AUD - Notes Chapter 3

http://www.cpa-cfa.org
Planning and Supervision
TIP PIE ACDO

The audit committee is responsible for the selection and the appointment of the auditor and the reviewing the
nature and scope of the engagement

In a new client relationship, it is mandatory to make inquiries of the predecessor auditor. Client permission is
needed. If the client is unwilling it is a scope limitation.

Before accepting the client, inquiry the old CPA regarding:

• Information that may reveal mgmt integrity
• Disagreements with mgmt (accounting principles, auditing procedures)
• Reasons for change of auditor
• Communication to the audit committee regarding fraud, illegal acts, internal control matters
After acceptance, inquiry the old CPA regarding:
• Make specific inquiries about the audit
• Review predecessors audit documentation (workpapers)

Preliminary Engagement Activities

• Assess the integrity of mgmt
• Assess the availability and adequacy of the clients accounting records (lack of records = scope limitation)
• Evaluate the firm’s quality control policies and procedures

An engagement letter – a signed contract which documents the understanding with the client is required for an
audit engagement (should be signed and dated by the client)

Management’s is responsible for:

• The F/S
• Internal controls
• Compliance with laws
• Representation letter (letter to auditor at end of the engagement that confirms the representation made)

Auditor is responsible for:

• Conduct the audit in accordance with GAAS (obtain reasonable assurance about whether the F/S are free
from material misstatements

An audit is not designed to detect error or fraud that is immaterial to the F/S

An audit is not designed to provide assurance on internal control or to identify significant deficiencies

Audit is subject to inherent risks that errors and fraud will not be detected. If we discover fraud then we report
it to the audit committee

Planning the Audit

The nature, extent and timing of planning procedures will vary based on the engagement (the NET we cast over
the audit)

The auditor is required to obtain an understanding of the entity, its environment and internal controls

Obtain knowledge about the clients industry and business through:

• Audit guides, trade publications and public information

1
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
• Tour client facilities
• Review financial history of client
• Obtain understanding of client accounting
• Inquire of client personnel

Analytical Procedures used for:

• For planning the nature, extent, and timing of other audit procedures (required)
• Substantive tests to obtain evidential matter (optional)
• Overall review in the final stage of the audit (required)

Analytical procedures performed during planning

• Used to enhance the auditors understanding, and identify unusual transactions, events and amounts
• During planning, analytical procedures consist of a review of data aggregated at a high level, such as
comparing financial statements to budgeted amounts
• Financial data is used through relevant nonfinancial data (number of employees, square footage)

The audit plan

• Must be written
• Specific audit procedures are documented
• Description of the nature, extent, and timing of:
- Planned risk assessment procedures (assess risk of material misstatement) (required)
- Planned further audit procedures
• Timing of audit procedures should be discussed with mgmt

Materiality
Known misstatements – specific misstatements identified during the audit

Likely misstatements – misstatements the auditor considers likely to exist due to differences between auditor
and mgmt judgements or from audit evidence

Tolerable misstatements – maximum error in a specific population that the auditor is willing to accept

All misstatements must be communicated to mgmt

Because the F/S are interrelated, the auditor should use the smallest level of misstatement that could be material
to any one of the F/S

The auditor must consider the effects, both individually and in aggregate, of the uncorrected misstatements
(both known and likely)

Misstatements are more likely to be considered if they:

• Affect trends in profitability
• Affect’s entity’s compliance with loan covenants, contracts or regulatory provisions
• Increase mgmt’s compensation
• Affect significant F/S elements
• Can be objectively determined

The auditor should document:

• Planning levels of materiality and tolerable misstatement, the basis for those levels and any subsequent
changes
• Known and likely misstatements that were corrected by mgmt
2
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
• A summary of uncorrected misstatements (known and likely), auditors conclusions on whether those
misstatements cause the F/S to be materially misstated, and the basis for the conclusion
Documentation of uncorrected misstatements should include:
• Separate identification of known and likely misstatements
• The aggregate effect on the F/S
• Relevant qualitative factors affecting materiality judgements

Audit Risk
Audit risk is the risk that the auditor may unknowingly fail to modify appropriately the opinion on the F/S that
are materially misstated (risk that the auditor will give the wrong opinion)

AR = RMM * DR
AR = (IR * CR) * DR

Audit risk (AR) should be low

Risk of Material Misstatement (RMM) – assessed by auditor and is independent of F/S audit
Inherent risk (IR) – susceptibility of a relevant assertion to a material misstatement, assuming there are
no related controls (mistake in the clients acctg system). Auditor assesses IR but can’t change
Control risk (CR) – risk that a material misstatement could occur in a relevant assertion will not be
prevented or detected on a timely basis by the clients internal controls (clients internal control does not
catch it)
Detection risk (DR) – risk that the auditor will not detect a misstatement that exists within a relevant assertion
(auditor will miss the mistake). Detection risk is a function of the effectiveness of audit procedures. The auditor
can change the detection risk

RMM and DR have inverse relationship. When risk of material misstatement is high, detection risk should be
set low (so we have to do more work)

Substantive procedures are always required

Direct relationship between RMM and assurance required from Substantive procedures. Greater the risk
(RMM) the more persuasive evidence needed.

Audit risk and materiality must be considered at both the F/S level and the account balance (item level)
• At the F/S level, the auditor should consider risks that have pervasive effect on the F/S, potentially affecting
many relevant assertions
• The account balance level (transaction & item level) is used to determine the nature, extent, and timing of
audit procedures. Inverse relationship between audit risk and materiality

Audit Procedures:
1. Risk assessment procedures
2. Test of controls – test of internal controls (CRIME)
3. Substantive procedures – tests $ balances

F/S Assertions (made by mgmt)

Transactions and events
C – Completeness
P – Proper period cutoff
A – Accuracy
C – Classification
O – Occurrence

3
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
Account balances
C – Completeness
A – Allocation and valuation
R – Rights and obligations
E – Existence

Presentation and disclosure

C – Completeness
U – Understandability and classification
R – Rights and obligations
V – Valuation and accuracy

After sufficient planning information has been gathered, an audit plan should be drafted. A written audit plan is
required for every audit.

When planning the audit, the auditor should consider the extent of involvement of the client’s internal auditors
in the audit. Internal auditors are not independent, thus, the external auditor can’t share with the internal auditor
any responsibility for audit decisions.
• Auditor must obtain an understanding of the internal audit function
• If the auditor uses the work of internal audit, competence and objectivity must be assessed
• The higher the level the internal auditors report to, the more objectivity can be assumed
• The auditor remains solely responsible for the report on the F/S. The internal auditor may not be utilized to
make judgement calls

If a specialist is used must evaluate the competence and objectivity of the specialist. Treat like one of your
staff.

Fraud and Illegal Acts

Errors – unintentional
Fraud – intentional; 2 types
1. Fraudulent financial reporting (lying) – designed to deceive F/S users. Usually involve
manipulation, misrepresentation, intentional misapplication of accounting principles
2. Misappropriation of assets (stealing) – theft of an entities assets

Fraud risk factors include:

• Incentives/pressures: a reason to commit fraud
• Opportunity: lack of effective controls
• Rationalization/attitude: an attempt to justify fraudulent behaviour

Its mgmt’s responsibility to design and implement programs and controls to prevent and detect fraud

The auditor has a responsibility to plan and perform (referred to as design) the audit to obtain reasonable
assurance about whether the F/S are free from material misstatement, whether caused by error or fraud.

Mgmt override of controls is a major factor in fraud.

Inquire entire personnel regarding their views of fraud risk

- Inconsistent responses indicate a need for additional evidence

Consider the results of analytical procedures (required during the planning and final stage)

4
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
Attributes of risk:
• Type of risk: fraudulent F/S or misappropriation of assets
• Significance of risk: can it lead to a material misstatement
• Likelihood of the risk: how likely is this to happen
• Pervasiveness of the risk: does it affect the whole F/S or only specific accounts or transactions
2 Areas of greatest fraud concern:
1. Improper revenue recognition
2. Mgmt override controls

Items are more susceptible to manipulation when they involve:

1. High degree of mgmt judgement and subjectivity
2. Highly complex accounting principles

The auditor is required to respond to the results of the risk assessment on three levels
1. Overall, general response
- assigning personnel to the engagement
- determining the appropriate level of supervision of engagement personnel
- evaluating mgmt’s selection and application of accounting principles
2. Response encompassing specific audit procedures
- change nature
- change extent
- change timing
3. Response addressing risks related to mgmt override
- examine journal entries and other adjustments
- review accounting estimates for biases
- evaluate the business purpose for significant unusual transactions

Significant fraud risk – may consider withdrawing from the engagement

Revenue recognition
- perform substantive analytical procedures relating to revenue
- confirm with customers contract terms and the absence of side agreements
Revenue recognition criteria
1. must have an arrangement (signed agreement)
2. must be a delivery
3. must be fixed or determinable price
4. collectability

Inventory quantities
- concern that there may be a failure to reconcile books to physical inventory

Mgmt estimates
- engage a specialist
- develop an independent estimate
- perform a retrospective review of prior period estimates (how good were last yr’s estimates)

Misstatements caused by fraud (even immaterial misstatements) may be indicative of an underlying problem
with mgmt integrity. The auditor may need to reevaluate the assessment of fraud risk, the assessed
effectiveness of controls, and the appropriateness of audit procedures applied.

Inform the audit committee of any fraud. Parties outside the entity that we may communicate with in certain
circumstances:
- to comply with certain legal and regulatory requirements
5
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
- to a successor auditor
- in response to a subpoena
- to a funding agency

Complete documentation of the auditors risk assessment and response is required

If the auditor has not identified improper revenue recognition as fraud risk, support for this conclusion
Illegal acts – violation of law
The auditors responsibility to detect illegal acts are the same for fraud and errors.
The auditor has no obligation to look for illegal acts having an indirect effect on the F/S
The auditor generally does not include procedures to specifically detect illegal acts

Effect of illegal acts on the auditors report

Departure from GAAP – “expect for” or adverse
Insufficient evidence – “except for” or disclaimer
Clients refuses to modify report – withdraw

Risk Assessment
TIP PIE ACDO (fieldwork)

Audit Steps IMACPA

I – Internal control, understand
M – Material misstatement, assess
A – Assess risk control
C – Control testing
P – Perform substantive testing
A – Audit evidence, evaluate appropriateness and sufficiency

I - Internal control – obtain an understanding of the entity and its environment

Risk assessment procedures
• Inquires
• Analytical procedures (required for planning and final stages)
• Observation and inspection
• Discussion among audit team
• Other procedures
• The auditor may choose to perform substantive procedures or tests of controls, if its efficient to do so
Factors to understand
• Industry, regulatory, and other external factors
• Nature of the entity
• Objectives, strategies and business risks
- Business risks – events or circumstances that could adversely affect the firm (ie competition)
• Financial performance
• Internal controls and accounting policies

M – Material misstatement, assessing the risks

Factors that my be indicative of significant risks
• Unusual, complex transactions
• Business risks
• Fraud risk
• Significant related party transactions

6
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
• Highly subjective accounting estimates and principles
Response to significant risks
• Evaluate the design of the entity’s related controls
• Determine whether the controls have been implemented
• Evaluate whether and how mgmt responds to such risks

Test of controls – test strengths to be relied upon, not weaknesses

Controls that are more directly related to an assertion are more effective in preventing, detecting and correcting
a misstatement in that assertion, than controls which only relate indirectly to an assertion.

Documentation requirements
• Discussion among the audit team
• Key elements of the understanding of the entity and its environment
• The assessment of the risks of material misstatement
• The identified risks and related controls evaluated by the auditor

Document
1. control factors that were used/helped to plan the audit engagement
2. control factors that helped ensure mgmt rules and directives were followed

Forms of documentation may include any item the auditor can FIND
F – Flowchart
I – Internal control questionnaire or checklists
N – Narrative
D – Decision table

Flowcharts – symbolic diagram representing the sequential flow of authority, processes and documents. Depicts
the auditors understanding of the system
• An adequate flowchart shows the origin of each document in the system, its subsequent processing, and its
final disposition
• IT flowcharts are initially created to document the logic and existing flow of a computer program

Internal control questionnaires – used for each item of mgmt assertions

Narratives – a narrative is a written version of a flow chart (hard to “see” weaknesses

Decision tables or trees – graphic illustrations that depict the logic of an operation or a process

A flowchart is sequential while a decision table/tree is logical

Internal Control
TIP PIE ACDO

Entity objectives
1. Reliability of financial reporting (most relevant to the audit)
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations

Controls that pertain to the first objective (reliability of financial reporting) are the most relevant to the audit,
and these are the controls that the auditor must consider and understand.

7
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
Five components of internal controls – CRIME
C – Control environment: overall tone of the organization
R – Risk assessment – mgmt’s identification of risk
I – Information and communication systems
M – Monitoring: assessment of internal controls over time
E – Existing control activities: control policies and procedures
It’s a CRIME not to have strong internal controls

Control testing = internal controls (CRIME)

Substantive testing = $ balances

The auditor should obtain an understanding of CRIME as it pertains to financial reporting:

1. evaluate the design of relevant controls and determine whether then have been implemented
2. assess the risk of material misstatement
3. design the nature, extent and timing of further audit procedures (CPA tests internal controls in order to
adequately plan the NET audit)

Limitations of internal controls

• Human error
• Collusion
• Mgmt override
• Segregation of duties may be difficult to achieve in a smaller entity

IT system may make it impossible to reduce detection risk through substantive testing alone (must do control
testing as well)

IT benefits:
• Ability to process large volumes of transactions accurately
• Improved timeliness and availability of information
• Facilitation of data analysis and performance monitoring
• Reduction is the risk that controls will be circumvented
• Enhanced segregation of duties through effective security controls

IT Risks:
• Potential reliance on inaccurate systems
• Unauthorized access to data
• Unauthorized changes to data, systems and programs
• Failure to make required changes and updates to systems or programs

Auditor should document use of programs and perform tests more often during the yr

Organizational structure of the IT department

C – Control group – responsible for internal control within IT dept.
O – Program Operators – input data
P – Programmers – write and develop computer programs
A – System Analysts – design the overall program, while programmers do the detailed work
L – Librarian – maintains the storage of the data

Anyone doing for an 1 job or supervising another area is a weakness

CRIME

8
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
C – Control Environment – has pervasive effect on the auditors risk of assessment and preliminary judgements
about its effectiveness may influence NET of further audit procedures to be performed
• Sets the tone of an organization, influencing the control consciousness of its people
• Communication and enforcement of integrity and ethical values
• Mgmt’s philosophy and operating style
• Organizational structure
• Assignment of authority, responsibility and accountability
• Human resource policies and practices

R – Risk assessment
• CPA should obtain understanding and knowledge

I – Information and communication

• CPA should obtain understanding and knowledge
• Accounting process (automated and manual), from initiation of a transaction to F/S
• Accounting records (electronic and manual) supporting information and specific accounts involved in
initiating, authorizing, recording, processing and reporting transactions
• The financial reporting process, including the development of significant accounting estimates and the
inclusion of appropriate disclosure

M – Monitoring
• CPA should obtain understanding and knowledge
• Process that assesses the quality of internal control performance over time
• Establishing and maintaining internal control is a responsibility of mgmt

E – Existing control activities

Control activities in a strong internal control system have PAID TIPS
P – Prenumbering of documents
A – Authorization of transactions
I – Independent checks to maintain asset accountability
D – Documentation
T – Timely and appropriate performance reviews
I – Information processing controls – ensure that transactions are valid, authrorized, and accurate
- Application controls – controls for processing of individuals transactions
- General controls – apply to information processing throughout the company
P – Physical controls for safeguarding assets – simply security
S – Segregation of duties – client should separate: ARC
- Authorization
- Recordkeeping
- Custody of related assets

The internal control environment should be detected in the ordinary course of business by an employee, not
- Collusion
- Mgmt overrides

For internal controls the auditor should

• Obtain the necessary understanding of the user organizations internal control to plan the audit
• Assess the control risk at the user organization, and
• Perform substantive procedures

9
 AUD - Notes Chapter 3
http://www.cpa-cfa.org
Report on controls placed in operation – may aid the auditor in obtaining an understanding of controls,
however, it is provided when tests of operating effectiveness were not performed, and therefore it does not
provide the user with a basis for reducing the assessment of control risk

Responding to Assessed Risks

IMACPA

Audit approach – the auditors specific approach to identified risks at the relevant assertion level may consist of
either a substantive or combined approach

Use substantive approach when:

• Controls are not strong for an assertion
• Not cost/benefit to test the effectiveness of the controls

Combined approach – both control testing and substantive procedures are used. If controls are operating
effectively, less assurance will be required from substantive procedures.

Test of controls may be required in highly electronic environments, substantive procedures alone may not be
sufficient

Audit approach
Status of internal control Risk level Perform control tests Perform substantive tests
None or weak high No (because nothing to rely on) yes-maximum
Some medium Yes
Strong low Yes minimal (but never
eliminate for material
balances, transaction classes, or disclosures)

Test of Controls - IMACPA

Test of controls are performed when the auditors risk assessment is based on the assumption that controls are
operating effectively, or when substantive procedures alone are insufficient. (test control strengths, not
weaknesses)

Obtaining an understanding of internal controls includes evaluating the design of controls and determining
whether they have been implemented

Only controls that are suitably designed to prevent or detect material misstatements are subject to tests of
operating effectiveness

Inspect client records documenting use and changes to IT programs

Nature of tests of controls

• Tests of operating effectiveness of controls include: inquiries, inspection, observation, and reperfornance
• As the planned level of assurance (about operating effectiveness) increases, the auditor should obtain more
reliable or more extensive audit evidence

Evidence hierarchy:
1. Personal observation and knowledge
2. External evidence
3. Internal evidence
4. Oral evidence
10
 AUD - Notes Chapter 3
http://www.cpa-cfa.org

Timing of tests of controls

• When tests of controls are performed at one particular time, they provide evidence that controls operated
effectively only at that time. Controls tested throughout the period provide evidence of operating
effectiveness during that period
• Controls that are tested only during an interim period should be supplemented by additional evidence for
the remaining period (roll forward)
• If controls have changed since they were last tested, operating effectiveness must be retested in the current
period
• Even if controls have not changed, operating effectiveness must be tested at least one every third year
Perform substantive testing – IMACPA
• Used to detect material misstatements at the relevant assertion level
• Substantive procedures should be designed to be responsive to assessed risks, however, regardless of the
assessed risk, substantive procedures are required for each material transaction class or account balance

2 types of substantive procedures

1. Test of details – applied to transaction classes, account balances and disclosures. $ balances, ratios
2. Substantive analytical procedures – used for large volume predictable transactions

Directional testing
To test existence or occurrence assertion – Top down, start from F/S. Look for support = vouching
Test existence for overstatement of assets and revenues
To test completeness assertion – Bottom up, start from item, look to see its included/covered in F/S = tracing
Test completeness for understatement of liabilities and expenses

If substantive procedures are performed at an interim date, the auditor should perform further substantive
procedures (maybe with test of controls) to provide reasonable basis for extending audit conclusions to period
end

If risk of material misstatement is low, performing substantive procedures at interim increases the risk that the
auditor will not detect material misstatements in the F/S

In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform
substantive procedures at or near period end.

Audit evidence, evaluate appropriateness and sufficiency – IMACPA

• Audit evidence obtained may cause the auditor to modify this or her initial risk assessment
• The auditor should not assume that an identified instance of fraud or error is an isolated occurrence
• When there is a change in the assessed level of risk, the auditor should modify planned procedures
accordingly
• The auditor uses judgement to evaluate the sufficiency and appropriateness of audit evidence

11