Non-Issuer Audits
These are non-public companies, and audits of non-issuers are
subject to the clarified auditing standards (AU-Cs) issued by
the Auditing Standards Board (ASB).
Copyright © 2019 SuperfastCPA.com
Objective of the Independent Auditor According to AS 1001
The objective of the ordinary audit of financial statements by the
independent auditor is the expression of an opinion on the
fairness with which they present, in all material respects, financial
position, results of operations, and its cash flows in conformity
with generally accepted accounting principles. The auditor's
report is the medium through which he expresses his opinion or, if
circumstances require, disclaims an opinion. In either case, he
states whether his audit has been made in accordance with the
standards of the PCAOB. These standards require him to state
whether, in his opinion, the financial statements are presented in
conformity with generally accepted accounting principles and to
identify those circumstances in which such principles have not
been consistently observed in the preparation of the financial
statements of the current period in relation to those of the
preceding period.
Assertions
The “assertions” are key to the whole audit process. The
assertions are the underlying claims made by management about
the financial statements. When management gives the auditor
their listing of PP&E for example, management is essentially
making the “claim”, or assertion, that the items on that list actually
exist, that the list is complete (nothing left out), that the business
actually owns the items listed, and that the values of the items are
listed correctly. The auditor then assesses the risk of material
misstatement based on these assertions and performs audit
procedures. That’s how the audit works in a nutshell.
It helps a LOT to just “think” about the meaning of the words,
especially in the context of the question being asked. For
example, “completeness” … this includes procedures or tests to
determine if a population is complete, or if everything has been
included that should be included.
Audits Under GAO and Government Auditing Standards
The GAO issues Government Auditing Standards (Yellow Book) -
also referred to as GAGAS (generally accepted government
auditing standards) - and these standards apply to audits
involving federal government programs or activities, or other
entities that receive federal funds.
In a government audit, the auditor is required to report any fraud
or illegal acts to outside authorities IF:
• Management fails to report the information as required by
law,
• OR, if management fails to take timely action to respond to
the fraud or illegal act
Single Audits
State and local government agencies that spend at least
$750,000 in federal funding must get a “single audit”.
The point of a single audit is to verify that federal funds have been
spent according to the programs the funds were received for.
Materiality for single audits is determined separately for each
major federal financial assistance program.
Non-Audit Engagements
For non-audit engagements, there are basically two categories:
SSARs or “Statements on Standards for Accounting
and Review Services”
These standards apply to “reviews”, “compilations”, and now
“preparation of financial statements”.
The compilation report explicitly states that the financial
statements have not been audited, and that the accountant has
compiled the financial statements.
Examinations
These are fairly in-depth engagements where the CPA ultimately
obtains reasonable assurance about the subject matter being
fairly stated or in accordance with applicable criteria (that it is
what it says it is). It differs from an audit in that it’s not dealing
with historical financial statements. A report is issued that
provides the CPA’s opinion as to whether the subject matter
conforms to the criteria.
Ethics & Independence
Along with that, CPAs should not only be competent with the
professional services they provide, they should also cooperate
with other CPAs to improve the accounting profession.
As far as gifts from clients go, the 2 things to keep in mind are:
• Gifts from clients cannot violate the client’s laws or
regulations, OR the CPA’s laws or regulations
• Even if a gift isn’t explicitly violating any laws, it still needs to
be “reasonable under the circumstances”
Outsourcing professional services requires the notification and
approval of the client. If the client doesn’t want any of their
services outsourced, the CPA should either not outsource the
work, or not accept the engagement in the first place.
Also, client records are owned by the client and must be returned
to the client upon request, even if the CPA has not been paid yet.
Schedules or workpapers that the CPA has prepared do NOT
need to be returned to the client if the client has not paid.
Failure by a CPA to pay their own income tax is considered an act
discreditable to the profession.
The only times a CPA should provide confidential client
information to another party are:
• A review of the CPA’s professional practice by the state CPA
society
• An inquiry from the professional ethics division of the AICPA
• The potential buyers of a CPA firm can view client records,
but before the records are actually turned over to the new
buyers, the client must give permission
• A court-ordered subpoena
⁃ (A mere request or letter from the SEC or IRS does
NOT count, and the CPA should never provide client
information until there is an actual court-ordered
subpoena)
Independence Rules
An audit firm can lease office space from an attest client as long
as the operating lease is on normal terms and all amounts are
paid on time and in accordance with the terms of the lease.
Requirements of SEC and PCAOB
SEC Rules
The rules from the SEC for independence and professional
conduct are very similar to the AICPA rules.
PCAOB Rules
SOX created the PCAOB to govern public company audit firms
and create standards for such audits.
Specific rules you might see a question on:
• Any kind of contingent fee charged to an audit client impairs
independence
• Members of the audit firm impair their independence if they
perform any tax service to a person in a financial reporting
oversight role from the audit client
• Tax consulting services can be performed for a public
company audit client if it is pre-approved by the client’s audit
committee. The CPA firm is required to describe the scope
and compensation for the service, discuss it with the audit
committee, and document the discussion
• Other non-audit services can be approved in this same way,
except for consulting related to internal controls over
financial reporting
Requirements of the GAO and the DOL
GAO Standards
Again, these are very similar to the AICPA code of professional
conduct.
Department of Labor Rules
The DOL rules in this context mostly deal with the audit of
employee benefit plans under ERISA.
Like with the other rules, the big overriding rule is that auditors
must be independent. The two broad categories that would impair
independence are financial (having a direct financial interest in an
entity to be audited) and employment ties to a plan sponsor.
Terms of Engagement
Preconditions for an Engagement
The preconditions for an audit are:
• Determine whether the financial reporting framework to be
applied is acceptable
• Obtain an agreement of management that it acknowledges
and understands its responsibility:
⁃ for the preparation and fair presentation of the financial
statements in accordance with the applicable reporting
frameworks
⁃ for the design, implementation, and maintenance of
internal control relevant to the preparation and fair
presentation of financial statements that are free from
material misstatement, whether due to fraud or error
⁃ to provide the auditor with
⁃ access to all information, documents, records, etc.
that is relevant to the preparation of the financial
statements
⁃ additional information that the auditor may request
for purposes of the audit
⁃ unrestricted access to persons within the entity
from whom the auditor determines it necessary to
obtain audit evidence
Terms of Engagement and Engagement Letter
The auditor needs to agree with management to the terms and
only accepts the engagement if the preconditions for an audit
exist and an understanding of the terms is agreed to by the
auditor and management (or those charged with governance).
Requirements for Engagement Documentation
The overriding idea behind audit documentation is to compile
documentation to the point that an experienced auditor that had
no previous connection with the audit could look through the
documentation and understand:
• the nature, timing, and extent of audit procedures performed
• the results of the audit procedures performed, and the audit
evidence obtained
• significant findings or issues discovered during the audit, the
conclusions reached, and significant professional
judgements made in reaching those conclusions
The auditor should document the report release date in the audit
documentation, and the final audit file should be assembled no
later than 60 days after the report release date. The retention
period for the final audit file should not be less than 5 years from
the report release date. The auditor should adopt reasonable
procedures to maintain the confidentiality of the client information.
Communication with Management & Those
Charged with Governance
Internal Control Related Matters
The auditor should communicate in writing any significant
deficiencies or material weaknesses in internal control to
management or those charged with governance. This
communication should be provided by the audit report date and
not later than 60 days after the report release date.
control and that there could be other deficiencies in
internal control that weren’t identified
All Other Matters
There are many items that would require communicating to
management or those charged with governance besides the
scope of the audit or internal control deficiencies, such as:
• Significant misstatements discovered by the auditor but
corrected by management
• Disagreement with management on significant issues that
could affect the financial statements
• Management’s consultations with other accountants
regarding significant accounting matters
• Any significant difficulties in dealing with management in
performing the audit such as not making key information
available to the auditor
Communication with Component Auditors and Others
When a group of businesses is being audited, it is a “group audit”.
It’s common in a group audit to use component auditors, who will
gather audit evidence for the group audit.
A Firm's System of Quality Control
Statements on Quality Control Standards (SQCSs)
These are statements issued by the AICPA’s Auditing Standards
Board.
They apply to everything about accounting and auditing
engagements and provide guidelines for implementing a quality
control system.
⁃ Needs to provide elements to support consistency of
engagement performance, supervision, and review
functions
• Monitoring: meaning ongoing quality control efforts
⁃ Ongoing review of the QC procedures to ensure that
they are appropriate, relevant, and operating effectively.
Assessing Risk and Developing a Planned
Response
Planning an Engagement
Developing a Detailed Engagement Plan
Developing a detailed engagement plan involves doing a risk
assessment and obtaining an understanding of the entity and its
environment, and if applicable, this is done while
comparing/contrasting to the previous year’s engagement.
Audit Planning
The point of audit planning is to plan the audit so that it will be
performed effectively.
The engagement partner and other key members of the audit
team should be the ones involved in planning.
The auditor needs to determine if the audit will require the work of
a specialist. This could be appraisers, tax specialists, IT
specialists, valuation experts, or others.
Materiality
Materiality means an amount that if missing or misstated on the
financials would likely lead a reasonable person to be influenced
to make a different decision than if the amount had been correct.
Audit Risk
This is the risk or probability that the auditor expresses a clean
opinion when there is actually a material misstatement in the
financial statements.
The auditor’s responsibility is to plan and perform the audit in a
way that obtains “reasonable assurance” that any material
misstatements are detected. Reasonable assurance is a high
level of assurance, which in turn provides a low level of audit risk.
Audit Risk = IR x CR x DR
Inherent Risk: This is the risk of misstatement due to error or
omission as a result of factors other than the failure of internal
controls.
Detection Risk: The risk that the auditors fail to detect a material
misstatement in the financial statements.
Analytical Procedures
These are evaluations of financial information based on
relationships among both financial data and non-financial data.
This can involve trends, comparing this year’s balances to last
year’s, ratios, etc.
Detecting Fraud
This will be asked in many forms on the exam, so the key words
to remember are that an audit provides REASONABLE assurance
that material errors or fraud will be detected.
Also, audit procedures that are effective for detecting an
unintentional misstatement still might not be able to detect an
intentional misstatement (fraud) when collusion is involved.
Types of Fraud
There is fraudulent financial reporting, and there is
misappropriation of assets (actually physically stealing cash or
inventory).
Management Override of Internal Controls
One of the biggest risk factors for fraud is when management
overrides the internal controls.
When does the auditor report fraud to an outside party?
• When a subpoena has been issued
• When an SEC client is changing auditors
• As required by government auditing standards
• When an auditor has been authorized to communicate with
the preceding auditor
Understanding an Entity and Its Environment
Internal Factors Including Nature of Entity, Risk Strategy
Internal factors the auditor should consider:
• Nature of operations
• Ownership and governance structure
• What type of investments the entity is making
• How the entity is structured and financed
• How the entity selects accounting policies and if they are
appropriate to its industry
• The entity’s objectives and strategies and related business
risks involved
Understanding an Entity's Internal Control
For accounts that are immaterial, AND have a low inherent risk,
the auditor does NOT need to perform procedures to evaluate
internal controls.
Sometimes an auditor will make a flowchart to document a client’s
accounting system, and this depicts the auditor’s understanding of
the system.
Preliminary Evaluation
The auditor first considers the adequacy of controls, or the
“design effectiveness”, which is how effective they are on paper.
Consider any errors that could occur with the controls, and any
kinds of procedures that could prevent or detect these errors.
Then evaluate the implications of any weaknesses identified.
If the auditor is NOT going to rely on controls, then the audit plan
will be “wholly substantive”, which means the auditor will test the
account through substantive procedures and will not rely on the
internal controls.
The auditor is NOT required to assess operating effectiveness of
controls. This will only be done if the auditor decides to perform
“tests of controls” in order to reduce substantive testing.
Assertions
The “assertions” are key to the whole audit process. The
assertions are basically the underlying claims made by
management about the financial statements.
Internal control consists of 5 elements:
• Control environment
⁃ This is made up of the policies and procedures to
establish overall control of the organization (the tone at
the top)
• Risk assessment
⁃ The policies set to identify and analyze relevant risks so
that they can be managed
• Information and communication systems
⁃ The policies and procedures to identify, capture, and
exchange relevant information so that employees can
meet their responsibilities in a timely manner
• Control activities
⁃ The policies and procedures set so that management’s
objectives will be achieved
⁃ This includes segregation of duties, physical controls,
and authorization
• Monitoring
⁃ The policies and procedures to measure the
effectiveness of internal controls as time goes on
Documentation: There are certain things the audit team is
required to document:
• Audit team discussion about RMM and the key elements
about the entity, its environment, etc.
• The assessment of RMM at the financial statement level and
at the relevant assertion level
• Identified significant risks and the related controls the auditor
obtained an understanding of (walkthroughs)
Other considerations:
The best way to compensate for lack of segregation of duties at a
small company is to have greater management oversight of
overlapping duties.
The auditor is NOT obligated to search for significant deficiencies
in the design or operation of internal control. But, if they are
found, the auditor is required to communicate them to those
charged with governance.
Regardless of the assessed level of control risk, the auditor will
always perform some substantive tests to lower detection risk for
significant transaction classes.
When the auditor assesses control risk below the maximum level,
the auditor is required to document BOTH their basis for this
conclusion, and their understanding of the internal control
elements.
Required Communications
There are 2 things an auditor must communicate with regard to
the design or operation of internal control:
• Any identified “material weaknesses”
⁃ A deficiency in internal control such that there is a
reasonable possibility that a material misstatement of
the entity’s financial statements will not be prevented,
detected, or corrected on a timely basis
• Any identified “significant deficiencies”
⁃ A deficiency in internal control that is less severe than a
material weakness but important enough to be
communicated to those charged with governance
distribution of this communication. It is only for the audit
committee, those charged with governance, and management.
Internal Control Transactions
Segregation of duties is best tested by observing employees as
they apply control procedures. Segregation of duties involves
separating duties so that employees aren’t in a position to both
commit fraud and then be able to cover it up.
Physical controls:
• Computer passwords and different account types within the
system with different levels of permissions
• Custody of cash receipts and inventory should be handled
by employees without access to record keeping
Authorization
• Transactions should be authorized
• Adjusting journal entries should be reviewed and approved
by management
Review
• Monthly statements should be sent to customers
• Related documents such as the sales invoice, sales order
form, and shipping documents should be compared
• Cutoff should be verified to make sure transactions have
been recorded in the proper period
Information processing
• Focus on the entity’s records regarding the “audit trail”
• All key documents should be pre-numbered, and the
sequence should be accounted for
• Aged trial balance should be reconciled to the general ledger
periodically
Implications of an Entity Using a Service Organization
When a client being audited uses a service organization, such as
outsourcing their payroll to a payroll company, the auditor needs
to gain an understanding of the services provided by the service
organization and the effect on the client’s internal controls.
Specifically:
• A Type 1 report covers the service organization’s system
and design of controls. A Type 1 report will include a
disclaimer of opinion about the operating effectiveness of the
controls. A Type 2 report includes an opinion on the operating
effectiveness of controls.
• A Type 2 report covers the service organization’s system,
design of controls, AND the operating effectiveness of
controls.
On the other end, if the risk assessment includes an expectation
that the service organization’s controls are operating effectively,
then the auditor would need a Type 2 report.
IT General and Application Controls
There are 2 main categories of IT controls:
• General controls: These have an impact on all parts of an IT
system
• Application controls: These affect specific IT tasks within
departments such as payroll
IT General Controls
These are policies and procedures that apply to many
applications and support the functioning of the application
controls.
These typically include:
• Controls over data and network operations
• Software acquisition and maintenance
• Access security
• Physical security of assets, such as access to records
• Authorization to computer programs and data
• File backup & disaster recovery plan
• Echo check: transmission of information over phone lines
• Diagnostic routines: checks internal operations of hardware
components
• Boundary protection: allows multiple jobs running
simultaneously
• A ‘source code comparison program’ tests for unauthorized
program changes by comparing the compiled code to the
original program
• One disadvantage of computer data files compared to
manual data files is that it’s easier for an unauthorized
person to access and alter computer data files
A “secure” password:
• Is 7 characters in length
• Includes special characters
• Should have a mixture of lower and uppercase letters
• Should be unique
• And passwords should be changed regularly so that hackers
don’t have unlimited time to try and crack them
Application Controls
These are more specific controls that relate to specific
applications and/or individual transactions.
Evidence Gathering
Types of audit software:
• Generalized software: These are “out of the box” software
for auditing that have general functions for testing clients’
data
• Customized software: This would be a program created to
access the files of a certain client. This can be more
expensive in the long run if custom software is being
developed for several clients individually
• Data mining software: This is commercial audit software that
provides features for doing substantive analytics
Other Considerations
When auditing a client that processes most of its financial data in
electronic form, the auditor would most likely consider using an
‘embedded audit module’, which is a computer program actually
inserted into the client’s system which will select transactions for
further review by the auditor.
Identifying and Assessing the Risk of Material
Misstatement
auditor accordingly adjusts the audit approach to match the
assessed levels of risk.
Limitations of Controls and Risk of Management Override
Limitations of Controls
There are of course inherent limitations to internal controls: no
system of internal controls can guarantee to prevent, detect, or
correct any possible misstatement.
Communication
If fraud is found:
• The auditor informs ‘those charged with governance’ when
senior management is involved in the fraud, OR if the
misstatement is material even if senior management is not
involved
• If the misstatement is NOT material, the auditor must inform
the appropriate level of management (one level above where
the fraud has occurred)
Impact of Risks for Each Relevant Assertion
The auditor uses the assessed level of risk of material
misstatement to determine the acceptable level of detection risk
for the financial statement assertions. From there, the auditor
uses the acceptable level of detection risk to determine the nature
and extent of audit procedures to use.
Assertions
The “assertions” are key to the whole audit process. The
assertions are the underlying claims made by management about
the financial statements. When management gives the auditor
their listing of PP&E for example, management is essentially
making the “claim”, or assertion, that the items on that list actually
exist, that the list is complete (nothing left out), that the business
actually owns the items listed, and that the values of the items are
listed correctly. The auditor then assesses the risk of material
misstatement based on these assertions and performs audit
procedures. That’s how the audit works in a nutshell.
Further Procedures Responsive to Identified Risks
For an identified risk, if substantive procedures alone won’t
provide sufficient audit evidence, then the auditor would perform
tests of controls in addition to the substantive procedures.
If the auditor wants to lower the acceptable level of audit risk, then
the auditor can make changes to the substantive procedures such
as:
• Increasing the sample size
• Expanding the substantive procedures
• Using independent parties for testing such as confirmations
Materiality
Also, some firms have their own formulas and worksheets for
determining materiality.
Performance Materiality and Tolerable Misstatement
Performance materiality is an amount lower than materiality for
the financial statements, and it’s set lower to reduce the risk
that uncorrected misstatements detected, together with undetected
misstatements, exceed financial statement materiality.
Planning for and Using the Work of Others
Using the Internal Audit Function as Part of the Audit
The external auditor has sole responsibility for the audit opinion
and the quality of the audit work performed, and using any work
performed by the internal audit function doesn’t take away any of
that responsibility. Therefore, when the external auditor is
considering using the internal auditors to help with the audit, the
most important things to consider are:
• The competence of the internal auditors
• The objectivity of the internal auditors
• The internal auditors’ use of a systematic and disciplined
approach
BUT, the external auditor cannot allow judgment from the internal
auditor on materiality of misstatements, or the evaluation of
accounting estimates. The internal auditor can be used to help
test internal controls and perform substantive tests, but the final
conclusions must be made by the external auditor.
intangible assets, valuation of related party transactions, valuation
and existence of contingencies, or significant estimates.
If any of these factors are lacking, then the auditor shouldn’t use
the internal audit function to help with the audit. When the
external auditor does use work performed by the internal auditors,
any judgements about the audit evidence obtained need to be
made by the external auditor.
Specific Areas of Engagement Risk
an understanding of the applicable laws and regulations that
apply to the business being audited can lead to discovering
noncompliance in other areas of the audit.
Accounting Estimates, Including Fair Value Estimates
Many significant parts of accrual accounting require estimates,
and because of the nature of estimates it’s a big area of attention
for an auditor. The more complex the estimate, the more room
there is for material misstatements.
The specific procedures the auditor might perform are:
• Evaluate management’s assumptions used to make the
estimate
• Evaluate the methods of measurement used to make the
estimate
• Perform tests of controls on the controls used to make the
estimate, in addition to substantive testing
Related Parties and Related Party Transactions
Performing Further Procedures and Obtaining
Evidence
Again, the assertions come into play: When auditing a balance or
class of transactions, you can use the assertions to evaluate what
type of testing would produce reliable audit evidence.
Sampling Techniques
In auditing there is attribute sampling for tests of controls (Does
every purchase order have the right signature?), and variables
sampling for substantive testing.
Attributes Sampling
Attribute sampling is the type of test used to perform a “test of
controls”. With attribute sampling, the auditor is looking at
transactions to determine if a control was either performed or not
performed.
The first step is to identify what the objective of the test is, such as
testing the population of cash disbursements for proper
authorization.
Then the auditor defines and acquires the population, such as all
cash disbursements during the year.
Once the sample is selected, the transactions are tested, and any
deviations are identified.
Then the auditor can calculate the deviation rate. For example, if
the sample size was 20 and 1 deviation was found, the deviation
rate is 1 in 20, or 5%.
• Then compare this to your tolerable rate. If the tolerable rate
was 5%, you can rely on the internal control in this example.
If the tolerable rate was 4%, then you need to “modify the
planned level of control risk”, which means you cannot rely
on the internal control.
Variables Sampling
Variables sampling is used for substantive testing of populations,
usually to test an ending balance in an account.
The steps are essentially the same as listed above for attribute
sampling, except that since transactions in variables sampling will
be dollar amounts, the auditor tests all transactions that are
individually material. These amounts are not being sampled…
they are tested 100%, so they and their amounts are not
considered part of the population being sampled.
Other concepts
Performing Specific Procedures to Obtain
Evidence
Analytical Procedures
Analytics are evaluations of financial information based on
relationships among both financial data and non-financial data.
This can involve trends, comparing this year’s balances to last
year’s, ratios, etc.
Some assertions can be tested solely through analytics, and
some might require a combination of analytics and tests of details,
and some might not be a good fit for analytics.
Developing Expectations
There are 5 factors used to develop an expectation:
• Comparable information from a prior period
⁃ If sales had increased by similar percentages in the
past 3 years, you’d expect a proportionate increase in
the current year
• Anticipated results of the entity from budgets or forecasts
⁃ If management forecasted sales of $50,000 at the
beginning of the year, auditor would expect sales to be
close to $50,000
• Similar industry information such as ratios compared to
industry averages
⁃ Gross margin percentage compared to its industry
averages
• Relationship between elements of financial information
⁃ If sales increased a certain percentage, a similar
increase in accounts receivable would be expected
• Relationships between financial and non-financial
information
⁃ Payroll costs compared to the number of employees
Analytics in the Planning Stage
In the planning stage, the auditor will use high-level analytics,
such as looking at quarterly reports or unaudited financial
information provided by the client and making analytical
comparisons as a starting point for identifying areas to take a
closer look at. An example would be comparing the current year’s
sales to prior year’s sales for any significant changes.
External Confirmations
External confirmations are sent by the auditor to a third party, in
order to confirm a balance or transaction that they have or have
had with the company being audited. However, the auditor
controls the requests and responses, or it defeats the purpose of
trying to “confirm” with the third party. The whole idea is to take
the audit client out of the equation and ask the client’s customer
“is this balance correct?”
Alternate Procedures
For receivables the auditor would look at cash receipts to see if
the receivables were paid. For payables, the auditor would look at
cash disbursements to see if the client paid the invoices.
Inquiry of Management and Others
Inquiry is useful to gain an understanding of transaction flows and
to learn about how things work within an organization. On its own
however, it is poor audit evidence. What usually happens is the
auditor will inquire of management to gain an understanding first,
and then take that information into account as the auditor decides
how certain balances or transaction classes will be tested.
Observation and Inspection
Tests of operating effectiveness of controls or “control testing”, or
to “rely on controls” all refer to testing a specific internal control by
reperforming the control, observing the control in action, or by
inspection, such as inspecting documents for indications that the
control has been performed.
Recalculation and Reperformance
Reperformance is when the auditor re-executes a control or
procedure that was originally performed by an employee to see if
they get the same result. This can be done manually or through
computer-assisted techniques.
All Other Procedures
“Other procedures” would be analytics, which can take many
forms. See the previous section on analytical procedures.
Specific Matters
Opening Balances
In an initial audit, the auditor needs to gain assurance that the
opening balances are fairly stated.
The procedures to test and evaluate opening balances include:
• Inquiry of management
• Reviewing records, accounting policies, and control
procedures to see if they were consistently applied
• Consulting with the predecessor auditor and with their
permission, reviewing their workpapers from the previous
audit
• Substantive testing of the balances if the auditor determines
that more evidence is needed to substantiate the opening
balances
Investments in Securities and Derivatives
The first step in considering the fair value measurement for
investments and derivatives used by management is to consult
the applicable accounting framework to see how the framework
measures fair value. Then, the auditor would evaluate
management’s measurement of fair value compared to the
measurement according to the applicable framework.
Physical Observation of Inventory and Inventory Held by
Others
If inventory is material to the financial statements, the auditor
should obtain audit evidence of existence and the condition of
inventory by attending physical inventory counting being
performed by the employees.
Litigation, Claims, and Assessments
The procedures to identify litigation, claims, and assessment
involving the client being audited include:
• Inquiring of management and the client’s legal counsel and
obtaining a description and evaluation of any litigation,
claims, and assessments as of the date of the financial
statements
• Reviewing board meeting minutes or any documents
obtained from management regarding litigation or lawsuits
• Reviewing legal expense accounts and invoices from
external legal counsel
An Entity's Ability to Continue as a Going Concern
The factors that could cause substantial doubt about an entity’s
ability to continue as a going concern include:
• Negative financial trends such as recurring operating losses,
working capital deficiencies, negative cash flows, and other
adverse financial ratios
• Defaulting on loans, falling out of covenant on debt
obligations, denial of trade credit from suppliers, debt
restructuring, seeking new methods of financing, etc.
• Work stoppages, labor disputes, dependence on the
success of a particular project, unsustainable long-term
commitments
• Legal proceedings or legislation that harm the ability to
operate, loss of key franchises or patents, loss of a principal
customer or supplier, catastrophes
Accounting Estimates, Including Fair Value Estimates
This has been covered in previous sections. See “Accounting
estimates, including fair value estimates” and “Investments in
securities and derivatives”.
Misstatement and Internal Control Deficiencies
A misstatement is any difference between the amount,
classification, presentation, or disclosure of what’s reported on the
financial statements, and the amount, classification, presentation,
or disclosure of what is required in order to be in accordance with
the applicable accounting framework. In other words, differences
the auditors find in what management has on their financials and
what is correct.
The auditor needs to decide whether the uncorrected
misstatements are material, either individually or all added
together, based on their size and nature, and any effects of
uncorrected misstatements in prior periods.
Written Representations
The auditor is required to obtain written representations from
management to corroborate management’s verbal responses to
important questions from the auditor.
This is called the “rep letter” or the representation letter. The date
of the rep letter should coincide with the date of the auditor’s
report.
Subsequent Events
Subsequent events are events that happen after the date of the
financial statements, but before the date of the auditor’s report.
The main ways that the auditor reviews subsequent events are by
reading the latest interim financial statements, the latest board
minutes, inquiring with the client’s attorneys regarding any
pending litigations, or asking management specific questions.
Identifying Subsequent Events
The steps to identify possible material subsequent events:
• Obtaining an understanding of any procedures that
management has established to ensure that subsequent
events are identified
• Inquiring of management and, when appropriate, those
charged with governance about whether any subsequent
events have occurred that might affect the financial
statements
• Reading minutes, if any, of the meetings of the entity's
owners, management, and those charged with governance
that have been held after the date of the financial statements
and inquiring about matters discussed at any such meetings
for which minutes are not yet available
• Reading the entity's latest subsequent interim financial
statements, if any
Forming Conclusions and Reporting
Reports on Audit Engagements
• the information presented in the financial statements is
relevant, reliable, comparable, and understandable;
• the financial statements provide adequate disclosures to
enable the intended users to understand the effect of
material transactions and events on the information
conveyed in the financial statements; and
• the terminology used in the financial statements, including
the title of each financial statement, is appropriate.
Types of Opinions
Unmodified Opinion
A “clean opinion”, meaning the auditor believes the financial
statements are fairly stated and comply with GAAP, results in an
“unmodified opinion”. This used to be called an “unqualified
opinion”.
Qualified Opinion
Two reasons for a qualified opinion:
• Presentation: the financial statements are misstated (GAAP
departure)
• Scope: the auditor was not able to get “sufficient appropriate
audit evidence”
Adverse Opinion
There’s only one reason for giving an adverse opinion:
When there are financial misstatements that are BOTH material
AND pervasive.
This means that there are misstatements that affect most areas of
the financial statements. The financial statements are misleading
because they are not fairly presented.
Disclaimer of Opinion
This happens when the auditor is unable to obtain sufficient
appropriate audit evidence, and the effects could be BOTH
material and pervasive.
But when the auditor can’t obtain audit evidence to the degree
that the effects could be both material and pervasive, the auditor
issues a ‘disclaimer of opinion’, which means the auditor is unable
to even give an opinion.
Form and Content of an Audit Report (AICPA Standards)
You don’t need to be able to draft an audit report from memory,
but you should know the main sections of the audit report and
how they are changed for certain circumstances.
Title
The title should be labeled “Independent Auditor’s Report”.
To
The report should be addressed to the board of directors of the
audit client, or as the circumstances of the audit dictate.
Introductory Paragraph
This paragraph should:
• Identify the entity whose financial statements have been
audited
• State that the financial statements have been audited
• Identify the title of each statement included in the financial
statements
• Specify the date or period covered by each financial
statement included in the financial statements
The auditor's report should describe management's responsibility
for the preparation and fair presentation of the financial
statements. The description should include an explanation that
management is responsible for the preparation and fair
presentation of the financial statements in accordance with the
applicable financial reporting framework; this responsibility
includes the design, implementation, and maintenance of internal
control relevant to the preparation and fair presentation of
financial statements that are free from material misstatement,
whether due to fraud or error.
The auditor's report should state that the audit was conducted in
accordance with generally accepted auditing standards and
should identify the United States of America as the country of
origin of those standards. The auditor's report should also explain
that those standards require that the auditor plan and perform the
audit to obtain reasonable assurance about whether the financial
statements are free from material misstatement.
The auditor's report should state whether the auditor believes that
the audit evidence the auditor has obtained is sufficient and
appropriate to provide a basis for the auditor's opinion.
Opinion Paragraph
The heading should say “Opinion”.
Signature of the Auditor
This can be the handwritten or printed signature of the auditor’s
firm.
Auditor’s Address
The auditor should name the city and state where the auditor
practices.
⁃ Then there are the signatures:
⁃ The auditor’s signature
⁃ The auditor’s tenure (“We have served as the auditor
since 20XX”)
⁃ Auditor’s address
⁃ Date
This would be something like the auditor doubts the firm’s ability
to continue as a going concern,
This would be about something that the auditor considers
relevant, but not crucial to the user’s understanding of the
financial statements.
Audit of Internal Control Integrated with Audit of Financial
Statements
Forming an Opinion of the Effectiveness of Internal Controls
in an Integrated Audit
Here are the considerations of forming an opinion on the
effectiveness of internal controls in an Audit of Internal Control
Over Financial Reporting (ICFR) integrated with an audit of the
financial statements:
This evaluation should include, at a minimum:
• the risk assessments in connection with the selection and
application of substantive procedures, especially those
related to fraud;
• findings with respect to noncompliance with laws and
regulations;
• findings with respect to related party transactions and
complex or unusual transactions;
• indications of management bias in making accounting
estimates and selecting accounting principles; and
• the nature and extent of misstatements detected by
substantive procedures
The Auditor’s Report on the Audit of ICFR (AICPA Standards)
The report can be separate or combined with the opinion on the
financial statements.
“Auditor’s Responsibility” Paragraph
A section with the heading "Auditor's Responsibility" that includes
the following:
• A statement that the auditor's responsibility is to express an
opinion on the entity's ICFR based on the audit
• A statement that the audit was conducted in accordance with
auditing standards generally accepted in the United States of
America
• A statement that such standards require that the auditor plan
and perform the audit to obtain reasonable assurance about
whether effective ICFR was maintained in all material
respects
• A description of the audit by stating that:
⁃ an audit of ICFR involves performing procedures to
obtain audit evidence about whether a material
weakness exists
⁃ the procedures selected depend on the auditor's
judgment, including the assessment of the risks that a
material weakness exists
⁃ an audit includes obtaining an understanding of ICFR
and testing and evaluating the design and operating
effectiveness of ICFR based on the assessed risk
• A statement about whether the auditor believes that the audit
evidence the auditor has obtained is sufficient and
appropriate to provide a basis for the audit opinion
• A paragraph stating that because of inherent limitations,
ICFR may not prevent, or detect and correct, misstatements
and that projections of any assessment of effectiveness to
future periods are subject to the risk that controls may
become inadequate because of changes in conditions, or
that the degree of compliance with the policies or procedures
may deteriorate
“Opinion” Paragraph
A section with the heading "Opinion" that includes the auditor's
opinion on whether the entity maintained, in all material respects,
effective ICFR as of the specified date, based on the criteria.
Reports on Attestation Engagements
Examination Reports
The opinion is whether the subject matter is in accordance with
the criteria in all material respects, or if the assertion is fairly
stated in all material respects.
The opinions can vary and are the same “opinions” that would be
issued for an audit, such as unmodified, qualified, adverse, or a
disclaimer of opinion.
Review Reports
The auditor concludes whether any material modifications should
be made to the subject matter or the responsible party’s
assertion. The (written) report should state the conclusion on the
subject matter or the assertion.
Agreed-Upon Procedures Reports
These engagements need to have the “agreed-upon procedures”
outlined in the engagement letter, and then the auditor’s report
will identify the procedures performed and the conclusions
reached (or findings).
Reporting on Controls at a Service Organization
A service organization is an entity that provides services to user
entities which are likely to be relevant to the user entities’ controls
over financial reporting, such as a payroll service.
Example: Paul audits ABC corp, and ABC uses DEF for payroll
services. Ben is a service auditor and reports on the controls at
DEF, so Paul obtains a Type 2 report from Ben to use in his audit
of ABC, since DEF’s controls are relevant to ABC’s controls.
Type 2 reports are the same as a Type 1 report, but they also
report on the operating effectiveness of the controls at the service
organization. Because of this, if an auditor at a user entity is going
to rely on the operating effectiveness of the controls at the service
organization, they’ll need a Type 2 report.
The service auditor will modify their opinion if:
• Management’s description isn’t fairly presented in all
material respects
• The controls are not suitably designed
• The controls didn’t operate effectively throughout the
specified period (Type 2 report)
• The service auditor couldn’t gather sufficient appropriate
evidence
Accounting and Review Service Engagements
Preparation Engagements
Preparation of financial statements: this is what it sounds like.
The accountant takes the information from management and
prepares the financial statements. A preparation is a nonattest
service.
Compilation Reports
A compilation is basically assisting management to draft the
financial statements, without providing ANY level of assurance. It
is an attestation engagement but NOT an assurance
engagement. Also, a compilation can be performed for
prospective or pro-forma information in addition to historical
financial statements.
Compilation Report
The compilation report is one paragraph. It states that the
accountant performed the compilation in accordance with
SSARSs issued by the ARSC of the AICPA. It also includes a
disclaimer that the financial statements have not been audited,
and that the accountant has compiled the financial statements
and is not issuing an opinion or conclusion nor providing any
assurance on the statements.
Review Reports
A review is an assurance engagement and an attestation
engagement that provides “limited assurance” that there are no
material modifications that should be made to the financial
statements. For a review, the auditor must be independent.
Title
The accountant's review report should have a title that clearly
indicates that it is the accountant's review report and includes the
word independent. An appropriate title would be "Independent
Accountant's Review Report."
Addressee
The accountant's report should be addressed as required by the
circumstances of the engagement.
Introductory Paragraph
The introductory paragraph in the accountant's report should:
• identify the entity whose financial statements have been
reviewed;
• state that the financial statements have been reviewed;
• identify the financial statements that have been reviewed;
• specify the date or period covered by the financial
statements;
• include a statement that a review includes primarily applying
analytical procedures to management's (owners') financial
data and making inquiries of company management
(owners); and
• include a statement that a review is substantially less in
scope than an audit, the objective of which is the expression
of an opinion regarding the financial statements as a whole,
and that, accordingly, the accountant does not express such
an opinion.
Accountant's Responsibility
A statement that the accountant's responsibility is to conduct the
review in accordance with SSARSs issued by the AICPA.
Results of Engagement
A statement that, based on his or her review, the accountant is
not aware of any material modifications that should be made to
the financial statements in order for them to be in conformity with
the applicable financial reporting framework, other than those
modifications, if any, indicated in the report.
Reporting on Compliance
If a CPA is engaged to provide assurance on whether or not an
entity is in compliance with applicable laws, regulations, or
financial requirements of some kind, the engagement can either
be an examination or an “agreed upon procedures” engagement.
Other Reporting Considerations
• If prior period statements are not audited. An “other matter”
paragraph would be added to the audit report that describes
what service was performed in the previous period (review,
compilation, etc.), and a statement that the service was less
in scope than an audit and that no opinion was issued on the
previous financial statements
Other Information in Documents with Audited Statements
“Other information” that can be included with audited financial
statements includes:
• Material inconsistencies
• Material misstatements of fact
• Financial summaries or highlights
• Employment data
• Financial ratios
• Planned capital expenditures
• Names of officers and directors
Review of Interim Financial Information
Interim financial statements are a review, and they consist
primarily of analytics and inquiry.
The end result is the CPA stating that there are no material
modifications needed to be in accordance with the applicable
framework.
Supplementary Information
If the auditor is engaged to determine whether supplementary
information is fairly stated in relation to the financial statements,
the phrase is that the supplementary information is fairly stated “in
all material respects in relation to the financial statements as a
whole”.
Single Statements
The auditor can express an opinion on a single statement, such
as just the balance sheet, if access to the underlying information
is not limited. This means the auditor still has to obtain ‘sufficient
appropriate audit evidence’, which would mean they look at more
than just the balance sheet.
Special-Purpose and Other Country Frameworks
Financial Statements Prepared Using Another Country’s
Framework
The main responsibility of the auditor in this situation is to
understand the accounting principles that are generally accepted
in the other country, or the applicable framework, and then
evaluate if the financial statements were prepared in accordance
with that framework.
Letters for Underwriters and Filings with the SEC
Letters given to underwriters as part of the due diligence process
to provide the underwriter with “reasonable grounds to believe
there are no material omissions or misstatements in financial
statements related to a securities offering”.
Alerts that Restrict the Use of Written Communication
The auditor's written communication should include an alert, in a
separate paragraph, that restricts its use when the subject matter
of the auditor's written communication is based on:
• measurement or disclosure criteria that are determined by
the auditor to be suitable only for a limited number of users
who can be presumed to have an adequate understanding of
the criteria,
• measurement or disclosure criteria that are available only to
the specified parties, or
• matters identified by the auditor during the course of the
audit engagement when the identification of such matters is
not the primary objective of the audit engagement
(commonly referred to as a by-product report)
Additional Reporting Requirements Under Gov Auditing
Standards
GAO Audits and Reporting on Internal Controls
Financial statement audits performed under the GAGAS require
reporting on internal control and compliance with laws,
regulations, and agreements.