applicable criteria (that it is
what it says it is). It differs from an audit in that it’s not dealing
with historical financial statements. A report is issued that
provides the CPA’s opinion as to whether the subject matter
conforms to the criteria.

Attestation Review Engagements (not a financial statement
review)
In this type of engagement, the CPA is providing limited
assurance that the subject matter conforms to the criteria, and
again, the subject matter can be a number of things, just not
historical financial statements or it would be a financial statement
review. A report is issued that contains a conclusion about
whether there is a need for any material modifications in order to
be in accordance with the criteria.

Agreed Upon Procedures Engagements


In this type of engagement, a CPA is engaged to perform
procedures and report findings based on the criteria set by the
specified parties. A report is issued that describes the procedures
performed and the findings as a result of the procedures.

Ethics & Independence

AICPA Code of Professional Conduct


One of the main points of the code of professional conduct is for
CPAs to go above and beyond the minimum requirements to
show the public that CPAs are willing to accept responsibility to the
public.

Along with that, CPAs should not only be competent with the
professional services they provide, they should also cooperate
with other CPAs to improve the accounting profession.

The 3 main groups of rules that CPAs must honor involve:


• Integrity
• Objectivity
• Independence

As far as gifts from clients go, the 2 things to keep in mind are:
• Gifts from clients cannot violate the client’s laws or
regulations, OR the CPA’s laws or regulations
• Even if a gift isn’t explicitly violating any laws, it still needs to
be “reasonable under the circumstances”

When a CPA disagrees with their superior about the treatment of
a significant transaction, if the discussion with the superior does
not resolve the issue, then the CPA should go over the superior’s
head.

Even if a CPA has not handled a certain type of transaction or tax
issue before, they can still accept such engagements if they
believe in good faith that they can research the issues and handle
them properly.

Outsourcing professional services requires the notification and
approval of the client. If the client doesn’t want any of their
services outsourced, the CPA should either not outsource the
work, or not accept the engagement in the first place.

The client controls who a CPA can release audit documentation
to, unless ordered by a court or the CPA society’s quality review
board. Even if a CPA firm is purchased, the client has to agree
that the purchaser can access the audit documentation.

Also, client records are owned by the client and must be returned
to the client upon request, even if the CPA has not been paid yet.
Schedules or workpapers that the CPA has prepared do NOT
need to be returned to the client if the client has not paid.

A CPA failing to pay their own income tax is considered an act
discreditable to the profession.

A CPA cannot receive a contingent fee for attest-related services.


A CPA can receive a contingent fee for a private letter ruling.

Accepting a commission for recommending a product to an audit
client is essentially a kickback and is prohibited.

Tax accountants can accept referral fees and commissions if they
are disclosed to the client.

The only times a CPA should provide confidential client
information to another party is:
• A review of the CPA’s professional practice by the state CPA
society
• An inquiry from the professional ethics division of the AICPA
• The potential buyers of a CPA firm can view client records,
but before the records are actually turned over to the new
buyers, the client must give permission
• A court-ordered subpoena
⁃ (A mere request or letter from the SEC or IRS does
NOT count, and the CPA should never provide client
information until there is an actual court-ordered
subpoena)

As long as the information is accurate, informative, and truthful, a
CPA can advertise his or her services like other businesses
advertise.

Independence Rules

All CPAs should be independent when involved in attest services.


If the code and its interpretations do not directly provide guidance
for a certain situation, then the conceptual framework should be
applied.

Threats to independence are concentrated in 4 areas:


• Financial relationships: An audit partner can’t own stock in an
audit client
• Employment relationships: An audit partner can’t be on the
board of an audit client
• Family relationships: An audit partner shouldn’t audit his
brother’s company
• Consulting relationships: An audit firm can’t provide internal
audit consulting to an audit client
Covered members: You’ll see questions on the exam about
“covered members”, which means someone who falls under the
independence rules based on their situation. The following would
be considered covered members:
• Any member of the attest engagement team
• Any person in a position to influence the attest engagement
• A partner or manager that provides more than 10 hours of
nonattest services to the client within the fiscal year
• A partner in the same office as the lead engagement partner

If a “covered member” is very wealthy and has no investments
that are individually material to that member, they still cannot
have a direct investment in an attest client, no matter how small.
That includes mutual funds.

The member’s spouse also cannot have a direct financial interest.

A covered member can have a car loan with a client bank.

An audit firm can lease office space from an attest client as long
as the operating lease is on normal terms and all amounts are
paid on time and in accordance with the terms of the lease.

Requirements of SEC and PCAOB
SEC Rules
The rules from the SEC for independence and professional
conduct are very similar to the AICPA rules.

Main requirements as a CPA to audit a public company:


• Must be in good standing and registered under the laws of
the CPA’s state
• Must be independent and capable of exercising objective
and impartial judgement

Other specific rules you could see a question on:


• The CPA (firm) or the CPA’s direct family members can’t
have a direct investment in an audit client such as stocks or
bonds
• Members/employees of the firm can’t own more than 5% of
the stock of an audit client
• Can’t have direct or material indirect investment in a
company that the audit client has a material investment in,
nor in a company that has a material investment in the audit
client
• Can’t have a credit card issued from an audit client if the
balance is $10,000 or more owed to the client
• An audit client can’t make a direct investment in the
accounting firm

PCAOB Rules
SOX created the PCAOB to govern public company audit firms
and create standards for such audits.

Specific rules you might see a question on:
• Any kind of contingent fee charged to an audit client impairs
independence
• Members of the audit firm impair their independence if they
perform any tax service to a person in a financial reporting
oversight role from the audit client
• Tax consulting services can be performed for a public
company audit client if it is pre-approved by the client’s audit
committee. The CPA firm is required to describe the scope
and compensation for the service, discuss it with the audit
committee, and document the discussion
• Other non-audit services can be approved in this same way,
except for consulting related to internal controls over
financial reporting

Requirements of the GAO and the DOL
GAO Standards
Again, these are very similar to the AICPA code of professional
conduct.

Auditors who perform GAGAS audits are expected to be
independent, and adhere to the following ethical principles:
• The public interest
• Integrity
• Objectivity
• Proper use of government info and resources in performing
audits; auditor should never use government resources for
personal gain
• Professional behavior including avoiding conflicts of interest,
complying with applicable laws and regulations, and meeting
technical and professional standards

The GAO’s ethical principles apply to firms that audit federal
government agencies, or schools/entities that receive federal
grants. They do not apply to audit firms that audit public
companies.

According to the GAO’s standards, there are 3 types of
impairments to independence:
• Personal
• External
• Organizational

GAO standards allow for auditors to perform non-audit services
for their audit clients. One thing they can’t do is design an entity’s
accounting system and then audit the entity.

Auditors that perform GAGAS audits should complete 24 hours of
yellowbook CPE every two years.

Department of Labor Rules
The DOL rules in this context mostly deal with the audit of
employee benefit plans under ERISA.

Most DOL audits follow government auditing standards, which
include audits of compliance with laws or evaluating the
effectiveness in achieving program results.

Like with the other rules, the big overriding rule is that auditors
must be independent. The two broad categories that would impair
independence are financial (having a direct financial interest in an
entity to be audited) and employment ties to a plan sponsor.

Terms of Engagement
Preconditions for an Engagement
The preconditions for an audit are:
• Determine whether the financial reporting framework to be
applied is acceptable
• Obtain an agreement of management that it acknowledges
and understands its responsibility:
⁃ for the preparation and fair presentation of the financial
statements in accordance with the applicable reporting
frameworks
⁃ for the design, implementation, and maintenance of
internal control relevant to the preparation and fair
presentation of financial statements that are free from
material misstatement, whether due to fraud or error
⁃ to provide the auditor with
⁃ access to all information, documents, records, etc.
that are relevant to the preparation of the financial
statements
⁃ additional information that the auditor may request
for purposes of the audit
⁃ unrestricted access to persons within the entity
from whom the auditor determines it necessary to
obtain audit evidence

These written representations are made by management in the
“rep letter”.

Terms of Engagement and Engagement Letter
The auditor needs to agree with management to the terms and
only accepts the engagement if the preconditions for an audit
exist and an understanding of the terms is agreed to by the
auditor and management (or those charged with governance).

These terms are agreed to in the engagement letter, which
contains:
• The objective and scope of the audit of the financial
statements
• The responsibilities of the auditor
• The responsibilities of management
• A statement addressing the inherent limitations of an audit
that could still lead to missing a material misstatement that
exists
• Identification of the applicable reporting framework for the
audit
• Reference to the expected form and content of any reports
to be issued by the auditor

Requirements for Engagement Documentation
The overriding idea behind audit documentation is to compile
documentation to the point that an experienced auditor that had
no previous connection with the audit could look through the
documentation and understand:
• the nature, timing, and extent of audit procedures performed
• the results of the audit procedures performed, and the audit
evidence obtained
• significant findings or issues discovered during the audit, the
conclusions reached, and significant professional
judgements made in reaching those conclusions

Considerations in actually documenting the audit:


• The identifying characteristics of the specific items or
matters tested should be documented
• Who performed the audit work and the date such work was
completed should be documented
• Who reviewed the audit work and the date and extent of
such review should be documented

The actual audit workpapers and copies of significant contracts,
agreements, documents, schedules, etc. make up the “audit file”,
which should be in physical or electronic form.

The auditor should document the report release date in the audit
documentation, and the final audit file should be assembled no
later than 60 days after the report release date. The retention
period for the final audit file should not be less than 5 years from
the report release date. The auditor should adopt reasonable
procedures to maintain the confidentiality of the client information.

Communication with Management & Those
Charged with Governance

Planned Scope and Timing of an Engagement


When communicating with management regarding the audit, an
overview of the audit process should be provided but it should not
be so detailed as to reduce the effectiveness of the audit
procedures, meaning that the audit procedures shouldn’t become
completely predictable to management. The exact details of the
auditor’s plan for tests and procedures should not be
communicated.

The auditor should communicate:


• How the auditor will address the risks of material
misstatements whether due to fraud or error
• Issues regarding internal control and the internal audit
function (if one exists)
• The application of materiality in the context of the audit

Internal Control Related Matters
The auditor should communicate in writing any significant
deficiencies or material weaknesses in internal control to
management or those charged with governance. This
communication should be provided by the audit report date and
not later than 60 days after the report release date.

Significant deficiency in internal control: A deficiency or
combination of deficiencies in the design or operation of a control
that doesn’t prevent, detect, or correct misstatements on a timely
basis. This is less severe than a material weakness.

Material weakness in internal controls: A deficiency or
combination of deficiencies that results in a reasonable possibility
that a material misstatement will occur as a result of the
deficiency.

The communication should include:


• The definition of material weakness and if applicable, the
definition of a significant deficiency
• A description of the significant deficiencies and material
weaknesses and an explanation of the effects
• Elements that explain
⁃ That the purpose of the audit was for the auditor to
express an opinion on the financial statements
⁃ The audit included consideration over internal control
but not for the purpose of expressing an opinion on
internal control
⁃ The auditor is not expressing an opinion on the
effectiveness of internal control
⁃ The consideration over internal controls was not
designed to detect all possible deficiencies in internal
control and that there could be other deficiencies in
internal control that weren’t identified

All Other Matters
There are many items that would require communicating to
management or those charged with governance besides the
scope of the audit or internal control deficiencies, such as:
• Significant misstatements discovered by the auditor but
corrected by management
• Disagreement with management on significant issues that
could affect the financial statements
• Management’s consultations with other accountants
regarding significant accounting matters
• Any significant difficulties in dealing with management in
performing the audit such as not making key information
available to the auditor

Communication with Component Auditors and Others
When a group of businesses is being audited, it is a “group audit”.
It’s common in a group audit to use component auditors, who will
gather audit evidence for the group audit.

Communications with a Component Auditor


Communication with a component auditor should include the
following:
• A request to confirm that the component auditor will
cooperate with the engagement team
• The ethical requirements and independence requirements
applicable to the group audit
• A list of related parties and a request for the component
auditor to identify any related parties relevant to the group
audit
• Identified significant risks of material misstatement due to
fraud or error that are relevant to the component auditor’s
tasks within the group audit

There are also several communications that the engagement
team should request from the component auditor, such as:
• Whether the component auditor has complied with the
ethical and independence requirements of the group audit
• Identification of the financial information of the component on
which the component auditor is reporting
• The component auditor’s overall findings, conclusion, or
opinion

Matters to be Communicated to Parties Other Than Management and Those Charged with Governance
If the auditor discovers noncompliance with laws or regulations,
and the auditor suspects that management and those charged
with governance are involved in the noncompliance, then the
auditor should go to the next higher level of authority. If no such
higher authority exists, then the auditor should consider the need
to seek legal advice and determine whether the auditor has a
responsibility to report the identified or suspected noncompliance
to parties outside the entity.

A Firm's System of Quality Control
Statements on Quality Control Standards (SQCSs)
These are statements issued by the AICPA’s Auditing Standards
Board.
They apply to everything about accounting and auditing
engagements and provide guidelines for implementing a quality
control system.

6 Elements to a quality control system


• Leadership responsibilities such as “tone at the top”
⁃ Emphasis should be on performing work that complies
with professional standards
• Relevant and ethical requirements
⁃ Policies should be implemented that help ensure that
firm personnel comply with applicable ethical
requirements
• Acceptance and continuance of clients and specific
engagements
⁃ One of the main purposes for QC regarding client
acceptance is so a firm only accepts engagements that it
is qualified to perform
⁃ The other is to minimize the chances of working
with a client whose management lacks integrity
• Human resources
⁃ QC procedures over human resources should ensure
the firm has sufficient, competent personnel to handle
the firm’s engagements in accordance with the
applicable requirements and issue the reports
required by the engagements
• Engagement performance
⁃ One primary purpose is to ensure that engagements
are adequately supervised
⁃ Needs to provide elements to support consistency of
engagement performance, supervision, and review
functions
• Monitoring- meaning ongoing quality control efforts
⁃ Ongoing review of the QC procedures to ensure that
they are appropriate, relevant, and operating effectively.

The engagement partner is responsible for overall audit quality.

A firm’s QC procedures can be communicated to employees
orally or in writing.

When there is a difference of opinion on a significant matter
between members of the audit team, the details of reaching a
resolution should be documented.

The nature and extent of a firm’s QC procedures are based on the
firm’s size, the nature of the firm’s practice, and cost/benefit
considerations.

The SQCS’s scope is limited to auditing, accounting, and review
services. The procedures can obviously be applied to a firm’s
other service areas, but the SQCSs don’t require it.

Assessing Risk and Developing a Planned Response

Planning an Engagement

Developing an Overall Strategy


In developing an overall audit strategy, the auditor should:
• Identify the characteristics of the audit that define its scope
• Assess the reporting objectives in order to plan the timing of
the audit and nature of communications required
• Decide what factors are significant in directing the audit team
• Analyze the results of the preliminary procedures
• Assess the nature, timing, and extent of resources
necessary to perform the engagement

Developing a Detailed Engagement Plan
Developing a detailed engagement plan involves doing a risk
assessment and obtaining an understanding of the entity and its
environment, and if applicable, this is done while
comparing/contrasting to the previous year’s engagement.

Audit Planning
The point of audit planning is to plan the audit so that it will be
performed effectively.
The engagement partner and other key members of the audit
team should be the ones involved in planning.

Preliminary Engagement Activities


The auditor needs to evaluate any quality control issues that
could affect client acceptance.
The auditor needs to evaluate any potential independence issues.

The auditor needs to determine if the audit will require the work of
a specialist. This could be appraisers, tax specialists, IT
specialists, valuation experts, or others.

The auditor should be sufficiently knowledgeable to accomplish
the objectives of the audit, but in some cases the work of a
specialist will be required to complete certain audit procedures.

In the audit documentation, the auditor should include:


• The overall audit strategy
• The audit programs
• Any major changes made to the overall strategy or audit
programs during the audit, and the reasons for any such
changes

Materiality
Materiality means an amount that if missing or misstated on the
financials would likely lead a reasonable person to be influenced
to make a different decision than if the amount had been correct.

Materiality really just means “big enough to matter”.

Under the Clarified Standards, the focus is on “performance
materiality”.

Under the Clarified Standards, materiality needs to be
documented at:
• The financial statement level
• Materiality levels for specific transactions or account
balances – “performance materiality”
• Document any revisions to materiality during the audit

Audit Risk
This is the risk or probability that the auditor expresses a clean
opinion when there is actually a material misstatement in the
financial statements.
The auditor’s responsibility is to plan and perform the audit in a
way that obtains “reasonable assurance” that any material
misstatements are detected. Reasonable assurance is a high
level of assurance, which in turn provides a low level of audit risk.

Audit risk model: It has 3 elements:


• IR (inherent risk)
• CR (control risk)
• DR (detection risk)

Audit Risk = IR x CR x DR

Inherent Risk: This is the risk of misstatement due to error or
omission as a result of factors other than the failure of internal
controls.

Control Risk: This is the risk of material misstatement due to a
failure in internal controls.

Detection Risk: The risk that the auditors fail to detect a material
misstatement in the financial statements.

Analytical Procedures
These are evaluations of financial information based on
relationships among both financial data and non-financial data.
This can involve trends, comparing this year’s balances to last
year’s, ratios, etc.

Analytics are used in 3 ways:


• They’re used in the planning stage for risk assessment
• They can be used as a substantive procedure, but it’s not
required
• They are used as a final review

Just remember that analytics are required in the planning and
review stage. The auditor’s “expectation” is the key to effective
analytics.

Detecting Fraud
This will be asked in many forms on the exam, so the key words
to remember are that an audit provides REASONABLE assurance
that material errors or fraud will be detected.

Also, audit procedures that are effective for detecting an
unintentional misstatement still might not be able to detect an
intentional misstatement (fraud) when collusion is involved.

The idea of “professional skepticism” is a big topic- it means
having a “questioning” mind and a “critical assessment” of audit
evidence- NOT “assuming” that fraud is happening, but
“questioning” assertions made by management.

Types of Fraud
There is fraudulent financial reporting, and there is
misappropriation of assets (actually physically stealing cash or
inventory).

Risk factors that could lead to fraudulent financial reporting:
• Pressure to meet expectations or requirements such as
⁃ Earnings projections
⁃ Debt covenants
⁃ Requirements for financing agreements

The risk also increases if there is a large opportunity to
manipulate financials, such as when the business model involves a
lot of estimates that are hard to corroborate, or if there are many
significant decisions being made by just a few key
decision-makers.

Risk factors leading to asset misappropriation:


• Pressures on employees such as personal financial
problems.
• Low employee morale or the attitude of “the company owes
me” or “I’m underpaid”
• If assets are easy to access, such as employees that have
access to the cash

Management Override of Internal Controls
One of the biggest risk factors for fraud is when management
overrides the internal controls.

This could be a member of management pushing through a
transaction that doesn’t have a real business purpose, or an
unauthorized journal entry, or putting pressure on an employee to
make a journal entry they wouldn’t normally make.

Procedures would include:
• Examining adjusting journal entries
⁃ Especially JE’s close to beginning and end of reporting
periods
• Evaluate estimates for bias
• Examine authorization for unusual transactions

Communication if fraud is found:
The auditor informs those charged with governance when senior
management is involved in the fraud, OR if the misstatement is
material even if senior management is not involved.

If the misstatement is NOT material, the auditor must inform the
appropriate level of management (one level above where the
fraud has occurred).

When does the auditor report fraud to an outside party?
• When a subpoena has been issued
• When an SEC client is changing auditors
• As required by government auditing standards
• When an auditor has been authorized to communicate with
the preceding auditor

Understanding an Entity and Its Environment

External Factors Including the Applicable Financial Reporting Framework
External factors that the auditor should consider when gaining an
understanding of the entity include:
• Industry factors: The industry market and competition,
demand, cyclical or seasonal activity, energy supply and
cost, price competition
• Industry factors or regulation might inherently give rise to the
risk of material misstatement. For example, long-term
contracts involve lots of estimates about revenues and
expenses, which increases the risk of material misstatement.
• Regulatory factors: Industry-specific accounting practices,
specific regulatory frameworks, taxation, government
policies, environmental regulations
• Economic conditions such as interest rates, availability of
financing, inflation, etc.

Internal Factors Including Nature of Entity, Risk Strategy
Internal factors the auditor should consider:
• Nature of operations
• Ownership and governance structure
• What type of investments the entity is making
• How the entity is structured and financed
• How the entity selects accounting policies and if they are
appropriate to its industry
• The entity’s objectives and strategies and related business
risks involved

Understanding an Entity's Internal Control

Control Environment and Entity-Level Controls


The auditor is required to document their understanding of the
client’s internal control structure. This includes a written audit plan
for gathering sufficient audit evidence (the audit program).

It also includes an engagement letter that summarizes the timing
and extent of procedures to be performed, as well as outlining
management’s responsibilities with regard to the audit.

The whole point of “gaining an understanding” of internal controls
is to get the knowledge of the client necessary to plan the audit.

The main thing the auditor is interested in about the internal
controls is whether they affect the financial statement assertions.

“Obtaining an understanding of internal controls” involves
evaluating the design of the control and determining whether the
control has been implemented. The auditor performs
“walkthroughs” of key controls to verify that the controls have
been implemented.

The auditor should focus on the substance of the procedures (are
they working and effective?) instead of their form, because
management might have appropriate controls on paper, but they
might not be enforced.

For accounts that are immaterial, AND have a low inherent risk,
the auditor does NOT need to perform procedures to evaluate
internal controls.

Sometimes an auditor will make a flowchart to document a client’s
accounting system, and this depicts the auditor’s understanding of
the system.

Preliminary Evaluation
The auditor first considers the adequacy of controls, or the
“design effectiveness”, which is how effective they are on paper.
Consider any errors that could occur with the controls, and any
kinds of procedures that could prevent or detect these errors.
Then evaluate the implications of any weaknesses identified.

If the auditor decides to rely on internal controls to reduce
substantive audit procedures, then the auditor will perform “tests
of controls” to make sure that the controls, beyond being
effective in design, are also working like they’re supposed to
(operating effectiveness).

If the auditor is NOT going to rely on controls, then the audit plan
will be “wholly substantive”, which means the auditor will test the
account through substantive procedures and will not rely on the
internal controls.

A primary criterion of any system of internal control is the
cost-benefit relationship. The cost of a company’s internal controls
should not exceed the benefits.

If the auditor questions management’s integrity, the audit should
not be conducted, and the auditor would withdraw from the
engagement.

Remember the formula: IR x CR x DR = Audit Risk

The auditor assesses control risk and inherent risk because they
affect the level of detection risk that the auditor can accept.

The auditor is NOT required to assess operating effectiveness of
controls. This will only be done if the auditor decides to perform
“tests of controls” in order to reduce substantive testing.

Assertions
The “assertions” are key to the whole audit process. The
assertions are basically the underlying claims made by
management about the financial statements.

It helps a LOT to just “think” about the meaning of the words,
especially in the context of the question being asked. For
example, “completeness” … this includes procedures or tests to
determine if a population is complete- or if everything has been
included that should be included.

They are grouped into 3 categories:

Account balances (4 assertions)


• Existence: This assertion means that all the assets,
liabilities, and equity actually exist
• Completeness: That all assets, liabilities, and equity that
should have been recorded, have been recorded. That
nothing has been left out
• Rights and Obligations: That the entity holds or controls the
rights to its assets, and the liabilities are that of the entity.
Any restrictions on either need to be disclosed
• Valuation and Allocation: That the assets, liabilities, and
equity are included in the financial statements at the proper
amounts

Presentation and disclosure (4 assertions)


• Occurrence and Rights & Obligations: That the disclosed
events and transactions have actually occurred and pertain
to the entity
• Completeness: That all disclosures that should have been
included have been included. Nothing left out.
• Classification and Understandability: That the financial
information is appropriately presented, described, and
clearly expressed
• Accuracy and valuation: That the financial information is
disclosed fairly and at the appropriate amounts

Classes of transactions and events (5 assertions)


• Accuracy: That amounts, and other data have been recorded
appropriately
• Occurrence: That transactions and events recorded actually
occurred
• Completeness: That all transactions and events that should
have been recorded have been recorded. Nothing left out
• Cutoff: That the transactions have been recorded in the
proper period
• Classification: That the transactions have been recorded in
the proper accounts

Read through the assertions until you understand them. This
makes everything about AUD easier to understand.

Internal Control Standards


Definition: Internal controls are processes effected by those
charged with governance or management designed to provide
reasonable assurance about the achievement of the entity’s
objectives with regard to financial reporting, effectiveness of
operations, and compliance with laws.

Internal control consists of 5 elements:
• Control environment
⁃ This is made up of the policies and procedures to
establish overall control of the organization (the tone at
the top)
• Risk assessment
⁃ The policies set to identify and analyze relevant risks so
that they can be managed
• Information and communication systems
⁃ The policies and procedures to identify, capture, and
exchange relevant information so that employees can
meet their responsibilities in a timely manner
• Control activities
⁃ The policies and procedures set so that management’s
objectives will be achieved
⁃ This includes segregation of duties, physical controls,
and authorization
• Monitoring
⁃ The policies and procedures to measure the
effectiveness of internal controls as time goes on

Risk assessment procedures: These are what the auditors do
to assess the ‘risk of material misstatement’.
• Inquiries of management and others
• Observation and inspection of documents
• Analytical planning procedures
• The review of information from prior periods
• Audit team discussion of the risks identified, including how
the risks affect specific areas of the audit

Documentation: There are certain things the audit team is
required to document:
• Audit team discussion about RMM and the key elements
about the entity, its environment, etc.
• The assessment of RMM at the financial statement level and
at the relevant assertion level
• Identified significant risks and the related controls the auditor
obtained an understanding of (walkthroughs)

Other considerations:
The best way to compensate for lack of segregation of duties at a
small company is to have greater management oversight of
overlapping duties
The auditor is NOT obligated to search for significant deficiencies
in the design or operation of internal control. But, if they are
found, the auditor is required to communicate them to those
charged with governance.

If documentary evidence of certain controls does not exist, the
auditor can test the controls by observation and inquiry.

Remember that an auditor is required to obtain an understanding of
the client’s internal controls, AND document their understanding
of the controls.

The auditor is NOT required to:


• Perform tests of controls (but can if necessary)
• Search for significant deficiencies in internal controls (but
they may find them)
• Determine whether controls are suitably designed to prevent
or detect material misstatements (the auditor does this, but
ONLY to controls related to significant assertions and
accounts, NOT all controls)

Regardless of the assessed level of control risk, the auditor will
always perform some substantive tests to lower detection risk for
significant transaction classes.

When the auditor assesses control risk below the maximum level,
the auditor is required to document BOTH their basis for this
conclusion, and their understanding of the internal control
elements.

If there is substantial risk that there has been intentional
misapplication of accounting principles or management override
of controls, the auditor would likely conclude that the audit cannot
be performed.

Required Communications
There are 2 things an auditor must communicate with regard to
the design or operation of internal control:
• Any identified “material weaknesses”
⁃ A deficiency in internal control such that there is a
reasonable possibility that a material misstatement of
the entity’s financial statements will not be prevented,
detected, or corrected on a timely basis
• Any identified “significant deficiencies”
⁃ A deficiency in internal control that is less severe than a
material weakness but important enough to be
communicated to those charged with governance

The auditor has to decide if a deficiency is a material weakness or
a significant deficiency.

Any identified significant deficiencies or material weaknesses are
then communicated to management and those charged with
governance. This communication is to be made within 60 days of
issuing the audit report. There should also be a restriction on the
distribution of this communication. It is only for the audit
committee, those charged with governance, and management.

The communication should also include a paragraph stating that
the purpose of the audit was to report on the financial statements
and not provide assurance on internal control. The deficiencies in
internal control happened to be found as a result of auditing the
financial statements.
If no significant deficiencies are found, the auditor does NOT
report that none were found. There is simply no communication
about significant deficiencies if none are found.

Using an Internal Auditor


If a client has internal auditors that are competent and objective,
they can be used to perform tests of internal controls and
substantive tests.
To assess the internal auditors’ competence, the CPA should
obtain info about their educational background, professional
experience, and professional certifications.

To assess the objectivity of the internal auditors, the CPA should
determine the organizational level to which the internal auditors
report.
BUT, the external auditor cannot allow judgment from the internal
auditor on materiality of misstatements, or the evaluation of
accounting estimates. The internal auditor can be used to help
test internal controls and perform substantive tests, but the final
conclusions must be made by the external auditor.

An internal auditor’s work would NOT likely be used in areas
requiring significant auditor judgment such as valuation of
intangible assets, valuation of related party transactions, valuation
and existence of contingencies, or significant estimates.

Internal Control Transactions
Segregation of duties is best tested by observing employees as
they apply control procedures. Segregation of duties involves
separating duties so that employees aren’t in a position to both
commit fraud and then be able to cover it up.

Internal Control Objectives for Sales


Segregation of duties: The 3 main types of tasks that should be
separated are:
• Authorization (execution) such as granting credit
• Access (custody) such as custody of the pre-numbered
sales invoices or the goods being handled by the shipping
department
• Accounting (recordkeeping) such as entering customer’s
order form and dealing with receivables and collections

Physical controls:
• Computer passwords and different account types within the
system with different levels of permissions
• Custody of cash receipts and inventory should be handled
by employees without access to record keeping

Authorization
• Transactions should be authorized
• Adjusting journal entries should be reviewed and approved
by management

Review
• Monthly statements should be sent to customers
• Related documents such as the sales invoice, sales order
form, and shipping documents should be compared
• Cutoff should be verified to make sure transactions have
been recorded in the proper period

Information processing
• Focus on the entity’s records regarding the “audit trail”
• All key documents should be pre-numbered, and the
sequence should be accounted for
• Aged trial balance should be reconciled to the general ledger
periodically

Internal Control Objectives for Receipt of Cash


• When cash (checks) are received, they are posted to a
remittance log which is a listing of all cash receipts
• The transaction is also posted in the cash receipts journal,
and all cash receipts will be posted to that month’s receipts
in the general ledger
• Different employees should open the mail, do the accounting
activities, prepare the deposit of checks, and reconcile the
bank accounts
• Each cash receipt should be listed immediately when the
mail is opened
⁃ The best control over cash receipts is a bank lockbox
system- then employees never touch cash receipts
• Employers will “bond” employees that handle cash receipts.
Bonding insures the company against loss from illegal acts
by employees, and this reduces the risk of dishonesty by
employees because the bonding company must approve the
employees in the first place, and if employee theft happens,
the bonding company does an investigation before paying
the company back. So, bonded employees know they will be
highly scrutinized if theft occurs.
• Lapping is when cash received from a customer is stolen
and the shortage is hidden by crediting the first customer’s
account with cash received from a second customer. To
prevent this, two different people should be receiving cash,
and posting payments received to the accounts receivable
ledger

Internal Control Procedures for Expenses/Disbursements
• The purchasing department should make the purchases
using pre-numbered purchase orders
• The receiving department takes possession of deliveries
• The accounts payable department should handle the
accounting function and approve payments
• Only designated employees should be able to make
purchases for the company
• Checks should require dual signatures
• For both receipts and disbursements bank reconciliations
should be prepared on a timely basis
• Again, all key documents should be pre-numbered, and the
sequence should be accounted for as well
• Supporting documents such as invoices should be canceled
as “paid” as soon as they are paid

Internal Control Procedures for Payroll


• The process consists of collecting employee timecards or
time sheets (including time sheets for salaried employees),
after which payroll is prepared and recorded in the payroll
journal. Then checks are given to employees, and the month’s
payroll is posted to the general ledger
⁃ The approval of time cards by an employee’s direct
supervisor is one of the best controls for making sure
employees only get paid for work performed
• HR keeps records that contain pay rates and personnel files.
Certain HR employees should be the only ones who have
access to these files
• The treasury issues the checks and signs them and
distributes the checks
• Payroll department calculates payroll and does the
record-keeping each period

Flow of Transactions and Design of Internal Controls
Performing a walkthrough is a standard procedure to make sure
the auditor understands the flow of transactions and can
document it. The auditor selects a few transactions and traces
them through the client’s accounting system.

A walkthrough is part of gaining an understanding and is not a
“test of controls”.

Implications of an Entity Using a Service Organization
When a client being audited uses a service organization, such as
outsourcing their payroll to a payroll company, the auditor needs
to gain an understanding of the services provided by the service
organization and the effect on the client’s internal controls.

The auditor can gain an understanding of the service
organization’s controls through a SOC (service organization
control) report. These can be a “Type 1” or a “Type 2” report
prepared by a “service auditor”. They provide a description of
the service organization’s system and its internal controls,
and a type 2 report includes an opinion on the operating
effectiveness of the controls.

Specifically:
• A Type 1 report covers the service organization’s system
and design of controls. A type 1 report will include a
disclaimer of opinion about the operating effectiveness of the
controls. A type 2 report includes an opinion on the operating
effectiveness of controls
• A Type 2 report covers the service organization’s system,
design of controls, AND the operating effectiveness of
controls

Whether or not the auditor needs to see a SOC report depends
on the risk assessment, the degree to which the audit client’s
activities interact with the service organization, and the degree to
which the audit client can implement effective controls over what
the service organization processes for the client. If the audit
client has effective controls over the service org’s processing,
then the auditor can gain an understanding from the audit client
alone and probably doesn’t need to use a SOC report.

On the other end, if the risk assessment includes an expectation
that the service organization’s controls are operating effectively,
then the auditor would need a type 2 report.

IT General and Application Controls
There are 2 main categories of IT controls:
• General controls: These have an impact on all parts of an IT
system
• Application controls: These affect specific IT tasks within
departments such as payroll

IT General Controls
These are policies and procedures that apply to many
applications and support the functioning of the application
controls.
These typically include:
• Controls over data and network operations
• Software acquisition and maintenance
• Access security
• Physical security of assets, such as access to records
• Authorization to computer programs and data
• File backup & disaster recovery plan

Within the IT department, there are several main positions (these
are also forms of segregation of duties for the IT department):
• Systems analyst: designs the system
⁃ A “systems documentation” file should be kept so that
there are narratives and flowcharts for each application
system. This is a general IT control
• Programmer: develops the code for the system
• Operator: runs the system
• Librarian: keeps track of data within the system
• Security: safeguards the system

There are several ‘built-in’ controls within an IT system:


• Parity check: this is transmission of information between
system hardware components
• Echo check: transmission of information over phone lines
• Diagnostic routines: checks internal operations of hardware
components
• Boundary protection: allows multiple jobs running
simultaneously
• A ‘source code comparison program’ tests for unauthorized
program changes by comparing the compiled code to the
original program
• One disadvantage of computer data files compared to
manual data files is that it’s easier for an unauthorized
person to access and alter computer data files

A “secure” password:
• Has 7 characters in length
• Includes special characters
• Should have a mixture of lower and uppercase letters
• Should be unique
• And passwords should be changed regularly so that hackers
don’t have unlimited time to try and crack them

As part of an entity’s disaster-recovery plan, the entity should
store duplicate files at a separate location.

Application Controls
These are more specific controls that relate to specific
applications and/or individual transactions.

Input controls: These are meant to reduce mistakes when data
is being entered into the system.
• Batch totals: these are totals that actually mean something
such as the total of cash received that day
• Hash totals: these are totals that don’t have a dollar meaning
but can be used to check for mistakes. An example would be
the employee ID numbers being added up so that if one was
missing it would be noticed by comparing to a hash total of
employee ID numbers
• Record count: Keeping track of the number of records
processed to determine that the right number of records has
been accounted for

Logic checks: These are certain computer checks that can
determine if data has been entered incorrectly.
• Limit tests: the system rejects an out-of-range entry, such as
someone trying to enter 300 hours worked in one week.
• Validity checks: this will limit a certain input to only valid
responses. For example, in the phone number field it would
only accept numbers and no letters.
• Missing data checks: input fields can be required and won’t
allow the user to move on until all required fields have been
entered.
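
The input controls and logic checks above, applied to one payroll batch, as an added example that is not part of the original notes. The field names, the 100-hour ceiling and the sample batch are assumptions constructed for illustration; the sample shows a transposed employee ID that leaves the record count and batch total in balance and is caught only by the hash total.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed ceiling for the limit test; the notes only say 300 hours/week must be rejected.
MAX_WEEKLY_HOURS = Decimal("100")
REQUIRED_FIELDS = ("employee_id", "hours", "phone", "gross_pay")


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # how many records the batch should contain
    hash_total: int       # sum of employee IDs: no dollar meaning, useful only as a check
    batch_total: Decimal  # sum of gross pay: a total that actually means something


def _amount(value):
    """Parse a finite decimal, or return None if the value is not a valid number."""
    try:
        parsed = Decimal(str(value).strip())
    except InvalidOperation:
        return None
    return parsed if parsed.is_finite() else None


def _digits(value):
    """True only for a non-empty string of ASCII digits."""
    text = str(value)
    return text.isascii() and text.isdigit()


def edit_check(record):
    """Logic checks on one keyed record. Returns rejection reasons (empty = accepted)."""
    missing = [f for f in REQUIRED_FIELDS
               if record.get(f) is None or not str(record[f]).strip()]
    if missing:  # missing data check: stop here, the other checks need these fields
        return [f"missing required field: {f}" for f in missing]
    errors = []
    if not _digits(record["employee_id"]):  # validity check
        errors.append("employee_id must be numeric")
    if not _digits(record["phone"]):  # validity check: numbers only, no letters
        errors.append("phone must contain digits only")
    hours = _amount(record["hours"])
    if hours is None:
        errors.append("hours is not a number")
    elif not (Decimal(0) <= hours <= MAX_WEEKLY_HOURS):  # limit test
        errors.append(f"hours {hours} outside 0..{MAX_WEEKLY_HOURS}")
    if _amount(record["gross_pay"]) is None:
        errors.append("gross_pay is not a number")
    return errors


def control_totals(records):
    """Compute the three input control totals over records that passed the edit checks."""
    return ControlTotals(
        record_count=len(records),
        hash_total=sum(int(r["employee_id"]) for r in records),
        batch_total=sum((_amount(r["gross_pay"]) for r in records), Decimal(0)),
    )


def process_batch(declared, records):
    """Run edit checks, then reconcile the computed totals against the batch header."""
    accepted, rejected = [], []
    for rec in records:
        reasons = edit_check(rec)
        if reasons:
            rejected.append((rec, reasons))
        else:
            accepted.append(rec)
    computed = control_totals(accepted)
    out_of_balance = [
        name for name in ("record_count", "hash_total", "batch_total")
        if getattr(computed, name) != getattr(declared, name)
    ]
    return accepted, rejected, out_of_balance


# Constructed sample data: header totals prepared from the source documents,
# and the batch as keyed, with employee ID 1002 transposed to 1020.
DECLARED = ControlTotals(record_count=4, hash_total=4010, batch_total=Decimal("3280.00"))
KEYED_BATCH = [
    {"employee_id": "1001", "hours": "40", "phone": "5550100001", "gross_pay": "800.00"},
    {"employee_id": "1020", "hours": "38", "phone": "5550100002", "gross_pay": "760.00"},
    {"employee_id": "1003", "hours": "40", "phone": "5550100003", "gross_pay": "900.00"},
    {"employee_id": "1004", "hours": "41", "phone": "5550100004", "gross_pay": "820.00"},
]

if __name__ == "__main__":
    accepted, rejected, out_of_balance = process_batch(DECLARED, KEYED_BATCH)
    print("accepted:", len(accepted), "rejected:", len(rejected))
    print("out of balance:", out_of_balance)
```

A record rejected by an edit check also throws all three totals out of balance, so the batch stays flagged until the record is corrected and resubmitted.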

Processing checks: These are processes to verify the
processing of data is accurate and authorized.
• Checkpoints: for long processes, a procedure which makes
checkpoints so that if a process crashes the entire process
doesn’t have to be re-executed
• Limit on processing time: if a process takes longer than a
certain limit, the process shuts down because it assumes an
error has occurred

Evidence Gathering
Types of audit software:
• Generalized software: These are “out of the box” software
for auditing that have general functions for testing clients’
data
• Customized software: This would be a program created to
access the files of a certain client. This can be more
expensive in the long run if custom software is being
developed for several clients individually
• Data mining software: This is commercial audit software that
provides features for doing substantive analytics

Tests of Controls Procedures


When IT controls are internal, the auditor can use some of the
following procedures to test the system’s controls:
• Test data: the auditor can put dummy transactions through
the system that contain known errors to see if the system
catches the errors
• Integrated Test Facility: this involves creating a dummy
division within the client’s system and running through
dummy data alongside the client’s real data
• Parallel Simulation: This involves processing the client’s data
on the auditor’s software to compare the client’s output with
the auditor’s output
• Tagging: This is when an auditor “tags” a transaction in order
to follow it through the client’s system

Other Considerations
When auditing a client that processes most of its financial data in
electronic form, the auditor would most likely consider using an
‘embedded audit module’, which is a computer program actually
inserted into the client’s system which will select transactions for
further review by the auditor.

Identifying and Assessing the Risk of Material Misstatement

Impact of Risk at Financial Statement Level


Risks of material misstatement at the financial statement level
refer to risks that could have a pervasive effect on the financial
statements and that could affect many assertions at once. They
can result from a poor control environment, questions about the
integrity of management, or the reliability of an entity’s records.

The risk at the financial statement level is more likely if there is
the possibility of fraud.

If the control environment is considered ineffective, then it may
require an “overall response” by the auditor. This can mean
assigning more experienced staff to the audit, using specialists,
using more unpredictable audit procedures, etc.

If substantive procedures alone wouldn’t yield appropriate audit
evidence, then the auditor would use a combined approach and
use tests of controls to test the operating effectiveness of controls
in addition to substantive tests.

If there are significant concerns about risks of material
misstatement at the financial statement level due to the integrity
of management or a poor control environment, it may raise doubts
about the auditability of the financial statements and the auditor
may consider withdrawing from the audit.

Remember that the risk assessment can change as the audit
goes on and more information/audit evidence is obtained, and the
auditor accordingly adjusts the audit approach to match the
assessed levels of risk.

Limitations of Controls and Risk of Management Override
Limitations of Controls
There are of course inherent limitations to internal controls: no
system of internal controls can guarantee to prevent, detect, or
correct any possible misstatement.

This is especially true if two or more individuals collude to get
around controls, or if a member of management simply overrides
the controls. Other factors: humans make mistakes; controls are
only implemented to the point that the benefits outweigh the
costs, so they aren’t all-encompassing; and the nature of business
(always looking for increased performance/profits) can lead to
people rationalizing and committing fraud.

Management Override of Internal Controls


One of the biggest risk factors for fraud is when management
overrides the internal controls.
This could be a member of management pushing through a
transaction that doesn’t have a real business purpose, or an
unauthorized journal entry, or putting pressure on an employee to
make a journal entry they wouldn’t normally make.

Procedures would include:


• Examining adjusting journal entries
• Especially JE’s close to beginning and end of reporting
periods
• Evaluate estimates for bias
• Examine authorization for unusual transactions

Communication
If fraud is found:
• The auditor informs ‘those charged with governance’ when
senior management is involved in the fraud, OR if the
misstatement is material even if senior management is not
involved
• If the misstatement is NOT material, the auditor must inform
the appropriate level of management (one level above where
the fraud has occurred)

When does the auditor report fraud to an outside party?


• When a subpoena has been issued
• When an SEC client is changing auditors
• As required by government auditing standards

Impact of Risks for Each Relevant Assertion
The auditor uses the assessed level of risk of material
misstatement to determine the acceptable level of detection risk
for the financial statement assertions. From there, the auditor
uses the acceptable level of detection risk to determine the nature
and extent of audit procedures to use.

For significant transaction classes there will always be some
substantive procedures performed.

In general, the risk of material misstatement is highest in
transactions that require significant judgement, and lowest in
routine transactions.

As risks are identified, the auditor determines whether the risks
relate to specific assertions or the financial statements as a
whole. Then, the auditor identifies controls related to the risks and
specific assertions.

The auditor may not be able to gather sufficient audit evidence
from substantive procedures alone and would then do tests of
controls in addition to the substantive procedures.

Assertions
The “assertions” are key to the whole audit process. The
assertions are the underlying claims made by management about
the financial statements. When management gives the auditor
their listing of PP&E for example, management is essentially
making the “claim”, or assertion, that the items on that list actually
exist, that the list is complete (nothing left out), that the business
actually owns the items listed, and that the values of the items are
listed correctly. The auditor then assesses the risk of material
misstatement based on these assertions and performs audit
procedures. That’s how the audit works in a nutshell.

It helps a LOT to just “think” about the meaning of the words,
especially in the context of the question being asked. For
example, “completeness” … this includes procedures or tests to
determine if a population is complete, or if everything has been
included that should be included.

They are grouped into 3 categories:

Account balances (4 assertions)


• Existence: This assertion means that all the assets,
liabilities, and equity actually exist
• Completeness: That all assets, liabilities, and equity that
should have been recorded, have been recorded. That
nothing has been left out
• Rights and Obligations: That the entity holds or controls the
rights to its assets, and the liabilities are that of the entity.
Any restrictions on either need to be disclosed
• Valuation and Allocation: That the assets, liabilities, and
equity are included in the financial statements at the proper
amounts

Presentation and disclosure (4 assertions)


• Occurrence and Rights & Obligations: That the disclosed
events and transactions have actually occurred and pertain
to the entity
• Completeness: That all disclosures that should have been
included have been included. Nothing left out.
• Classification and Understandability: That the financial
information is appropriately presented, described, and
clearly expressed
• Accuracy and valuation: That the financial information is
disclosed fairly and at the appropriate amounts

Classes of transactions and events (5 assertions)
• Accuracy: That amounts, and other data have been recorded
appropriately
• Occurrence: That transactions and events recorded actually
occurred
• Completeness: That all transactions and events that should
have been recorded have been recorded. Nothing left out
• Cutoff: That the transactions have been recorded in the
proper period
• Classification: That the transactions have been recorded in
the proper accounts

Read through the assertions until you understand them. This
makes everything about AUD easier to understand.

Further Procedures Responsive to Identified Risks
For an identified risk, if substantive procedures alone won’t
provide sufficient audit evidence, then the auditor would perform
tests of controls in addition to the substantive procedures.

If a deviation in a control is found, the auditor should make
inquiries in order to understand the potential consequences of the
deviation (what else happens if this error isn’t detected?).

If the auditor wants to lower the acceptable level of audit risk, then
the auditor can make changes to the substantive procedures such
as:
• Increasing the sample size
• Expanding the substantive procedures
• Using independent parties for testing such as confirmations

The general idea is when there is a high risk of misstatement
identified, the effectiveness and reliability of the substantive
testing should be increased, meaning more reliable forms of
testing are used.

Materiality

For the Financial Statements as a Whole


Materiality means an amount that if missing or misstated on the
financials would likely lead a reasonable person to be influenced
to make a different decision than if the amount had been correct.
Materiality really just means “big enough to matter”.

Under the Clarified Standards, the focus is on “performance
materiality”.

Under the Clarified Standards, materiality needs to be
documented at:
• The financial statement level
• Materiality levels for specific transactions or account
balances – “performance materiality”
• Any revisions to materiality during the audit

Materiality set for the financial statements as a whole is a set
amount.

This can be calculated a number of different ways, but some
common approaches are:
• 1% to 2% of total assets
• 5% to 10% of net profit
• 1% of equity

Also, some firms have their own formulas and worksheets for
determining materiality.

Performance Materiality and Tolerable Misstatement
Performance materiality is an amount lower than materiality for
the financial statements. It is set lower to reduce the risk that
uncorrected misstatements detected, together with undetected
misstatements, exceed financial statement materiality.

Again, performance materiality can be set a number of ways or
through simple or complex calculations.

For example, it might be 10% of materiality, 5%, or a certain
percentage of a transaction class or account balance. But it will of
course always be a fraction of financial statement materiality.

Tolerable Misstatement (TM)


This is an amount determined by the auditor such that, if an error
or misstatement is found where the difference from the correct
amount is below the TM, it won’t impact the fair presentation of
the financial statements.

Planning for and Using the Work of Others
Using the Internal Audit Function as Part of the Audit
The external auditor has sole responsibility for the audit opinion
and the quality of the audit work performed, and using any work
performed by the internal audit function doesn’t take away any of
that responsibility. Therefore, when the external auditor is
considering using the internal auditors to help with the audit, the
most important things to consider are:
• The competence of the internal auditors
• The objectivity of the internal auditors
• The internal auditors’ use of a systematic and disciplined
approach

If a client has internal auditors that are competent and objective,
they can be used to perform tests of internal controls and
substantive tests.

To assess the internal auditors’ competence, the CPA should
obtain info about their educational background, professional
experience, and professional certifications.

To assess the objectivity of the internal auditors, the CPA should
determine the organizational level to which the internal auditors
report.

BUT, the external auditor cannot allow judgment from the internal
auditor on materiality of misstatements, or the evaluation of
accounting estimates. The internal auditor can be used to help
test internal controls and perform substantive tests, but the final
conclusions must be made by the external auditor.

An internal auditor’s work would NOT likely be used in areas
requiring significant auditor judgment such as valuation of
intangible assets, valuation of related party transactions, valuation
and existence of contingencies, or significant estimates.

If any of these factors are lacking, then the auditor shouldn’t use
the internal audit function to help with the audit. When the
external auditor does use work performed by the internal auditors,
any judgements about the audit evidence obtained need to be
made by the external auditor.

Using the Work of a Specialist


Just like with using the work of internal auditors, the external
auditor is solely responsible for the audit opinion and the quality of
the audit work and using a specialist doesn’t lessen or deflect that
responsibility. So again, the primary concern for the auditor in
using a specialist will be to evaluate the specialist’s competence
and objectivity.

The auditor would consider using a specialist when there is
expertise needed outside of accounting and auditing that is
necessary for gathering appropriate and sufficient audit evidence.

If the auditor decides to use the work of a specialist, there should
be an agreement in writing that details what services will be
performed, the requirements of the work needed, and any
expected communications as a result of the specialist’s work.

Using the Work of a Component Auditor in a Group Audit


It is up to the group audit engagement partner to evaluate the
component auditor’s independence and professional competence
and understand the extent of the component auditor’s work on the
group audit.

If the engagement partner decides to reference the component
auditor’s work in the audit report, the component’s financial
statements need to be prepared using the same framework as
the group, and the component auditor needs to have performed
their audit according to the applicable standards.

The auditor can decide to assume responsibility for the
component auditor’s work, and if they do then they don’t
reference the component auditor on the report at all.

The group audit partner can decide to name the component
auditor in the report (permission must be obtained to do so), and
then the component auditor’s report would be included with the
group audit report in the financial statements.

Specific Areas of Engagement Risk

An Entity's Compliance with Laws and Regulations


Auditor’s Responsibility with Laws and Regulations That
Have a Direct Effect on the Financial Statements
The auditor should obtain sufficient appropriate evidence
regarding material amounts and disclosures on the financial
statements that relate to laws or provisions known to have a direct
effect on the financial statements. The most direct example is
determining how the entity is complying with the reporting
framework the financial statements are based on.

If the auditor discovers information that suggests noncompliance,
the auditor should gather additional evidence and evaluate the
issue’s effects on the financial statements. If the auditor suspects
noncompliance, then the auditor should discuss the issue with
management or those charged with governance, one level above
where the suspected issue is.

The step above that, if the auditor suspects management or those
charged with governance are involved, would be to obtain legal
counsel.

Auditor’s Responsibility with Laws and Regulations That Do
Not Have a Direct Effect on the Financial Statements
These could be other laws and regulations that the business
needs to comply with, and that could possibly result in material
effects if noncompliance was found.

The auditor should perform procedures to identify any
noncompliance with the applicable laws or regulations. Obtaining
an understanding of the applicable laws and regulations that
apply to the business being audited can lead to discovering
noncompliance in other areas of the audit.

Items that could be a possible sign of noncompliance:


• Irregular cash payments
• Sudden discontinued business segment
• Investigations by government agency
• Unauthorized transactions
• Unexplained payments to government employees

Accounting Estimates, Including Fair Value Estimates
Many significant parts of accrual accounting require estimates,
and because of the nature of estimates it’s a big area of attention
for an auditor. The more complex the estimate, the more room
there is for material misstatements.

For example, fair value estimates for financial instruments not
traded on an active market are complex estimates that can leave
a lot of room for error.

For accounting estimates, the auditor’s objective is to evaluate
whether accounting estimates are reasonable in the
circumstances.

When evaluating an entity’s accounting estimates, the auditor
should focus on estimates that are susceptible to bias.

The auditor evaluates estimates by gaining an understanding of
how management develops its estimates.

For evaluating fair value estimates, the best indicator of “fair
value” that the auditor can rely on is published prices in an active
market (such as stock prices).

The auditor is NOT required to engage a specialist for evaluating
management’s fair value estimates. The auditor may choose to do
so if the auditor doesn’t have the necessary skill and knowledge,
but it is not a required audit procedure.

The main things the auditor should do when evaluating a
significant estimate are:
• Determine whether management has applied the rules of the
reporting framework correctly
• Determine whether management has been consistent in its
methods for making the estimate

72
Copyright © 2019 SuperfastCPA.com
The specific procedures the auditor might perform are:
• Evaluate management’s assumptions used to make the
estimate
• Evaluate the methods of measurement used to make the
estimate
• Perform tests of controls on the controls used to make the
estimate, in addition to substantive testing

Related Parties and Related Party Transactions

Procedures to identify related party transactions include:


• Inquiry of management, or requesting a list of all related
parties to the entity
• Reviewing board minutes
• Inspecting large, unusual transactions. This would be
something like seeing a large note payable with a 1%
interest rate
• Reviewing confirmations on large balances

All related party transactions need to be disclosed as such, and
the auditor should perform procedures to understand the business
purpose and financial statement effect of these transactions.

The auditor’s main focus once related party transactions are
identified is adequate disclosure by management.

Performing Further Procedures and Obtaining Evidence

Understanding Sufficient Appropriate Evidence


When evaluating whether audit evidence is “sufficient” and
“appropriate”, there are some key things to understand:

“Sufficient” relates to the quantity of audit evidence obtained. The
quantity needed is based on the assessed levels of risk, and the
quality of the evidence gathered.

“Appropriate” relates to the quality of the audit evidence obtained.
When it comes to the quality of evidence, here are some
considerations:
• Audit evidence is highly reliable when it is obtained from
independent sources outside the entity, such as
confirmations
• When audit evidence is obtained internally from the client
being audited, it is more reliable if the auditor can rely on the
controls pertaining to the evidence
• Evidence obtained by the auditor directly is higher quality
than evidence obtained indirectly: Example would be
observing controls operating effectively vs asking an
employee if they perform the control
• Audit evidence in hard copy is more reliable than evidence
conveyed orally: looking at a document vs someone telling
you something happened
• Evidence on original documents is much higher quality than
a copy of a document

Again, the assertions come into play: When auditing a balance or
class of transactions, you can use the assertions to evaluate what
type of testing would produce reliable audit evidence.

For the listing of a company’s inventory, evaluate the “existence”
assertion: picking a sample of items from the listing and then
going and looking at them in person to verify they exist.

Sampling Techniques
In auditing there is attribute sampling for tests of controls (Does
every purchase order have the right signature?), and variables
sampling for substantive testing.

Attributes Sampling
Attribute sampling is the type of test used to perform a “test of
controls”. With attribute sampling, the auditor is looking at
transactions to determine if a control was either performed or not
performed.

First step is to identify what the objective of the test is, such as
testing the population of cash disbursements for proper
authorization.

Then the auditor defines what a “deviation” is based on the test,
such as a disbursement that wasn’t properly authorized.

Then the auditor defines and acquires the population, such as all
cash disbursements during the year.

Then the auditor chooses the sampling method:


• Either statistical sampling which is usually random number
(best approach) or systematic (every 20th transaction for
example)
• OR judgmental sampling such as haphazard (arbitrarily
selecting transactions just by looking at the population)
• The auditor then chooses a sample size. The sample size
will be based on AICPA tables and will be provided in
questions on the exam

Once the sample is selected, the transactions are tested, and any
deviations are identified.

Then the auditor can calculate the deviation rate. For example, if
the sample size was 20 and 1 deviation was found, the deviation
rate is 1 in 20 or 5%.

The auditor determines a “tolerable deviation rate” which just
means how many errors can be found and still rely on the internal
control. A “confidence interval” for the achieved upper precision
limit is calculated based on the deviations observed. Again, tables
are used for this.

Then the upper precision limit is compared to the deviation rate.
The internal control can only be relied on if the deviation rate is
less than or equal to the stated tolerable rate.

The auditor then decides if any other factors have implications on
the decision to rely on the control or not. If not, and the deviation
rate is lower than the tolerable rate, the auditor will determine that
the control can be relied on.

Population size has little to no effect on the sample size. This is
counterintuitive, but the tables for sample size are based on an
assumption of very large populations, so a change in population
size has very little impact on the sample size. You will see
questions about this.

Formula for accept/modify questions:


• The ‘sample error rate’ is the number of deviations actually
found in a sample. So, 3 deviations in 100 is a sample error
rate of 3%.
• You then ADD the ‘allowance for sampling risk’ rate to the
‘sample error rate’ to get your ‘upper error limit’. If the
allowance for sampling risk is 2%, you add this to the sample
error rate found, which would give you a 5% upper error limit
in this example.
• Then compare this to your tolerable rate. If the tolerable rate
was 5%, you can rely on the internal control in this example.
If the tolerable rate was 4%, then you need to “modify the
planned level of control risk”, which means you cannot rely
on the internal control.

Variables Sampling
Variables sampling is used for substantive testing of populations,
usually to test an ending balance in an account.

The steps are essentially the same as listed above for attribute
sampling, except that since transactions in variables sampling will
be dollar amounts, the auditor tests all transactions that are
individually material. These amounts are not being sampled…
they are tested 100%, so they and their amounts are not
considered part of the population being sampled.

You probably don’t need to know how to manually calculate a
sample size, but you should know these elements of general
statistics:
• n is the sample size
• SD represents the estimated standard deviation for the
population
• Z is the Z-coefficient, the measure of reliability (confidence
interval)
• N is the size of the population
• A is the ‘allowance for sampling risk’

The basic formula is:

Other concepts

Stratification: This is separating a population into groups of
transactions that are similar, such as all transactions over a
certain dollar amount. Stratifying a population can decrease
sample size.

Remember that falsely concluding that a material misstatement
does not exist based on a sample is “incorrect acceptance”. This
is a “type 2 error”.

An increase in ‘tolerable misstatement’ would decrease the
sample size, and vice versa. In other words, if more mistakes are
allowed, the sample size can be smaller. If fewer mistakes are
allowed, a larger sample needs to be tested to gain assurance that
a lower number of mistakes exists.

If the ‘assessed level of control risk’ increases, then the sample
size needs to be larger, and vice versa. This means if an auditor
thinks a population has a high risk of material misstatement, then
the sample size will be larger.

Performing Specific Procedures to Obtain Evidence

Analytical Procedures
Analytics are evaluations of financial information based on
relationships among both financial data and non-financial data.
This can involve trends, comparing this year’s balances to last
year’s, ratios, etc.

Analytics are used in 3 ways:


• They’re used in the planning stage for risk assessment
• They can be used as a substantive procedure, but it’s not
required
• They are used at the end of the audit to form an overall
conclusion about whether the financial statements are
consistent with the auditor’s understanding of the entity

Remember that analytics are required in the planning and review
stage, and that the auditor’s “expectation” is the key to the
analytics process.

Analytics and Assertions


When deciding how to use analytics to test an assertion, there are
a few factors to consider:
• Does the nature of the assertion lend itself to analytical
procedures?
• Is there a plausible and predictable relationship?
• Is the data used to develop the expectation reliable?
• Is the expectation precise?

Some assertions can be tested solely through analytics, and
some might require a combination of analytics and tests of details,
and some might not be a good fit for analytics.

For example, transactions subject to management discretion
might not have a predictable relationship with what happened the
previous year or even month to month, so tests of details might
provide more reliable audit evidence for an assertion such as
cutoff.

Developing Expectations
There are 5 factors used to develop an expectation:
• Comparable information from a prior period
⁃ If sales had increased by similar percentages in the
past 3 years, you’d expect a proportionate increase in
the current year
• Anticipated results of the entity from budgets or forecasts
⁃ If management forecasted sales of $50,000 at the
beginning of the year, auditor would expect sales to be
close to $50,000
• Similar industry information such as ratios compared to
industry averages
⁃ Gross margin percentage compared to its industry
averages
• Relationship between elements of financial information
⁃ If sales increased a certain percentage, a similar
increase in accounts receivable would be expected
• Relationships between financial and non-financial
information
⁃ Payroll costs compared to the number of employees

Analytics in the Planning Stage
In the planning stage, the auditor will use high-level analytics,
such as looking at quarterly reports or unaudited financial
information provided by the client and making analytical
comparisons as a starting point for identifying areas to take a
closer look at. An example would be comparing the current year’s
sales to prior year’s sales for any significant changes.

The focus in the planning stage is to use analytics to enhance the
auditor’s understanding of the business and the transactions that
have happened since the last audit.

Analytics and Forming Overall Conclusions


A wide variety of analytical procedures may be used when
forming an overall conclusion. These procedures may include
reading the financial statements and considering the adequacy of
the evidence gathered in response to unusual or unexpected
balances identified during the course of the audit and unusual or
unexpected balances or relationships that were not previously
identified. Results of these analytical procedures may indicate
that additional evidence is needed.

In the review stage the analytics should be performed by a
manager or partner that has comprehensive knowledge of the
client’s business and industry.

External Confirmations
External confirmations are sent by the auditor to a third party, in
order to confirm a balance or transaction that they have or have
had with the company being audited. However, the auditor
controls the requests and responses, or it defeats the purpose of
trying to “confirm” with the third party. The whole idea is to take
the audit client out of the equation and ask the client’s customer
“is this balance correct?”

Confirmations best address the existence/occurrence assertion.

There are two types of confirmation requests:


• Positive confirmation: This type is asking for a response
whether or not the third party agrees on the amount on the
confirmation
⁃ If not enough responses are received, then the auditor
will perform alternate procedures
• Negative confirmation: This type only asks for a response if
the third party disagrees with the amount on the confirmation
⁃ No response is viewed as the third party “agreeing” to
the amount. Of course, there could be a lot of reasons
why someone doesn’t respond, so this type of
confirmation is less reliable than actual responses
received from positive confirmations

Alternate Procedures
For receivables the auditor would look at cash receipts to see if
the receivables were paid. For payables, the auditor would look at
cash disbursements to see if the client paid the invoices.

Inquiry of Management and Others
Inquiry is useful to gain an understanding of transaction flows and
to learn about how things work within an organization. On its own
however, it is poor audit evidence. What usually happens is the
auditor will inquire of management to gain an understanding first,
and then take that information into account as the auditor decides
how certain balances or transaction classes will be tested.

Observation and Inspection
“Tests of operating effectiveness of controls”, “control testing”, and
“relying on controls” all refer to testing a specific internal control by
reperforming the control, observing the control in action, or by
inspection, such as inspecting documents for indications that the
control has been performed.

Observation and Inspection


The test of controls would begin with inquiry: the auditor would
ask a key employee or management, “how is this control
supposed to work?”, then the employee explains the steps of a
process, such as what happens for a purchase order to get
approved. The auditor would document how the employee says
the control is supposed to work.

Then, the auditor would randomly select a number of transactions
that should have gone through the control being tested - such as
key signatures on approved purchase orders - and then find the
original documents and inspect them to see if each document
contains the required signatures.

If there were no deviations, then the auditor can “rely on controls”,
which reduces substantive testing. If more deviations are found
than the acceptable amount, then the auditor would conclude that
controls are weak, and it would require additional substantive
testing.

Recalculation and Reperformance
Reperformance is when the auditor re-executes a control or
procedure that was originally performed by an employee to see if
they get the same result. This can be done manually or through
computer-assisted techniques.

Recalculation is recalculating a figure to test for accuracy. A
common example is recalculating depreciation expense to verify
its accuracy.

All Other Procedures
“Other procedures” would be analytics, which can take many
forms. See the previous section on analytical procedures.

Specific Matters

Opening Balances
In an initial audit, the auditor needs to gain assurance that the
opening balances are fairly stated.
The procedures to test and evaluate opening balances include:
• Inquiry of management
• Reviewing records, accounting policies, and control
procedures to see if they were consistently applied
• Consulting with the predecessor auditor and with their
permission, reviewing their workpapers from the previous
audit
• Substantive testing of the balances if the auditor determines
that more evidence is needed to substantiate the opening
balances

Investments in Securities and Derivatives
The first step in considering the fair value measurement for
investments and derivatives used by management is to consult
the applicable accounting framework to see how the framework
measures fair value. Then, the auditor would evaluate
management’s measurement of fair value compared to the
measurement according to the applicable framework.

In some cases evaluating the fair value will be straightforward if
the investment has “observable” price data such as exchange-traded
prices or some other readily available data. This also
applies if the model for determining fair value is well-known or
generally accepted.

If quoted market prices aren’t available for the investment or
derivative, then estimates of fair value can usually be obtained
from a broker-dealer or other third-party source. The auditor
should understand the valuation model used, and the auditor
might obtain fair value estimates from multiple sources, especially
if the third party has a relationship with the client that could impair
its objectivity, or if the valuation model is based on highly
subjective assumptions.

Physical Observation of Inventory and Inventory Held by
Others
If inventory is material to the financial statements, the auditor
should obtain audit evidence of existence and the condition of
inventory by attending physical inventory counting being
performed by the employees.

The steps are:


• Evaluate management’s instructions and procedures for
recording and controlling the results of the entity’s physical
inventory counts
• Observe the employees performing the counts according to
said procedures
• Inspect the inventory
⁃ The auditor should be looking for inventory that seems
damaged or obsolete, and viewing the inventory in
person helps verify existence
• Perform test counts
⁃ Usually this involves choosing items from the inventory
listing and then finding them in the warehouse to see
that they exist, and then choosing some items at
random from around the warehouse and tracing them to
the inventory record to verify that they are included in
the listing correctly.
• Perform audit procedures on the final inventory records to
assess whether they accurately reflect the count results

Litigation, Claims, and Assessments
The procedures to identify litigation, claims, and assessments
involving the client being audited include:
• Inquiring of management and the client’s legal counsel and
obtaining a description and evaluation of any litigation,
claims, and assessments as of the date of the financial
statements
• Reviewing board meeting minutes or any documents
obtained from management regarding litigation or lawsuits
• Reviewing legal expense accounts and invoices from
external legal counsel

For actual or potential litigation, claims, or assessments identified,
the auditor will obtain evidence regarding:
• The period in which the cause for the legal action occurred
• The degree of probability of an unfavorable outcome
• The amount or range of potential loss

The attorney’s letter to the client’s external legal counsel serves
to corroborate the information provided by management regarding
any litigation, claims, or assessments.

The audit opinion will be modified if legal counsel refuses to respond
appropriately to the auditor’s letter of inquiry and the auditor can’t
gather sufficient audit evidence via alternative procedures, or if
management refuses permission to communicate with the
external legal counsel.

An Entity's Ability to Continue as a Going Concern
The factors that could cause substantial doubt about an entity’s
ability to continue as a going concern include:
• Negative financial trends such as recurring operating losses,
working capital deficiencies, negative cash flows, and other
adverse financial ratios
• Defaulting on loans, falling out of covenant on debt
obligations, denial of trade credit from suppliers, debt
restructuring, seeking new methods of financing, etc
• Work stoppages, labor disputes, dependence on the
success of a particular project, unsustainable long-term
commitments
• Legal proceedings or legislation that harm the ability to
operate, loss of key franchises or patents, loss of a principal
customer or supplier, catastrophes

When the auditor does have substantial doubt about a client’s
ability to continue as a going concern, the auditor is required to
consider the financial statement effects and evaluate the
adequacy of the disclosures of the possible inability to continue as
a going concern.

Accounting Estimates, Including Fair Value Estimates
This has been covered in previous sections. See “Accounting
estimates, including fair value estimates” and “Investments in
securities and derivatives”.

Misstatement and Internal Control Deficiencies
A misstatement is any difference between the amount,
classification, presentation, or disclosure of what’s reported on the
financial statements, and the amount, classification, presentation,
or disclosure of what is required in order to be in accordance with
the applicable accounting framework. In other words, differences
the auditors find in what management has on their financials and
what is correct.

Misstatements are accumulated as the audit progresses, and the
auditor evaluates whether the audit strategy needs to be changed
based on the misstatements found.

The auditor decides what amount is “clearly trivial”, and any
misstatements below this threshold are ignored and not
accumulated.

The auditor does NOT tell management the amounts for
materiality and what is trivial.

Differences between the auditor and management about
accounting estimates are not usually considered misstatements.
This is because judgment or “educated guessing” is involved.

However, management’s unreasonable accounting estimates for
something like the amount of bad debt allowance would be a
“judgmental misstatement”.

Misstatements should be communicated with management as
they are found, and management can either book the
adjustments, or if management refuses to make the adjustment,
the auditor needs to evaluate the effects of not making the
change on the financial statements.

The auditor needs to decide whether the uncorrected
misstatements are material, either individually or all added
together, based on their size and nature, and any effects of
uncorrected misstatements in prior periods.

Even if management makes the entry to book a misstatement, the
auditor still records all non-trivial misstatements found.

Written Representations
The auditor is required to obtain written representations from
management to corroborate management’s verbal responses to
important questions from the auditor.

This is called the “rep letter” or the representation letter. The date
of the rep letter should coincide with the date of the auditor’s
report.

It usually includes the following:


• That management is responsible for the fairness, internal
control, significant assumptions, and related party
transactions as they pertain to financial reporting and the
financial statements
• That any uncorrected misstatements are immaterial
• That the effects of any litigation or claims against the
company have been properly accounted for and disclosed
• That all relevant financial records were made available to the
auditor
• There was no fraud involving management or employees
with significant financial reporting responsibilities

Subsequent Events
Subsequent events are events that happen after the date of the
financial statements, but before the date of the auditor’s report.

Financial statements might be dated as Dec 31, 2014 and the
auditor’s report isn’t issued until March 2015. So it would include
any events that happened during that time.

2 types of subsequent events:


• Events that require adjustment: If the event provides better
information about conditions as of the balance sheet date, it
will be included
• Events that require disclosure: If the event doesn’t relate to
conditions as of the balance sheet date, but is still material, it
will be disclosed

The auditor’s responsibility for the audited financial statements
ends when the auditor’s report is issued, UNLESS the auditor
becomes aware of additional information that existed as of the
balance sheet date. If this happens, the auditor must evaluate
whether the information would affect the current report.

The main ways that the auditor reviews subsequent events are by
reading the latest interim financial statements, the latest board
minutes, inquiring with the client’s attorneys regarding any
pending litigations, or asking management specific questions.

Identifying Subsequent Events
The steps to identify possible material subsequent events:
• Obtaining an understanding of any procedures that
management has established to ensure that subsequent
events are identified
• Inquiring of management and, when appropriate, those
charged with governance about whether any subsequent
events have occurred that might affect the financial
statements
• Reading minutes, if any, of the meetings of the entity's
owners, management, and those charged with governance
that have been held after the date of the financial statements
and inquiring about matters discussed at any such meetings
for which minutes are not yet available
• Reading the entity's latest subsequent interim financial
statements, if any

Forming Conclusions and Reporting
Reports on Audit Engagements

Forming an Auditing Opinion & Modification of an Opinion


This is straight from AU-C 700 on forming an opinion:
The auditor should form an opinion on whether the financial
statements are presented fairly, in all material respects, in
accordance with the applicable financial reporting framework.

In order to form that opinion, the auditor should conclude whether
the auditor has obtained reasonable assurance about whether the
financial statements as a whole are free from material
misstatement, whether due to fraud or error.

The auditor should evaluate whether the financial statements are
prepared, in all material respects, in accordance with the
requirements of the applicable financial reporting framework. This
evaluation should include consideration of the qualitative aspects
of the entity's accounting practices, including indicators of
possible bias in management's judgments.

In particular, the auditor should evaluate whether, in view of the
requirements of the applicable financial reporting framework:
• the financial statements adequately disclose the significant
accounting policies selected and applied;
• the accounting policies selected and applied are consistent
with the applicable financial reporting framework and are
appropriate;
• the accounting estimates made by management are
reasonable;
• the information presented in the financial statements is
relevant, reliable, comparable, and understandable;
• the financial statements provide adequate disclosures to
enable the intended users to understand the effect of
material transactions and events on the information
conveyed in the financial statements; and
• the terminology used in the financial statements, including
the title of each financial statement, is appropriate.

The auditor should also evaluate whether the financial statements
adequately refer to or describe the applicable financial reporting
framework.

Remember the “Standards of Reporting”


• GAAP: The auditor states whether the financial statements
are “in accordance with GAAP”
• Consistency: The auditor points out what GAAP principles
have not been consistently applied in relation to the prior
period
• Disclosures: If the auditor determines the disclosures in the
financials are NOT adequate, the auditor needs to say so in
the audit report
• Opinion: The whole point of an audit is for the auditor to
render their opinion. Different types of opinions will be
discussed in a later section

Other key points:


• If unaudited statements from a prior period are presented along with
audited statements for comparative purposes, the unaudited
statements should be clearly marked,
⁃ AND, either the report on the unaudited financials
should be reissued, or the audited financials should
contain a separate paragraph describing the level of
responsibility assumed for the unaudited statements
• If the auditor thinks there is only a REMOTE chance of a
loss resulting from an uncertain matter, the auditor should
still issue an unmodified opinion

Types of Opinions

Unmodified Opinion
A “clean opinion”, meaning the auditor believes the financial
statements are fairly stated and comply with GAAP, results in an
“unmodified opinion”. This used to be called an “unqualified
opinion”.

Note: PCAOB audits use the term “unqualified opinion”.

So, a “modified” opinion means there’s something wrong with the
statements. There are 3 types of ‘modified opinions’:

Qualified Opinion
Two reasons for a qualified opinion:
• Presentation- the financial statements are misstated (GAAP
departure)
• Scope- the auditor was not able to get “sufficient appropriate
audit evidence”

What a qualified opinion really means is that the auditor is
expressing reservations about the financial statements, but that
they are still fairly stated because the scope limitation or
misstatement is not “pervasive”.

Pervasive means affecting multiple areas of the financial
statements.

Adverse Opinion
There’s only one reason for giving an adverse opinion:
When there are financial misstatements that are BOTH material
AND pervasive.

This means that there are misstatements that affect most areas of
the financial statements. The financial statements are misleading
because they are not fairly presented.

Disclaimer of Opinion
This happens when the auditor is unable to obtain sufficient
appropriate audit evidence, and the effects could be BOTH
material and pervasive.

So remember that a scope limitation happens for the same
reason, but on a lesser scale, which results in a qualified opinion.

But when the auditor can’t obtain audit evidence to the degree
that the effects could be both material and pervasive, the auditor
issues a ‘disclaimer of opinion’, which means the auditor is unable
to even give an opinion.

When a disclaimer of opinion is issued, it will have the heading
“Disclaimer of Opinion” and the paragraph makes it clear that no
opinion is being expressed, and there will also be a paragraph
with the heading “Basis for Disclaimer of Opinion” that explains
the reasoning for disclaiming an opinion.

Form and Content of an Audit Report (AICPA Standards)
You don’t need to be able to draft an audit report from memory,
but you should know the main sections of the audit report and
how they are changed for certain circumstances.

Here’s an overview of the key areas, in order of how they appear
on an audit report for a non-issuer
(the differences in a PCAOB report are included below):

Title
The title should be labeled “Independent Auditor’s Report”.

To
The report should be addressed to the board of directors of the
audit client, or as the circumstances of the audit dictate.

Introductory Paragraph
This paragraph should:
• Identify the entity whose financial statements have been
audited
• State that the financial statements have been audited
• Identify the title of each statement included in the financial
statements
• Specify the date or period covered by each financial
statement included in the financial statements

Management’s Responsibility Paragraph


Should include the heading “Management’s Responsibility for the
Financial Statements.”

The auditor's report should describe management's responsibility
for the preparation and fair presentation of the financial
statements. The description should include an explanation that
management is responsible for the preparation and fair
presentation of the financial statements in accordance with the
applicable financial reporting framework; this responsibility
includes the design, implementation, and maintenance of internal
control relevant to the preparation and fair presentation of
financial statements that are free from material misstatement,
whether due to fraud or error.

Auditor’s Responsibility Paragraph


Heading should say “Auditor’s Responsibility”.

The auditor's report should state that the responsibility of the
auditor is to express an opinion on the financial statements based
on the audit.

The auditor's report should state that the audit was conducted in
accordance with generally accepted auditing standards and
should identify the United States of America as the country of
origin of those standards. The auditor's report should also explain
that those standards require that the auditor plan and perform the
audit to obtain reasonable assurance about whether the financial
statements are free from material misstatement.

The auditor's report should describe an audit by stating that


• an audit involves performing procedures to obtain audit
evidence about the amounts and disclosures in the financial
statements.
• the procedures selected depend on the auditor's judgment,
including the assessment of the risks of material
misstatement of the financial statements, whether due to
fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity's preparation
and fair presentation of the financial statements in order to
design audit procedures that are appropriate in the
circumstances but not for the purpose of expressing an
opinion on the effectiveness of the entity's internal control,
and accordingly, no such opinion is expressed.
• an audit also includes evaluating the appropriateness of the
accounting policies used and the reasonableness of
significant accounting estimates made by management, as
well as the overall presentation of the financial statements.

In circumstances when the auditor also has a responsibility to
express an opinion on the effectiveness of internal control in
conjunction with the audit of the financial statements, the auditor
should omit the otherwise required phrase stating that the auditor's
consideration of internal control is not for the purpose of expressing
an opinion on the effectiveness of internal control, and accordingly,
no such opinion is expressed.

The auditor's report should state whether the auditor believes that
the audit evidence the auditor has obtained is sufficient and
appropriate to provide a basis for the auditor's opinion.

Opinion Paragraph
The heading should say “Opinion”.

When expressing an unmodified opinion on financial statements,
the auditor's opinion should state that the financial statements
present fairly, in all material respects, the financial position of the
entity as of the balance sheet date and the results of its
operations and its cash flows for the period then ended, in
accordance with the applicable financial reporting framework.

Signature of the Auditor
This can be the handwritten or printed signature of the auditor’s
firm.

Auditor’s Address
The auditor should name the city and state where the auditor
practices.

Date of the Auditor’s Report


Should be dated no earlier than the date on which the auditor has
obtained sufficient appropriate audit evidence on which to base
the auditor’s opinion on the financial statements.

Differences on a PCAOB (public company) Report


There are a few key differences on a PCAOB auditor’s report:
• The title will be “Report of the Independent Registered Public
Accounting Firm”
• Then the line that addresses the report, which says “To the
Board of Directors and Shareholder of ABC Company”
• There are 3 paragraphs within 2 sections, in this order:
⁃ The opinion paragraph with the heading: ‘Opinion on
the Financial Statements’. This makes up the first
section
⁃ After the opinion paragraph there is a heading that
says: ‘Basis for Opinion’, this is the second section
⁃ Under the ‘Basis for Opinion’ heading, there is a
paragraph describing management’s responsibility and
the auditor’s responsibility.
⁃ Then there is a “We conducted our audits in
accordance with the standards of the PCAOB”
paragraph.

⁃ Then there are the signatures:
⁃ The auditor’s signature
⁃ The auditor’s tenure (“We have served as the auditor
since 20XX”)
⁃ Auditor’s address
⁃ Date

• IF an audit of internal control was also conducted (integrated
audit), then the opinion paragraph would also reference the
audit of internal controls and the separate report on internal
controls

“Emphasis of Matter” Paragraphs


This is a paragraph that the auditor adds right after the opinion
paragraph to point out a matter that is crucial to the user being
able to understand the financial statements.

This would be something like the auditor doubting the firm’s ability
to continue as a going concern, the financials being prepared using
a special accounting framework, or a change in accounting principle.

The heading “Emphasis of Matter” must be used.

There can also be an “Other Matter” paragraph.

This will go after the opinion paragraph, or after the “Emphasis of
Matter” paragraph if there is one.

Use the heading “Other Matter”.

This would be about something that the auditor considers
relevant, but not crucial to the user’s understanding of the
financial statements.

Audit of Internal Control Integrated with Audit of Financial
Statements
Forming an Opinion of the Effectiveness of Internal Controls
in an Integrated Audit
Here are the considerations of forming an opinion on the
effectiveness of internal controls in an Audit of Internal Control
Over Financial Reporting (ICFR) integrated with an audit of the
financial statements:

The auditor should form an opinion on the effectiveness of ICFR
by evaluating evidence obtained from all sources, including
• the auditor's testing of controls for the ICFR audit,
• any additional tests of controls performed to achieve the
objective related to expressing an opinion on the financial
statements,
• misstatements detected during the financial statement audit,
and
• any identified deficiencies

As part of evaluating evidence obtained from all sources, the
auditor should review reports issued during the year by the
internal audit function (or similar functions) that address controls
related to ICFR and evaluate deficiencies identified in those reports.

In addition to evaluating the findings from the auditor's testing of
controls for the audit of ICFR, the auditor should evaluate the
effect of the findings of the substantive procedures performed in
the audit of financial statements on the effectiveness of ICFR.

This evaluation should include, at a minimum:
• the risk assessments in connection with the selection and
application of substantive procedures, especially those
related to fraud;
• findings with respect to noncompliance with laws and
regulations;
• findings with respect to related party transactions and
complex or unusual transactions;
• indications of management bias in making accounting
estimates and selecting accounting principles; and
• the nature and extent of misstatements detected by
substantive procedures

After forming an opinion on the effectiveness of the entity's ICFR,
the auditor should evaluate management's report, which will
accompany the auditor's report, to determine whether it contains
the following:
• A statement regarding management's responsibility for ICFR
• A description of the subject matter of the audit (for example,
controls over the preparation of the entity's financial
statements in accordance with accounting principles
generally accepted in the United States of America)
• An identification of the criteria against which ICFR is
measured
• Management's assessment about ICFR
• A description of the material weakness(es), if any
• The date as of which management's assessment about
ICFR is made

If the auditor determines that any required element of
management's report is incomplete or improperly presented, the
auditor should request management to revise its report.

The Auditor’s Report on the Audit of ICFR (AICPA Standards)
The report can be separate or combined with the opinion on the
financial statements.

The auditor's report on the audit of ICFR should be in writing and
should include the following elements:

The title states that the auditor is independent: “Independent
Auditor’s Report”.

An addressee as required by the circumstances of the
engagement, but usually to the “board of directors and
Shareholders of ABC Company”.

“Report on Internal Control Over Financial Reporting” Paragraph
An introductory paragraph that includes the following:
• Identification of the entity whose ICFR has been audited
• A statement that the entity's ICFR has been audited
• Identification of the as of date
• Identification of the criteria against which ICFR is measured

"Management's Responsibility for Internal Control Over
Financial Reporting" Paragraph
A section with the heading "Management's Responsibility for
Internal Control Over Financial Reporting" that includes the
following:
• A statement that management is responsible for designing,
implementing, and maintaining effective ICFR
• A statement that management is responsible for its
assessment about the effectiveness of ICFR
• A reference to management's report on ICFR

“Auditor’s Responsibility” Paragraph
A section with the heading "Auditor's Responsibility" that includes
the following:
• A statement that the auditor's responsibility is to express an
opinion on the entity's ICFR based on the audit
• A statement that the audit was conducted in accordance with
auditing standards generally accepted in the United States of
America
• A statement that such standards require that the auditor plan
and perform the audit to obtain reasonable assurance about
whether effective ICFR was maintained in all material
respects
• A description of the audit by stating that:
⁃ an audit of ICFR involves performing procedures to
obtain audit evidence about whether a material
weakness exists
⁃ the procedures selected depend on the auditor's
judgment, including the assessment of the risks that a
material weakness exists
⁃ an audit includes obtaining an understanding of ICFR
and testing and evaluating the design and operating
effectiveness of ICFR based on the assessed risk
• A statement about whether the auditor believes that the audit
evidence the auditor has obtained is sufficient and
appropriate to provide a basis for the audit opinion

“Definition and Inherent Limitations of Internal Control Over
Financial Reporting” Paragraph
A section with the heading "Definition and Inherent Limitations of
Internal Control Over Financial Reporting" or other appropriate
heading that includes the following:
• A definition of ICFR (the auditor should use the same
description of the entity's ICFR as management uses in its
report)

• A paragraph stating that because of inherent limitations,
ICFR may not prevent, or detect and correct, misstatements
and that projections of any assessment of effectiveness to
future periods are subject to the risk that controls may
become inadequate because of changes in conditions, or
that the degree of compliance with the policies or procedures
may deteriorate

“Opinion” Paragraph
A section with the heading "Opinion" that includes the auditor's
opinion on whether the entity maintained, in all material respects,
effective ICFR as of the specified date, based on the criteria.

Signature (not a heading)
The manual or printed signature of the auditor's firm.

City and State (not a heading)
The city and state where the auditor practices.

Date (not a heading)
The date of the auditor's report.

Other things to know:
• If the auditor issues a separate report on ICFR (such as the
report described above), meaning there will be separate
reports for the opinion on ICFR and the opinion on the
financial statements, then the auditor will add an “other
matter” paragraph to both reports that references the opposite
report. On the IC report, the paragraph heading would be
“Report on Financial Statements” and it would reference the
auditor’s report on the financial statements
• If there is a material weakness identified as part of the audit
of ICFR, then an adverse opinion will be issued, and the
report needs to contain the definition of a material weakness
(a deficiency or combination of deficiencies that produce the
possibility that a material misstatement of the financial
statements won’t be prevented, detected, or corrected on a
timely basis)

Differences on a PCAOB Report on Internal Controls

The main differences are:
• The title is “Report of the Independent Registered Public
Accounting Firm”
• The report is addressed “To the Board of Directors and
Shareholders of ABC Company”
• There are just 3 headings:
⁃ The opinion paragraph is the first paragraph and has the
heading “Opinion on the Internal Control Over the Financial
Reporting”
⁃ Then there is the basis for opinion section with the heading
“Basis for Opinion”
⁃ Then the section with the heading “Definition and Limitations
of Internal Control Over Financial Reporting”
• The report must be manually signed by the audit firm
• The auditor’s tenure must also be listed on the report on
internal controls, usually in the signatures section that states
“We have served as ABC’s auditor since 20XX”

Reports on Attestation Engagements

General Standards for Attestation Reports
To refresh on these engagement types, refer to the “Non-Audit
Engagements” section.

Examination Reports
The opinion is whether the subject matter is in accordance with
the criteria in all material respects, or if the assertion is fairly
stated in all material respects.

The report (needs to be in writing) should express an opinion on
the written assertion or an opinion directly on the subject matter.

The opinions can vary and are the same “opinions” that would be
issued for an audit, such as unmodified, qualified, adverse, or a
disclaimer of opinion.

Review Reports
The auditor concludes whether any material modifications should
be made to the subject matter or the responsible party’s
assertion. The (written) report should state the conclusion on the
subject matter or the assertion.

Specifically in a review engagement under the attestation
standards, if there is a material but not pervasive misstatement, it
results in a “modified conclusion”.

If there are material and pervasive misstatements, then the
auditor should withdraw from the engagement.

Agreed-Upon Procedures Reports
These engagements need to have the “agreed upon procedures”
outlined in the engagement letter, and then the auditor’s report
will identify the procedures performed and the conclusions
reached (or findings).

The report will include the statement: “this agreed upon
procedures engagement was conducted in accordance with
attestation standards established by the American Institute of
Certified Public Accountants”.

A report on an AUP engagement doesn’t state an opinion; it just
reports the procedures performed and the findings based on the
procedures.

There will also be a paragraph limiting the distribution of the
report to specified parties.

Reporting on Controls at a Service Organization
A service organization is an entity that provides services to user
entities which are likely to be relevant to the user entities’ controls
over financial reporting, such as a payroll service.

A service auditor is an auditor that reports on the controls at a
service organization and issues either a “Type 1” or a “Type 2”
report. Auditors of other entities that use that service
organization use these reports in their audits, since the controls
of the service organization are relevant to their client’s controls.

Example: Paul audits ABC corp, and ABC uses DEF for payroll
services. Ben is a service auditor and reports on the controls at
DEF, so Paul obtains a Type 2 report from Ben to use in his audit
of ABC, since DEF’s controls are relevant to ABC’s controls.

Service Auditor’s Reports
Type 1 reports contain an opinion on whether management’s
description is presented fairly and on the suitability of the design
of controls at the service organization.

Type 2 reports are the same as a Type 1 report, but they also
report on the operating effectiveness of the controls at the service
organization. Because of this, if an auditor at a user entity is going
to rely on the operating effectiveness of the controls at the service
organization, they’ll need a Type 2 report.

The service auditor will modify their opinion if:
• Management’s description isn’t fairly presented in all
material respects
• The controls are not suitably designed
• The controls didn’t operate effectively throughout the
specified period (Type 2 report)
• The service auditor couldn’t gather sufficient appropriate
evidence

Accounting and Review Service Engagements

Preparation Engagements
Preparation of financial statements: this is what it sounds like.
The accountant takes the information from management and
prepares the financial statements. A preparation is a nonattest
service.

The accountant does NOT have to be independent for this type of
engagement.

There should be an engagement letter that outlines
management’s responsibilities & the accountant’s responsibilities.

Each page of the financial statements should include a statement
that no assurance is provided.

Compilation Reports
A compilation is basically assisting management to draft the
financial statements, without providing ANY level of assurance. It
is an attestation engagement but NOT an assurance
engagement. Also, a compilation can be performed for
prospective or pro-forma information in addition to historical
financial statements.

An auditor does NOT have to be independent to do a compilation
for a client since no assurance is provided. BUT, if the auditor is
not independent, the accountant should disclose this fact in the
compilation report.

Compilation Report
The compilation report is one paragraph. It states that the
accountant performed the compilation in accordance with
SSARSs issued by the ARSC of the AICPA. It also includes a
disclaimer that the financial statements have not been audited,
and that the accountant has compiled the financial statements
and is not issuing an opinion or conclusion nor providing any
assurance on the statements.

Remember that no procedures whatsoever are performed on the
data in a compilation. The auditor is expected to understand the
client and the client’s industry, but no audit procedures of any kind
are performed since no assurance is being provided.

Review Reports
A review is an assurance engagement & an attestation
engagement that provides “limited assurance” that there are no
material modifications that should be made to the financial
statements. For a review, the auditor must be independent.

The basics of a review are:
• Possess knowledge of a client’s industry
• Apply analytical procedures
• Perform inquiries of management
• Obtain a representation letter

Each page of an entity’s financial statements that have been
‘reviewed’ should include the reference “See Accountant’s Review
Report”.

In a review engagement, the auditor is NOT required to obtain an
understanding of internal controls.

The Review Report
The basic elements of the report are:

Title
The accountant's review report should have a title that clearly
indicates that it is the accountant's review report and includes the
word independent. An appropriate title would be "Independent
Accountant's Review Report."

Addressee
The accountant's report should be addressed as required by the
circumstances of the engagement.

Introductory Paragraph
The introductory paragraph in the accountant's report should:
• identify the entity whose financial statements have been
reviewed;
• state that the financial statements have been reviewed;
• identify the financial statements that have been reviewed;
• specify the date or period covered by the financial
statements;
• include a statement that a review includes primarily applying
analytical procedures to management's (owners') financial
data and making inquiries of company management
(owners); and
• include a statement that a review is substantially less in
scope than an audit, the objective of which is the expression
of an opinion regarding the financial statements as a whole,
and that, accordingly, the accountant does not express such
an opinion.

Management's Responsibility for the Financial Statements
A statement that management (owners) is (are) responsible for
the preparation and fair presentation of the financial statements in
accordance with the applicable financial reporting framework and
for designing, implementing, and maintaining internal control
relevant to the preparation and fair presentation of the financial
statements.

Accountant's Responsibility
A statement that the accountant's responsibility is to conduct the
review in accordance with SSARSs issued by the AICPA.

A statement that those standards require the accountant to
perform the procedures to obtain limited assurance that there are
no material modifications that should be made to the financial
statements.

A statement that the accountant believes that the results of his or
her procedures provide a reasonable basis for his or her report.

Results of Engagement
A statement that, based on his or her review, the accountant is
not aware of any material modifications that should be made to
the financial statements in order for them to be in conformity with
the applicable financial reporting framework, other than those
modifications, if any, indicated in the report.

Signature of the Accountant
The manual or printed signature of the accounting firm or the
accountant as appropriate.

Date of the Accountant's Report
The date of the review report (the accountant's review report
should not be dated earlier than the date on which the accountant
has accumulated review evidence sufficient to provide a
reasonable basis for concluding that the accountant has obtained
limited assurance that there are no material modifications that
should be made to the financial statements in order for the
statements to be in conformity with the applicable financial
reporting framework).

Reporting on Compliance
If a CPA is engaged to provide assurance on whether or not an
entity is in compliance with applicable laws, regulations, or
financial requirements of some kind, the engagement can either
be an examination or an “agreed upon procedures” engagement.

Management accepts responsibility for compliance with the
specified requirements.

The CPA should obtain an understanding of the specified
requirements.

For an examination engagement, the end result is an examination
report where the CPA expresses an opinion on whether
management complied with the specified requirements.

For an agreed upon procedures engagement, the CPA applies
procedures set by the specified parties to evaluate compliance
with the specified requirements. The report will list the
requirements, and then the procedures performed and the
findings as a result of the procedures.

Other Reporting Considerations

Comparative Statements and Consistency Between Periods
A few items that would affect the consistency of the financial
statements between periods are:
• A change in accounting principle
• A change in the reporting entity
• Correction of a material misstatement in previously issued
statements
• A change in classification, such as what things are called on
the balance sheet. Unless material, it doesn’t need to be
mentioned in the audit report

Any of the above changes that are material would be mentioned
in an “emphasis of matter” paragraph in the audit report. There
are other rules for changes in accounting principle that are
covered in FAR.

Comparative Financial Statements
Like the changes above, when there is a change in the
comparative financial information from a prior period, the auditor
will add either an “emphasis of matter” or an “other matter”
paragraph depending on the situation.

Some common examples are:
• The opinion on previously issued statements changes. An
emphasis of matter paragraph would describe the reasons
for the change, the date of the previous report, the opinion
previously expressed, and that the updated opinion differs
from the original opinion

• If prior period statements are not audited. An “other matter”
paragraph would be added to the audit report that describes
what service was performed in the previous period (review,
compilation, etc), and a statement that the service was less
in scope than an audit and that no opinion was issued on the
previous financial statements

Other Information in Documents with Audited Statements
“Other information” that can be included with audited financial
statements includes:
• Material inconsistencies
• Material misstatements of fact
• Financial summaries or highlights
• Employment data
• Financial ratios
• Planned capital expenditures
• Names of officers and directors

If applicable, the auditor can use an “other matter” paragraph to
disclaim an opinion on the “other information” included with the
financial statements.

Review of Interim Financial Information
An engagement on interim financial statements is a review, and it
consists primarily of analytics and inquiry.

The financial statements produced as part of a review should
make clear on each page that they are unaudited.

The end result is the CPA stating that there are no material
modifications needed to be in accordance with the applicable
framework.

The report on an interim review contains:
• Intro paragraph stating the statements have been reviewed
• Paragraph of management’s responsibility
• Paragraph of auditor’s responsibility
• A conclusion paragraph
⁃ If no material modifications are needed, then this
paragraph states “Based on our review, we are not
aware of any material modifications that should be
made to the accompanying interim financial information
for it to be in accordance with (applicable framework).”
• Contains auditor’s signature, city and state, and the date of
the report

Supplementary Information
If the auditor is engaged to determine whether supplementary
information is fairly stated in relation to the financial statements,
the phrase is that the supplementary information is fairly stated “in
all material respects in relation to the financial statements as a
whole”.

If the auditor is auditing supplementary information, the materiality
levels used are the same as what was used for auditing the
financial statements.

Required supplementary information is information that a
“designated standard-setter” has required to accompany the basic
financial statements.

The auditor is NOT required to “audit” supplementary information
but applies “certain limited procedures” to it and reports any
deficiencies in the information.

Single Statements
The auditor can express an opinion on a single statement, such
as just the balance sheet, if access to the underlying information
is not limited. This means the auditor still has to obtain ‘sufficient
appropriate audit evidence’, which would mean they look at more
than just the balance sheet.

If the auditor is engaged to report on financial data that are
included in client-prepared information that contains audited
financial statements, in the auditor’s report they should refer to
the report issued on the audited financial statements.

Special-Purpose and Other Country Frameworks
Financial Statements Prepared Using Another Country’s
Framework
The main responsibility of the auditor in this situation is to
understand the accounting principles that are generally accepted
in the other country, or the applicable framework, and then
evaluate if the financial statements were prepared in accordance
with that framework.

Special Purpose Frameworks
Special purpose frameworks are other reporting frameworks
besides GAAP such as cash basis, tax basis, a regulatory basis,
or a contractual basis.

The auditor’s report should describe the purpose of the financial
statements or refer to the note in the financials that describes the
reporting framework (why they are in another framework besides
GAAP).

This is done in an ‘emphasis of matter’ paragraph, or an ‘other
matter’ paragraph.

A common question type on the AUD exam is what an auditor
should do if the statements are not “appropriately titled”, and the
answer is that the auditor should disclose their reservations on
the audit report and qualify the opinion. This just means that with
certain reporting frameworks, the financial statements have
certain titles other than just “balance sheet” or “income statement”
and the auditor has to make sure they are titled according to the
framework they’re using.

Letters for Underwriters and Filings with the SEC
These letters (comfort letters) are given to underwriters as part of
the due diligence process to provide the underwriter with
“reasonable grounds to believe there are no material omissions or
misstatements in financial statements related to a securities
offering”.

They are addressed to the client’s underwriter, and they are
signed by the independent auditor.

Comfort letters do NOT address internal controls.

Comfort letters provide negative assurance on whether unaudited
financial information complies with GAAP.

A comfort letter provides an opinion as to whether the audited
financial statements comply in form with the accounting
requirements of the SEC.

Alerts that Restrict the Use of Written Communication
The auditor's written communication should include an alert, in a
separate paragraph, that restricts its use when the subject matter
of the auditor's written communication is based on:
• measurement or disclosure criteria that are determined by
the auditor to be suitable only for a limited number of users
who can be presumed to have an adequate understanding of
the criteria,
• measurement or disclosure criteria that are available only to
the specified parties, or
• matters identified by the auditor during the course of the
audit engagement when the identification of such matters is
not the primary objective of the audit engagement
(commonly referred to as a by-product report)

The alert that restricts the use of the auditor's written
communication required should:
• state that the auditor's written communication is intended
solely for the information and use of the specified parties.
• identify the specified parties for whom use is intended. In
situations covered by paragraph .06c, the specified parties
should only include management, those charged with
governance, others within the entity, the parties to the
contract or agreement, or the regulatory agencies to whose
jurisdiction the entity is subject, as appropriate in the
circumstances
• state that the auditor's written communication is not intended
to be and should not be used by anyone other than the
specified parties

Additional Reporting Requirements Under Gov Auditing Standards
GAO Audits and Reporting on Internal Controls
Financial statement audits performed under the GAGAS require
reporting on internal control and compliance with laws,
regulations, and agreements.

Reporting on Internal Controls and Compliance
The report should describe the scope of the testing performed on
the internal controls and compliance with applicable laws and
regulations. Assurance over internal controls isn’t provided, but
the report states whether the tests performed provided sufficient
and appropriate evidence to support the opinion on internal
control and compliance.

The auditor should report any significant deficiencies or material
weaknesses in internal control, any fraud discovered, or any
noncompliance with applicable laws or regulations that would
have a material effect on the financial statements.
