AUDIT 3.txt

Responsible for selection and appointment of the independent external auditor, and for reviewing the nature and scope of the engagement. Should pre-approve all services provided by the auditor

• - Firm's ability to meet reporting deadlines (impacted by timing/complexity)
• - Firm's ability to staff the engagement
• - Independence
• - Integrity of client management

• - Availability and adequacy of accounting records (lack of records = scope limitation)
• - Management's attitude towards internal control environment (risk may be too high)

• Making inquiries of the predecessor auditor, with the client's permission about:
• - Info that might bear on mgmt integrity
• - Disagreements with management
• - Predecessor's understanding as to reason for change of auditors
• - Communication to mgmt, audit committee and those charged w/ governance regarding fraud, illegal acts by client, and matters relating to internal control

• - Make specific inquiries of the predecessor
• - Review the predecessors audit documentation (workpaper -> evidence)
• - If successor finds problems with predecessor, should arrange a meeting to resolve the matter

• - Objectives of the engagement
• - Management's responsibilities
• - Auditor's responsibilities
• - Limitations of engagement
• - Other matters (conduct of engagement)

• - Entity's F/S, selection/application of acct policies
• - Internal control
• - Compliance with laws
• - Make all financial records available to auditor
• - Provide auditor w/ mgmt's representation
• - Correct identified material misstatements
• - Affirm that uncorrected misstatements are immaterial in F/S
• Auditor's responsibilities in an engagement

• Limitations of an engagement
• - Material misstatement may go undetected
• - Audit's designed to detect only material errors (not immaterial)
• - Audit's not designed to provide assurance on internal controls or identify significant deficiencies, but if discovered then need to report to audit committee

ISA210 states auditor and client should agree on new terms, and if auditor can't agree then should withdraw and consider whether there's any obligation to report to other parties

• - Read about client's industry
• - Gain knowledge of client's business (tour facilities, review financial history)
• - Obtain understanding of accounting methods
• - Inquire of client personnel

• - Overall strategy helps auditor determine resources needed to complete audit. Includes:
• - Scope, reporting objects, audit timing, require communications
• - Factors that determine focus (preliminary evaluations and areas of higher risk of mm)
• - Materiality and tolerable misstatement

• - Materiality - consider quantitative & qualitative judgement, influenced by needs of user
• - Use professional judgement and smallest level of misstatement that could be material
• - Preliminary assessment should be revised as audit progresses
• - One or more levels of tolerable misstatement should be determined

Required documentation that's based on the audit strategy and outlines nature, extent and timing of procedures to be performed. Should list audit procedures believed necessary, in detail (with NET) and reference to assertion under consideration

• - Risk assessment procedures
• - Further audit procedures (tests of controls and substantive procedures)
• - Other procedures (e.g. letter to client's attorney)
• - Timing of audit procedures

• C - completeness (that nothing's missing)
• O - cut-Off (proper period)
• V - valuation, allocation and accuracy (recorded fairly)
• E - existence and occurence
• R - rights and obligations (account balances/disclosures of assets/liabilities)
• U - understandability and classification (disclosures)

• - Assertions with meaningful bearing on whether sometihng's fairly stated
• - Transactions and events (completeness, cutoff, accuracy, classification, occurrence)
• - Account balances (completeness, allocation and valuation, rights and obligations, existence)
• - Presentation and disclosure (completeness, understandability and classification, rights and obligations, and valuation and accuracy)

• - Shouldn't have responsibility for audit decisions/judgements/assessments, nor for issuing report
• - Can provide useful information to auditor in understanding IC, assessing risk, and performing substantive tests
• - Also can provide direct assistance to CPA

• - Obtain and understanding of internal audit function (part of monitoring internal control)
• - Assess competence and objectivity (if using work of internal auditor)
• - Supervise and review
• - Bear responsibility (ultimate responsibility is to external auditor)

External should evaluate and test work (US says test some of work related to significant assertions), through examining what internal auditor examined or similar ones

• - May be engaged whenever auditor deems necessary, but auditor must understand nature of work and evaluate their findings for suitability in corroborating F/S amounts
• - Auditor should be satisfied to professional competence and repurtation of specialist (treat as own staff)
• - Any unresolved disagreements/findings -> qualified opinion or disclaimer of opinion (scope limitation)
• - Shouldn't reference specialist if standard unqualified, but reference if departure

Audit risk is the risk that the auditor may issue unqualified opinion on a bad F/S. Should reduce audit risk to a low level, and is because auditor can only obtain reasonable (not absolute) assurance

Omissions or misstatement of accounting information that makes it probable the judgement of a reasonable person would be changed by it. Can result from errors or fraud, and consist of known misstatements (specific identified ones) adn likely misstatements (likely to exist due to differences between auditors and mgmt judgment)

Equals RMM (assessed by auditor, exists independently of audit) x DR (controlled by auditor)

• Inherent risk - that the client's accounting system has errors
• Control risk - client's internal control doesn't catch the errors

• What does DR consist of? (Detection risk)
• That auditor will miss this mistake/error. Auditor can/will revise "NET" to change DR risk based on RMM. Some amount always exist.

• - Considered at F/S level (risks that have pervasive effect on F/S to many assertions, often relates to control. Relates to designing further audit procedures and response to it)
• - Considerations at account balance, transaction class or disclosure item level (determine 'NET' of audit procedures, and there's an inverse relationship between audit risk and materiality)
• - Affected by size/complexity, auditor experience and knowledge of entity
• Substantive tests
• - Will always be necessary for all relevant assertions related to material transaction classes, account balances and disclosures
• - Is inversely related to the acceptable level of detection risk

• - Fraudulent financial reporting (lying) in intentional misstatements or omissions from F/S to deceive users
• - Misappropriation of assets (stealing)
• - Corruption (cheating)

• - Incentives/pressures - a reason to commit fraud
• - Opportunity - lack of effective controls
• - Rationalization/attitude - attempt to justify fraudulent behavior

• - Threatened financial stability or profitability
• - Excessive pressure for management to meet third party expectations
• - Threats to management or board of director's personal financial situation based on entity's financial performance
• - Excessive pressure on mgmt or operating personnel to meet financial targets

• - Nature of industry or entity's operations
• - Ineffective monitoring of management
• - Complex or unstable organizational structure
• - Deficiencies in internal control

Even a properly planned and executed audit may fail to detect fraud since those engaged in fraud will generall try to conceal it, so should just try to limit audit risk to a low level

• - Management's responsibility to design and implement programs and controls to prevent, deter and detect fraud
• - Auditor's responsibility is to design a plan and perform the audit to obtain reasonable assurance about whether the F/S are free of material misstatement either from error or fraud (should assess RMM from fraud)

Auditor should obtain written representation from management that it has disclosed to the auditor the results of its assessment of the risk that the F/S may be materially misstated as a result of fraud

• - Professional skepticism (can occur regardless of past experience/thoughts of mgmt's integrity, and shouldn't dismiss any info as a fluke)
• - Discussion among personnel should include consideration of risk of mgmt override of controls and other potential MM due to fraud

• - Inquire of entity personnel (in-house) of anything regarding fraud and inconsistent responses indicate need for additional evidence
• - Consider results of analytical procedures (during planning stage and final review stage)
• - Evaluate fraud risk factors (POR, and use professional judgement to determine if they're there) - absence doesn't mean there's no fraud

• - Attributes to consider when analyzing risk (type, significance, likelihood, and pervasiveness)
• - Presumption of risk (improper revenue recognition and mgmt override of controls)
• - Size/complexity/ownership characteristics of entity and management
• - Susceptibility of items to manipulation (when management judgement is involved or very complex accounting principles)
• - After identifying, evaluate risks with effects to entity's programs/controls

• - Overall, general response (assigning personnel, determining level of supervision, evaluating management, mixing procedures up)
• - Response encompassing specific audit procedures (nature/extent/timing)
• - Response addressing risks related to management override (examine J/E, review acct estimates, evaluate purposes of unusual transactions)

• - Revenue recognition (confirm contracts, analytical procedures of data, etc.)
• - Inventory quantities
• - Management estimates (use specialist or have independent estimate, compare to last years)

• - Conditions identified during fieldwork (discrepancies in accounting records, conflicting/missing evidential matter, problematic relationships between auditor/management)
• - Analytical procedures (required during planning stage and final review stage)
• - Misstatements due to fraud (should withdraw of management's integrity, and reevaluate assessments and procedures)
• - Final evaluation (might need to perform additional procedures)

• - Fraud causing material misstatement -> senior management and charged with governance
• - Fraud involving senior management -> those charged with governance
• - Significant deficiencies or weaknesses in internal control -> senior management and charged with governance
• - Other -> charged with governance

• - Planning discussion, procedures performed, specific identified risks, results of procedures, other relationships
• - If auditor hasn't identified improper revenue recognition as a fraud risk, support for conclusion (WHY?)

• - Auditor's responsibility is to detect direct effect illegal acts, but no obligation of indirect effect illegal acts (may be discovered)
• - Possible illegal acts should be investigated into, and detected illegal acts should be communicated
• - Effects should be considered in auditor's report and evaluation of internal control

• I - internal control, entity and environment (obtain an understanding)
• M - material misstatement - assess the risk
• A - assessed level of risk response
• C - control testing
• P - perform substantive testing
• A - audit evidence - evaluate appropriateness and sufficiency

• - Inquiries
• - Analytical procedures (planning/final review, and required GAAS analytical procedures performed during planning to review data (financial/non-financial) and understand entity and identify unusual items)
• - Observation and inspection
• - Risk assessment discussion with audit team
• - Other procedures (reviewing external info, prior period evidence, etc)

• - Industry, regulatory, and other external factors
• - Nature of the entity
• - Objectives, strategies, and business risks (latter results from events/circumstances that could adversely affect entity's ability to achieve it's objectives/executive strategies)
• - Entity's financial performance
• - Internal control, including selection/application of accounting policies
• Analytical procedures performed during planning an audit
• - Review of data aggregated at a high level, such as comparing F/S to budgeted or anticipated results
• - Generally, financial data is used although non-financial (# of employees, square footage of selling space, volume of goods produced) may also be considered
• - Objectives of these procedures is to enhance auditor's understanding of entity and transactions/events that have occurred since last audit date, and identify unusual transactions/events, amounts, ratios, trends, etc that might be significant to F/S or represent relevant risks

• - Reliability of financial reporting
• - Effectiveness and efficiency of operations
• - Compliance with applicable laws and regulations

• C - control environment (overall tone of organization)
• R - risk assessment (management's identification of risk)
• I - information and communication systems (means of recording transactions and communicating responsibilities)
• M - monitoring (assessment of internal control performance over time)
• E - existing control activities (control policies and procedures)

• - Communication and enforcement of integrity and ethical values of the people who're in charge of internal controls
• - Commitment to competence
• - Participation of those charged with governance
• - Management's philosophy and operating style
• - Organizational structure
• - Assignment of authority, responsibility and accountability
• - Human resource policies and practices

• - Entity's identification and analysis of risks to achievement of its objectives (which auditor should obtain understanding of)
• - Includes business risks and accounting risks arising from circumstances or events
• - Management may take action or decide to accept risk

• - Support identification, capture, and exchange of information in a timely and useful manner.
• - The procedures (automated and manual) and records to initiate, process, authorize, record and report transactions, events and conditions

• - Accounting processing from initiation to inclusion in F/S
• - Accounting records (electronic and manual) supporting info, and specific accounts involved in initiating, authorizing, recording, processing and reporting transactions
• - The financial reporting process, including the development of significant accounting estimates and the inclusion of appropriate disclosures
• Monitoring in an internal control system
• - Process that assesses the quality of internal control performance over time by assessing design/operation of controls and taking necessary corrective actions
• - Establishing and maintaining internal control is a responsibility of management

• P - prenumbering of documents (ensure completeness and existence)
• A - authorization of transactions (signed approval)
• I - independent checks to maintain asset accountability (verification of work by others)
• D - documentation (paper trail)
• T - timely and appropriate performance reviews (analytical procedures comparing performances)
• I - information processing controls (application controls and general controls to ensure valid and accurate transactions)
• P - physical controls for safeguarding assets (security)
• S - segregation of duties (separate authority/recording/custody "ARC")

• - Not necessary to assess all, but use judgement to determine which ones
• - Preventative controls vs. detective controls

• - Evaluate design, implementation and procedures (used to obtain evidence about design/implementation through inquiry, observation, inspection, observation of premises, and walkthroughs)
• - Assess the risk of material misstatement by ID'ing the different types
• - Design the 'NET' of further audit procedures

• - Trace transactions from inception through recording to confirm auditor's understanding and evaluate design
• - Done through single transaction or identifying key steps in processing of a class of transactions
• - Involve inquiry and additional procedures (observing individuals, re-performance, inspecting records, corroborating inquiry responses with others)

• F - flowcharts (system flowcharts and program flowcharts)
• I - internal control questionnaires (yes/no/explanations, used for each assertion of mgmt ('COVERU'))
• N - narratives (hard to "see", use for less complex)
• D - documentation from client

IT exception - IT system may make it impossible to reduce detection risk thru substantive testing alone, so must do control testing as well

• - Manual controls are performed by people when needing judgement and discretion for large/unusual/difficult/nonrecurring/changing transactions, and are also used to monitor automated controls (but pose additional risk of human error or being ignored/overriden)
• - Automated controls are performed by IT and are good for high volume/recurring transactions and control activities that can be adequately designed and automated
• General vs. application controls
• - General controls related to many applications and support effective functioning and proper operation of the information system
• - Application controls apply to processing of individual transactions and help ensure they occurred, authorized, are accurate (e.g. controls over input, processing, and output)

• - Ability to process large volumes of transactions and data accurately and consistently
• - Improved timeliness and availability of information
• - Facilitation of data analysis
• - Reduction in the risk that controls will be circumvented
• - Enhanced segregation of duties through effective implementation of security controls
• - Enhanced ability to monitor performance of entity's activities and its policies and procedures

• - Potential reliance on inaccurate systems (garbage in/garbage out)
• - Unauthorized access to data, which may result in loss/inaccuracies
• - Unauthorizated changes
• - Failure to make required changes or updates
• - Inappropriate manual intervention
• - Potential loss of data
• **Auditor should document program use and perform tests more often during year

• - Management override of internal control
• - Human error (in design or use)
• - Deliberate circumvention of controls by collusion of two or more people
• - Segregation of duties may be difficult to achieve in a smaller entity (separate control group, operators, programmers, analysts, librarian)

• Service organization services are considered to be a part of a user's entity's information system when those services affect the initiation, execution, processing
• or reporting of the user company's transactions

• - Type 1 report: report on management's description of the service organization's system and the suitability of the design of controls (doesn't provide user/CPA with a basis for reducing the assessment of control risk)
• - Type 2 report: report on management's description of the service organization's system and the suitability of the design and operating effectiveness of controls(may provide evidence that would allow a reduction in assessed level of control risk)

• - Assertion level risks relate to specific transactions, balances, or disclosures at relevant assertion level
• - Financial statement level risks are risks that relative pervasively to the F/S as aw hole

• - Risk of fraud
• - Significant recent economic, accounting, or other developments
• - Related parties and related party transactions
• - Improper revenue recognition
• - Nonroutine, unusual or complex transactions
• - Accounting estimates or other subjective measurements of financial information
• - Illegal acts
• - Accounting principles that are subject to different interpretations

Only inherent risk, when it's exceptionally high (ignore effects of controls)

• - Discussion among audit team
• - Key elements of the understanding of the entity and its environment
• - The assessment of the risks of material misstatement
• - The identified risks and related controls evaluated by the auditor

• - Nature
• - Extent
• - Timing

• Use if there are:
• - No effective controls relative to the specific assertion
• - The implemented controls are assessed as ineffective
• - It would not be efficient to test the operating effectiveness of controls

Both tests of operating effectiveness of controls and substantive procedures are used. Typically, if controls are operating effectively, less assurance will be required from substantive procedures.

• - The auditor's risk assessment is based on the assumption that controls are operating effectively
• - In situations where a significant amount of IT is used, substantive procedures may not be sufficient
• - Only controls that are suitably designed to prevent or detect material misstatements are subject to tests of operating effectiveness
• - Include inquiries, inspection, observation and re-performance (inquiry alone is not sufficient)

• 1) Personal observation knowledge
• 2) External evidence
• 3) Internal evidence
• 4) Oral evidence

• - Should perform tests throughout a period to prove it's been working well, not just as one time
• - Controls tested only during interim period should be supplemented by additional evidence for the remaining period (roll-forward)
• - If using evidence from prior audit, need to re-test if controls have changed
• - If controls haven't changed, since operating effectiveness must be tested at least once every third year

• - Used to detect material misstatements at the relevant assertion level, and are required for each material transaction class, account balance or disclosure
• - Nature: tests of details and substantive analytical procedures
• - Extent: referring to sample size
• - Timing: roll forward interim tests, and testing at interim increases risk (so should be done at/near end period)

• - Results may lead auditor to change audit plan and procedures accordingly
• - If fraud's discovered, use professional skepticism
• - Use judgement to evaluate sufficiency and appropriateness of audit evidence

• - Overall response addressing assessed risk at the F/S level
• - Nature, extent and timing of further audit procedures
• - Linkage of audit procedures with assessed risks at relevant assertion level
• - The results of audit procedures
• - The conclusions reached regarding use of prior period audit evidence in evaluating current operating effectiveness of controls

• - Types of misstatements that could occur
• - The risk that misstatements could occur
• - Factors that influence the design of tests of controls and substantive tests
• - The assessment of inherent risk
• - Judgments about materiality
• - The complexity and sophistication of the entity's operations and systems
• - The use of manual vs. computerized control procedures

• - $ balances
• - Analytical procedures
• - Ratios