Audit Manual 2015 Single File PDF

Uploaded by

Immad Ahmed

Chapter One - Horizon

Summary

This Chapter presents an overview of Horizon – Grant Thornton’s audit methodology.

Overview of Horizon
1.01 This Chapter presents an overview of Horizon – Grant Thornton's audit
methodology. Although Horizon is the same regardless of the size or type of entity, the
procedures selected and the extent of work performed will vary considerably for each
audit. Horizon is Grant Thornton’s means of complying with firm policies and
professional standards, including the standards established by the International Auditing
and Assurance Standards Board (IAASB).

1.02 The following flowchart depicts the principal components of the Horizon
methodology. It is not intended to suggest that the audit is a linear process.

1.03 As the chart depicts, Horizon’s principal components consist of:
• identifying financial statement risks
• evaluating the likelihood that those risks could cause a material misstatement
• responding to the identified risks

Identifying Financial Statement Risks

Understanding the Entity and its Environment

1.04 Horizon requires an understanding of the entity and its environment, including its
internal control. This understanding helps the audit team:
• identify where misstatements could occur in the financial statements
• tailor audit procedures to achieve an effective audit
• determine whether special skills are needed to achieve the audit objectives

1.05 Obtaining an understanding of the entity and its environment is a dynamic
process that occurs throughout the entire audit. This process enables the audit team to
understand how the entity fulfills its objectives and how the transactions are captured
and recorded in the financial statements. The audit team should be in a position to know
not only what risks the entity may face, but where those risks will manifest themselves
in the financial statements.

1.06 The procedures performed by the audit team to obtain this understanding are
called the risk assessment procedures. While the risk assessment procedures are
performed primarily to obtain the understanding of the entity and its environment, they
may also provide evidence to support certain financial statement assertions.

Risk Assessment Procedures

1.07 The audit process has three phases: planning, execution, and completion. While
all three phases are important to achieving a quality audit, the planning phase is
particularly important because that is where risks are identified and audit procedures
are designed to respond to identified risks. It is in the planning phase where the
understanding of the entity and the skills and experience of the audit team come
together to create a tailored audit program that addresses the risks of each
engagement.

1.08 In Horizon, performing risk assessment procedures means that the audit team:
• captures information about the entity and its environment, including its outsourced activities, IT profile, operating structure and nature of its revenues
• makes inquiries of management, internal auditors, and those charged with governance
• makes inquiries of others in the entity, as needed
• determines materiality
• performs preliminary analytical procedures
• evaluates the inherent risk indicators
• captures entity-level controls
• identifies significant cycles
• captures information about the accounting system

1.09 Risk assessment procedures are concentrated at the beginning of the audit, but
they also could occur during the execution phase of the audit as the audit team reacts to
findings.

1.10 As the risk assessment procedures are performed, the audit team acquires a
great deal of knowledge about the entity and its environment. This knowledge results in
the identification of conditions and events that may or may not affect the financial
statements. Horizon refers to these conditions and events as “matters.” Matters are the
bridge between the understanding obtained in performing the risk assessment
procedures and the risks that could cause the financial statements to be materially
misstated.

Financial Statement Risks

1.11 Horizon is designed to detect material misstatements in the financial statements.
The risk of failing to detect a material misstatement is managed by the work performed
by the audit team. The nature, timing, and extent of this work are directly proportionate
to the risks of material misstatements and where they are more likely to occur. That is
why the proper identification of risk is very important in the Horizon methodology.

1.12 The financial statement risks generally fall into four broad categories. These are:
• accounting errors
• financial reporting errors
• fraud
• going concern

1.13 Accounting errors occur when people make mistakes or the system is poorly
designed. Financial reporting errors are mistakes or omissions in the financial
statements, including disclosures. Fraud includes both fraudulent financial reporting and
misappropriation of assets. Finally, there are risks associated with the entity’s ability to
continue as a going concern.

1.14 While it is helpful to think of risks in such broad terms, it is difficult to focus audit
effort at this level. Accordingly, Horizon further classifies these broad risks into specific
risks at the financial statement assertion level. This allows Horizon to suggest an
appropriate response when a risk is identified by the audit team.

1.15 Audit attention is focused on those financial statement risks that are more likely
to cause a material misstatement. Horizon identifies these risks as reasonably possible
risks or, expressed differently, risks that are more likely to be the cause of a material
misstatement. Some reasonably possible risks have an elevated level of inherent risk
and certain other characteristics including fraud, adoption of a new accounting standard,
complexity, and measurement uncertainty, among others. These risks are identified as
significant risks. Because the risk assessment process is such an important aspect of
Horizon, the audit partner and manager are required to actively participate in the
process.

Matters

1.16 As described above, Horizon uses the term “matters” to describe the conditions
and events identified in performing the risk assessment procedures that may be the
source of a financial reporting risk that may have an impact on the financial statements.
Voyager introduces matters into the engagement file based on the industry and
information entered by the audit team. Matters can also be added by the audit team.

1.17 Matters are used to bridge the information gathered by the audit team in
obtaining an understanding of the entity and its environment to the financial statement
assertions and the risks that could cause material misstatements.

1.18 Matters themselves are not the end objective. As previously stated, they are
simply the way Horizon connects the information learned about the entity and its
environment to financial statement risks. The ultimate objective is to identify the
financial statement risks that could cause the financial statements to be materially
misstated.

Cycles

1.19 Financial statement elements are the individual transactions and balances that
collectively make up the financial statements. Sales and receivables are two examples
of financial statement elements. In understanding a business process, financial
statement elements are not independent items. There is a relationship among various
income and expense accounts and balance sheet accounts. An example is sales,
accounts receivable and cash receipts. Accounts receivable exist because sales occur
and are realized when converted to cash upon receipt of consideration from a customer.
These groupings of accounts are called cycles to reflect normal business processes,
double entry bookkeeping, and the functioning of accounting and control systems.

1.20 Horizon utilizes the cycle approach in designing an audit program. This permits
consideration of the interrelationships throughout the financial statements and
disclosures, such as between income and expense accounts and their corresponding
balance sheet accounts in designing an audit strategy.

1.21 The Horizon methodology only requires audit procedures to be performed on
accounts within significant cycles. A significant cycle is one that contains accounts or
disclosure amounts that are quantitatively or qualitatively material to the financial
statements. Quantitative materiality and tolerable error are judgments made by the audit
team. Accordingly, a cycle would be significant if any accounts or disclosures within the
cycle are greater than tolerable error. Qualitatively material accounts may not be large,
but they represent a risk due to other factors such as related party implications,
complexity or the relative importance of the account to users of the financial statements
or regulators.

1.22 This is not to say that Horizon requires the same level of audit effort for every
account in a significant cycle. Designating a cycle as being significant is the starting
point and the audit team will later identify the financial statement risks within the cycle
and how to respond to them.

Financial Statement Assertions

1.23 Assertions are representations by management that are embodied in the
financial statements. The assertions used in Horizon are:
• existence or occurrence
• completeness
• cut-off
• rights and obligations
• valuation or allocation (gross and net)
• presentation and disclosure

1.24 In Horizon, specific financial statement risks are grouped within the relevant
assertion where they could manifest themselves. The audit team identifies the pertinent
risks and identifies where the misstatements could occur in the financial statements
by asking “what could go wrong?” Based on the likelihood that such risks could cause a
material misstatement, and the significance of those risks, the audit team develops an
appropriate response.

Evaluating the Likelihood that Risks Could Cause Material Misstatements

1.25 After the audit team identifies the financial statement risks that could cause a
material misstatement, the audit team then evaluates which of the identified risks are
more likely to cause a material misstatement, including those that should be considered
significant. This may prove to be a challenging aspect of the risk assessment process
for the audit team. Because the impact of this evaluation on the audit strategy is so
significant, it is essential that the partner and manager be part of this process.

1.26 Horizon is designed to focus audit effort on assertions that pose the greatest risk.
This requires the audit team to first identify the specific risks within an assertion that
could cause a material misstatement. Next, because the same degree of risk of material
misstatement does not necessarily apply to all the identified risks within an assertion,
the audit team must make a judgment about the likelihood that each risk could cause a
material misstatement. Accordingly, Horizon categorizes risks as those that are
reasonably possible, including those that are significant risks, and those that are not
reasonably possible. Horizon also considers fraud risks. When fraud risks are identified,
they are always designated as reasonably possible and significant risks.

1.27 A risk is “reasonably possible” when the likelihood of a material misstatement
occurring is more than remote. When the audit team believes that a material
misstatement is not very likely in a particular account, then the associated risks are
remote (not reasonably possible).

1.28 Risk of material misstatement is implicit in all financial statements and therefore
every audit will have risks that are reasonably possible. Designating a risk as
reasonably possible does not mean that the audit team expects to find material errors or
fraud. However, it does cause the documentation to reflect the possibility that material
errors or fraud could be present.

1.29 Some reasonably possible risks are also significant risks. Significant risks have a
higher risk of material misstatement and require special audit consideration beyond the
ordinary or routine. Designating a risk as being a significant risk is a judgment made by
the audit team.

Responding to Identified Risks

Reasonably Possible Risks

1.30 As previously mentioned, reasonably possible risks are those where the
likelihood of a material misstatement occurring is more than remote. To respond to a
reasonably possible risk, the audit team should first understand how the entity responds
to the risk.

1.31 An entity responds to a risk by establishing internal controls. Internal controls are
the policies and procedures that the entity implements to produce accurate financial
statements and protect its assets. For risks assessed as being reasonably possible, the
audit team should obtain an understanding of these controls before an adequate
response can be designed. To understand internal control, the audit team:
• captures the controls
• evaluates their design
• verifies they are implemented

1.32 When controls are designed effectively and implemented, testing them to
determine whether they operate effectively will frequently be the most effective and
efficient response to a particular risk. This is because the audit team may rely on
controls that were tested effective to reduce the substantive procedures that would
otherwise be performed.

1.33 The audit team should assess inherent risk for each assertion with reasonably
possible risks. Inherent risk is the susceptibility of an assertion to material misstatement,
assuming there are no related internal controls. This risk is greater for some assertions
and related classes of transactions, account balances or disclosures than for others. For
example, cash transactions are generally more susceptible to theft than certain
inventories. Complex calculations are more likely to be materially misstated than simple
calculations. Accounts consisting of amounts derived from accounting estimates will
have greater risk of misstatement than accounts consisting of relatively routine, factual
data.

1.34 Ordinarily, audit teams will assess inherent risk as either medium or high since it
is not logical to assess inherent risk as low for an assertion that contains reasonably
possible risks. In rare cases where the audit team considers the proper assessment of
inherent risk for an assertion to be low, therefore requiring only a minimal response to
the risks within that assertion, it is likely that the associated risks were incorrectly
assessed as being reasonably possible.

1.35 The last step in responding to reasonably possible risks is to determine the
nature, timing and extent of the substantive procedures to perform. The audit team
makes these judgments by using their understanding of the controls (including whether
the audit team performed tests of controls and whether the tested controls operate
effectively) and the inherent risk assessment of the relevant assertion. Horizon uses
that information (inherent risk and intended control reliance) to suggest an audit
program that the audit team tailors to appropriately respond to the risks.

Significant Risks

1.36 As previously mentioned, significant risks are those reasonably possible risks
that have a higher risk of material misstatement and require special audit consideration.
Special audit consideration means:
• Understanding internal controls related to the risk sufficient to design an appropriate response, and
• Performing substantive procedures that are specifically responsive to the risk.

1.37 In some situations, it may be possible to respond to a significant risk by testing
controls and performing substantive procedures. However, many significant risks may
be associated with assertions, events and transactions that may involve non-routine,
non-systematic events for which controls may not be well established. When the
response to a significant risk consists only of substantive procedures, those procedures
should include tests of details.

Not Reasonably Possible Risks

1.38 As mentioned previously, Horizon requires an audit response for all significant
cycles. The audit team may judge that a transaction cycle has no reasonably possible
risks even though it may contain material monetary amounts.

1.39 When the risk of material misstatement is not reasonably possible, the audit team
may decide that substantive procedures alone will appropriately reduce the risk of a
material misstatement to an acceptably low level. Further, the substantive procedures
performed in response to not reasonably possible risks are ordinarily less extensive
than those procedures required for reasonably possible risks. For example, the risk of
material misstatement for the risk “capital asset activity not valid” may be addressed by
scanning the additions to identify large and unusual additions to vouch whereas
sampling might be appropriate if the risk were assessed as reasonably possible.

Exhibit 1.1 - Financial Statement Assertions

E01 Horizon uses the following financial statement assertions:

Existence or Occurrence

E02 Assertions about existence or occurrence deal with whether assets or liabilities
exist at a given date (referred to as existence), and whether recorded transactions have
in fact occurred during a given period (referred to as occurrence). The audit of the
existence and occurrence assertions is essentially concerned with establishing that
balances within transaction cycles are not overstated.

Completeness

E03 Assertions about completeness deal with whether all balances and
transactions that should be presented in the financial statements are properly recorded.
The audit of the completeness assertion is essentially concerned with establishing that
balances within transaction cycles are not understated.

Cut-off

E04 Assertions about cut-off deal with whether all assets, liabilities, income and
expenses are reported in the appropriate period. Cut-off is a separate assertion
because the substantive procedures to verify it are typically different from those applied
to the other components of completeness.

Rights and Obligations

E05 Assertions about rights and obligations deal with whether the entity has rights
to assets (i.e., whether the entity has ownership and title to assets) and liabilities
represent all the entity’s obligations at a given date. These assertions relate to whether
the entity was, in actuality, party to a transaction, and whether the transaction was for
valid business purposes.

E06 Rights and obligations assertions may in many cases be inseparable from the
existence and completeness assertions, and do not normally require separate audit
attention. However, where an entity deals with assets, liabilities or transactions
pertaining to other parties, this may not be so.

Valuation

E07 Assertions about valuation deal with whether assets and liabilities are included
in the financial statements at appropriate amounts. Horizon subdivides the valuation
assertion for asset and liability accounts into “gross” and “net.” Valuation “gross” deals
with recording or allocating the proper amounts and valuation “net” deals with
recognizing appropriate impairment adjustments. Because the required responses to
financial statement risks associated with “gross” and “net” are typically different, the
valuation assertion in Horizon is separated into two assertions: valuation-gross and
valuation-net.

Presentation and Disclosure

E08 Assertions about presentation and disclosure deal with whether particular
items in the financial statements are properly classified, described, and disclosed.

E09 Presentation and disclosure assertions are considered during the course of
the audit by procedures to determine that disclosures are complete and accurate. The
disclosures that are most susceptible to material misstatement are those that require
significant judgment and qualitative assessments. Audit teams assess the
completeness and accuracy of disclosures by determining that the disclosures provide
information in a manner that does not materially omit, distort or mislead the user.

E10 Many firms use a financial statement disclosure checklist, generally completed
near the conclusion of the audit, to assist in determining that disclosures are complete.

Chapter Two — Responsibilities of Those Involved in the Audit

Summary

This Chapter discusses the responsibilities of management and the audit team in
achieving a successful audit.

Introduction
2.01 The professional literature makes an important distinction between the
responsibilities of management and those of the independent auditor. Management is
responsible for preparing and presenting the entity's financial statements in accordance
with the applicable financial reporting framework. The auditor is responsible for forming
and expressing an opinion on the financial statements.

Management Responsibilities
2.02 Management is responsible for preparing and presenting the financial
statements in accordance with the applicable financial reporting framework. These
responsibilities include:
• designing, implementing, and maintaining internal control relevant to the preparation and presentation of financial statements to ensure the financial statements are free of material misstatements, whether due to error or fraud
• selecting and applying appropriate accounting policies
• making accounting estimates that are reasonable in the circumstances

Designing, Implementing, and Maintaining Internal Control over Financial Statement Preparation and Presentation

2.03 Management is responsible for designing, implementing, and maintaining
internal control relevant to the preparation and presentation of financial statements. This
includes the financial reporting processes that will initiate, authorize, record, process,
and report transactions consistent with management's assertions embodied in the
financial statements. Management is also responsible for preventing and detecting
fraud, and complying with laws, regulations, grants, and contracts.

2.04 Effective internal control includes the people who perform the financial
reporting processes. Management’s responsibilities include hiring decisions, evaluating
the capabilities and integrity of the entity's personnel and the day-to-day supervision of
personnel to ensure that they fulfill their assigned responsibilities.

2.05 During the course of the audit, the audit team may identify misstatements and
propose adjusting entries. Nevertheless, such entries remain the responsibility of
management and must be approved by management before being recorded.
Management is responsible for adjusting the financial statements to correct
misstatements and for affirming to the audit team in a representation letter that the
effects of any uncorrected misstatements are immaterial, both individually and in the
aggregate, to the financial statements taken as a whole.

2.06 Due to public company independence rules, the audit team cannot be part of
an entity’s financial reporting processes and controls. This includes assisting in the
preparation of financial statements. However, management of non-public entities may
request assistance from the audit team in drafting financial statements and notes in an
acceptable format.

2.07 [Tailor the following paragraph for your available reference material and your
policies and procedures] When permitted by independence rules, the audit team may
assist a non-public audit client in drafting financial statements. This is considered a
nonattest service, which can impair the firm’s independence, unless certain precautions
are taken. Therefore, in this situation, management is also responsible for the following,
which must be documented in the engagement letter:
• making management decisions and performing all management functions
• designating a competent employee to oversee the services the audit team performs in assisting with financial statement preparation
• evaluating the adequacy of the audit team’s work
• accepting responsibility for the financial statements
For a complete discussion on independence matters, refer to the Independence and
Ethics Manual, which is located in GEL.

2.08 The audit team can propose modifications in financial statement format and
various suggestions as to wording of notes to the financial statements and other
disclosures without impairing independence.

Selecting and Applying Appropriate Accounting Policies


2.09 Management's selection of appropriate accounting policies provides the basis
for a fair presentation of the financial statements. In areas of accounting where
alternative accounting principles exist, it is management's responsibility to review the
nature and peculiarities of its business and to select those principles that will most
clearly and accurately communicate the financial position and results of operations. The
audit team may counsel and advise management as to the desirability and propriety of
adopting certain accounting principles, but management makes the ultimate decision.

2.10 When the audit team believes that critical accounting policies are inappropriate
or not the best alternative available, they are responsible for communicating this to
those charged with governance.

Making Reasonable Accounting Estimates

2.11 Management is responsible for making the accounting estimates included in
the financial statements. These estimates are often made in conditions of uncertainty
regarding the outcome of events that have occurred or are likely to occur and involve
the use of judgment.

Audit Team Responsibilities

Professional Considerations
2.12 The responsibilities and functions of the independent auditor are expressed in
professional standards. The primary responsibility is to express an opinion on
management's financial statements based on the audit.

2.13 Auditing standards and related guidelines and interpretations relate to the
conduct of an individual audit engagement and address concepts such as competence,
due care, independence, audit evidence, and financial reporting. Auditors who fail to
comply with auditing and other related professional practice standards are subject to
disciplinary sanctions by regulatory and professional bodies.

2.14 [Tailor the penultimate sentence for your applicable regulation] Quality control
standards relate to the conduct of a firm's audit practice as a whole. As a member of the
Forum of Firms, each GTI member firm must comply with the international quality
control standards when associated with financial statements. Likewise, the U.S. firm is
subject to PCAOB and AICPA standards. Thus, each auditor or firm who fails to comply
with the auditing and other related professional practice standards is subject to
disciplinary sanctions.

Confidentiality

2.15 Client affairs are confidential and all precautions should be taken to avoid any
breach of confidentiality. During the course of an engagement, certain information may
become known regarding the client's future business plans, results of current
operations, sensitive payroll or personnel matters, etc. Care should be taken by firm
personnel to be discreet about such matters, both with client personnel and with
external parties. In connection therewith:
• client affairs should not be discussed with third parties such as bankers, lawyers, investment advisers, or other clients, without proper authorization
• clients should give their written approval for us to email financial information to them or to others (generally included in the engagement letter)
• confidential information should not be discussed with client personnel who are not authorized to hear such information and who have no business need to know
• discretion should be used in discussing client matters with firm personnel who are not involved with the client. Disclosure of confidential information to such personnel should be avoided if it serves no business purpose.
• never discuss client matters, even those of a non-confidential nature, with outsiders such as personal friends or relatives
• never discuss client matters in public places where the conversation may be overheard by others

2.16 [Tailor the following paragraph to suit your policies, procedures and relevant
outsiders] Except for routine situations, such as tax matters where a power of attorney
is obtained, firm personnel should not discuss current or former clients or the firm's work
with outsiders (including IRS, Inspector General, FBI agents, and attorneys). They
should tell the inquirer such matters cannot be discussed and refer them to RRLA to
determine the appropriateness of the request.

2.17 [Tailor the following paragraph for your applicable policies and procedures]
Firm policy and professional ethics require that the above matters not be discussed,
whether or not the individual believes the matters are confidential. Firm personnel
should not agree to an interview or to provide documents or any other information until
RRLA is contacted. If firm personnel are served with a subpoena, they should
immediately contact RRLA. The result of unauthorized discussion is additional
subpoenas, increased cost to the firm, and legal actions.

2.18 [Tailor the following paragraph for your applicable policies and procedures]
Situations might exist, such as in response to a subpoena, where the firm has a duty to
disclose otherwise confidential information to a proper authority. These situations
should be cleared through the NPPD and RRLA.

Insider Trading

2.19 [Tailor the following paragraph for your applicable regulations] Securities laws
provide for actions that could be taken by the SEC to seek civil penalties from any
person purchasing or selling a security while in possession of material nonpublic
information. During the course of their work, firm personnel might become aware of
such information. Any actions taken by firm personnel based upon discussions with
other employees in the firm, which might be construed as insider trading, are strictly
prohibited.

2.20 Therefore, all firm partners, principals, and professional and administrative
personnel, without regard to their line of business or position in the firm, should be
aware of the insider trading rules. In addition, everyone should exercise caution when
discussing client information in any public place and avoid making inadvertent disclosures
of client-related information to others, including family members. Because of
professional responsibilities, these rules apply without regard to how the individual
became privy to such non-public, confidential client information.

Material Non-Public Information

2.21 Information on revenues, earnings, mergers, acquisitions, tender offers, joint
ventures, new products, new developments regarding customers and suppliers,
changes in management, changes in auditors, bankruptcies, and similar information are
examples of the types of non-public information that would be considered material
non-public information.

Client Records and Documents

2.22 Client records in the audit team’s custody at the client's office should be
appropriately safeguarded and protected from unauthorized access. All client records
and documents should be returned to authorized client personnel in proper condition.

2.23 Records and documents should not be removed from a client's office except
for special circumstances or when the nature of the firm’s services includes the
processing of accounting records. Receipt of written permission from the client is
recommended when records or documents are removed from the client's office. In such
cases, adequate safeguards should be maintained. The firm recommends that receipts
be obtained from the client when records are returned.

2.24 In circumstances where a client data processing file is to be used off-site, such
as for IDEA processing, the file removed from the client premises should be a copy, not
an original.

Conduct of Engagements

2.25 Each engagement should be conducted in conformity with the terms of the
understanding with the client (evidenced by an engagement letter), and in conformity
with the standards of the profession and the firm.

Team Member Roles

2.26 This section discusses the roles in an audit and the responsibilities associated
with each one. Ordinarily these roles will be filled by personnel from the classifications
indicated (partner, manager, etc.), although occasionally they may be filled by personnel
from other staff classifications. For example, a manager may serve as the in-charge
accountant on a certain audit engagement.

2.27 The following roles and responsibilities may exist in an audit:
 client services partner – The client services partner has overall
responsibility for all services (audit and non-audit) rendered to the client.
This partner may be primarily assigned to any of the firm's disciplines.
 lead partner – The lead partner is responsible for the overall quality of the
engagement, including the report that is issued. The lead partner must be
an audit partner.
 support partner – In larger engagements, other partners may be
responsible for segments of the engagement. Support partners work with
the lead partner to achieve a quality audit.
 manager – In most audits, the partner is assisted in fulfilling such
responsibilities by a manager. The manager helps the partner through
detailed involvement in control and supervision of audit work.
 in-charge accountant – The in-charge accountant is responsible for the
day-to-day conduct of the audit, and the quality of the audit documentation
(along with the partner and the manager) in accordance with standards of
the profession and the firm.
 assistant accountant – The assistant accountant (also referred to as the
staff accountant) is primarily responsible for performing procedures
assigned under supervision by the in-charge accountant.
 quality control reviewer – see Chapter 19.
 tax, IT, and valuation specialists – These specialists may also be included
in the audit team, as discussed elsewhere in the Manual.

2.28 The size and complexity of the engagement are factors in determining the
assignment of personnel. For example, in larger audits, the audit team may include
personnel in all of the foregoing categories, whereas in smaller audits, the client
services partner and the lead partner may be the same person and a manager may not
be assigned.

2.29 Audit staff at all levels should clearly understand their responsibilities and the
objectives of the procedures that they are to perform. They should be made aware of
any matters identified during planning and risk assessment discussions that may affect
the nature, timing, and extent of these procedures. There are various ways this
awareness and understanding may be obtained, including:
 communicating responsibilities and expectations
 studying the prior year's workpapers and financial statements
 reading the audit planning and risk assessment workpapers
 participating in the planning and risk assessment meetings
 having discussions prior to and during field work

Due Care and Professional Skepticism

2.30 Professionals at all levels are expected to exercise due care in the
performance of their responsibilities. The concept of due care is based on a legal
consideration frequently referred to as the prudent man rule. In auditing, it is based on
an assumed prudent practitioner and the knowledge, skill, caution, and responsiveness
that could be expected under the circumstances at issue. While such a concept does
not give objective advance answers to the question of responsibility in any given case, it
does give useful criteria to the auditor and to those who judge the quality of his or her
work.

2.31 Professionals should also approach every audit engagement with an attitude
of professional skepticism. Professional skepticism is an attitude that includes a
questioning mind and a critical assessment of audit evidence. Auditors must objectively
evaluate observed conditions and audit evidence and follow up on any potentially
material negative indicators to determine whether the financial statements are free of
material misstatement, whether by error or by fraud.

2.32 Due care may be expressed as the need for an auditor to:
 be acquainted with the client, its methods of operation, and any significant
practices peculiar to it, or the industry of which it is a part
 understand the internal control of the client
 obtain any knowledge readily available which is pertinent to the
accounting and financial problems of the client
 persist until any reasonable doubt has been eliminated regarding the
existence of material misstatements
 exercise professional skepticism
 exercise caution in instructing audit team members and reviewing their
work

Client Services Partner

2.33 Ordinarily, each client is assigned to a client services partner, a partner who is
considered skillful in managing client relations. The client services partner has primary
responsibility for coordination of all services rendered to that client and for maintaining
the firm's relationship with the client. The client services partner is responsible to the
OMP with respect to such clients. A client services partner who is not a lead partner will
not have responsibility or authority for the resolution of significant technical issues, but
is expected to be kept informed and could render advice. Such matters will be resolved
by the lead partner.

Lead Partner

2.34 The lead partner must be an audit partner (a partner assigned to the audit
practice), unless specifically permitted by other firm policies, such as in an audit of
internal controls at a service organization.

2.35 The lead partner is responsible for conducting the engagement in accordance
with professional standards and ensuring that the report issued by the firm is
appropriate. Therefore, the primary responsibility for professional performance of the
audit, including observance of firm policies and ethical requirements as well as the
exercise of good business and common sense, rests with the lead partner.

2.36 To accomplish this, the lead partner has overall responsibility for supervising
the work of the audit team. The nature, timing, and extent of supervision vary with the
size and complexity of the engagement and the audit team's experience with, and
knowledge about, the entity's business.

2.37 [Tailor the following paragraphs to reflect your firm’s titles and roles and to suit
your policies and procedures] The lead partner is expected to keep up-to-date with audit
and accounting matters, and to consider the practical effect of new developments on the
clients assigned to him or her. The lead partner should maintain knowledge of the
industries in which those clients operate, and should consult, where appropriate, with
the RMP, the NPPD, individuals designated as industry specialists within the firm,
industry specialists outside the firm, the OMP, and the PSP.

2.38 The extent of the lead partner's involvement may vary depending on the
complexity of the engagement, the background and abilities of the audit team members
assigned to the engagement and whether a manager is assigned. Regardless of these
factors, the extent of the lead partner's involvement should always be sufficient to
enable the lead partner to reach informed conclusions regarding the adequacy of the
audit procedures performed and documentation, and the quality and sufficiency of the
audit evidence obtained.

Key Guidelines for Lead Partner Performance

2.39 The lead partner takes responsibility for the overall quality of the audit. Overall
quality is a broad concept that covers such items as:
 compliance with relevant ethical and independence requirements
 client acceptance and reacceptance
 appropriateness of the engagement team
 direction, supervision, and performance of the audit in compliance with
professional standards and applicable legal and regulatory requirements
 reviews being performed in accordance with the firm’s policies
 the auditor’s report being appropriate in the circumstances

2.40 The lead partner fulfills his or her responsibilities by actively participating
during all phases of the audit. Activities include remaining alert to possible violations of
policies, performing observations, making inquiries, participating in meetings, and
assessing information provided by the firm's quality control and management
information systems.

2.41 The lead partner documents the fulfillment of this role by completing Voyager's
Partner Review program, signing-off workpapers reviewed, and maintaining time
records.

Support Partners

2.42 More than one partner may be assigned to an engagement, especially in very
large engagements. Support partners are typically responsible for areas or segments of
an audit and work closely with the lead partner to achieve a quality audit. The lead
partner may delegate some of his or her responsibilities as set forth above to support
partners, as appropriate. The support partner role should be filled by an audit partner.
Partners from other service lines (such as tax) participate in the audit in a specialist role
rather than a support partner role.

Manager

2.43 The manager is responsible for the day-to-day direction, supervision and
performance of the audit in compliance with professional standards and applicable legal
and regulatory requirements. The manager performs audit procedures, supervises
others, performs on-the-job training, and reviews the documentation of the work
performed. Working with the lead partner, the manager coordinates the planning,
execution, and completion of the audit.

2.44 The manager documents the fulfillment of this role by completing Voyager's
Manager Review program, signing-off workpapers reviewed, and maintaining time
records.

2.45 The role of the manager may be filled by a senior manager or manager. When
the manager role is not assigned, these responsibilities are fulfilled by the in-charge
accountant or the lead or support partner.

In-Charge Accountant

2.46 The in-charge accountant has the primary responsibility for the conduct of the
audit as it is outlined by the lead partner and manager, in accordance with firm policies
and professional standards.

2.47 [Tailor the following paragraph to reflect your firm’s titles] The in-charge
accountant is a specific designation for a particular audit. The professional so
designated may bear the general classification of manager, senior associate, or
associate and, for that particular engagement, may or may not be aided by either senior
associates or associates.

2.48 The in-charge accountant carries out the audit in accordance with the
approved audit plan and during all phases, keeps the manager and lead or support
partner aware of progress, any material deviations from the time budget, discovery of
any fraud or errors, difficulties in completing the audit as assigned, and any problems in
relationships with the client's personnel or the assistant accountants.

2.49 In conducting the audit, the in-charge accountant:
 prepares the budget
 participates in the planning and risk assessment meetings
 tailors the Voyager file in consultation with the lead partner and/or
manager
 modifies procedures in Voyager to reflect the entity’s business practices,
identified risks and accounting policies and procedures in consultation with
the lead partner and/or manager
 specifies segments of the audit program to be carried out by other
members of the audit team, communicating with assistant accountants so
that they understand their responsibilities and that they are provided with
appropriate on-the-job training
 supervises the work of the assistant accountants directly. The degree of
supervision depends on the qualifications and experience of the staff and
the tasks they are assigned.
 handles the quality of the audit documentation, including documentation
prepared by assistants
 controls the audit day-to-day, including seeing that the audit is completed in
accordance with the agreed timetable and budgets
 promptly notifies the lead or support partner and manager of any problems
of a technical, administrative, or personnel nature that need action
 completes the planned audit work to satisfy professional standards, the
audit objectives and support the report
 shares responsibility with the manager to see that appropriate
commentaries are prepared and that the conclusions reached support the
audit report
 prepares or reviews audit documentation
 prepares or reviews report drafts
 reviews the workpapers and financial statements
 maintains a good working relationship with the client

Assistant Accountant

2.50 [Tailor the following paragraph to reflect your firm’s titles] In-charge
accountants may be assisted by senior associates or associates or other members of
the audit staff, depending on the size and complexity of the engagement.

2.51 The assistant accountant is a specific designation for a particular audit, not an
employment classification. The assistant accountant is primarily responsible for
performing procedures assigned by the in-charge accountant and reporting the findings
resulting from that work to the in-charge accountant. Such procedures vary with the
nature of the engagement and the experience of the assistant accountant. They may
range from a single step in the audit program to a complete cycle in Voyager, to the
responsibility for a division or a branch of the client.

2.52 In all phases of an audit, the assistant accountant is responsible for
conducting the work in accordance with the standards of the firm and the profession.
More specifically, the assistant accountant is expected to:
 exercise alertness and diligence in carrying out and completing assigned
tasks
 exercise professional skepticism
 prepare audit documentation appropriately to support the work performed
 inform the in-charge accountant promptly of problems encountered
 provide explanations and on-the-job training to assistants with less
experience
 maintain a good working relationship with the client

2.53 In particular, the assistant accountant should be aware that a discrepancy
discovered, however small, may be significant and should be brought to the attention of
the in-charge accountant so that it is not overlooked.

Tax Specialist

2.54 A tax specialist has the primary responsibility for addressing relevant tax
issues in the audit and is usually a partner or manager. The tax specialist, lead or
support partner, and manager are jointly responsible for the completion of the relevant
income tax procedures and determining the correctness of the accounting and
disclosures related to income taxes.

Supervision

2.55 Supervision is vital to engagement planning and is essential to audit
effectiveness and the satisfactory accomplishment of all assignments. Supervision
includes directing and reviewing the work of subordinates by the person responsible.
Proper supervision also helps to maximize efficiency. Areas where inefficiencies may
occur include:
 spending excess time gathering audit evidence for risks that are not
reasonably possible
 improper timing of various phases of audit work, for example, starting work
before the client is ready, or scheduling work in an improper sequence, as
this may cause duplication of effort
 failure to obtain an initial draft of the financial statements and all related
disclosures well in advance of completing fieldwork. Significant technical
problems that frequently develop during the preparation of the financial
statements are more efficiently resolved when detected early
 preparing summaries of accounts that neither interpret nor provide audit
evidence
 failure to utilize client's supplemental records to the maximum extent
practicable, such as depreciation or job cost schedules and analyses of
accounts for management
 failure to use automated audit procedures and tools like IDEA

2.56 Proper supervision mitigates the risk of an ineffective or inefficient audit due to
inadequate control over personnel performing the work, or poor timing, or poor quality of
work.

2.57 Review of workpapers should not be done at the end of the audit. While the
immediate supervisor is continuously exercising control over the members of the audit
team, his or her own direct application of procedures or other responsibilities should not
take precedence over the need to review completed sections. All reviewers should
review each audit section as soon as possible after its completion to minimize
inefficiencies and adequately address issues. Necessary adjustments in documentation
procedures can then be evaluated in time to make the appropriate changes in the audit
program and achieve a high quality audit.

Continuing Professional Education and On-the-Job Training

2.58 The firm expects its personnel to adhere to all applicable continuing
professional education (CPE) requirements of professional, state, and regulatory
agencies. The firm maintains CPE records to assist all professional personnel in
developing a list of CPE courses attended; however, personnel are individually
responsible for compliance with applicable continuing education requirements.

2.59 [Tailor the following hours to reflect your policies – note member firms are
expected to at least comply with the IFAC code] Every professional in the firm is
responsible for obtaining and documenting the minimum CPE credit hours, which
include 20 hours of CPE each calendar year, and 120 hours of CPE every rolling three
years.

2.60 On-the-job training is one of the most important aspects of the training and
development of an auditor. Therefore, the lead and support partners, manager, and in-
charge accountant are expected to provide such training to staff working under their
direction and to make recommendations for the professional development of personnel.

2.61 As the audit progresses, the lead or support partner or manager should inform
the in-charge accountant of areas in which they performed well and of areas that need
improvement. The in-charge accountant conducts the same communication with
assistant accountants. At the conclusion of the engagement, appropriate performance
evaluations are to be prepared in accordance with firm policies.

Employment Opportunities with Audit Clients

2.62 The policies in the following paragraphs apply when a professional of the firm
(this is broadly defined and includes any audit, tax, IT, or valuation specialist) has a
potential opportunity with an audit client or any of its affiliates. These situations may
cast doubt on the firm’s ability to appear independent of the audit client.

2.63 [Tailor this paragraph to reflect your notification policies] Accordingly, the firm
requires its professionals to immediately notify the PSP, APL, and/or OMP
(alternatively, a service line managing partner) when an audit client or any of its
affiliates:
 approaches the professional about a potential employment opportunity
 holds discussions or participates in employment interviews with them
 offers them an employment opportunity

2.64 [Tailor this paragraph to reflect your reference policies and sources] The firm
will remove the professional from any assignments for the audit client until the
discussions have terminated or the employment offer is rejected or withdrawn. The
professional should also refer to the Independence and Ethics Manual in GEL for
additional firm policies. In addition, this Manual describes the consultation and
communication requirements to clients and audit committees that may apply.

2.65 Reserved for possible future use.

2.66 Reserved for possible future use.

2.67 Reserved for possible future use.

[Tailor the following section for your applicable regulatory registration requirements, if
any]

PCAOB Registration Requirements

2.68 The PCAOB is an independent, non-governmental, non-profit corporation
created by SOX. Its mission is to protect investors in U.S. securities markets and to
further the public interest by ensuring that public company financial statements are
audited according to the highest standards of quality, independence, and ethics. SOX
prohibits public accounting firms that are not registered with the Board from preparing or
issuing auditors’ reports on U.S. public companies and from participating in such audits.

2.69 To assist with the PCAOB registration, each GT partner, principal, and
employee identified as an accountant is required to provide personal information within
MyGT. Accountants are also required to submit information about their educational
background, CPA certificates, licenses to practice auditing or accounting, AICPA
membership, and whether they have provided (or will provide) ten or more service hours
to a public client.

2.70 Every firm partner and employee is also required to consent to cooperate in,
and comply with, any request for testimony or the production of documents made by the
PCAOB. This consent agreement must be manually signed and returned to the local
office human resource representative. This consent is required as a condition of
continued employment with the firm. All partners and employees must provide all
requested information in an accurate manner and on a timely basis.

Chapter Three - Client Acceptance and Continuance

Summary

The firm establishes policies and procedures for accepting new audit clients and
continuing relationships with existing audit clients (continuance). These policies and
procedures are a key element of the firm’s quality control systems. Accordingly, client
acceptance policies and procedures attempt to identify and reject prospective clients of
dubious reputation or who present engagements that are likely to involve the firm in
litigation or government investigations, or will not bring a proper reward in light of the
risks involved. Client continuance policies and procedures attempt to identify and reject
existing clients with similar characteristics.

This Chapter summarizes the firm’s policies and procedures related to acceptance of
new clients and continuance with existing clients. This Chapter also discusses
additional considerations when the prospective engagement includes the audit of
previously audited financial statements (reaudits).

Introduction
3.01 The auditing profession operates in a climate where litigation and liability
are continuing concerns. In this climate, if an entity experiences legal
difficulties and if plaintiffs can find any basis (or pretext) for alleging
reliance on the entity's financial statements, it is almost certain that any
litigation will ultimately involve the auditors. The auditors then become
defendants, no matter how professionally they performed their services.
Defending such litigation is expensive, even without a trial.

3.02 The firm is also exposed to risk of reputational damage as a result of
litigation, adverse publicity, or other events arising in connection with the
reports it issues on financial statements. This exposure is also present
even if the audit team performed the audit in accordance with professional
standards and appropriately reported on those financial statements.

3.03 The firm responds to engagement risks in a variety of ways, ranging from
assuring that fees are appropriate to decisions directly affecting the audit
process, such as client continuance, assignment of personnel to audit
teams, and whether to include a quality control reviewer.

3.04 Accordingly, all professionals must assess and manage the risks related to
the firm’s association with client financial information. This Chapter
presents guidance and firm policies to help manage risks related to
accepting an engagement and continuing with existing relationships.

Acceptance of Clients and Engagements

Overview

3.05 [Tailor this paragraph to reflect the positions / people involved in your firm’s
process] The firm’s client acceptance policies represent a key element of
the firm’s quality control systems. The lead partner, OMP and the PSP
actively participate in this process and approve the acceptance of every
new client. Certain engagements that meet specified criteria also require
the approval of the RMP, NPPD, the NMP Risk Mgmt and a committee
comprised of National Office personnel called the Client Acceptance
Committee.

3.06 Accordingly, client acceptance policies and procedures attempt to identify
and reject prospective clients of dubious reputation, or who present
engagements that are likely to involve the firm in litigation or government
investigations, or will not bring a proper reward in light of the risks involved.
Client acceptance procedures also call for an evaluation of independence
and the ability to provide proper service considering industry expertise, size
of engagement, and personnel available to staff the engagement.

GTIL Client Acceptance Policies

3.07 To identify and assess assurance engagements that could pose significant
risks to GTIL and its member firms, GTIL also has acceptance policies for
assurance engagements. These policies require GTIL’s Key Assurance
Assignment (“KAA”) committee be given an opportunity to review all
assurance engagements meeting certain criteria prior to acceptance. GTIL
reserves the right to reject engagements where the risk is considered
unacceptably high, or to require certain actions be taken to further mitigate
identified risks as a condition of acceptance. This KAA review
supplements, but does not replace, the firm’s client acceptance policies.
Assurance engagements include financial statement audits, review
engagements, service organization controls audits and other subject matter
attestation engagements.

3.08 Accordingly, client acceptance and continuance processes include a


determination of whether the assurance engagement exceeds the
quantitative thresholds or meets one of the other qualitative criteria
described below. If so, a key assurance assignment (KAA) is submitted to
GTIL, and GTIL’s approval of the engagement is received prior to entering
into any contract or engagement letter.

3.09 [Tailor the first three bullets to reflect the criteria that are applicable to your
firm] GTIL approval is required for assurance engagements that meet one
or more of the following quantitative criteria:
 assets are greater than $X
 revenues are greater than $X
 estimated fees are greater than $X
 estimated fees are greater than 5% of your member firm’s net
revenue. (Involvement by a partner from another member firm is
typically required in these cases)

3.10 Note that the criteria above apply to the potential client. For example, a
benefit plan should evaluate the assets and revenues of the prospective
client, not the sponsoring entity.

3.11 GTIL approval is also required for assurance engagements that meet one
or more of the following qualitative criteria:
 the engagement is a group audit and the group has components whose assets,
revenues or net income in aggregate exceed 50% of the consolidated values of the
group and those components are audited by other firms (other firms include GTIL
member firms), unless your member firm has been recognized as a firm with an
acceptable national consultation policy and process for reviewing such engagements
prior to acceptance
 the assurance report will be included in a public offering in a
foreign country
 the potential or existing client (or components of potential or existing client) is listed,
planning to list or planning to conduct a public offering in a foreign country or
jurisdiction
 the assurance report for the potential or existing client will be, or is expected to be
included in any regulatory filing in a foreign country or jurisdiction
 the assurance report for the potential or existing client will be, or is expected to be
included in a private placement offering that contains mandatory registration rights in
a foreign country or jurisdiction
 the engagement requires a cross-border filing review agreement or related services
 assurance engagements for any of the areas identified below where the engagement
team has limited or no experience in the last 12 months in providing this type of
assurance service:
– listed entities
– deposit-taking entities (e.g., banks, central banks, monetary
authorities, others)
– insurance entities
– financial services entities (e.g., broker dealers, mutual funds, hedge
funds, others)
– national or international not-for-profit organizations
– transnational audits (see below)
– service organization controls audits
 other factors are present that could have a negative impact on the Grant Thornton
brand, examples include:
– the reputation of the prospective client
– its officers or directors have received negative or controversial media
coverage
– the prospective client engages in fund raising activities when there is
questionable need for those funds

3.12 Firms with a national consultation policy and process for acceptance and
continuance of assurance engagements where the minority of the
components are being audited by the firm (as further described in the first
bullet of 3.11 above), may seek exemption from GTIL from needing to
submit KAAs for review where only this KAA criterion is met. Assurance
leaders who have a consultation policy and process in place and wish to
claim exemption from this criterion should send a request with supporting
documentation to KAR@gti.gt.com. This documentation should include:

 a copy of the firm’s policy in English together with a description of the process
and controls implemented and followed by the firm personnel to comply with
that policy.

 The qualification of the person being consulted.

 The evidence required by the consultation policy to determine the
qualification of component auditors, especially those auditors that are not
GTIL member firms

 Firm policy or guidance where the group audit team will perform their own
audit procedures on the component, including procedures such as site visits,
discussions with management of the component and the nature, timing and
extent of such procedures

3.13 KAA submissions to GTIL with any of the following circumstances will
generally be considered as representing an unacceptable risk and will be
rejected:

 Engagements where we have reason to believe that the company and/or its
directors, key officers or significant shareholders are involved in activities
considered incompatible with our values, such as terrorism, money laundering,
fraud, embezzlement or other illegal activities
 Where fees are material to the member firm as a whole and a suitably
experienced partner from another member firm cannot be identified to serve as
the engagement quality control reviewer or the engagement partner
 Where the firm does not have the capabilities or competencies necessary to
perform the engagement (e.g., has limited experience in a specialized industry)
and another member firm cannot be identified to supplement the engagement
team and participate in the engagement quality control process.
 Where there is a threat to independence that cannot be overcome or mitigated
to an appropriate level

3.14 A KAA submission to GTIL is also required for assurance engagements
when:
– an existing engagement meets one or more of the criteria listed above and
that criterion or those criteria did not exist at the time of the initial KAA
submission; or
– an existing engagement for which a KAA was not previously submitted
now meets one or more of the criteria requiring acceptance; or
– the assurance client acceptance review committee requires the firm
to resubmit the client for continuance evaluation

Transnational Audits
3.15 A transnational audit is defined as an audit of financial statements which
are or may be relied upon outside the audited entity's home jurisdiction for
purposes of significant lending, investment or regulatory decisions. This
includes audits of all financial statements of companies with listed equity or
debt and other public interest entities which attract particular public
attention because of their size, products or services provided.

3.16 Assessing whether the attribute “listed equity or debt” is applicable is
straightforward. Assessing whether the attribute “other public interest
entities which attract particular public attention because of their size,
products or services provided” is applicable requires judgment.

3.17 The Transnational Audit Committee of the Forum of Firms publishes
guidance on making this assessment. Key aspects of the guidance include
whether there is a reasonable expectation that the financial statements of
the entity may be relied upon by a user outside the entity’s home
jurisdiction for purposes of significant lending, investment or regulatory
decisions. Examples they provide include large charitable organizations or
trusts, major monopolies or duopolies, providers of financial or other
borrowing facilities to commercial or private customers, deposit-taking
organizations and those holding funds belonging to third parties in
connection with investment or savings activities. The complete guidance is
available at
http://www.ifac.org/sites/default/files/downloads/TAC_Guidance_Statement_1.pdf .

International Engagements

3.18 Potential clients (or subsidiaries of any potential client) that are listed or are
planning to list in a foreign country require notification to the head of
assurance of the GTIL member firm in the country where that potential
client or subsidiary is listed or planning to list. In the case where there are
two or more member firms in one country, the Global Leadership Team
shall designate which member firm to notify. While the member firm will not
directly become involved in accepting the potential client, the acceptance
policies of the member firm (e.g., background investigations,
communications with predecessor auditors) should be considered.

3.19 [Tailor this paragraph to indicate the appropriate person in your firm to
contact with respect to auditor registration requirements] Before accepting
the client, the lead partner should determine whether acceptance of a new
client will trigger a requirement for the firm to register with the regulator in
the country or countries where the prospective client is listed. When
registration requirements exist, the lead partner should determine whether
the firm is registered in the foreign country. When the firm is not registered,
the lead partner should contact the appropriate person in the member firm
to discuss how and whether to initiate the registration process. Further
information concerning “third country registration” requirements is
maintained on GTInet under Services & markets > Assurance >
Cross-border audit firm registration and reporting.

3.20 [Tailor the last sentence to reflect the location of your firm’s policies and
guidance] In addition, GTIL and firm independence policies and
procedures need to be followed before the member firm or its network
firms accept an engagement. Refer to GTIL’s independence policies on
checking the Global Conflicts List (“GCL”) and the Global Restricted List
(“GRL”) and performing International Relationship Checks (“IRCs”) on
GTInet under Supporting you > Risk & regulatory > Independence or to the
firm’s Independence Manual.

Engagement Acceptance Risk


3.21 Engagement acceptance risk is the risk inherent in accepting a new
engagement. It encompasses risks that:
• the business will subsequently fail
• management lacks integrity
• the industry has difficult issues or is in decline
• management capabilities and track record are deficient

3.22 [Tailor this paragraph to reflect the software / forms used in your client
acceptance process] To assist the audit team in properly applying the
firm’s client acceptance policies and procedures and to measure
engagement acceptance risk, the firm developed Client Acceptance
software. This software tool facilitates compliance with firm policies and
procedures and evaluates engagement acceptance risk associated with the
proposed new client.

3.23 [Tailor this paragraph to reflect the approval process in your firm]
Engagement acceptance risk is assessed based on an evaluation of the
risk indicators that are present with the potential new client. This
assessment determines who must be involved in the approval process. The
three levels of client acceptance risk (green, yellow, and red) and the
significance of each are as follows:
Local – Risks associated with the prospective client are acceptable to the firm. The PSP
and OMP approvals are normally sufficient to accept the client.
National-Level 1 – There are matters present that could pose risk to the firm. Such risks
and mitigating factors should be documented and evaluated by the lead partner before
seeking approvals. PSP and OMP preliminary approval is required before issuing a
proposal. Required final approvers include the OMP, PSP, RMP, NPPD and the NMP
Risk Mgmt.
National-Level 2 – There are matters that could pose a threat to the firm. All relevant
facts, including facts mitigating risks to the firm should be documented and evaluated by
the lead partner before seeking approvals. PSP and OMP preliminary approval is
required before issuing a proposal. Required final approvers include the OMP, PSP,
RMP, NPPD, NMP Risk Mgmt and the CAC.

3.24 Engagement acceptance risk is not audit risk. It is possible for engagement
acceptance risk to require “National” approvals and inherent audit risk for
an assertion or assertions to be assessed as “Low.” Similarly, potential
engagements might be approved by the local office when inherent risk for
certain assertions is assessed as “High.” While these two risks are not
directly linked to each other, the lead partner should understand the
reasons behind the risk assessments.

3.25 While the software tool assists in evaluating the engagement acceptance
and other risks associated with a potential client, no criteria can be
established to serve in all circumstances. It is paramount, therefore, for the
lead partner to consider each situation with professional skepticism and be
alert to situations that pose risk to the firm. These include, among others:
• allegations that raise questions about management's integrity, including
allegations of fraud or illegal acts by senior management
• going concern issues
• enforcement actions or investigations by regulatory agencies
• predecessor auditor issues, including: resignations, disagreements with
management, questions about management's integrity, or internal control
deficiencies
• one-time engagements
• reaudits

3.26 [Tailor the example if it is not appropriate to your circumstances] In
addition, certain tax shelter and other limited partnership engagements
present risks which should be evaluated. For example, the firm would not
wish to associate with tax shelter offerings for a syndicator who is not
otherwise a client, unless the background and financial conditions of the
syndicator and related entities are understood. Similarly, after undertaking
such engagements, the financial position of the syndicator and related
entities should be assessed periodically. In some circumstances, the
foregoing references to a "syndicator" may pertain to general partners, fund
managers, etc.

When to Perform New Client Acceptance Procedures

3.27 [Tailor the bulleted list to reflect your policies. Tailor the last sentence to
reflect the people involved in your process] The firm requires the use of
the client acceptance software for all potential new assurance service
clients. Assurance services, for this purpose, include the following:
• audits, including service organization controls audits (type I and II)
• reviews
• attestation engagements, excluding agreed-upon procedures
• reports on the application of accounting principles
• SysTrust and WebTrust engagements
Compilation and AUP engagements are not required to be documented in the client
acceptance software; however, the OMP, PSP, NPPD, RMP or other firm management
may require background investigations and/or formal client acceptance procedures.

3.28 [Tailor this paragraph to reflect your policies] In addition, the following are
considered "new client" situations for which new client acceptance
procedures should be performed:
• an initial stock or debt offering by an existing client (including those not involving
SEC registration)
• an existing client that files for bankruptcy (regardless of the assurance service
performed)
• an existing BAS, tax or consulting client requesting a financial reporting
engagement (other than a compilation or AUP) for the first time (e.g., an audit,
review, forecast)
• non-client entities seeking to acquire a client or former client where the firm plans
to reissue the auditor’s report and/or consent to the inclusion of the report in the
acquirer’s filing (such as a registration statement)

3.29 [Tailor the last line to reflect the person in your firm that should be
consulted] Referrals from GTIL member firms or correspondent firms that
are expected to result in the issuance of a report on an assurance service
are also considered “new client” situations. Principle #3 of the International
Engagement Protocol sets out specific criteria that are acceptable reasons
for declining an international referral. The International Engagement
Protocol can be found on GTILnet under Winning business > IBC > Tools
> Engagement Protocols. If the partner believes that the firm should not
accept work that is referred by a GTIL member firm or correspondent firm,
the NMP Risk Mgmt should be notified.

3.30 [Tailor this paragraph to reflect your policies] When a tax shelter
engagement is similar to other engagements for the same syndicator, client
acceptance procedures are required only for the first engagement. For
example, after approval of the first real estate tax shelter engagement, the
use of the client acceptance tool is not required for subsequent similar
engagements for that syndicator. (However, if applicable, NPPD notification
is still required).

Other Considerations

3.31 [Tailor this paragraph to reflect your policies] Some prospective
engagements may require extensive time and out-of-pocket expenses
investigating the proposed client. In such circumstances, the partner should
consider asking the proposed client to pay for time and expenses incurred
in our acceptance investigation. It goes without saying that, if such an
engagement is accepted, the firm should insist on receiving a substantial
portion of the fee "up front" and exercise great care to ensure that unpaid
fees do not excessively accumulate.

3.32 [Include paragraphs 3.23 through 3.36 if your firm has implemented or
intends to implement the Client Acceptance application]

The Phases of Client Acceptance


3.33 The Client Acceptance software guides the user through the acceptance
process in an orderly and logical manner. The phases of client acceptance
can be separated into (1) the information-gathering phase, (2) the
engagement acceptance risk assessment phase, (3) the verification phase,
and (4) the approval phase.
For a detailed explanation of the Client Acceptance software, refer to the Help Guide
included in VIS Tracking 2012.

The Information-Gathering Phase

3.34 In this phase, all information regarding the prospective client is gathered.
This includes information about management, business operations, public
announcements, financial results, and the proposed service team.

3.35 Most of this information will be used to understand the client and its
business and be available to those involved in the approval process. Some
information gathered during this phase will also be used in the verification
phase. For example, information about management and the board of
directors carries to the background search form that is used by the
background investigation researchers, should the partner proceed to the
verification phase.

3.36 Most of the information gathered will be entered into the Organization
Structure tool. Audit teams are familiar with this tool because they have
used it in Voyager. Now the information entered during the client
acceptance process will transfer automatically into Voyager. The
Organization Structure tool contains information about the entity including
its size, its components, where the components are located, its
management, and its industry. Global flags such as whether the entity is
listed, has foreign operations, has other auditors and requires an internal
control audit are also set in the Organization Structure tool.

3.37 Additional characteristics about the entity are captured during this phase in
navigation bar sections:
• GTIL Financial Thresholds
• Entity Characteristics
• Financial and Other Information

3.38 The GTIL Financial Thresholds section is where the audit team enters
certain financial thresholds of the entity. These determine whether GTIL
KAA review is required.

3.39 The Entity Characteristics section contains characteristics of the entity
that the firm or GTIL has determined require further attention if present.
An example of this type of characteristic is whether the entity is in
the insurance industry. The presence of these characteristics individually or
in combination with others could require additional levels of approval.

3.40 The Financial and Other Information section is where prior year financial
statements are referenced. In addition, results of inquiries of management
and others are documented together with independence considerations.
Here the audit team evaluates and documents the results of these
procedures to assist approvers in evaluating the potential client.

3.41 All documents necessary to evaluate a prospective client should be
included in the File Cabinet. This is especially critical when national
approvals are required and those individuals are not physically located in
the office seeking approval. Information attached to the file will normally
include financial statements, background investigations, budgeting
templates (Form 1), and regulatory filings. Links to websites or other
external sources are not an acceptable alternative to attaching a document
to the electronic file.

The Engagement Acceptance Risk Assessment Phase

3.42 As previously discussed, engagement acceptance risk is the risk inherent
in accepting a prospective client. The assessment of this risk is primarily
based on an evaluation of risk indicators, which, if present, could result in
greater risk to the firm. The engagement acceptance risk assessment
assists personnel who are involved in the approval process to better
evaluate the expected benefits of a new client relationship versus the
possible cost. Engagement acceptance risk also reflects the value system
that the firm attributes to certain industries and situations. For example, the
firm has determined that entities with property and casualty insurance
operations and banks with CAMELS ratings of 4 or 5 will rarely be
accepted. The engagement acceptance risk assessment for such entities
will reflect this determination.

3.43 For these reasons, engagement acceptance risk does not necessarily
translate into audit risk. It is possible that engagement acceptance risk may
be assessed at a high level due to a circumstance such as the prior auditor
having resigned. Whether this circumstance translates into audit risk is a judgment
that must be evaluated on a facts and circumstances basis. Therefore, it is
essential for the audit team to understand engagement acceptance risk
and determine its relationship to risk assessments made in assessing risks
for the audit.

3.44 The Engagement Acceptance Risk Indicators section contains the
indicators that the firm or GTIL has determined are relevant to the client
acceptance decision. Examples of these indicators are “prior auditors
resigned” and “management frequently changes or sues its financial
advisors”. The presence of one or more of these indicators individually or in
the aggregate could elevate the engagement acceptance risk to a higher
level.

3.45 After the audit team documents the risk indicators, there are additional
circumstances that the firm or GTIL has determined need consideration.
These are found in the Firm Risk Considerations section. Examples of
these additional considerations include whether the firm or GTIL audits less
than 50% of a group or whether the financial statements are prepared
using the GAAP of another country. If present, these circumstances may
elevate engagement acceptance risk. Approvers should carefully consider
these additional considerations in determining whether to accept the
potential client.

3.46 At the conclusion of this phase, the software evaluates the risk indicators
that are present and measures engagement acceptance risk.

3.47 Prior to issuing a proposal for a potential client, completion of all
information in the client acceptance software through the Engagement
Acceptance Risk Assessment Phase is strongly encouraged.

The Verification Phase

3.48 Verification procedures primarily involve communicating with predecessor
accountants and conducting background investigations of the entity and its
key management.

The Approval Phase


3.49 In the Authorization for Final Approval section, the engagement partner
evaluates and documents all relevant facts supporting acceptance of the
engagement. Here the partner should address his or her evaluation of the
business risks to the firm such as client profitability considerations,
strategic fit, staff development and retention issues and the timing of the
work. When this is complete, the partner makes a recommendation to
accept the client. The software then permits individuals involved in the final
approval process to sign off in the Final Approvals section.

3.50 Persons involved in approving a prospective client are contacted
electronically and approve the client by accessing the proposed new client
information in the database. The software controls electronic sign-offs and
restricts approvals to those authorized. The software notifies appropriate
approvers when prospective clients are awaiting their approval.

The Client Acceptance Database


3.51 The proposed new client information is stored in VIS. Changes to the
information must be made using the client acceptance application within
VIS Tracking.

3.52 Within VIS Tracking, users can filter the data to perform searches, approve
new clients, and access detail data for each entity. The status of each
prospective client is also viewable. The statuses are:
• Draft – the record is in the information-gathering phase
• Awaiting Final Approval – the approval process is underway
• Withdrawn – the prospective client selected another auditor or withdrew
their request for services
• Declined – the firm declined to serve the prospective client
• Approved – the prospect was approved as a client of the firm

Communications with Predecessor Auditors
3.53 [Tailor the last sentence if the content is not applicable to your firm] The
lead partner or manager should make certain inquiries of the predecessor
auditor before accepting a new client, including whether the predecessor
auditor communicated with the audit committee or others with equivalent
authority regarding fraud, illegal acts, and internal control matters. A
predecessor auditor is an auditor who (1) has reported on the most recent
audited financial statements or was engaged to perform, but did not
complete an audit of any subsequent financial statements, and (2) has
resigned, declined to stand for reappointment, or been notified that his or
her services have been, or may be, terminated. (The SEC considers an
auditor who is named as an “auditor of record” in a registrant’s registration
statement, such as a Form 8-K, to be a predecessor auditor regardless of
whether the auditor rendered an auditors’ report).

3.54 [Tailor the last sentence to reflect the location of your templates] In
considering a potential new engagement, firm personnel should explain to
the prospective client their need to communicate with the predecessor
auditor and request that they authorize the auditors to respond to our
inquiries. Illustrative letters for such purpose are found in GEL under
Letters, Forms and Templates > Access and Termination Letters.

3.55 [Tailor the last sentence to reflect the location of your templates]
Ordinarily, a predecessor auditor will fully respond to reasonable inquiries.
However, where a predecessor auditor severely limits or refuses to
respond to our inquiries, the implications of a limited or non-response
should be considered in evaluating whether to accept the engagement.
Frequently, it is also advantageous to review the predecessor auditors'
workpapers prior to accepting a new client. When appropriate, the partner
should request the prospective client to authorize the predecessor auditors
to allow access to review such workpapers. Illustrative letters for such a
purpose can be found in the GEL under Letters, Forms and Templates >
Access and Termination Letters.

Other Reasons to Communicate with the Predecessor Auditor

3.56 Once an audit engagement is accepted, the audit team must obtain
sufficient evidence to provide a basis for the opinion on the financial
statements. This includes evaluating the consistency of the application of
accounting principles and analyzing opening balances. The predecessor
auditor is often an important starting point for gathering this evidence. The
evidence may be obtained through inquiries of the predecessor auditor,
review of their workpapers, and other audit procedures such as those on
account balances at the beginning of the period and on transactions in prior
periods.

3.57 The audit team’s review of the predecessor auditor’s workpapers may
affect the nature, timing, and extent of procedures related to opening
balances and consistency of accounting principles. The procedures
performed by the audit team depend in part on the assessment of the work
performed by the predecessor auditor, as evidenced by the quality of the
predecessor’s report and supporting workpapers.

3.58 If the predecessor auditor’s workpapers are unavailable (such as when a
predecessor auditor has ceased operations or access is otherwise denied),
the audit team must obtain sufficient appropriate audit evidence about
opening balances by performing other auditing procedures. If the audit
team is unable to obtain sufficient evidence by performing such
procedures, they should qualify or disclaim an opinion because of the
inability to obtain evidence supporting opening balances and not because
of the unavailability of the predecessors’ workpapers.

Engagement Proposals
3.59 The firm is frequently asked to provide potential clients with a written
proposal for its services. The proposal team should prepare a separate
proposal document (and not include proposal language in an engagement
letter). The proposal can state that an engagement letter will be issued if
our proposal is accepted; however, when preparing a proposal,
consideration should be given to the firm's policies and guidelines relating
to new client acceptance and engagement letters so as not to contradict or
extend our responsibilities, as they would be stated in an engagement
letter.

3.60 [Tailor the following paragraph to reflect your processes] National
Marketing can provide general assistance with developing proposals. For
assistance with proposals to potential clients in certain specialized
industries, the proposal team should consider consulting with the firm's
industry specialists or the NPPD.

3.61 If the proposal is to include client references, the firm prefers that proposals
only refer to our publicly-held clients because it is a matter of public record
that the firm provides accounting services for them. Advance clearance
should be obtained from any non-public client that is used as a reference to
preclude the possibility of a misunderstanding arising as to the firm’s
confidential relationship with our clients. The partner should determine that
any client used as a reference has current information about the firm and
that the referral will be favorably received.

3.62 [Tailor the following paragraph to reflect your processes] Preliminary
approvals should normally be obtained and documented prior to issuing a
proposal.

3.63 The proposal should indicate that firm policy requires formal approvals of
client acceptance and background investigations on all proposed clients
and their key personnel and affiliated entities prior to acceptance.

3.64 In addition, the firm requires communication with the predecessor auditor
before accepting a new client. Whenever practicable, such inquiries should
be made prior to issuing a formal proposal. Where this is not practicable,
the wording of the proposal should indicate that if chosen as auditors, the
firm needs to make such inquiries before accepting the engagement.

3.65 [Tailor the following paragraph to reflect your processes] Proposals should
make no reference to other accountants, except, if appropriate, to indicate
that the firm will make inquiries of the predecessor auditors to obtain
information relevant to the engagement. However, the laws or regulations
of some states require that notification be made to the firm being replaced.
Notification may also be required in some states when accepting a special
engagement for a client served by another firm.

Background Investigations
3.66 GTIL policy requires that background checks be performed for all public
interest entities and all KAAs. KAA submissions should include results of
background checks together with the disposition of any matters identified
by the engagement team. Checks should cover shareholders of 10% or
more of the equity, directors, the chief executive officer/managing director
and chief financial officer/finance director.

3.67 [Tailor this paragraph to reflect your policies] In addition, the firm requires a
background investigation in the following situations:
• all potential new assurance clients (as previously defined), including those that are
already firm clients in other service lines and long-time friends and community leaders
• all current assurance clients with changes in key decision makers (owners,
management, principal investors, directors, legal counsel or principal investors of
subsidiaries or divisions where there is an expectation that the subsidiary or division will
grow to become significant to the overall entity)
• current or prospective clients considering an IPO using an underwriter with whom the
firm has no prior experience

3.68 [Tailor the last sentence to reflect your policies] Subjects of a background
investigation will include the potential client organization and its key
decision makers. Key decision makers are normally all board members,
chief executive officer, chief financial officer and principal accounting
officer. The investigation should also include significant principal investors
and shareholders, or others who exercise significant influence over entity
operations. Significant entity-related entities and/or subsidiaries should be
considered as additional subjects. For civic and charitable organizations
with large, primarily advisory boards, discussion with the NMP Risk Mgmt
on the appropriate selection of board members is encouraged.

3.69 As discussed previously, referrals from another GTIL member firm or
correspondent firm of a new assurance client are subject to the firm’s client
acceptance procedures, including background investigations.

3.70 [Tailor the following paragraph to reflect your processes] The Investigative
Research Group performs all background investigations for the firm, and
the Investigation Request Form (“Form”) for background investigations is
embedded in the client acceptance software. At the verification phase of
the client acceptance process, the Form is automatically forwarded to the
IRG via email. Within one business day of emailing the Form, an
investigator should contact the partner or manager to briefly discuss the
potential client. Understanding the type of engagement, learning what the
team already knows about the subjects, and determining if additional
subjects should be included in the investigation are integral to properly
scoped research. The IRG will email a report that summarizes adverse
findings from news and public records sources, eliminating extraneous
findings and, to the extent possible, any ambiguities. It will include, if
applicable, a selection of attachments to enhance the key information
discovered. The projected turnaround time for investigations is five to ten
business days.

3.71 [Tailor the following paragraph to reflect your processes] The IRG will look
for all information on a subject with a particular emphasis on identifying
issues of concern to the firm in accepting a potential client or retaining an
existing one. These issues include management reputation, management
performance at prior entities, securities violations, regulatory investigations,
frequent auditor changes, history of lawsuits against auditors and other
professional advisors, financial difficulties, ties to organized crime, fraud
allegations, accounting issues, bankruptcies, judgments and liens.

3.72 [Tailor the following paragraph to reflect your processes] The investigation
also includes an online search of civil and criminal filings in federal courts.
Some noteworthy criminal cases not filed at the federal level appear in
other online legal sources, but coverage is not comprehensive. The federal
search is supplemented with a search for civil filings at the state court level
for many available jurisdictions (primarily larger metropolitan areas).
Additionally, non-federal criminal filings are sometimes covered in media
reports and regulatory filings, which are also searched extensively.

3.73 [Tailor the following paragraph to reflect your processes] Because access
to online criminal databases is limited, the IRG may determine that it is
appropriate to perform a manual courthouse search. Considerations
include when information found is inconclusive or needs amplification, or
when data limitations significantly impact the comprehensiveness of a
particular search. Further courthouse searches will be performed at the
direction of the partner.

3.74 [Tailor the following paragraph to reflect your processes] When the
investigation is completed, the IRG investigator will make a professional
judgment about the results of the investigation. To reflect this assessment,
the banner at the top of the first page of each investigation report will be
color-coded as follows:
GREEN – no adverse information identified
YELLOW – potential risks identified
RED – significant threat(s) identified

3.75 [Tailor the following paragraph to reflect your processes] The background
investigation report is intended to be used by the firm in its client
acceptance evaluation procedures and should not be distributed outside
the firm. The background investigation information should be attached to
the client acceptance file and the audit team enters this “grade” into the
client acceptance software. A “Yellow” or “Red” rating may require
additional approvals.

3.76 [Tailor the following paragraph to reflect your processes] To manage the
costs associated with performing background investigations, these are
ordinarily conducted as the final step in the acceptance process and only
after the potential client has agreed to engage the firm. However, it may be
advantageous to perform background investigations earlier in the process,
especially in situations where the proposal is expected to involve a
significant effort and cost.

3.77 [Tailor the following paragraph to reflect your processes] The firm
recognizes that performing background investigations slows down the new
client acceptance process. While it is best practice to avoid entering into an
engagement letter with a client until the investigation is complete, the firm
might be willing to enter into an engagement letter with a non-public client
(see the definition of a public entity below in “Firm Policies”) prior to
concluding the investigation. However, in such circumstances an
understanding that our acceptance is subject to the completion of the
background investigation should be documented in the engagement letter.
Prior to issuing an engagement letter to a non-public entity subject to the
completion of the background searches, the partner should consult with the
OMP and the PSP.

3.78 [Tailor to reflect your process or remove the text from following paragraph if
the topic is not applicable to your firm. Suggest stating “reserved for
possible future use” to preserve the paragraph numbering] Because a
Form 8-K is a public document, the firm will not ordinarily agree to become
the auditor of record in a Form 8-K filing until the background investigation
is complete, the new client is accepted and approvals are documented in
the client acceptance database. Accordingly, unless specifically approved
by the NMP Risk Mgmt, the partner should not enter into an engagement
letter or agree to the firm being named as the auditor of record in a Form 8-
K filing until the background investigation is complete and approvals are
obtained. Background investigations for public companies should be
requested in sufficient time to allow for required National Office review and
approval, especially in situations where the potential client must file Form
8-K shortly after the audit committee selects an auditor.

Other Times to Perform a Background Investigation

3.79 Background investigations may provide useful information in other
situations, such as:
• existing assurance clients where concerns arise about the integrity of management
• entities acquired by an existing client
• nonclient entities seeking to acquire a client
• general due diligence regarding client related entities, suppliers, business partners,
  adversary witnesses, etc.
• new members of senior management
• new board members

3.80 [Tailor the following paragraph to reflect your process] The IRG will perform
investigations at the request of the partner. To initiate this search, the
partner or manager should complete the Background Investigation Request
Form located in GEL under Letters, Forms and Templates > Background
Investigation Request Form.

3.81 [Tailor paragraphs 3.79 to 3.85 to reflect your policies and procedures]

Responsibilities for Client and Engagement Acceptance


3.82 The acceptance of a new client is primarily the responsibility of the OMP
and, secondarily, of the partner recommending acceptance. The process of
managing risks depends on the firm's operating offices. Therefore, this is
an important aspect of an OMP’s responsibility and is also a responsibility
of every partner and manager in the office. Although National Office
approvals may be required, acceptance remains the responsibility of the
OMP, who is encouraged to involve the PSP and APL to the fullest
possible extent.

National Office Approval

3.83 The firm requires approval by the RMP, NPPD and NMP Risk Mgmt for
potential new clients that meet any of the following criteria:
• public entities
• engagement acceptance risk is assessed as National-Level 1
• financial institutions operating under a memorandum of understanding or other
  regulatory orders or agreements
• situations where there have been special investigations conducted by the
  company (or an external law firm) involving senior personnel
• situations where there was a reported disagreement with the predecessor auditor
  over any matter of accounting principles or practices, financial statement
  disclosure or auditing scope or procedures, or there was a “reportable event” as
  defined in S-K item 304(a)
• prospective client appears to be opinion shopping
• situations where there are related entities that are not audited
• situations where there are significant related party transactions
• all audits of internal controls at service organizations

Additional National Approvals


3.84 In addition to RMP, NPPD and NMP Risk Mgmt approval, the firm requires
approval by the CAC for prospective new clients that meet any of the
following criteria:
• engagement acceptance risk is assessed as National-Level 2
• all “large” entities (revenues greater than $3 billion, assets greater than $6 billion or
  fees greater than $3 million)
• factors are present that could have a negative impact on the Grant Thornton name,
  examples include:
  – the reputation of the prospective client
  – its officers or directors have received negative or controversial
    media coverage
  – the prospective client engages in fund raising activities when there
    is questionable need for those funds
• the engagement is a group audit and the group has components whose assets,
  revenues or net income in aggregate exceed 50% of the consolidated values of the
  group and those components are audited by other firms (other firms include GTIL
  member firms)
• a subsidiary of a listed entity (the listed entity is audited by a non-affiliated firm) and
  has assets or revenues equal to or greater than 20% of the consolidated values of the
  group
• report will be included in a public offering in a foreign country
• companies that intend to raise capital (i.e., public or private offering of debt or equity)
• the prospective client imposes unreasonable scope or timing restrictions (see
  Engagement Acceptance Restrictions below)
• management or the audit committee is aware of allegations of fraud or
  communications regarding fraud
• situations where there are pending enforcement matters or other investigations, the
  outcome of which could adversely impact the viability or reputation of the business
• resignation of predecessor auditors, or where other accounting firms or professional
  advisors declined to serve the prospective client
• situations where acceptance of the engagement could create independence conflicts
  for many of our people

3.85 In addition to National Office approvals, the Regional Advisory Services
Leaders (RASL) and the NMP Advisory must approve all prospective audits
of internal controls.

Engagement Acceptance Restrictions


3.86 The firm will rarely, if ever, accept new assurance engagements for the
following entities:
• property and casualty insurance companies, unless it is a wholly-owned captive of an
  existing assurance client
• public entity risk pools
• financial institutions with an overall CAMELS rating of 4 or 5
• entities operating under any regulatory cease and desist order
• government securities dealers
• unregulated (e.g., internet) casinos
• companies with limited or no viable business activities, including but not limited to,
  internet companies
• examinations of prospective financial statements or to perform feasibility studies for
  use by a third party
• potential clients that will not be continuing due to a probable sale of the company
• entities planning to go public using a reverse merger with a public shell company
• blank check companies
• special purpose acquisition companies (SPACs)

3.87 The NMP Risk Mgmt and CAC must approve any exceptions to the general
rule regarding the foregoing engagements.

3.88 The firm will not accept any engagement when management imposes a
scope limitation that will result in a disclaimer.

Group Audits

3.89 There are additional considerations when evaluating the acceptance of a
group audit engagement when the firm will serve as the group auditor.
These considerations include determining:
• the portion of the work that the firm will directly perform versus the portion of the work
  that will be performed by component auditors
• whether the component auditors will include GTIL member firms or other audit firms
• whether the firm can be involved sufficiently with the component auditors to fulfill its
  responsibilities as the group auditor

3.90 The firm will not accept any group audit engagement where it will not be
able to fulfill its responsibilities as the group auditor.

Tax Shelters
[Tailor this section to reflect your policies regarding tax shelters]

3.91 Special consideration should be given to engagements involving audited or
unaudited (i.e., compiled or reviewed) financial statements, or prospective
financial information (such as forecasts or projections) for tax shelters. The
definition of a tax shelter for this purpose is extremely broad:
• it includes investments that have as a significant feature either deductions in excess
  of income in any year that can reduce income from other sources, or credits in excess
  of the tax attributable to the income from the investment in any year that can offset
  taxes on income from other sources
• this definition may encompass other than traditional tax shelter clients, and is subject
  to periodic revision by the Internal Revenue Service
• tax shelter engagements for this purpose do not include planning assignments on
  behalf of existing clients, including those that lead to the formation of partnerships or
  other entities controlled by clients, and provided such activities do not entail
  distribution of data to prospective investors with which the firm is associated

3.92 For firm policies related to tax shelter income tax return preparation or
review, refer to the Tax Services Manual in GEL.

3.93 Private placement offering engagements will not be accepted unless it is
reasonably expected that any intended tax benefits will stand the test of
IRS examination. Further, the firm will not accept as a client any tax shelter
with a fact pattern the IRS has classified as abusive.

3.94 Ordinarily, a private placement with which the firm is associated should
offer reasonable economic rewards in addition to intended tax benefits.
This will not necessarily apply, however, in the case of a shelter created by
legislative subsidy, such as a low-income housing development.

Joint Audit Engagements

3.95 The firm occasionally participates in joint audit engagements with other
auditors. (For this purpose, a joint audit is defined as one where two or
more auditors work together on an engagement and produce an audit
report signed by each firm.) See Chapter 24 for a discussion of the firm's
pertinent policies. Under no circumstances will the firm participate in a joint
audit of an SEC client.

Shopping for Accounting Principles

3.96 [Tailor this paragraph to reflect your policies] From time to time, entities
seek professional advice from an auditor other than their auditor as to the
appropriate application of an accounting principle or auditing standard
(SAS 50 engagements). Their reasons for seeking such advice are often
valid and, in such cases, the firm is prepared to undertake an engagement
to respond to the entity’s inquiry. However, the firm will not accept
engagements when it appears the motivation is to pressure the other
accounting firm. Refer to Chapter 31 for policies related to SAS 50
engagements.

3.97 Reserved

3.98 Reserved

Client Continuance

General Considerations

3.99 The paragraphs above discuss client acceptance and the need for the firm
to be careful in assessing the risks relating to the firm’s association with the
potential client's financial information. Similar risks pertain to continued
association with certain existing clients, and the following paragraphs
discuss pertinent policies and procedures. The firm does not vouch for the
integrity or reliability of a client, nor does the firm have a duty to anyone
else with respect to the acceptance of or continuance with clients.
However, lead partners must be aware that the integrity and reputation of a
client's management could reflect on the reliability of their accounting
records and financial representations and, therefore, on the firm's
reputation or involvement in litigation.

Firm Policies

3.100 [Tailor this paragraph to reflect your continuance process] The firm requires
a determination at least annually, or upon the occurrence of certain
specified events, as to whether the relationship with a client should be
continued. For all public and non-public financial statement audits, service
organization controls audits, and financial statement reviews, this annual
evaluation must be documented within the client acceptance application.
Consistent with the definition used in international standards, the firm
defines a public entity as an entity:
• whose debt or equity securities are traded in a public market, including those traded
  on a foreign or domestic stock exchange or in the over-the-counter market including
  securities quoted only locally or regionally
• that is a conduit bond obligor for conduit debt securities that are traded in a public
  market (a domestic or foreign stock exchange or an over-the-counter market,
  including local or regional markets)
• whose financial statements are filed with a regulatory agency in preparation for the
  sale of any class of securities in a public market
• that is required to file or furnish financial statements with the SEC
• that files periodic reports with a banking or other regulatory agency (the SEC has
  responsibility over the periodic reporting requirements of these entities, but
  sometimes delegates its authority to the regulatory agencies that directly supervise
  them)
• that is a subsidiary, corporate joint venture, or significant investee of an entity
  described above

3.101 Engagement teams should begin the client continuance process shortly
after the completion of each engagement.

3.102 No specific criteria can be established to serve in all circumstances, but the
continuation of existing client relationships should be carefully assessed
from both a professional and a business perspective, focusing particularly
on the following matters:
• the identification of, and resignation from, clients of dubious reputation, or who offer
  engagements that are likely to involve the firm in litigation
• the identification of engagements that present significant risks to the firm (refer to
  Chapter 19)
• business considerations, such as conditions that might indicate the likelihood of
  unplanned write-offs, fee collection difficulties, etc. In general, the firm should be
  satisfied that the fees or other benefits to be derived from the engagement make good
  business sense in relation to our proposed undertaking. Audit partners should be
  cognizant that, given the present litigation and liability climate, accounting firms are
  often seen as a "deep pocket"

3.103 [Tailor the following list for conditions and positions that are relevant to your
firm] Other conditions or events that should give rise to a reconsideration
of client relationships include:
• conditions that might have caused the firm to reject the client had those conditions
  existed (or been known to us) at the time the client was initially accepted. These
  conditions may include unreliable processes for making accounting estimates,
  questionable estimates by management, questions regarding the entity’s ability to
  continue as a going concern, or other factors that may increase the risk of being
  associated with the client.
• changes in the nature or scope of the engagement, including requests for additional
  services or a major acquisition in an industry that changes the risk profile of the
  overall assignment
• significant changes in ownership, management, directors, legal counsel, or other key
  aspects of the client's organization or the nature of its business
• continuing lack of cooperation by management, especially those responsible for
  financial affairs
• unexplained delays in management's furnishing of evidential matter and/or apparently
  evasive answers to our inquiries
• delinquency in paying fees
• proposed change in the scope of the engagement that would significantly increase the
  firm’s responsibilities or diminish its access to pertinent data
• matters that might adversely affect the firm’s ability to serve the client, such as
  possible independence impairments, unanticipated loss of key client service personnel
• sub-prime lenders – OMPs and PSPs should be prepared to discuss these clients in
  the annual discussion with the NPPD
• regulatory investigations or litigation that raise integrity questions or the outcome of
  which may adversely impact the client's status or reputation
• serious financial difficulties including bankruptcy, or other indications of possible
  litigation risk relating to association with the client's financial statements

3.104 Naturally, in assessing client continuance, the firm might reach differing
conclusions based on the history of our relationship with the client. For
example, in assessing the continuation of a long-standing client who has
dealt with the firm fairly and honestly, the audit team may reach a different
judgment than they would with respect to a relatively new client. The many
possible combinations of circumstances make it impracticable to establish
more precise guidelines. However, in summary, the firm does not wish to
continue associating with clients when the audit team has lost confidence
in management or key financial personnel. In such instances, the
relationship should be discontinued as soon as practicable.

3.105 There may be circumstances where, although the firm believes it
appropriate to continue with the relationship, the audit team should insist
on receiving a retainer or substantial portion of the fee in advance, continue
to bill in advance of the work performed, and ensure that unpaid fees do
not accumulate. Alternatively, there may be other situations where the
likelihood of becoming involved in litigation or regulatory investigation is
such that the firm will only continue with the client if suitable after-cost
protection is obtained.

3.106 [Tailor the following paragraph to reflect your policies and processes] The
client services partner is primarily responsible for applying the foregoing
policies. However, the OMP is also expected to focus on these matters.
When the client services partner becomes aware of conditions that warrant
re-evaluation of a client relationship, the matter should be brought to the
attention of the OMP. The OMP may wish to consult with the NPPD and
the RMP. The NPPD and RMP should be consulted if the matter involves a
client whose acceptance would be subject to the firm's approval policies for
new clients.

Audits of Previously Audited Financial Statements (Reaudits)

3.107 The firm may be engaged to reaudit and report on financial statements that
were previously audited and reported on by another auditor (the
predecessor auditor). As the successor auditor (or reauditor), the audit
team should not place reliance on the work performed by the predecessor
auditor, regardless of their reputation. The reaudit work performed and the
conclusions reached are solely the audit team’s responsibility.

3.108 Two common circumstances under which the firm may be requested to
reaudit and report on financial statements that have been previously
audited and reported on by another auditor are:
• the predecessor auditor is unwilling or unable to reissue its report for the intended
  purpose
• a company may wish to have another firm audit and report on its financial statements

3.109 As a successor auditor, the audit team should make inquiries of the
predecessor auditor and state that the purpose of the inquiries is to obtain
information about whether to accept an engagement to perform a reaudit
(as discussed above). The audit team should also request workpapers for
the period or periods under reaudit and the period prior to the reaudit
period. However, the extent, if any, to which the predecessor auditor
permits access to the workpapers is a matter of judgment.

3.110 Information obtained by the successor auditor through inquiries and any
review of the predecessor auditor’s report and workpapers may be used in
planning the reaudit, but does not provide the firm with a sufficient basis for
expressing an opinion. If the firm has audited the current period, the results
of that audit may be considered in planning and performing the reaudit of
the preceding periods and may provide evidential matter that is useful in
performing the reaudit.

3.111 Since the audit team will generally be unable to observe inventory or make
physical counts at the reaudit date, they may consider the knowledge
obtained from our review of the predecessor auditor’s workpapers and
inquiries of the predecessor to determine the nature, timing, and extent of
procedures to be applied in the circumstances. However, it will always be
necessary for the audit team to make or observe some physical counts of
inventory (if material) at a date subsequent to the period of reaudit
(generally in connection with a current audit) and apply appropriate tests of
intervening transactions. Appropriate procedures may include tests of prior
transactions, reviews of records of prior counts, and the application of
analytical procedures such as gross profit tests. The audit team may not
assume responsibility for the work of the predecessor or issue a report that
reflects divided responsibility for the reaudit.

3.112 If, in a reaudit engagement, the audit team is unable to obtain sufficient
audit evidence to express an opinion on the financial statements, they
should qualify or disclaim an opinion because of the inability to perform
procedures considered necessary in the circumstances.

Engagement Acceptance Procedures and Considerations

3.113 The firm’s client acceptance policies and procedures are required for
reaudits. In making a decision to perform a reaudit, the client acceptance
decision should consider the following:
• whether the reaudit is being undertaken in connection with the audit of a subsequent
  period, as a separate engagement to be reported on before completing a current
  period audit, or a one-time engagement
• the ability to obtain third-party confirmation or other primary audit evidence as of the
  balance sheet date(s) or the need to obtain confirmations as of a subsequent date and
  test the intervening transactions
• the ability to obtain the necessary audit evidence
• whether there has been a significant change in the top management of the client and
  whether client management is willing, and has sufficient knowledge of the financial
  statements subject to reaudit, to make all required management representations
• whether there have been significant changes in internal control subsequent to the
  reaudit period and whether an adequate understanding of internal control in operation
  during the reaudit period can be obtained to plan the reaudit
• whether sufficient audit evidence can be obtained in support of material financial
  statement assertions in situations where significant amounts of information are
  initiated, recorded, processed, or reported electronically, and no other documentation
  of these transactions is produced or maintained, other than through the IT system

3.114 [Tailor the first bullet to reflect sources available in your environment] Prior
to accepting an engagement to reaudit financial statements, the audit team
should also consider information pertaining to the integrity of management
and any disagreements between management and the predecessor from
the following sources, if applicable:
• reading the Form 8-K reporting the resignation or dismissal of the predecessor auditor
  and the predecessor auditor’s response
• reading the audit committee communications issued by the predecessor auditor
• reading the management representation letters including the summary of uncorrected
  financial statement misstatements
• reading the company’s copies of correspondence with the predecessor auditor and
  regulators

3.115 If the predecessor auditor is unwilling or unable to reissue its report, the
audit team should consider the reasons and their implications.

3.116 The audit team should consider the independence and professional
reputation of the predecessor auditor, and whether there are factors that
preclude obtaining any evidence from reading the financial statements for
the prior period and the predecessor auditor’s report or reviewing the
predecessor auditor’s audit documentation.

Planning the Reaudit

3.117 The nature, timing and extent of the audit procedures performed and the
conclusions reached are solely the firm’s responsibility.

3.118 The audit team should consider the information obtained from inquiries of
the predecessor auditor and review of the predecessor auditor’s report and
audit documentation in planning the reaudit. The audit team should
consider specifically examining the predecessor auditor’s audit
documentation related to the following:
• understanding of internal control and control risk assessments
• the identification of internal control related matters noted in the audit, such as
  significant deficiencies, material weaknesses, and other control deficiencies or
  advisory comments
• identification of fraud risk factors and the results of audit procedures in response to
  specifically identified fraud risks
• understanding the company’s business
• uncorrected financial statement misstatements
• other identified risks of material misstatement
• other audit documentation with respect to critical or significant accounting and audit
  areas

3.119 It is customary for the predecessor auditor, absent certain circumstances,
to permit the reauditor to review the audit documentation, including
documentation of planning, internal control, audit results, and other matters
of continuing accounting and auditing significance.

3.120 The reaudit should be planned in conjunction with the current audit, if
applicable, and the audit procedures for both should be coordinated.

Understanding the Entity’s Business

3.121 The audit team may obtain significant information related to understanding
the entity’s business as a result of inquiries of the predecessor auditor and
review of the predecessor auditor’s audit documentation. If they utilize this
information, the audit team should corroborate the information through
inquiries of management, inspection of key documents, and other
procedures as considered necessary.

Understanding of Internal Control, Assessment of Control Risk and Tests of Controls

3.122 Information obtained from the review of the predecessor auditor’s audit
documentation may assist the audit team in obtaining the required
understanding of internal control and evaluating the design of relevant
controls. The audit team should perform procedures to corroborate the
understanding and evaluation and determine whether key controls have
been placed in operation. If the intended control reliance is to test controls,
appropriate tests of controls should be designed to determine that relevant
controls were operating effectively during the reaudit period. The audit
team may either test relevant controls in operation during the reaudit period
or test relevant controls in operation currently, and perform a rollback of
changes in design of the internal controls to the prior periods.

3.123 In instances where a rollback is not possible and the intended control
reliance is not achieved, additional audit evidence should be obtained via
substantive testing. However, if a significant portion of the information
supporting one or more financial statement assertions is electronically
initiated, recorded, processed, or reported, the audit team should
reconsider whether it is possible to design effective substantive tests that
by themselves will provide sufficient evidence that financial statement
assertions are not materially misstated.

Substantive Audit Procedures

3.124 The audit team may consider the knowledge obtained from the review of
the predecessor auditor’s audit documentation and inquiries of the
predecessor auditor to determine the nature, timing, and extent of
procedures to be applied in the circumstances and to determine
expectations when performing analytical procedures.

3.125 In performing analytical procedures as a substantive audit procedure, the
audit team should develop expectations and use those expectations to
determine matters requiring further investigation.

Inventory

3.126 Since the audit team did not observe physical inventories in the prior year,
they must be able to perform satisfactory alternative procedures if
inventories are material. This includes performing a current physical
observation and a rollback of amounts to prior periods. The audit team
should perform tests of intervening transactions and analytical procedures.

Confirmations with Third Parties

3.127 The audit team may consider responses to confirmation requests received
by the predecessor auditor, provided the audit team is able to obtain copies
from the predecessor auditor. The audit team should evaluate the process
used by the predecessor auditor in controlling the confirmation process and
in selecting the accounts/items for confirmation and the persons or entities
for inquiry. The audit team is responsible for conclusions as to the
adequacy of the confirmation responses received by the predecessor
auditor, including the number and quality of those replies, and for
alternative procedures with respect to nonreplies. The audit team should
also consider directly obtaining confirmation responses relating to
significant matters.

3.128 If the audit team is not able to obtain copies of confirmation requests from
the predecessor auditor or when we conclude that additional evidence is
required, the audit team should perform either of the following:
• reconfirm the amounts/terms of balances and transactions as of the balance sheet
  date
• confirm at a date subsequent to the period of the reaudit, in connection with a current
  audit or otherwise, and apply appropriate tests of intervening transactions

3.129 In addition, the audit team should perform appropriate subsequent events
procedures, which may provide additional evidence concerning certain
assertions.

3.130 If the substance of an inquiry to lawyers relates to a significant matter, we
should obtain responses directly.

Opening Balances and Consistency of Applications of Accounting Principles

3.131 The audit team may obtain some evidence regarding opening balances
and consistency of accounting principles by reading the audited financial
statements for the prior period and the predecessor auditor’s report
thereon, and making inquiries and reviewing the audit documentation of the
predecessor auditor.

3.132 If the audit team is not permitted to review the audit documentation of the
predecessor auditor, they will not be able to obtain any evidence from
reading the audited financial statements for the prior period and the
predecessor auditor’s report. The audit team should perform appropriate
alternative procedures with respect to the opening balances as of the
beginning of the audit period and with respect to the consistency of
accounting principles.

3.133 The audit procedures performed on the reaudit period transactions may
provide some audit evidence about the opening balances. Also, see the
related guidance in the section “Predecessor Auditor Considerations.”

Uncorrected Financial Statement Misstatements

3.134 The audit team should evaluate the treatment and effects of uncorrected
financial statement misstatements on both opening and closing balances of
the period under reaudit. The firm cannot be held to any decisions of the
entity and the predecessor auditor regarding the materiality of uncorrected
misstatements or their disposition. In addition, the audit team is solely
responsible for obtaining sufficient audit evidence to support conclusions
that the financial statements are free of material misstatement when
evaluating all identified uncorrected misstatements, regardless of whether
the misstatements were identified by the predecessor auditor.

Representation Letter
3.135 If a different management team is in place currently than during the original
audit period, current management may believe that it bears no
responsibility for the audited financial statements developed by prior
management. However, the audit team must obtain an appropriately signed
representation letter from current management for all periods being
reported on.

3.136 The audit team should discuss the requirement for a signed representation
letter early in the process to ensure that the appropriate officials are aware
of their responsibility and the need to provide the representations to us. If
we are unable to obtain a written representation letter from current
management for all periods being reported on, a scope limitation exists.

Reporting Implications

3.137 If the audit team is unable to obtain sufficient appropriate audit evidence to
express an opinion on the financial statements, they would qualify the
opinion or disclaim an opinion because of the inability to perform
procedures considered necessary in the circumstances (e.g., insufficient
controls to allow the reauditor to rely on types of procedures available to
evaluate accounts such as inventory). The firm may elect to resign from
such engagements.

Other Audit Issues


3.138 Because the reaudit report is dated as of the date sufficient evidence has
been obtained to support the opinion, subsequent events procedures are to
be performed through that date.

3.139 The entity’s ability to continue as a going concern for a reasonable period
of time takes into consideration our knowledge of relevant conditions and
events that exist or have occurred prior to completion of the reaudit
fieldwork. The audit team should consider whether the financial statements
adequately disclose such conditions and events, other conditions and
events occurring subsequent to the balance sheet date, their possible
effects, and any mitigating factors, including management’s plans. If the
audit team concludes that substantial doubt remains about the entity’s
ability to continue as a going concern, the audit report should include an
explanatory paragraph reflecting that conclusion.

Chapter Four - Audit Evidence and Audit Procedures
Summary

This Chapter presents a discussion on the various aspects of audit evidence as well as
defining the types of audit procedures that are incorporated into the Horizon
methodology. These audit procedures are specifically discussed throughout the Manual
and used in the Voyager audit programs.

Audit Evidence
4.01 Auditing is a process of accumulating and evaluating evidence about
management’s assertions in the financial statements for the purpose of determining and
reporting on the relationship between such assertions and established criteria. The audit
team’s overall objective is to obtain sufficient appropriate audit evidence to afford a
reasonable basis for the opinion on the entity’s financial statements.

4.02 The audit process consists of five steps:


 performing risk assessment procedures to identify the assertions where
sufficient, appropriate audit evidence is required
 specifying and performing procedures to collect such evidence
 evaluating the relevance and sufficiency of the evidence
 determining whether the weight of the evidence is positive or negative
 deciding whether the evidence supports the assertions

4.03 “Audit evidence” is all the information used by the audit team to form its opinion.
It is cumulative in nature, and includes evidence obtained from the procedures
performed during the current and prior audits, and the firm’s quality control procedures.

4.04 The audit team uses one or more types of audit procedures for gathering audit
evidence. Auditing standards categorize these procedures as follows:
 inquiry
 analytics
 inspection
 observation
 confirmation
 recalculation
 reperformance
These audit procedures, or any combinations of these procedures, may be used as risk
assessment procedures, tests of controls, or substantive procedures. These procedures
are described further under “Procedures for Obtaining Audit Evidence.”

4.05 In Horizon, these procedures are described as above, with the exception of
“inspection.” Horizon may refer to inspection procedures as one of the following:
 examine (documents, securities, etc.)
 trace (source documents to accounting records)
 count (inventory quantities)
 reconcile
 review
Note to the reader: When these or similar terms are used in this Chapter, they are
presented in bold text.

4.06 In evaluating the sufficiency and appropriateness of audit evidence obtained
through the application of audit procedures:
 sufficiency relates to the quantity of audit evidence obtained.
 appropriateness is the measure of the quality of the evidence (i.e., its
relevance and reliability in supporting the financial statement assertions
and detecting misstatements)

4.07 The quantity of audit evidence needed is affected by the risk of material
misstatement (the greater the risk, the more audit evidence is likely to be required) and
also by the quality of such audit evidence (the higher the quality, the less audit evidence
may be required). Accordingly, sufficiency and appropriateness of audit evidence
are interrelated. As a caution, obtaining large quantities of audit evidence does not
typically compensate for a lower quality.

Professional Skepticism

4.08 The audit team must maintain an attitude of appropriate professional skepticism
in evaluating the relevancy, sufficiency, and appropriateness of audit evidence.
Accordingly, when applying procedures to the client’s records, schedules and
supporting data, the audit team should remain skeptical and avoid unquestioning
acceptance of documents and explanations.

4.09 In performing its procedures, the audit team should ask themselves questions
such as the following:
 What additional documentation (invoices, contracts, etc.) exists to support
the balance or transaction?
 Is there more persuasive or corroborating evidence that should be
obtained?
 Was the transaction properly authorized?
 Is the transaction one the entity would be expected to carry out?
 Do the terms of the transaction seem reasonable?

Reliability of Evidence

4.10 The reliability of audit evidence is dependent on the circumstances under which it
is obtained. Accordingly, while generalizations about the reliability of various types of
evidence can be made, they are subject to important exceptions. However, the following
interrelated presumptions concerning the reliability of audit evidence are meaningful:

Evidence that is more reliable               Evidence that is less reliable

direct evidence obtained through             indirect evidence obtained through
procedures such as inspection or             inquiry
recalculation

obtained from outside, independent           obtained solely from management
sources

documented                                   undocumented

obtained from inspecting original            obtained from inspecting copies and
documents                                    faxes

obtained in the presence of an effective     obtained in the context of an ineffective
control environment                          control environment

Obtaining Audit Evidence

4.11 In obtaining audit evidence, the audit team considers specific audit objectives in
light of the matters discussed above and the individual circumstances. In adopting the
overall audit approach and in selecting particular audit procedures to be performed, the
audit team considers, among other things:
 the risk of material misstatement in the financial statements, including the
risk assessment procedures, and the expected effectiveness and
efficiency of our audit procedures
 the nature and materiality of the items being tested, the types and
reliability of available evidence
 the audit objective to be achieved

4.12 Therefore, the exact nature, timing, and extent of the procedures applied in a
particular engagement are a matter of professional judgment and determined based on
the specific circumstances.

4.13 The methods of applying audit procedures to obtain audit evidence may be
influenced by the entity’s method of processing information. Horizon assumes most
clients use some form of computerized or automated processing. By default, Voyager
assumes the audit team will utilize automated auditing procedures. However, the audit
team can use manual audit procedures, CAATs, or a combination of both, as applicable.
Regardless of the methods used, the specific audit objectives do not change.

Conclusions from Audit Evidence

4.14 The conclusions obtained from different types of evidence should be consistent
with one another. When audit evidence obtained from one source appears to be
inconsistent with evidence obtained from another source or contradicts other evidence,
the auditor needs to perform more work to resolve the inconsistency, since the reliability
of each remains in doubt. Accordingly, evidence obtained from different areas of the
audit and the related documentation needs to be consistent with one another. When the
evidence from different areas appears inconsistent, the audit team needs to resolve the
discrepancy by performing additional procedures, considering the implications, if any,
on other aspects of the audit and documenting the results.

4.15 The weight given to evidence obtained from management representations should
be considered in light of management's incentives, intentions and depth of knowledge.
Apart from the possibility of intentional misrepresentation, management's natural
tendency is to defend the figures produced by their own accounting system.
Accordingly, management representations (or representations from their staff) should
usually be validated by other evidence.

4.16 In determining that sufficient relevant, reliable and appropriate audit evidence
was obtained to provide the audit team with a reasonable basis for the opinion, it is
usually necessary to rely on evidence that is persuasive rather than convincing. For
example, when testing for existence of a particular customer’s accounts receivable
balance at year-end, one would consider the following as convincing evidence - the
receipt of a subsequent cash payment with a remittance advice specifically identifying
the invoice in question. Using the same example, comparing invoices to a purchase
order and related shipping documentation would represent persuasive evidence. Both
the individual assertions in financial statements and the overall proposition (that the
financial statements as a whole present the financial position and results of operations
in conformity with generally accepted accounting principles) are of such a nature that
even an experienced auditor is seldom convinced beyond all doubt with respect to all
aspects of the statements being audited.

4.17 Where there is substantial doubt regarding audit evidence, the audit team should
not issue an opinion on the financial statements until sufficient relevant, reliable and
appropriate audit evidence is obtained to remove such doubt, or the report should be
appropriately modified or an opinion disclaimed, as required by professional standards.

4.18 While there are rational relationships between the cost of obtaining evidence and
the usefulness of the information obtained, the difficulty and expense involved in
obtaining evidence is not a valid basis for not obtaining it.

Automated Environments
4.19 In most entities, most (if not all) of the accounting data and corroborating
evidential matter are available only in electronic form. Source documentation such as
purchase orders, bills of lading, invoices and checks are replaced with electronic
records. For example, in EDI (electronic data interchange) systems, the entity and its
customers or suppliers use communication links to transact business electronically.
Purchase, shipping, billing, cash receipt, and cash disbursement transactions are often
consummated entirely by the exchange of electronic messages between entities. In
these circumstances, the audit team should consider performing tests of controls for
certain assertions and using computer assisted techniques for substantive tests. In
these environments, the audit team might consider using CAATs and adding an IT
specialist to the audit team.

Procedures for Obtaining Audit Evidence


4.20 In Horizon, four general types of procedures are used to gather audit evidence:
 risk assessment procedures, which are intended to identify financial
statement risks that could cause the financial statements to be materially
misstated
 walkthroughs, which are intended to provide evidence that internal
controls are implemented
 tests of controls, which are intended to provide evidence that internal
controls are operating as designed
 substantive tests, which are intended to provide evidence as to the validity
and propriety of financial statement balances and their underlying
transactions

4.21 This section discusses the procedures used to obtain audit evidence. The audit
team would rarely use all of the procedures to obtain evidence on any one assertion.
Rather, procedures should be selected in terms of the quality of the evidence they will
produce and the cost of the procedures compared to the alternative procedures that the
audit team could perform to obtain the necessary audit evidence.

4.22 The nature and timing of the audit procedures selected by the audit team may be
determined based on the availability of accounting data and other information. For
example, information may only be available in electronic form or at certain points in
time. Therefore, the audit team should consider the evidence available in planning the
nature and timing of audit procedures.

4.23 The procedures described below serve as the basis for the discussion of audit
procedures throughout this Manual and in the Voyager audit programs. The various
audit procedures can be classified, in general terms, as follows:

Inquiry Procedures

4.24 Inquiry is to seek information from knowledgeable persons, either verbally, or in
writing. This procedure is useful in testing every financial statement assertion; however,
inquiry alone does not provide sufficient audit evidence to detect a material
misstatement or to test the operating effectiveness of internal control. Accordingly, other
corroborating evidence should validate responses.

4.25 While management and employees may be less objective than independent third
parties, they will be more knowledgeable concerning the operations, systems, and
accounts of the business. Inquiry contributes to all examination, observation,
confirmation, tests of controls, and substantive objectives. It is a useful starting point
for most other auditing procedures. Generally, it is far more efficient to obtain
explanations through inquiry and then seek to validate these explanations than to try to
find explanations by sifting through large quantities of detailed evidence.

4.26 The reliability of inquiry depends to a large extent on the integrity of the client's
management and employees.

4.27 The steps performed in inquiry include:


 identifying the question or the missing information required (deal with one
issue at a time)
 identifying the right people to ask
 posing the question (and any necessary supplementary questions)
tactfully, clearly and in a way that does not suggest a “proper” or “yes/no”
response
 actively listening to the response
 evaluating the responses with professional skepticism
 comparing the explanations obtained to other information known, and
performing additional procedures, when warranted
 reaching a conclusion
 documenting the conversation

4.28 The audit team might use inquiry procedures in four different ways:
 as an essential component of obtaining an understanding of the entity,
including its internal control and validating that understanding
 as a starting point for further audit work
 to obtain explanations of significant or unusual items encountered
 to elicit information that may not be obtainable in any other way

Analytical Procedures
4.29 The audit team uses analytical procedures to analyze information obtained
during the audit to seek evidence as to the completeness, accuracy, and validity of
information contained in the financial statements. Analysis of a balance appearing in an
accounting record is finding out "what is in" a given figure and comparing it to an
expectation. Sometimes, analytical procedures are a preliminary step preceding other
auditing procedures to identify account balances that require more in-depth audit
procedures.

Inspection Procedures

4.30 Inspection is to examine, trace, count, reconcile, or verify records or other
documents, processes, conditions or transactions. Inspection of documentation
provides further evidence as to the assertions being audited. For example, the
inspection of a lawyer's letter would provide some evidence of the existence of a
contract. Inspection may provide evidence as to an asset or liability balance, such as
the observation of inventory quantities or vouching a note receivable to the signed note,
or it may provide some evidence as to information to be disclosed in the financial
statements, such as agreements and minutes.

4.31 The steps performed in inspecting documentation include:


 examining the documentation (paper, electronic or other)
 comparing all information contained in the documentation with other
information recorded in the accounts or known to us
 investigating any differences
 reaching a conclusion

4.32 The audit team should be alert to the authenticity of the document being
inspected. While they cannot be expected to detect forged documents, they might, in
the case of externally prepared documents, be able to discern crude forgeries,
misrepresentations, or alterations. Lack of authenticity may also be indicated by the
nature of the information on the document.

Observation Procedures

4.33 Observation consists of looking at a process or procedure being performed by
others in order to understand:
 who performs the process
 when it is performed
 how well the process is performed
An example is the audit team observing a client’s process of counting its inventories.
Observation is often used when there is no tangible audit trail. Therefore, it is rarely
sufficient substantive audit evidence on its own and additional corroborating procedures
will be necessary.

Confirmation Procedures

4.34 Confirmation is a process by which the audit team obtains and evaluates
evidence in response to a direct request for information, usually to a third party.
Confirmations are primarily written, and may include aspects of inquiry, examination
and sampling. Although confirmation can be used to test all assertions, it is primarily
used in the existence-occurrence and rights and obligations assertions.

4.35 Factors that suggest that confirmation procedures may be appropriate include:
 the potential risk of a material misstatement is high
 unusual or complex transactions

Recalculation Procedures

4.36 Recalculation consists of verifying the mathematical accuracy of documents or
records and recomputing financial statement amounts or supporting details, including
totaling client schedules. This may include recalculating items such as depreciation
expense for specific assets, extending invoices and verifying the mathematical accuracy
of general ledger postings. Automated tools and CAATs are often more efficient than
manual recalculations. Therefore, audit teams should use these tools as appropriate.
Recalculation procedures can be used for all assertions, except rights and obligations.

Reperformance Procedures

4.37 Reperformance occurs when the audit team independently executes processes
or controls that were originally performed as part of the entity’s internal control. In
Horizon, reperformance is performed routinely as a test of internal control.

Chapter Five – Automated Tools
Summary

This Chapter describes Grant Thornton's automated tools available to assist in
the planning, execution, control, completion and administration of audits and
other engagements. This Chapter also summarizes the types of functions
available in the software and their use in various engagement activities.

Introduction
5.01 Automated tools are designed to enable the audit team to be efficient and
effective. Although primarily designed to assist in audits, automated tools can be
used in other types of engagements as well. Automated tools offer a number of
benefits, including:
 cost-effective auditing
 tailored audit programs for a wide variety of industries
 consistent performance
 ability to analyze a large volume of transactions or data that is not
feasible to analyze manually
 reduction or elimination of mechanical tasks

5.02 Grant Thornton encourages the use of electronic workpapers as much as
practicable; therefore, audit teams should request management to provide their
schedules, reconciliations, and source documentation in electronic format.

5.03 The automated tools discussed in this Chapter are:


 Voyager
 TBeam
 Voyager Information System
 GTI Client Acceptance
 Consultation
 Grant Thornton Electronic Library
 Pentana disclosure checklist
 IDEA
 Microsoft Excel

Voyager
5.04 Voyager is a software application developed by GTIL to implement the
Horizon methodology. In particular, Horizon tailors the audit approach for a
particular engagement to the unique risks and circumstances of the specific client
situation. Voyager is central to Horizon because it enforces the Horizon
methodology.

5.05 Voyager is required for all audit, review, and compilation engagements.

5.06 Voyager provides the ability to create industry-specific engagement
programs from one national masterfile that is developed and maintained by each
GTI member firm. The first step in effectively and efficiently tailoring audit
procedures is selection of the appropriate industry upon creation of the Voyager
file.

5.07 The following industries are currently available:


 Commercial
 Manufacturing
 Depository institution
 Construction
 Not-for-profit
 Governmental
 Health care
 Energy
 Software
 Brokers and dealers in securities
 Investment partnership
 Mortgage banking
 Insurance
 Employee benefit plan
 Service
 Real estate

5.08 The audit team then uses Voyager’s automatic tailoring functionality to
customize the audit program to the specific client circumstances. Automatic
tailoring works primarily in the following ways:
 Selecting the appropriate flags upon file creation, for example:
     First year
     Public
     Internal control audit
 Completing Voyager’s built-in tools such as:
     Organization Structure
     Revenues
     EPF
     IT Profile
     Accounting System
     Materiality
     Risk Indicators
     Linkage – Matters to Financial Statement Risks
     Assertion-Level Risk Assessments
 Answering global tailoring questions (for example, “Will the work of
an expert be used? Yes / No”) or cycle-specific tailoring questions
(for example, “Does the entity maintain significant cash on hand?
Yes/No”)

5.09 Finally, the audit team uses Voyager’s direct tailoring feature to further
customize the audit procedures. Direct tailoring may include deleting general file
sections or procedures that are not applicable, adding procedures or modifying
the wording of existing procedures. Voyager further facilitates direct tailoring by
allowing the audit team to append cycles from another industry.

5.10 The audit team uses Voyager in all aspects of the engagement: planning
and risk assessment, execution, completion, documentation, and management.
Electronic documents contained within the Voyager engagement file become the
primary means of documenting the audit work. Voyager allows the audit team to:
 complete or update the documentation of the understanding of the
entity and its environment
 automatically tailor the substantive audit procedures and
questionnaires by answering tailoring questions for the entity as a
whole and for individual cycles
 identify matters that affect the financial statements, significant
cycles and their related financial statement risks including those
that have a reasonable possibility of causing a material
misstatement in the financial statements
 select between automated procedures (those completed with IDEA)
and manual audit procedures
 determine the timing of the audit procedures to include interim
procedures, where appropriate, and add procedures to roll forward
the results to the balance sheet date
 directly tailor individual procedures by adding, deleting, or
modifying the procedures to reflect the specific client situation
 review the tailoring of all changes made to the audit program to
assist in the approval process
 approve the tailored audit program
 record team members and control electronic signatures and
responsibilities of the audit team
 make necessary changes to the approved audit procedures (these
are logged for later quality control review)
 attach supporting electronic memos and schedules (references)
and document external workpaper references
 electronically sign-off procedures, memos and references as they
are completed
 create and manage review notes
 distribute (check out) portions of the engagement file to different
audit team members and consolidate (check in) the audit program
into a completed engagement file
 archive file for rollforward next year and long-term storage
 rollforward an existing, tailored engagement file for a subsequent
year engagement

5.11 Voyager also provides the audit team the ability to document, evaluate
and test internal control. Voyager’s approach to internal control embraces the
framework described in the international auditing standards, which encompasses
controls at both the entity level and activities level of client organizations. Audit
teams use Voyager to:
 document entity-level activities, processes and controls (control
environment, monitoring, information and communication,
information technology and financial reporting)
 identify very and somewhat important processes
 document activities-level processes and controls
 document the IT profile, including the IT applications integral to the
financial reporting process
 document service organizations used
 assess design effectiveness of both entity-level and activities-level
controls
 document the results of walkthroughs performed
 identify key controls for the financial statement and/or internal
control audit
 select an effective and efficient approach to test key controls
 generate the tests of controls programs
 document the results of tests of controls
 evaluate control findings using Design Effectiveness
 accumulate control deficiencies on the Summary of Control
Deficiencies

TBeam
5.12 Many different automated trial balance and workpaper preparation
software packages exist today. These programs are designed to automate many
functions, enabling audit teams to be more cost effective and efficient. The use of
this type of software package is encouraged to perform functions such as:
 importing a client's data automatically
 assigning accounts to lead schedules
 assisting in performing period-to-period comparisons
 producing trial balances and lead schedules
 linking to other applications, such as word processing for the
production of financial statements and spreadsheets for further
analysis
 posting adjusting, passed, reclassification and eliminating journal
entries
 producing consolidated workpapers

5.13 TBeam is a software application developed by GTIL that provides an audit
team with the capabilities described above. In addition, it provides audit teams
with the ability to integrate trial balance lead schedules and other workpapers
with Voyager.

Voyager Information System

[Include this section if your firm has implemented the application]

5.14 VIS is a database system designed to collect certain information contained
in Voyager engagement files for use in managing and monitoring the firm’s
practice. This information is transferred to the VIS database when certain defined
events occur during the engagement. Those events include:
 completing the Organization Structure information
 determining EPF
 releasing the report
 archiving the completed file

5.15 The information in the VIS database can be viewed using the VIS Viewer
application. The VIS Viewer assists audit teams in the following areas:
 documenting approval of EPF assessments
 documenting assignment of quality control reviewers
 generating email notifications for engagements with unapproved
EPF assessments

5.16 In addition, the VIS Viewer provides an effective and reliable method for
tracking engagements to determine whether engagement files are archived in
accordance with professional standards. This is done by:
 tracking audit engagements from the report release date
 providing a complete history of all archived files stored within VIS
 generating email notifications for engagements after 30 days if the
file is unarchived
 continuing to send email notifications until the file is archived

5.17 The automated email notifications in VIS to partners and audit teams, as
previously discussed, are vital to maintaining an accurate record of engagements
and monitoring compliance with firm policies and professional standards,
including those relevant to record retention (file archiving). Noncompliance with
the firm’s archiving policies is a violation of professional standards and securities
laws. Therefore, it is imperative that all automated emails get the prompt
attention of the persons involved.

5.18 The primary source of data in VIS is the Organization Structure tool in
Voyager. To maintain data integrity, audit teams should diligently review the
information in Organization Structure and correct inaccurate or incomplete
information prior to transmission. The primary areas of concern are:
 client names with spelling and typographical errors and instances
where the entity’s legal name is not used
 partner names and email addresses improperly formatted and
spelled (audit teams should use the import function on the
Engagement Team screen to obtain names and email addresses).
When incorrect email addresses are transmitted, VIS is unable to
send email notifications to the partner.
 dates entered incorrectly cause tracking issues because the VIS
engagement tracking system and related email notifications rely on
accurate dating
 names of entities missing or entered incorrectly. Within
Organization Structure, audit teams should enter all components
and related entities which includes subsidiaries or entities
controlled by the client, investees (where it has both significant
influence and a material investment), and the parent entity (where it
has both significant influence and a material investment).

5.19 The PSP and their designee (Client Administrator) are responsible for
monitoring the accuracy and completeness of the VIS records for their office.
When errors and omissions are found, the PSP or Client Administrator should
notify the appropriate persons so corrections can be made in Voyager
Organization Structure information and resubmitted to VIS.

Creating New Voyager Files versus Using the Rollforward Option

5.20 Only in exceptional circumstances (e.g., the prior year's file is corrupted or
there is a change in the level of service) should an audit team create a new
Voyager file rather than rolling forward the prior year’s file.

5.21 There are two very important reasons for doing this:
 when a new engagement file is created, all information must be re-
entered and all direct tailoring is lost. This is highly inefficient.
 the engagement tracking history in VIS is lost whenever a new
record is created because the duplicate record must be removed.

5.22 Therefore, before creating a new engagement file instead of rolling
forward the prior year file, a member of the audit team should contact A&A
Software Support to determine the appropriate course of action.

GTI Client Acceptance

[Include this section if your firm has implemented the application]

5.23 GTI Client Acceptance enforces the firm’s client acceptance policies
through efficient, automated documentation and approval procedures. The
software resides on each user’s computer and interacts with and updates a
database that resides on the firm’s network. This enables authorized individuals
and firm management to access, review, and approve or decline client
acceptance records. GTI Client Acceptance provides additional efficiencies
because it links to Voyager. The audit team can import client information and risk
factors noted during the acceptance process as well as the final report.

Consultation

[Include this section if your firm has implemented the application]

5.24 The firm’s Consultation software automates the process of documenting
and approving consultations on significant audit, accounting and independence
issues, primarily with the NPSG. Individuals involved in a consultation matter
enter, edit and approve consultation documentation in a database. This software
is required to document consultations with the NPSG, but can also be used for
other consultations occurring within an operating office.
Grant Thornton Electronic Library

[Tailor paragraphs 24-26 to reflect your practices with respect to the electronic
library]

5.25 GEL is an electronic library that contains firm, PCAOB, AICPA, IFAC and
SEC electronic literature. Through NextPage, a search and retrieval software
program, all sections or paragraphs containing a specific word, a combination of
words or an exact phrase can be searched. These searches can be performed in
one specific area or simultaneously through all of the literature. The Quick Find
interface allows users to access content through a categorized listing of topics by
author. Content can also be accessed through the traditional Table of Contents.

5.26 NextPage Solo technology includes all of the literature on each user’s
computer. This enables the NextPage search engine to be used without being
online. Users can also access GEL through KSource. The content for GEL is
periodically updated (ordinarily monthly). Users receive GEL updates
automatically when they connect to the firm network.

5.27 Some of the most frequently used items in GEL include:
 Manuals:
 Audit and Assurance Services Manual
 Independence and Ethics Manual
 Guides:
 Consultation User Guide
 GTI Client Acceptance Software User Guide
 VIS User Guide
 Plain English Guide to Independence Requirements in the
United States
 Communications:
 Audit Services Bulletins
 New Developments Summaries
 APFYIs
 Letters, Forms and Templates
 Audit Engagement Letters
 Audit Representation Letters
 Communications with Those Charged with Governance
 Harvest Investments
 Practice Aids
 Confirmation Letters
 Group Audits (Component Evaluation worksheet and CAAM)
 Effective Date Schedule
 Professional Standards
 AICPA libraries (Professional Standards, Audit and Accounting
Guides, Technical Practice Aids, and AICPA Practice Aids)
 PCAOB (Final Auditing Standards, Staff Questions and
Answers, Staff and Audit Practice Alerts)
 SEC (SEC Handbook, Financial Reporting Manual)
 IFAC (Handbook of International Quality Control, Auditing,
Review, and Other Assurance, and Related Services
Pronouncements)
 Industry Practice Aids
 Financial Services (Reg AB, HUD Submission Instructions)
 Governmental and Not-for-Profit (OMB Circulars, Yellow Book -
Government Auditing Standards, OMB A-133 Compliance
Supplement)
 Communication Topical Groups
 Business Combinations
 Financial Reporting Tools
 Revenue Recognition

Pentana
5.28 Pentana is a software tool that generates a financial statement disclosure
checklist to allow the audit team to assess whether the financial statements are
in accordance with International Financial Reporting Standards. As with Voyager,
initial questions allow the checklist to be tailored to the client's circumstances.
The tailored checklist can either be completed electronically on screen or printed
and completed manually. GTIL has an international license for Pentana.
Information about this license is available on GTInet. Pentana should be used for
all engagements where IFRS is the accounting framework.

IDEA

General

5.29 Computerized financial applications provide an opportunity to use CAATs.
Several factors favor the use of computer-assisted auditing:
 widespread use of computerized financial applications
 ease of techniques to transfer data from the client’s applications to
our computers (this makes the use of CAATs practical for both
small and large engagements)
 ability to use Voyager’s “automated” procedures, which is the
default setting for the performance of all substantive procedures
and is designed for increased efficiency and effectiveness
 ability to analyze the entire population instead of using sampling
techniques
 ability to perform more robust fraud procedures where the audit
team identifies fraudulent financial reporting or misappropriation of
assets risks

5.30 Exhibit 5.1 contains a list of possible CAATs.

5.31 When developing CAATs, it is important for the audit team to define the
objective of the procedure prior to initiating the test. Any application of a CAAT
should be under the direction and supervision of a member of the audit team who
is knowledgeable about the area.

Using IDEA

5.32 GTIL obtains an international license for IDEA, a data interrogation audit
software program. Benefits of using IDEA include:
 efficiency - the amount of audit time can be reduced
 effectiveness - allows a more comprehensive analysis and allows
us to focus on more important items
 independence - reduces our reliance on client information
technology personnel
 consistency - procedures can be performed more consistently year
to year

5.33 Planning is required to use IDEA effectively and efficiently. Audit teams
should collaborate with the client to determine whether the client can provide the
requested electronic files timely. This communication is of particular importance
when the audit team requires electronic files from prior periods.

5.34 The testing of computer-assisted procedures during planning will expedite
the processing of interim or year-end data. For example, if the audit team plans
to use IDEA to select a sample of December accounts receivable balances, they
should obtain a copy of the October or November data file; define the record
layout in IDEA, if necessary; reconcile control totals and prepare the layout of
any confirmation forms to be used well before the December amounts are
available. Testing is particularly important the first time IDEA is used.

5.35 The purpose of using IDEA is to enhance effectiveness, efficiency or
otherwise increase the value of the audit. The audit team achieves these
objectives by applying their creative abilities to use the following functions:
 record extraction
 file indexing, sorting and summarization
 field statistics
 file comparison
 sampling
 calculation
 exporting
 selecting journal entries for testing using Smart Analyzer

Record Extraction

5.36 Record extraction scans data files for specific extraction or exception
criteria to extract all records which meet the specified criteria. Once extracted,
exceptions are investigated for resolution.

5.37 Examples where extracting can be used include scanning for:
 accounts receivable balances for amounts over the credit limit
 inventory items with negative quantities and unreasonably large
balances
 unpriced inventory items (items with a quantity on hand but no
unit cost)
 transactions with related parties

File Indexing, Sorting and Summarization

5.38 IDEA can index, sort and summarize data in many ways. This allows the
audit team to prepare analyses or to simulate the client's data processing
systems. Other analyses can also be performed such as gap detection, duplicate
detection, or summarization once the data is sorted on a key (field). Examples
are:
 summarizing detailed transactions by customer account number
 summarizing general ledger trial balances
 summarizing inventory turnover statistics for obsolescence analysis
 sequencing inventory items by location to facilitate physical
observations
 identifying gaps in inventory tag numbers
 identifying duplicate invoice numbers
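
The record extraction tests in 5.37 and the gap and duplicate detection in 5.38, worked on a small inventory count file. This is an added example written in Python, not part of the manual and not IDEA or firm code; the file layout, field names and data are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample count file (not client data): tag number, item,
# quantity on hand, unit cost. Line 1 is the header.
COUNT_FILE = """tag,item,qty,unit_cost
1001,WIDGET-A,40,2.50
1002,WIDGET-B,-5,3.10
1003,GASKET-7,12,0.00
1005,BOLT-M8,900,0.04
1005,BOLT-M8,900,0.04
1008,VALVE-2,3,118.00
"""


def load(text):
    """Parse the file, keeping the source line number so exceptions can be traced."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        rows.append({
            "line": line_no,
            "tag": int(row["tag"]),
            "item": row["item"],
            "qty": Decimal(row["qty"]),
            "unit_cost": Decimal(row["unit_cost"]),
        })
    return rows


def control_total(rows):
    """Extended value of the file, reconciled to the client's total before testing."""
    return sum((r["qty"] * r["unit_cost"] for r in rows), Decimal("0"))


def extract(rows, criterion):
    """Record extraction: every record that meets the exception criterion."""
    return [r for r in rows if criterion(r)]


def negative_quantity(r):
    return r["qty"] < 0


def unpriced(r):
    # Quantity on hand but no unit cost.
    return r["qty"] > 0 and r["unit_cost"] == 0


def find_gaps(rows, key="tag"):
    """Gap detection on a sorted key: inclusive (first, last) ranges of missing numbers."""
    keys = sorted({r[key] for r in rows})
    return [(a + 1, b - 1) for a, b in zip(keys, keys[1:]) if b - a > 1]


def find_duplicates(rows, key="tag"):
    """Duplicate detection: key value -> source lines on which it appears."""
    counts = Counter(r[key] for r in rows)
    return {k: [r["line"] for r in rows if r[key] == k]
            for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    rows = load(COUNT_FILE)
    print("control total:", control_total(rows))
    for name, test in (("negative quantity", negative_quantity), ("unpriced", unpriced)):
        for r in extract(rows, test):
            print(f"{name}: line {r['line']} tag {r['tag']} {r['item']}")
    print("missing tag ranges:", find_gaps(rows))
    print("duplicate tags:", find_duplicates(rows))
```

Each exception carries its source line number so it can be traced back to the client file and investigated for resolution.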

Field Statistics

5.39 Field statistic capabilities of IDEA provide the audit team with the ability to
obtain statistics on numeric fields within a data file. Field statistics include the
following information for the fields selected:
 net value
 absolute value
 number of records
 number of zero items
 total of all debit values
 number of debit records
 total of all credit values
 number of credit records
 number of data errors
 number of valid values
 average value
 minimum value
 maximum value
 record number of the record with the minimum value
 record number of the record with the maximum value
 standard deviation
 variance
 skewness
 kurtosis

5.40 Examples of the use of field statistics are:
 recalculating the totals (proving mathematical accuracy) of
accounts receivable, accounts payable, or inventory listings
 obtaining information about the accounts receivable listing and
determining the effect of credit balances for possible reclassification
 analyzing information to determine sampling approach

File Comparison

5.41 In situations where records in separate files contain compatible
information, IDEA may be used to compare the files to determine if the
information agrees.

5.42 Examples include:
 changes in accounts receivable balances between two dates with
details of sales and cash receipts on transaction files
 payroll details with personnel records
 current and prior period inventory files to assist in reviewing for
obsolete or slow-moving items
 comparing last year’s payables with this year’s to identify potentially
understated accounts

Sampling

5.43 IDEA has the capability to select samples using random or statistical
sampling methods. Examples are:
 accounts receivable balances for confirmations
 inventory items for observation
 inventory items for price testing

Calculation

5.44 IDEA can test the accuracy of computations and perform quantitative
analyses to evaluate the reasonableness of client representations. Examples are:
 extensions of inventory items
 reasonableness of depreciation expenses, accumulated
depreciation and useful lives
 the accuracy of sales discounts
 interest

Exporting

5.45 Exporting allows the audit team to take an analysis that they performed
using IDEA and export information to another application. For example,
information can be exported to a spreadsheet such as Microsoft Excel for further
analysis, client presentation or inclusion as a workpaper in the Voyager file.

Selecting Journal Entries for Testing using Smart Analyzer

5.46 The firm also licenses Smart Analyzer, an IDEA add-in that includes pre-
programmed routines to analyze data. Smart Analyzer interrogates data (e.g.,
general ledger, accounts receivable, inventory, fixed assets, and accounts
payable) without manually creating formulas or scripts. The most common use is
for journal entry testing. Refer to Chapter 20 for additional information on using
Smart Analyzer to select journal entries for testing.

Documentation

5.47 When using IDEA, it is important for the audit team to appropriately
document their work. Reviewers should be able to determine what procedures
were performed and the results of such procedures. Typically these requirements
are satisfied by including the field statistics and record extractions generated
from IDEA. This documentation can easily be transferred to Excel and attached
to the appropriate Voyager procedure. It is unnecessary to include the imported
data file and the history logs in the Voyager file in the audit documentation.

Microsoft Excel
5.48 Excel, which is a full-featured spreadsheet package, allows the audit team
to perform the following:
 prepare detail workpapers (e.g., property, plant and equipment,
long-term obligations, debt maturity schedules, etc.)
 perform analytical procedures
 prepare graphic presentations of analyses and relationships

Computer Security
5.49 Computer security is a broad topic. Everyone is responsible for protecting
client and firm information from security threats. Personal computer security
threats include:
 unauthorized access to data
 data loss
 computer viruses
 Internet hacking

Unauthorized Access to Data

5.50 The threat of unauthorized access to data can occur at three levels:
access via the Internet (discussed below), access to information on the
computer in general, and access to specific data files on the computer.

5.51 Power-on passwords and using the security features of Windows are two
ways to control access to the information on the computer in general. Password
protecting files provides additional control for sensitive files.

Data Loss
5.52 Anyone who has used a computer knows that loss of data is a threat.
There are several techniques available to mitigate this risk. One of the most cost
effective is to periodically create a copy of files on media external to the
computer. At the end of each workday, the audit team should create a “package”
of the Voyager file and save it onto an external media device. Voyager also has a
“backup” function that can be used periodically throughout the day. These
backups should be deleted at the end of the day after the package function is
used to create a copy of the file on external media.

Computer Viruses

5.53 Computer viruses are commonplace. Their threat ranges from
inappropriate screen messages to a complete and irretrievable loss of data and
software. Use of antivirus software is the principal means of controlling this
threat.

Internet Hacking

5.54 The threat of Internet hacking includes destruction of the computer
content, use of the computer for inappropriate purposes or gaining access to the
information contained on the computer. The threat occurs whenever the
computer is connected to the Internet either directly or through a network.
Protection at the network level is usually achieved through the use of network
firewalls. However, computer users should be aware that the threat also exists
when they connect the computer directly to the Internet (e.g., using a home
Internet Service Provider) or through an unprotected network (perhaps a poorly
controlled client network). An effective way to control this threat is by using
firewall software on each computer.

Ethical Use of Computer Software
5.55 Software tools are licensed or developed at significant cost. They are for
Grant Thornton business only and must be returned in the event of separation.

5.56 GTI member firms pay license fees not only for the various accounting and
auditing software products described herein, but also for other software such as
Microsoft Windows and various other applications. These licenses limit the
duplication, distribution and resale of software. Generally, these licensing
agreements specify the number of machines on which the software is to be used.
It is Grant Thornton's policy to appropriately license all software and strictly
comply with all license agreements.
Exhibit 5.1 – Potential Computer-Assisted Audit Techniques
E01 Presented below are audit procedures where the audit team may wish
to consider applying computer-assisted audit techniques.

Commercial Entities

Cash
 reconcile intercompany cash transfers
 reconcile disbursements to the voucher register
 total and clear the outstanding check list

Revenue

Accounts Receivable
 test the mathematical accuracy of totals and extensions of the year-
end balances
 age the file
 identify accounts (or invoices) within specific aging categories and
over specific monetary limits
 identify unusual invoices, refunds, debit memos, etc.
 test for new, large monetary/volume accounts
 identify account balances exceeding their credit limit by a specific
percentage or amount
 identify accounts with large past-due amounts
 select accounts or invoices for confirmation by sampling
 sort and summarize by the customer number or type of account,
type of collateral, or sales terms
 using weekly/monthly update files, move accounts receivable from
the confirmation date to year-end. Select transactions for additional
testing from these files.
 merge the accounts receivable file and the sales file and perform
cut-off tests and ratio analyses
 apply cash receipts, subsequent to the confirmation date, to
accounts receivable to determine uncollected receivables or
receipts for which no receivable was recorded
 merge interim balances with year-end balances to produce either a
comparative trial balance or accounts with changes greater than a
specified percent
 review potential problem areas:
 excessive adjusting entries to accounts
 duplicate:
 invoice numbers
 debit/credit memo numbers
 account numbers
 mailing addresses
 customer names
 age and stratify credit limits and/or balances
 cut-off test by matching year-end invoices with subsequent
credit memos
 balances in excess of credit line
 match the detail and master file record, and list the unmatched
detail records
 prepare confirmation letters using master address file
 analyze receivable accounts by type of receivable
 identify large receivable write-offs during the period for verification
and evaluation of existing receivables
 verify calculation of unearned finance charge reserve included in
receivables
 identify the number and amount of loans receivable that have been
extended or refinanced prior to year-end
 analyze receivable write-offs by type or location
 sample individual open accounts receivable items
 automated printing of selected items list and address envelopes for
confirmations
 automation of confirmation statistics
 age by invoice date, date of last payment, customer, line of
business, type of open item
 histogram customer accounts, or open items
 apply subsequent transactions to the selected account balances or
open items in the file
 match cut-off information to the open items in the file
 compare open accounts receivable items at confirmation date to
open items at a subsequent date to determine changes caused by
subsequent transactions

Sales
 total the sales transactions file or year-to-date sales file
 summarize sales, by the respective account distribution, for
reconciliation to the general ledger posting and accounts receivable
file
 match the sales records to the accounts receivable sales posting
 test for unusually large amounts
 test for missing or duplicate invoice numbers
 compare invoice dates to the month recorded and identify potential
cut-off problems
 test sales invoices for:
 mathematical accuracy of totals and extensions
 unit price
 discount allowed
 analyze by market, product line, customer, cost, sales commission,
etc.
 select a sample for testing
 comparison of revenue information to industry guidelines or trends
 calculation of unearned revenue for sample periods
 consolidation of divisional or subsidiary financial accounts
 computation of cost of sales based on items sold and comparison
to client file
 comparison of profit and loss account balances between two
periods showing percentage and absolute change

Cash Receipts
 total the cash receipts file
 summarize cash receipts by the respective account distribution for
reconciliation to general ledger posting
 select a sample of receipts for testing
 summarize/segregate receipts by type
 match cash receipts to the receipts applied to the accounts
receivable file
 test for unusually large receipts, unusual classifications or
allowances, or discounts
 analyze income and expense relationships for trends among years

Inventory Purchasing

Inventory
 test mathematical accuracy of totals and extensions
 select a sample for price testing using large monetary balances, a
systematic sample, or monetary-value estimation
 physical count files:
 test for duplicate or missing tag numbers
 merge inventory observation test counts with the physical count
 summarize by product number, location, type, etc.
 price the physical count file and compare to the general ledger
or book/physical adjustment
 perpetual inventory - use sampling programs to select and print a
sample for physical testing
 master cost file:
 test for duplicate part or item numbers
 select a sample to test the reasonableness of unit costs
 segregate unusual increases/decreases in standard costs;
merge the updated file with prior period files and print items with
significant fluctuations
 merge with the year-end inventory file for price testing
 lower of cost or net realizable value tests (based on the average
selling price, current year standard costs, etc.)
 test for obsolete/slow-moving items; excess inventory:
 use the date of the last shipment or convert the current year's
sales monetary value to quantities. Identify on-hand quantities in
excess of the normal turnover
 merge the inventory file with the sales file. Calculate the number
of months-on-hand supply and compare to the prior usage.
 identify potential obsolete inventory items by printing those
items with little or no current-year sales
 turnover analysis
 compute the gross profit, or potential gross profit, by product line or
in total
 summarize by product, location, classification, etc.
 LIFO calculations:
 calculate the base and current year's extensions
 summarize and compute the current year's index
 compute the LIFO value for each LIFO pool
 compare base prices from the prior year's files
 calculate the percentage change for inventory items, and print
those outside the range for:
 inventory level
 sales level
 change in the standard cost
 change in the average sales price
 test the inventory cutoff by comparing the last receipts to the
purchases register
 analyze accumulation of costs used to value finished goods
inventories
 comparison of standard and actual costs
 review the costed inventory for items with quantity and no value or
value and no quantity
 review for items with labor hours or value and no overhead
 sort the priced inventory in descending order of value or exception
items with the largest percentage change first
 using other information in the inventory master record, extract any
item with yearly usage smaller than on-hand quantity

Payables
 total the trial balance
 match address of vendors to a file of employee addresses
 summarize the payables based on expense account
 develop or test history by vendor (using 12-month files)
 search for unrecorded liabilities
 sample additions to accounts payable subsequent to the cut-off
date
 merge cash disbursements subsequent to the cut-off date with
accounts payable
 investigate unmatched disbursements
 review potential problem areas
 excessive adjusting entries
 duplicate:
 invoice numbers
 purchase order numbers
 account numbers
 mailing addresses
 vendor names
 age debit items
 review expense accounts for recurring monthly charges not
established as accounts payable at year-end
 match of purchase order and accounts payable files
 summarization of disbursements by month to validate check
register totals
 verification of accounts payable cut-off by comparison of receipt
date to year-end date
 age payments for both transactions and year-end balances

Cash Disbursements
 total the cash disbursements file
 summarize cash disbursements by the respective account
distribution for reconciliation to the general ledger posting
 select a sample of disbursements for testing
 summarize/segregate disbursements by type
 match cash disbursements to the disbursements applied to the
accounts payable file
 test for unusually large disbursements or classifications
 test for missing or duplicate check numbers
 test for duplicate payments of invoice numbers or purchase order
numbers

Capital Assets

Property, Plant, and Equipment
 test the mathematical accuracy of totals and extensions
 calculate book and tax depreciation - compare the results to the
client's calculations
 compare accumulated depreciation to cost, and determine that no
assets are depreciated greater than cost
 summarize the activity of the accounts by type
 summarize by classification, location, etc.
 select samples for testing - additions, retirements, etc.
 test for duplicate or missing asset numbers
 select a sample of disbursements for testing repairs and
maintenance
 analyze the intercompany profit on equipment sales
 recalculate expense and reserve using replacement costs
 comparison of useful lives within asset categories

Debt

Notes Payable/Short Term Debt
 total and summarize the year's activity
 calculate the following:
 average interest rate during the year
 average short-term debt outstanding during the year
 weighted average interest rate
 largest month-end balance

Financing

Equity
 analyze, select, and confirm shareholders’ accounts
 test stock options or stock appreciation rights
 total and list outstanding shares by shareholder
 review the activity for officers and selected employees

Employee Compensation

Payroll
 total the payroll transactions trial balance
 summarize payroll transactions by the respective account
distribution for reconciliation to the general ledger and inventory, or
cost of goods sold, charges
 recompute gross pay, deductions, and net pay
 merge the payroll journal files with the payroll master files and test
for exceptions:
 difference in the number of exemptions
 gross pay in excess of a specified amount
 differing hourly/salary rates
 payroll deductions differing from a specified percentage
 maximum government insurable earnings exceeded
 duplicate or missing records (employee numbers)
 hours worked greater than a specified amount
 identifying or purging of master records for terminated
employees
 compare employee and vendor addresses
 create file of employees with no withholdings, no insurance, and/or
no participation in other employee benefits
 create file for testing of valid Social Security numbers
 select a sample for testing

Operating Expenses
 select journal entries for testing
 print the year's activity for significant operating accounts (e.g., rent,
taxes, repairs and maintenance, and legal and professional fees)
 merge with the prior year and create a comparative trial balance
 test for unusual journal entries with these attributes:
 accounts with numerous entries where such activity is out of the
ordinary
 accounts with large, out-of-the-ordinary entries
 prepared by someone with few entries
 recorded by someone not expected to record journal entries
 prepared by senior management or IT staff
 unusual posting date or time
 description not included
 includes round numbers
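
Several of the journal entry attributes listed above (description not included, round numbers, unusual posting date or time, a preparer with few entries, and a preparer not expected to record entries) applied to a small general ledger extract. This is an added example in Python, not part of the manual and not Smart Analyzer's routines; the field names, the sample journal, the 07:00 to 19:00 weekday window, the 1,000 rounding unit, the "few entries" threshold and the restricted preparer list are all assumptions to be set per engagement.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Constructed sample journal (not client data).
JOURNAL = """je_id,account,amount,preparer,posted,description
JE-0001,6100-Rent,4250.17,asmith,2015-03-02T10:14:00,March rent
JE-0002,6400-Repairs,812.40,asmith,2015-03-03T11:02:00,HVAC service
JE-0003,4000-Revenue,50000.00,cfo_lee,2015-03-31T23:41:00,
JE-0004,6700-Legal,1930.00,bjones,2015-03-09T15:30:00,Counsel invoice 881
JE-0005,6100-Rent,4250.17,asmith,2015-04-01T09:05:00,April rent
JE-0006,1200-Receivables,7000.00,bjones,2015-03-14T13:20:00,Reclass
JE-0007,6400-Repairs,316.75,asmith,2015-03-17T14:45:00,Door repair
JE-0008,2100-Accruals,12345.67,itadmin,2015-03-18T10:00:00,Data fix
JE-0009,6500-Taxes,2210.08,bjones,2015-03-20T16:10:00,"   "
JE-0010,6700-Legal,640.00,asmith,2015-03-24T09:30:00,Filing fee
"""

# Assumption: user ids of senior management and IT staff, supplied by the audit team.
RESTRICTED_PREPARERS = frozenset({"cfo_lee", "itadmin"})


def load(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        row["posted"] = datetime.fromisoformat(row["posted"])
        rows.append(row)
    return rows


def is_round(amount, unit=Decimal("1000")):
    """True for a non-zero amount that is an exact multiple of the rounding unit."""
    return amount != 0 and amount % unit == 0


def is_unusual_time(posted, open_hour=7, close_hour=19):
    """True for weekend postings or postings outside the business-hours window."""
    return posted.weekday() >= 5 or not (open_hour <= posted.hour < close_hour)


def flag_entries(rows, restricted=RESTRICTED_PREPARERS, few=2):
    """Return {je_id: [attribute, ...]} for entries matching at least one attribute."""
    per_preparer = Counter(r["preparer"] for r in rows)
    flagged = {}
    for r in rows:
        flags = []
        if not r["description"].strip():
            flags.append("no_description")
        if is_round(r["amount"]):
            flags.append("round_amount")
        if is_unusual_time(r["posted"]):
            flags.append("unusual_time")
        if per_preparer[r["preparer"]] <= few:
            flags.append("infrequent_preparer")
        if r["preparer"] in restricted:
            flags.append("restricted_preparer")
        if flags:
            flagged[r["je_id"]] = flags
    return flagged


def select_for_testing(flagged):
    """Order flagged entries by number of attributes matched, then by entry id."""
    return sorted(flagged, key=lambda je: (-len(flagged[je]), je))


if __name__ == "__main__":
    flagged = flag_entries(load(JOURNAL))
    for je in select_for_testing(flagged):
        print(je, ", ".join(flagged[je]))
```

An entry matching several attributes at once, such as a round-amount revenue entry posted late at night by senior management with no description, sorts to the top of the selection.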

Income Taxes
 prepare trial balances in tax grouping sequence
 calculate income tax provision
 review accounts for non-allowable deductions

Financial Institutions

Loans

By Bank or Branch
 total the outstanding balances
 sort trial balances - by account number, by location/branch, or by
descending balances
 calculate unearned amounts (interest/discount, insurance)
 compare the calculated unearned amounts with the client amounts
 age accounts
 sort and summarize by various installation codes - type of security,
purpose code, class-of-loan, credit rating, borrower, etc.
 calculate maturity schedules
 extract charged-off loans or bankruptcies, and test (calculate the
various percentages, sort by charge-off dates, etc.)
 select loans for confirmation using sampling
 extract delinquent accounts issued prior to a specific date
 extract loans for which the latest payment was less than the regular
payment amount
 calculate extensions of terms for loans for which the term was
extended by more than a specified number of months
 select a sample of new or purchased loans since the last audit to
be tested for appropriate documentation, etc.
 extract loans with a principal balance in excess of a specified
amount
 extract loans with unusual payment terms
 extract loans with unusual interest rates
 test for loans for which the number of payments plus the number of
months extended does not agree with the next due date, or test for
loans for which the number of payments does not agree with the
related reduction of principal
 perform various analyses of past-due accounts
 perform various analyses of unearned income
 calculate accrued interest
 test for liability in excess of the institution's lending limit
 summarize loans to customers. Compare total loans to customers'
credit limits on the master file. Extract accounts with balances
greater than a specified amount over the credit limit.
 prepare a frequency distribution by monetary amounts, interest
rates, or maturity dates

Foreign Loans
 summarize loans by the currency type, and extract long and short
positions in each currency

Real Estate Mortgage Loans
 total the real estate mortgage loan file for principal and escrow
balances
 prepare a frequency distribution of loans by monetary value of
principal outstanding
 identify and list all loans past due for a specific number of days
 extract prepaid accounts
 test the daily interest accrued
 select a sample for confirmation

MasterCard, Visa
 total the file
 identify and list all accounts past due for a specified length of time
 identify and list all accounts with balances in excess of credit limits
 test for specific conditions (e.g., excessive adjustments/credits) in
employee accounts
 select a sample for confirmation
 recompute the current month's interest charge

Investment Securities
 calculate accrued interest receivable
 test amortization of premiums and discounts
 extract securities that are not of an authorized investment grade
 calculate average yields by classification
 calculate maturity schedules
 select samples of security purchases and sales since the last audit
date for transaction testing
 merge with revenue data and flag investments for which no
dividends or interest has been received
 select samples of investments for fair value tests
 price the investments by merging the investment file with the
security pricing file
 total the securities file
 prepare a frequency distribution of the market value, interest rates,
or maturity dates
 test computed interest income on investments to amounts actually
received
 test dividends declared per published services to amounts actually
received

Deposits
 list balances - by branch or in total
 select a sample of account balances for confirmations
 recompute the interest on accounts
 recompute service charges on accounts
 select a sample of new or closed accounts for testing
 test for unusual accounts - continuous overdrafts, dormant
accounts, etc.
 test for any below-minimum account balances incorrectly exempted
from service charges
 for inactive accounts - confirm account relationships
 review for excessive adjustments or activity to accounts
 prepare a frequency distribution of accounts by amount, interest
rates, or maturity dates

Other Deposit Activities - Official Checks (e.g., cashier’s, certified, dividend)
 select a sample to determine clearance, length of time outstanding,
etc.

Trust
 select samples to determine if:
 the trust department is buying the types of securities stipulated
in the trust instruments
 security acquisitions are approved
 trust income is being paid on schedule to beneficiaries

Pension and Similar Trusts


 select a sample of asset transactions for testing
 select sample for testing pension calculations, payments, etc.
 year-end assets:
 total the schedule of investments
 test the accrued interest calculations
 select a sample for fair market value tests
 select a sample for other income tests
 edit the participants' file for non-allowable data (e.g., invalid age,
years of service, gender)
 fund balance - calculate the interest and capital gain income/loss
distributed to participants' accounts
 Investment Securities - (See Listing Under Financial Institutions)

Brokers and Dealers in Securities


 customer statement file:
 recalculate the customer statements
 total the money balance and trace to the money line
 match positions to the summarized customer positions on the
stock record
 select customer accounts for confirmation
 stock record file:
 balance the file and list out-of-balance positions
 select street-side positions for counts or confirmations
 test the file for various SEC rules and regulations
 value securities by merging the stock record file with a price
tape
 list inventory and investment accounts
 review the file for invalid customer accounts or security numbers
 print a listing of securities pledged as collateral on loans
 perform a classification of accounts
 test margin requirements for accounts that are over and under-
margined
 prepare classifications for FOCUS reports
 select a sample of transactions from the transactions file for testing
 summarize cash receipts and disbursements, and compare them to the
bank activity
 review the transactions file for unusual, excessive, or large
adjustments, or large transfers
 test interest calculations on margin accounts
 match securities held at the depository to securities on the stock
record for the respective accounts

Chapter Six – Preaudit Activities
Summary

This Chapter discusses the various preaudit activities that should be completed by the
audit team before commencing work on the current period audit.
[This Chapter contains several paragraphs that you will need to tailor to reflect your policies and
practices. Where you determine that one or more tailorable paragraphs are not applicable to your
environment, we recommend that you replace the content with the statement “reserved for possible future
use.” This action will preserve the paragraph numbering used in constructing the manual.]

Introduction
6.01 Certain activities should be completed by the audit team before starting the
current period audit. These include the following:
 performing client acceptance procedures for initial audits
 performing client reacceptance procedures for continuing audits
 determining whether GTI member firms, the firm and the audit team are
independent
 obtaining an engagement letter to document the understanding
established with the client of the terms of the engagement
 completing EPF to determine whether a quality control reviewer will be
assigned to the audit team
 determining whether the firm can serve as the group auditor, when
applicable

6.02 These procedures are called preaudit activities. Preaudit activities impact how
the firm will approach the current period audit and in some cases may impact whether
the firm chooses to perform an audit. Accordingly, the timing of preaudit activities will
vary, but should always be performed before significant other audit activities (e.g., risk
assessment procedures) are performed. For example, in most circumstances, it is
preferable that reacceptance procedures be performed at the conclusion of the prior
period audit whereas other preaudit activities may be performed just prior to beginning
significant other audit activities for the current year audit.

6.03 Preaudit activities should not be confused with risk assessment procedures.
Preaudit activities are performed outside of the current period audit. Yet information
obtained in performing preaudit activities may affect how the audit team assesses risks
related to performing the audit. For example, client acceptance procedures are
performed to identify matters associated with the engagement that may pose risks to
the firm. The firm carefully considers these risks and determines whether or not to
accept the risks and perform the engagement. Some of these risks may have little, if
any, effect on the audit itself, such as risks related to reputation and collection of fees.
In other words, audit risk may be assessed as low even when engagement acceptance
risk was assessed as high.

6.04 As previously mentioned, certain information obtained in performing preaudit
activities may affect how the audit team assesses risks related to performing the audit.
While not performed for the purpose of assessing audit risk, information learned in
performing preaudit activities with audit implications should be carried forward and
addressed when performing risk assessment procedures related to the audit. For
example, while performing client acceptance procedures, the audit team learns that the
predecessor auditor communicated internal control deficiencies related to the financial
reporting process. In this circumstance, the audit team should consider this when
performing risk assessment procedures for the current year audit.

6.05 Many preaudit activities can be performed by the audit team and others in the
firm without the direct involvement of client personnel, especially for continuing
engagements. However, the audit team may need to conduct preliminary discussions
with client personnel to effectively perform certain other preaudit procedures. These
discussions may include:
 understanding matters impacting independence and client continuance
 establishing an understanding of the terms of the engagement, including
fees
 determining the tentative timetable
 maximizing use of client personnel
While assessments of independence, ethics and management integrity are completed
at the beginning of the audit, these should also be re-evaluated throughout the audit as
circumstances change.

Client Acceptance and Reacceptance


6.06 The firm establishes policies and procedures for accepting new audit clients and
continuing relationships with existing audit clients (reacceptance). These policies and
procedures are a key element of the firm’s quality control systems. Accordingly, client
acceptance policies and procedures attempt to identify and reject prospective clients of
dubious reputation or who present engagements that are likely to involve the firm in
litigation or government investigations, or will not bring a proper reward in light of the
risks involved. Client reacceptance policies and procedures aim to identify and reject
existing clients with similar characteristics.

6.07 Chapter 3 discusses these policies and procedures.

Ethics and Independence


6.08 The firm is committed to complying with the applicable codes of professional
ethics, especially independence. Accordingly, the audit team must evaluate whether the
firm, each audit team member and other auditors who participate in the audit (including
GTI member firms and their personnel) maintain independence in fact and appearance.

6.09 [Tailor the following paragraph to suit the practice of your firm] Firm policies and
procedures regarding ethics and independence are discussed in the firm’s
Independence and Ethics Manual, located in GEL.

Engagement Letters
6.10 The audit team should obtain a written engagement letter for every audit. An
engagement letter formalizes the understanding with the client regarding the services
the firm is to provide and describes the nature of the work to be performed. The letter
also deals with various professional, legal and other business considerations.

6.11 [Tailor this paragraph for your firm’s policies] For recurring audit engagements,
professional standards require the audit team to consider whether circumstances
require the terms of the engagement to be revised and whether there is a need to
remind the client of existing terms of the engagement. In the current environment where
firm policies, legal interpretations, and professional standards continuously change and
evolve, a continuing engagement letter, even with addendums and supplements, cannot
adequately protect the firm against the risk of non-compliance with policies and provide
the legal protections that the firm believes are prudent. Accordingly, the firm requires a
new engagement letter every year and precludes the use of continuing engagement
letters for all assurance services.

6.12 Because of their professional and legal implications, engagement letters are
formal in nature. The negative impression such formality may convey to a client may be
mitigated by either delivering the letter to the client personally or including a more
personal transmittal letter with the engagement letter. However, professionals should be
careful that they do not leave the impression in the discussion or use wording in the
transmittal that could be construed as a modification or alteration of the engagement
terms in any way.

6.13 Engagement letters should be included in the current period workpapers. The
actual engagement letter should be maintained in the paper file and an electronic
version in the Voyager file.

Government Engagement Contracts

6.14 [Tailor the following paragraph to suit the policies and practices of your firm]
Engagements to audit various governmental organizations or agencies may require use
of various "audit contracts" instead of the firm's illustrative engagement letter. Such
contracts are frequently incomprehensible or onerous and do not usually contain the
descriptive or protective language that is included in the firm's engagement letters.
Additionally, Government Auditing Standards require the audit team to make certain
communications to the auditee during the planning stage. Generally, these
communications should be included in the engagement letter. Accordingly, the firm will
usually insist upon certain modifications before signing such contracts and consultation
with the NPPD and RRLA is required. When making such consultations:
 the NPPD should be contacted before the matter is referred to RRLA
 the entire proposed contract should be submitted
 considerable time is usually needed to redraft or assist the office in
renegotiating the contract; therefore, allow sufficient time

Other Services

6.15 Non-audit services directly related to an audit (assistance in drafting financial
statements, preparing reconciliations, preparing tax accruals, etc.) or other attestation
engagements directly related to the audit (supplementary reports) should be included in
the engagement letter covering the audit or other attest services. The acknowledgement
of the services to be provided and management’s responsibilities related to these
services should also be documented in the audit engagement letter.

6.16 Services unrelated to the audit should be documented in a separate engagement
letter. These services may include:
 tax compliance
 internal audit outsourcing
 other bookkeeping services
 forensic services
 other outsourcing arrangements

6.17 In each situation where the audit team intends to perform non-audit services,
they must comply with the applicable independence rules (for example, not performing
management functions or making management decisions; determining whether
management can evaluate the adequacy of the services; and management accepting
responsibility for the results, etc.).

Drafting Engagement Letters

6.18 The audit team should draft the engagement letter using the most current
illustrative letter, which is located in GEL under Letters, Forms and Templates > Audit
Engagement Letters. The audit team should never draft the engagement letter by
tailoring the prior year letter or using an engagement letter issued for another client. The
firm believes this will prevent unintended omissions from letters and thereby reduce the
chance of inappropriate tailoring.

6.19 [Tailor the following paragraph to suit the policies and practices of your firm]
Modifications to the wording in the illustrative letters should only be made to describe
specific terms of a particular engagement and paragraphs that are clearly not applicable
should be omitted. Unless otherwise specifically noted, all paragraphs are required. If a
client proposes eliminating or modifying required verbiage, the audit team should
consult with the PSP and the NPPD, as appropriate.

6.20 [Tailor the following paragraph to suit the policies and practices of your firm]
When drafting engagement letters for assurance services not specifically addressed by
the firm’s existing engagement letters in GEL, preparers should refer to the most closely
related illustrative letters (SEC, non-SEC, governmental) for permitted and prohibited
language. These letters will provide guidance on language prohibited by independence
rules and legal protections for the firm, such as limitation of liability, indemnification
prohibitions and performance standards clauses.

Additional Guidance for Engagement Letters

Address and Salutation

6.21 The engagement letter is addressed to (and signed by) the owner or an officer or
director of the entity, preferably the chief executive officer. For listed entity audit clients,
the audit committee is directly responsible for appointment, compensation and
oversight. Therefore, the engagement letter should be addressed to and signed by the
chair of the audit committee, or the chair of the board of directors, where no audit
committee exists.

6.22 There should be no question as to the official's authority to engage the firm for
this purpose. It is preferable that the letter be addressed to (and signed by) an individual
so that the acknowledgment will be by the person designated instead of the entity
name. Where the letter is addressed to someone who is not in senior management,
such as the chair of the Board of Directors, an officer or member of senior management,
such as the CEO, COO, President or CFO, should ordinarily sign the letter to
acknowledge the terms and conditions of the engagement.

6.23 The introductory paragraph should cordially set forth the primary purpose of the
letter. For example, either of these types of wording options may be used:

The purpose of this letter is to set forth the terms of our engagement.

Thank you for discussing with us the requirements of our forthcoming engagement.

Names of All Entities Included

6.24 The firm prefers that the names of all companies or other entities be identified
instead of being referred to inclusively as in "... and subsidiaries." If one or more
subsidiaries are to be audited by another firm, this fact should be stated as a part of our
understanding. Where there are numerous entities, it is preferable to list them. Some
examples are:

Single Entity

Grant Thornton LLP (“Grant Thornton”) will audit the balance sheet of Brown Equipment
Co., Inc. …

Consolidated Statements

Grant Thornton LLP (“Grant Thornton”) will audit the consolidated balance sheet of Brown
Equipment Co., Inc., and its subsidiaries, Black Warehouse Co., Inc., and Green Machinery
Corporation...

Large Number of Subsidiaries

Grant Thornton LLP (“Grant Thornton”) will audit the consolidated balance sheet of Brown
Equipment Co., Inc., and its subsidiaries:

 Black Warehouse Co., Inc.
 Green Machinery Corporation
 Blue Gadgets, Inc., and
 Red Valve Company

In some cases it may be desirable to refer to an attached list of the entities to be
audited.

Omitted Subsidiary
Follow the same convention as the consolidated statement for a large number of
subsidiaries, with the following added:

The separate financial statements of Red Valve Company, included in the consolidated
financial statements, will be audited by other certified public accountants.

In such situations, the audit team should discuss the procedures they may employ with
respect to the other auditor's work and its possible effects on the report with the client
and should also include language in the engagement letter covering such procedures.

Identification of the Statements to be Audited


All statements to be included in the audit are referred to in the first paragraph, rather
than being referred to inclusively as "... financial statements..." The identification should
be consistent with the captions expected to be used on the statements themselves.

Change in Services

6.25 When the nature of services is significantly modified from the previous year's
engagement letter, it is suggested that this be clearly spelled out, particularly where it
will result in a substantially higher fee. Some of the changes in scope that might be
referred to include:
 inclusion of certain subsidiaries audited by another firm the preceding year
 change from unaudited statements to the expression of an opinion

Reference to the latter change might read:

The foregoing understanding represents a change from our engagement of the preceding
year, which called for our preparation of compiled financial statements.

This does not refer to limitations of scope imposed after an audit has started or to a
change to unaudited financial statements when an audit was conducted in the
preceding year.

Fees and Billing Arrangements

6.26 All engagement letters should contain language relating to fees and billing
arrangements. When establishing fees with clients, the following should be considered:
 Fee arrangements should be made prior to the work commencing. The
engagement letter, reviewed with the client, is the means to assure that
such arrangements were made.
 Fixed fee arrangements are generally to be avoided.
 [Tailor the following paragraph to suit the policies and practices applied by
your firm in the audit of listed entities] Due to the many uncertainties
involved in SEC registrations and related types of engagements, it is
difficult, if not impossible, to accurately estimate the time charges.
Because of possible implications that work is limited based on fee
limitations, the firm prefers non-fixed fees for registration engagements,
except in certain rare situations when it is necessary to furnish an
estimate. The fee quoted, in such case, should be restricted to an
estimate for fieldwork plus hourly rates for conferences with underwriters,
attorneys, and the SEC, and for any additional, resulting work. An all-
inclusive quotation normally should not be furnished, except in unusual
circumstances. In such cases, a statement indicating that the quotation
should not be considered a maximum fee should be included in the
engagement letter.
 Care should be exercised in providing estimated fee quotations. When
such estimates are provided, the firm's policies with respect to billing,
collections and retainer requests should be followed.
 If a fee or rate quotation is provided, it should avoid comparison with the
prior year. For example, the letter should not state: "The annual fee for
services will be increased from __________ to __________."
 [Tailor the following paragraph to suit the policies and practices of your
firm] Retainers should be considered for new clients, clients who have
demonstrated poor payment performance in the past, and other situations
where collection may be deemed problematic. The lead partner may need
to consult with the OMP to determine engagement situations requiring a
retainer.
 [Tailor the following paragraph to suit the policies and practices of your
firm] The firm will not enter into deferred fee arrangements for
engagements where the firm needs to maintain its independence. Other
deferred fee arrangements should be avoided. In instances where a
registration statement is being filed, such an arrangement could impair
independence because the outcome of the offering is dependent upon the
success of the registration statement and subsequent underwriting.

Standard Fee Clauses

6.27 [Tailor the following paragraph to suit the policies and practices of your firm] The
firm’s standard fee clauses and supplemental schedules are included in the illustrative
engagement letters in GEL under Letters, Forms and Templates.

Fee Estimate Including Hourly Rates

6.28 [Tailor the table for your currency symbol] Individuals' hourly rates should
generally not be spelled out. However, where a client insists, or where the proposal was
based on hourly rates, the following may be used:

This engagement will be undertaken based upon our (per diem or hourly - as appropriate)
rates for this type of work, which are as follows, depending upon the individuals involved:
Partners                                        from $XXX to $XXX
Managers                                        from $XXX to $XXX
Senior associates                               from $XXX to $XXX
Associates                                      from $XXX to $XXX
Typists and other administrative personnel      from $XXX to $XXX

Fee Clause - Engagement Planning Data

6.29 [Tailor the following paragraph to suit the policies and practices of your firm]
When the optional Engagement Planning Data (see the Appendices for Enhanced Fee
Realization) is used, it should usually be referred to in the engagement letter in a
manner such as:

Our estimated fee takes into account pertinent information you (or your personnel) have
given us concerning your records and audit facilitation materials to be provided by your
personnel, which has been summarized (or if to be completed later: you have agreed to
summarize) on our Engagement Planning Data Form.

When the optional Engagement Planning Data is attached to the engagement, the fee
paragraph of the letter should include language like either of the following examples:

Our estimated fee takes into account the Engagement Planning Data attached (or: reflected
in Attachment X to this letter).

Our fee for this engagement, which takes into account the Engagement Planning Data
attached, is estimated to approximate $XX,000.

Engagement-Related Expenses

6.30 [Tailor the following paragraph to suit the policies and practices of your firm] One
effective way of improving realization of fees is to verify that all expenses relating to an
engagement (both direct and indirect) are billed to our clients in a timely and consistent
manner. This includes billing for administrative charges. Annually, the firm provides
policies for billing and collections and also updates fee language for engagement
letters. Revisions to engagement letter language are updated in the firm’s illustrative
letters.

Optional Recovery for Discounted Fees Upon Termination of Services

6.31 [Tailor the following paragraph to suit the policies and practices of your firm] At
the beginning of a client relationship, the audit team should inform a client in situations
where the firm is providing services at a significant discount from standard rates in
anticipation of a long-term continuing relationship. Although most clients honor that
commitment, a long-term relationship with certain clients does not happen. A change in
auditors may arise for many reasons, such as an initial public offering, debt issuance,
sale of the company, or change in control.

6.32 [Tailor the following paragraph to suit the policies and practices of your firm] In
these instances, the basis for the discount (i.e., the anticipation of a long term
relationship) has not been realized. Had the firm known that the basis for the discount
would not be realized, it likely would not have agreed to provide the services at
discounted fees. Accordingly, the only way to be fairly compensated is by charging the
client a termination fee, which represents the recouping of the discounted fees. In
certain situations, the partner should annually advise clients in the engagement letter
that the firm will recover our discounted fees if our services are terminated. This
termination fee would be in addition to any fees for future services that might be
necessary. Care needs to be taken to avoid any implication that the discounted fees are
either an unpaid or a contingent fee, which in some cases would create independence
impairment or violate state regulatory requirements. Recovering discounted fees upon
termination can be best accomplished by adding language in the engagement letter.
The firm’s illustrative letters contain the appropriate language. (The number of years to
include such a clause is at the discretion of the partner, but ordinarily such a fee would
not be charged after the fifth year of the relationship.)

Adoption of New Standards

6.33 [Tailor the following paragraph to suit the policies and practices of your firm]
Because of the complexities of adopting new standards, it may not be possible to
establish a definitive fee for the procedures that will be required as a result of the
implementation of these standards. The firm’s illustrative engagement letters contain
language that should be used, regardless of whether the client has approved additional
fees related to the adoption of new standards.

Additional Clauses

6.34 [Tailor the following paragraph to suit the policies and practices of your firm]
Additional clauses should be considered in situations where there is a perceived need
for additional protection. The NPPD should be consulted in such situations, which may
include:
 disputes between members of management or ownership that have
resulted or may result in litigation. The firm frequently becomes entangled
in such situations even when not a named target.
 when the client is undergoing or is likely to undergo a regulatory agency
investigation, or other intensive scrutiny

6.35 [Tailor the following paragraph to suit the policies and practices of your firm] In
the non-SEC illustrative engagement letters, the firm includes additional protections,
such as limitation of liability and indemnification clauses (labeled “Standards of
Performance”). These legal protections are only included when they are not prohibited
by the applicable independence rules or other rules and regulations. It is imperative for
the engagement team to carefully follow the instructions in the illustrative engagement
letters so that independence is not impaired by use of these provisions.

Employee Solicitation Clause

6.36 [Tailor the following paragraph to suit the policies and practices of your firm] The
firm expends a great deal of time and effort in ensuring that it has top quality and highly
trained professionals to appropriately service its clients. Likewise, the firm’s clients
make similar investments in their employees. The firm’s investment is in anticipation of
its professionals’ long-term continuing employment. When a professional leaves the firm
for another opportunity, this investment is substantially lost. In many cases, the
professional leaves to join the staff of a client; and the client may not realize the
significant costs the firm has in recruiting and training new staff, scheduling demands on
remaining staff, and lost opportunities to accept new assignments. In some instances,
the firm has been successful in recouping a portion of these costs when it has an
understanding with a client that a fee will be charged if the client solicits or hires any
firm professional participating in the client’s engagement without our express written
consent. In establishing such an understanding, the firm should avoid any implication
that the fee is either an unpaid fee or a contingent fee, which in certain circumstances,
could create an independence impairment or violate state regulatory requirements.

6.37 [Tailor the following paragraph to suit your firm’s policies and practices regarding
the audit of listed entities.] Due to the changes in independence rules for SEC
registrants, when a member of the audit team is lost, the firm not only incurs significant
expenses in hiring and training replacements, but their employment by the client also
raises serious independence issues. If it is determined that Grant Thornton is not
independent because of a client’s employment of an audit team member, the firm would
not be able to complete the audit, perform any interim reviews, or update the firm’s
reports for any subsequent events or other matters for any registrations within the
mandated, one-year “cooling-off” period or for any period for which the firm is not
independent.

6.38 [Tailor the following paragraph to suit the policies and practices of your firm]
Because of this, the firm requires the use of an employment solicitation clause for all
SEC audit engagements and other engagements where the firm is also the auditor of
record under the SEC’s independence rules. This puts the client “on notice” regarding
the ramifications of hiring an audit team member and also protects the firm from any
financial losses incurred as a result of their hiring decision. Therefore, unless prohibited
by statute or by court rulings, SEC engagement letters should contain this clause. For
all other engagement letters, use of this clause is optional.

Electronic Transmittals

6.39 [Tailor the following paragraph to suit the policies and practices of your firm] The
firm’s Technology Usage and Information Security Policy stresses that confidential
information must only be transmitted in a secure manner, like the firm’s secure file
transfer utility. Emails are viewed as the legal equivalent of post cards, sent without the
expectation of privacy inherent in the regular mail, an overnight courier or even a fax.
Although technology is changing rapidly, the law on this subject still suggests that
neither sender nor recipient can have an expectation of privacy in information sent by
email over the Internet. The firm’s external email is transmitted over the Internet, which
is not a secure system under the firm’s control. Therefore, in addition to taking care
whether to transmit information or documents over the Internet, the Technology Usage
and Information Security Policy discourages transmission of confidential client
documents or information by email over the Internet.

6.40 [Tailor the following paragraph to suit the policies and practices of your firm] At a
client’s written request, professionals use email to transmit client financial statements,
confidential documents, or information to clients and to others outside the firm, such as
valuation specialists (e.g. Harvest Investments), legal counsel, etc. The firm’s
Technology Usage and Information Security Policy’s intent is not to preclude these
email transmissions, but to obtain the client’s consent to govern the entire engagement
rather than every time information is about to be sent. Accordingly, the audit team
obtains the client’s consent, including such authorization in engagement letters. If a
client will not agree to the inclusion of this clause in the engagement letter, audit teams
may not transmit any financial information to the client, or to others, including Harvest
Investments, through the Internet.

Dispute Resolution Clause

6.41 [Tailor the following paragraph to suit the policies and practices of your firm] The
firm requires a dispute resolution clause in all engagement letters, unless the RMP, in
consultation with RRLA, specifically approves its omission (or modification).

6.42 [Tailor the following paragraph to suit the policies and practices of your firm]
The current business climate along with the costly and often unfair litigation system has
led the firm to reevaluate how it deals with potential claims against it by clients and how
much risk the firm is willing to assume to a client, to a bankruptcy trustee or other entity
which might stand in place of a client and pursue a claim against the firm.

6.43 [Tailor the following paragraph to suit the policies and practices of your firm] One
way to lessen the firm’s risk is through the use of an alternative dispute resolution
(“ADR”) provision in the firm’s engagement letters, specifically binding arbitration. Many
of the lawsuits against the firm were brought by clients blaming their own poor decision
making on the firm or by a representative of the former client, such as the FDIC or a
bankruptcy trustee seeking recovery of all losses to the failed client. The engagement
letter provisions for arbitration can provide an equivalent environment for all parties
involved in this type of litigation.

6.44 [Tailor the following paragraph to suit the policies and practices of your firm] The
following are points which support the firm’s use of the arbitration provision:
 The provisions used by the firm do not impair independence. Each
illustrative engagement letter includes an acceptable provision, in
consideration of applicable independence and other rules and regulations.
 ADR allows the firm to privately resolve any disputes with its clients or any
entity standing in place of a client, such as a trustee or the FDIC. This will
alleviate negative publicity associated with a complaint being filed. In
addition, when the provision precludes an arbitrator from awarding
punitive damage awards (discussed below), it can also stop some of the
more outrageous claims for damages.
 ADR has the potential to speed up the time to resolve disputes with our
clients allowing the firm to focus again on its business rather than focusing
energy and resources on litigation. It requires less involvement in the
dispute process for engagement personnel.
 The provision, when managed correctly, can reduce the cost of dispute
resolution, allowing resources to be allocated to other practice areas.
 ADR provides clients an opportunity to raise emotional issues and to talk
through issues which can be an obstacle in traditional litigation.
 When permitted by independence and other rules and regulations, the
provision precludes an arbitrator from awarding punitive damage awards,
which can be larger than actual damages. Punitive damage awards are
not appropriate in what are essentially professional negligence cases, but
are often used to threaten defendants into settling unreasonable cases.

6.45 [Tailor the following paragraph to suit the policies and practices of your firm] The
ADR provision benefits clients in the following ways:
 Arbitration can be tailored to recognize the type of dispute by providing
arbitrators with knowledge of the industry and accounting standards.
 ADR provides an opportunity to discuss the issues in a setting intended to
resolve an issue quickly and to the best advantage of both parties if
possible, ensuring that business and accounting aspects are fully
discussed.
 With arbitration, decision makers can meet in a controlled environment to
express their views and better understand potential solutions including
those solutions which could not normally be ordered by a court.
 There is a better opportunity for both sides to obtain satisfactory business
solutions and to maintain business relationships by using a dedicated
arbitrator who can spend the necessary time and effort to resolve matters
rather than just the issues presented to the court.
 ADR, when managed correctly, can reduce the cost of dispute resolution,
including attorneys’ fees, for both the firm and its clients. This can keep
the decision making on a dispute in the hands of the client and not the
clients’ attorneys in a court proceeding.
 Discovery is limited by agreement. Relevant information can be produced
by both sides and can avoid time wasting, full-scale, costly discovery into
irrelevant information.
 Opinions of arbitrators are not public record and unwanted publicity can be
avoided, while at the same time arbitrators’ opinions are recognized as
legally binding. Any confidential business information can be kept out of
the public record.
 Arbitration resolves disputes more quickly through the ability to control the
dispute process thereby minimizing the amount of management attention
required to resolve the disputes (also, it is scheduled at the parties’
convenience).

Engagement letter provisions that would impair independence

6.46 When entities are part of a group that operates internationally there is a risk that
clauses in engagement letters that are not prohibited in one jurisdiction may impair
independence in another jurisdiction. Specifically, entities that are subject to the United
States’ Securities and Exchange Commission (SEC) independence requirements pose
this risk because the SEC essentially views the Grant Thornton network as a single
entity for many purposes, including the application of their independence rules. The
SEC independence rules apply when the entity being audited (including its affiliates) is
an SEC registrant. The SEC rules also apply to other entities, such as private funds
advised by a registered investment adviser. Each SEC registrant audit engagement
has an auditor of record, referred to as the primary auditor. There is also a primary audit
partner. The primary audit partner may be a partner in a Grant Thornton member firm or
may be a partner in another firm or another network firm. One of the responsibilities of
the primary audit partner is to determine and communicate the independence
requirements to firms in their network and firms in other networks.

6.47 The primary audit partner determines independence requirements by
establishing whether the work performed by another firm will be used as audit evidence
in their audit of the registrant. When the primary audit partner determines that the work
performed will be used as audit evidence then the firm and any affiliated firms have to
be independent of the SEC registrant audit client and its affiliates under the SEC
independence rules.

6.48 The term affiliated firms includes all Grant Thornton member firms, entities
controlled by member firms, entities that control member firms, or entities that share
ownership, control or management with member firms. This broad definition means that
when the primary audit partner requires independence, all member firms in the network
and their affiliated entities must adhere to the SEC independence rules. This restriction
applies regardless of whether the member firm itself assists or performs audit work with
respect to that SEC registrant or its affiliates.

6.49 There are two types of engagement letter clauses that impair independence
under the SEC rules: (1) indemnification and hold harmless clauses and (2) limitation of
liability clauses.

6.50 An indemnification clause is where the client agrees to compensate the firm for
any loss, damage or cost sustained or incurred by the firm as a result of claims made
against the firm by a third party. A hold harmless clause is where the client releases the
firm from liability for claims or potential claims that may be asserted by the client, its
officers, or directors. Under the SEC independence rules, the inclusion of either type of
clause in any engagement letter (audit and non-audit) impairs the independence of all
firms in the network.

6.51 Therefore, Grant Thornton International prohibits any member firm, and any of
their affiliated firms, from entering into indemnity and hold harmless agreements with an
SEC registrant audit client or its affiliates when a firm in the Grant Thornton network is
the primary auditor.

6.52 This restriction applies to the engagement letters of other auditors that are used
in performing the audit. For example, in a group audit situation a member firm may use
other auditors to perform audit procedures with respect to a component. The member
firm’s application of the SEC independence rules in this situation means that the other
auditors are required to be independent under the SEC rules. In essence, the member
firm engagement partner, with respect to the other auditors, has the same responsibility
as the primary audit partner.

6.53 When the primary auditor is not a member firm, firms should expect the same
restriction to be imposed by the network that acts as the primary auditor if the
subsidiaries that are collectively audited by the Grant Thornton member firm(s)
represent 5% or more of the SEC registrant’s consolidated financial statements.

6.54 The prohibition on indemnification and hold harmless clauses applies to all types
of services, including statutory audits and non-audit services.

6.55 A limitation of liability clause restricts damages that an entity could recover from
the firm arising from the firm’s performance of professional services. A limitation of
liability clause impairs the independence of all firms in the network when included in
engagement letters for audit or review work performed on the financial statements or
financial information forming the basis of the consolidated financial statements, or when
the work being performed by the member firm is being used as audit evidence by the
primary auditor.

6.56 For example, consider an SEC registrant audit that is a group audit and a
member firm is performing a statutory audit or specified audit procedures of a significant
component in the group. In this situation, the work being performed by the member firm
is being used by the primary auditor as audit evidence. Including a limitation of liability
clause in the engagement letter would impair the independence of the primary auditor
and all member firms involved in the audit. Therefore, a limitation of liability clause in
this situation is not permitted.

6.57 Expanding on this example, a member firm performing a statutory audit of an
insignificant component of the group is not performing work that is being used by the
primary auditor as audit evidence. Therefore, including a limitation of liability clause in
this situation would not impair independence.

6.58 For permitted non-audit services, limitation of liability clauses may be included in
the engagement letter if local statutes or regulation, or prevailing practice in the member
firm’s country permit such clauses.

6.59 For an SEC registrant audit client where a member firm serves as the primary
auditor, determining that a limitation of liability clause for an engagement letter of a
component is appropriate requires the participation of the primary audit partner. It is
GTIL policy that the Grant Thornton member firm serving as the primary auditor reviews
the other member firm’s engagement letter to ensure that all provisions are consistent
with the independence standards, including those issued by the SEC and the United
States’ Public Company Accounting Oversight Board (PCAOB).

6.60 In engagement letters that include a provision that limits liability, the following
wording must be included in the engagement letter, unless specifically waived by the
Grant Thornton member firm that is serving as the primary auditor:

“This provision applies where (Member Firm Name) undertakes work either for (i)
an entity that is registered with the US Securities and Exchange Commission, or
(ii) an affiliate of any such registrant. In such a situation, any term of this
[engagement] [contract] that would, but for this clause, be prohibited by, or impair
the independence of, any member firm of Grant Thornton International under any
law or regulation applying to any such entity, shall not apply to the extent that is
necessary only to avoid such prohibition or impairment.”

6.61 The restrictions on the indemnification, hold harmless and limitation of liability
clauses apply to:
 the registrant
 the registrant’s affiliates, officers, and board of directors
 all entities that are included in the consolidated financial statements or interim
information filed with the SEC, including the entity’s subsidiaries, branches, sales
offices, significant investees, and variable interest entities (VIEs)

Signature

6.62 [Tailor the following paragraph to suit the policies and practices of your firm] An
assurance partner must sign all assurance engagement letters. Ordinarily, the
signing partner should be the lead partner. If the lead partner is unavailable, the
engagement letter may be signed by the local OMP or PSP.

Engagement Profile Factor


6.63 The cornerstone of the firm’s quality control review policies is the EPF
determination. EPF evaluates risks along two continuums: the engagement continuum
and the engagement team continuum. A quality control reviewer is added to the audit
team only on those engagements whose risk profile is such that additional resources
are needed to manage the risks inherent in the engagement or the skills of the audit
team.

6.64 [Tailor the following paragraph to suit the policies and practices of your firm] The
lead partner is responsible for initially selecting the appropriate EPF. The PSP should
approve the selection and where necessary, assign a quality control reviewer. The
effectiveness of the firm’s quality control review policies relies upon properly evaluating
the risks of the engagement and the skills of the audit team.

6.65 EPF is a preaudit activity, but is somewhat flexible in when it can be performed. It
can be done at the completion of the prior period engagement, if the audit team is
known, or anytime prior to the start of the current period audit. In all cases, however, it
should be completed prior to beginning significant audit work on the current year
engagement to enable the quality control reviewer, if assigned, to perform his or her
responsibilities.

6.66 Chapter 19 discusses EPF in more detail.

Group Audits
6.67 For audits of consolidated groups, the determination of who can serve as the
group auditor is a matter of judgment. Professional standards allow latitude in
determining who can serve as the group auditor, but provide considerations that
include:
 the materiality of the portion of the group financial statements audited by
the firm in comparison with that audited by other auditors
 the importance of components audited by the firm in relation to the total
entity
 the extent of knowledge of the overall financial statements

6.68 The firm’s policies and procedures for working with other auditors are included in
Chapter 24. Most of the procedures related to working with component auditors are
performed during the course of the audit, but the determination of who the group auditor
is must be done during preaudit activities.

Other Considerations

The Audit Team

6.69 The lead partner is responsible for determining that the audit team assembled
has the requisite skills and time to perform the engagement. The necessary skills
required are unique to each engagement, but may include considerations such as:
 previous experience with the client
 industry expertise
 accounting expertise
 specialized knowledge and skills in IT, tax, or valuation

Staff Scheduling

6.70 Staff scheduling is an important aspect of planning. While the scheduling process
may differ depending on the size of the office, effective scheduling recognizes the
exercise of judgment in choosing among alternatives that may affect the assignment of
staff. In larger offices, the person assigned the scheduling responsibility usually assigns
staff to specific engagements after considering the requests made by audit partners and
managers and factors such as staff utilization, staffing requirements, personnel skills,
individual and overall office needs. The staff scheduler and the audit partner are
expected to satisfy themselves that the assigned personnel have the background and
training requisite to their professional responsibilities on the engagement. In smaller
offices, the audit partners or managers might consider these matters and make staffing
decisions either by themselves or after discussions with the other partners and/or
managers in the office.

6.71 The experience and training of personnel assigned significant engagement
responsibilities should be commensurate with the assessment of risk for the
engagement. Ordinarily, higher risk requires more experienced personnel, team
members with specialized skills or more extensive supervision by the audit partner
and/or manager during the audit.

6.72 The following factors should ordinarily also be considered:


 engagement size and complexity
 matching client and staff personalities
 personnel availability
 efficient conduct of the engagement
 opportunities for on-the-job training
 circumstances where questions about independence or conflicts of
interest might be raised
 ability to perform the work within a reasonable period of time
 involvement of supervisory personnel

6.73 [Tailor the following paragraph to suit the policies and practices of your firm] For
engagements where an OMP or RMP is the lead partner, the PSP should be consulted
regarding the assignment of staff at the in-charge level and above.

6.74 [Tailor the following paragraph to suit the policies and practices of your firm]
Many offices have adopted a policy that the PSP either participate in staffing meetings
or review the staff scheduling on a weekly or other periodic basis. This overall review
meets the objective of the foregoing policy and explicit documentation is not necessary.

Administration

6.75 The audit team should consider matters that affect the administration of the audit.
These matters include:
 preparing a time budget to determine staffing requirements and schedule
fieldwork
 determining that assigned staff have the appropriate background and
experience to fulfill their responsibilities
 preparing a schedule for completion of the audit
 ensuring the audit program considers any additional reports or other
services required
 notifying the partner of issues that might affect the amount of our fees

Engagement Management Tools

6.76 [Tailor the following paragraph to suit the policies and practices of your firm] To
assist in administering engagements, the firm uses Engagement Management Process
(“EMP”) Tools (using Microsoft Excel). These include the Time and Billing Control Form
(Form 1) and the Consolidator Tool. Form 1 is used for budgeting and as the basis for
determining fees, planned realization and net rate per hour. It is also designed to track
actual time incurred and percentage to completion. This can assist in identifying out-of-
scope work for additional billings. The Consolidator Tool is used to summarize multiple
Form 1 workbooks for review at the client level, combining data across service lines and
assignments.

6.77 [Tailor the following paragraph to suit the policies and practices of your firm]
Form 1 is required for assurance engagements greater than 200 hours and should be
approved annually by the APL. The OMP may set local office policy for their approval of
Form 1 and also set lower thresholds for its use. The audit team should update Form 1
each week to ensure timely identification of overruns and out-of-scope work. The APL is
responsible for monitoring compliance with this policy.

6.78 [Tailor the following paragraph to suit the policies and practices of your firm] The
Consolidator Tool is highly recommended, when appropriate, to aggregate client data.

6.79 [Tailor the following paragraph to suit the policies and practices of your firm] The
tools and instructions for their use can be found in GEL under Letters, Forms and
Templates > Audit Form 1.

Voyager Files

6.80 The cornerstone of Voyager is the masterfile, which contains the procedures that
audit teams must execute to demonstrate compliance with firm policies and professional
standards. Therefore, it is imperative that each partner and manager verify that the
correct field version of Voyager is installed before creating or rolling forward Voyager
files.

6.81 Certain basic procedures can be completed without the Voyager file. These
include:
 preparing budgets
 drafting the engagement letter
 meeting with management to plan the audit and make inquiries
 performing preliminary analytical procedures
 obtaining or updating permanent file information
 reviewing work of internal auditors
 obtaining and updating related party information
Later, when the Voyager file is created or rolled forward, documents and forms created
during planning can be attached and sign offs completed.

Multiple Voyager Files

6.82 A separate Voyager engagement file should be created for each report that is to
be issued. For example, if there is a report on the consolidated entity and a report on
one of the subsidiaries, a separate Voyager file should be used for each report. This
provides the most efficient and effective method of documenting and evaluating
materiality, appropriately applying GTSP, performing all procedures for each report in
compliance with professional standards and complying with the documentation
standards and the firm’s record retention and archiving policies.

6.83 There are other fact patterns that also require separate Voyager files for the
same client. See Exhibit 6.1, “When to Create Multiple Voyager Files,” for further
guidance. In situations where the governance structures vary within an entity, a
separate Voyager file should be created for all of these entities. This is necessary
because it is not possible to document more than one governance structure within one
file, as entity-level processes and controls cannot be duplicated in Voyager. In the same
respect, separate Voyager files should be used for locations or business units that use
different financial reporting systems. Since financial reporting processes and controls
are documented in entity-level controls which cannot be duplicated, it is not possible to
document two separate financial reporting systems within a single file.

6.84 In situations where the work performed by other offices for a subsidiary, location
or business unit is extensive, a separate Voyager file is often the most efficient method
to organize the files. This approach allows the other office to complete its work without
having to check files out for an extended period. Once a file is checked out, the risk
assessment tools, global questions and tailoring for the entire file lock. The inability to
change these portions of the file will create noticeable inefficiencies in the performance
of the engagement.

6.85 In instances where the audit team deems only one Voyager file is necessary, the
audit team should consider whether any of the cycles should be duplicated within the
one Voyager file. The audit team should consider duplicating a cycle when there are:
 reasonably possible risks at different locations or business lines and
therefore, internal control documentation and walkthroughs will be
different
 different application systems used; and therefore, processes and controls
will be different

6.86 The internal control documentation and walkthroughs should link to their
associated reasonably possible risk. For example, if an entity has two distinct product
lines with separate processes and controls for recognizing revenue, the engagement
team should duplicate the revenue cycle so that the separate process and controls can
be documented for both sets of reasonably possible risks. Cycles should also be
duplicated when different applications are used and therefore, the process and who
performs the processes and controls are different.
Exhibit 6.1 – When to Create Multiple Voyager Files
Chapter Seven – Materiality
Summary

This chapter discusses materiality in relation to planning and executing an audit. It also
presents guidance to the audit team on how to select an appropriate benchmark and
measurement percentage to use in determining materiality.

Introduction
7.01 The audit team’s consideration of materiality requires professional judgment
and considers the needs of users of financial statements. Materiality is the magnitude of
a misstatement or an omission from the financial statements or related disclosures that
the audit team believes would make it probable that the judgment of a reasonable
person relying on the information would have been changed or influenced by the
misstatement or omission. Auditors are responsible for obtaining reasonable assurance
that financial statements and related disclosures are free from material misstatements
(they have no duty to detect immaterial misstatements). Accordingly, an audit is
designed to identify potential misstatements that, individually or collectively, are
material. This objective requires the audit team to determine and document a materiality
amount for each audit.

The Role of Materiality in Audit Planning and Execution

Planning

7.02 Horizon requires that, during audit planning, the audit team makes and
documents an assessment of planning materiality for the financial statements taken
as a whole for purposes of:
 determining the extent and nature of risk assessment procedures
 identifying and assessing the risks of material misstatement
 determining the nature, timing and extent of further audit procedures

7.03 Planning materiality is determined by applying a percentage to a chosen
benchmark. Examples of benchmarks are total revenues, total assets, cash flows and
earnings before taxes.

7.04 Planning materiality does not establish a threshold below which identified
misstatements are always considered immaterial when evaluating their effect on the
auditor’s report. Chapter 20 provides guidance on financial statement misstatements,
their evaluation and the effect they have on concluding the audit, including
consideration of qualitative factors that could make an otherwise quantitatively
immaterial item material.

Execution

7.05 If planning materiality alone were used to set the scope of audit procedures, it
would be possible that several misstatements, each of which is less than planning
materiality, could aggregate and result in a material misstatement of the financial
statements. For this reason, the audit team should determine tolerable error
(discussed below), which is an amount less than planning materiality. Tolerable error is
used to determine the scope of audit procedures and is equivalent to performance
materiality discussed in the international standards.

Planning Materiality
7.06 Setting planning materiality too low results in a tolerable error that is too low
and the potential for over auditing and inefficiency. Setting planning materiality too high
results in tolerable error that is too high and the potential for not obtaining sufficient,
appropriate audit evidence. Audit teams avoid these two extremes by making two
critical audit judgments:
 selecting a suitable benchmark and
 determining a reasonable measurement percentage

Selecting a Suitable Benchmark

7.07 In determining materiality, a reasonable measurement percentage is often
applied to an appropriate benchmark. The audit team selects an appropriate benchmark
by considering various factors such as the nature of the entity, where the entity is in its
life cycle, the entity’s industry and economic environment, the entity’s ownership
structure and the way it is financed, and the relative volatility of the benchmark.

7.08 In particular, the audit team considers whether there are financial statement
elements or other items where users tend to focus their attention. The most appropriate
benchmarks are ordinarily those that are elements of the financial statements, such as
earnings before taxes, total revenues, cash flows and total assets, among others. In
certain situations, benchmarks other than financial statement elements (for example,
earnings before interest, taxes, depreciation and amortization) are the focus of financial
statement users and may be an appropriate benchmark.

7.09 Factors that the audit team considers in selecting a benchmark include:
 the elements of the financial statements (assets, liabilities, equity, revenues,
expenses)
 the financial statement measures defined in the financial reporting framework
(financial position, financial performance, cash flows)
 the nature of the entity and the industry in which it operates
 the size of the entity
 the nature of the entity’s ownership and how it is financed

7.10 Normally, loan covenants as well as regulatory and listing requirements should
not affect the audit team’s selection of a benchmark. A lender often negotiates
covenants to protect itself in the event that the borrower’s financial condition
deteriorates. Such motivations do not define the best benchmark for determining
planning materiality. For example, the existence of an inventory covenant does not
imply that the lender believes inventory is the best benchmark or that the lender is
uninterested in earnings or other potential benchmarks.

7.11 Voyager provides various benchmarks depending upon the industry. One of
the benchmarks is appropriate for most entities. However, if another benchmark (for
example, cash flows) is more relevant to the entity being audited, it is acceptable to use
that benchmark in determining planning materiality. This is achieved in Voyager by
selecting the “Other” benchmark from the drop-down menu. Then in the “Explanation for
benchmark selection” box, document the benchmark used and the rationale for
selection.

7.12 The audit team must document the considerations that result in the selection
of a benchmark.

7.13 Because the selection of a suitable benchmark involves professional judgment
and has a significant impact on the audit, the audit team is encouraged to consult, as
appropriate.

Determining a Reasonable Measurement Percentage

7.14 After the audit team selects the suitable benchmark, they must determine a
reasonable measurement percentage to apply to the benchmark. Again, this requires
judgment.

7.15 The percentage to apply to the chosen benchmark can be expected to vary
between entities. The most important criterion used to determine the appropriate
percentage is who the users of the financial statements are. For example, for listed entities,
relatively small percentage changes in a financial statement element might be
considered significant to shareholders. Conversely, a sole owner, actively engaged in
the operations of an entity, likely would not let small changes in a financial statement
element affect his or her economic decisions. It is important to keep in mind that an
audit enhances the degree of confidence of intended financial statement users, and
therefore, the financial statements may not be perceived to have value if the materiality
threshold exceeds the expectations or needs of such users.

7.16 Also, there is a relationship between the measurement percentage and the
chosen benchmark. This means that a smaller percentage would ordinarily be applied to
a benchmark representing a larger financial statement element, such as revenues, than
applied to a benchmark representing a smaller financial statement element, such as
earnings before taxes. For example, an audit team may select a 10% measurement
percentage when the benchmark is earnings before taxes, while another audit team
may select a 1% measurement percentage when the benchmark is total expenditures.
Although these percentages may appropriately vary between entities, it is helpful to
remember the relationship between the measurement percentage and the chosen
benchmark.

7.17 Materiality is a judgment, not a scientific or precise calculation. When auditors
set materiality too low, the result can be an inefficient audit with excessive testing and
audit effort. However, setting materiality too high can result in insufficient testing and
failing to recognize when the financial statements are materially misstated. This
subjects the audit team and the firm to increased risk from a legal and regulatory
perspective as well as potentially damaging our brand. The challenge is to set
materiality at the level where audit effort and the needs of the users are in balance. This
balance can only be achieved with experience and consideration of what a reasonable
person who has the same knowledge and understanding about the entity and its
industry would consider material.

Guidance

7.18 The following table provides guidance for all the benchmarks and
measurement percentage ranges now available in Voyager. Please note that this table
is not intended to be a rigid set of rules. Rather it is guidance for most of the
circumstances audit teams will encounter.

7.19 Voyager provides the opportunity for audit teams to document their judgments
about their choice of benchmark and measurement percentage. Develop the good
practice of making sure this documentation is complete and clear. Reviewers and third
parties should be able to understand the rationale for the materiality judgments made by
the audit team from the audit documentation.

7.20 The benchmark and percentage guide follows.

| Benchmark | When to use… | Range | Guidance |
|---|---|---|---|
| Earnings before income taxes | Commercial, for-profit entities. This is the financial statement element most often used to evaluate an entity’s performance. When earnings are volatile and cannot be normalized, another benchmark may be more suitable. | 3% to 10% | listed entities typically not greater than 5%; privately-owned entities typically 5% to 10% (lean to the lower end of range as ownership widens) |
| Total revenues | Often, the largest financial statement element and one whose trend is closely monitored. This benchmark is frequently used for commercial, for-profit, and not-for-profit entities. | .25% to 3% | percentage closer to 1% may be appropriate for a larger commercial entity, while a percentage closer to 3% may be appropriate for a smaller, non-listed entity |
| Total assets | Perhaps most relevant to financial services entities. Not usually a relevant financial statement element for users of other commercial, for-profit entity financial statements. This benchmark may be an alternative when other benchmarks are not appropriate. | .25% to 2% | similar to total revenues, a lower percentage may be appropriate for a larger commercial entity, while a higher percentage may be appropriate for a smaller, non-listed entity |
| Change in net assets | This benchmark is frequently used by entities such as benefit plans and investment partnerships. | 1% to 8% | the range is wide to accommodate the many special industries |
| Net assets | This is often the benchmark of choice for benefit plans and investment partnerships. | .5% to 3% | listed plans typically do not exceed 2%; non-listed plans typically 2% to 3%; high-end of range is typically more appropriate for investment partnerships |
| Total expenditures | Equivalent to total revenues for not-for-profit and some governmental entities and is ordinarily the preferred benchmark for these entities. | .25% to 3% | use the guidance above related to Total revenues |
| Total contributions | Another revenue equivalent benchmark that is an alternative for not-for-profit and governmental entities. | .25% to 3% | use the guidance above related to Total revenues |
| Claim payments | Equivalent to total expenditures for health and welfare plans. | 2% to 5% | use the guidance above related to Total revenues |
| Insurance premiums | Another equivalent benchmark for health and welfare plans. | 2% to 5% | use the guidance above related to Total revenues |
| Cash flows | A common financial statement element, but not often used to determine materiality. Other more appropriate benchmarks would ordinarily be used due to the fluctuating nature of this element. | .25% to 10% | the appropriate percentage would be dependent on the size of this element in relation to other elements of the financial statements (e.g., revenues); percentage usually declines as the size of the element increases |
| EBITDA | Not a financial statement element, so use with careful consideration. Could be relevant for entities whose interest, depreciation and amortization charge is disproportionate to their size and level of activity or entities operating in certain sectors such as technology and energy. Its weakness is that it has to be computed from financial statement elements. | .25% to 5% | because it is essentially an earnings computation, look to the guidance above for Earnings before income taxes |
| Gross profit | An equivalent benchmark to revenues. Ordinarily revenues is the preferred benchmark as these typically trend together. | .25% to 4% | use the guidance above related to Total revenues |

7.21

Tolerable Error
7.22 Tolerable error is an estimate of the maximum amount of misstatement an
audit team can accept in an individual account or group of related accounts. It is an
amount less than planning materiality. Tolerable error is smaller than planning
materiality because of “aggregation risk” – the risk that multiple errors that are less than
planning materiality may exist in accounts or groups of accounts and aggregate to a
total exceeding materiality. The concept of tolerable error also contemplates a “cushion”
for errors that may exist but will remain undetected or underestimated.

7.23 Tolerable error should be established at a level that provides reasonable
assurance that material misstatements, if any, will be identified and that unidentified
misstatements, if any, will not aggregate to a material amount. The audit team
establishes an appropriate tolerable error by assessing the positive and negative
implications of the following factors on aggregation risk.
 experience in prior audits (number, size and nature of auditor-identified
misstatements)
 the audit team’s knowledge of the entity and its environment, including factors
that increase or decrease the number, size or nature of potential misstatements,
such as:
- business activities or changes in business activities
- accounting system or changes in the accounting system (i.e., accounting
staff, processes used, technology used)
- strengths, weakness and changes in internal control
- fraud risk factors

7.24 The following table illustrates how these factors are applied in practice.

| Factor | Lower Tolerable Error | Higher Tolerable Error |
|---|---|---|
| Experience in prior audits | Misstatements were identified in prior periods, especially when misstatements were identified in multiple cycles | Few or no misstatements were identified in prior periods |
| Business activities | Negative changes or increased complexity in business activities increase the risk of misstatements occurring | Few or no misstatements were identified in prior periods and business activities are stable in comparison to prior periods. Positive changes or decreased complexity reduce the risk of misstatements occurring |
| Accounting system (people, process and technology) | Changes to the accounting system during the period increase the risk of misstatements occurring | Few misstatements were identified in prior periods and there is consistency in the accounting system. Improvements to the accounting system during the period decrease the risk of misstatements occurring |
| Internal control | Internal controls are not designed effectively or are weak. Few misstatements were identified in prior years, but changes to controls during the current period increase the risk of misstatements occurring | Few misstatements were identified in prior periods and internal controls are designed effectively |
| Fraud risk | Indicators of higher fraud risk are present | Indicators of higher fraud risk are not present |

7.25 The audit team should avoid using a tolerable error higher than that used in
the previous period solely because few misstatements were identified in a prior year.
Likewise, when misstatements were identified by the audit team in the prior year, the
other factors, if positive, likely would not justify an increase in tolerable error. The
factors affecting tolerable error should be evaluated each year.

7.26 The audit team will be required to document the basis of their judgment.
Example documentation follows.
 Tolerable error was set at 60% of planning materiality because misstatements were
identified in prior audits and there is an increased risk of misstatements arising from
the introduction of a new accounting system this year
 Tolerable error was set at 70% of planning materiality to recognize that there are
both positive and negative factors present. Only two misstatements were identified in
the prior audit; however, while the controls are designed effectively, the audit team
does not consider the overall system to be robust. Business activities did change
during the year but the changes reflect minor modifications to product lines and
markets. Changes in business activities are not expected to increase the risk of
misstatements occurring
 Tolerable error was set at 60% of planning materiality because fraud risk indicators
are present. A low tolerable error is one of the audit team’s responses to an
increased risk of fraud
 Tolerable error was set at 75% of planning materiality because few misstatements
were identified in prior audits, the accounting system is strong, internal controls are
designed effectively and operations are stable. Also, the accounting personnel who
prepare the financial statements are skilled
 Tolerable error was set at 60% of planning materiality because misstatements were
identified in prior audits. Misstatements arise because the company is small, which
prevents the company from designing and implementing effective controls. The
accounting staff are under-resourced and audit experience in prior years identified
many misstatements. The company has not undergone changes in business
practices, accounting system or controls that would reduce the risk of misstatements
arising in the current period

Applying Materiality in Audit Execution


7.27 Planning materiality and tolerable error are important factors in setting the
scope of audit procedures, sampling and the other substantive tests of details. For
example, in the execution of analytical procedures, the audit team would determine the
effect that an error in the amount of tolerable error in one of the components would have
on a ratio under review. As another example, the audit team uses tolerable error to
determine which transactions to test for the appropriate cutoff of revenue.

7.28 The sample size calculator in Voyager determines the appropriate sampling
precision using information provided by the audit team regarding:
 planning materiality
 tolerable error
 the expected error rate in the population
 type of sample (statistical or nonstatistical)

Considerations for Lowering Tolerable Error


7.29 In addition to tolerable error, the audit team also uses qualitative factors to
determine the scope of audit procedures and to evaluate the results. For example, in
determining items to examine the audit team could use qualitative characteristics such
as transactions with a related party, posting from a specific source, special contracts or
non-routine transactions. In addition, the audit team might reduce scopes below
tolerable error to make audit procedures less predictable.

7.30 Some accounts and financial statement items have more risk than others and
the audit team may respond to the identified risk by lowering tolerable error for those
areas. Examples are accounts requiring significant judgment, which might include the
allowance for doubtful accounts, and accounts typically used to conceal fraud, which
might include suspense accounts and write-off accounts. Horizon encourages audit
teams to use a lower tolerable error in these circumstances. These judgments should
be documented.

7.31 During the evaluation of audit evidence, tolerable error helps determine the
sufficiency of evidence to meet a given audit objective. For example, when sampling is
used, tolerable error helps the audit team determine if the sample achieved the planned
level of precision.

Materiality for Periods Other Than Twelve Months

7.32 Financial statements are sometimes prepared for a financial reporting period
of more or less than twelve months. Examples include new entities, entities that change
their fiscal reporting period, or entities that report interim financial information.
Materiality relates to the financial statements prepared for that reporting period.
Accordingly, it is not appropriate to use an annualized materiality in these
circumstances.

Other Topics Related to Materiality

Accumulating Misstatements

7.33 During the execution phase of the audit, differences, including missing
disclosures, should be accumulated on the summary of unrecorded misstatements. At
the completion phase of the audit, this schedule assists the audit team in determining
whether misstatements are immaterial, either individually or in the aggregate.

7.34 The audit team should determine an amount that would be trivial to the
financial statements and differences smaller than this amount need not be included on
the summary of unrecorded misstatements. This amount should be such that small
audit differences, either individually or in their aggregate, could not cause a material
misstatement from both a quantitative and qualitative perspective. While some amounts
may clearly not be material from a quantitative perspective, the qualitative aspects of
materiality cannot be evaluated unless the differences are captured. For this reason, the
amount used as the posting threshold for differences to be included in the summary of
unrecorded misstatements would not ordinarily exceed 5% of planning materiality. The
amount used should be documented in the workpapers.

7.35 Fraudulent financial reporting, misappropriation of assets involving key
management or management override of controls are always significant, regardless of
how they were discovered or their quantitative amount, and require follow-up. In
addition, such items could influence our judgments in other areas of the audit and
should be included in the summary of unrecorded misstatements and in the design
effectiveness assessment.

7.36 Similarly, illegal acts discovered in executing audit procedures may not be
quantitatively material, but may result in a material contingent liability. Transactions that
are not illegal acts may also have similar characteristics if, for example, they represent a
breach of contract terms that could lead to a material penalty or loss of income.

Multi-Location Audits

7.37 Tolerable error should be adjusted when some portions of financial statements
are not subjected to the audit test being performed (e.g., if accounts receivable will not
be confirmed or inventory will not be observed at all divisions or units). In these cases,
Voyager will adjust tolerable error based on the value of the population that will be
tested as a percentage of the total population value. The audit team enters both the
total and tested population values into the sampling component. Voyager uses this
information to properly adjust the tolerable error and sample size. The effect of this
modification is to employ the same aggregate sample size that would have been used
had all locations been subjected to testing, although the sample size will increase for
any location subjected to sampling.

For example, a sample of 90 inventory items is required when tolerable error is
$225,000 and total inventory is $9,000,000. If procedures are applied at all locations
and amounts are evenly distributed (based on total monetary amount) across three
locations, the allocation of the sample size to each of the three locations is 30 per
location.

Now, assume the audit team will only perform observation procedures at two of the
three locations making the inventory balance subject to sampling $6,000,000. Because
only two-thirds of the inventory balance will be subject to testing, tolerable error used to
calculate the sample size should be adjusted as follows:

$225,000 x .667 = $150,000

Since the ratio of tolerable error to total inventory (2.5%) in the first situation is the same
as the ratio of adjusted planning materiality to inventory subject to sampling in the
second situation, the aggregate sample size is the same. However, because only two
locations are to be subject to observation tests, the sample size at each location has
increased from 30 to 45.

Group Audits

7.38 The group audit team is responsible for establishing materiality for the group
financial statements as a whole when developing the group audit strategy. To establish
materiality for the group, the group audit team applies the concepts in this Chapter to
the group financial statements. The group audit team also determines:
 group tolerable error
 component materiality, when appropriate (see below)
 component tolerable error
 trivial threshold for aggregating misstatements (defined by Horizon as an amount
ordinarily not exceeding 5% of group materiality)

7.39 Chapter 24 explains the firm’s group audit policies in more detail, including the
process used by the group audit team to identify components and to determine whether
each component is significant. For significant components, Chapter 24 also provides
guidance to assist the group audit team in determining whether a “targeted” or
“comprehensive” audit response is appropriate in the circumstances.

7.40 Numerous components may exist at different levels within the group financial
system. In this situation, an audit approach that aggregates certain of these
components into a single component may be more effective and efficient than an
approach based on individual components. For example, consider the situation where
an entity establishes many components. These components capture financial
information related to various products, share a common accounting system and
contain similar financial reporting risks. In this situation, the audit team may determine
that it is most effective and efficient to aggregate these components and audit each
significant cycle as a single population.

7.41 For targeted responses, the component audit team will perform procedures
directed at specific risks identified by the group audit team. The component audit team
performs these procedures on behalf of the group audit team. Therefore, it is
appropriate for the component audit team to use the same tolerable error as the group
audit team in performing those procedures.

7.42 For comprehensive responses, the group audit team determined that the
component is of such significance to the group that an audit of the component’s
financial information is the appropriate response. In performing the audit of the
component, the group auditor establishes component materiality, an amount that is less
than group materiality.

Establishing Component Materiality

7.43 As discussed above, component materiality is only established when one or
more components will be separately audited (that is, when a comprehensive response
applies). The
professional standards are clear that component materiality must be an amount lower
than group materiality so that errors in components do not aggregate to an amount that
is material to the group. The group audit team’s objective is to establish component
materiality at a level that reduces this risk to an appropriately low level. Accordingly,
judgment is needed to establish component materiality at the appropriate level in
relation to group materiality.

7.44 Horizon uses the group audit team’s determination of group tolerable error as
the starting point for setting materiality for the component. Using group tolerable error
for establishing component materiality may be appropriate for group audit purposes in
most situations, but some circumstances need to be evaluated further.

7.45 One such circumstance is when a component is subject to audit by statute,
regulation or other reason, and the group engagement team decides to use that audit to
provide audit evidence for the group audit. In this example, the group audit team must
determine whether component materiality and component tolerable error applied by the
component auditor will meet the requirements of the group audit. There will be many
situations where the component audit team established a materiality for the component
financial statements as a whole that is less than the component materiality established
by the group auditor. The group audit team can accept this lower performance level, but
would object if the component auditor established a materiality that exceeded the
component materiality established for purposes of the group audit.

7.46 In other circumstances, using group tolerable error as component materiality
will result in over auditing. This could occur when one or more components are large in
relation to the group. Increasing component materiality is appropriate when any
component requiring a comprehensive response has a benchmark that exceeds group
tolerable error. As a reminder, component benchmarks are analyzed using the
Component Evaluation spreadsheet. The relevant benchmarks include revenues,
assets and equity, among others. When appropriate, the table below can then be used
to establish component materiality at an appropriate level in relation to group materiality.

7.47 The percentages should not be viewed as bright lines. They are provided as
guidelines for audit teams to use in determining a value for component materiality that
achieves the objectives of the professional standards, namely to reduce to an
acceptable level the risk that errors in components will aggregate to an amount that is
material to the group.

| Largest Benchmark % For Any Component Requiring a Comprehensive Response | Component Materiality As a % of Group Materiality |
|---|---|
| 85 – 95% | 90% |
| 75 – 85% | 80% |
| <75% | 60-75% |

7.48 If the largest benchmark % for any component requiring a comprehensive
response is less than 75%, then component materiality is normally set at group tolerable
error.

7.49 Therefore, for some group audits, component materiality will be higher than
group tolerable error. Component materiality would rarely, if ever, need to be set lower
than group tolerable error (for purposes of the group audit). The exception would be
when a lower component materiality is needed to respond to qualitative risk factors
present at the component.

7.50 Horizon does not allocate tolerable error among accounts or components.
Accordingly, the group audit team establishes component materiality, and the resulting
component tolerable error is used for all components requiring a comprehensive
response. A component audit team may lower component tolerable error at a given
component to address qualitative risks on a judgment basis.

Applying the Component Materiality Guidance

7.51 The following scenarios demonstrate the guidance provided in this bulletin. In
these scenarios, group materiality is $1,000,000.

| Scenario | Response |
|---|---|
| A group has several components, but only one is large enough to require a comprehensive response. This component comprises a large proportion of the group. | The audit team established component materiality at 90% of group materiality or $900,000. |
| The parent is a holding company whose only subsidiary, a bank, comprises substantially all of the consolidated financial statements. | Because the bank comprises virtually all of the operations of the entity, the audit team determined that, in substance, this is not a group audit (by definition, a group audit has more than one component). Accordingly, the audit team will audit the bank using materiality of $1,000,000. |
| The group is comprised of a large number of components. None of the components are significant enough to require a comprehensive response. | The group audit team will perform targeted and analytical procedures to address the risks present in the components. The group audit team does not establish component materiality; instead they will use group materiality of $1,000,000. |
| A group has five components that will all be audited using a comprehensive response. None of these components has any benchmark greater than 40%. | The group audit team established component materiality at group tolerable error or $600,000. |
| A group is comprised of numerous components. The group audit team aggregates many of these components into a single component (for example, revenues of all the aggregated components are considered one population). | The group audit team determined that the aggregated component is the only component for which a comprehensive response is appropriate. Further, because it is such a large proportion of the group, the group audit team established component materiality at 90% of group materiality or $900,000. |
| A group has four components that will be audited using a comprehensive response. One of the components has a benchmark that is 79% of the group. | The group audit team established component materiality at 80% of group materiality or $800,000. |

Reassessing Planning Materiality


7.52 Ordinarily, the audit is planned before the period end and the audit team
determines materiality at that time. Due to changing circumstances, the entity’s actual
results of operations and financial position may be substantially different to what was
anticipated at the interim date. The most likely example is when an entity divests a
significant division late in the year and the resulting entity is much smaller than when
planning materiality was determined. In cases such as this, the assessment of planning
materiality may also change and the audit team should consider revising their
assessment of it. This reassessment may adjust the scope of testing to the appropriate
precision.

7.53 Circumstances requiring a decrease in planning materiality are not common. It
is not necessary for the audit team to recompute planning materiality at the conclusion
of the audit unless circumstances discussed in the previous paragraph are present. If
the relative size of the entity has remained substantially unchanged, then there is no
need to address this in the workpapers. The audit team can continue to use the
planning materiality when performing concluding procedures.

Chapter Eight – Risk Assessment Procedures

Summary

This Chapter discusses Horizon’s risk assessment process. Risk assessment means
identifying the risks that could cause the financial statements to be materially misstated.
One important aspect of risk assessment procedures is to understand the entity and its
environment, including its internal control. This understanding is essential in identifying
risks of material misstatements, whether due to error or fraud, relating them to the
financial statement assertions, and assessing the likelihood that they could cause a
material misstatement. Risk assessment procedures related to obtaining an
understanding of internal control are discussed in Chapter 9.

Introduction
8.01 Professional standards require the audit team to identify and assess risks of
material misstatement at (1) the financial statement level and (2) the assertion-level for
classes of transactions, account balances and disclosures, whether due to error or
fraud. To assess these risks the audit team:
 obtains an understanding of the entity and its environment, including
internal control
 relates the identified risks to what can go wrong at the assertion level
 considers whether the identified risks could result in a material
misstatement
 considers the likelihood that the risks could result in a material
misstatement

8.02 The risk assessment process is the foundation for the audit. This continuous
process requires the audit team to identify and assess risks based on an appropriate
understanding of the entity and its environment, including its internal control. The audit
team first needs to conduct a thorough risk assessment and then properly design and
perform procedures that directly respond to the identified risks.

8.03 To develop an appropriate audit plan (one that reduces audit risk to an
appropriate level), the audit team must understand the entity being audited and the
environment in which it operates, including its internal control. This provides the audit
team with the information necessary to assess the risks of material financial statement
misstatement, whether due to error or fraud. The information obtained from this
understanding is used as audit evidence to support the audit team’s assessment of the
risks of material misstatement and to determine the appropriate audit responses to
address those risks.

8.04 The audit team performs certain risk assessment procedures to consider
areas in the financial statements where material misstatements (whether caused by
error or fraud) are more likely to occur, identify the risks that could cause the
misstatements, evaluate the identified risks to determine the likelihood of them causing
the misstatements and finally to identify other areas where audit attention will be
focused. Understanding the entity and its environment, including internal control, also
assists in determining the nature, extent and timing of audit procedures to employ in
response to the identified risks.

8.05 In addition to enhancing the effectiveness and efficiency of the audit,
understanding the entity helps to develop meaningful, timely and constructive
recommendations to management and those charged with governance. The list of
possible recommendations should be accumulated as the work progresses, included in
the audit documentation and communicated timely to management and those charged
with governance.

8.06 Audit teams can further improve their understanding of the entity's industry by
obtaining pertinent articles from sources such as periodicals, trade association
publications, professional publications or internet sites.

8.07 Collectively, this knowledge and experience enables the audit team to
evaluate where material misstatements could occur in the financial statements and to
make informed risk assessments.

8.08 Obtaining an understanding of the entity and its environment and assessing
risk is a continuous process that occurs throughout the audit. Risk assessment does not
occur solely at the planning stage. Instead the audit team continually remains alert for
additional risks while conducting the engagement. If additional risks or modifications to
the original risks are noted, the audit team may need to adjust the audit plan.

Understanding the Entity and Its Environment, including Internal Control
8.09 An understanding of the entity and its environment helps to:
 identify areas that may need special attention (i.e., significant risks)
 understand how accounting data is produced, recorded, processed,
reviewed and stored
 identify important estimates, such as valuation of inventories, allowances
for doubtful accounts, and percentage of completion of long-term contracts
 identify situations requiring management judgments as to the valuation of
assets
 understand management’s determinations as to the selection of
appropriate accounting principles applied and the adequacy of
presentation and disclosures in the financial statements

Nature of Our Understanding

8.10 The nature of our understanding of the entity and its environment that should
be obtained consists of the following:
 Nature of the Entity
– the entity’s business operations, including location, products and/or
services, sources of revenue, markets, major customers and suppliers,
competition, related parties, outsourced activities, employment
– its ownership and governance (who owns the business and is
responsible for governance)
– the types of investments (planned or recent acquisitions, securities,
loans, fixed assets, special-purpose entities), including related matters
such as debt covenants, leasing activities, off-balance sheet
arrangements and the use of derivatives
– the way it is structured and how it is financed (this includes how the
business obtains funds to operate)
– accounting principles and industry practices, revenue recognition
policies, accounting for complex or unusual transactions, financial
statement presentation and disclosure
 Industry, Regulatory and Other External Factors, Including the Applicable
Accounting Framework
– industry conditions, such as the competitive environment, supplier and
customer relationships, technological considerations related to its
products, and energy supply and cost
– regulatory environment including the applicable accounting principles
and industry-specific practices, the type and extent of regulatory
oversight, the legal and political environment, including taxation and
trade issues and government policies, and environmental requirements
– general economic conditions, interest rates, availability of financing
and inflation
 Objectives, Strategies, and Related Business Risks
– the objectives or overall plans for the entity (defined by those charged
with governance) to address business risks
– strategies (operational approaches set by management to achieve
these objectives)
– the related business risks (events, conditions, circumstances or actions
that could adversely affect the entity’s ability to achieve its objectives
and execute its strategies, including the risk of a material financial
statement misstatement)
– these risks may be related to:
o industry developments
o new products and services (for example, increased product liability
risks)
o business expansion
o new accounting pronouncements
o financing requirements (current or future)
o use of IT
 Measurement and Review of Financial Performance
– key ratios, operating statistics and performance indicators (financial
and non-financial)
– budgets, variance analyses, segment information and divisional,
departmental, and other level performance reports
– comparison of performance with peers
– employee performance measures
 Internal Control (see further discussion in Chapter 9)
– the five components of internal control
– entity-level controls
– activities-level controls associated with reasonably possible risks

8.11 The nature and extent of audit documentation required to understand the
entity is a matter of professional judgment; however, the key elements of each
characteristic (Nature of the Entity, Industry, Regulatory and Other External Factors,
Objectives, Strategies, and Related Business Risks, Measurement and Review of
Financial Performance, Internal Control) and the sources of the information used to
obtain the understanding should be documented. Voyager provides a structure for
documenting this information.

Sources of Information

8.12 Sources of information about the entity and its environment include the
following:
 management and others within the organization
 observations of the audit team
 those charged with governance
 office and plant tours
 preliminary analytical procedures
 entity’s website
 management-prepared reports
 external sources
 firm specialists
 competitors’ websites
 web searches about the entity and its industry
 service organization control reports

Management and Others Within the Organization

8.13 Through inquiries/interviews of management and those responsible for
financial reporting, the audit team can obtain an understanding of the entity, its
organization and operating characteristics. The understanding obtained should be
updated each year or during the course of the audit if entity processes or personnel
change.

8.14 Most inquiries are directed to senior management and financial reporting
personnel. During the course of these discussions, the audit team often learns about
plans and policies that might affect the financial statements, items which relate to the
business and the industry in which it operates, and about important legal and regulatory
matters.

8.15 However, to obtain additional information to identify risks of material
misstatements, it is usually appropriate to interview others who are knowledgeable
about the entity's operations, its internal controls, and the manner in which such
functions and controls are carried out. These may include:
 internal auditors
 production
 marketing
 sales and accounting personnel
 employees with different levels of authority
 employees involved in initiating, processing or recording complex or
unusual transactions
 in-house legal counsel
 those charged with governance

8.16 Planning is the key in determining the number of such interviews and who
should be interviewed. In addition, the timing of these interviews may vary. Some are
most useful if conducted closer to the beginning of the audit, whereas others are best
deferred until later in the audit.

8.17 Obtaining detailed information about the entity requires sensitivity and tact.
Personnel may be defensive about the audit team questioning their areas of
responsibility. They may feel threatened by such questioning or, despite assurances,
they may feel that criticism is implied. Moreover, such personnel, including executives,
often have a very different outlook and perspective than the audit team. Accordingly,
discussions with senior management and other key personnel, in particular sensitive
discussions about the entity’s goals and objectives, should usually be conducted by a
partner or manager.

Those Charged With Governance

8.18 During discussions with those charged with governance, the audit team should
explain and discuss the anticipated scope of their work and obtain knowledge of the
expectations or special needs of those charged with governance. The audit team should
also make inquiries regarding the views of those charged with governance about the
risk of fraud and whether they have knowledge of any fraud or suspected fraud. The
audit team should also reach an understanding regarding the expected nature and
extent of communications about misappropriations perpetrated by lower-level
employees and the aggregate materiality threshold of such misappropriations.

Office and Plant Tours

8.19 The audit team can learn a great amount of information about the entity's
business, accounting systems, and controls by touring the offices and principal plants
and observing personnel performing their daily activities. Similarly, a tour of the plants
and receiving and shipping facilities can convey a great amount of information about the
operations and likely control problems. Observations of the orderliness, cleanliness, and
physical layout of facilities and of the employees’ routine functions and work habits can
often inform the audit team about potential risks of material misstatement. These
observations complement the preliminary analytical (see below) and risk assessment
procedures performed to enhance our overall understanding of the entity.

Analytical Procedures

8.20 Analytical procedures performed during the planning phase of the audit are
used to identify unusual changes in the financial statements, or the absence of
expected changes, and specific risks. Preliminary analytics are required on all audits
and are usually focused on account balances aggregated at the financial statement
level and relationships between account balances. Because the analytical procedures at
this stage generally use data aggregated at a high level, the results of those procedures
only provide a broad initial indication about whether a material misstatement of the
financial statements may exist. However, they are helpful in identifying areas where
audit work will be focused.

8.21 All analytical procedures consist of four phases:
 expectation formation
 identification
 investigation
 evaluation

8.22 In the planning phase, the most commonly used analytical procedures are
ratio analysis and trend analysis.

8.23 For ratio analysis and trend analysis, the expectation formation is implicit. This
is because the reasonable expectation is that the prior year, budget or industry data
used for comparative purposes will be consistent with the current period. Therefore, the
data used for comparison in executing ratio and trend analysis (prior year, budget, and
industry data) is the expectation. Explicit (or specific) documentation of the expectation
is not required when using these methods in planning/preliminary analytical procedures.

8.24 In the identification phase, the audit team uses their understanding of the
entity and its environment to identify fluctuations where further audit work is necessary.
This could be because the fluctuation is unusual or unexpected or because the
expected fluctuation did not occur.

8.25 For those fluctuations identified, the audit team considers the possible
explanations for the differences. This is the investigation phase. The audit team then
evaluates whether the explanations are plausible and whether further audit work may be
required. The accounts or assertions where the risk of material misstatement is
evaluated as possible should be discussed in the risk assessment meeting among the
key audit team members (see Discussion Among Audit Team Members below).
Therefore, the documentation required for the identification, investigation and evaluation
phases for the analytical procedures performed in planning should reference or link to
the documentation of the risk assessment meeting. In the risk assessment phase of the
audit, it is not necessary for the audit team to resolve whether or not misstatements are
present.

Management-Prepared Reports and Other Documentation

8.26 During the course of their inquiries and visits, the audit team will likely review
many different documents and records. It is not necessary to retain all such documents
and records. The audit team should prepare abstracts or obtain copies of documents
they believe will help document their understanding of the entity. Examples include:
 policy statements and business plans for the entity or its major
subdivisions
 organization charts and job descriptions
 financial statements, tax returns, regulatory filings, etc., for the past
several years
 internally-directed financial information, such as interim financial
statements, budgets, and cost and variance reports. In smaller
companies, this might include comparative trial balances and similar data
 legal documents, such as articles of incorporation, by-laws, minutes of
directors' meetings, loan agreements and significant contracts or leases
 reports by internal audit staff, if any. Reports on operational or financial
audits conducted by internal auditors may provide significant insight into
the entity's operations
 internal control policies or procedures manuals covering the accounting
system and control procedures
 reports of other auditors
 information on the composition of the balances of accounts, such as
capital stock, additional capital, long-term liabilities, reserves, allowances,
property and equipment, deferred charges, and other similar accounts
 agreements with service organizations, a specification of the work
performed, and how it is accounted for
 information about laws and regulations that have a direct effect on the
financial statements

However, all records and entity documents, whether or not included in the audit
workpapers, are to be retained or not retained in accordance with the firm’s records
retention policies.

8.27 Upon obtaining copies of internally prepared financial information, the audit
team should understand how this material is used by management. This is often an
appropriate starting point for the process of gaining an understanding of the other tools
management uses to control and measure the entity's finances and operations.

External Sources

8.28 External sources can provide valuable information about the entity and its
industry. Sources of such external information may include reports distributed by
financial reporting services such as Standard and Poor’s, Dun & Bradstreet and Value
Line or by brokerage firms.

8.29 [Tailor this paragraph to reflect your resources and where they are
located] Audit teams can access information about the entity and its industry through
online services licensed by the firm. External reference material could include relevant
national or international accounting and auditing guidance. Recent reports about the
entity and its industry are available through online services licensed by the firm. These
services are described in KSource > Audit > Service Delivery > Resource Center/Toolkit
> Audit Tools Resource Center and include:
 Board Analyst tool
 Dow Jones Companies & Executives
 IBISWorld

8.30 Other sources of information concerning pertinent external factors include
trade association or other industry publications, publications of governmental agencies,
and local newspapers. It is often useful to read the annual reports of public companies
in the industry. In addition, information can often be obtained from discussion with
individuals knowledgeable about the company or industry, such as consultants,
bankers, and economists specializing in the industry. Information about the business is
often obtained through performing client acceptance procedures and in communications
with bankers, lawyers, and others.

8.31 The audit team uses these sources to gain familiarity with the entity's business
environment. Once familiarity with such external factors is obtained, additional
knowledge may be acquired during the audit if the risks warrant further understanding or
investigation.

Identifying Risks of Material Misstatement

8.32 Horizon focuses on obtaining an understanding of the entity and its
environment (also referred to as risk assessment procedures), to determine where
material misstatements are more likely to occur. This understanding is used to identify
risks that could cause the financial statements to be materially misstated.

8.33 Risks can reside at the financial statement level or at the assertion level. At
the financial statement level, risks are pervasive and can affect several assertions. At
the assertion level, risks typically only affect a single assertion.

8.34 When assertion-level risks are identified, the audit team must evaluate the
likelihood that the risks could cause a material misstatement and develop an
appropriate response. Assertion-level risks that are more likely to be the cause of a
material misstatement are further evaluated to understand whether:
 internal controls that address the risk are established by management
 the controls are designed effectively
 the controls are implemented
 the operating effectiveness of controls will be tested

The intended control reliance in combination with the inherent risk of an error occurring
determines the response to these assertion-level risks with a higher likelihood of
occurrence. Assertion-level risks with a lower likelihood of occurrence are addressed
entirely with a substantive response.

8.35 When financial statement level risks are identified, the audit team must
carefully consider where these risks could manifest themselves in the financial
statements and respond to them appropriately. Many times these pervasive risks do not
directly affect any particular assertion, but rather impact many assertions. Some are so
pervasive that the entire audit is affected. Sometimes the audit team tailors the audit
program to address pervasive risks. In other situations, the proper response for
pervasive risks may not require a response in the audit program itself, but rather an
overall response such as:
 adding more experienced team members
 applying additional professional skepticism as the work progresses
 providing additional review
 performing procedures at or near year end
 varying the nature of the procedures
 reconsidering continuance
 including procedures with an element of unpredictability

8.36 Examples of ways to incorporate an element of unpredictability include:
 testing items below scope that would not otherwise be tested based on
their amount or the assessed risk
 varying the timing of the audit procedures
 performing audit procedures on an unannounced basis
 in multi-location audits, varying the location or the nature, timing, and
extent of audit procedures at related locations or components from period
to period

8.37 To identify financial statement level risks, the audit team uses their
understanding of the entity and its environment to assess the presence of certain
indicators that Horizon calls “risk indicators”.

8.38 To identify assertion-level risks, the audit team carefully considers the
information gathered in obtaining an understanding of the entity and its environment to
identify the matters that could impact the financial statements. Once these “matters” are
identified, the audit team can identify the risks that the matters pose and the assertions
where those risks reside.

Risk Indicators

8.39 The risk indicators are conditions, events or characteristics of the entity and its
environment. They reveal the extent to which incentives, opportunities or circumstances
exist that could cause the financial statements to be materially misstated. The audit
team evaluates the applicability of the indicators to demonstrate their understanding of
the entity and to identify matters that could impact the financial statements. Risk
indicators are included in Voyager.

8.40 The risk indicators should not be evaluated until the audit team has a thorough
understanding of the entity and its environment. The risk indicators reflect the audit
team’s knowledge that was obtained by performing the risk assessment procedures.

8.41 Voyager analyzes the audit team’s applicability assessment of the indicators
and suggests matters that could impact the financial statements (see next section). The
audit team ultimately must determine whether the matters impact the financial
statements and if so, where they would manifest themselves.

8.42 The risk indicators are divided into the categories to which they relate. Most
categories contain several indicators. The applicability of any one indicator may or may
not generate a matter. The categories are:
 business practices
 economic
 external
 going concern
 skills
 management
 nature of transactions
 operating
 ownership
 lifestyle
 reporting pressures
 workplace
 bribery and corruption

8.43 It should be emphasized that the audit team is evaluating applicability of the
risk indicators. The risk indicators are not an individual evaluation of audit risk, and it is
important for the audit team to keep this perspective in mind as they evaluate them.

8.44 If the audit team believes that an indicator is singularly important enough that
a matter should be generated, but Voyager does not suggest one, they should manually
add the relevant matter.

Matters

8.45 The audit team summarizes the information learned and identified during the
performance of the risk assessment procedures and the evaluation of the risk indicators
by identifying “matters.” Horizon uses the term “matters” to describe the items identified
by the audit team while performing the risk assessment procedures that may have an
impact on the financial statements.

8.46 The audit team should carefully consider each matter to determine whether it
could impact the financial statements. Matters that do not impact the financial
statements need not be considered further; however, the audit team should document
their reasoning.

8.47 For the remaining matters, the audit team should carefully consider what
impact each matter could have on the financial statements. A matter can affect a single
transaction cycle within the financial statements or it could affect several cycles. For
example, the matter “Inventory activities core to operations” likely affects only the
inventory cycle whereas the matter “Inadequate skills of personnel may increase
likelihood of errors” may affect several cycles.

8.48 Matters may be suggested by Voyager based on the documentation entered
by the audit team as they perform risk assessment procedures or matters may be
identified by the audit team.

8.49 Matters suggested by Voyager come from several places, including those
suggested based on:
 the entity’s industry
 an evaluation of the design of entity-level controls
 the presence of certain risk indicators
 the client acceptance process
 the presence of certain revenue indicators
 certain characteristics of the entity

8.50 Matters related to the entity’s industry are linked to risks at the assertion level.
For example, for a commercial entity these matters relate to cycles in the financial
statements such as revenues and inventory. For a depository institution, they relate to
cycles such as loans and deposits. The audit team can accept these risks, deselect
those that do not apply or link the matter to additional risks.

8.51 The matters generated based on the design of entity-level controls are the
result of a very high-level evaluation. Since these matters also relate to control
deficiencies, they are separately evaluated on the Summary of Control Deficiencies.
However, because these particular matters are so pervasive and could cause
misstatements in the financial statements, their effect on the financial statements should
be considered. These matters include:
 lack of segregation of duties
 lack of management oversight
 lack of supervision over business units
 lack of monitoring related party activities
 weak governance controls

The audit team must determine whether these matters could impact the financial
statements and, if so, link them to the appropriate risks that could cause a material
misstatement.

8.52 The existence of risk indicators may result in matters being suggested (the
evaluation of the risk indicators was discussed in the previous section of this Chapter).
Again, the audit team must determine whether these matters could impact the financial
statements and, if so, link them to the risks that could cause a material misstatement. If
the audit team believes that an indicator is singularly important enough that a matter
should be generated, but Voyager does not suggest one, they should manually add the
relevant matter.

8.53 Indicators are also evaluated in the client acceptance process and in
documenting the nature of the entity’s revenue sources.

8.54 When a Voyager file is created for a new client, the audit team should import
the information gathered in the client acceptance tool. This import process is important
for all new clients because it passes information gathered during client acceptance to
Voyager. For a few clients, there could be circumstances identified that might have an
impact on the audit. These include, among others:
 resignation of the prior auditor
 regulatory investigations
 communication of internal control deficiencies

These circumstances are identified and vetted during the client acceptance process, and
when the judgment is made to accept the client, the Voyager import process
incorporates the information into the Voyager file such that the audit team considers
them in performing risk assessment procedures.

8.55 In documenting the nature of revenue sources, matters may be suggested.
These include contract revenues and revenues that include multi-deliverables. The audit
team is also able to enter additional matters directly in Voyager’s Revenues Tool. Refer
to Chapter 18 for additional details on using the Revenues Tool.

8.56 In documenting the understanding of the entity and its environment, certain
characteristics of the entity may be identified that generate a matter. For example, if the
entity has foreign operations a matter will be generated. The audit team must determine
whether these matters could impact the financial statements and if so, link them to the
appropriate risks that could cause a material misstatement.

8.57 Finally, matters may be identified by the audit team as they perform the risk
assessment procedures. These matters can be entered into the summary and linked to
the risks that could cause a material misstatement.

Evaluating the Likelihood that Assertion-Level Risks Could Cause a Material Misstatement

8.58 As previously discussed, matters are the bridge between the information
gathered by the audit team in obtaining an understanding of the entity and its
environment and the financial statement assertions and the financial statement risks that
could cause material misstatements.

8.59 Matters themselves are not the end objective. Matters are simply the way
Horizon connects the information obtained about the entity and its environment to
financial statement risks. The ultimate objective is to identify the risks that could cause
the financial statements to be materially misstated.

Linking Matters to Financial Statement Risks

8.60 Voyager provides the audit team with the ability to link matters to the financial
statement risks. With the matter highlighted, Voyager displays all of the audit cycles
identified by the audit team as significant, that is, cycles that contain accounts or
disclosure amounts that are quantitatively or qualitatively material to the financial
statements, as described further below. Within each significant cycle, the financial
statement risks are grouped by the relevant assertion to which they apply. As
mentioned earlier, at this point the audit team can accept these risks, deselect those
that do not apply or link the matter to additional risks.

Significant Cycles

8.61 Horizon utilizes the cycle approach in designing an audit program. This
permits consideration of the interrelationships throughout the financial statements and
disclosures, such as among income and expense accounts and corresponding balance
sheet accounts in designing an audit strategy.

8.62 The Horizon methodology requires audit procedures to be performed on
accounts within significant cycles. A significant cycle is one that contains accounts or
disclosures that are quantitatively or qualitatively material to the financial statements.
Quantitative materiality and tolerable error are judgments made by the audit team.
Accordingly, a cycle would be significant if any accounts or disclosures within the cycle
are greater than tolerable error. Qualitatively material accounts may not be large, but
they represent a risk due to other factors such as related party implications, complexity
or the relative importance of the account to users of the financial statements or
regulators.

8.63 Horizon does not require the same level of audit effort for every account or
disclosure amount in a significant cycle. Each transaction cycle is viewed in terms of the
financial statement assertions.

Assertions

8.64 The financial statement assertions were discussed in Chapter 1 and articulate
the representations of management that are embodied in the financial statements.
Horizon uses the following assertions:
 existence or occurrence
 completeness
 cut-off
 rights and obligations
 valuation or allocation (gross and net)
 presentation and disclosure

8.65 Not every assertion is relevant to every transaction cycle. For example,
valuation is not usually a relevant assertion in the cash cycle. Also, not every assertion
is an audit concern. For example, existence may be a relevant assertion for a building,
but little audit effort may be required to verify it.

8.66 For assertions relevant to a transaction cycle, Horizon includes specific risks,
grouped within the relevant assertion where they could manifest themselves. The audit
team selects the risks and identifies where the misstatements could occur in the
financial statements by asking “what could go wrong”. Audit teams should add risks to
Voyager when risks are not already in Voyager.

Financial Statement Risks

8.67 The financial statement risks generally fall into four broad categories. These
are:
 accounting errors
 financial reporting errors
 fraud
 going concern

8.68 Professional standards require audit teams to identify risks that could cause
the financial statements to be materially misstated and to respond appropriately to those
risks. Significant risks are associated with an elevated level of inherent risk and other
characteristics discussed later in this chapter.

8.69 While it is helpful to think of risks in such broad terms, it is difficult to focus
audit effort at this level. Accordingly, Horizon further breaks down these broad risks into
specific risks at the financial statement assertion level. This allows Horizon to suggest
an appropriate response when a risk is identified by the audit team.

8.70 Many of the specific assertion-level risks are common to entities in the same
industry and will be present in most audits. These include risks such as:
 recorded receivables not valid
 allowance for loan losses not adequate
 inventory quantities not valid
 inventory prices not valid
 payables understated or not recorded in correct period
 fair value measurements not correct
 intangible asset allowances not adequate

8.71 Some specific assertion-level risks may not apply to every entity. The audit
team should select these risks only when the circumstances of the engagement cause
these items to be an audit concern. These risks may include:
 bill and hold revenue not valid
 share-based obligations understated
 theft perpetrated through payments to fictitious employees
 deferred tax assets not realizable

8.72 Most of the specific risks included in Horizon are clear. Risk terms
such as “understated,” “not correct,” “not adequate,” and “not realizable” are commonly
used in auditing literature. Horizon uses the term “not valid” to describe circumstances
where the population being tested may include items that should not be there. This
could be because a transaction was recorded in error, a price was not updated, or a
quantity overstated.

8.73 It is important that the audit team identify all assertion-level risks that could be
the cause of a material misstatement in order to design an appropriate audit response
to those risks. This importance requires the audit partner and manager to actively
participate in the risk assessment process.

Determining Identified Risks with Higher Likelihood of Material Misstatement

8.74 Horizon is designed to focus audit effort on assertions that pose the greatest
risk. This requires the audit team to first identify the specific risks within an assertion
that could cause a material misstatement, which was discussed in the previous section.
Next, because the same degree of risk of material misstatement does not necessarily
apply to all the identified risks within an assertion, the audit team must make a judgment
about the likelihood that each risk could cause a material misstatement. Accordingly,
Horizon categorizes risks as those that are reasonably possible, those that are
significant and those that are not reasonably possible.

8.75 A risk is “reasonably possible” when the likelihood of it occurring is more than
remote. When the audit team believes that a material misstatement is not very likely in a
particular account, then the associated risks are remote (not reasonably possible).

8.76 Risk of misstatement is implicit in all financial statements and therefore every
audit will have risks that are reasonably possible. Designating a risk as reasonably
possible does not mean that the audit team expects to find material errors or fraud.
However, it does cause the audit plan to reflect the possibility that material errors or
fraud could be present.

8.77 Significant risks are those reasonably possible risks that have a higher risk of
material misstatement and require special audit consideration.

Illustrative guidance
Stable entities with assets, liabilities, and transactions that are not complex will
have few risks, perhaps only one, that rise to the level of being a significant
risk. Conversely, dynamic entities engaging in complex activities may have a
number of significant risks. Further, some events, such as a far reaching new
accounting standard, may give rise to a significant risk that affects most audit
engagements performed by the firm.

8.78 At this point in the audit process the audit team has identified the financial
statement risks that could cause a material misstatement and separated them into three
categories:
 those where the risk of material misstatement is reasonably possible
(more likely)
 those where the risk of material misstatement is significant (most likely)
 those where the risk of material misstatement is not reasonably possible
(less likely)

8.79 To determine whether a particular risk is reasonably possible or not
reasonably possible, it might be helpful to think about the attributes of financial
statement risks. The key attributes that affect this determination are summarized in the
following table:

Reasonably Possible Risks | Not Reasonably Possible Risks
Inherent risk of the related assertion is NOT low | Inherent risk of the related assertion is low
Substantive procedures could vary by applying a controls-testing strategy | Substantive procedures would not vary significantly, regardless of control testing

Ordinarily risks affecting assertions with low inherent risk would not be deemed
reasonably possible of causing a material misstatement. Also, management typically
establishes more precise controls over routine processes where material misstatements
are more likely. However, depending on the complexity or sophistication of the entity,
management may not establish more precise controls over non-routine complex
transactions and audit teams should consider those situations when making their risk
assessments. When the audit team finds numerous controls addressing a particular
risk, this usually indicates that the risk is reasonably possible. Finally, the substantive
response for some risks may not vary significantly regardless of the number of controls
established by management or whether such controls are tested by the audit team.

8.80 It is fundamental to the Horizon approach to identify financial statement risks
that could cause a material misstatement and to judge these risks as either being
reasonably possible or not reasonably possible. As discussed in the next section, these
assessments directly impact how the audit team responds to the identified risks, which
is why it is so important to assess them correctly.

Responding to Assertion-Level Risks


8.81 To properly respond to identified risks, the audit team should assign audit
team members to higher risk areas based on their level of knowledge, experience, and
ability.

8.82 As the audit progresses, the audit team should modify the nature, timing, and
extent of planned procedures if pervasive changes are noted. Examples of pervasive
changes include:
• significantly deteriorating market conditions at period end
• identification of an inappropriate tone at the top
• widespread internal control findings that affect numerous significant cycles

Reasonably Possible Risks

8.83 Because a reasonably possible risk is one where the risk of a material
misstatement is more than remote, the audit team must design a response that will
identify material misstatements, if present. Horizon suggests the appropriate response
based on a combined risk assessment that is determined by:
• the intended reliance on internal controls
• the assessment of inherent risk for the related assertion

Activities-Level Internal Controls

8.84 Management establishes internal controls to address the risks of a material
misstatement. The audit team must understand these controls for reasonably possible
risks. Chapter 9 describes the Horizon approach to understanding controls.

8.85 After the audit team understands the internal controls established by
management, they must decide whether the audit strategy for a particular risk will
include an expectation that the controls operate effectively.

8.86 For each risk, Horizon provides for three levels of control reliance. These are:
• tests of key controls establish that controls operate effectively (high
  reliance)
• walkthrough tests support that controls are designed effectively and
  implemented as designed (some reliance)
• controls are missing, not designed effectively, not implemented, or not
  operating effectively (no reliance)

8.87 When controls are designed effectively and are implemented, it is often more
efficient to test such controls than to develop an audit approach where the response is
totally substantive. Also, testing controls often results in a more effective response.
Finally, tests of controls may be required in circumstances such as when performing
integrated audits and when the audit team identifies one or more risks where it is not
possible or practicable to obtain sufficient appropriate audit evidence from substantive
procedures only.

8.88 Chapter 10 describes the Horizon approach to testing the operating
effectiveness of internal controls. Chapter 25 describes the Horizon approach to
performing integrated audits.

Inherent Risk

8.89 Inherent risk is defined in the standards as the susceptibility of a relevant
assertion to a misstatement that could be material, either individually or when
aggregated with other misstatements, assuming that there are no related controls. In
Horizon, inherent risk is assessed for assertions that contain reasonably possible risks.
Inherent risk is assessed as High, Medium or Low.

8.90 Inherent risk is greater for some assertions than for others. For example, cash
transactions are generally more susceptible to theft than certain raw materials
inventories. Complex calculations are more likely to be materially misstated than simple
calculations. Accounts consisting of amounts derived from accounting estimates will
have greater risk than accounts consisting of relatively routine, factual data.

8.91 For reasonably possible risks, audit teams will ordinarily assess inherent risk
as being either medium or high. Reasonably possible risks with high inherent risk are
the strongest candidates for also being significant risks. Partners should be involved in
making the determination of whether a reasonably possible risk is also a significant risk.

8.92 The audit team is required to document their reasoning for the inherent risk
assessment. Voyager includes inherent risk indicators that can be selected by the audit
team to support their assessment on inherent risk. This provides sufficient support for
the inherent risk assessment. The audit team may choose not to use the inherent risk
indicators as their documentation and if they make this choice, they should document
the basis of their assessment by placing a short memorandum in the text box provided
in Voyager.

8.93 The assertion-level inherent risk indicators relate to:
• misstatements identified by the audit team in prior audits
• difficulties experienced in performing prior audits
• unexplained relationships identified in performing planning analytics
• negative trends identified in performing planning analytics
• accounts associated with the assertion include large monetary amounts
• a cycle associated with the assertion processes high volumes of
  transactions
• proper accounting requires specialized skills
• the characteristics of the accounts associated with the assertion involve
  complex accounting matters or significant judgments or estimates
• accounts associated with the assertion that involve significant, numerous
  or questionable related party transactions
• accounts associated with the assertion, particularly those accounts with
  potential for fraudulent financial reporting
• accounts associated with the assertion comprised of assets with the
  potential for misappropriation
• recent changes in the processing of transactions or accounts associated
  with the assertion
• recent accounting changes regarding the accounts associated with the
  assertion

Significant Risks

8.94 As noted previously, significant risks are associated with an elevated level of
inherent risk and other characteristics such as the following:
• whether the risk is a risk of fraud
• whether the risk is related to recent significant economic, accounting or
  other developments and, therefore, requires specific attention
• the complexity of transactions
• whether the risk involves significant transactions with related parties
• the degree of subjectivity in the measurement of financial information
  related to the risk, especially those measurements involving a wide range
  of estimation uncertainty
• whether the risk involves significant transactions that are outside the
  normal course of business for the entity or that otherwise appear to be
  unusual

8.95 To identify significant risks, the audit team should start by considering the
reasonably possible risks that have high inherent risk. Those are the risks that are the
strongest candidates for also being significant risks. Sometimes, comparing all of the
reasonably possible risks to each other will help audit teams identify which ones are
also significant risks.

8.96 Entity-level risks (such as risks associated with a business combination, which
affect multiple cycles and assertions) could be significant risks.

8.97 Significant risks often relate to material, non-routine transactions or judgmental
matters. Non-routine transactions are transactions that are unusual, due to either size or
nature, and that, therefore, occur infrequently. Judgmental matters may include the
development of accounting estimates for which there is a significant estimation
uncertainty. Routine, non-complex transactions that are subject to systematic
processing are less likely to give rise to significant risks.

8.98 Given the characteristics of a significant risk, it is not expected that there will
be many significant risks in a typical audit. As the audit grows in size, complexity or risk,
however, the audit team might anticipate the number of significant risks to increase
accordingly.

8.99 Non-routine, complex related party transactions may rise to a significant risk.
These may include:
• Transactions not consistent with normal market conditions (e.g.,
  inflated/reduced pricing structures used, unusual terms such as extended
  payment terms or odd rights of return generally not extended to
  customers, circular arrangements requiring commitment to repurchase, no
  consideration is exchanged)
• Using business intermediaries for transactions when it doesn’t seem
  necessary (e.g., using offshore entities with less rigorous corporate
  governance structures, laws or regulations)
• Unusual borrowing/lending arrangements (e.g., interest free, no fixed
  repayment terms, insufficient collateral requirements, lack of assessment
  of ability to repay)
• Guarantee or guarantor relationships outside the normal course of
  business

8.100 Significant risks require special audit consideration; this means:
• understanding internal controls related to the risk sufficient to design an
  appropriate response, and
• performing substantive procedures that are specifically responsive to the
  risk

8.101 For audits performed under PCAOB standards, tests of details are required in
responding to significant risks. For audits performed under International Auditing
Standards (and domestic standards that are based on the ISAs), either (1) tests of
controls or (2) tests of details are required in responding to significant risks. If the
response is tests of controls, some form of substantive testing is still required for the
relevant accounts.

8.102 The development and execution of responses to significant risks requires
substantial partner and manager involvement. Engagement partners and managers
should review the audit plan to determine that the appropriate control understanding,
tests of controls (if any) and substantive procedures will be performed for those risks
that are deemed to be significant risks. The quality control reviewer (where applicable)
will also be required to review and sign-off on the approach and audit conclusions
related to these risks.

8.103 The result of Voyager’s risk assessment process is an audit program that
suggests procedures that respond to the assessed risk. These procedures are the
starting point from which the audit team judges whether the response is appropriate in
the circumstances. When dealing with significant risks, the critical aspect of the audit
team’s judgment is to determine whether the tests of details are robust enough in light
of the increased risk of material misstatement. An appropriate response to a significant
risk may also include using external or internal experts, assigning the work to senior
team members, performing external confirmation procedures, and performing audit
procedures closer to period end, among others.

Not Reasonably Possible Risks

8.104 Horizon requires an audit response for all significant cycles. The audit team
may judge that a transaction cycle has no reasonably possible risks even though it may
contain material monetary amounts.

8.105 When the risk of material misstatement is not reasonably possible, substantive
procedures alone are appropriate to reduce the risk of a material misstatement to an
acceptably low level. Also, the substantive procedures performed in response to not
reasonably possible risks are ordinarily less extensive than those procedures required
for reasonably possible risks. For example, the risk of material misstatement for the risk
“capital asset activity not valid” may be addressed by scanning additions to identify
large and unusual additions to vouch, whereas sampling the entire population
of additions might be appropriate if the risk was reasonably possible.

Fraud

Overview

8.106 The term “fraud” refers to intentional acts of one or more individuals among
management, those charged with governance, employees or third parties involving the
use of deception that result in a material misstatement of financial statements. In
assessing risks, the audit team needs to be alert to the possibility of fraud. The audit
team should plan and perform the audit to determine that the financial statements are
free of material errors, including those due to fraud. Further, the audit team should
consider whether factors are present that could indicate fraud. This involves considering
where in the business or in the financial statements fraud could be occurring. Horizon
includes the fraud risk factors in the inherent risk indicators discussed above. When
fraud risks are identified, the audit team should always designate them as being both
reasonably possible and significant risks. Audit procedures should be designed to obtain
reasonable assurance that material fraud, if any, will be identified. Such procedures
should include obtaining an understanding of how fraud could be perpetrated,
performing a walkthrough of the controls implemented to mitigate fraud, and tailoring an
appropriate substantive audit response.

8.107 Three conditions are normally present when fraud occurs:
• management or employees have an incentive or are under pressure,
  which provides a reason to commit fraud.
• circumstances exist – for example, the absence of controls, ineffective
  controls, or the ability of management to override controls – that provide
  an opportunity for a fraud to be perpetrated.
• those involved are able to rationalize committing a fraudulent act, such as
  having an attitude, character, or set of ethical values that allow them to
  knowingly and intentionally commit an act of fraud.

These three conditions are known as the fraud triangle and all three elements are
present in frauds. While the auditor cannot read minds to evaluate the rationalization or
attitude of the individual(s) committing the fraud, the incentives or pressures and
opportunities are often red flags that could indicate fraud.

8.108 For audit purposes, two types of misstatements are relevant when considering
fraud: misstatements arising from fraudulent financial reporting and misstatements
arising from misappropriation of assets.

8.109 Fraudulent financial reporting may be accomplished by the following:
• manipulation, falsification or alteration of records or documents
• misrepresentation in or intentional omission from the financial statements
  of events, transactions, or other significant information
• intentional misapplication of accounting principles relating to amounts,
  classification, manner of presentation, or disclosure

8.110 Misappropriation of assets may be accomplished by the following:
• embezzling funds
• stealing assets
• causing the entity to pay for goods or services that have not been received

Revenue Recognition

8.111 Audit standards presume that there is a risk of material misstatement due to
fraud relating to revenue recognition. Consequently, this risk would also be a significant
risk. The risk of fraud within revenue recognition generally depends on the incentive
and/or the pressure on management to achieve financial results. Audit teams consider
items such as management compensation arrangements (such as stock options,
bonuses based on EBITDA or net income) and potential sources of pressure (such as
potential debt refinancing, expectations of private equity owners, operations that may be
discontinued without improved operations, reductions in workforce due to poor
operations).

8.112 Audit standards require the audit team to design and perform further audit
procedures whose nature, timing and extent are specifically responsive to the assessed
risk of material misstatement due to fraud, which would typically come through the form
of tests of controls and/or tests of details. In developing the response, the audit team
considers all evidence obtained related to the cycle. Such items include journal entry
testing related to the revenue cycle, tests of controls within revenue, detail transaction
testing, cut-off testing, accounts receivable confirmations and additional evidence
obtained from corroborating management explanations. The nature of the procedures
will vary based upon these results and the nature of the entity.

8.113 [Tailor this paragraph to reflect your consultation process] For audits performed
under PCAOB standards and irrespective of whether controls are being tested, the
ability to overcome this fraud risk on public companies is considered extremely rare and
should be considered only upon consultation with the NPPD. Audit teams should
perform tests of details as a response to the presumed fraud risk within revenue
recognition for these engagements. Refer to Chapter 11 for guidance when substantive
analytics are used as the principal substantive test for occurrence of revenue
transactions in accordance with firm standards.

8.114 International auditing standards allow for situations where the presumption of
revenue recognition as a fraud risk may be overcome, for example in a private company
where the pressures and incentives to misstate revenue or receivables often associated
with fraud in public companies do not exist, and where revenue transactions have
straightforward revenue recognition, such as billing upon shipment, resulting in a clear
and consistent accounting treatment. In such circumstances, the audit team might
conclude the risk is not a significant risk requiring special audit consideration. Audit
teams should clearly document their considerations in how the presumptive fraud risk
was overcome. Where the presumption of fraud in revenue recognition cannot be
overcome, Voyager includes procedures to address the presumed fraud risk with
respect to revenue recognition. For audits of issuer entities, we believe it would be
extremely rare for the presumption of revenue recognition as a fraud risk to be
overcome.

Obtaining Information to Identify Fraud Risks


8.115 Certain information should be obtained and evaluated to assess fraud risks,
such as:
• considering the presence of one or more of the fraud risk factors. These
  factors are classified according to the conditions that are always present in
  frauds: incentives to perpetrate fraud, opportunity to carry out the fraud,
  and rationalization to justify the fraudulent action
• inquiring of management and others within the entity (including those
  charged with governance, internal auditors, and others, such as in-house
  legal counsel and lower-level employees) to obtain their views about the
  risks of fraud and how they are addressed
• inquiring of internal auditors about whether management has satisfactorily
  responded to findings resulting from their procedures and whether they
  have knowledge of any fraud or suspected fraud
• considering any unusual or unexpected relationships that have been
  identified in performing analytical procedures. Analytical procedures for
  revenues are required while planning the audit, as well as through the end
  of the reporting period, on every engagement.
• considering information obtained from:
  – discussions among audit team members
  – procedures relating to the acceptance and continuance (re-acceptance)
    of clients and engagements
  – reviews of interim financial statements
  – other risk assessment procedures

8.116 This information should enhance the audit team’s ability to identify areas
(assertions, accounts, classes of transactions or disclosures) where fraud could occur
and to develop an appropriate response. This identification process includes
considering the type, significance, pervasiveness, and likelihood of the risk of fraud.

Evaluating Programs and Controls That Address Fraud Risks


8.117 As previously indicated, fraud risks are always significant risks, which require
the audit team to understand and evaluate the design and implementation of controls as
well as performing substantive procedures that respond to the risk appropriately.

8.118 As part of understanding internal control sufficient to plan the audit, the audit
team should evaluate whether entity programs and controls that address identified risks
of fraud have been suitably designed and placed in operation. The audit team then
considers whether these programs and controls mitigate or exacerbate the identified
risks before responding to those risks.

8.119 The risk of management override is always present and requires
consideration, especially when understanding internal control (see Chapter 9) and
journal entry testing guidance.

8.120 [Tailor this paragraph to reflect your consultation policy] The results of audit
tests may indicate fraud or the audit team’s risk assessment may indicate high risk of
fraudulent financial reporting or misappropriation of assets. In such cases, the audit
team should consider withdrawing from the engagement and communicating the
reasons for withdrawal to those charged with governance. The appropriate course of
action depends on the diligence and cooperation of senior management and those
charged with governance in investigating the circumstances and taking appropriate
action. Because of the variety of circumstances that may arise, it is not possible to
describe definitively when withdrawal is appropriate. Discussion with the NPPD should
occur when these circumstances arise. The NPPD will determine the need to consult
with RRLA.

Consideration of Laws and Regulations


8.121 Knowledge of the business includes obtaining an understanding of the legal
and regulatory framework applicable to both the entity and the industry. The audit team
should also obtain a clear understanding of how the entity is complying with the
framework.

8.122 When planning and performing audit procedures and in evaluating and
reporting the results thereof, the audit team should recognize that non-compliance with
laws and regulations may affect the financial statements.

8.123 Procedures to help identify instances of non-compliance include:
• inquiring of management whether they are aware of any breach of laws
  or regulations that could have a material effect on the financial statements
• inspecting correspondence with the relevant licensing or regulatory
  authorities

8.124 The audit team should obtain written representations from management that
all known actual or possible non-compliance is disclosed.

8.125 If the audit team becomes aware of possible non-compliance they should
obtain a sufficient understanding of the issues to assess its effect on the financial
statements. This may include consulting with outside professional advisors. They should
also document their findings and discuss them with management.

Illegal Acts by Clients

8.126 Professional standards distinguish between noncompliance with laws and
regulations (commonly known as illegal acts) that may have a direct effect on an entity’s
financial statements and those that may have an indirect effect. For example, some tax
laws have a direct effect on the amount and classification of amounts in the financial
statements, while occupational health and safety and environmental laws generally
have an indirect effect.

8.127 Bribery and other types of corruption are generally considered illegal acts that
normally have an indirect effect on the determination of financial statement amounts.
New laws, such as the U.K. Bribery Act, along with enhanced enforcement of existing
laws, such as the U.S. Foreign Corrupt Practices Act (FCPA), add to the risks of
violation and the related costs of any violations, increasing the potential to materially
affect the financial statements. In addition, many other countries have or will be
adopting variations of these Acts. Depending on the applicable laws that prohibit such
activities, the entity may be responsible not only for acts of its officers and employees
but also for acts of its agents, such as sales representatives in foreign jurisdictions.

8.128 The audit team’s responsibility to detect and report misstatements resulting
from illegal acts having a direct and material effect on the determination of financial
statement amounts is the same as for errors and fraud.

8.129 Other illegal acts are those that may have an indirect financial statement
effect. Entities may be affected by many laws or regulations (e.g., securities trading,
occupational safety and health, environmental protection) which generally relate more to
operations than to financial and accounting matters, and their financial statement effect
is indirect (e.g., normally, the need to disclose a contingent liability). Ordinarily, the audit
team does not have sufficient basis for recognizing possible violations of such laws and
regulations. Even when violations of such laws and regulations can have a material
financial statement effect, the audit team may not become aware of such illegal acts
unless they are informed by the client or they find evidence of an investigation
concerning legality in the client's accounting records normally subjected to audit
procedures.

Assessing and Responding to Bribery and Corruption Risks

8.130 With the globalization of business activities, the increased use of third parties
to conduct business, and a growing global focus on prevention and prosecution of
bribery and corruption, audit teams need to have a greater focus on financial reporting
risks that may arise from violations of bribery and corruption laws that apply to an
entity’s operations. The presence of one or more bribery and corruption risk indicators
may elevate the risk of material misstatements, possibly through efforts to conceal such
matters, particularly when the illegal acts are occurring at a specific subsidiary. Risks of
material misstatement may include:
• Financial reporting of illegal acts may be materially misstated (e.g.,
  miscoding payments)
• Contingent liabilities for material fines, penalties, and litigation are not
  properly accrued
• Material contingent liabilities are not properly disclosed

8.131 As part of understanding the entity’s entity level controls, the audit team gains
an understanding of the company’s anti-corruption compliance programs and related
risks. Based on this understanding, the audit teams can assess the risk of illegal acts
considering the entity’s industry, local business practices, cultural norms, and the
maturity and robustness of the local regulatory environment. The audit team documents
their understanding of these factors through the selection of applicable risk indicators in
Voyager.

8.132 Entities that do not exhibit any of the risk indicators identified in Voyager will
not require an audit response. However, those entities that have one or more risk
indicators may have an elevated risk of violations of the applicable laws and the
engagement team should determine an appropriate response. Voyager includes the
following risk assessment procedures in Setting the Audit Strategy that guide the audit
team in assessing the level of risk that such activities may occur and to react
appropriately when the risks are potentially material.

8.133 [Tailor this paragraph to reflect your consultation policy] Based on the
assessed risk, the audit team may need to tailor in additional audit procedures. Audit
procedures performed for other purposes may also bring possible illegal acts to the
audit team’s attention, such as evaluating legal letter responses that indicate contingent
liabilities that could be related to potential illegal acts. If the audit team becomes aware
of such matters, the team should determine whether an illegal act may have occurred
and its financial statement implications. If a potential illegal act is identified, firm policy
requires the audit team to consult with the NPPD and firm forensic specialists to
determine the appropriate course of action.

8.134 As with other evaluations of internal control design and operation, the need for
internal control is based on the potential for material misstatements of the financial
statements and not on the existence of actual financial reporting errors. Entities should
have processes and controls in place to identify, evaluate and, as needed, report in the
financial statements the costs of illegal acts and material loss contingencies such as
may arise from violations of laws and regulations.

Shadow Audit Investigations

8.135 In situations when the company has identified a potential illegal act and has
begun an investigation supervised by those charged with governance or a regulatory
investigation, the firm would ordinarily monitor the investigation (termed a “shadow audit
investigation”). This would ordinarily involve firm forensic specialists and often could
result in a significant impact on the company’s operations (for example when the target
of the investigation may be someone in senior management, the fines, penalties and
other financial reporting consequences may be material, or the impact of public
disclosure may be significant).

8.136 [Include this paragraph if your firm performs audits of SEC issuers and tailor the
content to reflect your consultation policy] The audit team should discuss with the audit
or special investigating committee the need for the audit team to shadow and obtain the
results of the investigation in order to complete the audit and, if the organization is a
U.S. SEC issuer, comply with Section 10A of the Securities Exchange Act of 1934. The
audit team should consult with the NPPD and RRLA with respect to the need for:
• A representation letter from the audit or special investigation committee at
  the conclusion of the investigation
• Consideration of the possible impact of a delay in filing financial
  information with regulatory agencies, creditors, and others
• Other appropriate actions

Discussion Among Audit Team Members


8.137 Fundamental to the risk assessment process is the meeting of the audit team
to discuss the risk assessments (brainstorming session). Active participants should
include the lead partner, along with all key members of the audit team, which could
include the IT specialists, valuation specialists and tax personnel. The discussion
participants also could include members of the audit team that may operate in different
offices, including GTIL member firms and other auditors. The quality control reviewer
may attend this meeting, but is not part of the engagement team. Less experienced staff
members may also be invited to attend to aid in their professional development and to
assist them in gaining a better understanding of the entity.

8.138 The audit team should complete the necessary risk assessment procedures
before tailoring the audit programs, setting scopes, and performing significant
substantive procedures or tests of controls. The risk assessment process is ongoing
and as such, the audit team considers risks throughout the performance of the entire
engagement. The risk assessment process does not end merely because the audit
team finished a formal risk assessment meeting. If additional risks are noted in other
stages of the audit, the audit team addresses them by developing an appropriate
response.

8.139 The objectives of the discussion are for audit team members to identify:
• the potential for material misstatements resulting from fraud or error in the
specific areas assigned to them
• where management override of internal controls could occur
• how management could perpetrate and conceal fraudulent financial
reporting
• what, if any, material misstatements exist related to identified related
parties and related party activities
• how journal entries and other adjustments could be used to manipulate
the financial reporting process
• how accounting estimates could result in material misstatements in the
financial statements
• how the results of the audit procedures in one area may affect other
aspects of the audit
• the necessary audit response (including tests of controls, as appropriate,
and substantive procedures) to address the risks identified

8.140 During the meeting, the lead partner should emphasize the importance of
maintaining professional skepticism during all phases of the audit. The culmination of
this risk assessment process, including this meeting, is the development of the overall
audit approach.

The Approved Audit Plan


8.141 The partner will review the Voyager file tailoring and agree that the programs
appropriately respond to the financial statement risks identified during risk assessment.
If a quality control reviewer is required on the audit, then the quality control reviewer will
also review the planning and agree with the audit strategy. These agreements are
evidenced by a signoff in Voyager.

8.142 The nature and extent of communicating the audit plan will vary, depending on
the circumstances. At a minimum, the plan should be communicated to all staff
assigned to the audit to the extent that they are affected and should include the
information necessary to enable such personnel to have an appropriate understanding
of their individual role in the audit.

8.143 The overall audit plan should be discussed with management and those
charged with governance to ensure that the audit team will obtain appropriate assistance
and that expectations are in line with the plan. Management also should be aware
of the anticipated timetable.

Exhibit 8.1 – Procedures to Address Identified Bribery and Corruption Risk Indicators

The following procedures may be appropriate for audit engagements having one or
more of the risk indicators present or may also be elements of a shadow investigation if
the company has initiated an investigation of a potential illegal act. The nature, timing,
and extent of procedures to be performed are based on the assessed risk of material
misstatement. The audit team should ordinarily discuss the procedures with the PSP
and involve forensic personnel in the performance of these procedures as needed.

• analyzing contracts with third party agents and intermediaries to determine
whether they contain language and clauses to address bribery and corruption risks
• analyzing and testing the vendor approval and setup process,
including:
– vendor background checks or analysis of approval and setup
– review of current Office of Foreign Assets Control (OFAC) and
Department of Commerce listing of restricted and sanctioned entities
and comparison to the entity’s vendors
• testing payments or transactions in the identified high risk general ledger
accounts and geographic locations for indications of potential violations of
laws, regulations, and policies, such as:
– disbursement journal
– cash accounts, including petty cash and wire transfers
– charitable contributions
– travel & entertainment
• conducting extended audit procedures of suspect transactions or
activities, including:
– analysis of financial records and supporting documentation
– employee interviews
– email and document review
– tracing misappropriated or concealed assets due to potential fraudulent
activity
– identifying suspect transactions, documents, or other files within the
entity’s electronic records, including computer hard drives, server
data, emails, and other documents
– evaluating management and audit committee responses to elevated
risks
• reviewing documents related to any outside investigations, including:
– “Hot documents” and other select documents identified from the email
and document review, including key word search terms
– interview memos or downloads (to the extent able, FVS may request to
sit in on interviews)
– final or preliminary reports prepared and approved by those charged
with governance, outside counsel, or the forensic investigation team
– remediation plans prepared by outside counsel and the forensic
investigation team

Chapter Nine - Understanding Internal Control

Summary

This Chapter discusses another key aspect of Horizon - understanding and
documenting an entity’s internal control as part of risk assessment procedures. In
addition to matters discussed in Chapter 8, understanding internal control is essential in
assessing risk of material misstatements, whether due to error or fraud.

Introduction
9.01 To develop an appropriate audit plan (one that reduces the audit risk to an
appropriate level), the audit team must understand the entity being audited and the
environment in which it operates, including its internal control. The audit team uses this
understanding of internal control to:
• identify the types of misstatements that may be present
• evaluate the internal control deficiencies that may increase risk of material
misstatement
• design internal control testing strategies and substantive audit procedures

9.02 Internal control is a process, effected by an entity's management, employees,
other personnel and those charged with governance that is designed to achieve three
objectives: effective and efficient operations, reliable financial reporting, and compliance
with laws and regulations. Establishing and maintaining effective internal control is an
important management responsibility and requires continuing management supervision
to monitor that controls are operating as intended and appropriately modified as
needed.

9.03 The Horizon approach to understanding, documenting, and evaluating internal
control includes:
• performing risk assessment procedures to determine the extent of internal
control documentation needed
• obtaining and documenting an understanding of entity-level controls
• obtaining and documenting an understanding of activities-level controls for
very important and somewhat important processes associated with
reasonably possible risks
• determining whether these controls are designed effectively and
implemented
• determining an intended control reliance strategy for each reasonably
possible risk
• identifying key controls (those controls that the audit team intends to test
for operating effectiveness as a basis for supporting the intended control
reliance)
• testing the operating effectiveness of those key controls

This process enables the audit team to achieve their intended control reliance strategy
for each reasonably possible risk, identify other areas of risk and tailor the substantive
audit program in Voyager.

9.04 Voyager is designed to implement Horizon’s internal control methodology and
enables the audit team to focus on internal controls that address reasonably possible
risks. Voyager assists the audit team in understanding the entity’s controls pertinent to
reliable financial reporting. More specifically, Voyager assists the audit team as they:
• obtain an understanding of the processes that impact financial reporting
• obtain and document an understanding of the controls within such
processes that prevent or detect errors, including fraud
• assess the effectiveness of the design of those controls
• perform tests of controls to evaluate their operating effectiveness
• identify potential control “gaps,” operating deficiencies, and other
weaknesses or advisory comments

9.05 This Chapter focuses on the firm’s policies and procedures for obtaining and
documenting an understanding of the entity’s internal control. Such understanding is
ordinarily gained through:
• previous experience with the entity (in continuing client relationships)
• inquiries of appropriate management, supervisory, and other personnel
• tracing transactions through processes and controls (i.e., walkthroughs)
• inspecting documents and records
• observing control activities and operations

Internal Control Framework


9.06 Internal control can be defined in a number of ways. Various groups
comprised of experts that follow due process have developed internal control
frameworks. Such frameworks establish a common definition of internal control and
provide suitable criteria against which organizations can design and evaluate their
controls.

9.07 The Committee of Sponsoring Organizations of the Treadway Commission
created the most widely accepted framework for evaluating controls over financial
reporting. International auditing standards use COSO to define internal control. Voyager
uses the COSO framework.

9.08 Some legislative and regulatory bodies require an audit report on the
effectiveness of internal control using a framework established through due process by
an appropriate group. The COSO framework is an acceptable framework for this
purpose.

Internal Control Objectives and Components

9.09 COSO defines internal control as a process designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:
• reliability of financial reporting
• effectiveness and efficiency of operations
• compliance with applicable laws and regulations

9.10 There is a direct relationship between the objectives, which are what an entity
strives to achieve, and internal control components, which represent what is needed to
achieve the objectives. COSO identified the following five interrelated internal control
components:
• control environment – sets the tone of an organization, influencing the
control consciousness of its people; the foundation for all other
components of internal control, providing discipline and structure
• risk assessment – the entity's identification and analysis of relevant risks
to achievement of its objectives, forming a basis for determining how the
risks should be managed
• control activities – the policies and procedures that help ensure that
management directives are carried out
• information and communication systems – support the identification,
capture, and exchange of information in a form and time frame that enable
people to carry out their responsibilities
• monitoring – a process that assesses the quality of internal control
performance over time

9.11 Voyager uses the COSO definition of internal control, including these five
interrelated components. Accordingly, Voyager focuses on controls at both the entity
and operations level. In Voyager, entity-level controls are sometimes referred to as
governance controls, and operations-level controls are referred to as activities-level
controls. Each entity-level and activities-level control is linked to a COSO component.

Entity-Level Controls
9.12 Governance is the term used to describe the role of persons entrusted with the
supervision, control, and direction of an entity. Those charged with governance
ordinarily are accountable for ensuring that the entity achieves its objectives and also
for the process of financial reporting and reporting to interested parties. Governance
controls are the foundation of all other controls and are applicable to all entities,
regardless of size. Voyager refers to governance controls as entity-level controls.

9.13 In Voyager, entity-level controls are organized by the following activities:
• control environment
• monitoring
• information and communication
• information technology (IT)
• financial reporting

9.14 Monitoring includes risk assessment and monitoring risk activities. Information
technology is separated from information and communication to enable the audit team
to obtain a more focused understanding of controls over systems and applications.

Control Environment

9.15 The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for effective internal control,
providing discipline and structure. The control environment primarily includes:
• Communication and enforcement of integrity and ethical values – The
effectiveness of controls cannot rise above the integrity and ethical values
of the people who create, administer, and monitor them. Integrity and
ethical values are essential elements of the control environment which
influence the design, administration, and monitoring of other components.
Integrity and ethical behavior are the product of the entity’s ethical and
behavioral standards, how they are communicated, and how they are
reinforced in practice. They include management’s actions to remove or
reduce incentives and temptations that might prompt people to engage in
dishonest, illegal, or unethical acts. They also include the communication
of entity values and behavioral standards to people through policy
statements and codes of conduct and by example.
• Commitment to competence – Competence is the knowledge and skills
necessary to accomplish tasks that define the individual’s job.
Commitment to competence includes management’s consideration of the
competence levels for particular jobs and how those levels translate into
requisite skills and knowledge.
• Participation by those charged with governance – An entity’s control
consciousness is influenced significantly by those charged with
governance. Attributes of those charged with governance include
independence from management, their experience and stature, the extent
of their involvement and scrutiny of activities, the appropriateness of their
actions, the information they receive, the degree to which difficult
questions are raised and pursued with management and their interaction
with internal and external audit teams.
• Management’s philosophy and operating style – Management’s
philosophy and operating style encompass a broad range of
characteristics. Such characteristics may include management’s (a)
approach to taking and monitoring business risks, (b) attitudes and actions
toward financial reporting, for example, conservative or aggressive
selection from available alternative accounting principles and
conscientiousness and conservatism with which accounting estimates are
developed, and (c) attitudes toward information processing and
accounting functions and people.
• Organizational structure – An entity’s organizational structure provides the
framework within which its activities for achieving entity-wide objectives
are planned, executed, controlled, and reviewed. Authority and
responsibility and appropriate lines of reporting are critical elements of an
organizational structure. An entity develops an organizational structure
suited to its needs. The appropriateness of an entity’s organizational
structure depends, in part, on its size and the nature of its activities.
• Assignment of authority and responsibility – This factor includes how
authority and responsibility for operating activities are assigned and how
reporting relationships and authorization hierarchies are established. It
also includes policies relating to appropriate business practices,
knowledge and experience of key people, and resources provided for
carrying out duties. In addition, it includes policies and communications
directed at ensuring that all people understand the entity’s objectives,
know how their individual actions interrelate and contribute to those
objectives, and recognize how and for what they will be held accountable.
• Human resource policies and practices – Human resource policies and
practices relate to recruitment, orientation, training, evaluating, counseling,
promoting, compensating, and remedial actions. For example, standards
for recruiting the most qualified individuals, with emphasis on educational
background, prior work experience, past accomplishments, and evidence
of integrity and ethical behavior, demonstrate an entity’s commitment to
competent and trustworthy people. Training policies that communicate
prospective roles and responsibilities and include practices such as
training schools and seminars illustrate expected levels of performance
and behavior. Promotions driven by periodic performance appraisals
demonstrate the entity’s commitment to the advancement of qualified
people to higher levels of responsibility.

Monitoring - Risk Assessment


9.16 An entity’s risk assessment process is its process for identifying and
responding to business risks and the results thereof. An entity’s risk assessment
process includes how management identifies risks relevant to the preparation of
financial statements that give a true and fair view (or are presented fairly, in all material
respects) in accordance with the entity’s applicable financial reporting framework,
estimates their significance, assesses the likelihood of their occurrence, and decides
upon actions to manage them. For example, the entity’s risk assessment process may
address how the entity considers the possibility of unrecorded transactions or identifies
and analyzes significant estimates recorded in the financial statements. Risks relevant
to reliable financial reporting also relate to specific events or transactions.

9.17 Risks relevant to financial reporting include external and internal events and
circumstances that may occur and adversely affect an entity’s ability to initiate, record,
process, and report financial data consistent with the assertions of management in the
financial statements. Once risks are identified, management considers their significance
and the likelihood of their occurrence, and determines how the risks will be managed.
Management may initiate plans, programs, or actions to address specific risks or they
may decide to accept a risk because of cost or other considerations. Risks can arise or
change due to circumstances, such as the following:
• changes in operating environment
• new people
• new or revamped information systems
• rapid growth
• new technology
• new business models, products, or activities
• corporate restructurings
• expanded foreign operations
• new accounting pronouncements

Monitoring – Risk Activities

9.18 Monitoring of controls is a process to assess the quality of internal control
performance over time. It involves assessing the design and operation of controls on a
timely basis and taking necessary corrective actions. Monitoring is done to ensure that
controls continue to operate effectively over time. Monitoring of controls is accomplished
through ongoing monitoring activities, separate evaluations, or a combination of the two.

9.19 Ongoing monitoring activities are built into the normal recurring activities of an
entity and include regular management and supervisory activities. Managers of sales,
purchasing, and production at divisional and corporate levels are in touch with
operations and may question reports that differ significantly from their knowledge of
operations.

9.20 In many entities, internal auditors or people performing similar functions
contribute to the monitoring of an entity’s controls through separate evaluations. They
regularly provide information about the functioning of internal control, focusing
considerable attention on evaluating the design and operation of internal control. They
communicate information about strengths and weaknesses and recommendations for
improving internal control.

9.21 Monitoring activities may include using information from communications from
external parties. Customers implicitly corroborate billing data by paying their invoices or
complaining about their charges. In addition, regulators may communicate with the
entity concerning matters that affect the functioning of internal control, for example,
communications concerning examinations by bank regulatory agencies. Also,
management may consider communications relating to internal control from external
parties in performing their monitoring activities.

Information and Communication

9.22 An information system consists of infrastructure (physical and hardware
components), software, people, procedures, and data. Infrastructure and software will
be absent, or have less significance, in systems that are primarily manual.

9.23 The information system relevant to financial reporting objectives, which
includes the financial reporting system, consists of the procedures and records
established to initiate, record, process, and report entity transactions and to maintain
accountability for the related assets, liabilities and equity. Transactions may be initiated
manually or automatically by programmed procedures. Recording includes identifying
and capturing the relevant information for transactions or events. Processing includes
functions such as edit and validation, calculation, measurement, valuation,
summarization, and reconciliation, whether performed by automated or manual
procedures. Reporting relates to the preparation of financial reports as well as other
information, in electronic or printed format, that the entity uses in measuring and
reviewing the entity’s financial performance and in other functions. The quality of
system-generated information affects management’s ability to make appropriate
decisions in managing and controlling the entity’s activities and to prepare reliable
financial reports.

9.24 Accordingly, an information system encompasses methods and records that:
• identify and record all valid transactions
• describe on a timely basis the transactions in sufficient detail to permit
proper classification of transactions for financial reporting
• measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements
• determine the period in which transactions occurred to permit recording of
transactions in the proper accounting period
• present properly the transactions and related disclosures in the financial
statements

9.25 Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. It includes the
extent to which people understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting exceptions to
an appropriate higher level within the entity. Open communications channels help
ensure that exceptions are reported and acted on.

9.26 Communication takes such forms as policy manuals, accounting and financial
reporting manuals, and memoranda. Communication also can be made electronically,
orally, and through the actions of management.

Information Technology

9.27 Most information systems make extensive use of information technology. IT
can provide more useful and timely information to management by collecting and
processing data faster and enabling more flexible access and reporting. An automated
system is often more complicated and difficult to understand than a manual system. For
example, electronic records may be changed without evidence of the change.

9.28 Voyager focuses on IT general controls and activities-level IT security access
controls. Within Voyager, IT general controls are categorized as follows:
• security administration – managing internal user, remote, and third-party
access and monitoring access to IT systems
• program maintenance – initiating change requests, designing, developing
and configuring program changes and promoting changes to production
• program execution – scheduling batch programs, executing authorized
programs and monitoring execution of programs
• new system implementation – establishing an effective new system
implementation environment, initiating a new system project, defining
system requirements and specifications, designing, developing, configuring
and integrating a new system, converting data and implementing and
deploying a new system

9.29 Applicability of each ITGC activity
• security administration – This activity is ordinarily applicable to all entities.
The controls in this activity address the entity’s policies for administering
security, including the control of access to financial reporting applications
and related databases by internal and remote users and authorized third
parties. Refer to Exhibit 9.1 for definitions of the security administration
controls.
• program maintenance – This activity is ordinarily applicable to all entities
regardless of whether they utilize programmers to develop and maintain
applications, license them from third parties or both. The controls in this
activity address the entity’s policies for maintaining financial reporting
applications and databases and ensuring that only authorized versions of
applications are in use.
• program execution – This activity is only relevant to entities whose IT
environment includes batch processing. The controls in this activity
address the entity’s policies for administering batch controls, including
controls that ensure the right programs are executed to completion at the
right times. Audit teams should deselect this activity for entities whose IT
environment does not include batch processing in financial reporting
applications.
• new system implementation – This activity is relevant only to integrated
audits of entities who implemented a new system too late in the year
(typically during the last quarter) to allow the audit team to evaluate the
operating effectiveness of the new financial reporting controls. Audit teams
should deselect this activity for other audits. The controls in this activity
address how the entity designed, configured, and integrated its new
system and converted the data.

Financial Reporting

9.30 One objective of internal control is to ensure that information generated and
communicated from the various activities of an organization comes together to achieve
reliable financial reporting. In Voyager, controls related to the preparation of reliable and
accurate financial statements and regulatory reports are documented in “Financial
Reporting”.

9.31 Activities-level processes and controls initiate, capture, process and record
transactions which culminate in the general ledger. Financial reporting activities take
this information in the general ledger and use it to prepare accurate and reliable
financial statements and regulatory reports. Financial reporting processes include:
• mapping general ledger accounts to financial statement lines
• preparing post-closing trial balances, including top-level journal entries
• consolidating business units
• applying appropriate accounting principles
• preparing financial statements and other regulatory reports

Activities-Level Controls
9.32 Activities-level controls are controls (or control activities) performed at the
process level within a transaction cycle (i.e., controls over the origination, processing,
and recording of transactions). Processes are the action steps that are performed by
every entity when conducting their business. In Voyager, each transaction cycle
consists of activities, and each activity consists of processes. Controls are established
over each process to reduce the possibility of error or fraud.

Limitations of Internal Control


9.33 Internal control does not provide management with conclusive evidence that
objectives are achieved, because of inherent limitations. Such limitations include:
• the potential for mistakes arising from such causes as misunderstanding
of instructions, errors of judgment, and personal carelessness, distraction,
or fatigue
• the possibility that procedures whose effectiveness depends on
segregation of duties can be circumvented by collusion or management
override
• the possibility that procedures designed to assure the execution and
recording of transactions in accordance with management's authorizations
may be ineffective against either fraud or errors perpetrated by
management, or against the estimates and judgments required in the
preparation of financial statements
• the potential for circumventing even the most elaborate security controls

9.34 Any projection of a current evaluation of internal control to future periods is
subject to the risk that the procedures may become inadequate because of changes in
personnel, system software, or other conditions, or the degree of compliance with any
particular control may deteriorate.

9.35 The concept of reasonable, as opposed to absolute, assurance recognizes
that the cost of an internal control policy or procedure should be considered in relation
to the benefits to be derived and also recognizes that the evaluation of the various
pertinent factors necessarily requires estimates and judgments by management.

Economic and Financial Statement Events


9.36 Financial statements may be considered summaries of the economic effects of
exchange transactions between the reporting enterprise and third parties. Such
transactions typically go through a series of processes until they are summarized in the
general ledger and reported in the financial statements. Voyager recognizes four types
of events that can occur within a transaction cycle: boundary, discretionary, internal,
and ledger. Each process within a transaction cycle is assigned to one of these events.

9.37 The boundary event is the point in a transaction cycle where an entity interacts
with a third party. There are four types of boundary events:
• initiation – transaction is initiated
• movement – goods or services are provided
• recording – transaction is recorded
• consideration – transaction is completed by receiving or paying the
consideration

In Voyager, all four events are listed as boundary events.

9.38 Discretionary events are economic activities that are initiated internally and are
necessary to allocate revenues, expenses, gains, and losses to the proper accounts
and periods. Discretionary events are judgmental in nature. Examples of such events
include:
• adjusting and recording the provision for inventory obsolescence
• adjusting and recording inventory balances after a physical count
• calculating and recording depreciation charges
• calculating and recording the provision for bad debts

9.39 Internal events are intermediate activities that process data and information
between the boundary and ledger events. Examples of internal events include
maintaining the customer master file, entering receiving information, and recording
receipts in a subsystem.

9.40 Finally, ledger events are activities that record transactions in the general
ledger. Examples of such events include recording investments, income, and receipts in
the general ledger.

Processes and Controls


9.41 Processes, whether automated or manual, can introduce errors into the
accounting system. These errors can be intentional or unintentional. Controls, on the
other hand, are needed to ensure that all the relevant economic events are captured
and are established over processes to prevent and detect such errors. For example,
most businesses have the process “collect cash from customers (receive payments)”.
Controls implemented over this process should ensure that all cash collected is properly
recorded and deposited in the entity’s bank account. Such controls may include
segregating the cash collection activity from the recording activity, performing
reconciliations and following up on identified exceptions.

9.42 No one person should be responsible for processing a complete transaction.
In Voyager, the function or person performing a particular process or control is captured
and evaluated for proper segregation of duties - an important internal control element in
Horizon.
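
The segregation-of-duties evaluation described in 9.41 and 9.42, as an added example that is not part of the manual and does not reproduce Voyager's logic. The duty labels, the incompatibility rules other than custody versus recording, and the sample assignments are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Duty pairs that one person should not hold within the same transaction cycle.
# custody/recording follows the cash-collection example in 9.41; the other
# pairs are illustrative assumptions, to be replaced by the engagement's own rules.
INCOMPATIBLE = {
    frozenset({"custody", "recording"}),
    frozenset({"custody", "reconciliation"}),
    frozenset({"recording", "reconciliation"}),
}

# Constructed sample data: (cycle, process or control, duty type, performer).
ASSIGNMENTS = [
    ("cash receipts", "collect cash from customers", "custody", "clerk_1"),
    ("cash receipts", "record receipts in subsystem", "recording", "clerk_1"),
    ("cash receipts", "deposit cash in bank account", "custody", "clerk_2"),
    ("cash receipts", "reconcile bank account", "reconciliation", "supervisor_1"),
    ("purchases", "approve purchase order", "authorization", "owner"),
    ("purchases", "enter vendor invoice", "recording", "owner"),
    ("purchases", "pay vendor", "custody", "owner"),
    ("purchases", "reconcile vendor statement", "reconciliation", "owner"),
]


def sod_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return sorted (cycle, performer, duty_a, duty_b) for incompatible duties held together."""
    duties = defaultdict(set)
    for cycle, _step, duty, performer in assignments:
        duties[(cycle, performer)].add(duty)
    findings = []
    for (cycle, performer), held in duties.items():
        for duty_a, duty_b in combinations(sorted(held), 2):
            if frozenset({duty_a, duty_b}) in incompatible:
                findings.append((cycle, performer, duty_a, duty_b))
    return sorted(findings)


def complete_transaction_holders(assignments):
    """Return sorted (cycle, performer) pairs where one person performs every step of a cycle."""
    steps_in_cycle = defaultdict(set)
    steps_by_person = defaultdict(set)
    for cycle, step, _duty, performer in assignments:
        steps_in_cycle[cycle].add(step)
        steps_by_person[(cycle, performer)].add(step)
    return sorted(
        (cycle, performer)
        for (cycle, performer), steps in steps_by_person.items()
        if steps == steps_in_cycle[cycle]
    )


if __name__ == "__main__":
    for finding in sod_conflicts(ASSIGNMENTS):
        print("incompatible duties:", finding)
    for cycle, performer in complete_transaction_holders(ASSIGNMENTS):
        print("complete transaction handled by one person:", cycle, performer)
```

In the sample, clerk_1 both collects and records cash, and the owner performs every step of the purchases cycle, which is the condition 9.42 rules out.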

Control Objectives
9.43 Each activities-level control is assigned to a control objective. Control
objectives are applicable to economic and financial statement events as follows:
Control Objective | Boundary Event | Internal Event | Discretionary Event | Ledger Event

Authorization ✓ ✓ ✓

Completeness and Accuracy ✓ ✓

Integrity ✓ ✓ ✓

Budgetary ✓

Reconciliation ✓

Safeguarding ✓

9.44 Controls that achieve the authorization objective are designed to ensure that
captured transactions are valid and have the approval of management. This
authorization may be based on a broad policy, for example, when authorization is given
to extend credit to any customer up to a specified limit. This authorization may also be
specific, for example, where further authorization controls are performed for
transactions in excess of the specified limit. Authorization controls occurring during
processing are the same in nature and purpose as those at the boundary; however,
controls at the boundary are normally stronger. For example, authorization of the
extension of credit after the fact is not a very effective control; it may be useful in
detecting potential recoverability problems, but not in preventing or minimizing them.

9.45 Controls that achieve the completeness and accuracy objective are designed
to ensure that all exchanges with third parties are properly captured in the accounting
system and the data captured is complete and accurate. “Completeness controls” are
designed to prevent or detect errors in the number of items or transactions processed,
to guard against the possibility that items accepted by the accounting system are
omitted from processing or are processed more than once. “Accuracy controls” are
designed to prevent or detect discrepancies between items of information and the
corresponding economic facts, to guard against the possibility that incorrect information
is processed.

9.46 Controls that achieve the integrity objective are designed to prevent the
alteration of computer data files and programs, to help ensure that all accepted
transactions remain on file for the proper period, and all captured transactions
accurately update the master files. “Integrity controls” apply to automated components
of the accounting system and include controls such as restricted access to databases.
They do not include controls such as locks restricting access to the computer room.

9.47 Controls that achieve the budgetary objective are designed to aid
management in determining that the entity is operating as expected. For example, if
salaries are a negotiated contract item, management might expect actual salary
expense to match the aggregate contracted amount. If the actual expense is
significantly different, a “budgetary control” may indicate an error in the accounting
system.

9.48 Controls that achieve the reconciliation objective are designed to ensure that
the general ledger account properly reflects the summary of the events recorded in the
accounting system. An example is reconciling a control account to a subsidiary ledger.
Such controls are detective rather than preventive. In Voyager, the completion of a
reconciliation is not a control in and of itself. For example, if the reconciliation is
prepared but the reconciling items are not examined to determine if they are indicative
of an error, no control is provided by the reconciliation.

9.49 Controls that achieve the safeguarding objective are designed to protect
assets. They include procedures and security measures that restrict access to assets to
authorized personnel. These controls are particularly important in the case of valuable,
easily exchangeable, or portable assets.

Control Attributes
9.50 All controls have distinct attributes. However, any given control can fit a
number of different control attributes. The controls built into Voyager are pre-assigned
to certain attributes. Examples of such attributes are:
• COSO component
• control objective
• foundational, operational, or monitoring
• preventive or detective
• automated or manual
• primary (and sometimes secondary) assertion

9.51 The COSO component and control objective attributes are discussed above.
The other attributes are discussed in the following paragraphs. The Control Attributes
report can be generated to identify the controls within a process and their pre-assigned
attributes.

9.52 In addition to the attributes assigned by Voyager, the audit team should
determine and document in Voyager whether the control is a documented or
undocumented control.

Foundational, Operational and Monitoring Controls

9.53 Foundational controls provide an overall context or environment to ensure that
the execution of activities and controls is consistent with management objectives.
Examples of foundational controls include segregation of duties, standard operating
policies and procedures, and controls over entity-level processes.

9.54 Operational controls provide the front line of defense in preventing, detecting,
and correcting errors. Examples of operational controls include following up on
reconciliations and exception reports, comparing batch totals to predetermined
numbers, performing edits on transaction limits and data and systems access controls.

9.55 Monitoring controls ensure that all other controls are operating as designed.
Examples of monitoring controls include review of business performance metrics,
observation of operational controls, and reperformance of specific controls.

Preventive and Detective Controls

9.56 Preventive versus detective is a distinction based on the timing of the control
application, because both types of controls are designed to discover errors. Preventive
controls, as the name implies, prevent errors from initially being accepted in the books
and records; detective controls expose the errors after their initial recording. Examples
of preventive controls are:
• reperformance of tasks by a second individual prior to recording
• accounting for all items in a batch through the use of batch totals
• edits on invalid or duplicate entries
Examples of detective controls are:
• following up on reconciliations
• following up on exception reports
• performing monitoring activities

9.57 Preventive controls are usually preferred over detective controls, because they
prevent errors from being introduced into a process, as opposed to detecting errors
already introduced. For example, the entity's control system would be better if a
preventive control (such as an edit) required authorization of large sales than if a
detective control (such as follow-up on an exception report) identified transactions
requiring authorization after the occurrence of the event.

9.58 Because of the inherent limitations of internal control, an entity should have an
appropriate mix of preventive and detective controls. While preventive controls are
ordinarily preferable to detective controls, detective controls supplement preventive
controls and further reduce the risk of error. Detective controls also address the risk of
management override and fraud.
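
The completeness and accuracy objective (9.45) and the preventive/detective distinction (9.56 to 9.58) can be seen side by side in a batch-posting routine. This is an added example, not taken from the manual or from any accounting package; the batch header fields, document numbers and amounts (in minor currency units) are constructed assumptions.

```python
from collections import Counter


def validate_batch(header, items, already_posted=()):
    """Preventive edits: list every reason to reject the batch before it is recorded."""
    errors = []
    counts = Counter(doc for doc, _ in items)
    # Completeness: no item may be processed more than once.
    for doc in sorted(d for d, n in counts.items() if n > 1):
        errors.append(f"duplicate in batch: {doc}")
    for doc in sorted(set(counts) & set(already_posted)):
        errors.append(f"already recorded: {doc}")
    # Accuracy: amounts must be valid and agree with the independently prepared header.
    for doc, amount in items:
        if not isinstance(amount, int) or amount <= 0:
            errors.append(f"invalid amount: {doc}")
    if len(items) != header["count"]:
        errors.append(f"item count {len(items)} != batch header {header['count']}")
    total = sum(a for _, a in items if isinstance(a, int))
    if total != header["control_total"]:
        errors.append(f"total {total} != batch header {header['control_total']}")
    return errors


def post_batch(ledger, header, items):
    """Record the batch only if every edit passes; otherwise record nothing."""
    errors = validate_batch(header, items, already_posted=ledger)
    if not errors:
        ledger.update(items)
    return errors


def sequence_gaps(ledger, first, last):
    """Detective check: prenumbered documents in [first, last] that were never recorded."""
    return [n for n in range(first, last + 1) if n not in ledger]


def run_example():
    """Post three constructed batches, then run the detective check."""
    ledger = {}
    out = {}
    out["batch1"] = post_batch(
        ledger, {"count": 3, "control_total": 45000},
        [(1001, 12000), (1002, 8000), (1003, 25000)])
    # Rejected: 1003 was recorded in batch 1 and 1005 is keyed twice.
    out["batch2"] = post_batch(
        ledger, {"count": 2, "control_total": 25000},
        [(1003, 25000), (1005, 5000), (1005, 5000), (1006, 20000)])
    out["recorded_after_reject"] = sorted(ledger)
    # Corrected and resubmitted.
    out["batch3"] = post_batch(
        ledger, {"count": 2, "control_total": 25000},
        [(1005, 5000), (1006, 20000)])
    # Document 1004 was never submitted, so no preventive edit could see it;
    # only the after-the-fact sequence check exposes the omission.
    out["gaps"] = sequence_gaps(ledger, 1001, 1006)
    return out


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The gap reported for document 1004 is only a control if someone follows it up, which is the point 9.48 makes about reconciliations.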

Manual and Automated Controls

9.59 People perform manual controls. Their reliability is affected by the possibility of
human errors in judgment or misinterpretation, misunderstanding of the controls to be
performed, carelessness, fatigue, or distraction.

9.60 The operating system or application software performs automated controls.
They enhance the reliability or integrity of data and are inherently more reliable than
manual controls. An example of an automated control is an edit check that prevents
entry of invalid data.

Documented and Undocumented Controls


9.61 Documented controls provide written evidence that they are performed and
are often characteristic of manual controls. Undocumented controls may be effective,
but they can only be tested through inquiry and observation.

9.62 Written evidence, which may take the form of signatures or initials, assists in
the identification of items for testing and only provides indirect evidence that a control
procedure was performed. For example, the person performing the control procedure
might not have performed the procedure effectively because he or she misunderstood
the purpose of the control.

Application and System Controls

9.63 Application controls are automated controls built into application software
(e.g., payroll, accounts receivable, or general ledger software), which may vary from
application to application. Application controls are designed to ensure that all
transactions recorded are authorized, complete, and accurate. For example, a customer
enters a sales order either through a telephone call to a salesperson or by using an
interactive website. However, the sales order software will not process the transaction
unless the customer’s accounts receivable balance is below a specified credit limit.

9.64 System controls (also referred to as IT general controls) are automated
controls that help ensure the continued, proper operation of information systems. Such
controls apply to systems as a whole and are substantially the same regardless of the
application. In Voyager, these are included within entity-level controls under Information
Technology. For example, passwords restricting access to a computer network are
system controls. There are five basic control objectives for system controls over
computer processing:
• reliability of processing controls – provide evidence that computer
applications are properly running, and that:
– the organizational structure and staffing is appropriate for the effective
operation of the information technology department
– there is appropriate segregation of duties between users, programmers
and operators
– unauthorized access to the system is prevented
– the correct versions of data and program files are used in processing
– the operating system facilities are properly implemented
– the use of utility programs is restricted to authorized people
– live implementation of new or amended programs is properly controlled
• integrity of software program controls – provide evidence that processes
and controls implemented within computer programs are not accidentally
modified or deliberately circumvented. They include:
– automated access security
– physical access controls over electronic files
– operational controls over enhancements and amendments to programs
• integrity of electronic data controls – provide evidence that data is
correctly processed and that data maintained by the accounting system is
not accidentally or deliberately modified or corrupted by other means.
They include:
– electronic access security
– physical access controls over electronic media
• continuity of processing controls – provide evidence that computer
hardware and application systems continue to be available for processing
accounting data on a timely basis, and include:
– physical access controls
– backup and business continuity plans
• system and application development and installation controls – provide
evidence that applications are properly designed to incorporate
appropriate controls by the user, and that controls are properly
implemented. This includes:
– development, testing, and documentation of applications developed
in-house
– acquisition, testing, documentation and implementation of purchased
applications

9.65 Although five basic control objectives have been defined for system controls
over computer processing, there is considerable interdependence between them. For
example, controls to restrict the use of utility programs, such as file editing tools, are not
only relevant to the reliability of processing, but also to the integrity of data and the
integrity of programs. In fact, since such a utility could be used to falsify a log file, it
could be employed to circumvent controls over system amendments. System controls
over computer processing should not, therefore, be considered in isolation from each
other, or from the applications.

Obtaining and Documenting an Understanding of Internal Control


9.66 The particular design of the entity’s internal control will vary according to the
size and nature of the business. The applicability and importance of specific elements of
the entity’s internal control should be considered in the context of the entity's:
• size
• organization and ownership characteristics
• nature of business
• diversity and complexity of operations
• methods of processing data
• applicable legal and regulatory requirements

9.67 For example, some companies are organized first by subsidiaries, then by
regions within those subsidiaries. Others are organized first by geographic region, then
by lines of business within those regions. For these types of engagements, the audit
team must determine how the entity’s operations will be segregated for evaluation
purposes.

9.68 The extent of work performed at each location or business unit varies
depending on the entity and the risk of material misstatement. For each individually
important location or business unit, a separate Voyager file should ordinarily be created
and completed. At each location, it is only necessary to document significant transaction
cycles.

9.69 For locations and business units that are not individually important, a separate
Voyager file may not be necessary. However, the audit team should consider whether
an error could occur in one location (or several locations in the aggregate) that may give
rise to a material misstatement for the entity as a whole. In such cases, controls that
prevent or detect such errors should be understood and documented. For example, if a
business unit has complex revenue transactions that may result in a material
misstatement for the entity as a whole, it is reasonable to expect controls in this cycle to
be documented. In this situation, a separate Voyager file should be created to document
the controls over the revenue cycle for that unit.
Understanding Entity-Level and Activities-Level Controls

9.70 Horizon requires the audit team to obtain an understanding sufficient to
identify:
• major classes of transactions in the entity’s operations
• how such transactions are initiated
• significant accounting records, supporting documents and accounts in the
financial statements
• the accounting and financial reporting process, from the initiation of
significant transactions and other events to their inclusion in the financial
statements
• whether the control environment is sufficient to assess directors’ and
management’s attitudes, awareness and actions regarding internal control
and their importance to the entity
• whether the control procedures (or activities) are sufficient to develop the
audit plan

9.71 Accordingly, to obtain such understanding, Horizon requires the audit team to
understand and document:
• all entity-level controls
• activities-level controls associated with risks that are reasonably possible

9.72 Voyager should be used to document this understanding. This process allows
the audit team to understand how the entity:
• identifies, assembles, analyzes, classifies, records, and reports
transactions
• maintains the accountability for the related assets and liabilities
• provides information concerning the balances and the transactions as a
basis for producing accurate and reliable financial statements

9.73 A significant cycle is one that contains accounts or disclosure amounts that
are quantitatively or qualitatively material. Audit teams should use tolerable error as the
quantitative measure for materiality. Qualitative factors, such as related party
implications, could make an otherwise immaterial account material, even when it is less
than tolerable error.

9.74 Each process within a significant cycle is evaluated to determine its
importance. While efforts to document and evaluate activities-level controls are focused
on processes associated with reasonably possible risks, documentation of “process
importance” and “who performs” for all processes in a significant cycle demonstrates
that the audit team understands the accounting system and the flow of transactions.

9.75 Through observation and inquiry, the audit team identifies controls. Using
Voyager, the audit team:
• places a check next to those controls that are implemented
• indicates whether the control is documented
• designates the name or function of the person performing the process and
the controls

9.76 Evidence that supports or corroborates processes or controls may only exist at
certain points in time. In this situation, to confirm their understanding, the audit team
might need to perform procedures at varied times during the year.

9.77 The audit team may also choose to document other client information and their
understanding of the entity in Voyager.

Process Importance

9.78 Voyager suggests process importance for all processes in all industries. The
audit team may need to change process importance when the suggestion is not
appropriate for the specific client situation. It is essential to assess process importance
correctly as this determination may affect the nature, timing and extent of other audit
procedures. Audit teams should carefully evaluate the process and consider the
relevance of the process factors. The more factors that are relevant, the more important
a process is likely to be. Voyager requires audit teams to document their rationale for
changing a preset process importance determination.

9.79 There are three possible assessments:
• very important
• somewhat important
• not important

9.80 To assist the audit team in the determination of process importance, Voyager
contains factors for the audit team to consider. These factors are grouped into four
categories:
• materiality – large monetary amounts, high volume of transactions, and
impact on disclosures
• complexity – specialized skills required, potential for introduction of errors,
and complex accounting, judgments or estimates
• fraud and related party transactions – potential for fraudulent financial
reporting and misappropriation of assets and significant related party
transactions
• recent changes – in the business processes or in accounting principles or
practices

9.81 The audit team should document controls for the very important and
somewhat important processes. For not important processes, documentation of the
controls is not required.
Assistance of IT Specialists

9.82 Members of the audit team should have sufficient background and experience
to review most electronic systems. However, complex systems require the assistance of
an IT specialist. The application programs and databases used by an entity often
provide the first clue to the complexity of the system. Examples of software applications
commonly found in complex IT environments are PeopleSoft and SAP. Examples of
relational databases commonly used in complex IT environments are Oracle and DB2.
The IT Profile tool in Voyager assists teams in determining whether an IT system is
complex.

9.83 The audit team is responsible for capturing the information in the IT Profile
correctly. This includes entering details regarding significant applications used by the
entity to process information related to financial reporting processes. Once this
information is entered, the team evaluates complexity by considering the applicability of
the IT complexity factors for each application. If any of the applications are complex, the
audit team should then add an IT specialist to the team. The IT specialist then reviews
the IT Profile documentation to appropriately determine the extent of his or her
involvement. In addition, the audit team can include an IT specialist if they deem it
necessary, even if the applications are not assessed as complex.

9.84 When an IT specialist is added to the audit team, his or her initial responsibility
is to participate in the risk assessment process, including the discussion among the
audit team members to brainstorm about risks, including fraud and where things could
go wrong. Due to the complex nature of IT systems, the IT specialist will normally be a
partner or manager who will assist the audit team in identifying IT-related risks. Based
on the specifics of the client and the risks identified, the audit team and the IT specialist
will then determine the extent of the IT specialist’s further involvement. This includes
assigning the appropriate IT specialist to perform the work and deciding what role he or
she will perform in documenting and testing IT controls for the audit.

9.85 The IT specialist is considered part of the audit team. As such, he or she
should document his or her work using Voyager. In addition, the IT specialist should
adhere to all professional and firm standards.

9.86 The audit team cannot “audit around” the computer, delegate responsibility for
technology risk assessments to others, or delegate responsibility to an IT specialist to
determine the correct audit judgments. The audit team should have the requisite skills to
understand and complete the IT profile and general IT environment as set out in
Voyager. That is not to say that an IT specialist will not be needed to assist with that
process, but when an IT specialist participates on the audit as a member of the audit
team, it is still incumbent on the rest of the audit team to understand and concur with the
work that the specialist performs.

9.87 Understanding the IT environment is essential to enable the audit team to
assess risks properly and to design a focused audit strategy. Generally, it is the
in-charge accountant or someone with adequate skills and experience that should make
the appropriate inquiries of management and IT personnel and complete Voyager. The
in-charge accountant should consider accompanying the IT specialist as he or she
makes inquiries and observations to understand the IT environment. The audit team,
including the IT specialist, is responsible for understanding the entity’s IT environment,
making final decisions regarding risk and properly tailoring the engagement program.

Performing Walkthroughs

9.88 The objectives of a walkthrough are to:
• Verify and update the understanding of internal control. For example, an
audit team may gather the information necessary to document their
understanding for a new client principally through inquiry and observation
with reference to the entity’s procedures manuals. This understanding
may be verified by walking through one or more transactions for a
transaction cycle. The audit team performs walkthrough tests to update
and verify this understanding in a similar manner in subsequent years;
however, as a matter of efficiency, instead of first updating the
understanding for any changes and later walking through transactions, the
audit team may consider performing the walkthrough tests at the same
time they make the inquiries and observations necessary to update their
understanding.
• Verify controls are implemented. When determining whether controls are
implemented, the audit team should also consider the effectiveness of the
design of the control in preventing or detecting errors or fraud.
Identification of ineffective control procedures at this time will help avoid
performing tests of controls that do not function well enough to justify
lower control risk assessments.

9.89 Walkthroughs should be performed for processes associated with reasonably
possible risks. Walkthroughs may be performed in other areas; however, they are not
required.

9.90 When performing a walkthrough, the audit team ordinarily traces transactions
through the transaction cycle beginning with the documentation resulting from a
boundary event, such as the issuance of a receiving report, and, while observing the
operation of identified controls, they follow the transaction through the system until it is
ultimately summarized and recorded in the client's general ledger.

9.91 When there has been a change to the system, for example, a software
upgrade, the audit team may consider selecting transactions occurring before and after
the change to walk through the system, particularly if, in the software upgrade example,
the entity does not have specific system controls for testing new versions of software
before they are implemented.

9.92 Using Voyager, the audit team documents the transactions selected for a
walkthrough, the pertinent accounting system attributes, the controls that were
observed, and describes the responses to inquiries made of client personnel. Significant
or unusual matters coming to our attention during the walkthrough should be noted.

Using the Work of Others

9.93 The audit team should refer to management’s documentation as they build the
documentation in Voyager. Leveraging the work of others will make the process of
capturing the controls more efficient.

9.94 Certain entity-level controls present unique challenges because of their
subjective nature, for example the control environment. Determining whether these
subjective governance controls are implemented requires judgment. Accordingly, the
audit team should exercise appropriate professional skepticism and form their own
conclusions with respect to the documentation and implementation of these controls.

Applicability to Small Entities


9.95 In many entities the number of people involved in the processes and controls
is small and owners are involved in many aspects of the day-to-day management. The
Horizon approach is the same regardless of the size of the business. The fact that an
organization does not have many employees and may be dominated by the owner-
manager does not necessarily mean that the organization does not have effective
internal control.

9.96 In such organizations, effective internal control procedures are often carried
out by owner-managers as part of their overall direction and management of the
business. In general, the better an owner-manager understands the purposes of
financial reporting, and the greater the attention directed to the entity’s internal control,
the more likely the audit team might find it appropriate to lower control risk assessments
and perform tests of controls. However, the audit team should consider the possibility
that the owner-manager might override controls or be "overly involved" in control
activities. For example, insistence that all correspondence go to his or her desk first, or
extensive owner-manager involvement with basic control functions (for example,
monthly bank reconciliations or the systematic matching of receiving reports and
purchase orders with vendor invoices) might indicate potential override of controls.

Entity-Level Controls and the Small Entity

9.97 As discussed previously, Voyager identifies five elements of governance:
control environment; monitoring (comprised of risk assessment and monitoring risk
activities); information and communication; information technology; and financial
reporting.

9.98 Small entities may implement the control environment elements differently
than larger entities. For example, small entities might not have a written code of conduct
but, instead, develop a culture that emphasizes the importance of integrity and ethical
behavior through oral communication and by management example. Similarly, the
board of directors or those charged with governance in small entities may not include an
independent or outside member.

9.99 The basic concepts of the entity’s risk assessment process are usually present
in every entity, regardless of size, but the risk assessment process is likely to be less
formal and less structured in small entities than in larger ones. All entities have
established financial reporting objectives, but they may be recognized implicitly rather
than explicitly in small entities. Management may be able to learn about risks related to
these objectives through direct personal involvement with employees and outside
parties.

9.100 Ongoing monitoring activities of small entities are more likely to be informal
and are typically performed as a part of the overall management of the entity’s
operations. Management’s close involvement in operations often will identify significant
variances from expectations and inaccuracies in financial data.

9.101 Communication may be less formal and easier to achieve in a small entity than
in a larger entity due to the small entity’s size and fewer levels as well as management’s
greater visibility and availability.

9.102 Information systems and related business processes relevant to financial
reporting in small entities are likely to be less formal than in larger entities, but their role
is just as significant. Small entities with active management involvement may not need
extensive descriptions of accounting procedures, sophisticated accounting records, or
written policies.

9.103 The concepts underlying control procedures in small entities are likely to be
similar to those in larger entities, but the formality with which they operate varies. An
appropriate segregation of duties often appears to present difficulties in small entities.
However, even companies that have only a few employees may be able to assign their
responsibilities to segregate those duties that are most essential to protect assets.

Very Small Entities


9.104 A “very small entity” flag is included in Voyager for entities that meet the
definition below. Selecting this flag turns off all of Voyager’s internal control evaluation
tools, which places the responsibility for evaluating design effectiveness entirely upon
the audit team. The definition of a very small entity was adopted for the purpose of
achieving consistency throughout the GTI member firms.

Definition of a Very Small Entity

9.105 A “very small entity” is one that employs very few people (for example, fewer
than 10 full-time equivalents) in the entire organization. Very small entities typically have
only one or two distinct sources of revenue. The number of transactions within each
revenue source is small. Their transactions lack complexity.

9.106 A very small entity is not:
• a company traded on a stock exchange
• an entity with publicly traded debt
• a transnational entity
• an entity subject to significant regulation
• an entity where the audit approach includes tests of operating
effectiveness of internal control

9.107 The entity may not be a very small entity when:
• governance includes external individuals (e.g., an audit committee or
equivalent) or
• there are one or more absentee owners, including limited partners

9.108 By designating an entity to be very small, the audit team assumes additional
responsibility in identifying activities-level deficiencies in internal control. For example,
for very small entities, Voyager will not identify potential segregation of duties issues. In
this situation, the audit team will manually add this finding to Voyager’s Design
Effectiveness tool, evaluate its severity, and design an appropriate response to the risk.

9.109 Examples of very small entities include:
• a single-site retail store
• an investment company that holds a few residential or commercial real
estate rental buildings

Designating a Client as a Very Small Entity

9.110 [Tailor the following paragraph to suit the policies and practice of your firm]
When the audit team believes that a client meets the definition of a very small entity,
they should consult with the office PSP and obtain his or her approval. Once the PSP’s
approval is obtained, the audit team can choose the very small entity option.
Exhibit 9.1 - Glossary of IT Security Administration Controls
E01 IT general controls include the following activities: security administration,
program maintenance, program execution, and new system implementation. The
security administration activity includes the following processes:
• establish effective security environment
• manage internal user access
• manage remote and third-party access
• monitor access to IT systems

E02 The following definitions apply to these processes and related controls within
the security administration activity.

Establish Effective Security Environment

The controls in the establish effective security environment process address the need for
management to establish security policies and procedures to protect the entity’s programs
and data. These programs and data are the source of the information used for financial
reporting. The nature and extent of these policies and procedures and the methods used to
implement them will vary with the size of the entity and its security requirements.

Policies and procedures for the administration of security are documented, approved and
communicated
Management must understand and evaluate security risks, and develop and enforce a written
policy that clearly states the standards and procedures to be followed. These policies should
be communicated in an effective manner such as through a staff handbook or Intranet web page.

Security policies are acknowledged and documented periodically by all employees
The effectiveness of security policies requires that they be communicated periodically to all
employees, who formally acknowledge their understanding of (1) the importance of protecting
the organization's information assets, (2) security policies and procedures (e.g., using and
protecting passwords) and (3) the potential consequences for violation of security policies
and procedures. Periodic acknowledgement can be documented in writing, such as in connection
with the periodic changing of passwords.

Security policies are acknowledged and documented by new employees upon hire
As a condition of employment, management should require new hires to read and acknowledge in
writing their understanding of security policies and procedures. (See also discussion of
"Security policies are acknowledged and documented periodically by all employees.")

Personnel responsible for the administration of security have appropriate skills and
experience
The security administration function is primarily responsible for granting, changing and
revoking security access rights to company data and assets as per the security policy. As a
result, the individuals that perform this function require a high level of access to the
various operating systems, applications, and databases. This level of access is typically
referred to as “administrator rights”. Due to the capabilities of this level of access, the
number of individuals with administrator rights should be limited to people whose duties are
such that they have an absolute need for administrator level access. The more people that
have administrator rights, the more difficult it becomes to achieve accountability, protect
data and segregate duties.

Personnel responsible for the administration of security are properly supervised
The security administration function facilitates access to information assets by users to
perform their jobs. In addition to this operational responsibility, the security
administration function serves as a critical instrument of control. Both of these
responsibilities require that the security administration function operate in an environment
that promotes objectivity and the freedom to act in the best interests of the company without
undue influence. Accordingly, the security administration function should be positioned
within the organization to enable access to senior levels of IT and business management. In
many organizations, the head of the security administration function is the Chief Security
Officer or reports to the Chief Security Officer. Like any other important business function,
members of the security administration function should be properly trained and supervised in
a manner that promotes objectivity, independence of action and effectiveness of job
performance.

Commercially available software tools are used to facilitate the enforcement of access rules
and to monitor access
The variety and volume of information assets, sources of access and access channels create
risks that are difficult to manage without the use of commercially available tools and
controls. These tools and other technology-based controls enable the automated application of
business rules to restrict access to information assets in accordance with legitimate
business need as well as to identify unauthorized access attempts and patterns of access that
require follow-up. Commercially available tools can automate and control the granting of
access, enforce the periodic changing of passwords, terminate access rights, and perform
other user administration activities that might otherwise overwhelm exclusively manual
processes. Certain tools can also be configured to monitor and trace accesses to sensitive
information assets to facilitate informed actions by security management.

Position of security administration function within the organization promotes objectivity
(See discussion of "Personnel responsible for the administration of security are properly
supervised.")

Duties of security personnel do not include performing financial reporting processes or
controls
Segregation of duties is one of the most important internal controls. To achieve appropriate
segregation of duties, administrator rights should not be assigned to people who are involved
in the financial reporting process.

Duties of security personnel do not include programming or IT management
In addition to not being involved in the financial reporting process, different people should
perform programming and IT management. The following describes each of these functions:
- Programming: involves the development of applications for the entity.
- IT Management: typically, the duties of IT Management include the development of
technology strategies, strategic business plans and policies and standards.

Management periodically assesses IT security vulnerability
A person’s responsibilities within the organization frequently change over time. Thus,
management should perform periodic reviews of user profiles and assignments to groups to
maintain the segregation of duties established when an employee was first set up on the
system. Such a review also helps to ensure compliance with security policies. Executing this
control may include a review of network operating system access, application access, and
database access.

Manage Internal User Access

The controls in the manage internal user access process address the need for management
to use security techniques to protect the integrity of application program and data files that
are used in financial reporting. These procedures also enforce segregation of duties.

In any system, there are three potential ways to access data. The first is through the
operating system (for example, using Windows Explorer to access files on a network). The
second is through the application program (for example, accessing your bank account using
Internet banking or accessing the general ledger program that records journal entries). The
third is by directly accessing the files (or the database) that contain the information (for
example, with a database program like SQL Server or a utility program provided by the
application vendor). Ideally, an entity’s system will facilitate having a single set of
policies and procedures that administer access rights.

Access rights of users and IT personnel are documented and approved by appropriate members
of management
The access rights of all users of information assets (e.g., business process, IT, executive
management) should be defined, documented and approved by appropriate managers. For example,
the access rights of an employee in the accounts payable department should be specified by
his or her supervisor, who is in a position to understand and prevent potential conflicts
with incompatible duties. Business process managers who are responsible for the
identification and authorization of employees' access rights should not be able to directly
enable those access rights in the system.

User and group profiles used to control the level of access to data
Information owners establish an individual’s access rights to programs and data. Typically,
this is accomplished by managing access rights at a group level and assigning individuals to
a group. For example, the sales staff group has access to the sales order program and data.
John Jones is a member of the sales staff group. Thus, John Jones has access to the sales
order program and data.
Access rights can also be controlled with user profiles. For example, John Jones may also
have responsibility to maintain the sales successes section of the company’s Intranet. His
user profile would allow him to have access rights to the network folder containing these
files.
Controlling access is key to establishing and enforcing segregation of duties.

Computers are configured to prevent the bypassing of the approved user profiles and menu
restrictions
Security controls (user profiles and menu restrictions) protect the completeness and accuracy
of information by managing access to programs and/or access to the underlying data files.

Updates to user profiles and menus on the system restricted to IT security personnel
The security administration group serves as a control buffer between users and systems.
Authorized user managers are responsible for specifying, documenting, and approving the
access rights of users within their respective chains of command. Allowing user managers to
directly enable access right decisions in the system represents a conflict.

User id and password required to logon
A user identification (ID) provides the computer system with the name of the user. The
associated password validates the user’s identity claim.

User ids required to be unique
A unique user identification (ID) is necessary to establish individual accountability.

System requires passwords to be changed periodically
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. Periodically changing passwords is one technique to
control this risk. Virtually all computer operating systems and computer application programs
provide administrators with the ability to make appropriate settings. Good practice is to
require passwords to be changed every 30 to 60 days.

Minimum lengths established for passwords
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. The shorter the password, the easier it is for others to
guess and the easier it is to be cracked by a utility program. Virtually all computer
operating systems and computer application programs provide administrators with the ability
to make appropriate settings. Good practice is to require passwords to be at least 6
characters in length.

Passwords hidden during system logon
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. Displaying passwords during logon is one way that this
could happen. Virtually all computer operating systems and computer application programs
provide the ability to hide the password during logon.

Passwords are encrypted
As with any other data, passwords are stored in a file on the computer system. Encryption
scrambles the content of the file to prevent it from being read by utility programs. Most
computer operating systems and application programs provide for this ability.

Users required to keep passwords confidential
An explicit policy that requires users to maintain confidentiality of passwords sets an
appropriate tone regarding accountability, segregation of duties, and protection of data.
Users should avoid displaying passwords by paper notes and other such means.

Dictionaries prevent use of common words as passwords
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. The more common the password, the easier it is for others
to guess and the easier it is to be cracked by a utility program. Most computer operating
systems and computer application programs provide administrators with the ability to make
appropriate settings to prevent the use of common words as passwords. Good practice would
include using this feature.

System security enforces use of complex passwords
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. The simpler the password, the easier it is for others to
guess and the easier it is to be cracked by a utility program. Most computer operating
systems and computer application programs provide administrators with the ability to make
appropriate settings to enforce the use of complex passwords. Rules for complex passwords
vary from system to system, but frequently using this feature requires the user to include a
mixture of upper and lower case characters, numbers, and special characters (such as @ or #
or $ or %) when designating their passwords. Good practice would include using this feature.

System locks out users after a reasonable number of unauthorized entry attempts
There is a risk of compromising accountability, segregation of duties, and data by user
passwords becoming known to others. Guessing passwords frequently involves making multiple
system access attempts either manually or by using a password cracker utility program. Risk
increases in proportion to the number of unsuccessful logons that the system allows.
Virtually all computer operating systems and computer application programs provide
administrators with the ability to make appropriate settings. Good practice would lock out a
user after 3 or so unsuccessful access attempts.

Hardware devices used for authentication
Controlling access with passwords has several limitations. Decreasing costs are facilitating
the replacement of passwords with hardware authentication devices. An example is a
fingerprint reader that authenticates by matching thumbprints. Another example is a digital
hardware token (usually provided as a key chain) that is synchronized with a centralized
server. The token and the server generate a 12-digit password every 20 seconds. To control
costs, some entities implement these devices only for those users that access the system
remotely (for example, through the Internet or by dial-up).

Digital certificates used for authentication
Because of the inherent limitations of controlling access with passwords, many entities use a
second level of authentication. For example, to gain access to the system, users not only
have to have a unique ID and validated password, but they also have to be using an authorized
computer. One way to accomplish this objective is to place a file on the user’s computer
called a digital certificate. Upon logon, a server verifies the validity of the certificate
before allowing access to the system. Good practice would include second level
authentication, but there are associated costs. Many entities use this technique for both
internal and external access, as unauthorized access to the system could be gained via the
Internet or with a network connection in a meeting room.

System automatically logs off users after a period of inactivity
There is a risk of compromising accountability, segregation of duties, and data by a user
accessing the system with another user’s identity. The longer the system allows idle
activity, the greater the risk. Virtually all computer operating systems and computer
application programs provide administrators with the ability to make appropriate settings.
Frequently, this control is placed into practice by using screen saver password settings.
Good practice would require a user to log back on after 30 minutes or so of inactivity.

Access rights of terminated employees are disabled on a timely basis
People that have left the entity could potentially continue to have access to programs and
data if they are not removed from the system. Common practices include first disabling the
person’s account to allow time for IT people to retrieve such things as stored email.
Accounts are removed at a later date.

The security administration function is automatically notified by human resources of
employee terminations and work status changes that impact access rights
Automatic notification of personnel changes (e.g., terminations, department changes) promotes
more timely action by the security administration function to terminate or modify employee
access rights. While removal of the access of terminated employees can typically occur
without further input from HR or managers, automated notification of changes in employee
responsibilities can alert both the security administration function and user management to
define and authorize changes to access rights on a more timely basis. Manual notification is
less reliable and frequently less timely than automatic notification.

The number of people with administrator rights is limited appropriately
Due to the accidental or deliberate damage that could occur with inappropriate administrator
access, the number of individuals with administrator rights should be limited to only those
people who have an absolute need. The more people that have access, the more difficult it is
to achieve accountability, protect data integrity, and segregate duties.

Access to and use of data altering utilities are restricted, logged and approved
A common characteristic of data altering utilities (including special purpose scripts or
programs) is their ability to make changes to data without creating an audit trail.
Additionally, if the change process using utilities is not well-controlled, errors may occur
and not be detected on a timely basis. A fundamental control principle is that changes to
data should be made only through the use of business application functions performed by
authorized personnel. Application software typically provides an array of controls over data
entry, processing and posting, including the creation of audit trails. The frequent use of
data altering utilities may indicate application software problems that cannot be prevented
or corrected through use of routine application functions. System utilities, such as those
that can change data, are necessary tools to the administration of systems.
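
The reconciliation behind several of the controls above (terminated employees' access, limited administrator rights, security duties kept apart from financial reporting, unique user IDs), as an added example that is not part of the manual or of Voyager. It compares a constructed account listing with a constructed HR extract; the record layouts, group names and department names are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed HR extract (assumed layout): employee number -> department and
# termination date (None means still employed).
HR = {
    "E100": {"dept": "Sales", "terminated": None},
    "E101": {"dept": "Accounts Payable", "terminated": None},
    "E102": {"dept": "IT Security", "terminated": None},
    "E103": {"dept": "Sales", "terminated": date(2015, 1, 16)},
    "E104": {"dept": "General Ledger", "terminated": None},
    "E105": {"dept": "Accounts Payable", "terminated": date(2015, 1, 9)},
}

# Constructed account listing (assumed layout), one row per account.
ACCOUNTS = [
    {"user_id": "jjones", "employee": "E100", "groups": {"sales_staff"}, "enabled": True},
    {"user_id": "apclerk", "employee": "E101", "groups": {"ap_staff"}, "enabled": True},
    {"user_id": "secadmin", "employee": "E102", "groups": {"administrators"}, "enabled": True},
    {"user_id": "bking", "employee": "E103", "groups": {"sales_staff"}, "enabled": True},
    {"user_id": "glsuper", "employee": "E104",
     "groups": {"gl_staff", "administrators"}, "enabled": True},
    {"user_id": "apclerk", "employee": "E104", "groups": {"ap_staff"}, "enabled": True},
    {"user_id": "rpatel", "employee": "E105", "groups": {"ap_staff"}, "enabled": False},
    {"user_id": "temp01", "employee": "E999", "groups": {"sales_staff"}, "enabled": True},
]

ADMIN_GROUPS = {"administrators"}                         # assumed group name
REPORTING_DEPTS = {"Accounts Payable", "General Ledger"}  # assumed department names


def review_access(accounts, hr, as_of, admin_groups, reporting_depts):
    """Return the exceptions a periodic access review would follow up."""
    findings = {
        "terminated_with_access": [],         # leaver's account still enabled
        "admins_in_financial_reporting": [],  # segregation of duties conflict
        "administrators": [],                 # full list, to judge whether it is limited
        "no_hr_match": [],                    # enabled account with no accountable person
    }
    owners = defaultdict(set)  # user ID -> employee numbers that use it
    for acct in accounts:
        uid = acct["user_id"]
        owners[uid].add(acct["employee"])
        if not acct["enabled"]:
            continue  # disabled pending removal: no access to report
        person = hr.get(acct["employee"])
        if person is None:
            findings["no_hr_match"].append(uid)
            continue
        left = person["terminated"]
        if left is not None and left <= as_of:
            findings["terminated_with_access"].append(uid)
        if acct["groups"] & admin_groups:
            findings["administrators"].append(uid)
            if person["dept"] in reporting_depts:
                findings["admins_in_financial_reporting"].append(uid)
    result = {name: sorted(ids) for name, ids in findings.items()}
    # A user ID mapped to more than one employee defeats individual accountability.
    result["non_unique_ids"] = {
        uid: sorted(emps) for uid, emps in owners.items() if len(emps) > 1
    }
    return result


def sample_review():
    """Run the review over the constructed data as of 31 January 2015."""
    return review_access(ACCOUNTS, HR, date(2015, 1, 31), ADMIN_GROUPS, REPORTING_DEPTS)


if __name__ == "__main__":
    for finding, detail in sample_review().items():
        print(f"{finding}: {detail}")
```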

Manage Remote and Third-Party Access

The controls in the manage remote and third-party access process address the need for
management to use security techniques to protect the integrity of application program and
data files that are used in financial reporting from remote users or outside parties.

Remote access restricted to persons who need it
A user account is an entry point into the system. The more user accounts, the more ways an
unauthorized user could potentially gain system access. Restricting external access to the
system to only those users that need this capability reduces the number of potential entry
points, thereby reducing risk. Virtually all computer operating systems provide
administrators with the ability to make appropriate settings. Good practice would include
using this feature.

Users are identified and authenticated before remote access is granted
Authentication, for example through a user ID and password, establishes accountability,
enforces segregation of duties, and protects data. Virtually all computer operating systems
provide administrators with the ability to make appropriate settings. This practice is
essential.

Hardware devices used for remote authentication
Controlling access with passwords has several limitations. Decreasing costs are facilitating
the replacement of passwords with hardware authentication devices. An example is a
fingerprint reader that authenticates by matching thumbprints. Another example is a digital
hardware token (usually provided as a key chain) that is synchronized with a centralized
server. The token and the server generate a 12-digit password every 20 seconds. To control
costs, some entities implement these devices only for those users that access the system
remotely (for example, through the Internet or by dial-up).

Digital certificates used for remote authentication
Because of the inherent limitations of controlling access with passwords, many entities use a
second level of authentication. For example, to gain access to the system, users not only
have to have a unique ID and validated password, but they also have to be using an authorized
computer. One way to accomplish this objective is to place a file on the user’s computer
called a digital certificate. Upon logon, a centralized server verifies the validity of the
certificate before allowing access to the system. Good practice would include second level
authentication, but there are associated costs. Many entities use this technique for both
internal and external access, as unauthorized access to the system could be gained via the
Internet or with a network connection in a meeting room.

Number of access points limited
An Internet connection or a remote access phone line are examples of access points. Each
access point needs to be controlled and managed. For example, each connection to the Internet
requires appropriate protection with a firewall. Access threats change frequently, and
firewall settings need on-going management. The more access points a network has, the more
ways an unauthorized user could potentially gain system access. Controlling the number of
access points allows the IT group to focus their control activities and thereby reduce the
risk of unauthorized access.

Transmitted information is protected (VPN, https)
Unless control techniques are used, information that is transmitted from the network to the
user via the Internet can be viewed or copied by others.
Using secure transmission mode (https in the Internet browser) is one way to protect
transmitted information. Here, data is encrypted before leaving the network and then
decrypted upon receipt. This technique is not difficult or expensive to implement, but the
encryption does add overhead to the transmission. This performance impact causes most
entities to be selective in the information that is transferred in secure mode.
Using a virtual private network (VPN) is another way to protect transmitted information.
Here, a combination of techniques and protocols is used to create a virtual private tunnel
through the public Internet. Information flows through the tunnel with a very high degree of
protection. VPNs do have associated costs, but their use is emerging as a best practice, as
they provide both increased security and speed over alternatives such as dial-up connections.

Properly configured firewalls are used at all external access points
Digital network connections provide for multiple communication “layers”, “ports”, and
“protocols.” Each piece has a specific purpose, and without them, data communication would
not occur. However, people have figured out ways to use these pieces for other, less
reputable, purposes. The result is that there are dozens of ways that a person could use a
single unprotected Internet connection to gain unauthorized access to the network.
The technology used to protect networks and data from these threats is called a firewall.
Firewalls can take many shapes and forms. They can be single purpose hardware devices,
multipurpose hardware devices, dedicated servers running firewall software, or firewall
software running on individual computers. IT people configure the firewall to allow specified
activity and not allow others.
Internet security is a technical and dynamic subject. Firewall developers have to keep pace
with an increasing number of threats, and therefore, frequently provide their customers with
updates and upgrades. An entity reduces the risk by acquiring and implementing the upgrades.
The frequency of upgrade depends on the nature of the entity’s Internet activity. For
example, an entity where Internet activity is restricted to web browsing needs less frequent
upgrades than an entity that has significant e-commerce activity.

Intrusion detection system used
Intrusion detection software monitors network activity and firewall logs for specific events
and patterns that may indicate unauthorized access. IT people are automatically notified of
suspicious events and this allows for quick follow-up and resolution. No control system is
foolproof and intrusion detection minimizes damage if a security breach occurs.
Good practice would include using an intrusion detection system as its use is much more
effective than a human review of logs. However, there are associated costs, and an entity
must weigh the cost of the control with the reduced risk that it provides. Intrusion
detection is a common practice in entities that have significant e-commerce activity. As
costs decrease, their use will spread.

Periodic intrusion testing
Intrusion testing (also called penetration testing) involves trying to circumvent the
entity’s security controls. Intrusion testing is very technical and the entities that use
this technique usually periodically hire outside consultants.
Intrusion testing typically involves using dozens of software tools to probe and identify
potential weaknesses in firewall and server settings. These tools identify potential
weaknesses and provide ideas for the creative tester to use to gain system access. Testing is
usually done both from outside the network to address Internet threats and inside the network
to address user threats.
Periodically performing intrusion testing provides for an evaluation of the entity’s security
controls. This review could result in changing firewall settings, upgrades, and changes to
the network’s configuration.
Good practice would include periodic intrusion testing, as it does provide a good test of the
operating effectiveness of the security controls. However, there are associated costs, and an
entity must weigh the cost of the testing with the reduced risk that it provides. Intrusion
testing is a common practice in entities that have significant e-commerce activity.

Network zones protect data
Network zones or DMZs are a configuration technique designed to segment and protect the
different information assets of an entity. Zones are usually created by placing servers that
contain specific information assets between two different firewalls.
For example, an entity needs to send email to others via the Internet. To accomplish this
objective, they configure a server specifically for this one function and connect it to two
firewalls. One firewall provides the needed connection to the Internet and protects the
Internet mail server from external threats. The second firewall is placed between the
Internet mail server and the rest of the entity’s network. The Internet mail server resides
in a zone. A breach of the first firewall only exposes the mail messages residing on the
Internet mail server. The unauthorized user has to circumvent a second firewall to gain
access to other information such as the entity’s financial data files.
Network zones are most frequently used to protect data from external threats, but they can be
used to protect data from internal threats as well.
Good practice would include some zones. There are costs involved, but only small entities
would consider the increased costs to be prohibitive.

Anti-virus software protects servers and workstations
Generally, Windows-based technologies (i.e., programs such as Windows Office, operating
systems such as Windows NT and XP) are vulnerable to computer viruses. Clients and servers
using Windows software should be protected by commercially available anti-virus products,
such as those marketed by McAfee and Norton. The administration of anti-virus software should
include periodic updating of virus definitions and related protections made available by
anti-virus product vendors. When used in connection with other control techniques, such as
network filters and firewalls, anti-virus software can be effective in the prevention of data
and software corruption that can impair the integrity of financial reporting.

Monitor Access to IT Systems

The controls in the monitor access to IT systems process address the need for management to
monitor access rights and the activities of users.

User and IT personnel access rights are periodically reviewed and approved by management
Periodic review of employee access rights complements those controls that are designed to
define and authorize employees’ access rights at the time they are hired, terminated, or
change job responsibilities. Periodic management review and confirmation of the
appropriateness of each employee’s access rights also provides opportunities to evaluate the
effectiveness of ongoing controls to keep employees’ access rights in sync with their
employment and job responsibility status.

Unauthorized access attempts are logged, investigated and follow-up actions documented
Employees and third parties may attempt to access information assets for which they are not
authorized. Unsuccessful attempts may represent innocent mistakes (e.g., the user has
forgotten his or her password), or they may represent malicious efforts by unauthorized
personnel. Commercially available tools are used by security administration groups to
identify and report unsuccessful attempts that by their nature or frequency require
follow-up. Tools used to monitor access can be configured to alert security administration
personnel according to business rules that are defined by management (e.g., number of
unsuccessful accesses within a defined period of time, any attempted access to particularly
sensitive information assets). Access attempts and other defined access patterns should be
reported and followed up with their disposition documented.
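
The two business rules named above (a number of unsuccessful accesses within a defined period, and any attempted access to a particularly sensitive asset), applied to log lines as an added example that is not part of the manual or of any commercial monitoring tool. The log format, event names, thresholds and the asset treated as sensitive are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp EVENT key=value ..." format.
SAMPLE_LOG = """\
2015-03-02T08:14:05 LOGON_FAIL user=jjones asset=sales_orders
2015-03-02T08:14:40 LOGON_OK user=jjones asset=sales_orders
2015-03-02T09:01:10 LOGON_FAIL user=asmith asset=general_ledger
2015-03-02T09:01:25 LOGON_FAIL user=asmith asset=general_ledger
2015-03-02T09:01:41 LOGON_FAIL user=asmith asset=general_ledger
2015-03-02T09:30:00 ACCESS_DENIED user=tlee asset=payroll_master
2015-03-02T11:00:00 LOGON_FAIL user=mchen asset=sales_orders
2015-03-02T15:45:00 LOGON_FAIL user=mchen asset=sales_orders
garbled line without fields
"""

WATCHED_EVENTS = {"LOGON_FAIL", "ACCESS_DENIED"}  # assumed event names


def parse_line(line):
    """Return a record dict, or None when the line cannot be interpreted."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "asset" not in fields:
        return None
    return {"when": when, "event": parts[1],
            "user": fields["user"], "asset": fields["asset"]}


def evaluate(lines, max_failures=3, window=timedelta(minutes=15),
             sensitive=frozenset({"payroll_master"})):
    """Apply both rules to lines in chronological order.

    Returns (alerts, skipped): alerts are (rule, user, timestamp) tuples for
    follow-up, skipped counts lines that could not be parsed, since a gap in
    monitoring is itself worth reporting.
    """
    alerts, skipped = [], 0
    recent = defaultdict(deque)  # user -> failed logon times inside the window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["event"] not in WATCHED_EVENTS:
            continue
        stamp = rec["when"].isoformat()
        if rec["event"] == "LOGON_FAIL":
            times = recent[rec["user"]]
            times.append(rec["when"])
            while rec["when"] - times[0] > window:
                times.popleft()  # discard failures older than the window
            if len(times) >= max_failures:
                alerts.append(("FAILED_LOGON_BURST", rec["user"], stamp))
                times.clear()  # one alert per burst, not one per extra failure
        if rec["asset"] in sensitive:
            alerts.append(("SENSITIVE_ASSET", rec["user"], stamp))
    return alerts, skipped


if __name__ == "__main__":
    found, unparsed = evaluate(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("unparsed lines:", unparsed)
```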

Chapter Ten - Evaluating the Design and Operating Effectiveness of Internal Control

Summary

Chapter 9 defined internal control and discussed Horizon’s requirements to understand
and document an entity’s internal control as part of the risk assessment procedures
using Voyager. This Chapter describes how to use that understanding to evaluate the
design and operating effectiveness of internal control.

Introduction
10.01 As discussed in Chapter 9, Horizon requires the audit team to obtain and
document an understanding of an entity’s internal control sufficient to assess the risk of
material misstatement, whether due to error or fraud. This understanding also assists
the audit team in determining the extent they intend to rely on controls for each
reasonably possible risk. This intended internal control reliance and the inherent risk
assessment determine the nature, timing, and extent of substantive procedures
performed in response to a particular risk.

10.02 Control risk is the risk that a material misstatement will not be prevented or
detected on a timely basis by an entity’s internal controls. It is a function of the design
and operating effectiveness of internal control. Assessing control risk is the process of
evaluating the effectiveness of internal control in preventing or detecting material
misstatements. The lower the assessed level of control risk, the greater the assurance
needed from tests of controls and the greater the potential reduction in our substantive
audit procedures.

10.03 Voyager provides the audit team a means of evaluating the design and
operating effectiveness of an entity’s internal control. When evaluating design
effectiveness, the audit team considers any findings identified by Voyager. This
evaluation assists the audit team in determining the extent they can rely on controls to
respond to the identified risks. Voyager then aids the audit team in designing and
performing tests of key controls. Such tests are performed to determine whether internal
control is operating effectively. If the controls are operating effectively, the audit team
has achieved their intended control reliance and can reduce the extent of the substantive
procedures in response to the reasonably possible risks.

10.04 When entity-level and activities-level controls are designed effectively, Horizon
encourages the audit team to test the operating effectiveness of key controls related to
reasonably possible risks. Audit teams may still be able to test controls over some risks
in an assertion even if the controls over any one risk are not designed effectively. This
outcome is possible because the intended control reliance is assessed for each
reasonably possible risk, not at the assertion level.

10.05 While the risk standards stop short of mandating tests of controls, they do
require the audit team to include testing internal controls as part of the audit strategy,
where appropriate. Accordingly, when controls appear to be designed effectively and
the walkthrough provides evidence that controls are implemented, the audit team should
ordinarily test those controls.

10.06 For example, in a small business, deficiencies in controls may preclude
reliance on the operating effectiveness of those controls for any risk associated with the
inventory-completeness assertion. However, the audit team believes internal controls
over the year-end inventory count may be designed effectively and implemented. In this
case, a control testing approach over the risk “Inventory quantities not valid” is effective
and efficient.

10.07 Another example is loans in a financial institution. A bank may implement
extensive controls over its loan origination process at the boundary. These controls are
instrumental in determining that loan transactions are valid and preventing fraudulent
loans from being recorded. In this situation, the audit team’s response would ordinarily
be to test the controls to establish that they operate effectively. Such an approach is
more effective than performing substantive procedures to determine whether loan
transactions are valid.

10.08 The audit team should not test controls when:
• a material weakness at the entity-level affects the operation of controls
  at the activities-level related to a particular risk
• activities-level controls related to a particular risk are not designed
  effectively (i.e., a material weakness exists)
• activities-level controls are unlikely to be operating effectively
• tests of operating effectiveness would be inefficient

10.09 When deciding not to test controls, the audit team should consider whether
sufficient audit evidence to respond to the risk can be obtained from substantive audit
procedures alone. For example, where significant information is transmitted, processed,
maintained, or accessed electronically, it may not be possible to reduce audit risk to an
acceptable level by performing only substantive procedures. In this situation, very large
volumes of transactions may reduce the effectiveness of substantive procedures or the
execution of the substantive procedures may directly depend on the completeness and
accuracy of computer reports.

10.10 Horizon requires the audit team to go beyond obtaining an understanding of
internal control and test certain controls for operating effectiveness where substantive
procedures alone would not be effective. Where such controls are not designed
effectively, the audit team should determine whether there is a scope limitation.

Evaluating Design Effectiveness


10.11 As discussed in Chapter 9, the audit team is required to obtain and document
an understanding of entity-level and activities-level controls. Activities-level controls
must be documented for very important and somewhat important processes associated
with reasonably possible risks. After these controls are understood and documented,
the audit team should evaluate their design effectiveness. Design effectiveness relates
to whether the appropriate controls are implemented to prevent and detect errors or
fraud.

10.12 It is important to evaluate the design effectiveness of both entity-level and
activities-level controls. Entity-level controls typically have a pervasive effect on a
number of account balances or transaction classes, and may therefore affect many
assertions. Conversely, activities-level controls directly affect the assertions relating to a
particular account balance or class of transactions. For example, certain controls over
inventory observation relate directly to the existence assertion for inventory, but to no
other assertions.

10.13 If entity-level controls are not designed effectively, the audit team must
evaluate the underlying deficiency to determine whether it is a material weakness. If it
is, they must then determine whether it directly affects the design or operation of
activities-level controls related to any reasonably possible risk. If so, it is not possible to
obtain assurance from tests of activities-level controls to reduce the substantive
procedures for the affected risks. However, if the audit team determines that the entity-level
deficiency does not directly affect the design or operation of activities-level controls
related to any of the reasonably possible risks, it may be possible to rely on controls for
the reasonably possible risks by testing the operating effectiveness of key activities-level
controls associated with them. It is important for the audit team to document their
judgments in these circumstances. This documentation would ordinarily be included
with the documentation of the evaluation of the severity of the entity-level control
deficiency.

10.14 When entity-level control deficiencies are identified, the audit team should
consider whether such deficiencies could generate misstatements in the financial
statements. If so, substantive audit procedures should be designed to respond to the
risks identified. This action is necessary regardless of whether the audit team
determines that activities-level controls are not affected by the deficiencies.

10.15 For example, the audit team evaluated the accounting systems that initiate,
process, and record revenue transactions and concluded that the controls are designed
effectively. They tested key controls with passing results thereby achieving the intended
control reliance. The audit team also identified deficiencies at the entity-level in the
financial reporting processes, but concluded the deficiencies did not impact the
operation of controls at the activities-level. However, the audit team designed
substantive audit procedures to address the risk of management override in financial
reporting once all of the revenue activity was compiled into the general ledger.

10.16 Voyager assists the audit team to evaluate design effectiveness by identifying
findings. It is the audit team’s responsibility to determine whether the findings identified
are valid and if so, assess their severity (control deficiencies, significant deficiencies or
material weaknesses), individually and in the aggregate.

10.17 The following factors are considered by Voyager in evaluating design
effectiveness:
• missing controls
• incompatible duties (i.e., lack of segregation of duties)
• inappropriate mix of controls (e.g., lack of monitoring controls, too many
  undocumented controls)
• missing security access controls (i.e., restricting access to data and
  programs to appropriate people)

Segregation of Duties

10.18 Segregation of duties is arguably the most important internal control. No one
person should be responsible for the processing of a complete transaction. Segregation
of duties is accomplished by assigning various processes and controls to different
personnel.

10.19 In automated environments, appropriate segregation of duties may exist from
the assignment of duties, but can be nullified if the entity fails to enforce the policies
through appropriate security access controls. The absence of security access controls
could result in unauthorized individuals having access to programs and data.

10.20 Voyager aids the audit team with the identification of potential incompatible
duties. In Voyager, each activities-level process is mapped to a specific duty (initiation,
authorization, recording, reporting, and custody). Each function (e.g., controller, CEO,
payroll staff) is further mapped to one or more of these duties.

10.21 When documenting who performs a process or control in Voyager, the audit
team documents the function or the title of the individual. Voyager then uses the above
mappings and the information input by the audit team to evaluate incompatible duties in
two ways. Voyager adds these items as findings to the Design Effectiveness –
Activities-Level Controls tool as follows:
• roles not compatible with process (for example, if a function/individual
  assigned to an authorization duty performs a process assigned to an
  initiation duty)
• both the process and control are performed by the same role/person
  (for example, if a function/individual performing the process also
  performs a control within the process)
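
The incompatible-duty checks described in 10.20 and 10.21 can be expressed as follows. This is an added example, not Voyager's own logic: the functions, processes and access rights are constructed sample data, and the third check (system access compared with assigned duties, following 10.19) goes beyond the two findings the manual lists.

```python
from dataclasses import dataclass

# The five duties named in paragraph 10.20.
DUTIES = ("initiation", "authorization", "recording", "reporting", "custody")


@dataclass(frozen=True)
class Process:
    name: str
    duty: str             # the single duty the process is mapped to
    performed_by: str     # function/title documented as performing the process
    controls: tuple = ()  # (control name, function performing the control) pairs


def sod_findings(processes, function_duties):
    """Return the two kinds of incompatible-duty finding described in 10.21."""
    findings = []
    for p in processes:
        if p.duty not in DUTIES:
            raise ValueError(f"unknown duty {p.duty!r} for process {p.name!r}")
        # Finding 1: the performer's mapped duties do not include the process's duty.
        if p.duty not in function_duties.get(p.performed_by, set()):
            findings.append(("role not compatible with process", p.name, p.performed_by))
        # Finding 2: the same function performs the process and a control within it.
        for _control, performer in p.controls:
            if performer == p.performed_by:
                findings.append(("process and control performed by same role", p.name, performer))
    return findings


def access_findings(access_rights, processes, function_duties):
    """Paragraph 10.19: flag system access that defeats the assigned segregation.

    access_rights maps a function to the process names the application lets it run
    (a hypothetical export of application permissions).
    """
    duty_of = {p.name: p.duty for p in processes}
    findings = []
    for function, allowed in sorted(access_rights.items()):
        for name in sorted(allowed):
            if duty_of[name] not in function_duties.get(function, set()):
                findings.append(("access exceeds assigned duties", name, function))
    return findings


# Constructed sample data (not from the manual).
FUNCTION_DUTIES = {
    "purchasing clerk": {"initiation"},
    "controller": {"authorization", "reporting"},
    "AP clerk": {"recording"},
    "treasurer": {"custody"},
}
PROCESSES = [
    Process("Create purchase order", "initiation", "controller",
            (("Purchase orders are approved", "controller"),)),
    Process("Record vendor invoice", "recording", "AP clerk",
            (("Invoices are matched to receiving reports", "AP clerk"),
             ("Invoice batch totals are reviewed", "controller"))),
    Process("Release payment", "custody", "treasurer",
            (("Payment run is approved", "controller"),)),
]
ACCESS_RIGHTS = {
    "AP clerk": {"Record vendor invoice", "Release payment"},
    "treasurer": {"Release payment"},
}

if __name__ == "__main__":
    results = sod_findings(PROCESSES, FUNCTION_DUTIES)
    results += access_findings(ACCESS_RIGHTS, PROCESSES, FUNCTION_DUTIES)
    for finding in results:
        print(finding)
```

The AP clerk's duties are segregated on paper, yet the access-rights check still reports a finding because the application lets that function release payments.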

Additional Considerations in Evaluating Findings


10.22 While Voyager will identify findings, the audit team is ultimately responsible for
evaluating such findings and determining whether there are additional deficiencies not
identified by Voyager. The following are additional considerations to assist the audit
team in evaluating and concluding on design effectiveness:
• operating controls that exist without a related monitoring control may be
  indicative of a control environment without appropriate oversight
• missing foundational controls may be indicative of an environment
  where operating and monitoring controls cannot operate effectively
• a lack of preventive controls may indicate too much reliance on
  detective controls to identify errors or fraudulent transactions
• a lack of detective controls may indicate too much reliance on
  preventive controls. While preventive controls are ordinarily preferable
  to detective controls, when detective controls are absent, the audit team
  should evaluate the risk of management override and fraud.
• missing automated controls may lead to an increased risk of human
  error and may result in inefficient operations; where IT general controls
  have weaknesses, the strength of the preventive human controls
  becomes more important

10.23 Missing controls that address specific risks should be evaluated in relation to
the other controls that address the same risk. An overall lack of controls related to a
control objective in one process linked to a reasonably possible risk is indicative of a
deficiency in internal control over financial reporting.

Determining Intended Control Reliance


10.24 The audit team determines the extent to which they intend to rely on controls
for each of the reasonably possible risks. The audit team should make this
determination based on the design effectiveness of entity-level and activities-level
controls. Audit teams should document the intended control reliance in the Assertion-
Level Risk Assessment tool in Voyager.

10.25 While a substantive-only approach is possible, performing tests of controls
often enhances the cost-effectiveness of the audit approach. When there are controls
relating to reasonably possible risks that, if effective, would justify changing the nature,
timing and extent of substantive audit procedures, audit teams should change the
intended control reliance to “Tests of controls will be performed to verify that controls
operate effectively,” designate the controls as “key,” and then perform the tests of the
key controls. Conversely, if material weaknesses that directly affect the reasonably
possible risks are identified, tests of controls should not be performed.

10.26 Automated processing may necessitate testing controls for certain reasonably
possible risks. For example, in an automated environment, the lack of a traditional audit
trail might make a reasonably possible risk difficult or impossible to test substantively
without verifying that effective internal controls exist.

10.27 Consideration should be given to the time of year when the various tests will
be performed. Tests of controls have some flexibility as to when they can be performed
and it is typical to perform them when staff have increased availability.

Extent of Testing to Support the Intended Control Reliance


10.28 Professional standards require tests of controls to support a low control risk
assessment.

10.29 Control deficiencies at the entity level should be carefully evaluated to
determine whether the reasonably possible risks are directly impacted. For example, IT
general control deficiencies should be evaluated to determine whether they impact the
operating effectiveness of automated controls at the activities level.

10.30 When the audit team concludes that control deficiencies at the entity level do
not impact the effective operation of activities-level controls associated with reasonably
possible risks, it is permissible to test and rely on activities-level controls. However,
additional documentation and testing may be required to determine that the control
deficiencies do not impact the operation of the activities-level controls. In the above
example, the audit team would determine whether the IT general control deficiencies
affected the operating effectiveness of the automated control by considering whether
the nature, timing and extent of control tests performed should be modified.

10.31 In addition, as discussed previously, the audit team should also design
substantive audit procedures to respond to the risks posed by the entity-level control
deficiencies.

10.32 Testing entity-level controls is not required to rely on controls for the
reasonably possible risks.

10.33 To rely on controls for a reasonably possible risk, the activities-level controls
related to that risk must be designed effectively, implemented and operating effectively.
Design effectiveness and implementation were discussed in Chapter 9. Operating
effectiveness is established by performing tests of controls.

10.34 Testing the operating effectiveness of activities-level controls involves
selecting key controls and determining the types of tests to be performed. Activities-
level controls are tested in every very important process and testing should be
considered in somewhat important processes. Because tests of activities-level controls
are used to reduce the nature, timing and extent of substantive testing, it is essential
that very important processes are identified correctly and that the extent of testing the
controls properly matches the reliance placed upon the controls.

Identifying Key Controls


10.35 Key controls are those controls that the audit team selects to test for operating
effectiveness. The audit team should use the Key Controls tool in Voyager to select the
key controls at the activities level. The audit team should select key controls in every
very important process and should consider selecting key controls in somewhat
important processes related to each reasonably possible risk.

10.36 Not all controls that are implemented within a process are designated as key
(and therefore tested). In considering which controls are key, the control(s) should:
• address the same risk(s) as the substantive audit procedures whose
  scope will be reduced if the controls are operating effectively. For
  example, many entities have effective control procedures around the
  periodic counting of inventory. These control procedures directly reduce
  the likelihood of errors in the existence of recorded items. Accordingly,
  substantive procedures can be reduced (observation of inventories) by
  testing these controls.
• be designed to prevent or detect material misstatements in specific
  financial statement risks (the controls that accomplish this will vary
  depending on the nature of the business)
• be capable of being tested by examining documentary evidence,
  through inquiry and observation, sampling, reperformance, or the use of
  computer-assisted audit techniques
• contain the appropriate attributes (automated versus manual,
  preventative versus detective, operational versus foundational,
  documented versus undocumented) to provide the most efficient and
  effective test

10.37 Not all controls for a process within a transaction cycle that are implemented
and pertinent to a given objective need to be tested. If there are two or more
overlapping controls, any one of which alone satisfies the control objective, it is
necessary to test only one. Accordingly, the audit team should usually select the control
that is the most cost-effective to test.

10.38 Further, a particular control may relate to several risks within a cycle. This
control procedure would be subject to one series of tests of controls that would provide
evidence as to the operation of that control for all the related risks. The tests of controls
are not repeated for each risk.

10.39 The audit team should document whether a control is key in Voyager by
selecting the “Key Controls” icon in the Key Controls tool. This tool lists all of the
controls for reasonably possible risks.

Security Access Controls


10.40 Audit teams capture entity-level security access controls in the “Information
Technology” section of the entity-level controls within Voyager. These controls should
be evaluated carefully because IT security administration applies not only to entity-level
activities and controls (e.g., network or database access) but also to accessing
information at the activities-level.

10.41 When relevant, audit teams also capture activities-level security access
controls within important and very important processes. For example, the control
“Security access controls restrict access to appropriate people” is commonly
implemented in activities-level processes that capture information.

10.42 In one or more processes, the audit team may judge security access as a key
control. Identifying key security access controls is the same as identifying other key
controls at the activities-level. The audit team selects “Security access controls restrict
access to appropriate people” in the Key Controls tool to identify them as key controls
for testing. When identifying this control as key, audit teams should select Inquiry &
Observation as the nature of the test. Selecting Inquiry & Observation will direct the
audit team to the tests of control approach described below.

10.43 Voyager’s approach to testing key security access controls differs from other
key controls at the activities level. When security access controls are key, audit teams
will find the corresponding tests of controls within the entity-level “Tests of IT General
Controls” audit program. The “Tests of Activities-Level Controls” audit programs will not
contain test procedures for any of the activity-level security access controls.

10.44 To be clear, the audit team should not tailor security access control tests
within the activities-level tests of controls. Adding these tests will result in duplicated
efforts and inefficiencies.

10.45 This approach to testing key security access controls reflects how entities
administer these controls. While security access controls operate at both the entity and
activities level, entities typically do not distinguish between these levels in their security
setup and maintenance processes.

Testing the Operating Effectiveness of Key Controls


10.46 In determining operating effectiveness, the audit team is concerned with many
factors (e.g., how the control was applied, whether the control was performed
throughout the period, whether the right person performed the control, etc.). Voyager aids the
audit team in designing and performing tests of key controls to determine their operating
effectiveness. The tests of controls to be applied are matters of professional judgment.

10.47 The type of test will vary based on the nature of the control, whether the
control is documented or undocumented, and the judgment of the audit team. The
following types of tests are available in Voyager for the audit team to evaluate operating
effectiveness:
• inquiry and observation
• sampling
• reperformance
• computer-assisted auditing techniques (CAAT)
• management – reperform
• management – review only
• service auditor

10.48 The nature of the control (documented or undocumented) is one of the factors
that determines the type of testing that can be applied to the control. For example,
although sampling allows the audit team to test the effective operation of a control over
an extended period of time, it can only be used if a control is documented.

10.49 For a manual, undocumented control, the audit team can only perform inquiry
and observation tests to obtain evidence that the control operated effectively throughout
the period of reliance. An intended control reliance of “Tests of controls will be
performed to verify that controls operate effectively” cannot be achieved by testing only
manual undocumented controls using inquiry and observation.

10.50 Automated controls depend on IT general controls for reliability, consistency,
continuity, accuracy and documentation that they operated effectively throughout the
period. Before testing automated activities-level controls, the audit team should evaluate
the IT general controls to confirm they are implemented and effectively designed. For
example, to rely on a programmed edit control (an operational control), the audit team
should be satisfied that IT general controls were implemented throughout the period.
When IT general controls such as testing software updates are not effective, the edit
control may also be ineffective or may not have operated throughout the period. Also,
ineffective security access controls may mean that data was changed without being
subject to the edit control programmed into the application.

10.51 For manual, documented controls, the audit team can choose the most
appropriate test in the circumstance. Since controls that operate frequently require more
testing, the most effective way to test these controls is to employ sampling. Audit teams
should use the sampling components within Voyager to determine the sample size.
Conversely, controls that operate infrequently require less testing. In these
circumstances the audit team ordinarily employs reperformance. The following table
provides testing guidelines for manual, documented controls. Audit teams should
determine the exact sample size using the calculator within Voyager as the number of
tests may vary:

Control frequency | Type of test to employ | Somewhat important processes | Very important processes
Every transaction | Sampling               | 10                           | 25
Daily             | Sampling               | 10                           | 25
Weekly            | Reperformance          | 3                            | 5
Monthly           | Reperformance          | 2                            | 2
Quarterly         | Reperformance          | 1                            | 2
Annually          | Reperformance          | 1                            | 1

10.52 After the type of test is selected in Voyager, the audit team should review the
testing plan. The tests are located under the Responses to Assessed Risks section of
the Navigation Bar. When the testing method appears in parentheses, this indicates that
there are no control testing procedures for that type of test. This is ordinarily because
this testing method would not be performed for that control. If the audit team believes
that is the appropriate way to test the control, they must manually create the test
procedures. For efficiency purposes, the audit team ordinarily selects another test type
that is available.

10.53 As noted above, key security access controls are not tested at the
activities-level. Rather, these controls are all tested in a general program “Tests of IT
General Controls.”

10.54 In obtaining an understanding of internal control and in evaluating design
effectiveness, the audit team should have made inquiries, observed the performance of
internal control, and performed walkthroughs. Some of these procedures may qualify as
tests of controls, but may not provide sufficient evidence to evaluate operating
effectiveness. Accordingly, prior to tailoring the tests of controls, the audit team should
consider the procedures performed and the additional tests required to evaluate
operating effectiveness.

Inquiry and Observation

10.55 When performing inquiry and observation procedures, the audit team
assesses performance of the control through inquiry of appropriate entity personnel and
through observation of the application of the control. In Voyager, the details of the tests
of controls performed using inquiry and observation often include reperformance. In
doing so, the audit team assesses the correctness of the information subject to the
control by inspecting the pertinent data, documents, reports, or electronic files.

10.56 When performing inquiry and observation, the audit team ordinarily considers:
• what control procedures are normally operated
• has the control been in operation throughout the period
• is the control consistently applied, including confirming with others that
  the control procedure is applied consistently and effectively
• what alternative procedures operate in other circumstances (e.g.,
  holidays and sickness)
• have the control procedures identified any errors
• how and when are the errors corrected
• circumstances that might cause the control to fail, be overridden, or be
  ineffective
• rights and security levels for personnel using automated systems
• whether breaches of the segregation are likely or common

10.57 For manual controls, observation and inquiry procedures are usually carried
out only once during the year, provided there are no conflicting observations (e.g.,
observing that a control is not being performed or that documents subject to the control
are erroneous). In such instances, further observations or inquiries (or other tests of
controls) are necessary in considering the effectiveness of the key control in question.

10.58 By executing the Tests of IT General Controls program in Voyager, the audit
team obtains evidence that automated controls operated throughout the period. This
allows the test of operating effectiveness of automated controls at the activities level to
focus on a point in time. However, care should be taken when major software changes
or upgrades occurred during the year, which may require the automated controls to be
tested before and after the change.

Sampling

10.59 Sampling is a testing method used to test the operating effectiveness of
documented manual controls. Sampling is generally not applicable for testing a control
that is performed monthly or at regular periodic intervals (for example, various
reconciliations) because of the small number of times the control is performed during
the period. Further, sampling will rarely be the appropriate testing methodology when
applying tests to automated controls, due to the inherent consistency of computer
processing.

10.60 When sampling is used, the work performed on each sample item covers both
control performance and the correctness of the information subject to the control.
Control performance is tested by reviewing the documentation, and correctness of the
information is tested by reperforming the control procedure. Voyager assists in
determining the sample size based on the intended control reliance and the planned
timing of substantive procedures (at or near balance sheet date, within 2 months of the
balance sheet date, or more than 2 months prior to the balance sheet date).

10.61 A test of controls sample is a form of attribute testing. The audit team tests the
specific attribute of whether the control was properly applied. The audit team should
carefully define an “error” or “deviation” for such testing purposes, before performing the
test. To be acceptable, the sample should be designed to be representative of the
population being tested and therefore chosen bias-free.

10.62 Chapter 14 discusses the application of the Grant Thornton Sampling Plan to
tests of controls.

Reperformance

10.63 When reperformance is used as a testing method, the audit team executes (or
reperforms) the control to test control performance. In other words, the audit team
selects items that the control was applied to and reperforms the control to determine
whether it was operating effectively. In Voyager, reperformance is a testing method
ordinarily applicable to manual controls that operate on an infrequent basis. For
example, reperformance may be used to test the operating effectiveness of monthly
bank reconciliations. Such tests may have the following aspects:
• ascertaining whether twelve timely reconciliations were performed
• testing or reviewing certain of the reconciling items
• testing at least one reconciliation to determine how the control was
  performed and the correctness of the information subject to the control,
  including appropriate follow-up of amounts in the reconciliation

10.64 Reperformance is also included in inquiry and observation, sampling, and
CAAT procedures.

Computer Assisted Auditing Techniques

10.65 In an automated environment, CAATs can be used to test controls. CAAT
procedures vary, but always involve interrogating electronic data using IDEA. In
Voyager, there are two types of CAAT procedures available to the audit team.

10.66 One such procedure involves using IDEA to extract a population subject to the
control procedure. For example, if the entity implemented a control that the CEO
approves all transactions over $100,000, a population of transactions over $100,000
can be extracted from the electronic file of all transactions using IDEA. The audit team
can then use the extracted population to select items to test the control procedure.
Another example would be a control over employees entered in the payroll application.
Using IDEA, the audit team can extract, from an electronic file of employees at the end
of the period, a population of new hires by identifying those individuals with hire dates
during the period tested. The audit team can then test the control procedure using items
selected from the extraction.

10.67 A second use involves using IDEA to obtain indirect evidence of operating
effectiveness. For example, an edit control can prevent a transaction from being
processed if certain fields are not completed. In this example, an electronic file of all
transactions can be evaluated by IDEA. IDEA can determine whether any required
fields do not contain data. If all required fields contain data, the test provides indirect
evidence and the audit team can infer that the control was operating effectively.
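
The two CAAT uses described in 10.66 and 10.67, worked through as an added example that is not part of the manual and is not IDEA or Voyager functionality. Python's standard library stands in for IDEA here, and the file layouts, field names, records and the seeded selection are constructed assumptions.

```python
import csv
import io
import random
from datetime import date
from decimal import Decimal

# Constructed transaction file (sample data, not from the manual). The approver
# column is what the auditor would inspect for each item selected for testing.
TRANSACTIONS_CSV = """\
txn_id,txn_date,amount,account,approver
T001,2015-01-14,250000.00,1200,CEO
T002,2015-02-03,100000.00,1200,
T003,2015-02-20,100000.01,1310,CEO
T004,2015-03-09,4800.50,,
T005,2015-04-27,975000.00,1200,
T006,2015-05-30,120.00,5400,
"""

# Constructed employee master file as at the end of the period.
EMPLOYEES_CSV = """\
emp_id,name,hire_date
E01,A. Khan,2012-06-01
E02,B. Silva,2015-01-01
E03,C. Osei,2015-12-31
E04,D. Novak,2016-01-04
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def population_over(rows, threshold):
    """10.66: extract the transactions subject to the approval control.

    "Over" is read as strictly greater than the threshold, so a transaction of
    exactly the threshold amount falls outside the population.
    """
    return [r for r in rows if Decimal(r["amount"]) > threshold]


def new_hires(rows, period_start, period_end):
    """10.66: extract employees whose hire date falls within the period tested."""
    return [r for r in rows
            if period_start <= date.fromisoformat(r["hire_date"]) <= period_end]


def select_items(population, n, seed):
    """Pick up to n items at random. The seed is an assumption of this example:
    it lets a reviewer reproduce the same selection."""
    return random.Random(seed).sample(population, min(n, len(population)))


def missing_required(rows, required, id_field):
    """10.67: return (record id, field) for every empty required field.

    An empty result is the indirect evidence that the edit control operated;
    any hit means that inference cannot be drawn without follow-up.
    """
    return [(r[id_field], f) for r in rows for f in required
            if not (r.get(f) or "").strip()]


if __name__ == "__main__":
    txns = load(TRANSACTIONS_CSV)
    large = population_over(txns, Decimal("100000"))
    print("Population over $100,000:", [r["txn_id"] for r in large])
    print("Items selected for testing:",
          [r["txn_id"] for r in select_items(large, 2, seed=2015)])
    hires = new_hires(load(EMPLOYEES_CSV), date(2015, 1, 1), date(2015, 12, 31))
    print("New hires in period:", [r["emp_id"] for r in hires])
    print("Empty required fields:",
          missing_required(txns, ("txn_date", "amount", "account"), "txn_id"))
```

In the constructed data, record T004 has no account code, so the required-field test does not support the inference that the edit control operated for every transaction.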

10.68 The benefits of using CAATs in performing tests of controls will be maximized
if computer audit tools are used to assist in the execution of substantive procedures.
The use of CAATs for individual audit tests, whether tests of controls or substantive
tests, may not be cost effective. However, when several audit tests relating to one or
more audit areas are aggregated, utilization of CAATs is generally quite economical. In
addition, the benefit can also be maximized when CAATs are used from year to year.
For instance, files from the prior audit year can be merged with files from the current
audit year to identify changes or new items. This comparison may assist in narrowing
the population to which substantive procedures would be applied.

Management – Reperform and Management – Review Only

10.69 These test types are only available in integrated audits. This is because in an
integrated audit, management often performs tests of its financial reporting controls to
support their assertion to the public about the effectiveness of internal controls. As
discussed in Chapter 25, the audit team can select these test types when the work of
management, internal auditors and other employees of the entity will be used. The
“Management - Reperform” and “Management - Review Only” options provide the
appropriate test procedures for these circumstances.

10.70 These test types are not available in non-integrated audits. For these audits,
internal control testing by management, if performed at all, is likely done to monitor the
effectiveness of internal control over activities beyond financial reporting and is often
performed by internal auditors. As described in Chapter 18, the audit team may be able
to use the work of internal auditors to change the extent of direct testing performed by
the audit team. In these circumstances, the audit team selects key controls, the test
type to be employed (e.g., sampling), and then evaluates the extent of direct testing to
perform. When internal auditors work under the direct supervision of the audit team, the
procedures in the tests of controls audit program would be performed by the internal
auditors. For example, the audit team identified a key control that operated frequently
and accordingly selected sampling as the appropriate test type. The tests of controls
audit program included procedures to apply to a sample of 25 items. Because the same
procedures were performed by internal auditors on a sample of at least 25 items that
they selected, the audit team reviewed their work and reperformed 3 (or 10%) of the
control tests. In addition, because professional standards require the audit team to
perform some direct testing, the audit team selected an additional 5 items not tested by
internal auditors and directly performed the test procedures (note – the audit team
determined that the work of internal auditors, together with directly testing 5 controls
and reperforming 3 controls, 8 out of 30, provided enough evidence to conclude the control
operated effectively). In another example, management provided some of their internal
audit staff to assist the audit team. Since the internal auditors worked under the direct
supervision of the audit team, the internal auditors performed the test procedures on 25
items selected by the audit team as if they were members of the audit team.

10.71 In an integrated audit, when key controls were tested by internal auditors or
consultants hired by the entity, among others, the audit team may use their work in
some circumstances. Most importantly, individuals performing the work should be
competent and objective. The audit team makes and documents this judgment before
using the work of others. In making this judgment, the audit team considers the
following factors:
• pervasiveness of the control
• degree of judgment involved in evaluating operating effectiveness
• potential for management override
• the materiality of the account or disclosure, risk of material
misstatement, and the level of judgment or estimation required in the
account or disclosure

10.72 By selecting the “Management - Reperform” testing option in Voyager for a
particular key control, the audit program will contain procedures for the audit team to
evaluate the work of others by testing the work. These procedures include evaluating
the test’s design, the results achieved and reperforming a selection of the tests
performed by others (ordinarily two to three items).

10.73 By selecting the “Management – Review Only” testing option in Voyager for a
key control, the audit program will contain procedures for the audit team to evaluate the
work of others, but none of the procedures include reperformance. The audit team will
obtain the work of others and evaluate the test’s design and the results achieved. This
option is best suited as a response for not reasonably possible risks. Audit teams can
perform less testing than for reasonably possible risks because of the reduced risk.

Service Auditors

10.74 Similar to the discussion above, when a key control is tested by a service
auditor, as evidenced by a service auditor report, the audit team may use this work
when appropriate. To execute this strategy, the audit team selects “Service auditor” in
Voyager and procedures will be added to the test of controls program to evaluate the
work of the service auditor.

10.75 More discussion is provided below on using the work of internal auditors and
service auditors.

Timing Considerations

10.76 Because the results of tests of controls affect the nature, timing, and extent of
substantive procedures relating to reasonably possible risks, the tests of controls should
be completed and evaluated before starting substantive testing.

10.77 In many cases, tests of controls provide an opportunity to accelerate audit
work before year-end by reducing substantive procedures performed after year-end and
allowing for a more efficient audit strategy. In determining the nature and extent of tests
to perform, consider:
• the risks identified
• the ways the entity manages those risks
• the nature of the transactions and account items involved (for example,
significant nonroutine transactions, controls over accounts or processes
with a high degree of subjectivity or judgment)
• the options for related substantive tests

If the entity implemented many controls over the risks identified and the possible
substantive procedures allow for performing audit procedures ahead of year-end, a
controls-based audit strategy should be considered.

10.78 In a non-integrated audit, the timing of the related substantive audit
procedures affects the sample size used to test controls. The further from year-end the
audit team performs the related substantive testing, the larger the control testing sample
size. This increased testing applies because the population of controls subjected to the
sampling test would be selected from the period through the interim date. The sample
size penalty does not apply to integrated audits because of the requirement to test
controls through the “as of” date (year-end). Even if internal control changed during the
remaining period, additional control testing is not necessary for a non-integrated audit.

Concluding on Tests of Controls


10.79 After performing tests of controls, the audit team should determine whether or
not the results provide sufficient evidence that the tested controls operate effectively to
achieve the intended control reliance. The audit team documents the assessment in
Voyager. Then, Voyager sets the control risk to the appropriate assessment.

10.80 When a test of a key control fails, the audit team may determine that the
control over the process is ineffective and the intended control reliance cannot be
achieved for the particular risk. Alternatively, the audit team may select and test
“compensating” controls, if applicable (see below).

10.81 The audit team should evaluate all deviations to determine their cause, even
when the overall test results support the intended control reliance. This evaluation
should consider whether the deviation indicates the presence of more significant issues
such as a pervasive control failure, fraud or override of controls. The effect of the
deviation is not mitigated even when it is isolated to a specific type of transaction, a
specific time period, or to a specific employee.

10.82 When sampling procedures are performed, Voyager determines whether the
intended control reliance is achieved based on the sample size examined and the
deviations identified. If the audit team discovers a deviation in applying a procedure
other than sampling (and was unable to identify and test the operating effectiveness of
another control(s) that achieved the same objective), the audit team would not be able
to rely on controls for that particular risk.

10.83 Although the main objective of tests of controls is to search for deviations in
the application of the controls being performed rather than monetary errors, any
monetary errors encountered should be carefully assessed as to their nature, cause and
likely or possible extent.

10.84 The audit team documents whether the intended control risk was achieved in
Voyager. All significant internal control deficiencies identified should be reported to the
appropriate level of management as soon as practical.

Special Topics on Internal Control


Service Organizations

Overview

10.85 A service organization provides services to an entity (“user” or “user
organization”) that are a part of that user’s information system relevant to financial
reporting. Service organizations include, but are not limited to:
• bank trust departments that service assets for employee benefit plans
or others
• mortgage or loan servicing organizations
• technology centers that process transactions and related data
• organizations that develop, provide, and maintain software

10.86 Audit teams obtain an understanding of internal controls at a service
organization when the services provided by a service organization are associated with
reasonably possible risks. In addition, when the controls performed at the service
organization are key controls, the audit team needs to examine evidence that the
controls being relied upon operated effectively. Typically, this evidence is obtained by
examining a service auditor’s report.

10.87 Service organizations may engage auditors (service auditors) to document
and evaluate their internal control to assist the auditors of user organizations (user
auditors) in performing an audit of the financial statements of the user organization.
User auditors use service auditor reports to understand controls operated by the service
organization and, if applicable, as evidence that such controls operated effectively.
When service auditor reports are not available, the user auditor needs to obtain
information through other means (discussed below).

Significance of the Service Organization’s Controls

10.88 In addition to being associated with reasonably possible risks, the significance
of the service organization controls to the audit depends on the materiality of
transactions processed by the service organization and the degree of interaction
between the service organization’s activities and the user entity’s activities.

10.89 Service organizations that process transactions that are both quantitatively
and qualitatively immaterial are not relevant to the audit.

10.90 The degree of interaction between a service organization and a user
organization is typically higher when the user organization initiates transactions and the
service organization does the processing. For example, high interaction is often the
situation when entities outsource their payroll activities. In high interaction situations, the
user organization is more likely to implement internal controls over those transactions
and rely less (or not rely at all) on the controls at the service organization.

10.91 In high interaction situations, the audit team frequently can obtain an
understanding of the internal controls affecting reasonably possible risks by making
inquiries, observations and performing walkthroughs of such transactions at the user
organization. In this situation, the service organization is not significant to the audit and
it is not necessary to obtain and evaluate a service auditor’s report or to visit the service
organization.

10.92 When the audit team determines it is not necessary to understand the controls
at a service organization, the user organization’s controls over financial reporting that
prevent or detect errors that might be introduced at the service organization should be
documented. In addition, the judgments made regarding the user organization’s controls
and the rationale for determining it is unnecessary to gain an understanding of the
service organization’s controls should be documented.

10.93 In other situations, the interaction between the service organization and the
user organization is low. Low interaction typically occurs when the service organization
initiates, executes, and processes the user entity’s transactions. An example is loan
servicing at a financial institution. The service organization collects the payments,
processes the transactions and performs the accounting. A periodic report is provided to
the user organization for recording amounts in the general ledger. In these situations,
the user organization is likely relying on controls at the service organization. When
controls at the service organization prevent or detect errors in financial reporting at the
user organization, the audit team should understand such controls and determine
whether they are implemented and designed effectively.

10.94 When a service organization is significant to the audit and the service
organization engages a service auditor to document and evaluate the design
effectiveness of controls that affect user organizations, the audit team should obtain and
evaluate such reports. If a service auditor report is not available or if the service audit
report is not suitable for the audit team’s purposes, they should gain an understanding
of internal control at the service organization sufficient to plan and perform the audit.
This process is described further in the following sections.

Procedures When a Service Organization is Used

Understanding the Service Organization Activities

10.95 The audit team should understand the activities performed by the service
organization and how the entity interacts with the service organization. This
understanding should be documented and include:
• the activities outsourced to the service organization
• the transaction cycles affected
• the significance of the outsourced activities
• the degree of interaction between the service and user organizations
• the controls affecting the financial reporting, which prevent or detect
potential errors arising from the outsourced activities
• where such controls reside (entity or service organization)

10.96 The audit team’s understanding of the entity’s activities and processes
outsourced to service organizations and the controls it relies upon to prevent or detect
errors arising from outsourcing activities (whether the controls are implemented at the
entity or the service organization) is documented in Voyager.

Determining the Degree of Interaction

10.97 Once the audit team understands the nature of the outsourced activities and
the processes that are performed by the service organization, an understanding of the
controls necessary to plan and perform the audit can begin. When the outsourced
activities cannot introduce a material misstatement of the financial statements, there is
no need to perform further procedures with respect to the service organization.
However, when such activities could introduce material errors, the audit team should
determine the degree of interaction between the entity and the service organization.

10.98 As discussed previously, the degree of interaction usually determines whether
a user organization establishes controls over the outsourced activities. The greater the
interaction, the greater need for controls at the user organization. Conversely, when the
degree of interaction is low, the user organization is more likely to rely on controls at the
service organization and is less likely to establish controls for itself.

10.99 The audit team should be able to evaluate the degree of interaction from the
understanding they obtained about service organization activities. Their understanding
of the degree of interaction helps them determine the controls needed at the user
organization and the service organization.

Controls at the Service Organization

10.100 In low interaction situations, user organizations rely on the service
organization to establish effective controls that prevent or detect errors from affecting
the entity’s financial reporting. In these circumstances, the audit team obtains an
understanding and documents the controls that the service organization implemented in
very important and somewhat important processes.

10.101 To obtain this understanding the audit team has limited choices. Information
may be available in user manuals, system overviews, technical manuals, contracts
between the user and the service organization, and reports from internal audit teams or
regulatory authorities. The audit team can also visit the service organization and inquire
and observe the internal controls that are required to be documented. However, the
preferred approach is for the service organization to engage a service auditor to report
on controls that affect user organizations. The audit team can then use the service
auditor report as a basis to document their understanding in Voyager. If the service
auditor has tested such controls, the audit team can determine whether such tests
support the intended control reliance for the appropriate risks.

Concluding on Control Effectiveness

10.102 Once the audit team understands and documents the controls over the
activities outsourced to a service organization, whether such controls reside at the user
organization or the service organization, they can determine whether such controls are
designed effectively and how they affect the audit.

Evaluating a Service Auditor’s Report

10.103 Service auditors are engaged by a service organization to evaluate the design
effectiveness of the controls at the service organization. Normally, the service auditor’s
engagement also includes testing the operating effectiveness of controls through a
specified period. The following summarizes the two types of reports issued by service
auditors:
• Report on Design Effectiveness, which covers (1) whether controls
were suitably designed to achieve specified control objectives, and (2)
whether the controls were placed in operation as of a specific date. This
type of report is useful in obtaining an understanding of controls but is
not useful as evidence that controls operated effectively through the
period.
• Report on Both Design and Operating Effectiveness, which includes the
content above and also expresses an opinion on whether the controls
operated effectively through the specified period to achieve the control
objective. This type of report is useful in obtaining an understanding
and may provide a basis for reliance on controls at the service
organization. To rely on the controls, the audit team will need to
examine the tests of key controls performed by the service auditor to
determine whether the tests provide sufficient appropriate evidence for
the purpose of the audit.

10.104 The audit team should read the entire service organization report to determine
if there are any identified instances of noncompliance with the service organization's
controls in either: (a) the service auditor's report or (b) within the body of the document
where the results of testing are described. If the service auditor's report identifies
instances of noncompliance with the service organization's controls, the audit team
should consider the effect of the findings on the intended level of control reliance for the
audit. As a result of the instances of noncompliance, the audit team may decide to
perform additional tests at the service organization or, if possible, perform additional
audit procedures at the user organization.

10.105 In certain situations, the audit team may conclude that no additional tests or
audit procedures are required even if the report identifies noncompliance because: (a) the
noncompliance does not relate to a reasonably possible risk, (b) the noncompliance does
not relate to a control that the audit team would consider to be key, (c) the service
auditor or audit team tested other controls and determined that they are operating
effectively, or (d) the deviation rate relative to the extent of testing was acceptable.

10.106 Where instances of noncompliance are identified, the audit team should enter
them in Voyager’s Design Effectiveness tool and evaluate their severity.

10.107 Finally, service organization reports may include a list of controls that should
be implemented at the user organization. The audit team should consider whether such
user controls relate to reasonably possible risks and whether they were implemented by
the user organization. If such controls are necessary to address reasonably possible
risks and are not implemented, the audit team should enter them in Voyager’s Design
Effectiveness tool and evaluate their severity.

10.108 When the service audit report covers a different reporting period than the
entity’s fiscal year, the audit team should make inquiries of the service organization or
its auditors to determine whether there were changes in the service organization's
controls during the period not covered by the report. If the period not covered is
significant, or there have been changes in the controls, the audit team should gain an
understanding of the service organization's controls relating to the period not covered by
the report. The period covered by the service auditor's report should ordinarily be within
six months of the entity’s reporting period to provide a basis for control reliance. When
the audit team determines that it is appropriate to rely on a service auditor’s work that is
outside six months of the entity’s reporting period, their judgments should be
documented.

10.109 When the service organization report does not cover all of the processes
performed for the entity (for example, the report might cover custody processes, but not
initiation or recording processes) or when the report does not cover activities performed
by a sub-service organization, the audit team should obtain an understanding of the
controls related to the very important and somewhat important processes not covered in
the report. The audit team should also obtain a copy of the sub-service organization's
report, if one was issued.

10.110 Where the entity does not obtain and review copies of the service auditor’s
report, the audit team should evaluate the impact of this deficiency on design
effectiveness. Monitoring service auditor reports is an important entity-level control
over managing third party services.

Information on Service Organization Not Available

10.111 When information is inadequate to obtain a sufficient understanding of the
service organization's controls to plan the audit, the audit team should request
assistance from entity personnel to:
• permit access to service organization personnel to determine
appropriate controls are implemented, or
• request a service auditor be engaged to perform such procedures

Potentially, these circumstances can result in a scope limitation.

Using Voyager

10.112 Voyager is pre-populated with transaction cycles, processes, and controls.
When significant financial reporting functions are outsourced, the audit team should
select “Significant financial reporting functions are outsourced to service providers” in
the Organization Structure tool. Voyager will then add the Service Providers tab at the
bottom of the Organization Structure tool. Here, the audit team should document the
significant service providers along with the services that they provide. The services
section includes fields to document the cycle the service is performed in, degree of
interaction, and information about the service auditor report.

10.113 The audit team documents the processes outsourced to the service
organization in the Accounting System tool. In assigning who performs the process, the
applicable service organization should be selected. The controls performed at the
service organization should be captured and the service organization assigned as
performing the controls.

10.114 Processes established by the entity over the data sent to and received from a
service organization (high interaction with the service organization) may need to be
added to a transaction cycle. The “Employee Compensation” transaction cycle already
has these processes available. User controls over such processes should be
documented.

Examples

High Interaction Situation - Payroll

10.115 When certain payroll activities are outsourced, typically, the processing and
record preparation activities are outsourced to a service organization, but the user
organization retains responsibility for maintaining the employee information, capturing
time and disbursing the cash. Because the interaction between the two entities is high,
the user organization should have controls over the processes of sending data to and
receiving processed data from the service organization.

10.116 The audit team should document the user organization’s controls over the
processes mentioned above. In addition, the audit team should determine whether
these controls eliminate the need to document controls in the processes performed by
the service organization. If so, the audit team should indicate that controls will not be
documented for such processes and document how such judgments were determined.

10.117 Frequently, there will be some very important and somewhat important
processes where the audit team will determine that controls need to be understood and
documented. This might be true for a process such as “generate payroll tax returns”
where the user organization relies on the service organization for correct reporting and
has few controls in-house to determine their accuracy and completeness. For such
processes, the audit team should understand and document the controls that are
implemented. This information will be found in service auditor reports or should be
obtained as previously discussed.

Low Interaction Situation - Investments

10.118 A low interaction example is outsourced investment activities. It is common for
service organizations in such circumstances to handle most aspects of these
transactions. They initiate, process, maintain accounting records and retain custody for
investments. Often, monthly or quarterly reports are provided to the user organization
for purposes of adjusting the accounting records.

10.119 The outsourced processes and controls are documented in Voyager. Process
importance is determined and the audit team assigns the “service bureau” function to
who performs the process. In very important and somewhat important processes,
controls are documented. The service auditor report may provide the necessary
information or the audit team may use one of the other alternative sources previously
discussed.

10.120 The user organization typically would have foundational and monitoring
controls over outsourced processes that the audit team should document. The user
organization typically would not have many operating controls over such activities and
therefore it is likely our documentation will focus on controls at the service organization.

10.121 The audit team should use this understanding of the service organization as
part of the overall information used to identify and respond to risks. Responses to
identified risks could include using a low control risk assessment and obtaining
evidence that controls operated effectively by examining a service auditor’s report.
Responses to identified risk would also include substantive procedures. In this example,
low interaction situation – investments, the audit team can consider the following
substantive procedures:
• inspecting documentation at the user organization supporting the
transactions undertaken by the service organization
• inspecting documentation at the service organization if such access is
agreed upon between the user organization and the service
organization
• confirming the balances and/or transactions directly with the service
organization if the user organization maintains records of such
transactions that the audit team can compare with the confirmation
• performing analytical procedures on the reports from the service
organization

Using prior audit evidence about operating effectiveness


Overview

10.122 International Standards on Auditing (ISAs) permit, in certain circumstances, an
auditor to use audit evidence about the operating effectiveness of controls obtained in
previous audits where the auditor performs audit procedures to establish the continuing
relevance of such audit evidence.

Determining whether it is appropriate to use prior audit evidence

10.123 The ISAs do not permit the engagement team to use prior audit evidence
about operating effectiveness for controls over a significant risk. If the engagement
team plans to rely on controls for a significant risk, the engagement team is required to
test those controls in the current period.

10.124 In addition to the requirements of the ISAs, it is not appropriate to use prior
audit evidence about operating effectiveness for manual controls that are not formally
documented.

10.125 The ISAs require the engagement team to consider the following in
determining (a) whether it is appropriate to use audit evidence about the operating
effectiveness of controls obtained in previous audits, and if so, (b) the length of the time
period that may elapse before retesting a specific control:
• The effectiveness of other elements of internal control, including the
control environment, the entity’s monitoring of controls, and the entity’s
risk assessment process;
• The risks arising from the characteristics of the control, including
whether it is manual or automated;
• The effectiveness of information technology general controls (ITGCs);
• The effectiveness of the control and its application by the entity,
including the nature and extent of deviations in the application of the
control noted in previous audits, and whether there have been
personnel changes that significantly affect the application of the control;
• Whether the lack of a change in a particular control poses a risk due to
changing circumstances; and
• The inherent risk of material misstatement and the extent of reliance on
the control.

10.126 The ability to use audit evidence about the operating effectiveness of controls
obtained in previous audits does not apply to controls tested for operating effectiveness
by:
• a predecessor auditor;
• a service auditor (ISA 402, Audit Considerations Relating to an Entity
Using a Service Organization, applies when using a service auditor’s
report as audit evidence that controls at a service organization are
operating effectively); or
• the internal audit function.

Establishing the continued relevance of prior audit evidence


10.127 If the engagement team plans to use audit evidence from a previous audit,
about the operating effectiveness of specific controls, the ISAs require the engagement
team to establish the continuing relevance of that evidence by obtaining audit evidence
about whether significant changes in those controls have occurred subsequent to the
previous audit. The engagement team is required to obtain this evidence by performing
inquiry combined with observation or inspection.

10.128 If there have been changes that affect the continuing relevance of the audit
evidence from the previous audit, the engagement team is required to test the specific
control on which they intend to rely in the current period.

10.129 If there have not been such changes, the ISAs require the engagement team
to test the specific control at least once in every third audit. The engagement team is
also required to test some controls every audit. Testing some controls every audit
avoids the possibility of testing all the controls on which the engagement team intends
to rely in a single audit period with no testing of controls in the subsequent two audit
periods.

10.130 In determining how to test some controls in every audit, the engagement team
may, for example, choose an approach whereby some controls within all cycles are
tested in every audit, or an approach whereby all controls related to an entire cycle are
tested on a rotational basis. The appropriate approach is based on engagement team
judgment taking into consideration any changes in controls.

10.131 As indicated above, a consideration in determining whether it is appropriate to
use audit evidence about the operating effectiveness of controls obtained in previous
audits includes whether the lack of a change in a particular control poses a risk due to
changing circumstances. For example, changes in the volume or nature of transactions
might adversely affect control design or operating effectiveness. Thus, prior to obtaining
audit evidence about whether significant changes in a control have occurred, it is
important for the engagement team to consider whether the specific control continues to
be a key control in the current period.

10.132 Changes may affect the relevance of the audit evidence obtained in previous
audits such that the engagement team may no longer rely on prior audit evidence about
operating effectiveness. Not all changes, however, affect the relevance of prior audit
evidence. For example, changes in a system that enable the entity to receive a new
report probably do not affect the relevance of audit evidence related to a different report
from a prior audit that will continue to be used. On the other hand, a change that causes
data to be accumulated or calculated differently does affect the relevance of prior audit
evidence. Changes in controls may relate to:
• Who performs or by what means the control is performed
• Frequency with which the control is performed
• Precision with which the control is performed
• Information used to perform the control, such as information in reports
• Documentation of the performance of the control

10.133 A walkthrough assists the engagement team with verifying that their prior
understanding of the process flow and related controls is accurate and that controls
continue to be implemented as designed. For automated controls, which are generally
not subject to human error, the nature and extent of the audit evidence also may
depend on the strength of the entity’s program change controls, including the availability
and reliability of reports of the compilation dates of the programs placed in production.

10.134 Both automated and manual controls may be dependent upon the integrity of
related files, tables, data, and parameters (e.g., an automated application for calculating
interest income might be dependent on the continued integrity of a rate table used by
the automated calculation or a user review of exception reports might be dependent on
the accuracy of information in such report). The engagement team is required to
determine whether a control being relied upon for operating effectiveness is dependent
upon other controls, and if so, whether it is necessary to obtain audit evidence
supporting the effective operation of such other controls (in this case, such other
controls are also key controls). This alert also applies to such other controls, and
therefore, changes in these controls are also taken into consideration. For instance, it
may only be necessary to test the other control in the current period if a change only
relates to such other control.

Retesting specific controls


10.135 Once the engagement team determines that it is appropriate to use audit
evidence about the operating effectiveness of controls obtained in previous audits and
establishes the continued relevance of that evidence, the engagement team needs to
determine the length of the time period that may elapse before retesting a specific
control. Determining such time period is a matter of professional judgment.

10.136 The following table provides a list of factors that may lead the engagement
team to retest a specific control more or less frequently. The existence of one or more of
these factors does not always signify that a control needs to be tested more or less
frequently. Considering these factors in determining the appropriateness of using prior
audit evidence about operating effectiveness and the length of the time period that may
elapse before retesting a specific control is a matter of the engagement team’s
professional judgment based on the specific circumstances.

Factor: Nature of the control
Test more frequently:
– Manual control
Test less frequently:
– Automated control

Factor: Automated control
Test more frequently:
– Underlying application is not stable (i.e., there are many changes from period to period)
– Report of the compilation dates of the programs placed in production is not available or is not reliable
Test less frequently:
– Underlying application is stable (i.e., there are few changes from period to period)
– Report of the compilation dates of the programs placed in production is available and reliable

Factor: Manual, documented control
Test more frequently:
– Control performed less frequently
– More complex control involving more subjectivity or judgment
– Less competent personnel performing the control
Test less frequently:
– Control performed more frequently
– Less complex control involving less subjectivity or judgment
– More competent personnel performing the control

Factor: Other elements of internal control
Test more frequently:
– Significant deficiency in entity-level controls affecting the operation of the control, particularly the control environment
– Significant deficiency in ITGCs affecting the operation of the control
– Significant deficiency in other controls upon which the control relies
– Significant deficiency in monitoring of the control or less competent personnel performing such monitoring
Test less frequently:
– No significant deficiency in entity-level controls, particularly the control environment
– No significant deficiency in ITGCs
– No significant deficiency in other controls upon which the control relies
– No significant deficiency in monitoring of the control

Factor: Persuasiveness of audit evidence sought from operating effectiveness
Test more frequently (more persuasive audit evidence):
– Control addresses a higher inherent risk
– Substantive procedures alone are not sufficient
– Control addresses multiple risks
– Control is the only key control
– Misstatements identified in previous audits
– Control deviations or deficiencies noted in previous audits
Test less frequently (less persuasive audit evidence):
– Control addresses a lower inherent risk
– Control addresses a single risk
– Control is not the only key control
– No misstatements identified in previous audits
– No control deviations or deficiencies noted in previous audits

Using prior audit evidence within Voyager

10.137 In Voyager 2015, a new control test type, Prior Period Evidence, was added
as an option to select when testing controls. This test type is selected in the Key
controls tool when the engagement team plans to use audit evidence about the
operating effectiveness of controls obtained in previous audits. When selecting this test
type, specific audit procedures in the Responses to Assessed Risks section will require
the engagement team to (a) establish the continued relevance of prior audit evidence
(including the required inquiry and observation or inspection procedures), and (b)
document their considerations related to the appropriateness of using prior audit
evidence about operating effectiveness.

Documentation

10.138 The ISAs require the engagement team to include in the audit documentation
the conclusions reached about relying on the operating effectiveness of controls
obtained in previous audits. Such documentation may include:
• The factors considered related to the appropriateness of using prior
audit evidence about operating effectiveness and the length of the time
period that may elapse before retesting a specific control.
• The procedures performed to establish the continued relevance of prior
audit evidence.
• The conclusions reached about whether significant changes in the
controls have occurred subsequent to the previous audit.
• In addition to the audit documentation requirements of the ISAs, the
engagement team copies documentation related to the tests of
operating effectiveness performed in a previous audit and includes it in
the current audit.

10.139 Engagement teams should also track when the controls were last tested, so
that the controls are tested at least once in every third audit, and track the controls
that are to be tested in every audit.
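One way to keep the tracking described in 10.128 to 10.139, shown as an added example that is not part of the manual or of Voyager. The field names, the sample controls and the reading of "once in every third audit" as "at most two audits on prior evidence" (taken from 10.129) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumption drawn from 10.129: after a test, at most two subsequent audits
# may rely on that evidence before the control has to be tested again.
MAX_AUDITS_ON_PRIOR_EVIDENCE = 2


@dataclass(frozen=True)
class Control:
    control_id: str                  # hypothetical identifier
    cycle: str
    last_tested: Optional[int]       # audit year of the last test; None = never tested
    changed: bool = False            # change affecting prior evidence (10.128, 10.132)
    still_key: bool = True           # still a key control this period (10.131)
    test_every_audit: bool = False   # designated for testing in every audit (10.139)


def plan_control_tests(controls, current_audit):
    """Split relied-on controls into those to test now and those that may use
    prior period evidence, and check that something is tested this audit."""
    must_test, prior_evidence = {}, []
    for c in controls:
        if not c.still_key:
            continue  # no longer relied upon, so nothing to schedule
        if c.last_tested is not None and c.last_tested >= current_audit:
            raise ValueError(f"{c.control_id}: last_tested is not before {current_audit}")
        reasons = []
        if c.last_tested is None:
            reasons.append("never tested")
        elif current_audit - c.last_tested > MAX_AUDITS_ON_PRIOR_EVIDENCE:
            reasons.append("due under the every-third-audit rule")
        if c.changed:
            reasons.append("changed since the previous audit")
        if c.test_every_audit:
            reasons.append("designated for testing every audit")
        if reasons:
            must_test[c.control_id] = reasons
        else:
            prior_evidence.append(c.control_id)
    return {
        "must_test": must_test,
        "prior_period_evidence": prior_evidence,
        # 10.129: some controls are tested in every audit.
        "every_audit_rule_met": bool(must_test) or not prior_evidence,
    }


def audits_without_any_test(controls, first_audit, last_audit):
    """Project the plan forward, assuming no changes, and return the audits in
    which nothing would be tested (the clustering problem noted in 10.129)."""
    state, gaps = list(controls), []
    for year in range(first_audit, last_audit + 1):
        plan = plan_control_tests(state, year)
        if not plan["every_audit_rule_met"]:
            gaps.append(year)
        state = [replace(c, last_tested=year) if c.control_id in plan["must_test"] else c
                 for c in state]
    return gaps


# Constructed sample data, not taken from any engagement.
SAMPLE_CONTROLS = [
    Control("AR-01", "revenue", 2015),
    Control("AR-02", "revenue", 2013),
    Control("PAY-01", "payroll", 2014, changed=True),
    Control("ITGC-01", "it-general", 2015, test_every_audit=True),
    Control("TRE-01", "treasury", None),
    Control("INV-01", "inventory", 2012, still_key=False),
]
ALL_TESTED_TOGETHER = [
    Control("AR-01", "revenue", 2015),
    Control("PAY-01", "payroll", 2015),
    Control("TRE-01", "treasury", 2015),
]

if __name__ == "__main__":
    plan = plan_control_tests(SAMPLE_CONTROLS, 2016)
    for cid, why in plan["must_test"].items():
        print(f"test {cid}: {', '.join(why)}")
    print("prior period evidence:", plan["prior_period_evidence"])
    print("audits with no testing:", audits_without_any_test(ALL_TESTED_TOGETHER, 2016, 2018))
```

The second sample set shows why the manual asks for some controls to be tested every audit: when every control was last tested in the same year, the projection flags the two following audits as having no tests of controls at all.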

Performing extended tests of controls

Overview

10.140 Engagement teams may decide to test controls more extensively (i.e.,
increase the test of controls sample size) to further reduce the sample size used to
perform tests of details. This is consistent with the audit risk model, whereby more
control reliance can be placed on the operating effectiveness of controls, achieving a
lower risk level in designing the sample for tests of details. Entities in which this
approach may be effective and efficient may include those that are capital intensive
(e.g., deposit taking or lending institutions).

10.141 This new control reliance option is called “extended tests of controls” and is
selected from the Assertion Level Risk Assessment tool in Voyager 2015. When
performing extended tests of controls, the engagement team identifies controls that are
to be tested (i.e., key controls) and those controls are tested more extensively.
Extended tests of controls do not require the engagement team to select additional
controls to test.

10.142 The following table provides an example of the sample sizes for tests of
controls; engagement teams determine the exact sample sizes using the sample size
calculator in Voyager.

Example of sample size for manual, documented controls operating more than daily when no deviation expected:
Extended tests of controls: 45
Tests of controls: 25

10.143 Performing extended tests of controls is optional and determining what is the
most effective and efficient response to an identified and assessed risk is a matter of
professional judgment. The following table provides an example of the impact on tests
of details when performing extended tests of controls; engagement teams determine the
exact sample sizes using the sample size calculator in Voyager (for a listed entity,
inherent risk is high, no other evidence obtained, and expected error is 10% of tolerable
error).

Examples of sample size for tests of details

                                       Extended tests of      Tests of
                                       controls performed     controls performed
Population is 50x tolerable error      39                     63
Population is 100x tolerable error     77                     126
Population is 500x tolerable error     384                    626
Population is 1000x tolerable error    768                    1,252

Evaluating Control Deficiencies


10.144 It is not necessary to have identified an audit adjustment to conclude that a
control deficiency exists. The definition of a control deficiency is based on whether there
is a reasonable possibility that the company’s controls will fail to prevent or detect a
misstatement of an account balance or disclosure in the normal course of business. In
evaluating control deficiencies the audit team focuses on what could happen and not
what has happened. A deficiency in internal control exists when a control is missing or
an existing control is unable to prevent or detect and correct a misstatement on a timely
basis.

10.145 The audit team should determine whether risk factors affect whether there is a
reasonable possibility that a control deficiency or a combination of control deficiencies
could cause a misstatement. The risk factors include:
• the nature of the financial statement accounts, disclosures and
assertions involved
• the susceptibility of the related asset or liability to loss or fraud
• the subjectivity, complexity, or extent of judgment required to determine
the amount involved
• the interaction of the deficiencies
• the possible future consequences of the deficiency
• past experience

10.146 Control deficiencies, or a combination of deficiencies, that could fail to prevent
or detect a material misstatement of the financial statements should always be
considered material weaknesses. For other control deficiencies, judgment is required to
determine whether they should be categorized as significant deficiencies. Significant
deficiencies are less severe than a material weakness, but important enough to merit
attention of those charged with governance. The audit team should document findings
less severe than significant deficiencies as deficiencies. These findings do not warrant
discussion with those charged with governance, but the control deficiencies apply to the
entity. The audit team should only use the invalid assessment if the finding does not
apply. Audit teams should exercise caution when assessing findings as invalid because
they often apply to the entity.

10.147 To assist audit teams in exercising this judgment, the firm has developed three
charts. The three charts cover the following situations:
• Activities-level control deficiencies
• IT general control deficiencies
• Entity-level control deficiencies

10.148 All deficiencies need to be evaluated individually and in the aggregate.

10.149 Evaluating the aggregate effect of activities-level deficiencies involves
considering the deficiencies’ effect on the risk. The existence of multiple control
deficiencies related to the same risk increases the likelihood of misstatement occurring.

10.150 Evaluating the aggregate effect of entity-level deficiencies involves considering
the deficiencies’ effect on the COSO component. Aggregating by COSO component is
judgmental. However, due to the integrated nature of the COSO framework, control
deficiencies in other COSO components (for example, control activities) may indicate
that a significant deficiency or material weakness exists in the control environment or
monitoring components. Likewise, deficiencies in other components may also indicate a
significant deficiency or material weakness in the risk assessment component.

Evaluating Activities-Level Control Deficiencies


10.151 Voyager assists the audit team in assessing and documenting control findings
at the activity level. The tool is included in the Design Effectiveness Activities-Level
Controls tool. The tool uses this underlying chart for evaluating activities-level control deficiencies:

Is the potential magnitude less than material to annual or interim financial statements?
– Yes: go to the "merits attention" question below.
– No: continue to the next question.

Are there complementary or redundant controls that were tested and evaluated that achieve the same control objective?
– Yes: go to the "merits attention" question below.
– No: continue to the next question.

Are there compensating controls that were tested and evaluated that reduce the magnitude of a misstatement of annual or interim financial statements to less than material?
– Yes: go to the "merits attention" question below.
– No: continue to the next question.

Does the evaluation of risk factors result in a judgment that there is not a reasonable possibility that controls will fail to prevent or detect a material misstatement of annual or interim financial statements?
– Yes: go to the "prudent official" question below.
– No: Material Weakness.

Merits attention: Is the matter important enough to merit attention by those responsible for oversight of financial reporting?
– Yes: go to the "prudent official" question below.
– No: Deficiency.

Prudent official: Would a prudent official conclude that the deficiency is a material weakness considering both annual and interim financial statements?
– Yes: Material Weakness.
– No: Significant Deficiency.

10.152 An unmitigated deficient control that results in a control objective not being
met related to a significant account or disclosure generally results in at least a
significant deficiency.

10.153 When considering whether the magnitude of the misstatement could be
material, the audit team considers “gross exposure” – the worst case estimate of the
magnitude of the misstatement (e.g., financial statement amount or value of
transactions) exposed to the deficiency in the current and future periods.

10.154 In addition to the above factors, the audit team should consider the following
qualitative matters when evaluating whether a control deficiency is a significant
deficiency or a material weakness:
• The nature, timing, and extent of tests required to reduce risk. The
severity of an identified control deficiency is usually reflected in the
amount of testing deemed necessary by the audit team to reduce risk.
• The overall control environment. The overall control environment and
management attitude regarding internal control is an important factor. A
deficiency in a specified area would be considered much more
significant when the control environment is weak (for example,
incompetent personnel, general understaffing, high employee turnover,
liquidity problems, lack of written policies and procedures, lack of top
management concern about controls, etc.) than when the environment
is strong and well-controlled due to established policies, documented
procedures, competent personnel, adequate training, proper
supervision and prompt follow-up.
• Nature of the identified control deficiencies. Control deficiencies may be
categorized as relating to either a preventive type control or detective
type control. Sometimes, preventive type control deficiencies may be
offset by properly designed and operating detective controls. For
example, if a company with deficient internal controls over
tracking inventory quantities always takes a physical inventory at the
end of each quarter (i.e., each reporting period), this preventive control
deficiency is mitigated by the detective control. However, detective
controls are seldom as effective as preventive controls. In a well-
controlled company, there are usually effective, system-based controls
in place to control misstatements at or near the start of information
flows. If a company does not implement the right controls at the start of
the flow, it may be difficult to find and fix misstatements later.
Accordingly, deficiencies in system-based preventive type controls
often represent significant deficiencies or material weaknesses in
situations where detective controls would not timely detect
misstatements.
• Changes in company practices and procedures. The extent of recent
changes, if any, in the entity’s accounting procedures or business
practices is yet another factor to consider. For example, significant
changes in operations, personnel, procedures or accounting systems
not only increase the potential for material misstatements in the
processing of transactions, but also reduce the chances for detection
when controls are generally weak. Conversely, even in a situation in
which some control deficiencies are present, if there have been no
changes in processing routines or business practices, the probability
that material misstatements could occur and go undetected may not be
as great as in the former situation.

10.155 When determining whether other controls, if effective, can limit the
severity of deficiencies, the audit team considers:
• complementary controls – function together as a group to achieve the
same objective (controls within the same process that operate together,
but are often less precise); to be effective, they should not allow the
same error
• redundant controls – achieve the same objective as other controls (they
prevent or detect the same errors as other controls within the same
process)
• compensating controls – operate at a level of precision to prevent or
detect a misstatement that is more than inconsequential or material, as
applicable (these should be operational or activities level monitoring
controls, ordinarily within the same process, that operate at the same
level of precision)

10.156 These controls do not reduce the gross exposure; however, they mitigate and
limit the severity of the deficiency. In addition, they do not eliminate the deficiency in its
entirety.

10.157 The audit team’s assessments, including all conclusions and judgments in
applying the control deficiency evaluation framework, should be documented in
Voyager. The Design Effectiveness Activities-Level Controls tool guides the audit team
through the process. The Voyager documentation should include the following:
• analysis of exposure and how it supports categorizing an error as a
significant deficiency or deficiency
• how qualitative factors limit an otherwise material weakness to a
significant deficiency
• prudent official considerations
• consultations on material weaknesses
• how compensating controls limit a deficiency from being either a
significant deficiency or a material weakness, including clearly
identifying the specific controls
• how complementary or redundant controls limit a deficiency from being
either a significant deficiency or a material weakness, including clearly
identifying the specific controls

Evaluating IT General Control Deficiencies

10.158 The chart for evaluating IT general control deficiencies is as follows:


Box 1. Are there complementary or redundant ITGCs that were tested and evaluated that achieve the same control objective?
– Yes: go to Box 4.
– No: go to Box 2.

Box 2. Are there control deficiencies at the application level evaluated in Chart 2 that are related to or caused by the ITGC deficiency?
– Yes: go to Box 3.
– No: go to Box 4.

Box 3. Are the control deficiencies at the application level related to or caused by the ITGC deficiency classified as a material weakness?
– Yes: Material Weakness.
– No: go to Box 4.

Box 4. Is the matter important enough to merit attention by those responsible for oversight of financial reporting?
– Yes: go to Box 5.
– No: Deficiency.

Box 5. Would a prudent official conclude that the deficiency is a material weakness considering both annual and interim financial statements?
– Yes: Material Weakness.
– No: Significant Deficiency.

10.159 IT general controls include security administration, program maintenance,
program execution and new system implementation. These four domains are evaluated
within Voyager under “Information Technology” in the Design Effectiveness Entity-Level
Controls tool.

10.160 IT general control deficiencies do not directly result in misstatements.
However, misstatements may result from ineffective application controls. Accordingly, if
there are no application control deficiencies, then an IT general control deficiency alone
will not ordinarily result in a material weakness. IT general control deficiencies are
categorized the same as the application deficiencies to which they relate.

10.161 To limit an IT general control finding to a deficiency, one of the following
conditions should be met:
• there are complementary or redundant IT general controls that were
tested and evaluated that achieve the same control objective (extremely
rare)
• there were no significant deficiencies or material weaknesses at the
application level evaluated using the activities-level control deficiencies
chart that are related to or caused by IT general control deficiencies
• the control deficiencies at the application level related to or caused by
IT general control deficiencies are only classified as a deficiency
• the audit team does not believe the deficiency merits the attention of
those charged with governance

10.162 In addition to the conditions above, the audit team should consider additional
factors (e.g., nature and significance, pervasiveness, complexity of the systems,
proximity of control to applications, susceptibility to fraud, cause and frequency of
known exceptions, increased risk evidenced by history of misstatements, etc.) to
determine whether the finding can be limited to a deficiency.

10.163 It is not necessary to contemplate the likelihood that an effective application
control could, in a subsequent period, become ineffective because of the deficient IT
general control. This applies only to the evaluation of IT general control deficiencies.

10.164 All other deficiencies are classified as either significant deficiencies or material
weaknesses, depending on the classification of the control deficiencies at the
application level related to or caused by IT general control deficiencies. The audit team
should also consider whether a prudent official would conclude that deficiencies
evaluated by the audit team as significant deficiencies are instead material weaknesses.

Evaluating Entity-Level (Other than IT General Controls) Deficiencies

10.165 The chart for evaluating entity-level control deficiencies is as follows:


Box 1. Is the deficiency an indication of a material weakness?
– Yes: target not legible in the source chart (see 10.166 and 10.170 on indicators of a material weakness).
– No: go to Box 2.

Box 2. Are there complementary or redundant programs or controls or compensating controls that were tested and evaluated that result in a judgment that the deficient control will not fail to prevent or detect a material misstatement of annual or interim financial statements?
– Yes: go to Box 4.
– No: go to Box 3.

Box 3. Does the evaluation of risk factors result in a judgment that there is not a reasonable possibility that controls will fail to prevent or detect a material misstatement of annual or interim financial statements?
– Yes: go to Box 4.
– No: Material Weakness.

Box 4. Is the matter important enough to merit attention by those responsible for oversight of financial reporting?
– Yes: go to Box 5.
– No: Deficiency.

Box 5. Would a prudent official conclude that the deficiency is a material weakness considering both annual and interim financial statements?
– Yes: Material Weakness.
– No: Significant Deficiency.

10.166 When evaluating entity-level control deficiencies, the audit team determines
whether the identified deficiencies are indicators of a material weakness. While such
indicators are a matter of judgment, if those responsible for the entity’s governance do
not exercise oversight over financial reporting, this is a strong indicator of a material
weakness (see below for further discussion).

10.167 If the deficiency is not related to the oversight by those charged with
governance, it can be limited to a deficiency when:
• complementary or redundant programs or controls or compensating
controls (within the same component or another component) that were
tested and evaluated resulted in a judgment that the deficient control is
limited to a deficiency, or
• considering risk factors (see discussion of risk factors above), the
likelihood that the control deficiency would contribute to a misstatement
of annual or interim financial statements is remote (not reasonably
possible).

10.168 To be limited to a deficiency, the audit team would also need to determine whether
the finding merits the attention of those charged with governance. If so, then the
deficiency is at least a significant deficiency. The audit team then determines whether a
prudent official would believe that it is a material weakness.

10.169 If there are multiple deficiencies within an internal control component, the audit
team should determine if they aggregate to a significant deficiency or material
weakness.

Indicators of a Material Weakness

10.170 Each of the following should be regarded as at least a significant deficiency.
They are also a strong indicator of a material weakness in internal control over financial
reporting:
• identification of fraud, whether material or not, on the part of senior
management
• restatement of previously issued financial statements to reflect the
correction of a material misstatement
• identification by the audit team of a material misstatement in the
financial statements that the audit team concludes would not have been
detected by the entity’s internal control structure
• ineffective oversight by the entity’s audit committee or others charged
with governance over the entity’s financial reporting and internal control
over financial reporting

10.171 In addition, audit teams need to carefully consider whether the discovery of a
non-trivial misstatement is a significant deficiency or a material weakness. In making
this judgment, the audit team not only considers the nature and extent of the discovered
misstatement but also considers what could go wrong as the result of the underlying
deficiency. For example, was the amount of the discovered misstatement less than a
material amount because of other controls or compensating controls that mitigated the
underlying deficiency? Or could the misstatement have exceeded materiality if the
transaction or transactions exposed to the deficiency were larger? The former situation
would be evaluated as a significant deficiency because the other or
compensating controls were designed effectively and implemented to limit the severity.
The latter situation would be evaluated as a material weakness because the potential
exposure to the deficiency is material and controls would not have prevented or
detected a material misstatement.

Relationship to the Foreign Corrupt Practices Act


10.172 [Include the paragraphs in this section if your firm audits US SEC registrants.
Tailor the consultation process to reflect your policies.] The Foreign Corrupt Practices
Act of 1977 (FCPA) requires public companies to:
• make and keep books, records, and accounts in reasonable detail that
accurately and fairly reflect the transactions of the issuer
• devise and maintain a system of internal control sufficient to provide
reasonable assurance that:
  – transactions are executed in accordance with management’s general
  or specific authorization
  – transactions are recorded as necessary to permit preparation of
  financial statements in conformity with GAAP or any other criteria
  applicable to such statements and to maintain accountability for assets
  – access to assets is permitted only in accordance with management’s
  general or specific authorization
  – the recorded accountability for assets is compared with the existing
  assets at reasonable intervals and appropriate action is taken with
  respect to any differences.

10.173 U.S. companies or individuals that knowingly circumvent or fail to implement a
system of internal control, or falsify books, records or accounts, violate the FCPA and
are subject to criminal action and SEC injunction.

10.174 When management fails to appropriately address a material weakness,
including failure or unwillingness to correct a previously identified material weakness in
a timely manner, it may be indicative of a violation of the FCPA. As such, in consultation
with the NPPD and RRLA, the audit team should consider whether it has a reporting
responsibility to management and others under The Private Securities Litigation Reform
Act of 1995 (codified as Section 10A of the Securities Exchange Act). See Chapter 26.

10.175 Section 10A requires, among other things, that the audit team report certain
uncorrected likely illegal acts of an SEC registrant to the registrant’s board of directors
and, in some circumstances, directly to the SEC. A determination of whether an illegal
act has occurred is a legal matter and management’s responsibility (see Chapter 26).
Accordingly, the audit team may advise the company to consult with their legal counsel
as to whether the matter is in fact a violation of the FCPA and to communicate with the
audit team in writing any remedial steps the company and the Board are taking, or
propose to take, concerning these matters. The NPPD and RRLA will provide guidance
as appropriate in each situation. Therefore, it is essential that such consultation occur
immediately.

Chapter Eleven - Analytical Procedures

Summary

This Chapter discusses when and how analytical procedures should be used during the
audit.

Introduction
11.01 “Analytical procedures” is the term applied to a variety of techniques used by the
audit team to study plausible relationships, financial and non-financial, between
both internal and external data. Analytical procedures can be used to help
identify possible material misstatements by indicating whether account balances
and relationships appear reasonable in relation to expectations developed from
past results, expected results, or other trends.

11.02 Examples of analytical procedures include a:
– comparison of the changes in a given account balance, item, or element
over prior accounting periods with expectations for the current period
– comparison of financial information with anticipated results (for example,
budgets and other prospective information)
– study of the relationship between account balances over time or among
entities in a given industry
– comparison of simple computations or a series of computations, which
develop an estimate for a given account balance, item, or element
(reasonableness tests)
– study of the relationship of financial information with non-financial
information

11.03 The basic premise underlying the application of analytical procedures is that
relationships between data may reasonably be expected to exist and to continue
in the absence of known conditions to the contrary. Particular conditions that can
cause variations in these relationships include unusual transactions or events,
accounting changes, business changes, random fluctuations or misstatements.

11.04 Analytical procedures are used to:
– obtain an understanding of the entity and its environment
– assess risks to determine the nature, timing and extent of audit
procedures
– assist in the identification of material fraud
– evaluate risk that the entity may not be able to continue as a going
concern
– effectively and efficiently respond to risks
– corroborate conclusions formed
– assist in arriving at the overall conclusion as to the reasonableness of the
financial statements

Uses of Analytical Procedures

11.05 The type of analytical procedure used and the response to the results of those
procedures will vary depending on the purpose for which they are performed.
Analytical procedures are used as the following types of procedures:
– risk assessment
– substantive
– concluding

Risk Assessment Procedures

11.06 Analytical procedures are required by professional standards to be completed as
part of the risk assessment process. As risk assessment procedures, analytical
procedures assist in:
– understanding the client’s business
– understanding the client’s present financial position
– identifying risks
– identifying unusual transactions and amounts, including those related to
fraud
– developing expectations for period-end values and ratios
These procedures assist the audit team in assessing risks of material
misstatement to determine the nature, timing and extent of further audit
procedures necessary.

11.07 To accomplish this objective, various analytical techniques are used to examine
financial liquidity and the entity’s ability to continue as a going concern as well as
to identify specific risks, accounts, transaction cycles, subsidiaries, divisions, or
locations requiring audit attention because of unusual relationships (those
outside the audit team’s expectations).

11.08 During the risk assessment phase, analytical procedures are usually focused on
account balances aggregated at the financial statement level and relationships
between account balances. Accordingly, trend and ratio analysis are the most
common analytical methods used. Although corroboration of management’s
explanations of fluctuations is not ordinarily required, significant fluctuations or
anomalies should be documented, along with the audit team’s planned response
(how items identified will be addressed by further audit procedures).

11.09 In performing analytical procedures as part of assessing risks, the audit team
considers:
– significant events that occurred during the year that could affect gross
profit (e.g., changes in pricing, costs, volumes, etc.). For service
businesses, consider direct costs as a percentage of sales.
– the relationship of significant financial statement items (e.g., payroll,
selling expense, etc.) with respect to sales/production that changed during
the period
– changes in credit practices or customer profiles during the year. Consider
the effect credit granting and collection experiences may have on
expected aging and turnover of accounts receivable.
– changes in the expected monetary value of inventory and inventory
turnover. Consider whether these trends indicate an increased risk of
inventory obsolescence.
– difficulty experienced by the entity in meeting its short-term and long-term
obligations as payments become due and satisfying loan covenant
requirements
– whether unusual relationships exist in revenue accounts that may indicate
fraudulent financial reporting
– how financial statements are expected to change because of significant
events or other matters, including:
– economic, legislative or industry changes
– major expansion or closure of plants, divisions, etc.
– changes in product lines
– significant financing
– loss of a major supplier or customer

11.10 In addition, these considerations should be reflected in the inherent risk indicator
applicability assessments and when assessing inherent risk at the assertion
level. Professional standards require documentation of the assessed risks as a
result of these risk assessment procedures and how the audit team responds to
those risks in performing the audit (e.g., procedures in the audit program).

11.11 When comprehensive financial data is not available, the audit team should
perform whatever planning analytical procedures are useful. For example, review
of the gross profit margin, days sales in accounts receivable, current ratio,
inventory turnover, and the acid test ratio will aid in our understanding of the
entity necessary to assess risks and direct audit attention to those areas of risk.

Substantive Procedures

11.12 As substantive procedures, analytical procedures provide evidence about one or
more assertions related to account balances or classes of transactions. At this
stage, analytical procedures provide all or a portion of the evidence required to
respond to a risk. Voyager suggests different types of analytical procedures
depending on the achieved control reliance and the assessed inherent risk.

11.13 Substantive analytical procedures may be appropriate when:
– the balance involves a large volume of transactions that are predictable
over time. In this case, there is evidence to support the completeness,
accuracy, and occurrence of transactions.
– additional evidence is necessary to support evidence obtained from
performing tests of details
– they provide support relating to several different assertions
– potential misstatements may not be apparent from detailed tests (e.g.,
completeness of sales)
– the risk of misstatement is such that analytical procedures alone provide
sufficient evidence that a material misstatement is not likely
– reliable data is available to perform relevant analytical procedures,
including disaggregated information
– the amount can be reasonably predicted

11.14 In contrast to the use of analytical procedures as risk assessment procedures,
those applied as substantive procedures involve more extensive data gathering,
analysis, and evaluation. These tests tend to be more well-defined and structured
and the judgments involved are more objective than the analytical procedures
performed during risk assessment.

11.15 When an analytical procedure is used as the principal substantive test for a risk,
the audit team should document the following:
– the expectation and the factors considered in its development
– results of the comparison between the expectation and the entity’s
recorded amount
– any additional auditing procedures performed in response to significant
unexpected differences and the results of those procedures
– any corroborating evidence obtained to support any large or unusual
variances between expectations

11.16 As part of the auditor’s responsibility to detect material fraud, substantive
analytical procedures should be performed to identify material fraud related to
revenue recognition. An example of such an analytical procedure is a
comparison of sales volume, as determined from recorded revenue amounts,
with production capacity. An excess of sales volume over production capacity
may be indicative of recording fictitious sales. Another example is trend analysis
of revenues by month and sales returns by month which may indicate
undisclosed side agreements with customers to return goods. The procedures
may be performed at an interim date and updated through the end of the
reporting period.

Concluding Procedures
11.17 Analytical procedures are required at the concluding stage of the audit. The
procedures used are often similar to the ones used as risk assessment
procedures, but at this stage their objective is to assess whether (1) there are
significant fluctuations or unusual items in the audited financial statements that
were not sufficiently explained and (2) the financial statements and disclosures
are consistent with the results of the audit procedures performed and the audit
team’s understanding of the entity and its environment. For example, changes in
cash, receivables, inventory and payables might have appeared reasonable
when audited individually, but in combination, they result in a significant working
capital fluctuation that was not fully explained. Accordingly, analytical procedures
can help provide assurance that the financial statements make sense.

11.18 Analytical procedures as risk assessment procedures and as concluding
procedures should consider financial liquidity, and the expectation of remaining a
going concern, when such risk is present. Typical ratios used are the:
– acid test ratio
– current ratio
– debt to equity
– interest coverage ratio
– other key performance indicators, as appropriate
Various other measures of identifying increasing distress have been developed,
based on the measure of a total of various financial statement ratios. These can
also be useful as indicators of going concern problems.

11.19 In concluding the audit, the audit team reads the final financial statements
(including disclosures) and considers:
– the adequacy of the audit evidence gathered with respect to unusual or
unexpected balances identified in performing risk assessment procedures
or during the course of the audit
– unusual or unexpected balances or relationships that were not previously
identified
– whether the current year's financial statements are comparable to the prior
year, considering the understanding of the entity and its environment
This final review integrates the results of all the audit work performed and gives
added support that there is a low risk of the financial statements being materially
misstated because of undetected misstatements.

Other Considerations

11.20 All understanding of the entity and its environment, including risk assessments,
should factor into the audit team’s design of analytical procedures. This has
staffing implications. Such work cannot be delegated to a team member who
does not have an understanding of the entity and business in which the entity
operates.

11.21 The personal experience and knowledge of the entity and the entity's business
and of the key indicators of that business often enable the audit team to develop
and apply more informal procedures. The effectiveness of analytical procedures
relates to the audit team’s ability to detect potential misstatements, and well-
conceived informal procedures can be very effective, especially in smaller
entities.

11.22 The reliability of data for audit purposes may be influenced by a number of
factors, including whether:
– the data is obtained from independent sources outside the entity, or from
client sources
– the client personnel providing the information are independent of those
who are responsible for the amount being audited
– the data was developed under a reliable system with adequate internal
control
In practice, data developed outside the accounting function (for example, by
sales personnel) can provide independent information, because the compiler has
different motivations than the accounting staff.

11.23 Some accounts are more predictable than others. Relationships involving income
statement accounts are usually more predictable than those for balance sheet
amounts. The former represent transactions over a period of time; the latter
represent amounts at a point in time, which are residual effects of those
transactions. Therefore, analytical procedures tend to be directed to the income
statement.

11.24 In performing analytical procedures, the most useful and valid results are usually
obtained when the analysis is performed using disaggregated data (i.e., analyses
of sales by product line, etc.). Similarly, applying analytical procedures to
consolidated financial statements may not be as effective or efficient as applying
the same procedures to individual subsidiaries or divisions.

Performing Analytical Procedures

11.25 Performing analytical procedures is a process that consists of four phases that
are discussed further in the following paragraphs:
– expectation formation
– identification
– investigation
– evaluation

The Expectation-Formation Phase

11.26 Forming an expectation is the most important part of the analytical review
process. To form an expectation, the audit team uses one of the expectation
methods that include:
– trend analysis
– ratio analysis
– reasonableness tests
– regression analysis

Trend Analysis

11.27 Trend analysis compares balances in a single account or financial statement line
to prior periods, budgeted amounts or industry data. Although trend analysis can
be used as a substantive test, it is typically more useful as a risk assessment
procedure or a concluding procedure, where lower levels of precision are
acceptable.

11.28 Trend analysis is relatively easy to perform and the audit team is not required to
form an explicit expectation. With trend analysis, it is presumed that the balances
should be comparable with the prior periods or with the industry average; and
therefore, expectations are implicit.

11.29 Trend analysis can be as simple as comparing last year’s account balance to the
current year balance. In this example, the implicit expectation is the prior year
amount. It is not necessary to document the expectation when using trend
analysis because it is implicit.

11.30 The number of years used in the trend analysis is a function of the stability of
operations. The more stable the entity’s operations over time, the more
predictable the relationships and the more appropriate is the use of multiple
years in identifying trends. It is important to understand the volatility of the entity’s
environment related to the amounts being tested. For example, except in
situations in which the environment has remained stable relative to the prior year,
using only the prior-year balance as the expectation may reduce the
effectiveness of analytical procedures to identify potential high-risk areas. In fact,
using only the prior-year balance without considering whether it is the most
appropriate expectation can lead to a bias toward accepting the current data that
has not been subject to auditing procedures as fairly stated, even when it is
misstated. Accordingly, audit teams should apply their understanding of the
business and changes that have occurred in it since the previous period when
evaluating the results of the trend analysis.

11.31 Trend analysis typically produces the most effective results when performed on
disaggregated data, because aggregate level analyses are relatively imprecise.
Trend analysis is less effective in situations where the entity experienced
significant operating or accounting changes during any of the periods being
analyzed. It is also less effective in detecting situations where amounts should
have changed and did not.

11.32 The effectiveness of using budgeted data depends on the rigor and
appropriateness of the client’s budgeting process. If, for example, budgets are
prepared on an overly optimistic basis, the budget value will not represent the
most probable expected results. Also, budgets are set before economic events
occur and expectations developed a year ago may not have appropriately
accounted for the environmental events that occurred during the year. Therefore,
the audit team should obtain an understanding of the budgeting procedures
before utilizing budgets or forecasts as their expectations.

Ratio Analysis

11.33 Ratio analysis involves comparing:
– relationships between financial statement accounts (e.g., sales divided by
accounts receivable)
– an account with nonfinancial data (e.g., rent income divided by units
available for rent)
– relationships between entities operating within the same industry
Ratio analysis on account balances is useful for those relationships expected to
be stable (over time) or comparable (across entities in the same industry or
locations in the same entity). Once a ratio is determined, it is compared with the
ratio for prior periods or others in the same industry during the same period.

11.34 The use of financial ratios as substantive procedures may have limitations:
– ratios assume that all elements of financial information are completely
variable and do not recognize the fixed or semi-variable nature of certain
items. For example, ratios based upon sales fail to recognize that
expenses such as rent or interest are either fixed or vary with factors other
than sales
– the possible bias or lack of comparability of industry data, due to different
accounting methods, product lines, etc.
– external factors (e.g., labor strikes, changes in regulations) and internal
factors (e.g., changes in product mix, pricing strategies, subsidiary
entities) can cause distortions
– ratios can be easily misinterpreted. For example, by assuming a simple
linear relationship, a current ratio of 1.0 may be considered "twice as bad"
as a ratio of 2.0, when actually, it is many times worse

11.35 Notwithstanding these concerns, ratio analysis can be an important indicator of
potential financial statement problems. For example, financial ratio analysis can
be used to identify possible aging problems for accounts receivable, inventory,
and accounts payable.

11.36 Accordingly, the audit team should exercise caution in the use of ratios, but also
recognize that financial ratio analysis can be a useful audit tool. Because the
relationships underlying various important ratios tend to be relatively stable, such
ratios can be valuable indicators of distorted financial information.

11.37 As with trend analysis, the expectation for ratio analysis is implicit. The
expectation is the compared item (i.e., prior year ratio). Because it is implicit, the
audit team need not document the expectation when performing ratio analysis.

Reasonableness Tests

11.38 Reasonableness tests involve developing an independent expectation based on
financial and nonfinancial data, frequently by a computation or series of
computations using the audit team's knowledge of the entity and its business.
Reasonableness tests provide the opportunity for tailoring the test to include all
relevant factors that may explain fluctuations. Therefore, it is potentially the most
powerful and well-focused test.

11.39 Because income statement accounts tend to be more predictable than balance
sheet amounts, reasonableness tests are best suited to income statement
balances. Possible applications include payroll expense, sales commissions,
payroll taxes, depreciation and amortization expense, rent income, rent expense,
investment income and interest expense.

11.40 Further, reasonableness tests can be sufficiently precise to provide the principal
evidence for a particular risk.

11.41 One example of a reasonableness test is using the number of employees hired
and terminated, the timing of pay changes and the effect of vacation and sick
days to develop a model that could predict the change in payroll expense from
the previous year(s) to the current period. Another example is estimating interest
expense using the average balance of debt outstanding, the average interest rate
and the average time outstanding during the period.

11.42 When performing reasonableness tests, the independent amount or ratio
computed by the audit team is the audit team’s expectation. Therefore, the
computed amount is the audit team’s documentation of the expectation.

Regression Analysis

11.43 Regression analysis uses statistical models to quantify the audit team’s
expectation in monetary terms, with measurable risk and precision levels. For
example, an expectation for sales may be developed based on management’s
sales forecast, commission expense, and changes in advertising expenditures.

11.44 Regression analysis is similar to reasonableness testing in that there is an
explicit prediction using the audit team’s understanding of the factors that affect
the account balances to develop a model of the account balance. The model is
most effective when the data are disaggregated and are from an accounting
system with effective internal controls.

Selecting an Expectation Method

11.45 The effectiveness of the method used is a function of three factors related to the
precision with which the expectation is developed. The factors are the:
– nature of the account or risk
– reliability of the data
– inherent precision of the expectation method used

11.46 When considering the nature of the account or risk, the audit team considers
whether:
– the amount is determined subjectively
– significant events occurred during the period that would impact the
precision of the test
– other events or changes impact the comparability of balances between
periods
– the environment is stable (did events occur that lead the audit team
to believe that previous relationships between data no longer exist?)

11.47 The reliability of data used in the analysis is an important factor in determining
the effectiveness of the analytical procedure. The following factors help the audit
team determine the reliability of data:
More precise               Less precise
Disaggregated data         Financial statement-level data
External data              Internal data
Strong internal control    Weak internal control
Non-financial data         Financial data
Audited data               Unaudited data

11.48 When the entity operates in a stable environment, the audit team can use
previous years’ data to develop an expected value for a given ratio. For example,
the audit team could analyze the change in a ratio over the previous four audited
years by adding to the prior year's ratio the average change in the ratio over the
previous four years. For example, if last year's current ratio (current assets to
current liabilities) is 1.31 and the average change in the ratio is +0.03, then the
expected ratio, in the absence of unusual activity, would be 1.34. If the entity’s
environment is not stable, emphasis should be placed on more recent data and
events.

11.49 If only two prior years of audited information are available, the average change
should be based on the change between those two years, unless that change is
believed not to be representative. If no prior year audited information is available,
the expectation should be developed based on the audit team’s understanding of
the entity and its environment.

11.50 The audit team should select the expectation method by considering the level of
assurance required by the procedure. Determining which type of expectation
method to use is a matter of professional judgment. Trend analysis generally provides
the least precision because it does not consider the factors that affect the
account (e.g., product mix). Regression analysis, in contrast, is the most precise
because it measures precision mathematically. Ratio analysis and
reasonableness tests fall somewhere in between; however, reasonableness tests
are ordinarily more precise because they involve the formation of explicit
expectations.

11.51 The audit team may identify risks where the risk of material misstatement is so
low that analytical procedures alone will provide an appropriate response to the
risks identified. When an analytical procedure is used as the primary substantive
test of a risk, the audit team should document all of the following:
– the expectation, unless it is apparent from the documentation of the work
performed, and factors considered in its development
– results of the comparison to recorded amounts or ratios developed from
recorded amounts
– additional auditing procedures performed in response to the significant
unexpected differences arising from the analytical procedure and the
results of such other procedures
– corroborating evidence obtained to support unexpected variances

The Identification Phase

11.52 The identification phase begins by comparing the audit team’s expected value
with the recorded value. Since the audit team developed the expectation with a
particular materiality threshold in mind, the differences between the expected
value and the recorded value should be compared to that threshold.

11.53 As a reminder, Horizon requires that tolerable error be used to drive the scope of
audit procedures. Tolerable error is defined as 60% of materiality (see Chapter
7). Horizon allows tolerable error to be lowered for a particular test if, in the audit
team’s judgment, a lower threshold is appropriate. In those situations, the lower
tolerable error should be documented together with the factors the audit team
considered in lowering tolerable error.

11.54 The identification phase includes identifying deviations when fluctuations that
were expected did not occur. For example, sales in the current period have
grown in line with previous trends, but a larger increase was expected because
of the introduction of a new product line.

11.55 Acceptance ranges help the audit team to decide whether further investigation is
necessary. The wider the acceptance range, the less confidence the audit team
has that the procedure is effective in detecting material misstatements. However,
narrowing the acceptance range too much to improve the effectiveness of the
procedure may result in unnecessarily investigating immaterial fluctuations and
over auditing.

11.56 Determining an appropriate acceptance range is a matter of judgment. It may be
tempting to simplify this judgment by using standard practices such as
investigating deviations greater than 10% from the previous year’s balance.
However, this approach frequently results in focusing too much attention on small
or low-risk accounts and unnecessary audit work, and could detract attention
away from larger or higher risk accounts that may be more sensitive to much
smaller fluctuations.

11.57 Acceptance ranges can be expressed as monetary amounts or as a percentage.
Tolerable error is the starting point in developing acceptance ranges. For ratios,
one way of calculating the acceptance range is by determining the effect that an
error of the amount of tolerable error in one of the components would have on
the ratio under review.

11.58 When the expectation and amounts recorded are not comparable, the audit team
should reconsider the validity of the expectation. For example, was there a
change in the entity or its environment that was not reflected in the expected
amount? Was a variable cost model applied to fixed cost items?

The Investigation Phase

11.59 In the investigation phase, the audit team considers the possible explanations for
the differences. The greater the precision of the procedure, the greater the
likelihood that the difference between the expectation and the recorded amount
is due to a misstatement rather than other causes. The lower the precision of the
procedure, the greater the likelihood that the difference between the
expected amount and the recorded amount is due to causes such as using
imprecise or less reliable data.

11.60 If the audit team believes the difference is more likely due to factors related to the
precision of the expectation, they should consider whether a more precise
expectation can be developed cost-effectively. If so, the audit team should
perform the more precise procedure.

11.61 The audit team may believe the expectation is sufficiently precise and determine
that the difference could indicate a misstatement. If so, the audit team uses their
understanding of the entity and its environment to identify likely causes of the
difference and identify plausible explanations.

11.62 Plausible explanations usually relate to changes in the business and unusual
events or transactions. In evaluating the plausibility of explanations for
differences, the audit team considers the consistency of the explanation with their
understanding of the entity and its environment and the audit evidence obtained
in other areas. The plausibility of the explanation may also be evaluated by reference to:
– management and board reports containing explanations of significant
variances between budgeted and actual results
– review of minutes of those charged with governance
– information on unusual events occurring in prior years

11.63 When the analytical procedure serves as a primary substantive procedure, the
audit team should corroborate explanations for significant differences by
obtaining sufficient audit evidence. The evidence should be of the same quality
as evidence supporting tests of details. To corroborate an explanation, one or
more of the following techniques may be used:
– inquire of persons outside the entity (e.g., confirm discounts with a major
supplier or agree changes in security valuations to exchange prices or
published reports)
– inquire of independent persons inside the organization (e.g., corroborate
an explanation received from the controller with the marketing director)
– consider evidence from other auditing procedures (e.g., those performed
on the data used to develop an expectation)
– examine supporting evidence (e.g., if the increase in cost of sales was
represented as the result of an unusually large sales contract, the audit
team could examine the sales contract)

11.64 Particular attention should be given to explanations that appear contradictory to
other evidence or that do not seem to make sense in light of the surrounding
circumstances. In many of the documented cases of the profession's past audit
failures, auditors were aware of significant unusual fluctuations in the financial
statements being audited, but accepted client explanations without evaluation or
verification. Accordingly, the importance of subjecting client explanations to
professional skepticism, analysis, verification and appropriately documenting the
work performed cannot be overemphasized.

The Evaluation Phase

11.65 When an analytical procedure provides evidence that an account may be
misstated, further procedures should be applied to determine the amount of the
misstatement. If the audit team performs a very precise analytical procedure and
uses it to develop a range of acceptable values, an audit difference is identified if
the actual value (recorded amount) falls outside the acceptance range. The
difference between the actual value and the nearest acceptable value in an
acceptance range usually is the amount of the audit difference. To illustrate: if an
entity’s depreciation provision is being tested for reasonableness by using a
precise analytical procedure to estimate the provision based upon asset
balances and depreciation rates, the amount recorded by the entity should be
compared to the acceptance range developed by the audit team. If the predicted
provision is $500,000, the audit team might establish an acceptance range at
$475,000 to $525,000. Accordingly, if the recorded amount is $440,000, the audit
team should consider the audit difference to be $35,000; the difference between
the recorded amount and the nearest acceptable value in the range. If the
recorded amount falls within the acceptance range (e.g., $480,000 in this
example), there would be no audit difference.
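
The calculations in paragraphs 11.48, 11.49, 11.53, 11.57 and 11.65 can be chained into one working paper computation. The following Python is an added example, not part of the manual or of Voyager. Assumptions: the function names, the reading that n audited years give n - 1 year-on-year changes, the use of the recorded components to size the ratio range, and the constructed balances in the demonstration.

```python
from decimal import Decimal

TOLERABLE_ERROR_RATE = Decimal("0.60")  # 11.53: tolerable error is 60% of materiality


def expected_ratio(audited_ratios, window=4):
    """11.48/11.49: prior-year ratio plus the average year-on-year change.

    audited_ratios is ordered oldest to newest. Assumption: n audited years
    give n - 1 changes, so two years give the single change of 11.49.
    """
    recent = list(audited_ratios)[-window:]
    if len(recent) < 2:
        # 11.49 covers the no-history case; a single year is treated the
        # same way here (assumption), since no change can be computed.
        raise ValueError("no usable history: base the expectation on the "
                         "understanding of the entity and its environment")
    changes = [later - earlier for earlier, later in zip(recent, recent[1:])]
    return recent[-1] + sum(changes) / len(changes)


def tolerable_error(materiality, lowered_to=None, rationale=None):
    """11.53: 60% of materiality, or a lower, documented amount for one test."""
    default = materiality * TOLERABLE_ERROR_RATE
    if lowered_to is None:
        return default
    if lowered_to > default:
        raise ValueError("tolerable error may be lowered, not raised")
    if not rationale:
        raise ValueError("document the factors considered in lowering "
                         "tolerable error")
    return lowered_to


def ratio_acceptance_range(expected, numerator, denominator, tolerable,
                           component="numerator"):
    """11.57: effect on the ratio of a tolerable-error-sized error in one
    component, applied around the expected ratio.

    Assumption: the recorded numerator and denominator size the effect.
    """
    recorded = numerator / denominator
    if component == "numerator":
        down = up = tolerable / denominator
    elif component == "denominator":
        if denominator <= tolerable:
            raise ValueError("denominator must exceed tolerable error")
        # An error in the denominator moves the ratio asymmetrically.
        up = numerator / (denominator - tolerable) - recorded
        down = recorded - numerator / (denominator + tolerable)
    else:
        raise ValueError("component must be 'numerator' or 'denominator'")
    return expected - down, expected + up


def audit_difference(recorded, low, high):
    """11.65: distance from the recorded value to the nearest acceptable value."""
    if recorded < low:
        return low - recorded
    if recorded > high:
        return recorded - high
    return Decimal("0")


def evaluate_current_ratio(history, current_assets, current_liabilities,
                           materiality):
    """Expectation, identification and evaluation for the current ratio."""
    expected = expected_ratio(history)
    tolerable = tolerable_error(materiality)
    low, high = ratio_acceptance_range(expected, current_assets,
                                       current_liabilities, tolerable)
    recorded = current_assets / current_liabilities
    difference = audit_difference(recorded, low, high)
    return {"expected": expected, "range": (low, high), "recorded": recorded,
            "difference": difference, "investigate": difference > 0}


if __name__ == "__main__":
    # Constructed sample data: four audited current ratios ending at the
    # 1.31 used in 11.48, plus illustrative recorded balances.
    history = [Decimal(x) for x in ("1.22", "1.25", "1.28", "1.31")]
    result = evaluate_current_ratio(history, Decimal("2900000"),
                                    Decimal("2000000"), Decimal("100000"))
    for key, value in result.items():
        print(key, value)
    # The depreciation illustration from 11.65.
    print(audit_difference(Decimal("440000"), Decimal("475000"),
                           Decimal("525000")))
```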

11.66 As a reminder, audit differences should be added to the Summary of Unrecorded
Misstatements. In addition, misstatements identified by the audit team are direct
evidence that the internal controls failed to prevent an error. The audit team
should identify the underlying control deficiency, add it to the appropriate Design
Effectiveness tool in Voyager, and evaluate its severity. As discussed in Chapter
10, a misstatement is at least a significant deficiency and a strong indicator of a
material weakness.

Recommended Analytical Techniques

Comparison of Account Balances

11.67 Perhaps the most fundamental analytical procedure is comparison of account
balances with those of a comparable period (e.g., with previous months or
quarters, or with the prior year). In making such comparisons, the audit team
should not be concerned with items not considered significant to the financial
statements. In some circumstances, comparisons of interim (quarterly or
monthly) balances to prior year may be useful. In general, the more detailed the
basis of comparison, the more likely that significant fluctuations or unusual items
will be identified.

Ratios to Sales

11.68 Because many revenue and expense accounts tend to bear a direct relationship
to sales, the comparison of ratios to sales from period to period can be useful.
Such comparisons affect various risks. For example, variations in the returns and
allowances ratio may indicate problems with the existence of recorded sales. Not
all revenue and expense items would be expected to bear a stable relationship
with sales (for example, administrative expenses), so the comparisons should be
made with forethought.

Reasonableness Tests of Account Balances

11.69 Certain analytical procedures give such a high level of assurance that they can
be used to provide all the necessary evidence for a particular risk. The most
common examples of this type of test are reasonableness tests of an account
balance or class of transaction. This is a particularly efficient procedure.

11.70 This type of reasonableness test is used to estimate the total of an account
balance or class of transactions, either by determining the total from independent
confirmation or by computing it from independent information. For this test to be
effective, there needs to be a stable relationship between the factors, and the data
used needs to be reliable. The extent to which an analysis actually provides proof
of the amount depends on its precision. Examples of areas where this test may
be appropriate include:
– sales commissions
– depreciation
– salaries
– sales and production amounts
– payroll taxes
– interest income and expenses
– rental income and expense

Comparisons with Other Related Accounts

11.71 Certain revenue and expense accounts are closely related to particular asset
accounts, or to other expense accounts, so that the relationship between
accounts is meaningful and can be usefully compared over time. This is a form of
ratio analysis.

11.72 Examples of the relationship of income and expense accounts to assets include:
– investment income to average investments
– interest expense to average debt
– depreciation expense to depreciable assets
It may be necessary to apply certain of these tests on a more detailed basis and
to disaggregate the expense and related asset (for example, where certain
investments have substantially different returns than others or where the mix of
the depreciation categories of assets has significantly changed).

11.73 Another type of comparison useful for certain expense accounts is the ratio of
such expenses to other related expense accounts (for example, payroll taxes to
payroll expense). These ratios have stable, predictable patterns and significant
deviations not resulting from changes in tax rates or management benefit policies
might indicate a potential accounting error.

Comparisons Based on Non-Accounting Data

11.74 For audit purposes, other information generated by the client, but from outside
the accounting system (e.g., production statistics, units purchased, number of
employees) may have greater value and reliability than material produced from
within the accounting records (for example, in reviewing sales, consideration
might be given to production records and delivery charges). In a retail entity,
comparisons might be made to sales per employee and sales per departmental
square foot. The independence from the accounting function of the person
compiling the data may give that data added credibility.

Use of Industry Statistics

11.75 In most audit situations, extensive reliance on comparison with published
industry financial ratios or similar data as a means of identifying possible
misstatements in the financial statements is not appropriate. This is because the
differences between the client's financial information or method of compiling such
information, and the reported industry results may be so great that audit
comparisons may be invalid or may require excessive work to identify the
reasons for fluctuations. Also, the client's circumstances are unique and may not
reflect the industry norm.

11.76 In certain industries, however, various well-known, non-financial statistics are
widely used to measure or compare financial performance. For example, in the
real estate industry, using the cost per foot statistics for similar types of
construction in the same geographical area might test the reasonableness of
construction costs. Similarly, department store sales can be tested by reference
to industry data for sales per square meter, etc. Such data can be most
appropriate for analytical purposes.

Commonly Used Financial Ratios


11.77 Financial analysts commonly use the following financial ratios. Audit teams will
not investigate all of them on most audits, although the liquidity ratios and gross
margin ratio are useful for most audits. The insights given by these and some
other ratios are as follows:
• Liquidity ratios:
– the current ratio identifies working capital shortages or going concern
problems
– the quick or acid test ratio is a more conservative measure of liquidity and
gives an indication of the company's ability to pay short-term obligations
without liquidating inventory
• Profitability ratios:
– gross margin (profit) measures the rate of return on sales that can be
compared with previous periods and industry norms
– the operating margin measures operating profitability and the extent it can
pay operating expenses from net sales
– return on total assets measures the income generated by the assets
utilized
– return on equity indicates the rate of return to shareholders
• Leverage or solvency ratios:
– debt to equity measures the extent the entity finances its operations from
long-term debt versus equity
– fixed assets to long-term debt shows the extent to which long-term
financing is used for fixed assets
– times interest earned shows the degree that earnings can decrease and
still allow the entity to make its interest payments
• Activity ratios:
– the number of days sales in accounts receivable (debtor days) indicates
potential cash flow and working capital problems, or bad debt
considerations
– inventory turnover highlights overstocking of inventory and slow moving or
obsolete items
– average age of inventory shows the number of days of inventory held at
the end of the period. It may also highlight overstocking of inventory, or
unusual purchase transactions at the end of the period
– receivable turnover provides an approximate measure of how many times
per year receivables are collected. If the turnover rate is low, receivables
are held for a longer period of time and are less likely to be collected

Description | Formula

Liquidity Ratios
Current ratio | Current assets/current liabilities
Acid test | Quick assets/current liabilities
Days sales in receivables | Accounts receivable/(credit sales/360 days)
Inventory turnover | Cost of sales/average inventory
Working capital to total assets | (Current assets – current liabilities)/total assets

Movement of Current Assets
Receivable turnover | Credit sales/average accounts receivables
Average days to collect | 360 days/receivable turnover
Days sales in inventory | Ending inventory/(cost of goods sold/360 days)
Operating cycle | Average days to collect + average days to sell

Leverage or Solvency Ratios
Debt to equity | Total liabilities/shareholders’ equity
Long-term debt to equity | Long-term debt/shareholders’ equity
Fixed assets to equity | (Fixed assets – accumulated depreciation)/shareholders’ equity
Times interest earned | Income before interest and taxes/interest expense
Creditors equity to total assets | Total liabilities/total assets
Fixed assets to long-term debt | (Fixed assets – accumulated depreciation)/long-term debt

Profitability Ratios
Return on total assets | (Net earnings + interest expense x (1 – tax rate))/average total assets
Return on equity | Net earnings/average shareholders’ equity
Gross margin | Gross profit/total sales
Operating margin | Operating income/total sales
Pretax income to sales | Pretax income/total sales
Net earnings to sales | Net earnings/total sales

Asset Utilization Ratios
Sales to cash | Total sales/cash
Sales to accounts receivable | Total sales/accounts receivable
Sales to inventories | Total sales/inventories
Sales to working capital | Total sales/working capital
Sales to fixed assets | Sales/(fixed assets – accumulated depreciation)
Sales to other assets | Sales/other assets
Sales to total assets | Sales/total assets

Market Measures
Price to earnings ratio | Market price per share/(net earnings/number of common shares)
Dividend yield | Dividends per share/market price per share
Dividend payout ratio | Dividends per share/earnings per share

Exhibit 11.1 - Practical Applications

E01 This exhibit includes practical applications for performing analytical procedures
on an engagement. In almost every cycle, Voyager already includes analytical
procedures. Therefore, this exhibit does not list the procedures; rather, it gives practical
considerations the audit team should follow when performing analytics. Each
engagement varies due to the client’s operations, industry, and environmental factors.
As a result, audit teams may need to further tailor any procedures for the specific
situation.

Interest Expense Reasonableness Test

E02 Reasonableness tests are often the most powerful and precise way to test
interest expense. The audit team computes an expected estimate and then compares
this expectation to the company’s account balance.

E03 There are some practical considerations for performing a reasonableness test
over interest expense. To perform such a test, the audit team obtains a calculation of
the average loan balance from the client. This calculation should be disaggregated by
month or quarter, as appropriate. The audit team then should test the validity of the
underlying data. This testing varies depending on the company’s records, but in most
cases is possible by tracing the data to audited general ledger or sub-ledger detail.

E04 Next, the audit team obtains the applicable interest rate for the interest
expense calculation from the source loan agreement or the prior year workpapers.
Then, the audit team should determine the actual interest rate of the period from an
independent source. If the rate is not verified, the remaining analytical procedures are
invalid.

E05 The final step is to recalculate the interest expense using the average loan
balance and the verified interest rate. The result is the audit team’s expectation of the
interest expense balance. The audit team compares the expectation and the balance. If
there are any differences, the audit team should investigate them, including obtaining
corroborating evidence, and asking probing questions.
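
The recalculation in E03 to E05, combined with the acceptance-range comparison described earlier in Chapter Eleven, as an added Python example that is not part of the manual. The balances, rates, tolerance and function names are constructed for illustration, and the rate / 12 monthly accrual is an assumption about the day-count basis.

```python
from decimal import Decimal

# Constructed inputs, not figures from the manual: the average loan balance
# for each month (obtained from the client and traced to the ledger) and the
# annual rate in force each month (verified to an independent source).
MONTHLY_AVERAGE_BALANCE = [Decimal("10000000")] * 6 + [Decimal("12000000")] * 6
MONTHLY_ANNUAL_RATE = [Decimal("0.06")] * 9 + [Decimal("0.065")] * 3


def expected_interest(balances, annual_rates):
    """Recalculate interest period by period (E05).

    Assumption: each period is one month and accrues rate / 12; a real loan
    agreement may specify a different day-count basis.
    """
    if len(balances) != len(annual_rates):
        raise ValueError("every period needs a balance and a rate")
    if any(rate is None for rate in annual_rates):
        # E04: without a verified rate the rest of the procedure is invalid.
        raise ValueError("unverified interest rate")
    return sum((b * r / 12 for b, r in zip(balances, annual_rates)), Decimal(0))


def acceptance_range(expectation, tolerance):
    """Range around the expectation inside which no audit difference arises."""
    if tolerance < 0:
        raise ValueError("tolerance must not be negative")
    return expectation - tolerance, expectation + tolerance


def audit_difference(recorded, low, high):
    """Distance from the recorded amount to the nearest acceptable value."""
    if low > high:
        raise ValueError("range bounds are reversed")
    if recorded < low:
        return low - recorded
    if recorded > high:
        return recorded - high
    return Decimal(0)


def evaluate(recorded, balances, annual_rates, tolerance):
    """Run the whole test and return what would go in the workpaper."""
    expectation = expected_interest(balances, annual_rates)
    low, high = acceptance_range(expectation, tolerance)
    return {
        "expectation": expectation,
        "range": (low, high),
        "difference": audit_difference(recorded, low, high),
    }


if __name__ == "__main__":
    result = evaluate(Decimal("640000"), MONTHLY_AVERAGE_BALANCE,
                      MONTHLY_ANNUAL_RATE, Decimal("20000"))
    print("disaggregated expectation:", result["expectation"])
    # The same year estimated from one annual average balance and the opening
    # rate misses both the mid-year drawdown and the rate change.
    annual_average = sum(MONTHLY_AVERAGE_BALANCE) / 12
    print("aggregated estimate:", annual_average * Decimal("0.06"))
    print("acceptance range:", result["range"])
    print("audit difference:", result["difference"])
```
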

Revenue Trend Analysis

E06 Professional standards require the audit team to presume that improper
revenue recognition is a fraud risk that must be addressed. An effective way to respond
to this risk is to perform trend analysis analytics.

E07 To perform these procedures, the audit team should first determine the proper
data to analyze. The more disaggregated the data, the greater the test’s precision.
Examples of ways to disaggregate revenue data are by month, product line, domestic
versus foreign, or all of the above. Then, the auditor should test the data’s validity. The
analytical procedures will not be effective if the underlying data is skewed, fabricated, or
inapplicable. To test the validity of data, the audit team should either test controls
involved in the preparation of the data (in most cases this is already done as a response
to other risks) or test the schedules themselves by selecting items to verify.

E08 The team should then develop and document expectations for the current year
balances. When trend analysis is used as a risk assessment procedure, it is not
necessary to document the audit team’s expectations because the implicit expectation
is that the distribution of amounts between periods will remain constant (i.e., the audit
team’s expectation is that the current period trend will follow the prior period trend).
When trend analysis is used as a substantive procedure, the audit team should
document its expectations.

E09 The audit team should next document the comparison between the
expectation and the entity’s recorded amount. If this comparison isolates unexpected
anomalies, the audit team should perform and document the additional auditing
procedures performed and the results of those procedures.

E10 Remember, the objective of this test is to overcome the presumption of the risk
of fraud in revenue recognition. As a result, the audit team should corroborate
management’s explanations of anomalies with supporting documentation. This evidence
should be as specific as any other support obtained when performing revenue
procedures. Further, the audit team should also address all of the anomalies noted. For
example, only verifying items above a set scope or range is not sufficient. Testing a
portion of the items identified will not sufficiently support the assumption that fraud is not
present.
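
The trend comparison in E07 to E10, as an added Python example that is not part of the manual. It applies the implicit expectation from E08 (the prior-period distribution carries over to the current period) to revenue disaggregated by product line and month; the figures, the 10% threshold and the function names are constructed assumptions.

```python
# Constructed revenue in thousands, keyed by (product line, month); not client
# data. December widget revenue is deliberately out of pattern.
PRIOR_YEAR = {("widgets", m): 100 for m in range(1, 13)}
PRIOR_YEAR.update({("services", m): 50 for m in range(1, 13)})

CURRENT_YEAR = {("widgets", m): 110 for m in range(1, 12)}
CURRENT_YEAR[("widgets", 12)] = 190
CURRENT_YEAR.update({("services", m): 55 for m in range(1, 13)})


def expectations(prior, current):
    """Spread the current-year total over cells using prior-year shares."""
    prior_total = sum(prior.values())
    if prior_total <= 0:
        raise ValueError("prior period has no revenue to build a trend from")
    current_total = sum(current.values())
    cells = prior.keys() | current.keys()
    return {cell: prior.get(cell, 0) / prior_total * current_total
            for cell in cells}


def anomalies(prior, current, threshold=0.10):
    """Return every cell whose recorded amount departs from the expectation.

    Each entry is (cell, recorded, expected, relative deviation). All entries
    are returned, because E10 requires every anomaly to be addressed rather
    than only those above a chosen scope. A cell with no prior-period history
    has no trend to follow, so it is reported with a deviation of None.
    """
    expected = expectations(prior, current)
    found = []
    for cell in sorted(expected):
        recorded = current.get(cell, 0)
        if expected[cell] == 0:
            if recorded != 0:
                found.append((cell, recorded, 0, None))
            continue
        deviation = (recorded - expected[cell]) / expected[cell]
        if abs(deviation) > threshold:
            found.append((cell, recorded, expected[cell], deviation))
    return found


if __name__ == "__main__":
    for cell, recorded, expected, deviation in anomalies(PRIOR_YEAR, CURRENT_YEAR):
        shown = "no prior trend" if deviation is None else f"{deviation:+.1%}"
        print(cell, "recorded", recorded, "expected", round(expected, 1), shown)
```

Because the expectation is scaled to the current-year total, a large anomaly shifts every other cell's expectation slightly, which is one reason the manual asks for corroborating evidence on each flagged item rather than reliance on the comparison alone.
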

Chapter Twelve – Tests of Details

Summary

This Chapter discusses tests of details as substantive audit procedures and how they
are built into Voyager. This Chapter also provides guidance on when and how these
tests are performed in an audit.

Introduction
12.01 Tests of details are substantive audit procedures designed to identify the
correctness of the related account balances. Voyager suggests substantive procedures
based on the audit team’s risk assessments, including the determination of reasonably
possible risks and the intended control reliance. The procedures suggested ordinarily
include tests of details in addition to substantive analytical procedures. The decision
whether to use tests of details and which tests to apply may include considerations such
as:
• the risk of material misstatement
• whether the tests would likely provide the needed evidence for the
pertinent risks
• the costs and benefits of using tests of details versus applying other
procedures, such as analytical procedures
• the costs and benefits of performing tests of controls to achieve the
intended control reliance
Since the selection of procedures must be based on the facts and circumstances of the
specific engagement, the audit team should tailor the procedures suggested by Voyager
to the engagement.

Methods of Testing Details


12.02 The methods used to test details are:
• sampling
• one hundred percent (100%) examination
• tests of high value items (individually significant)
• identification and examination of key items

12.03 For a particular account balance, the audit team might use more than one of
these testing methods. For example, the audit team could decide to test high value
items and identify risk areas within the remaining population for further testing.

12.04 Tests of details are performed using examination, observation or confirmation
procedures. Although tests of details may be used to test any risk, they are rarely used
to test risks associated with presentation and disclosure.

Sampling

12.05 Sampling procedures are used to test details by applying the audit procedures
to the individual items selected. Because the items examined in a sample are
representative of the total population, the audit team is able to project the sample
results to the total population. This is not the case with other tests of details, where the
audit team selects items according to specific criteria that may not be representative of
the whole population. Thus, the results cannot be projected to the total population,
although the audit team does form a conclusion about the examined items.

One Hundred Percent (100%) Examination

12.06 In some circumstances, it is appropriate to examine the entire population
(100%), such as when:
• the population consists of a small number of items
• the audit team is not willing to accept the sampling risk, perhaps due to
significant concerns about the area
• CAATs can be used to test the population

12.07 100% examination undoubtedly provides the strongest audit evidence for risks
associated with assertions such as valuation, existence and rights and obligations, but
is not feasible or cost effective in most audit situations. Therefore, other methods of
testing details, such as sampling or those discussed below are usually applied.

Tests of High Value Items (Individually Significant)

12.08 In certain situations, the audit team may test high value items (other than in
connection with sampling). In Horizon, “individually significant” is the term used to
describe high value items.

12.09 When testing a population that includes individually significant items, the audit
team is separating the population into two populations: one comprised of individually
significant items and the other comprised of items less than individually significant.
Detailed audit procedures will be performed on 100% of the population of individually
significant items. The population of items less than individually significant must also be
considered for testing. The nature and extent of testing should respond to the risks
present.

12.10 Ordinarily, the response is a combination of tests of controls and substantive
analytical procedures. However, in some circumstances, the risk of material
misstatement and the value of the untested population are low and no further testing is
necessary. In other circumstances, the risk of material misstatements is so high that
control tests and analytical procedures alone do not provide sufficient evidence and
additional substantive procedures must be performed.

12.11 The appropriate response is always a matter of judgment, but the audit team
can only conclude on the population tested. Therefore, if the appropriate response is to
perform no audit procedures on the items in the population that are less than
individually significant, the audit team can only conclude on the population of
individually significant items.

12.12 When the population to be tested is available in electronic form, the use of
IDEA is recommended to identify the individually significant items to be tested.

12.13 Individually significant items should often be tested in conjunction with testing
other key items discussed in the next section. Moreover, it may be efficient to extend
tests of significant items to include additional items that may be large, but not
individually significant if this will provide evidence about a sizeable portion of the total
population.

12.14 For example, suppose for a population totaling $500,000, there are two
individually significant items (defined as those over $100,000) totaling $250,000. If there
were three additional items over $50,000 totaling $200,000, it would clearly be efficient
to test all five. If the value of the remaining items is less than tolerable error and
presents no significant risks, the audit team may decide to base audit conclusions on
testing 90% of a population's value.

Determining Individually Significant Items

12.15 For many entities, it is appropriate to use tolerable error to determine
individually significant items. This is consistent with the concept of determining an
amount to use as a scoping mechanism. By using tolerable error as this scoping
amount, the audit team achieves a high level of assurance that misstatements above
this amount will be detected. However, for some entities, using this amount may result
in the audit team performing audit procedures on a large portion of the population.

Individually Significant Amounts Greater than Tolerable Error

12.16 For capital-intensive entities such as those engaged in banking,
telecommunications, and real estate, items comprising certain balance sheet accounts
can be so large in relation to tolerable error that virtually all items in a population would
be selected if tolerable error were used to define the individually significant items. For
these situations, it is appropriate to consider defining individually significant relative to
the population rather than in terms of tolerable error.

12.17 The objective of any audit strategy is to obtain reasonable assurance that
material misstatements, if present, will be detected. Defining individually significant as
an amount greater than tolerable error means that there may be items in the population
greater than materiality that are not selected for detailed substantive testing. Therefore,
the audit team must determine that this strategy appropriately responds to the risks in
the population and satisfies the objective of obtaining reasonable assurance.

12.18 The risks in a given population will vary from client to client and industry to
industry. For example, a bank establishes internal controls around the existence
assertion of commercial loans to enforce management’s policies and objectives.
Typically, these controls operate on all loans regardless of size. Therefore, testing the
operating effectiveness of the controls provides the audit team with a basis to use an
individually significant amount that exceeds tolerable error. If a bank did not have such
controls that operate on every transaction or they did not operate effectively, the audit
team would not use the audit strategy described above because they cannot obtain
reasonable assurance that all loans exist.

12.19 To define individually significant relative to the population (at an amount
greater than tolerable error), IDEA must be used. This is done as follows:
• segregate the population into discrete pools of related items (for example,
in a depository institution segregate the loan portfolio into related pools of
loans such as commercial, commercial real estate, credit card, residential
real estate and installment)
• for each pool, determine the average balance and the standard deviation
and stratify the population into eight to ten layers (see example in Exhibit
12.1)
• define individually significant – ordinarily the average balance plus an
amount between one and two standard deviations

12.20 It is vital that the population be comprised of related items with similar
characteristics. Items are related when they share common attributes or characteristics
such as the type of loan. If, for example, a population of all loans in a bank were used,
two undesirable outcomes would transpire. First, it would be unlikely that consumer,
credit card, and other lower balance loans would be subjected to any substantive
testing. Second, the lower balance loans would pull the average balance down and
result in selecting even more of the commercial and other higher balance loans for
substantive testing. The objective of this alternative method of determining individually
significant is to define that amount which allows stratification of high monetary amounts
relative to the population. When multiple or disparate populations are included, the
method will not work.

12.21 After the population is defined, stratify it into layers. Ordinarily, no more than
ten strata are required to analyze the composition of the population. Divide the largest
item in the population by one less than the required number of strata to determine the
interval.

12.22 After the population is stratified, the audit team can use the data to define an
individually significant amount. Remember, this is the amount above which all items will
be tested so it should not be set so low that a large number of items will be selected,
nor should individually significant be set at an amount that exceeds the average balance
in the population plus two standard deviations. Ordinarily, the amount will fall
somewhere between the average balance of the population plus one standard deviation
and the average balance of the population plus two standard deviations.
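
The procedure in 12.19 to 12.22, worked through in Python as an added example; it is not part of the manual and does not reproduce IDEA. The loan balances are constructed, the function names are hypothetical, and the population standard deviation and lower-inclusive layers are assumptions, since the manual specifies neither.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample portfolio (loan id, pool, balance); not data from the manual.
LOANS = [
    ("C01", "commercial", 100_000), ("C02", "commercial", 150_000),
    ("C03", "commercial", 200_000), ("C04", "commercial", 250_000),
    ("C05", "commercial", 300_000), ("C06", "commercial", 350_000),
    ("C07", "commercial", 400_000), ("C08", "commercial", 450_000),
    ("C09", "commercial", 900_000), ("C10", "commercial", 1_800_000),
    ("I01", "installment", 5_000), ("I02", "installment", 8_000),
    ("I03", "installment", 12_000), ("I04", "installment", 15_000),
    ("I05", "installment", 60_000),
]


def segregate(loans):
    """Split the portfolio into pools of related items (12.19, first step)."""
    pools = defaultdict(list)
    for loan_id, pool, balance in loans:
        pools[pool].append((loan_id, balance))
    return dict(pools)


def field_statistics(balances):
    """Average and standard deviation of one pool (pstdev is an assumption)."""
    return {"count": len(balances), "total": sum(balances),
            "largest": max(balances), "average": mean(balances),
            "std_dev": pstdev(balances)}


def stratify(balances, n_strata=10, interval=None):
    """Stratify a pool into n_strata layers (12.21).

    The default interval is the largest item divided by (n_strata - 1), so the
    largest item opens the top layer. Pass a rounded interval to override it.
    """
    if n_strata < 2:
        raise ValueError("at least two strata are needed")
    if min(balances) < 0:
        raise ValueError("negative balances must be netted before stratifying")
    if interval is None:
        interval = max(balances) / (n_strata - 1)
    layers = [{"lower": i * interval, "count": 0, "total": 0}
              for i in range(n_strata)]
    for balance in balances:
        # Clamp so a rounded-down interval cannot push an item past the top layer.
        index = min(int(balance // interval), n_strata - 1)
        layers[index]["count"] += 1
        layers[index]["total"] += balance
    return interval, layers


def individually_significant_amount(balances, k=1.0):
    """Average balance plus k standard deviations, with 1 <= k <= 2 (12.22)."""
    if not 1.0 <= k <= 2.0:
        raise ValueError("k must lie between one and two standard deviations")
    stats = field_statistics(balances)
    return stats["average"] + k * stats["std_dev"]


def select_items(items, k=1.0):
    """Return the threshold and the items above it, all of which are tested."""
    threshold = individually_significant_amount([b for _, b in items], k)
    return threshold, [(i, b) for i, b in items if b > threshold]


def run_example(k=1.0):
    """Select per pool, then repeat on the mixed population that 12.20 warns against."""
    results = {}
    for pool, items in segregate(LOANS).items():
        results[pool] = select_items(items, k)
    mixed = [(loan_id, balance) for loan_id, _, balance in LOANS]
    results["all loans mixed"] = select_items(mixed, k)
    return results


if __name__ == "__main__":
    for name, (threshold, selected) in run_example().items():
        print(f"{name}: threshold {threshold:,.0f}, selected {selected}")
```

On this constructed data the mixed population selects two commercial loans and no installment loans, while pool-by-pool selection picks one item from each pool, which is the distortion 12.20 describes.
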

Identification and Examination of Key Items

12.23 The audit team may also identify key items (items with qualitative
characteristics, such as those that are unusual, prone to error, or have other identified
risks). Key items also may include items that are large in amount, but not necessarily
individually significant. The identification and examination of these key items provide
important audit evidence, frequently in conjunction with other audit tests. For example,
in Horizon, the low risk strategy usually calls for the application of this procedure, in
conjunction with appropriate analytical procedures and tests of individually significant
items.

12.24 Testing key items is routinely performed in audits. In relation to the important
audit evidence provided, it costs relatively little to identify items that have risk or appear
unusual and to test them. In Horizon, scanning is the term used to describe the process
used to identify key items.

12.25 To assure the effectiveness of this procedure, the audit team should define the
key items during the risk assessment process. Further, the audit team member, who
reviews the client's records to identify the key items for testing, should be suitably
experienced and understand the entity and its environment. An inexperienced staff
member may select inappropriate items for testing or fail to identify items that should be
tested.

12.26 As discussed above, judgment is needed to identify key items. For example,
an item might be selected for testing for reasons such as the following:
• susceptibility to misstatement
• the size of the item is larger or smaller than expected
• lack of activity for a lengthy period
• it involves a related party
• it is inconsistent with known information about the entity
• it appears outside the usual scope of the business
• it comes at or near year-end

12.27 The underlying records are usually available in electronic form; therefore, use
of CAATs with IDEA is strongly recommended to help identify items to be tested.

12.28 Once key items are identified, they should be adequately tested. Inquiries of
client personnel without obtaining supporting evidence are inadequate to justify reliance
on the procedure. However, scrutiny of the population, with a determination that no key
items were identified, may form a basis for reliance, if the procedure is appropriately
documented.

Choosing Between Sampling and Other Testing Methods

12.29 The following guidance may be helpful to the audit team in considering the
adequacy or appropriateness of the tests suggested by Voyager:
• Where a large amount of a population's value consists of only a few items,
testing those items and reviewing the rest against expectations, perhaps
testing some, will often provide as much audit reliance as a sample and
will cost less than a sample.
• For reasonably possible risks where controls will not be tested or control
tests have failed, statistical sampling is the preferred response because it
provides a supportable estimate of error.
• There may be other situations influenced by the audit team's view of the
likelihood of errors, such as when the entity focuses attention only on
major accounts. For example, if the entity has four major customers, and
keeps these under scrutiny, while paying significantly less attention to the
rest, the audit team may be concerned about errors in the smaller
accounts and wish to use direct testing to address the risk of misstatement
in the smaller accounts, rather than restrict testing to the major customers.
• When the sample size is small, other tests of details or substantive
analytical procedures should be considered, because the reliability of the
results of small samples is questionable.
• If the sample size is very large, the decision to sample should be
reconsidered to determine if there is a more efficient way to obtain the
necessary audit evidence (e.g., CAATs). If the audit team decides that the
sampling is appropriate, the sample size calculator inputs should be
reexamined to ensure that a sample is not being selected based on
incorrect inputs or assumptions.

Extent of Audit Evidence Required

12.30 The extent to which the audit team places reliance on audit evidence derived
from tests of details varies according to the circumstances. In general, it is a function of
the:
• effectiveness of the particular procedure, and
• scope of the procedure (i.e., the number and monetary value of the items
examined)

12.31 The effectiveness of the procedure increases with the:
• audit team's understanding of the entity and its environment
• relevance and reliability of the audit evidence provided
• extent to which it covers the population being audited

12.32 When considering the extent of audit evidence required to support risks
associated with the valuation – gross assertion, the number of items examined is
usually less relevant than the monetary value of the items examined. Tests of higher
proportions of a population's value provide greater assurance with respect to the
valuation assertion, and can often be designed to give greater assurance as to
existence and ownership rights as well. Therefore, depending on assessed risks, audit
teams typically use either monetary unit sampling (which focuses on high value items
automatically) or high values when selecting items to test.

12.33 In Horizon, tolerable error is the precision measure for the application of audit
procedures.

12.34 Misstatements found while testing details should be added to the Summary of
Unrecorded Misstatements. The audit team should consider the implications of any
misstatements on risk assessments (inherent risk, control reliance, and fraud) and
whether the results of the tests imply the likelihood of additional misstatements in
the unexamined portion of the population. If so, risk assessments should be reevaluated,
audit programs modified and additional testing performed.

12.35 In addition, misstatements identified by the audit team are direct evidence that
the internal controls failed to prevent an error. The audit team should identify the
underlying control deficiency, add it to the appropriate Design Effectiveness tool in
Voyager, and evaluate its severity. As discussed in Chapter 10, a misstatement is at
least a significant deficiency and a strong indicator of a material weakness.

Exhibit 12.1 - Using IDEA to Define Individually Significant Items

E01 This exhibit includes an example of how to define individually significant at an
amount greater than tolerable error. It demonstrates how the power of IDEA can be used to
perform these procedures very quickly with minimal effort.

Obtain the data in electronic format

E02 The entity is a depository institution and the portfolio of loans was obtained in
Excel format. The data in Excel appears as follows:

E03 To interrogate this data with IDEA, it will first be necessary to reorganize the
data. Notice that the heading is more than one line at the top of the file – it is easiest to
import files into IDEA with only one line. The first three lines of the spreadsheet can be
deleted in Excel itself. After this is done, the file appears as follows:

E04 It is also necessary to remove any totals or subtotals before importing the file
into IDEA. Note the totals of the “Net Balance” and “Accrued Int” fields are
$130,538,040 and $830,713, respectively. These totals should be deleted.

Import the data into IDEA

E05 Using IDEA’s import assistant, the data file can be imported into IDEA. The
first item under the File menu is the Import Assistant. Select this option and “Import to
IDEA”. The Import Assistant interface opens:

E06 This is an Excel file, so we can highlight “Microsoft Excel”. Browse to find the
reformatted Excel file. Click “First row is field names” and click OK.

E07 IDEA imports the data, which appears as follows:


E08 Now the data is ready to interrogate using the power of IDEA. In most
circumstances, we would go to “Field Statistics” at this point and finish our task of
defining individually significant. However, for this entity, we still have some work to do to
get the data organized for our use. We can review the field statistics to learn more
information about the data. Click on “Field Statistics” to review field statistics for
selected numeric fields.

E09 Verify that the total of the “Net Balance” field is $130,538,040, which agrees to the
total of the original Excel file. If we review the field statistics for the “Net Balance”
population, we notice significant negative balances, which are skewing the statistics. A
quick inquiry of the client and a scan of the data identify the problem. Many customers
are listed several times as they have more than one loan and payments are sometimes
reflected as a line item rather than a reduction of the loan. We can summarize the data
by customer and solve this problem. To do this, click on the Menu item “Analysis”. Then
click on “Summarization” from the drop down menu that appears. The following
interface appears:

E10 Select “Short Name” as the field to summarize. Next, select “Net Balance” as
the numeric field to total. Click the “Fields” button to select the fields that we want to see
in the summarization. “Short Name” and “Net Balance” are enough as we are only
interested for this demonstration in defining individually significant items.

E11 When we click “OK”, IDEA will create a summarization of the data, which
appears as follows:

E12 Now when we click on “Field Statistics” we see the following statistics:

E13 Note the total of the “Net Balance” field is still $130,538,040 but now there are
no negative balances. The data is summarized in a form that is very usable to us in
defining individually significant. IDEA has totaled the population and determined that the
individual items range from $1,750 to $6,000,000. The average amount is $672,876.
The standard deviation is $1,105,629. Now we can stratify this data and use this
information to define individually significant.

Stratify the data into 8 to 10 layers

E14 IDEA easily performs this task for us. Begin by clicking on the Menu item
“Analysis.” Then click on “Stratification” from the drop down menus that appear. This
opens the following interface:

E15 We need to tell IDEA how we want to stratify the data. As previously
mentioned, determine the interval by dividing the largest item in the population by one
less than the number of strata required. Remember that $6,000,000 is the largest item
in the population and the number of strata required is ten. The calculated interval is
$666,667 so we will round to $650,000 to use as the interval. When we specify this
amount, we can click in the lower and upper limit columns to automatically populate
each stratum. This appears as follows:

E16 From this information, IDEA produces the table below. We can now move to
the final step and define individually significant.

Define individually significant

E17 As previously mentioned, ordinarily the amount defined as individually
significant will fall between one and two standard deviations above the average amount.
Remember from the field stats that the average balance is $672,876 and the standard
deviation is $1,105,629. Thus, individually significant should fall between $1,778,505
and $2,884,134.

E18 From our stratification, the logical break point appears to be $2,600,000.
Defining individually significant at this amount will result in performing detailed
substantive procedures on 17 loans that total $61,949,375.

E19 The population of loans below $2,600,000 would be audited using a
combination of tests of controls and less detailed substantive procedures. These
substantive procedures might include other analysis performed with IDEA (unusual loan
terms or interest rates, no recent payment history, etc.) and testing the accuracy of the
identified items.
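
The steps in E09 through E18 (summarize by customer, derive the stratum interval, stratify, and bound the individually significant amount) can be reproduced outside IDEA. The following is an added example, not IDEA output or code from this manual; the loan lines are constructed, and the use of the population standard deviation is an assumption because the page does not state which formula IDEA applies.

```python
"""Added illustration of the E09-E18 procedure; not IDEA output or firm code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample listing (short name, net balance); not data from the manual.
# Payments are booked as negative line items, the condition described in E09.
LOAN_LINES = [
    ("ACME", 900_000), ("ACME", -150_000), ("ACME", 400_000),
    ("BAKER", 2_000), ("CRANE", 3_100_000), ("CRANE", -100_000),
    ("DELTA", 650_000), ("EVANS", 75_000), ("FOLEY", 1_300_000),
    ("GRANT", 6_000_000), ("HOLT", 20_000), ("HOLT", -5_000),
]


def summarize_by_customer(lines):
    """Total net balance per customer so payment lines net against loans (E09-E11)."""
    totals = defaultdict(int)
    for short_name, net_balance in lines:
        totals[short_name] += net_balance
    return dict(totals)


def stratum_interval(largest_item, strata):
    """E15: largest item divided by one less than the number of strata required."""
    if strata < 2:
        raise ValueError("at least two strata are required")
    return round(largest_item / (strata - 1))


def stratify(balances, interval, strata):
    """Count and total the balances in `strata` equal-width bands starting at zero."""
    table = [
        {"lower": i * interval, "upper": (i + 1) * interval, "count": 0, "total": 0}
        for i in range(strata)
    ]
    for balance in balances:
        # Anything at or above the last lower limit lands in the top band;
        # a negative balance (unsummarized data) lands in the first band.
        index = min(max(int(balance // interval), 0), strata - 1)
        table[index]["count"] += 1
        table[index]["total"] += balance
    return table


def individually_significant_range(average, std_dev):
    """E17: the amount ordinarily falls between average + 1 SD and average + 2 SD."""
    return average + std_dev, average + 2 * std_dev


def split_population(summary, threshold):
    """Separate items for detailed substantive procedures from the remainder (E18-E19)."""
    significant = {n: b for n, b in summary.items() if b >= threshold}
    remainder = {n: b for n, b in summary.items() if b < threshold}
    return significant, remainder


if __name__ == "__main__":
    summary = summarize_by_customer(LOAN_LINES)
    # The control total must survive summarization (the check made in E13).
    assert sum(summary.values()) == sum(amount for _, amount in LOAN_LINES)
    balances = list(summary.values())
    # Assumption: population standard deviation; IDEA's formula is not given on the page.
    low, high = individually_significant_range(mean(balances), pstdev(balances))
    print(f"threshold ordinarily between {low:,.0f} and {high:,.0f}")
    for band in stratify(balances, 650_000, 10):
        print(f"{band['lower']:>10,} - {band['upper']:>10,} {band['count']:>3} {band['total']:>12,}")
    significant, _ = split_population(summary, 2_600_000)
    print("individually significant:", sorted(significant))
```

The break point itself remains a judgment made from the stratification table; the range only bounds where that break ordinarily falls.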

Chapter Thirteen - Audit Confirmations

Summary

This Chapter describes the confirmation process in an audit and provides firm policies
for using confirmations as audit evidence.

Overview
13.01 Confirmation is a procedure used to obtain audit evidence from third parties.
The confirmation process includes obtaining and evaluating audit evidence through a
representation of information or an existing condition directly from a third party in
response to a request for information about a particular item addressing a financial
statement risk. Because confirmations are ordinarily obtained in writing and directly from
sources outside the audited entity, they are highly persuasive as audit evidence.

Types of Confirmations

13.02 Confirmations can be used to obtain information about:
• accounts receivable
• litigation, claims, and assessments
• bank account balances and other information from bankers
• notes receivable
• inventory
• consigned inventory
• investment securities
• property title deeds held by third parties for safe custody or as security
• market values
• life insurance policies
• insurance arrangements
• deposits
• accounts payable
• debt arrangements
• pension and actuarial information
• actual and contingent liabilities
• existence of certain conditions, such as side agreements

13.03 In deciding whether to obtain confirmations as audit evidence, the audit team
must consider the entity and its environment, the ability and willingness of third parties
to respond to the request and prior year experience. Because confirmations can be
costly to obtain, they are not used in every applicable situation. Instead, the audit team
may look to other audit procedures that will provide sufficient audit evidence at a lower
cost.

13.04 Information from prior audits, such as response rates and inaccurate
information on returned confirmations, may be considered in determining the
effectiveness and efficiency of using confirmation procedures. For example, the audit
team may consider obtaining audit evidence from other sources if the response rates to
properly designed confirmation requests were poor in prior audits.

Relationship of Confirmation Procedures to Risk Assessment

13.05 In Horizon, confirmation procedures are suggested in most audits. The audit
team's risk assessment procedures determine the extent to which confirmations are used to
obtain evidence to appropriately respond to a risk. Because confirmation provides
strong, direct third-party evidence, more extensive confirmation procedures are likely to
be used in addition to (or instead of) tests directed to internal documents or inquiries as
the combined risk assessments increase (e.g., confirmation procedures will more likely
be used to respond to reasonably possible risks than not reasonably possible risks).

Assertions Addressed by Confirmations

13.06 Although properly designed confirmations may address risks associated with
any one or all of the financial statement assertions, the information obtained may not be
equally relevant or reliable for all assertions. For example, it may be more effective to
use accounts receivable confirmations as a response to risks associated with the
existence/occurrence assertion than for the valuation-net assertion, where it is
impractical to ask the customer to provide information regarding their ability to repay the
amount due.

The Confirmation Process


13.07 The confirmation process includes various phases:
• designing the request
• sending the request
• obtaining the responses
• evaluating the results

Designing the Request

13.08 Because confirmation requests should be tailored to meet specific audit
objectives, the audit team should consider the assertions being addressed and the
factors that are likely to affect the reliability of the evidence obtained from them. Those
factors include the:
• form of the request (positive or negative)
• design of the request
• prior experience with the entity or with similar audits
• nature of the information being confirmed and the type of information respondents
can readily confirm
• intended respondent

Positive Requests

13.09 Positive confirmation requests, which provide audit evidence only if responses
are received from recipients, may be designed to ask recipients to either:
• indicate whether they agree with information in the request, or
• fill in a balance or provide other information on a blank form

The blank form of confirmation request mitigates the risk that a recipient may sign and
return a request with unverified information (something the auditor cannot detect).
However, because of the additional effort of completing blank form confirmations, they
may have lower response rates and result in the audit team performing additional
alternative procedures.

Negative Requests

13.10 Negative confirmation requests ask recipients to respond only if they disagree
with the information. Implicit in the use of negative confirmations is the assumption that
the addressee received the confirmation request and agreed with the information
shown. Negative requests may reduce audit risk to an acceptable level if all of the
following are true:
• assessed risk of misstatement is low
• there are many small balances involved
• a substantial number of errors are not expected
• there is no reason to believe that recipients will not consider the requests

Electronic Requests

13.11 Electronic confirmations (e.g., those received electronically including facsimile
and email) may reduce response time, but they present additional risks, including
non-authentic sources, compromised integrity of information, and unauthorized respondents.
The audit team can still use electronic confirmations as reliable evidence as long as the
process is secure or the response is authenticated through other procedures.

13.12 When the audit team delivers confirmation requests electronically, they should
perform procedures to determine that the requests will reach the intended recipients.
Examples of such procedures include testing the validity of the email addresses the
entity provided or contacting the recipients on a test basis to verify that the confirmation
request was received.

13.13 When confirmations are received electronically, the audit team should perform
procedures to verify the respondent was authentic and authorized to provide the
information. The use of encryption, electronic digital signatures, and procedures to
verify website authenticity provide evidence that the confirmation is legitimate when it’s
received through email. Alternatively, the audit team could contact the respondents
directly to verify the validity of the confirmation or request the sender to mail the original
confirmation. This alternative should always be used to verify facsimile confirmation
responses.

13.14 Occasionally, a system that facilitates the electronic confirmation process may
be established by the client or a third party. If the audit team intends to use this system,
they should verify that the system is secure and includes controls that ensure the
confirmations received are reliable and valid. An assurance trust services report or
another auditor’s report on the system would assist the audit team in assessing the
design and operating effectiveness of the controls. The report should address the risks
discussed above. If these risks are not adequately addressed in the report, the audit
team should perform procedures to address those risks.

13.15 The audit team is sometimes able to directly access information held by a third
party concerning an account balance. For example, using the entity’s personal
identification number, the audit team may be able to make an on-line inquiry about an
entity’s bank account balance. While such procedures may provide competent evidence
concerning that information, they do not meet the definition of confirmation, as an active
response from the third party is required. Accordingly, an on-line inquiry of the third
party's database using management’s credentials does not constitute a response and
instead constitutes an alternative procedure. Such a procedure does not fulfill the audit
team’s confirmation responsibilities under generally accepted auditing standards.

13.16 The audit team is only able to consider direct access to information held by a
third party as a confirmation when the third party provides the audit team with the
necessary credentials (e.g., access code, user name with a password, secure website
rights) to access the information. For example, using a personal identification number
provided directly from the bank to the audit team, the audit team may be able to confirm
an entity’s bank balance information on the bank’s secure site.

Capital Confirmation

13.17 Over one hundred national, regional, and local depository institutions in the
United States no longer reply to paper confirmation requests. Rather, they have
engaged a third party, Capital Confirmation, to act as an intermediary between
themselves and accounting firms. An intermediary, such as Capital Confirmation,
performs its role by creating a secure link between the accounting firm and the bank.
The auditor enters the confirmation information into the intermediary’s secure site and
the intermediary sends the request to the bank without interference. Likewise, because
the process is automated, the requested confirmation is transmitted back to the
accounting firm without interference. Capital Confirmation utilizes encryption and digital
signatures to protect data and confidentiality.

13.18 This electronic form of confirmation is acceptable and the firm encourages its
use. Responses are quicker and the process is more efficient. Auditors can access the
confirmation response on-line, thus eliminating any risk of losing the paper response in
the mail or in the mailroom. In addition, this provides greater protection against fraud as
all participants in the confirmation process are independently validated by Capital
Confirmation. This form of confirmation meets the requirements for a valid confirmation
procedure.

Nature of Information Being Confirmed

13.19 The respondents' ability to confirm the type of information requested should be
considered in designing confirmation requests, because the nature of the information
being confirmed may directly affect the appropriateness of the evidence obtained and
the response rate. For example, an entity’s customer may be unable to confirm a
balance because the customer’s accounting system operates on an open invoice basis,
but he or she may be able to confirm specific transactions. An understanding of the
substance of the entity’s arrangements and transactions with third parties is an
important factor in determining the information to be confirmed.

13.20 The audit team should also consider confirming the terms of unusual or
complex agreements or transactions, in addition to confirming the amounts, because
such transactions may be associated with high levels of risk (e.g., a large and unusual
sales transaction at year-end). In addition, if there is a risk that there may be significant
oral modifications to an agreement, the existence of such modifications might be
confirmed in addition to the terms of the agreement.

13.21 The audit team should presume that there is a risk of material misstatement
due to fraud relating to revenue recognition. Therefore, the audit team should carefully
evaluate the appropriateness of the client's accounting for revenue transactions and the
need to confirm the terms of transactions and the absence of any side agreements.

13.22 The necessity of confirming terms of transactions and the absence of side
agreements increases when any of the following characteristics are encountered:
• significant sales or volume of sales at or near the end of the reporting
period
• use of non-standard contracts or contract clauses
• use of letters of authorization in lieu of signed contracts or agreements
• altered dates on contracts or shipping documents. (The audit team should
consider the possibility of fraud.)
• concurrent agreements or "linked" contracts and transactions
• lack of evidence of customer acceptance
• existence of bill-and-hold transactions
• existence of extended payment terms or non-standard installment
receivables
• accounting/finance department's lack of involvement in sales transactions
or in the monitoring of arrangements with distributors
• unusual volume of sales to distributors/retailers
• sales, other than sales of software, with commitments for future upgrades
• sales where significant uncertainties and/or obligations to the seller exist
• sales to value-added-resellers and distributors lacking financial strength
• increasing receivables from a customer, which may be an indicator of the
customer's perceptions of the payment terms (e.g., payments not due until
resale to end users)
• aggressive accounting policies or practices (e.g., tone at the top regarding
pressures for revenue and earnings)

Respondents

13.23 Confirmation requests should be directed to parties that are knowledgeable
about the information being confirmed. For example, an entity’s banking arrangements,
such as a loan covenant waiver, should be confirmed with an official at the bank who is
knowledgeable about the waiver and is authorized to respond to the request.

13.24 In designing confirmation requests and evaluating the results, including
whether additional procedures are necessary, the audit team should also consider the
reliability of the audit evidence obtained from the respondent. Reliability is affected by
the respondents' competence, knowledge, motivation, ability or willingness to respond,
and objectivity. In certain circumstances, such as when there is a significant, unusual
year-end transaction that materially affects the financial statements or a respondent
that is economically dependent on or related to the entity, the audit team should consider
whether there is a sufficient basis for concluding that a particular recipient's response can be
expected to provide meaningful and appropriate evidence and whether the respondent
may be motivated to provide an inaccurate response.

13.25 Confirmation requests ordinarily include management’s authorization to the
respondent to disclose the information to the audit team. Respondents may be more
willing to respond to a confirmation request containing management’s authorization, and
in some cases may be unable to respond unless the request contains management’s
authorization.

Sending the Request

Controlling the Confirmation Process

13.26 At all times, the audit team should maintain control over the process of
selecting items to be confirmed, preparing and sending requests, and receiving
responses to the requests. By maintaining control over confirmation requests and
responses, including communicating directly with the intended recipients, the audit team
minimizes the possibility that confirmation requests will be intercepted and altered, thus
biasing the results.

Management Request Not to Confirm

13.27 When the audit team seeks to confirm certain balances or other information,
and management requests the audit team not to do so, the audit team should consider
whether there are valid grounds for such a request and obtain evidence to support the
validity of management’s requests. If the audit team agrees to management’s request
not to seek external confirmation regarding a particular matter, alternative procedures
should be applied to obtain sufficient appropriate evidence regarding that matter. There
might be valid reasons for management’s request, such as items in dispute or a client
not wishing to call a credit balance to a customer's attention. If management makes
such a request, the audit team should consider including a schedule of the accounts,
including the reasons for the request not to confirm, in the management representation
letter. A separate letter from the entity may also be obtained. When considering the
reasons provided by management, the audit team should use the appropriate level of
skepticism and consider whether their request raises concerns about management’s
integrity, including the existence of fraud or errors.

13.28 Further, when the audit team does not accept the validity of management’s
request and is prevented from confirming the requested information, the scope of the
audit is limited and the effect of the limitation on the audit report should be considered.

Obtaining the Responses

13.29 If a response is received by other than a written communication mailed to the
firm, additional evidence may be required to support the validity of the response, such
as verifying by telephone with the purported sender the source and contents of a
response received by fax or electronically.

13.30 A verbal response to an original confirmation is equivalent to a nonresponse.
The audit team should request a written response if the recipient replies verbally.
Receiving a written response is particularly important when dealing with attorney
responses, as a verbal conversation with an attorney is not a direct confirmation.

13.31 Non-replies to positive confirmations should be followed with second and
sometimes third requests. In situations where a call by the audit team to the recipient
prompts the response, a verification call is usually not necessary.

Alternative Procedures for Nonresponses

13.32 Alternative procedures should be applied to nonresponses to positive
confirmations. Alternative procedures vary according to the account and assertion
examined, but should provide audit evidence that the confirmation was intended to
provide. For example, to obtain evidence about the existence of accounts receivable,
alternative procedures might include examination of subsequent cash receipts or
third-party shipping documents, while alternative procedures to provide evidence about
completeness of accounts payable might include an examination of subsequent
disbursements.

13.33 The nature and extent of the procedures selected will also depend on the
assessed risk of material misstatement, the nature of the account balance or other
information the audit team attempted to confirm, and the availability of audit evidence.
Since evidence obtained through confirmation often is more persuasive than internal
evidence, the audit team may need to perform a combination of alternative procedures.

Evaluating Restrictions

13.34 The audit team should review the entire response in detail to find any
restrictions. Some restrictive language does not invalidate the confirmation. When
respondents include boilerplate disclaimers of liability (e.g., information is supplied
without liability or warranty, reply is solely for the purpose of the audit, etc.), the audit
team can still rely on the confirmation.

13.35 Some confirmations may include restrictive language regarding the
completeness or accuracy of the information (e.g., information is not guaranteed to be
accurate nor current, the recipient may not rely upon the information, etc.). The audit
team cannot rely on confirmations with these sorts of restrictions. These types of
restrictions will cause the audit team to perform further procedures to obtain additional
information from the respondent or perform alternative testing over the confirmed item.

Evaluating Exceptions

13.36 Entity personnel may investigate exceptions if the audit team supervises the
activity and subsequently inspects the evidence supporting their explanation of
differences. The audit team should maintain control over the confirmations by
maintaining the original confirmation reply and providing the entity personnel with a
copy or other record of the reply.

13.37 The audit team should consider the cause and frequency of exceptions
reported by the respondents. Exceptions may indicate a misstatement and/or internal
control deficiency or inappropriate risk assessments. This may change the nature,
timing, and extent of audit procedures necessary to determine that the financial statements
are not materially misstated.

Negative Confirmations

13.38 The audit team should investigate and determine the effects on the audit of
relevant information provided in responses to negative confirmations. If an investigation
of negative responses indicating errors in the amounts confirmed reveals a pattern of
errors, it may be necessary to reconsider risk assessments and the effect on planned
audit procedures.

13.39 Returned negative confirmations may provide evidence addressing the
financial statement risks. However, unreturned negative confirmations ordinarily provide
less reliable audit evidence. Therefore, additional substantive procedures may be
required when using negative confirmations.

Evaluating the Results

13.40 When all differences are resolved (alternative procedures completed,
misstatements identified, etc.), the audit team should evaluate the combined evidence
provided by confirmations and the alternative procedures to determine whether
sufficient evidence has been obtained about all applicable assertions. As part of that
evaluation, the audit team should consider:
• the reliability of the confirmations and alternative procedures (especially
those from related parties)
• the nature of exceptions, including their quantitative and qualitative
implications
• evidence obtained by other procedures
• whether additional audit evidence is necessary

If the evidence provided by confirmations, alternative procedures, and other procedures
is not sufficient, the audit team should select additional items for confirmations or extend
other tests, such as tests of details or analytical procedures. If the evidence provided by
confirmations is not reliable, the audit team should reevaluate the risk assessments,
including the risk of fraud.

Practical Guidance
13.41 Audit teams should consider the following practical guidance:
• the confirmation process should be under their control at all times - from
selection through return receipt (see Controlling the Confirmation Process)
• requests from management not to mail specific confirmations should be
brought to the audit manager's attention; these requests should be
carefully considered (see Management Request Not to Confirm)
• the addresses should be scanned; unusual addresses, including
significant confirmations being sent to post office boxes, should be
investigated
• care should be exercised if requested to direct confirmations representing
significant amounts or transactions to specified individuals who might not
be known to us or identified in supporting documentation (e.g., a bank
employee other than the loan officer normally involved in the entity’s
affairs, a person other than the account executive named on a brokerage
statement). Such requests should be treated with appropriate skepticism.
• appropriate skepticism should also be exercised when a large portion of
the responses are received by fax or electronically

13.42 Confirmation procedures may represent a substantial portion of audit time.
Accordingly, the following can enhance both audit effectiveness and efficiency:
• a control list of confirmation requests should be maintained. Word
processing files should be retained to print additional copies for second
requests.
• ensure that mailing envelopes bear the GT office’s return address
• have the return envelopes marked in the lower left-hand corner with a
symbol readily identifiable by mailroom personnel (initials, initials of client,
assignment number, or some other recognizable code)
• make certain that firm personnel mail all confirmations personally

13.43 [Tailor the following paragraph to suit the practice of your country] Illustrative
confirmation letters are located in GEL under Practice Aids > Confirmation Letters. The
letters may be tailored to fit the circumstances of a particular client, but the content of
the sample letters should be followed.

13.44 Entity personnel can be used to:
• prepare confirmation requests
• assist in readying confirmation requests for mailing
• facilitate our examination of differences and non-responses:
   • list and accumulate data
   • reconcile book and reported amounts for our follow up and examination
   • accumulate shipping documents, subsequent remittance advices and
   other documents, for our inspection

13.45 In Voyager, confirmations returned with exceptions should be scanned and
embedded into the engagement file and also retained in the paper file. For efficiency
purposes, confirmations received without exception should be retained only in the paper
file instead of being scanned and embedded in the electronic file.

Confirmation of Accounts Receivable

13.46 Auditing standards require confirmation of accounts receivable and establish a
presumption that must be overcome. As a presumption, it is not sufficient to merely
assert that, for example, the use of confirmations would be ineffective. Rather it is
necessary to provide evidence sufficient to overcome the presumption.

13.47 A decision not to confirm accounts receivable must be documented. This
documentation should include a thorough assessment of the reasons underlying that
conclusion, and should make a compelling case that use of confirmations would truly be
ineffective (if that is the reason) and not merely inconvenient. The following are potential
situations where accounts receivable might not be confirmed:
• accounts receivable are immaterial to the financial statements
• using confirmations would be ineffective
• the combined assessed level of inherent and intended control reliance is
low for the applicable financial statement assertions

13.48 In addition, when confirmation procedures are not used because the audit
team concludes they would be ineffective, a larger number of items should be tested
using alternative procedures than would have otherwise been tested through
confirmation.

Confirmation of Accounts Payable

13.49 Confirmation with major suppliers, including those with small or zero balances,
can substantially contribute to establishing the completeness of accounts payable. In
addition, confirmation of accounts payable can prove to be an effective procedure in the
detection of "round-trip" or "linked" transactions.

13.50 "Round-trip" or "linked" transactions occur when an entity enters into a
seemingly valid sales transaction with a customer but sends all or some of the sales
proceeds back to the customer in another seemingly valid purchase transaction, often
affecting a different accounting period. For those entities in which round-tripping has
been identified as a risk, the audit team should consider confirming balances for those
major customers and/or suppliers in which the company both received revenue and
made purchases during the year.
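
The selection described in 13.50 can be run over the sales and purchase ledgers to list the counterparties worth confirming. The following is an added example, not firm code or a prescribed procedure; the ledgers, the period end and the `minimum` cut-off for a "major" counterparty are constructed assumptions.

```python
"""Added illustration of selecting round-trip confirmation candidates (13.50)."""
from collections import defaultdict
from datetime import date

# Constructed ledgers (counterparty, posting date, amount); not data from the manual.
PERIOD_END = date(2015, 12, 31)
SALES = [
    ("Northwind", date(2015, 12, 28), 500_000),
    ("Northwind", date(2015, 6, 3), 40_000),
    ("Orion", date(2015, 3, 14), 250_000),
    ("Pioneer", date(2015, 11, 30), 90_000),
]
PURCHASES = [
    ("Northwind", date(2016, 1, 9), 480_000),  # posted after the period end
    ("Pioneer", date(2015, 8, 2), 3_000),
    ("Quartz", date(2015, 5, 20), 120_000),
]


def _totals(entries):
    """Sum the ledger amounts per counterparty."""
    totals = defaultdict(int)
    for counterparty, _posted, amount in entries:
        totals[counterparty] += amount
    return totals


def round_trip_candidates(sales, purchases, period_end, minimum=50_000):
    """Return counterparties with both revenue and purchases of at least `minimum`.

    `minimum` stands in for the audit team's judgment of what is "major";
    it is a hypothetical parameter, not a firm threshold.
    """
    revenue, bought = _totals(sales), _totals(purchases)
    candidates = []
    for name in sorted(set(revenue) & set(bought)):
        if revenue[name] <= 0 or revenue[name] < minimum or bought[name] < minimum:
            continue
        sold_in_period = any(n == name and d <= period_end for n, d, _ in sales)
        bought_after = any(n == name and d > period_end for n, d, _ in purchases)
        candidates.append({
            "counterparty": name,
            "revenue": revenue[name],
            "purchases": bought[name],
            # Share of the revenue that flowed back out to the same party.
            "returned_ratio": round(min(bought[name] / revenue[name], 1.0), 2),
            # Sale inside the period with a purchase after it: the timing 13.50 describes.
            "crosses_period_end": sold_in_period and bought_after,
        })
    # Largest two-way flow first, so the most significant balances are confirmed first.
    candidates.sort(key=lambda c: min(c["revenue"], c["purchases"]), reverse=True)
    return candidates


if __name__ == "__main__":
    for row in round_trip_candidates(SALES, PURCHASES, PERIOD_END):
        print(row)
```

A hit only identifies a balance to confirm on both the receivable and payable side; it is not evidence of a round-trip transaction by itself.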

13.51 Situations that may present risks where the appropriate response may be
confirmation of accounts payable include:
• internal controls over payables and cash disbursements are weak,
creating a greater risk of unprocessed and unrecorded vendor invoices
• industry practices create a higher risk of unrecorded liabilities and/or
inappropriate accounting (e.g., internet entities, software companies, real
estate, energy, telecommunications)
• complex business transactions that create an environment where
unrecorded accounts might exist (e.g., business combinations, royalty
deals)

13.52 In the following situations, the audit team should consider testing supporting
payments made to suppliers subsequent to the confirmation date to identify items that
should have been accrued as payable at the confirmation date, but were not:
• statements are not available from non-replying suppliers
• suppliers with unusually large or unusually small balances were not
included with the suppliers subject to confirmation

Confirmation of Litigation and Claims

13.53 When the audit team identifies a risk of material misstatement related to
litigation or claims, the audit team should directly communicate with the entity’s legal
counsel. A letter, prepared by management and mailed by the audit team, should
request the lawyer to communicate directly with the audit team.

13.54 If management refuses to give permission to communicate with its legal
counsel, this would be a scope limitation and ordinarily result in a qualified opinion or
disclaimer of opinion.

Confirmations Sent Prior to the Balance Sheet Date

13.55 When supported by risk assessments, the audit team may confirm accounts or
transactions prior to the balance sheet date. If confirmations are done at an interim
date, the audit team should obtain sufficient appropriate audit evidence that transactions
relevant to the assertion in the intervening period are not materially misstated.

Chapter Fourteen - Sampling

Summary

This Chapter explains the basic concepts of sampling and gives specific guidance on
the application of sampling when used in substantive testing. It also provides guidance
for when and how to apply attribute sampling.

Introduction
14.01 Audit sampling is the application of audit procedures to less than 100% of the
population comprising an account balance or class of transactions to evaluate
evidence as to the overall correctness of account balances or classes of
transactions. In Horizon, the term “sampling” implies the use of the Grant
Thornton Sampling Plan. The principles of GTSP are incorporated into Voyager’s
sampling component.

14.02 ISA 530, Audit Sampling states that, when using audit sampling, the objective of
the auditor is to provide a reasonable basis to draw conclusions about the
population from which the sample is selected. ISA 530 does not specify the
methods or factors the auditor uses when determining an appropriate sample
size or selecting a sample of items for testing from a population. To provide
consistency, GTIL developed GTSP.

14.03 The objectives of GTSP are to:
 attain effective and efficient audit samples
 document the considerations that determine sample sizes
 evaluate sample results
 facilitate compliance with professional standards

14.04 GTSP is a unique approach to audit sampling, a comprehensive and systematic
plan that focuses directly on the assessment of audit risk and integrates
statistical theory with the use of audit judgment. The plan provides for the
translation of subjective audit judgments into quantitative terms for the following
key features:
 materiality and tolerable error
 inherent risk
 control reliance
 evidence from other related substantive procedures, including
analytical procedures
 expected aggregate error in the population

14.05 Sometimes high-value or key-item testing is the appropriate response to the
risks present in an account balance or class of transactions.
High-value testing or testing individually significant items is examining 100
percent of the items above a certain monetary unit amount. This is not sampling
as the audit team is actually dividing the population (account balance or class of
transactions) into two populations, one of which is tested 100% and the other is
tested by other means or not tested at all. In this approach, the high-value
population that the audit team tests represents a high proportion of the total
account balance so that the monetary unit amount of the untested population
represents a lower risk of material misstatement. The risk of material
misstatement in the untested population can be further reduced by performing
other less detailed, substantive procedures such as analytical procedures.
Alternatively, the risk of a material error in the untested items may be sufficiently
low to warrant no further testing.
Key-item testing involves identifying items with qualitative characteristics
(unusual, prone to error, or other identified risks), comprising a balance or class
of transactions, that in the audit team’s judgment should be tested. Key items
also may include large dollar items, but may not be individually significant. Again,
this is not sampling as the audit team is separating the total population into two
smaller populations, high-value and key items. Examples of these qualitative
considerations include:
 transactions or balances that are subject to a high degree of management
involvement
 transactions or balances that are not in the ordinary course of business,
especially with related parties
 balances with unexpectedly low activity for an extended period of time (e.g.,
slow-moving items in inventories and old outstanding receivables)
 suspicious or unusual items and apparent deviations from normal operations
 significant year-end transactions or adjustments
The selection of key items in a population may be simplified by using IDEA.
Defining what will constitute a key item should be determined by the audit team
during risk assessments.

Sampling Risk

14.06 Sampling risk arises from the possibility that a test applied to a sample will result
in a conclusion that differs from the conclusion that would be reached if all units
in the population were examined. That is, a particular sample may contain
proportionally more or fewer monetary errors than exist in the population.
Sampling risk increases as the sample size decreases.

14.07 Two aspects of sampling risk are of concern when performing substantive tests
of details:
 Risk of Incorrect Acceptance is the risk that the sample supports the
conclusion that the population is not materially misstated even though, in fact,
the population is materially misstated
 Risk of Incorrect Rejection is the risk that the sample supports the conclusion
that the population is materially misstated even though it is not

14.08 Sampling risk is determined and controlled in a statistical sample. Although
sampling risk is not quantified for a nonstatistical sample, the extent of such risk
is reduced by representative selection and by stratification.

Nonsampling Risk

14.09 Nonsampling risk includes all aspects of audit risk that are not due to sampling.
Nonsampling risk includes the possibility of selecting audit procedures that are
not appropriate for the audit objective (e.g., confirming recorded receivables
cannot be expected to detect unrecorded receivables). Nonsampling risk also
includes the possibility that the audit team fails to recognize errors in documents
examined. This failure will make the procedure ineffective, even if all items are
examined.

Plan the Test


14.10 To properly plan and select a sample for testing, the audit team should:
 decide whether sampling is the correct strategy
 analyze the population
 understand sampling test objective
 define an error
 determine the population to test
 identify individually significant and other key items in the population
 define sampling unit
 determine the sample selection method
 estimate expected aggregate error

Decide Whether Sampling is the Correct Strategy

14.11 Horizon does not require sampling, but it is suggested as the testing strategy for
a number of reasonably possible risks where a low-risk audit strategy could not
be achieved. The audit team should decide whether sampling is the most
effective or cost-effective audit approach. Conditions to be considered in deciding
whether to use sampling include:
 Whether the contemplated audit procedures are effective when applied on a
test basis – Some audit procedures are not ordinarily applied to a sample. For
example, because the power of analytical procedures is derived from
analyzing all the data and their relationships, sampling is not generally used
when applying analytical techniques.
 The cost-benefit relationship – Audit procedures that provide a relatively high
degree of evidence at relatively low cost are frequently applied on a more
extensive basis than a representative sample. Sampling should generally be
avoided whenever such procedures are available (e.g., significant coverage
by examining large monetary values or unusual items based on quantitative
or qualitative characteristics, applying analytical procedures, or a combination
of both such approaches). IDEA is an excellent tool for analyzing populations
and identifying unusual items. For example, we might recompute depreciation
expense 100% with IDEA, since extensive evidence is provided at relatively
low audit cost.
 The potential for material error – Horizon does not recommend sampling in
situations where material errors are less likely. These situations include
reasonably possible risks where controls were tested as effective and inherent
risk is medium, and risks that are not reasonably possible. These
risks can be audited more effectively and efficiently by applying less invasive
substantive procedures or utilizing analytical procedures.

14.12 Sampling is ordinarily preferred for a population made up of a large number of
individually insignificant amounts that, in the aggregate, are material to the
financial statements (e.g., trade accounts receivable). This is especially true if the
account in question is a balance sheet account. Additional factors that might
indicate that sampling is appropriate are:
 the potential risk of a material misstatement in a population is not low
 internal control weaknesses exist
 it is necessary to develop an estimate of the account balance or class of
transactions instead of testing an existing balance (e.g., determining the value
of inventory because the inventory prices for individual items are not updated
throughout the year)

14.13 Horizon suggests sampling as a testing strategy based on the risks present
rather than the composition of the population. As a result, there may be instances
when Voyager includes a sampling procedure, but sampling may not be the best
testing strategy. For example, a high-risk, material balance may include very few
large items. In this instance, selecting the large items for testing may be a more
effective and efficient strategy (assuming the total of untested items does not
exceed tolerable error).

14.14 Alternatively, Horizon does not suggest sampling as the testing strategy in lower
risk areas. Generally, it would not be appropriate to add a sampling procedure to
test balances below materiality. Things to consider before adding a sampling
procedure:
 Risk assessments – Audit teams should consider whether their risk
assessments are appropriate. If audit teams believe they need to perform
additional procedures, this may indicate that the risk is actually higher than
their initial risk assessment.
 Control reliance – Review the controls tested to determine whether the
correct controls were tested or whether the controls were precise enough to
prevent or detect the misstatement.
 Unusual transactions – Determine whether the risk relates to only a small
number of unusual transactions or to the entire population. It would not be
effective to test the entire population when the risk only relates to specific,
unusual transactions. Examine the population for key or unusual items to be
tested.

14.15 Sampling may be used as a substantive test or for testing key controls,
depending on whether the audit team is attempting to evaluate an amount in a
balance or class of transactions or the operating effectiveness of identified key
controls.

Analyze the Population

14.16 It is important to analyze the population prior to sampling. Through analyzing the
population, the engagement team may determine there are multiple
subpopulations that have different risk characteristics that may need to be
considered separate populations. Separating the population into subpopulations
minimizes the variability of the population. For example, items that are clear
outliers (or key), due to their high monetary value or qualitative criteria, are
normally tested separately as they may not be representative of the population.

14.17 In cases of extreme variability the engagement team may need to consider
whether the population should be segregated into multiple subpopulations to
reduce the variability.

14.18 IDEA’s field statistics feature is a useful tool in analyzing the population.

Understand Sampling Test Objective


14.19 The objective of a sampling procedure differs depending on whether the
procedure is a substantive procedure or a test of controls. The objective of a
substantive procedure is to gather evidence about an assertion. The objective of
a test of controls is to gather evidence relating to the operating effectiveness of
internal controls. Sample design is a function of test objective. Therefore, when
sampling, the audit team should identify the objective of the test in order to
determine the appropriate sample design. Ordinarily, samples designed as tests
of controls do not provide sufficient evidence to reach a meaningful monetary
(substantive) conclusion.

14.20 The following are examples of test objectives:


Test                          Objective
Confirmation of receivables   Determine whether the accounts receivable exist and the sales occurred
Inventory test counts         Determine whether the quantities are accurate and exist
Inventory price tests         Determine whether the recorded amount is correct (is it priced correctly?)

Define an Error

Substantive Samples

14.21 Errors should be defined by the audit team during the design of the sampling
application. An error (intentional or unintentional) is a matter that causes a
misstatement in the financial statements and can involve:
 unintentional mistakes or omission of amounts in an account balance or class
of transactions, including mathematical or clerical mistakes in the underlying
records and accounting data from which the financial statements were
prepared
 mistakes in the application of accounting principles
 oversight or misinterpretation of facts that existed at the time the financial
statements were prepared
 intentional omissions

14.22 The following are examples of errors:


Test                          Errors
Confirmation of receivables   Customer disputes the recorded balance
Inventory test counts         Quantities per records do not match quantities on hand
Inventory price tests         Incorrect inventory prices or improper accounting

Tests of Controls Samples

14.23 Tests of controls deviations should be defined during the design of the sampling
application. The purpose of a test of controls is to gather evidence about the
operating effectiveness of a control. Therefore, all deviations are considered
significant to the sample, regardless of the amount involved in a particular
transaction. A deviation in this context is an occurrence where a control was not
applied correctly whether or not a quantitative error has occurred. Deviations
may result from factors such as:
 human error caused by fatigue, carelessness, misunderstanding of
instructions, etc.
 changes in personnel, with consequent unfamiliarity with procedures
 periodic fluctuations in the volume of transactions

Determine the Population to Test

14.24 A population is all the items from which a sample is taken and about which the
sample provides information. Since any conclusion based on a sample can only
be extended to the population from which it was selected, it is important that the
population be defined as precisely as possible. The audit objective should also
be considered when defining the population. For example, if the characteristic
being tested were inventory purchases, it would not be efficient to define the
population as all vouchers in the voucher register (purchase journal), because
that population would include many items unrelated to inventory.

14.25 The following are examples of populations:


Test                          Population
Confirmation of receivables   Accounts receivable as of the confirmation date
Inventory test counts         Inventory recorded as of the observation date
Inventory price tests         Inventory recorded as of the testing date

14.26 Because an item erroneously excluded from a population to be sampled cannot
be selected for testing, supplementary procedures should be performed to
assure that the sampled population is complete (population completeness tests).
Other audit procedures will often provide assurance about population
completeness. Examples of such other procedures are:
 totaling the population and agreeing the balance to the general ledger
 testing for unrecorded transactions and balances (e.g., search for unrecorded
liabilities or unrecorded sales)

14.27 For an unpriced population, such as shipping reports, completeness may often
be tested by reviewing the numerical sequence of prenumbered documents.
Similarly, completeness of inventory quantities may be tested by observing
controls during inventory observation procedures.

14.28 Sometimes a population should be divided into several subpopulations.
Examples follow for a substantive test and for a test of controls:
Substantive Tests – confirmation of retail receivables that includes both normal
credit and installment receivables. To maximize the response rate, the audit team
might confirm individual invoices outstanding for credit receivables and
outstanding balances for installment receivables.
Tests of Controls – If management represents that a control procedure was in
operation during the period for all locations except one, the test of controls
population may properly exclude that location, and a valid test of controls
conclusion may be reached on the remaining locations. Additional procedures
might be necessary to reach an audit conclusion on the location without the
control.

14.29 For certain audit objectives, items may be selected from a population other than
the one to which the conclusion relates. For example, an understatement
resulting from omitted items will not be detected by sampling recorded items. An
appropriate sampling approach for detecting understatement errors is to select a
sample from a reciprocal population that might include the omitted items. For
example, a sample of entries in the repairs and maintenance account can help
determine the understatement of fixed asset additions. Relative to fixed assets,
repairs and maintenance is a reciprocal population. If fixed assets are
understated, the account that is usually overstated is repairs and maintenance.
Testing repairs and maintenance for overstatement correspondingly tests fixed
assets for understatements.

Identify Individually Significant and Other Key Items in the Population


14.30 The audit team may decide to individually examine certain items in a population.
These items would be excluded from the population to be sampled and examined
separately. The identification of these key items might be based on a monetary
amount or qualitative considerations.
Monetary Cutoff – The determination of individually significant items based on
a monetary cutoff is required for all nonstatistical substantive samples. The level
of the monetary cutoff is a matter of audit judgment; however, it should not
ordinarily exceed tolerable error. For example, if the population consists of a
large quantity of small monetary amounts, a general guideline is to consider all
items larger than tolerable error as individually significant; however, any value
less than or equal to this amount may be used.
Qualitative Considerations – Key items may also warrant audit attention,
regardless of their size. Examples of these qualitative considerations or key
items are:
 transactions or balances that are subject to a high degree of management
involvement
 transactions or balances with a high probability of error
 transactions or balances that are not in the ordinary course of business
 related party transactions
 balances with no activity for an extended period of time (for example, slow
moving items in inventory and old receivable balances)
 suspicious or unusual items, and apparent deviations from the norm
 significant year-end transactions

Define Sampling Unit

14.31 A sampling unit is any of the individual items that constitute the population. The
sampling unit should be defined in advance since the selection of the items, the
extent or time required to audit the sample items selected, and the evaluation of
the result will depend on the unit selected.
Substantive Sampling – The sampling unit for a substantive sample may be any
element, provided that the total value of all such elements equals the total value
of the balance or class of transactions being audited. If, for example, the audit
objective is to verify the total balance of accounts receivable by confirmation, any
of the following could be specified as the sampling unit:
 total customer balances (the usual method when using confirmations)
 open invoices (which may be more productive than account balances if
customers are unable to confirm total balances and may be more efficient
because of a reduction in the time required to perform alternative procedures
on nonresponding accounts)
 line items on open invoices (may be appropriate in the case of very complex
invoicing procedures)
Selection of the sampling unit should be based on considerations of
convenience, economy and effectiveness, because sampling results do not
depend on the level of aggregation in the sampling unit. Preference among the
alternatives should be based on information available or the information most
likely to elicit a response.
Tests of Controls – The sampling unit should be defined in light of the control
procedure to be tested. For example, if the sample is designed to test the control
procedure over proper authorization of cash disbursements (documented by an
officer initialing a voucher), the voucher might be the sampling unit and the
presence or absence of evidence of proper authorization is the control procedure
being tested. However, if each item on a voucher has a documented control
feature, the line item may be the sampling unit and several sampling units may
be on one voucher.

Determine the Sample Selection Method

14.32 A sample should be selected so that it can be expected to be representative of


the population (i.e., the characteristics of the sample should not be expected to
differ from those of the population for any reason other than sampling risk). The
following are representative selection methods:
 haphazard sampling (the sample is selected from the entire population with
no attempt to either include or exclude any sampling unit)
 monetary unit sampling (also known as probability proportional to size
sampling; this method is used for statistical samples)
 systematic sampling (every nth item)

14.33 For a substantive sample, the population is normally stratified (monetary unit
sampling automatically stratifies the population). Representative sampling should
be used in each stratum.

Estimate Expected Aggregate Error

14.34 Voyager’s default value for the expected aggregate error is ten percent of
tolerable error. It is important for engagement teams to consider whether the
starting point of 10% requires modification. In making this judgment, factors that
may positively or negatively affect the expected number and size of errors
include:
 the results of other procedures already performed on the same population
 the nature of the population (e.g., whether it is comprised of routine
transactions or transactions that involve judgment)
 historical experience when auditing the same population of items
 changes in the entity’s environment or changes in the entity’s accounting
processes since the prior audit

14.35 As expected misstatement is increased, engagement teams need to consider
whether sampling remains appropriate or if management should be asked to
rework the population before it is tested.

14.36 Care needs to be taken before setting the expected aggregate error to zero.
Taking this approach means that a single identified misstatement, even if very
small, increases the likelihood of the sample not meeting the desired precision.
The consequence is that when expected aggregate error is set at zero and an
error is identified in one or more sample items, the sample will not achieve its
objectives and the engagement team will need to perform additional audit work.

Substantive Sampling
14.37 Samples for performing substantive tests of detail are designed to gather
evidence about the assertions contained in account balances or classes of
transactions, and are often used to provide primary audit evidence. In turn, the
size of the sample is a chief element governing the strength of the sample. GTSP
combines the following factors in determining sample sizes for nonstatistical and
statistical samples using the model known as Monetary Unit Sampling:
 inherent risk assessment – as this risk decreases, sample size decreases
 control reliance – as reliance increases, sample size decreases
 materiality and tolerable error – as these amounts increase, the sample size
decreases
 population size – as the magnitude of the population to be sampled (as
expressed in monetary units) increases, sample size increases
 assurance provided from analytical procedures and other related substantive
audit procedures – as the evidence from these audit procedures increases,
sample size decreases (less evidence is necessary from the sampling
procedure)
 frequency and magnitude of expected errors – as the frequency and
magnitude of expected errors increase, sample size should increase
 stratification – as the range of values in the population to be sampled
(variability) decreases, the size of the sample decreases. Stratification
reduces population variability by segmenting a population into two or more
groups

14.38 The following summarizes the above discussion:


Factors Influencing Sample Sizes

Factor                                         Larger Sample Sizes      Smaller Sample Sizes
Inherent risk                                  Higher                   Lower
Control reliance                               Less                     More
Materiality and tolerable error                Smaller                  Larger
Population size                                Larger                   Smaller
Evidence provided by related substantive procedures (other detailed tests or analytical procedures)   Less   More
Frequency and magnitude of expected errors     Increased                Decreased
Stratification                                 Larger range of values   Smaller range of values

Sampling Methods

14.39 There are two methods of audit sampling: nonstatistical and statistical. Both
require judgment in planning, performing, and evaluating the sample and both
methods are acceptable. The only difference between the approaches is that
statistical sampling allows the audit team to objectively measure the sampling
risk. Sampling risk cannot be measured in a nonstatistical sample.

14.40 The use of statistical sampling is encouraged even when the sample size for a
statistical and non-statistical sample is the same. Statistical sampling provides
the engagement team with useful information on whether the sample achieved
the desired results and uses probability theory to evaluate results of the sample.

14.41 When designing nonstatistical or statistical samples, the same considerations
apply (see above). For example, in both methods test objectives, population,
sampling unit, definition of errors, audit procedures, acceptable risk, and
materiality and tolerable error are defined.

Stratification

14.42 Stratification is the process of dividing the population to be sampled into two or
more subpopulations or strata. A portion of the sample is then allocated to each
of the strata. The purpose of stratification is to reduce the variability of the
population to be sampled and thereby reduce the required sample size.

14.43 Since unstratified samples are considerably less effective than stratified samples
in reducing sampling risk, GTSP requires the computed non-stratified sample
size to be increased by fifty percent. However, where our primary audit concern
is understatement instead of overstatement (for example, deposit liabilities in a
financial institution) the stratification concept is not relevant. GTSP therefore
does not double the computed non-stratified sample size.

14.44 For some unpriced populations, stratification by monetary amount is not possible.
In these circumstances, the population can be stratified based on some
alternative criterion that is expected to correspond to the value of sampling units.
For example, if an entity deals in products with similar prices, inventory can be
stratified based on quantities. If there is a wide disparity in the price of products,
stratification may be based on the type of product. Such forms of stratification
may be useful in, for example, inventory observation procedures.

14.45 Stratification can be accomplished in a number of ways. For nonstatistical
samples, dividing the population to be sampled into two strata is ordinarily the
most cost-effective. Horizon recommends that the boundary between the two
strata be the average value of the population to be sampled. The upper stratum
is all items greater than the average value and the lower stratum is all sampling
items less than the average value. If more than two strata are desired, statistical
sampling will probably be more cost-effective. The recommended allocation of
the sample size between the two strata is as follows:

Recommended Allocation of Sample Size
Upper Stratum   2/3
Lower Stratum   1/3

14.46 Any nonstatistical sampling plan that does not follow the foregoing guidelines
should be considered unstratified for purposes of determining sample size.
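
The monetary cutoff in 14.30 and the two-stratum split and 2/3 to 1/3 allocation in 14.45, worked through as an added Python example; it is not part of the manual and is not Voyager or GTSP code. The ledger is constructed, the sample size is taken as a given input, and seeded random selection (standing in for a representative selection method), placing items equal to the average in the lower stratum, rounding the 2/3 share and moving a shortfall to the lower stratum are all assumptions.

```python
import random
from statistics import mean

# Constructed receivables ledger: customer id -> recorded balance in whole
# currency units. Amounts are assumed to be non-negative.
LEDGER = {
    "C001": 48000, "C002": 1200, "C003": 9500, "C004": 300,
    "C005": 15500, "C006": 700, "C007": 2200, "C008": 6100,
    "C009": 450, "C010": 31000, "C011": 900, "C012": 5200,
}


def plan_stratified_sample(items, tolerable_error, sample_size, seed=0):
    """Split a population into individually significant items and two strata,
    then allocate and select a sample of the given size.

    items           -- dict of sampling-unit id -> recorded amount
    tolerable_error -- used here as the monetary cutoff (14.30 says the
                       cutoff should not ordinarily exceed tolerable error)
    sample_size     -- computed elsewhere; an input to this example
    seed            -- seeds the selection so a run can be repeated
    """
    if tolerable_error <= 0 or sample_size < 0:
        raise ValueError("tolerable_error must be > 0 and sample_size >= 0")

    # Items above the cutoff are examined individually and removed from the
    # population to be sampled.
    significant = sorted(k for k, v in items.items() if v > tolerable_error)
    remaining = {k: v for k, v in items.items() if v <= tolerable_error}
    if not remaining:
        return {"individually_significant": significant, "boundary": None,
                "stratified": False, "upper_sample": [], "lower_sample": []}

    # Boundary between the strata is the average value of the population
    # to be sampled (after the significant items are taken out).
    boundary = mean(remaining.values())
    upper = sorted(k for k, v in remaining.items() if v > boundary)
    # Assumption: an item exactly equal to the average goes to the lower stratum.
    lower = sorted(k for k, v in remaining.items() if v <= boundary)

    # Upper stratum gets 2/3 of the sample, rounded to the nearest item
    # (assumption), capped at the stratum size; the rest goes to the lower
    # stratum. When every item has the same value the upper stratum is empty
    # and the whole sample is drawn from one unstratified population (14.47).
    upper_n = min((2 * sample_size + 1) // 3, len(upper))
    lower_n = min(sample_size - upper_n, len(lower))

    rng = random.Random(seed)
    return {
        "individually_significant": significant,
        "boundary": boundary,
        "stratified": bool(upper),
        "upper_sample": sorted(rng.sample(upper, upper_n)),
        "lower_sample": sorted(rng.sample(lower, lower_n)),
    }


if __name__ == "__main__":
    plan = plan_stratified_sample(LEDGER, tolerable_error=25000, sample_size=6)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the constructed ledger, two balances exceed the cutoff and are tested 100%, the remaining ten average 4,205, and a sample of six takes four items from the upper stratum and two from the lower.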

14.47 Occasionally, audit teams will encounter situations where all sampling units in a
population have the same value (for example, subscriptions receivable). If little or
no variability exists in the value of the items in the population to be sampled, an
unstratified sample should be used, and the sample size need not be doubled
since the purpose of stratification is to reduce variability. However, audit teams
should exercise caution when deciding that a population’s monetary
characteristics are homogenous and therefore do not need to be stratified. Using
the subscriptions receivables as an example, the subscription term for which the
receivables exist can vary, for example, from one to three years. In this situation,
the population may not be homogenous.

Other Sampling Considerations

Partner/Manager Involvement in Computing Sample Sizes

14.48 The sampling component in Voyager determines sample sizes used by the audit
team based on a number of key judgments. Therefore, it is important that the
partner or manager review the judgments before the audit team selects sample
items and performs tests. Those judgments include:
 materiality and tolerable error (appropriately adjusted for multiple locations)
 individually significant and key qualitative items
 population value
 inherent risk assessment
 intended control reliance
 expected aggregate error
 procedures that the audit team relies on to reduce sample size
 whether the computed sample size makes sense and provides for sufficient
audit evidence

Negative Confirmations
14.49 In addition to the above considerations, generally, sample sizes should be
increased when negative confirmations are used. The sample size calculated by
GTSP assumes that positive confirmations are used. However, negative
confirmations may be used in situations in which the risk of material
misstatement is low (i.e., medium inherent risk and intended control reliance is to
test controls), individual account balances are small and there is no reason to
believe the persons receiving the requests are unlikely to give them
consideration. Negative requests should not be used for statistical samples,
except as permitted for financial institutions, or for sample items in a non-
statistical sample that are individually significant. GTSP gives recognition to the
inherently weaker nature of negative confirmation evidence by increasing the
sample size by a factor of 1.7.

Difficulty in Determining Sample Size

14.50 It is not always possible to compute the sample size before selecting the sample.
For example, when testing the existence assertion for inventory by taking
inventory test counts, an extended inventory listing may not be available.
Therefore, the audit team should judgmentally select a number of items for test
counts (for example, items can be selected based on last year’s inventory listing
or the latest inventory listing, adjusted for known changes in the business).
Selecting more items than necessary at this time would not necessarily be more
costly since the audit team is already on-site. If the audit team selects fewer
items to test count than necessary, alternative procedures will have to be
performed at a later date. If significantly more test counts than necessary are
taken, a subsample equal to the calculated sample size may be used for later
procedures such as tracing test counts into priced summaries.

Variation from Computed Sample Size

14.51 Should a difference of 10% or less occur between the actual sample taken and
the computed sample size, the reason for the different sample size should be
documented in the workpapers. This 10% tolerance allows for circumstances in
which selection of a sample of a precise size is difficult. For example, the number
of sampling units in the population to be sampled might be misjudged in taking a
systematic sample, resulting in the actual sample varying from the calculated
sample.

14.52 Should a difference of more than 10% occur between the actual sample taken
and the computed sample size, the sample design requirements are not met and
accordingly the audit team should assess the effect on the audit program. For
example, further selections could be performed or other tests or analytical
procedures could provide sufficient audit evidence.

Preventing Unduly Large Sample Sizes

14.53 The major factors that determine sample size are the risk decisions (inherent risk
assessments and control reliance determinations), the extent of reliance on
related substantive tests, and the monetary value of the population to be tested
in relation to tolerable error. To maximize sampling efficiency, each of these
should be carefully considered. In addition, the audit team should carefully
identify the population to be sampled and the definition of the sampling unit. For
example, if a receivable population is a significant portion of total assets, the
sampling plan will direct a significant portion of the audit effort to this population
by producing a relatively large sample size. When this occurs:
• First, identify high-monetary unit items or key items for 100% examination and
remove their aggregate monetary value from the population to be sampled.
The audit team should then consider the audit risk associated with the revised
population and determine if sampling is still necessary on the remaining
population.
• If sampling is still deemed appropriate, the sample size will be smaller
because the monetary value of the revised population will be smaller.
However, if the sample size appears too large, the audit team should consider
whether stratification in a nonstatistical sample can be used, and whether the
extent of reliance on other substantive tests is appropriate. If the audit team
does not take appropriate credit for such items, the sample size will be
unnecessarily large.
• When dealing with a very large sample size, the audit team should determine
whether additional work to permit reliance on controls or increasing evidence
from related substantive procedures would be more than offset by the
consequent reduction in sample size.
• Next, the audit team should consider redefining the sampling unit as
something other than the entire balance, such as open invoices, specific
transactions, etc. This does not reduce the number of sampling units to be
examined but does reduce the amounts that need to be examined and
therefore, the overall audit effort.
• Alternatively, sampling may be appropriate for only a portion of the
population. For example, if receivables consist of wholesale and retail
customers, the audit team might use a different audit strategy on each class
of receivables. High-monetary unit testing might be appropriate for wholesale
receivables and sampling for the individually smaller retail receivables. If retail
customers are a significantly smaller portion of the total receivable population,
the sample size will decrease significantly.
When sampling is properly applied, sample sizes that experienced auditors will
perceive as reasonable should be generated. Accordingly, anytime the planned
sample size appears unduly large, considerations such as the foregoing should
be revisited.

Very Small Samples

14.54 When GTSP computes a very small sample size, the use of sampling should be
reconsidered. In such instances, sufficient audit evidence can usually be
obtained by applying or extending other procedures. For example, when the
population consists of only a relatively few items (30 to 40), the audit team can
scan the population for unusual items. Similarly, analytical procedures can be
used to test interest income rather than a sampling procedure that compares
recorded amounts to the related note or bond holdings.

14.55 Sampling should not be used if the computed sample size is less than five (5)
items. Small samples are often unrepresentative, misleading and unreliable; if
the calculated sample size is very small, it is usually preferable to eliminate the
sample entirely by placing increased reliance on nonsampling procedures such
as scanning for unusual items or applying analytical procedures. Alternatively, it
may be cost effective to reduce the application of other related substantive
procedures and increase the substantive sample size.

Extent of Reliance on Evidence from Analytical and Other Substantive Procedures

14.56 To the extent the audit team can rely on evidence from analytical and other
substantive procedures within the same cycle, sample sizes can be reduced. The
following are guidelines for audit teams to consider when determining how much
reliance to place on those procedures.
Analytical Procedures

14.57 Assessments of reliance on analytical procedures are usually situation-specific
and it is difficult to enumerate general guidelines. However, the assessment to
select None is relatively easy. No reliance implies that the audit team will apply
no analytical procedures related to the particular assertions being tested or that
the evidence to be derived from any such procedures should be given no weight
in determining sample size reductions. This is often not the case as Horizon
recommends analytical procedures for almost all assertions.

14.58 On the other hand, the distinctions between Limited, Moderate and Significant
reliance on analytical procedures are not as clear and such judgments are more
complex. In making these assessments, the appropriate degree of reliance on
analytical procedures as a source of audit evidence generally depends on:
• the predictability of the relationships related to an assertion - analytical
procedures tend to be more effective for income statement accounts than for
balance sheet accounts because they are more predictable
• the level of detail used to develop expectations - to be highly effective,
analytical procedures should be performed at a level of detail that will provide
a high level of precision

14.59 For example, when reducing sample sizes used to test the existence of accounts
receivable, the audit team may perform detailed revenue analytics, directed
toward determining the existence of recorded sales (therefore indirectly, the
receivables). Even when the data is disaggregated (by location, product type,
months and units) and there is sufficient testing of exceptions and anomalies,
such a procedure will generally not support more than Limited or Moderate
evidence of the existence of accounts receivable because it is focused on the
income statement.

14.60 Multiplying the average sale price of a client's products by the total number of
units sold will provide an estimate of sales, but it will not be sufficiently precise. This
type of analytical procedure would ordinarily not support more than Limited
evidence. To improve the precision of the estimate, the audit team should break
the client's products down into product lines and perform the same calculation
using the corresponding averages and units sold by product line. Thus, this
improved, more precise analytical procedure may provide Moderate evidence.

14.61 To place Significant reliance on analytical procedures, the audit team will
ordinarily be required to supplement the analytical procedures suggested by
Voyager. As such, this option should be carefully weighed if the audit team
intends to place more than Moderate reliance on evidence provided by analytical
procedures.

14.62 In summary, the extent of sample size reductions based on analytical procedures
should have a direct link to the effectiveness of the analytical procedure in
detecting the same errors as the test being performed on the sample items.
Other Tests of Details

14.63 The reference to "other substantive procedures" does not solely refer to
analytical procedures, but includes other tests of details within the same cycle
that provide evidence as to the monetary correctness of a financial statement
assertion. For example, if subsequent cash receipts are examined in conjunction
with the determination of the reasonableness of the valuation-net assertion for
receivables, the audit team should “take credit” for the fact that this procedure
also provides strong evidence as to the existence of accounts receivable - the
same assertion being tested by the accounts receivable sample.

14.64 Although evidence from other substantive procedures can be obtained from any
procedure within the same cycle, it is important to remember that the procedure
has to provide appropriate evidence to the assertion being tested. To illustrate,
assume the audit team is testing the existence of accounts receivable. Some
common tests of detail in other assertions that may provide evidence about the
existence of accounts receivable are:
• cut-off tests
• scanning customer records to identify unusual information such as duplicate
addresses, P.O. boxes, credit terms
• testing subsequent cash receipts in conjunction with the determination of the
reasonableness of the valuation net assertion for revenue

14.65 Similar to the assessment of reliance on evidence provided by analytical
procedures, the assessment of reliance on other substantive procedures can be
difficult. There are no specific guidelines that enumerate what constitutes
Limited, Moderate or Significant reliance. It would not be appropriate to place
more than Limited or Moderate reliance on the examples listed above. Similar to
analytical procedures, for an audit team to place Significant reliance on other
substantive procedures, they typically would have to perform procedures in
addition to the procedures suggested by Voyager relating to the assertion being
tested.

Timing of Sample Size Calculations

14.66 Many times, sample sizes are determined well before the analytical procedures
and substantive tests are executed. When placing reliance on evidence provided
by analytical procedures and other substantive procedures, it is important to
remember to execute the procedures as they were intended when the sample
sizes were calculated. If these analytical procedures and other substantive
procedures are not performed or fail, the calculated sample size will be
insufficient.
Application of Sampling to Liability Accounts

14.67 Substantive sampling procedures are very good at detecting overstatement
errors, but are more difficult to apply in detecting understatements.
Understatement is typically assessed as the risk associated with liability accounts
and, therefore, sampling is generally not used to test the associated assertions.
Instead, analytical procedures or tests of detail other than sampling are used on
a selective basis (e.g., all accounts or transactions over a given monetary
amount, all items or all significant items entered after the cutoff date or some
other relevant basis of activity).

14.68 If the audit team determines that sampling is appropriate, then a sampling plan
should be used, with particular attention directed to the population of interest.
The population of interest when testing liabilities will often be a reciprocal
population. For example, the applicable population for applying sampling to
confirmations of accounts payable should be vendor activity or subsequent
disbursements. For sample size determination, an estimate of the account
balance being tested should be used. This estimate may be based on the
reciprocal population as well as other factors. For example, if a client generally
pays its accounts payable in 45 days, then the total of subsequent disbursements
for 45 days subsequent to year end may be an appropriate estimate of the
accounts payable balance at year end.

Confirmation Level Specified by Regulatory Authority

14.69 In certain specialized industries, regulatory guidelines specify the total number of
accounts to which confirmation requests must be sent. Since these confirmation
levels are usually higher than would otherwise be required by GTSP, follow-up of
all exceptions and nonresponding accounts could result in burdensome,
excessive and inefficient audit efforts. In these cases, select a confirmation
sample in conformity with regulatory guidelines and also select, in advance, a
subsample of sufficient size to gain audit satisfaction with respect to total
receivables as if the remainder of the confirmations were not being requested.
This subsample should be followed up to conclusion while the other confirmation
requests need not be (although any monetary exceptions received should be
projected to the entire population and investigated). The evaluation of total
receivables should be based on the subsample modified for any inconsistent or
contradictory results obtained from the remainder of the sample. If this approach
is used, the workpapers should indicate that the accounts outside the subsample
do not contradict the results of the subsample and do not require additional
follow-up to support the opinion.

Nonstatistical Sampling
14.70 Nonstatistical sample items should be selected in such a way that the sample,
within each stratum, is intended to be representative of the population sampled
and the selection method should be appropriately documented. In certain cases,
the population strata may be estimated because of the conditions under which
sampling takes place. An example is inventory test counts; the audit team often
estimates values and attempts to select items to the upper strata.

14.71 A non-statistical sample must be selected systematically (using an interval),
randomly (using a random number table or the “Random” function in a tool like
IDEA) or haphazardly (without following a structured technique and avoiding any
conscious bias or predictability). It is never appropriate to sample by selecting
items that are readily available or significant.

14.72 Each sample item should be examined to determine whether any of the
predefined error types exist. Any items that the audit team is unable to examine
should be treated as errors for the purposes of sample evaluation. The audit
team should carefully evaluate the reasons for any unexamined items, and the
implications of any reasons given.

Evaluate Sample Results

14.73 When evaluating sample results, the audit team should consider both quantitative
and qualitative aspects of errors identified.

14.74 To quantitatively consider
errors, the audit team evaluates the difference between the estimated audited
value of the population and recorded amounts tested. The difference between
these values is the basis of the projected error for the population. For example, in
testing the valuation-gross assertion of inventory, assume that the recorded
amount on the client's books is $600,000. As a result of the sample, the audit
team estimates the inventory to be $450,000. Considering all available evidence,
they must make a judgment as to whether the projected error of $150,000 is so
large as to require an adjustment of the book value of inventory. To determine
projected error, monetary differences between the audited value and the
recorded value of the sampling units examined, together with any items that
could not be examined, are projected to the population sampled.

14.75 An audit difference usually arises when the audit team does not agree with either
the amount or classification of a recorded balance or transaction. In addition, if
the audit team is unable to locate some sample items and they are unable to
obtain assurance by alternative procedures, the unexamined items should be
assumed to be errors.

14.76 If a substantive sample contains no monetary errors, the audit team may
reasonably conclude that the sampled population is materially correct.

14.77 The qualitative aspects of errors should be considered in addition to the
frequency and amounts of monetary errors. When errors or deviations are
identified during testing, the audit team should consider the magnitude and
nature of the error or deviation and whether:
• they indicate potential fraud
• they indicate an internal control deficiency
• more audit evidence is required

14.78 Audit differences found in a nonstatistical substantive sample should be
projected to the population from which the sample was drawn (stratum by
stratum in a stratified sample).

14.79 When audit differences occur in negative confirmation requests, the projection of
misstatement(s) is the same as when positive confirmations are used. However,
the audit team should use the difference method of projection.

14.80 Total projected error should be considered in deciding whether to accept the
account balance as materially correct or to extend the substantive test to obtain a
more precise estimate of the aggregate error in the account.

14.81 When using nonstatistical sampling, the audit team evaluates the sampling
results against the expected aggregate error. If the projected error exceeds the
expected aggregate error, the sample has effectively failed to achieve its planned
precision and the audit team cannot conclude that the balance is not materially
misstated. The audit team must extend substantive procedures to determine
whether the balance is materially misstated.

14.82 In the above situation, one response may be to increase the substantive sample
size. It may often be impractical to increase the sample size for confirmations
upon discovery of larger than anticipated errors. On the other hand, sample sizes
for procedures such as vouching can often be increased upon discovery of
unanticipated errors. If the sample size is not revised, additional evidence as to
the aggregate error might be obtained through the application of other
substantive audit procedures.

14.83 If the projected error resulting from a nonstatistical sample is greater than
tolerable error, the audit team has obtained evidence that the balance may be
materially misstated. The substantive work performed on the population tested
should be extended to help support or disprove the conclusion of the sample.

14.84 The excess of total projected error over the amount, if any, adjusted by the client
should be added to the Summary of Unrecorded Misstatements and evaluated.
In this evaluation, the audit team may conclude that the entity’s statements are
materially misstated and need to be corrected in order to issue an unmodified
opinion. For nonstatistical samples, because sampling risk is unknown,
adjustments to the financial statements should not be made based solely on the
projected error. Instead, the client should perform sufficient additional work to
quantify the misstatement and the audit team should test this work appropriately.
Isolated Errors

14.85 Errors discovered during a sampling application should be projected to the
population from which the sample was selected. Designating an error as isolated
is rarely appropriate. Any such determination must be verified through additional
testing and thoroughly documented.

Documentation

14.86 A properly completed set of sampling workpapers is adequate documentation of
the substantive sample size, its relationship to the assessed level of inherent risk,
reliance on controls and other related substantive procedures, and for the
required projection of errors and unexamined items.

14.87 The workpapers should also indicate audit work performed (including the items
tested) and the sample findings (including information on monetary errors as well
as tests of control deviations in sample items).

Statistical Sampling
14.88 The principles of sampling are discussed above. All of this guidance is applicable
to statistical sampling. The following paragraphs give guidance on the
computation, selection and evaluation of statistical samples, and should be read
in conjunction with the aforementioned paragraphs of this Chapter.

14.89 The firm strongly encourages using IDEA when working with statistical samples.
Using IDEA automates the sample selection process using a defined sampling
interval (discussed below).

Determining Sample Size

14.90 The objective of sample design is to determine a sample size sufficient to result
in a sampling error that does not exceed the preliminary estimate of tolerable
error. GTSP uses Monetary Unit Sampling (MUS) to select sample items. MUS
has two advantages:
• automatic stratification
• ease of use on both manual and computerized records

Individually Significant Items

14.91 The sample selection technique associated with MUS is known as Probability
Proportional to Size (PPS) sampling. This technique accomplishes automatic
stratification and automatically determines the value ceiling for individually
significant items.

14.92 This technique automatically selects every item with a value greater than, or
equal to, the sampling interval. Items identified as key based on qualitative
considerations, and removed from the adjusted population, should be added to
the total items to be examined.

Sample Selection

14.93 Zero balances in a population will not have any chance of selection and they will
need to be segregated if it is necessary to apply separate audit procedures to
them.

14.94 Negative balances should also be segregated because their inclusion can
adversely affect the selection probabilities of the positive items in the population.
If we wish to include negative balances in the sampled population (they may be
immaterial), the sample should be based on the absolute value of the negative
items (e.g., the absolute value of -20.00 is 20.00).

14.95 To select the items to test, the audit team should select every nth monetary unit,
where n is the sampling interval, using a random starting point. The most efficient
way to do this is to use IDEA. IDEA determines the random starting point and
systematically selects each item based on the sampling interval. The sampling
interval is determined in the Voyager sample size calculator.
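
The selection described in 14.92 to 14.95, as an added example that is not part of the manual and is not IDEA's or Voyager's own algorithm: zero and negative balances are segregated, a start is drawn within the first interval, and the item containing every nth monetary unit is selected, so any item at least as large as the interval is always picked. The names Item, POPULATION, segregate and mus_select and all amounts are constructed for illustration, with balances assumed to be in whole monetary units.

```python
import random
from typing import NamedTuple


class Item(NamedTuple):
    ref: str
    amount: int  # recorded balance in whole monetary units


# Constructed sample population (not taken from the manual).
POPULATION = [
    Item("A-001", 250), Item("A-002", 1200), Item("A-003", 0),
    Item("A-004", 300), Item("A-005", -150), Item("A-006", 700),
    Item("A-007", 2500), Item("A-008", 50), Item("A-009", 900),
]


def segregate(items):
    """Split the population into positive, negative and zero balances."""
    positives = [i for i in items if i.amount > 0]
    negatives = [i for i in items if i.amount < 0]
    zeros = [i for i in items if i.amount == 0]
    return positives, negatives, zeros


def mus_select(items, interval, start=None, include_negatives=False, seed=None):
    """Select the item containing every interval-th monetary unit.

    Returns a dict with the start used, the selected items as
    (ref, hits) pairs, and the refs set aside for separate procedures.
    """
    if interval <= 0:
        raise ValueError("sampling interval must be positive")
    if start is None:
        # Random starting point within the first sampling interval.
        start = random.Random(seed).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")

    positives, negatives, zeros = segregate(items)
    if include_negatives:
        # 14.94: negatives may stay in the frame at their absolute value.
        frame = [i for i in items if i.amount != 0]
    else:
        frame = positives

    selected = []
    cumulative = 0      # running total of monetary units seen so far
    next_hit = start    # next monetary unit that triggers a selection
    for item in frame:
        cumulative += abs(item.amount)
        hits = 0
        while next_hit <= cumulative:
            hits += 1
            next_hit += interval
        if hits:
            selected.append((item.ref, hits))

    return {
        "start": start,
        "selected": selected,
        "zeros": [i.ref for i in zeros],
        "segregated_negatives": (
            [] if include_negatives else [i.ref for i in negatives]
        ),
    }


if __name__ == "__main__":
    result = mus_select(POPULATION, interval=1000, start=400)
    for ref, hits in result["selected"]:
        print(ref, "selected, hit", hits, "time(s)")
    print("zero balances set aside:", result["zeros"])
    print("negative balances set aside:", result["segregated_negatives"])
```

An item hit more than once is still examined once; the hit count only shows how many selection points fell inside it.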

Sample Evaluation

14.96 The evaluation process is directed towards evaluating the three components of
sample results:
• known error (i.e., the actual error found in the sample items)
• projected error (i.e., the best estimate of the true error in the population value,
as derived from the sample)
• sampling error (i.e., error in the population that might not be detected due to
sampling being used, as opposed to 100% verification)

14.97 Known error and projected error are common elements of both statistical and
nonstatistical samples. However, the use of statistical sampling enables sampling
error to be measured.

Implications of Errors Found

14.98 Voyager displays statistical information in the sample evaluator to support the
audit team’s decision on whether the sample results provide sufficient
appropriate audit evidence. Voyager’s evaluation of the sample results provides
a best estimate of (a) the true population value and (b) the maximum amount of
misstatement in the population. The difference between the best estimate of the
population and the book value of the population is the projected error. The
projected error is the most likely amount of misstatement in the population. The
best estimate of the maximum amount of misstatement in the population (i.e., the
upper precision limit on errors) is a measure of whether the audit team obtained
sufficient audit evidence that the population is not materially misstated. When the
upper precision limit on errors is less than tolerable error, the audit team obtained
sufficient audit evidence that the population is not materially misstated.

14.99 Consider an example where the sample evaluation results achieve the planned
level of risk and precision:
Population value                              8,527,419
Aggregate risk level                          11.8519%
Upper precision limit on errors               306,766.58
Projected error                               36,971.35
Adjusted upper precision limit on errors      269,795.23
Tolerable error                               280,000

14.100 Since the adjusted upper precision limit on errors is less than materiality,
the audit team has obtained sufficient appropriate audit evidence that the
balance is not materially misstated. The audit team still needs to post and
evaluate the projected error of 36,971 on the Summary of Unrecorded
Misstatements.

14.101 Consider an example where the sample evaluation results do not achieve
the planned level of risk and precision:
Population value                              8,527,419
Aggregate risk level                          11.8519%
Upper precision limit on errors               448,277.85
Projected error                               67,700.79
Adjusted upper precision limit on errors      380,577.06
Tolerable error                               280,000

14.102 Since the adjusted upper precision limit on errors is greater than tolerable
error, the audit team has obtained evidence that the balance may be materially
misstated. Additional procedures are ordinarily necessary to determine a better
estimate of the maximum amount of misstatement in the population. Posting the
projected error of 67,701 to the Summary of Unrecorded Misstatements does not
eliminate the need to obtain additional audit evidence.

14.103 When the adjusted upper precision limit on errors is greater than tolerable
error, the audit team chooses one of the following three alternatives:
• accept the achieved level of risk and precision
• reaudit the population after the client reperforms the accounting process and
identifies and corrects all errors
• perform additional procedures directed towards the same financial statement
risk to better quantify the error and reduce the risk of a material misstatement

Accept the Achieved Level of Risk and Precision

14.104 When the adjusted upper precision limit on errors exceeds tolerable error
by less than 10% of tolerable error, audit teams may accept the achieved level of
risk and precision without performing additional procedures. The audit team must
post the projected error to the Summary of Unrecorded Misstatements. For
example, if the adjusted upper precision limit on errors is 280,577 and tolerable
error is 280,000, the adjusted upper precision limit on errors exceeds tolerable error
by only 577, or less than 1%. The firm will accept this amount of imprecision.

Reaudit a Corrected Population

14.105 When the adjusted upper precision limit on errors exceeds tolerable error
by more than 10%, the sample results do not provide sufficient audit evidence
that the population is not materially misstated. An investigation of the cause of
errors may lead the audit team to conclude that the results are representative of
the population. Audit teams should exercise caution before concluding the results
are not representative as additional testing will frequently confirm the initial
sample results.

14.106 When the sample results are representative, it is evident that there are
significant issues and the client should rework the population. Audit teams would
then retest the corrected population by selecting a new sample and performing
the tests on that sample. The projected error from the previous sample should
not be posted to the Summary of Unrecorded Misstatements. Rather, the
projected error from the new sample would be posted and evaluated.

Perform Additional Procedures

14.107 As mentioned above, audit teams should exercise caution before
concluding that additional testing will provide different results. Often, the
additional procedures will only confirm the original sample results. However,
when the investigation of the cause of errors leads the audit team to conclude
that the results are not representative of the population, the audit team may
determine that it is possible to obtain sufficient audit evidence by performing
additional audit procedures. For example, the investigation of the cause of the
errors determined that controls broke down in one location and therefore the
errors are not representative of the entire population.

14.108 When the audit team determines that the sample results do not represent
the population, additional substantive tests directed towards the same financial
statement risk are performed to better quantify the error and reduce the risk of a
material misstatement.

14.109 The additional tests may include:
• increasing the sample size to improve the estimate of the maximum amount
of misstatement in the population (in this situation, the results of the original
sample cannot be ignored and therefore the sample size must be increased
by an integer multiple – at least double the original sample size)
• segmenting the population and focusing the additional testing on the items
affected by the cause of the errors

14.110 When the sample size is increased, the additional sample results should
be combined with the initial sample results and evaluated together as one
combined sample. If the evaluation of the combined sample results in the
adjusted upper precision limit on errors not exceeding tolerable error, the audit
team has obtained sufficient appropriate audit evidence that the balance is not
materially misstated. The projected error from the combined sample should be
posted and evaluated on the Summary of Unrecorded Misstatements.

14.111 If the audit team is able to identify the cause of the errors they may be
able to segment the population and direct increased testing to a certain type of
transaction or balance. The additional audit procedures are determined by the
size and nature of this population. Ideally, the segmented population would be
small enough to avoid further sampling.

14.112 For example, assume that the testing identified three errors that caused
the sample results to fail. The audit team determined that all three errors resulted
from the same underlying cause. Further, they determined that only 38 of these
items occurred in the population. In this example, the audit team extracted the 38
items and performed additional tests to identify the magnitude of the error. This
amount was determined to be more than trivial but immaterial and therefore the
audit team posted the known error, instead of the projected error, to the
Summary of Unrecorded Misstatements.

14.113 If the audit team is able to link some, but not all, errors to a single cause,
segmenting the population and directing increased testing to a certain type of
transaction or balance may not be successful in sufficiently reducing the risk of
material misstatement.

14.114 For example, assume that the testing identified five errors that caused the
sample results to fail. The audit team determined that two errors resulted from
the same underlying cause and three errors resulted from other reasons. Tests
on the segmented population resulted in the same outcome described above.
However, there are still three errors that need to be evaluated as they are
representative of the error rate that exists in the remaining population. The
remaining population should be re-evaluated with the three errors (the two errors
and the segmented population would be removed from this evaluation). If the
new evaluation results in an adjusted upper precision limit on errors that is less
than tolerable error, the new projected error would be posted to the Summary of
Unrecorded Misstatements along with the known error identified in the
segmented population. However, if the new evaluation results in an adjusted
upper precision limit on errors that exceeds tolerable error, additional procedures
would still need to be performed.

14.115 Before taking an approach that segments the population, audit teams
should determine that the segmenting process still achieves the original sample
design requirements. As discussed under “Variation from Computed Sample
Size”, the sample design requirements are not met when a difference of more
than 10% occurs between the actual sample taken and the computed sample
size. Therefore, in the example above, if the computed sample size was 24,
removing three items would result in a sample size that is not sufficient.

14.116 In summary, determining that the sample results do not represent the
population ordinarily requires that: (a) there is strong evidence that the cause of
the errors was really identified, (b) most and perhaps all detected errors resulted
from a single cause, and (c) the number of errors is small enough that their
removal does not cause an insufficient sample size. Therefore, audit teams
should carefully evaluate the likelihood that pursuing this approach will result in
sufficient evidence that a material misstatement does not exist.

Attribute Sampling

General

14.117 Attribute sampling is used to reach a conclusion about a population in
terms of rate of occurrence. Each deviation from a defined attribute is given
equal weight in the sample evaluation, regardless of the monetary amount of the
transactions.

14.118 The attestation standards offer opportunities for audit teams to provide
assurance on subject matter related to the occurrence of certain attributes in a
population. For example, a vendor may agree to pay certain advertising costs for
a customer and desires assurance that advertising invoices submitted meet the
appropriate criteria. Accountants may provide such assurance if they could
become satisfied that the invoices presented to the vendor meet the appropriate
criteria. Sampling may be a useful procedure to apply in such a circumstance.
Alternatively, an accountant providing assurance on whether a schedule of
investments is presented accurately would likely perform tests other than
sampling. To enable the firm to perform attestation engagements that require
sampling, an attribute sampling methodology was developed.

14.119 An audit team may apply attribute sampling in the following
circumstances:
 tests of controls in a financial statement audit
 tests of multiple attributes that collectively represent the subject matter of the
attestation opinion
 other engagements where the attribute represents the subject matter

Tests of Controls in a Financial Statement Audit

General

14.120 In conjunction with financial statement audits, the audit team often
performs tests of controls to place reliance on controls and modify the nature,
timing or extent of detailed substantive procedures. The objective of such tests is
to provide support for the intended control reliance for a particular risk. In a
financial statement audit, substantive procedures are also performed and
together these two types of tests (substantive and control) support the level of
audit risk that the audit team accepts. Therefore, when sampling is used to test
internal control to support a level of control risk for reliance thereon, the table
below should be used to determine sample sizes.

14.121 It is important for the engagement team to consider testing the operating
effectiveness of controls when developing their audit approach. Testing controls
is encouraged when such an approach is more effective or efficient or is
necessary because substantive procedures alone will not provide sufficient
appropriate audit evidence.

Sample Size

14.122 A sample size of 25 items is the starting point when performing tests of
controls. This sample size is appropriate because the test results from the control
tests are not the sole source of evidence for the assertion. Substantive tests are
always performed in addition to the control tests and often more than one control
is tested.

14.123 The timing of the related substantive procedures affects the sample size
(the further away from year end the substantive procedures are performed, the
larger the sample size). Controls should be tested through the date of the
performance of the substantive procedures because the controls provide support
for the balances as at that date. When substantive procedures are not performed
at year end, a higher degree of precision is required from the control tests.
Therefore, sample sizes are increased the further away from year end the
substantive procedures are performed. This feature is part of Voyager’s test
of controls sample size calculator.

Sample Selection

14.124 When sampling procedures will be performed, the sample items should be
selected so that they are representative of the entire population. Stratification of
the population is not appropriate in a test of controls sample.

Examination

14.125 Each sampling unit selected should be examined for evidence of both
operation and effectiveness. An initial on a document may be evidence of
operation. Evidence of effectiveness may be obtained by reperforming the control
feature or by other methods such as reviewing the disposition of errors detected
by the control feature.

14.126 Sampling units that cannot be examined are considered to be deviations.
The audit team should also consider the reasons for the inability to examine the
items. For example, the audit team may be unable to apply planned procedures
to certain items because supporting documentation is missing, in which case
they would need to consider the implications on the reliance on controls.
Depending on the particular circumstances, they may also need to consider
matters such as the extent of reliance that they can place on management
representations, and effect on the audit report.

Evaluation

14.127 After examining the sample units, the total number of deviations should be
evaluated. If the number of deviations equals or is less than the acceptable
number of deviations for the sample size indicated in the table below, the sample
supports the intended control reliance. In addition, there may be circumstances
when, despite discovery of a small number of deviations, the audit team
continues to believe that the preliminary intended control reliance assessment is
warranted. In this event, the audit team needs to increase the original sample
size, aggregate the original and additional sample sizes and results, and
evaluate the combined results.

14.128 As deviations are found, the audit team should reconsider the likelihood
that further testing will provide evidence that the control operated effectively
throughout the period. However, if three deviations are found in a sample, the
audit team should discontinue testing because the sample size would grow to a
very large number. When other controls that achieve the same control objective
are implemented, the audit team may test these controls. If these tests are
successful, the audit team could rely on this control. If there are no other
controls implemented, the audit team should conclude that the control is not
operating effectively and cannot be relied upon.

14.129 The following table outlines the sample size/control deviation acceptance
rate (assuming substantive procedures are performed at or near the balance
sheet date):

Sample Size    Acceptable Deviations
25             0
42             1
58             2

14.130 Voyager’s sample calculator includes a feature that adjusts sample sizes
based on the number of items in the population. Sample sizes are adjusted
downward for populations with a smaller number of items. Therefore, Voyager’s
sample size calculator may differ slightly from the above table but still meet the
firm’s required precision for attribute samples.

14.131 When deviations are found, the audit team should consider the qualitative
aspects of the deviations, including:
 nature and cause of the deviations
 possible relationship of the deviations to other phases of the audit
 whether the deviations are indicative of an internal control deficiency

14.132 The audit team should investigate any deviations that suggest the
possibility that fraudulent, illegal or questionable events occurred. In any event,
the audit team should report the deviations in the internal control letter.

Tests of Multiple Attributes that Collectively Represent the Subject Matter

14.133 In engagements where multiple attributes collectively represent the
subject matter, the audit opinion is not based on any one attribute. Rather, the
attributes are evaluated collectively to determine whether the objective of the
attributes collectively is met. In these engagements, the subject matter may be
expressed in a variety of ways (e.g., effectiveness of controls in achieving the
control objectives in a service organization audit or compliance with regulatory
requirements in a benefit plan audit).

14.134 The following table lists the sample sizes that should be used for these
engagements. The sample sizes are based on a 90 percent confidence level that
the maximum occurrence rate of errors in the population will not exceed 10
percent and that no errors will be detected.

                      Minimum sample size
Size of Population    No deviations    One deviation    Two deviations
0 – 100               N/A*             N/A*             N/A*
101 – 500             23               35               45
> 500                 25               40               60

* For populations with fewer than 100 items, it is more efficient to use
reperformance rather than sampling. The firm recommends testing 10 percent of
the population when using reperformance (for example, for a population of 50, 5
items would be tested).

14.135 Voyager’s attribute sampling calculator may be used to calculate these
sample sizes by selecting Tests of Employee Benefit Plan Participant Data or
Other (when Testing provides primary evidence for assertion is not selected).

Other Attribute Samples

14.136 For engagements where a single attribute is the subject matter of the
opinion, a larger sample is required to gather sufficient assurance on which to
base the audit opinion. For example, a vendor agrees to pay certain advertising
costs of a customer when those costs meet the vendor’s criteria. The vendor
desires assurance from an auditor that the invoices meet specified criteria. Since
the opinion will be based on a single attribute, a sample size of 50 items is
required (assuming the population is between 101 and 500). If a deviation is
discovered, the audit team must increase the sample size to the amount in the
table and find no further deviations to conclude that the invoices paid comply with
the specified criteria.

14.137 The following table should be used for such engagements:


                      Minimum sample size
Size of Population    No deviations    One deviation    Two deviations
0 – 100               N/A*             N/A*             N/A*
101 – 500             50               80               100
> 500                 60               90               120

14.138 Voyager’s attribute sampling calculator may be used to calculate sample
sizes in these instances by selecting Other (when Testing provides primary
evidence for assertion is selected).

Exhibit 14.1 - Evaluation of a MUS Sample

E01 The evaluation is done in two stages:
 determining the sampling error to ascertain whether the sample is acceptable
 determining the projected error

E02 MUS divides the population into two major components which will be projected
separately:
 individually significant items (i.e., items whose monetary value is greater than
or equal to the sampling interval), which are examined 100%
 the sampled population

Determining Sampling Error

E03 Under the MUS evaluation approach, sampling error usually consists of two
components: Basic Precision and Precision Gap Widener (PGW). If no errors
are detected in the sampled population, the measure of sampling error is known
as Basic Precision (the minimum sampling error resulting from the sample as a
result of not having examined all items). As errors are detected, the measure of
sampling error is increased for each such error. This increase is known as the
Precision Gap Widener (PGW). Thus:
Sampling Error = Basic Precision + PGW

E04 Basic Precision is the overstatement that could exist (at a given risk level) even if
no errors were found in the sample. Therefore, the factor used to calculate Basic
Precision (the Basic Precision Factor) will be based solely on the combination of
risk related factors. Thus:
Basic Precision = Sampling Interval x Basic Precision Factor

E05 PGW is the amount by which Basic Precision increases as errors are discovered
in the sampled population. To calculate the PGW, individual errors in the
sampled population are ranked according to the size of their percentage
difference (tainting) where:
Percentage Difference = (Book Value - Audited Value)/Book Value

E06 For example, a $100 error in a sample item of $500 is a 20% difference and is
ranked higher than a $200 error in a sample item of $2,000, which is a 10%
difference. After the errors have been ranked, each projected error (see below) is
multiplied by the corresponding PGW factor: the largest projected error times the
largest PGW factor, the next largest projected error times the next largest PGW
factor, etc., where:
Projected Error = Percentage Difference x Sampling Interval

E07 The total Sampling Error can thus be calculated from the Basic Precision and the
PGW, and the result compared with tolerable error. In Voyager, the Sampling
Error is called the Upper Precision Limit on Errors.

Determining the Projected Error


E08 The total projected error is equal to the actual error in the individually significant
items (i.e., the book value less the audited value), plus the sum of the projected
errors in the sampled population, each calculated using the formula above (i.e.,
percentage difference times sampling interval).

E09 The projected error is calculated individually from each sample interval.
Examples of error projections follow:

                         Item 1     Item 2     Item 3
Book value               275,000    220,000    7,000
Audit value              270,000    180,000    700
Difference               5,000      40,000     6,300
Percentage difference    *          18.18%     90.00%
Sampling interval        250,000    250,000    250,000
Projected error          5,000      45,450     225,000

* Items equal to or greater than the sampling interval, individually significant
items and qualitative key items are not extrapolated to the population.

E10 Any projected error for which no adjustment is made should be carried forward to
the Summary of Unrecorded Misstatements.

E11 As discussed earlier, substantive sampling procedures are designed to detect
overstatement and are generally not applied to liability accounts. The same is
true for understatements in asset accounts. Examples of projected errors for
understatements follow:

                         Item 1     Item 2      Item 3
Book value               270,000    180,000     700
Audit value              275,000    220,000     7,000
Difference               (5,000)    (40,000)    (6,300)
Percentage difference    *          22.22%      900.00%
Sampling interval        250,000    250,000     250,000
Projected error          (5,000)    (55,550)    (225,000,000)

* Items equal to or greater than the sampling interval, individually significant
items and qualitative key items are not extrapolated to the population.

E12 Since the risk in asset accounts is generally that the balance is overstated,
significant understatements will rarely occur. Therefore, audit teams should
exercise caution when evaluating the results of sampling procedures when the
errors discovered include understatements. The ability to have a tainting
percentage greater than 100% (such as the 900% in Item 3 above) could
inappropriately skew the calculation of the projected error. When
understatements are discovered in the sample results, audit teams should
address the risk of understatement by applying additional substantive
procedures.
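
The evaluation described in E03 to E12, worked through on the E09 items, as an added example that is not part of the manual and is not Voyager's code. The page does not give the Basic Precision Factor or the PGW factors, so the values passed in below are constructed placeholders; listing understatements separately instead of projecting them is a choice made in this sketch to follow the caution in E12.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SampleItem:
    name: str
    book_value: Decimal
    audit_value: Decimal


def tainting(item):
    """Percentage Difference = (Book Value - Audited Value) / Book Value (E05),
    rounded to 0.01% as in the E09 table."""
    diff = item.book_value - item.audit_value
    return (diff / item.book_value).quantize(Decimal("0.0001"))


def evaluate_mus(items, sampling_interval, basic_precision_factor,
                 pgw_factors, tolerable_error):
    """Return projected errors and sampling error for a MUS sample.

    basic_precision_factor and pgw_factors are caller-supplied inputs
    (hypothetical here; the page does not state them).
    """
    projections = {}      # item name -> error carried into the projection
    sampled = []          # (tainting, projected error) for the sampled population
    understatements = []  # reported for additional procedures (E12), not projected

    for item in items:
        diff = item.book_value - item.audit_value
        if diff == 0:
            continue
        if diff < 0:
            understatements.append(item.name)
        elif item.book_value >= sampling_interval:
            # Individually significant item: examined 100%, actual error only (E02, E08)
            projections[item.name] = diff
        else:
            t = tainting(item)
            projected = t * sampling_interval  # E06
            projections[item.name] = projected
            sampled.append((t, projected))

    # E06: rank errors by tainting; the largest takes the largest PGW factor
    sampled.sort(reverse=True)
    factors = sorted(pgw_factors, reverse=True)
    if len(sampled) > len(factors):
        raise ValueError("not enough PGW factors for the number of errors found")

    pgw = sum((p * f for (_, p), f in zip(sampled, factors)), Decimal(0))
    basic_precision = sampling_interval * basic_precision_factor  # E04
    sampling_error = basic_precision + pgw                        # E03

    return {
        "projections": projections,
        "total_projected_error": sum(projections.values(), Decimal(0)),
        "basic_precision": basic_precision,
        "pgw": pgw,
        "sampling_error": sampling_error,
        "within_tolerable": sampling_error <= tolerable_error,    # E07
        "understatements": understatements,
    }


# Items 1-3 are the E09 values from the page; the last is Item 3 of the E11 table.
ITEMS = [
    SampleItem("Item 1", Decimal("275000"), Decimal("270000")),
    SampleItem("Item 2", Decimal("220000"), Decimal("180000")),
    SampleItem("Item 3", Decimal("7000"), Decimal("700")),
    SampleItem("E11 Item 3", Decimal("700"), Decimal("7000")),
]

RESULT = evaluate_mus(
    ITEMS,
    sampling_interval=Decimal("250000"),               # from the E09 table
    basic_precision_factor=Decimal("3.0"),             # constructed placeholder
    pgw_factors=[Decimal("0.75"), Decimal("0.55")],    # constructed placeholders
    tolerable_error=Decimal("1000000"),                # constructed placeholder
)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```
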

Chapter Fifteen - Audit Documentation

Summary

This Chapter discusses firm policies regarding sufficiency and adequacy of audit
documentation necessary to support audit conclusions. This Chapter also discusses the
conditions under which the firm will grant workpaper access to third parties.

Introduction
15.01 This Chapter discusses requirements to prepare and maintain workpapers (also
referred to as audit documentation), the form and content of which should be designed
to meet the circumstances of the particular engagement. The information contained in
the workpapers is the principal product of the work and support for the conclusions
reached by the audit team.

15.02 The term “workpapers” is used in the generic sense. Workpapers may be in the
form of data stored on paper, film, or other electronic media. Indeed, with the use of
Voyager almost all of the workpapers assembled to support the audit opinion will be in
electronic form. Care should be taken to protect hard-copy workpapers and all
electronic files from damage and unauthorized use through appropriate archival and
backup procedures.

15.03 Documentation considerations are noted throughout the audit programs and in
this Manual, where appropriate. In Voyager, workpaper documentation can be stored
within the engagement file and referenced directly to the audit procedure.

Workpaper Documentation

Functions and Nature of Workpapers

15.04 The principal functions of workpapers are to:
 aid the planning, performance, and supervision of the audit
 record the work performed in obtaining the audit evidence, including any
significant problems encountered and how they were resolved
 record the conclusions reached in support of the auditor’s report
 facilitate the review process
 demonstrate adherence to professional standards and procedures

15.05 Audit documentation also provides a basis for reviewing the quality of the work
performed as it is the written evidence supporting the audit team’s conclusions. As
such, it is critical that audit documentation:
 clearly demonstrates that the work was in fact performed
 contains sufficient information to enable an experienced auditor to:
– understand the nature, timing, extent, and results of the procedures
performed, evidence obtained, and conclusions reached
– determine who performed the work and the date the work was
completed, as well as the person who reviewed the work and the date
and extent of their review
– demonstrates that the engagement complied with professional
standards, including justification for any departures

15.06 Documentation standards are now based on the principle “the failure to
document work performed indicates that the work was not performed.” Oral
explanations, as opposed to documented work or actions, do not provide persuasive
evidence that procedures were performed. Accordingly, the work performed by the audit
team must be adequately documented to qualify as audit evidence.

Content

15.07 Workpapers, in general, include documentation such as audit programs,
analyses, memoranda, confirmations and representations, abstracts of documents, and
schedules prepared or obtained by the audit team. The audit team should strive to
create and maintain workpapers in electronic media to the greatest extent possible.
Similarly, the audit team should insist management provide schedules, reconciliations,
and other documents in electronic form. The audit team should consider the situation a
risk when management cannot provide electronic documentation.

15.08 The firm does not encourage large paper files or electronic references that simply
contain copies of client’s records that do not represent audit evidence. Where the audit
team is unable to test client records with a CAAT using IDEA, it is not ordinarily
necessary to retain voluminous copies of client records or schedules, such as accounts
receivable or inventory listings. If such schedules were annotated to contain evidence of
procedures or the results of such procedures, copies of the pertinent pages should be
retained in hard copy. In most cases, copies of client's electronic records should be
retained for use in subsequent years.

15.09 The quantity, type, and content of workpapers vary with the circumstances, but
they should be sufficient to:
 determine the relevant audit work performed
 support the audit report
 leave no significant points unresolved

15.10 Workpapers should be sufficiently complete to enable an experienced auditor to
ascertain that the work performed supports the conclusions reached. The workpapers
should "stand alone" and not require supplementary oral explanations. The workpapers
should include only matters that are relevant to the engagement.

15.11 Although the quantity, type and content of workpapers vary with the
circumstances, they should generally demonstrate that:
 the work was actually performed
 applicable professional standards and firm policies were followed
 an understanding of the entity’s environment, including its internal control,
was obtained
 the auditor responded to identified risks of material misstatements
 the work was adequately planned and supervised
 appropriate tests of controls were performed to support the intended
control reliance
 any exceptions and unusual matters discovered while performing the audit
procedures were resolved and treated; discussions to settle these matters
should be adequately documented
 the accounting records agree or reconcile to the financial statements
being audited
 the evidence obtained and procedures applied provide sufficient evidence
to support a reasonable basis for the opinion

15.12 In addition, the workpapers should be sufficient to enable team members with
supervision and review responsibilities to understand the nature, timing, extent, and
results of the auditing procedures performed and determine the team member(s) who
performed and reviewed the work.

15.13 At a minimum, and keeping in mind that workpapers may include electronic files,
the completed workpapers for each engagement file should contain:
 an engagement letter
 extracts or copies of significant contracts or agreements used by the audit
team to evaluate the accounting for significant transactions
 a Summary of Unrecorded Misstatements and an evaluation of the
materiality of these amounts, individually and in total, in relation to the
financial statements
 memoranda concerning significant aspects of the audit, consultation with
others and any changes made during the audit to the audit plan (Summary
of Significant Matters)
 other information demonstrating that the requirements noted above have
been met
 documentation to support that the firm’s review policies were met
 the client representation letter
 a copy of the financial statements and report issued

15.14 Audit teams must constantly strive to improve audit documentation. Each team
member should make certain that the workpapers adequately document the work
performed, the judgments made, and conclusions reached. Moreover, team members in
supervisory and review capacities are expected to ensure that the work performed is
adequately documented. On the other hand, care should be taken to see that
workpapers do not include documentation that is not relevant to the procedures
performed or the conclusions reached.

Memoranda
15.15 Audit workpapers consist mainly of audit programs, risk assessment procedures,
schedules and analysis of quantitative information about the client’s financial accounts.
However, it will often be necessary to supplement this information with memoranda to
document and describe audit considerations, such as unusual matters, research into
appropriate accounting principles, discussions with others, inquiries made, client
personnel involved, tests resulting from inquiries, description of conditions observed and
conclusions reached. These memoranda (sometimes referred to as narratives or
commentaries) are an important part of the workpapers. They are the link between the
procedures performed and the expression of professional judgment exercised in arriving
at conclusions.

15.16 Each memorandum should be relevant, concise, and have a clear objective that
must be fulfilled. In the rare instance that the objective cannot be readily understood
from the workpaper file itself, the workpaper file should contain a written explanation of
its purpose. Separate memoranda are ordinarily prepared for each pertinent subject.

15.17 Lengthy memoranda should be prepared in separate word processing files and
attached directly to procedures. Voyager’s “memo” feature should be used to document
shorter memos and comments. The in-charge accountant and the manager share the
responsibility to make certain that appropriate memoranda are prepared and that the
conclusions reached support the audit report.

15.18 General areas requiring memoranda include, but are not limited to, the following:
 results of risk assessment procedures, including the meeting of the audit
team
 significant aspects of the engagement or of a particular segment of the
audit
 major decisions, including planned procedures not performed and
additional procedures performed
 significant or unusual accounting and auditing matters, and any
substantive consultations with others
 comments about the application of specific accounting principles, in
particular where the propriety of the principle is in question - these should
include specific reference to authoritative support
 judgmental situations requiring consideration of modification of the
standard audit report, whether or not the report was modified
 decisions made about items considered immaterial, when such materiality
judgment is not obvious

15.19 Memoranda that evaluate the reasonableness of accounts or state conclusions
should be referenced to the factual situations developed in supporting workpapers.
Guidelines for determining content are as follows:
 the criteria applied should be stated
 the author should be comfortable that the judgment being supported is the
correct one in the circumstances
 information should be to the point - excessive use of descriptive adjectives
and adverbs should be avoided
 memoranda should speak to the positive not the negative and support the
decision made - contrary views or interpretations should be addressed
only to demonstrate their inapplicability
 audit conclusions should be based on the evidence - accounting
conclusions should be documented with specific references to
authoritative support and general terms, such as "conservatism,"
"consistency," etc. should not ordinarily be used as the basis for
conclusions
 the logic and results of relevant procedures followed to arrive at
conclusions should be described - mere repetition of the audit program
steps is not efficient, or sufficient
 memoranda that address or discuss unsatisfactory records, control
deficiencies or misstatements should clearly state what additional audit
procedures were followed, how the audit team was ultimately satisfied,
and how the matter will be treated in the report, if applicable

Practical Guidance
15.20 The engagement workpapers represent the primary documentation of the work
performed. Therefore, in addition to their importance as audit evidence, the workpapers
should be as clear and precise as possible. It is also important that the workpapers be
prepared as efficiently as possible. The following guidance is intended to help the audit
team accomplish this objective.

15.21 Workpapers prepared by the audit team should be in electronic form using
applications such as Microsoft Excel or Microsoft Word. This allows the audit team to
attach these electronic workpapers directly into Voyager. Voyager provides the ability to
combine most of the necessary documentation within the audit program. The “memo”
feature should be used to the extent possible to eliminate the need to insert electronic
files into the engagement file.

15.22 It is inevitable that some workpapers will be received in paper form, for example,
contracts and agreements. Clients should be encouraged to prepare schedules and
other documentation for the audit team in electronic format. Where the computer
applications used by a client do not match the applications being used by the audit
team, instructions should be given to save the file generically so that its contents can be
read by other applications.

15.23 Every workpaper, including those prepared by the client, should clearly present
the procedures performed in sufficient detail for an experienced accountant to
understand the nature, timing and extent of the audit procedures, their results and
evidence obtained.

15.24 In addition, the audit team should take steps to determine that the following are
considered:
 completed and initialed audit program steps are supported with proper
documentation – signing-off an audit step is not always appropriate audit
evidence
 each interim conclusion reached is not required to be documented;
however, final conclusions for every audit procedure should be
documented, if not readily apparent
 not every conversation needs to be documented; however, inquiries
should be documented when they are important to a particular procedure
 matters documented in a central repository, such as staff training and
independence should be referenced in the audit program
 more reliable, objective evidence may be required depending on the
nature of the test and the objective of the procedure – generally, the
higher the risk of material misstatement, the more reliable and objective
evidence and documentation will be needed
 accounting estimates require greater judgment and therefore, more
extensive documentation should be present

15.25 When preparing audit documentation, the audit team should follow these
guidelines and, as applicable, request the client to follow them as well.

 utilize TBeam, the client's personnel or the automated capabilities of IDEA
as much as possible to prepare various schedules, analyses and
statements:
– trial balances, lead schedules, and consolidating data
– analyses of accounts
– financial statements (including notes) and tax returns
 use the memo feature whenever feasible as this can increase efficiency
over references
 use correct grammar, spelling, and punctuation:
– spell the names of individuals and organizations correctly
– when appropriate, identify the titles of persons referred to
 see to it that the workpapers clearly indicate the:
– extent of audit tests
– basis on which items were selected for audit
– sources of any data referred to (e.g., designated ledger account, etc.)
 if the workpaper was prepared by the client’s personnel, indicate so by
selecting the “Prepared By Client” icon - in some instances, it may be
desirable to indicate the name of the client’s employee who prepared the
workpaper
 see to it that the workpapers are appropriately traced and agreed and
cross-referenced to one another
 designate cross-references to other related workpapers
 agree the final amounts to the applicable lead schedule or trial balance
 make certain the final lead schedule amounts agree with the trial balance
and financial statements
 trace all trial balance amounts to the financial statements – all
combinations should be clearly indicated
 cross-reference adjusting journal entries and reclassification entries to
supporting workpapers
 summarize and excerpt very long documents (e.g., debt agreements and
board minutes) rather than including the entire document in the
workpapers
 when preparing workpaper conclusions, differentiate between facts,
opinions and explanations received from the client's personnel - do not
use negative or derogatory terms to characterize the client’s personnel or
procedures
 commentaries of continuing importance and workpapers for account
balances which do not vary (e.g., capital stock, goodwill, etc.) should be
designated as such using the permanent icon
 prior to the documentation completion date, discard non-evidential
material that will not be part of the final audit documentation, or is not
required to be retained by law or professional standards
 return workpapers to the proper storage facility and archive electronic
workpapers promptly and in accordance with firm policy after the report
release date

15.26 When preparing audit documentation, the audit team should not make these
mistakes:
 follow previous audit workpapers blindly
 prepare separate analyses of income and expense accounts when such
accounts can be more effectively covered in conjunction with analyses of
related balance sheet items (e.g., bad debt expense and allowance for
bad debts)
 prepare schedules or analyses that can be prepared by the client
 prepare schedules or analyses of accounts where no procedures are
necessary to be performed, or spend time on unimportant analyses solely
because they were prepared by client personnel
 leave open points or questions in the workpapers
 make detailed transcripts of accounts
 use terms that are not sufficiently descriptive such as "pertinent data"
 repeat the scope of work on the workpaper when it is clearly stated in the
audit program. It is sufficient to indicate that the procedure was carried
out, noting any changes, and cross-referencing the workpaper to the
program
 use white correction tape on paper-based workpapers to change
information, or use post-it notes for open points or other purposes
 leave superseded schedules or include items of no further value in the
workpapers
 attach every client document reviewed to the workpaper
 make the workpapers available to anyone outside the firm unless the
firm’s prescribed authorization procedures have been followed
 leave workpapers, computer files, or confidential client documents
unattended. When leaving for lunch or the night, all electronic files
(including Voyager) should be backed up, all files (including paper
workpapers) should be appropriately secured, and client documents
returned for safekeeping.
 use factory settings (e.g., 0-0-0) or other obvious lock combinations
on briefcases, locks, or computer security settings
 maintain “private files”

Finalizing the Audit Documentation


15.27 Audit teams should document the results of the procedures performed on a
timely basis throughout the course of the engagement. In doing so, the audit team must
obtain sufficient, appropriate audit evidence to support the opinion prior to the release of
the auditors’ report. Professional standards provide audit teams with a period of time
from the date of the audit report, which ordinarily is in close proximity to the report
release date, to assemble and archive the final documentation, referred to as the
documentation assembly period. International standards allow a 60-day documentation
assembly period, but in some jurisdictions it is less. For example, in the US the
documentation assembly period is 45 days. During the documentation assembly period,
audit teams may:
 complete the documentation and assemble evidence previously obtained,
discussed, and agreed with the relevant team members before the report
date
 perform routine assembling procedures, such as deleting or discarding
superseded documentation and sorting, collating, and cross-referencing
final workpapers
 obtain final sign-offs in the file
 replace copies of confirmations that were previously faxed or emailed with
the original documents

15.28 Audit teams may not use the documentation assembly period to complete their
work or obtain new evidence. Both the Voyager and paper files should be archived and
securely stored within the documentation assembly period. These archived workpapers
support our audit report and should not be changed subsequent to the archival date.

Changes to Audit Documentation

15.29 [Tailor this paragraph to reflect your consultation policies] Audit teams should not
perform additional audit procedures after the date of the audit report. If additional audit
evidence is obtained, the audit team should consult with the PSP and NPPD as this is
an indication that the audit team should not have released the report. After the
documentation assembly period, any changes to the audit documentation should be
logged including who made the change and the reason for the change. Additionally,
these changes must be approved in the Post Report Log by someone other than the
preparer, usually the person responsible for the audit. The report date should be
entered in Voyager on the day the report is dated. This enables Voyager to track
changes made to the audit documentation after the documentation assembly period.
Failure to enter the report release date in Voyager or entering the date after changes
are made to the file could subject the firm and the audit team to sanctions.

15.30 [Tailor the sentence on unlocking the file to reflect the practice of your firm] Once
the audit is complete and the files are archived, the documentation should not be
changed without performing the procedures described in the previous paragraph. In
addition, no documentation should be discarded after the archiving of the engagement
file. In the rare circumstances that the audit documentation must be changed, the
National Office will provide the audit team with approval and instructions to unlock the
archived file. The audit team can then access the file and make the necessary changes.

15.31 When changes to the audit documentation occur outside of Voyager, such as in
paper files, the audit team is responsible for (1) clearly documenting the specific
changes made after the report date, (2) documenting the reasons for the changes and
(3) obtaining approval for making such changes.

Non-evidential Matter

15.32 During the course of an audit, tentative workpapers, reviewers' notes, drafts of
reports, and other such data are prepared to facilitate completion of the engagement.
Such materials are frequently not evidential matter and, accordingly, should be
discarded after making the appropriate notations and modifications in the workpapers.
Removal of review notes from the file on completion is automatically accomplished by
Voyager.

Lead Schedules

15.33 A lead schedule is ordinarily prepared for each major account balance in the
financial statements. TBeam easily produces lead schedules and integrates them with
Voyager. The schedule, together with any supporting workpapers, should show:
 the accounts that comprise the financial statement amount
 adjustments to the trial balance amount (thus reconciling that figure to the
final figure)
 comparative amounts for the preceding period

15.34 An explanation of significant variations from the previous period’s amounts
apparent from the face of the lead schedule may also be included on the lead schedule,
although it may be elsewhere in the workpapers.

Workpaper Indexing

15.35 To facilitate reference to and retrieval of information, all paper-based workpapers
should bear a reference appropriate to the firm’s standard indexing system.

Other Files

15.36 Firms may maintain other types of files, depending on local custom and need.
These include, but are not limited to, tax files, which would contain copies of tax returns
(and support if the firm prepares the returns) and report files, which would contain
copies of reports issued.

Ownership Considerations

General

15.37 The audit workpapers (whether paper or electronic) are the property of the firm
(not the client) and should ordinarily never be out of the audit team’s control. Clients or
others may request copies of workpapers. The audit team should be mindful that the
workpapers are used to support the audit report and may be taken out of context and
used against the firm if a dispute arises. Accordingly, all such requests (other than
routine exchanges of data and account analyses in the course of an engagement) are to
be referred to the lead partner.

Client Records

15.38 Client records include any original accounting or other records, including
photocopies of such records, that the firm obtains from a client, and any accounting or
other records that the firm was engaged to prepare for the client, such as tax accruals,
account reconciliations and tax returns.

15.39 Audit workpapers are not to be used as a substitute for the client's financial
accounting records. In some cases, however, the audit team may prepare schedules
during the course of the audit (“supporting records”), such as depreciation schedules
that the client desires to use as a basis for recording a journal entry or in support of a
general ledger amount. These may, to some extent, contain data that should properly
be reflected in the client's records, but which for convenience, have not been duplicated
therein, with the result that the client's records are incomplete.

Custody

15.40 Since the workpapers provide the primary support for the audit report, their
security is important. When paper workpapers are removed from their filing location or
the electronic files are copied from the network, the audit team is responsible for the
workpapers until they are returned. Such policies are particularly important when using
Voyager and policies regarding backup, security, and check-in/check-out must be
observed.

15.41 When not actively being used, paper workpapers should be returned to their
storage location. Under no circumstances are workpapers to be left in the client's office
between phases of the audit. Workpapers should not be left unattended at the client’s
offices.

15.42 In addition, laptops, paper files, documents, or equipment should not be left in
unattended automobiles or any other place. Also, workpapers should not be stored at
home for any more than an absolute minimum amount of time.

15.43 As a reminder, the costs incurred by the firm if a computer or workpapers are lost
or stolen are significant. In such situations, considerable time is required to recreate or
retrieve files and workpapers, as well as time spent by legal counsel and national office
personnel dealing with the audit team, client management, audit committees, and
oversight bodies. Also, client personnel will likely be required to spend additional time
dealing with the issue of recreating documentation.

15.44 In addition, trust is a key element to the firm’s relationships with its clients. The
need for this trust is based upon the type of services we provide. Most other service
providers are not provided the type of access to confidential and sensitive information
that we are given. In recognition of this trust and the access to confidential information,
the profession has implemented standards requiring members of the profession to
maintain client confidentiality. When workpapers are lost, our client’s trust in us can be
lost as well.

15.45 [Tailor the following paragraph to suit the policies of your firm] When workpapers
or files are lost, the lead partner should notify the PSP and NPPD to determine the
appropriate course of action.

Workpaper Access by Outside Parties - General

15.46 [Tailor this paragraph to reflect your consultation policies] As a general policy, the
firm does not permit access to its workpapers to parties outside the firm, including
clients, except in certain circumstances. Generally, the workpapers are the clearest
evidence of the audit team’s work and the appropriate retention of such workpapers is
necessary to protect the firm's position in the event of subsequent inquiry. The firm
believes that the workpapers contain trade secrets and confidential, and sometimes
privileged, information reflecting judgments made during the course of the work
performed. The firm, therefore, makes workpapers available for scrutiny by outside
parties only in limited circumstances, such as those discussed below. These include:
 access by another accounting firm
 access by regulators
 in response to subpoenas
 examinations of income tax returns
 inspections by peers and oversight bodies

[Tailor the following paragraph to suit the policies of your firm] The approval of the lead
partner should be obtained before access is provided and any copies are released, and
the lead partner should consult with the NPPD and RRLA as firm policy requires. The
lead partner should notify the NPPD (except for routine successor auditor requests)
when access will be provided.

15.47 In addition to audits of financial statements, the guidance in this section applies
to other types of engagements, such as compilation and review engagements, special
reports, and attestation engagements.

15.48 When questioned by clients or others regarding why the firm does not
automatically make workpapers available, the following explanation may be offered:
 there may be statements in the workpapers made for audit purposes that
could be taken out of context - for example, workpapers may contain
documentation for audit purposes that clients may not want a third party to
have access to in a situation that may not be able to be controlled
 the profession’s code of ethics requires the audit team and the firm to
maintain client confidentiality
 the firm owns the workpapers, not the client - the workpapers contain
proprietary information, trade secrets, and confidential, sometimes
privileged information; therefore, firm policies permit access to workpapers
only in certain limited instances

Incomplete Audit

15.49 [Tailor this paragraph to reflect your consultation policies and location of forms
and letters] In certain circumstances, such as when a client is selling all or a portion of
its business, it may be in the client’s best interest for the other accounting firm engaged to
perform due diligence procedures for the acquirer or financing entity to review audit
workpapers prior to the issuance of the audit report. Among other matters, this better
protects the firm’s client against the acquirer or financing entity later claiming
misunderstanding (or disagreement) with respect to the client’s accounting policies and
methods. If, after consultation with the NPPD, access will be permitted prior to audit
completion, the illustrative letter reflecting the “in process circumstance” located in the
GEL, under Letters, Forms and Templates > Access and Termination Letters, may be
used. Generally, no workpaper copies will be provided. In the rare instance in which the
firm agrees to provide copies of client-prepared workpapers, these copies will be
provided only after the audit is completed.

Control Over Workpapers Made Available

15.50 When the firm agrees to make workpapers available, in order to ensure the
continued integrity of the workpapers and the confidentiality of client information, control
over the workpapers should be maintained at all times. The individuals reviewing the
workpapers should be accompanied by a member of our staff or outside counsel staff,
as appropriate.

Guest Access and Voyager

15.51 Voyager has a guest access mode feature for files archived using version 1.05
and later that is useful in managing the situation where workpaper access by outside
parties is required. The audit team creates a guest access in Voyager’s main screen.
Instructions for creating a guest package are located in the Voyager help system under
“Completing and archiving a Voyager file.” If the file has not been archived, follow the
instructions provided in the following paragraph.

15.52 Audit teams should exercise caution when guests request access to workpapers
that are not archived. Depending upon the circumstances, audit teams can provide
access by:
 allowing guests to review the file using a GT computer
 projecting the file onto a screen for the guest to view while the auditor
moves through the file
 printing any of the requested documents
 copying the Voyager file and deleting any items the guest should not view

Regardless of the method used, after the guest completes the review, the audit team
should discard the files created for the guest’s review.

Workpaper Access by Another Accounting Firm


15.53 There are a number of situations where the firm may be requested to provide
workpaper access to another accounting firm. Although the professional literature does
not require this, firms frequently do so as a professional courtesy, or as a business
courtesy to a former (or, in some cases a continuing) client. Perhaps the most common
such situations are:
 when requested by a successor auditor
 when another firm will “reaudit” financial statements the firm previously audited
 the acquisition of all or part of a client's business (discussed below)

15.54 [Tailor this paragraph to reflect the location of your forms and letters] In such
instances, letters from the acquiring company (or former client) and the other
(successor) accounting firm, such as those illustrated in GEL under Letters, Forms and
Templates > Access and Termination Letters, should be obtained. These letters help to
protect the firm and acknowledge that the workpapers are to be used only for the
specific purposes set forth. Among other matters, such letters help clarify the following:
 the confidentiality of the workpapers
 workpapers that will not be made available
 our audit was not intended for the benefit of the acquirer
 an acquirer's need to perform other "due diligence" procedures
 certain indemnification, hold harmless, and other protection provisions for
the firm
 retention period of copies of workpapers provided to successor auditors
 preventing successor auditors from inappropriately using our audit
documentation as audit evidence
 need for firm personnel to review the subsequent Form 10-K of a former
SEC client and receipt of a "comfort letter" from the successor auditor and
an updated representation letter from the former client
 need for the firm to have adequate timing allowed for the foregoing review
 fee arrangements

15.55 [Tailor this paragraph to reflect your consultation policies] Access to workpapers
should not ordinarily be permitted unless letters, substantially in the form suggested by
the illustrated letters, are obtained. If there are questions about access or difficulties
encountered in obtaining such letters, the NPPD should be consulted.

15.56 [Tailor this paragraph to reflect your consultation policies] The firm would be
willing to provide similar letters when requested to do so, provided that such letters are
similar or less restrictive. Any requests for more restrictive language should be brought
to the immediate attention of the NPPD and RRLA. Because any such letter places
certain restrictions upon future actions of the firm, copies of any such letters should be
forwarded to the NPPD and RRLA.

Workpaper Access by Successor Auditors

Successor Auditor Considerations

15.57 [Tailor this paragraph to reflect your policies] When the firm is succeeded as
auditors by another accounting firm, the audit team should usually make themselves
available to consult with the successor auditor and permit the other firm to review the
workpapers subject to the following conditions:
 an access letter should be obtained from the former client, substantially in
the form illustrated in Letters, Forms and Templates > Access and
Termination Letters and acknowledged by the successor auditor
 the review can only be conducted with the approval of the lead partner.
When the lead partner concludes that the firm will not permit the review of
our workpapers due to unusual circumstances such as impending,
threatened, or potential litigation, disciplinary proceedings, or other
conditions, the PSP and NPPD should be consulted. In these
circumstances, the audit team should clearly state that the response is
limited.
 there should be agreement in writing as to which workpapers are available
for review and which the firm will permit to be copied
 communications and workpaper access should be limited solely to the
successor auditor who has accepted the engagement (unless suitable fee
arrangements were made with the former client for communications when
more than one auditor is considering accepting an engagement)
 the review should be conducted in firm offices during regular working
hours
 a representative of the firm should always be present during the
workpaper review
 no workpapers may be removed from a firm office under any
circumstances
 generally, fees should be paid before any review of workpapers is
permitted

15.58 When the firm agrees to provide workpaper access, such access would usually
be limited to matters that another accountant, as successor auditor, might need for
purposes of planning their subsequent engagement. Generally, the firm would allow
workpapers, such as the following, to be reviewed:
 factual information about the client that is available in the client’s
accounting records and related files, but is more readily accessible from
the workpapers (PBCs) - this might include information necessary to
understand a client’s internal control, analyses of accounts, information
relating to commitments and contingencies, and other information about
the client
 documentation of the audit team’s understanding of the entity’s internal
control (including walkthroughs and the Summary of Control Deficiencies)
 information concerning risk assessments and key issues including related
memoranda
 audit programs and memoranda documenting audit procedures
 analyses performed on judgmental areas such as bad debt reserves,
inventory reserves, worker’s compensation accruals, etc.
 analytical procedures
 information about substantive tests and their results, including the
Summary of Unrecorded Misstatements and the Summary of Significant
Matters
 information and conclusions solely for use in support of the auditors’ report
(this would include information about judgmental audit conclusions,
particularly those that are separate and apart from conclusions about the
results of audit procedures) - for example, documentation supporting the
going concern assumption, when the results of audit procedures indicate
there could be substantial doubt about the client’s ability to continue as a
going concern

15.59 [Tailor this paragraph to reflect your country’s laws and regulations] The following
information would generally not be provided:
 administrative matters, such as time and budget analyses, billing
information, engagement letters, and interoffice or intraoffice
correspondence
 comments for consideration in the following year
 information about bank regulatory examinations
 letters from attorneys (as many letters contain language that prohibits us
from providing this information to others)
 tax accrual workpapers, tax return preparation workpapers, or copies of
related tax filings unless the client expressly consents to the waiver of its
privilege under the Internal Revenue Code

15.60 [Tailor this paragraph to reflect your country’s laws and regulations] Management
must specifically consent to either waive or not waive its “Taxpayer Confidentiality
Privilege” under Internal Revenue Code (IRC) §7525. Because of ambiguities in the
interpretation of IRC §7525, the firm will not make workpapers prepared in connection
with the preparation and filing of any tax return available, including tax accrual
workpapers, if a client does not waive its privilege. Additionally, if privilege is not waived,
all questions regarding tax matters should be referred to client personnel.

15.61 When requested to provide photocopies of workpapers, such photocopies would
be limited to factual information about the client that was specifically requested and is
available in the client’s accounting records and related files, but is more readily
accessible from the workpapers (PBCs). This might include information necessary to
understand a client’s internal control, analyses of accounts, information relating to
commitments and contingencies and other information about the client. Generally, the
firm will not provide electronic copies of our workpapers. When providing photocopies of
workpapers, the audit team should follow the guidance described below.

Workpaper Access – Acquisitions, Financings, Investment or Lending Situations

15.62 In an acquisition, financing, investment or lending situation, the firm may be
requested to provide workpaper access to another accounting firm (i.e., the third party’s
accounting firm). The firm may also be requested to provide access to the third party’s
internal auditors or other internal personnel. The following discusses the firm’s policies
and procedures for providing workpaper access to such individuals.

15.63 [Tailor the last sentence to reflect the location of your letters and forms] When
requested to provide access to audit workpapers in an acquisition, financing,
investment, or lending situation, the audit team should obtain the client’s permission
prior to providing such access. The audit team should also obtain an acknowledgment
from the third party, as to their understanding of the terms of our providing such access.
Illustrative letters are located in GEL under Letters, Forms and Templates > Access and
Termination Letters.

Access by Another Accounting Firm

15.64 When requested, workpaper access may be provided to another accounting firm,
such as the acquirer’s or lender’s accounting firm. When the firm agrees to provide such
access in an acquisition, financing, investment, or lending situation, it would usually be
limited to matters that another accountant might need for purposes of planning their
engagement or due diligence procedures.

15.65 Accordingly, similar to a successor auditor situation, the firm would ordinarily
make the following workpapers available to the accounting firm for review:
 factual information about the client that is available in the client’s
accounting records and related files, but is more readily accessible from
our workpapers, such as client-prepared workpapers (PBCs) - this might
include information necessary to understand a client’s internal control,
analyses of accounts, information relating to commitments and
contingencies and other information about the client
 documentation of the audit team’s understanding of the company’s
internal control (including walkthroughs and the Summary of Control
Deficiencies)
 information concerning the audit team’s risk assessments, key issues, and
other planning memoranda and procedures
 analyses performed on judgmental areas such as bad debt reserves,
inventory reserves, worker’s compensation accruals, etc.
 analytical procedures
 audit programs and memoranda documenting audit procedures
 information about substantive tests and their results, including the
Summary of Unrecorded Misstatements and the Summary of Significant
Matters
 information and conclusions solely for use in support of the auditors’ report
- this would include information about judgmental audit conclusions,
particularly those that are separate and apart from conclusions about the
results of audit procedures, for example, documentation supporting the
going concern assumption when the results of audit procedures indicate
there could be substantial doubt about the client’s ability to continue as a
going concern

15.66 The following information should not be provided to another accounting firm or
others performing due diligence procedures:
 administrative matters, such as time and budget analyses, billing
information, engagement letters, and interoffice correspondence
 comments for consideration in the following year
 information about bank regulatory examinations, as well as any copy of
examinations retained in the special current file
 letters from attorneys (as many letters contain language that prohibits us
from providing this information to others)
 tax accrual workpapers, tax return preparation workpapers, or copies of
related tax filings unless the client expressly consents to the waiver of its
privilege under the Internal Revenue Code

Access by Internal Auditors or Other Personnel

15.67 In certain situations, the firm may be requested to provide workpaper access to
the third party’s (e.g., acquirer’s or lender’s) internal auditors or other internal personnel.
Permitting access to such individuals is not the same as permitting another accounting
firm (such as a successor firm) access to review our workpapers. Another accounting
firm is familiar with the nature of audit workpapers and how they may be used and has
similar interests in upholding the terms of the workpaper access letters they sign. These
factors are not present when the third party’s internal personnel want to review audit
workpapers. Also, access by such internal personnel creates potential liability for the
firm that might not otherwise be present.

15.68 [Tailor this paragraph to reflect your consultation policies] Therefore, access to
audit workpapers by such individuals should ordinarily not be provided. If the lead
partner believes that access should be provided, the lead partner should consult with
the NPPD and RRLA. The lead partner should be prepared to discuss the reasons why
such a request should be granted, which would include having an understanding of the
requesting individuals’ audit and accounting backgrounds. Granting access to such
individuals is expected to be rare.

15.69 If the firm decides to grant workpaper access to a third party’s internal personnel,
access would only be provided to those workpapers that contain factual information
about the client that is available in the client’s accounting records and related files, but
is more readily accessible from our workpapers, such as client-prepared workpapers
(PBCs). This might include information necessary to understand a client’s internal
control, analyses of accounts, information relating to commitments and contingencies
and other information about the client.

Photocopies

15.70 [Tailor this paragraph to reflect your consultation policies] Photocopies of audit
workpapers ordinarily should not be provided in an acquisition, financing, investment, or
lending situation. Any such requests should be discussed with the NPPD. In the rare
instance where the firm agrees to provide photocopies, such photocopies should strictly
be limited to factual information about the client that was specifically requested and is
available in the client’s accounting records and related files, but is more readily
accessible from our workpapers, such as client-prepared workpapers (PBCs). This
might include information necessary to understand a client’s internal control, analyses of
accounts, information relating to commitments and contingencies and other information
about the client. When providing photocopies of workpapers, the audit team should
follow the guidance described below.

Workpaper Access by Law, Regulation or Contract

Access by Regulators

15.71 The firm might also be requested or required to provide access to or photocopies
of workpapers to regulators. For this purpose, a regulator includes Federal, state, and
local government officials or their designee with legal oversight authority over the entity
being audited. On occasion, this request (or demand) from a regulator will be a
precursor to, or otherwise connected with, an inquiry into potential violations of law or
other wrongdoing by a client, its management, the firm, or others. The guidance
provided above is not applicable to those situations or to requests by regulators, third
party inspections of the firm, proceedings related to alleged ethics violations, and
responses to subpoenas.

15.72 When law, regulation, or audit contract requires the firm to provide a regulator
with access to workpapers, the client's (or former client's) approval should be obtained
in writing. This should be obtained through an appropriate authorization in the
engagement letter.

15.73 [Tailor this paragraph to reflect your consultation policies and location of your
forms and letters] When requested (but not required by law, regulation, or audit
contract) to provide regulatory access to audit workpapers, the NPPD should be notified
as soon as possible. The NPPD will in turn consult with RRLA. Upon approval of the
access request, an authorization letter should be received from the client (see the
illustrative letter in GEL under Letters, Forms, and Templates > Access and Termination
Letters).

15.74 [Tailor this paragraph to reflect your consultation policies] If the client refuses to
authorize workpaper access, the NPPD should be consulted, who in turn, will consult
with RRLA.

15.75 [Tailor this paragraph to reflect the location of your forms and letters] [Tailor the
last sentence to reflect your environment.] To avoid any misunderstanding, upon
approval of the access request, the audit team should submit a letter (as illustrated in
GEL under Letters, Forms and Templates > Access and Termination Letters) to the
regulatory agency prior to allowing any regulatory access to the workpapers. Note: This
letter may not be appropriate in all circumstances. Additional tailoring may be required
for a regulatory agency review in circumstances where the workpapers are prepared
under Government Auditing Standards, Office of Management and Budget Circular
A-133, or other attestation standards for compliance.

Subpoenas

15.76 [Tailor this paragraph to reflect your consultation policies] In the event of
litigation, regulatory investigations, etc., audit workpapers may be subject to subpoena.
In the event the workpapers are subpoenaed, either by a governmental agency or in
connection with civil litigation, the NPPD and RRLA should be immediately notified.
Once subject to subpoena, the workpapers usually must be produced intact and may
not be changed, except as instructed by counsel. When workpapers are subpoenaed,
the workpapers ordinarily should be photocopied or microfilmed before being released
from the firm’s possession or other appropriate action taken as directed by RRLA.

15.77 [Tailor this paragraph to reflect your approval process] It is imperative that the
original workpapers not be altered in any way. No information may be added, discarded,
or changed on the original workpapers regardless of its location, relevance, or its
content. Any additions or other changes to the original workpapers must be:
 approved by the NPSG
 made on a photocopy of the original workpaper
 filed in a clearly labeled supplemental file, which will be part of the firm’s
submission in response to the subpoena

Examinations of Income Tax Returns

15.78 [Tailor this paragraph to reflect your tax policies] The firm cooperates with
revenue agents conducting routine examinations of client income tax returns. Generally,
workpapers are not volunteered to the revenue agent, and those submitted to the agent
are limited in scope to the particular question raised. In all instances, the firm insists that
the workpapers be made available only upon written authorization of the client or in
response to a subpoena. The Tax Manual contains additional policies related to the
examination of workpapers by the Internal Revenue Service. See also client waiver of
taxpayer privilege discussed above.

Peer Review

15.79 [Tailor the paragraphs in this section to reflect your firm’s approach to your
country’s peer review requirement, if any] The firm is periodically subjected to a Peer
Review. As a part of the peer review process, the firm makes certain workpapers
available to the independent accounting firm engaged to conduct the peer review.

15.80 Many Federal and State regulatory agencies (including State Boards of
Accountancy) have instituted a peer or quality review requirement. The AICPA Peer
Review Division has attempted in all instances to have that regulatory agency accept
the firm’s peer review report in satisfaction of the agency’s quality/peer review
requirement, and most agencies have accepted this.

15.81 In the event a particular office receives a request to submit to a Federal or State
regulatory agency quality review, the office should determine if the firm's last peer
review report will be accepted in lieu of any separate requirement. (This request may be
for a workpaper review or a "report" review of issued financial statements.) If the agency
will not accept the peer review report, the NMP NPSG should be immediately contacted.

15.82 If it is determined that the firm will have to submit workpapers and/or reports for
review to satisfy the particular requirements, the NMP NPSG should be contacted, who
will arrange for a review of such documents prior to submission to the agency.

Providing Photocopies

15.83 [Tailor this paragraph for reference to regulations and your consultation policy]
When requested or required by law, regulation, or contract to provide photocopies, the
audit team should:
 provide copies of only those specific portions of workpapers that were
requested, preferably only for requests made during the course of an
on-site review. Care should be taken to cover other items such as audit tick
marks, tick mark legends, and judgments and conclusions to prevent such
items from being photocopied. Photocopies of audit programs,
memoranda describing audit procedures and other workpapers,
particularly those containing information and conclusions solely for use in
support of the auditors’ report, should not be provided
 consider statutory privacy requirements, such as identification of certain
individuals in Federal and state awards or grants, payroll and personnel
information, depository information, personal financial information,
insurance claims, and medical and health reimbursements, where we
have additional constraints on third party access
 follow the guidance above if requested to provide copies to another
accounting firm
 consider making and retaining a copy of what was provided with a notation
of the person’s name and date
 label all workpaper copies: “CONFIDENTIAL.” Copies should be
transmitted with a cover letter requesting confidential treatment and note
that secondary distribution is not permitted without the firm’s written
approval. The following is an example of the appropriate cover letter:

These workpapers are submitted as CONFIDENTIAL. The workpapers constitute and
reflect work performed or information obtained by Grant Thornton LLP in its capacity as
independent auditors for (name of client). We believe that the documents contain
confidential commercial and financial information of our firm and (name of client) that may
be privileged and confidential, and we expressly reserve all rights with respect to
disclosures to third parties. (Add the following sentence when workpapers are provided to
regulators: Accordingly, we claim confidential treatment under the Freedom of Information
Act and all other applicable provisions of law and regulation.) Before any disclosure of
these documents is permitted, including any parts or copies of them (to other governmental
agencies), please provide notice to (insert name, address, and telephone number of lead
partner or his or her representatives).

 consult the NPPD or RRLA if the request appears to be antagonistic or for
a purpose other than stated

15.84 Time and budget records should not be provided, unless required.

Chapter Sixteen - Consultations

[Chapter 16 tailoring comments:

ISQC1 requires firms to establish policies and procedures designed to provide it
with reasonable assurance that:
(a) Appropriate consultation takes place on difficult or contentious matters;
(b) Sufficient resources are available to enable appropriate consultation to
take place;
(c) The nature and scope of such consultations are documented; and
(d) Conclusions resulting from consultations are documented and
implemented.

Chapter 16 is how member firms that use VIS meet these requirements. Member
firms not using VIS should use the following paragraphs as a detailed illustrative
example of policies and procedures that satisfy IFAC’s requirement. Member
firms not using VIS likely will have to tailor most of the following paragraphs to
reflect the way the firm has addressed the consultation requirement of ISQC1.

Pay particular attention to tailor the following elements to reflect your policies,
processes and positions:

 The matters on which you expect consultation to occur
 The means of documenting consultations
 Who you expect to be consulted (numerous references to PSPs and
NPPD, etc.)

Please consult the document titled “Appendix E - Commonly Used Acronyms.docx”
for the meaning of the various positions discussed in this chapter.]

Summary

This Chapter discusses the audit team’s responsibilities regarding consultations and
professional disagreements. The firm’s consultation process, Consultation Protocol, and
policies requiring consultation on certain accounting and audit matters are also
discussed.

Consultation Responsibilities

Management Responsibilities

16.01 It is management’s responsibility to determine the appropriate accounting
for a transaction and the audit team should have a clear understanding of
management’s conclusions. Management should provide the audit team with
documentation that sets out their conclusion and the basis for that conclusion.

Lead Partner Responsibilities


16.02 [Tailor this paragraph to reflect your process] The lead partner is responsible
for researching, documenting and concluding on consultation matters, communicating
with the PSP prior to the audit team members contacting the National Office, ensuring
all those involved in the consultation process have the necessary facts and understand
the issues, and involving all appropriate individuals in resolving matters, including the
quality control reviewer. The lead partner, with assistance from the PSP and the quality
control reviewer, is also responsible for reviewing the consultation documentation prior
to any National Office review.

National Office Responsibilities

16.03 [Tailor this paragraph to reflect your process] The NPPD is responsible for
providing timely technical assistance to the audit team and identifying additional subject
matter specialists to involve in the consultation matter, as necessary. The National
Office, including the NPPD, is responsible for providing timely technical assistance and
review of matters, as well as timely documentation of approvals (electronic sign-off) in
the Consultation tool.

Consultation With Respect to Significant or Unusual Matters


16.04 Firm policies require consultation about significant or unusual audit,
accounting, or financial reporting matters, including those that require specialized
knowledge in complex areas of authoritative literature (“consultation matters”). Even
though consultation may not be required for a specific issue, the lead partner is
encouraged to consult on any matter and should not feel compelled to reach a final
conclusion without consulting others in the firm.

16.05 [Tailor this paragraph to reflect your process] Consultations may involve the
lead partner, quality control reviewer, PSP, NPPD, and others in the National Office.
The Consultation Protocol explains the procedures an audit team should follow to
document and resolve consultation matters.

16.06 [Tailor this paragraph to reflect your process and policies] There are various
matters for which a discussion with the NPPD is expected, including:
 allegations or indications of possible fraud, improper conduct,
whistleblowers, illegal actions, or similar matters with respect to client
owners, significant shareholders, officers, or directors
 other material fraud (e.g., small embezzlements or petty theft by
employees would not ordinarily require a consultation whereas fictitious
loans created by a loan officer likely would)
 materiality determinations for audits of public companies performed under
PCAOB standards based on a benchmark or measurement percentage of
anything other than 5% of earnings before taxes
 indications of possible litigation which might involve allegations pertaining
to the client's financial statements or services performed by the firm
 circumstances where there is substantial doubt about an entity’s ability to
continue as a going concern (Chapter 21 describes these circumstances)
 financial statement restatements or potential restatements (potential
restatements require notification as discussed further in Chapter 19)
 audits conducted under foreign standards
 related party transactions which are unusual or whose business purpose
is unclear
 accounting for significant or complex business combinations, including
those situations where there is a question as to whether a transaction
constitutes a business combination
 complex real estate sales, such as where the seller retains an obligation to
support the operations of the property sold
 intricate consolidation situations, such as when there are majority-owned
unconsolidated subsidiaries
 regulatory investigations or inquiries (other than routine IRS examinations
or similar routine matters)
 the recording of significant deferred tax debits (net of any valuation
allowance) that are expected to be recovered based on (a) future taxable
income, exclusive of reversing temporary differences or (b) tax planning
strategies (although consultation on other engagements is encouraged)
 issues about the propriety of capitalizing or deferring various costs, if the
engagement is subject to a quality control review (although consultation
on other engagements is encouraged)
After the audit team has discussed these matters with the NPPD, the NPPD will
determine what further actions are necessary. These may include documentation of a
formal consultation, further involvement of the NPPD or the involvement of others, such
as RRLA. Appendix C contains a full list of all topics requiring consultation and/or
notification with the NPPD and/or National Office.

The Consultation Process


16.07 The key steps and responsibilities in consulting on significant matters include
the following and are discussed in detail in the Consultation Protocol:
 identify the issue
 perform initial research
 determine the appropriate individuals for consultation
 conclude and document the consultation record
 obtain final approval(s) prior to the report release date
 document the matter in the workpapers

Required Use of Consultation


16.08 [Tailor this paragraph to reflect your process] Firm policies and professional
standards require documentation of consultation matters. Firm policies also require
professionals to use the firm’s Consultation tool (or Consultation) to document
significant consultations with the National Office. As a result, a consultation with the
National Office will not be deemed to have taken place unless the consultation is
complete and documented using Consultation. In addition, agreement by those
consulted in the National Office will not be deemed to have taken place until approvals
are signed off in Consultation. Therefore, to comply with professional standards and firm
policies for documenting and concluding on consultation matters, it is critical that audit
teams follow the guidelines in the Consultation Protocol, including the use of
Consultation.

16.09 Consultation is not intended for documenting the resolution of routine
questions, communications with quality control reviewers, or other similar discussions
that occur on an engagement. When a question arises as to whether a consultation
matter should be documented using the tool, the person being consulted will
make the determination.

16.10 [Tailor this paragraph to reflect your process] It is always permissible, as well
as encouraged, to use Consultation to document consultations on other matters.
However, if the tool is not used to document consultations for matters other than those
discussed with representatives of the National Office, it remains the lead partner’s
responsibility to ensure necessary documentation is prepared and included in the
workpapers, regardless of the documentation and approval method used.

Using Consultation

16.11 Consultation is accessed through VIS Tracking. This tool allows audit teams to
document, monitor, and approve consultation matters. Because the tool is contained
within VIS Tracking, VIS places the approved consultation report within the associated
Voyager file. For a detailed explanation on the use of Consultation, refer to the help
system built into VIS Tracking.

16.12 Consultation is flexible and allows a consultation matter to be initiated within a
new consultation record created in the tool or in a Microsoft Word document that can
later be inserted into the tool. Either way, individuals in the consultation process can
share the Word file and make edits until the document is finalized.

16.13 Contracts and other legal documents integral to the consultation can be
temporarily attached to a consultation record. However, these documents belong with
the audit documentation in the Voyager file so upon final approval, Voyager will transfer
the final consultation report along with any other documents that were attached to the
consultation record into the Voyager file. This feature is intended for documents that
support the consultation results that are not otherwise available, such as support for a
complex calculation in a Microsoft Excel file. Documents that can be viewed elsewhere
such as professional standards references should not be inserted into the consultation
record.

16.14 Approvers of a consultation matter sign off electronically through Consultation.
As mentioned, an approved consultation report is transferred into the associated
Voyager file.

16.15 In addition to gathering basic information about the entity and the consultation
matter, Consultation:
 provides a standard template for documenting consultations
 formalizes documentation so that all parties to the consultation have a
consistent understanding of the facts related to the consultation matter
 creates email notification messages to the appropriate individuals
indicating that their approval is needed
 provides for automated signoffs
 generates and transmits a report to Voyager

16.16 [Tailor this paragraph to reflect your process] As discussed in the Consultation
Protocol, the lead partner is responsible for communicating with the reviewer and, as
necessary, with the PSP and/or quality control reviewer, NPSG personnel, and subject
matter specialists. To formalize this process, Consultation contains notifications and
sign-offs for the “Consultation Team.” The “Consultation Team” should always include
the following individuals:
 Lead partner
 Preparer – individual (other than the lead partner) who is actively involved
in documenting the consultation matter. Often this is the manager
assigned to the audit team.
 Approver – individual primarily responsible for concurring with the
judgments and conclusions reached. Ordinarily, this is an individual in the
NPSG with whom the consultation occurs.
 PSP
 NPPD

16.17 In addition, the following individuals may be added to the Consultation Team:
 Quality control reviewer
 Subject matter specialist (SMS) – industry experts, independence experts
or others involved in the consultation matter

16.18 [Tailor this paragraph to reflect your process] The approver is responsible for
deciding whether to require formal sign-offs by the quality control reviewer, PSP, NPPD,
or SMS. For those members of the Consultation Team not required to sign-off on a
matter, the approver may designate these individuals to receive email notifications when
a matter is ready for final sign-off and when the matter receives final approval.

16.19 Each consultation matter must be independently documented and approved;
therefore, multiple matters should not be entered into a single consultation file, nor
should an existing consultation be used in lieu of documenting a new consultation
matter.

16.20 Consultations that are in Draft or Awaiting Approval status are not complete.
Until all approvals are obtained and the status becomes Approved, the consultation and
conclusions drawn are not to be relied upon by the client or referred to in the audit work
papers.

16.21 Once the Consultation Team is in agreement with the conclusions
documented in the record, the lead partner is required to follow the position approved. If
the Consultation Team and the lead partner are not in agreement on a conclusion, the
lead partner should follow the firm’s existing policies for dispute resolution.

16.22 The lead partner should verify that all of the reviewers approved the
consultation matter on or before the audit report date and the consultation report is
included in the Voyager file prior to archiving.

Consultation Team

16.23 [Tailor this paragraph to reflect your titles and roles] Each consultation record
involves a Consultation Team. The lead partner determines team member
involvement. The Consultation Team includes the following roles and responsibilities:
 Preparer – recording the consultation matter within the tool. Ordinarily, this
is the manager, but it can be any member of the audit team. The preparer
should document the fact pattern and initial research and conclusions in
the Consultation tool prior to engaging in substantive discussions about a
particular matter. This ensures the Consultation Team has the same
understanding needed to reach a conclusion. This role is required for
every record.
 Approver – reviewing and consenting to the consultation conclusion.
Normally, this team member is either the PSP or NPPD. This role is
required for every record.
 Engagement partner – see above. This role is required for every record.
 Quality control reviewer – understanding the record as part of engagement
responsibilities. This role should be added whenever a quality control
reviewer is assigned to an engagement. When applicable, the partner
determines whether approval or notification-only is appropriate.
 Subject matter specialist (SMS) – reviewing the record because of
professional expertise in any areas such as industry specialization,
independence, accounting, or auditing. Individuals in the National Office
(e.g., APCG) usually serve in this role. This role should be added to a
record whenever an individual not already included in the consultation
team is needed to provide professional expertise. When they are added to
the team, the partner will determine whether approval or notification-only
is appropriate.
 PSP – reviewing the record as part of the local office professional
standards responsibilities. This individual should be added to every
record. The lead partner will determine whether approval or
notification-only is appropriate. Additionally, the PSP can decide to become more
involved and request to sign-off a record if they determine the risks
warrant greater involvement.
 NPPD – reviewing the record as part of the regional professional
standards responsibilities. This individual should be added to every
record. The lead partner will determine whether approval or
notification-only is appropriate. Additionally, the NPPD can decide to become more
involved and request to sign-off a record if they determine the risks
warrant greater involvement.

16.24 [Tailor this paragraph to reflect your titles and roles] The partner is responsible
for deciding whether to require formal sign-offs by the quality control reviewer, PSP,
NPPD, or SMS. For those members of the Consultation Team not required to sign-off
on a matter, the approver may designate these individuals to receive email notifications
when a matter is ready for final sign-off and when the matter receives final approval.
When notification-only is assigned, the team member is not responsible for formally
reviewing the documentation or agreeing with the conclusion. Instead, notification-only
allows PSPs and NPPDs to see the engagements with issues and those involved.

Professional Disagreements and Concerns


16.25 [Tailor this paragraph to reflect your process] Questions and concerns relating
to accounting principles, auditing and reporting and independence of partners and staff
are ordinarily resolved on a timely basis within the office and appropriately documented.
For example, a professional disagreement between the quality control reviewer and
others on the audit team is ordinarily resolved by discussion between the lead partner
and the PSP. On the infrequent occasion when they continue to disagree, the
OMP should be consulted and should obtain the parties' acceptance of a final firm
position. In rare cases, the OMP may be unable to obtain the parties' acceptance of a
firm position and, in such situations, the NPPD should be consulted. If the lead partner
is the OMP or the OMP's background and experience are in an area other than audit,
the NPPD should be consulted.

16.26 [Tailor this paragraph to reflect your process] When personnel are concerned
that matters that might be material to the financial statements, to the firm's
independence or to the professional performance of an engagement have not been
addressed in a forthright professional manner, similar principles should be applied. For
example, concerns by any member of an audit team should be brought to the attention
of the appropriate supervisory level within the team. Any concerns or disagreements,
which are not resolved, should be appropriately documented. If the member's concerns
have not been satisfied, they should then be brought to the attention of the OMP and
the NPPD.

16.27 [Tailor this paragraph to reflect your process] The firm encourages, expects,
and requires all partners and staff to communicate freely on all professional matters
(concerns related to assurance services, independence, etc.) with personnel authorized
to act on such information. Moreover, partners and staff should feel free to directly
contact the NMP NPSG concerning such matters. It is understood that any such
communications with senior firm personnel will not prejudice the individual's
professional development.

16.28 [Tailor this paragraph to reflect your process] When personnel are concerned
that matters of significance to any other engagement, such as tax compliance or
consulting, have not been addressed in a forthright professional manner, similar
principles should be applied. This policy applies to all personnel regardless of discipline
or position within the firm. For example, concerns by any tax professional on a tax
position taken by the firm on a taxpayer’s return should be brought to the attention of
the appropriate supervisory level within the office, such as the tax department head.
Any concerns or disagreements that are not resolved should be appropriately
documented. If the professional's concerns have not been satisfied, they should then be
brought to the attention of the OMP and the NPPD. Other members of firm management
may subsequently be consulted to resolve such matters.

16.29 In summary, areas of professional disagreement or concern are to be
identified and resolved. This is an important aspect of the firm's system of quality
assurance.

Exhibit 16.1 - Consultation Protocol


[Tailor this Exhibit to reflect your protocol]

Overview

General

E01 The firm’s existing policies require consultation about significant or unusual
audit, accounting, or financial reporting matters including those that require specialized
knowledge in complex areas of authoritative literature (“consultation matters”).
Consultations about such matters may involve PSPs, NPPDs, or others in the National
Office. Even though consultation with the National Office may not be required for a
specific issue, the lead partner should not feel compelled to reach a conclusion on a
significant or unusual matter without consulting others in the firm.

E02 This protocol explains the procedures an audit team should follow to document
and resolve consultation matters.

E03 Documentation of significant consultations, whether involving the National
Office or not, is required by our firm policies and professional standards. Also, firm
policies require use of the Consultation tool to document significant consultations with
the National Office. As a result, under our policies, such a consultation will not be
deemed to have taken place unless the consultation is complete and documented in the
consultation database; agreement by those consulted will not be deemed to have taken
place until approvals are signed off. Therefore, to comply with professional standards
and with firm policies for documenting and concluding on consultation matters, it is
critical that audit teams follow the guidelines in this protocol.

E04 The responsibility for researching, concluding, and documenting a consultation
matter rests with the lead partner, who may involve other members of the audit team.
Preliminary discussions with the National Office, for guidance concerning what
authoritative literature may apply, are appropriate and encouraged. The audit team is
expected to perform initial research on the resolution of each matter and, as
appropriate, consult with others (including the quality control reviewer, when one is
assigned to the engagement) in reaching their ultimate conclusion.

Lead Partner Responsibilities

E05 The lead partner is responsible for:
 documenting and concluding on consultation matters
 communicating with the PSP prior to the audit team members consulting
with the National Office
 ensuring all those involved in the consultation process have the necessary
facts and understand the issues
 involving all appropriate individuals in resolving matters, including the PSP
and quality control reviewer
 reviewing the consultation documentation, with assistance from the
PSP/quality control reviewer, prior to any National Office review

National Office Responsibilities

E06 For consultations with the National Office, the NPPD should be contacted first.
The NPPD is responsible for providing timely technical assistance to the audit team and
identifying additional subject matter specialists to involve in the consultation matter as
necessary. The National Office, including the NPPD, is responsible for providing timely
technical assistance and review of matters, as well as timely documentation of
approvals (electronic sign-off) in the consultation database.

E07 Generally, National Office personnel will communicate their availability to
discuss client issues shortly after receiving the request, usually within one business day.
The priority level of individual consultations is based on business and risk management
issues, as well as the completeness of the information provided.

The Consultation Protocol

E08 The key steps in consulting on such matters include the following:
 identify the issue
 perform initial research
 determine the appropriate individuals for consultation
 conclude and document the consultation
 obtain final approval(s)
 document the matter in the workpapers

Identify the Issue

E09 The audit team is responsible for identifying issues, including the relevant facts
and circumstances. The economics of and reasons for the transaction should also be
considered. The audit team is in the best position to determine the relevant facts and
circumstances. Those should be reduced to writing and verified prior to significant
discussions regarding the application of the authoritative literature.

Perform Initial Research

E10 The audit team should perform the initial research, including reviewing the
appropriate authoritative literature and relevant firm guidance. All audit personnel have
access to the professional standards through the GEL and the ARM. In researching
accounting matters, the audit implications should be considered. Preliminary
discussions with the National Office for guidance concerning what authoritative literature
may apply are appropriate and encouraged, but no conclusions will be reached without
review of a written submission of the facts and analysis. The audit team should compile
relevant facts and obtain supporting documents (contracts, authoritative literature, etc.)
about the matter, as necessary. It is management’s responsibility to determine the
appropriate accounting for a transaction and the audit team should have a clear
understanding of management’s conclusions and document this information.
Management should provide the audit team with documentation that sets forth
management’s conclusion and the basis for their conclusion. Once the audit team has
identified an issue and performed the initial research, the consultation process should
begin with discussions with the PSP. Ideally, the audit team will reach a preliminary
conclusion during the course of performing the initial research.

E11 The partner is responsible for reviewing all documentation and discussing the
matter with the PSP/quality control reviewer prior to the audit team consulting with the
National Office. In addition, the individuals responsible for the engagement, including
the PSP and quality control reviewer, should remain involved in resolving the matter
through its final conclusion, as deemed appropriate.

Determine the Appropriate Individuals for Consultation

E12 If additional consultation is required or considered necessary, the audit team
should first consult with the NPPD, who will determine the appropriate individuals to
involve in the consultation. The audit team should open a record in the consultation
database at this time, if one was not already opened. An audit team member should
enter all relevant information in the consultation database, including excerpts of
contracts, agreements, or other pertinent documents, and transmit it to the consultation
database. This allows all persons involved in the consultation matter to view the
information and provide comment.

E13 Consultation with a member of the Accounting Principles Consulting Group or
other subject matter specialist following the requirements of this protocol is encouraged
and, in several situations, may be required before reaching a conclusion on an issue
involving complex areas of the authoritative literature.

Conclude and Document the Consultation

E14 The audit team should document the consultation and the conclusions
reached using the consultation database and notify all those who were involved in the
consultation so that they can review the conclusions and the necessary approvals of the
final conclusions can be obtained. The documentation should also include information
that the engagement team has identified relating to significant findings or issues that
is inconsistent with or contradicts the final conclusions, and the procedures performed in
response to this information. It is important to note that the lead partner assumes
responsibility for the completeness and accuracy of the facts included in the
consultation as he/she is in the best position to do so. The approval by National Office is
subject to the completeness and accuracy of the facts presented, as different facts
might lead to different conclusions.

E15 Once agreement on the conclusion is reached, the individual(s) being
consulted should document their approval in the consultation database. Once a
conclusion is reached and approved, that conclusion becomes the firm’s position on the
issue and it should not be characterized to clients or others as being solely the
conclusion of a particular individual.

Obtain Final Approval(s)

E16 The audit team is responsible for obtaining all necessary approvals (electronic
sign-offs) on the matter. The issue is not resolved until all approvals are completed in
the database; verbal approval is not acceptable.

Document the Matter in the Workpapers

E17 Once electronic approvals are obtained, the audit team should attach the
approved consultation report in the Voyager file. Audit teams should not rely on a record
in the Consultation tool to serve as audit documentation.

Deviations from the Consultation Protocol


E18 At times, it may not be possible to follow the specific order prescribed above.
For example, if it is determined that the office’s NPPD should be consulted and that
NPPD is not available, another NPPD or National Office member may be consulted. If
this occurs, the audit team is responsible for following up with the office’s NPPD.

E19 Also, in certain circumstances, a member of the National Office may be
contacted on a matter that is not yet documented in the consultation database. During
the course of the conversation, the parties may determine the issue involves a
consultation matter that should be documented in the consultation database. Although
the responsibility for documenting a consultation matter remains with the lead partner,
the National Office member may enter the basic information in the database and notify
the individual responsible for documenting the consultation. However, the audit team
should not rely on the National Office for entering matters in the consultation database.

E20 Disagreements that arise on the application of professional standards between
the parties to the consultation require consultation with successive levels of National
Office leadership. If the disagreement is not resolved prior to consultation with the NMP
NPSG, he or she will make the final determination as to the firm’s position on the
application of professional standards. Specific provisions of the firm’s documentation
policy may be applicable in the case of disagreements on the application of professional
standards.

Conclusion

E21 In summary, until a consultation with the National Office is documented and
approved using the firm’s Consultation tool, conclusions reached through the
consultation process are tentative. Therefore, it is paramount for all parties involved in
the consultation to follow the guidance as set forth in this protocol.

Chapter Seventeen - Related Party Transactions

Summary

This Chapter highlights key portions of the relevant auditing pronouncements and calls
attention to the firm's policies, Voyager audit program steps, and other materials that
discuss identifying related parties and auditing related party and unusual transactions.

Introduction
17.01 Professional standards require the audit team to perform specific audit
procedures to obtain evidence regarding management’s identification of, proper
accounting for, and disclosure of related parties and related party transactions. These
procedures are required even if the audit team has no reason to suspect that related
parties or related party transactions exist. Professional standards also require the audit
team to remain alert, during the course of the audit, to the possible existence of material
related party transactions that could affect the financial statements.

17.02 Related party transactions may be difficult to identify. As a result, auditing related
parties requires a thorough understanding of the entity and its internal control, the
nature of related party transactions, and auditing techniques used to audit such
relationships and transactions.

17.03 The identification of related parties and transactions with related parties is
important because:
• accounting standards require disclosure of material related party transactions and
certain control relationships
• there is a risk of material misstatement if related party transactions are improperly
recorded
• fraudulent financial reporting and misappropriation of assets are often perpetrated
using an undisclosed related party (e.g., frauds involving hidden affiliations and
relationships of which the audit team was unaware)
• the reliance that the audit team can place on audit evidence obtained from related
parties may be less than evidence obtained from unrelated third parties

Definition of a Related Party


17.04 Parties are considered related when one has power, through ownership,
contractual right, family relationship, or otherwise, to directly or indirectly control or
significantly influence the other party. Parties also are related when they are under the
common control or significant influence of a third party.

17.05 The definition of a related party is very broad and includes:
• management, including the board of directors, executive officers, and other persons
with policy-making authority
• owners
• subsidiaries
• affiliates
• investments in entities accounted for using the equity method
• trusts for the benefit of employees (e.g., pension and profit sharing trusts) that are
managed by or under the trustees of management
• parties who can significantly influence the enterprise
• any other person or entity who is able to control or significantly influence
management or operating policies of the reporting entity, or of the other party to a
transaction, so that the transaction may have been consummated on a different
basis than might have resulted had each party been free to pursue its own separate
interests (i.e., the transaction prevents one or more of the transacting parties from
fully pursuing its own separate interests – this includes related parties that are not
affiliated through common ownership, as well as parties that are so affiliated but
not consolidated or accounted for on the equity basis)

17.06 The definition encompasses members of the immediate family of principal
owners and management, including spouses, parents, children, any residents of the
individual's household, brothers and sisters and their spouses. Other relatives also may
be related parties if it appears that the relationship influenced the transaction. For
example, a loan to a cousin of an owner at an unrealistically low interest rate might
indicate influence.

17.07 A control relationship may exist in situations where there is common ownership
or management regardless of whether there is a direct affiliate relationship. Entities in
the same line of business may, by virtue of common control, generate different results
than those that might occur if they were autonomous because of the ability to increase
or decrease one another's volume of business.

Accounting Framework
17.08 [Tailor the following sentence to include reference to your domestic GAAP]
International accounting standards and US GAAP require that material related party
transactions and relationships (other than compensation arrangements, expense
allowances and similar items in the ordinary course of business) be disclosed. These
disclosures should include the nature of relationships, including certain control
relationships, descriptions and details regarding transactions, changes in terms from
prior periods, and balances due to or from related entities. The accounting standards do
not require that transactions with related parties be accounted for differently than
transactions with non-related parties.

17.09 By definition, related party transactions are not arm's length, even though their
terms and conditions may appear to be so. Accordingly, the audit team should be aware
that such transactions might be motivated by the desire to create a particular
appearance, rather than to reflect economic substance. Transactions should be
accounted for in accordance with their substance rather than their form.

Related Party Transactions


17.10 Examples of related party transactions may include, but are not limited to:
• transactions between a parent company and its subsidiaries
• subsidiaries of a common parent
• affiliates
• an enterprise and its owners or management
• an enterprise and a special purpose entity
Certain specific types of related party transactions are discussed in more detail below.

Routine Transactions Between Known Affiliates


17.11 This category deals with the many normal and routine transactions between
affiliated entities (e.g., product purchases and sales, intercompany insurance
arrangements, management fees, corporate overhead allocations, participations,
arrangements to share income taxes among members of a consolidated group, etc.).
These activities usually are reflected in a company's internal reporting system in a
manner that provides information for audit consideration, and for elimination in
consolidation.

17.12 In auditing this type of related party transaction, the audit team’s work is made
easier because the relationships and purposes of the entities usually are readily
discernible from the corporate structure. Moreover, the audit team ordinarily sees all
sides of the transaction because the audit usually includes all the entities that may be
involved.

Variable Interest Entities

17.13 Entities may use various structures to accomplish certain business objectives,
such as financing, liquidity, leasing equipment or facilities, or carrying out research and
development activities. Often these structures are limited purpose or single-purpose
entities, whose legal form may vary. The activities of such entities are ordinarily
governed by their formation documents and other contracts or arrangements entered
into at their inception.

17.14 VIEs are enterprises that either do not have sufficient equity at risk to finance
their activities without additional subordinated financial support from other parties, or
have equity investors that do not have the characteristics of a controlling financial
interest.

17.15 [Tailor the last sentence in the following paragraph to reflect your firm’s policies]
Because of the significant accounting and auditing issues associated with such entities,
the audit team should be alert to the possibility of their existence or creation. When such
an arrangement is identified, the audit team should understand the ownership structure
and the significant terms of the transactions between the audit client and the VIE, as
well as management’s conclusions regarding consolidation, to determine
whether they comply with GAAP. Because of the potential complexity of such entities and
the contingent liability they may create for clients involved in such arrangements, the
audit team should consider consulting with the NPPD regarding the appropriateness of
the accounting and disclosures.

17.16 The audit team also may need to perform additional procedures to understand
the nature of the arrangements and to determine whether the arrangements involve any
related parties, especially if they are outside the entity’s normal course of business. The
following procedures could be considered:
• inquiring of the issuer of loans or investments held or the primary obligor of debt
guarantees issued whether a VIE may be involved
• inquiring about the nature and terms of such arrangements, including structured
financial arrangements
• reviewing documents and agreements related to significant transactions with such
entities
• inquiring about modifications to existing arrangements

17.17 If such arrangements and transactions are determined to be related party
transactions, the audit team should consider the guidance in this Chapter and obtain
evidence as to the appropriate accounting and disclosure.

17.18 If the audit team does not have access to the other entity’s books and records,
for example, because another firm audits it or because their client does not own the
requisite equity interest to demand access, the audit team should consider performing
additional procedures, focusing on the amount of outside equity investment. The audit
team needs to consider whether there is a scope limitation on the audit if it is not
possible to determine whether the entity followed GAAP by either examining the entity’s
records or through confirmations with other investors, the other auditors or other third
parties.

17.19 For entities involved in such arrangements, the audit team should tailor the
management representation letter to include representations on critical issues and
assumptions related to the VIE, including confirmation that the entity has provided us with all
relevant information and documents and that there are no side agreements that would
materially affect the accounting.

Unusual Transactions
17.20 Transactions that are unusual, either by their nature or in their impact on the
financial statements, should be given increased scrutiny. Disclosures of the nature and
effect of such transactions often are significant to an understanding of financial position
and operating results. Moreover, although the participants may be related parties, one
party often is outside the consolidated group, or the statements being presented may be
those of a separate entity. Thus, the identification and understanding of such
transactions may require an added measure of professional skepticism and judgment.

Risk Indicators
17.21 Principal shareholders or management can execute transactions that improperly
inflate earnings by masking their economic substance or distorting reported results
through lack of disclosure, or defraud the company by transferring funds to an
intermediate related party and ultimately to the perpetrators. The audit team should be
alert to indicators of potential related party issues that may require special attention
when performing the audit. Specific risk indicators that might indicate there is a potential
for undisclosed related party transactions include:
• significant potential for material fraud (based on the results of the risk assessment
procedures and discussions regarding fraud among the audit team)
• complex corporate structure (e.g., numerous or unusual legal entities, managerial
lines of authority, or contractual arrangements without apparent business purpose),
including restrictions on the disclosure of ownership or the identity of shareholders
• difficulty in determining the organization or individual(s) that control(s) an off-balance
sheet entity
• significant bank accounts or subsidiary or branch operations in tax-haven
jurisdictions for which there appears to be no clear business purpose
• entities not audited by the firm that conduct material intercompany transactions
• transactions either (1) lacking an apparent logical business purpose (e.g., services
or goods purchased from a party at little or no cost to the company), (2) having
abnormal terms (e.g., unusual prices, such as purchases of assets at prices in
excess of fair market value or payments for services at inflated prices; guarantees;
interest rates such as borrowing or lending on an interest-free basis or at a rate of
interest significantly above or below market rates; repayment schedules such as
making loans with no scheduled repayment terms), or (3) processed in an unusual
manner
• agreements under which one party pays expenses on behalf of another party
• unusual, complex, unique, or material transactions, particularly close to quarter or
year-end
• circular arrangements between related parties or utilization of related parties to
mitigate market risks
• significant transactions (either in volume or amount) with certain customers or
suppliers for no apparent business reason
• sales of marketable securities, by a principal owner of a company, at a significant
discount from quoted market prices to a large customer of the company
• unrecorded transactions, such as receipt or provision of management services at no
charge
• sales with a commitment to repurchase that, if known, would preclude recognition of
all or part of the revenue; sales without substance, including funding the other party
to the transaction so that the sales price is fully remitted; and sales at below market
rates to an unnecessary “middle man” related party, who in turn sells to the ultimate
customer at a higher price with the related party (and ultimately its principals)
retaining the difference
• selling real estate at a price that differs significantly from its appraised value or sale
of land with arranged financing
• loans to parties that do not possess the ability to repay, loans advanced apparently
for a valid business purpose and later written off as uncollectible, or advanced
company funds that are subsequently transferred to a debtor and used to repay what
would otherwise be an uncollectible loan or receivable
• exchanging property for similar property in a non-monetary transaction
• identification of an unidentified related party or inadequate disclosure (e.g., the
nature of the related party relationship is not adequately described; omission of the
terms and dollar amounts of related party transactions; failure to disclose related
party pledges of financial support that help mitigate doubt about going concern)

Auditing Related Parties


17.22 In accordance with professional standards, audit procedures are directed toward
determining that transactions and relationships are properly accounted for and
disclosed in terms that communicate their substance and effect.

17.23 Voyager includes procedures to identify and verify related parties and related
party and unusual transactions. These procedures and other firm materials, designed to
direct audit attention to possible related party transactions and affiliations, are discussed
below.

Risk Assessment Procedures


17.24 An audit cannot be expected to provide assurance that all related party
transactions will be discovered. However, the audit team should plan and perform the
audit with an awareness that material related party transactions and relationships might
exist that could affect the financial statements. In determining the scope of work to be
performed with respect to possible related party transactions, the audit team should:
• obtain an understanding of management responsibilities and the relationship of each
component to the total entity
• consider the adequacy of controls over management activities, including those over
authorizing and recording related party transactions
• consider the business purpose served by the various components of the entity,
including their relationship to one another and to the total entity
Normally, the business structure and operating style are based on management’s
abilities, tax and legal considerations, geographic location, and the entity’s products.
The audit team should be alert to a business or organizational structure that appears to
be designed to obscure related party transactions.

17.25 During risk assessment procedures, consideration should be given to whether
conditions are present which may be conducive to management, major stockholders, or
other related party involvement in transactions that are material to the financial
statements. For example, risk assessment procedures require a discussion with other
firm personnel who have performed non-audit services (such as consulting or tax) to
identify related parties.

17.26 The risk assessment process and documentation of the audit team’s
understanding of the entity and its internal controls help to focus on these
considerations.

17.27 Changes in a client’s business strategy or the existence of complex audit issues
may indicate higher audit risk and trigger quality control considerations, such as
assignment of personnel, competencies required by the partner, the need for
consultation, and quality control review requirements.

Identification of Related Parties and Related Party Transactions

17.28 Various procedures in Voyager are designed to help identify the existence of
previously unknown related party relationships and transactions. Certain of these
procedures are also performed to satisfy other audit objectives and, for this purpose,
require being alert to relationships and transactions that should be further considered or
investigated. Other procedures are specifically designed to identify related parties and
related party transactions.

17.29 In the absence of evidence to the contrary, “transactions with related parties
should not be assumed to be outside of the ordinary course of business.” Nevertheless,
the audit team should be aware of the possibility that transactions with related parties
may have been primarily motivated by the following or similar conditions:
• lack of sufficient working capital or credit to continue the business
• a continued favorable earnings record to support or enhance the value of the entity’s
stock
• an overly optimistic earnings forecast, including the ability to meet analysts’
expectations in order to support the value of the entity’s stock
• concentrations or dependence on a single or relatively few products, customers,
suppliers, or transactions
• declining industry characterized by a large number of business failures
• excess capacity
• significant litigation, especially litigation between management and shareholders
• significant obsolescence dangers because the company is in a high-technology
industry

Verification of Related Party Transactions

17.30 After the audit team has identified related party transactions, appropriate
verification procedures should be performed to obtain sufficient evidence to support our
understanding of their substance and business purpose and to support the presentation
and disclosure assertions. The audit team should test, beyond inquiry of management,
material related party transactions. Procedures to consider include examination of
pertinent documents; determining whether the appropriate officials approved the
transactions; and confirming or otherwise determining the transferability and value of
collateral.

17.31 Firm policy requires representations of management concerning related party
transactions. However, unsupported management representations do not constitute
sufficient audit evidence. Accordingly, representations as to the purpose, nature and
extent of related party transactions, and as to their effect on the financial statements,
are to be corroborated by appropriate auditing procedures. Representations about a
related party transaction should not imply that the related party transactions were
consummated on terms equivalent to those that prevail in arm’s-length transactions
unless such representations can be substantiated. Representations prefaced with a
phrase such as “Management believes that” or “It is the Company’s belief that” do not
change management’s responsibility to substantiate the representation.

Consideration of Fraud

17.32 The key to identifying potential related parties and related party transactions that
management does not disclose is simply being alert to that possibility. As mentioned
previously, related party transactions may be motivated by other than ordinary business
considerations, such as fraud. The audit team may conclude that related party
transactions are a potential source for material misstatement when considering fraud
risk factors related to an entity’s operating characteristics and financial stability. The
following factors may lead to such a conclusion:
• significant related party transactions not in the ordinary course of business or with
related parties that are unaudited or audited by another firm
• significant unusual or complex transactions, especially if near the end of the
reporting period, with difficult substance-over-form issues
• complex business practices that enable management to mask the economic
substance of a business transaction
• significant bank accounts or subsidiary or branch operations located in a tax-haven
jurisdiction for no apparent business reason
• overly complex organizational structure involving numerous or unusual legal entities,
managerial lines of authority, or contractual arrangements having no apparent
business purpose
• difficulty determining the organization or individuals that control an off-balance sheet
entity

17.33 If a decision is made to tailor audit procedures based on the audit team’s
consideration of fraud risk factors, the following are procedures that may be performed
to help identify potential related party transactions:
• review material cash disbursements, advances, and investments to consider
whether the entity disbursed funds to a related entity
• discuss with individuals outside the firm who have provided professional services to
the client, including predecessor auditors and lawyers, their knowledge
about the principal parties to material transactions
• review regulatory filings to determine the names of additional related parties and for
other businesses in which directors and officers occupy directorship or management
positions
• request searches by the firm’s Investigative Research Group for information about
the company, key members of management or other suspected related parties or
parties to material transactions

Related Parties the Firm Does Not Audit

17.34 Particular care should be taken when dealing with related parties the firm does
not audit because the audit team does not have the knowledge of the business or
operations of such related parties that they would have if they were the auditors.

Accepting Engagements

17.35 Careful consideration should be given to accepting any audit client where it is
known that the entity is related to another entity, which is either unaudited or audited
under questionable circumstances (e.g., significant scope limitations, questions as to
the professional reputation and independence of the other auditors, financial statements
that appear questionable upon their face, etc.). In the limited circumstances when the
firm is willing to accept such an engagement, the potential client must understand that
the audit team will perform various tests and procedures, such as those discussed in
the following paragraph.

Additional Procedures

17.36 When the firm does not audit a parent, subsidiary, affiliate, investee, investor,
joint venture or other related entity, the audit team should evaluate the scope of work. In
such situations, particularly where there are numerous or significant transactions
between the entities the firm is to audit and the related party, the true substance of the
transactions may not be determinable by the performance of normal auditing
procedures.

17.37 The many variations of this kind of situation make it difficult to develop specific
rules. Depending upon the circumstances, consideration should be given to tailoring the
audit program for additional procedures such as:
• scanning the financial statements and/or records
• speaking to their management, auditors, and others
• inspecting various invoices, contracts, or documents
• developing other tests and procedures as necessary in the circumstances

17.38 The objectives should be to:
• understand the business purpose of the transactions
• determine whether they are accounted for in accordance with their substance

Other Auditors

17.39 The work of component auditors is used frequently in situations involving group
audits. Similarly, the work of other auditors also may be utilized to gain an
understanding of, and to audit, transactions involving related entities not included in the
financial statements on which the group auditor will report.

Revenue Recognition
17.40 The audit team needs to exercise additional professional skepticism in situations
involving revenue recognition from large or unusual related party transactions. Such
situations include transactions materializing near the end of an accounting period,
involving circumstances where substantial portions of the purchase price remain unpaid,
or where the seller, in effect, still controls the asset it sold. Be alert to circular
indications, such as the seller's concurrent obligation to purchase goods or services, or
provide other benefits to the buyer.

Collectibility

17.41 Collectibility of related party receivables should be evaluated with care.
Remember that the audit team cannot accept representations of assured collectibility
("It's a big company," "He's an extremely wealthy man," etc.) without corroborating
evidence. Loans and advances to a related company or individual are sometimes
indicative of financial difficulties by these parties. Consider whether there are circular
implications, such as the related party's ability to repay being dependent upon the entity
the firm is auditing (e.g., continued cash receipts from, the sale of all or part of its
interest in). If collectibility is uncertain, related considerations, such as continued accrual
of interest, should be addressed. In addition, the forgiveness of debt by a related party
generally should be considered a capital transaction, not income or expense for
financial statement or tax purposes.

Disclosure Emphasis

17.42 Professional standards focus on disclosure, since disclosure is frequently a key
determinant of whether a user of the financial statements is sufficiently alerted to the
presence of such transactions and relationships and their possible effects on the
financial statements. Accordingly, particular care and attention should be directed to the
transparency and adequacy of the disclosure of related party transactions and
relationships. Such disclosure should be as complete as possible and written clearly
and carefully.

Procedures in Response to Identified Risks


17.43 The audit team may conclude that additional procedures should be performed to
address identified risks when:
 management's explanations or the audit team’s understanding of the transactions
are unclear
 management personnel provide inconsistent explanations for the same transaction
 management's explanations are inconsistent with the audit team’s understanding or
with explanations received from others
 the audit team believes that the financial statements may be materially misstated or
identifies a significant unusual transaction

17.44 In such circumstances, the audit team may encounter transactions where the
other party may be a concealed related entity. Therefore, the audit team should gain
some understanding of the other party to the transaction, beyond merely knowing the
name, for significant transactions where the circumstances appear unusual, such as:
 a substantial loan from an unknown lender
 the sale of properties or subsidiaries to unfamiliar entities
 unusually complex agreements or transactions, which may be tied to other
agreements or transactions

17.45 Accordingly, the audit team may consider it necessary to tailor the audit program
(for example, determine the circumstances which precluded our being informed,
conduct special inquiries, obtain credit reports) to discover the names of principal
officers and shareholders, to determine whether or not there is a relationship between
the entity being audited and the other transacting party. Specific procedures may
include:
 confirming transaction amounts and terms, including guarantees
 inspecting evidence held by other parties to the transactions
 discussing significant information with intermediaries, such as banks, guarantors,
agents, or attorneys
 if there is concern that a material customer, supplier, or other business partner may
lack substance, seeking information sources such as financial publications, trade
journals, and credit agencies
 obtaining information about the financial capability of other parties to the transaction
if there are material uncollected balances, guarantees, and other obligations

Concluding Procedures

17.46 The audit team should not consider the audit complete until they have examined
sufficient audit evidence to understand the business purpose and economic effects of
material and unusual related party transactions and are satisfied with the disclosures,
including their support.

17.47 If necessary to our understanding, persons having specialized knowledge in the
relevant field of expertise should be consulted. Our workpapers should evidence that
this objective is met and should contain appropriate commentaries documenting that
understanding and the pertinent factors considered.

17.48 [Tailor the following paragraph for the consultation practice and policy in your
firm] The audit team should document the existence of related parties or related party
transactions, findings or issues that they believe are significant, actions taken to
address those issues (including any additional evidence obtained and consultations with
the NPPD and others), and the basis for final conclusions reached.

Determination of Equivalency
17.49 Professional standards do not instruct the audit team to determine whether
related party transactions were on an "arm's-length" basis, because the relationship
indicates that the parties do not act with complete independence. However, for some
transactions (sales or purchases of publicly traded securities, items appearing in printed
catalogs, etc.), the audit team may be able to determine the difference, if any, between
normal market terms and those contracted between the related parties. In these
circumstances, such determination is generally necessary to an understanding of the
transaction and its effect on the financial statements.

17.50 However, for many transactions, determining whether they would have occurred
between independent parties (and on what terms), involves conjecture which is not
susceptible to audit evaluation. In these instances, the firm’s responsibility is to ensure
clear disclosure of the transactions and their impact on the financial statements.

17.51 Because it is ordinarily difficult to obtain sufficient audit evidence concerning
equivalency representations, the notes to the financial statements ordinarily should
avoid such representations. However, if the client insists that the notes represent that
the transactions were consummated at terms that would have existed between
unrelated parties, the audit team should satisfy themselves that the representation is
appropriate.

Auditing Intercompany Transactions

Group Audits

17.52 In performing group audits, the group auditor provides information for the
component auditors to help them identify related parties and to understand the purpose
and scope of the activities they are to audit. Accordingly, instructions to component
auditors should include a listing of subsidiaries, affiliates, and other known related
parties with whom the entity may transact business.

17.53 These instructions, or other communications, should also encompass:
 a description of the types of related party transactions expected to be encountered in
the unit under audit and the basis of pricing or other terms
 a description of the business purpose of the subsidiary, affiliate, division, or branch
to be audited
 suggested audit procedures for testing intercompany transactions (including, where
practicable, testing the basis for pricing, such as cost, cost plus a fixed percentage
or approximate market price to an independent third party) and balances

17.54 Such communications will help provide appropriate coordination, while permitting
the audit to proceed on an "exception basis." That is, audit procedures will contemplate
coverage of routine transactions with identified related parties, whereas transactions
dealing with unusual matters, or with related parties not so identified, are subjected to
additional audit procedures.

17.55 Naturally, the extent of such communications should take into consideration past
communications, the company's internal reporting system and data such as manuals,
procedures, and other available information within the company. In many cases, items
such as the nature of transactions and the basis of pricing will be evident and duplicate
supplemental information will not be necessary.

Scope of Testing
17.56 The scope of testing intercompany transactions and balances is a matter of
professional judgment, involving considerations such as the magnitude and nature of
the transactions and balances, and our specific reporting responsibilities. For example,
when separate subsidiary or affiliate financial statements reflecting such transactions
and balances are to be reported on independently, more extensive procedures are
required. However, the extent of testing will be greatly reduced for transactions that are
eliminated in consolidation, when only consolidated statements are presented.

17.57 Audit work should be coordinated with component auditors, such as arranging for
the performance of cut-off tests as of concurrent dates. In the rare instances when such
tests are performed at different dates, a review of intercompany transactions during the
intervening periods may be necessary. Similar procedures should be applied when an
affiliated company is being included or accounted for in the consolidated financial
statements as of a date different from the year end of the reporting entity.

Reporting Considerations
17.58 The following paragraphs discuss special reporting considerations that may
arise.

17.59 Separate Reporting - Dependent Entities - There should be a valid business
purpose for reporting on the separate financial statements of an entity whose financial
capability is dependent upon, or whose operations are closely related to or intertwined
with, another entity (e.g., a holding company dependent on its only operating subsidiary
to satisfy debt incurred by the holding company's purchase of the subsidiary's stock).
Even if the audit team is satisfied that separate reporting is appropriate in the
circumstances, the audit team should proceed with caution and should require
appropriate disclosure of the relationship. In the preceding holding company example,
the debt structure of the parent should be disclosed in the separate financial statements
of the subsidiary, and additional considerations may apply.

17.60 Client Equivalency Representations - In situations where the audit team is unable
to substantiate client equivalency representations, the report should describe this scope
limitation and the opinion should be appropriately modified (qualified or disclaimed). If
the audit team concludes that the representation is misleading or inaccurate, the audit
team should insist that it be corrected. If the client refuses to do so, the audit team
would issue a qualified or adverse opinion due to a departure from GAAP, depending on
materiality and pervasiveness.

17.61 [Tailor the following paragraph to reflect your consultation policies and practices]
Report Modification and/or Explanatory Paragraph - The NPPD should be consulted in
any instance where consideration is being given to modifying our standard report
because of matters involving related party transactions or relationships, including the
rare situations where it is intended to include an explanatory paragraph.

Chapter Eighteen - Important Auditing Topics

Summary

This Chapter discusses a variety of important auditing topics that are not covered in
other Chapters of this manual. The discussion here is not exhaustive because these
topics are covered thoroughly in professional standards and the Horizon audit
programs. The discussion is limited to firm policy considerations and aspects of topics
that the firm considers especially important. Accordingly, this Chapter is not a substitute
for the professional standards and firm personnel are responsible for understanding the
requirements therein.

Introduction
18.01 This Chapter is organized by topic as follows:
 professional skepticism
 performing audit procedures before period end
 inventory observation and summarization
 cycle inventory counting
 initial audits
 work of internal auditors
 client prepared documents containing the firm’s audit report
 auditing fair values
 using the work of an expert
 loan waiver letters
 repurchase and reverse repurchase transactions
 subsequent discovery of facts
 consideration of omitted audit procedures after the report date
 researching an accounting or auditing issue
 association with financial information
 termination letters
 other risk management considerations
 dealing with legal matters
 serving clients in bankruptcy
 risks relating to revenue
 total transaction testing engagement type

Professional Skepticism
18.02 When planning and performing a financial statement audit, sufficient appropriate
evidence is obtained about whether the financial statements are free from
material misstatement. Although most misstatements occur due to unintentional
mistakes (errors), they also result from employee embezzlement or deliberate
management manipulation (fraud), or from the commission of an illegal act.

18.03 Accordingly, an audit should be conducted with professional skepticism.
Professional skepticism is an attitude that includes a questioning mind and a
critical assessment of audit evidence. Although audit team members should not
assume that client management and personnel are dishonest, neither should
they unquestioningly assume honesty. Rather, each audit team member must
critically assess, with a questioning mind, the validity of evidence obtained and
be alert to evidence that contradicts or brings into question the reliability of
documents or representations by management.

Areas Where Misstatements are More Likely


18.04 Groups from within the auditing profession periodically review past audit failures
to identify recurring areas where auditors did not identify misstatements, whether
caused by error or fraud. There are a variety of reasons that these areas prove
difficult to audit, but the leading cause cited is a lack of appropriate professional
skepticism. One such group stated in its report:
“Engagement teams must understand not only the accounting and auditing
issues, but also the risks and nature of the business and the economic reality of
its transactions…A key ingredient...is an engagement team that is broadly trained
and of sufficient experience to relate seemingly unrelated items. The overall
reality check appears to be a missing test in some of the recent audit failures.
One cannot develop guidelines for a "smell test."”

18.05 Another group published a research report on fraud in which they noted that in
most instances:
 financial statement frauds generally involved more than one fiscal
period
 most of the frauds involved the misstatement of financial statements
(rather than misappropriation of assets)
 methods typically used to perpetrate the fraud generally involved the
overstatement of assets, improper revenue recognition, and/or
understatement of expenses/liabilities

18.06 The following audit problems were specifically identified:
 failure to gather sufficient audit evidence
 failure to exercise due professional care
 lack of sufficient professional skepticism
 failure to properly interpret or apply GAAP
 failure to properly design audit programs and plan the engagement
 overreliance on inquiry as a form of evidence
 failure to obtain adequate evidence related to the evaluation of
significant management estimates
 failure to confirm accounts receivable
 failure to recognize and disclose key related parties
 lack of independence
 failure to properly supervise and review the engagement

18.07 The resulting implications and conclusions of the study include the following:
 auditors should pay particular attention to the audit risks associated
with smaller entities
 auditors should carefully assess management integrity
 auditors should carefully assess oversight of those charged with
governance
 lack of sufficient understanding of accounting and financial reporting
matters
 infrequent meetings
 high instances of changes in auditors and development stage
companies may be “red flags”
 auditors should be especially alert to the unique risks posed at the
beginning of a client relationship
 be especially vigilant in planning and performing the first few audits
 conduct rigorous communications with predecessor auditors about
management integrity issues and control environment issues
 consider the risk associated with former partners and employees of the
accounting firm being employed by the client

18.08 Many of the most common areas of material financial statement misstatement
and the related warning indicators are overlooked. Audit team members are
expected to have a thorough understanding of the matters discussed below and
to give consideration to them when carrying out their assigned responsibilities.

18.09 The following warning indicators are not intended as a complete list. They do,
however, include many of the most common situations that could give rise to
material misstatements.

[Tailor the following examples to reflect your firm’s consultation policies and
procedures]
Warning Indicator: The use of very aggressive accounting principles or practices in
audit areas such as revenue recognition, capitalization and deferral of costs, long-lived
asset impairment, restructuring and other reserves, depreciation and amortization, etc.

Exercising Skepticism: The use of such principles may be indicative of a management
overly concerned with the portrayal (rather than the reality) of favorable financial results.
Audit teams should ensure that any such principle (or practice) is acceptable under
GAAP and that they have appropriately documented the entity's rationale for its use and
the basis for their conclusion. In addition, audit teams should be aware that
management's aggressiveness may also affect other audit areas, such as those
involving the use of estimates. Particular skepticism is called for if aggressive principles
or practices are being applied in more than one area.

The audit team should view these matters from a businessperson's perspective, and not
behave like a "green eyeshade" accountant. For the financial statements to "present
fairly," they should make overall business sense and not merely fit within a mechanistic
definition of acceptable accounting principles.

Also, and this applies equally to any of the following indicators, if the audit team
concludes it is likely that management is not acting in good faith, the NPPD should be
consulted immediately. GAAS was not designed to uncover the machinations of a
dishonest management; therefore, the firm will usually resign.

Inappropriate Revenue Recognition

Warning Indicator: Large or unusual transactions occurring shortly before the end of an
important period; e.g. the balance sheet date, quarterly reporting periods, etc.

Exercising Skepticism: All such transactions should be examined and the audit team
should be satisfied that they are properly accounted for, being alert to conditions such
as those discussed in the following indicator. A pattern of such transactions may have
the same negative management implications as the previous indicator.

Warning Indicator: Shipping products before a sale is completed, or indications that
customers are not obligated to pay for shipments. Bill and hold transactions or other
indications that sales are recognized in advance of shipment.

Exercising Skepticism: Such transactions may come to the audit team’s attention as a
result of cut-off procedures, accounts receivable confirmations, or inventory observation.
They should satisfy themselves as to the appropriate accounting treatment after
scrutinizing the underlying documentation, contacting the customers directly, if
necessary. The audit team should inquire about any additional transactions of this
nature and consider procedures to extend their search for such transactions. If the audit
team becomes aware of bill and hold transactions, they should compare the terms of the
transactions to the requirements specified by GAAP.

Warning Indicator: Percentage of completion accounting where there are uncertainties
about the bona fides (or binding nature) of the underlying contract, or questions about
the reliability of the pertinent cost records.

Exercising Skepticism: Depending on the nature of the questions, the audit team should
consider the propriety of the income recognized or of the use of this accounting method
(and document such considerations). (In some instances, the audit team should
consider obtaining a legal opinion.) If it is determined that the method is acceptable,
consideration should be given to the income recognized for the particular contract(s) in
question, ensuring that the judgments are reasonable and supported by appropriate
audit evidence.

Warning Indicator: Unrecorded sales returns and allowances or provisions that appear
low in relation to past experience or our knowledge of the business.

Exercising Skepticism: This may come to the audit team’s attention in conjunction with
accounts receivable confirmations, cut-off testing, or other procedures. The audit team
should obtain an explanation and consider expansion of confirmation procedures
(possibly contacting customers by phone) and out of (or subsequent) period tests to
search for additional transactions.

Adequacy of Allowance for Uncollectible Receivables

Warning Indicator: Current provisions or allowances that seem low in relation to past
experience or current business conditions.

Exercising Skepticism: Management should be asked to explain this, in writing, and to
provide supporting audit evidence. The audit team should also examine this evidence
and apply procedures such as intensive analytical comparisons, and review of
subsequent period payments.

Warning Indicator: Large past due receivable balances, or large receivables from
related parties or sources unfamiliar to the audit team.

Exercising Skepticism: The audit team should ensure that workpapers document their
understanding of the debtor and the reasons for non-payment. In addition, they should
obtain appropriate evidential matter with respect to the collectability of such receivables.

Warning Indicator: Receivables whose collectability is dependent upon funds or
continued patronage to be provided by the entity (circular transactions).

Exercising Skepticism: All such transactions should be scrutinized. Consideration
should be given to whether classification as a receivable is appropriate (and as to the
propriety of recognizing any profits based on such transactions).

Inventory Overstatement

Warning Indicator: Unusually large quantities of high cost items in the summarized
inventory.

Exercising Skepticism: The audit team should trace such items back to applicable test
counts or notations of such counts, if available. (If not covered by the inventory test
counts, the audit team should consider the reason.) If the quantities are derived from
other sources, the audit team should scrutinize the underlying documents, and obtain
explanations as to the business reasons for such quantities. In some situations, the
audit team might wish to test such quantities by considering sales (in addition to
examining purchasing or manufacturing records in conjunction with pricing tests), or by
current observation coupled with examination of subsequent period sales.

Warning Indicator: Unclear or ineffective cut-off procedures or indications of possible
inclusion in inventory of merchandise sold or for which purchases are not recorded.

Exercising Skepticism: The audit team should perform procedures such as expanding
cut-off tests and review of subsequent period entries or obtaining confirmation from
major suppliers.

Warning Indicator: Little or no write-downs or provisions for obsolescence, where there
have been changes in product lines or technology or rapid declines in sales or markets.

Exercising Skepticism: Products the audit team believes are impacted by such changes
should be compared to recent and subsequent period sales activity, explanations should
be obtained from management, and available documentation (correspondence, sales
returns, etc.) should be examined.

Warning Indicator: Questionable procedures for determining or aggregating inventory
costs or indications that erroneous or unsupportable costs were applied.

Exercising Skepticism: Additional pricing tests should be performed, management
should be asked to justify any questionable determinations that could have a significant
effect, etc.

Understated Costs and Expenses

Warning Indicator: Failure to record or accrue significant invoices.

Exercising Skepticism: The audit team would usually perform procedures such as
extending out of (or subsequent) period tests, obtaining accounts payable confirmations,
etc.

Warning Indicator: Improper or insufficiently supported capitalization of costs or deferral
of administrative or advertising costs.

Exercising Skepticism: Client policies concerning such capitalization and deferrals
should be documented and client records supporting such amounts should be audited.
(Allocations of labor and other costs between amounts to be capitalized and amounts to
be expensed should be supported by contemporaneous records.) The audit team
should examine the client's support for these positions with an understanding that the
burden of proof rests with the client.

Warning Indicator: Unusually slow depreciation of fixed assets or lengthy amortization
periods. (For example, a computer leasing company using a 15-year life for operating
leases.)

Exercising Skepticism: The audit team should obtain explanations for such policies,
preferably in writing, and satisfy themselves that they are reasonable in the
circumstances.

Related Party Transactions or Balances

Warning Indicator: Significant transactions or amounts which appear unusual or whose
purpose is unclear, or that involve related entities we do not audit.

Exercising Skepticism: All such transactions and balances should be scrutinized. In
some instances, the audit team may wish to perform procedures with respect to the
related party's records. Collectability of any such receivables is to be supported by
appropriate audit evidence. See additional considerations on related party transactions
in Chapter 17.

Allowance for Loan Losses

Warning Indicator: Inadequate documentation or methodology for determining the
adequacy of the allowance for loan and lease losses in accordance with GAAP.

Exercising Skepticism: The ALL for financial institutions represents a significant
estimate and must be prepared in accordance with regulatory guidance and GAAP. The
responsibility for assuring compliance with the guidance rests with management, the
audit committee, and the board of directors. The responsibility of independent auditors
is to review the written support maintained by management and to test and conclude on
the reasonableness of management’s judgments and assumptions utilized in the ALL
process.

18.10 As part of the risk assessment process and throughout the audit, partners,
managers, and in-charge accountants should direct appropriate attention to the
foregoing matters themselves, and ensure that less experienced staff working in
the pertinent areas are familiar with them. Many (indeed, perhaps most) errors
and fraud can only be detected by examining the underlying detailed records
(invoices, correspondence, shipping documents, etc.) - work that is often
performed by staff accountants. Therefore, it is essential that all team members
understand the importance of the work they are assigned and the potential
significance of the matters discussed in this section.

Performing Audit Procedures Before Period End

General Considerations

18.11 This section provides guidance concerning the performance of significant
substantive procedures at interim dates, including the updating procedures
generally required in such circumstances.

18.12 Reasons to perform audit procedures before period end might include:
 management’s desire to release financial statements or net earnings
soon after period end
 discovering problems as early as possible to allow maximum time for
consideration
 obtaining more effective utilization of audit staff by distributing
workload more evenly during the year

18.13 The extent to which the timing of substantive procedures may be accelerated is
determined primarily by the adequacy of the audit response to effectively identify
and address any material misstatements in the financial statements. Horizon
focuses on risk identification and the development of an appropriate audit
response. Audit response is a matter of the audit team’s professional judgment.
For risks that have a higher likelihood of material misstatement, the audit team
would ordinarily respond by performing the work at or near year end. However,
performing procedures at an interim date for risks that have a high likelihood of
material misstatement is not precluded, but in these circumstances the audit
team must perform sufficient audit procedures at year end to be satisfied that a
material misstatement does not exist.

18.14 Factors to consider in determining whether to perform audit procedures before
period end include:
 audit risk that the area may cause a material misstatement in the
financial statements
 significance of the amounts
 strength of internal controls
 comparability of accounts at the date tested with expectations at the
balance sheet date
 nature of the specific procedures and their interrelationship with other
substantive procedures
 relative cost-effectiveness of alternative procedures

18.15 When determining whether or not to perform procedures before period end, the
audit team should also consider the extent of rollforward procedures required and
their impact upon total audit time. Audit teams should note the following:
 updating substantive procedures through period end, by testing a
client-prepared rollforward of the account balance from the interim date
to period end, is ordinarily required, and additional substantive
procedures at period end may also be necessary, depending on the
applicable audit strategy
 for non-integrated audits, sample sizes for tests of controls are larger
when substantive audit procedures are accelerated

Conducive Characteristics and Accounts

18.16 Characteristics that lend themselves most readily to accelerating the timing of
substantive audit procedures include:
 stable or predictable periodic balances
 low levels of activity
 effective internal control
 effective internal reporting system

18.17 Areas such as the following, which are comparable at different dates and whose
composition tends to be predictable, are particularly suitable for accelerating the
timing of substantive audit procedures:
 additions to, and retirements and depreciation of, property, plant and
equipment
 additions to and reductions of long-term debt
 activity in investment accounts
 deferred charges
 changes in equity capital, including stock options

18.18 Procedures directed towards the income statement can almost always be
initiated at interim dates. These procedures, which generally should span the
entire period under audit, are carried out up to an interim date and subsequently
extended through the balance sheet date.

18.19 In accelerating procedures, consideration should be given to testing related
areas as of the same date to reduce risk and provide for greater audit efficiency.
Examples to consider:
 in multi-office or multi-location engagements, the coordination of
procedures applied to the examination of related party transactions
and balances
 relationships among accounts associated with reasonably possible
risks
 maintaining temporary audit control over readily negotiable assets and
simultaneously testing such assets and cash on hand and in financial
institutions, loans, and other related items

18.20 Foreign or domestic affiliates frequently are audited as of a date before period
end. The period-end amounts are then subjected to a review of significant ending
balances and interim transactions. The earlier auditing of the operations of multi-
location clients is encouraged.

Effect on Audit Risk - Acceleration of Inventory Testing


18.21 Decisions about the date of observing a client's inventory taking are dependent
on the nature of the inventory, anticipated inventory activity, and the adequacy
and reliability of related controls and records. The same decision making
process, as with any other cycle, should be followed when determining the
nature, timing, and extent of audit procedures for the inventory cycle. Audit teams
do not need to follow a customary approach where, for example, substantive
procedures are performed at period end. Rather, teams should develop the most
efficient and effective response to the assessed risks.

18.22 For example, audit teams could observe inventory at an interim date (instead of
period end) using a strategy that does not test controls. Another option is to
recognize that professional standards require audit teams to understand the
internal controls and determine whether they are implemented. Using inquiry and
observation to test controls over the physical count is a small incremental step
that will improve effectiveness and efficiency.

18.23 Inadequate data or other circumstances may prevent rollforward procedures from
being sufficiently accurate to provide audit evidence that a material misstatement
does not exist in period-end inventory balances. In this situation, the inventory
should be observed at or near the balance sheet date. This situation does not
necessarily require that the client perform a full physical count at period end. The
audit team can perform test counts at or near period end whether the client
performs a full physical count or not.

18.24 For example, if inventories are observed at an interim date where perpetual
records are not maintained, the client should either take an additional physical inventory at
period end or construct period-end inventory quantities. The latter is usually
feasible only in a non-complex, single location inventory or when there is very
little inventory activity between the interim date and the balance sheet date.

18.25 Regardless of the strategy employed, the audit team performs procedures to test
the rollforward of the balances tested at interim to period end. When testing the
rollforward, the audit team normally obtains a listing of the quantities on hand at
the interim audit date and at period end. The audit team tests the listings by
agreeing the monthly sales, purchases and other adjustments to the underlying
books and records.

18.26 For the rollforward test to be effective, the manner in which the client relieves
inventory for sales must be understood and evaluated. In addition, gross margin
estimates applied to sales during the rollforward period ordinarily are not
sufficiently accurate to prevent a material misstatement in the period-end
balance. Therefore, the client needs to establish a means of accounting for the
cost of each inventory item that can be used in valuing the period-end inventory
balances.

18.27 When the client’s accounting system can only provide the rollforward information
in monetary amounts instead of quantities, the audit team should determine
whether the rollforward in monetary amounts is reliable and supported by the
books and records. The audit team tests the quantities relating to the
monetary amounts by performing rollforward procedures on a selection of
quantities (e.g., the items observed at the physical count).

18.28 Normally, using sampling to select items to test is not an effective or efficient
approach. Instead, the audit team identifies items to test by considering risk
characteristics such as:
 high value
 quantities that increased significantly since interim
 not on hand at interim
 not on hand at period end

18.29 For the high value items selected, the audit team should ask the client to provide
relevant purchase invoices and sales documents. For the unusual items
selected, the audit team should inquire of appropriate client personnel about the
unusual changes and corroborate their replies.
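
The following added illustration (not part of the firm's methodology or tools) shows the rollforward test in 18.25 and the risk-based selection in 18.28 applied to listings of quantities at interim and at period end. The item codes, quantities, unit costs, the high-value threshold and the 50% "increased significantly" threshold are all constructed assumptions.

```python
# Constructed sample listings (assumed data): item -> (quantity on hand, unit cost)
INTERIM = {
    "A100": (500, 40.0),
    "B200": (1200, 2.5),
    "C300": (60, 15.0),
    "D400": (300, 8.0),
}
PERIOD_END = {
    "A100": (520, 40.0),
    "B200": (3100, 2.5),
    "D400": (310, 8.0),
    "E500": (75, 120.0),
}
# Constructed movements per the books between interim and period end:
# (item, type, signed quantity). Sales relieve inventory, so they are negative.
MOVEMENTS = [
    ("A100", "purchase", 200), ("A100", "sale", -180),
    ("B200", "purchase", 2500), ("B200", "sale", -600),
    ("C300", "sale", -60),
    ("D400", "purchase", 50), ("D400", "sale", -30),
    ("E500", "purchase", 75),
]


def rollforward(interim, period_end, movements):
    """Roll interim quantities forward and compare to the period-end listing.

    An item missing from a listing is treated as zero quantity on hand.
    A non-zero difference means the recorded purchases, sales and adjustments
    do not explain the change in quantity and needs follow-up.
    """
    net = {}
    for item, _kind, qty in movements:
        net[item] = net.get(item, 0) + qty
    results = {}
    for item in sorted(set(interim) | set(period_end) | set(net)):
        opening = interim.get(item, (0, 0.0))[0]
        closing = period_end.get(item, (0, 0.0))[0]
        expected = opening + net.get(item, 0)
        results[item] = {
            "opening": opening,
            "expected": expected,
            "closing": closing,
            "difference": closing - expected,
        }
    return results


def select_items(interim, period_end, high_value=10_000.0, increase_pct=0.5):
    """Select items by the risk characteristics listed in 18.28.

    high_value and increase_pct are assumed thresholds; in practice they are
    set by the audit team's judgment.
    """
    selected = {}
    for item in sorted(set(interim) | set(period_end)):
        q0 = interim.get(item, (0, 0.0))[0]
        q1, cost = period_end.get(item, (0, 0.0))
        reasons = []
        if q1 * cost >= high_value:
            reasons.append("high value")
        if q0 > 0 and q1 > 0 and (q1 - q0) / q0 >= increase_pct:
            reasons.append("quantity increased significantly")
        if q0 == 0 and q1 > 0:
            reasons.append("not on hand at interim")
        if q0 > 0 and q1 == 0:
            reasons.append("not on hand at period end")
        if reasons:
            selected[item] = reasons
    return selected


if __name__ == "__main__":
    for item, row in rollforward(INTERIM, PERIOD_END, MOVEMENTS).items():
        status = "agrees" if row["difference"] == 0 else "UNRECONCILED"
        print(item, row, status)
    for item, reasons in select_items(INTERIM, PERIOD_END).items():
        print(item, "selected:", ", ".join(reasons))
```

In this constructed data, item D400 does not roll forward (the period-end listing is 10 units below the quantity the recorded movements support), which is the kind of difference the audit team would trace to the underlying books and records.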

18.30 Since the cutoff for the receipt and shipment of inventory affects both payables
and receivables, it is ordinarily appropriate to carry out the audit work related to
such accounts as of the same date as the inventory observation.

Inventory Observation and Summarization


18.31 This section provides guidance concerning procedures applicable to the
observation and summarization of inventories.

General Considerations
18.32 When performing an inventory observation, the following considerations apply:
 the planned extent of testing is a minimum (the audit team should react
to the circumstances and, if necessary, extend testing until they are
satisfied with the overall accuracy of the client's counts)
 the objective of observing the inventory is to achieve audit satisfaction
as to the accuracy of the client's inventory count (the client will have to
recount items and, where warranted, entire sections of inventory when
the audit team identifies mistakes in the count)
 the audit team should bear in mind the importance of testing counts
made by each of the client's counting teams, if there is more than one
such team in the location being observed

Voyager and the Inventory Observation Process


18.33 The objective of attending the client’s physical inventory count is to obtain
evidence that physical quantities of inventory are accurate. The primary audit
procedure performed is test counting, but other procedures also provide
evidence such as observing the operation of the internal controls established by
the client to achieve accurate counts.

18.34 The number of items to test count is always a matter of professional judgment,
but Voyager provides two strategies to employ:
 a lower risk strategy when the client establishes effective controls that
are tested by the audit team
 a higher risk strategy when the client’s controls are not effective or the
audit team does not test their effectiveness
Regardless of the strategy used, the audit team should always consider observing the
client’s physical inventory.

Lower-Risk Strategy for Selecting Items to Count

18.35 Virtually all of the firm’s clients establish effective internal controls over the
inventory – existence assertion. As a result, the audit team can very likely test
these controls to achieve an optimal audit strategy. This strategy involves not
only fewer items to test count, but allows the audit team to select the items using
high value and judgmental methods, rather than sampling. Testing fewer items
has a compound effect on efficiency - less time spent test counting and less time
following up on these items in the final inventory compilation.

18.36 The effort required to achieve the lower risk strategy is often not incremental
because audit teams already obtain an understanding of the controls established
by their clients over physical inventory counts and likely observe the operation of
the controls while they observe the counting process. More likely, the lower risk
strategy simply takes credit for work and information the audit team typically
performs and gathers, but otherwise may not recognize or document.

18.37 Testing controls requires the audit team to first conclude that the related controls
are designed effectively to prevent a material misstatement from occurring. When
controls are designed effectively, audit teams then identify the key controls that
they will test to determine operating effectiveness.

18.38 Some common client controls for testing consideration are:
 policies and procedures of the inventory count
 count verification procedures
 procedures to identify items counted (ensure completeness) and
eliminate the risk of duplicated counts
 variance investigation procedures

18.39 Inquiry and observation is the method used to test the controls over achieving an
accurate inventory count. These controls operate at the time of the physical
count. Therefore, to test controls, the audit team needs to be present during the
counting process. It is not possible to observe the operation of these controls
after the count process is complete.

18.40 The audit team must understand the client’s controls and determine whether they
are designed effectively. The audit team should arrive while the count is in
process to observe the count procedures, including controls over (a) accuracy of
the quantity counted (b) determining that items are only counted once, and (c)
determining that all items are counted (e.g., tag controls). In most cases, the
observation of these controls requires the audit team to stay to the end of the
count.

18.41 In addition to testing the selected controls using inquiry and observation, the
audit team should select all individually significant items and a judgmental
selection of at least 25 additional items with values beneath individually
significant. These items should be test counted and later agreed to the client’s
final inventory summary. This approach essentially divides the inventory into two
strata (items above and below the individually significant value) and ensures that
items from both strata are tested.

18.42 Additionally, the audit team should assess the effectiveness of the tested controls
subsequent to the inventory observation, especially the client's count control
documentation, to establish that there were no significant modifications to the
observation results subsequent to the actual event.

Higher-Risk Strategy for Selecting Items to Count

18.43 When the audit team does not test the operating effectiveness of controls, they
must use sampling to select items for testing.

18.44 Audit teams should use the sampling component in Voyager to determine the
number of items to test count. Sampling is further discussed in Chapter 14.

Testing the Summarized Inventory Quantities


18.45 Under either approach, the client’s final summarization of quantities should be
tested by agreeing the items test counted into the summary. While these tests
may seem like a separate series of procedures, they may also be viewed as the
closure of the inventory observation, since it is the process that provides
assurance that the inventory units counted are those included in the final
inventory. The approach for testing the summarization of the inventory quantities
is generally determined by the client's procedures, which usually involve either
tag controls or count sheets.
 When tags are used, the client usually (sometime after the inventory
count) prepares a listing of the inventory tag numbers and quantities
that the audit team compares to the list of used and unused tag
numbers obtained at the conclusion of the inventory observation.
Sometimes the audit team’s observation test counts or count notations
(or a sample thereof) are also traced to this schedule, which is then
(via IDEA) used to audit the inventory summarization.
 When the client uses inventory count sheets and does not have tag
controls, it is usually helpful to make copies of the count sheets to later
help verify the quantities included in the inventory summarization.
Copies of client count sheets that the audit team did not obtain during
their inventory observation should not be relied upon in auditing the
inventory summary unless they have audited them by determining their
completeness, tracing in their test counts or notations.

18.46 Regardless of the client's method, the following considerations pertain to testing
the summarized inventory quantities:
 Counts tested during the observation should be traced to the
summarized inventories.
 If copies of inventory tags, count sheets, or comparable electronic
data, were retained by the audit team at the end of the inventory
observation, it is often most efficient to test the summarized inventory
and trace the quantities back to such retained records. This procedure
usually provides the best evidence that inventory quantities are not
overstated. Completeness of the summarization is usually audited by
tracing several items in the opposite direction, by analytical
procedures, or by some combination thereof.
 If such data was not retained, the audit team would usually trace the
counts or notations made at the time of the observation to summarized
inventory quantities. This procedure provides strong evidence that the
summarized quantities are not understated. To provide additional
evidence with respect to overstatement, the audit team should perform
appropriate analytical procedures and should scan the summarized
inventory (or use IDEA to select specified items) and investigate
significant items not covered by counts or notations.
 In performing any of the substantive sampling procedures referred to in
this paragraph, all errors detected are to be projected.

18.47 Often, the audit team attempts to combine testing of the summarized quantities
and of the inventory pricing in a single sampling procedure. However, when a
statistical sample is not used for testing quantities, but could be used for pricing,
it will often be more efficient to utilize separate samples for such purposes.

18.48 In summary, the optimal procedures for a given audit will depend on the nature of
the client's inventory, the client's counting and summarization procedures and the
pertinent inherent and control risk considerations.

Cycle Inventory Counting


18.49 Because of technology (such as the use of enterprise database applications), an
increasing number of clients are maintaining their inventory quantities
perpetually. To ensure accuracy of these perpetual systems, clients establish
controls and often these include cycle count programs that are conducted
throughout the year.

18.50 To be effective, a cycle inventory count program should include the following
elements:
 counts should be conducted at specified points in time (e.g., daily,
every Tuesday, the first day of each month)
 the entire inventory should be covered over the specified period (e.g.,
the fiscal year, each quarter)
 high monetary items should be counted more frequently than lower
monetary items
 inventory coverage should be in proportion to the frequency of the
counts (e.g., daily counts might cover only a small portion of the
inventory each day, while monthly count plans would have to include a
larger portion of the inventory)
 documentation should be maintained specifying when the count was
conducted including items counted, results obtained, and remediation
efforts

18.51 The audit team is not concerned about whether inventory quantities exist at
various points during the period; rather they are concerned about whether
inventory quantities exist at the financial statement date. The principles
discussed in the previous section, which focused on situations where the client’s
internal controls operate at the date of the physical inventory count, also apply to
situations where the client’s internal controls operate throughout the period (i.e.,
cycle counts).

18.52 The previous section discussed using inquiry and observation to test the internal
controls because the audit team is present at the time the controls operate. To
test controls that operate throughout the period, the firm’s control testing policies
apply – meaning that inquiry and observation alone are not sufficient to test the
effectiveness of these controls.

18.53 Often, clients decide that because of the strength and effectiveness of their cycle
count controls, a physical inventory is not necessary at period end. The audit
team should use judgment in determining whether to require a physical count.
Whether the audit team tests the client’s cycle count controls or not, the audit
team must verify that physical inventory quantities exist at period end. The test
strategy related to the cycle controls determines how many items to test at period
end.

Lower-Risk Strategy for Selecting Items to Count

18.54 To employ a lower-risk strategy for selecting items to test count, the audit team
must first be satisfied that the client’s cycle count controls are designed
effectively and are implemented. The elements discussed above should be
evaluated in reaching this judgment. When controls are designed effectively,
audit teams then identify the key controls that they will test to determine
operating effectiveness.

18.55 Some common client controls for testing consideration are:
 policies and procedures of the cycle counts
 count verification procedures
 procedures to identify items counted (ensure completeness) and
eliminate the risk of duplicated counts
 variance investigation procedures
 controls in the inventory receiving activity
 controls in the revenue sales order or invoicing activities

18.56 Because cycle count controls operate throughout the period, the audit team’s
testing must cover the same period. Inquiry and observation alone do not provide
sufficient evidence to achieve the intended control reliance. The following should
be considered in designing tests of controls:
 verifying that the client’s cycle count policies are sufficient (e.g., every
item covered over the period, high value items counted more
frequently, count teams understand how to address errors)
 ensuring that every count has sufficient documentation (e.g., items
counted, results, who performed the test)

18.57 To test cycle count controls, the audit team ordinarily would determine the extent
of testing by using attribute sampling. When the population of cycle counts is too
small for sampling, reperformance may be used to determine the number of cycle
counts to select for testing. Ordinarily, when the population is less than 100,
reperforming 10% of the number of instances in the population is sufficient to
support a conclusion on whether a control operates effectively. Chapters 10 and
14 of this Manual provide further discussion on this topic.

18.58 Executing the test of controls involves two parts. First, for each item, the audit
team examines the entity’s documentation to determine whether the policies and
procedures were followed. Second, the audit team satisfies themselves that the
documentation and client counts are satisfactory by reperforming the controls for
some of the cycle counts selected for testing. For cycle counts, reperforming the
control involves observing and counting the physical inventory at the time of the
cycle count. Therefore, this test requires planning as the test needs to be
performed during the audit period when the cycle count process is performed
(i.e., they cannot be executed at the end of the period after all the cycle counts
are completed). The number of counts to reperform is a matter of judgment, but
ordinarily 10% of the total number of counts selected for testing is a sufficient
number of test items to reperform.

18.59 To illustrate this guidance consider two situations. In the first situation, the client
performs cycle counts once per week. In the second situation, the client performs
cycle counts every day. The following table illustrates the result of applying the
above guidance to each of these situations.

Situation                     1                              2
Technique used                Reperformance                  Attribute sampling
Extent of testing             At least 5                     25
(examination of client’s      (52 cycle counts times 10%)
documentation)
Extent of cycle counts to     At least 1                     At least 3
observe and reperform         (5 tests times 10%)            (25 tests times 10%)

18.60 When the cycle count tests achieve the intended reliance, the audit team can
execute the lower-risk strategy at period end. As stated previously, this strategy
calls for the audit team to select all individually significant items and a judgmental
selection of at least 25 additional items beneath individually significant. These
items should be test counted and later agreed to the client’s final inventory
summary.

Period End Physical Inventory Count by Client

18.61 If the test counts at period end prove to be accurate, then there is no need to
require the client to physically count the entire inventory. However, when the
population must be rejected because of projected errors, the client will have to
rework the population and conduct a physical count. This risk is always present
when clients choose not to conduct a period end physical count.

18.62 When a physical inventory count is required, the audit team should retest the
counted population using the higher-risk strategy since controls were not
effective. Obviously, this is not a desired state and could lead to unpleasantness
if the client was not expecting this outcome. Therefore, it is important for the audit
team to communicate the risks of not performing a physical inventory count to
management to properly prepare them for the possibility that a count will be
required if the audit team’s testing cannot verify that inventory counts are
accurate.

Initial Audits

Objective
18.63 The term "initial audit" refers to the firm’s first audit of an entity's financial
statements, whether or not another firm audited the prior period financial
statements.

18.64 An objective of an initial audit is to gain sufficient audit understanding concerning
the prior financial statements to support an opinion on the current period financial
statements. In this context, the propriety of the accounting principles used in the
previous period is particularly important because:
 professional standards require the auditors’ report to identify those
circumstances in which GAAP is not consistently applied
 results of operations for the current period are directly dependent on
the fairness of presentation of the prior year-end balance sheet
 prior period financial statements may be presented for comparative
purposes in a document containing the auditors’ report

Communications with Management

18.65 Good communication between management and the auditor is always a
necessity. However, it is particularly important in an initial audit because
communication is the basis for gaining an understanding of the entity’s business,
as well as establishing a good working relationship in a new environment. In the
early stages of an audit, many inquiries are made of management and client
personnel. The manner in which these inquiries are made, whether of individuals
or in meetings, will influence future relationships. The following general
considerations frequently contribute to a positive impression:
 interview the right person about the right subject - one who is
knowledgeable and can provide a relatively thorough understanding of
the operations and potential problem areas having audit implications
 avoid omissions and duplications in deciding how many interviews are
required
 avoid mere verbal exchanges that tend to waste time; rather, design
conferences to elicit information about specific topics
 listen to responses and keep in mind that an interview may produce
unexpected information important to the audit
 avoid structuring an interview to such a degree that the person being
interviewed is precluded from volunteering pertinent information

18.66 While the audit team is interested in learning about the client, their personnel
have similar interests in learning about the firm and, more particularly, the firm’s
audit approach. Within professional limits, the client should be kept informed of
the audit team’s overall approach and informational needs. In doing so, criticism
and misunderstandings resulting from comparisons with the predecessor auditor
often can be reduced by:
 accommodating the client's work preferences to the extent practicable
 communicating with top management about the scope of the audit, the
responsibilities of the firm and the client's staff
 minimizing unnecessary administrative time by the in-charge
accountant by having the client appoint an engagement liaison with
sufficient authority to "get things done"
 planning essential elements of the audit, including timetables and
assignments, with the client to obtain maximum efficiency and to
minimize disruption in the client's routine
 minimizing the number and duration of interruptions of client staff

Audit Procedures
18.67 Entities whose financial statements had not been audited before ordinarily
require additional procedures to be performed. These procedures are also
generally applicable where the prior period financial statements were audited by
another firm.

18.68 The procedures in this section emphasize certain elements that take on greater
importance in an initial audit. The procedures should be completed
contemporaneously with the related procedures in Voyager to the extent
practicable, to ensure audit economies and efficiencies. Therefore, effective
planning is essential to ensure an effective audit approach within a reasonable
time limit. The following planning considerations contribute significantly to these
objectives:
 determine the sequence in which audit procedures are to be performed
to ensure the best use of time – for both the audit team and the client's
staff
 request background information and documents from the client for the
permanent and other files well in advance of fieldwork
 defer reviewing the predecessor auditor's workpapers until such time
as sufficient information and knowledge about the entity has been
obtained to formulate specific inquiries and to focus the review on
critical areas
 combine tests of opening balances and current period transactions,
where feasible

Work of Internal Auditors

Obtaining an Understanding of the Internal Audit Function

18.69 As part of the risk assessment process, the audit team considers the work of
internal auditors to understand their impact at the entity and the audit
engagement, if any. The audit team obtains an understanding of the internal
audit function as part of the understanding of internal control over financial
reporting, whether or not the internal auditor’s work will be “used” to modify our
audit procedures.

18.70 This understanding should be sufficient to:
 identify internal audit activities that are relevant to the audit and their
effect (if any) on our audit procedures
 identify and assess the risks of material misstatement of the financial
statements and to design and perform further audit procedures

18.71 If the audit team believes that internal audit activities are not relevant to the audit,
no further consideration of the internal audit function is required. If the audit team
believes that such activities are relevant to risk assessments and audit
procedures, then they should perform an assessment of the internal audit
function in light of the intended effect of internal audit work on the audit.

Effect of the Internal Auditors’ Work

18.72 Internal audit work may affect the nature, timing and extent of the audit,
including:
 procedures to obtain an understanding of the entity’s internal control
 procedures to assess inherent and control risk
 substantive procedures

18.73 Evidence obtained through direct personal knowledge (e.g., physical
examination, observation, computation, etc.) is generally more persuasive than
information obtained indirectly. We should perform procedures to obtain sufficient
evidence to support our audit report, even though such procedures may be
affected by internal audit work. Judgments about assessments of intended
control reliance and inherent risk, the materiality of misstatements, the sufficiency
of tests performed, the evaluation of significant accounting estimates, and other
matters affecting the audit report should always be our decisions.

18.74 In making judgments about the extent of the effect of internal audit work on our
procedures, consideration should be given to the:
 materiality of financial statement amounts
 intended control reliance and inherent risk assessments related to
these financial statement amounts
 degree of subjectivity involved in evaluating audit evidence gathered in
support of the assertions

18.75 As the materiality of the financial statement amounts and either risk assessments
or the degree of subjectivity increase, the need for us to perform tests of the
assertions increases. Conversely, as these factors decrease, the need for
auditors to perform tests of the assertions decreases.

18.76 For assertions related to material financial statement amounts where intended
control reliance is walkthroughs, inherent risk, or the degree of subjectivity is
high, the consideration of internal auditors alone cannot eliminate our need to
test those assertions directly. Examples of these assertions include:
 valuation of assets and liabilities involving significant accounting
estimates
 existence and disclosure of related party transactions, contingencies,
uncertainties and subsequent events

18.77 In converse situations, direct testing of assertions already tested by internal
auditors may not be necessary. Examples of these assertions include the
existence of cash, prepaid assets, and fixed asset additions.

Assessing the Internal Audit Function

18.78 If the audit team believes that internal audit activities are relevant to their risk
assessments and audit procedures, then they should perform an assessment of
the internal audit function in light of the intended effect of internal audit. This
assessment influences the audit team’s judgment about the use of internal audit
in making risk assessments and modifying the nature, timing and extent of further
external audit procedures.

18.79 This assessment primarily focuses on (a) the extent to which the internal audit
function’s organizational status and relevant policies and procedures support the
objectivity of the internal auditors, (b) the level of competence of the internal audit
function and (c) whether the internal audit function applies a systematic and
disciplined approach, including quality control. Accordingly, the important criteria
in assessing internal audit are as follows:
 The organizational status and relevant policies and procedures support
the objectivity of the internal auditors and the level of competence of
the function
 the function’s organizational status, authority and accountability of the
function supports the ability of the function to be free from bias, conflict
of interest or undue influence of others
 the function is free of any conflicting responsibilities, for example,
having managerial or operational duties or responsibilities that are
outside of the internal audit function
 those charged with governance oversee employment decisions for the
internal audit function and the head of internal audit
 head of internal audit reports to those charged with governance
 internal audit has direct access and reports regularly to those charged
with governance
 there are no constraints or restrictions placed on the function and internal
audit can communicate fully with the external auditor
 internal auditors are members of relevant professional bodies and their
memberships obligate their compliance with relevant professional
standards relating to objectivity, or whether the entity’s policies achieve
the same objectives
 scope of function
 the nature and extent of internal audit assignments (broad audit
coverage)
 how management acts on internal audit recommendations and how
this is evidenced
 policies prohibiting internal auditors from auditing areas where (a)
relatives are employed in important or audit-sensitive positions, or (b)
they were recently assigned or are scheduled to be assigned on
completion of responsibilities in the internal audit function
 the function as a whole acquired and maintains the knowledge and
skills necessary to enable assigned tasks to be performed diligently
and in accordance with applicable professional standards. Factors that
may affect the audit team’s determination of competence include:
 the function is adequately and appropriately resourced relative to the
size of the entity and the nature of its operations
 established policies for hiring, training and assigning internal auditors
to internal audit engagements
 internal auditors have adequate technical training and proficiency in
auditing, for example the internal auditors’ possession of a relevant
professional designation, education, experience and continuing
education
 internal auditors possess the required knowledge and skills in such
areas as financial reporting, the applicable financial reporting
framework and industry-specific knowledge
 internal auditors are members of relevant professional bodies and their
memberships obligate their compliance with relevant professional
standards relating to competence and continuing professional
development

 Application of a Systematic and Disciplined Approach
 The existence, adequacy and use of documented internal audit
procedures or guidance covering such areas as risk assessments,
work programs, documentation and reporting, the nature and extent of
which is commensurate with the size and circumstances of the entity
 Whether the internal audit function has appropriate quality control
policies and procedures, for example, such as those policies and
procedures used by the member firm that would be applicable to an
internal audit function (such as those relating to leadership, human
resources and engagement performance) or quality control
requirements in standards set by the relevant professional bodies for
internal auditors. Such bodies may also establish other appropriate
requirements such as conducting periodic external quality
assessments.
 quality of workpaper documentation, reports, and recommendations

18.80 Objectivity and competence may be viewed as a continuum. The more the
internal audit function’s organizational status and relevant policies and
procedures adequately support the objectivity of the internal auditors and the
higher the level of competence of the function, the more likely the external
auditor may make use of the work of the function and in more areas. However,
an organizational status and relevant policies and procedures that provide strong
support for the objectivity of the internal auditors cannot compensate for the lack
of sufficient competence of the internal audit function. Equally, a high level of
competence of the internal audit function cannot compensate for an
organizational status and policies and procedures that do not adequately support
the objectivity of the internal auditors.

Circumstances When Work of the Internal Audit Function Cannot Be Used

18.81 The engagement team’s evaluation of whether the internal audit function’s
organizational status and relevant policies and procedures adequately support
the objectivity of the internal auditors, the level of competence of the internal
audit function, and whether it applies a systematic and disciplined approach may
indicate that the risks to the quality of the work of the function are too significant
and therefore it is not appropriate to use any of the work of the function as audit
evidence.

18.82 Considering the factors in the above paragraphs individually and in aggregate is
important because an individual factor is often not sufficient to conclude that the
work of the internal audit function cannot be used for purposes of the audit. For
example, the internal audit function’s organizational status is particularly
important in evaluating threats to the objectivity of the internal auditors. If the
internal audit function reports to management, this would be considered a
significant threat to the function’s objectivity unless other factors collectively
provide sufficient safeguards to reduce the threat to an acceptable level.

18.83 A self-review threat exists when the firm accepts an engagement to provide
internal audit services to an audit client, and the results of those services will be
used in conducting the audit. This is because of the possibility that the
engagement team will use the results of the internal audit service without
properly evaluating those results or without exercising the same level of
professional skepticism as would be exercised when the internal audit work is
performed by individuals who are not members of the firm. Applicable codes of
ethics discuss the prohibitions that apply in certain circumstances and the
safeguards that can be applied to reduce the threats to an acceptable level in
other circumstances.

Determining the Nature and Extent of Work of the Internal Audit Function
that Can Be Used

18.84 The engagement team determines whether the work of the internal audit function
can be used for purposes of the audit by evaluating the following:

 The extent to which the internal audit function’s organizational status
and relevant policies and procedures support the objectivity of the
internal auditors

 The level of competence of the internal audit function; and

 Whether the internal audit function applies a systematic and disciplined
approach, including quality control.

18.85 The external auditor shall not use the work of the internal audit function if the
external auditor determines that:

 The function’s organizational status and relevant policies and
procedures do not adequately support the objectivity of internal
auditors;

 The function lacks sufficient competence; or

 The function does not apply a systematic and disciplined approach,
including quality control.

18.86 Once the engagement team has determined that the work of the internal audit
function can be used, a first consideration is whether the planned nature and
scope of the work of the internal audit function that has been performed, or is
planned to be performed, is relevant to the overall audit strategy and audit plan.

18.87 Examples of work of the internal audit function that can be used include the
following:

 Testing of the operating effectiveness of controls.

 Substantive procedures involving limited judgment.

 Observations of inventory counts.


 Tracing transactions through the information system relevant to
financial reporting.

 Testing of compliance with regulatory requirements.

 In some circumstances, audits or reviews of the financial information of
subsidiaries that are not significant components to the group (where
this does not conflict with the requirements of ISA 600).

18.88 The determination of the planned nature and extent of use of the work of the
internal audit function will be influenced by the engagement team’s evaluation of
the extent to which the internal audit function’s organizational status and relevant
policies and procedures adequately support the objectivity of the internal auditors
and the level of competence of the internal audit function (discussed above). In
addition, the amount of judgment needed in planning, performing and evaluating
such work and the assessed risk of material misstatement at the assertion level
are inputs to the external auditor’s determination. Further, as discussed above,
there are circumstances in which the engagement team cannot use the work of
the internal audit function for purposes of the audit.

18.89 The engagement team makes all significant judgments in the audit and, to
prevent undue use of the work of the internal audit function, uses less of the work
of the function and performs more of the work directly in the following situations:

 The more judgment is involved in planning and performing relevant
audit procedures and evaluating the audit evidence gathered

 The higher the assessed risk of material misstatement at the assertion
level, with special consideration given to risks identified as significant

 The less the internal audit function’s organizational status and relevant
policies and procedures adequately support the objectivity of the
internal auditors; and

 The lower the level of competence of the internal audit function.

18.90 In principle, the greater the judgment needed to be exercised in planning and
performing the audit procedures and evaluating the audit evidence, the more the
engagement team will need to perform procedures directly because using the
work of the internal audit function alone will not provide sufficient appropriate
audit evidence.

18.91 The engagement team also evaluates whether, in aggregate, using the work of
the internal audit function to the extent planned would still result in the external
auditor being sufficiently involved in the audit, given the firm’s sole responsibility
for the audit opinion expressed.

18.92 The engagement team also communicates to those charged with governance
how the team plans to use the work of the internal audit function.

Using the Work of the Internal Audit Function

18.93 If the engagement team plans to use the work of internal auditors, the team
reads the reports of the internal audit function relating to the work of the function
that the external auditor plans to use to obtain an understanding of the nature
and extent of audit procedures it performed and the related findings. The
engagement team also discusses and coordinates activities with the function. It
may be efficient to coordinate this work by:
 holding periodic meetings
 scheduling audit work
 obtaining access to internal audit workpapers
 reviewing internal audit reports
 discussing possible accounting and auditing issues

18.94 The engagement team needs to perform sufficient audit procedures on the body
of work of the internal audit function as a whole that the team plans to use to
determine its adequacy for purposes of the audit. Such procedures need to result
in sufficient and appropriate evidence to evaluate whether:

 The work of the function was properly planned, performed, supervised,
reviewed and documented;

 Sufficient appropriate evidence had been obtained to enable the
function to draw reasonable conclusions; and

 Conclusions reached are appropriate in the circumstances and the
reports prepared by the function are consistent with the results of the
work performed

18.95 In principle, the nature and extent of the engagement team’s audit procedures
are determined by, and responsive to, the external auditor’s evaluation of (a) the
amount of judgment involved, (b) the assessed risk of material misstatement, (c)
the extent to which the internal audit function’s organizational status and
relevant policies and procedures support the objectivity of the internal auditors,
and (d) the level of competence of the function.

18.96 In developing these procedures, the engagement team may consider such factors
as whether the internal auditors’:
 scope of work is appropriate to meet the objectives
 audit programs are adequate
 workpapers adequately document work performed, including evidence
of supervision and review
 conclusions are appropriate in the circumstances
 reports are consistent with the results of the work performed
 exceptions or unusual matters disclosed by internal audit are properly
resolved

18.97 In all cases the engagement team’s audit procedures will include reperformance
of some of the work completed by the internal audit function. The engagement
team may test the work performed by the internal audit function by examining:
 some of the controls, transactions, or balances examined by internal
auditors
 similar controls, transactions, or balances not actually examined by
internal auditors

18.98 The results of these tests should be compared to the results of the internal audit
work. The extent of the tests will depend on the circumstances and should be
sufficient to evaluate the overall quality and effectiveness of the internal audit
work under consideration.

18.99 Upon completing the review and testing of the work performed by the internal
audit function, the engagement team evaluates whether the external auditor’s
conclusions regarding the internal audit function in paragraph 15 of this ISA and
the determination of the nature and extent of use of the work of the function for
purposes of the audit in paragraphs 18–19 of this ISA remain appropriate.

Determining Whether Internal Auditors Can Be Used to Provide Direct
Assistance

18.100 The engagement team or the firm may be prohibited by law or regulation
from obtaining direct assistance from internal auditors. If so, the paragraphs in
this manual addressing direct assistance do not apply.

18.101 If the audit plan includes using internal auditors to provide direct
assistance on the audit, the engagement team first evaluates the existence and
significance of threats to objectivity and the level of competence of the internal
auditors who will be providing such assistance by making inquiry of the internal
auditors regarding interests and relationships that may create a threat to their
objectivity.

18.102 The engagement team cannot use an internal auditor to provide direct
assistance if:

 There are significant threats to the objectivity of the internal auditor, or

 The internal auditor lacks sufficient competence to perform the
proposed work.

Determining the Nature and Extent of Work that Can Be Assigned to
Internal Auditors Providing Direct Assistance

18.103 In determining the nature and extent of work that may be assigned to
internal auditors and the nature, timing and extent of direction, supervision and
review that is appropriate in the circumstances, the engagement team considers:

 The amount of judgment involved in: (i) Planning and performing relevant
audit procedures; and (ii) Evaluating the audit evidence gathered;

 The assessed risk of material misstatement; and

 The external auditor’s evaluation of the existence and significance of
threats to the objectivity and level of competence of the internal auditors
who will be providing such assistance.

18.104 The engagement team cannot use internal auditors to provide direct
assistance to perform procedures that:

 Involve making significant judgments in the audit;

 Relate to higher assessed risks of material misstatement where the
judgment required in performing the relevant audit procedures or
evaluating the audit evidence gathered is more than limited;

 Relate to work with which the internal auditors have been involved and
which has already been, or will be, reported to management or those
charged with governance by the internal audit function; or

 Relate to decisions the engagement team makes regarding the internal
audit function and the use of its work or direct assistance.

18.105 The engagement team communicates the nature and extent of the
planned use of internal auditors to provide direct assistance to those charged
with governance so as to reach a mutual understanding that such use is not
excessive in the circumstances.

18.106 The engagement team evaluates whether, in aggregate, using internal auditors
to provide direct assistance to the extent planned, together with the planned use
of the work of the internal audit function, would result in the engagement team
being sufficiently involved in the audit, given the firm’s sole responsibility for the
audit opinion expressed.

18.107





18.108

18.109

Using Internal Auditors to Provide Direct Assistance

18.110 Prior to using internal auditors to provide direct assistance the
engagement team obtains written representation from both an appropriate
authorized representative of the entity and from internal audit. The representation
from the entity confirms that the internal auditors will be allowed to follow the
engagement team’s instructions, and that the entity will not intervene in the work
the internal auditor performs for the team. The representation from the internal
auditors confirms that they will keep confidential specific matters as instructed by
the external auditor and inform the external auditor of any threat to their
objectivity.

18.111 The nature, timing and extent of the engagement team’s direction,
supervision, and review of the internal auditors providing direct assistance
reflects the fact that the internal auditors are not independent of the entity
and is responsive to the outcome of the evaluation of the internal auditors’
objectivity and competence (as discussed above). The direction provided to
internal auditors includes such matters as informing them of their
responsibilities, the objectives of the procedures they will perform and matters
that may affect the nature, timing and extent of audit procedures (e.g., possible
accounting and auditing issues). The engagement team’s review procedures
include checking back to the underlying audit evidence for some of the work
performed by the internal auditors. The direction, supervision and review by the
engagement team of the work performed by the internal auditors needs to be
sufficient in order for the team to be satisfied that the internal auditors have
obtained sufficient appropriate audit evidence to support the conclusions based
on that work.

18.112

Client Prepared Documents Containing the Firm’s Report

18.113 [Tailor the following paragraph for reference to your applicable regulations
and standards] Frequently, the firm’s reports appear in client prepared
documents that also contain other information, such as annual reports to
stockholders, the public, or regulatory agencies, and Forms 10-K and similar
reports filed under the Securities Exchange Act of 1934. Professional standards
state that the auditor should read the other information to determine whether it is
consistent with the information in the financial statements. Corroboration or other
procedures are not required.

18.114 [Tailor the following paragraph to reflect your environment] Information in
electronic sites that include annual reports to shareholders, financial statements
and other financial information may also include press releases, product
information, and promotional material. Electronic sites include public computer
networks, such as the Internet, an electronic bulletin board, the SEC’s EDGAR
system, or similar electronic venues. Since electronic sites are means of
distributing information and are not “documents,” as that term is used in the
professional standards, auditors are not required to read information contained in
electronic sites or to consider the consistency of other information in electronic
sites with the original documents.

18.115 Guidance on the reporting requirements with respect to information
included in client-prepared documents and the auditors’ responsibilities for
supplementary information included in auditor-submitted documents are included
in Chapter 21.

Material Inconsistencies with Financial Statements

18.116 [Tailor the following paragraph for your policies and practices] If, as a
result of reading the other information, the audit team concludes that it is
materially inconsistent with the financial statements, they should determine
whether the financial statements, the firm’s report, or both require revision. If the
audit team concludes that no revisions to the report or the financial statements
are necessary, they should request the client to revise the other information.
Should the client refuse to make the necessary revision, the lead partner should
notify the NPPD and RRLA, who together with the lead partner and PSP, will
consider other actions, such as revising the firm’s report to include an
explanatory paragraph describing the material inconsistency, withholding the use
of the firm’s report in the document, and withdrawing from the engagement.

Material Misstatements of Fact

18.117 [Tailor the following paragraph for your policies and practices]
Alternatively, the audit team may become aware of information that appears to
be a material misstatement of fact that is not a material inconsistency. If the lead
partner concludes that he or she has a valid basis for concern, he or she should
propose that the client consult with some other party whose advice might be
useful to the client, such as the client's legal counsel. If the matter is not
satisfactorily resolved, the lead partner should immediately notify the NPPD and
RRLA, who together with the lead partner and PSP, will consider other actions,
such as notifying the client in writing of the firm’s views concerning the
information.

Auditing Fair Values


18.118 The increased use of fair value information in financial reporting along with
the difficulty of measuring fair values of some assets and liabilities creates
challenges for management and the audit team. Valuations that involve
significant estimation uncertainty require greater levels of support from
management and greater auditor effort.

18.119 Management must have solid evidence that supports their valuation
assertion, including, when appropriate, involvement of external valuation experts.
Management should also have internal controls over the valuation processes
involved in financial reporting.

18.120 An understanding of the entity’s positions subject to fair value (i.e., the
asset, liability, equity instrument, or other financial reporting assertion) enables
the audit team to:

 evaluate the adequacy of the evidence provided by management

 determine appropriate audit testing (both control and substantive
testing)

18.121 The understanding includes the process management used to determine a
fair value estimate, including the method and assumptions, internal controls and
whether they used an expert. The audit team uses the collective understanding
of positions, processes and people to make judgments about the nature of the
audit work that will be appropriate in the circumstances, including whether and
which valuation specialists or experts should be used. It is very important that the
workpapers reflect this understanding and the basis for the audit team’s
judgments.

Valuation Risk

18.122 Valuation risk has two major components: materiality and estimation
uncertainty. The first component determines whether a position is in scope. As
with other financial statement items, the audit team uses tolerable error to
determine whether a position is in scope. The second component drives the
nature, timing, and extent of audit procedures and related audit evidence.

18.123 A position might be a single security or it may be a group of similar
securities. A position is in scope when it is significant, either individually or in
combination with other positions. Evidence supporting fair values of significant
positions should be provided by management and be audited.

18.124 Estimation uncertainty varies based on the nature of the position. Fair
values for some positions are readily available as the fair value estimate is based
on active markets. Other positions may be rarely, if ever, traded and the fair
value must be estimated. In this situation, the inputs, assumptions and model
increase estimation uncertainty. Uncertainty may also result from the infrequency
of trades, the wide dispersion of trade prices, or both. The content of this Chapter
focuses on providing guidance on auditing estimation uncertainty.

18.125 The degree of estimation uncertainty determines the evidence
management provides to support significant fair values. For management to
provide adequate evidence, it may be necessary for management to obtain the
assistance of a valuation expert. For the auditor to perform adequate testing, it
may also be necessary for the auditor to obtain the assistance of a valuation
expert or internal specialist.

Management’s Fair Value Responsibilities

18.126 Management is responsible for deploying processes (including internal
controls) and people that will result in appropriate fair value measurements and
disclosures in their financial statements. Inadequate processes, people, or
documentation indicate material weaknesses that may affect our ability to
conduct an audit. For example, management may have very little knowledge of
the source of the valuation information, such as when fair value estimates are
provided by third-party sources, or only a vague understanding of the valuation
methods employed and assumptions used. Another example might be that
management derives such values internally; however, the persons performing
the valuations have little or no expertise or objectivity with respect to valuing the
positions.

18.127 Auditors have a responsibility to require that management provide
sufficient, relevant, competent evidence in support of their financial statement
assertions. If management fails in their responsibility with respect to a significant
position, the audit team should assess the impact on the audit approach. The
outcome of this assessment ordinarily results in the audit team needing to adopt
the approach of developing an independent estimate of the value. In addition, the
audit team should evaluate the internal control deficiency (which may be
material) and the potential scope limitation. Audit teams should not attempt to fill
the gap by performing the fair value accounting process on behalf of
management.

18.128 When management fails to provide appropriate evidence, the lead partner,
after consulting with appropriate firm personnel, should communicate directly
with management and, if needed, those charged with governance.

18.129 If the position is such that information needed to effectively estimate fair
value is not available to management and the audit team, there is likely a scope
limitation that should be evaluated for materiality and the severity of the impact
on our assessment of internal controls and the firm’s opinion on the financial
statements.

Audit Evidence Considerations

18.130 The nature and extent of evidence needed in support of valuations varies
with estimation uncertainty. Accordingly, the audit team should adjust their
expectations of management and the nature and extent of the evidence to reflect
estimation uncertainty.

18.131 Voyager’s suggested audit procedures may address a balance that
contains multiple positions with different characteristics. Therefore, the audit
team’s application of those suggested procedures should include tailoring and
executing the procedures to reflect the circumstances.

18.132 The evidence management provides varies based on the estimation
uncertainty of the position. Similarly, the tailoring of audit procedures reflects the
position and the evidence provided by management. For example,
management’s evidence with respect to actively traded securities will be different
than the evidence needed to support non-actively traded securities or securities
with embedded derivatives. The positions in the latter cases are more complex
as are the methods, assumptions and expertise needed to value them.

18.133 Estimation uncertainty for a position depends on the characteristics of the
position being valued and the nature of the markets for the position. There is a
continuum of values for estimation uncertainty ranging from lower to higher risk.
In considering estimation uncertainty, it is useful to think of positions as falling
into one of the following three levels:
 Securities that trade in active markets (Level 1) – The position being
valued is traded in active markets such that the fair value can be
“looked up” in independent sources. The availability of observable
market prices would make the use of specialists (and consideration of
their methods and assumptions) unnecessary for determining current
values.
 Investments priced using quotes from market makers or derived from
similar instruments (Level 2) – Quotes for market prices may be
obtainable from broker-dealers who make a market in the security or
other position. These quotes are based on a consideration of a
combination of recent transactions in the same or similar securities, or
direct current quotes from market makers in the security. Estimation
uncertainty for these positions is increased as valuing these positions
requires some expertise in extrapolation of fair value estimates from
broker quotes and/or quoted transaction information.
 Investments priced with models or similar techniques (includes
alternative investments) (Level 3) – Some securities and other
positions (including alternative investments) do not trade in active
markets and accordingly, must be valued using estimates. Estimation
uncertainty for these positions is increased by (a) the complexity of the
terms of the position, (b) the uncertainty of the future behavior of the
factors that influence the position’s value (such as future interest rates,
default rates, and recovery rates) and (c) assumptions about future
market conditions. Valuation of these positions requires substantial
expertise to identify inputs, make appropriate assumptions and
select a valid valuation model.

18.134 When evaluating a portfolio, the audit team uses their knowledge of the
varying degrees of estimation uncertainty of the positions to determine the
evidence and controls required, the need for assistance from experts, and the
nature and extent of audit procedures required in the circumstances.

Evaluating the Evidence

18.135 Audit teams may be faced with the situation where they have significant
doubts on the adequacy of evidence provided by management. Doubts could
arise from such factors as:
 inappropriate methodology
 lack of objectivity
 lack of specificity
 unsupported assumptions

18.136 For example, even when management includes personnel with relevant
valuation expertise and information on which to base a valuation, the audit team
could have a reasonable concern as to whether those persons are sufficiently
objective and the assumptions used are unbiased. In this situation it may be
appropriate to request that management involve third-party experts in their
valuation process.

18.137 The higher a position’s estimation uncertainty, the more the entity needs
to use processes with a high degree of objectivity and people with appropriate
expertise. One or both of these requirements may be missing with respect to any
significant fair value estimate.
 Expertise – The audit team, supported by firm valuation specialists,
should assess whether the people performing valuations for
management (including both internal and third parties) have the
necessary expertise and competence (including appropriate models
and necessary data). If the entity’s process lacks appropriate
expertise, the audit team should request that management obtain the
resources and assistance needed, including involving third-party
experts.
 Objectivity – The audit team, supported by firm valuation specialists,
should make an assessment as to whether significant inputs to the
valuation process are biased. Concerns over bias could arise from the
selection of (a) comparable transactions or other input data or (b)
assumptions. For example, the firm valuation specialist may have a
concern that a cap rate, market multiple, or some other assumption or
input does not reflect current market conditions. If management’s
inputs and assumptions appear to be biased and management is
unwilling to remove the bias, the audit team should request that
management obtain the assistance of objective third-party experts.

Management’s third-party expert

18.138 Management’s use of third-party experts to value positions with higher


estimation uncertainty is not an automatic requirement. The audit team, including
firm specialists, may conclude that their documented understanding of the
process and controls demonstrates that management used appropriate expertise
and sufficient objectivity in developing their fair value estimates. In this situation,
management does not need the additional assistance of third-party experts.

18.139 The audit team, supported by firm valuation specialists, if applicable, may
conclude that management’s support for fair value determinations lacks
appropriate methodology, objectivity, specificity, and support for assumptions
used to estimate values. When this is the case, the audit team will often need to
insist that management revise their approach and/or involve a third-party expert.
While developing our own estimate of the value is an acceptable audit approach,
it does not address the issue that management cannot appropriately produce
their financial statements.

18.140 In situations where the audit team requests management to involve third-
party experts in their valuation process, the audit team should assess the third-
party experts for competence and objectivity. Additionally, the use of a third-party
expert by management does not change the audit team’s responsibilities to
understand the assumptions and methodologies used by management’s expert.
The audit team should assess these items at the team level, which often will
include a meeting with the third-party expert to discuss their approach. An
assessment that the assigned team has the requisite skill and experience solely
based on the fact that management engaged a reputable, national firm is not a
sufficient assessment and does not establish that the expert understands the
need for a fair value estimate in accordance with GAAP and our documentation
expectations.

18.141 Third-party expert assistance to management may take different forms.
Examples include:
 engaging an expert to give a valuation opinion for an annual
impairment test
 engaging an expert to value a portion of the portfolio at each interim
and annual reporting date in a manner such that the substantial
majority of the portfolio is valued by the external specialist over the
course of each 12-month period
 using an expert to give negative assurances on the methods and
assumptions being used by the internal valuation experts at each
reporting date
 using different approaches on different positions, depending on the
position’s estimation uncertainty and frequency of financial reporting

There are many different ways for management to involve reputable outside experts to
increase expertise and objectivity and enhance methods, assumptions and
documentation.

Required Documentation and Consultation

18.142 During the risk assessment process, the audit team documents their
consideration of the expertise and objectivity employed by management to
estimate the fair value of significant positions. This documentation includes the
audit team’s:
 understanding of the nature of the positions
 knowledge of the methods and assumptions used by management (or
management’s expert) in the valuation process
 evaluation of management’s valuation processes and controls (are
they appropriate for the positions held?)
 conclusion on both the adequacy of expertise and objectivity involved
(is expertise appropriate, have they changed from the preceding period
and is there bias?)
 conclusion as to whether management needs to engage an external
valuation expert

18.143 The team should clearly document its audit response related to significant
fair value risks. Audit teams should not perform and document procedures
related to more than one approach for a single position, such as obtaining an
understanding and performing some testing of management’s process, methods,
and assumptions, and also developing independent estimates for certain fair
value positions. The workpapers should be clear and complete with regard to our
audit approach, work performed, and relevant conclusions. Reviewers should
find that the workpapers contain one clear approach, completely performed.

18.144 [Tailor the following paragraph to reflect your consultation policies]
In addition, for material positions with higher estimation uncertainty,
the audit team needs to consult with the PSP on whether management needs to
engage an external valuation expert to assist in developing a fair value estimate.
The consultation needs to be documented in the consultation database and
should include the following:
 a summary of the positions meeting the material and higher valuation
risk criteria
 the audit team’s determination of whether management needs to
engage an external valuation expert
 an audit response to address each of the material, higher risk fair value
positions identified
The NPPD should be involved as needed for consideration of more difficult situations.

Developing a Response

18.145 It is worthwhile to repeat that management has the responsibility to
prepare fair value estimates and that engaging our own specialists to obtain
values does not compensate for a deficiency in evidence provided by
management. The audit team’s ability to design and perform an effective audit
depends on the adequacy of evidence provided by management and their
experts. Unless management fulfills their responsibility, the audit team cannot
fulfill their responsibility, and thus would have a serious engagement continuation
and scope limitation reporting issue that would need to be addressed.

18.146 The audit team can only design and perform appropriate tests when they
understand:
 the estimation uncertainties associated with significant positions
 the evidence that will be provided by management, and
 the process used by management to develop fair value estimates,
including associated internal controls

18.147 For example, audit teams need to understand the positions in an
investment portfolio and how management obtained their fair value estimates
before assessing whether a pricing expert, such as Harvest Investments
(Harvest), is an effective and efficient response to risk.

18.148 Understanding and evaluating estimation uncertainties begins with
understanding the different types of positions held by the client. This requires
disaggregating line items and disclosures as needed to identify positions with
differing characteristics. The three fair value levels will help audit teams
understand these uncertainties and the requisite experience and expertise
needed to respond to risk.

18.149 For example, a response to estimation uncertainties associated with
positions traded in active markets (Level 1) could include agreeing the price to
readily available quotes as published by a reliable provider, such as The Wall
Street Journal. A response to estimation uncertainties associated with positions
that have no ready market (Level 3) requires testing the validity of the valuation
model and the appropriateness of inputs and assumptions and therefore will
require specialized skills in the application and evaluation of these techniques.

18.150 In the investment cycle, Voyager includes several risks in the valuation-net
assertion (e.g., “Fair value measurements of investments priced using quotes
from market makers or derived from similar instruments not correct”). When any
of these risks are applicable, the audit team determines whether it is “reasonably
possible” or “not reasonably possible” of causing a material misstatement. If the
risk is reasonably possible, inherent risk must also be assessed for the valuation-
net assertion.

18.151 Fair values established in an active market with quoted prices would
generally be evaluated as not reasonably possible of causing a material
misstatement because the estimation uncertainty is lower and the inherent risk of
a material error occurring due to valuation is low. However, if the entity fails to
establish reasonable processes to obtain fair values, this risk may become
reasonably possible. To assess this risk as “not reasonably possible,” the audit
team should document how the processes established by the entity address this
risk.

18.152 For other types of securities and positions, this risk would almost always
be reasonably possible. Inherent risk would be assessed at medium or high due
to higher estimation uncertainty. Complexity of the entity’s portfolio is a primary
factor in determining inherent risk.

18.153 The audit team uses the Accounting System tool to document the
processes established by the entity to address fair value risk. The primary
processes in Voyager related to this risk are “Capturing fair value information”
and “Recording fair values.” In general, the audit team gains an understanding of
how management:
 decides which securities to purchase
 gathers information about the securities to enable them to evaluate
risk, monitor performance, and obtain fair values
 determines that fair values and related disclosures, including leveling
determinations, are reasonable and supported by appropriate methods
and assumptions
The audit team’s understanding of the entity’s portfolio, how the entity performs these
processes, and who performs them are key factors in obtaining the understanding
necessary to evaluate estimation uncertainty.

18.154 When testing internal control is necessary or appropriate, the audit team’s
testing should address control activities related to the differing significant
positions. Even when management relies on an outside reputable valuation
expert to estimate fair values, management needs controls over that outsourced
process. Controls should address the selection and engagement of a valuation
expert, the accuracy and completeness of data used by the expert, consistency
of methods and assumptions, and management’s review, approval, and use of
the valuation report. Other valuation processes will require different control
activities.

18.155 For fair value risks that are reasonably possible, the audit team
documents their understanding of controls over important processes. As with
other reasonably possible risks, the documentation includes capturing the
controls established by management, determining whether they are implemented
and evaluating design effectiveness.

18.156 Relevant controls are those related to validating the source of fair value
inputs and establishing comprehensive policies for valuations. The entity may
(and likely will) have different controls over the different positions in their
portfolio. It is not necessary to duplicate processes to capture these controls in
Voyager. Rather, the description boxes can be used to clearly describe these
situations.

18.157 The content of the description box should reflect the details of the
methods and assumptions, including reasons for changes in methods and
assumptions from those used in the preceding period.

18.158 Control deficiencies in this area frequently rise to the level of material
weaknesses.

18.159 Once the audit team has an understanding of the estimation uncertainties
and the quality of management’s evidence, they are in a position to design an
appropriate response.

18.160 Substantive testing may involve one of the following approaches:
 testing management’s process - including the significant assumptions,
the valuation model, and the underlying data
 developing an independent fair value estimate - for corroborative
purposes (commonly the case with the involvement of Harvest or the
firm’s pricing group)
 reviewing subsequent events and transactions
Although subsequent events may provide useful information that validates or calls into
question the results of applying one of the other approaches, reviewing them is rarely
used as the principal approach when auditing the fair value of securities.

18.161 The objective of testing management’s process and developing an
independent estimate is not determining fair values for the client. Instead the
audit team (which may include valuation specialists) is testing management’s fair
value estimates. Differences of opinion in methods and assumptions are
common for positions with higher estimation uncertainty. Not all differences in
higher-risk valuations are errors. The auditor’s understanding of the position
being valued (assisted as appropriate by the auditor’s specialist) and the reasons
for the valuation difference are the basis for evaluating the acceptable level of
uncertainty involved in estimating the value of a position.

18.162 A valuation difference is an error when management’s fair value estimate
falls outside an acceptable range or involves multiple valuations that individually
fall within an acceptable range, but are biased in a particular direction that
exceeds tolerable error, in the aggregate.

18.163 [Tailor the examples in this paragraph to reflect resources available in
your environment] The audit team’s understanding of the position being valued
(aided as needed, by the audit team’s specialist) and the reasons for any
valuation difference are the basis for evaluating the acceptable level of
uncertainty involved in estimating the value of a position. The purpose of
involving experts and specialists such as Harvest, the NYPG, or the VSG in the
audit is to aid the audit team in evaluating whether management’s valuation is
within a reasonable range of values.

18.164 Judgment is required to determine a reasonable range. This judgment will
differ from security to security and will narrow and widen in proportion to
valuation uncertainty. For example, a Level 1 security would have a tighter
reasonable range than a Level 2 security that trades infrequently. In all cases,
the reasonable range cannot exceed tolerable error. For example, if the price of
an agency bond that is obtained from the pricing specialist is within 5% of the
client’s price, the audit team may conclude that the difference is within a
reasonable range based on the inputs and related uncertainties used to value
that security.

18.165 The audit team would not conclude that a difference between
management’s fair value estimate and the audit team’s independent fair value
estimate is a misstatement when the difference falls within the reasonable range
determined by the audit team. However, a difference outside the reasonable
range suggests that management’s fair value estimate may be misstated and
thus, more persuasive evidence would be needed to support management’s fair
value estimate. The audit team should start by discussing the matter with
management and the pricing expert, if applicable, to get a better understanding
of the underlying differences. If management cannot provide further evidence to
support their fair value estimate, the sum of the differences should be included
and evaluated on the Summary of Unrecorded Misstatements.

18.166 The audit team’s valuation specialist or expert may conclude that
management’s (or their expert’s) methodology or its application is seriously
deficient. This finding does not necessarily provide evidence that management’s
fair value estimate is misstated. Therefore, the audit team should not
automatically propose an adjustment. Rather, the audit team should ask
management to resolve the finding by providing further evidence to support their
fair value estimate.

Testing Management’s Process

18.167 In certain instances, testing management’s process is an appropriate
response when auditing fair values of material positions. This approach requires
the audit team to understand and assess management’s process for determining
fair values of its securities portfolio for the purpose of testing that process to
determine whether it provides reasonable results. This approach can be effective
when management established a robust process for estimating fair values of its
securities. A robust process usually includes the entity employing knowledgeable
investment personnel who understand the portfolio and its valuation risks.

18.168 Developing an independent fair value estimate by using a pricing expert
may be a more efficient way to audit fair values; thus, this approach is built into
Voyager rather than testing management’s process. Accordingly, when an audit
team chooses to test management’s process for some or all of the securities in
the portfolio, the audit team should tailor the Voyager file accordingly.

18.169 The extent of testing will vary with the composition and related valuation
risk of the portfolio. When the portfolio consists of a large number of different
types of securities, sampling may be the most efficient method to select items for
testing. A portfolio is typically comprised of groups of securities that are priced
using the same method and thus, selecting one or two items from each group
may be sufficient. Judgment is required and the audit team should document
their conclusions about how they determined the number and nature of items to
test.

Developing an Independent Fair Value Estimate

18.170 This approach requires the audit team to develop a fair value estimate by
obtaining fair values from a pricing expert that is independent of a company or by
independently computing the fair value estimate. This approach can be effective
and efficient, especially when:
 The entity obtains its fair values from brokers who sold the client the
security or from another third-party pricing service (that is,
management does not have in-house pricing expertise).
 The portfolio can be priced based on frequent or even infrequent
trades or broker quotes.
 The portfolio includes complex or hard-to-value securities and the audit
team believes management may not be able to provide sufficient
details of the underlying methods and assumptions for those values
without third-party assistance.
 It is more efficient to independently estimate values than to assess and
test management’s (or their pricing expert’s) process.

18.171 [Tailor the list to reflect the resources available. Note that the services of
Harvest Investments are available to all member firms] The underpinning of this
approach is that the audit team obtains or develops fair values for the securities
in the portfolio independently of the entity and compares the audit team’s results
with management’s fair value estimates. Applying this approach varies somewhat
depending on who obtains or develops the fair values. There are four possibilities
for an audit team to consider, and some or all of them may be used on any
engagement. The fair value estimate can be developed by any of the following:
 audit team
 Valuation Services Group
 Harvest Investments
 other firm pricing specialists
As discussed above, the appropriate choice is determined by the audit team’s
understanding of the composition of the portfolio, the valuation risks involved,
management’s processes and controls, and knowledge obtained in prior period audits.
This understanding enables the audit team to determine the most effective and efficient
pricing alternative to use for the various segments of the portfolio.

18.172 Voyager describes the procedures to follow when developing independent
fair value estimates. Such procedures are broken down by the methods used by
management in developing their fair values and include:
 securities traded in active markets (Level 1)
 securities priced by obtaining quotes from market makers or using
similar instruments (Level 2)
 securities in inactive markets or other alternative investments (Level 3)

18.173 [Tailor the examples to reflect the resources available] Ordinarily, the audit
team can obtain reliable values for the first two classifications fairly quickly from
Harvest or firm pricing specialists. Occasionally, Harvest or firm pricing
specialists may be unable to obtain prices for certain securities (for example,
those containing embedded derivatives or requiring inputs that cannot be
verified). In these cases, the report from the expert or specialist will clearly
identify these securities. The audit team should re-evaluate the risk related to the
unpriced securities and the procedures used by the client to estimate their value.
Often this will require involvement of one of the VSG specialists. The audit team,
with assistance from the VSG, will need to develop alternate procedures, which
could include modeling or other valuation techniques, to test the client’s fair value
for those securities. Voyager includes audit steps for hard-to-value investments
(such as those where trading data is not available or sufficient to provide an
appropriate fair value), and directs the audit team to assess risk characteristics
(for example, measurement uncertainty, size, and complexity) in deciding which
securities to test.

18.174 The audit team should understand and document the methods and
assumptions used by the expert. However, the relevance of these matters varies
with the valuation risk. At one extreme, for U.S. Treasuries and other actively
traded positions (that is, Level 1 securities), documentation of the source for the
pricing information suffices because the matter of valuation methods and
assumptions is not relevant to values determined by obtaining the value from
published sources. At the other extreme, for non-traded unique positions where
the prices are derived from models or calculations, the audit team’s
understanding of the methods and assumptions is critical. These methods and
assumptions need to be understood and documented in significant detail, and the
reasons for any changes in the methods and assumptions used in the preceding
period must be known and evaluated.

18.175 Management’s process and supporting data should include an
assessment and classification of the securities according to the level of inputs
into the fair value estimate as Level 1, 2, or 3. Audit teams should document their
understanding of management’s process and review support for the
classifications in which the investments are categorized. Although some level
classifications may appear self-evident, audit teams should be satisfied the
documentation appropriately supports such classifications. In most
circumstances, if the audit team has obtained sufficient evidence to support the
valuation assertion, they should have sufficient evidence to support the client’s
leveling disclosures.

The Audit Team

18.176 In applying the approach where fair values will be tested by the audit
team, the audit team assumes responsibility for testing fair values without the
assistance of a pricing specialist or expert. Accordingly, this approach is
appropriate only when the risk of material misstatement due to valuation risk is
low, such as where the securities actively trade on an exchange (that is, Level 1
securities). The audit team tests fair values of those securities by agreeing them
to readily available quotes as published by reliable providers such as The Wall
Street Journal.

18.177 Free Internet sites sponsored by companies such as MSN Money, Yahoo!
Finance, or Google Finance reflect quotes purchased from other providers.
Those sites contain disclaimers as to the reliability of the information and how
this information can be used. Accordingly, the firm recommends using published
quotes in The Wall Street Journal or the Financial Times as these quotes are
obtained directly from the exchanges.

Valuation Services Group

[Include and tailor this section if your firm has a valuation services group]

18.178 The firm’s VSG provides a full range of valuation services for clients, and
also participates as valuable team members on audits where material accounts or
disclosures are measured at fair value and the measurement process used to
determine the fair value is inherently complex. Examples include stock
compensation, goodwill and other intangible assets, and investment securities.

18.179 Several offices have VSG personnel who are experienced in pricing
securities. These offices include New York, Philadelphia, Boston, Chicago,
Charlotte, Seattle, Dallas, San Francisco, and Los Angeles. VSG securities
pricing experts serve as valuable resources to audit teams. The audit team can
consult with these individuals to discuss pricing matters, help decide the
appropriate audit approach, and involve them in testing during the audit. The
roles of VSG personnel differ depending on the approach used by the audit team
(that is, whether the audit team intends to develop an independent estimate of
fair value to compare to management’s estimate or whether the audit team plans
to evaluate and test management’s process for determining fair value
measurements).

18.180 VSG pricing specialists have access to databases of securities prices that
the firm licenses from service providers such as Bloomberg and Interactive Data
Corporation, among others. This enables the VSG to obtain prices for securities
that are traded frequently or infrequently as well as securities whose prices are
derived or calculated using inputs, typically obtained from brokers. For the latter
types of securities, VSG specialists can assist the audit team in evaluating the
reasonableness of the models and inputs and the fair value leveling
categorizations.

18.181 The VSG can also assist with the audits of clients who have portfolios of
alternative investments and other hard-to-value securities such as investments in
hedge funds, private equity funds, and venture capital investments.

18.182 Although VSG specialists can be used in most audit support situations,
there are certain situations where it may be more efficient to use an alternate
specialist. VSG resources are limited; therefore, it is ordinarily more effective to
use them to assist with portfolios that include hard-to-value securities, including
securities that cannot be valued by other pricing specialists. They can also assist
audit teams with their interactions with clients who have sophisticated valuation
personnel or who use third-party experts. For clients that have large portfolios of
securities that trade in active markets, even if infrequently, but do not employ
valuation experts (for example, a bank, certain not-for-profit entities, and
investment funds), it is ordinarily more effective and efficient to use one of the
other pricing experts.

Valuation Expert’s Role on an Audit

18.183 The firm has established guidelines for audits where a firm valuation
specialist is expected to provide assistance to the audit team, or participate as a
member of the audit team. A firm valuation specialist should be added to the
audit team when the entity has material assets, liabilities, equity instruments or
disclosures that are determined using fair value measurements and the reliability
of the measurement process used to determine fair values is inherently complex
due to any of the following circumstances:
 the length of the forecast period
 the number of significant and complex assumptions associated with
the process
 a higher degree of subjectivity associated with the assumptions
 a higher degree of subjectivity associated with the factors used in the
process
 lack of objective data when highly subjective factors are used

18.184 When a firm valuation specialist is added to the audit team, their initial
responsibility is to participate in the risk assessment process, including the
discussion among the audit team members to brainstorm about risks and where
things could go wrong, including the risk of fraud. This will normally be a partner
or manager who will assist the audit team in identifying valuation-related risks.
Based on the specifics of the client and the risks identified, the specialist will then
determine whether further involvement is necessary, the extent of such
involvement, the appropriate specialist who will be assigned to perform the work
and what role they will perform in the audit.

18.185 [Include and tailor if your firm has a valuation services group] Firm
valuation specialists also assist on the engagement when the NYPG finds the
securities are hard-to-value or the pricing results indicate that there may be
significant differences as compared to the client’s prices. The VSG typically
develops prices for these securities and is available to discuss these prices with
the audit team. The VSG uses pricing service providers to obtain prices. Many
times the prices they obtain are based on calculations or derived from models.
For these securities, the VSG will also assist the audit team in understanding the
inputs used to price the securities.

18.186 The audit team, including the firm valuation specialist, is responsible for
documenting in Voyager, as appropriate, the following:
 the objectives and scope of the firm valuation specialist’s work
 the methods and assumptions used
 a comparison of methods and assumptions used with those used in the
preceding period
 the appropriateness of using their work for the intended purpose
 their findings

18.187 The documentation will reflect the nature of the involvement of the firm
valuation specialist. For example, if the firm valuation specialist is not performing
a stand-alone valuation, but is assisting the audit team in evaluating
management’s valuation, the consideration of “methods and assumptions” will
relate to the methods and assumptions employed by management and/or their
specialists.

18.188 A conclusion that the approach taken by management resulted in a fair
value estimate that is within a reasonable range of values means that no amount
or difference would be considered an error in need of posting to the Summary of
Unrecorded Misstatements. When management’s fair value estimate is not within
a reasonable range of values, the audit team discusses the situation with
management as a better understanding of the underlying differences may be
needed before the difference is considered an error to be posted to the Summary
of Unrecorded Misstatements.

Harvest Investments

18.189 The firm has substantial experience with using the services of Harvest
Investments (Harvest) and has confidence in their abilities and the reporting they
provide. Harvest evaluates the individual securities in a client’s portfolio and
provides independent, unbiased valuations. In addition, Harvest flags securities
with particular risk such as those containing derivatives and credit issues. Audit
teams use Harvest’s work to evaluate whether the client’s estimated fair values
are reasonable and whether there are securities with particular risks.

18.190 [Tailor to reflect your firm’s policy] Audit teams serving banks are required
to use Harvest. In addition, teams who audit employee benefit plans, not-for-
profit entities, and other entities with significant investment portfolios, especially
when the portfolio includes securities with complex terms or alternative
investments, are also encouraged to use Harvest Investments when the fair
value measurement risks in their client’s investment securities portfolio are
significant.

Qualifications of Harvest

18.191 [Tailor this paragraph to reflect the location of the documentation]
Because Harvest is an expert, as defined by the professional standards, the audit
team should complete the procedures in “Qualification of Experts.” The firm
maintains documentation of Harvest’s qualifications and reputation so that each
audit team does not have to separately perform these procedures. This
documentation is maintained in a file named “Harvest Qualifications” which is
located in GEL under Letters, Forms and Templates > Harvest Investments. The
audit team should include this document in the Voyager file to evidence that
Harvest is a qualified expert.

Harvest Pricing Methodologies

18.192 Harvest does not price any securities; rather they obtain prices from
industry participants, traders who actually design and trade the specific securities
being priced. In this way, Harvest can provide prices for most securities whether
they are actively traded, infrequently traded, or hard-to-value.

18.193 For securities traded in active markets, Harvest subscribes to data
services that originate with equity exchanges. For investments priced using
quotes from market makers or derived from similar instruments that trade “by
appointment” or very infrequently, Harvest establishes relationships with traders
who work with the same or similar securities. The traders provide the price for a
specific security, together with all the inputs they would consider in pricing it.
Harvest evaluates these prices and inputs. For investments priced with models or
similar techniques (including alternative investments), Harvest can sometimes
provide valuations when they involve securities that trade only infrequently or
when the instrument being priced represents an interest in a portfolio of
securities that Harvest can price. For securities in this category that are classified
as such due to lack of liquidity, Harvest uses observable market inputs.

18.194 Harvest maintains a document (“Harvest Pricing Methodologies”) that
describes the pricing methodology it uses for a variety of securities. The
information generally provides the audit team with a sufficient understanding of
Harvest’s methodologies for securities traded in active markets and investments
priced using quotes from market makers or derived from similar instruments. The
audit team must read the document to gain a general understanding of the
methodologies and assumptions that Harvest uses. The audit team should also
confirm that all the instruments in the client’s portfolio are addressed in it. This
document should be attached to the Voyager file in “Work of Experts” to evidence
our understanding. Audit teams should exercise due professional care when
verifying that the securities in the client’s portfolio are covered by the Harvest
pricing document. If securities in these categories are not covered by the Harvest
pricing document, use the guidance in the following paragraph.

18.195 For investments priced with models or similar techniques (including
alternative investments), a sufficient understanding of Harvest’s pricing
methodology will ordinarily only be obtained through reading the Harvest report
and inquiring of Harvest personnel. These inquiries and our understanding of the
Harvest pricing methodology for these securities should be documented.

Information Provided to Harvest

18.196 Audit teams obtain the portfolio information (client fair value information,
CUSIP number, description, purchase date, cost, market value, interest rate,
maturity, etc.) from the client and submit it directly to Harvest. Before submitting
this information to Harvest, the audit team should verify the completeness of the
information provided by the client. The team should also confirm the
completeness and accuracy of the information returned from Harvest to
determine that Harvest provided values for the appropriate instruments.

Results Delivered by Harvest

18.197 Harvest provides the audit team with a report including:
 type of security (e.g., municipal bonds, mortgage pass-through
securities, and collateralized mortgage-backed securities)
 descriptions of the methodology used to price each category of
security included in the report (e.g., observable trade, discounted cash
flow model, and option-adjusted discounted cash flow model)
 significant assumptions and inputs used for the largest security in each
category whose prices were determined using a method other than an
observable trade
 Harvest security price and value
 their assessment of whether the price variance falls outside an
acceptable range
 their determination of the ASC 820, Fair Value Measurements and
Disclosures, input levels
 “Transparency details” which includes their evaluation of the risk
associated with each security (high, medium, or low) and the factors
involved, including:
– liquidity risk
– complex structure
– loss of principal risk (credit risk)
– inherently leveraged structure
– underlying holdings
– other factors
 definitions for terms used in the report

18.198 Audit teams should then review and document their understanding of the
reasonableness of the methods and assumptions provided by Harvest for the
items selected. The firm has asked Harvest to select and provide inputs for the
largest holding in each category of securities. If the audit team believes
additional testing is necessary, they should select and communicate the
additional selections to Harvest. The additional selections might include new
securities in the portfolio with which the audit team may not be familiar.
Harvest will not select items for the audit team.

18.199 Harvest reports their judgment as to the input level in which each security
should be categorized. The audit team can leverage this information as they perform
their testing of the appropriateness of the categories. The audit team should read
the entire Harvest report and compare the fair values in Harvest’s report to the
client’s fair values. If the audit team determines that there are differences in fair
values that require follow-up, they should discuss these differences with Harvest
to obtain an understanding of how Harvest arrived at their conclusions, and then
discuss these matters with management to resolve the differences.

18.200 The audit team is responsible for documenting their assessment of the
information provided by Harvest. It is never acceptable to obtain the Harvest
report and attach it to Voyager without performing and documenting additional
procedures related to the audit team’s review of the report.

18.201 Harvest’s quality control processes require that their personnel investigate
all significant differences and confirm that the methods and assumptions they
used are reasonable before they release their report to the audit team. Therefore,
instances where Harvest might provide incorrect values to the audit team should
be rare and the audit team should be confident in presenting Harvest’s valuation
results, including their methods and assumptions, to client personnel so that
significant differences, if any, can be resolved. The audit team should include
Harvest’s report in the engagement file and reference it to the related audit
procedures in the “Work of Experts” audit program. The audit team should also
document their conclusions and the work performed to resolve significant issues
and findings.

18.202 [Tailor the following paragraph to reflect your consultation policies] The
combination of these procedures will ordinarily provide a sufficient basis to
support the use of the fair values provided by Harvest in establishing the
reasonableness of management’s fair value estimate. In the rare instances when
significant differences in values arise and the audit team is not able to resolve the
difference with the client, the audit team should discuss the client’s position with
Harvest and consult with the PSP. If the audit team believes it is appropriate to
accept a client’s valuation that is contrary to the information provided by Harvest,
the audit team is required to consult with the NPPD.

[Tailor this section to reflect your firm’s pricing group, if any]

New York Pricing Group

18.203 The firm’s NYPG may be used to obtain fair value information for some
securities. They have access to a variety of trade information for securities and
derivatives. The work of the NYPG is subject to the firm’s quality control
procedures. This means the audit team can use the NYPG without having to
document or inquire about their skills and competencies to perform valuations.
When the audit team has an understanding of the positions being valued, the
position’s related estimation uncertainties, and management has provided
adequate valuation evidence, they have a reasonable and sufficient basis to use
the workpapers provided by the NYPG as a test of management’s values.

18.204 The NYPG has limited resources and is not designed to serve every audit
client in the firm that requires investment securities pricing support. The firm
recommends that audit teams consider the NYPG only for clients in the financial
services industry who have well-defined valuation policies and practices and
employ knowledgeable valuation support staff.

18.205 When the NYPG is used, the audit team provides the information about
the portfolio to the NYPG using the spreadsheet template developed by the
NYPG for this purpose. The NYPG will price the securities using data licensed
from pricing providers such as Bloomberg, insert the prices into the spreadsheet
template, and return it to the team. While the NYPG will contact the audit team
when information provided is incomplete or inaccurate, this group is highly
automated and organized to provide quick turnaround. Teams should review
the portfolios prior to submitting to ensure that they are only
submitting Level 1 and Level 2 securities. It is also helpful to group the securities
by type to facilitate the review and ensure that only the appropriate types of
securities are being submitted to the NYPG. Any questions regarding the types of
securities being submitted should be discussed with the NYPG in advance of
submission. The NYPG does not have the personnel to rerun securities multiple
times so it is important that audit teams provide accurate and fully complete
information the first time.

18.206 Some of the securities priced by Bloomberg, and most of the securities
priced by IDC, are derived from various broker quotes or calculated using
models. Ordinarily, for such securities, it is necessary for the audit team to
understand the methods, assumptions, and inputs used to be in a position to
evaluate the reasonableness of the resulting price. Rather than do this on a
security-by-security basis, the firm has determined that it will perform due
diligence procedures to evaluate the pricing methodologies used by Bloomberg
and IDC on the relevant categories of investments that our audit teams will likely
encounter. Audit teams can rely on the firm’s due diligence procedures when the
securities in the investment portfolio being priced fall into one of these
categories. For other securities not included in the national validation process,
the audit team will need to involve the VSG.

18.207 The audit team can use the NYPG, when appropriate, because the firm
has tested the accuracy of the prices provided by the pricing experts used by the
NYPG. Testing consisted of identifying categories of securities, selecting CUSIPs
within those categories, and getting behind the methods, assumptions, and
inputs used to price the securities. The firm is satisfied that the prices provided
are accurate within a reasonable range. Audit teams using the NYPG must
document that:
 The CUSIPs sent to the NYPG fall into the categories tested by the
firm (these categories will be included in the supplemental guidance
described below).
 The input levels were proper considering the pricing methodology.

18.208 For investments not included in the firm testing process, the audit team
should discuss with the NYPG the need for documenting the team’s review of the
methods and assumptions for pricing those securities. It is usually necessary to
involve a VSG specialist to assist the team with the evaluation of the
reasonableness for those securities.

18.209 The NYPG may be unable to obtain market prices for certain securities
(for example, those with prices not published by any pricing service). In these
cases, the NYPG will communicate this fact to the audit team. A New York VSG
specialist will contact the audit team to determine whether the audit team would
like the VSG specialist to price the security. The audit team should re-evaluate
the risk related to these items and the procedures used by the client to estimate
their value. Based on that assessment, the team or appropriate specialists
should design, perform, and document audit procedures to test the client’s
valuation.

18.210 The workpapers provided by the NYPG become part of the audit
documentation. The preparer of the NYPG workpapers and date of the work
should be included in the audit documentation, and the normal engagement
review processes apply.

Assistance of External Valuation Experts

18.211 The audit team may need to engage an external valuation expert,
including an actuary, when the position being valued does not fall within the
abilities of Harvest or the firm’s internal specialists. As with other valuation
resources, there are prerequisites to success. The audit team must first have an
understanding of the position being valued and its estimation uncertainty, and
have obtained adequate valuation evidence from management before seeking
the assistance of the expert. For each instance of engaging the assistance of an
external valuation specialist, the audit team completes the expert procedures in
Voyager.

Using the Work of an Expert

General Considerations

18.212 An expert is a person with special skill or knowledge in a particular field
other than accounting or auditing, such as:
 actuaries
 appraisers and other valuation experts
 attorneys
 engineers
 environmental consultants
 geologists

An attorney may be engaged as an expert in situations other than to provide services to
a client concerning litigation, claims, or assessments (e.g., interpreting the provisions of
a contractual agreement or determining whether a transaction meets the isolation
criteria for a transfer of financial assets).

18.213 The audit team may encounter complex or subjective matters potentially
material to the financial statements that require special skills or knowledge and
may require using the work of an expert to obtain sufficient audit evidence. For
example, the use of an expert should be considered in matters involving:
 valuation issues (such as appraised valuations of property and stock
options)
 fair value determinations
 the determination of physical characteristics relating to the quantity and
condition of assets (such as mineral reserves)
 the determination of amounts derived by using specialized techniques
or methods (such as actuarial calculations)
 whether a transfer of financial assets has met the isolation criteria
 the interpretation of technical requirements, regulations and
agreements (such as legal determinations as to whether or not a
contract is binding or an engineer determining whether or not technical
specifications have been met)

18.214 When an expert is engaged, the audit team should complete the
“Qualification of Experts” and “Work of Experts” programs. When more than one
expert is engaged, the audit team should duplicate these programs and complete
them for each expert engaged or employed by management or by the audit team.
These programs are not intended for use with respect to firm specialists who are
members of the audit team.

18.215 [Tailor the following paragraph to reflect the location of your
documentation] The audit team uses the “Qualification of Experts” program to
document the qualifications and competence of each expert. When this program
is used to document Harvest’s qualifications, the audit team should use the
“Harvest Qualifications” document located in GEL under Letters, Forms and
Templates > Harvest Investments.

18.216 The “Work of Experts” program addresses the risks associated with using
an expert in areas that require specialized knowledge or skills. Once the audit
team establishes that the expert has the requisite knowledge and skills to
perform the service, the audit team should be satisfied that the results produced
by the expert achieve the intended purpose. This program contains the
procedures to assist the audit team in determining whether the expert’s results
are satisfactory.

Effect on the Auditors’ Report

18.217 If there is a material difference between the expert's conclusions and the
assertions in the financial statements, the lead partner or manager should
discuss the differences with the expert and determine the additional audit
procedures, as appropriate. If the matter is not resolved, the audit team will
ordinarily conclude that the report should be qualified or disclaim an opinion
because of a scope limitation.

18.218 [Tailor the following paragraph to reflect your consultation policies]
Alternatively, if the audit team concludes that the assertions in the financial
statements are not in conformity with GAAP, a qualified or adverse opinion
should be issued. An adverse opinion requires approval of the NPPD.

18.219 The audit team should not refer to the work or findings of an expert in the
audit report. However, if the report is modified, the audit team may refer to and
identify the expert if it will help to provide a clearer understanding of the matter.

Loan Waiver Letters


18.220 Occasionally, the balance sheet classification of a debt obligation might
depend on whether or not an obligation is callable by the lender within a one-year
time frame, either by the direct terms of the debt agreement or because of
violations of covenants by the borrower.

18.221 The audit team should request the client to obtain a waiver letter from the
lender if either:
 management wishes to classify these types of obligations as long-term
if they otherwise may be considered to be current, or
 the nature of the audit report depends on a lender's forbearance

For example, if such a letter were not obtained, the audit team would consider an
explanatory paragraph for the entity’s ability to continue as a going concern.

18.222 When evaluating the appropriateness of the waiver letter, the audit team
should consider the following:
 when the violation refers to a balance sheet ratio or amount (e.g.,
current ratio, stockholders' equity, etc.) the waiver letter should
ordinarily unconditionally waive the loan covenant violations for a
period more than one year from the balance sheet date
 wording such as "the violation of the current ratio is waived at
December 31, 20X1" or "does not presently intend to enforce rights
under the agreement" is not acceptable, since the violation would
reoccur on January 1, 20X2, or present intentions can change
 similarly, a waiver through some date in the subsequent year when it is
likely the entity will again be in violation would also be unacceptable
 when a violation refers to an item such as additions to fixed assets, the
waiver need not go beyond the balance sheet date, unless it is known
that a violation has occurred after that date

18.223 Situations may arise where loans structured as demand loans carry an
extended payment term if demand is not made. If the client wishes to classify
such debt as noncurrent, the audit team should ordinarily request that the client
obtain a letter from the lender stating that the demand covenant will not be
exercised within one year from the balance sheet date. Language such as "does
not intend to exercise the demand feature" is not acceptable since the lender's
intent may change at any time. Letters containing language that explains the
lender will only exercise the demand feature if some reasonable objective event
occurs (such as an objective event of default defined by the agreement) may be
acceptable if the letter meets certain tests specified in the accounting literature.

Repurchase and Reverse Repurchase Transactions


[Include this section if relevant and tailor to reflect your consultation policies]

18.224 The purpose of this section is to highlight certain of the risks involved in
repurchase and reverse repurchase transactions involving US Government
securities and to address pertinent audit considerations.

18.225 Viewed from the standpoint of the dealer, a repurchase agreement
("repo") is not structured as a transfer of financial assets, but as a form of
collateralized borrowing. Customers (frequently municipalities, school districts,
etc.) with excess short-term funds agree to lend money to the dealer, with the
loans to be collateralized by various types of US Government securities (usually
made available to the dealer by the "reverse repo" transactions described below).
The customer ordinarily either takes possession of the collateral, transfers it to a
third party trustee, or expects it to be held by the dealer for the customer's benefit
during the term of the loan.

18.226 In a reverse repurchase arrangement ("reverse repo"), the dealer "buys"
US Government securities from the customer (usually a financial institution),
pursuant to an agreement to "resell" them (or similar US Government securities)
to the customer at a later date. In substance, the customer has borrowed money
(provided to the dealer primarily by the "repo" lenders), and furnished US
Government securities as collateral (the collateral provided to the "repo" lenders
on the other side of the arrangement). Generally, the reverse repo agreements
do not meet the criteria for recording a transaction as a transfer or
extinguishment. Ordinarily, the dealer advances only an agreed upon percentage
of the market value of the collateral at the time the loan is made, with the
difference ("margin") representing the dealer's protection in the event increasing
interest rates cause the collateral to decline in value.

18.227 Some lenders involved in "repo" transactions have experienced losses
because they did not perfect the collateral, i.e., they did not take possession of
the collateral themselves or ensure that it was held segregated for their account
by a reputable financial institution.

18.228 The "reverse repo" situation is more complex because the arrangements
concerning the status of the collateral may vary widely and it is often difficult to
determine to whom and against what loans the securities have ultimately been
pledged. A dealer may "collateralize" more than one lender with the same
security. In addition, a dealer may borrow more (against the securities provided
by the borrowers) from its "repo" lenders than the amounts advanced to its
"reverse repo" (financial institutions) borrowers. Thus, the "reverse repo"
borrower's "margin" in the securities is exposed to loss and, if the dealer is
insolvent, claims by the lenders (or others) could wipe out the margin. Therefore,
the greater the borrower's margin the greater the potential exposure to loss.

18.229 However, the losses to be recognized by the financial institution "reverse
repo" borrower may exceed such amounts. For one thing, the market value of the
securities at the time of the "reverse-repo" transactions may be less than the
financial institution's carrying amount of such securities. (Financial institution
accounting does not require recognition of such losses at that time.) For another,
increasing interest rates may cause the securities to lose further value during the
period the "reverse-repo" transaction is open.

18.230 When auditing "repo" or "reverse repo" transactions that might be material
to the client's financial statements, particular attention should be directed to the
foregoing matters. Accordingly, in a "repo" situation:
 the arrangement itself should be confirmed with the dealer, and
 the status of the collateral should be determined, ordinarily by:
 inspection (if the client has possession) or
 confirmation with a third party (not the dealer or an affiliate of the
dealer) financial institution

18.231 Any ambiguity or lack of clarity in the confirmation response should be
followed up immediately. If there is any doubt as to the status of the collateral,
the client should be informed immediately and consideration should be given to
factors such as the reputation and credit standing of the dealer, the materiality of
the possible loss to the financial statements being reported on, etc.

18.232 Similar considerations apply in "reverse repo" situations although the
status of the securities may be particularly difficult to assess. Accordingly, where
the arrangement is not with a primary dealer, special work, either by the audit
team, or by the auditors for the dealer and/or holders of the collateral, should be
considered. If there appear to be any problems with the status of collateral or if
any special work is contemplated, the NPPD should be consulted.

Subsequent Discovery of Facts

Procedures When Facts Are Subsequently Discovered


18.233 [Tailor the following paragraph for your consultation policies] The audit
team may become aware of significant information relating to financial
statements previously reported on by the firm that was not known to them at the
time of the report, and which is of such a nature and from such a source that they
would have investigated it had it come to their attention during the course of the
audit. This may occur during the succeeding year's engagement or any other
time subsequent to the issuance of the report. Any such situations should be
brought to the attention of the lead partner, who, in turn, should immediately
consult with the PSP and the NPPD.

18.234 The guidance in this section is equally applicable for a review
engagement.

18.235 To determine whether the information is reliable and whether the facts
existed at the date of the report, the audit team should ordinarily discuss the
matter with the client, at whatever management level is deemed appropriate,
including the board of directors or its audit committee, and request their
cooperation in whatever investigation may be necessary. Client cooperation in
such matters is usually imperative.

18.236 [Tailor the following paragraph for your consultation policies] The NPPD
will immediately notify the NMP NPSG.

18.237 [Tailor the following paragraph for your policies and practices] When the
subsequently discovered information is found to be both reliable and to have
existed at the date of the report, the following actions are taken:
 If the effect on the financial statements or on the report of such
information can promptly be determined, as soon as practicable,
restated financial statements should be issued, describing the reasons
for revision in a note that is referenced in the report. Ordinarily, only
the most recently issued audited financial statements need to be
restated.
 If issuance of financial statements for the subsequent period is
imminent, appropriate disclosure of the revision should ordinarily be
made in the subsequent financial statements
 If the effect on the financial statements of such information cannot be
determined without a prolonged investigation, and it appears that the
information would require a revision of the statements, the client
should notify persons who are known to be relying or who are likely to
rely on the financial statements and the related report that they should
not be relied upon, and that any restated financial statements and
auditors’ report will be issued upon completion of an investigation. If
applicable, the client should be advised to discuss with the SEC, stock
exchanges, and appropriate regulatory agencies the disclosure to be
made or other measures to be taken in the circumstances.
 The NPPD, NMP NPSG, and RRLA should be consulted to determine
the steps necessary to satisfy the firm that the client has made the
disclosure specified above

18.238 Timing is very important when the audit team has reason to believe there
are persons currently relying, or likely to rely, on the financial statements and
who would attach importance to the additional information. In these
circumstances, such matters must be acted upon promptly.

18.239 [Tailor the following paragraph for your policies and practices] Before the
firm releases any suggested additional disclosures and/or restated financial
statements, such material should be approved by RRLA, the NMP NPSG, and
the NPPD.

18.240 [Tailor the following paragraph for your policies and practices] If client
management refuses to make the disclosures as required and it becomes
necessary to notify the board of directors, a letter should be prepared setting
forth:
 notification that the firm’s report must no longer be relied upon
 the effect of such information on the previously issued financial
statements, if known
 the recommended disclosure procedures
 the fact that management has refused to make such disclosure
 the fact that, unless management cooperates, the firm will be forced to
disclose such information to persons known to have received, and
consequently presumed to be relying on, such statements

The NMP NPSG and RRLA should approve the letter. It is then mailed
to each member of the board of directors by registered or certified mail,
return receipt requested.

18.241 [Tailor the following paragraph for your policies and practices] If the
entity’s board of directors persists in its refusal to make the necessary disclosure,
the lead partner should immediately advise the NPPD who, in consultation with
the NMP NPSG, and the RRLA, determines the next steps to be taken.

Procedures When the Previous Financial Statements Were Audited by Another Firm

18.242 [Tailor the following paragraph for your policies and practices] In the
course of an initial audit, the audit team may become aware of material
misstatements of the financial statements that were audited by another firm. The
NPPD should be notified in such a circumstance, prior to any notification of the
predecessor auditors. The NPPD will then determine the appropriate action to be
taken.

Consideration of Omitted Audit Procedures after the Report Date


18.243 [Tailor the following paragraph for references to your applicable standards]
Once the firm issues its report, the audit team has no responsibility to
retrospectively review their work. However, subsequent to the release of the
report, it may come to the audit team’s attention that one or more significant audit
procedures considered necessary at the time of the audit, in the circumstances
then existing, were omitted. This might occur in a post issuance review such as
an audit standards review, peer review, or when reviewing the workpapers to
plan the subsequent year's audit.

18.244 A variety of conditions might be encountered and the period of time during
which the audit team considers whether this section applies and then takes the
necessary actions may be important, including whether they believe there are
persons currently relying, or likely to rely on the firm’s report.

18.245 [Tailor the following paragraph for your policies and practices] Generally,
before concluding that a significant audit procedure has been omitted, the
importance of the omitted procedure to the audit team’s present ability to
support the previously expressed opinion should be assessed by:
 reviewing the workpapers
 discussing the circumstances with engagement personnel and others
 re-evaluating the overall scope of the audit to determine if results of
other procedures that were applied may tend to compensate for the
one omitted or make its omission less important. Subsequent audits
may provide audit evidence in support of the previously expressed
opinion

The NPPD should be consulted before performing these procedures.

18.246 [Tailor the following paragraph for your policies and practices] If the lead
partner, in consultation with the PSP and the NPPD, concludes that a significant
procedure has been omitted that cannot be compensated for by other procedures
and that there are persons currently relying, or likely to rely, on our report, the
audit team should promptly undertake to apply a satisfactory procedure that
would provide a basis for the opinion. If the audit team is unable to perform a
satisfactory procedure, or if the results of these procedures indicate that the
report should have been modified, the NMP NPSG and RRLA should be
immediately informed to determine an appropriate course of action.

Researching an Accounting or Auditing Issue


18.247 The accounting and auditing research process consists of the steps
presented in the following figure. Although much of the figure is self-explanatory,
Steps 3 and 6 are discussed below.

The Research Process

Step 1
Assemble the Facts

Step 2
Identify the Issues

Step 3
Review applicable literature and
current applications:
 professional pronouncements
 other relevant literature
 if pertinent, survey practice

Step 4
Evaluate results and identify
alternatives

Step 5
Develop conclusions
(Consult, as required)

Step 6
Document process and results
(Use Consultation application)

Figure 18-1

Reviewing the Literature

18.248 Once the issues are adequately identified, the researcher is ready to
proceed with the next step, which encompasses a detailed review of the relevant
authoritative accounting or auditing literature, and if pertinent, a survey of present
practices. In performing this step, the researcher should be familiar with the
various sources that might apply.

18.249 [Tailor the following paragraph to suit your policies and practices] There
are a number of research tools that can facilitate this search, most notably, GEL
and ARM. In using GEL and ARM, a list of keywords is essential to accessing the
relevant literature. As discussed below, an incisive recitation of the issues will
help generate such key words.

18.250 [Tailor the following paragraph as appropriate to your jurisdiction] The
FASB announced that the FASB Accounting Standards Codification
(Codification) is the sole source of nongovernmental U.S. GAAP, other than SEC
guidance. The Codification reorganizes, but does not change prior GAAP.
Literature not included in the Codification will be considered nonauthoritative.

18.251 [Tailor the following paragraph for reference to your applicable standards
and your firm’s policies and procedures] Although not officially recognized as a
source of GAAP, the views of the SEC about appropriate accounting and
disclosure for SEC registrants are located in Regulations S-X and S-K and
Financial Reporting Releases. Accordingly, in matters pertaining to SEC
registrants, these sources are to be considered, and followed when applicable.

18.252 In searching the Codification, the scope of any topics that might be
applicable should be briefly perused. Time should not be spent in a detailed
review of topics that are not applicable to the pertinent issues. However, topics
that do not specifically address the issue, but are related to it, should not be
ignored.

18.253 In some instances, industry practices (e.g., the financial statements or
footnote disclosures of other entities) can serve as a guide. The appropriateness
of relying on such practices or other secondary sources as the basis for an
accounting treatment depends on the relevance of the source to the particular
circumstances, the specificity of the guidance, and the general recognition of the
issuer or author as an authority.

18.254 If there are no official pronouncements or secondary sources providing
guidance concerning the accounting principles to be applied with respect to a
particular transaction or event, it may be possible to report its substance by using
an established accounting principle that appears appropriate by analogy. In
cases where there appears to be no analogous literature, the researcher should
develop a theoretical resolution of the issue based upon a logical analysis of the
factors involved, including an assessment of the substance of the transaction and
economic consequences of the various alternatives. In practice, a clear solution
is frequently not readily apparent. Therefore, professional judgment is a key
element in the research process.

18.255 [Tailor the following paragraph for reference to your applicable standards]
We should have sufficient knowledge of the standards (accounting or auditing
and related professional practice standards) to identify those that are applicable
to an audit engagement and should be prepared to justify departures from such
standards.

18.256 [Tailor the following paragraph for reference to your applicable standards]
The researcher should also be aware of interpretative publications (i.e., auditing
interpretations of the SASs, auditing guidance included in the AICPA Audit and
Accounting Guides, and the AICPA auditing Statements of Position) applicable to
an audit. If the audit team does not apply an applicable interpretative publication,
they should be prepared to explain how they complied with the SAS’s (or
PCAOB’s auditing and related professional practice standards) provisions
addressed by the applicable interpretative publication. Other auditing publications
(e.g., articles in the Journal of Accountancy, The CPA Letter, and other
professional journals, continuing professional education materials, text and guide
books, audit programs and checklists, and other auditing publications from state
CPA societies and other organizations and individuals) may assist the audit team
in applying the standards but have no authoritative status. The audit team is not
required to consider them nor are they expected to be aware of the full body of
other auditing publications. In considering whether another auditing publication is
appropriate for use in an audit engagement, the audit team may consider the
degree to which the publication is recognized as being helpful in understanding
and applying the standards and the degree to which the issuer or author is
recognized as an authority in auditing matters. In certain engagements, the audit
team will be required to comply with other auditing requirements, in addition to
those promulgated by the AICPA (e.g., Government Auditing Standards or SEC
rules and regulations).

Documentation

18.257 The research process culminates with the development of appropriate
documentation, most often a formal research memorandum. The following
discussion provides guidance concerning such documentation.

Research Memorandum

18.258 [Tailor the following paragraph for reference to your applicable standards
and your policies and practices] The research document usually takes the form
of an interoffice memorandum addressed to the files, not to the client or to a third
party. It should be in the name of the audit team member (usually the partner or
manager) who is considered the principal author (often the originator or reviewer,
rather than the researcher). When the memorandum responds to a question
raised by the client, a copy should be transmitted to the client accompanied by a
cover letter. (If the research is to be the basis for consultation with members of
the NPSG, it should be documented using the firm’s Consultation software in
accordance with firm policy.)

Maximize Clarity

18.259 In drafting, care should be taken by the audit team to ensure the
memorandum is as concise and grammatically correct as possible, bearing in
mind that persons scrutinizing it later (in a lawsuit, regulatory investigation, etc.)
may tend to form judgments about (or attempt to characterize) their work based
on the memorandum's clarity and appearance, and not solely on our conclusions.
Accordingly, wherever possible, use short sentences, short, unambiguous words
and terminology consistent with the independent auditor's role and image. The
audit team should not refer to client management or personnel by their first
names and should avoid colorful adjectives, gratuitous characterizations, flamboyant
descriptions, etc. The objective should be maximum clarity and the portrayal of
professional competence and objectivity, not literary style.

Use of Analytical Style

18.260 To further uniformity and to help facilitate review, formal research
memoranda should usually be written in an analytical style, and consist of the
following four sections:
 the audit team’s understanding of the facts
 question(s) to be answered
 conclusion(s)
 discussion

The Audit Team’s Understanding of the Facts


This Section is particularly important, as further analyses and conclusions are based
upon such understanding. The material should be drafted so that the issues to be
addressed are clearly identifiable. A clear, concise recitation of the background and the
issues is perhaps the most important step in the research process.
In framing this Section, it is important to ensure that the memorandum does not portray
as factual, information or events which were relayed to the audit team by the client (or
others), but which they have not audited.

Question(s) to be Answered
The specific questions or issues to be answered should be spelled out as clearly and
concisely as possible. Since key words aid in reference identification (particularly when
using GEL, or another computer research tool), failure to appropriately frame the
issue(s) can cause one to overlook important sources.

Conclusion(s)
Since the conclusion’s purpose is to permit the reader to discern the answer(s) without
having to read the supporting technical discussion, conclusions should be clearly and
precisely stated. The audit team would generally make reference to any qualifications
and contingencies that affect the validity of their conclusion, but the professional
literature or other authoritative support for their views should be addressed in the
memorandum's Discussion Section. Such citations should usually be avoided in the
Conclusion Section.

Discussion
This is frequently the lengthiest portion of the memorandum and contains the reasoning
and analysis. If dealing with an auditing issue, it should focus on the weight of evidence.
If an accounting issue, the discussion should include references to the pertinent
professional literature or other authoritative support, and present the rationale for the
audit team’s conclusions. General terms, such as "conservatism," "consistency," etc.
may be used to support their conclusions but should not ordinarily form the primary
basis for such conclusions.
Contrary views or interpretations should usually be briefly addressed to document that
they have been given due professional consideration. However, the discussion of such
alternatives should ordinarily be limited to demonstrating their inapplicability. The
emphasis of this section of the memorandum should be positive and focus on
marshalling the arguments that support our conclusion(s).
If this section of the memorandum is lengthy, it may be helpful to use paragraph or
section captions. If more than one question is posed, each related portion of the
Conclusion and Discussion Sections should usually be correspondingly referenced.

Review Considerations

18.261 [Tailor the following paragraph to suit your consultation policies and
practices] Since such memoranda address issues which are important to the
audit, they should be reviewed by the manager, lead partner and, if applicable,
by the quality control reviewer. (Also, as appropriate, there should be
consultation with the NPPD.) In practice, it is often best to leave such
memoranda in draft form until such reviews have been completed.

Transmittal to Clients

18.262 When such memoranda are to be transmitted to clients, a brief transmittal
cover letter should be used, such as:

Enclosed is a memorandum addressing the questions you raised concerning income
recognition with respect to the recent transaction with ABC Company.

18.263 [Tailor the following paragraph for references to your applicable standards
and regulations] The cover letter should not ordinarily attempt to summarize or
paraphrase the conclusions reached in the memorandum. However, the letter
may quote the conclusion, or if it is lengthy, refer to the page where it appears.
When appropriate, caveats such as the following should be included:
 when the conclusion(s) are dependent on facts the audit team has not
yet verified, a statement that the conclusion(s) relate only to the audit
team’s understanding of the facts recited in the memorandum, that
they have not independently verified these facts, and that if the actual
facts prove to be different, the conclusion does not apply
 when the situation involves points that are unsettled, or may involve
judgment by the SEC staff, a statement that the conclusions are based
on the audit team’s interpretation of the professional literature (or SEC
regulations) and that another knowledgeable party (such as the SEC
staff) might reach a different conclusion

Association with Financial Information

Basic Guidelines
18.264 The firm is associated with financial statements whenever the audit team:
 consents to the use of the firm’s name in a report, document, or written
communication containing the statements
 submits statements the firm has prepared (or assisted in preparing) to
the client or others, even if the firm's name does not appear on the
statements

18.265 Based on the foregoing, the firm may be associated with financial
statements of public or nonpublic entities.

18.266 [Tailor the following paragraph for reference to your applicable standards]
When the firm is associated with the financial statements (audited or unaudited)
of a public entity or the audited financial statements of a nonpublic entity, it is
guided by the PCAOB’s and AICPA's auditing and other related professional
practice standards and by the sections of this Manual applicable to such
engagements.

18.267 [Tailor the following paragraph for reference to your applicable standards]
When the firm is associated with unaudited financial statements of a nonpublic
entity, it is guided by the AICPA's accounting and review standards.

Typing Services

18.268 [Tailor the following paragraph for reference to your applicable standards
and to suit your policies and procedures] The audit team should refrain from
accommodation typing or reproduction of client-prepared financial information on
plain paper. Clients should be encouraged to allow the audit team to at least do
sufficient work so that they can be properly associated with the financial
statements and issue, as appropriate, a compilation report or an unaudited
disclaimer of opinion.

Less Than Complete Financial Statements

18.269 Whenever the audit team is asked to report on less than the customary
complete financial statement package, particular attention should be directed to
various "common sense" considerations, such as the purpose for which financial
information is to be used, the parties likely to be relying on such information,
whether the information to be reported appears appropriate for such purposes,
and the like.

18.270 The firm's policy requires the audit team to perform procedures with
respect to other financial statements even though they may be engaged to report
on only one of the basic financial statements (e.g., balance sheet or statement of
earnings only). If asked to report on the audit or review of a statement of
earnings only, the audit team should ordinarily perform procedures of equal
scope with respect to the balance sheet. If asked to report on a balance sheet
only, the audit team should ordinarily perform procedures with respect to the
statement of earnings at least equal to the scope of a review engagement.

Termination Letters
18.271 [Tailor the following paragraph to suit your policies and procedures] The
firm believes that it is advantageous to send clients who have terminated its audit
services a letter that sets forth the requirements for any future services that it
may be asked to provide. The letter is in addition to the client access letters in
GEL under Letters, Forms and Templates > Access and Termination Letters. The
letter may be sent by regular mail and no acknowledgment is necessary. A copy
should be placed in the latest year’s audit workpaper file.
 For SEC clients, this letter is to be sent in addition to the written
communication when the client-auditor relationship has ceased and the
Form 8-K requirements. See illustrative Form 8-K letters and the
notification to client letter in GEL under Letters, Forms and Templates
> Form 8-K Letters.
 For FDICIA institutions, there are regulatory notification requirements
similar to those for SEC clients. Each depository institution is required
to file a notice of the resignation or dismissal of an independent public
accountant with the FDIC and the appropriate federal banking agency.
The notice should set forth in reasonable detail, the reasons for the
resignation or dismissal. In such situations, the firm is also required to
file a notice stating whether it agrees with the assertions by the
institution in their notice. The notices must be filed within 15 days of
the termination or dismissal.

Other Risk Management Considerations

Recommending Investment Opportunities and Providing Investment Advice

18.272 [Tailor the following paragraph to suit your consultation policies and
procedures] The firm does not directly recommend the purchase or sale of
stocks, bonds or any other investment(s). Therefore, clients should be directed to
consult with an investment advisor with respect to any such matters. Further, the
firm does not directly recommend, determine whether the investment is bona
fide, or act as "purchaser representative" with respect to any investments. All
questions regarding such issues should be directed to the PIC Ethics.

Recommendations to Clients Regarding Banks and Attorneys

18.273 In the course of work done for clients, firm personnel are sometimes
asked to recommend the names of lawyers or banks. Although personal
experiences may cause firm personnel to favor certain law firms or banking
institutions, any request of this type should be handled with discretion. There is a
considerable difference between recommending a lawyer to a client who does
not have a regular connection with a law firm and recommending a lawyer when
it means that another law firm will lose its client.

18.274 [Tailor the following paragraph to suit your policies and procedures] In
general, the following policy is to be followed:
 Firm personnel should ordinarily not initiate recommendations for
changes of lawyers or banks.
 If a client being served by a lawyer or banker expresses dissatisfaction
and asks for a recommendation, the client should be urged to first
express their dissatisfaction directly to the lawyer or banker. Ordinarily,
firm personnel should not communicate the client's dissatisfaction directly
to the lawyer or banker.
 If the client wants a recommendation for banks or lawyers, firm
personnel may offer to arrange introductions. The OMP should always
be consulted before such referrals are made so that such referrals are
integrated with the office's overall practice development efforts to the
maximum possible extent.

Privity and Privity Letters

18.275 Many recent court decisions have reaffirmed the doctrine of privity, i.e.,
the direct relationship between parties to a contract. In jurisdictions that follow
this doctrine, certain prerequisites must be satisfied before accountants may be
held liable in negligence to parties not in privity who claim reliance to
their detriment on inaccurate financial reports: (1) the accountants must have
been aware that the financial reports were to be used for a particular purpose or
purposes; (2) in the furtherance of which a known party was intended to rely; and
(3) there must have been some conduct on the part of the accountants linking
them to that party, which evidences the accountants' understanding of such reliance.

18.276 Privity should be considered when the firm is asked to send financial
statements directly to lending institutions, creditors, prospective investors, etc.
and in connection with other matters. For example, the firm periodically receives
requests to address its report both to the client and to a third party. The firm will
invariably decline to address reports to persons other than its client.

18.277 [Tailor the following paragraph to suit your consultation policies and
procedures] Increasingly, to establish privity, lenders and others have been
requesting the firm to acknowledge specific purposes for which its report is to be
used and specific reliance by the institution, provide comfort letters in
unwarranted circumstances, etc. The proposed language in many such requests
is excessively broad and exposes the firm to expanded liability. In general, the
firm does not issue letters attempting to establish a privity relationship between
the firm and a third party. If the firm does agree to issue such letters, the contents
will be determined on a case-by-case basis and will only be in a form acceptable
to the firm. Accordingly, all requests for such letters should be reported
immediately to the NPPD and to RRLA.

18.278 [Tailor the following paragraph to suit your consultation policies and
procedures] On occasion, the firm might receive a letter from a third party stating
that such third party intends to "rely" on financial statements reported upon by
the firm. These letters should be considered as attempts to establish privity and
should be immediately referred to the NPPD and to RRLA. No letters should be
issued on the partner’s own determination.

Dealing with Legal Matters


18.279 [Tailor the following paragraph to suit your consultation policies and
procedures] Potential legal matters involving auditing matters should be directed
to the NPPD. The manner in which various legal questions will be referred and
reviewed is summarized by category in this section.

Improper Use of Firm Name or Audit Report

18.280 [Tailor the following paragraph to suit your consultation policies and
procedures] On occasion, clients, their attorneys, public relations counsel, or
other representatives may use the firm name in a manner of which it does not
approve. In addition, there may be an unauthorized modification or improper use
of a report that contains its audit report. The seriousness of cases will vary and
each must be handled on an individual basis. The NPPD should be advised of
any such situations. Specific procedures are as follows:
 consult RRLA to protect the firm's interests
 notify the client that we consider the use of the firm’s name or report
improper or unauthorized. Such notification is in writing or oral, as the
circumstances dictate. In some cases, notification to all directors of the
client will be made.
 retrieve and destroy material containing the unauthorized use of the
firm’s name to the maximum extent possible
 advise governmental regulatory and other authorities if filings are
involved, of the circumstances, our position with regard thereto, and
the firm’s action

Reporting Potential Litigation

18.281 [Tailor the following paragraph to suit your consultation policies and
procedures] Matters that have the potential of becoming the subject of litigation
must be recognized at an early date if the firm is to control its potential legal
liability. Accordingly, all matters relating to assurance services with legal potential
should be immediately referred to the NPPD and to RRLA.

18.282 [Tailor the following paragraph to suit your consultation policies and
procedures] It is not possible to identify every event that should result in a
request for guidance from the NPPD or RRLA. However, the following client
situations are examples:
 receipt of a subpoena for testimony and/or the production of records
 bankruptcy or threatened bankruptcy
 SEC or other regulatory agency investigation
 grand jury or IRS criminal investigation
 fraud, illegal acts, errors, or misrepresentations by client management
 litigation or threatened litigation against the client or its management
by stockholders or creditors
 (non-routine) contact by Inspector General, FBI agents, or attorneys
 intentional disregard of accounting standards by management
Such matters should be referred to RRLA regardless of the nature of the firm's
engagement (i.e., assurance services, tax or consulting).

18.283 [Tailor the following paragraph to suit your consultation policies and
procedures] When any such information comes to the attention of firm
personnel, the lead partner should immediately:
 notify the OMP, NPPD, and RRLA
 personally scan the workpapers to ensure they are in good order and
in compliance with firm policy. Any questions about such workpapers
should be referred to the NPPD.

18.284 [Tailor the following paragraph to suit your consultation policies and
procedures] In the event litigation involving the firm is commenced, RRLA will
select outside counsel and will consult with the NMP NPSG, NMP Audit Services,
and the Chief Executive Officer, as appropriate. Outside counsel will then be
responsible for notifying and keeping RRLA up to date.

Response to Subpoenas

18.285 [Tailor the following paragraph to suit your consultation policies and
procedures and references to applicable standards] The firm regards the
issuance of a subpoena and requests from regulators for testimony of firm
personnel and/or production of records or workpapers as a serious matter.
Subpoenas and requests from regulators raise questions of confidentiality under
the AICPA Code of Professional Conduct, PCAOB standards, and ownership and
privilege concerning workpapers under state laws, and the rights of individuals
and the firm. Accordingly, immediately upon receipt of any subpoena or request
from a regulator, the NPPD and RRLA are to be notified and their instructions
requested on how to proceed.

18.286 [Tailor the following paragraph to suit your consultation policies and
procedures] When counsel advises that the subpoena or regulatory request
should be complied with, every reasonable effort should be made to locate and
assemble any documents or other materials that are called for. When the
materials are assembled, RRLA should be notified. Naturally, counsel should be
consulted with respect to any questions about the coverage of the subpoena or
scope of the request.

Preparation for Depositions or Testimony

18.287 [Tailor the following paragraph to suit your consultation policies and
procedures] Firm personnel may occasionally be requested or required (usually
by subpoena) to furnish depositions or testify in connection with a trial, hearing or
regulatory investigation. All such matters must be cleared through RRLA, who
will assure that personnel are appropriately prepared and represented by RRLA
or outside legal counsel if necessary.

Serving as Expert Witness


18.288 [Tailor the following paragraph to suit your consultation policies and
procedures] RRLA should be consulted before a partner or an employee may
serve as expert witness in a lawsuit. Advance approval of the NMP NPSG and
NPPD should be obtained for any assignment to provide expert testimony
against another CPA firm, as well as any assignment on the proper application of
GAAS or GAAP. If the matter will involve the use of tax and/or entrepreneurial
consulting experts of the firm, the NPPD will consult others within the firm as
appropriate.

18.289 The firm will accept such assignments only after it has been determined
that:
 the qualifications of the individual chosen to testify cannot be
reasonably challenged
 the subject matter of the litigation creates no significant potential for
conflicts with other clients of the firm
 providing the service requested is consistent with the firm’s concepts of
integrity, public service and professional standards

Expert Assistance in Lawsuits Involving Other Firms

18.290 The firm is occasionally requested to provide expert assistance, other than
as an expert witness, to attorneys for the plaintiffs or defendants in existing or
threatened lawsuits against other firms. These types of engagements have many
conflicting implications with regard to the public welfare, as well as the welfare of
the profession.

18.291 [Tailor the following paragraph to suit your consultation policies and
procedures] The policy of the firm is to consider each potential engagement
individually, considering both the issues involved and the availability of qualified
partners and staff necessary for the engagement. RRLA must approve all
engagements in advance. If the matter will involve the use of tax and/or
entrepreneurial consulting experts of the firm, the NPPD and/or RRLA will consult
others within the firm as appropriate.

18.292 A signed engagement letter should be obtained from the client clearly
setting forth the terms of payment for the firm’s services and that it will act solely
as independent appraisers of the quality of the professional work performed and
will not be advocates for the plaintiff or defendant. The letter should further state
that the firm will give due consideration to the impact of hindsight in its
evaluation.

Fee Justification and Collection Letters

18.293 The firm prefers not to send letters to clients justifying bills for services. If
a fee problem is expected, the matter should be discussed with the client before
billing, either in a telephone conversation or, preferably, in a personal meeting.
Alternatively, the billing can be hand-delivered to the client and discussed at that
time. The only circumstance in which a letter of justification should be written
is when the client, after a personal discussion, asks for such a letter for their files.

18.294 [Tailor the following paragraph to suit your consultation policies and
procedures] Normally, a collection letter should not be written to a client unless
the firm either has terminated or expects to terminate relations with the client. A
client who is delinquent in payment of bills should be contacted by telephone or
in person to determine the reason for non-payment. This procedure offers an
opportunity to determine whether a complaint exists and, if possible, to resolve it.
If personal contact results are unsatisfactory and the client services partner
decides that further action is necessary, the matter should be referred to the
OMP for a decision on how to proceed. If the OMP then feels that the situation
must be reduced to writing, he or she may authorize such a letter.

Use of Collection Agencies

18.295 [Tailor the following paragraph to suit your policies and procedures] The
OMP must approve the use of collection agencies to collect delinquent fees.
Normally, permission to use a collection agency will not be granted by the OMP
in any of the following situations:
 there is reason to believe the client may raise a counterclaim to our bill
 the financial condition of the client will not allow for payment
 there is a reasonable dispute or concern over the value or quality of
the services rendered
 business relationships will be adversely affected
 other circumstances indicate that the cost and risk of collection are
disproportionate to the anticipated benefits
When an account is turned over to a collection agency, there must be a clear
understanding that the agency will not file suit against the client and that the firm will
neither advance expenses, nor incur any costs other than the agreed collection fee.

18.296 [Tailor the following paragraph to suit your policies and procedures] On
occasion, the OMP may prefer to use outside legal counsel for a collection effort
with the understanding that such counsel will not file suit. In such situations, the
OMP may hire local legal counsel for the same purpose as a collection agency
might be used subject to the same conditions on approving such action as stated
above. If it is expected that a suit may eventually be instituted, the procedures
discussed in Legal Actions Against Clients or Former Clients are applicable,
including approval by the RMP and RRLA.

18.297 [Tailor the following letter to suit your policies, addresses, currency, etc.]
Illustrative Collection Letter

January 20, 20X1

Mr. John W. Brown, President
Client Products, Inc.
700 Eighth Street
Centerville, Illinois 10010

Dear Mr. Brown:

Reluctantly, we feel compelled again to call your attention to the age and amount of your
indebtedness to us. Our unpaid charges for services rendered to your company total
$______ and cover work done as long ago as __________.

We have discussed this matter with you on a number of occasions and have suggested
alternative methods of payment, including the possibility of monthly installments. Since we
have not been able to work out a satisfactory payment plan with you, we can no longer
continue to perform services for you until this matter is resolved. We urge you to contact us
to schedule a meeting to discuss definite payment arrangements.

Very truly yours,

GRANT THORNTON LLP (typed)

GT Partner

Legal Actions Against Clients or Former Clients

18.298 [Tailor paragraphs 270 to 273 to suit your consultation policies and
procedures] Ordinarily, we do not institute legal actions against clients or former
clients. The time required and the expense involved in pursuing such matters
do not justify litigation unless the amount due the firm is unusually large. In
addition, there is always the chance that legal action will result in a countersuit,
whether or not justified.

18.299 If the OMP believes that litigation should be filed against a client or former
client, he or she should obtain the advance approval of the RMP. To obtain
approval, the OMP should send a memorandum to the RMP containing or
attaching the following:
 the engagement letter
 the last issued report or other pertinent result of the firm’s work
 statements of account, open invoices, and a schedule showing the
amounts (and dates) of billings and payments
 substantive correspondence, if any, relating to the unpaid fees and any
internal memoranda
 a concise summary of:
    collection efforts to date
    the reasons the engagement personnel believe payment has not been
     made (including whether the client has commented adversely on the
     quality of the firm’s services)
    the potential impact on other relationships (e.g., attorneys, banks,
     referral source, etc.)

18.300 If it appears to the RMP that litigation should be commenced, he or she
reviews the matter with RRLA. If they agree, the RMP and RRLA work with the
OMP on selection of counsel.

18.301 Outside legal fees in collection matters will be charged to the operating
office involved. The office will also be charged with all costs incurred in
connection with countersuits, including settlement costs.

Serving Clients in Bankruptcy


[Tailor the following paragraphs and Exhibit to suit your policies and procedures]

18.302 Situations may arise when clients of the firm seek protection under the
U.S. Bankruptcy Code (the Code). Generally, the various jurisdictions
consistently apply the Federal bankruptcy laws and related rules. However, slight
differences in application arise in the different Federal circuits. Accordingly,
partners should consult with RRLA and applicable line of business professional
standards professionals, such as Tax Practice Policy & Quality or the NPSG, for
assistance with any questions that arise throughout the client acceptance or
client continuance process.

18.303 In such situations, existing client acceptance and continuation policies
apply. In addition, prior to agreeing to provide services to any entity or individual
that has filed for bankruptcy protection, the partner should consult with the OMP,
NPPD and RRLA, as necessary.

18.304 When an existing client files for bankruptcy protection, the firm’s client
continuation policies should be followed, which generally require consultation as
outlined above.

18.305 When a publicly held client files for bankruptcy protection, the partner, in
conjunction with the NPPD and RRLA, should also consult with the NMP NPSG
and the NMP Audit Services prior to agreeing to proceed or continue with
services.

18.306 Once a client has sought protection under the Code, the client’s
governing board, audit committee, and management, the bankruptcy court and
the assigned U.S. Trustee (Trustee) must approve any engagement letter,
including all appendices thereto, for any entity (the “Debtor”) that files for
bankruptcy protection. The bankruptcy court and Trustee must specifically
approve each of our professional services, even if the Debtor engaged us before
the bankruptcy filing. Additional services or extension of services, including
addenda to the original terms, contract extensions, or additional procedures to
fulfill the terms of the original engagement, must be specifically approved as well.
Absent such approval, our fees for our services may be denied. In addition, fees
paid to us shortly before the bankruptcy filings are subject to bankruptcy court
scrutiny and we may be requested to return such fees.

18.307 In order to obtain bankruptcy court approval for an engagement, the
Debtor or the Committee of Unsecured Creditors (Creditors’ Committee) must
submit an “Application for Employment of Professionals” (Application) to the
bankruptcy court requesting permission to engage us for specific services. An
“Affidavit of Disinterestedness” (Affidavit) submitted by an authorized firm
representative must accompany the Debtor or Committee’s Application. The
firm’s Affidavit must disclose all relationships with, and all conflicts of interest or
potential conflicts of interest with, any of the following:
• debtor and its related entities, including the shareholders, officers,
  directors, or affiliates
• creditors’ committee members and other known creditors
• other parties-in-interest in the bankruptcy
• legal counsel and other professionals representing any of the
  parties-in-interest in the bankruptcy

18.308 The Affidavit’s completeness and integrity are extremely important. The
failure to disclose any relationships, conflicts of interest, or potential conflicts may
result in the denial of our fees or denial of our requests for reimbursement for
expenses. The RRLA should review the Affidavit prior to its submission and will
designate a partner or principal to be the firm’s authorized representative.

18.309 Each GTI member firm is a separate and independent legal entity. If an
engagement for a Debtor or Creditors’ Committee requires the services of
another GTI member firm, including the use of one of their employees, the
bankruptcy court requires that Grant Thornton LLP obtain specific prior approval.
Each GTI member firm used on an engagement for a client that has filed for
bankruptcy protection is required to also submit an Affidavit for approval. Prior to
assigning an individual from another GTI member firm to an engagement for a
Debtor or Creditors’ Committee, consult with the RRLA.

18.310 RRLA designed resource tools to assist engagement teams involved with
companies in bankruptcy. These tools are located on the RRLA site on GTUS.

Risks relating to revenue


18.311 The identification and assessment of the inherent risk of material
misstatement in revenue, whether due to fraud or error, is based on the
engagement team’s understanding of each revenue stream, including its
characteristics (recorded in the Voyager Revenue tool as “attributes”). For
example, if an entity has sold products being shipped directly from a third-party
manufacturer to its customers (drop-shipments), the risk that revenue is not
recorded in the correct period may result from management’s misunderstanding
of how to properly account for these sales (a risk of error) or from management
intentionally recording revenue in advance to depict a more favorable picture of
the financial statement (a risk of fraud). Determining whether a risk relates more
to error or to fraud is a matter of professional judgment, taking into account any
identified fraud risk factors (as further discussed below).

Risk of fraud in revenue

18.312 To assist in the identification of fraud risks in revenue, the engagement
team refers to their understanding of the entity and its environment and
determines whether there are any events or conditions identified that may
indicate an incentive or pressure to commit fraud or provide an opportunity to
commit fraud (referred to as “fraud risk factors” in ISA 240). Based on the
presumption that there are risks of fraud in revenue recognition, the engagement
team evaluates which types of revenue (referred to as Streams in Voyager),
revenue transactions or assertions give rise to such fraud risk. Discussing the
“who, what, where, when and how” related to fraud may also be helpful in
identifying fraud risk. Certain engagement teams incorrectly believe it is always
the Existence/Occurrence assertion that gives rise to fraud risk in revenue. While
it may be the case for many entities, it is certainly not a default, and other
assertions may be more susceptible to fraud. Below are examples of how
management may perpetrate fraud in assertions other than
Existence/Occurrence:

• Management not recording sales to minimize reported earnings for
  tax-motivated reasons (Completeness)
• Management inflating sales by forcing more products through a
  distribution channel than the channel is capable of selling (sometimes
  referred to as “channel stuffing”) (Cutoff)
• Management providing preferential terms to customers for personal
  gains or in accordance with side arrangements (Valuation-gross)
• Management recording transactions even though the sales involved
  unresolved contingencies (Valuation-net)
• Management underestimating the allowance for doubtful accounts to
  conceal the increased credit risk resulting from operational decisions
  made (Valuation-net)
• Management derecognizing receivables sold to a third-party
  commercial financial company (factoring) although they do not qualify
  for derecognition (Rights/Obligations)

18.313 In instances, which are expected to be rare, where no fraud risk factors
are identified, the engagement team may conclude that the presumption of fraud
in revenue recognition is not applicable (i.e. rebuttable). When the entity has a
weak control environment, it is less likely to be appropriate to rebut the
presumption due to the increased opportunities for management to commit fraud.
Concluding that the presumption may be rebutted is a matter of professional
judgment; the engagement team is required to include in the audit documentation
the reasons for that conclusion. This documentation may:

• Address each revenue stream separately, specifically addressing the
  reasons supporting the rebuttal for the relevant assertions applicable to
  each stream.
• Indicate how the engagement team has corroborated the absence
  of management incentives, pressures and opportunities to commit
  fraud in revenue (e.g., through the review of compensation, debt,
  shareholder or other agreements; inquiry alone is not sufficient).

Risk of error in revenue

18.314 Obtaining an understanding of the entity’s revenue streams and related
characteristics (or attributes) may result in the engagement team identifying a
risk (or risks) of material misstatement due to error. When a risk of material
misstatement at the assertion level is identified, the engagement team is required
to design and perform audit procedures that are appropriate in the circumstances
for the purpose of obtaining sufficient appropriate audit evidence.

18.315 Audit evidence that is sufficient regarding an account balance may also be
sufficient for the related class of transactions or disclosures (or vice-versa). For
example, the evidence obtained regarding the cutoff of transactions for a revenue
stream may also be sufficient for the cutoff of the related receivables. As it
relates to the occurrence of revenue transactions, determining the sufficiency of
audit evidence may be affected by factors such as the assessment of inherent
risk, whether the operating effectiveness of controls is tested, and the other
relevant audit evidence obtained, including when testing the Existence assertion
(e.g., testing accounts receivable).

Total Transaction Testing engagement type

Applicability of the TTT program

18.316 International Standards on Auditing (ISA) require the auditor to design and
perform audit procedures to obtain sufficient appropriate audit evidence to be
able to draw reasonable conclusions on which to base the auditor’s opinion.
When an entity’s activities are limited, an audit approach that tests every
transaction may be more effective and efficient. The TTT program is designed to
be used in such situations.

18.317 Examples of entities where the TTT program may be appropriate include:
• newly formed companies
• companies created for a specific purpose (e.g., for the purpose of
  owning specific assets, such as copyrights, or receiving income, such
  as from royalties)
• companies that have stopped their operations but continue to exist
  (dormant companies)
• non-consolidated financial statements of holding companies
• small entities with few transactions

18.318 The TTT program is based on the principle that 100% of the transactions
will be audited using tests of details at period-end. To use the TTT program, all
transactions recorded in the accounting records or presented and disclosed in
the financial statements need to be audited. Some transactions may be clearly
inconsequential, and misstatements related thereto would not have a material
effect, individually or in the aggregate, on the financial statements as a whole.
Thus, the total (absolute value) of transactions that are not subject to tests of
details must be less than trivial (that is, does not exceed 5% of materiality).

18.319 The TTT program is not intended to be used in the following situations,
without appropriate modification:

• the entity uses a service organization (ISA 402, Audit Considerations
  Relating to an Entity Using a Service Organization)
• the entity has complex accounting estimates or estimates with higher
  estimation uncertainty (ISA 540, Auditing Accounting Estimates,
  Including Fair Value Accounting Estimates, and Related Disclosures)
• audits of group financial statements (ISA 600, Special Considerations
  – Audits of Group Financial Statements (Including the Work of
  Component Auditors)). However, an entity to which the TTT program
  applies may be part of a group; its use in this circumstance may be
  dependent on the group engagement team’s instructions.
• the auditor intends to use the entity’s internal audit function (ISA 610,
  Using the Work of Internal Auditors)

Understanding of processes and controls

18.320 The TTT program requires an understanding of processes used by the
entity to capture transactions and record them completely and accurately. Such
understanding may assist the engagement team in designing tests of details or
procedures to determine that all transactions were recorded. The extent of such
understanding is based on auditor judgment.

18.321 The TTT program presumes that no reliance will be placed on either the
design or operating effectiveness of controls. Using their understanding of the
entity’s processes, the engagement team determines whether there are any
controls relevant to the audit that need to be understood.

Substantive procedures

18.322 It is the engagement team’s responsibility to determine, based on the
nature of the transaction, the substantive procedures to perform and whether
those procedures are sufficient and appropriate in the circumstances. Such
procedures will involve tests of details. The use of substantive analytical
procedures or sampling is not appropriate.

18.323 The substantive procedures in the TTT program contain suggested
inquiries and tests of details. These suggested procedures are a starting point
and they address certain account balances, classes of transactions and
disclosures often found in financial statements. The engagement team is
responsible for tailoring these procedures based on the entity’s circumstances,
including modifying or removing unnecessary suggested procedures and adding
procedures when appropriate.

18.324 Procedures need to include testing all recorded journal entries and other
adjustments. Such testing includes inspecting support for the journal entry and
inquiring of individuals involved in the financial reporting process about
inappropriate or unusual activity relating to the processing of journal entries and
adjustments.

Financial reporting framework considerations

18.325 Procedures need to include testing all recorded journal entries and other
adjustments. Such testing includes inspecting support for the journal entry and
inquiring of individuals involved in the financial reporting process about
inappropriate or unusual activity relating to the processing of journal entries and
adjustments.

18.326 Additional tailoring of the TTT program may be necessary for audits of
financial statements prepared in accordance with a special purpose framework
(ISA 800, Special Considerations – Audits of Financial Statements Prepared in
Accordance With Special Purpose Frameworks) or for audits of single financial
statements or elements, accounts or items of a financial statement (ISA 805,
Special Considerations – Audits of Single Financial Statements and Specific
Elements, Accounts or Items of a Financial Statement).

Management questionnaire

MANAGEMENT QUESTIONNAIRE
1. Related Parties: Please provide information regarding:
• the identity of the entity’s related parties, including changes from the prior period
• the nature of the relationships between the entity and these related parties
• whether the entity entered into any transactions with these related parties during the
  period and, if so, the type and purpose of the transaction
• the controls established to identify, account for, and disclose related party relationships
  and transactions and authorize and approve significant transactions and arrangements
  with related parties and transactions outside the normal course of business
2. Transactions outside the entity’s normal course of business: Please provide
information regarding significant transactions outside the entity’s normal course of business
(including the nature of the transactions) and indicate whether related parties were
involved.
3. Litigation and Claims: Please provide information regarding any litigation and claims.
Where applicable, please indicate whether others within the entity, including in-house legal
counsel, were consulted.
4. Compliance with Laws and Regulations: Please provide information regarding:
• how the entity determines its compliance with the applicable legal and regulatory
  framework
• whether the entity is in compliance with laws and regulations that have a direct effect on
  the determination of material amounts and disclosures and other laws and regulations
  that may have a material effect on the financial statements
• correspondence with relevant licensing or regulatory authorities, if any
5. Fraud: Please provide information regarding management’s:
• assessment of the risk that the financial statements may be materially misstated due to
  fraud, including the nature, extent and frequency of such assessments
• process for identifying and responding to the risks of fraud, including any specific risks
  identified or that have been brought to management’s attention or classes of
  transactions, account balances, or disclosures for which a risk of fraud is likely to exist
• knowledge of any actual, suspected or alleged fraud
• communication, if any, to those charged with governance regarding processes for
  identifying and responding to the risks of fraud
• communications, if any, to employees regarding management’s views on business
  practices and ethical behavior
6. Going Concern: Please provide information regarding your assessment or basis for the
use of the going concern assumption (and basis of accounting) and whether there are
events or conditions that exist that may cast significant doubt on the entity’s ability to
continue as a going concern (including beyond the period of assessment, which should be
at least 12 months from the date of the financial statements).
7. Subsequent Events: Please provide information regarding:
• procedures established to identify subsequent events
• whether subsequent events have occurred which may affect the financial statements,
  including informing us of matters discussed at stockholders’ and directors’ meetings held
  through the date of the auditor’s report for which minutes are not yet available

Responses provided by: Date completed:


i Member firm policy and procedures are based on International Standard on Quality Control (ISQC) 1,
Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance
and Related Services Engagements. ISA 610, Using the Work of Internal Auditors, refers to ISQC 1, and the
engagement team may refer to that standard for further guidance.

Chapter Nineteen - Audit Quality Processes
Summary

This Chapter discusses the quality control processes established by the firm, including
the review process. The review process is an integral part of applying due professional
care, and its importance cannot be overemphasized. Every financial reporting
engagement, regardless of its nature or size, is subject to appropriate review.

Introduction
19.01 [Tailor the last sentence to reflect your firm’s structure] Quality assurance
procedures for each engagement include review procedures performed by members of
the audit team as well as the assignment of a quality control reviewer, when
appropriate. Quality control reviewers are assigned to an audit based on an assessment
of the skills of the engagement team and the risk to the firm of performing the
engagement. Additionally, the firm designates operating office personnel responsible for
oversight of all engagements, including the assignment of quality control reviewers and
professional development of audit staff. National Office personnel are responsible for
enhancing audit quality by providing technical assistance and other resources to
operating offices.

General Requirements
19.02 Review procedures are an integral part of applying due professional care and
demonstrating that the audit team was properly supervised. Therefore, every audit,
regardless of its nature or size, is subject to review (including work performed by the
partner), and the review procedures must be adequately documented to provide
evidence of their completion.

19.03 Responsibility for an engagement extends to every person who contributes to the
final result; however, the partner is fully responsible for each engagement that he or she
manages. Because of the nature of the firm’s services, errors of principle or detail may
enter into the work at any point. For this reason, each audit is reviewed, and the review
is documented in the workpapers.

19.04 Generally, a more senior person should review the work performed by each
member of the audit team.

19.05 [Tailor the last sentence to reflect the title of the person that assigns reviewers in
your firm] The individuals performing each level of review are expected to have the
background and training requisite to accomplish the objectives of such review. An
individual’s background and training should be considered not only by the PSP, who is
responsible for designating such reviewers, but also by partners and staff performing
the review function.

Levels of Review

19.06 The review process for audit engagements is a related interdependent process
with five distinct engagement positions, as follows:
• in-charge accountant
• manager
• lead partner
• tax specialist
• quality control reviewer, if applicable

Each function has its distinct purpose, and the individuals performing the review should
not be comforted by the fact that their work will, in turn, be reviewed. Specific
responsibilities that should be completed at each level of review before a report is
released are described below.

Evidence of Review

19.07 Each level of review should be evidenced by:
• initialing or signing individual audit program procedures, workpapers, or
  other documentation (such as the Report Guide Sheet)
• completing the applicable review programs in Voyager
• complying with quality control review policies

Approval and Notification Requirements

19.08 [Tailor the following paragraph to reflect your firm’s approval and notification
requirements] Certain matters require consultation with or notification to appropriate
NPSG personnel. These are indexed in Appendix C. The workpapers should document
the required notifications. Significant consultations should be documented in
accordance with the firm’s Consultation Protocol.

Quality Control Review Model


19.09 The firm requires all attestation engagements to be evaluated for risk and a
determination made regarding the necessity of quality control review. The firm’s Quality
Control Review Model is based on both engagement and engagement team risks as
depicted below.
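
[Figure: Quality Control Review Model. Vertical axis: Engagement Continuum, from Compilation (bottom) to Complex Audit (top), with a horizontal line for public entities. Horizontal axis: Engagement Team Continuum, from Lesser Skills or Experience (left) to Greater Skills or Experience (right). Region labels: Public entities (1), Unacceptable Risk (5), Manage Risk (2), Acceptable Cost (3), Unacceptable Cost (normally 4), No Review.]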

Risk Continuums in the Quality Control Review Model


19.10 Risk is inherent in all financial reporting engagements. To assist in evaluating the
potential risk in an engagement, the firm developed a quality control review model. Two
risk continuums form the core of this model: the engagement continuum and the
engagement team continuum.

Engagement Continuum

19.11 The engagement continuum measures the risk characteristics inherent in each
engagement. At the lowest extreme are those engagements with virtually no risk to the
firm. These would include engagements such as compilations of financial statements. At
the highest extreme of this continuum are the most complex and risky engagements,
such as companies undergoing initial public offerings and those engaging in certain
activities, such as the securitization of financial assets. All of the firm’s clients can be
placed along this continuum. For example, a closely-held nonpublic client with no debt
might be placed on the lower segment of this continuum, while a first-year nonpublic
client with significant debt might be placed somewhere along the upper portion of this
continuum.

Engagement Team Continuum

19.12 The engagement team continuum measures the skills and experience of the lead
partner and the manager in relation to a specific engagement. While the technical
abilities of individual partners and managers vary significantly, equally important are
factors such as industry knowledge, familiarity with the engagement and prior
experience. For example, on an audit of a public company in a particular industry, an
engagement team with significant experience with public clients and specific industry
knowledge would be charted along the right side of this continuum. A lesser skilled
engagement team with little experience in the industry would be charted along the left
side of the continuum.

Blending the Two Continuums

19.13 Every financial reporting engagement will be charted along these two
continuums, which will determine the EPF. This is a critical process because the EPF
determines whether a quality control reviewer will be added to an engagement to
manage risk to an acceptably low level.

Optimal Review Continuum

19.14 The optimal review continuum represents the ideal balance of engagement risk
and resources committed to the engagement. The optimal review continuum, which is
the firm’s desired state for all attest engagements, runs diagonally between the
engagement risk continuum and the engagement team continuum. Threats to the firm
may exist when engagements fall to the left of the optimal balance continuum.
Conversely, there are sufficient safeguards to protect the firm when engagements fall to
the right of the optimal balance. Engagements on the left side of the optimal balance
either have too few resources (lesser skilled or inexperienced engagement team) to
manage the engagement risk or the engagement risk is sufficient to warrant additional
resources. An engagement on the right side of the optimal balance does not cause
unwarranted risk to the firm due to the low risk involved in the engagement or the highly
skilled resources assigned to the engagement.

Analyzing the Model

EPF of “5” Represents Unacceptable Risk

19.15 The upper left quadrant (EPF of “5”) represents unacceptable risk to the firm. The
firm will not serve clients in this quadrant; therefore, the EPF must be lowered to an
acceptable EPF or we must resign from the engagement. If the firm chooses to continue
to serve the client, the risk can be reduced by either changing the partner and/or
manager or by assigning additional resources to the engagement.

EPF of “4” Represents Unacceptable Costs

19.16 Conversely, the lower right quadrant (EPF of “4”) represents excess costs for the
risks involved and, therefore, lowers profits. Ideally, the engagement will not be in this
quadrant, except by design, such as utilizing idle resources during non-peak periods or
for training purposes.

Other EPF Factors Represent Acceptable Risks and Costs

19.17 Most of the firm’s engagements will fall in either the upper right quadrant or the
lower left quadrant. When the engagement is on the left side of the optimal balance
continuum, the firm must manage this risk by enhancing the engagement team
(effectively shifting the engagement to the right on the engagement team continuum).
Assigning a quality control reviewer to the engagement team is the most efficient way to
shift the continuum.

19.18 Engagements that fall on the right side of the optimal balance already have
sufficient resources to manage the risks of the engagement. In this circumstance, the
engagement team does not need to be enhanced (i.e., no quality control reviewer is
required to be assigned to the engagement team).

19.19 Because a quality control review is mandated for all public entities by the
standards and, in some instances, laws or regulations, the quality control review model
acknowledges that these engagements will always have an EPF of “1.” Accordingly, a
horizontal line representing public entities is added to the upper engagement risk
continuum. Conversely, a point can be reached where the engagement and audit risks
are so low (because of the skills of the engagement team) that enhancing an
engagement team with a quality control reviewer becomes inefficient. Therefore, a
horizontal line is added to recognize this fact.

Borderline Judgments

19.20 To recognize that judgment is inherent in the process of assigning an EPF to
financial reporting engagements using this model, a zone is shaded along the optimal
review continuum. Engagements that fall into this shaded zone could arguably belong in
a different category. Although engagements in the shaded zone may result in an
additional level of review, additional risk to the firm will be avoided.

NPPD Involvement

19.21 [Tailor this paragraph to reflect your firm’s policies] The NPPD may request that
a quality control reviewer be added to any engagement based upon notification of
certain transactions, events, or reports being issued. The NPPD has the authority to
become involved in an engagement and perform whatever review procedures he or she
deems necessary, including serving as the quality control reviewer. Also, the NPPD
may designate certain engagements to require his or her sign-off prior to release.

Changing Circumstances

19.22 [Tailor the last sentence to reflect your firm’s titles] The engagement team must
be alert to identify changing circumstances that require modification of the EPF
classification. These characteristics could cause the EPF category to change. When
these occur, the engagement team should consult with the PSP to determine the
appropriate resolution.

Engagement Profile Factors

19.23 As visually depicted in the Quality Control Review Model, the firm has
established the following five EPF classifications:

| EPF | Risk Profile | Required Review |
|---|---|---|
| 1 | Professional standards or other external circumstances mandate a quality control review | Quality control reviewer assigned to engagement team |
| 2 | Safeguards not adequate to reduce threats | Quality control reviewer added to engagement team |
| 3 | Adequate safeguards to reduce threats | Engagement team solely responsible for engagement quality |
| 4 | Adequate safeguards but normally unacceptable costs | Engagement team solely responsible for engagement quality; resource deployment should be reconsidered |
| 5 | Unacceptable | Modify engagement team or resign |

EPF of “1”

19.24 [Tailor paragraph 24 through 27 to refer to an appropriate regulator] EPF of “1”
applies to all clients where a quality control review is mandated by:
• professional standards
• laws or regulations
• a regulatory body (e.g., a consent order with the SEC)

19.25 EPF 1 engagements include:
• public entities as defined in Chapter 3
• broker-dealers
• investment advisors required to register with the SEC

19.26 All EPF “1” engagements should assign an audit partner to fulfill the lead partner
role. Likewise, the quality control reviewer must also be an audit partner.

19.27 When the public flag is selected in versions of Voyager prior to version 3.0, the
file is automatically tailored to include, among others, interim review programs and
regulatory procedures required of public companies. Audit teams should consider this
for an entity that meets the definition of a public company, but does not periodically file
financial information with a securities regulator (e.g., SEC) because significant direct
tailoring of the file will be required to remove the unnecessary items. Accordingly, in
versions of Voyager prior to version 3.0, the audit team should not select the public flag
when the entity:
• does not file interim financial information with its securities regulator, but
  trades infrequently through broker transactions (e.g., over the counter and
  pink sheet companies)
• issues public debt, but does not file with the SEC (e.g., state and local
  governments or conduit bond obligors)
• is a subsidiary or significant investee of a public company

Entities that meet the definition of a public entity, but do not select the public company
flag in accordance with the preceding instructions should set EPF at “2” and assign a
partner to perform the quality control review.

EPF of “2”

19.28 [Tailor to refer to appropriate examples and regulators] EPF 2 engagements are
those that do not provide adequate safeguards to reduce threats. Therefore, a quality
control reviewer should be assigned to the engagement. The firm determined that the
following engagements warrant a quality control reviewer:
• audit or review engagements where the role of lead partner is assigned to
  a person that is not a partner (this includes, for example, those rare
  situations when the individual performing the lead partner role on an audit
  engagement is a senior manager or manager)
• those rare situations in which a partner from another line of business, such
  as tax, BAS or consulting, acts as the lead partner on an audit or review
  engagement
• audit or review engagements subject to regulatory access and review,
  such as OMB A-133 and benefit plan audits
• audit engagements where the individual acting as the lead partner is new
  to the firm (one year or less), or is a newly-promoted partner

19.29 Depository institutions to which SEC independence rules apply must assign a
partner to serve as the quality control reviewer. Also, as discussed above, a partner
should be assigned as the quality control reviewer for engagements that meet the
definition of a public company but do not select the public company flag in versions of
Voyager prior to version 3.0.

EPF of “3”

19.30 EPF 3 engagements are those having engagement characteristics that provide
adequate safeguards to reduce threats to an acceptable level. A quality control reviewer
does not need to be assigned to these engagements.

EPF of “4”

19.31 [Tailor to reflect your consultation practice] EPF 4 engagements include
engagements with characteristics that normally result in unacceptable costs for the risk
involved. Although no quality control reviewer is required to be assigned to the
engagement, an EPF of “4” classification indicates that the resources assigned to the
engagement are out of balance with regard to the engagement risks (e.g., very senior
experienced individuals assigned to a lower engagement risk client). These
engagements require APL involvement to properly balance the firm’s resources and to
move the client into an EPF of “3” classification.

EPF of “5”

19.32 [Tailor to reflect your consultation policy] EPF 5 engagements have unacceptable
risk. Client continuance and staffing must be addressed prior to performing the
engagement. Certain engagements may be moved from EPF of “5” to another quadrant
simply by enhancing or modifying the engagement team. The risks may still be
significant, but they can be sufficiently managed by the new enhanced engagement
team. Other clients possess characteristics that cannot be sufficiently safeguarded by
assigning a stronger engagement team. However, an EPF of “5” situation cannot be
resolved by assigning a quality control reviewer to the engagement. For example, a
quality control reviewer cannot mitigate the risk of an inexperienced engagement team.
If the engagement team cannot be realigned to adequately address the challenges of
EPF of “5” clients, we should consider withdrawing from the engagement after
consultation with the NPPD.

The Process for Determining the Appropriate Engagement Profile Factors

19.33 The cornerstone of the firm’s quality control review policy is the EPF
determination. The lead partner is in the best position to make the initial assessment of
the risk along these continuums. The effectiveness of the firm’s quality control review
policies relies upon properly evaluating the risks of the engagement and the skills of the
engagement team. Annually, in Voyager, each lead partner assigns an EPF to each
audit and review engagement. The EPF assigned determines whether a quality control
reviewer is assigned to the engagement.

19.34 [Tailor the following paragraph to reflect your firm’s policies, titles, etc.] Prior to
the completion of the audit, events may occur that may necessitate professional
standards notification, such as a public offering or private placement of securities, not
originally contemplated in our original engagement. Based on these new matters, the
NPPD has the discretion to add a quality control reviewer to the engagement.

Additional Quality Control Review Assignment Considerations

Group Audits

19.35 The group auditor is ultimately responsible for the entire audit, including work
completed by component auditors. However, this fact does not discharge component
auditors from their quality control responsibilities. Component auditors are responsible
for conducting all levels of review discussed in this Chapter. Unless instructed
otherwise, this responsibility includes review of workpapers by a manager or partner
prior to submission to the group auditor. This review should be performed even if the
component auditor work consists of inventory observation or other routine audit
procedures.

19.36 If another arrangement is desired, the group auditor should notify the component
auditor of the review process that will be performed. For example, if the group auditor
assumes full responsibility for performing the tax department review and, if applicable,
the quality control review, it should notify the component auditors involved of the
decision.

19.37 When all levels of review are performed by the component auditor, the
component office’s designated partner or manager should determine that appropriate
consideration was given to matters that may affect the consolidation of accounts in the
financial statements, financial statement disclosures, or audit procedures applicable to
the overall group audit. If there are any such matters, the group auditor and any other
component auditors involved should be informed.

19.38 Refer to Chapter 24 for additional guidance on group audits.

Engagements Where the OMP or the RMP Is the Lead Partner

19.39 [Tailor to reflect your policies] For engagements where the OMP or the RMP is
the lead partner:
• the firm's quality control review procedures discussed in this Chapter
apply. The NPPD will review the EPF and, if applicable, the assignment of
the quality control reviewer on these engagements. Generally, the quality
control reviewer, if applicable, should be an audit partner. Any significant
matters arising from the review by the in-charge, manager, tax department
or, if applicable, the quality control reviewer, are to be discussed with the
PSP and the NPPD.
• any professional disagreements and concerns relating to such
engagements must be resolved to the satisfaction of the quality control
reviewer, if such a reviewer is assigned, and the PSP or referred to the
NPPD
• after issuance, a copy of the financial statements and auditor’s report
should be sent to the NPPD

Accounting and Attestation Engagements Other Than Audits

19.40 The levels of review and, to the extent applicable, the other review policies and
procedures referred to in this Chapter also apply to:
• unaudited financial statements of public entities when the firm is
associated with such statements or performs an interim review
• special reports, which may include correspondence containing financial
data (whether audit, review, compilation, tax or consulting) (see Chapter
31)
• attestation engagements

19.41 [Tailor to reflect your consultation policies] Whether a quality control review is
performed for these engagements depends upon the nature of the engagement, as
follows:
• Attestation engagements – A quality control review is required for
examination, review, and agreed-upon procedures (AUP) engagements.
Because the nature of attest engagements and the resultant reports
may vary widely, consideration should be given to consulting the NPPD
about such engagements and reports.
• Litigation support engagements – The results of litigation support
assignments may be reported to a client (typically a law firm) in a variety
of ways, ranging from a formal written report to expert witness or other
oral testimony. Regardless of the means of reporting, findings (including
appropriate workpapers) should be reviewed by the PSP or designee.
When no written report is to be provided, the lead partner should discuss
the intended oral report or testimony with the PSP and include in the
workpapers a commentary concerning the matters discussed.

EPF Assessment

Organization Structure

Company Information in Engagement Summary

19.42 [Tailor the following paragraph to reflect your firm’s practices, policies, titles, etc.]
The primary source of data for the EPF is the Organization Structure tool in Voyager.
The EPF assessment is automated in Voyager, which transmits the pertinent data to a
database named VIS. To maximize the use of VIS and to eliminate errors, the
Organization Structure tool within Voyager must be accurately completed or updated. In
addition, the parent and subsidiary and/or division information, if applicable, in
Organization Structure must also be completed. The following protocols must be
followed:
• the entity’s legal name should be used. For benefit plans, use the plan’s
name and not the name of the plan sponsor.
• use the Import functionality to add the engagement team. When incorrect
email addresses are transmitted, EPF is unable to send email notifications
to the lead partner.
• the primary industry code (NAICS code) must be completed. The NAICS
code is available through a Voyager look-up option.
• verify the correctness of engagement dates prior to transmission.
Engagement teams should be diligent in reviewing Organization Structure and
correcting errors prior to transmission.

Engagement Profile

19.43 The audit program “Engagement Profile Factor” is located in the Preaudit
Activities section of Voyager. The audit partner (or manager if an audit partner has not
been assigned) responsible for the engagement should review the EPF in Voyager prior
to transmission. The lead partner may coordinate the completion of the EPF in Voyager
with other audit team members; however, the lead partner must assume full
responsibility for the EPF assessment.

Engagement Team Risk Continuum

19.44 As previously discussed under “Risk Continuums in the Quality Control Review
Model,” the engagement team risk continuum measures the skills and experience of the
lead partner and the manager in relation to a specific engagement. For multi-location
engagements, the lead partner may need to consider the relevant skills and experience
of other partners and managers assigned. Therefore, the lead partner considers the
relative strength of the engagement team by evaluating:
• whether there is a new partner or new manager
• the engagement team’s experience with the client’s industry
• other relevant audit experience of the engagement team

Engagement Risk Continuum

19.45 [Tailor the following paragraph to reflect your country’s regulations] The
engagement risk continuum measures the risk characteristics inherent in the
engagement. Therefore, the lead partner considers whether the client has:
• been a continuing client of the firm for less than five years
• capital raising activities planned within eighteen months, such as
significant lending or debt refinancing with a new lender, public offerings of
stock or debt, or private placements
• significant domestic business components not audited by the firm
• significant foreign operations not audited by a GTI member firm
• regulatory oversight by one or more state or Federal agencies and the
extent of that oversight, including OMB A-133 engagements and
employee benefit plans
• an industry whose economic health is declining

Suggested EPF

19.46 The EPF tool evaluates the indicators selected on the engagement team and
engagement risk continuums and suggests an EPF using the quality control review
model. The suggested EPF can be modified if the lead partner believes that another
EPF is more appropriate. However, the lead partner must document the reasons for
overriding the suggested EPF. When the EPF requires that a quality control reviewer be
assigned to the engagement, appropriate quality control review procedures are
automatically tailored into the engagement file.

EPF Assessment Approval

PSP Review and Approval

19.47 [Tailor paragraphs 32 to 35 to reflect your firm’s policies and practices] The PSP
should access the VIS database to review the EPF assessments and either approve or
reject them. The PSP is a key party in the process of evaluating the risks associated
with every financial reporting engagement. For engagements requiring quality control
review, the PSP is responsible for assigning the quality control reviewer. If the PSP
disagrees with the EPF assessment, he or she should resolve any differences with the
lead partner. Based on how these differences are resolved with the PSP, the lead
partner may need to modify the EPF assessment in Voyager. Any changes to the
Organization Structure, EPF factors, or assessments must be made in Voyager and
re-transmitted to the VIS database. The revised information or EPF assessment will
automatically overwrite any existing engagement data and will clear any previous
approvals.

19.48 The PSP should promptly approve the EPF calculation determined by the
engagement team and transmitted to the VIS database. To assist in the EPF approval
process, monthly reminder emails will be sent to the PSP when EPF records remain
unapproved.

NPPD and OMP Review

19.49 Based upon the review of the EPF assessment and discussions with the PSP
and OMP during the annual office visit, the NPPD will designate engagements that
require review by the NPPD or their designee prior to the release of the report.
Primarily, the NPPD or their designee’s involvement will entail consulting with the
engagement team, understanding the resolution of significant matters, ensuring that
significant matters are properly documented and reviewing the report. Generally, in
applying the NPPD review policies, the NPPD will not perform a detailed workpaper
review, but may elect to do so according to the engagement risk and other
circumstances. The NPPD may also elect to serve as the quality control reviewer.

Lead Partner Responsibilities

19.50 The lead partner is responsible for notifying the PSP of changes in the
engagement team or engagement risk continuums that affect the initial EPF
assessment and for making the appropriate changes in the EPF assessment in
Voyager. Such changes may arise because of personnel losses, reallocation of clients
to new engagement personnel, or a client press release or other determination to raise
capital through a private placement or initial public offering. Any change to the EPF
assessment in an engagement file should be transmitted to the firm’s VIS database.
The revised information or EPF assessment will automatically overwrite any existing
engagement data, clear any previous approvals and begin the approval process anew.

Engagement Review Responsibilities


19.51 To comply with professional standards, audit documentation must contain
sufficient information to enable an experienced auditor having no previous connection
with the engagement to determine who reviewed the work and the date of such review.
Therefore, it is expected that audit team members will document their review by
initialing individual workpapers and/or procedures. While Voyager only requires one
reviewer to sign off on workpapers and memos attached to the audit file, other
reviewers should also sign off the workpapers as evidence of their review. In summary,
workpapers should contain the sign-offs of every team member who reviewed them.

19.52 While the review process is integral to supervising the audit, it is not a substitute
for ongoing partner/manager interaction with the audit team and management. Further,
reviewing audit documentation at the end of the audit, or reviewing at a time or place
separate from the audit team is not efficient. Therefore, partner and manager reviews
should be done in the field, as the audit progresses.

In-Charge Accountant Review

General

19.53 The responsibilities of the in-charge accountant, who generally will be a senior
associate or an experienced associate, as described in Chapter 2, include the adequacy
of the work of all personnel assisting in the audit. Concurrent review by the in-charge
accountant takes place throughout fieldwork as a part of supervision and training. The
in-charge accountant's review should encompass the procedures described in this
section before submitting the report and workpapers for review by the manager and
partner.

Audit Documentation

19.54 The in-charge accountant is responsible for performing the review procedures
described in the applicable review program in Voyager.

19.55 In performing the workpaper review, the in-charge accountant determines that:
• paper and electronic workpapers are prepared with the reviewer in mind
• the scope of work defined in the respective sections of Voyager was
carried out and that any significant matters or problems noted were
properly considered, resolved and documented as evidenced by sign off of
the last step in each cycle
• adequate audit evidence was obtained to provide a reasonable basis for
our auditor’s report, in accordance with GAAS
• commentaries were prepared that appropriately document:
    • major decisions
    • audit judgments, such as the propriety of the accounting treatment
    accorded to significant transactions, valuation of assets and liabilities, and
    the determination of whether items are material
    • how audit differences or unusual matters identified during the audit were
    resolved
    • characteristics of the entity's accounting policies and procedures that
    affect the nature, timing, and extent of audit procedures to be applied
    • judgments concerning significant estimates, such as the sufficiency of
    allowances or percentage of completion and other matters pertaining to
    contract accounting
    • additional audit procedures that were applied as a result of conclusions
    which imply unsatisfactory situations, how the auditor was ultimately
    satisfied, and how the matter was treated in the financial statements
    • appropriate authoritative professional literature supporting the basis for
    conclusions
    • [Tailor to reflect your practice] results of significant consultations within the
    office, with NPSG personnel, or with industry specialists
• the work was completed in accordance with the audit plan and the
workpapers completed in accordance with Chapter 15
• each lead schedule and the audit program were reviewed, including
commentaries and supporting analyses, evidencing such review by
initialing and dating workpapers prepared by assistants
• the Summary of Significant Matters is prepared
• all points and questions raised in the workpapers were resolved

Financial Statements and Auditor’s Report

19.56 The in-charge accountant should review the financial statements and auditor’s
report to determine that they are in conformity with professional standards and the firm's
policies and procedures.

Evidence of In-Charge Approval

19.57 The in-charge accountant signs the appropriate Voyager program only after
being satisfied that all comments developed during this review were disposed of,
appropriate revisions were made to the workpapers, our audit documentation is
complete and it is appropriate for the firm to issue the report.

Manager Review

General

19.58 As discussed in Chapter 2, the manager assists the partner by controlling and
supervising the audit. The manager determines that the workpapers are complete and
support the auditor’s report, and reviews the work performed by the in-charge
accountant.

19.59 When a manager is not assigned, the partner should perform the review
procedures described in this section. Even if a manager was assigned, the partner may
choose to perform procedures discussed in this section.

19.60 The manager should periodically visit the client's offices during the course of the
audit to review the audit's progress and the manager review should take place in the
field. This permits questions to be more easily resolved and audit procedures to be
modified, when necessary.

Manager Review Procedures

19.61 [Tailor the following paragraph to reflect your firm’s policies and practices] The
manager is responsible for performing the review procedures described in the
applicable review program contained in Voyager. In addition, the audit manager (and
audit partner, if there are significant issues or if income taxes are a significant account
under the PCAOB standards) must review the audit documentation for income tax
accounts. Both the audit and quality control review partners must review the
documentation prepared by the tax specialist.

Evidence of Manager Approval

19.62 The manager's signature on the applicable review program acknowledges
approval of the workpapers, permanent files, financial statements and auditor’s report.
However, the manager should also sign off on workpapers that he or she reviews. If a
senior manager or manager is acting as the partner on the engagement, the manager
should sign the "Engagement Partner" line on the Report Guide Sheet and follow the
partner guidance in the applicable review program.

Lead Partner Review

General

19.63 The lead partner has the ultimate responsibility for the performance of the audit.
The nature of this responsibility is discussed in Chapter 2 and includes overall
responsibility for the team members' review of the work performed. The partner's
knowledge of the client's business provides an informed basis for assessing risk,
appraising the adequacy of audit procedures, and the adherence to proper accounting
principles. The partner is also responsible for compliance with applicable governmental
or regulatory requirements.

19.64 An audit partner must fulfill the lead partner role for every assurance
engagement, unless specifically permitted by other firm policies. For example, an
appropriately licensed accountant, who is a partner in advisory services and has the
requisite skills and knowledge, may serve as the lead partner on an audit of service
organization controls.

Lead Partner Review Procedures

19.65 The partner review should take place in the field. It is also desirable that the
partner visit the client's offices periodically during the course of the audit to review
progress and to determine that all issues raised are resolved.

19.66 The lead partner is responsible for performing the review procedures described
in the applicable review program contained in Voyager.

19.67 [Tailor the following paragraph to reflect your firm’s policies and practices] If
there are significant issues or if income taxes are a significant account (under the
PCAOB standards), the audit partner must review the income tax workpapers, including
documentation prepared by the tax specialist.

Evidence of Lead Partner Approval

19.68 The lead partner's signature on the review program acknowledges approval of
the workpapers and permanent files. However, the partner should also sign off on all
workpapers that he or she reviews. The lead partner's signature on the Report Guide
Sheet acknowledges approval of the financial statements and auditor’s report. The lead
partner should not sign the Report Guide Sheet until first completing the procedures
called for by the applicable review program.

Tax Specialist Review

19.69 Income taxes are ordinarily material to the financial statements of commercial
and other entities. Because of the complexities of the tax laws and their effect on
current professional pronouncements, the tax specialist and the partner share the
responsibility for approving income tax amounts and disclosures in financial statements.

19.70 [Tailor the following paragraph to reflect your firm’s policies and practices] Firm
policy requires tax specialist reviews (preferably in the field) for all audit engagements,
except governmental entities and certain employee benefit plans.

19.71 Evidence of review and approval of tax-related workpapers, permanent file and
financial statements by the tax specialist is provided by completing and signing the “Tax
Specialist Review” program in Voyager. The tax specialist signs this program after being
satisfied that:
• all workpaper and permanent file review comments were satisfactorily
resolved
• the tax presentations in the financial statements are in conformity with
professional standards and the firm's policies and procedures

19.72 [Tailor the following paragraph to reflect your firm’s policies and practices] A
review by a tax compensation specialist is required for an employee benefit plan audit
that has significant or unusual issues or a plan that is:
• a multi-employer plan
• filing a Form 11-K
• terminating
• a delinquent filer
• undergoing a regulatory inquiry, examination or investigation

Shared Audit Services and Tax Department Responsibilities

19.73 Audit teams should have sufficient knowledge of tax matters to enable them to
audit the tax accruals and financial statement disclosures. Tax specialists performing
tax reviews should be aware of auditing and accounting concepts, as well as regulatory
requirements.

19.74 The partner or manager should ensure that any significant tax matters, affecting
either current, deferred or future taxes, are brought to the attention of the tax
reviewer. The tax reviewer reviews the financial statements from a tax viewpoint,
considers tax planning opportunities and possible pitfalls and ensures that these are
discussed with the lead partner and/or manager.

19.75 The tax review and the quality control review, if required, should be coordinated
to ensure that the firm's review objectives are met. In doing so, the reviewers should
have a clear understanding of the differences between treatment of items in the
determination of pretax accounting income and of taxable income. Only through such
understanding can there be a correct classification of the taxes estimated to be payable
and the tax effects of timing and permanent differences and operating losses that are
the components of income tax expense.

19.76 Each tax reviewer is expected to have a sufficient knowledge of accounting for
income taxes to meet the firm's objectives for review of the income tax accruals and
related expenses.

Tax Review Documentation


19.77 [Tailor paragraphs 77 to 81 to reflect your firm’s policies and practices] A
senior tax professional (tax services partner, senior manager, or manager) should
document significant income tax matters in a memo (sometimes referred to as a
Summary Tax Accrual Review Memorandum) on every SEC audit engagement. A
memo may also be prepared on other audit engagements when the tax specialist
believes there are significant income tax matters. This documentation is included in the
“Tax Specialist Review” program in Voyager.

19.78 The primary purpose of the memo is to focus the audit team’s attention on
significant or unusual tax issues. The memo is neither intended to be a complete
summary of all audit procedures performed, nor a restatement of the risk assessment or
other planning documentation. However, the memo should document the procedures
performed to address significant or unusual tax matters, the evidence obtained and the
basis for the conclusions reached. The memo should be signed off by the senior tax
professional, reviewed, and signed off by appropriate audit professionals on the audit
team and included in the audit workpapers.

19.79 Each of the matters included in the memo, to the extent applicable, should be
cross-referenced to/from the tax accrual workpapers.

19.80 Ordinarily, the audit manager reviews the memo and, with the assistance of the
senior tax professional, determines the matters to include in the Summary of Significant
Matters.

Workpaper Access to Third Parties

19.81 Because the memo and other tax workpapers contain information related directly
to tax positions, potential claims of privilege or other aspects of tax confidentiality or
issue sensitivity are a concern. Therefore, when the audit team is uncertain about
allowing access to these workpapers to a successor auditor or others, the NPPD should
be consulted. The NPPD will involve Tax Practice Policy & Quality, RRLA or others, as
appropriate.

Clearance of Points Raised

19.82 [Tailor the reference to Appendix D to reflect the location of your firm’s retention
policies] All review points that have a bearing on the financial statements or the
auditor’s report (including those of the tax reviewer) should be satisfactorily cleared prior
to the date of the audit report. All outstanding points lists, superseded schedules, and
workpapers prepared on a tentative or draft basis should be removed from the audit
workpaper files and discarded, except where specifically required to be retained in
accordance with the firm’s Record Retention Policy in Appendix D. For risk
management reasons, audit teams should not maintain any such items in personal files.

19.83 Care should be taken to ensure that:
• the relevant workpaper pertaining to the initial review comment was
annotated with the evidence required
• each reviewer is satisfied with the clearance of points

Quality Control Review Policies and Procedures

General

19.84 [Tailor the following paragraph to reflect the person in your firm that is
responsible for assigning quality control reviewers] When a quality control review is
required, the PSP should assign the individual who will perform the review. Quality
control reviewers should:
• be skilled in the relevant industry and specialized industry practices
• possess knowledge of the relevant accounting and auditing standards
• be proficient in applicable regulatory reporting rules and other
requirements for the client
• understand relevant firm policies, procedures and tools related to the
client and its industry

19.85 [Tailor to reflect your consultation policy] The assignment of a quality control
reviewer does not alleviate the responsibilities of the partner or any other members of
the audit team; however, the quality control reviewer should be available to the audit
team during the course of the engagement to discuss issues, including the resolution of
significant matters. In addition, whenever possible, the audit team should discuss
significant matters with the quality control reviewer prior to consultation with the NPPD
or outside parties.

19.86 A quality control reviewer may not act as the primary contact with client
management, or otherwise assume the responsibilities of the client services partner or
the lead partner. Although a client may contact the quality control reviewer with respect
to matters requiring immediate attention when the lead partner is not available because
of illness, extended travel or other reasons, the quality control reviewer should advise
the lead partner of the facts and circumstances so that the lead partner can review the
matter and take full responsibility for its resolution.

19.87 Additionally, the quality control reviewer may not have responsibility for the audit
of any significant operations, divisions, benefit plans, or affiliated or related entities, nor
may the client services partner serve as quality control reviewer.

19.88 The scope of the quality control review will vary in accordance with the type of
engagement, the engagement risk category assigned, and the policies discussed in this
section. This function is performed in each office by an individual with appropriate
background and experience in accordance with established quality assurance policies.
The quality control review is intended to be a quality control measure calling for an
additional level of review and accordingly, does not eliminate the requirement for
appropriate review by the lead partner.

19.89 The quality control review should be completed before the date of the auditor’s
report.

Quality Control Review Partner for Listed Entity Engagements

19.90 For listed entity engagements, the quality control reviewer, who must be a
partner, is also referred to as a quality control review partner (see Chapter 26). The
quality control review partner should be knowledgeable of relevant specialized industry
practices, as well as applicable rules and regulations. The quality control review partner
should sign the Voyager “Quality Control Review” program and the Report Guide Sheet.
In all cases, the quality control review partner’s review should be completed before the
date of the audit report.

19.91 Responsibility for the overall performance of the quality control review of a listed
entity engagement may not be delegated and remains the responsibility of the quality
control review partner. The quality control review partner’s responsibility is to perform an
objective review of significant auditing, accounting, and financial reporting matters and
to conclude, based on all the relevant facts and circumstances of which he or she has
knowledge, that no matters have come to his or her attention that would cause him
or her to believe that the client’s financial statements covered by our auditor’s report are
not in conformity, in all material respects, with the applicable financial reporting
framework or that the audit was not conducted in accordance with auditing standards.
Further, the quality control review partner’s responsibility is to provide additional
assurance to the firm that audit risk has been reduced to an acceptably low level.

Acceptance for Review

19.92 Upon receipt, the quality control reviewer should scan the submitted workpapers
to determine whether, on their face, they appear to be acceptable. If there are obvious
omissions, the workpapers should be returned to the engagement team for completion.

Scope of Review

19.93 [Tailor the titles in the following paragraph to reflect your policies and procedures]
Determining the scope of a quality control review depends on the nature and risk
characteristics of the engagement and requires the exercise of professional judgment
based upon the facts and circumstances. Quality control review procedures may be
expanded as deemed necessary by the PSP or at the request of the lead partner, OMP,
or the NPPD. However, the nature and scope of any expanded review procedures
performed are always at the discretion of the quality control reviewer.

19.94 The scope of the quality control review includes reviewing draft financial
statements, the audit report and relevant documentation. To determine the extent of the
documentation to be reviewed, the quality control reviewer should obtain a draft of the
financial statements and discuss the engagement with the partner and/or manager. The
discussion should provide information regarding the following:
• areas with significant auditing, accounting, and financial reporting matters,
  including the adoption of new accounting standards
• unusual auditing, accounting, and financial reporting matters
• audit procedures and conclusions related to high-risk transactions and
  account balances
• the existence of significant, unresolved matters

19.95 With this information, the quality control reviewer should have the necessary
information to determine the significant areas of the audit and the workpapers where his
or her attention will be focused. At a minimum, quality control reviewers should review
and sign-off (as evidence of their review):
• the audit plan and risk assessment workpapers – it may also be
  appropriate to review Voyager tailoring logs
• Summary of Significant Matters and the related workpapers – if the audit
  team raises issues that are not included in the SSM, the quality control
  reviewer should request the audit team to revise their documentation
• audit adjustments
• Summary of Unrecorded Misstatements, including missing disclosures
• Summary of Control Deficiencies, including documentation of the audit
  team’s evaluations of the severity of deficiencies in the Design
  Effectiveness tools
• important tax workpapers and memos
• Financial Statement Disclosure Questionnaire
• key workpapers (based on the discussion with the partner and manager)
  and any other significant areas selected by the reviewer. This may include
  key workpapers related to reasonably possible risks, procedures
  performed in response to specific risks, workpapers supporting financial
  statement amounts or disclosures or summaries related to the internal
  control audit. Ordinarily, these areas and the related workpapers will be
  identified in the SSM.
• “Quality Control Review” program

19.96 [Tailor the first point to reflect your titles and policies] In addition, the quality
control reviewer should fulfill his or her responsibilities by:
• performing the timely review of the audit plan for first year audits of SEC
  engagements and for clients designated for NPPD involvement. This
  timely review is to be documented by signing the related audit program
  procedure and should be completed before the start of substantive
  fieldwork.
• confirming with the lead partner that there are no significant unresolved
  matters
• reviewing significant areas of the audit and related workpapers (see below)
• concurring with the resolution proposed by the audit team of any
  significant matters not previously identified that came to the quality control
  reviewer’s attention
• reading the auditor’s report and the financial statements to determine that
  they comply with professional standards and firm policies

19.97 In addition, audited financial statements to be included in prospectuses, offering
circulars, proxy or information statements, and certain reports filed with regulatory
authorities, require compliance with specific regulations and instructions. Accordingly,
prior to their filing or release, the financial statements and reports with which the firm will
be associated should be reviewed by a quality control review partner.

19.98 [Tailor the last sentence to reflect your policies and practices] Other than the
workpapers necessary to complete the quality control review responsibilities, the firm
does not expect that the quality control reviewer will perform detailed reviews of other
workpapers. The responsibility for gathering sufficient evidential matter and sufficient
documentation to support the audit opinion rests with the partner, with the assistance of
other team members. In circumstances where the quality control reviewer believes it is
necessary to perform a detailed review of other workpapers, the situation should be
brought to the attention of the OMP, PSP, and NPPD.

Audit Team Responsibilities for Quality Control Review

19.99 During the course of the quality control review, comments on the adequacy of the
workpapers may be developed, and questions or suggestions related to the financial
statements and auditor’s report may be raised. The partner is responsible for
determining that the workpapers and the report reflect all modifications to resolve such
issues.

19.100 The partner is responsible for ensuring that the workpapers are complete
and meet the firm and profession’s standards of quality. In so doing, the lead partner
confirms that accounting, auditing, or reporting questions that may arise are researched
and resolved. Within the context of the policies set forth herein, the quality control
reviewer has the responsibility to review and concur with the resolution of any such
issues.

19.101 [Tailor the following paragraph to reflect your policies and procedures]
The quality control reviewer should feel free to discuss conclusions on significant
matters with the NPPD if he or she believes it appropriate to do so. Where differences
of opinion as to the proper conclusion exist between the quality control reviewer and
partner, the PSP is consulted. If the lead partner is the OMP, the NPPD is consulted.
See Chapter 16 on professional disagreements. The quality control reviewer and lead
partner should also consult the NPPD if outside parties were previously consulted and
the quality control reviewer believes facts were not brought to the outside party’s
attention that might change their conclusions on the matter.

Evidence of Quality Control Reviewer Approval

19.102 The quality control reviewer's sign-off on individual workpapers and their
signature on the Quality Control Review program acknowledge approval of the
workpapers and permanent files. The quality control reviewer's signature on the Report
Guide Sheet acknowledges approval of the financial statements and auditor’s report.
The quality control reviewer should not sign the Report Guide Sheet until first
completing the necessary procedures.

Rotation of Quality Control Reviewers

19.103 [Tailor to reflect your policies] Quality control reviewers for audit
engagements of SEC clients, registered investment advisors, broker-dealers and
FDICIA reporting institutions are required to be rotated every five years. Refer to the
Independence and Ethics Manual in GEL for the specific rotation requirements.

[Tailor the heading and paragraphs 104 to 110 to reflect your policies, procedures,
regulations, titles, etc.]

NPPD Involvement

General

19.104 Certain engagements may entail knowledge of regulatory requirements,
involve a higher degree of public interest, and/or potential claims of reliance. The NPPD
should be notified of such engagements and may choose to become involved in some
capacity. This typically involves a discussion of how significant accounting, auditing, and
reporting matters are resolved, but could involve a review of the documentation of such
matters. Ultimately, the NPPD and other members of the NPSG serve to:
• make high-level professional expertise available to operating offices and
  partners as needed
• help protect the firm from the substantial liability that can be incurred in
  connection with certain engagements
• minimize the costs to our clients in connection with these frequently
  complex and technical engagements by bringing to bear additional skills
  and experience
• enhance the firm's professional reputation in the eyes of the SEC and the
  entire financial community

Applicability

19.105 Each year during the annual office visit, the OMP, PSP, and the NPPD will
discuss clients within the office and decide which engagements warrant NPPD
involvement. The decision on involvement and the extent of involvement is subjective
and takes into consideration engagement risks, including the:
• entity’s ability to continue as a going concern
• entity’s ability to produce reliable financial reports
• management’s ability to make reliable estimates
• significance of revenue recognition, impairment, financial assets and
  liability transfers (including securitizations), employee compensation,
  equity, or derivative financial instrument issues
• significance of in-process research and development costs charged to
  operations
• significance of restructuring or merger-related charges during the last
  three years
• significance of related party transactions
• significance of transactions occurring at period end
• restatements made by the entity for other than a change in accounting
  principles required by adoption of a generally accepted accounting
  principle
• the complexity of the information technology systems used in financial
  reporting applications
• management characteristics, including aggressive accounting methods
  and reporting practices, compensation, stock awards and options, or
  bonuses impacted by results of operations, history of litigation against
  professional service firms
• entity's relationship with regulatory agencies
• former firm partner, principal, senior manager or manager who is currently
  an officer, director, or employee who has the ability to significantly
  influence operations

19.106 The NPPD will typically get involved when historical or prospective
financial statements with which the firm is associated are to be included in:
• filings pursuant to the Federal securities laws involving the initial
  registration of an entity (or going private), the raising of funds or exchange
  of securities
• the initial audit of an SEC client
• any other financing or equity document, including, but not limited to:
  o general use prospective financial statements
  o intrastate offerings
  o exempt offerings under Regulation A or D

19.107 Further, notification to the NPPD using the PSN Form is required in the
situations noted below, including both historical and prospective financial statements.
These notifications should be made before acceptance of the engagement, with the
exception of “Large footings” engagements. To demonstrate compliance with firm
policies, the PSN Form should be included in the engagement workpapers.

Engagement characteristics

• reports on financial statements of an entity planning to go public, but has
  no impending securities offering
• NPPD involvement is requested by the PSP or lead partner
• entities requesting a report on the effectiveness of internal control over
  financial reporting for the first time (see Chapter 25)
• engagements to consult on the application of accounting principles (AU
  625/SAS 50) where the firm is not the auditor (see Chapter 31)
• report on the examination or review of Management’s Discussion &
  Analysis (MD&A) (see Chapter 30)
• privately-held entity requesting an audit performed in accordance with
  standards issued by the PCAOB, the IASB, or a non-US jurisdiction
• engagements involving contingent fees or commissions for an assurance
  client

Large footings

• large footings - financial statements with assets of $250 million or more or
  revenues of $100 million or more (excluding governmental entities and
  agencies). Note: this notification may occur during the annual NPPD office
  visit or through approval in the Client Acceptance database, rather than a
  separate filing of the PSN Form.

Securities offering or other filings of SEC or other registration statements

• securities offering or other filings of SEC or other registration statements
  where our report is included in or incorporated by reference in an offering
  of securities or debt, including private, not-for-profit, governmental, and
  intrastate offerings or a registration document filed with the SEC,
  including:
  o blue-sky filings
  o private offering circulars or memoranda, such as tax shelter
    offerings
  o foreign securities offerings
  o reports pursuant to the Investment Advisers Act of 1940
  o local governmental securities offerings
• other circumstances where we are requested to provide a letter
  acknowledging the use of our report, related to an offering or registration
  statement

Sale or acquisition engagement

• engagements when we are requested to provide services in connection
  with business combination and other situations involving a sale or
  acquisition
• because of the extent of risk involved, the firm ordinarily will not accept a
  review engagement in these situations. In other words, we will either audit,
  compile, or perform agreed-upon procedures. This policy is intended to
  require notification for all financial reports with which we are associated in
  sale or acquisition situations (i.e., audits, reviews, compilations,
  agreed-upon procedures, prospective reporting, due diligence engagements).

19.108 The PSN Form is also required in the following situations:
• when we become aware of a proposed restatement (prior period
  adjustment) of financial statements or financial information, other than the
  adoption of a new accounting standard
• proposed amendments to Form 10-K or 10-Q that are unrelated to the
  financial statements or financial information, including:
  – a deficiency in the filing, such as amending management’s internal
    control certification
  – a material subsequent event
• broker-dealer reports and stock exchange questionnaires

19.109 The NPPD will generally become involved in all Registrations under the
Securities Act of 1933 as follows:
1
1933 Securities Act Registrations Required At NPPD Discretion
Form S-1 (New Money) X
(Evergreen) X
Form S-3 (New Money) X
(Secondary) X
(Evergreen/Stock Purchase) X
Form S-4 (Merger and Acquisition) X
2
Form S-6 (Initial) X
(Annual Updates) X
Form S-8 X
Form S-11 (Raising Money) X
Notes:
1 Filings for foreign private issuers (i.e., the "F" series) should generally be reviewed by a GTUS
audit partner as coordinated by PIC SEC.
2 When this pertains to a series of similar filings, only the first in the series would usually be
reviewed. Thereafter, the review of offerings would be at the discretion of the NPPD.

19.110 The lead partner, PSP or OMP are encouraged to request the involvement
of the NPPD if they believe the circumstances so warrant. Moreover, the NPPD is
authorized to become involved in any engagement as he or she deems appropriate. In
certain situations, the NPPD may choose to perform the quality control review.

Procedures to Be Followed by the Operating Office


[Tailor the following paragraphs to reflect your policies and practices]

19.111 As soon as we are engaged to undertake an assignment of the nature
discussed in this section, the lead partner is to notify the NPPD and the PSP. The PSN
Form should ordinarily be used for such notifications. When reasonably determinable,
an expected timetable of critical events should accompany the appropriate forms.

19.112 If the client services partner or lead partner deems it desirable to invite
another partner who has broader SEC experience to meet with the client or to provide
guidance in a specialized part of our practice, a request for such assistance should be
included in the notification.

19.113 PSN Forms should be accompanied by the client's most recent financial
statements (or, if financial statements are not available, a copy of the tax return or a
recent trial balance) as an indication of size and financial condition. A copy of any
pertinent agreements (e.g., acquisition agreement, draft underwriting agreements, etc.)
should be sent with such forms, when applicable.

Securities engagement notifications that relate to a new SEC client should be
accompanied by a copy of the most recent filing to register securities under Federal or
state securities acts or the offering document used in reliance upon an exemption
thereof.

Final Report Issuance


19.114 [Tailor the following paragraph to reflect your policies, practices and titles]
The engagement team is responsible for the quality of the report. However, the PSP
should adopt reasonable policies to ensure the quality of reports issued, which could
include designating a pre-release report read by an audit partner or manager who is not
a member of the engagement team. However, the person performing this pre-release
report read is not assuming any quality assurance responsibilities and will not sign the
Report Guide Sheet as having any responsibility for the quality of the report. Therefore,
the engagement team must understand that any such procedures do not alleviate their
responsibilities.

19.115 Prior to releasing the report, the engagement team considers whether the:
• report and financial statements, on their face, appear appropriate
• amounts that lend themselves to comparison are consistent
• identification of the financial statements and organization of the overall
  report are proper (e.g., page numbers are correct, financial statements
  contain appropriate legends, or other necessary identification, such as the
  proper labeling of "unaudited" information)
• notes to financial statements are properly referenced
• obvious typographical or clerical errors have been corrected

Mechanical Accuracy

19.116 The lead partner (or manager, if one is assigned) is usually responsible for
ensuring that the mechanical accuracy procedures set forth in the applicable review
programs are performed. When the "mechanical accuracy" review procedures have
been performed at the direction of the manager, the manager's signature on the
Voyager review program acknowledges responsibility for the satisfactory performance
of such procedures.

Other Information Relating to Auditor’s Report

19.117 Chapter 18 discusses the audit team’s responsibilities for other
information in documents containing audited financial statements. The procedures
performed (e.g., reading such documents to ascertain that they do not contain material
inconsistencies or misstatements of fact) are ordinarily under the direction of the
manager.

19.118 Our reading of such other information should ordinarily be documented in
the workpapers. This documentation might be accomplished by including the cover
sheet of drafts of the other information in the workpapers, appropriately initialed and
dated by the reader of such information.

Report Preparation and Processing


19.119 [Tailor the following paragraph for your regulations and titles] For
engagements subject to SEC independence rules, the company’s management should
maintain control of the financial statement preparation process; and therefore, we
should not type the financial statements, schedules, or notes. However, we may provide
assistance in formatting the document and provide word processing templates.
Consultation with the NPPD is required if the company’s audit committee wishes to
engage our administrative personnel to type the financial statements, schedules, or
notes. For engagements not subject to SEC independence rules, refer to Chapter 6 for
guidance on performing nonattest services.

19.120 The end product of our work, the reports or “deliverables” that are
delivered to the client, should ordinarily be prepared in accordance with firm policies set
forth in this Manual. For purposes of this Chapter, this product is referred to as the
report. Early determination of the report format, disclosure requirements, and review by
the lead partner with the client is necessary to avoid undue delay at the end of the
engagement. For similar reasons, unusual items should be brought to the attention of
the PSP as soon as possible.

19.121 Preliminary report drafts should be submitted early in the engagement so
that the engagement team, the quality control reviewer, if assigned, and the client can
resolve questions of disclosure and format prior to the report delivery date.

Prevention of Errors

19.122 When preparing reports, headings, captions, descriptions, and amounts
should be clearly and legibly drafted. Proper names of persons, companies, trusts,
estates, and securities should be complete and correct as to the proper spelling and
precise title.

19.123 Prior to its submission to the word processing department, the manager
and/or the partner should read a draft of the report to ascertain that inconsistencies and
unwarranted repetitions have been eliminated.

19.124 The following procedures should be followed:
• all amounts in the report are checked to the source workpapers by a
  second person
• a second person checks the footings of all statements and schedules
  included in the report even though they have been copied from
  workpapers or prior reports

Regardless of the method of report preparation, any corrections made to the report draft
should be rechecked to determine that any errors noted have been corrected.

[Tailor the following section to reflect your country’s monetary unit]

Whole-Dollar Reporting

19.125 Financial statement amounts (with the exception of per share data) should
be rounded to the nearest dollar. Consideration should also be given to rounding off to
the nearest "thousands of dollars" in published reports and the reports of larger clients.
If this procedure is being followed for the first time, the lead partner should ensure the
client's approval has been obtained.

Report Processing

19.126 The report processing phase of an engagement is a vital aspect of the
firm's operations. Two important considerations relating to the processing are that:
• appropriate control is maintained over the quality of work performed
• systems and procedures are efficient and result in meeting deadlines

Report Guide Sheet

19.127 [Tailor to reflect your practice] The Report Guide Sheet reflects the quality
control review policies. The Report Guide Sheet should be completed and bound with
the office copy of all reports or letters (e.g. audit committee communications,
independence certifications under Independence Standards Board Statement 1,
management letters, and other similar letters) that are manually signed with the firm’s
name or bear a conformed firm signature.

Engagement Information

19.128 [Tailor the following paragraph to reflect your firm’s policies and practices]
Based on the EPF assessment, the engagement team will indicate on the Report Guide
Sheet whether a quality control reviewer is necessary. Likewise, the engagement team
should indicate whether the NPPD has selected the engagement for his or her
involvement and whether a pre-release report read is required. The partner or manager
releasing the report can then determine whether all appropriate levels of review are
completed and signed off prior to release of the report and that the pre-release report
read, if required, has been completed.

Hold Items

19.129 Certain items (typically legal confirmations and representation letters) are
necessary as workpaper documentation, and should be received before our report is
released. Such items are listed on the Report Guide Sheet. Since these items are not
expected to affect any amounts or disclosures in the report, processing can be
commenced with appropriate "holds" against release until all such items are cleared.
The lead partner is responsible for clearing all hold items and should confirm that a
member of the engagement team initials the “Cleared By” column on the Report Guide
Sheet. Although the quality control reviewer, if assigned, should be satisfied with the
clearing of the hold items, the quality control reviewer is not required to initial the
clearance of hold items.

Report Processing

19.130 [Tailor the following paragraph to reflect your firm’s policies and practices]
An office may use the report processing information and production information on the
second page of the guide sheet or may elect to use other supplemental word
processing sheets to facilitate the tracking of word processing and proofing
responsibilities. The firm does not require report processing signatures. However, the
PSP in each office is responsible for establishing report processing controls that will
reasonably ensure the quality of the report and the archival and retrieval of engagement
report files.

19.131 [Tailor the following paragraph to reference the location of your firm’s
record retention policies] When a report is submitted for processing, all audit
procedures should be complete. Follow-up on completion of workpaper documentation
is the lead partner's responsibility. Incomplete documentation should not be listed as
“hold items” on the Report Guide Sheet. Changes to audit documentation after the
release of the report should be handled in accordance with the firm’s record retention
policies in the appendices.

Pre-Release Report Read

19.132 [Tailor the following paragraph to reflect your firm’s policies and practices]
The firm recommends that a qualified individual perform a final read of the report prior to
its issuance. The purpose of a final read is to have an audit partner or manager perform
a “cold” reading of the report. The Report Guide Sheet is designed so that the lead
partner must take responsibility for the quality of the report. If the lead partner believes
that a cold report read is not necessary, he or she must indicate that determination on
the Report Guide Sheet.

19.133 Operating offices may adopt additional reasonable policies and
procedures to ensure the quality of reports issued, which could include a pre-issuance
report read by someone who is not a member of the engagement team. In these
instances, the reading is not intended as a quality audit review and does not alleviate
the responsibilities of the lead partner or other team members. Nor does the person
performing the reading assume responsibility of a quality control reviewer. The person
performing this read considers:
• whether the report and financial statements, on their face, appear
  appropriate
• the internal consistency of amounts that lend themselves to comparison
• the proper identification of the financial statements and organization of the
  overall report (e.g., page numbers are correct, financial statements
  contain appropriate legends or other necessary identification, such as
  "unaudited")
• whether the notes to financial statements are properly referenced
• whether obvious typographical or clerical errors have been corrected

Report Clearance

19.134 The Report Guide Sheet is signed by the person(s) accepting
responsibility for the engagement. The lead partner (or manager if an audit partner has
not been assigned) will always be required to sign to indicate that he or she has
reviewed the report letter and financial statements or other report and is satisfied that
the engagement team has met firm and professional standards for the engagement.

Final Release

19.135 The final release section of the Report Guide Sheet can be signed by any
partner, senior manager, or manager. The audit partner or manager releasing the report
should determine that all appropriate levels of review are completed and signed off prior
to release of the report. When appropriate levels of review have not been completed
and signed off, such as when the lead partner and/or quality control reviewer, if
applicable, are not in the office when clearance is obtained, the professional authorizing
the final release is responsible for follow-up to ensure that such signatures are entered
as soon as possible, dated as of the date the clearance was given (i.e., not later than
the final release date).

19.136 The audit partner or manager releasing the report also has the
responsibility to determine that all hold items are cleared and the pre-release report
read, if applicable, has been completed.

Filing

19.137 The completed Report Guide Sheet should be filed with the office copy of
the report.

Report Release

General

19.138 The distribution of reports is an integral part of our practice. Due
professional care is directly related to report distribution. No reports should be released
until the Report Guide Sheet is signed and hold items cleared.

19.139 Our auditor’s report and, if typed by our word processing personnel, the
related financial statements are generally issued only to the client who engaged our
services. The unauthorized distribution of a report represents a violation of the
confidential relationship between our firm and the client. Frequently, clients may ask the
audit team to mail copies of their report directly to third parties. This is a practice to be
avoided, since distribution of reports to third parties increases our legal exposure to
such parties (as the firm is then on notice that specific outside interests will use the
reports and will rely on the representations therein). In rare instances, where the firm
assumes this added responsibility, distributions are made by us only upon specific
written instructions from the client, and reference to the client's instructions is included
in the transmittal to the third party (see Report Transmittal Letters below).

Delayed Release

19.140 Clients may request us to furnish additional copies of a previously issued
report. Generally, an effort should be made to have these reports identical in
appearance and date and, therefore, in the same condition as if the additional copies
had been initially requested and furnished at the same time as the first copies were
delivered. In such circumstances, additional report copies may be delivered without
further investigation or inquiry as to events that may have occurred between the date of
issuance of the initial report and the request for additional copies.

19.141 In some unusual cases, it may not be desirable to deliver additional copies
of a report as there may have been a change in the client's circumstances that has
come to our attention subsequent to the issuance of the original report. A similar
condition exists when the issuance of an original report was delayed beyond a normal
period. In such cases, it may be appropriate to issue a revised report stating that it is
currently submitted under the circumstances or conditions existing at the time of first
issuance, but with an accompanying disclosure relating to the subsequent change.

19.142 Refer to Chapter 21 regarding situations where dual dating of our report is
appropriate.

Report Drafts

19.143 If our word processing personnel type the financial statements, clients
should review and approve a draft of their financial statements and notes before final
release, as the financial statements and representations are those of the client. In
drafts, it is essential that each page of the draft be clearly marked as such. Suitable
language for a rubber stamp for this purpose would be: Preliminary Draft – Subject to
Change. Our name should not be included on such rubber stamps.

19.144 [Tailor the following paragraph to reflect your firm’s policies and practices]
Ordinarily, drafts of our auditor’s report letter will not be included with the financial
statement drafts. After consultation with the PSP, clients may be given drafts of our
auditor’s report letter. The lead partner is responsible for controlling the release of all
drafts.

Report Transmittal Letters

19.145 Effective control over all phases of an engagement includes a record of
the report delivery. A suggested letter, applicable to all financial reporting engagements,
follows.

Pursuant to our engagement letter dated July 21, 20X1, enclosed are 20 copies of the
financial statements of XYZ Company, Inc. and Subsidiaries for the period ended
December 31, 201X. A report letter describing the scope of our work is included with the
financial statements.

Other comments should not be included in the transmittal letter to avoid the possible
implication of modifying our auditor’s report on the financial statements.

19.146 When reports are sent to parties other than the client (the rare instances
previously discussed), we should ordinarily add a paragraph to the transmittal letter to
the client stating that a given number of copies are being delivered to another party or
parties in accordance with instructions received. Where more than one type of report is
being transmitted, each type should be specifically identified. In the letter to the other
party, the letter should state:

In accordance with written instructions of ABC Company on March 15, 201X, we enclose a
copy of the financial statements of ABC Company as of December 31, 201X and the year
then ended.

Firm Distribution of Reports

General

[Tailor the paragraphs 147 through 161 to reflect your firm’s policies and
practices]

19.147 One copy of the printed annual reports of all SEC clients should be sent to
the NPPD.

19.148 One copy of each report on the following types of clients and
engagements should be forwarded to the NPPD:
 audit engagements (including those described in Chapter 31) where:
o a qualified opinion, disclaimer of opinion, or adverse opinion is
expressed (except where such an opinion is common, such as
disclaimers permitted by 29CFR 2520.103-5 of the Department
of Labor’s Rules and Regulations)
o the report has an explanatory paragraph
o the OMP is the lead partner
 SEC engagements (see Chapter 26)
 reports on specified accounts or items (See Chapter 31)
 other reports as, from time to time, may be requested by the NPPD
Report copies necessary for the foregoing purposes should be indicated on the reverse
side of the Report Guide Sheet. It is the responsibility of the PSP to ensure that
appropriate report distribution is made.

19.149 In addition, one copy of a report is generally sent to each office of the firm
that has significant participation in the engagement. Generally, in such cases, an
unbound copy of the consolidated report or printed report will suffice for such
distribution. This generally includes other GTI member firms participating in the
engagement. It does not include other auditors on whose reports we may rely, although
in special circumstances it may be appropriate to send an overall consolidated report to
the other auditor after obtaining the permission of the client. Offices receiving copies of
such reports prepared by other offices should file them with other reports of the office.

Affiliated Clients

19.150 For purposes of this section, the following definitions of "affiliate" and
“control,” as stated in the FASB Codification Master Glossary, apply:
 A party that, directly or indirectly through one or more intermediaries,
controls, is controlled by, or is under common control with an entity.
 The possession, direct or indirect, of the power to direct or cause the
direction of the management and policies of an entity through ownership,
by contract, or otherwise.
These definitions cover many business relationships in addition to that of parent-
subsidiary.

19.151 Where there is an affiliation between one or more clients, the lead partner
responsible for each such engagement provides copies of all reports issued on the
clients to the partners responsible for the other affiliated engagements. Client-printed
reports, proxy statements, and prospectuses are also furnished.

19.152 When an item comes to our attention on one engagement that could have
significance to an affiliated company, such data should be communicated promptly to
the appropriate lead partner. If such communication creates a problem under ethical
rules because of the confidentiality requirement, the NPPD should be consulted.

19.153 Workpapers are made available to other lead partners where the situation
surrounding the work for the affiliates makes this desirable.

19.154 These policies are for the purpose of encouraging communication on
matters affecting affiliates. However, the firm recognizes that lead partners cannot be
expected to have knowledge of all affiliations because of the number of the firm's clients
and the international scope of its practice.

Report and Correspondence Signatures

19.155 All reports issued to clients and correspondence with clients and other
outside parties carry with them the reputation, authority, and responsibility of the firm.
The following policies apply to assurance report and correspondence signatures:

Report Signatures

19.156 Only an audit partner may sign the firm's name to an auditor’s report,
accountant’s review report, or a special report letter. Ordinarily, the lead partner will
sign. If the lead partner is not available, the report should ordinarily be signed by the
PSP.

19.157 For SEC clients, an audit partner must sign all reports, including unaudited
financial statements, review of interim financial information, comfort letters, consents,
etc. As discussed in Chapters 21 and 26, the file copy of reports and consents filed with
the SEC are manually signed, Grant Thornton LLP. (Chapter 26 provides additional
guidance with regard to manual versus typed signatures.)

19.158 Only an audit partner may sign the firm's name to letters providing any
kind of assurances (positive or negative) with respect to financial data (e.g., comfort
letters) or to letters calling for any commitment by the firm (e.g., engagement letters,
consent, or privity letters). Additional guidance on signing the firm's name to
correspondence is provided below.

Use of Signature Stamps and Electronic Signatures

19.159 Offices may choose to use a signature stamp or electronic signature
instead of a manual signature for reports. This is acceptable as long as the PSP
implements policies and controls over the signature stamp to prevent its unauthorized
use and all relevant manual signatures are obtained on the Report Guide Sheet prior to
the report being released.

Correspondence Signatures

19.160 Formal letters such as proposals, engagement letters, or letters of
understanding may only be signed by a partner. A letter covering the transmittal of a
report, a tax return, or similar document is a formal letter and may be signed by a senior
manager or manager provided all appropriate Report Guide Sheet clearance signatures
have been obtained.

19.161 Informal letters include letters of congratulations, letters of transmittal
returning client's material, and letters regarding working arrangements, starting dates
and other non-technical matters. An informal letter may be signed by a partner, senior
manager, or manager. Other employees, with the permission of a partner or manager,
may sign an informal letter.

[Tailor the remaining paragraphs to reflect your practice and structure]

Operating Office Personnel Responsibilities

Office Managing Partner

19.162 The administration of each office is under the direction of an OMP who,
among other matters, is responsible for the office's adherence to the firm's policies and
maintenance of professional excellence. This includes the overall responsibility for
determining that engagements are administered and reports are issued in accordance
with the standards of the profession and the policies and procedures of the firm.

19.163 The OMP is expected to set the tone for the attitude of office partners and
staff toward adherence to professional and firm standards and ensure that an office
carries out its designated quality assurance and other responsibilities. These include:
 client and engagement acceptance and continuation policies, and
approving acceptance of new assurance clients
 compliance with state licensing requirements and state licensing records
on MyGT
 informing personnel of state board and state society rules of professional
conduct and the importance of adhering to them
 regularly informing professional personnel of the names of new clients of
the office and related entities or new situations where independence
should be maintained
 adopting policies, and when necessary, stipulating certain considerations
that require lead partner or manager involvement
 establishing policies for the approval of planned or budgeted write-offs
 establishing a plan for the continued successful growth of the practice of
the office

One Audit Service Partner Offices

19.164 Many of the firm's quality assurance policies and procedures are based
upon concepts of segregation of duties, such as one partner reviewing the work of
another. These concepts may be impossible or highly impractical to implement in any
office with only one audit services partner. In certain situations, firm guidelines prescribe
specific procedures to be followed by offices with a limited number of partners. Where
such specific guidelines are not stated, the NPPD should be consulted regarding the
procedures to be followed.

Professional Standards Partner

19.165 In each office, the OMP designates a partner as the PSP. The PSP is
responsible for monitoring the office's system of quality control for audit services
engagements. Such designation is subject to the advance approval of the NPPD.

19.166 The OMP, the PSP and APL have overall responsibility for certain matters.
The specific delegation of the responsibilities discussed in this section and the means of
carrying them out will vary in each office, depending on factors such as the size of the
office, complexity of the practice, industry service groups, etc.

19.167 In addition to the items described below, the PSP is also responsible for:
 approving acceptance of all new audit clients
 ensuring that copies of reports are sent to the NPPD
 approving any letters required to be issued to regulatory bodies
 ensuring the office’s compliance with the firm’s record retention and
archiving policies
 approving EPF in VIS

Quality Control Review

19.168 The PSP’s most important responsibility is developing and implementing
procedures to ensure that the firm's review policies are appropriately applied. These
include assigning quality control reviewers to specific engagements (such assignments
should meet the firm’s quality control review criteria), consultation regarding the
resolution of differences that may arise from such reviews, the follow-up of matters
requiring additional attention (concerning specific engagements or the office's general
needs), evaluating the performance of the reviewers and the personnel whose work is
being reviewed, etc. The PSP should also directly perform an appropriate portion of the
quality control reviews. Other reviewers may be assigned to engagements, including:
 assignment of qualified personnel not working directly for the PSP in
difficult or specialized situations. Such assignments should be made
sufficiently in advance.
 where the PSP is the client services partner or the lead partner on an
engagement requiring a quality control review, the OMP should assign a
quality control reviewer

Technical Support

19.169 The PSP provides technical support to audit professionals in the office by:
 providing advice regarding matters such as audit service matters,
acceptance and continuance of clients, and adherence to independence
policies
 determining whether quality control reviewers are required for audit
engagements and assigning quality control reviewers to such
engagements
 reporting to the OMP on any unresolved differences of opinion regarding
audit services
 acting as a liaison with the NPPD

Staff Development and Continuing Education

19.170 In consultation with the APL, the PSP is responsible for:
 assigning appropriate personnel to engagements, considering factors
such as their level of experience and specialized industry expertise
 determining that evaluations of technical proficiency for all audit
professionals are performed on a timely basis, and where personnel are
not meeting the technical performance expectations, ensuring that a
specific improvement program is developed for each individual, including
monitoring implementation of any such program
 actively supporting and participating in assuring appropriate evaluation
and development of the technical proficiency of candidates for
employment and promotion
 advising the APL as to the training needs of audit service personnel
 ensuring the appropriate technical information and the firm's policies are
communicated on a timely basis to partners and staff
 overseeing the maintenance of an audit services library and other
research tools and facilities
 determining that evaluations of technical proficiency for audit services, tax,
and consulting services personnel are performed on a timely basis

Client Service

19.171 In accordance with the firm’s Consultation Protocol, the PSP should be
available for consultation with clients on significant or complex professional questions.
To provide the most effective client service, such consultation should take place when
questions first arise and not after advice has already been communicated to the client or
shortly before a report is to be released.

Audit Efficiency

19.172 The PSP also develops and implements procedures to monitor the
efficient performance of engagements and the exchange of information concerning such
efficiencies within the office.

Practice Growth

19.173 The PSP assists in practice growth by participating in discussions on
complex or new professional standards and requirements with clients, prospective
clients, and at seminars or other similar presentations sponsored by the firm or other
organizations.

19.174 Certain of the quality assurance policies set forth in this Manual presume
that the individuals serving in the role of lead partner and the OMP will be CPAs with an
audit background. However, this may not be the case. In situations where they are not,
and where the firm has not stipulated pertinent procedures, the PSP is expected to
institute appropriate procedures, after consultation with the NPPD.

Audit Practice Leader

19.175 The APL is designated by the OMP and is responsible for:
 driving strategy development and implementation, profitability and growth
for the audit practice
 elevating the GT brand by demonstrating thought leadership and
embracing marketing and sales programs
 promoting collaboration between service lines and industries to provide
high quality client service
 attracting, developing and retaining talent and leaders for the audit
practice
 maintaining a high level of quality control in the audit practice, including
following the firm’s quality control policies

19.176 In addition, the APL is responsible for setting the proper tone of
professional excellence. This includes:
 driving the process of evaluating risk in client acceptance and continuation
matters
 staffing engagements with appropriate personnel to reduce risk (especially
public or other high risk clients)
 overseeing professional training on technical accounting, auditing, business
and industry issues
 assuming a leadership role in conforming with professional standards and
firm policies
 promoting a consultative culture in resolving technical issues with the
NPSG
 ensuring timely technical communication to clients
 integrating firm specialists as required by firm policies

World Class Audit Leader

19.177 The APL and PSP designate one or more individuals as World Class Audit
Leaders. Their responsibilities include the following:
 assisting the PSP in utilizing software tools
 functioning as the liaison between the local office staff and NPSG Audit
Methodology Group and IT personnel
 providing local office technical support for audit software tools
 handling local office administration

Continuing Education Administrator

19.178 Each OMP designates a Continuing Education Administrator. The CEA is
responsible for assisting the APL in administering the local office training programs and
facilitating the continuing professional education reporting to the National Office.

National Office Personnel Responsibilities

Regional Managing Partner

19.179 RMPs report to the firm’s COO and are responsible for the management
of the firm's professional services practice in the offices within their regions.

National Professional Practice Director

General Responsibilities

19.180 The NPPDs provide service support by providing audit teams with swift
responses to management concerns. Additionally, the NPPDs provide technical support
as part of the NPSG, making them responsible for technical matters relating to
accounting, auditing, and regulatory agencies within their regions.

In general, the NPPDs:
 consult with PSPs, quality control reviewers, lead partners, and others on
matters relating to accounting, auditing, and rules and regulations of
regulatory agencies
 respond to operating office technical inquiries on matters pertaining to
client engagements
 participate in the resolution of certain professional disagreements
 consult with lead partners as to the nature, extent, and need for additional
expertise with specialized industry engagements
 consult with RRLA on technical matters having legal implications or the
potential of becoming the subject of litigation
 approve and, to the extent necessary, participate in contacts with the SEC
 administer the firm's engagement notification and review policies
 scan certain reports and give consideration to post-review
 annually meet with the OMP and PSP to identify high-risk engagements
and to discuss, among other items, whether the following will be subjected
to NPPD involvement (the NPPD will determine the extent of this
involvement on a case-by-case basis):
o financial statements expected to be filed with the SEC
o financial statements reflecting total assets of $60,000,000 or
more or revenues of $30,000,000 or more (except those of
governmental entities)

19.181 Copies of certain reports are required to be sent to the NPPD on a post-
release basis. Selected reports are scanned by the NPPD and significant comments or
suggestions are forwarded to the PSP and pertinent lead partners. Lead partners
should take appropriate action with respect to matters called to their attention.

Assistance to Operating Offices

19.182 The NPPD provides assistance to operating offices and helps implement
the firm's accounting and auditing policies. The NPPDs and their assigned regions are
as follows:
Central      Dorsey Baskin
Midwest      Bert Fox
Northeast    Doug Reynolds
Southeast    Jeffrey Burgess
West         Sam Marcozzi

In the event that the NPPD with responsibility for a particular office is unavailable, any
other NPPD, or other members of the NPSG, may be contacted with respect to matters
that require immediate attention.

19.183 To facilitate communication with the NPPD offices, the following ground
rules should be observed:
 situations regarding regional notification or consultation and other inquiries
should first be directed to the PSP and/or quality control reviewer, if
applicable. Complex issues that warrant further consultation, or those that
require regional notification or consultation, should then be directed to the
appropriate NPPD. Appropriate local office personnel should continue to
be involved.
 call as early as possible, and certainly well before the due date of the
report or before a proposed solution is communicated to the client. It is
difficult to respond adequately when a deadline is imminent.
 consultations should follow the Consultation protocol, which includes:
o a statement of facts documented using the Consultation software
application, including appropriate background and supporting information.
Identify all research performed at the local level and describe any tentative
conclusions reached to minimize duplication of effort. Exhibits, including
copies of prior years' reports, should be made available to the NPPD,
where appropriate.
o notification of assignment as a timekeeper in CMS, including client and
assignment numbers
o the year-end and expected audit report letter date, if applicable

National Professional Standards Group

General Responsibilities

19.184 NPSG personnel are responsible for:
 establishing policies related to audit and assurance services
 maintaining, updating and/or reviewing assurance service publications
 maintaining and updating the firm's software tools (Voyager masterfiles
and other electronic audit tools)
 providing timely information concerning current assurance service
developments in the areas of accounting, auditing, ethics and
independence, regulatory (SEC) and specialized industries

Audit Practice Review

19.185 The PIC Quality administers the firm's Audit Practice Review. The APR
consists of reviews of operating offices conducted by APR teams comprised of partners,
senior managers, managers, and other selected personnel from offices other than the
office under review.

Technical Research Assistance to Operating Offices

19.186 Firm personnel provide technical assistance in assurance service matters
on request. Resources available for such assistance include a comprehensive library,
data retrieval services, and consultation regarding technical issues and computer
auditing.

19.187 Information Centers, located in New York – Midtown and Chicago, include
professional and technical periodicals, basic assurance service reference works,
textbooks, and other professional and technical publications and materials. Requests for
assistance with the following services should be directed to the marketing department:
 borrowing or copying of articles in AICPA, FASB, GASB, and other
professional publications
 reference services such as search and procurement of library materials
which provide information on companies and industries
 other on-line computer database services
Each operating office can retrieve Dun & Bradstreet reports for credit and financial
information on listed US companies. For further information or technical assistance,
contact the marketing department.

19.188 Data retrieval services – Access to the following database services is
available through the marketing department:
 LEXIS – Legal information
 NEXIS – Full text and abstracts of journals and newspaper articles along
with SEC filings, analyst reports and international information
 NAARS – Accounting literature and annual reports of selected public
companies
 PHINET – Federal tax information
 VU/TEXT – Full text of national and
international newspapers and wire services
 Corporate Library Board Analyst – information on corporate boards,
directors, compensation, insider trading, shareholder proposals, securities
class action filings, etc.
Operating offices may also subscribe to one or more of these databases, depending on
local needs, by contacting the Executive Office purchasing department (Chicago).
Requests for searches or assistance with searches should be directed to the marketing
department.

19.189 Online research tools – All firm employees can access the News and
Research tab on the firm’s KSource homepage that contains links to the following online
research tools:
 Accounting Research Manager – accounting standards from the major
standards setters and 10-K lookup tool
 Dow Jones Companies & Executives – provide company information and
executive profiles as well as competitive and peer comparisons, etc.
 IBISWorld – comprehensive and up-to-date collection of 700+ industries at
the 5-digit NAICS level

19.190 Background investigations – The firm’s Investigative Research Group
performs background investigation searches on potential new clients and other
investigative projects.

Assurance Services Publications

19.191 This section describes the firm's audit services publications and
procedures for notifying professional personnel of firm policies relating to audit services
matters.

Audit and Assurance Services Manual

19.192 The AASM is distributed electronically via NextPage Solo. The AASM is
available in GEL on audit computers and on KSource. The AASM summarizes firm
policies and procedures and is updated annually.

Firm Bulletins

19.193 The firm issues ASBs and PPBs to update personnel of changes in firm
policies and significant professional and firm accounting, auditing, reporting, or quality
control issues. PPBs contain material relevant to all professional service disciplines.
Bulletin numbers indicate the year and sequence of issue (e.g., 200X-1, 200X-2, etc.).
The primary means of notification that a new bulletin is released is via the firm’s e-mail
system. The firm posts the bulletins to KSource for short-term access and to GEL for
long-term reference.

NDSs are issued to discuss technical matters and authoritative pronouncements that
might also be of interest to clients. Quarterly, an NDS is issued to summarize
authoritative and other professional developments promulgated by standard setters and
other governing bodies during the past quarter. The primary means of notification that a
new NDS is released is via the firm's e-mail system. The firm posts the NDSs to
KSource for short-term access and to GEL for long-term reference. Operating offices
may distribute the external version of NDSs to selected clients.

APFYIs are issued by the NMP Audit Services. These communications are intended to
provide useful information and guidance to audit professionals with notifications of
emerging issues, but do not establish firm policy.

Chapter Twenty – Audit Completion

Summary

This Chapter discusses the concluding and other procedures performed by the audit
team during the closing stages of an audit. Insufficient control over completion
procedures leads to unnecessary work and costs that are difficult to recover. Further, if
this phase is not done well, a high quality audit may not be achieved.

Objectives

20.01 The overall objectives of completion procedures are to determine whether:
 events or transactions occurring subsequent to the balance sheet date
need to be presented in the financial statements
 the representations in the financial statements are in agreement with the
client’s records and the individual items presented are properly classified
and described
 the financial statements contain appropriate disclosures
 the auditor’s report is appropriate

20.02 Secondary objectives are to determine whether:
 decisions were considered at appropriate levels within the audit team and
are appropriately documented
 no “loose ends” remain in our workpapers

20.03 Audit completion procedures are generally performed at the client’s office by, or
under the direction of, the in-charge accountant and should include consideration of:
 minutes of stockholders and directors’ meetings
 responses to attorney inquiry letters
 events occurring subsequent to the balance sheet date
 representations from management
 significance of misstatements, including missing disclosures
 interim financial information
 fairness of presentation (including disclosures) of the financial statements
 final analytical procedures
 sensitive audit issues, including the possibility of fraud or illegal acts
 the client’s ability to continue as a going concern
 internal control deficiencies
 related party transactions
 fraud
 the implications of any identified non-compliance with laws and regulations
 the adequacy of evidence received from an expert
 consistency of all the audit evidence obtained

Approach to Completion Procedures

Timing

20.04 Timing of completion procedures is extremely important. Delays or undue gaps in
performing such procedures almost always cause inefficiencies due to duplication of
work or additional start-up time. Also, delays can involve nonavailability of staff. All of
these conditions increase the costs of delivery.

20.05 Timing is also critical to the final audit evidence-gathering process, and in
particular, the review of events subsequent to the balance sheet date. This review
should be carried out at a date as close to that of our audit report as possible. If
significant delays occur in completing the financial statements, the review may need to
be updated.

20.06 Circumstances causing completion work to be delayed should be documented. If
they are due to the client or to matters beyond our control, we should inform the client
and consider appropriate adjustment of our fees.

Evaluation of Procedures Performed

20.07 The audit team should determine whether the procedures performed adequately
respond to all the risks identified during the risk assessment process and throughout the
audit. In this regard the audit team should determine whether:
 all planned procedures were performed
 adequate documentation exists to support decisions where the audit team
changed planned procedures
Where our planned strategy was contingent upon presumptions to be verified during the
audit (such as acceptable levels of intended control reliance), the audit team should
confirm that those presumptions were verified.

Matters for Partner and Manager Attention

20.08 The in-charge accountant should communicate freely and frequently with the
manager. However, since the manager may not always be available, it may be
convenient for the in-charge to develop a list of matters for the manager’s attention.
Critical issues and decisions that may require early consideration should be brought to
the manager’s attention as soon as possible.

20.09 Most of the detailed work on an audit is performed under the general supervision
of the manager. The manager, in turn, should inform the partner of:
 significant and unusual matters, including the discovery of any fraud,
illegal acts, or significant adjustments to be made to the financial
statements
 preliminary decisions that require partner review and approval
 important decisions that should be made by the partner
 matters to be discussed with the client
 other matters that the partner wishes to be kept informed of (e.g., fee
issues)

20.10 All matters requiring the partner or manager’s attention should be:
 presented with proposed solutions, and the client’s view, where applicable
 properly concluded upon in the workpapers

Other Completion Procedures

Journal Entries and Other Adjustments

20.11 As part of every audit, and often as part of concluding procedures, the audit team
should examine selected journal entries and other adjustments for evidence of
misstatements due to fraud. Such testing is required by professional standards because
journal entries are often used to conceal a fraud.

20.12 Frauds perpetrated can be as simple as misstating consolidating trial balances or
making top-level adjustments outside the books and records. Fraudulent journal entries
can be made at any time, but frequently occur at or near the end of a reporting period.

20.13 It is not necessary to test every journal entry made by the entity, including entries
made in the subsidiary ledgers. Rather, the audit team should focus on entries such as
those:
 recorded in the general ledger
 entered on spreadsheets that support the financial statements such as
eliminations and reclassifications

20.14 To effectively identify journal entries to select for testing, the audit team should
begin by obtaining an understanding of the financial reporting process, including:
 policies for recording standard and nonstandard journal entries
 the individuals responsible for making and approving entries
 how the entity records entries
 controls over the journal entry processes
In Voyager, these controls are included in the Financial Reporting cycle within Entity-
Level Controls. The Journal Entries section contains procedures for documenting the
understanding of the entity’s journal entry policies and procedures as well as performing
tests of the journal entries.

20.15 Once the audit team understands the journal entry process and the controls over
it, they are in a position to consider how the entity could use journal entries to conceal
fraud. The audit team uses this understanding to determine which journal entries to
identify and test for appropriateness.

20.16 For the journal entry testing to be valid, it is essential that the population of
top-level entries be complete. Accordingly, the audit team should perform procedures to
verify the completeness of each population of journal entries. Audit teams can easily
test completeness when the client provides the journal entries in an electronic file.

20.17 Clients who use automated
accounting systems should be able to provide an electronic journal entry file. Even if the
system cannot produce an electronic data file, the information can be ported into Excel and
other media. The audit team should consider it a high risk factor if a client claims that
they cannot produce such a file or that the file they produce does not contain all the
fields necessary for testing. Audit teams are reminded to apply professional skepticism
in all situations, but especially when a client represents that they are unable to provide
electronic data in a format the audit team can interrogate. These situations should be
discussed with the office PSP before adopting alternative testing methods.

20.18 Since the purpose of testing journal entries is to determine whether the entry was
used to conceal fraud, the audit team should use professional skepticism throughout
journal entry testing, especially when:
 evaluating the journal entry file
 considering whether the entry is valid
 obtaining an understanding of the purpose of the entry
 determining the sufficiency of audit evidence to determine the absence of
fraud (it is not sufficient to verify approval of entries selected for testing or
make inquiries of management without obtaining corroborating evidence)

Testing Journal Entries

20.19 In particular, the audit team considers the following types of entries to scrutinize
for possible fraud:
 accounts with numerous entries where such activity is out of the ordinary
 accounts with large entries where such amounts are out of the ordinary
 preparers who recorded few entries
 entries prepared by persons who ordinarily would not be expected to
prepare entries
 entries with unusual posting dates or times
 entries with no description
 entries ending in round numbers

20.20 Typically, teams must analyze large amounts of data to effectively select entries
with the preceding characteristics for testing. It is difficult to perform a robust analysis of
this data manually. Therefore, teams should use IDEA Smart Analyzer on all audit
engagements for journal entry testing (exceptions should be rare). IDEA Smart Analyzer
is an IDEA add-in that facilitates the performance of many basic audit tests through the
use of pre-defined routines to extract and summarize financial data. Like IDEA, IDEA
Smart Analyzer is licensed by GTIL and available to all GTIL member firms.

20.21 IDEA Smart Analyzer allows audit teams to use the power of IDEA to interrogate
large amounts of data without having to separately create the formulas and scripts
required for each client situation. The ability to leverage pre-packaged routines built into
IDEA Smart Analyzer provides the following benefits:
 enhances audit quality by focusing the audit team on the items that matter
 increases the effectiveness of performing audit testing particularly where
large quantities of data and/or transactions need to be analyzed
 enhances consistency from one audit engagement to another
 saves time in developing the required formulas and then testing and
reviewing their accuracy
 reduces the risk that formulas are incorrectly designed resulting in flawed
data retrieval

20.22 IDEA Smart Analyzer includes pre-programmed routines that automate and
simplify the process. These pre-programmed journal entry routines include:
 Journal Entries Posted on Weekends
 Journal Entries Posted on Specific Dates (as defined by the user)
 Journal Entries Posted on Specific Times (as defined by the user)
 Summary of Journal Entries by User
 Journal Entries with Large Amounts (as defined by the user)
 Journal Entries with Rounded Amounts
 Journal Entries with Specific Comments (as defined by the user)
 Summary by Account Number

20.23 To use IDEA Smart Analyzer, audit teams should first identify routines for
execution. There are numerous pre-programmed routines available for use by audit
teams. However, audit teams should use their judgment to determine which ones are
most useful in each client situation. Users should not execute all routines simply
because they are available. Audit teams should assess risks and determine which
routines can best assist them in auditing those risks.

20.24 The second step is to tag the data in the IDEA file so that each field in the routine
corresponds to a field in the file. Refer to Exhibit 20.1 for information about the fields.
Next, users may need to input additional data (e.g., a threshold for large amounts).
IDEA will then generate the results from each routine into a separate IDEA file. Audit
teams can then examine and follow-up on the items extracted as appropriate. Refer to
Exhibit 20.2 for instructions to execute routines using IDEA Smart Analyzer.

20.25 Certain routines result in extractions of specifically identified journal entries, and
other routines result in a summary report that can be reviewed to identify journal entries
that may require further investigation. For example, the Summary by Account Number
routine summarizes each account and the number of journal entries posted to each
account. Audit teams can quickly review this list to identify accounts with numerous
entries where such activity is out of the ordinary. The Summary of Journal Entries by
User report can be used to review a comprehensive list of every individual who posted
journal entries rather than scanning the entire journal entry file to identify the individuals
who posted journal entries. If the audit team determines that the entity’s CEO is posting
journal entries, which in almost all audits should raise a concern, all entries by that
individual can be extracted for further review by the audit team.

20.26 IDEA Smart Analyzer is not a substitute for auditor judgment or knowledge of the
client. For example, the audit team’s knowledge of the client must be utilized to
determine whether using the Journal Entries Posted on Weekends routine would be an
effective way to identify entries to test. If the client’s personnel often work weekends
when closing the period, then this would not be an unusual activity and so this routine
would not be an effective way to identify journal entries for testing.
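
The entry characteristics in 20.19 and the routine types listed in 20.22, sketched as an added Python example; it is not part of the manual and is not IDEA Smart Analyzer's code. The file layout, column names, thresholds and sample entries are constructed assumptions.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from decimal import Decimal

# Constructed journal entry file. Column names and values are assumptions
# made for this example, not a client export or an IDEA file layout.
SAMPLE_FILE = """je_id,account,amount,user,posted,description
JE-001,4000,12500.37,asmith,2015-12-28 10:14,Monthly revenue accrual
JE-002,4000,250000.00,asmith,2015-12-31 16:40,Year-end revenue adjustment
JE-003,1200,8431.12,bjones,2015-12-30 11:02,Receivables reclass
JE-004,6100,50000.00,ceo,2016-01-02 23:47,
JE-005,6100,1912.45,bjones,2015-12-29 09:30,Travel expense correction
JE-006,2100,73218.90,asmith,2015-12-31 14:05,Accrued liabilities true-up
"""


@dataclass(frozen=True)
class Entry:
    je_id: str
    account: str
    amount: Decimal
    user: str
    posted: datetime
    description: str


def load_entries(text):
    """Parse the electronic journal entry file into typed records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Entry(r["je_id"], r["account"], Decimal(r["amount"]), r["user"],
                  datetime.strptime(r["posted"], "%Y-%m-%d %H:%M"),
                  r["description"].strip()) for r in rows]


def weekend(entries):
    """Entries posted on a Saturday or Sunday."""
    return [e.je_id for e in entries if e.posted.weekday() >= 5]


def outside_hours(entries, start=time(7, 0), end=time(19, 0)):
    """Entries posted outside a user-defined working window."""
    return [e.je_id for e in entries if not (start <= e.posted.time() <= end)]


def large(entries, threshold):
    """Entries at or above a user-defined amount."""
    return [e.je_id for e in entries if abs(e.amount) >= threshold]


def rounded(entries, multiple=Decimal("1000")):
    """Non-zero entries that are an exact multiple of `multiple`."""
    return [e.je_id for e in entries if e.amount != 0 and e.amount % multiple == 0]


def no_description(entries):
    """Entries with a blank description field."""
    return [e.je_id for e in entries if not e.description]


def summary_by_user(entries):
    """Number of entries posted by each user."""
    return Counter(e.user for e in entries)


def summary_by_account(entries):
    """Number of entries posted to each account."""
    return Counter(e.account for e in entries)


def infrequent_preparers(entries, max_entries=1):
    """Entries from preparers who recorded few entries in the period."""
    counts = summary_by_user(entries)
    return [e.je_id for e in entries if counts[e.user] <= max_entries]


def select_for_testing(entries, routines):
    """Run only the chosen routines; map each flagged entry to the routines that hit it."""
    hits = {}
    for name, routine in routines.items():
        for je_id in routine(entries):
            hits.setdefault(je_id, []).append(name)
    # Entries flagged by the most routines come first.
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    entries = load_entries(SAMPLE_FILE)
    chosen = {
        "weekend": weekend,
        "outside_hours": outside_hours,
        "large": lambda es: large(es, Decimal("100000")),
        "rounded": rounded,
        "no_description": no_description,
        "infrequent_preparer": infrequent_preparers,
    }
    for je_id, reasons in select_for_testing(entries, chosen).items():
        print(je_id, ", ".join(reasons))
    print("by user:", summary_by_user(entries).most_common())
    print("by account:", summary_by_account(entries).most_common())
```

Leaving `weekend` out of `chosen` is how the judgment in 20.26 would be applied for a client whose staff routinely work weekends during the close.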

20.27 Finally, audit teams should not:
 use a sampling approach for selecting journal entries
 increase scopes to avoid testing numerous journal entries
 eliminate testing when journal entry controls are tested
 focus solely on large journal entries

Subsequent Events Review

20.28 The audit team should take reasonable steps to verify that all significant
transactions and events from the balance sheet date to our report date are identified, in
accordance with professional standards.

Types of Subsequent Events

20.29 Subsequent events are events or transactions that occur after the balance sheet
date but before the financial statements are issued or are available to be issued. Two
types of subsequent events require consideration:
 The first type, recognized subsequent events, provides additional
evidence with respect to conditions that existed at the balance sheet date
and affect the estimates inherent in the process of preparation of financial
statements.
 The second type, unrecognized subsequent events, deals with conditions
that arose subsequent to the balance sheet date.

20.30 Recognized subsequent events should be used to evaluate the conditions upon
which estimates were based. The financial statements should be adjusted for any
changes in estimates resulting from the use of such evidence. Identifying events that
require adjustment calls for knowledge of the facts and circumstances and the exercise
of judgment.

20.31 Unrecognized subsequent events ordinarily do not result in adjustment of the
financial statements. However, some of these events may require disclosure to prevent
the financial statements from being misleading, for example:
 changes in capital stock issuances
 purchase of a business
 settlement of litigation when the event giving rise to the claim took place
subsequent to the balance sheet date
 financing transactions
 catastrophic loss of assets, such as the loss of a plant or inventories as a
result of fire or flood or losses on receivables resulting from conditions
arising subsequent to the balance sheet date

20.32 When financial statements are reissued at a later time, events occurring between
the time of original issuance and re-issuance should not result in adjustment unless the
adjustment meets the criteria for a prior period adjustment.

Procedures

20.33 Work in other audit areas will reveal certain subsequent events that should be
documented. Examples of such subsequent events include invoices and statements
received after the balance sheet date; subsequent accounts receivable payments;
notice of customers going into bankruptcy; management charges from other related
companies; notice of interest accrued on loan accounts; and the outcome of long-term
contract work in progress.

20.34 Subsequent events procedures ordinarily include:
 reading the latest available interim financial statements and considering
whether there is information that bears on the financial statements being
audited. In order for the comparison to be meaningful, the interim financial
statements should be prepared on the same basis as that used for the
statements under audit.
 making inquiries of management having responsibility for financial and
accounting matters concerning the current status of contingencies,
amounts included in the financial statements that were accounted for on
the basis of tentative, preliminary or inconclusive data and significant
entity changes or events occurring subsequent to the balance sheet date,
such as changes in capital stock, long-term debt, or working capital, and
whether any unusual adjustments had been made during the period from
the balance sheet date to the auditor’s report date
 reading available minutes of meetings of the stockholders, directors, and
appropriate committees and inquiring about matters dealt with at such
meetings where the minutes are not available
 updating inquiries from the client’s legal counsel to a date that is no more
than 7 calendar days before our auditor’s report date
 making such additional inquiries or performing such procedures deemed
necessary to dispose of questions that arose out of carrying out the
subsequent review procedures, inquiries, and discussions

20.35 The audit team should determine whether the audit evidence collected in our
subsequent events review is consistent with the evidence substantiating items such as
accounting estimates, tax provisions, deferred assets and liabilities, the disclosure of
contingent liabilities, etc.

Overview of Financial Statements

20.36 In some engagements, the financial statements are prepared by client personnel,
and in others, the client engages the audit team to assist with drafting the financial
statements. The audit team should always perform an overview of the financial
statements to determine that the format is appropriate, that they appear to be
reasonably comprehensive and are in agreement with the final trial balance and the
supporting workpapers, considering:
 descriptions and amounts in the financial statements
 non-general ledger amounts included in the financial statements or notes
 comments, accounting policies, and other informative matters in the
permanent file or the workpapers
 consistent application of accounting principles
 clerical and mathematical accuracy
 adequacy of workpaper documentation of items considered for financial
statement disclosure

20.37 This financial statement overview differs from analyses conducted as part of
concluding analytical procedures. Analytical procedures include comparisons of figures
and ratios developed from financial and non-financial data derived from expected
results, conducted at various levels of detail. The financial statement overview is a
procedure directed to the impact of the financial statements on the user. This overview
should ordinarily be performed by the engagement partner or manager and is intended
to confirm that the financial statements make good business sense.

Disclosure Questionnaire

20.38 Use of an appropriate disclosure questionnaire is required for all audit
engagements. The Financial Statement Disclosure Questionnaire is available in each
Voyager audit file. However, certain specialized industries may require additional
disclosures. Accordingly, in specialized industries, Voyager’s Financial Statement
Disclosure Questionnaire should be appropriately modified and supplemented, if
necessary, by other current industry checklists published by a recognized source.

20.39 Regardless of the individual assigned to complete the disclosure questionnaire,
the manager and partner are ultimately responsible for evaluating the completeness and
accuracy of the disclosures made by management in the financial statements and
related notes.

Other Information in Documents Containing Financial Statements

20.40 The manager and partner should read the other information included with the
financial statements (e.g., the annual report) to identify material inconsistencies with the
audited financial statements. If, on reading the other information, a material
inconsistency is identified, the partner should determine whether the audited financial
statements or the other information need to be amended.
The audit team should consider the impact on the audit opinion if an amendment is
necessary (in either the financial statements or the other information) and the entity
refuses to make the amendment.

20.41 If a material misstatement of fact is identified, the partner should discuss this with
management and, when the issue cannot be resolved, legal advice or further
appropriate action may be warranted.

Going Concern

20.42 When planning and performing audit procedures, the auditor should consider
whether management’s use of the going concern assumption is appropriate. This
evaluation is made for a period of time of at least, but not limited to, twelve months from
the balance sheet date. Under the going concern assumption, an entity is ordinarily
viewed as continuing in business with neither the intention nor the necessity of
liquidation, or ceasing trading or seeking protection from creditors pursuant to laws or
regulations.

20.43 A delay of issuance of the financial statements does not extend the auditor’s
responsibility to consider the going concern assumption beyond the period of time
discussed in the previous paragraph. Therefore, if a report is issued eleven months
subsequent to the date of the financial statements, professional responsibility for
evaluating the going concern assumption would extend for only one month (assuming
management’s assessment period was not longer than twelve months). However, it may
not be prudent to issue a report without considering the possibility that the entity cannot
continue as a going concern for a very short period following the issuance of the report.

Consideration of Conditions and Events

20.44 The risk that the going concern assumption may no longer be appropriate should
be considered. Indications of risk could come from the financial statements or from other
sources. Examples include:
 financial indications:
– net liability or net current liability position
– fixed-term borrowings approaching maturity without realistic prospects
of renewal or repayment, or excessive reliance on short-term
borrowings to finance long-term assets
– indications of withdrawal of financial support by debtors and other
creditors
– negative operating cash flows indicated by historical or prospective
financial statements
– adverse key financial ratios
– substantial operating losses or significant deterioration in the value of
assets used to generate cash flows
– arrears or discontinuance of dividends
– inability to pay creditors on due dates
– inability to comply (or difficulty with complying) with the terms of loan
agreements
– change from credit to cash-on-delivery transactions with suppliers
– inability to obtain financing for essential new product development or
other essential investments
 operating indications:
– loss of key management without replacement
– loss of a major market, franchise, license, or principal supplier
– labor difficulties or shortages of important supplies
 other indications:
– non-compliance with capital or other statutory requirements
– pending legal proceedings against the entity that may, if successful,
result in claims that are unlikely to be satisfied by the entity
– changes in legislation or government policy expected to adversely
affect the entity

Consideration of Management’s Plans

20.45 The auditor’s responsibility is to consider the appropriateness of management’s
use of the going concern assumption in the preparation of the financial statements and
to consider whether there are material uncertainties about the entity’s ability to continue
as a going concern that need to be disclosed in the financial statements.

20.46 During the risk assessment procedures, the audit team should have considered
whether there were events or conditions that might cast significant doubt on the
entity’s ability to continue as a going concern. The audit team should also remain alert
throughout the audit for evidence of events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern. If such events or conditions
are identified, the audit team should, in addition to performing the procedures above,
consider whether they affect preliminary risk assessments and the responses to those
risks.

20.47 Examples of procedures performed in the normal course of an audit that may
identify the conditions or events discussed above include:
 analytical procedures
 review of subsequent events
 review of compliance with debt terms and covenants
 reading of the minutes of meetings of stockholders, board of directors, and
important committees of the board
 inquiry of attorneys about litigation, claims, and assessments
 confirmation with related and third parties of the details of arrangements to
provide or maintain financial support

20.48 The audit team should evaluate management’s assessment of the entity’s ability
to continue as a going concern. The same period as that used by management in
making their assessment should be considered. If management’s assessment of the
entity’s ability to continue as a going concern covers less than twelve months from the
balance sheet date, the engagement team should ask management to extend their
assessment period to twelve months from the balance sheet date.

20.49 The audit team should inquire of management as to its knowledge of events or
conditions beyond the period of assessment used by management that may cast
significant doubt on the entity’s ability to continue as a going concern.

20.50 When events or conditions are identified that may cast significant doubt on the
entity’s ability to continue as a going concern, the audit team should:
 review management’s plans for future actions based on its going concern
assessment
 gather sufficient appropriate audit evidence to confirm or dispel whether or
not a material uncertainty exists through carrying out procedures
considered necessary, including considering the effect of any plans of
management and other mitigating factors, and
 obtain written representations from management regarding its plans for
future actions

20.51 Procedures that are relevant in this regard may include:
 analyzing and discussing cash flow, profit and other relevant forecasts
with management
 analyzing and discussing the entity’s latest available interim financial
statements
 reviewing the terms of debentures and loan agreements and determining
whether any have been breached
 reading minutes of the meetings of shareholders, the board of directors,
and important committees for reference to financing difficulties
 inquiring of the entity’s lawyer regarding the existence of litigation and
claims and the reasonableness of management’s assessments of their
outcome and the estimate of their financial implications
 confirming the existence, legality and enforceability of arrangements to
provide or maintain financial support with related and third parties and
assessing the financial ability of such parties to provide additional funds
 considering the entity’s plans to deal with unfilled customer orders
 reviewing events after the balance sheet date to identify those that either
mitigate or otherwise affect the entity’s ability to continue as a going
concern

20.52 When analysis of cash flow is a significant factor in considering the future
outcome of events or conditions, the engagement team should:
 consider the reliability of the entity’s system for generating such
information
 consider whether there is adequate support for the assumptions
underlying the analysis
 compare the prospective financial information for recent prior periods with
historical results, and
 compare the prospective financial information for the current period with
results achieved to date

20.53 When the audit team believes that prospective financial information may be
particularly significant to achievement of management’s objectives, they should
ordinarily obtain and read such information and the underlying assumptions and:
 consider the adequacy of support for significant assumptions underlying
such prospective information
 compare prospective financial information in prior periods and for the
current period (if available) with actual results achieved to date

20.54 The audit team would also consider and discuss with management its plans for
future action, such as plans to liquidate assets, borrow money or restructure debt,
reduce or delay expenditures, or increase capital. The audit team also considers
whether any additional facts or information are available since the date on which
management made its assessment. The audit team should then obtain sufficient
appropriate audit evidence that these plans are feasible, are likely to be implemented
and that the outcome of these plans will improve the situation.

Consideration of Financial Statement Effects

20.55 Based on the audit evidence obtained, the audit team should determine if, in its
judgment, a material uncertainty exists relating to events or conditions that alone or in
aggregate, may cast significant doubt on the entity’s ability to continue as a going
concern. A material uncertainty exists when the magnitude of its potential impact is such
that, in the audit team’s judgment, clear disclosure of the nature and implications of the
uncertainty is necessary for the presentation of the financial statements not to be
misleading.

20.56 If the use of the going concern assumption is appropriate, but a material
uncertainty exists, the audit team considers whether the financial statements:
 adequately describe the principal events or conditions that give rise to the
significant doubt on the entity’s ability to continue in operation and
management’s plan to deal with these events or conditions
 state clearly that there is a material uncertainty related to events or
conditions, which may cast significant doubt on the entity’s ability to
continue as a going concern and, therefore, that it may be unable to
realize its assets and discharge its liabilities in the normal course of
business

20.57 If, after evaluating management’s plans, the audit team concludes that there is
substantial doubt about the entity’s ability to continue as a going concern for a
reasonable period of time, they should then consider the firm’s responsibilities under
applicable professional standards. These considerations may include:
 adequacy of disclosure about the entity’s possible inability to continue as a
going concern for a reasonable period of time
 modification of the firm’s report to reflect the audit team’s conclusion
 legal requirements

Disclosures

20.58 Even if the audit team concludes that substantial doubt does not exist, they
should consider the need for disclosure. The financial statements should provide
adequate disclosure with respect to uncertainty about the entity’s ability to continue as a
going concern for a reasonable period of time. Management is responsible for such
disclosure, which might include information such as:
 pertinent conditions and events giving rise to the uncertainty about the
entity’s ability to continue as a going concern for a reasonable period of
time
 the possible effects of such conditions and events
 management’s evaluation of the significance of those conditions and
events and any mitigating factors
 possible discontinuance of operations
 management’s plans (including relevant prospective financial information)
 information about the recoverability or classification of recorded asset
amounts or the amounts or classification of liabilities
Because of its importance, the going concern note should ordinarily follow the
accounting policies note. Care should be exercised to ensure that management’s
assertions about the matter that are not susceptible to audit are prefaced with a
phrase such as “management believes.”

Evaluating Misstatements

Types of Misstatements

20.59 Misstatements occur when there is a difference between an amount,
classification, presentation, or disclosure and what the audit team determines should be
recorded. There are three types of misstatements: factual, projected, and judgmental.

20.60 Factual misstatements are amounts determined with a high degree of certainty or
no doubt. Examples include mathematical mistakes, the misapplication of accounting
principles (including missing, inadequate or incomplete disclosures), and actual
differences detected as a result of tests of details.

20.61 Projected misstatements are differences calculated by projecting errors
discovered in testing certain items of a population (when the entire population has not
been tested). These amounts result from substantive sampling and include the effects
of both errors detected and unresolved items within the selected sample.

20.62 Judgmental misstatements are differences between the views of management
and the audit team. Examples of differences in judgments include:
 selection of accounting policies
 application of accounting policies
 differences between the recorded value of accounting estimates and the
nearest acceptable value in the audit team’s acceptance range

20.63 Projected and judgmental misstatements should not be categorized as "soft"
misstatements. All three types of misstatements result from the application of audit
procedures and they should all be considered equally severe and valid.

Correcting Misstatements

20.64 Achieving quality financial reporting requires communication among the audit
team, accounting personnel, management and those in the entity charged with
governance. As potential misstatements are identified, the audit team should discuss
them with the appropriate level of management. Management often corrects the
misstatements that are identified, but those that are not corrected must be posted as
passed adjusting journal entries. In addition, the audit team should evaluate the internal
control implications of the misstatements using Voyager’s Design Effectiveness tool as
discussed in Chapter 10.

20.65 Management enhances the quality of their financial reporting by recording all
identified misstatements regardless of the amount. Users of the financial statements
have high expectations regarding quality financial reporting. In discussions regarding
unrecorded misstatements, especially factual ones, the audit team should encourage
management to correct all misstatements.

20.66 In determining whether to correct misstatements, management and those
charged with governance should also consider their effect on future periods. Most
unrecorded misstatements affect both present and future periods and there is a risk that
future periods may be judged at smaller materiality thresholds.

Prior Year Unrecorded Misstatements

20.67 Unrecorded misstatements from prior periods that affect the current period
should be accumulated and evaluated with misstatements discovered during the current
period. However, it is sometimes appropriate for the audit team to exclude prior year
unrecorded misstatements from the current evaluation. For example, this occurs when
events refute judgments made in the prior year such as the subsequent collection of an
outstanding amount that we estimated to be unrecoverable.

Evaluating Unrecorded Misstatements

20.68 Determining whether unrecorded misstatements are material requires the
exercise of considerable professional judgment. The evaluation of the materiality of
misstatements should consider all misstatements, including missing, inadequate, or
incomplete disclosures. In evaluating unrecorded misstatements both individually and in
the aggregate, the audit team considers:
 their nature and cause
 their effect on the financial statements as a whole and on individual
components
 both a quantitative and qualitative perspective
 the potential for further possible misstatements

20.69 Misstatements should be aggregated in a way that enables audit teams to
consider whether, in relation to individual amounts, subtotals, or totals in the financial
statements, they materially misstate the financial statements taken as a whole. The
audit team will not be able to perform such an evaluation by considering materiality to
be a single quantitative value (exclusive reliance on a percentage or numerical
threshold is not appropriate). The audit team evaluates unrecorded misstatements in the
context of what users of the financial statements are most likely to consider important.

20.70 TBeam contains reports to assist the audit team in assessing the unrecorded
misstatements and determining the fairness of the financial statements in all material
respects. Recording the misstatements in TBeam and using the software to produce a
complete schedule can enhance the audit team’s efficiency and effectiveness.

Reassessment of Materiality

20.71 The audit team typically determines planning materiality based on estimates of
the entity’s financial results, prior to knowing the actual financial results. Before
evaluating uncorrected misstatements, the audit team should consider whether the
materiality used to perform the audit is still appropriate based on actual financial results.

20.72 As the audit progresses, the audit team revises materiality when they become
aware of information that would have caused them to select a different materiality
initially. Examples of circumstances that may require materiality to be adjusted are
discussed in Chapter 7. Most of these examples involve significant changes to the size
of the entity such as the disposal of a segment of the entity since the audit was planned.
Accordingly, at the time uncorrected misstatements are evaluated, it is likely that the
audit team has already reassessed and used a different materiality to complete the
audit work as a result of these situations. However, the entity’s size can also change
significantly when the audit team’s work identifies significant adjustments or areas with
significant estimate uncertainty that would have resulted in them setting a lower
materiality threshold if such matters were known at the time. The audit team should
consider whether the audit work should have been performed using a different tolerable
error and if so, whether additional audit work is required.

20.73 As discussed in Chapter 7, it is not necessary for the audit team to routinely
recalculate materiality when actual results differ from estimates. The reassessment
discussed in this section needs to be performed only when additional facts come to the
audit team's attention that significantly affect the materiality and tolerable error
determined during audit planning.

Nature and Cause of Unrecorded Misstatements

20.74 Misstatements could arise by accident, through misunderstanding, from cover-up
of misappropriated assets or from fraudulent financial reporting (including earnings
management). The quantitative amount of misstatement that the audit team is willing to
accept depends on the nature and cause of the difference. For example, an identified
misstatement arising from management’s failure to record transactions for the purpose
of achieving earnings results would cause differences of quantitatively small amounts to
be material.

20.75 In addition to evaluating the nature and cause of individual unrecorded
misstatements, the audit team also considers whether the type or the trend of the
unrecorded misstatements indicates an attempt to manage earnings. Here the audit team
considers such questions as:
 Do the misstatements regarding accounting estimates indicate a
management bias?
 Is management attempting to manipulate earnings by not correcting
several identified misstatements?
 Do unrecorded misstatements from prior engagements corroborate or
contradict our assessment of management’s intentions?
 Is more than one of these considerations present?

Quantitative Effect on Financial Statements

20.76 When considering the quantitative effect of individual and aggregated unrecorded
misstatements on the financial statements, the audit team evaluates their effect on
items such as earnings, cash flows, financial position and classification, among others.

20.77 There are two common approaches used to quantify errors. Under the “rollover”
approach, the error is quantified as the amount by which the current year income
statement is misstated. The “iron curtain” approach quantifies the error as the
cumulative amount by which the current year balance sheet is misstated.

20.78 Exclusive reliance on an income statement approach can result in an entity
accumulating errors on the balance sheet that may not have been material to any
individual income statement, but which, nonetheless, may misstate one or more balance
sheet accounts. Similarly, exclusive reliance on a balance sheet approach can result in
a client disregarding the effects of errors in the current year income statement that
result from the correction of an error existing in previously issued financial statements.

20.79 [The following paragraph describes a SEC policy that is applicable for the audits
of all SEC registrants. You may wish to supplement this policy for your policies for other
listed entities] The SEC staff indicated that registrants should quantify errors using both
a balance sheet and an income statement approach. Thus, the financial statements
would require adjustment when either approach results in quantifying a misstatement
that is material, after considering all relevant quantitative and qualitative factors.

20.80 [The following paragraph describes a SEC policy that is applicable for the audits
of all SEC registrants. You may wish to supplement this policy for your policies for other
listed entities] Therefore, the firm now requires audit teams to use both the rollover and
iron curtain methods to evaluate unrecorded misstatements for public entities. TBeam
contains the Advanced PAJE option that activates reports for the team to evaluate
misstatements with both the iron curtain and rollover methods. Otherwise, audit teams
can use the firm developed Excel template to summarize unrecorded misstatements
using the dual approach.

20.81 [Tailor the following paragraph if your regulations for listed entities differ] For
nonpublic entities, the firm uses the rollover method to evaluate unrecorded misstatements.
Audit teams can use the report within TBeam for this evaluation.
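
Paragraphs 20.77 and 20.78 worked through as an added Python example; it is not firm or TBeam code. The figures and the threshold are constructed, every misstatement is assumed to flow through income, and the threshold stands in for the quantitative comparison only.

```python
from decimal import Decimal

# Constructed figures. Each value is the cumulative amount by which the
# balance sheet is misstated at that year end.
# Accrual case: a liability is understated by a further 20 every year.
SAMPLE_ACCRUAL = {2011: 20, 2012: 40, 2013: 60, 2014: 80, 2015: 100}
# Cut-off case: a 60 error at the end of 2014 reverses completely in 2015.
SAMPLE_CUTOFF = {2014: 60, 2015: 0}
SAMPLE_THRESHOLD = Decimal(50)  # constructed quantitative threshold


def quantify(cumulative):
    """Quantify each year's error under both approaches.

    rollover     = amount by which that year's income statement is misstated,
                   taken here as closing minus opening cumulative misstatement
                   (so the reversal of prior-year errors is included).
    iron_curtain = cumulative amount by which the year-end balance sheet is
                   misstated.
    """
    out, opening = {}, Decimal(0)
    for year in sorted(cumulative):
        closing = Decimal(cumulative[year])
        out[year] = {"rollover": closing - opening, "iron_curtain": closing}
        opening = closing
    return out


def over_threshold(cumulative, threshold):
    """Per year, the approaches under which the error reaches the threshold."""
    return {
        year: [name for name, amount in amounts.items() if abs(amount) >= threshold]
        for year, amounts in quantify(cumulative).items()
    }


def catch_up_income_effect(cumulative, year):
    """Prior-period error that lands in current income if the whole
    cumulative balance is corrected through the income statement in `year`."""
    prior_years = [y for y in cumulative if y < year]
    return Decimal(cumulative[max(prior_years)]) if prior_years else Decimal(0)


if __name__ == "__main__":
    # Accrual case: rollover stays at 20 every year, while the balance sheet
    # error grows past the threshold from 2013 onwards.
    print(over_threshold(SAMPLE_ACCRUAL, SAMPLE_THRESHOLD))
    # Cut-off case: the 2015 balance sheet is clean, yet 2015 income carries
    # the 60 reversal, which only the rollover approach picks up.
    print(over_threshold(SAMPLE_CUTOFF, SAMPLE_THRESHOLD))
    # Correcting the accrual in full in 2015 pushes 80 of prior-year error
    # through 2015 income.
    print(catch_up_income_effect(SAMPLE_ACCRUAL, 2015))
```
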

Qualitative Effect on Financial Statements

20.82 Misstatements of relatively small amounts may be qualitatively but not
quantitatively material. Evaluating the qualitative effect of unrecorded misstatements,
individually and in the aggregate, requires more judgment. Qualitative considerations
include the effect unrecorded misstatements have on:
 the trends of key performance indicators such as earnings, revenues,
equity or ratios
 the entity’s compliance with loan covenants, other contractual
agreements, or regulatory provisions
 changing a loss into a profit (or vice versa)
 management’s compensation
 key accounts such as recurring versus non-recurring or restricted versus
non-restricted items
 meeting owner or financier’s expectations of key performance indicators
(revenue, earnings, etc.)

20.83 Additional qualitative considerations for entities having public accountability may
include the effect that unrecorded misstatements have on:
 segments
 statutory or regulatory reporting requirements
 earnings per share
 meeting analyst or other users’ expectations of key performance indicators
(revenue, earnings per share, etc.)

Concluding on the Materiality of Unrecorded Misstatements

20.84 In concluding whether or not the financial statements are fairly presented in all
material respects, the audit team also considers the possibility that other misstatements
exist. In practice, it will frequently be clear that the unrecorded misstatements together
with the possible existence of further misstatements are not material from either a
quantitative or a qualitative perspective. There will be situations where unrecorded
misstatements are approaching amounts that we would consider material or have
exceeded such amounts. In these situations, the audit team should consider performing
additional audit procedures such as:
 encouraging management to make additional corrections
 requesting management to reperform accounting processes and auditing
the results
 performing further testing to better quantify judgmental differences

20.85 After performing the additional procedures just described, if the unrecorded
misstatements are approaching a material amount, the audit team should consider
modifying the audit report. This requires considerable professional judgment, and the
audit team should consult firm personnel with appropriate expertise.

20.86 When unrecorded misstatements are material and the additional procedures do
not resolve the matter, the audit team should communicate to management and those
charged with governance that a modified report cannot be avoided without further
corrections to the financial statements. These corrections must lower the unrecorded
misstatements sufficiently below amounts considered to be material to allow for the
effect of further possible misstatements not discovered during the course of the
engagement.

20.87 The partner should review the Summary of Unrecorded Misstatements to
determine that the judgments exercised were appropriate in the circumstances and the
facts, considerations and conclusions are adequately documented. The unrecorded
misstatements should also be attached to the management representation letter.

20.88 The partner is responsible for discussing all of the audit differences (including
missing, inadequate, or incomplete disclosures) with appropriate client management.
The engagement partner should also document his or her concurrence with the
engagement team’s decision as to whether our report should be modified. The
engagement partner is also responsible for communicating these audit differences with
the client’s audit committee or board of directors.

Client Representations

Comprehensive Representation Letters


20.89 A comprehensive representation letter should be obtained for each audit. A
client’s refusal to sign, or the audit team’s inability to obtain, a comprehensive
representation letter ordinarily constitutes a limitation on the scope of the audit
sufficient to preclude an unqualified opinion. A representation letter does not diminish
the audit team’s responsibility to gather sufficient audit evidence to support the audit
opinion.

20.90 A representation letter provides:
 confirmation of oral representations made by senior management affecting
the material aspects of a company’s financial statements, certain of which
cannot be substantiated by other audit procedures (e.g., management’s
plans and intentions, etc.). Therefore, the representations should be clear;
there should be no misunderstanding about the information and opinions
to be provided by management. Representations normally relate to:
– matters that may not be recorded in the accounting records, due to
their nature (e.g., identification of related party transactions)
– completeness of recording
– matters requiring management’s judgment
 confirmation that, based upon their detailed knowledge of the business,
management is satisfied with the representations made in the financial
statements

20.91 The representation letter should be appropriately tailored to the circumstances of
the engagement and the nature and basis of presentation of the financial statements.
Items to consider include:
 representations should ordinarily be obtained whenever the financial
statement presentation or accounting treatment depends on the client’s
intent (e.g., the classification of marketable securities or debt)
 care should be taken to ensure that representations are not worded
inappropriately (e.g., “the financial statements have disclosed all related
party transactions,” when none have been disclosed)
 representations should be obtained with regard to internal control,
including additional representations when performing an audit of internal
control
 industry-specific representations should be obtained where necessary or
required

20.92 The draft representation letter should be approved by the engagement partner or
manager before it is presented to the client. Unusual requests to add or remove
representations might require discussions with the client. Such discussions should
ordinarily be conducted by the engagement partner or manager. To evidence that
appropriate consideration has been given to the contents of the letter, the engagement
partner should initial and date the final letter. The quality control reviewer, if any, should
ensure that the engagement partner has initialed the letter.

20.93 Client representations should be signed by members of management who have
primary responsibility for the entity and its financial matters, based on the best of their
knowledge and belief. This is generally the chief executive officer (CEO), the chief
operating officer (COO) and the chief financial officer (CFO). In some situations, the
audit team may determine it necessary to obtain representations from other members of
management. Preferably, one of the signers should be a member of the board of
directors. If the audit team questions the competence, integrity, or ethical values of
management, the audit team should consider these effects on the content of the letter
and in terms of the additional procedures performed.

Dating Considerations

20.94 Management’s representations should be made (and the letter dated) as of the same
date as the auditor’s report. As a reminder, the auditor’s report should not be dated
before substantially all audit procedures are completed. Procedures are not complete
until a full set of financial statements is prepared and all reviews are completed. We
cannot accept a letter with a date other than the audit report date.

20.95 If the auditor’s report is dual dated, the audit team should ordinarily obtain
additional, written management representations relating to the subsequent event
through the dual date.

Content

20.96 Written representations should be obtained in accordance with professional
standards. Illustrative written representation letters are located in GEL under Grant
Thornton Letter and Forms > Audit Representation Letters.

Confidentiality

20.97 To preserve the confidentiality of representation letters, the following should be
considered:
 letters should be personally submitted to management for signature to
ensure that confidentiality is not breached and to answer any questions that
may arise
 in some cases, the client may prefer to discuss highly confidential matters
in separate representation letters rather than in the comprehensive letter.
This is acceptable.

Inappropriate Representations or Caveats

20.98 [Tailor the following paragraph to reflect your firm’s consultation policies and
practices] The letter should be tailored to the applicable client circumstances and any
inappropriate or inapplicable representations reflected in the illustrative letters should be
omitted. For example, representations pertaining to inventory for a financial institution
client would not ordinarily be obtained. Occasionally, clients may request modifications
to the suggested letter. The partner should consult with the PSP prior to accepting such
modifications. However, modifications or caveats that appear to negate the client’s
responsibilities are not acceptable.

Additional Considerations

20.99 The following additional matters should be considered:
 Where an opinion is rendered on consolidated financial statements, the
written representations obtained from the parent company’s management
should specify that they pertain to the consolidated financial statements
and, if applicable, to the separate financial statements of the parent
company.
 There may be occasions where the audit is performed on the financial
statements of a subsidiary, but not those of the parent company; in such
instances, the audit team may wish to obtain representations from senior
management of the parent company concerning matters that affect the
subsidiary. In such circumstances, the illustrative letter should be
appropriately modified.
 Separate representation letters with respect to inventories and liabilities,
as well as letters dealing with other specific matters, may be obtained from
personnel of a branch or division of a company whose financial
statements we are auditing. However, such letters are not a substitute for
the comprehensive representation letter to be obtained from senior
management.
 Certain matters required to be communicated to the client’s audit
committee may be more appropriately communicated by management.
We should obtain written representations, preferably in the comprehensive
representation letter, regarding such matters where:
– management’s communications are not evidenced in writing (e.g.,
submitted in writing or included in the minutes of the audit committee),
or
– we need to communicate these matters to the audit committee
because management has not done so

20.100 To the extent that inclusion of certain matters in the comprehensive
representation letter is needed to obtain appropriate understanding of such matters,
finalizing the representation letter should not be left until the last minute, when the
report is ready to be issued. To minimize misunderstandings and unnecessary delays,
consideration should be given to such matters as the audit progresses and the
information given to the client on a timely basis.

Withdrawal from an Engagement


20.101 Where the audit partner concludes that it is not possible to continue
performing the audit for any reason, and the firm withdraws from the engagement:
 discuss with the appropriate level of management and those charged with
governance that the firm has withdrawn and the reasons for withdrawal
 consider whether there is a professional or legal requirement to report to
the person or persons who made the audit appointment or, in some cases,
to regulatory authorities, that the firm has withdrawn and the reasons for
withdrawal

Attorney Inquiries

General Considerations

20.102 When completing an audit, consideration should be given to the nature
and timeliness of the client’s attorneys’ responses to the audit team’s inquiries. The
audit team may need to request subsequent data when:
 attorney responses are dated seven or more calendar days prior to the
auditors’ report date
 we need to follow up on significant information provided in the attorneys’
letters
 new matters come to our attention for which details are needed
 updated information is needed about matters actively being worked on by
the attorney that may affect financial statement disclosures or our audit
report
 in the instance that the attorney response is dated seven or more calendar
days from the report date and the audit team does not update the
attorney’s response, the audit team should document the reason for not
obtaining an update
The letter of inquiry (shown below) may be used to request subsequent data.

20.103 In some cases, a telephone conversation with the client’s general counsel
and other selected attorneys, whose responses are considered significant by the audit
team, may facilitate the completion of the engagement. Such conversations should
ordinarily be held on or about the audit report date. Significant changes should be
confirmed in writing.

20.104 The inquiries shown below and specific responses in the attorneys’
original letters should be used as an outline for telephone conversations. When
obtaining updated information by telephone, the following information should be
included in the workpapers:
 the audit judgments made in deciding which attorneys to call
 inquiries made of each attorney
 names of the attorneys and a summary of their responses
 dates of the conversations
 effect, if any, that the updated information had on the financial statements
and related disclosures

Limited Attorney Responses

20.105 An attorney may appropriately limit a response to matters to which he or
she has given substantive legal attention or to matters that are considered individually
or collectively material to the financial statements. However, in such circumstances, we
need to reach an understanding with the attorney on the limits of materiality for such
purpose.

20.106 An attorney’s refusal to furnish the information requested in the client’s
letter of inquiry is an audit scope limitation sufficient to preclude an unqualified opinion.
In such instances, we should issue a qualified opinion or a disclaimer of opinion.

20.107 The attorney may be unable to form a conclusion with respect to the
likelihood of an unfavorable outcome of pending or threatened litigation or the amount
or range of potential loss. In such instances, we would ordinarily conclude that the
financial statements are affected by an uncertainty concerning the outcome of a future
event that is not susceptible of reasonable estimation. See Chapter 21 for guidance.

20.108 [Tailor the following paragraph to reflect applicable professional
associations and country practices] An attorney’s letter with the following or similar
language in its response to an auditor would not be considered a limited response:

The Company has advised us that, by making the request set forth in its letter to us, the
Company does not intend to waive the attorney-client privilege with respect to any
information which the Company has furnished to us. Moreover, please be advised that our
response to you should not be construed in any way to constitute a waiver of the protection
of the attorney work-product privilege with respect to any of our files involving the
Company.

Such explanatory language about the attorney-client privilege or the attorney
work-product privilege does not result in a limitation on the scope of the audit. This
interpretation is based on the Report by the American Bar Association’s Subcommittee
on Audit Inquiry Responses, which states that the explanatory language is merely an
explicit statement that neither the client nor the attorney intended a waiver.

Request for Subsequent Data

20.109 The following is an illustration of a letter to the client’s attorney requesting
subsequent data:

(Client letterhead)

(current date)
(Name of Attorney)
(Address)
Dear Sir or Madam:
You have previously furnished our auditors, Grant Thornton LLP, in your letter dated (date
of previous letter), information relative to legal matters existing at (client’s balance sheet
date) and at the date of your reply. Please provide them with any additional information at
the present date with respect to:
1. Whether or not there has been any change in the status of the matters previously
reported upon and whether there has been any change in your views with respect thereto.
2. Pending or Threatened Litigation
(OPTION I)
(Management will prepare a list of new pending or threatened litigation which will
normally include (1) the nature of the litigation, (2) progress of the case to date, (3) how
management is responding or intends to respond to the litigation, and (4) an evaluation of
the likelihood of an unfavorable outcome and an estimate, if one can be made, of the
amount or range of potential loss.)
Please furnish to our auditors any explanation that you consider necessary to supplement
the foregoing information, including an explanation of those matters as to which your views
may differ from those stated and an identification of the omission of any pending or
threatened litigation, claims and assessments or a statement that the list of such matters is
complete.
(OPTION II)
New litigation or lawsuits with respect to which you have been engaged and to which you
have devoted substantial attention. Please furnish details of such litigation or lawsuits in
which the company is involved directly or indirectly, and of any claims asserted against this
company even though legal proceedings have not started, including (1) the nature of the
pending or threatened litigation, (2) the progress of the matter to date, (3) the response
which is being made or which will be made to the matter, and (4) an evaluation of the
likelihood of an unfavorable outcome and an estimate, if one can be made, of the amount or
range of potential loss.
3. Unasserted Claims and Assessments
(If this section is applicable, use same language as in the illustrative letter in Assurance
Letters and Forms).
A business reply envelope is enclosed for your convenience in replying directly to Grant
Thornton LLP, Certified Public Accountants, (insert local office address).
Your prompt reply will be greatly appreciated since we are in the process of preparing our
financial statements and this information is essential to their completion.
Very truly yours,
(Client Company Name)

(Authorized Signature)

Summary of Significant Matters

20.110 Preparation of a Summary of Significant Matters (SSM) program in
Voyager is required for all audit engagements. The purpose of the SSM is to summarize
the significant audit findings or issues identified during the engagement. Significant
audit findings or issues include:
 matters that both are significant and involve issues regarding the
appropriate selection, application and consistency of accounting principles
with regard to the financial statements, including related disclosures. Such
matters often relate to accounting for complex or unusual transactions, or
estimates and uncertainties and the related management assumptions.
 results of auditing procedures that indicate the financial statements or
disclosures could be materially misstated due to error or fraud
 situations where the results of procedures caused the audit team to
significantly change the audit strategy, including risk assessments
 circumstances that cause significant difficulty in applying auditing
procedures we consider necessary
 other findings that could result in modification of our report
The SSM is not a substitute for appropriate workpaper documentation. However, it
should be sufficiently informative to enable a reviewer to understand the nature of the
matter and the rationale for the conclusion. The SSM should be cross-referenced to
relevant workpapers and/or memoranda documenting the analysis of the matter. In
preparing the SSM, the audit team should refer to existing documentation in the Voyager
file and not place duplicate or supplemental documentation in the SSM. This approach
aids in understanding the matter, avoids duplicate documentation and reduces the risk
that the Voyager file contains superseded or conflicting documentation.

Exhibit 20.1 – Fields Used in IDEA Smart Analyzer Journal Entry Routines

E01 IDEA Smart Analyzer executes pre-programmed routines based on certain
assumptions about the data in each field. It is critical that audit teams understand the
data included in each of the fields used in these routines in order to understand the
results of these routines. In some cases, it may be necessary to execute certain
routines on the entire journal entry file and extract a subset of this file to execute
additional routines. For example, if the journal entry file contains all general ledger
transactions and all transactions are numbered sequentially, then audit teams should
test the completeness of this file before extracting journal entries for further analysis.

E02 Following is a list of fields that should be included in the journal entry file to
execute the suggested routines as well as a discussion of common issues if the correct
field is not identified when tagging data fields. Each entity’s journal entry file will contain
numerous fields, so audit teams must understand what data is included in each field in
order to properly tag the data for use in IDEA Smart Analyzer’s pre-programmed
routines.

Journal Entry Number

E03 The Journal Entry Number field is used in numerous routines for different
purposes. Users must determine whether this field meets all of these requirements to
determine whether these routines can be executed together using the same fields. IDEA
Smart Analyzer assumes the journal entry number is unique to each entry, that each
line of the journal entry is assigned the same journal entry number, and that the
accounting system assigns consecutive journal entry numbers when posting each entry.
It is used in the Out of Balance Journal Entry routine to group all lines of each journal
entry together to determine whether the journal entry is out of balance. The Journal
Entry Number field is used in the Duplicate Journal Entries routine to determine whether
there are duplicate journal entries. This field is also used in the Missing Journal Entries
routine to determine that the list of journal entries is complete.

Account Number

E04 The Account Number field should contain the general ledger account number.

Amount

E05 The amount for each journal entry line must be in one field. If the file contains
separate debit and credit columns, users should create a virtual field combining debits
and credits into one column with debits represented as positive numbers and credits
represented as negative numbers. The Amount field is used in the Out of Balance
Journal Entries routine and all journal entry lines must aggregate to zero or IDEA Smart
Analyzer will include every journal entry in the Out of Balance Journal Entries extracted
file.

Posted By

E06 The field tagged as the Posted By field should contain the user ID or user
name of the person who posted the journal entry. This field is used to summarize
journal entries by user to identify individuals who rarely post journal entries or
individuals who are not authorized to post journal entries.

Posted Date

E07 There are often several date fields in journal entry files. Most entities “hold the
books open” for several days after period-end to complete closing entries. For calendar
year-end entities, closing entries are often created during the first week of January but
posted in the system as of December 31. The Posted Date field should be the date the
journal entry was entered into the accounting system. This field is used to identify
entries posted on weekends and other specific dates.

Posted Time

E08 Similar to the Posted Date field discussed above, the Posted Time field should
contain the actual time the journal entry was entered into the accounting system. This
field is used to identify journal entries posted at specific times as defined by the user.

Comment

E09 The Comment field should be the field with the client-entered description of the
journal entry. Some journal entry files may contain multiple fields with description or
comment information. In those cases, users may want to execute this routine several
times with different fields tagged as the Comment field.
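
The checks this exhibit attributes to the journal entry routines, written out as an added Python example over constructed journal lines. It is not IDEA Smart Analyzer's code; the function names, the duplicate definition (identical account and amount lines under different numbers) and the 07:00 to 19:00 window are assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from decimal import Decimal

# Constructed sample lines (not client data):
# (je_number, account, debit, credit, posted_by, posted_at)
# posted_at is when the entry was keyed into the system, not its effective date.
SAMPLE_ROWS = [
    (1001, "1000", "500.00", "0", "asmith", "2015-12-30 10:15"),
    (1001, "4000", "0", "500.00", "asmith", "2015-12-30 10:15"),
    (1002, "1200", "250.00", "0", "asmith", "2015-12-31 16:40"),
    (1002, "4000", "0", "200.00", "asmith", "2015-12-31 16:40"),  # 50 short
    (1004, "6100", "75.00", "0", "bjones", "2016-01-02 23:05"),   # Saturday night
    (1004, "2000", "0", "75.00", "bjones", "2016-01-02 23:05"),
    (1005, "1000", "500.00", "0", "asmith", "2016-01-04 09:00"),  # same lines as 1001
    (1005, "4000", "0", "500.00", "asmith", "2016-01-04 09:00"),
]


def tag_fields(rows, signed=True):
    """Map raw rows onto the exhibit's fields.

    signed=True builds the single Amount field of E05 (debits positive,
    credits negative). signed=False imitates a mis-tagged Amount field that
    adds the two columns without a sign.
    """
    lines = []
    for je, account, debit, credit, user, stamp in rows:
        debit, credit = Decimal(debit), Decimal(credit)
        lines.append({
            "je": je,
            "account": account,
            "amount": debit - credit if signed else debit + credit,
            "posted_by": user,
            "posted": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
        })
    return lines


def by_entry(lines):
    """Group lines by Journal Entry Number (one number per entry, E03)."""
    entries = defaultdict(list)
    for line in lines:
        entries[line["je"]].append(line)
    return entries


def out_of_balance(lines):
    """Entries whose signed lines do not sum to zero, with the difference."""
    totals = {je: sum(l["amount"] for l in ls) for je, ls in by_entry(lines).items()}
    return {je: total for je, total in totals.items() if total != 0}


def missing_numbers(lines):
    """Gaps in the consecutive number sequence (completeness of the file)."""
    present = {l["je"] for l in lines}
    return sorted(set(range(min(present), max(present) + 1)) - present)


def duplicate_entries(lines):
    """Groups of entry numbers with identical account/amount lines (assumed definition)."""
    groups = defaultdict(list)
    for je, ls in by_entry(lines).items():
        groups[tuple(sorted((l["account"], l["amount"]) for l in ls))].append(je)
    return sorted(sorted(jes) for jes in groups.values() if len(jes) > 1)


def entries_per_user(lines):
    """Count of distinct entries per Posted By value, to surface rare posters."""
    return Counter(user for _, user in {(l["je"], l["posted_by"]) for l in lines})


def posted_on_weekend(lines):
    """Entries whose Posted Date falls on a Saturday or Sunday."""
    return sorted({l["je"] for l in lines if l["posted"].weekday() >= 5})


def posted_outside_hours(lines, start_hour=7, end_hour=19):
    """Entries whose Posted Time is outside the user-defined window."""
    return sorted({l["je"] for l in lines
                   if not start_hour <= l["posted"].hour < end_hour})


if __name__ == "__main__":
    lines = tag_fields(SAMPLE_ROWS)
    print("out of balance:", out_of_balance(lines))
    print("missing numbers:", missing_numbers(lines))
    print("duplicates:", duplicate_entries(lines))
    print("entries per user:", dict(entries_per_user(lines)))
    print("weekend:", posted_on_weekend(lines))
    print("outside hours:", posted_outside_hours(lines))
    # With an unsigned Amount field every entry is reported as out of balance.
    print("mis-tagged amount:", sorted(out_of_balance(tag_fields(SAMPLE_ROWS, signed=False))))
```
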

Exhibit 20.2 – Instructions to execute journal entry routines using IDEA Smart Analyzer

E10 Import journal entry file(s) into IDEA.

E11 Go to “Analysis” and select “IDEA Smart Analyzer…”

E12 The IDEA Smart Analyzer dialog will appear which lists routines available for
execution. For journal entry analysis, select “General Ledger Analysis.” Click “OK.”

E13 The General Ledger Analysis dialog appears with a list of routines available for
execution. Click on each routine in the upper box to view the fields required for each
routine and a description of the routine in the lower box. Verify that the required fields
are available in the data file. Check the box next to the routine to select it for execution.

E14 For each routine selected, click on “Define Tags.” The Define Tags dialog
appears and defaults to “Display only tags for the routines selected.” Each tag must be
assigned to a field in the data file for the routine to be executed.

E15 After the “Field Name” is selected for each tag, click “OK.”

E16 Some routines require additional input. Select the routine and click “Define
Input” to enter additional information as needed. For example, users must enter a
threshold amount to execute the “Journal Entries with Large Amounts” routine.

E17 Enter data as required for each selected routine. Click “OK.”

E18 IDEA will execute the selected routines and create separate files for each
routine.

Chapter Twenty-One — Reports on Audited Financial Statements

Summary

This Chapter discusses various matters pertaining to reporting in a financial statement
audit.

Tailoring instructions

Firms operating in countries where the ISAs form the basis for their reporting standards
should include the content of this chapter in their manual. Acceptable tailoring includes
modifying the contact information to reflect domestic consultation policies and modifying
the specific reference to standards where domestic standards use a preface other than
“ISA”.

Firms operating in countries where the ISAs do not form the basis for their reporting
standards should use the content of this chapter as a guide for the content in their
manual. In these cases, the policies and procedures in the firm’s manual should not be
less than the policies and procedures described in this chapter.

Introduction
21.01 This Chapter discusses various matters pertaining to reporting in a financial
statement audit, including:
• the form and content of the standard auditor’s report
• modifications to the opinion (qualified, adverse, or disclaimer)
• emphasis of matter and other matter paragraphs in the auditor’s report
• reporting on summary financial statements

21.02 This Chapter is written in the context of a complete set of financial statements
prepared in accordance with a general purpose framework (a framework designed to
meet the common financial information needs of a wide range of users, such as
International Financial Reporting Standards issued by the International Accounting
Standards Board). Such statements will normally include the balance sheet, the income
statement, statement of changes in equity, and cash flows together with related notes.

21.03 International Standards on Auditing (ISA) 800, Special Considerations – Audits
of Financial Statements Prepared in Accordance with Special Purpose Frameworks,
addresses reports on financial statements prepared in accordance with a special
purpose framework (a framework designed to meet the financial information needs of
specific users, such as the cash or tax basis of accounting). ISA 805, Special
Considerations – Audits of Single Financial Statements and Specific Elements,
Accounts or Items of a Financial Statement, addresses reports on single financial
statements and elements, accounts or items of a financial statement.

Forming an Opinion
21.04 Upon completion of the audit, the audit team must form an opinion on the
financial statements. In doing so, the audit team determines whether the financial
statements are free from material misstatement based on the audit evidence obtained
and considers:
• uncorrected misstatements
• scope limitations
• the qualitative aspects of the company’s accounting practices
• bias in management’s judgments and estimates
• whether disclosures beyond those required by the framework are
  necessary for fair presentation, or for the financial statements not to be
  misleading

21.05 An unmodified opinion is expressed when the audit team concludes that the
financial statements are prepared in accordance with the framework, and the audit team
obtained sufficient appropriate audit evidence to support that conclusion. When a
material misstatement exists or when there is a scope limitation, the opinion is modified,
as discussed later in this Chapter.

Disclosures

21.06 Disclosures should be adequate to enable intended users to understand the
effect of material transactions and events on the entity’s financial position, financial
performance, and cash flows. Guidelines used in considering the adequacy of
disclosures include:
• information essential for a fair presentation, including the form,
  arrangement, and content of the financial statements and related notes,
  should be disclosed
• verbosity should not be mistaken for adequate disclosure
• disclosure is not a substitute for proper accounting
• information that is not required to be disclosed in the financial statements
  to comply with the applicable framework ordinarily should not be made
  available by the audit team without the entity’s consent
• disclosures should generally be limited to factual representations
• information not susceptible to audit verification, such as management’s
  opinion or an attorney’s opinion on the outcome of litigation, should be
  clearly indicated as representations of management or counsel

21.07 When required disclosures are set forth elsewhere in a report to shareholders,
or in a prospectus, proxy statement, or similar document, they should be included in the
financial statements. When the entity declines to disclose data considered essential to a
fair presentation, the audit team should provide the necessary information in the report
and should appropriately modify the opinion.

Firm Letterhead
21.08 Audit reports should be in writing and presented on firm letterhead, except in
situations involving printed reports or on reports accompanying statements filed with a
regulatory agency where letterhead is ordinarily not used.

21.09 Reproduction of the entire report, including the complete letterhead, may be
made if management so requests.

Elements of the Standard Auditor’s Report


21.10 The elements of the standard auditor’s report are prescribed by ISA 700,
Forming an Opinion and Reporting on Financial Statements. The following provides
additional guidance and firm policies related to report form and content. Illustrative
auditor’s reports are also provided.

21.11 Auditor’s reports contain language that has a technical meaning insofar as
establishing the firm’s professional, ethical, and legal responsibilities. Accordingly,
departures from the standard language should not be made without consulting the Head
of Assurance.

21.12 Illustrative standard auditor’s reports are provided in Exhibit 21.1.

Report Title

21.13 The auditor's report should have a title that clearly indicates that it is the report
of an independent auditor. Accordingly, the title Independent Auditor’s Report should be
used whenever possible.

Address and Salutation


21.14 Ordinarily, the auditor's report is addressed to those for whom the report is
prepared, often either to the shareholders or to those charged with governance. Local
law or regulation, however, may specify to whom the auditor's report should be
addressed.

21.15 The report may be addressed as follows:


Corporations            Board of Directors
                        ABC Company
                        (or if engaged by the stockholders)
                        Board of Directors and Stockholders
                        ABC Company

Partnerships            The Partners
                        ABC Partnership

                        Mr. A. Client, General Partner
                        ABC General Partnership

Sole proprietorships    Mr. A.B. Client, Proprietor
                        ABC Company

21.16 Inclusion of the location (such as a city or country) is generally not desirable.
Reports covering the financial statements of subsidiaries should ordinarily be addressed
to the board of directors of the parent company, rather than the subsidiary.

21.17 In addition, salutations such as Ladies and Gentlemen or Dear Sir or Madam
should not be used.

Introduction - Identification of Entity


21.18 The entity name that appears in the auditor’s report should be the exact name
appearing in the entity’s charter and in the financial statements. Names of
unincorporated organizations should be the exact trade or business name. The name of
an individual should contain either a full given name or more than one initial.

21.19 The firm prefers to identify parent-subsidiary relationships in the introductory
paragraph with language such as the following. However, the firm does not insist on
disclosure of the affiliation in the auditor’s report if it is adequately disclosed in the
financial statements or related notes.

(a corporation and wholly-owned subsidiary of ABC Company)

Introduction - Identification of Statements


21.20 The identification of the financial statements in the introductory paragraph of
the auditor’s report should be consistent with the captions on the statements
themselves, and should specify the date and period covered by the financial
statements. The introductory paragraph should refer to each statement and also to the
summary of significant accounting policies and other explanatory notes.

21.21 In printed reports, the auditor’s report should be near the financial statements
on which the firm is reporting. If the audit team believes that a reader may be confused
about which statements in a printed report are covered by the auditor’s report, the report
should refer to the pages of the statements.

Management’s Responsibility

21.22 The report should include a section describing management’s responsibilities.
Such responsibilities should be described as required by professional standards and
local law or regulation. Refer to paragraphs A20 through A23 of ISA 700 when
management’s responsibilities are prescribed by law or regulation.

Auditor’s Responsibility

21.23 The report should also include a section describing the auditor’s
responsibilities as required by professional standards.

Opinion

21.24 Although the introductory paragraph identifies what was audited, the opinion
paragraph should identify the financial statements to which the opinion relates. It is
permissible to name the financial statements in the opinion paragraph; however, where
no confusion will result, the firm prefers using the phrase “referred to above” when
referencing the financial statements.

21.25 A designation such as “the accompanying financial statements” may not be
sufficiently specific and ordinarily should not be used.

21.26 Also, the exact name of the entity is used in the opinion paragraph.

21.27 The form of opinion should be consistent with the type of framework used to
prepare the financial statements. A fair presentation framework results in a “presents
fairly” or “gives a true and fair view” opinion, while a compliance framework results in a
“prepared in accordance with” opinion. A compliance framework requires compliance
with the requirements of the framework and does not allow departures from the
framework or acknowledge the need for additional disclosures to achieve fair
presentation.

Report Restrictions

21.28 Auditor’s reports on financial statements prepared in accordance with a
general purpose framework ordinarily are not restricted as to distribution or use.
Depending on the circumstances of the engagement, the audit team may consider it
appropriate to indicate that the auditor’s report is intended solely for specific users. This
may be achieved by restricting the distribution or use of the auditor’s report depending
on the law or regulation of the particular jurisdiction.

21.29 For financial statements prepared in accordance with a general purpose
framework, the Head of Assurance should be consulted before issuing an auditor’s
report that limits its distribution or use to specific users.

Dating

21.30 The date of the auditor’s report should not be earlier than the date on which
the audit team has obtained sufficient appropriate audit evidence to support the opinion.
Ultimately, it is a matter of professional judgment as to when the audit team has
obtained sufficient appropriate audit evidence to support the audit opinion. However, if
the audit partner would not issue the report without performing certain audit procedures,
resolving an issue, or completing a review, the auditor’s report should not be dated until
such items are resolved or completed.

21.31 Sufficient appropriate audit evidence is not obtained until:

• review procedures performed by the partner, manager, and quality control
  reviewer are completed and all open points that may affect the financial
  statements are cleared. Others within the firm, such as the Head of
  Assurance, may also become involved in an engagement and review the
  financial statements and workpapers prior to the release of the audit
  report. If any of the previously mentioned reviews result in changes to the
  financial statements or require the audit team to perform additional audit
  procedures, the report date must be revised to the date when the
  necessary additional procedures are completed.
• a full set of the entity’s financial statements, including all disclosures, is
  prepared, all needed changes and corrections were incorporated, and
  management has reviewed and approved them. In some jurisdictions, law
  or regulation identifies the individuals or bodies (for example, the
  directors) that are responsible for the financial statements and also
  specifies the necessary approval process. In such jurisdictions, evidence
  of that approval is necessary before dating the report.
• the management representation letter is obtained (see Chapter 20)
• subsequent events procedures are performed through the audit report
  date (see Chapter 20)

21.32 These requirements will ordinarily result in a report date that is close to the
report release date (the date the audit team grants the entity permission to use the
auditor’s report).

21.33 Often, financial statements for a series of years are reported on separately for
the individual years, and are later presented in comparative financial statements, as in
the case of regulatory filings. In those instances, the date of the report for the
comparative financial statements should be the date of the most recent report.

Dual Dating

21.34 When facts become known to the auditor after the date of the auditor’s report
and management amends the financial statements, the report may be dual dated. Dual-
dating can only be used if law, regulation, or the financial reporting framework does not
prohibit management from restricting the amendment of the financial statements to the
effects of the subsequent event or events causing that amendment, and management
(or others responsible for approving the financial statements) is not prohibited from
restricting their approval to that amendment.

21.35 The advantage of dual dating is that the firm’s responsibility for events
subsequent to the original date of the auditor’s report is limited to the specific event
referred to in the notes to the financial statements. Dual dating is not to be used as an
excuse for prematurely concluding the audit team’s work and dating the report.

21.36 If the financial statement amendment and the completion of the work
necessary for the audit team to obtain evidence regarding the amendment occur shortly
after the date of the original report, it may be preferable to date the revised report as of
the date of completion of the additional work. In such instances, the audit procedures
relating to subsequent events should be extended to the date of the revised report, and
additional management representation letters should be obtained as of this later date.

21.37 In some instances, there will be too much elapsed time between the date of
the original report and the completion of the work on the additional data to render
practical the general extension of the post balance sheet review. In such cases, the
report would ordinarily be dual-dated (if not prohibited).

21.38 Dual dating should not be used in the following situations:

• delivery of the report is delayed (see Chapter 19)
• information about an event occurring subsequent to the auditor’s report
  date is disclosed, but is of a character requiring no further auditing and is
  not a required disclosure. Such an event would have no effect on either
  the financial statements or the related notes, but would be presented as
  an additional informative disclosure, ordinarily in a separate note
  captioned: Event (Unaudited) Subsequent to the Date of Auditor’s Report.
  If the audit team is considering dual-dating such disclosure, the audit team
  should discuss the matter with the Head of Assurance.
• subsequent events result in a change in the financial statements and
  footnotes, and the nature of the change is such that the audit team should
  perform subsequent review procedures to a later date and use such later
  date as the auditor’s report date

21.39 An illustration of the wording for a dual-dated report is as follows:


January 25, 20X3 (except for Note C, as to which the date is February 15, 20X3)
-or-
January 25, 20X3 (except as to Note C, which is as of February 15, 20X3)

21.40 In certain jurisdictions, instead of dual-dating the report as illustrated in the
previous paragraph, an emphasis of matter or other matter paragraph is used to
indicate that the subsequent events procedures were limited to the amendment, as
follows. Emphasis of matter paragraphs are discussed in more detail below.

The following may be used when the financial statements are amended after the auditor’s
report date, but prior to their issuance.

Emphasis of matter
Without modifying our opinion, we draw attention to Note X to the financial statements,
which describes the destruction of the Company’s Madrid premises on February 15, 20X3
by a flood. We did not perform any audit procedures regarding the financial statements
referred to above after (date of our report, such as January 30, 20X3), except for Note X, as
to which the date is February 15, 20X3.

The following may be used when the financial statements are amended after their issuance.
This illustration satisfies the requirement discussed in the subsequent paragraph.

Other matter
We draw attention to Note X to the financial statements, which describes the restatement of
the Company’s 20X1 financial statements to correct an error (or misstatement). On January
30, 20X2, we originally (previously) reported on the 20X1 financial statements. We did not
perform any audit procedures regarding these financial statements after January 30, 20X2,
except for Note X, as to which the date is February 15, 20X3.

21.41 Regardless of whether the financial statements are dual-dated or brought
forward to a more current date, when the financial statements are amended after their
issuance, the ISAs require the audit team to include an emphasis of matter or other
matter paragraph that refers to the note to the financial statements that discusses the
reasons for the amendment and to the earlier report provided by the firm (paragraph 16
of ISA 560). The following illustrates such an emphasis of matter paragraph. Also refer
to the previous illustration.

Other matter
On February 15, 20X3, we originally (previously) reported on the financial statements
referred to above. This report was issued prior to the discovery of the matters set forth in
Note X to the financial statements, wherein revisions of amounts previously reported as of
December 31, 20X2, and for the year then ended are described.

Other Reporting Responsibilities

21.42 In certain jurisdictions, the audit team may have additional reporting
responsibilities to comply with legal or regulatory requirements. If such reporting is
included in the auditor’s report on the audited financial statements, it should be under
an appropriate heading and included in a separate section of the report following the
report on the financial statements. In addition, the report on the financial statements
should be under the heading: “Report on the (Consolidated) Financial Statements.”

Auditor’s Report Prescribed by Law or Regulation

21.43 In certain jurisdictions, a specific layout or wording of the auditor’s report is
required to comply with law or regulation. In these circumstances, the audit team should
refer to paragraph 43 of ISA 700 for the minimum elements that must be included in the
auditor’s report in order to state that the audit was conducted in accordance with the
ISAs.

Audits Conducted Under Local Auditing Standards and ISAs

21.44 In situations where an audit is conducted in accordance with local auditing
standards and the ISAs, the audit team may indicate this in the auditor’s report,
provided the audit team has complied fully with the relevant ISAs, including the
reporting requirements. When the audit team has not complied with the ISAs or when
ISA reporting requirements differ, the audit team cannot state in the report that the audit
was performed in accordance with the ISAs. ISAs do permit, however, the layout or
wording of the local standards, provided the report includes certain minimum reporting
elements. The audit team should refer to paragraphs 44 and 45 of ISA 700 in these
circumstances.

Supplementary Information

21.45 Management may present with the financial statements supplementary
information that is not required by the applicable financial reporting framework.
Supplementary information that is not covered by the auditor’s opinion on the financial
statements should be clearly differentiated from the audited financial statements, such
as labeling the information as unaudited and including it in a separate section of the
document that contains the audited financial statements.

21.46 If the supplementary information is not clearly differentiated, the audit team
should include an other matter paragraph explaining that the supplementary information
is unaudited. However, if such information is not clearly differentiated and it is an
integral part of the financial statements based on the nature of the information and its
presentation, the information should be subjected to audit procedures as if it were part
of the financial statements. See paragraphs 46 and 47 of ISA 700.

21.47 The following other matter paragraph may be used when the supplementary
information is not clearly differentiated from the financial statements and the information
is not an integral part of the financial statements. Other matter paragraphs are
discussed in more detail below.

Other matter
The (identify supplementary information) on page XX is presented for purposes of
additional analysis and is not a required part of the financial statements referred to above.
Such information has not been subjected to the auditing procedures applied in the audit of
the financial statements and, accordingly, we express no opinion on it.

The supplementary information should be marked unaudited.

21.48 In some jurisdictions, the audit team may be requested to opine on whether
supplementary information is fairly presented in relation to the financial statements as a
whole.

Close and Signature

21.49 The firm’s reports are signed manually with the member firm’s name. A printed
signature is not permissible, except for certain reports filed with a regulatory agency. In
addition:
• a complimentary close, such as very truly yours, should not be used
• the phrase “Independent Accountants” may be placed under the firm
  name when a letterhead is not used, as in certain regulatory reports and
  reports drafted for inclusion in printed reports
• only an assurance partner has authority to sign the auditor’s report (see
  Chapter 19)
• the jurisdiction or country of the issuing office and the date of the auditor’s
  report are shown flush with the left-hand margin below the level of the
  manual signature as follows

Athens, Greece
January 25, 20X0

21.50 Where a typed signature is used, a report should be manually signed for the
entity’s files and for the audit workpapers. To indicate that the signature is a typed
signature, the symbol “/s/” can be used, but is not required.

Signing by Other Member Firms

21.51 Audit teams may request the services of other member firms in connection
with signature and “proofing” of registration statements and other filings. When it is
anticipated that such services will be required, the receiving office should be contacted
at the earliest possible time, informed of the situation and the firm’s responsibility, and
furnished drafts of the financial statements together with any pertinent correspondence.
Finally, as the signature date approaches, the engagement partner should make certain
that the signing partner has ample notice of the time and place, an understanding of the
filing and the people involved, and sufficient background information to properly
represent the firm. It is the engagement partner’s responsibility to fully inform the
signing partner. It should be noted that certain member firms have established
“gatekeeping” policies and procedures.

Reissuance of the Auditor’s Report


21.52 Occasionally, management may request additional copies of a previously
issued report. In these instances, the audit team has no responsibility to make further
investigation or inquiry as to events that may have occurred during the period between
the original report date and the release of the additional report. The additional copies
should bear the original report date to avoid any implication that records, transactions or
events after that date were reviewed or audited. These circumstances are distinguished
from the reissuance of a report on the financial statements of a former client.

21.53 If a former client requests the firm to reissue the auditor’s report on prior
period financial statements to be presented comparatively with a subsequent period, the
audit team should consider whether the previous report on such financial statements is
still appropriate. Events subsequent to the date of the report, or the current presentation
of the prior period financial statements might make the previous report inappropriate.
Therefore, the audit team should:
• read the financial statements of the current period
• compare the prior period financial statements on which the firm reported
  with the financial statements which will be presented for comparative
  purposes
• obtain an updated representation letter from management of the former
  client stating (1) whether they are aware of any information that would
  cause them to believe that any of their previous representations should be
  modified, and (2) whether any events have occurred subsequent to the
  balance sheet date of the latest prior-period financial statements reported
  on by the firm as the predecessor auditors, and through the date of the
  representation letter, that would require adjustment to or disclosure in
  those financial statements
• obtain a representation letter from the successor auditors stating whether
  their audit disclosed any matters that might, in their opinion, have a
  material effect on, or require disclosure in, the financial statements
  reported on by the firm (a representation may not be obtainable in certain
  jurisdictions)

21.54 The audit team may have additional responsibilities when the reissuance is in
connection with the offering of securities.

21.55 In performing these procedures, the audit team may become aware of matters
or events occurring subsequent to the date of the report on the prior period financial
statements that may affect the previous report. The audit team should then decide
whether additional inquiries or other audit procedures, such as reviewing the
successors’ workpapers, relating to such matters or events are necessary. The
additional inquiries or procedures performed may then provide a basis for determining
whether to revise the report. Also see the section entitled “Subsequent Discovery of
Facts.”

21.56 When the firm reissues a prior period report, the following policies are
applicable:
• if the prior period financial statements are not amended and the report is
  reissued without change, the original date of the report should be used
• if the prior period financial statements were amended and the firm will
  reissue the auditor’s report
  – the audit team should be satisfied as to the propriety of the
    amendment
  – the reasons for the amendment and the effects on the financial
    statements should be described in a note to the financial statements
  – each page of the amended financial statements should be marked as
    such (for example: as revised or restated, see Note X)
  – the report should be dual-dated or brought forward to a more current
    date (see the section entitled “Dating”)
  – the report should include an emphasis of matter or other matter paragraph
    referencing the footnote that describes the amendment and the
    auditor’s previously issued report (see the section entitled “Dating”)
  – if the opinion differs from the opinion previously expressed, the report
    should include the substantive reasons for the different opinion in an
    other matter paragraph
  – reference to the work or report of successor auditors should not be
    made in the report

21.57 A predecessor auditor may also request the firm to furnish representations
regarding whether the audit of the current-period financial statements revealed any
matter that might have a material effect on, or require disclosure in, the statements
reported upon by the predecessor. These representations would be provided in
accordance with professional standards and in consideration of local law and regulation.

Subsequent Discovery of Facts


21.58 When the audit team determines that certain material facts existing at the date
of the auditor’s report were not reflected in the financial statements and that those facts
would have an effect on the report, the audit team should advise the entity to make
appropriate disclosures. See Chapter 18.

21.59 If the effect of the subsequently discovered information on the financial


statements or on the report can be promptly determined, disclosure should consist of
issuing a revised auditor’s report and financial statements as soon as practicable. The
Head of Assurance should be consulted. Generally, even though the revisions resulted
from events that had occurred in prior years, only the most recently issued financial
statements would need to be revised.

21.60 When the financial statements are amended, refer to the previous section
entitled “Reissuance of the Auditor’s Report.” When the financial statements are not
amended, refer to ISA 560 for the audit team’s responsibilities to inform management
and those charged with governance and to prevent reliance on the auditor’s report. See
Chapter 18 for specific firm policies.

Comparative Information
21.61 Comparative information includes amounts and disclosures of a prior period
presented together with the current period. Depending on the applicable financial
reporting framework and the jurisdiction, comparative information may be in the form of
corresponding figures or comparative financial statements. Corresponding figures differ
from comparative financial statements in that corresponding figures do not constitute a
complete set of financial statements of the prior period.

21.62 The firm encourages the use of comparative financial statements, except
where misleading inferences may be drawn. When presented, the prior period amounts
should, in fact, be comparative and contain adequate disclosures. Matters of continuing
significance should also be included.

21.63 ISA 710, Comparative Information – Corresponding Figures and Comparative
Financial Statements, addresses the auditor’s responsibilities for corresponding figures
and comparative financial statements. These responsibilities include:
• determining that the comparative information is presented in accordance
  with the framework
• agreeing the comparative information with previous presentations, or with
  restated amounts
• evaluating the consistency of the entity’s accounting policies between
  periods, including the accounting and disclosure of changes in those
  policies
• responding appropriately to possible material misstatements in the
  comparative information

21.64 During the current audit, the audit team should be alert for the circumstances
or events that may affect the prior period financial statements presented and/or the
adequacy of informative disclosures concerning such statements. The audit team
should consider the effects of such circumstances or events in updating the report on
the prior period financial statements. The term “update” means to re-express a previous
opinion or, depending on the circumstances, to express an opinion different from that
expressed on the financial statements of a prior period. The distinction between an
updated report and a reissued report is that in issuing an updated report, the continuing
auditor considers information that he or she has become aware of during the audit of
the current period financial statements. Also, an updated report is issued in conjunction
with the auditor’s report on the current period financial statements.

21.65 Reporting on corresponding figures differs from reporting on comparative
financial statements. When comparative financial statements are presented, the
auditor’s report should refer to all of the periods presented on which the firm is
expressing an opinion. When corresponding figures are presented, the auditor’s report
does not refer to the corresponding figures, except in the following limited
circumstances described in ISA 710:
• when the prior period is unaudited
• when a modified opinion in the prior period is unresolved
• when a material misstatement exists in the corresponding figures

21.66 ISA 710 provides several illustrative report examples related to comparative
information. It also addresses required other matter paragraphs relating to
corresponding figures and comparative financial statements for the following
circumstances:
 when the prior period is unaudited
 when the prior period is audited by a predecessor auditor
 when the opinion on the prior period comparative financial statements
differs from the opinion previously expressed

Comparative Audited/Unaudited Statements

21.67 Occasionally, an entity may desire to present comparative financial statements
that include prior year audited financial statements and unaudited current year financial
statements. If feasible, the audit team should suggest the entity accept a report with
only the current year statements presented, such as when the current year was
reviewed or compiled. If this is not feasible, the following additional presentations should
be considered:
 each page of the financial statements should clearly be marked “See
accompanying accountant’s report”
 each column heading related to the audited financial statements should be
marked “Audited”
 each column heading related to the unaudited financial statements should
be marked “Unaudited,” “Reviewed,” or “Compiled”
 the heading related to the notes to the financial statements should be
followed by “(Data related to 20X0 is unaudited)”

Reporting on Financial Statements Not Presented Separately

21.68 Modification of the auditor’s report is required when the report is included in a
filing but the financial statements to which the report relates are not presented
separately within such filing (e.g., where a principal auditor refers to the report of
another auditor). In these instances, the auditor’s report should be modified by inserting
parenthetically the phrase “not presented separately herein” after the identification of
the financial statements in the introductory paragraph of the report.

Combination of Practices

21.69 The firm may be requested to reissue reports (generally in connection with
regulatory filings) that were previously issued by firms with whom the firm has since
combined practices. Since, in most instances, the predecessor firm has ceased to exist,
these reissued reports must be signed with the member firm name. The following
policies apply to such situations:
 The workpapers should be reviewed by a technical reviewer designated
by the Head of Assurance prior to reissuance of the report
 In the event that the technical reviewer determines that further fieldwork is
required prior to the reissuance of the report with the firm’s signature, the
additional work should be undertaken as promptly as possible. In addition,
the client should be advised of the additional fees that will be incurred.
Where additional work is undertaken, the technical reviewer and the Head
of Assurance should be consulted prior to determining whether the
auditor’s report should be updated in whole or in part.

Audits Completed Prior to Combination

21.70 The auditor’s report with the firm’s signature modified to indicate the name of
the predecessor firm should be used in either of the following circumstances:
 the audit team is reissuing the report on behalf of the predecessor firm
(report reissuance)
 the predecessor firm has substantially completed fieldwork procedures
prior to the combination and has not as yet issued an auditor’s report
(original issuance)

21.71 In this situation, the report on a single year set of financial statements should
be signed:
Member Firm Name (manually)
Successor to the practice of
(name of predecessor firm) (typed)
Athens, Greece
February 1, 20X3

21.72 In situations where the merged firm continues to exist, for example when the
firm purchases the practice of another national firm in a specific city, the firm would
ordinarily not assume responsibility for reports previously issued by the predecessor
firm. In these situations, the predecessor firm should be requested to reissue their
report on the prior year. When the predecessor firm substantially completed fieldwork
procedures but has not yet issued a report, the audit team may issue the report,
provided that the firm’s quality control review policies are followed and a determination
was made that all relevant professional requirements were met.

Additional Audits Completed After Combination

21.73 When comparative financial statements include prior period statements that
were audited by a firm with whom the firm has since combined practices, the audit team
should determine whether it is appropriate for the firm to reissue a report or render an
updated report on the prior period financial statements.

21.74 When updating the report on the prior period, the introductory paragraph
would read as follows (except for the situations previously discussed where the firm has
purchased a portion of the practice of another firm).
We have audited the accompanying (consolidated) financial statements of ABC Company
(and its subsidiaries), which comprise the (consolidated) balance sheet as at (or, of)
December 31, 20X2, and the (consolidated) income statement, statement of changes in
equity and cash flow statement for the year then ended, and a summary of significant
accounting policies and other explanatory information. The (consolidated) financial
statements of the Company as at (or, of) December 31, 20X1, were audited by ABC & Co.,
Chartered Accountants. We have since succeeded to the practice of (or combined practices
with) such firm.

21.75 Only the introductory paragraph should be modified. The opinion paragraph
would refer to all periods presented on which our firm and the predecessor firm
reported.

Modifications to the Opinion in the Auditor’s Report

21.76 The following discusses the appropriate form of report when the audit team
concludes that a modification to the opinion on the financial statements is necessary.
Modifications are addressed by ISA 705, Modifications to the Opinion in the
Independent Auditor’s Report. Illustrative reporting examples are provided in Exhibit
21.1, along with specific situations that may require the opinion to be modified in Exhibit
21.2.

21.77 There are three types of modified opinions:
 qualified opinion
 adverse opinion
 disclaimer of opinion

21.78 The type of modified opinion issued depends upon:
 the nature of the matter giving rise to the modification, that is whether
– the financial statements are materially misstated
– the audit team did not obtain sufficient appropriate audit evidence
 the pervasiveness of the effects or possible effects on the financial
statements. Matters are pervasive, if
– they are not confined to specific elements, accounts or items
– if confined, represent or could represent a substantial proportion of the
financial statements
– in relation to disclosures, are fundamental to users’ understanding

21.79 The table below illustrates how the audit team’s judgment about these matters
affects the type of opinion issued.
Audit Team’s Judgment about the Pervasiveness of the Effects or Possible Effects on the Financial Statements

| Nature of Matter Giving Rise to the Modification | Material but Not Pervasive | Material and Pervasive |
|---|---|---|
| Financial statements are materially misstated | Qualified opinion | Adverse opinion |
| Inability to obtain sufficient appropriate audit evidence (scope limitation) | Qualified opinion | Disclaimer of opinion |

21.80 In judging whether to issue a qualified opinion or adverse opinion due to a
material misstatement, the audit team should consider such factors as the significance
of the financial statement item to the entity and the effect of the misstatement on the
presentation of other financial statement items and on the financial statements taken as
a whole.

21.81 Firm policy requires consultation with the Head of Assurance any time the
audit team is modifying the opinion in the auditor’s report on the financial statements.

21.82 When the audit team expects to modify the opinion, the audit team should
communicate to those charged with governance the circumstances that led to the
expected modification and the proposed wording of the modification. When emphasis of
matter or other matter paragraphs are used (as described below), the audit team is also
required to communicate the proposed wording to those charged with governance to
provide them with the opportunity to seek additional clarification. Recurring other matter
paragraphs need not be re-communicated.

21.83 If management will not make the necessary revisions to the financial
statements or does not accept the report, as modified, the firm should refuse to be
associated with the financial statements and, if necessary and possible, withdraw from
the engagement. If the firm withdraws from the engagement, before withdrawing the
audit team should communicate to those charged with governance matters about
identified misstatements that would have given rise to a modified opinion.

Scope Limitations

21.84 The audit team is required to obtain sufficient appropriate evidence to afford a
reasonable basis for an opinion on the financial statements under audit. A scope
limitation occurs when sufficient evidential matter does or did exist, but was not
available to the audit team, or the audit team was unable to perform alternative
procedures to obtain the audit evidence needed. Scope limitations, whether imposed by
management or those charged with governance or by circumstances, such as the timing
of the audit team’s work or inadequate accounting records, require the audit team to
qualify or disclaim an opinion.

21.85 If management or those charged with governance impose a scope limitation
that the audit team believes will result in a disclaimer of opinion, the firm should not
accept the engagement, unless required by law or regulation to do so. If management
or those charged with governance impose a scope limitation during the course of the
audit, and the matter is both material and pervasive, the audit team should withdraw,
where practicable or possible under applicable law or regulation.

21.86 Scope limitations imposed by management or those charged with governance
most commonly concern the omission of audit procedures related to matters such as:
 beginning balances in new engagements
 inventory observation
 external confirmations
 branches or subsidiaries
 actuarial valuations for benefit obligations
 examination of securities (or confirmation, if held by an outside custodian)

Basis for modified opinion paragraph

21.87 When issuing a modified opinion:
 the matter giving rise to the modification is described in one or more
paragraphs immediately preceding the opinion paragraph
 the paragraph(s) should be titled “Basis for Qualified Opinion,” “Basis for
Adverse Opinion,” or “Basis for Disclaimer of Opinion”
 the paragraph(s) should disclose all of the substantive reasons for the
modification
 the paragraph(s) should describe any other matters that would have
required a modification to the opinion other than those resulting in the
modified opinion. For example, the basis for modification paragraph(s) in a
disclaimer of opinion should also include a description of any identified
material misstatements that management does not correct.

21.88 The following table provides guidance on the matters to be described in the
basis for modification paragraph(s) depending on the nature of the matter giving rise to
the modification.
Nature of Matter Giving Rise to the Modification: Financial statements are materially misstated
Basis for Modified Opinion Paragraph:
Misstatements of specific amounts
 Describe the quantified financial effects (including quantitative disclosures) on
financial position, financial performance and cash flows, as appropriate
 If it is not practicable to quantify the financial effects, state that it is not
possible to do so.
 Language should not imply that it was the audit team’s responsibility to quantify
the effects
 Language such as “the effects on the financial statements of….have not been
determined” should be used
 Language such as “it is not possible to determine the effects…” or “the
effects…could not be determined” should be avoided
Disclosures
 Explain how the disclosures are misstated
 Describe the nature of omitted information
 Include the omitted disclosures when practicable and not prohibited by law or
regulation from doing so
 Discuss the omitted disclosures with those charged with governance
In most cases, it should be possible to persuade management to make all essential
disclosures since, if the entity fails to do so, the auditor’s report will ordinarily
include the essential information. As such, misstatements related to disclosures
should be rare.

Nature of Matter Giving Rise to the Modification: Inability to obtain sufficient appropriate audit evidence
Basis for Modified Opinion Paragraph:
Describe the reasons for the inability to obtain sufficient appropriate audit evidence.
All substantive reasons giving rise to the scope limitation should be clearly described.

21.89 The following provides illustrative examples of basis of modified opinion
paragraphs.
For unrecorded deferred income taxes:
As more fully described in Note X to the financial statements, the Company has not
recorded deferred income taxes on installment sales for financial reporting purposes.
(Applicable financial reporting framework) requires such deferred taxes to be recorded. If
the financial statements were corrected for that departure from (applicable financial
reporting framework), current deferred taxes would be increased by $XXX,XXX,
noncurrent deferred taxes would be increased by $XXX,XXX, and retained earnings would
be decreased by $XXX,XXX as of December 31, 20X2, and net income would be
decreased by $XXX,XXX for the year then ended.
For omitted disclosures:
On January 15, 20X2, the Company issued debentures in the amount of $XXX,XXX for the
purpose of financing plant expansion. The debenture agreement restricts the payment of
future cash dividends to earnings after December 31, 20XX. Management did not disclose
that information, which is required to be disclosed in accordance with (applicable financial
reporting framework).

Qualified Opinion

21.90 A qualified opinion is issued in the following circumstances:
 a material misstatement exists, but it is not pervasive
 lack of sufficient appropriate audit evidence (scope limitation), but not
pervasive

21.91 A qualified opinion may be issued only after consultation with the Head of
Assurance.

21.92 When issuing a qualified opinion, the description of the auditor’s responsibility
should refer to the qualified opinion and the opinion paragraph should be titled
“Qualified Opinion,” and should reference the basis for modified opinion paragraph(s).

21.93 Phrases such as “subject to” or “with the foregoing explanation” are not clear
and should not be used. When the modification relates to only one of the statements,
the reference should clearly indicate which statement is qualified; for example, “except
for the effect on the balance sheet of the matter(s) described in the Basis for Qualified
Opinion paragraph.”

21.94 In addition, if there is a scope limitation, the language of the qualification
should indicate that the qualification relates to the possible effects on the financial
statements and not to the scope limitation itself. Accordingly, wording such as “In our
opinion, except for the above-mentioned limitation on the scope of our audit” should not
be used.

21.95 An illustrative qualified opinion for a fair presentation framework is included in
Exhibit 21.1.

Adverse Opinion

21.96 An adverse opinion is only issued when a material misstatement exists and
the effect of the misstatement is pervasive to the financial statements so that an
unqualified opinion is not justified. In such circumstances, a disclaimer of opinion
should not be issued, unless there is a scope limitation. An adverse opinion may be
issued only after consultation with the Head of Assurance.

21.97 An adverse opinion may arise in the following circumstances:
 the misstatement affects a substantial proportion of the financial
statements
 the misstatement is so material that it results in an unfair presentation
 the misstatement relates to omitted disclosures that are fundamental to
users’ understanding

21.98 When issuing an adverse opinion, the description of the auditor’s responsibility
should refer to the adverse opinion and the opinion paragraph should be titled “Adverse
Opinion,” and should reference the basis for modified opinion paragraph(s).

21.99 An illustrative adverse opinion for a fair presentation framework is included in
Exhibit 21.1.

Disclaimer of Opinion

21.100 A disclaimer of opinion is only issued when the possible effects of undetected
misstatements due to the lack of evidence (a scope limitation) could be both material
and pervasive to the financial statements. A disclaimer of opinion may be issued only
after consultation with the Head of Assurance.

21.101 A disclaimer of opinion may arise in the following circumstances:
 inability to form an opinion on the financial statements as a whole due to
the potential effect on a substantial portion of the financial statements
 inability to form an opinion on the financial statements as a whole due to
the potential effect on multiple financial statement items
 inability to form an opinion as to the fairness of presentation
 in extremely rare circumstances involving multiple uncertainties, inability to
form an opinion due to the potential interaction of the uncertainties and
their possible cumulative effect, even if evidence was obtained for each
individual uncertainty (uncertainties are discussed in more detail below)

21.102 A disclaimer of opinion should not be contradicted by expressions of negative
assurance. For example, the audit team should not include expressions such as
“However, nothing came to our attention that would indicate these financial statements
are not presented fairly.”

21.103 When issuing a disclaimer, the introductory paragraph, the auditor’s
responsibility paragraphs, and the opinion paragraph are modified. An illustrative
disclaimer of opinion for a fair presentation framework is included in Exhibit 21.1.

Piecemeal Opinions

21.104 Piecemeal opinions (an adverse opinion or a disclaimer of opinion on the
financial statements taken as a whole and a separate opinion in the same report on a
single financial statement or on one or more specific elements, accounts or items in the
financial statements) are not permitted in any circumstance.

21.105 With approval from the Head of Assurance, the audit team may separately
audit and express a separate opinion on one or more specific elements, accounts or
items provided:
 there is no prohibition in law or regulation from doing so
 the opinion on the financial statements as a whole is not published
together with the opinion on the specific element, account or item
 the specific element, account or item does not constitute a major portion of
the entity’s complete set of financial statements

21.106 A separate opinion on a single financial statement is not permitted when an
adverse opinion or a disclaimer of opinion is issued on the financial statements taken as
a whole. In some circumstances, however, an unqualified opinion may be issued on one
statement, while an adverse opinion or a disclaimer of opinion is issued on the other.
This is referred to as a split-level opinion. For example, in a first year audit engagement,
the audit team may be unable to become satisfied as to the opening inventory or the
company may have inadequate records, which can result in a disclaimer of opinion on
financial performance and cash flows and an unqualified opinion on financial position.
The audit team should consult with the Head of Assurance prior to issuing a split-level
opinion. ISA 510, Initial Audit Engagements – Opening Balances, provides an illustrative
example of such opinion.

Emphasis of Matter and Other Matter Paragraphs

21.107 The following discusses emphasis of matter and other matter paragraphs in
the auditor’s report, as described in ISA 706, Emphasis of Matter Paragraphs and Other
Matter Paragraphs in the Independent Auditor’s Report.

21.108 Emphasis of matter and other matter paragraphs provide additional
communication related to the audit. Emphasis of matter paragraphs differ from other
matter paragraphs, as follows:
 emphasis of matter paragraphs refer only to matters disclosed in the
financial statements that are fundamental to users’ understanding of the
statements
 other matter paragraphs refer only to matters relevant to users’
understanding of the audit, the auditor’s responsibilities, or the audit report

21.109 The ISAs require the use of emphasis of matter and other matter paragraphs
in certain circumstances (see Appendix 1 of ISA 706). A widespread use of these
paragraphs, however, diminishes their effectiveness. Accordingly, the firm ordinarily
prefers to avoid using such paragraphs. Unless required by the ISAs, law or regulation,
the audit team should only use these paragraphs after consultation with the Head of
Assurance.

Emphasis of Matter Paragraphs

21.110 Emphasis of matter paragraphs refer only to matters disclosed in the financial
statements that are fundamental to users’ understanding of the statements. Such
paragraphs are not used to qualify the opinion on the financial statements, or to include
disclosures not made by management.

21.111 When the audit team includes an emphasis of matter paragraph in the
auditor’s report, the audit team should:
 include it immediately after the opinion paragraph
 use the heading “Emphasis of Matter,” or other appropriate heading.
 include a reference to the matter and to the related disclosures using the
same terminology that is used in the disclosures
 indicate that the opinion is not modified in respect of the matter
 not reference the emphasis of matter paragraph in the opinion paragraph
and therefore, phrases such as “with the following explanation” should not
be used in the opinion paragraph

21.112 The following illustrates the requirements in the previous paragraph:
Opinion
In our opinion, the financial statements referred to above present fairly, in all material
respects, (or, give a true and fair view of) the financial position of ABC Company as at (or,
of) December 31, 20X1, and (of) its financial performance and its cash flows for the year
then ended in accordance with (applicable financial reporting framework, such as
International Financial Reporting Standards issued by the International Accounting
Standards Board).
Emphasis of Matter
Without modifying our opinion, we draw attention to Note X to the financial statements,
which describes the uncertainty related to the outcome of the lawsuit filed against the
Company by XYZ Company.

Other Matter Paragraphs

21.113 Other matter paragraphs refer only to matters relevant to users’ understanding
of the audit, the auditor’s responsibilities, or the audit report. Appendix 2 of ISA 706 lists
the circumstances when the ISAs require an other matter paragraph.

21.114 Law, regulation, or generally accepted practice in a jurisdiction may require or
permit the firm to elaborate on matters that provide further explanation about the audit.
Explanations consisting of comments on detailed audit procedures should be limited
solely to situations where such explanations are specifically required. In addition, the
audit team should determine that:
 the wording does not imply that the audit procedures listed were the only
ones performed. To avoid this inference, the procedures should be
introduced by phrases such as:
 our audit included
 as part of our audit
 we present the following summary of our principal audit procedures
 certain phases of our audit are described as follows
 the procedures are stated in a positive manner so as not to imply that they
are exceptions to the scope of the engagement

21.115 When the audit team includes an other matter paragraph in the auditor’s
report, the audit team should:
 include it immediately after the opinion paragraph or any emphasis of
matter paragraph. An other matter paragraph may also be included in a
separate section of the auditor’s report.
 use the heading “Other Matter,” or other appropriate heading
 not reference the other matter paragraph in the opinion paragraph and
therefore, phrases such as “with the following explanation” should not be
used in the opinion paragraph

21.116 The following illustrates the requirements in the previous paragraph:
Opinion
In our opinion, the financial statements referred to above present fairly, in all material
respects, (or, give a true and fair view of) the financial position of ABC Company as at (or,
of) December 31, 20X1, and (of) its financial performance and its cash flows for the year
then ended in accordance with (applicable financial reporting framework, such as
International Financial Reporting Standards issued by the International Accounting
Standards Board).
Emphasis of Matter
Without modifying our opinion, we draw attention to Note X to the financial statements,
which describes the uncertainty related to the outcome of the lawsuit filed against the
Company by XYZ Company.
Other Matter
We did not audit the Company’s financial statements as of or for the year ended December
31, 20X1, and, accordingly, we do not express an opinion on them.

Specific reporting considerations

Inventory

21.117 When there is a scope limitation with respect to material inventory, the audit
team should determine the importance of the omitted procedures and whether the audit
team can render an opinion on the statements being audited. The following
considerations are generally applicable:
 If observation of material inventory is omitted because of a restriction
imposed by management, the audit team should generally disclaim an
opinion on the financial statements taken as a whole.
 If the audit team was unable to observe the entity’s taking of physical
inventories solely because it was impracticable or impossible to do so:
– the audit team should carefully consider the decision that observation
of physical inventories is impracticable or impossible. Professional
standards require the audit team to make or observe some physical
counts and perform tests of intervening transactions when it was
impossible to attend the counting due to unforeseen circumstances.
– when the audit team is unable to apply other audit procedures to obtain
evidence about the existence of material inventory (or make or observe
some physical counts when unable to attend due to unforeseen
circumstances), the audit team should either qualify or disclaim an
opinion on the financial statements taken as a whole.
 If the firm was asked to audit financial statements covering the current
period for which the firm had observed or made some physical counts of
current inventory and one or more periods for which the firm had not
observed or made some physical counts of prior inventory:
– when the audit team obtains evidence about such prior inventory by
applying other audit procedures, (e.g., tests of prior transactions,
review of the records of prior counts, and/or the application of gross
profit tests), including current inventory, there is no limitation on the
scope of the audit
– when the audit team is unable to obtain evidence with respect to
beginning inventory, the audit team should either disclaim an opinion
on the statements of earnings, retained earnings, and cash flows or
qualify the opinion thereon, depending on the materiality and
pervasiveness of the amounts involved. See the discussion related to
piecemeal and split-level opinions above. Also see an illustrative report
example in ISA 510.

21.118 Frequently, in an initial audit, there is no predecessor auditor, and the firm may
be asked to audit the balance sheet only when management presents the other financial
statements as “unaudited.” There is no objection to such an engagement, provided the
firm is not aware of any circumstances that might cause financial performance to be
materially misstated. The report should clearly indicate the responsibility the firm is
taking with respect to each of the statements presented. See ISA 800, Special
Considerations – Audits of Single Financial Statements and Specific Elements,
Accounts or Items of a Financial Statement, for guidance on reporting on single financial
statements.

Omission of the Statement of Cash Flows

21.119 On rare occasions, an entity may present financial statements that purport to
present financial position and financial performance but omit the statement of cash
flows. When the statement of cash flows is required by the applicable financial reporting
framework, the audit team should qualify the opinion because of the omission. In some
circumstances, the audit team may determine that an adverse opinion is more
appropriate. It is generally not appropriate to provide the statement in the auditor’s
report.

21.120 The following illustrates revised paragraphs of the auditor’s report when
issuing a qualified opinion on financial statements prepared in accordance with a fair
presentation framework due to the omission of the statement of cash flows:
We have audited the accompanying financial statements of ABC Company, which comprise
the balance sheet as at (or, of) December 31, 20X1, and the income statement and statement
of changes in equity for the year then ended, and a summary of significant accounting
policies and other explanatory information.
Basis for Qualified Opinion
The Company declined to present a statement of cash flows for the year ended December
31, 20X1. Presentation of such statement summarizing cash flows from operations,
investing transactions, and financing transactions along with certain related disclosures is
required by (applicable financial reporting framework).
Qualified Opinion
In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion paragraph, the financial statements referred to above present fairly, in all material
respects, (or, give a true and fair view of) the financial position of ABC Company as at (or,
of) December 31, 20X1, and (of) its financial performance for the year then ended in
accordance with (applicable financial reporting framework, such as International Financial
Reporting Standards issued by the International Accounting Standards Board).

Uncertainties

21.121 A matter involving an uncertainty is one that is expected to be resolved at a
future date, at which time conclusive audit evidence concerning its outcome would be
expected to become available. Conclusive evidence concerning the ultimate outcome of
an uncertainty cannot be expected to exist at the time of the audit because the outcome
and related audit evidence are prospective. Accordingly, when an uncertainty exists
which could materially affect the financial statements, the audit team should consider
the nature of the uncertainty and the adequacy of the disclosure of matters involving
risks and uncertainties on the financial statements taken as a whole. Uncertainties
include contingencies, matters related to risks and uncertainties, and those associated
with the going concern assumption.

21.122 Management is responsible for estimating the effect of future events on the
financial statements, or determining that a reasonable estimate cannot be made and
making the required disclosures. Nevertheless, the audit team should not overlook the
need to obtain sufficient documentation and audit evidence to support management’s
assertions about the nature, presentation, and disclosure of the uncertainty.

21.123 When the audit team has not obtained sufficient evidence to support
management’s assertions about the nature of a matter involving an uncertainty and its
presentation or disclosure in the financial statements, the audit team should determine
whether the situation requires:
• a qualified or adverse opinion because of a material misstatement due to
  – inadequate disclosure
  – inappropriate accounting
  – unreasonable estimates
• a qualified or disclaimer of opinion because of a scope limitation

21.124 In practice, disclaimers relating to uncertainties are generally used in
extraordinary circumstances, such as when (a) the uncertainty overshadows the
financial statements taken as a whole, and (b) the possible effects of the uncertainty on
the financial statements are both material and pervasive in terms of the number of
accounts affected, usually resulting in going concern questions. For example, an
uncertainty that is material to financial performance, but not to financial position,
ordinarily would not warrant a disclaimer since the basis of presentation of the financial
statements would not be impaired.

21.125 Uncertainties should not be confused with the monetary amount of estimates
or accruals to which the audit team takes exception. Most normal accounting estimates
and accruals are susceptible to reasonable estimation. Differences between the
company’s recorded estimate and the closest estimate that the audit team believes is
best supported by audit evidence should not be considered uncertainties. Rather, those
differences, if material, should be adjusted. In evaluating the ramifications of such
differences, the audit team should consider the requirements of the applicable financial
reporting framework. Management’s inability to make a reasonable estimate of items
that are normally susceptible to reasonable estimation may signal use of inappropriate
accounting principles. Accordingly, that situation may call for a qualified or adverse
opinion because of a material misstatement.

21.126 In some cases, uncertainties will lead to disclosures of certain significant
estimates. Such disclosures should not be considered a substitute for a qualified or
adverse opinion because of a material misstatement. On the other hand, such
disclosures should not be considered an indication that the estimate is materially
misstated. They are merely an indication that the chance of the estimate changing by a
material amount in the “near term” is more than remote. Auditors obtain reasonable
assurance, not absolute assurance, about whether financial statements are free of
material misstatement. When auditing estimates, the audit team should assess whether
the estimates are reasonable in the circumstances based on the information available.

21.127 Materiality should be considered, quantitatively and qualitatively, in evaluating
the adequacy of disclosure of matters involving risks or uncertainties in the financial
statements in the context of the financial statements taken as a whole. Materiality
considerations are a matter of professional judgment and are influenced by an auditor’s
perception of the needs of a reasonable person using the financial statements.
Materiality judgments involving risks or uncertainties are made in light of surrounding
circumstances. The materiality of reasonably possible losses that may be incurred upon
the resolution of uncertainties should be evaluated both individually and in the
aggregate without regard to the evaluation of materiality of likely misstatement in the
financial statements.

Uncertainties as to Going Concern

21.128 The table below summarizes the reporting requirements based on the going
concern assumption and management’s disclosures thereon.

| Conclusion | Management disclosures | Effect on the audit report |
|---|---|---|
| Going concern basis appropriate – no significant doubt | Adequate disclosure of uncertainties, as deemed necessary. Even if no material uncertainty exists, disclosures may be necessary with respect to uncertainties. | Unmodified opinion. No emphasis of matter paragraph. |
| Going concern basis appropriate – significant doubt remains | Adequate disclosures | Emphasis of matter paragraph. Going concern emphasis of matter paragraphs are discussed below. |
| Going concern basis appropriate – significant doubt remains | Inadequate disclosures | Qualified or adverse opinion for material misstatement. Audit report should state that there is a material uncertainty that may cast significant doubt about the entity’s ability to continue as a going concern. |
| Going concern basis may or may not be appropriate – unable to conclude on significant doubt | Unlikely to be able to conclude on adequacy of disclosure because of scope limitation | Disclaimer of opinion or withdrawal from the engagement due to scope limitation (lack of evidence or unique contingencies and unknown events). A qualified opinion is ordinarily inappropriate as the scope limitation would relate to an uncertainty that would be both material and pervasive to the financial statements. |
| Going concern basis inappropriate | Liquidation basis appropriate | Adverse opinion or withdrawal from the engagement (if the financial statements are prepared on a going concern basis) |

21.129 Firm policy requires consultation with the Head of Assurance in the following
situations:
• For public companies, the audit team believes there could be significant
  doubt about the entity’s ability to continue as a going concern (see below).
  Consultation is required whether or not the audit team concludes that the
  auditor’s report should be modified due to a going concern uncertainty.
• For nonpublic companies, the audit team believes there could be
  significant doubt about the entity’s ability to continue as a going concern
  (see below) but concludes that the auditor’s report should not be modified
  due to the going concern uncertainty.
• For all companies, when a previously issued report included a going
  concern modification and the audit team concludes that the report may be
  reissued without the going concern modification.

21.130 In most situations, the audit team will need to assemble facts and data about
the company’s future operating projections, liquidity needs, and upcoming debt
retirement requirements. Such assessments may or may not indicate the presence of
substantial doubt or the determination that modification of our report is a “close call.”
Consultation with the Head of Assurance in accordance with the above guidance is
expected in heightened risk situations where the audit team plans to perform a detailed
analysis of the entity’s cash flow projections, backlog, ability to meet future debt
covenants, etc. to determine if identified liquidity and related risk factors have been
mitigated.

21.131 Consultation with the Head of Assurance would also include situations where
the going concern assumption is inappropriate, situations where the audit team is
unable to obtain the necessary evidence to conclude about the going concern
assumption, and situations where a disclaimer of opinion is being considered.

Reissuing and consenting to the use of our report

21.132 When the firm reissues or consents to the use of the auditor’s report during the
period prior to the next year end of the entity, the audit team is required to consider
subsequent events up through the date of the consent or report reissuance. This would
include considering conditions or events that arise during this subsequent period that
indicate the going concern assumption may not be appropriate. As part of these
subsequent event procedures, the audit team is not required to evaluate whether there
is significant doubt about the entity’s ability to continue as a going concern, unless
conditions or events are identified.

21.133 If a condition or event is identified that leads the audit team to believe that
there is significant doubt about the entity’s ability to continue as a going concern twelve
months from the balance sheet date, additional procedures should be performed to
assess the uncertainty and whether additional disclosures may be needed. If the
financial statements or disclosures are revised, the auditor’s report would be dual-dated
(if not prohibited).

Disclosures

21.134 Management is responsible for adequate disclosure with respect to uncertainty
about the entity’s ability to continue as a going concern for a reasonable period of time
(see Chapter 20). If the audit team concludes that such disclosures in the financial
statements are inadequate, a misstatement exists, and the audit team should consider
the need for a qualified or adverse opinion.

21.135 Because of its importance, the going concern note to the financial statements
should ordinarily follow the accounting policies note. Management’s assertions
regarding its ability to continue as a going concern that are not susceptible to audit
should be prefaced with a phrase such as “management believes.” Following is an
illustrative note:
NOTE B – REALIZATION OF ASSETS
The accompanying financial statements have been prepared in accordance with (applicable
financial reporting framework), which contemplate continuation of the company as a going
concern. However, the company has sustained substantial losses from operations in recent
years, and such losses have continued through the unaudited quarter ended March 31,
20X3. In addition, the company has used, rather than provided, cash in its operations.
During the year, the company became delinquent in the payment of approximately
$200,000 of interest on its convertible subordinated debentures (Note D), which constitutes
a condition of default under the indenture agreement. This condition of default could result
in the entire amount of the debentures becoming due and payable, although management
has proposed alternatives to remedy the condition and believes it will be satisfactorily
resolved.
In view of the matters described in the preceding paragraph, recoverability of a major
portion of the recorded asset amounts shown in the accompanying balance sheet is
dependent upon continued operations of the company, which in turn is dependent upon the
company’s ability to meet its financing requirements on a continuing basis, to maintain
present financing, and to succeed in its future operations. The financial statements do not
include any adjustments relating to the recoverability and classification of recorded asset
amounts or amounts and classification of liabilities that might be necessary should the
company be unable to continue in existence.
Management has taken the following steps to revise its operating and financial
requirements, which it believes are sufficient to provide the company with the ability to
continue in existence: (describe management actions).

Going Concern Emphasis of Matter Paragraphs

21.136 The section entitled “Uncertainties as to Going Concern” discusses reporting
considerations related to the going concern assumption. An emphasis of matter
paragraph is required when the going concern basis of accounting is appropriate and
management’s disclosures are adequate, but significant doubt remains (also see ISA
570, paragraph 19). The following provides illustrative emphasis of matter paragraphs in
such situations:
Illustrative Example for Net Loss
Going Concern
The accompanying financial statements have been prepared assuming that the Company
will continue as a going concern. Without modifying our opinion, we draw attention to
Note X to the financial statements, which indicates that the Company incurred a net loss of
ZZZ during the year ended December 31, 20X1 and, as of that date, the Company’s current
liabilities exceeded its current assets by XXX and its total liabilities exceeded its total assets
by YYY. These conditions, along with other matters as set forth in Note X, indicate the
existence of a material uncertainty that may cast significant doubt about the Company’s
ability to continue as a going concern. Management’s plans in regard to these matters are
also described in Note X. The financial statements do not include any adjustments that
might result from the outcome of this uncertainty.
Illustrative Example for Loss of Sales Volume
Going Concern
The accompanying financial statements have been prepared assuming that the Company
will continue as a going concern. Without modifying our opinion, we draw attention to
Note X to the financial statements, which indicates that the Company has a net working
capital deficiency and has experienced a significant reduction in its sales volume. These
conditions, along with other matters as set forth in Note X, indicate the existence of a
material uncertainty that may cast significant doubt about the Company’s ability to continue
as a going concern. Management’s plans in regard to these matters are also described in
Note X. The financial statements do not include any adjustments that might result from the
outcome of this uncertainty.
Illustrative Example for Default of Debt Covenants
Going Concern
The accompanying financial statements have been prepared assuming that the Company
will continue as a going concern. Without modifying our opinion, we draw attention to
Note X to the financial statements, which indicates that, as of December 31, 20X2, the
Company was in default of certain debt covenants of its term and revolving credit
agreements. On April 15, 20X3, the Company entered into new term and revolving credit
agreements maturing on January 1, 20X4, which contain substantially the same restrictive
covenants included in the previous agreements. All defaults existing at April 15, 20X3,
were waived by the lenders through January 1, 20X4. The Company’s business plan for
20X3, which is also described in Note X, contemplates reduced operating losses, obtaining
additional working capital, and the refinancing or restructuring of its bank credit
agreements to long-term arrangements. The Company’s ability to achieve the foregoing
elements of its business, which may be necessary to permit the realization of assets and
satisfaction of liabilities in the ordinary course of business, indicates the existence of a
material uncertainty that may cast significant doubt about the Company’s ability to continue
as a going concern. The financial statements do not include any adjustments that might
result from the outcome of this uncertainty.
Illustrative Example for Undercapitalized Financial Institutions
Going Concern
The accompanying financial statements have been prepared assuming the (Bank) will
continue as a going concern. Without modifying our opinion, we draw attention to Note X
to the financial statements, which indicates that, at December 31, 20X2, the (Bank) did not
meet its capital requirements established by the (name of regulator). The (Bank) also has
suffered recurring losses from operations. A capital plan outlining the (Bank’s) plans for
attaining the required levels of regulatory capital by (date, such as December 31, 20X3) was
required to be submitted to the regulators, but the plan was not accepted. Management is in
the process of revising and modifying the plan to the satisfaction of the regulators. Failure
to meet the capital requirements and interim capital targets acceptable to (name of
regulator) would expose the (Bank) to regulatory sanctions that may include restrictions on
operations and growth, mandatory asset dispositions, and seizure. These matters, among
others discussed more fully in Note X, indicate the existence of a material uncertainty that
may cast significant doubt about the (Bank’s) ability to continue as a going concern. The
ability of the (Bank) to continue as a going concern is dependent on many factors, including
ultimate acceptance of its capital plan. Management’s plans in regard to these matters are
also described in Note X. The financial statements do not include any adjustments that
might result from the outcome of this uncertainty.

21.137 In a going-concern emphasis of matter paragraph, the audit team should not
use conditional language. Examples of inappropriate wording are as follows:
If the Company continues to suffer recurring losses from operations and continues to have a
net capital deficiency, there may be a significant doubt about its ability to continue as a
going concern.
-or-
The Company has been unable to renegotiate its expiring credit agreements. Unless the
Company is able to obtain financial support, there is significant doubt about its ability to
continue as a going concern.

Reports on Comparative Financial Statements


21.138 The need for an emphasis of matter paragraph regarding a going concern
uncertainty is considered only relative to the current period financial statements being
reported on. A going concern uncertainty that arises in the current period does not imply
that a basis for such uncertainty existed in the prior period and, therefore, it should not
affect the report on prior period financial statements presented on a comparative basis.

21.139 If the report on prior period financial statements included an emphasis of
matter paragraph because of a going concern uncertainty, but that uncertainty was
alleviated in the current period, the prior emphasis of matter paragraph should not be
repeated or referred to in the current report. However, consideration should be given to
the adequacy of disclosures regarding current conditions and events and
management’s plans relative thereto.

Eliminating a Going Concern Paragraph from a Reissued Report

21.140 The audit team may be asked to reissue the report and eliminate the going-
concern emphasis of matter paragraph that appeared in the original report. Such
requests ordinarily occur after the conditions that gave rise to significant doubt about the
entity’s ability to continue as a going concern were resolved. Although the audit team
has no obligation to do so, if management requests the report to be reissued, the
following procedures should be performed when determining whether the going-concern
emphasis of matter paragraph that appeared in the original report may be eliminated:
• audit the event or transaction that prompted the request to reissue the
  report
• perform the required subsequent event procedures at or near the date of
  reissuance. Depending on the circumstances and the extent of the
  procedures that may be necessary, the report may either be dual-dated
  (where dual-dating is not prohibited by law or regulation) for the event or
  transaction that prompted the request or dated as of a later date. If the
  latter, the subsequent events procedures should be performed through the
  new date of the auditor’s report. In some situations, it may not be possible
  to audit the event or transaction without performing subsequent event
  procedures that cover the period after the date of the original auditor’s
  report.
• consider the conditions and events that originally gave rise to the
  significant doubt, management’s plans, and the effect on the report based
  on the conditions and circumstances at the date of reissuance
• perform other procedures deemed necessary in the circumstances

21.141 The Head of Assurance should be consulted in situations when the audit team
concludes the report may be reissued without the going concern emphasis of matter
paragraph.

Reporting on Summary Financial Statements


21.142 An entity may prepare summary financial statements that are derived from
audited financial statements. Summary financial statements contain less detail than the
financial statements. However, they represent the entity’s economic resources or
obligations consistent with the financial statements. Different jurisdictions may use
different terminology to describe such information.

21.143 The firm may be engaged to report on summary financial statements derived
from financial statements audited by the firm. In such circumstances, the audit team
should comply with ISA 810, Engagements to Report on Summary Financial
Statements.

21.144 The audit team should obtain an engagement letter to document the
understanding established with management and, where appropriate, those charged
with governance of the terms of the engagement.

Reporting

21.145 The firm believes the report on the summary financial statements should be
addressed the same as the report on the audited financial statements. If a different
addressee is being considered, the audit team should discuss the matter with the Head
of Assurance.

21.146 The audit team should date the report on the summary financial statements no
earlier than:
• the date the audit team has obtained sufficient appropriate evidence,
  including that management and, where appropriate, those charged with
  governance have taken responsibility for the summary financial
  statements
• the date of the report on the audited financial statements

21.147 The firm prefers that the report on the summary financial statements and the
report on the audited financial statements be dated as of the same date. However, the
report on the summary financial statements may need to be dated as of a later date
when the procedures are completed. Paragraphs 12 and 13 of ISA 810 address the
audit team’s responsibilities in these circumstances.

21.148 ISA 810 includes several illustrative report examples. The audit team should
use the ISA reports, except as follows:
• The firm prefers to use the title: “Independent Auditor’s Report on
  Summary Financial Statements”
• Unless otherwise required by law or regulation, the firm prefers to use the
  form of opinion: “the summary financial statements are consistent, in all
  material respects, with the audited financial statements, in accordance
  with (the applied criteria)”

Exhibit 21.1 – Illustrative Standard Auditor’s Reports

E01 The following illustrates a standard auditor’s report when the financial
statements are prepared in accordance with a fair presentation framework.
INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
Report on the Financial Statements¹
We have audited the accompanying financial statements of ABC Company, which comprise
the balance sheet as at (or, of) December 31, 20X1, and the income statement, statement of
changes in equity and cash flow statement for the year then ended, and a summary of
significant accounting policies and other explanatory information.
Management’s² Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements (or, for the preparation of financial statements that give a true and fair view) in
accordance with (applicable financial reporting framework, such as International Financial
Reporting Standards issued by the International Accounting Standards Board), and for
such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing. Those
standards require that we comply with ethical requirements and plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the auditor’s
judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity’s preparation and fair presentation of the
financial statements (or, preparation of financial statements that give a true and fair view)
in order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the entity’s internal control.³ An
audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide
a basis for our audit opinion.
Opinion
In our opinion, the financial statements referred to above present fairly, in all material
respects, (or, give a true and fair view of) the financial position of ABC Company as at (or,
of) December 31, 20X1, and (of) its financial performance and its cash flows for the year
then ended in accordance with (applicable financial reporting framework, such as
International Financial Reporting Standards issued by the International Accounting
Standards Board).
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
¹ The sub-title “Report on the Financial Statements” is unnecessary when the sub-title
“Report on Other Legal and Regulatory Requirements” is not applicable.
² Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
³ The phrase “but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control” should be deleted when the audit team will express an opinion
on the effectiveness of internal control in conjunction with the financial statement audit.

E02 The following illustrates a standard auditor’s report on consolidated financial
statements prepared in accordance with a fair presentation framework.

INDEPENDENT AUDITOR’S REPORT


[Appropriate Addressee]
Report on the Consolidated Financial Statements¹
We have audited the accompanying consolidated financial statements of ABC Company
and its subsidiaries, which comprise the consolidated balance sheet as at (or, of) December
31, 20X1, and the consolidated income statement, statement of changes in equity and cash
flow statement for the year then ended, and a summary of significant accounting policies
and other explanatory information.
Management’s² Responsibility for the Consolidated Financial Statements
Management is responsible for the preparation and fair presentation of these consolidated
financial statements (or, for the preparation of consolidated financial statements that give a
true and fair view) in accordance with (applicable financial reporting framework, such as
International Financial Reporting Standards issued by the International Accounting
Standards Board), and for such internal control as management determines is necessary to
enable the preparation of consolidated financial statements that are free from material
misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these consolidated financial statements based
on our audit. We conducted our audit in accordance with International Standards on
Auditing. Those standards require that we comply with ethical requirements and plan and
perform the audit to obtain reasonable assurance about whether the consolidated financial
statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the consolidated financial statements. The procedures selected depend on the
auditor’s judgment, including the assessment of the risks of material misstatement of the
consolidated financial statements, whether due to fraud or error. In making those risk
assessments, the auditor considers internal control relevant to the entity’s preparation and
fair presentation of the consolidated financial statements (or, preparation of consolidated
financial statements that give a true and fair view) in order to design audit procedures that
are appropriate in the circumstances, but not for the purpose of expressing an opinion on the
effectiveness of the entity’s internal control.³ An audit also includes evaluating the
appropriateness of accounting policies used and the reasonableness of accounting estimates
made by management, as well as evaluating the overall presentation of the consolidated
financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide
a basis for our audit opinion.
Opinion
In our opinion, the consolidated financial statements referred to above present fairly, in all
material respects, (or, give a true and fair view of) the financial position of ABC Company
and its subsidiaries as at (or, of) December 31, 20X1, and (of) their financial performance
and their cash flows for the year then ended in accordance with (applicable financial
reporting framework, such as International Financial Reporting Standards issued by the
International Accounting Standards Board).
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
¹ The sub-title “Report on the Consolidated Financial Statements” is unnecessary when the
sub-title “Report on Other Legal and Regulatory Requirements” is not applicable.
² Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
³ The phrase “but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control” should be deleted when the audit team will express an opinion
on the effectiveness of internal control in conjunction with the financial statement audit.

E03 The following illustrates a standard auditor’s report when the financial
statements are prepared in accordance with a compliance framework.
INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
Report on the Financial Statements¹
We have audited the accompanying financial statements of ABC Company, which comprise
the balance sheet as at (or, of) December 31, 20X1, and the income statement, statement of
changes in equity and cash flow statement for the year then ended, and a summary of
significant accounting policies and other explanatory information.
Management’s² Responsibility for the Financial Statements
Management is responsible for the preparation of these financial statements in accordance
with (applicable financial reporting framework, such as XYZ Law of Jurisdiction X), and
for such internal control as management determines is necessary to enable the preparation
of financial statements that are free from material misstatement, whether due to fraud or
error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing. Those
standards require that we comply with ethical requirements and plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the auditor’s
judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity’s preparation of the financial statements in
order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the entity’s internal control.³ An
audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide
a basis for our audit opinion.
Opinion
In our opinion, the financial statements of ABC Company for the year ended December 31,
20X1 referred to above are prepared, in all material respects, in accordance with (applicable
financial reporting framework, such as XYZ Law of Jurisdiction X).
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
1 The sub-title “Report on the Financial Statements” is unnecessary when the sub-title
“Report on Other Legal and Regulatory Requirements” is not applicable.
2 Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
3 The phrase “but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control” should be deleted when the audit team will express an opinion
on the effectiveness of internal control in conjunction with the financial statement audit.

Qualified opinion for fair presentation framework

E04 An illustrative qualified opinion for a fair presentation framework follows:


INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
Report on the Financial Statements¹
We have audited the accompanying financial statements of ABC Company, which comprise
the balance sheet as at (or, of) December 31, 20X1, and the income statement, statement of
changes in equity and cash flow statement for the year then ended, and a summary of
significant accounting policies and other explanatory information.
Management’s² Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements (or, for the preparation of financial statements that give a true and fair view) in
accordance with (applicable financial reporting framework, such as International Financial
Reporting Standards issued by the International Accounting Standards Board), and for
such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing. Those
standards require that we comply with ethical requirements and plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the auditor’s
judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity’s preparation and fair presentation of the
financial statements (or, preparation of financial statements that give a true and fair view)
in order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the entity’s internal control.³ An
audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide
a basis for our qualified audit opinion.
Basis for Qualified Opinion
(Describe the basis for the qualified opinion as indicated in the section entitled “Basis for
Modified Opinion Paragraph.”)
Qualified Opinion
In our opinion, except for the effects (or, if lack of evidence, possible effects) of the matter
described in the Basis for Qualified Opinion paragraph, the financial statements referred to
above present fairly, in all material respects, (or, give a true and fair view of) the financial
position of ABC Company as at (or, of) December 31, 20X1, and (of) its financial
performance and its cash flows for the year then ended in accordance with (applicable
financial reporting framework, such as International Financial Reporting Standards issued
by the International Accounting Standards Board).
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
1 The sub-title “Report on the Financial Statements” is unnecessary when the sub-title
“Report on Other Legal and Regulatory Requirements” is not applicable.
2 Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
3 The phrase “but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control” should be deleted when the audit team will express an opinion
on the effectiveness of internal control in conjunction with the financial statement audit.

Adverse opinion for fair presentation framework


E05 An illustrative adverse opinion for a fair presentation framework follows:
INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
Report on the Financial Statements¹
We have audited the accompanying financial statements of ABC Company, which comprise
the balance sheet as at (or, of) December 31, 20X1, and the income statement, statement of
changes in equity and cash flow statement for the year then ended, and a summary of
significant accounting policies and other explanatory information.
Management’s² Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements (or, for the preparation of financial statements that give a true and fair view) in
accordance with (applicable financial reporting framework, such as International Financial
Reporting Standards issued by the International Accounting Standards Board), and for
such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing. Those
standards require that we comply with ethical requirements and plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the auditor’s
judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity’s preparation and fair presentation of the
financial statements (or, preparation of financial statements that give a true and fair view)
in order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the entity’s internal control.³ An
audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide
a basis for our adverse audit opinion.
Basis for Adverse Opinion
(Describe the basis for the adverse opinion as indicated in the section entitled “Basis for
Modified Opinion Paragraph.”)
Adverse Opinion
In our opinion, because of the significance of the matter discussed in the Basis for Adverse
Opinion paragraph, the financial statements referred to above do not present fairly (or, do
not give a true and fair view of) the financial position of ABC Company as at (or, of)
December 31, 20X1, and (of) its financial performance and its cash flows for the year then
ended in accordance with (applicable financial reporting framework, such as International
Financial Reporting Standards issued by the International Accounting Standards Board).
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
1 The sub-title “Report on the Financial Statements” is unnecessary when the sub-title
“Report on Other Legal and Regulatory Requirements” is not applicable.
2 Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
3 The phrase “but not for the purpose of expressing an opinion on the effectiveness of the
entity’s internal control” should be deleted when the audit team will express an opinion
on the effectiveness of internal control in conjunction with the financial statement audit.

Disclaimer of opinion for fair presentation framework

E06 An illustrative disclaimer of opinion for a fair presentation framework follows:


INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
Report on the Financial Statements¹
We were engaged to audit the accompanying financial statements of ABC Company, which
comprise the balance sheet as at (or, of) December 31, 20X1, and the income statement,
statement of changes in equity and cash flow statement for the year then ended, and a
summary of significant accounting policies and other explanatory information.
Management’s² Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements (or, for the preparation of financial statements that give a true and fair view) in
accordance with (applicable financial reporting framework, such as International Financial
Reporting Standards issued by the International Accounting Standards Board), and for
such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on
conducting the audit in accordance with International Standards on Auditing. Because of
the matter described in the Basis for Disclaimer of Opinion paragraph, however, we were
not able to obtain sufficient appropriate audit evidence to provide a basis for an audit
opinion.
Basis for Disclaimer of Opinion
(Describe the basis for the disclaimer of opinion as indicated in the section entitled “Basis
for Modified Opinion Paragraph.”)
Disclaimer of Opinion
Because of the significance of the matter described in the Basis for Disclaimer of Opinion
paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide
a basis for an audit opinion. Accordingly, we do not express an opinion on the financial
statements referred to above.
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor’s report will vary depending on the nature
of the auditor’s other reporting responsibilities.]
Member Firm Name (manually)
Athens, Greece
February 1, 20X3
1 The sub-title “Report on the Financial Statements” is unnecessary when the sub-title
“Report on Other Legal and Regulatory Requirements” is not applicable.
2 Or other term that is appropriate in the context of the legal framework in the particular
jurisdiction.
Exhibit 21.2 - Matters Requiring Modified Opinions
E07 The following provides a list of matters that may require a modified opinion
under the relevant ISA requirements:
• Conflicts with law or regulation (ISA 210)
  – Conflicts exist between financial reporting standards and additional
    requirements in law or regulation (paragraph 18)
• Non-compliance with laws or regulations (ISA 250)
  – Non-compliance with laws or regulations has material effect on
    financial statements and has not been adequately reflected (paragraph 25)
  – Audit team precluded by management or those charged with
    governance from obtaining evidence to evaluate whether material
    non-compliance with laws or regulations has, or is likely to have, occurred
    (paragraph 26)
  – Audit team unable to determine whether noncompliance with laws or
    regulations has occurred because of limitations not imposed by
    management or those charged with governance (paragraph 27)
• Service organizations (ISA 402)
  – Audit team unable to obtain evidence regarding services provided by a
    service organization (paragraph 20)
• Inventory (ISA 501)
  – Attendance at physical inventory counting impracticable and evidence
    not obtained by alternative audit procedures (paragraph 7)
• Legal letters (ISA 501)
  – Management does not authorize communication with external legal
    counsel or external legal counsel does not appropriately respond to a
    letter of inquiry, and evidence not obtained by alternative audit
    procedures (paragraph 11). When the entity refuses to permit a letter of
    audit inquiry to legal counsel, the Head of Assurance should be
    consulted.
• External confirmations (ISA 505)
  – Management refuses to allow the audit team to send a confirmation
    request and the request is unreasonable, or the audit team is unable to
    obtain evidence from alternative procedures (paragraph 9)
  – A response to a positive confirmation request that is necessary to
    obtain sufficient appropriate audit evidence is not obtained (paragraph 13)
• Initial audits (ISA 510)
  – Inability to obtain sufficient appropriate audit evidence regarding
    opening balances (paragraph 10)
  – Opening balances contain a material misstatement affecting current
    period financial statements (paragraph 11)
  – Current period accounting policies not consistently applied in relation
    to opening balances in accordance with the applicable financial
    reporting framework (paragraph 12)
  – Change in accounting policies not accounted for or presented or
    disclosed in accordance with the applicable financial reporting
    framework (paragraph 12)
  – Predecessor auditor’s opinion on prior period financial statements
    contained modification that remains relevant to the current period
    (paragraph 13)
• Subsequent events (ISA 560)
  – Management does not amend the financial statements for a
    subsequent event, and the audit report has not yet been released
    (paragraph 13)
• Written representations (ISA 580)
  – Written representations not reliable (paragraphs 18 and 20). If there is
    sufficient doubt about the integrity of management, a disclaimer of
    opinion is required.
• Fair presentation frameworks (ISA 700)
  – The financial statements do not achieve fair presentation (paragraph 18).
    It may be possible for management to include additional
    disclosures beyond those required by the framework in order to
    achieve fair presentation. Departures from the framework to achieve
    fair presentation are expected to be rare and should be discussed with
    the Head of Assurance.
• Corresponding figures (ISA 710)
  – A qualified, adverse or disclaimer was issued on the prior period and
    the matter which gave rise to the modification is unresolved (paragraph 11)
  – A material misstatement exists and an unmodified opinion was
    previously expressed on the prior period (paragraph 12)

Chapter Twenty-Two - Communicating Internal Control Matters

Summary

This Chapter discusses the audit team’s communications of internal control matters
identified in an audit or in an interim review.

Overview of Internal Control Communications


22.01 Professional standards and firm policy require the audit team to communicate
to management and those charged with governance certain internal control matters
identified in an audit or in an interim review. These matters include deficiencies,
significant deficiencies, and material weaknesses in internal control over financial
reporting. These communications are required whenever we express or disclaim an
opinion on financial statements.

22.02 Professional standards and the firm also encourage the communication of
other internal control matters, such as recommendations for improvements.

22.03 Communications regarding internal control are of such importance that the
audit team should consider them throughout the engagement. For example, early
communication of a significant deficiency or material weakness allows management to
take corrective action, which may reduce the chance of a misstatement and improve
audit efficiency. Further, the implementation of the firm’s internal control
recommendations may also reduce audit exposure, including the chance of a
misstatement in subsequent years.

Internal Control Deficiencies Defined


22.04 In a financial statement audit or review of interim financial information, the
audit team’s consideration of internal control is limited to enable the audit team to plan
the engagement and determine the nature, timing and extent of procedures to be
performed. Thus, the audit team is not required to search for control deficiencies, but
may become aware of such conditions through their understanding of the entity's
internal control or other procedures. In an audit of internal control, the audit team also
plans and performs the audit to obtain reasonable assurance that no material
weaknesses exist as of the date specified and therefore, will likewise become aware of
control deficiencies.

22.05 Voyager assists the audit team by identifying findings related to the design of
internal controls. The findings, as used in this context, represent areas where controls
that achieve certain objectives are expected but are missing, as well as suggestions or
attention getters that the audit team must evaluate to determine whether they actually
represent deficiencies. The audit team should consider whether the identified findings
are actually deficiencies and whether such findings can aggregate (by same account
balance, disclosure, relevant assertion or component of internal control) to a more
serious deficiency. The audit team also considers whether the deficiencies identified by
Voyager are valid.

22.06 Control deficiencies are categorized as follows:


• deficiency – exists when the design or operation of a control does not
  allow management or employees, in the normal course of performing their
  assigned functions, to prevent, or detect and correct misstatements on a
  timely basis. A deficiency includes missing controls that are necessary to
  prevent, or detect and correct misstatements on a timely basis.
• significant deficiency – deficiency, or a combination of deficiencies, that is
  less severe than a material weakness, yet important enough to merit
  attention by those charged with governance
• material weakness – deficiency, or a combination of deficiencies, such
  that there is a reasonable possibility that a material misstatement will not
  be prevented, or detected and corrected on a timely basis

22.07 The specific definitions above may slightly differ depending on the applicable
professional standards. However, the audit team will ordinarily reach the same
conclusion regarding the severity of deficiencies, regardless of which standards are
applied. Internal control letters should use the definitions under the professional
standards that apply to the engagement.

Communicating Deficiencies
22.08 Professional standards and firm policy require the audit team to communicate,
in writing, to management and those charged with governance:
• significant deficiencies and material weaknesses identified during a
  financial statement audit or review of interim financial information
• significant deficiencies and material weaknesses identified during an
  internal control audit; not just those that exist as of the date of
  management’s assertion
• deficiencies identified during an internal control audit that have not been
  previously communicated in writing by the audit team, internal auditor or
  others

22.09 In a financial statement audit, the audit team may believe that some of the
deficiencies identified are of sufficient importance to merit management’s attention. In
these situations, the deficiencies should be communicated to management, if they were
not previously communicated by the audit team, internal auditors, or others. This
communication is not required to be in writing, but should be documented.
22.10 Ineffective oversight by an audit committee or those charged with governance
should be communicated in writing to the board of directors.

Timing of Communication
22.11 [Tailor the following paragraph to refer to the standards applicable to your firm
and the related timing (e.g., 60 instead of 45 days)] For some matters, early
communication to management or those charged with governance may be important.
Accordingly, significant deficiencies and material weaknesses ordinarily should be
communicated shortly after their identification. Nevertheless, the following table
summarizes the form and timing of required communications in a financial statement
audit and an integrated audit.

| Type of deficiency | Financial statement audits under PCAOB and AICPA standards | Integrated audits under PCAOB and AICPA standards |
| --- | --- | --- |
| Significant deficiency or material weakness (including unremediated matters previously communicated) | Written communication to management and those charged with governance: under PCAOB standards, no later than report date; under AICPA standards, no later than 45 days after report release date. Ineffective audit committee (or others charged with governance) oversight should also be communicated in writing to the board of directors no later than 45 days after the report release date. | Written communication to management and those charged with governance no later than report date. Ineffective audit committee (or others charged with governance) oversight should also be communicated in writing to the board of directors no later than 45 days after the report release date. |
| Deficiency | Verbal communication to management, of deficiencies the audit team believes are of sufficient importance to merit management’s attention, no later than 45 days after report release date. The communication need not include matters previously communicated by the audit team, internal audit, or others. When the communication to management is in writing, a copy should be sent to those charged with governance (at least the audit committee chairman). The internal control letter should state that such deficiencies have been (or will be) communicated separately. | Written communication to management and those charged with governance no later than 45 days after report release date. The written communication need not include matters previously communicated in writing by the audit team, internal audit, or others. |

22.12 [Tailor the following table for the standards and filing applicable to your firm]
For reviews of interim financial information, the following table summarizes the form and
timing of required communications.

| Type of deficiency | Interim review under PCAOB standards | Interim review under AICPA standards |
| --- | --- | --- |
| Significant deficiency or material weakness | Communicate verbally to management before Form 10-Q is filed with SEC. Attempt to make such communication to audit committee, or at least its chair, before such filing. If unable to communicate with audit committee before filing, communicate as soon as practicable thereafter to enable the audit committee to take appropriate action. Verbal communication does not absolve responsibility to communicate in writing. | Communicate verbally to management before financial statements are filed with regulator or private equity exchange (if no associated filing, before financial statements are issued). Attempt to make such communication to those charged with governance, or at least its chair, before such filing (or financial statement issuance). If unable to communicate with those charged with governance before filing (or financial statement issuance), communicate as soon as practicable thereafter to enable those charged with governance to take appropriate action. Verbal communication does not absolve responsibility to communicate in writing. |

22.13 [Tailor the illustration to reflect your applicable standards] The annual
illustrative letter may be used to communicate deficiencies identified during an interim
review. However, in certain circumstances, such as when a deficiency is identified in the
first quarterly review or when the deficiency specifically relates to the interim period, the
illustrative annual letter may be modified as follows:
Modified introductory paragraph:
In connection with our review of (insert name of company, such as ABC Company’s) (the
“Company”) interim financial information as of (insert date, such as March 31, 20XX) and
for (insert period, such as the three-month period then ended), the standards established by
the United States Public Company Accounting Oversight Board (“PCAOB standards”)
[alternatively: American Institute of Certified Public Accountants (“AICPA standards”)]
require that we advise management and the board of directors (if applicable, change to:
audit committee or another equivalent group, such as the board of trustees, the finance
committee, the budget committee, or the owner in an owner-managed enterprise)
(hereinafter referred to as “those charged with governance”) of the following internal
control matters identified during our review.
Modified responsibilities paragraph:
Our responsibility, as prescribed by PCAOB standards (alternatively: AICPA standards), is
to plan and perform our review to provide a basis for communicating whether we are aware
of any material modifications that should be made to the interim financial information for it
to conform with accounting principles generally accepted in the United States of America
(“US GAAP”). A review includes consideration of internal control over financial reporting
(hereinafter referred to as “internal control”) as a basis for identifying the types of potential
material misstatements that may occur in the interim financial information and the
likelihood of their occurrence (for public companies, add the following beginning with the
first quarter after the company’s first annual assessment of internal control: and for
determining whether we have become aware of any material modifications that, in our
judgment, should be made to the disclosures about changes in internal control in order for
management’s quarterly certifications to be accurate and to comply with the requirements
of Section 302 of the Sarbanes-Oxley Act of 2002 and the rules and regulations of the U.S.
Securities and Exchange Commission), but not for the purpose of identifying deficiencies in
internal control or expressing an opinion on the effectiveness of the Company’s internal
control. Accordingly, we express no such opinion on internal control effectiveness.
Other revisions:
References to the audit in the standard illustrative letters should be changed to refer to the
review. For example:
Our review was also not designed to…

22.14 [Tailor the following to reflect your standards] Depending on the
circumstances, the audit team may also issue a written communication at an interim
date prior to the completion of the audit. In such circumstances, the annual illustrative
letter should be revised to clearly indicate that the audit is incomplete. For example, the
introductory paragraph of the annual illustrative letter for a financial statement audit
under AICPA standards may read as follows. Additional modifications to the illustrative
letter may be necessary.
We began, but have not completed, our audit of (insert name of company, such as ABC
Company’s) (the “Company”) financial statements as of (insert date, such as December 31,
20XX) and for the year then ended. We are providing this letter to advise management and
the board of directors (if applicable, change to: audit committee or another equivalent
group, such as the board of trustees, the finance committee, the budget committee, or the
owner in an owner-managed enterprise) (hereinafter referred to as “those charged with
governance”) of the following internal control matters identified based on our audit
procedures performed through the date of this letter. Because we have not completed our
audit, additional internal control matters may be identified and communicated in
accordance with auditing standards generally accepted in the United States of America
(“US GAAS”) established by the American Institute of Certified Public Accountants.

22.15 The firm also encourages communicating recommendations as to how
management may improve the design or operation of the entity’s internal control.
Written comments on deficiencies and recommendations may be contained in the same
letter or in separate letters.

22.16 Written internal control communications should comply with professional
standards and the firm’s illustrative letters (see Exhibit 22.1 for illustrative letters). The
communications should also:
• include all deficiencies, even if they were identified in a prior engagement
  and were previously communicated to management (including matters in
  which management responded that the cost of addressing the deficiency
  is too great to be justified), unless appropriate corrective actions have
  been implemented and such actions verified by the audit team
• include (in the annual internal control letter) known deficiencies over the
  preparation of interim financial information (that are not present or
  applicable for the preparation of the annual financial statements)

22.17 Refer to professional standards for specific matters to be included in the
communications, as necessary.

Management’s Response
22.18 If management prepares a written response that will be included in a
document containing the internal control letter, the audit team should disclaim an
opinion on such response (see the illustrative letters in Exhibit 22.1 for appropriate
language). In addition, the audit workpapers should include a copy of such response,
which may describe corrective actions taken, the entity’s plans to implement new
controls or certain cost-benefit statements.

22.19 Obtaining an understanding of management’s response to correct previously
identified significant deficiencies and material weaknesses and considering whether the
correction was implemented assists the audit team in planning the audit and
determining the nature, timing and extent of audit procedures in response to an
assessed risk of material misstatement. Such understanding should be documented.

Recommendations and Other Advisory Comments


22.20 As previously stated, the firm encourages communicating recommendations
on improving the entity’s internal control. In addition, the audit team should submit other
advisory comments, whenever possible. These comments are an important aspect of
fulfilling the firm’s commitment to provide clients with outstanding service.

22.21 Refer to Communication of Other Advisory Comments in Exhibit 22.1.

22.22 Comments should be based on the audit team’s understanding of the entity
and its environment. Comments could include:
• applying the audit team’s business experience and expertise to provide
  information or constructive advice to help the entity operate more
  efficiently
• areas where audit costs might be reduced with greater entity involvement
  and cooperation
• suggestions that may reduce the likelihood of misstatements in
  subsequent years

22.23 Such comments also protect the firm by providing evidence of matters brought
to the attention of management.

22.24 It is ordinarily more effective and efficient to develop specific comments in a
few areas rather than many comments of a generalized nature. In addition, comments
are usually generated during the normal course of an audit, rather than as a result of a
comprehensive or special study. The budget for each audit should make provisions for
developing, documenting, and communicating such comments.

22.25 [Tailor the following paragraph for examples relevant to your firm] The
participation of both consulting and tax personnel in the development, preparation and
presentation of advisory comments is encouraged. Consulting personnel can provide
insight based on reviews of data processing or other consulting engagements
performed during the year. Tax personnel might assist in preparing comments on such
matters as: evaluating LIFO inventory, installment sales, accelerated depreciation and
other tax deferring elections, maintaining adequate documentation for travel and
entertainment expenses, analyzing the implications of liquidating subsidiaries, and the
effect of proposed tax legislation. For management to receive timely benefit from any
BAS or tax planning comments, it would often be desirable to elicit such comments in
advance of the completion of fieldwork.

22.26 [Tailor the following paragraph to reflect your practices] As an aid in
developing meaningful, practical recommendations and other advisory comments, GEL
includes the CPA’s Guide to Management Letter Comments, published by CCH.

22.27 Recommendations and other advisory comments may be communicated orally
or in writing. When communicating orally, the workpapers should document the date of
the discussion and the attendees. Where more than one written letter will be submitted
(e.g., by division or subsidiary), careful coordination is necessary so that the reports are
compatible and appropriate on an overall basis. Particular attention should be paid to
consistency of style and whether comments made in one letter should also be made in
another. The timing of preparation and submission should be controlled.

22.28 Recommendations and other advisory comments should not be confused with
the required communication of control deficiencies. While recommendations for
improving internal control may be included in the letter communicating deficiencies,
other advisory comments should not be included in this letter. Therefore, other advisory
comments should be communicated in a separate letter addressed to management.
The firm encourages providing a copy of the advisory comment letter to those charged
with governance.

22.29 Professional standards do not address dating advisory comment letters. The
letter should ordinarily carry a current date, with an indication in the letter that the
matters discussed are as of the audit report date (see the illustrative letter in Exhibit
22.1 for appropriate language).

Required Consultation
22.30 [Tailor the following paragraph to reflect your consultation policies] Firm policy
requires consultation with the NPPD when a material weakness, or potential or likely
material weakness, is identified either by the entity or the audit team. The NPPD should
be consulted annually, even if these are “repeat” items and the NPPD has previously
been consulted. Such consultation should be documented.

22.31 [Tailor the following paragraph to reflect the location of your illustrative letters,
relevant standards and your consultation policies] This Chapter provides illustrative
internal control letters under both AICPA and PCAOB standards (see Exhibit 22.1).
Unless otherwise specifically noted, all paragraphs are required. The audit team should
consult with the NPPD when considering eliminating or modifying any required
paragraph.

22.32 [Tailor the following paragraph to reflect your consultation policies] When
communicating material weaknesses to public companies, the NPPD is required to read
the internal control letter before it is issued.

No Material Weakness Letters

22.33 [Tailor the following paragraph to reflect your consultation policies]
Management may ask the audit team to issue a communication stating that no material
weaknesses were identified during the audit. Prior to issuing a “no material weakness”
letter, the audit team should consult with the NPPD. Such a letter is not appropriate for
integrated audits. Also, a no material weakness letter should not be issued at an interim
date as the audit is not complete.

22.34 [Tailor the following paragraph to reflect your consultation policies] If the audit
team obtains NPPD approval to issue a no material weakness letter and one or more
significant deficiencies were identified, the internal control letter should refer to the
significant deficiencies that were communicated and the date of the communication.

22.35 [Tailor the following paragraph to reflect your standards] The following is an
illustrative no material weakness letter for a financial statement audit performed under
AICPA standards:
(Grant Thornton letterhead)
(Current date)
Management and the Board of Directors
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
We are providing this letter in connection with our audit of (insert name of company, such
as ABC Company’s) (the “Company”) financial statements as of (insert date, such as
December 31, 20XX) and for the year then ended, performed in accordance with auditing
standards generally accepted in the United States of America (“US GAAS”) established by
the American Institute of Certified Public Accountants. (Insert the following if the letter is
dated subsequent to the date of our auditor’s report: The matters discussed herein are as of
(insert date of auditor’s report), and we did not update our procedures regarding these
matters since that date to the current date.)
Our responsibility, as prescribed by US GAAS, is to plan and perform our audit to obtain
reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. An audit includes consideration of internal
control over financial reporting (hereinafter referred to as “internal control”) as a basis for
designing audit procedures that are appropriate in the circumstances for the purpose of
expressing our opinion on the financial statements, but not for the purpose of identifying
deficiencies in internal control or expressing an opinion on the effectiveness of the
Company’s internal control. Accordingly, we express no such opinion on internal control
effectiveness.
A deficiency in internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their assigned
functions, to prevent, or detect and correct misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control, such that
there is a reasonable possibility that a material misstatement of the Company’s financial
statements will not be prevented, or detected and corrected on a timely basis.
Our consideration of internal control would not necessarily identify all deficiencies in
internal control that, individually or in combination, may be material weaknesses. Given
these limitations, during our audit we did not identify any deficiencies in internal control
that we consider to be material weaknesses. However, material weaknesses may exist that
have not been identified.
(Include the following paragraph when significant deficiencies were identified.)
Our audit was also not designed to identify all deficiencies in internal control that,
individually or in combination, may be significant deficiencies. A significant deficiency is a
deficiency, or a combination of deficiencies, in internal control that is less severe than a
material weakness, yet important enough to merit attention by those charged with
governance. We have identified certain deficiencies in internal control that we consider to
be significant deficiencies, and communicated them to management and the board of
directors (if applicable, change to: audit committee or another equivalent group, such as
the board of trustees, the finance committee, the budget committee, or the owner in an
owner-managed enterprise) on (date).
This communication is intended solely for the information and use of management, the
board of directors (if applicable, change to: audit committee or another equivalent group,
such as the board of trustees, the finance committee, the budget committee, or the owner in
an owner-managed enterprise), and others within the Company (and if applicable, identify
any specified regulatory agency) and is not intended to be and should not be used by
anyone other than these specified parties.
Very truly yours,

GRANT THORNTON LLP (manually)

22.36 [Tailor to reflect your consultation policy] When the audit team identified
significant deficiencies, the following language may be included in the standard
illustrative communication as an alternative to issuing a separate no material weakness
letter. Use of this language should also be approved by the NPPD.
None of the identified significant deficiencies are considered to be material weaknesses.
However, material weaknesses may exist that have not been identified.

22.37 Professional standards prohibit communications stating that no significant
deficiencies were identified.
Other Considerations
22.38 When the audit team uses the work of a component auditor, the audit team
should obtain information from the component auditor about deficiencies at the
component level. As group auditor, the audit team should evaluate the severity of such
deficiencies and communicate such matters insofar as they relate to the audit of the
group financial statements. When the component auditor issues a separate audit report
on the component, the component auditor is responsible for communicating deficiencies
related to the component. The illustrative internal control letters below provide language
that should be added to the internal control letter when the audit team, as group auditor,
refers to a component auditor’s audit report on a component.

22.39 Sometimes, a qualified opinion or disclaimer of opinion is issued because of a
scope limitation. In such circumstances, the internal control letter is modified to clearly
communicate the nature of the opinion expressed, including the scope limitation, as
illustrated in the language that follows. When a disclaimer is issued, it will also be
necessary to make additional modifications to the illustrative internal control letters to
indicate that the audit was not completed and an opinion was not expressed.
Because (describe scope limitation), our auditor’s report dated February 23, 200X
contained a (qualified opinion) on the financial statements for the year ended December 31,
200X. It is possible that additional internal control matters may have been identified had
our audit not been so restricted.

Exhibit 22.1 - Illustrative Letters

[Tailor the illustrations to reflect your professional standards]

Communication of Internal Control Matters (AICPA)


E01 This letter is used in a financial statement audit under AICPA standards. Do
not use this illustrative letter for integrated audits.
(Grant Thornton letterhead)
(Current date; no later than 45 days following the report release date)
Management and the Board of Directors
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended, auditing standards generally accepted in the United States of America
(“US GAAS”) established by the American Institute of Certified Public Accountants
require that we advise management and the board of directors (if applicable, change to:
audit committee or another equivalent group, such as the board of trustees, the finance
committee, the budget committee, or the owner in an owner-managed enterprise)
(hereinafter referred to as “those charged with governance”) of the following internal
control matters identified during our audit.
(Insert the following paragraph when we will refer to a component auditor in our audit
report on the group financial statements.)
The auditors of (name of component subject to audit by other auditors, such as XYZ
Company), (insert relationship to the parent company, such as a wholly owned subsidiary
of ABC Company), are required to separately communicate internal control matters
identified during their audit of (name of component subject to audit by other auditors, such
as XYZ Company). (If applicable, insert: Such internal control matters, insofar as they
relate to our audit of the Company, are included herein solely as reported to us by such
other auditors.)
Our responsibilities
Our responsibility, as prescribed by US GAAS, is to plan and perform our audit to obtain
reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. An audit includes consideration of internal
control over financial reporting (hereinafter referred to as “internal control”) as a basis for
designing audit procedures that are appropriate in the circumstances for the purpose of
expressing our opinion on the financial statements, but not for the purpose of identifying
deficiencies in internal control or expressing an opinion on the effectiveness of the
Company’s internal control. Accordingly, we express no such opinion on internal control
effectiveness.
Identified deficiencies in internal control
We identified the following internal control matters as of the date of this letter that are of
sufficient importance to merit your attention. (If the letter is dated subsequent to the date of
our auditor’s report, replace the previous sentence with the following: We identified the
following internal control matters that are of sufficient importance to merit your attention.
The matters discussed herein are those that we noted as of (insert date of auditor’s report),
and we did not update our procedures regarding these matters since that date to the current
date.)
(Insert the following “Material weaknesses” section only when communicating identified
material weaknesses.)
Material weaknesses
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A
material weakness is a deficiency, or a combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of the Company’s
financial statements will not be prevented, or detected and corrected on a timely basis.
Our consideration of internal control would not necessarily identify all deficiencies in
internal control that, individually or in combination, may be material weaknesses. However,
we consider the following identified control deficiencies to be material weaknesses.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when material weaknesses were previously communicated
and have not yet been remediated. This includes material weaknesses communicated at an
interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following material
weaknesses that have not been remediated.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Significant deficiencies” section only when communicating identified
significant deficiencies.)
Significant deficiencies
(Insert the following two paragraphs when communicating significant deficiencies, but not
material weaknesses.)
Our consideration of internal control would not necessarily identify all deficiencies in
internal control that, individually or in combination, may be material weaknesses or
significant deficiencies.
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A
material weakness is a deficiency, or a combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of the Company’s
financial statements will not be prevented, or detected and corrected on a timely basis. A
significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.
(Insert the following paragraph when communicating significant deficiencies and material
weaknesses.)
Our audit was also not designed to identify deficiencies in internal control that, individually
or in combination, may be significant deficiencies. A significant deficiency is a deficiency,
or a combination of deficiencies, in internal control that is less severe than a material
weakness, yet important enough to merit attention by those charged with governance.
Continue with the following:
We consider the following identified control deficiencies to be significant deficiencies.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when significant deficiencies were previously
communicated and have not yet been remediated. This includes significant deficiencies
communicated at an interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following significant
deficiencies that have not been remediated.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Control deficiencies” section only when communicating identified
control deficiencies. If such matters are communicated separately to management in a
written communication, a copy of the communication should be sent to at least the audit
committee chairman, and this letter should state that such matters were communicated
separately.)
Control deficiencies
(Include the following definition paragraph when only communicating control deficiencies.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
Continue with the following:
We identified the following control deficiencies.
(Describe the control deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
--or--
(Insert the following sentence, modified as appropriate.)
On (insert date), we communicated to management certain identified control deficiencies.
(Insert the following “Recommendations to strengthen internal control” section when
communicating recommendations for improvements in internal control over financial
reporting. The firm encourages such communications.)
Recommendations to strengthen internal control
We recommend that the Company and those charged with governance consider the
following actions.
(Describe the recommended actions.)
(Insert the following “Company response” section if management issues a written response
to our communication and such response will be included in a document containing our
communication.)
Company response
The Company’s written response to the internal control matters identified herein has not
been subjected to our audit procedures and, accordingly, we express no opinion on it.
***
This communication is intended solely for the information and use of management, those
charged with governance, and others within the Company (and if applicable, identify any
specified regulatory agency) and is not intended to be and should not be used by anyone
other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)
E02 This letter is used in an integrated audit under AICPA standards.
(Grant Thornton letterhead)
(Current date; no later than the audit report date)
Management and the Board of Directors
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended and the Company’s internal control over financial reporting (hereinafter
referred to as “internal control”) as of (insert date, such as December 31, 20XX), the
standards established by the American Institute of Certified Public Accountants (“AICPA
standards”) require that we advise management and the board of directors (if applicable,
change to: audit committee or another equivalent group, such as the board of trustees, the
finance committee, the budget committee, or the owner in an owner-managed enterprise)
(hereinafter referred to as “those charged with governance”) of the following internal
control matters identified during our audit.
(Insert the following paragraph when we will refer to another auditor in our audit report
on the group financial statements.)
The auditors of (name of component subject to audit by other auditors, such as XYZ
Company), (insert relationship to the parent company, such as a wholly owned subsidiary
of ABC Company), are required to separately communicate internal control matters
identified during their audit of (name of component subject to audit by other auditors, such
as XYZ Company). (If applicable, insert: Such internal control matters, insofar as they
relate to our audit of the Company, are included herein solely as reported to us by such
other auditors.)
Our responsibilities
Our responsibility, as prescribed by AICPA standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud, and whether effective internal control was
maintained in all material respects (that is, whether material weaknesses exist as of the date
specified in management’s assertion). However, due to the inherent limitations of an audit,
a material weakness may remain undetected. Also, the audit is not designed to identify
deficiencies in internal control that, individually or in combination, are less severe than a
material weakness.
Identified deficiencies in internal control
We identified the following internal control matters as of the date of this letter that are of
sufficient importance to merit your attention.
(Insert the following “Material weaknesses” section only when communicating identified
material weaknesses.)
Material weaknesses
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A
material weakness is a deficiency, or a combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of the Company’s
financial statements will not be prevented, or detected and corrected on a timely basis.
We consider the following identified control deficiencies to be material weaknesses.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria. In addition, if the material weaknesses should have been
disclosed or identified in management’s assessment but were not, state that fact.)
(Insert the following paragraph when material weaknesses were previously communicated
and have not yet been remediated. This includes material weaknesses communicated at an
interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following material
weaknesses that have not been remediated.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Significant deficiencies” section only when communicating identified
significant deficiencies.)
Significant deficiencies
(Insert the following paragraph when communicating significant deficiencies, but not
material weaknesses.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A
material weakness is a deficiency, or a combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of the Company’s
financial statements will not be prevented, or detected and corrected on a timely basis. A
significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.
(Insert the following paragraph when communicating significant deficiencies and material
weaknesses.)
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.
Continue with the following:
We consider the following identified control deficiencies to be significant deficiencies.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when significant deficiencies were previously
communicated and have not yet been remediated. This includes significant deficiencies
communicated at an interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following significant
deficiencies that have not been remediated.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Control deficiencies” section only when communicating identified
control deficiencies in conjunction with this letter. Such written communication is required
for an audit of internal control, but is not required to be made in writing before the
issuance of the internal control report. However, the communication must be made no later
than 45 days after the report release date. If such matters are communicated separately to
management, a copy of the communication should be sent to at least the audit committee
chairman, and this letter should state that such matters were communicated separately.)
Control deficiencies
(Include the following definition paragraph when only communicating control deficiencies.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
Continue with the following:
We identified the following control deficiencies.
(Describe the control deficiencies and their potential effects on the achievement of the
control criteria.)
(Alternatively, insert one of the following sentences, modified as appropriate)
We will separately communicate to you identified control deficiencies.
--or--
On (insert date), we communicated to management certain identified control deficiencies.
(Insert the following “Recommendations to strengthen internal control” section when
communicating recommendations for improvements in internal control over financial
reporting. The firm encourages such communications.)
Recommendations to strengthen internal control
We recommend that the Company and those charged with governance consider the
following actions.
(Describe the recommended actions.)
(Insert the following “Company response” section if management issues a written response
to our communication and such response will be included in a document containing our
communication.)
Company response
The Company’s written response to the internal control matters identified herein has not
been subjected to our audit procedures and, accordingly, we express no opinion on it.
***
This communication is intended solely for the information and use of management, those
charged with governance, and others within the Company (and if applicable, identify any
specified regulatory agency) and is not intended to be and should not be used by anyone
other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)

E03 This letter is used in an integrated audit under AICPA standards to
communicate to the board of directors our conclusion that the audit committee’s (or
similar subgroups with different names) oversight is ineffective.
(Grant Thornton letterhead)
(Current date; no later than 45 days after the report release date)
Board of Directors
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended and the Company’s internal control over financial reporting as of
(insert date, such as December 31, 20XX), the standards established by the American
Institute of Certified Public Accountants (“AICPA standards”) require that we advise you
of the following matters identified during our audit related to the audit committee’s
oversight of the Company’s external financial reporting and internal control over financial
reporting (hereinafter referred to as “internal control”). (Insert the following if the letter is
dated subsequent to the date of our auditor’s report: The matters discussed herein are those
that we noted as of (insert date of auditor’s report), and we did not update our procedures
regarding these matters since that date to the current date.)
Our responsibilities
Our responsibility, as prescribed by AICPA standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud, and whether effective internal control was
maintained in all material respects (that is, whether material weaknesses exist as of the date
specified in management’s assertion). The audit is not designed to detect deficiencies in
internal control that, individually or in combination, are less severe than a material
weakness.
An audit committee plays an important role within a company’s internal control by setting a
positive tone at the top and challenging a company’s activities in the financial arena. The
aspects of an audit committee’s effectiveness that are important may vary considerably with
the circumstances. Our audit included an assessment of the effectiveness of the audit
committee’s oversight of the Company’s external financial reporting and internal control.
Such assessment was performed as a part of our understanding of the control environment
and monitoring components of internal control and not for the purpose of performing a
separate and distinct evaluation of the audit committee. Accordingly, we do not express an
opinion on the effectiveness of the audit committee’s oversight. However, we are
responsible for communicating to the Board of Directors ineffective oversight by the audit
committee of the company’s external financial reporting and internal control.
Audit committee ineffectiveness
(Describe the ineffectiveness and its effect on the achievement of the internal control
objectives. Such description should include the definitions of significant deficiency and
material weakness, as applicable. It should also refer to any previous communications
where the matter has not been remediated.)
(Insert the following “Recommendations” section when communicating recommendations
for improvements. The firm encourages such communications.)
Recommendations
We recommend that the Company, the audit committee, and the Board of Directors
consider the following actions.
(Describe the recommended actions.)
***
This communication is intended solely for the information and use of the Board of
Directors, audit committee, management, and others within the Company (and if
applicable, identify any specified regulatory agency) and is not intended to be and should
not be used by anyone other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)

Communication of Internal Control Matters (PCAOB)

E04 This letter is used in a financial statement audit under PCAOB standards. Do
not use this illustrative letter for integrated audits.
(Grant Thornton letterhead)
(Current date; no later than the audit report date)
Management and the Audit Committee of the Board of Directors
(Alternatively, if no audit committee exists: Management and the Board of Directors)
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended, the standards established by the United States Public Company
Accounting Oversight Board (“PCAOB standards”) require that we advise management and
the audit committee (if applicable, change to: board of directors) (hereinafter referred to as
“those charged with governance”) of the following internal control matters identified during
our audit.
(Insert the following paragraph when we will refer to a component auditor in our audit
report on the group financial statements.)
The auditors of (name of component subject to audit by other auditors, such as XYZ
Company), (insert relationship to the parent company, such as a wholly owned subsidiary
of ABC Company), are required to separately communicate internal control matters
identified during their audit of (name of component subject to audit by other auditors, such
as XYZ Company). (If applicable, insert: Such internal control matters, insofar as they
relate to our audit of the Company, are included herein solely as reported to us by such
other auditors.)
Our responsibilities
Our responsibility, as prescribed by PCAOB standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. An audit includes consideration of internal
control over financial reporting (hereinafter referred to as “internal control”) as a basis for
designing audit procedures that are appropriate in the circumstances for the purpose of
expressing our opinion on the financial statements, but not for the purpose of identifying
deficiencies in internal control or expressing an opinion on the effectiveness of the
Company’s internal control. Accordingly, we express no such opinion on internal control
effectiveness.
Identified deficiencies in internal control
We identified the following internal control matters as of the date of this letter that are of
sufficient importance to merit your attention.
(Insert the following “Material weaknesses” section only when communicating identified
material weaknesses.)
Material weaknesses
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the
Company’s annual or interim financial statements will not be prevented or detected on a
timely basis.
Our consideration of internal control would not necessarily identify all deficiencies in
internal control that, individually or in combination, may be material weaknesses. However,
we consider the following identified control deficiencies to be material weaknesses.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when material weaknesses were previously communicated
and have not yet been remediated. This includes material weaknesses communicated at an
interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following material
weaknesses that have not been remediated.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Significant deficiencies” section only when communicating identified
significant deficiencies.)
Significant deficiencies
(Insert the following two paragraphs when communicating significant deficiencies, but not
material weaknesses.)
Our consideration of internal control would not necessarily identify all deficiencies in
internal control that, individually or in combination, may be material weaknesses or
significant deficiencies.
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the
Company’s annual or interim financial statements will not be prevented or detected on a
timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in
internal control over financial reporting that is less severe than a material weakness, yet
important enough to merit attention by those responsible for oversight of the company’s
financial reporting (also referred to as those charged with governance).
(Insert the following paragraph when communicating significant deficiencies and material
weaknesses.)
Our audit was also not designed to identify deficiencies in internal control that, individually
or in combination, may be significant deficiencies. A significant deficiency is a deficiency,
or a combination of deficiencies, in internal control over financial reporting that is less
severe than a material weakness, yet important enough to merit attention by those
responsible for oversight of the company’s financial reporting (also referred to as those
charged with governance).
Continue with the following:
We consider the following identified control deficiencies to be significant deficiencies.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when significant deficiencies were previously
communicated and have not yet been remediated. This includes significant deficiencies
communicated at an interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following significant
deficiencies that have not been remediated.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Control deficiencies” section only when communicating identified
control deficiencies. If such matters are communicated separately to management, a copy
of the communication should be sent to at least the audit committee chairman, and this
letter should state that such matters were communicated separately.)
Control deficiencies
(Include the following definition paragraph when only communicating control deficiencies.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis.
We identified the following control deficiencies.
(Describe the control deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
--or--
On (insert date), we communicated to management certain identified control deficiencies.
(Insert the following “Recommendations to strengthen internal control” section when
communicating recommendations for improvements in internal control over financial
reporting. The firm encourages such communications.)
Recommendations to strengthen internal control
We recommend that the Company and those charged with governance consider the
following actions.
(Describe the recommended actions.)
(Insert the following “Company response” section if management issues a written response
to our communication and such response will be included in a document containing our
communication.)
Company response
The Company’s written response to the internal control matters identified herein has not
been subjected to our audit procedures and, accordingly, we express no opinion on it.
***
This communication is intended solely for the information and use of management, those
charged with governance, and others within the Company (and if applicable, identify any
specified regulatory agency) and is not intended to be and should not be used by anyone
other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)

E05 This letter is used in an integrated audit under PCAOB standards.
(Grant Thornton letterhead)
(Current date; no later than the audit report date)
Management and the Audit Committee of the Board of Directors
(Alternatively, if no audit committee exists: Management and the Board of Directors)
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended and the Company’s internal control over financial reporting (hereinafter
referred to as “internal control”) as of (insert date, such as December 31, 20XX), the
standards established by the United States Public Company Accounting Oversight Board
(“PCAOB standards”) require that we advise management and the audit committee (if
applicable, change to: board of directors) (hereinafter referred to as “those charged with
governance”) of the following internal control matters identified during our audit.
(Insert the following paragraph when we will refer to a component auditor in our audit
report on the group financial statements.)
The auditors of (name of component subject to audit by other auditors, such as XYZ
Company), (insert relationship to the parent company, such as a wholly owned subsidiary
of ABC Company), are required to separately communicate internal control matters
identified during their audit of (name of component subject to audit by other auditors, such
as XYZ Company). (If applicable, insert: Such internal control matters, insofar as they
relate to our audit of the Company, are included herein solely as reported to us by such
other auditors.)
Our responsibilities
Our responsibility, as prescribed by PCAOB standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud, and whether effective internal control was
maintained in all material respects (that is, whether material weaknesses exist as of the date
specified in management’s assessment). However, due to the inherent limitations of an
audit, a material weakness may remain undetected. Also, the audit is not designed to
identify deficiencies in internal control that, individually or in combination, are less severe
than a material weakness.
Identified deficiencies in internal control
We identified the following internal control matters as of the date of this letter that are of
sufficient importance to merit your attention.
(Insert the following “Material weaknesses” section only when communicating identified
material weaknesses.)
Material weaknesses
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the
Company’s annual or interim financial statements will not be prevented or detected on a
timely basis.
We consider the following identified control deficiencies to be material weaknesses.
(Describe the material weaknesses and their potential effects on the achievement of the
objectives of the control criteria. In addition, if the material weaknesses should have been
disclosed or identified in management’s assessment but were not, state that fact.)
(Insert the following paragraph when material weaknesses were previously communicated
and have not yet been remediated. This includes material weaknesses communicated at an
interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following material
weaknesses that have not been remediated. (Describe the material weaknesses and their
potential effects on the achievement of the objectives of the control criteria.)
(Insert the following “Significant deficiencies” section only when communicating identified
significant deficiencies.)
Significant deficiencies
(Insert the following paragraph when communicating significant deficiencies, but not
material weaknesses.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the
Company’s annual or interim financial statements will not be prevented or detected on a
timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in
internal control over financial reporting that is less severe than a material weakness, yet
important enough to merit attention by those responsible for oversight of the company’s
financial reporting (also referred to as those charged with governance).
(Insert the following paragraph when communicating significant deficiencies and material
weaknesses.)
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control
over financial reporting that is less severe than a material weakness, yet important enough
to merit attention by those responsible for oversight of the company’s financial reporting
(also referred to as those charged with governance).
Continue with the following:
We consider the following identified control deficiencies to be significant deficiencies.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following paragraph when significant deficiencies were previously
communicated and have not yet been remediated. This includes significant deficiencies
communicated at an interim date or during a previous audit engagement.)
In our letter dated (insert date of our letter), we communicated the following significant
deficiencies that have not been remediated.
(Describe the significant deficiencies and their potential effects on the achievement of the
objectives of the control criteria.)
(Insert the following “Control deficiencies” section only when communicating control
deficiencies in conjunction with this letter. Such written communication is required for an
audit of internal control, but is not required to be made in writing before the issuance of the
internal control report. However, the communication must be made no later than 45 days
after the report release date. If such matters are communicated separately to management,
a copy of the communication should be sent to at least the audit committee chairman, and
this letter should state that such matters were communicated separately.)
Control deficiencies
(Include the following definition paragraph when only communicating control deficiencies.)
A deficiency in internal control (“control deficiency”) exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent or detect misstatements on a timely basis.
Continue with the following:
We identified the following control deficiencies. (Describe the control deficiencies and
their potential effects on the achievement of the objectives of the control criteria.)
(Alternatively, insert one of the following sentences, modified as appropriate)
We will separately communicate to you identified control deficiencies.
--or--
On (insert date), we communicated to management certain identified control deficiencies.
(Insert the following “Recommendations to strengthen internal control” section when
communicating recommendations for improvements in internal control over financial
reporting. The firm encourages such communications.)
Recommendations to strengthen internal control
We recommend that the Company and those charged with governance consider the
following actions.
(Describe the recommended actions.)
(Insert the following “Company response” section if management issues a written response
to our communication and such response will be included in a document containing our
communication.)
Company response
The Company’s written response to the internal control matters identified herein has not
been subjected to our audit procedures and, accordingly, we express no opinion on it.
***
This communication is intended solely for the information and use of management, those
charged with governance, and others within the Company (and if applicable, identify any
specified regulatory agency) and is not intended to be and should not be used by anyone
other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)
Communication to Board of Directors on Audit Committee Ineffectiveness (PCAOB)

E06 This letter is used, in a financial statement audit and in an integrated audit
performed under PCAOB standards, to communicate to the board of directors our
conclusion that the audit committee’s oversight is ineffective.
(Grant Thornton letterhead)
(Current date; no later than 45 days after the report release date)
Board of Directors
(Name of company, such as ABC Company)
(Address of company)
Ladies and Gentlemen:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended [insert as applicable, and the Company’s internal control over financial
reporting as of (insert date, such as December 31, 20XX)], the standards established by the
United States Public Company Accounting Oversight Board (“PCAOB standards”) require
that we advise you of the following matters identified during our audit related to the audit
committee’s oversight of the Company’s external financial reporting and internal control
over financial reporting (hereinafter referred to as “internal control”). (Insert the following
if the letter is dated subsequent to the date of our auditor’s report: The matters discussed
herein are those that we noted as of (insert date of auditor’s report), and we did not update
our procedures regarding these matters since that date to the current date.)
Our responsibilities
(Insert the following two paragraphs for a financial statement audit.)
Our responsibility, as prescribed by PCAOB standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. An audit includes consideration of internal
control as a basis for designing audit procedures that are appropriate in the circumstances
for the purpose of expressing our opinion on the financial statements, but not for the
purpose of identifying deficiencies in internal control or expressing an opinion on the
effectiveness of the Company’s internal control. Accordingly, we express no such opinion
on internal control effectiveness.
An audit committee plays an important role within a company’s internal control by setting a
positive tone at the top and challenging a company’s activities in the financial arena. The
aspects of an audit committee’s effectiveness that are important may vary considerably with
the circumstances. In connection with our audit, we did not perform an assessment of the
effectiveness of the audit committee’s oversight of the Company’s external financial
reporting and internal control and, accordingly, we do not express an opinion on the
effectiveness of the audit committee’s oversight. However, we are responsible for
communicating to the Board of Directors ineffective oversight by the audit committee of
the company’s external financial reporting and internal control.
-- or --
(Alternatively, insert the following two paragraphs for an integrated audit.)
Our responsibility, as prescribed by PCAOB standards, is to plan and perform our audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud, and whether effective internal control was
maintained in all material respects (that is, whether material weaknesses exist as of the date
specified in management’s assessment). The audit is not designed to detect deficiencies in
internal control that, individually or in combination, are less severe than a material
weakness.
An audit committee plays an important role within a company’s internal control by setting a
positive tone at the top and challenging a company’s activities in the financial arena. The
aspects of an audit committee’s effectiveness that are important may vary considerably with
the circumstances. Our audit included an assessment of the effectiveness of the audit
committee’s oversight of the Company’s external financial reporting and internal control.
Such assessment was performed as a part of our understanding of the control environment
and monitoring components of internal control and not for the purpose of performing a
separate and distinct evaluation of the audit committee. Accordingly, we do not express an
opinion on the effectiveness of the audit committee’s oversight. However, we are
responsible for communicating to the Board of Directors ineffective oversight by the audit
committee of the company’s external financial reporting and internal control.
Audit committee ineffectiveness
(Describe the ineffectiveness and its effect on the achievement of the internal control
objectives. Such description should include the definitions of significant deficiency and
material weakness, as applicable. It should also refer to any previous communications
where the matter has not been remediated.)
(Insert the following “Recommendations” section when communicating recommendations
for improvements. The firm encourages such communications.)
Recommendations
We recommend that the Company, the audit committee, and the Board of Directors
consider the following actions.
(Describe the recommended actions.)
***
This communication is intended solely for the information and use of the Board of
Directors, audit committee, management, and others within the Company (and if
applicable, identify any specified regulatory agency) and is not intended to be and should
not be used by anyone other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)
Communication of Other Advisory Comments

E07 The following is an illustrative letter that is used to communicate other advisory
comments and recommendations for internal control improvements, if such
recommendations were not communicated along with the related deficiencies. The letter
should be modified to fit the circumstances of the engagement.
(Grant Thornton letterhead)
(Current date)
(Name and title of addressee, such as Mr. Michael Progress, President)
(Name of company, such as ABC Company)
(Address of company)
Dear Mr. Progress:
In connection with our audit of (insert name of company, such as ABC Company’s) (the
“Company”) financial statements as of (insert date, such as December 31, 20XX) and for
the year then ended, we became aware of several matters relating to operational and
administrative efficiency (add if applicable, and other matters for improving internal
control over financial reporting). This letter summarizes our comments and suggestions
regarding those matters. The matters discussed herein are those that we have noted as of
(report date) and we have not updated our procedures regarding these matters since that
date to the current date.
-- or --
(Insert the following paragraph for an integrated audit.)
In connection with our integrated audit of (insert name of company, such as ABC
Company’s) (the “Company”) financial statements as of (insert date, such as December 31,
20XX) and for the year then ended and the Company’s internal control over financial
reporting as of (insert date, such as December 31, 20XX), we became aware of several
matters relating to operational and administrative efficiency (add if applicable, and other
matters for improving internal control over financial reporting). This letter summarizes our
comments and suggestions regarding those matters. The matters discussed herein are those
that we have noted as of (report date) and we have not updated our procedures regarding
these matters since that date to the current date.
Continue with the following:
We have previously discussed our observations and suggestions with various Company
personnel and would be pleased to discuss them in further detail at your convenience, to
perform any additional study of these matters, or to assist you with implementation, to the
extent our independence is not impaired. (For SEC engagements, use the following: We
have previously discussed our observations and suggestions with various Company
personnel and would be pleased to discuss them in further detail at your convenience.)
(Insert the following “Recommendations for Improving Internal Control over Financial
Reporting” section, as applicable.)
Recommendations for improving internal control over financial reporting
On (insert date), we communicated to management and those charged with governance
certain control deficiencies, significant deficiencies and material weaknesses in internal
control over financial reporting. We recommend that the Company consider the following
actions for improving internal control over financial reporting.
(Describe the recommended actions.)
Operational and administrative efficiency
During our audit, we became aware of the following matters relating to operational or
administrative efficiency.
(Describe the operational and administrative matters and any related recommendations for
improving efficiency.)
(Insert the following “Status of Prior Year Comments,” as applicable.)
Status of prior year comments
While we are pleased that most (or many, or several) of the recommendations we made last
year (or in prior years) have been adopted, others have not been implemented. We believe
that the observations and suggestions below continue to warrant consideration.
(Describe prior year comments, as applicable.)
***
This communication is intended solely for the information and use of management, those
charged with governance, and others within the Company (and if applicable, identify any
specified regulatory agency) and is not intended to be and should not be used by anyone
other than these specified parties.
Very truly yours,
GRANT THORNTON LLP (manually)
Chapter Twenty-Three - Communications of Audit Matters with Those Charged with Governance
Summary

This Chapter provides guidance on the communication of audit matters with those
charged with governance, recognizing the importance of effective two-way
communication.

Introduction
23.01 “Governance” is the term used to describe the role of persons entrusted with
the supervision, control, and direction of an entity, such as overseeing the strategic
direction of the entity, obligations related to the accountability of the entity, and the
financial reporting process. Those charged with governance (TCWG) are responsible for
ensuring that the entity achieves its objectives with regard to reliable financial reporting,
effective and efficient operations, compliance with laws and regulations, and reporting to
interested parties. TCWG include the board of directors and the audit committee and
may include management or owners if they are charged with a governance role.

23.02 The requirements of national professional accountancy bodies, legislation, or
regulation also may impose obligations on the audit team to make communications on
governance related matters (see the section entitled “Confidentiality”). These additional
communication requirements might not be covered in this Manual; however, they may
affect the content, form, and timing of TCWG communications.

Relevant Persons
23.03 The audit team should use its judgment to determine those persons with
whom to communicate. Typically, TCWG will be the board of directors or an audit
committee, but they may include management or owners if they are also charged with a
governance role. In the unusual circumstance when the entity’s governance structure is
not well defined, or TCWG are not clearly identified, the audit team and the client should
agree on who will participate in the communications.

23.04 The boards of many entities establish audit committees (or similar subgroups
with different names) to assist them in fulfilling their governance responsibilities.
Communication with the audit committee is a key element in the audit team’s
communication with TCWG. However, the audit team always retains the right to
communicate directly with the full board (or larger body) when they believe
communications between the audit committee and the board are not effective, for
whatever reason. While these situations are expected to be rare, if necessary, the audit
team should communicate directly to the full board at least in summary form.
23.05 In some cases, all of TCWG are involved in managing the entity, such as in a
family-owned business. If TCWG are all involved in managing the entity, the audit team
should determine whether communication with person(s) with financial reporting
responsibilities adequately informs all of those with whom the audit team would
otherwise communicate. For example, a small entity may divide responsibilities among
several individuals. The audit team may primarily communicate financial matters with
one individual, but should consider whether the other individuals should also be
included in the communications that are required with TCWG.

Two-way Communications
23.06 Professional standards encourage open and candid two-way communications.
It is no longer permissible for the audit team to send a letter to TCWG to fulfill the
required communications. Effective two-way communications benefit both
the audit team and TCWG. The audit team benefits from the insights and information
from TCWG in planning and performing the audit. In their oversight of the financial
reporting process, TCWG benefit from hearing the views of the audit team regarding
significant matters related to the audit.

23.07 [Tailor the following paragraph for your firm’s communications templates
and/or policies] The firm developed MS PowerPoint templates that contain the required
communications under the applicable professional standards (see section entitled
“Timing and Form of Communications”). Audit teams should tailor these slides to the
circumstances of the engagement and use them to facilitate an open two-way
discussion with TCWG. While the slides can be printed and distributed to those in
attendance, they can also be projected. Regardless of how the slides are used to
facilitate the meeting, a copy of the printed slides should be left with TCWG.

23.08 As discussed above, both parties benefit from effective two-way
communications. Each year, the audit team should consider whether the
communications were adequate. For TCWG, this means that they participate,
understand the issues, and take action. For the audit team, this means that information
is obtained to enable them to plan and perform the audit. Specific procedures need not
be performed by the audit team in making this evaluation. Rather, the evaluation is
accomplished through the observations of the audit team.

23.09 For example, if the audit team observes situations such as the following, they
may conclude that communications were not adequate.
 inappropriate actions taken in response to communications
 lack of action in response to prior communications
 lack of openness of TCWG during the communications
 unwillingness of TCWG to meet with the audit team
 inability to comprehend issues raised by the audit team
 failure by TCWG to perform their financial reporting oversight role

23.10 Further, if TCWG will not communicate matters requested by the audit team,
the audit team may not be able to properly perform risk assessment without information
from TCWG. Also, the audit team may have a scope limitation and be unable to
complete the audit.

23.11 [Tailor the following paragraph to reflect your firm’s consultation policies]
When the audit team concludes that the communication process was not adequate,
there is likely a material weakness in internal control. Controls in the control
environment related to oversight of the financial reporting process are not likely to be
implemented or operating effectively. In such situations, the lead partner should discuss
the matter with the PSP and determine whether this is an engagement with which the
firm should be associated.

Matters to be Communicated
23.12 Matters to be communicated with TCWG are discussed in detail in ISA 260
and AU Section 380 (AICPA and PCAOB standards). Certain of these matters are very
clear (e.g., unrecorded misstatements), while others (e.g., qualitative aspects of the
entity’s significant accounting practices) require judgment as to what would be
significant and relevant to TCWG. However, the audit team does not have any
responsibility to perform audit procedures specifically to identify matters to
communicate. In an integrated audit, refer to Chapter 25 for additional required
communications.

23.13 The audit team should communicate any noncompliance with laws or
regulations (illegal acts) or fraud that come to their attention to the appropriate level of
management and TCWG on a timely basis. Fraud involving senior management or
fraud that is material to the financial statements should be reported directly to TCWG.
The NPPD and RRLA should be consulted in such situations.

23.14 The audit team should not disclose information about illegal acts or fraud to
parties other than TCWG, unless the matter affects the opinion or we have a duty to
disclose such matters (e.g. in response to a subpoena). The firm may also have an
obligation to disclose such matters in accordance with requirements for audits of entities
receiving government financial assistance. Appropriate firm personnel should be
consulted in these situations before any such disclosure is made.

Qualitative Aspects of Significant Accounting Practices

23.15 The audit team should discuss with TCWG their views about the qualitative
aspects of the entity’s significant accounting practices, including accounting policies,
accounting estimates, and financial statement disclosures. Management will generally
be an active participant in these discussions because management has the primary
responsibility for establishing the entity’s accounting practices.

23.16 [Tailor the following paragraph for your firm’s consultation policies and
standard references] Professional standards provide guidance and a list of matters that
may be communicated (see PCAOB and AICPA AU Section 380 and Appendix 2 of ISA
260). Any communications about changes in policies or their application should be
discussed in advance with the PSP or, for SEC clients, the NPPD.

23.17 Objective criteria have not been developed to aid in the consistent evaluation
of the quality of an entity’s significant accounting practices. Therefore, the discussion
should be tailored to the entity’s specific circumstances, including accounting practices
not explicitly addressed in the accounting literature.

23.18 The discussion with TCWG and management concerning the qualitative
aspects of the entity’s significant accounting practices should be made orally to
encourage open and frank communication. However, the workpapers should document
that the discussion took place, including the date of the discussion and the attendees.
The documentation need not include a summary of, or minutes of, the meeting.
Generally, a notation on the agenda or the presentation itself will suffice.

23.19 See the section entitled “Additional Communications for U.S. Public
Companies (Rule 2-07)” for additional guidance.

Disagreements with Management

23.20 [Tailor the following paragraph to reflect your firm’s consultation policies]
Communications relating to disagreements with management, whether or not
satisfactorily resolved, should be discussed in advance with the NPPD. Such
disagreements may arise over:
 the application of accounting principles
 the basis for management's judgments about accounting estimates
 the scope of the audit
 disclosures in the financial statements
 wording of the auditor’s report

23.21 Disagreements do not include differences of opinion based on incomplete
facts or preliminary information that are later resolved. Throughout the planning and
performance of audits, discussions take place with entity personnel about methods of
accounting for transactions and events, the performance and extent of audit
procedures, and matters requiring disclosure. During these discussions, there may be
differences of opinion on the issues, which may occur at various levels of authority in
the entity’s organization and in the firm.

23.22 Because these matters may vary in terms of their significance and because
frank discussions between management and auditors commonly occur, it is impossible
to define precisely which differences of opinion will constitute "disagreements" for
purposes of reporting in accordance with professional standards. However, the
guidelines in the following paragraphs should be considered in determining whether
disagreements have occurred.

23.23 A disagreement ordinarily has occurred when the auditor’s report contains a
modified opinion (qualified, adverse, or disclaimer) because of a departure from the
applicable financial reporting framework or a scope limitation.

23.24 The following do not necessarily constitute disagreements:
 discussions that are fundamental to the audit process about alternative
presentations, possible accounting principles applicable to transactions and
events, audit scope and procedures, and disclosures
 discussions and differences of opinion with personnel on accounting,
disclosure, or auditing matters that are discussed and resolved with
management in a usual and routine manner
 discussions and differences of opinion with personnel at levels below the
level with final decision-making authority (such as the lead partner and the
chief financial officer)

23.25 When the audit team concludes that a disagreement did occur, it should be
reported regardless of whether or not management ultimately adopted the audit team’s
position. The following guidance is applicable to reporting disagreements:
 describe disagreements fairly and concisely; clearly state the facts and
reasons for the audit team’s position
 refer to the auditor’s report when the subject of a disagreement is
addressed therein
 indicate whether the disagreement(s) was resolved to the audit team’s
satisfaction
 discuss draft communications with management to explain the audit team’s
position and to obtain management's perspective

Timing and Form of Communications


23.26 Communications should occur in a sufficiently timely manner to enable TCWG
to take appropriate action. Some items are best communicated early in the audit
process, such as the planned scope and timing. Other items are best communicated
when they occur, such as difficulties in performing the audit when TCWG might be of
assistance in resolving the difficulties. However, most items will still be communicated at
the conclusion of the audit.

23.27 [Tailor the following paragraph for your firm’s applicable templates and their
location] The firm prefers that all required communications be made in writing, except
for the discussion about the qualitative aspects of the entity’s significant accounting
practices (discussed above). Accordingly, to facilitate the written communication and
oral discussion of these matters, the firm developed standard MS PowerPoint templates
(“Communications Related to the Audit – Non-SEC” for non-public companies and the
“Annual Audit Committee Meeting Presentation - SEC” for public companies). These
templates should be used for such communications. They are designed to:
 facilitate a meaningful discussion with TCWG
 ascertain that all required matters are discussed
 develop documentation to be included in the workpapers
Not all topics may be applicable to every engagement, and the templates should be
modified as necessary. The templates can be found in GEL under Letters, Forms and
Templates > Communications with Those Charged with Governance. For audits under
PCAOB standards, the audit team may also use the standard illustrative letter (Audit
Committee Communications – SEC) in conjunction with the template.

23.28 [Include the last sentence if your firm audits SEC registrants] At the
conclusion of the audit, the audit team should determine that all required
communications are made. These communications should occur within the
documentation assembly period. For SEC registrants, the communications should be
made within sufficient time for the audit committee to complete its report for inclusion in
the registrant’s proxy statement or information statement.

23.29 Some of the matters being communicated ordinarily result in internal control
recommendations or other client advisory comments (see Chapter 22). Whenever
possible and appropriate, the written communication should reference our letter on
internal control related matters. Professional standards do not prohibit a combined
report to TCWG and a report of internal control related matters. However, since these
communications address different types of issues, the firm prefers to issue separate
reports.

23.30 [Tailor the following paragraph to reflect your policies and titles] Before
issuance, the written communication should be reviewed by the quality control reviewer,
if assigned to the engagement, and the NPPD should be consulted, where applicable.

23.31 Professional standards do not address dating such written communications.
Accordingly, written communications should ordinarily carry a current date. They should
also be restricted for the use of management and TCWG.

23.32 [Tailor the following paragraph to reflect your practices] The final template
should be attached to the audit workpapers in Voyager. It is not necessary to complete
a Report Guide Sheet or file a copy of the presentation as if it were a report. The audit
documentation should also contain a brief summary of the meeting and those in
attendance.

Preliminary Meeting with Management


23.33 Ordinarily, the audit team initially discusses audit matters of governance
interest with management, except where those matters relate to questions of
management competence or integrity. These initial discussions with management are
important to clarify facts and issues and to give management an opportunity to provide
further information.

23.34 To appropriately clarify the facts and issues and to give management an
opportunity to provide further information, the audit team should:
 discuss findings with appropriate entity personnel
 discuss all observations in a factual manner and avoid accusatory remarks
 ask whether there are any additional facts that should be considered before
finalizing written communications
 listen to responses, keeping in mind that unexpected and important
information may be presented
 consider the impact on, and possible reactions of, entity personnel who are
not present
 obtain an understanding of why past recommendations were not
implemented
 consider management's views regarding the matter and inquire about
actions being contemplated to address the matter
 obtain an understanding of any management objections to proposed
communications and comments

23.35 Matters to be communicated to TCWG should not be eliminated because
management disagrees with them. However, management's editorial suggestions
should be welcomed. If any matters or comments are deleted because the audit team’s
understanding has changed, the reasons should be documented.

Communications Made by Management


23.36 Although management also has communication responsibilities, the audit team
is required to communicate the matters directly to TCWG, not through management.
However, it is appropriate for certain communications to also be made by management, and the
audit team should encourage management to do so. These matters may include:
 significant accounting policies, including accounting estimates and financial
statement disclosures
 significant deficiencies and material weaknesses
 consultation with other accountants
 major issues discussed with management prior to our retention

Finalizing Written Communications


23.37 Written communications of matters of governance interest should be clear,
concise, objective, and factual. Wherever feasible, such communications describe:
 the audit team’s observations or issues identified
 the associated risk or problem that results from the identified condition
 the importance or significance of the condition and its magnitude
 recommendations to correct or improve the identified condition
 the associated benefit to be achieved if the recommendations are
implemented. Estimates of costs or potential savings should be made with
care and be appropriately documented in the workpapers. The inclusion of
such estimates can help in establishing cost/benefit relationships for further
evaluation.

23.38 The following should also be considered in finalizing written communications:
 address the communications appropriately (usually the board of directors,
audit committee and/or management)
 order comments based on significance
 group related comments (by type, location, responsibility, or function)
 tailor the communications to the specific entity
 be cognizant of the costs and benefits of proposed recommendations
 avoid unnecessary verbiage

Prior Recommendations or Suggestions


23.39 In many instances, the audit team may repeat recommendations or
suggestions made in prior years that have not been implemented. The audit team
should usually call attention to this, either by specifically identifying prior
recommendations or suggestions or by making a general reference to such matters.

23.40 It may be particularly important in some situations to call attention to such prior
recommendations or suggestions or to oral discussions with (prior) management in the
absence of written communications of such matters; for example, when there have been
changes in ownership or management or in situations where the audit team may be
criticized for not having raised certain issues.

Confidentiality
23.41 [Tailor to reflect your consultation policy] The requirements of national
professional accountancy bodies, legislation, or regulation may impose obligations of
confidentiality that restrict the audit team’s governance communications. The audit team
refers to such requirements, laws, and regulations before communicating with TCWG.
In some circumstances, the potential conflicts with the audit team’s ethical and legal
obligations of confidentiality and reporting may be complex. In these cases, the audit
team may consult with RRLA.

Matters Arising From Components of a Consolidated Group
23.42 When the audit team uses the work of a component auditor on one or more
components (such as a subsidiary, division, or branch), the audit team should obtain
information from the component auditor about matters to be communicated to TCWG.
The group audit team should evaluate the significance of these matters and
communicate them insofar as they relate to the audit of the group financial statements.
When the component auditor issues an audit report on the component, the component
auditor is responsible for communicating matters related to the component.

Required Communications Related to an Interim Review


[Tailor the following paragraphs to reflect the interim review of listed entity
communication requirements relevant to your firm and for your consultation
policies.]

23.43 The audit team should communicate with TCWG matters related to a review of
interim financial information that are, in the audit team’s judgment, significant and
relevant to TCWG in overseeing the financial reporting process. Accordingly, if matters
that are required to be communicated in an audit are identified during an interim review,
they should be communicated to TCWG (see section entitled “Matters to be
Communicated”).

23.44 These matters should be communicated to TCWG (or at least the committee
chair) and management before the entity files its interim financial information with a
regulatory agency or others, such as a private equity exchange. If there is no associated
filing, the matters should be communicated before the financial statements are issued. If
the audit team cannot communicate before the filing (or financial statement issuance),
they should communicate as soon as practicable thereafter. These communications
may be oral or written. Oral communications should be documented. If matters are
communicated orally, the lead partner may want to follow up in writing.

23.45 If the audit team determines it is necessary to communicate the qualitative
aspects of an entity’s significant accounting practices applied to its interim reporting,
these discussions will always be made orally in the manner discussed above. Because
the objective of a review of interim financial information differs significantly from the
objective of an audit, such discussion would generally be limited to the effects of
significant events, transactions, and changes in accounting policies, estimates and
disclosures the audit team considered when conducting the review.

Other TCWG Communications at Interim

23.46 [Tailor to reflect your consultation policies] In addition to the TCWG
communications discussed in the preceding paragraphs, the audit team is required to
discuss the following with the NPPD and the appropriate level of management:
 material modifications that should be made to the interim financial
information for it to conform with the applicable financial reporting
framework
 the filing of interim financial information or, if there is no associated filing,
the issuance of financial statements prior to completion of the review

23.47 [Tailor to reflect your consultation policies] If management does not respond
appropriately to the communications in the previous paragraph within a reasonable
period of time, the audit team should inform TCWG (verbally or in writing; verbal
communications should be documented). If TCWG do not respond to our
communication within a reasonable period of time, we should evaluate whether to
resign from the engagement to review the interim financial information and as the
entity’s auditor. The NPPD should be contacted when considering a resignation.

23.48 The audit team is also required to:
 determine that the appropriate level of management and TCWG is
adequately informed about fraud and possible illegal acts that we become
aware of, unless clearly inconsequential (see section entitled “Matters to be
Communicated”)
 report matters related to the entity's internal control (see Chapter 22)

Required Independence Communications under PCAOB Standards


23.49 PCAOB Rule 3526, Communication with Audit Committees Concerning
Independence, superseded the Board’s interim independence requirement,
Independence Standards Board Standard 1 (ISB 1), Independence Discussions with
Audit Committee, and two related Interpretations. The annual independence
communication requirements in Rule 3526 and ISB 1 are essentially the same, except
that Rule 3526 established an additional independence communication requirement for
auditors before the firm accepts the initial audit engagement. Audit teams should refer
to Chapter 7 of the Independence and Ethics Manual for further guidance on the firm’s
independence communication requirements, including required consultations with the
NPPD and PIC Ethics related to independence threats. These requirements are
currently included in the Voyager audit programs.

23.50 [Tailor to reflect the location of your documents] The following communication
templates are available in Letters, Forms and Templates > Communications with Those
Charged with Governance:
 Initial Independence Letter to Audit Committees
 Annual Independence Letter to Audit Committees

23.51 [Tailor to reflect your documents] Audit teams should also refer to the practice
aide called “Overview of Relationships and Other Matters That May Bear on
Independence,” which identifies hypothetical relationships that could be of particular
interest to an audit committee.

23.52 The audit documentation in Voyager should include the written
communications (the letters above) and a memorandum describing the substance of all
verbal independence communications, including:
 when the discussion occurred
 with whom the discussion took place
 the significant matters discussed
 the audit committee’s response

23.53 If an independence matter is disclosed to the audit committee, the proposal or
audit team should document the independence matters addressed, including the
applicable safeguards, and the conclusions reached by the firm and the audit committee
in the Consultation Database. Once the consultation is approved, the consultation is
included in the audit workpapers. (For prospective clients, the consultation should be
added to the Consultation Database, including audit workpapers, upon the firm’s
acceptance of the initial audit engagement.)

Additional Communications for U.S. Public Companies (Rule 2-07)


[Include this section if your firm audits SEC registrants]

23.54 SEC Rule 2-07 of Regulation S-X requires communication of the following
matters to the audit committee, before the client files its annual report with the SEC:
 critical accounting policies and practices
 alternative accounting treatments for policies and practices related to
material items discussed with management
 other material written communications between the firm and management

23.55 Accordingly, for all SEC audit clients, the lead partner should meet with the
audit committee (prior to the filing of their annual report) to discuss these matters.
Although these communications will occur at least once per year, the communications
should occur more frequently when new matters arise, such as quarterly during interim
reviews.

23.56 The SEC rule does not require these communications to be written; however,
both the audit team and the audit committee should document the communications that
occur. The firm believes that discussions will be enhanced when a formal written report
is not provided to the audit committee. Therefore, the standard communication template
(“Annual Audit Committee Meeting Presentation - SEC”) discussed above is considered
adequate documentation of the communications and the audit team’s documentation
thereof.

23.57 As a service opportunity, the audit team should make the audit committee
aware that:
 they are responsible for reviewing the selection, application, and disclosure
of critical accounting policies
 they should understand the criteria used by management in its selection of
the accounting principles and methods
 they should discuss the appropriateness of critical accounting policies with
senior management and the auditor
 they should document such discussions

Applicability to Investment Companies


23.58 Investment companies within an investment company complex frequently have
common boards of directors and common management. However, they also frequently
have staggered fiscal-year ends. The SEC’s rules require communications with the
investment company’s audit committee annually within 90 days prior to the company’s
annual filing with the SEC or to provide an update to the audit committee of any
changes to the previously reported information in the 90-day period prior to the filing.
Essentially, these rules provide for the audit team to make the required communications
no more than four times during a calendar year.

Critical Accounting Policies and Practices

23.59 Critical accounting policies are those policies that:
 are most important to the portrayal of the issuer's financial condition and results
 require management's most difficult, subjective, or complex judgments,
often as a result of the need to make estimates about the effect of matters
that are inherently uncertain

23.60 Although the SEC does not require the discussion to follow a specific form or
manner, it does expect, at a minimum, that the audit team communicate their
understanding of the processes used by management to identify all critical accounting
estimates and policies and to make the initial selection of all significant accounting
policies. The discussions should include the audit team’s assessment of the adequacy
of management's disclosures and whether any significant modifications proposed by the
audit team were not included in the company’s financial statements.

23.61 The separate discussion of all critical accounting policies and practices is not
considered a substitute for other communications required by PCAOB standards (AU
Section 380) regarding significant accounting policies, since the discussion about critical
accounting policies and practices might not encompass any new or changed significant
accounting policies and practices. Likewise, the communication of significant accounting
policies and practices required under PCAOB standards is not intended to dilute the
communications related to critical accounting policies and practices, since the issues
affecting critical accounting policies and practices, such as sensitivities of assumptions
and others, should be specifically tailored to events in the current year. Further, the
selection of significant accounting policies and practices should consider a broad range
of transactions occurring over time.

Alternative Accounting Treatments

23.62 The audit team is also required to communicate all alternative accounting
treatments of financial information related to material items that were discussed with
management. These communications should include the:
 ramifications of the use of such alternative treatments
 required disclosures
 treatment preferred by the audit team

23.63 The communications should also include recognition, measurement, and
disclosure considerations related to general accounting policies and the accounting for
specific transactions. Communications relating to the accounting for specific
transactions should include the underlying facts, financial statement accounts that are
impacted, and the applicability of existing corporate accounting policies to the
transaction. Communications relating to general accounting policies should include the:
 initial selection of and changes in significant accounting policies
 impact of management's judgments and significant accounting estimates,
as well as the audit team’s judgments about the quality of the policies
 range of alternatives available under the applicable financial reporting
framework that were discussed by management and the audit team,
including the audit team’s understanding of the reasons for the selection of
the chosen policy

Other Material Written Communications

23.64 The audit team is also required to provide the audit committee with copies of
material written communications between management and the firm (prior to filing the
annual report with the SEC). Written communications would not include documents in
draft form or pending items, which will need to be provided to the audit committee
before the next annual report is filed. Examples of material written communications
include (but are not limited to) engagement and representation letters, internal control
communications and advisory letters, independence letters, preferability letters, and the
Summary of Passed Adjusting Journal Entries. The audit team should consider what
additional written communications should be provided to the audit committee.

Chapter Twenty-Four — Group Audits and International
Engagements
[GT-US AASM Chapter 24 is an acceptable alternative to this Chapter. Chapter 24 in
that manual differs from this Chapter as US GAAS allows the principal auditor to refer to
another auditor when reporting.]

Summary

This Chapter provides an overview of GTI and discusses Horizon’s approach to
performing group audits and conducting international engagements. The guidance
includes considerations for working with component auditors, including GTI member
firms, correspondent firms, and unaffiliated firms.

Overview of Grant Thornton International


24.01 GTI is one of the world’s leading organizations of independently owned and
managed professional services firms providing assurance, tax, and advisory services to
privately held businesses and public interest entities. Accordingly, all GTI member firms
share a commitment to providing the same high quality service to their clients, wherever
they choose to do business.

24.02 Services are delivered by GTI member firms, a network of independent firms
throughout the world. GTI is a non-practicing international umbrella organization and
does not deliver services in its own name or otherwise.

24.03 Each member firm in GTI is a separate firm. These firms are not members of one
international partnership or otherwise legal partners with each other (with the exception
of certain limited instances), nor is any one firm responsible for the services or activities
of any other. Each firm governs itself and handles its administrative matters on a local
basis. Although many of the member firms now carry the Grant Thornton name, either
exclusively or in their national practice names, there is no common ownership among
the firms or by GTI.

GTI Member and Correspondent Firms

24.04 GTI member firms have agreed to comply with GTI policies and procedures.
Ordinarily, GTI member firms will have “Grant Thornton” in their name. All firms listed in
the GTI Directory and on the website are member firms, unless designated as
correspondent firms.

24.05 Correspondent firms perform agreed services on behalf of member firms but they
do not have the same rights or responsibilities. They are not member firms of GTI. They
are not allowed to use the Grant Thornton name, nor can they have access to audit
software or audit methodology developed by GTI.

International Practice Partners

24.06 GTI’s worldwide expertise is available through International Practice Partners
assigned in every country. International Practice Partners work together to provide the
necessary resources to meet the needs of member firms and their clients. International
Practice Partners are an important part of Grant Thornton's strategy of attracting and
serving international business referrals in the local marketplace.

International Business Centers

24.07 GTI operates a network of IBCs in key global financial centers. IBCs share a
common purpose and provide focus and commitment to quality service, including
improving service quality between member firms on cross-border referrals.

24.08 IBCs have several purposes and benefits, including to:
• establish a coordinated, comprehensive resource that can quickly assess a
client/prospect’s international business needs; and, once those needs are
clarified, identify the optimal skills, expertise and experiences within GTI to
provide the best delivery of service
• enhance and grow our international services and aggressively market GTI’s
global capabilities within the organization and in our marketplace, resulting in
enhanced service for existing clients and the development of new full service
client relationships
• improve client service and satisfaction on existing and new cross-border referrals
and ensure all significant clients are aware of the scope of our international
capabilities
• pursue the transfer of existing international assignments to GTI member firms
where a competitor is currently performing the international work

International Business Center Directors


24.09 GTI’s IBCs are structured as the gateway to all the resources of GTI’s
international network. Each IBC is led by an IBC Director, experienced in international
business and familiar with the wealth of expertise held by GTI partners around the
world. As a single point of contact for the client, the IBC Director will pass inquiries to
the relevant experts within the GTI organization.

Group Audits

Defining a Group Audit

24.10 A group audit is an audit of an entity that has components. A component is an
entity or business activity for which financial information is prepared and included in the
group financial statements. Accordingly, components could include, for example, a
subsidiary, other legal entity, an equity-method investment, a joint venture or a division.
The definition of a component is broad, but the defining element is that financial
information is prepared for inclusion in the group financial statements.

24.11 Group audits are not defined by who audits the components. As a result,
components may be audited by the group audit team, another audit team within the
same firm, auditors in a GTI member or correspondent firm, or auditors from an
unaffiliated firm.

Accepting Group Audit Engagements

24.12 Group audit teams should follow all client acceptance procedures as discussed in
Chapter 3. During the acceptance process, the group audit team considers the
engagement characteristics and audit risks of the group. Such considerations include
whether the group audit team is able to obtain sufficient appropriate audit evidence for
the entire group, including all components, in order to take responsibility for the opinion
on the group's financial statements (see “Serving as the Group Auditor” below).

24.13 The lead partner of the group audit team should resign or not accept an
engagement when group management imposes restrictions that make it impossible to
obtain sufficient appropriate audit evidence and the possible effect is a disclaimer of
opinion.

Identifying the Components

24.14 The breadth of the group audit definition and the sophistication of modern
accounting systems will result in many group audits. Audit teams should evaluate each
entity to determine whether it meets the definition of a group audit. When the entity
meets the definition, the audit team begins by identifying the components. The audit
team considers both the structure of the entity and its accounting system. Every entity
organizes its accounting systems differently, for example, according to geography, legal
structure, or by individual products. As a result, each group audit approach will have
differences.

24.15 When making the determination of whether an engagement is a group audit,
some common situations can be confusing to evaluate. For example, entities with
equity-method investments qualify as group audits. Additionally, when an audit team
from a different office in the same firm audits a component, the audit meets the criteria
for a group audit. Teams should bear in mind that the composition of the audit team does
not factor into the group audit determination. The composition of the entity defines
whether the entity is a group.

24.16 Audit teams should communicate with management when there are significant
components, such as equity-method investments, where involvement in the component
audit may not have occurred in the past.

24.17 When numerous components exist within the group accounting system, an audit
approach that aggregates components into a single component may be more effective
and efficient than an approach based on individual components. For example, consider
the situation where an entity establishes many components. These components capture
financial information related to various products within a common industry or customer
base, share a common accounting system, and contain similar financial reporting risks.
In this situation, the audit team may determine that it is more effective and efficient to
aggregate these components and audit each significant cycle as a single population.

Serving as the Group Auditor

24.18 After understanding the entity and its components, the audit team decides
whether its participation is sufficient to enable the firm to serve as the group auditor and
report on the financial statements taken as a whole.

24.19 In deciding whether the firm’s participation is sufficient to enable the audit team
to serve as the group auditor, the audit team considers:
• the materiality of the portion of the financial statements audited in comparison
with the portion audited by component auditors
• the extent of knowledge of the overall financial statements and the entity to be
reported upon
• the risk of material misstatements in the financial statements of the components
audited by component auditors
• the importance of the components the firm audited in relation to the entity as a
whole
• the extent of group auditor involvement required in the component audits and
whether they can achieve it
• the performance of additional procedures regarding the components audited by
component auditors

24.20 Professional standards do not provide quantitative guidelines for considering
these matters. Further, it is not practical to set forth specific guidelines for determining
whether it is appropriate to serve as the group auditor. Each situation should be
considered in light of the specific facts and circumstances.

24.21 When the firm audits over 50% of assets and/or revenues of the entity to be
reported on, it is ordinarily clear that the firm’s participation is sufficient to serve as the
group auditor. However, where one or both of these percentages are less than 50%, the
determination requires judgment. In these cases, several factors may influence the
decision, including:
• the nature of the assets and revenues audited by us and by the other auditors, which
is an important factor in considering the relative importance of the components; for
example, if the operations of the entity are both active (e.g., manufacturing
operations) and passive (e.g., investment activities), which auditor audits the
most important or critical component
• which auditor audits the parent company or the controlling operation or activity
• which auditor has greater familiarity with and knowledge of the overall entity; for
example, if there are two auditors following a recent business combination of two
companies of approximately equal size, the auditor most familiar with the nature
and direction of activities of the combined operations may have greater
knowledge and be able to act as the group auditor
• [Tailor the following paragraph to suit your policies] percentages of the portion
audited outside the United States. GTUS will not normally accept an engagement
or new client if the client’s principal operations and its management are located
outside the U.S.

24.22 [Tailor the following paragraph for domestic regulatory guidance, if any] The
SEC staff believes that the group auditor should audit more than 50% of the assets and
revenues presented in the registrant’s financial statements. The staff has not objected
to an auditor’s report solely on the basis that the auditor is taking responsibility for less
than 50% of the assets and revenues of the registrant if that report is issued by an
auditor required to be designated as the group auditor because of the laws, regulations,
stock exchange rules, or similar circumstances applicable to the registrant.

24.23 [Tailor the following paragraph to reflect your consultation policies] When the
audit team determines that the firm is the group auditor, although the firm audits less
than 50% of assets and/or revenues, the audit team should consult with the NPPD.

Evaluating the Components for Significance


24.24 Horizon uses a two-step process to determine an audit strategy for the
components of a group. The first step, determining significant components, involves
considering both quantitative and qualitative factors. The following guidelines will help
group audit teams make consistent decisions.

24.25 If a component exceeds 10% of total assets, revenues, or equity of the
consolidated entity, the audit team should consider the component to be significant.
Further, components that fall in the 5 to 10% range should be carefully evaluated before
deeming them not to be significant. Also, consideration should be given to those
situations in which there are multiple components that are not individually significant,
but when aggregated together on an appropriate basis, exceed the 10% threshold.

24.26 Qualitative factors could make an otherwise insignificant component significant.
The following factors are guidelines and they are not meant to be “bright lines.” Audit
teams should use judgment to determine whether the qualitative factors are of such
significance that they change a quantitatively not significant component into a significant
component. Qualitative items include:
• foreign exchange activities
• derivative activities
• translation rate volatility
• newly formed or acquired component
• significant changes in operations at the component
• unique accounting systems and internal control processes
• impact of group-wide internal controls

24.27 The audit team uses the GTI-developed Component Evaluation spreadsheet to
document the evaluation of the quantitative and qualitative factors considered in the
determination of significance of each component. The spreadsheet is in GEL under
Practice Aids > Group Audits.

Types of Audit Responses

24.28 The second step, determining an audit response for each component, also
involves considering both quantitative and qualitative factors. Understanding the types
of response will help in understanding the process of determining the appropriate
response for each component.

24.29 Horizon provides three responses to the risks present at a component:
• comprehensive
• targeted
• analytical

Comprehensive Response

24.30 A comprehensive response is an audit of the component's financial information.
The group audit team selects this approach when the component is significant to the
group and the significance is such that an audit of the component’s financial information
is necessary to obtain sufficient appropriate audit evidence for the audit of the group.

24.31 A comprehensive response does not mean that the component auditor will
complete all audit procedures necessary to issue a separate opinion on the financial
statements. In fact, many times the component may not prepare financial statements in
accordance with the applicable financial reporting framework. In addition, the
component auditor often will not perform many of the general file procedures performed
at the group level. While each group audit will differ, in a comprehensive approach the
component auditor will usually perform internal control and substantive procedures for
the cycles (based on component materiality) that would be considered significant when
performing an audit on the component.

24.32 Refer to Group Audits in Chapter 7 for additional information on calculating
component materiality.

24.33 While the comprehensive response does allow for tailoring, audit teams should
not remove procedures required by the group audit standard. For example, professional
standards require the group auditor to participate in the component risk assessment
process (i.e., determining reasonably possible risks) and to determine component
materiality. In performing the risk assessment at the component level, the group and
component auditor may identify reasonably possible risks specific to the component that
could impact the audit conclusion at the group level, and as such require an audit
response. The group auditor may choose to participate directly in responding to the
risks in those situations.

24.34 The procedures required to be performed when a component entity is determined
to be significant must be performed by the group auditor or the component auditor. The
group auditor cannot use another GTI member firm, acting on behalf of the group audit
team, to review the component auditor's work. This approach would result in the group
audit team relying on two separate firms and the additional procedures noted above
would need to be performed twice, which would not be efficient or effective.

Targeted Response

24.35 A targeted response means the group audit team identified one or more
reasonably possible risks at a component and has determined that audit procedures at
the component level are needed to respond to the risk(s). The group audit team selects
this approach whenever the component is significant to the group and the significance is
such that sufficient appropriate audit evidence for the audit of the group can be obtained
by performing audit procedures that respond to identified risk(s). Audit procedures could
be targeted by auditing one or more cycles (account balances, classes of transactions, or
disclosures) that contain reasonably possible risks of material misstatement of the
group financial statements and/or performing specific auditing procedures at the
component level that address specific risk(s) of material misstatement to the group
financial statements (for example, a material environmental liability).

24.36 The component auditor performs the procedures using group materiality and
group tolerable error. The group audit team does not need to reduce or otherwise
recalculate materiality for determining the scope of a targeted response.

Analytical Response

24.37 An analytical response is applied to components that are not individually
significant. The group audit team selects this approach when the component is not
significant and the risks can be addressed sufficiently by applying analytical procedures
at the group level.

24.38 The group auditor normally performs the analytical procedures in the group
Voyager file.

Determining the Appropriate Response

24.39 Determining an appropriate audit response (comprehensive, targeted or
analytical) for each component also involves considering both quantitative and
qualitative factors.

24.40 The Component Evaluation spreadsheet assists the audit team in analyzing
quantitative factors by disaggregating each component’s estimated benchmarks (net of
inter-group transactions). The disaggregated benchmarks are:
• current assets
• total assets
• current liabilities
• total liabilities
• equity
• revenues
• earnings

24.41 The firm suggests the following quantitative guidelines to assist audit teams in
determining an appropriate response:
Size of Component Benchmark to Group    Significant Component?    Response
If all > 25%                            Yes                       Comprehensive
If any >= 10%                           Yes                       Comprehensive or Targeted
If any between 5 and 10%                Maybe                     Targeted
If all < 5%                             No                        Analytical

24.42 When a component is very large, a comprehensive response may be obvious.
However, a comprehensive response may also be appropriate in other situations due to
qualitative risk factors present at a component.

24.43 It can be helpful to consider audit procedures as a continuum. At one end, the
group auditor performs analytical procedures, such as common-size comparisons,
and at the opposite end, the component auditor performs an audit, similar to the effort
needed to issue an audit opinion on the component. The response for each component
falls somewhere along the continuum, and the response for each component is
different. As the response begins to veer into the next level, the group auditor should
determine whether the appropriate response really is a higher level on the continuum
(e.g., move from analytical to targeted; targeted to comprehensive).

24.44 After determining the group audit response based on significance, the group
auditor evaluates the response to determine whether they will obtain sufficient
appropriate audit evidence from the planned procedures. When the response is
insufficient, the group auditor should perform additional procedures or request
component auditors to perform additional procedures.

Statutory Audits

24.45 Many jurisdictions require entities located within their boundaries to undergo a
statutory audit, an audit performed under local auditing standards and regulations. In
this situation, the group audit team may wish to consider using the audit required by
statute as audit evidence for the group audit. There are several challenges in
successfully executing this approach, including:
• differences in the financial reporting framework
• differences in auditing and other standards
• whether the statutory audit of the component will be completed in time to meet
the group's reporting timetable
• whether the statutory audit file can be completed and archived on the same
timetable as the audit of the group

24.46 These challenges are significant and it is unlikely that all can be overcome in a
way that the group audit team can solely rely upon the work performed in the statutory
audit process. Instead, the component auditor should follow the group audit approach
and perform the comprehensive or targeted procedures first. The component auditor
can leverage the work performed for the group audit when performing the statutory
engagement.

24.47 In all cases, the group auditor determines the maximum value of component
materiality. When materiality for statutory audit purposes is less than component
materiality, it may be desirable to use the smaller value in both audits.

Developing an Audit Strategy for the Group

24.48 An appropriate audit strategy for auditing significant components depends on:
• whether the response is comprehensive or targeted
• the identity of the component auditor (that is, whether the component auditor is
another audit team of the firm, a member firm, or an unaffiliated firm, including a
correspondent firm)

24.49 The group auditor should develop an audit strategy for the entire group, not just
the portions completed by the group auditor. The group auditor gains knowledge of the
group’s transaction processing, financial reporting, and internal control during the client
acceptance process and through prior year audits. The group auditor should test, or
assign the component auditor to test, controls the group auditor expects to be operating
effectively when developing the audit strategy.

Tailoring the Voyager File

24.50 The group auditor should tailor the Voyager file for the group audit by performing
the following:
• adding the group’s components to the Organization Structure tool. The group
auditor should include each component and all of the applicable information
including the auditor performing procedures over the component.
• documenting entity-level controls over components in the process “Monitor
business units (subsidiaries, branches, divisions, locations)” and documenting
controls over consolidation in the activity “Consolidating and closing worksheets”
• answering “yes” to the global question “Is this a group audit (i.e., an audit of an
entity comprised of multiple components such as subsidiaries, divisions, or
activities for which financial information is prepared)?”
• completing these four programs:
  - Qualification of Other Auditors
  - Work of Other Auditors
  - Reports of Other Auditors
  - Consolidation Process

Evaluating Professional Reputation of Component Auditors

24.51 The group auditor is responsible for determining whether the component auditors
participating in the engagement are independent, competent to perform their duties, and
understand their responsibilities.

24.52 The group auditor should evaluate whether component auditors meet these
requirements each period. Regardless of whether the component auditor is a member
firm, the group auditor should perform procedures to determine their competence to
perform the engagement according to professional standards.

24.53 When the same component auditor assists in subsequent periods, the group
auditor may use the prior experience with the component auditor as evidence of their
current period qualifications. This initial and subsequent knowledge can be obtained in
a variety of ways, such as:
• visiting the component auditor
• discussing the component auditor’s professional reputation with other auditors
• confirming status with professional regulatory organizations

24.54 When the component auditor is a member firm, the group audit team has access
to information that is not available for correspondent firms and unaffiliated firms. The
use of the Horizon audit methodology globally means that the group audit team can
communicate with member firms using the same concepts and terminology.

24.55 To assist the group auditor in evaluating a member firm’s professional reputation
and standing, GTI will provide two sources of information about the member firm.

24.56 First, to the extent that it can do so without violating confidentiality obligations,
GTI makes relevant results of its most recent inspection report, GTAR, available to
designated member firm personnel through a secure website. This information is
confidential and should be used solely for the purposes of complying with professional
requirements, including whether and how to use the member firm in the group audit.
[Tailor this sentence to reflect your process] In GTUS, the PIC SEC is the designated
person who has access to the secure website. Therefore, audit teams should obtain a
summary of the GTAR results for each member firm used in the group audit from the
PIC SEC.

24.57 [Tailor this paragraph to reflect your process] Second, GTI will provide information
about the professional reputation and standing of each GTI member firm that
participates in the group audit (referred to as the GTI professional reputation and
standing letter). In GTUS the PIC SEC will request the letter from GTI and will provide
this information on each member firm that participates in the group audit to the group’s
lead partner. Group audit teams that use member firms must request the information
about such firms from the PIC SEC.

24.58 [Tailor this paragraph to reflect your process] The information received from the
PIC SEC should be reviewed and included in the workpapers. It is the responsibility of
the group audit team to tailor the audit approach to address relevant deficiencies noted,
if any.

24.59 In instances where the information obtained about the member firm indicates
significant issues with the firm’s system of quality control, the audit team may decide to
treat a member firm as if it were a non-GTI member firm. In such circumstances, the
audit team should answer Voyager’s tailoring question to indicate that a non-member
firm is included as a component auditor and then tailor the audit procedures to address
the identified deficiencies. Depending on the circumstances, procedures to perform
could include:
• visiting the client location to obtain first-hand knowledge of the component and its
environment
• participating in the discussions with management of the component being
audited by the component auditors (for example, risk assessments, complex
accounting transactions, audit adjustments, internal control matters, and other
items deemed appropriate for the particular engagement)
• performing supplemental tests of the accounts being audited by the other
auditors
• all of the above

24.60 When evaluating a non-GTI member firm, domestic or foreign, an attempt must
also be made to make inquiries of such parties as the appropriate foreign professional
organization, regulatory body, the GTI member firm in the foreign jurisdiction and the
component auditor’s domestic affiliate.

24.61 [Tailor this paragraph to reflect your process] Currently there are very few
situations in which non-GTI member firms are involved in US audits, but to avoid
duplicative efforts, consider contacting the PIC SEC to discuss the best approach for
obtaining information about a non-GTI member firm’s professional reputation and
standing.

Evaluating Competency

24.62 The group auditor should evaluate the component auditor’s competency with
respect to the group auditor’s accounting and auditing standards and the complexity of
the audit subject matter.

24.63 In many cases, the standards applicable to the group auditor may be the same
as the standards applicable to the component auditor. For example, most jurisdictions
use or base their auditing standards on the ISAs. Most auditors are able to represent
that they understand and will apply the ISAs.

24.64 Complexity in subject matter can range from relatively simple to complex. An
example of subject matter that may be simple is auditing the reasonably possible risks
in inventory of an entity that does not manufacture products. An example of subject
matter that may be complex is auditing fair values of a large and diverse investment
portfolio. In all cases, the group auditor determines whether component auditors are
capable of discharging their responsibilities. For complex subject matter, this
determination involves considering additional factors with respect to the component
auditor's expertise and their ability to access sufficient appropriate audit evidence.

24.65 Where accounting or auditing standards differ or the subject matter is complex,
the group auditor’s direct involvement in the audit or in the audit area depends on the
component auditor’s (including other GTI member firms) recent knowledge and
experience. The resumes of each partner and manager from the component audit team
are a source of evidence of recent knowledge and experience. For example, when the
entity is an SEC registrant, resumes highlighting prior SEC issuer experience,
SEC-related training attended during the last 24 months, and how many years they have
participated in the subsidiary audit would help the group auditor determine the degree of
his or her involvement in the subsidiary audit.

Concluding on Reputation and Competency

24.66 When the group audit team concludes that the work of the component auditor
cannot be used, the group audit team needs to perform sufficient procedures through
other means. For example, if feasible, the group audit team can attempt to obtain the
necessary evidence by directly performing the component audit procedures. If the group
audit team obtains sufficient appropriate audit evidence, the report will not require
modification. If the group audit team is unable to obtain the evidence, they should
express a qualified opinion or a disclaimer of opinion.

Communicating Using the Component Auditor Assignment Memorandum

24.67 [Tailor this paragraph to reflect the location of your CAAM] Planning and
communicating are the keys to effectively and efficiently executing group audits. An
Excel tool, the CAAM, assists audit teams in this process. The CAAM facilitates sharing
of pertinent information among the group and component audit teams. The CAAM is
located in GEL under Practice Aids > Group Audits > Practice Aids 2010.

24.68 The CAAM provides a consistent format for the group auditor to communicate
requirements to component auditors. Additionally, the CAAM includes sections for the
component auditor to complete and return to the group auditor. These communications
are essential in promoting quality and consistency of the work performed as well as
complying with professional standards.

24.69 The group audit team should complete the CAAM for all group audits that involve
component auditors. The CAAM is the primary document for communicating information
and expectations for the group audit; therefore, the group auditor should provide
adequate guidance and clear instructions to the component auditors so they understand
the group auditor’s expectations and requirements.

24.70 The group auditor completes the general information in the CAAM for the entire
group audit team. Additionally, the group auditor tailors a tab for each of the component
auditors performing comprehensive or targeted responses. The group auditor then
tailors the instructions on the individual worksheets for the specific component auditor
who will perform the work.

24.71 The component auditor uses the CAAM as instructions for the engagement. In
addition, the component auditor completes portions of the CAAM with additional
component information (e.g., related parties, intercompany balances) and the results of
the procedures performed (e.g., misstatements identified, Summary of Significant
Matters). The component auditor documents any changes in the planned audit
procedures so that the group auditor is able to evaluate the procedures performed and
determine whether further procedures are necessary.

24.72 During planning, the component audit team’s partner or manager should review
the CAAM with the group audit team via conference call, video conference, Microsoft
Live Meeting, etc. The group auditor should avoid just sending the CAAM and assuming
the component auditor understands the engagement. The group and component
auditors should speak directly whenever possible.

24.73 Group audits create administrative and coordination challenges in planning,
executing, and concluding an engagement. Group audits that involve other countries
can also introduce challenges with respect to regulations, culture, and language.
Experience demonstrates that the communication process is key to managing these
challenges. Effectiveness and efficiency enhancements occur when the group audit
team plans and devotes sufficient time to administration and coordination activities.

24.74 Email presently is the primary communication tool used in the group audit
communication process. However, email is not the sole communication tool available
and experience demonstrates that overreliance on email may create problems.

24.75 Examples of other communication techniques available to enhance collaboration
include:
• conducting periodic group conference calls. For example, a conference call
during the planning process will help identify risks to address at the group level
and enhance the understanding of responses to risks. Calls during the execution
phase of the audit will help in the early identification and resolution of issues and
otherwise help manage execution and completion activities.
• using application sharing/eMeeting technology to work together on a document
or to review completed documents. Microsoft Office Communicator and Microsoft
Office Live Meeting are effective applications that are available to audit teams.
These applications allow a shared document, such as a Voyager file or an Excel
document, to appear on multiple computer screens.

Selecting a Voyager File Option

Use of Voyager

24.76 All GTI member firms have implemented Voyager and this common platform
significantly enhances the ability for group and component audit teams to work together.
However, some member firms need time to translate a release or may have resource
issues that cause a delay in implementing a new version. The result is a short period
after the release of a new version of Voyager when all member firms are not using the
same version. Group audit teams will face challenges during this transition period when
working with member firms that have not yet implemented the current release of
Voyager. The paragraphs that follow provide guidance to audit teams in these
situations.

24.77 It is very important that group auditors contact component auditors to discuss
their Voyager implementation plans. In order to share Voyager files, both the group and
component auditors need to use the same version of Voyager.

24.78 If the component auditor is using an earlier version of Voyager, the group auditor
should determine whether the component firm plans to implement the latest version
shortly. If so, an effective strategy is to delay the component audit work until the
component firm issues the release. If the component audit firm does not have current
implementation plans, the group auditor should provide the component auditor with a
tailored Voyager audit program (printed or pdf).

24.79 If the component auditor is not using Voyager at all, the group auditor should
challenge the component audit firm’s decision not to use Voyager. In addition, both
firms should discuss this matter with GTI audit leadership.

General Considerations

24.80 If the component auditor wants to propose changes to the scope or planned
procedures, they should obtain approval from the group auditor in advance. This
includes proposed departures from sampling methodology, changes to materiality or
modifications of audit procedures, including procedures deemed not applicable. The
group audit program should be reviewed to identify areas where the same audit tests
may be used for both the group audit and the component audit report.

24.81 Separate files should be used to document the work performed for the
component audit and the work performed for the group audit to comply with
documentation standards and record retention policies for each country. This topic is
discussed in detail below.

24.82 Each group audit is unique; therefore, the CAAM includes numerous options for
creating Voyager files.

24.83 Exhibit 24.2 contains the Managing Voyager Files Flowchart, which visually
depicts the options discussed below.

Comprehensive Response – Group Auditor Creates Voyager file (CAAM Option 1)

24.84 The group auditor should ordinarily create the Voyager file when the component
auditor will not perform a separate statutory audit engagement. The group auditor is
responsible for completing, archiving, and retaining the file according to the group
auditor’s firm policies, professional standards, and regulations. The component auditor
should not retain a copy of the Voyager file and has no responsibility for archiving or
retaining the file. Adhering to this process is important because multiple copies of the
Voyager file are not acceptable. The file belongs to the firm who created the file and that
file should be the only version retained.

Comprehensive Response – Component Auditor Creates Voyager file and Performs Statutory Audit (CAAM Option 2)

24.85 In this situation, the component auditor should create the Voyager file for
purposes of performing the group audit. Otherwise, if the group auditor creates the
Voyager file, the component auditor will not be able to apply the processes described
below and will have to create a separate file using the component audit firm’s masterfile
to be able to complete and archive the statutory audit Voyager file.

24.86 The Voyager file created by the component auditor to perform the group audit is
tailored with the participation of the group auditor and the instructions provided in the
CAAM. The component auditor completes the engagement using this file. The group
auditor should review the completed work, determine that the work is sufficient for
purposes of the group audit, and obtain copies of the audit documentation needed for
the group audit documentation. After the group auditor completes this process, the
component auditor archives the file within the period communicated by the group
auditor. This step is critical in order to comply with professional standards. The group
auditor is responsible for communicating the group audit report date to the component
auditor to enable them to archive the file in a timely manner. The component auditor
should understand the retention needs of the group auditor and protect the Voyager file
and other audit documentation until notified by the group auditor that it is no longer
needed.

24.87 Prior to archiving the group Voyager file, the component auditor should use
Voyager's Copy feature to duplicate the file. The duplicate file should be renamed to
something such as “ABC Statutory.” The component auditor should tailor and complete
this new file for the statutory audit. The component auditor is responsible for completing,
archiving, and retaining the file according to the component auditor’s firm policies,
professional standards, and regulations.

24.88 In summary, the component auditor retains two Voyager files: (1) one supporting
the work performed for purposes of the group audit and (2) one supporting the work
performed for purposes of the statutory audit.

24.89 Prior to performing the next year’s audit, the component auditor should
rollforward the group audit Voyager file and tailor it in accordance with the new CAAM
provided by the group auditor. The process for completing that file would be the same
as described above. For the statutory audit engagement, the component audit team has
two options: (1) rollforward the prior year component Voyager file or (2) make a new
copy of the current period group Voyager file. Ordinarily it is more efficient to rollforward
the component Voyager file to retain the prior year tailoring. However, when significant
changes occurred between the two years, it may be more efficient to begin with a new
statutory Voyager file by creating a new copy of the group Voyager file. This action will
preserve changes to controls or other tailoring in the group audit file.

Comprehensive Response – Component Auditor Creates Voyager file to Comply with Domestic Requirements (CAAM Option 3)

24.90 When the need to perform a statutory audit is absent, component auditors should
only create the Voyager file when there are domestic requirements that are best
addressed by creating the Voyager file from the component auditor's masterfile. As a
result, we expect group audit teams will rarely use this option. Again, in this situation the
component auditor creates a Voyager file for purposes of performing the group audit.
The file is tailored with the participation of the group auditor and the instructions
provided in the CAAM. The component auditor completes the engagement using this
file. The group auditor reviews the work, determines whether the work is sufficient for
purposes of the group audit, and obtains copies of the work needed for the group audit
documentation. The component auditor then completes the file and archives it within the
period communicated by the group auditor. Again, this is an important step and it is the
group auditor’s responsibility to communicate the report date of the group audit report to
the component audit team to enable them to archive the file in a timely manner. The
component auditor should understand the retention needs of the group auditor and
protect the Voyager file and other audit documentation until notified by the group auditor
that it is no longer needed.

Targeted Response – Group Auditor Creates Voyager File

24.91 When the component auditor is a GTI member firm or office of the same firm, the
group auditor creates a separate Voyager file or checks out sections of the group (the
parent) Voyager file. The component auditor completes the requested procedures and
returns the file to the group auditor. In a targeted response, the component auditor
should not retain the actual Voyager file or a copy of it. The group audit team is
responsible for completing, archiving, and retaining the file according to applicable
professional standards and regulations.

24.92 If the component auditor performing a targeted response is also engaged to
perform a statutory audit, the component auditor should create a separate Voyager file
using the component firm’s Voyager masterfile. The work is not part of the group audit.
Accordingly, the component audit team is responsible for completing, archiving, and
retaining the file according to the component auditor’s firm policies, professional
standards, and regulations. When the work performed by the component auditor for the
group can be used in the statutory audit, it is acceptable for the component audit team
to retain copies of this work to include in their Voyager file.

Unaffiliated Component Auditors

24.93 When the component auditor is not a member firm, the group audit team cannot
send the component auditor a Voyager file. While it is not possible for the component
auditor to use Voyager, it is possible for the group audit team to use Voyager to design
the required audit procedures. These procedures could then be provided to the
component auditor in Word, Excel, PDF, or printed copy format. Additionally, a clear
and concise CAAM with instructions, information, and expectations is essential when
the other auditor is not a member firm.

Other Circumstances

24.94 Group audit teams will occasionally encounter circumstances that require unique
and creative solutions not included in the previous discussion. Member firms can
address these circumstances by communicating with each other and seeking solutions
that resolve the needs of all the firms participating in the group audit.

24.95 [Tailor to reflect your process] There are countries that may not be able to provide
certain documents to audit teams, due to their privacy and confidentiality laws. If
another GTI member firm or other firm indicates that they may not be able to provide
necessary documents, contact the NMP – International.

Reviewing Component Auditor Completed Procedures

24.96 The group auditor has the right to review the programs, the fieldwork, and the
workpapers relating to assignments it has referred. On request, the component auditor
should freely share information and provide workpapers and files, as permitted, and
provide drafts of reports for review prior to their release. The cost of such a review will
be the responsibility of the group auditor, unless otherwise established by agreement
between the firms involved.

24.97 When an entity is determined to be significant, the workpapers prepared by the
component auditor should be reviewed by the group auditor. If the component auditor is
able to send the audit workpapers to the group auditor, the review process can be
performed at the premises of the group auditor. If the component auditor is unable to
send the electronic audit workpapers to the group auditor, the workpapers will need to
be reviewed at the premises of the component auditor. The workpaper review may be
performed by a secondee.

24.98 When the group auditor is unable to obtain sufficient appropriate audit evidence,
the group auditor will need to modify the audit opinion. This outcome is true regardless
of whether the restriction is imposed by management or the component jurisdiction.

24.99 Communicating Report Release Dates

24.100 To comply with the documentation standards and record retention policies,
group audit teams are responsible for communicating the date of the audit report to all
component auditors assisting with the group audit. This communication is essential for
component auditors to complete the assembly of their audit documentation, record
changes to their workpapers after the documentation assembly period (a rare
occurrence) and “lock down” their engagement files within the documentation assembly
period. International audit standards require archiving of audit workpapers within 60
days of the date of the audit report. However, some jurisdictions, such as the U.S., have
a 45-day documentation completion requirement. The communication should occur for
all group audits, public and non-public.

24.101 The following is acceptable language for communicating with component
auditors:
Grant Thornton LLP dated the auditor’s report for XYZ Company and subsidiaries on
March 15, 200X. In accordance with professional standards, all documentation must be
complete and the audit files “locked down” within 45 days. Changes made to the audit
workpapers after this 45-day documentation assembly period, including those prepared
by your firm as part of this audit, should be documented. The individual making the
change and the reason for the change should also be documented.

Appointing Component Auditors

Interoffice Engagements and Referrals

24.102 As stated previously, component auditors may include a team from a
different office within the same firm. These situations are also referred to as an
interoffice engagement, one undertaken by one office on behalf of, or referred by,
another office. The work required may take the form of targeted or comprehensive
procedures on a subsidiary, a local office, branch, division, factory, or site visits for the
purpose of observing inventory, divisional or branch verification procedures, tests of
controls or other audit procedures.

Initiating the Assignment


24.103 A request for assistance from another office is usually made by the lead
partner in writing and to the receiving office lead partner responsible for the assigned
work who acknowledges the request. When referred work consists of assistance similar
to that provided in previous years, the request is frequently oral, but should be
documented by both offices.

24.104 The request for assistance should communicate information about the
engagement. This communication may include items such as:
• nature of the engagement and information concerning its significance
• planning considerations
• guidance on the nature, timing, and extent of testing required, including desired
supplementary or special procedures
• names of known related parties, information about the parties, and special
instructions, if any, pertaining to the auditing of transactions with such parties
• required reports
• consolidation requirements
• completion dates
• other offices involved in the engagement
• budget and fee information

24.105 The group audit team usually completes a worksheet in the CAAM for
each component auditor, including component auditors located in another office.

24.106 The component auditor at the receiving office is ordinarily responsible for:
• acknowledging receipt of instructions
• agreeing on the proposed timetable, instructions, and budget
• notifying the group audit team of deviations from the originally agreed plan,
including:
- timing problems
- state of clients’ records and their ability to adhere to timetables
- any unexpected assurance service problems

24.107 To expedite the resolution of these matters, notification should be made
as soon as possible.

24.108 To ensure the component understands its responsibilities, the component
auditor communicates (or confirms) the requirements of the engagement directly with
the component.

Planning Considerations

24.109 Engagements involving other offices of the firm require additional
planning. The group audit team should:
• determine the engagement objectives to be met by the component audit team
• understand any specific reporting requirements (including administrative matters
such as by whom the reports are to be produced, number of copies, and to whom
they should be addressed)
• define the scope of the engagement and limitations of scope, if any
• establish time schedules to meet overall deadlines
• prepare budget guidelines for the component auditor engagement plan and
budget prior to commencement of the engagement
• identify the level of staff to be assigned by the component auditor office
• agree on the responsibility for review and other services

24.110 The group auditor should communicate these items as soon as
practicable.

Assignment of Personnel

24.111 The group audit lead partner is responsible for identifying the level of staff
to be assigned by the receiving office. Changes to level of staff should be agreed with
the group audit team in advance. Assignment of less experienced personnel could lead
to a deficient audit or to a disagreement or misunderstanding with the client. For
example, improper staffing of even a simple branch inventory observation or receivable
circularization could provide an impression to the entity’s parent office that we lack
interest in serving them.

24.112 A partner should be assigned responsibility for overseeing the satisfactory
completion of the component audit procedures, unless otherwise specified by the group
audit team.

Interoffice Charges and Billing Adjustments

24.113 Both the group and component audit teams should have a clear
understanding of interoffice charges including:
• the client and assignment numbers where the costs are to be charged, including
appropriate assigned timekeepers
• billing arrangements (which office “owns” the assignment in CMS, who is to
discuss billing arrangements with the client, who will do the billing, who to bill,
etc.)
• constraints on billing set by the originating office
• responsibility for budget deviations and any unrecovered costs

24.114 If the group auditor is unable to provide budget data, the receiving office
should provide the group auditor with estimates needed to complete the assigned tasks.
Significant deviations from the estimated budget are to be communicated to the group
auditor on a timely basis.

24.115 Generally, the receiving office’s charges for work are a component of the
assignment ledger and, unless agreed upon in advance by the OMPs of the offices
involved, will bear billing adjustments at the same rate as the group auditor’s charges
for work. Exceptions to these general rules are covered below.

24.116 Some assignments involve a substantial amount of work by several
offices. Ordinarily, the office responsible for the administration of an engagement
assumes all responsibility for billing adjustments unless other arrangements are agreed
to in advance by the OMPs of the offices involved.

24.117 [Tailor to reflect your process] Generally, interoffice charges are based on
the rate sets for each assignment and planned write-off percentages based on
estimated fee arrangements with clients. However, if the use by one office of staff
personnel of another office extends over a period of time, the respective OMP may
agree to a particular write-off percentage based upon a division of profit attributable to
the use of the loaned staff member on the particular assignment, the supervision of the
staff member’s activities, and division of expenses.

24.118 [Tailor to reflect your process] If the OMPs cannot resolve differences
arising from interoffice transfer pricing charges, billing adjustments, or servicing of
clients, the matter is referred to the appropriate RMPs for settlement.

International Referrals

Overview

24.119 The ultimate responsibility for the control of all work that is assigned by
one GTI member or correspondent firm to another always rests with the group audit
lead partner who is responsible for referring the work. The parameters of the work to be
performed and a budget of the fees to be charged should be agreed between the group
audit lead partner and the component audit partner responsible for the performance of
the referred assignment. In order to avoid any possible misunderstanding at a later
date, full consultation, both as to the scope of the work and to the policy on fees, must
take place prior to the commencement of the work in all circumstances. Good
communications and proper controls at all times are essential to avoid disagreements.

24.120 All work referred to a receiving firm is to be performed, at a minimum, in
accordance with the generally accepted professional standards of the referring firm. In
every case, each firm has the right to indicate to the other the specific professional
procedures which should be employed in accordance with the nature of the work and of
any agreement with the client. Certain countries have their own legal requirements as to
general work to be performed, and receiving offices should not be required to perform
work below the minimum standards or requirements of their own country. It is essential
that the referring firm be informed of these requirements, which may differ from practice
in the referring country, before the assignment is commenced.

24.121 It is the responsibility of the audit team to prepare a CAAM including the
information necessary for the receiving office to perform their work effectively and
efficiently. Because of differences in language and customs, communications should be
clearly written, with as much detail as necessary in the circumstances.

24.122 Because of the problems frequently encountered with international
communications, it is essential that whenever group or component auditors send
important documentation, such as instructions, reports, and so on, they determine,
through communications with the receiving firm, that the information was received and
understood. The receiving firm should provide the acknowledgment as soon as
possible.

Engagement Letter Protocols

24.123 [Tailor to reflect your process] GTI member firms agreed on an
International Engagement Protocol to assist the respective firms when working together
on assurance assignments. Tools, including Services Agreements, to properly apply the
Protocol and instructions for their use are available on KSource under Internal Client
Services > Legal Services > International Assignments > International Engagement
Protocol.

Fee Issues

24.124 There are a number of fee issues that may arise in international situations
that should be anticipated and dealt with at an early stage, including:
• which firm will bear the exchange rate risk (e.g., work to be performed in the UK
may be quoted in US dollars for the convenience of the client)
• if realization rates differ significantly among the various GTI firms rendering
services, some form of equalization may be appropriate. This outcome will
depend on a number of factors, including the competitive environment and rate
structure in each country
• payment terms, normally expected to be driven by local custom, can be modified
when appropriate (e.g., if all billings are administered through the referring office)

Representation Letter Protocols

24.125 The component auditor is responsible for following the code of ethics
required to achieve the objectives of the group audit. Most countries base their code of
ethics on, or follow, the Code of Ethics for Professional Accountants issued by the
International Ethics Standards Board of Accountants.

24.126 The group auditor should communicate the ethical requirements of the
group audit based on the Code and advise the component auditor on additional
applicable ethical requirements, if any, which are necessary to the group audit
(including additional independence requirements).

24.127 Similarly, the component auditor is responsible for following the auditing
standards required to achieve the objectives of the group audit. Most countries base
their auditing standards on, or follow, the ISAs issued by the IAASB.

24.128 [Tailor to reflect the location of your letters] The component auditor
representation letter provides the group auditor with documentation of the component
auditor’s knowledge of, and compliance with, relevant ethics, independence and
auditing standards. All GTI member firms should use the GTI representation letter for
both representation requests and responses to such requests. These letters are located
in GEL under Letters, Forms and Templates > Other Auditors > GTI Member Firms.

24.129 Where domestic auditing or ethical standards differ from international
standards, the letter requires the group auditor to specify the differences. For example,
domestic independence standards may prohibit auditors from performing certain
services such as bookkeeping or valuation services. In this situation, the group auditor
would describe the prohibited services in the letter and obtain representation that the
component auditor did not provide such services.

24.130 Increased effectiveness and efficiency in communications will be achieved
when component auditors provide the group auditor with a completed letter during the
planning phase of the audit. There is no need to also provide representations at the end
of the audit unless changes occurred during the course of the audit that require
amendments to the letter.

24.131 [Include if your firm audits SEC registrants] Independence representations
are also required to comply with initial and annual communication requirements in
PCAOB Rule 3526, Communication with Audit Committees Concerning Independence,
as discussed in Chapter 23 of the AASM and Chapter 7 of the Independence and Ethics
Manual.

24.132 [Include if your firm audits SEC registrants and tailor to reflect the location
of your letters] To assist in maintaining our independence, an independence letter must
also be obtained from GTI member firms in countries where SEC audit clients have
subsidiaries or operating units, even if a GTI member firm does not audit the subsidiary
or operating unit in that country. This letter is required as GTI member firms may not be
aware that we are the auditors of a US public company unless they perform audit
services for the subsidiary or investee in their country. Refer to GEL Letters, Forms and
Templates > Other Auditors > Independence Representation Requests and Responses
- GTI Member Firm Not Involved in US Audit (SEC) > GTI Member Firm SEC
Independence Request and Illustrative Response.

24.133 [Include if your firm audits SEC registrants] When a registration statement
and comfort letter for underwriters is involved, the group audit team should request a
representation from all other accountants whose reports appear in the registration
statement indicating that they are independent.

24.134 [Tailor to reflect the location of your letters] Refer to GEL, Letters, Forms
and Templates > Other Auditors for additional illustrative letters to GTI member firms
and all other auditors.

Reporting on Group Audits and International Engagements

General Considerations

24.135 The inability to obtain sufficient appropriate audit evidence may arise from
restrictions imposed during the audit by component management or component audit
teams (e.g., inability to be sufficiently involved in the component auditor’s risk
assessment process or the inability to review the component audit team’s workpapers).
The lead partner of the group should:
• determine whether sufficient appropriate audit evidence to accept responsibility
for the audit opinion of the group was obtained
• evaluate whether the group audit team was involved in the work of component
auditors to the extent necessary

24.136 The opinion should be modified when the group auditor is not able to
obtain sufficient appropriate audit evidence or otherwise was not able to meet the
requirements of the professional standards. An example worth emphasizing is when an
equity-method investment is a significant component and restrictions are such that the
group audit team is not able to comply with the requirements of ISA 600.

24.137 Firms may be asked by management to report on audited financial
statements in a registration statement or similar filing with a regulatory organization
such as the SEC, or other bodies performing similar functions in the US or other
countries. The firm in the country where the regulatory filing is to be made (the “home
firm”) typically has knowledge about the specialized rules and regulations to which the
filings may be subject. If the filing is to be made with the SEC, GTI adopted certain
specific policies and procedures to comply with SEC rules. These policies and rules are
discussed below (see Gatekeeping Procedures) and must be followed, even when the
work has not been referred by GTUS.

Modified Reports

24.138 If the other auditor issues, or intends to issue, a modified auditor’s report,
the group auditor should consider the subject of the modification and the impact on the
financial statements of the entity on which the group auditor is reporting, including
whether a modification of the group auditor’s report is required.

Another Firm Serves as Group Auditor and Expresses Reliance on Us

24.139 There may be situations where we audit a component part of an entity and
another firm that serves as group auditor wishes to express reliance on us. We
ordinarily would not object to this. However, the use of our name should be given only
with our express permission and only when our report is presented together with that of
the group auditor. In some instances, we may also obtain a representation letter from
the group auditor stating whether anything came to their attention that would indicate
that there have been any events, transactions or other changes that would have a
material effect upon the component’s financial statements we audited.

24.140 [Include this paragraph if your firm audits SEC registrants] When our report
is included in a registrant’s filing because the group auditor referred to our report, the
financial statements and schedules covered by our report are generally not included in
the filing. In such circumstances, we should modify our report to indicate that the
statements and schedules are not separately presented (see Chapter 21). In addition,
we are required to make the necessary communications to the audit committee before
the filing of our report with the SEC.

References to Accounting and Auditing Standards

24.141 Financial statements may be distributed and used outside the country of
origin for cross-border capital raising purposes or the statements may be accessible
from many locations throughout the world via the Internet. GTI strongly recommends
that financial statements be prepared using the accounting principles of the country of
origin and that appropriate disclosure of such principles be made in the financial
statements. This position is consistent with that recommended by professional
standards. In the absence of any suitable local standards, it is recommended that
financial statements be produced in accordance with IFRS.

24.142 Auditor’s reports should refer to the accounting principles used in
preparing the financial statements and the auditing standards used during the audit.
Disclosing the applicable standards helps users better understand which country’s
accounting principles and auditing standards were used. ISAs include certain minimum
reporting requirements, and local auditing standards may also include specific reporting
requirements, when applying GAAP or GAAS of another country (discussed below).

Applying GAAP or GAAS of Another Country

24.143 An audit team may be applying the accounting or auditing standards of
another country in the following situations:
• the firm is reporting that the client’s financial statements are in compliance with
another country’s GAAP
• the firm is reporting that the financial statements have been audited in
accordance with another country’s GAAS
• the firm is issuing a specialized report covered by auditing standards of another
country (e.g., audits of service organization controls)
• the firm is reporting that the financial statements are in accordance with IFRS
(e.g., IFRS is not the GAAP of the firm’s country and the firm does not have IFRS
expertise)
Inaccuracies in these reports may damage both the reputation of the member firm in the
country where the report is being used (“the local firm”) and the GTI brand.

24.144 Managing this risk requires timely and effective communication and
consultation. Therefore, the audit team is required to consult with the Head of
Assurance of the member firm in the country whose GAAP or GAAS will be reported
under, prior to accepting an engagement. Such engagements include:
• issuing assurance reports on financial statements prepared in accordance with
the local firm’s GAAP
• issuing assurance reports under the local firm’s GAAS
• advising a client about regulatory requirements or other matters such as listing
requirements, raising capital, corporate structure or acquisitions in the country of
the local firm

24.145 The action taken as a result of the consultation will depend on a number of
factors, including the client characteristics, the activity being reported on and the
experience of the foreign firm with the relevant matters. It is expected that at a minimum
such consultation with the Head of Assurance in the applicable country will address:
• the involvement of the local firm (if any) in the planning and execution of the
engagement
• the method used to comply with the local firm country’s GAAS and GAAP (for
example, the Head of Assurance may require the member firm to use the local
firm’s Voyager masterfile)
• the quality control procedures over the GAAP, GAAS, and regulatory
requirements that will be performed

24.146 [Tailor this paragraph to reflect your procedures] When reporting on
financial statements prepared under IFRS, the audit team should contact the NPSG
IFRS specialists to arrange for the review of the financial statements prior to release.

24.147 There may be implications of the decisions arising from consultation
(including timing of the service delivery and cost), which will need to be communicated
to the client.

Gatekeeping Procedures
24.148 Entities frequently include their financial statements in filings. Entities may
also include their financial statements in offering documents for the private placement of
their securities in a foreign jurisdiction. Those offering documents often contain
provisions that require the mandatory registration of the securities shortly after the initial
offering. Entities that include their financial statements in filings in a foreign jurisdiction
are referred to in this section as "filing clients."

24.149 Inaccuracies in these filings may damage both the reputation of the
member firm with the filing client (“client-serving member firm”) and the GTI brand. The
gatekeeping policies and procedures described in this section respond to this risk. The
procedures address how the client-serving member firm and the member firm in the
foreign jurisdiction (“gatekeeping firm”) should interact. In addition to mitigating risk, the
gatekeeping review is helpful because of the gatekeeping firm’s knowledge of the
accounting, ethical and regulatory requirements in that jurisdiction.

Responsibilities of the client-serving member firm


24.150 The audit partner-in-charge of the engagement of the client-serving
member firm should provide timely notification to the national assurance partner-in-
charge of the gatekeeping firm, or such partner’s delegate, about the filing that their
client will be making. Timely notification enables the gatekeeping firm to secure
appropriate resources to assist the audit partner-in-charge of the engagement and to
perform the gatekeeping procedures.

24.151 The audit partner-in-charge of the engagement should also obtain and
execute the Cross-Border Filing Agreement in Appendix A of this manual from the
gatekeeping firm. This document should not be altered except to provide the information
that is required in the designated tailorable sections of the agreement.

Responsibilities of the gatekeeping firm

24.152 Upon notification of a pending filing, the gatekeeping firm should assign a
“filing reviewer(s)” who is knowledgeable about the rules, regulations and filing
requirements, as well as the accounting, auditing, and ethical standards generally
accepted in the jurisdiction where the filing or offering is to be made. The filing
reviewer(s) will perform the procedures specified in the Cross-Border Filing Agreement.
These procedures are performed to provide assistance to the audit partner-in-charge of
the engagement and the client-serving member firm.

24.153 Upon completion of the procedures, the filing reviewer should provide a
written statement to the audit partner-in-charge of the engagement that the procedures
were completed in accordance with policy. The audit partner-in-charge of the
engagement should retain this written statement in the audit files. The filing reviewer
should also retain a copy of the written statement for a period that is consistent with the
gatekeeping firm’s retention policies as evidence that the procedures were completed.
The gatekeeping firm should only retain documentation assembled during the
performance of the procedures that is required by standards or regulations of their
jurisdiction. Documents retained by the gatekeeping firm would ordinarily not include
review notes or notes regarding inquiries made of the audit team or others.

Limitation of procedures

24.154 The procedures performed by the filing reviewer do not relieve the audit
partner-in-charge of the engagement of any of the responsibilities for the performance
of the audit of, and the report rendered by, the client-serving member firm on the
financial statements included in the documents to be filed and/or issued in the domicile
country of the gatekeeping firm. Also, the filing reviewer does not assume any of the
responsibilities of the audit partner-in-charge of the engagement or of the engagement
quality control reviewer.

24.155 Because of the limited nature of the procedures described above, it is
recognized that the filing reviewer cannot and does not assume any responsibility for
detecting a departure from, or noncompliance with, accounting, auditing, regulatory
disclosure and ethical standards generally accepted in the domicile country of the
gatekeeping firm.

Disagreements

24.156 If the filing reviewer and the audit partner-in-charge of the engagement
have conflicting views as to the resolution of matters that came to the attention of the
filing reviewer when performing the procedures for filings described above, that
disagreement should be resolved in accordance with the policies and procedures
established by the gatekeeping firm.

Additional services warranted

24.157 There may be circumstances where the client-serving member firm and/or
gatekeeping firm believes that additional services (beyond the gatekeeping services)
are warranted in the circumstances. The need for and scope of such additional services
shall be discussed among the firms involved and appropriate engagement terms
agreed. These additional services, if any, are beyond the scope of gatekeeping services
and shall not be considered as such. If such services fall under the Cross Border
Assignments Policy, then a services agreement will be entered into as set out in that
policy. Any disagreements regarding the additional services should be discussed with
the assurance leaders in both firms and, if necessary, with the Global leader –
assurance services.

Other Topics
24.158 The following provides guidance with regard to:
• private company attest or advisory services gatekeeping assignments
• advising clients about international matters
• GTUS policies for audits of SEC registrants by other GTI member firms
• foreign entities acquired by a US registrant
• joint audit engagements
• using personnel of other accounting firms performing procedures under our
direction

Private Company Attest or Advisory Services Gatekeeping Assignments


24.159 Private company attest or advisory services (PCAS) gatekeeping
assignments involve GTUS’s performance of limited procedures related to a non-SEC
filing company (private company) attest or advisory service performed by another GTI
member firm. These assignments are limited in scope. Because the procedures are
limited procedures, it is strictly prohibited for other GTI member firms to promote
GTUS’s involvement to sell their services.

24.160 A request from a GTI member firm will be considered a PCAS
gatekeeping assignment when the following factors apply:
• The intent is to provide services to another GTI member firm rather than directly
to the client.
• GTUS is providing a limited review of the document specifically for the benefit of
another GTI member firm.

24.161 PCAS gatekeeping assignments are performed by the US firm, when
approved by the PIC SEC. Under appropriate circumstances, PCAS gatekeeping
assignments involve limited procedures performed on:
• audits of controls at a service organization
• valuation reports
• audits of non-public entities reporting under US GAAP

24.162 Gatekeeping assignments can also be performed for other engagements,
if approved by the PIC SEC and the NMP NPSG, or his/her designee.

24.163 The limited procedures performed should be specified within the PCAS
Gatekeeping Agreement available in GEL under Letters, Forms and Templates > Other
Auditors > GTI Member Firms.

24.164 The GTUS professional should discuss and resolve all relevant issues
relating to the assignment with the requesting firm’s engagement partner. Unresolved
issues should be discussed with the PIC SEC. This consultation and the performance of
appropriate follow-up actions should be completed before finalizing the deliverable,
which is a standardized memorandum as discussed below.

24.165 The procedures performed by GTUS do not relieve the GTI member firm’s
partner of any responsibilities for the performance of the engagement, including
detecting a departure from, or noncompliance with, applicable professional standards in
the report rendered by the GTI member firm. GTUS does not assume any of the
responsibilities of the GTI member firm.

24.166 The deliverable for a PCAS gatekeeping assignment consists of a
memorandum to the engagement partner of the other GTI member firm. A sample
memorandum can be obtained from the PIC SEC for teams to use. The memorandum is
an acknowledgement that the limited procedures have been performed. Any significant,
unresolved issues should also be included in this memorandum. The GTI member firm
is responsible for determining the resolution of any matter raised by GTUS.

24.167 The memorandum is not to be shared with the member firm’s client, nor
may it be disclosed to any individual or firm other than the referring GTI member firm
without the prior written consent of the US firm’s PIC SEC or his/her designee.

24.168 In all instances, even if GTUS is subsequently asked not to issue a
memorandum to the requesting firm, a memorandum documenting the limited
procedures that were performed should be sent to the PIC SEC, and, when consulted,
the NPPD.

24.169 Under no circumstances may GTUS use the PCAS Gatekeeping
Agreement when working with a GTI correspondent firm or another accounting firm. For
engagements involving GTI correspondent firms or other accounting firms outside the
GTI network, contact RRLA for the appropriate agreement.

Advising Clients about International Matters such as Listing Requirements,
Capital Formation and Acquisitions in Other Countries

24.170 A firm (the referring firm) may be asked by a client to advise or otherwise
assist management with matters such as listing requirements, capital formation or
acquisitions in another country. GTI’s Advisory Services Support & Implementation
Group (SIG) can provide information on these matters, including the member firms that
are authorized to provide such services. In addition, the local member of GTI has
knowledge about matters such as taxation and regulatory requirements that need to be
understood by the client, and may have other knowledge that would be useful (such as
information about a target company in an acquisition).

24.171 In these situations, the referring firm must notify the local GTI member and
discuss the type of advice that should be given to the client. In so doing, potentially
embarrassing situations (that might affect one or both firms), as well as litigation and
possible damage to reputation that could result from inaccurate or incomplete advice
can be avoided. Unless arrangements are made to do so, the local firm does not
assume any responsibility for the assignment beyond those discussed in this Chapter.

24.172 If the local firm believes that an important condition exists that, in their
view, is not being adequately considered by the referring firm, the matter should be
referred to the Chief Executive Officer of each firm for joint disposition.

GTUS Policies for Audits of SEC Registrants by Other GTI Member Firms

24.173 This section applies to audits conducted by other GTI member firms of US
“foreign private issuers” and audits of US domestic companies that are not audited by
GTUS and which have securities registered in US public markets. This section does not
apply to audits of foreign subsidiaries or operations of public company clients of GTUS.

24.174 SOX Section 102 prohibits public accounting firms that are not registered
with the PCAOB from preparing or issuing, or participating in the preparation or
issuance of, audit reports on US public companies (i.e. “issuers” as defined by SOX).
The PCAOB’s rules require registration of all public accounting firms (domestic and non-
US) that issue or prepare audit reports on US public companies, or that play a
“substantial role” in the preparation of such audit reports issued by another accounting
firm. SOX Section 106(a) provides that non-US public accounting firms are subject to
the PCAOB’s rules to the same extent as a U.S. public accounting firm.

Foreign Entities Acquired by a US Registrant

24.175 When a significant foreign entity is acquired by a US registrant, audited
financial statements of the foreign business are generally required to be filed by the
registrant in a document filed with the SEC, usually in a Form 8-K filing. The audit must
be performed in accordance with PCAOB auditing standards or US GAAS as
appropriate, and the financial statements may need to be prepared in accordance with,
or reconciled to, US GAAP.

24.176 In some situations, it may be possible for a GTI member firm to perform
the necessary audit and to sign the audit report in its own name. However, many GTI
member firms do not have insurance coverage in the US and they may be unwilling to
be associated with an SEC-filed document. For example, many of the European firms
may not have US coverage, and those that do may have limited amounts. Because of
this, the GTI member firm may not be willing to take responsibility for the foreign audit,
but may agree to provide support. This means that unless another firm is engaged to
perform the audit of the foreign company, which is obviously undesirable, we need to
perform sufficient procedures to enable us to sign the audit report in our name (i.e.,
“Grant Thornton LLP”). This section discusses procedures that can help smooth the
process.

24.177 As soon as it is known that a foreign company’s financial statements will
be required to be included in a US registrant’s SEC-filed document, the engagement
partner should contact the GTI member firm to determine to what extent they would be
willing to become involved in the engagement. This should usually be coordinated with
the US partner or manager who is on temporary assignment (secondment) in the
specified region or with an IBC director or practice leader.

24.178 The assistance of one of these partners or managers should be sought,
since there is a wide variety of capabilities of GTI member firms, and a wide variety of
audit procedures that are required depending on the country. These partners and
managers are a useful resource for determining the extent of the work that will be
required to complete the audit, as well as who might be available to perform the
necessary procedures. For example, the GTI member firm may not be familiar with US
GAAP, US GAAS or PCAOB auditing and related professional practice standards and,
consequently, may be unable to assist in reconciling from foreign to US GAAP, if
needed.

24.179 It will usually be necessary for engagement partners and managers of the
US registrant to be significantly involved in the audit of the foreign company. If the local
GTI member firm has agreed to provide assistance (but not to sign the report), our
involvement might be accomplished by having the engagement partner travel to the
foreign entity at least twice (for planning and completion), and having a US-based
engagement manager on site during the engagement, supervising the key audit areas.
In some instances, a US manager on secondment may be available; however, it will
usually be appropriate for a US-based manager to be involved.

24.180 As a reminder, all of our current quality assurance policies apply, including,
where applicable, new client acceptance. Because of the nature of these engagements,
they are required to have a quality control review, as well as a review by the NPPD,
International Standards Partner or their designee. Accordingly, the quality control
reviewer should be familiar with reconciliation issues. A US partner on secondment, as
well as the US-based International Standards Partner, may be available to assist with
the quality control review.

24.181 In situations where the GTI member firm has agreed to perform the audit
and sign its own name, in the interests of superior client service, we believe that the US
engagement partner should, at a minimum:
• contact a partner on secondment or an IBC director or practice leader to
determine the capabilities of the member firm and ensure their knowledge of US
GAAP, and as applicable, US GAAS or PCAOB auditing standards
• discuss the engagement with the reporting firm and review specific planning and
other issues as soon as possible, including decisions about selection of key audit
areas and the risk assessment procedures
• discuss significant matters noted during the audit with the reporting firm at the
engagement completion stage
• read the report and financial statements to be issued to be alert about matters
that may affect the US registrant and for obvious US reporting and disclosure
matters
• offer other assistance that may be necessary to assist the GTI member firm

Joint Audit Engagements

24.182 The firm occasionally participates in joint audit engagements with other
accounting firms. (For this purpose, a joint audit is defined as one where two or more
firms work together on an audit and produce an auditor’s report signed by each firm.)
Under no circumstances will GTUS participate in a joint audit of an SEC
registrant.

24.183 [Tailor the following paragraph to reflect your policies and procedures] In
most instances, the joint audit is with a much smaller firm, and we should be aware that
third parties may claim full reliance on us. Accordingly, the following procedures should
be followed for joint audit engagements:
• We should only entertain such engagements where the reputation and standing
of the other firm is known to us, or where we have made suitable inquiries about
such matters. (Inquiries as to the reputation and standing of the other firm need
not be performed if the other firm is a GTI member or correspondent firm.)
• A copy of the latest peer/quality review of the joint auditor should be obtained. (If
no such report is available, or the report is modified, the NPPD should be
consulted.)
• Consideration should be given to insurance coverage of the other firm in relation
to the joint audit engagement being proposed.
• We should make the customary new client inquiries about the reputation and
background of the proposed client and its officers.
• When the joint auditor is not another national firm, we should perform appropriate
planning, supervision, and review procedures with respect to the entire
engagement, including review of the audit programs and workpapers of the other
firm. (When another national firm is involved, these matters should be
coordinated.) We would ordinarily expect to participate in discussions with
management of components being examined by the other auditing firm.
• Preliminary arrangements concerning these matters, and as to billing,
maintenance of files, resolution of problems, etc., should be discussed prior to
accepting the engagement. Subsequently the understanding concerning these
matters should be in writing.
• We should have an engagement letter with the client. The letter may be written
jointly by both firms; if the more customary arrangement of obtaining separate
letters is followed, appropriate references to the joint audit and report should be
inserted.
• When significant portions of the engagement are performed by another firm, we
prefer that Voyager and our forms and letters be used. When this is not feasible,
we should ensure that the work performed and workpaper documentation are
sufficient to satisfy the requirements of the firm. This is important to the audit
programs that deal with unique aspects of the firm’s audit approach, in particular:
- planning
- related party procedures
- partner, manager, and quality control review procedures (under the
firm’s policies, a quality control review should be performed on joint
audit engagements)
- risk assessments
- understanding and documentation of internal control over financial
reporting and our understanding of the client’s business
• Where the other auditor is a foreign auditor, care should be taken to ensure that
the audit is performed according to US GAAS and that the financial statements
are in accordance with US GAAP. For example, the client representation letter
and the requests for representations from the client’s lawyers should specifically
conform to the requirements of US GAAS.
• Our files should contain a copy of all workpapers used to support the auditor’s
report, even if those workpapers were prepared by the other firm.
• The client representation letter should be addressed to both firms.
• Before accepting an initial joint audit engagement, new client acceptance
procedures are required (see Chapter 3). As part of that process, a
memorandum discussing the participation of the other auditing firm in the
engagement and the reasons for a joint audit should be prepared and attached to
the client acceptance file.
• We should obtain from the other firm representations as to independence,
maintenance of regulatory and professional continuing education requirements,
and, if applicable, knowledge of specialized industry practices and regulatory
agency requirements. We should consider the experience level of specific
personnel and an assessment of their professional capability.

24.184 An illustrative memorandum of understanding for a joint audit engagement
and an illustrative representation letter are presented later in this Chapter.

Using Personnel of Other Accounting Firms Performing Procedures under
Our Direction

24.185 Certain engagements may involve the use of personnel of other
accounting firms performing procedures under our direction. These situations are
different from joint audit engagements in that the other firm’s personnel are acting on
our behalf and under our supervision and only our firm will sign the report. In most
cases, personnel of other accounting firms will be used to prepare account analyses
and prepare financial statements and tax returns or perform audit procedures, such as
observing inventories at certain locations. However, in other instances, personnel of
other accounting firms might actually be performing audit procedures (other than
inventory observation).

24.186 [Tailor the last bullet point for applicable policies] We should only
entertain such engagements where all of the following are present:
• the reputation and standing of the other firm is known to us, or where we have
made suitable inquiries about such matters
• we gave careful consideration to the reasons for using the other firm’s personnel
• we perform sufficient procedures so as not to call into question our ability to issue
a report on the financial statements
• the economics make good business sense
• for any assistance in an audit of an SEC registrant, the PIC SEC has approved
use of the other firm (including GTI member firms) as using personnel of another
accounting firm is the same as engaging the firm itself

24.187 In addition to employing procedures similar to those followed when
considering the work of internal auditors, we should consider:
• the experience level of personnel and an assessment of their professional
capability (and independence)
• capacities in which personnel are being used (i.e., performing audit procedures in
conjunction with our staff or performing audit procedures independently)
• the degree of supervision and control necessary

24.188 [Tailor the following paragraph to reflect your policies and procedures] At
a minimum:
• a GT partner should be involved in, and approve, audit planning, including the
determination of reasonably possible risks, risk and intended control reliance
assessments, and the nature and extent of testing to be performed by the
personnel of the other firm
• Voyager and our forms are to be used
• GT should provide significant on-site supervision in the form of an engagement
manager and/or in-charge accountant
• when related party accounts and transactions are sensitive and/or material, we
should either:
- perform the necessary related party procedures ourselves
- perform the procedures with assistance by manager or partner-level
staff of the other firm
- when such accounts and transactions are less sensitive, we may
review the results of procedures performed by the other firm and
consider whether additional procedures are necessary
• our personnel must perform partner, manager and, if applicable, quality control
review procedures
• our personnel should perform:
- substantially all work for reasonably possible risks, except for work that
we would usually delegate to assistants. For example, personnel of the
other firm might perform testing necessary to support inventory
valuation and sample selections. In addition, our personnel should
ensure that they have obtained the necessary understanding of
internal controls and the client’s business. The NPPD should be
consulted regarding any exceptions to this policy. When such
exceptions are made, we should closely supervise and test the work of
personnel of the other firm.
- procedures supporting any special work unique to SEC engagements (for
example, updates for registration statements, comfort letter work, reading
foreparts of Form 10-K, etc.)
• our files should contain all original workpapers used to support the auditor’s
report, even if those workpapers were prepared by personnel of the other firm
• we should obtain, from the other firm and personnel used on the engagement,
representations as to independence, maintenance of regulatory and professional
continuing education requirements and, if applicable, knowledge of specialized
industry practices and regulatory agency requirements. (If the other firm’s
personnel are assigned to areas unique to a specialized industry, the
representation should include any specialized CPE required by the firm).

Joint Audit Engagement Illustrative Memorandum of Understanding

[Tailor the illustrative letter to reflect your policies and relevant standards]

Note: Under no circumstances will we participate in a joint audit of an SEC client.

Parties: Grant Thornton LLP (GT)
Smith, Jones & Co. (SJ & Co.)

Performance

A joint audit of the financial statements of Baker Manufacturing Co. for the year ended
December 31, 20X0 and preparation of income tax returns for the year then ended.
As between the parties, each will be responsible to the other for any errors or omissions
respecting the work performed or assigned for its performance in the course of the audit.

Budgeted Hours

Prior to commencement of the engagement, each firm will have reviewed the hours budgeted
for the various segments of the engagement and will have indicated its approval. Specific
segments will be assigned to each firm.
After commencement of the engagement, detailed time sheets will be submitted weekly to the
engagement manager.
Staff personnel are expected to conform to the working hours of the client.

Participation

Each firm will assign an engagement partner to work jointly in planning and review.
It is mutually agreed that day-to-day management of the engagement will be assigned to the
engagement manager. This person will be responsible for coordinating the fieldwork between
the two firms and keeping the engagement partners informed of the assignment progress on a
current basis.
Each firm will assign an in-charge accountant and one or more assistants to perform those
segments of the work assigned to it. It is intended that each firm will furnish staff equally, or as
subsequently agreed upon by the engagement partners to complete the engagement as soon as
possible. In those circumstances where segments are dependent upon one another for
completion, an agreeable efficient approach will be arranged by the engagement manager. Any
major accounting, auditing or reporting problems encountered will be brought to the attention
of the engagement manager for resolution.

Major Problem Resolution

Should accounting, auditing or reporting problems arise which the engagement manager
cannot resolve, or which the two firms cannot agree upon or to which the client takes
exception, the following procedures will be followed:
1. The engagement partners and the engagement manager will meet to attempt resolution of a
problem.
2. The engagement manager will seek the research, counsel and advice of the local GT office
Professional Standards Partner.
3. If the problem is not yet resolved, the firms will come to agreement through GT’s
established problem resolution process so that an agreed position may be taken in
presenting or defending the problem in discussions with the client.
4. Should the client wish to discuss or take exception to the problem, John Smith, managing
partner of Smith, Jones & Co. will present the agreed position to the client. Support will be
provided by GT.

Personnel Assigned (Tentative)

                          GT          SJ & Co.
Engagement Partner
Engagement Manager
In-charge Accountant

Review

The in-charge accountants for each firm will review their assistants’ work in the field and sign
off the appropriate line on the appropriate review module. The engagement partner review will
be performed by both engagement partners and will entail a review by each of those areas
assigned to his firm as well as the work of the other firm to the extent deemed necessary. Upon
completion of the engagement partners’ review, an office review of the entire audit will be
conducted by GT’s Professional Standards Partner.

Typing and Processing of Report

Responsibility for typing and processing will be determined at a later date.

Auditor’s Report Letter

The report letter will be signed by both firms on a combined letterhead of the two firms.

Workpapers

Horizon (Grant Thornton’s Audit Approach), including Voyager and indexing system will be
used for this audit. All workpapers pertaining to this audit will be under the combined control
of both firms while the audit is in process. Upon completion of the audit, the workpapers will
be reproduced in GT’s office, and a complete set of reproduced workpapers will be given to SJ
& Co. for their use.

Special Assignments

If work is requested of SJ & Co., they will perform the work or, at their discretion, delegate all
or a portion of the work to GT. (If a portion is delegated or joint ventured, the details of the
working relationship will be worked out between SJ & Co. and GT.)
If work is requested of GT by Baker Manufacturing Co., we will consult with SJ & Co. and
proceed with the performance of the assignment in a manner mutually agreed to and decided
by both firms. No work will be performed by GT without the concurrence of SJ & Co.
SJ & Co. will receive periodic status reports on any work performed by GT be it audit, tax or
special.

Billing of Fee

(See Chapter 6 for billing of fees language. Add the following language after the Firm’s billing of fees language:)
Invoices will be prepared and submitted to the client by SJ & Co. in the names of both firms.
Progress billings will be based on total hours and out-of-pocket expenses incurred by both
firms. Time charges will be billed at each firm’s regular hourly rates.
Should any portion of the time charges (as computed in the foregoing paragraph) become
unbillable or uncollectible, the related write-off will be allocated as follows:
a. If both firms can agree that the cause of the write-off can be identified, the write-off will be
borne by the firm whose personnel caused the write-off.
b. Otherwise, each firm’s proportionate share will be determined by multiplying the write-off
by a fraction, the numerator of which will be the gross time charges of the respective firm and
the denominator will be the sum of the gross time charges for both firms.
GRANT THORNTON LLP
Date: ____________

_____________________________________________________
(Signature and Title)

SMITH, JONES & COMPANY


Date: ____________

_____________________________________________________
(Signature and Title)

Illustrative Joint Audit Representation Letter to Grant Thornton LLP


[Tailor the illustrative letter to reflect your policies and relevant standards]

(SJ & Co. letterhead)

Note: Under no circumstances will we participate in a joint audit of an SEC client.


Grant Thornton LLP
(insert local address)
Dear Sir or Madam:
In connection with our joint audit of the financial statements of Baker Manufacturing Co. for
the year ended December 31, 20X0, being performed in accordance with our memorandum of
understanding dated November 22, 20X0, we confirm to you the following:
1. We are familiar with Rule 101 of the Code of Professional Conduct of the American
Institute of Certified Public Accountants and the related interpretations. As far as Baker
Manufacturing Co. is concerned, our Firm has been for the period covered by the financial
statements reported upon and thereafter to date, in fact, independent as contemplated by
such rule and interpretations.
2. The personnel assigned to this engagement have the appropriate background and
experience (add, if applicable: including specialized knowledge relating to the (specialized) industry) to
perform their responsibilities and have met the minimum continuing education
requirements required by the AICPA, and the applicable state board (add, if applicable: and
other regulatory agencies).
Very truly yours,
Smith Jones & Company
Exhibit 24.2 Managing Voyager Files Flowchart
[Flowchart not reproduced. Decision points: "Type of response?" (Comprehensive / Targeted), "Statutory audit?" (Yes / No) and "Who creates file?" (Component Auditor / Group Auditor), leading to CAAM 1, CAAM 2 or CAAM 3. Steps shown include: the group auditor or component auditor creates the Voyager file; the component auditor performs procedures; the file is returned to the group auditor; the group auditor reviews the work and obtains necessary documentation; the group auditor communicates the group report date; the component auditor spawns a copy of the Voyager file and performs the statutory audit using the spawned file; the component auditor completes and archives the group and statutory Voyager files; the group auditor issues the group report, completes and archives the file.]
Exhibit 24.3 GTI Client Service Guidelines
GTI has developed the following guidelines that will help promote the delivery of
outstanding international service:
• When a client service request is referred to another firm, clear instructions should
be provided that:
- describe the assignment
- provide background or explanatory information (including pertinent
information about the size and scope of the parent entity)
- establish materiality parameters
- indicate when the assignment should be completed
- provide information concerning fee expectations or estimate the
number of hours the assignment is expected to take and indicate who
should be invoiced
- explain work that is promotional or non-billable (there should be an
agreement as to who will absorb such costs)
- ask for confirmation that the request has been received
- identify the partner or other individual to whom the response and any
questions should be submitted
- determine that all requirements have been understood
• The lead (client services) partner should initiate communications and follow up
on service performance. For example, communications should be established
immediately upon learning that a client is planning a visit; a sales branch is to be
opened, etc. The lead partner cannot delegate responsibility for such
communications to the client. The lead partner is responsible for our services -
not the client.
• The receiving firm should:
- notify the requesting firm within 24 hours that the communication was
received
- make certain that the assignment or instructions received are
understood. If in doubt - ask! (It is often useful to confirm our
understanding by direct discussion)
- if a response is called for, indicate when it can be expected
- provide a brief outline of the proposed engagement plan
- estimate the hours and fees involved
- indicate when the work will be completed
- identify the responding partner or other individual and the person who
will be responsible for the engagement
- ensure that there is a clear understanding regarding fee arrangements
- send a copy of all communications to the referring lead partner and
applicable International Practice Partner
• When clients of another GTI member firm visit a local firm, the local firm should:
- request background information from the lead partner (if it has not
already been provided)
- ascertain the client’s agenda
- offer to provide assistance with locating an office and telephone for
temporary use as well as translation
- have someone (preferably a partner) at the meeting who speaks the
client’s language
- if familiar with the client’s agenda and possible needs, prepare an
outline of points to be considered in advance of the meeting
• If a visiting foreign client requests non-professional services that may not be
appropriate to the professional standards of the local country (e.g., preparing,
signing or co-signing checks, approving disbursements or acting as a nominee
resident owner of stocks), the foreign client and referring lead partner should be
advised that such services are not appropriate.
• If a visiting foreign client requests assistance without a previous introduction and
without previous notification by the lead partner, it should be assumed the lead
partner is unaware of such contact and:
- the identity of the service office and lead partner should be determined
- the lead partner should be immediately notified, requesting guidance
and attempting to ascertain whether, in fact, the lead partner was
unaware of the planned visit
- the information should be requested from the lead partner that would
have been furnished in accordance with the guidance above
- if the lead partner is unavailable, discretion should be used in assisting
the client until contact can be made
• As a stand-alone entity, the foreign client’s local operating unit may require
services in connection with financial statements, tax return assistance, or
consulting services. After the initial arrangements are made, the required
services should ordinarily be performed on a recurring basis, by dealing directly
with personnel at the local operating unit. Frequently, the fees for these services
will also be invoiced locally. However, unless advised to the contrary, the lead
partner should keep the referring firm lead partner informed, including the
following:
- advise of any special services that are requested by the client or that
we believe to be necessary
- when the engagement is completed, send a copy of all important work
products (audit reports and financial statements, etc.)
- describe any problems or difficulties encountered, or any
recommendations concerning the local unit
- advise of the fees charged for each type of service rendered
• Services to the local unit should be viewed in the broader context of the parent
company client. Therefore, if service conflicts arise between the local operating
unit and the parent company client, they should be communicated to, and
resolved by, the parent company lead partner.
• If a service complaint is received, it should immediately be investigated and
addressed. Such complaints sometimes result from unrealistic expectations. For
example, it is unrealistic to assume that matters such as general and business
customs, office facilities, and personnel attitudes, will be the same as in the
client’s home country. However, it is not unrealistic for the client to expect
prompt, courteous and professional service.
• In any event, all service complaints should immediately be reported to the GTI
Chief Executive Officer and the designated International Practice Partner.
• The responsibility for such reporting rests with the lead partners in the referring
and receiving offices.
Appendix A: Cross-border filing agreement
June 2013

Instructional Notes: (delete before finalizing this agreement)


Delete reference to “Appendix A” above before finalizing this Agreement.
Put this letter on the letterhead of the Gatekeeping Firm.
Refer to the Policy for cross-border filings in conjunction with the preparation of this
Agreement.
For reference, “filings” covered by this Agreement involve an assurance report issued
by a member firm that is included in a “filing” in a foreign jurisdiction, which includes (a)
registration statements or other documents filed with foreign regulators, (b) offering
documents in connection with private placement of securities (i.e., offerings exempt
from registration), and (c) an annual report that is made available to shareholders or
bondholders.
Text highlighted in square brackets must be modified to reflect the specific engagement.
---------------------
[Date]
[Legal name of Client-Serving Member Firm]

RE: Cross-Border Filing Agreement - [Legal Name of Client-Serving Member Firm’s Client]
Dear [ ],
1 PURPOSE
1.1. The purpose of this Cross-Border Filing Agreement (the “Agreement”) is to set out the terms and
conditions under which [legal name of Gatekeeping Firm] (the “Gatekeeping Firm,” or “our”) agrees to
perform the Gatekeeping Services (as defined herein) related to [legal name of Client-Serving Member
Firm] (“the Client-Serving Member Firm”) audit engagement of [legal name of Client-Serving Member
Firm’s client] (the “Client”) for the year ending [insert applicable year end].

1.2. The Gatekeeping Services are performed consistent with Grant Thornton International Ltd’s ("GTIL")
Policy for cross-border filings and applicable laws and regulations and are set out in the Exhibit to this
Agreement.

2 DEFINITIONS
2.1. In this Agreement, the following expressions have the meanings set out below.

2.2. “Engagement Letter” means the particular agreement relating to the engagement (the “Engagement”) the
Client-Serving Member Firm has or will be deemed to have entered into with the Client.

2.3. “Financial Information” is the information, statements and filing or offering document that is to be
prepared by the Client in connection with its filing with a foreign jurisdiction regulator, offering of
securities in a foreign jurisdiction, or listing of securities on [name of relevant exchange in the
Gatekeeping Firm’s jurisdiction].

2.4. “Gatekeeping Services” mean the procedures to be performed by the Gatekeeping Firm in accordance
with the Exhibit.

2.5. “Professionals” mean the particular partners and employees of the Gatekeeping Firm (including the filing
reviewer(s)) selected by such firm to provide the Gatekeeping Services under this Agreement in
accordance with the terms of the Agreement. The Professionals are partners and/or employees of the
Gatekeeping Firm.

3 OBLIGATIONS
3.1. The Gatekeeping Firm will assign certain Professionals who will perform the Gatekeeping Services in
connection with the Financial Information within a period of time as may be agreed to by the parties to
this Agreement.

3.2. The Client-Serving Member Firm acknowledges that the Gatekeeping Firm is also a member firm of
Grant Thornton International Ltd ("GTIL"). GTIL's member firms provide professional services through
its international network. Member firms are not members of one international partnership or otherwise
legal partners with each other. There is no common ownership, control, governance, or agency between
GTIL member firms and GTIL.

3.3. The parties agree, on behalf of themselves and their respective partners, principals and employees, that
they will not (i) negotiate or enter into any oral or written contract, agreement or arrangement on behalf
of, or in the name of the other party, or otherwise bind the other party, or GTIL; or (ii) describe or
represent themselves as employees, partners or joint venturers of the other party or GTIL.

3.4. The involvement of the Gatekeeping Firm does not relieve the Client-Serving Member Firm of the
responsibility for the performance, in accordance with standards of the [insert applicable professional
standards], of the audit engagement with its Client. Also, the Gatekeeping Firm does not assume any of
the responsibilities of the Client-Serving Member Firm or its personnel, including the engagement partner
or the engagement quality control reviewer (or such other term as used by the applicable professional
standards to define the quality control partner that is part of the audit engagement).

3.5. Because of the limited nature of the Gatekeeping Services, it is recognized that the Gatekeeping Firm
cannot and does not assume any responsibility for detecting a departure from, or non-compliance with
applicable professional standards of the Gatekeeping Firm’s domicile country.

3.6. For the avoidance of doubt, the Gatekeeping Firm shall have no interaction with the Client or any of its
advisors; all communications will be between the Gatekeeping Firm and the Client-Serving Member Firm
and no communication from the Gatekeeping Firm may be forwarded or otherwise made available to the
Client without the explicit prior approval of the Gatekeeping Firm. Furthermore, no agreements between
the Client-Serving Member Firm and its Client, including the Engagement Letter, or other documents,
whether written or oral, may contain reference to the Gatekeeping Firm, unless required to address
confidentiality restrictions, local laws or regulations.
4 FEES
4.1. The Gatekeeping Firm shall directly bill the Client-Serving Member Firm the following amounts for its
work:

Standard Hourly Rate: [insert amount and relevant currency]


4.2. The Gatekeeping Firm's normal billing rates for this type of work do not include out of pocket expenses.
Expenses will be billed to the Client-Serving Member Firm in addition to the fees for the services. The
Gatekeeping Firm will provide timely information to the Client-Serving Member Firm regarding any
costs incurred. The Gatekeeping Firm's fees are due within 30 days of its invoice.

4.3. The Client-Serving Member Firm is not permitted to deduct fees, taxes or other amounts assessed by its
country of domicile from its amounts due under this Agreement to the Gatekeeping Firm.

5 DISPUTE RESOLUTION
5.1. The parties agree that any dispute arising out of or resulting from this Agreement shall be governed by the
dispute resolution provisions in this section 5. The obligations of the parties pursuant to this section 5
shall survive termination of this Agreement.

5.2. In the first instance, the parties should always try to resolve any disputes informally, but in the event that
the parties cannot agree an informal resolution each party shall immediately notify the other party in
writing of any threat relating to this Agreement. Both the Gatekeeping Firm and Client-Serving Member
Firm agree not to settle any claim without the other’s prior consent, which shall not be unreasonably
withheld, conditioned, or delayed. The parties agree to render full cooperation to each other to defend
such claims.

5.3. The Client-Serving Member Firm agrees to reimburse the Gatekeeping Firm for all reasonable expenses
including reasonable attorney's fees and expenses, as they are incurred in connection with the
investigation of, preparation for, or defence of, any pending or threatened claim or action or proceeding
arising from this Agreement or the Engagement, whether or not the Gatekeeping Firm is a party. If any
action, suit, proceeding, or investigation is commenced, as to which the Gatekeeping Firm proposes to
demand reimbursement, the Gatekeeping Firm shall notify the Client-Serving Member Firm. The
Gatekeeping Firm shall have the right to retain counsel at the Client-Serving Member Firm’s expense and
the Client-Serving Member Firm shall pay as incurred the reasonable fees and expenses of counsel
retained by the Gatekeeping Firm.

5.4. Nothing contained in this Agreement is intended to confer jurisdiction over the Gatekeeping Firm by the
Client or anyone claiming rights on account of the Gatekeeping Services to make the Gatekeeping Firm
an indispensable party to any proceeding or claim asserted by the Client or the Client-Serving Member
Firm in any jurisdiction other than the domicile country of the Gatekeeping Firm. The Client-Serving
Member Firm shall not join the Gatekeeping Firm in any legal proceedings with the Client.

6 LIABILITY
6.1. For the avoidance of doubt, the Gatekeeping Firm shall have no liability whatsoever, including without
limitation, to the Client or third parties or for departures from, or non-compliance with, applicable
professional standards (including applicable accounting, auditing and independence standards). The
Client-Serving Member Firm is solely liable for any costs, expenses or damages that may result from the
Engagement with the Client or third parties.

6.2. The Client-Serving Member Firm shall extend its protections in the Engagement to the Gatekeeping Firm.
The Gatekeeping Firm therefore is offered the protections available to the Client-Serving Member Firm
arising out of the Engagement.

7 TERMINATION
7.1. The Gatekeeping Firm and the Client-Serving Member Firm each reserve the right to terminate this
Agreement at any time and for any reason subject to giving the other reasonable advance notice in writing
and in the event of such termination the Client-Serving Member Firm will pay to the Gatekeeping Firm
such amount as may be necessary to cover the work done by any of the Professionals to the date of such
termination.

7.2. The obligations of sections 5, 6, 7 and 9 shall survive termination of this Agreement, as well as such other
provisions that by their nature should survive.

8 MISCELLANEOUS
8.1. No partnership is hereby created between the parties, nor shall it be deemed to exist and neither party
shall have the authority to bind the other party without the prior written approval of the other party given
in each and every case. In addition, nothing in this Agreement is intended to make either party responsible
for the actions of one another or to establish any measure of control beyond this Agreement.

8.2. This Agreement shall relate solely to the Gatekeeping Firm and the Client-Serving Member Firm in
connection with the Gatekeeping Services and it shall not extend to other activities and transactions in any
respect whatsoever. Moreover, no consulting services shall be provided under this Agreement.

8.3. Without our prior written consent, neither party will assign, delegate, sub-contract or otherwise transfer
the benefit or burden of this Agreement.

8.4. If any portion of this Agreement is held invalid, the invalidity or unenforceability for any reason,
including independence, of such provision shall, to that extent, be of no further force and effect and the
Agreement shall consist of the remaining provisions and shall not prejudice or affect the validity or
enforceability of the remainder. In addition, if the Gatekeeping Services are subject to the independence
rules of the U.S. Securities and Exchange Commission (SEC) or another agency or regulatory body
performing a similar function in another country with respect to the Client-Serving Member Firm, such
that any provision in this Agreement would impair the Client-Serving Member Firm’s independence
under the SEC’s or other agency or regulatory body’s rules, such provision shall, to that extent, be of no
further force and effect and the Agreement shall consist of the remaining provisions.

8.5. The Client-Serving Member Firm may not promote this engagement as a joint engagement, nor may it
portray the role of the Gatekeeping Firm in a manner that could be construed as the Gatekeeping Firm
having any responsibility for the Engagement.
9 GOVERNING LAW
9.1. This Agreement shall be governed by and construed in accordance with the laws of the domicile country
of the Gatekeeping Firm and the Client-Serving Member Firm agrees to submit for all purposes in
connection herewith to the exclusive jurisdiction of the domicile country of the Gatekeeping Firm.

10 WHOLE AGREEMENT
10.1. This Agreement embodies the whole agreement between the parties relating to the provision of
Gatekeeping Services provided to the Client-Serving Member Firm by the Gatekeeping Firm and
supplements and supersedes and cancels all previous agreements and working arrangements whether oral
or written, statutory, expressed or implied between the parties relating thereto.

10.2. If the Client-Serving Member Firm agrees to these terms, an authorized person should sign where
indicated at the end of this Agreement and return it to the Gatekeeping Firm.

Yours sincerely
[The Gatekeeping Firm Partner’s Signature]
[Legal name of the Gatekeeping Firm]

The terms of this Agreement are acknowledged and agreed by:

[Legal name of the Client-Serving Member Firm]


By: [The Client-Serving Member Firm Partner’s Signature]
Printed name:
Date:
Exhibit – Gatekeeping Services
The procedures to be performed by the filing reviewer(s)/Professionals performing the
Gatekeeping Services are:
(1) Reading all of the documents to be filed (or otherwise to be made available to
shareholders in the domicile country of the Gatekeeping Firm) with particular
attention given to compliance as to form of the financial statements (and related
schedules) and auditor’s report with the applicable accounting, auditing, financial
reporting and regulatory disclosure requirements for such filings.
(2) Discussing with the Client-Serving Member Firm’s audit partner-in-charge of the
engagement:
(i) the engagement team's familiarity with and understanding of the
applicable auditing, accounting, financial reporting, regulatory disclosure
and ethical standards of the domicile country of the Gatekeeping Firm,
(ii) the significant differences between:

(a) the accounting and financial reporting standards and regulatory
disclosure requirements used in the presentation of the financial
statements included or incorporated in the document to be filed (or
otherwise to be made available to shareholders in the domicile country of
the Gatekeeping Firm) and those applicable in the Client-Serving Member
Firm’s domicile country, and

(b) the auditing and ethical standards of the Client-Serving Member Firm's
domicile country and those applicable in the domicile country of the
Gatekeeping Firm; and
(iii) any significant auditing, accounting, financial reporting, regulatory
disclosure and ethical matters that come to the attention of the filing
reviewer(s) when performing the procedures described in this Exhibit,
including how any such matters were addressed and resolved by the
Client-Serving Member Firm’s audit partner-in-charge of the engagement.
(3) Issuing a written statement, as set forth below, to the Client-Serving Member
Firm’s audit partner-in-charge of the engagement that the Gatekeeping Services
were completed in accordance with this Exhibit.
(i) Written statement prepared by the filing reviewer(s):
I have performed the procedures set forth in the Cross-border filing
agreement dated [insert date of agreement] between [insert legal name of
the Gatekeeping Firm] and [insert the legal name of the Client-Serving
Member Firm].
Filing reviewer signature: Date:
Chapter Twenty-Five - Integrated Audits
Summary

This Chapter provides guidance for performing an integrated audit. An integrated audit
refers to a combined engagement of both a financial statement and an internal control
audit. Most of this Chapter addresses policies and guidance for performing the internal
control audit part of the integrated audit, but also includes policies and guidance on how
to perform the integrated audit effectively and efficiently. The policies and guidance
presented in this Chapter should be applied to integrated audits performed under
AICPA or PCAOB standards (and other jurisdictional standards that are based on these
standards).

Introduction and Applicability

Overview

25.01 Internal control effectiveness is vital to the safety and sound operation of
businesses of all types and sizes. The stakeholders of a business, including its
shareholders, regulators, insurers and lenders, among many others, expect
management to establish and monitor internal control to ensure accurate financial
reporting.

25.02 When management fails in this responsibility, the possibility of significant
misstatements and inaccurate communications increases considerably. For this reason,
some stakeholders are demanding that management explicitly state that its internal
control is implemented and operates effectively. They also demand that the external
auditors conduct an audit and report on management’s assertion that internal control is
implemented and operates effectively.

25.03 The frequency and magnitude of financial statement restatements occurring
around the world due to fraud and error have caused regulators and lawmakers to
respond with legislation and rules to compel good corporate behavior and to penalize
offenders.

25.04 SOX is one example of such a response. SOX requires certain entities whose
stock is registered on the U.S. securities exchanges to have an integrated audit.
Likewise, the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA)
established annual integrated audit requirements for the largest U.S. banks and savings
institutions. Other regulatory and legislative bodies around the world have adopted
SOX-like requirements and others are considering them. Similarly, regulators in other
public-interest industries (governments, not-for-profits, benefit plans) are also
considering SOX-like rules and regulations.
Engagement Objective

25.05 The objective of an internal control audit is to express an opinion on the
effectiveness of internal control over financial reporting. The audit team should plan and
perform the audit to obtain reasonable assurance about whether the entity maintained,
in all material respects, effective internal control over financial reporting as of the date.
In other words, the auditor obtains reasonable assurance that no material weaknesses
in internal control existed as of the date specified.

25.06 The following are the elements of an internal control audit:
• planning the engagement
• obtaining an understanding of internal control
• assessing risk
• evaluating design effectiveness
• testing and evaluating operating effectiveness
• forming an opinion on the effectiveness of internal control

Professional Standards

25.07 The professional standards to apply when performing an internal control audit
vary depending on the type of entity. For example, U.S. public company auditors must
follow standards established by the PCAOB. PCAOB Auditing Standard (AS) 5 applies
to audits of internal control. The AICPA also adopted an internal control audit standard
that is similar to AS 5. PCAOB and AICPA standards require that auditors must audit
the financial statements of an entity for which they perform an internal control audit.

25.08 The policies and guidance presented in this Chapter comply with PCAOB and
AICPA standards. Application of PCAOB or AICPA standards for FDICIA reporting
institutions is discussed later in this Chapter.

Conditions for Engagement Performance

25.09 The firm can perform an internal control audit if all of the following conditions
are met:
• the firm also performs the financial statement audit
• management accepts responsibility for the effectiveness of internal control
over financial reporting
• management evaluates the effectiveness of such internal control using a
suitable, recognized control framework. Although highly unlikely, consult
with the NPPD if an entity requests an integrated audit and evaluates its
internal control using a framework other than COSO
Performing the Internal Control Audit

Horizon’s top-down Approach to an Integrated Audit

25.10 The following table demonstrates that Horizon’s approach to an integrated
audit is consistent with the top-down approach mandated by the PCAOB and AICPA
standards and other standard setters throughout the world who embrace the PCAOB
(and AICPA) requirements.
| PCAOB | Horizon |
|---|---|
| Understand the overall financial reporting risks at the financial statement level | Understand the entity and its environment to identify matters that impact the financial statements |
| Focus on entity-level controls to understand and evaluate their design effectiveness | Identify, understand, document, and evaluate the design effectiveness of all entity-level controls, including financial reporting |
| Identify significant accounts and disclosures | Identify significant accounting cycles (those with significant accounts, groups of accounts, disclosures, or classes of transactions greater than tolerable error) |
| Identify the assertions relevant to each significant account | Identify the risks in relevant assertions where a material misstatement could occur |
| Understand flow of transactions and how they are initiated, authorized, processed, and recorded | For the processes associated with the identified risks, perform walkthroughs to confirm our understanding and verify that controls are implemented |
| Identify the points at which errors or fraud could occur in the process | Identify “very” and “somewhat” important processes (points where fraud or errors are more likely) |
| Identify controls to test that prevent or detect errors or fraud on a timely basis | Identify key controls |
| Clearly link individual controls with the significant accounts and assertions to which they relate | In Voyager, the key controls are linked to the cycles, assertions, and processes to which they relate |

Planning

25.11 The financial statement and internal control audits are referred to as an
integrated audit because they are so entwined. To be effective, they must be performed
together.

25.12 When developing an overall strategy, the audit team considers many factors,
such as the entity’s business, industry, organization, components, operating
characteristics, reporting practices, internal control, and any recent changes; economic
conditions; legal and regulatory matters; materiality, inherent risk, and other factors
relating to the determination of material weaknesses.

25.13 Such factors impact the audit team’s consideration of the nature, timing, and
extent of work to be performed. Accordingly, to obtain evidence about the effectiveness
of controls for all relevant assertions (those that have a reasonable possibility of
containing a material misstatement) related to all significant accounts and disclosures in
the financial statements, it is essential to start the planning and risk assessment
process in a timely manner.

Risk-Based Approach

25.14 Risk assessment procedures are performed in a financial statement audit to
identify areas where the risk of material misstatement is more than remote (reasonably
possible) so that suitable audit procedures can be designed to respond to the identified
risks. In performing an integrated audit, it is essential that the risk assessment process
is consistent between the financial statement and internal control audits. Therefore, if
the audit team assesses an assertion as having a reasonably possible risk of material
misstatement in the financial statement audit (whether due to error or fraud) that
assertion should also be considered as having a reasonably possible risk of material
misstatement for purposes of the internal control audit.

25.15 In performing risk assessment procedures for the integrated audit, the audit
team identifies reasonably possible risks for each relevant assertion. Not reasonably
possible risks are those risks that represent a lower likelihood of material misstatement.
These judgments should be consistently applied in the internal control audit. As in a
financial statement audit where substantive procedures are more extensive for
reasonably possible risks than for not reasonably possible risks, in an internal control
audit, control testing should be more extensive for reasonably possible risks than for not
reasonably possible risks.

Significant Cycles

25.16 Significant accounts are defined by professional standards as those accounts
where there is a reasonable possibility that the account could contain misstatements
that individually, or when aggregated with others, could have a material effect on the
financial statements, considering the risks of both overstatement and understatement.
Other accounts may be significant on a qualitative basis based on the expectations of a
reasonable user.

25.17 This definition means that an account is significant when it is quantitatively
material to the financial statements, regardless of inherent risk factors. Additionally,
qualitative factors can make an otherwise insignificant account significant. However,
qualitative factors cannot make a quantitatively material account insignificant.

25.18 Horizon gets to the same place, but uses a slightly different approach to get
there. Because Horizon utilizes the cycle approach, significance is defined in terms of
the cycle. In Horizon, a significant cycle is one that contains accounts or disclosure
amounts that are quantitatively or qualitatively material. Only significant cycles are in
scope for a financial statement audit or an integrated audit. This approach is consistent
with professional standards.

25.19 To illustrate, ordinarily deposits in a depository institution, fixed assets in a
manufacturing entity and payroll expenses for a construction contractor are
quantitatively material to the financial statements and would be considered a significant
account under professional standards, within the scope of the internal control audit. In
Horizon, these material accounts would cause the audit team to identify the deposits
and employee compensation transaction cycles as significant and therefore in scope.
Further, an account such as receivables from related parties may not be quantitatively
material, but qualitative factors (fraud risks, among others) may cause it to be significant
and within the scope of the internal control audit.

25.20 In the Horizon methodology, the audit team identifies significant cycles (those
having accounts or disclosure amounts that are quantitatively or qualitatively material to
the financial statements). In Horizon, the audit team determines quantitative materiality,
which generally includes all accounts or disclosure amounts greater than tolerable error.
Once a cycle is identified as being a significant cycle, it will be further evaluated to
determine whether reasonably possible risks are present.

25.21 It is important to document considerations of which accounts are material to
verify that they are addressed in the significant cycles. For example, a liability account
for a material environmental liability may not be included in any transaction cycle and
would therefore have to be considered separately. To ensure that controls over
significant cycles are documented and evaluated, accounts should be mapped to the
significant cycles. In a more complex entity with diverse operations, this mapping may
require documentation to verify that all material accounts are included in the scope of
the engagement, but in a less complex engagement, specific documentation may not be
necessary to make this verification.

25.22 [Tailor this paragraph to reflect your consultation policy] Judgment is used in
determining quantitative materiality. For a public entity, this amount ordinarily should not
exceed 5% of pre-tax earnings. For purposes of identifying significant cycles and
determining what is within the scope of the internal control audit, the audit team should
deem any account in excess of tolerable error (60% of materiality) to be material. This
threshold addresses the aggregation of otherwise immaterial accounts to a material
error and is consistent with the methodology employed by other global firms. When
accounts are at or near tolerable error, consultation with the NPPD is required before
the audit team can exclude them from the scope of the internal control audit.

25.23 In summary, an account is within the scope of the internal control audit when it
is quantitatively material or material because of qualitative factors. Risk of misstatement
does not enter into this judgment. Once a cycle is designated as significant, the audit
team should identify the financial statement risks that could cause the financial
statements to be materially misstated. If a cycle is not designated as being significant,
no further audit work is required to be performed on that cycle or any assertions
associated with it. This is true for both a financial statement audit and an integrated
audit.

Using the Work of Others

25.24 When management engages outside consultants to assist them in
documenting and testing internal control, the audit team should meet with management
and its consultants early in planning to make sure everyone understands their part and
that the final results will be satisfactory to all parties. During these discussions, it is
important to remember that the audit team cannot participate in management’s process
other than to review and provide feedback.

25.25 The audit team also considers its use of the work of others to alter the nature,
timing, and extent of the work to be performed directly, as discussed later in this
Chapter.

Scaling the Integrated Audit

25.26 The integrated audit should be scaled to the size and complexity of the entity.
The firm’s risk-based audit approach accomplishes this by focusing audit effort on
financial statement items where the risk of material misstatement is reasonably
possible.

Other Planning Considerations

25.27 During planning, the audit team will also evaluate the number of components,
to determine which ones to visit and the extent of tests to perform at each. These
considerations are also discussed later in this Chapter.

Summary of Planning

25.28 The steps in planning an integrated audit are very similar to those performed
in planning a financial statement audit. The essential element is the risk assessment
process (identifying where the risk of material misstatement is more than remote –
reasonably possible risks). These are the areas where the audit team will focus effort in
both the financial statement and internal control audits. Other areas that are material to
the financial statements, but for which the risk of material misstatement is not
reasonably possible, are included in the scope of both audits, but do not warrant the
attention or the audit effort required of reasonably possible risks.

Management’s Assessment Process


25.29 Before the audit team can perform an internal control audit, management must
perform its own assessment of the effectiveness of internal control. Management’s
assessment process is very similar to that of the audit team in that internal control must
be documented, evaluated for design effectiveness, and tested and evaluated for
operating effectiveness.

25.30 An internal control audit does not relieve management of its responsibility to
separately assess internal control effectiveness. Likewise, management’s assessment
does not relieve the audit team of its responsibility to obtain sufficient evidence to
support its opinion on internal control.

Management’s Use of Others to Document and Test Controls

25.31 Management must take ownership of its process for evaluating internal control
effectiveness. For a variety of reasons, including lack of qualified resources, lack of
time, or lack of tools, management may engage outside consultants to assist them in
documenting and testing internal control.

25.32 Outside consultants may use their own evaluation tools to document and test
internal control. The audit team should review the outside consultant’s methodologies to
ensure that the objectives of the internal control audit will be met. For example, the
firm’s methodology evaluates the significant cycles to identify the accounts and
processes where internal controls are needed. It would promote efficiency if
management used a similar methodology.

25.33 Management cannot use Voyager to document and test its internal control, as
it assists the audit team in evaluating design effectiveness, process importance and
also suggests tests of controls. To maintain independence, these are evaluations and
judgments that management must make independently of the audit team.

Obtaining an Understanding of Internal Control

25.34 The audit team must obtain and document its understanding of the entity’s
internal control over financial reporting for all five components of internal control - the
control environment, risk assessment, control activities, information and communication,
and monitoring. Although the standards do not specify the form that such
documentation should take, the firm requires the use of Voyager.

25.35 As mentioned previously, the audit team must obtain evidence about the
effectiveness of controls for all relevant assertions related to all significant accounts and
disclosures in the financial statements. While all significant cycles (those cycles having
activities and processes associated with significant accounts, groups of accounts,
disclosures or classes of transactions) are included in the scope of the internal control
audit, audit effort and attention will be directed to those assertions where the risk of
material misstatement is more than remote (reasonably possible risks). As such, the
minimum documentation (within Voyager) for an internal control audit includes all
governance controls, including financial reporting, and all activities-level controls in very
important and somewhat important processes within all significant cycles.

25.36 For “reasonably possible” risks, the audit team must understand the internal
controls established by the entity to address them. In a financial statement audit, these
internal controls may or may not be tested, depending on the strategy employed by the
audit team. However, in an integrated audit, the audit team will always test these
internal controls.

25.37 To respond to identified risks that are not reasonably possible in a financial
statement audit, the audit team ordinarily does not require an understanding of internal
controls related to the risk. This is because it is ordinarily sufficient to address the risks
with substantive procedures alone, such as analytical procedures or high value
testing.

25.38 In an integrated audit, unlike the financial statement audit, the audit team must
also understand internal controls that address risks that are not reasonably possible.
This understanding is required, as the firm will be opining on the effectiveness of
internal controls. However, for such risks, the audit team has latitude in determining the
appropriate level of testing because these risks represent a lower likelihood of material
misstatement. The nature and extent of testing should be commensurate with this lower
risk.

25.39 Accordingly, the audit team should be diligent in determining process
importance to ensure the appropriate understanding is obtained. Process importance
helps the audit team to focus on processes where the risk of error or fraud is greatest by
assessing the applicability of various factors (i.e., materiality, complexity, fraud and
related parties, and recent changes).

25.40 It is important that audit team members with sufficient experience and
knowledge obtain and document their understanding of internal control. To ensure that
the understanding of internal control and the documentation in Voyager is accurate, the
audit team should perform procedures that include:
• making inquiries of appropriate management, supervisory, and staff
  personnel
• inspecting company documents
• observing the application of specific controls
• tracing transactions through the information system (walkthroughs)

Using an IT Specialist

25.41 An IT specialist should be included on the audit team when the entity’s use of
IT in initiating, processing or recording transactions is pervasive or complex. IT
specialists should, at a minimum, participate in the risk assessment procedures and
attend the meeting of the audit team to assess risk. IT specialists may participate in
documenting IT general and application controls and perform tests of automated
controls as appropriate in the circumstances.

25.42 An entity’s pervasive and complex use of IT applies if any of the following are
applicable:
• IT security administration involves significant complexity (e.g., large
  number of users, complex use of groups or transaction codes, high level
  of integration between applications and operating systems)
• the entity uses financial reporting applications that were either (a)
  developed internally or (b) highly-customized commercial packages
• the volume of transactions processed, the complexity of processing or the
  lack of a visible audit trail is such that reliance on automated controls may
  be required
• the entity uses e-commerce applications that are electronically integrated
  with financial applications
• significant conversions of data or applications took place during the year
• errors in financial reporting resulted from IT processing

25.43 The audit team should document the company’s IT Profile in Voyager early in
the process as the IT specialist will want to understand this before determining the level
of involvement appropriate for the engagement.

25.44 Most entities use some form of IT in their financial reporting processes. IT
governance controls and IT activities-level controls will likely require testing in an
internal control audit. The audit team must involve an IT specialist in designing and
conducting these tests when the entity’s use of IT is pervasive or complex. In less
complex or pervasive environments, use of an IT specialist to review the testing strategy
and the results of tests is strongly encouraged when automated controls are tested.

Using a Tax Specialist


25.45 A tax specialist (manager or partner) should be included on the audit team for
all integrated audits to assist in performing tax risk assessment and to assist with the
documentation of design effectiveness and the evaluation of the operating effectiveness
of selected controls over tax reporting.

25.46 The tax specialist’s primary objective is to assess tax exposure in the following
tax areas:
• federal income
• state and local
• international
• property
• transactional
• other

25.47 Tax areas where exposures are identified should be further evaluated to
develop substantive procedures to respond to the risks identified.

25.48 The tax specialist should also assist the audit team in documenting the
processes and controls in each of the six areas. Further, the tax specialist assists in
evaluating the operating effectiveness of such controls by designing tests and
evaluating results.

Documenting Entity-Level Controls

25.49 Entity-level controls present unique challenges because of their subjective
nature. Therefore, except as described in the next paragraph, the audit team should
document these controls themselves and not substitute their judgment by using the
documentation of entity-level controls prepared by others. Examples of subjective
entity-level controls include communicating the right information to the right people,
establishing a code of conduct, and training and developing people.

25.50 However, using the work of others is appropriate for entity-level controls that
are less subjective, such as certain IT general controls. Many of these controls are
objective and can be evaluated as to whether they are actually implemented from the
documentation itself. Examples of objective entity-level controls include certain IT
general controls (e.g., security administration, program change, and computer
operations), and controls that monitor components.

Evaluating the Effectiveness of the Audit Committee’s Oversight

25.51 When obtaining an understanding of internal control, the audit team should
assess the effectiveness of the audit committee (or similar subgroups with different
names, such as the board of directors if there is no audit committee). Although
management is responsible for establishing and maintaining effective internal control
over financial reporting, the audit committee is a vital component of an entity’s internal
control. An effective audit committee provides oversight of the financial reporting
process, including the internal and external audit functions. An effective audit committee
also sets the tone at the top and challenges the entity’s activities.

25.52 A company’s board of directors is responsible for evaluating the performance
and effectiveness of the audit committee. The audit team should assess the
effectiveness of the audit committee as part of its evaluation of the control environment
and monitoring components of internal control over financial reporting (and not for the
purpose of performing a separate and distinct evaluation of the audit committee). In this
regard, the audit team evaluates the audit committee’s oversight of the company’s
external financial reporting and internal control over financial reporting by considering
factors, such as:
• its independence from management
• the clarity with which responsibilities are articulated
• how well the audit committee and management understand those
  responsibilities
• the audit committee’s involvement and interaction with internal and
  external auditors and with key members of management
• whether the audit committee raises and pursues the right questions with
  management and the auditor, such as those relating to critical accounting
  policies and accounting estimates

25.53 The audit team uses Voyager to perform this evaluation. Within governance
controls, the audit team will obtain and document its understanding of the audit
committee’s:
• roles and responsibilities
• composition and recruitment with regard to competent and active
  committee members
• oversight of financial reporting and internal control testing activities
• oversight of internal audit
• oversight of external audit
• interaction with the Board of Directors

25.54 Voyager will further assist the audit team in evaluating design effectiveness by
identifying control weaknesses and deficiencies as they relate to audit committee
effectiveness. The audit team, however, is ultimately responsible for determining
whether a significant deficiency or material weakness exists.

25.55 Ineffective audit committee oversight is, at a minimum, a significant deficiency.
It is also a strong indicator that a material weakness in internal control over financial
reporting exists.

Performing Walkthroughs

25.56 Walkthroughs enable the audit team to determine whether internal control is
accurately documented, understand the flow of transactions, determine whether
controls are implemented, obtain necessary information to evaluate design
effectiveness, and better understand the client’s business. They involve tracing a single
transaction through the information system from its inception, through all intermediate
processes, until it culminates in the financial statements.

25.57 In an internal control audit, as with financial statement audits, walkthroughs
should be performed each year. Walkthroughs should include the entire process of
initiating, authorizing, recording, processing and reporting individual transactions and
controls for each very important and somewhat important process in significant cycles.
Walkthroughs should also include controls intended to address the risk of fraud (fraud
prevention/detection controls). The walkthroughs, which are documented in Voyager,
should be performed directly by the audit team, not by others under their supervision.
Further, the walkthroughs should be performed by experienced auditors. Inexperienced
personnel may perform walkthroughs only if they are closely supervised.

25.58 The audit team should perform at least one walkthrough for each major class
of transactions within each Voyager cycle. As mentioned previously, all very important
and somewhat important processes are included within the walkthrough procedures. At
least one transaction should be selected for performing the walkthrough.

25.59 In Voyager, the audit team can choose between “inspection” and “observation”
for each control that is included in the walkthrough. In an integrated audit, inspection
should be used to determine whether controls in processes associated with reasonably
possible risks are implemented. Observation can be used to determine whether controls
in processes in lower risk areas are implemented; however, it is always acceptable to
use inspection. Inspection should be used if the audit team believes the additional
inquiries are necessary to determine that controls are implemented.

25.60 During the walkthrough, the audit team should verify that controls, as
documented in Voyager, are implemented. To determine whether the required
procedures and controls are performed (and whether they are performed timely), at
each point where important procedures or controls occur, the audit team should
question company personnel about their understanding of what is required and how
their work fits into the cycle activities. The audit team can corroborate the information
obtained by asking people to demonstrate what they do and to describe their
understanding of previous and succeeding processes.

25.61 In addition, the audit team should follow the process flow of actual transactions
by using the same documents (original documents; not copies) and technology used by
company personnel. The audit team also should inquire of relevant personnel and
corroborate information by asking personnel to describe their understanding and by
using follow-up questions that could help identify the abuse of controls or indicators of
fraud. These questions include, but are not limited to:
• how entity personnel identify errors
• what action is taken upon finding an error
• what errors have they found; if an error has never been found, the audit
  team should consider the reasons why (e.g., good preventive controls,
  person lacks skill, etc.)
• what happens as a result of finding an error
• how are (were) the errors resolved
• whether they have ever been asked to override the process or control, the
  situation, why and what happened

25.62 When significant changes in the process flow of transactions have occurred
during the period under audit, the audit team should evaluate the nature of such
changes and the effect on the related accounts to determine whether to walk through
transactions that were processed before and after the change. In such circumstances,
discussion with the PSP or consultation with the NPPD is encouraged.

25.63 Walkthroughs also should be performed for components that will be separately
documented and evaluated (e.g., individually important locations, locations with
significant risks, and other locations where activities-level controls will be documented).

Evaluating Design Effectiveness

25.64 As stated previously, the audit team should obtain an understanding of the five
components of internal control. Once all the entity-level controls and activities-level
controls in very important and somewhat important processes are documented,
Voyager assists in evaluating design effectiveness.

25.65 Evaluating design effectiveness is the process of determining whether internal control,
taken as a whole, achieves the objective of reliable and accurate financial reporting. It is
possible for control deficiencies to exist, while the overall control objectives are still met
due to other controls that are implemented. Accordingly, this is the process where one
must step back and view internal control in its entirety and not focus on one or two
areas.

25.66 Procedures to evaluate the design effectiveness of a specific control are
concerned with whether that control is suitably designed to prevent, or detect and
correct material misstatements in financial statement assertions. Such procedures will
vary depending on the nature of the specific control, the nature of the entity’s
documentation, and the complexity and sophistication of the entity’s operations and
systems.

25.67 When evaluating design effectiveness, the audit team gathers documentation
to assess whether the control is suitably designed to prevent, or detect and correct
material misstatements on a timely basis. Voyager assists by identifying control findings
such as areas where controls that achieve objectives are expected and when such
controls are missing. The audit team must evaluate such findings to determine whether
they represent deficiencies, significant deficiencies or material weaknesses.

25.68 The audit team should consider whether deficiencies and significant
deficiencies can aggregate to a more serious deficiency. For example, several
deficiencies that affect the same risk could aggregate to a significant deficiency.

25.69 Again, although Voyager assists the audit team in evaluating design
effectiveness by identifying control findings, the audit team is ultimately responsible for
judging whether the finding is valid and, if so, the severity of the finding (i.e., a
deficiency, significant deficiency or material weakness). It is also important to note that
governance controls warrant a much closer look, as these controls are difficult to
evaluate due to their subjective nature.

Testing and Evaluating Operating Effectiveness

25.70 The audit team should obtain evidence about the operating effectiveness of
controls for all relevant assertions related to all significant accounts and disclosures in
the financial statements. This evidence is obtained every year, as each audit must stand
on its own.

25.71 Accordingly, operating effectiveness must be tested to obtain sufficient
evidence to support the audit team’s opinion. These tests are concerned with how the
control was applied, the consistency with which it was applied, and who applied it. The
tests ordinarily include procedures such as:
• inquiries of appropriate personnel
• inspection of relevant documentation
• observation of the entity’s operations
• reapplication or reperformance of the control

Key Controls

25.72 In Horizon, key controls are the controls selected for testing. Therefore, key
controls are those that the audit team believes must operate effectively if material
misstatements are to be prevented, or detected and corrected. Key controls may be
tested by the audit team directly or, when appropriate, tested by others (see discussion
of using the work of others later in this section).

25.73 Key controls should:
• be designed to prevent, or detect and correct material misstatements in
  significant financial statement account balances, classes of transactions,
  and disclosures
• be capable of being tested by examining documentary evidence,
  observation and inquiry, reperformance, or the use of CAATs

25.74 The audit team’s level of testing is equivalent to that required to achieve a
control risk assessment of Low (i.e., the intended control reliance that tests of controls
will be performed to verify that controls operate effectively is achieved for a relevant
risk). This level of testing is appropriate for reasonably possible risks. As a reminder,
control risk for a reasonably possible risk can be assessed as Low only when IT security
controls and activities-level controls in very and somewhat important processes are
documented, designed effectively and operate effectively (tested). In addition, pervasive
entity-level controls (governance controls) should be evaluated and if deficiencies are
identified, those deficiencies should be further evaluated to determine whether they
could affect the relevant assertions.

25.75 For reasonably possible risks, key controls should be identified from the very
and somewhat important processes. Judgment should be exercised in determining
whether to select key controls in all of the somewhat important processes. It is not
necessary to identify key controls in every somewhat important process; however, it
would be unusual to select no key controls in the somewhat important processes.

25.76 For not reasonably possible risks, the audit team has latitude in determining
the appropriate level of testing because these risks represent a lower likelihood of
material misstatement. The nature and extent of testing should be commensurate with
this lower risk. When the audit team determines that it is necessary to test internal
controls over risks that are not reasonably possible, they may restrict their testing to
controls in very important processes and select no more than 50% of key controls that
they would have selected if the risk were reasonably possible. Also, when such controls
are tested by others, the audit team may address the risk by testing the work of others.

25.77 To illustrate these points, assume for a reasonably possible risk that the audit
team selects 10 key controls from the very and somewhat important processes. All 10
controls should be tested by the audit team or others. If that same risk were not
reasonably possible, the audit team would select no more than 5 key controls from only
the very important processes. Again, all 5 controls would be tested by the audit team or
others. The other controls will be considered for testing in future periods.

Selecting Key Controls

25.78 In selecting key controls, there are four important considerations the audit
team makes:
 is the process associated with a reasonably possible or not reasonably
possible risk?
 what is the importance of the process (could material errors or fraud
occur)?
 what types of errors or fraud could occur?
 what controls are essential to prevent, or detect and correct these errors
or fraud?

25.79 In determining key controls, the audit team also considers the control
objectives (e.g., authorization, completeness and accuracy, etc.) and the nature of the
control (e.g., automated versus manual, preventive versus detective, etc.). The audit
team focuses on the relevant objectives and identifies the controls necessary to achieve
those objectives.

25.80 Additional considerations in selecting key controls include:
 controls sometimes operate together to achieve objectives
 manual controls are effective in nonroutine processes that require
significant judgment
 automated controls are more reliable over routine processes
 preventive controls are necessary at the boundary
 processes with only detective controls have higher risk (may have to test
more controls)

Testing Key Controls

25.81 Activities-level tests of controls are built into Voyager and include:
 inquiry and observation
 sampling
 reperformance
 CAAT

25.82 These tests are explained further elsewhere in this manual. As a reminder,
inquiry alone does not provide sufficient evidence to support the operating effectiveness
of a control. Further, because observation is pertinent only at a point in time, the audit
team should supplement observation with inquiries and inspection of documents.

25.83 The audit team should document whether a control is key by using Voyager’s
“Key Controls” tool.

25.84 The evidence that is necessary to support the internal control audit opinion is a
matter of professional judgment. However, the period tested must be adequate to
determine whether the controls are operating effectively as of the date specified in
management’s assessment (e.g., year-end). Matters such as the following should be
considered:
 points at which errors or fraud could occur
 the nature of the control
 the significance of the control (or controls) in achieving the objectives of
the control criteria and whether more than one control achieves a specific
objective
 the nature and extent of tests of the operating effectiveness of the
controls, if any, performed by the entity (considering that evidence
obtained directly by the audit team is more persuasive than information
obtained indirectly, such as from management or other entity personnel)
 the risk of noncompliance with the control, which might be assessed by
considering:
– whether there have been changes in the volume or nature of
transactions that might adversely affect control design or operating
effectiveness
– whether there have been changes in the design of controls
– the degree to which the control relies on the effectiveness of other
controls (e.g., control environment or computer general controls)
– whether there have been changes in key personnel who perform the
control or monitor its performance
– whether the control relies on performance by an individual or electronic
equipment
– the complexity of the control

25.85 The nature, timing, and extent of the tests of controls that can be performed
are influenced by:
 the nature of the entity’s controls (e.g., whether or not documentary
evidence exists, whether the control is manual or automated)
 preliminary judgments about the effectiveness of the control environment
 the frequency with which specific controls operate and specific controls
are applied (e.g., whether the control operates continuously or
infrequently). For example, in a depository institution, loan and deposit
controls operate continuously while controls over interim regulatory reports
and other financial reports operate only at certain times. Therefore, tests
of controls should be performed over a sufficient period of time for the
audit team to determine whether, at the date specified in the assessment,
the controls necessary for achieving the control criteria’s objectives are
operating effectively. Further, controls over the financial reporting process
may operate only after the “as of” date and, accordingly, would be tested
at that time.
 changes in internal control made by management. It may not be
necessary to consider the design and operating effectiveness of
superseded controls if the new controls achieve the related objectives for
a sufficient time.
 importance of the control (e.g., controls that address multiple assertions
and certain period-end detective controls may be more important than
related preventive controls)
 procedures performed in the subsequent audit. Each year, the audit team
should vary the nature, timing, and extent of testing to introduce
unpredictability into the testing and to respond to changes in
circumstances.

25.86 Manual controls, controls that operate frequently and controls addressing
numerous assertions require more testing, while automated controls, controls that
operate infrequently, and controls over fewer assertions require less testing.

25.87 Attribute sampling (see Chapter 14) is used to determine the sample size for
tests of controls for both financial statement and internal control audits. When sampling
is used to test a key control for a particular risk, the appropriate sample size is 25 for
very important processes. For somewhat important processes, a sample of 10 should
be used. These sample sizes are built into Voyager.

25.88 The following table summarizes the type of test to employ and the extent of
testing required for manual, documented controls based on the frequency of when the
control operates. The sampling calculator in Voyager computes the proper sample size
when sampling is selected as the test type.

Control frequency    Type of test to employ    Somewhat important processes    Very important processes
Every transaction    Sampling                  10                              25
Daily                Sampling                  10                              25
Weekly               Reperformance             3                               5
Monthly              Reperformance             2                               2
Quarterly            Reperformance             1                               2
Annually             Reperformance             1                               1

25.89 When performing tests at an interim date, the audit team should determine
what additional evidence to obtain regarding the operation of the control for the
remaining period. The audit team may need to inquire about changes since the interim
date, observe previously tested controls, and/or perform additional tests of operating
effectiveness. In determining the additional evidence to obtain, the audit team evaluates
the:
 specific controls tested at an interim date and the results thereof
 degree of evidence about operating effectiveness that was obtained
 length of the remaining period; consider additional tests of controls in very
important processes when this period is greater than 3 months
 possibility of significant changes subsequent to testing

25.90 For reasonably possible risks, the work the audit team performs should be
nearer to year-end or the audit team should perform more extensive rollforward
procedures to determine that key controls are still effective at year end. For this
purpose, the firm considers “at or near year end” to be within 45 days. For not
reasonably possible risks, the audit team can be more flexible in the timing of testing
and the rollforward procedures can be less extensive.

25.91 In addition, tests of controls should be performed nearer to the “as of” date for:
 controls over significant nonroutine transactions
 controls over accounts or processes with a high degree of subjectivity or
judgment in measurement
 controls over the recording of period-end adjustments; the period-end
financial reporting process is tested at the time of operation

25.92 When an exception is identified, the audit team should determine the effect of
the exception on the nature and extent of additional testing that may be necessary.
Additional testing, beyond inquiry, is required to conclude that an identified exception
does not represent a control deficiency. Further, the audit team should never conclude
that an exception is the result of an “isolated” occurrence.

25.93 Exceptions noted during tests of operating effectiveness and recorded and
unrecorded misstatements are added to the SoCF and evaluated by the audit team.
See the sections entitled “Forming an Opinion” and “Framework for Evaluating Control
Exceptions and Deficiencies” for additional guidance on evaluating exceptions and
misstatements.

Guidelines for Testing Remediated Controls

25.94 In performing its assessment, management may identify control deficiencies.
Depending on the severity of the deficiencies, management may decide to remediate its
controls. Controls must operate for a sufficient period of time for the audit team to
determine whether, at the date specified in the assessment, the controls necessary in
achieving the control objectives are operating effectively. The following provides
guidelines for testing remediated controls:
 if the controls were remediated for greater than 90 days, the audit team
can perform normal testing
 if the controls were remediated for less than 90 days, the audit team
should use the remediated controls table below
 the audit team must observe the performance of undocumented controls
at the time the control operates
 pervasive controls cannot be remediated in the final quarter

25.95 The following prescribes the sample sizes for testing remediated manual,
documented controls. Automated controls should operate for the minimum period
specified below; however, fewer items can be selected for testing.

Control Frequency    Minimum Period of Operation for Remediated Control    Somewhat Important Processes    Very Important Processes
Every transaction    30 days                                               10                              25
Daily                30 days                                               10                              25
Weekly               4 weeks                                               1                               2
Monthly              2 months                                              1                               2
Quarterly            2 quarters                                            1                               1

Extent of Testing Once a Material Weakness Is Identified

25.96 When management identifies a material weakness or if the audit team
identifies a material weakness during testing, it is still necessary to continue the internal
control audit even though the one material weakness will result in an adverse opinion on
internal control effectiveness. Accordingly, the audit team is required to complete the
internal control audit regardless of whether a material weakness is identified by either
management or the audit team.

Using the Work of Others

25.97 The audit team’s own work must provide the principal evidence for the opinion
on internal control over financial reporting. However, the audit team can use the work of
others, in certain circumstances, to alter the work they perform directly. In determining
the extent to which the audit team can use the work of others, the audit team performs a
judgmental quantitative and qualitative assessment, which is discussed below.

25.98 The work of others includes work performed by:
 internal audit
 other entity personnel
 third parties working under the direction of management or the audit
committee, such as other auditors hired by the entity to assist with
management’s assessment. This does not include other (component)
auditors that perform an internal control audit on a component.

25.99 In determining whether to use the work of others, the audit team considers
factors such as the:
 pervasiveness of the control
 degree of judgment involved in evaluating operating effectiveness
 competence and objectivity of those performing the work
 potential for management override
 materiality of the account or disclosure, risk of material misstatement,
and the level of judgment or estimation required in the account or
disclosure

25.100 Such considerations assist the audit team in determining the extent they could
use the work of others to alter the nature, timing, and extent of the work the audit team
performs directly. For example, the higher the risk of material misstatement, the greater
the need for the audit team to perform its own work. It is important to note that using the
work of others reduces the number of key controls tested but not the extent of testing on
a particular control.

25.101 The audit team can only use the work of other individuals if those individuals
are competent and objective.

25.102 When evaluating competence, the audit team considers factors such as
experience, education, professional certification, continuing education, practices
regarding the assignment of work, supervision and review, the quality of documentation
and performance evaluations.

25.103 When evaluating objectivity, the audit team considers the organizational status
(e.g., who do the individuals report to, do such individuals have direct access to the
audit committee, and does the board or audit committee oversee employment
decisions) and the policies to maintain objectivity (e.g., are the individuals assigned to
test areas where relatives work or to test areas where such individuals are recently or
soon to be assigned). Internal auditors may have greater objectivity than other company
personnel; however, internal auditors who report to management are less objective.
Further, internal auditors who have operational responsibilities may have no objectivity.

25.104 The audit team cannot use the work of others to reduce the amount of work
they perform directly in these areas:
 subjective entity-level controls
 walkthrough procedures (see next paragraph)
 controls that are self-assessed by management or other entity personnel
 controls over financial reporting

25.105 Although walkthroughs are included in the list above, the audit team may use
the work of others when the people performing the work are directly supervised by the
audit team. Only internal auditors or consultants hired by management are allowed to
work under the direction of the audit team. Direct supervision includes:
 assessing their competence and objectivity
 describing their responsibilities, which includes informing the audit team of
significant matters
 specifically requesting and describing the work to be performed, including
the objectives of the procedures and the matters that may affect the
nature, timing, and extent of such procedures
 supervising, reviewing, evaluating, and testing the work performed

25.106 It is never acceptable to use the work of management for this purpose.
Likewise, the work of those under our direct supervision cannot be used by
management as part of their evaluation.

25.107 Self-assessed controls are those evaluated by the same person or persons
who are responsible for performing the controls. This is acceptable as a basis for
management supporting its assessment, but the lack of objectivity prohibits the audit
team from using this work as evidence of operating effectiveness.

25.108 The audit team should consider using the work of others especially when:
 controls are not pervasive
 there is a low degree of judgment involved in evaluating operating
effectiveness
 those performing the work are competent and objective
 there is a low potential for management override

25.109 When using the work of others, the audit team must test the quality and
effectiveness of their work. To test the work of others and evaluate the quality of their
work, the audit team performs a combination of direct testing and reperformance.

25.110 As a reminder, management may have tested many more controls than those
the audit team selected as key controls. The guidance contained herein only pertains to
the key controls selected by the audit team. The audit team does not have any
responsibility to perform testing beyond the key controls they select.

25.111 For reasonably possible risks, all key controls selected by the audit team
should be tested. The audit team itself should perform direct testing on 50% to 70% of
the key controls (selected from very and somewhat important processes). For the key
controls not directly tested by the audit team, the audit team should review and
reperform 20% to 50% of the testing performed by others. This is accomplished by
selecting “Management - Reperform” from the test of control options in Voyager. For the
remainder of the key controls, the audit team need only verify that management’s
testing of such controls is appropriate. This is accomplished by selecting “Management
– Review Only” from the test of control options in Voyager.

25.112 To illustrate, for the risk “Recorded receivables not valid” (a reasonably
possible risk associated with the revenue – existence assertion), the audit team
identified ten key controls from the very and somewhat important processes. Eight of
these controls were included in the scope of management’s testing. The audit team
performed direct testing on four of the eight controls tested by management to verify
that the results achieved by management were accurate. The audit team reviewed and
reperformed management’s testing on two of the key controls included in management’s
test work from the other four key controls. Because two of the key controls were not
tested by management, the audit team performed direct testing on both of those
controls. To summarize:
 10 key controls selected by the audit team
 8 of those controls included in the scope of management’s testing
 6 – tested directly by the audit team (4 of the controls (50%) tested by
management and the 2 management did not test)
 2 – tested by reviewing and reperforming the tests performed by
management (20%)
 2 – tested by reviewing the tests performed by management (20%)

25.113 For not reasonably possible risks, the audit team has latitude in determining
the appropriate level of testing when the key controls were tested by management. This
is appropriate because these assertions represent a lower likelihood of material
misstatement. However, judgment should be exercised to determine the appropriate level of
work that is commensurate with the risk. As discussed previously, the audit team should
select fewer key controls in not reasonably possible risks (not more than 50% of the
number that would be selected if the same risk were reasonably possible) and the key
controls should be selected entirely from the very important processes. The audit team
can exercise their judgment and directly test none of the controls or directly test up to
50% of the key controls tested by others. The audit team can also exercise their
judgment and review and reperform none of the key controls or review and reperform up
to 20% of the key controls tested by others. For the untested key controls, the audit
team need only verify that management’s testing of such controls is appropriate.

25.114 To illustrate, for the risk “Capital asset activity not valid” (a not reasonably
possible risk associated with the capital assets – valuation gross assertion), the audit
team identified 4 key controls from the very important processes. This represented
approximately half of the controls that would have been selected as key controls if the
risk was assessed as reasonably possible. Due to the risk of misstatement associated
with this risk, the audit team determined that no direct testing was warranted. The audit
team selected one of the key controls tested by management and reperformed
management’s testing. The audit team then scanned the work of management for the
remaining 3 key controls to determine that such work was complete and appropriate.

25.115 The guidance provided in the previous paragraphs is summarized in the
following table:

                                          Risk of material misstatement
How Audit Team Tests Key Controls         Reasonably possible    Not reasonably possible
Direct testing                            50% to 70%             0% to 50%
Reperform testing performed by others     20% to 50%             0% to 50%
Review testing performed by others        0% to 30%              0% to 50%

Note: For not reasonably possible risks, the audit team should ordinarily select 50% of the key controls for
testing. The table above reflects this by showing that the maximum number of key controls tested by the audit
team would be 50% of the total key controls.

25.116 For not reasonably possible risks relevant to transaction cycles where high
volumes of transactions occur, such as certain payroll situations, testing performed
should be at the higher end of the ranges shown. However, total key controls tested
need not exceed the combined 50% threshold shown in the table above (e.g., 40%
direct testing and 10% reperformance or 30% direct testing and 20% reperformance).

25.117 The tests performed will vary depending on the extent the audit team will alter
the nature, timing, and extent of the work they will perform directly. However, such tests
should be sufficient to enable the audit team to evaluate whether the:
 scope of the work is appropriate
 work programs are adequate
 work is adequately documented
 conclusions are appropriate
 reports are consistent with the results of work performed

25.118 The audit team should make its own judgments as to the sufficiency of
evidence obtained and other factors affecting the opinion, such as the significance of
identified control deficiencies.

25.119 Regardless of whether the audit team uses the work of others, they should
obtain an understanding of the results of procedures performed by others, including
work performed with respect to the control environment. The audit team also can obtain
additional evidence by reviewing the work of others who have performed and
documented walkthroughs. In addition, the audit team should review all reports issued
during the year by internal audit (or similar functions, such as loan review in a financial
institution) that address controls related to financial reporting and evaluate any control
deficiencies identified in those reports.

Multi-Locations or Business Units

25.120 When an entity has multiple locations or business units (components), the
audit team must determine the components where the group audit team or a component
auditor will perform tests of controls.

25.121 In determining the locations (or business units) to include in testing, the audit
team evaluates the:
 relative financial significance to the entity as a whole
 risk that a misstatement could arise from such locations or business units
and could materially affect the entity as a whole

25.122 Locations determined to be individually important (e.g., those with a level of
financial significance that could create a material misstatement in the financial
statements) should be evaluated and tested separately. Significance is presumed if any
measure related to the location or business unit, such as assets, revenues, net worth,
among others, is 10% or more of the consolidated entity. Locations that fall in the 5% to
10% range should be carefully evaluated before deeming them not individually
important. These evaluations should be documented.

25.123 A location may still be considered individually important based on qualitative
factors.

25.124 Insignificant operations can be ignored. Other locations must be evaluated to
determine whether risks are present that could, individually or when aggregated with
other components, generate a material misstatement in the consolidated financial
statements.

25.125 Designating a component to be in scope does not mean that extensive
procedures will be performed. For such components, risk assessment procedures must
be performed to determine the nature, timing, and extent of work to be performed at
each component. The risks identified will drive the appropriate response. Some of the
risks may be adequately addressed by entity-level controls (see discussion of entity-
level controls below). In these circumstances, the group audit team should test the
entity-level controls rather than the activities-level controls at the component. When
entity-level controls do not operate at an appropriate level of precision, the response
should include visiting the component and testing the activities-level controls that
address the risks identified. A component auditor may perform this work.

Homogenous Operations

25.126 Some entities have potentially hundreds of locations (components) with
identical operations and controls. The audit approach in these situations is dependent
on the audit team’s evaluation of the effectiveness and precision of entity-level controls
established by the entity to monitor the components.

25.127 When entity-level controls operate at a sufficient precision to prevent and
detect and correct material misstatements arising at components from affecting the
consolidated financial statements, the audit team can test the entity-level controls rather
than the activities-level controls that operate at the components.

25.128 However, the group audit team or a component auditor must still visit a few
locations to verify that their understanding of the activities-level controls that operate
there is accurate and that such controls are implemented. Full testing is not required,
but walkthroughs should be performed to verify that controls operate as intended to
enable the entity-level controls to operate effectively. Remember, entity-level controls in
this environment are designed to detect and correct, or prevent a misstatement. Audit
teams must be satisfied that the entity-level controls achieve this objective; otherwise
the activities-level controls at the locations must be tested as described in the following
paragraphs.

25.129 [Tailor this paragraph to reflect your consultation policy] For entities that
operate with very large numbers of homogenous operations and whose entity-level
controls over such operations are missing or ineffective, the dilemma for the group audit
team is how to achieve appropriate coverage without visiting hundreds of locations.
Auditors in the profession agree that a sampling approach is permissible in these
situations, recognizing that the expected coverage will not be met. Accordingly, the
sampling table (discussed below) should be used when an entity with homogenous
operations does not have precise entity-level controls over its operations. The group
audit team should consult with the NPPD to determine that the sampling approach will
achieve the audit objectives and is the optimal approach.

25.130 For this approach to be effective, the audit team must carefully consider the
following:
 If sampling is used and control deficiencies are identified at any one
location, it may not be possible to complete the engagement. This is
because the only alternative in this situation is to use the brute force
method and select locations until the appropriate coverage is achieved.
This is likely to be impractical due to the number of locations of such
entities.
 Locations should be varied from year to year.
 Management is expected to test all controls over its operations, including
each location. This can be accomplished using self-assessment by
personnel at these locations.

25.131 As previously discussed, this sampling table should only be used when an
entity with a large number of homogenous operations does not have precise entity-level
controls over its operations.

Homogeneous Locations    Method         Number to Select
<50                      Brute Force    **
51-100                   Sample         31
101-150                  Sample         36
151-250                  Sample         40
251-500                  Sample         45
501-1000                 Sample         48
>1000                    Sample         50

Other Circumstances

25.132 Entities acquired on or before the date of management’s assessment, and
operations that are accounted for as discontinued operations on the date of
management’s assessment should ordinarily be in scope. In other words, such entities
should be included in management’s assessment (and the audit team’s evaluation) if
they were acquired on or before the assessment date. This may create a scope
limitation if the audit team is unable to obtain the necessary evidence to determine
whether the controls related to the entity are appropriately designed and have been
operating effectively for a sufficient period of time. For dispositions or discontinued
operations prior to the assessment date, the audit team may still need to evaluate
controls, as they may be significant to interim reporting.

25.133 The SEC does allow management to limit its assessment of internal control
over financial reporting by excluding certain entities. The entities that can be excluded
include those acquired near the “as of” date that would otherwise present a scope
limitation. Refer to SEC staff guidance “Office of the Chief Accountant and Division of
Corporation Finance: Management’s Report on Internal Control Over Financial
Reporting and Disclosure in Exchange Act Periodic Reports, Frequently Asked
Questions”, dated June 23, 2004, for more specific information.

25.134 Controls over the reporting of equity-method investees should be included in
the scope of the engagement. The evaluation does not extend to controls at the equity
method investee.

25.135 Management limits the scope of its assessment where it does not have
authority to affect, and therefore cannot assess, the controls in place over certain
amounts (e.g., certain variable interest entities). The audit team should evaluate the
reasonableness of management’s conclusions and management’s disclosure of such
circumstances in its assessment. This would not constitute a scope limitation; however,
the audit team may need to modify the report to add an explanatory paragraph if
management’s disclosure requires modification.

25.136 Ultimately, the determination of which components to document and test is
highly judgmental. It is important that management and the audit team agree on these
matters early in the year for the audit team to decide that a component must be tested
near the end of the fiscal year and to allow sufficient time to perform such testing.

Service Organizations

25.137 A service organization deemed to be part of the entity’s information system is
a part of the entity’s internal control over financial reporting. Chapter 10 provides
guidance on service organizations for a financial statement audit. The audit team may
also apply the concepts in Chapter 10 to an internal control audit. Ordinarily, in an
internal control audit, the audit team should:
 obtain an understanding of the controls at the:
– service organization that are relevant to the entity’s internal control
– entity over the activities of the service organization
 test the operating effectiveness of the relevant controls by:
– performing tests of the entity’s controls over the activities of the service
organization
– performing tests of controls at the service organization
– obtaining a service auditor’s report on controls or an agreed-upon
procedures report, which should be evaluated (e.g., period covered,
scope of work performed, and results thereof) to determine whether it
provides sufficient evidence

25.138 When using a service auditor’s report, the audit team may need to apply
additional procedures (e.g., evaluating management’s procedures, obtaining information
directly from the service organization, requesting the service auditor to perform
additional procedures, and directly performing procedures at the service organization)
when:
 the service auditor’s report identifies a qualification or errors in processing
 a significant period of time has elapsed between the time period covered
by the report and the date of management’s assessment
 the service organization’s activities are significant
 there have been changes in the service organization’s controls
 the scope of the service auditor’s work provides insufficient evidence

25.139 The audit team should not refer to the service auditor’s report when
expressing an opinion on internal control over financial reporting.

Forming an Opinion

25.140 When forming an opinion on internal control, the audit team should evaluate all
evidence obtained, including:
 management’s assessment and its report
 matters identified in reports issued by internal auditors (or similar
functions)
 the results of tests of controls
 identified control deficiencies and whether they, individually or in
combination, represent significant deficiencies or material weaknesses
(additional guidance below)
 results of substantive procedures performed during the financial statement
audit, specifically recorded adjustments and misstatements. Identified
misstatements indicate that internal control failed to prevent or detect an
error and correcting the misstatement does not eliminate the deficiency
nor mitigate the finding

25.141 The opinion relates to the effectiveness of the entity’s internal control taken as
a whole, not to the effectiveness of each individual component of the control criteria or
to the operation of any particular control.

25.142 As stated previously, when forming an opinion, the audit team should evaluate
management’s assessment and its report. When performing such evaluation, the
auditor evaluates whether:
 management properly stated its responsibility for establishing and
maintaining adequate internal control
 management’s description of internal control covered by their assessment
is adequate
 the framework used by management is appropriately identified
 management’s assessment is free of material misstatement and
acceptable by:
– stating whether internal control is effective
– avoiding negative assurance (“nothing came to our attention”)
– not concluding that internal control is effective when a material
weakness exists
 material weaknesses are disclosed
 the date of their assessment (assertion) is appropriately disclosed

25.143 Professional standards categorize deficiencies as follows:
 a deficiency in internal control exists when the design or operation of a
control does not allow the company’s management or employees, in the
normal course of performing their assigned functions, to prevent, or detect
and correct misstatements on a timely basis. A deficiency includes
missing controls that are necessary to prevent, or detect and correct
misstatements on a timely basis.
 a deficiency should be classified as a significant deficiency if, by itself or in
combination with other deficiencies, it is less severe than a material
weakness, yet important enough to merit attention by those charged with
governance
 a deficiency should be classified as a material weakness if, by itself or in
combination with other deficiencies, there is a reasonable possibility that a
material misstatement (in the company’s annual or interim financial
statements) will not be prevented, or detected and corrected on a timely
basis

25.144 The specific definitions above may slightly differ depending on the applicable
professional standards. However, the audit team will ordinarily reach the same
conclusion regarding the severity of the deficiencies. The severity of a deficiency
depends on:
 whether there is a reasonable possibility that the controls will fail to
prevent, or detect and correct a financial statement misstatement
 the magnitude of the potential financial statement misstatement

25.145 The definition of a significant deficiency requires the audit team to exercise
judgment as to which deficiencies (in addition to material weaknesses) should be
reported to those charged with governance. In applying this judgment, the audit team
should consider what would be important to those charged with governance. The
judgment about what is important may result in differences between the audit team’s
and management’s classification of deficiencies.

25.146 The audit team must make a quantitative determination that a deficiency could
not result in a misstatement that exceeds materiality, but no other quantitative
evaluation is required. The quantitative threshold is removed completely for determining
whether a deficiency is a significant deficiency. If a deficiency could cause the annual or
interim financial statements to be misstated by a material amount, it is a material
weakness, unless such misstatement is not reasonably possible.

25.147 It is also important to note that the amount that an account balance or class of
transactions can be overstated is usually the recorded amount. However, the recorded
amount is not a limitation on the amount of potential understatement. Accordingly, the
risk of misstatement may differ for the maximum possible misstatement (overstatement)
than for lesser possible amounts (understatement).

25.148 An internal control evaluation framework is discussed in Chapter 10 and
provides additional guidance for classifying findings as deficiencies, significant
deficiencies, or material weaknesses. This framework considers compensating controls,
qualitative factors, and the prudent official.

25.149 Finally, the audit team should understand management’s planned corrective
actions and consider whether they are reasonable, timely, and adequate. If
management is not responsive, the audit team should communicate to the next level of
authority (e.g., the audit committee). In subsequent years, understanding
management’s response and determining whether it was implemented assists the audit
team in planning the audit. The audit team’s understanding of these matters should be
documented.

Reporting
25.150 Professional standards detail the specific items to be included in the internal
control audit report. Illustrative reports in accordance with AICPA and PCAOB
standards are presented later in this Chapter.

25.151 Reports ordinarily are addressed to the entity’s board of directors (or audit
committee). The reports ordinarily should be sent or delivered to the member of the
board of directors designated to distribute them (e.g., Chairman of the Board) and to the
chair of the audit committee.

25.152 Reports should be dated as of the date the audit team has obtained sufficient
evidence to support the opinions (for the internal control audit and the financial
statement audit) and should bear the same date as the audit team’s opinion on the
audited financial statements. Refer to Chapters 21 and 26 for guidance on who may
sign the report and whether such signature can be manual or typed.

25.153 Rule 2-02 of Regulation S-X (f) governs SEC rules and regulations regarding
reporting on internal control.

Separate or Combined Reports

25.154 Professional standards allow the auditor to choose between separate or
combined reports. A combined report would contain both the opinion on the financial
statements and the opinion on internal control. The firm prefers that separate reports be
issued for the financial statement and internal control audit.

25.155 For separate reports, the illustrative internal control audit reports contain the
required wording to refer to the financial statement audit. The reference to the financial
statement audit should not be modified to refer to any schedules that were reported on
as part of that audit.

25.156 In addition, the following paragraph should be added to the report on the
financial statements (see Chapter 21).

We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States) (or: with attestation standards established by the American
Institute of Certified Public Accountants), W Company’s internal control over financial
reporting as of December 31, 20X3, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) and our report dated (date of report, which should be the
same date as the date of our report on the financial statements) expressed (include nature
of opinion).

25.157 If the client prefers a combined report, the firm has no objection to that form of
reporting. Illustrative examples of a combined report are provided below. The combined
report addresses multiple reporting periods for the financial statements presented, but
only the end of the most recent fiscal year for the effectiveness of internal control.

Report Modifications
25.158 The audit team can express an unqualified opinion on the effectiveness of
internal control only when the audit team is able to apply all necessary procedures.
Additionally, there can be no material weaknesses in internal control.

A Material Weakness Is Identified

25.159 When a material weakness is identified, neither management nor the auditor
can conclude that internal control over financial reporting is effective. Assuming the
audit team is able to complete all necessary procedures (i.e., no scope limitation), the
audit team should express an adverse opinion on internal control.

25.160 When expressing an adverse opinion on the effectiveness of internal control
due to a material weakness, the report must include:
 the definition of a material weakness
 a statement that a material weakness has been identified and an
identification of the material weakness described in management’s
assessment
 disclosure of whether the opinion on the financial statements was affected
by the adverse opinion on internal control. To express an unqualified
opinion on the financial statements in such circumstances, the audit team
must perform substantive procedures to determine that the account does
not contain a material misstatement.

25.161 If the material weakness is not included in management’s assessment, the
auditor’s report should be modified to include a statement to that effect and a
description of the material weakness, including specific information about the nature of
the weakness and its actual and potential effect on the presentation of financial
statements issued during the existence of the weakness. The audit team is required to
communicate in writing to the audit committee when a material weakness was not
disclosed or identified as such in management’s report.

25.162 If management’s description of the material weakness is inadequate or
incomplete, the audit team should describe this conclusion, as well as the information
necessary to fairly describe the material weakness. In such circumstances, it may be
necessary to include a detailed description of the material weakness, as if the material
weakness was not included in management’s report.

Deficiencies Related to Management’s Assessment and Monitoring

25.163 [Tailor this paragraph to reflect your consultation policies] The auditor is
required to plan and perform the audit to obtain reasonable assurance that all material
weaknesses are identified. A question arises as to how this would apply to the situations
in which management’s monitoring activities are ineffective or the evidence supporting
management’s assessment is insufficient, including situations where management
cannot complete its assessment. The audit team must carefully evaluate these
situations to determine the appropriate reporting. When these situations are
encountered, the audit team is encouraged to consult with the NPPD.

25.164 Accordingly, the audit team may encounter the following reporting situations
when management’s monitoring activities are ineffective or the evidence to support the
assessment is insufficient.
 The control deficiency is determined to be a deficiency or a significant
deficiency; an unqualified report is appropriate, if no other reporting
situations apply.
 The control deficiency is determined to be a material weakness; an
adverse report is appropriate, unless the auditor is unable to perform the
procedures necessary to identify other material weaknesses (i.e., a scope
limitation is imposed).

25.165 For example, management’s inability to document and test certain aspects of
the business represents a deficiency in the control environment and monitoring
components of internal control. If the components or transactions subject to these
controls are material to the financial statements, the audit team would likely conclude
that a material weakness exists. The audit team should address this with the NPPD.

Restrictions on the Scope of the Engagement are Imposed

25.166 When the audit team is unable to apply all the procedures necessary due to a
scope limitation, they should withdraw from the engagement or disclaim an opinion. This
includes situations where management remediated a material weakness, but the auditor
is unable to obtain evidence of operating effectiveness over a sufficient period of time.

25.167 Scope limitations should be discussed with the NPPD to determine the
appropriate action and reporting. If the scope limitation is imposed by management, the
lead partner should discuss the matter with the PSP and consult with the NPPD and
RRLA.

25.168 As a reminder, when disclaiming an opinion due to a scope limitation, the
auditor is still required to describe any identified material weaknesses.

Opinion Based, in Part, on the Report of Another Auditor

25.169 The guidance in Chapter 24 and AU Section 543, Part of Audit Performed by
Other Independent Auditors, should be followed when determining whether to serve as
group auditor and whether to use the work of other auditors as a basis, in part, for the
opinion, including whether to make reference to another auditor in the report. It should
be noted that the group auditor of the financial statements also should be the group
auditor of internal control and accordingly, would need to participate sufficiently in the
internal control audit.

25.170 The decision about whether to make reference to another auditor in the report
on internal control might differ from the decision to refer to another auditor with regard to
the financial statement audit. For example, the financial statement audit report might
refer to the audit of a significant equity investment audited by another auditor, while the
report on internal control over financial reporting does not make such reference, as
management’s evaluation ordinarily would not extend to controls at the equity method
investee.

25.171 If the audit team decides to refer to another auditor’s report as the basis, in
part, for the opinion, that fact should be disclosed when describing the scope of the
audit. The audit team also should refer to the other auditor’s report when expressing the
opinion.

25.172 In addition, if the audit team decides to make reference to the other auditor in
the report, then the other auditor must perform an integrated audit and separately issue
a report in accordance with the applicable professional standards.

Modifications Related to Management’s Report

25.173 The audit team is required to evaluate management’s report, including the
presentation of the elements that management is required to present under the SEC’s
rules (see Item 308(a) of Regulations S-B and S-K) or AICPA standards. The NPPD is
required to read all management reports prior to the release of the internal control audit
report.

25.174 When management’s report is incomplete or improperly presented, the audit
team should modify the report to include, at a minimum, an explanatory paragraph
describing the reasons for this conclusion. The illustrative internal control audit reports
provide guidance if management’s report is incomplete or improperly presented.

25.175 If management refuses to present a written assessment (or report) or refuses
to take responsibility for the effectiveness of its internal control, the audit team should
consult with the NPPD to determine the appropriate course of action.

Management’s Report Contains Additional Information

25.176 Management’s report on internal control may contain other information in
addition to their assessment of effectiveness and the elements required by the SEC’s
rules or AICPA standards. This may include disclosures about corrective actions taken
by the entity after the date of management’s assessment, the entity’s plans to
implement new controls, or a statement that management believes the cost of
correcting a material weakness would exceed the benefits to be derived from doing so.
The audit team should disclaim an opinion on such information. For example, when
disclaiming an opinion on management’s cost-benefit statement, the following should be
used as the last paragraph of the report:

We do not express an opinion or any other form of assurance on management’s statement
referring to the costs and related benefits of implementing new controls.

25.177 If the audit team believes that the additional information contains a material
misstatement of fact, they should:
 discuss the matter with management and suggest, as necessary, that
management consult with the appropriate parties, such as legal counsel
 where management has not revised its statement or its report and a
material misstatement of fact remains,
– notify management and the audit committee, in writing, of the audit
team’s views concerning the information
– consult with RRLA about further actions, including the audit team’s
responsibilities under Section 10A of the Securities Exchange Act of
1934

25.178 When such information is contained outside of management’s report on
internal control, the audit team is not required to disclaim an opinion; however, the audit
team should read the information and consider whether it contains a material
inconsistency or a material misstatement of fact. If the audit team believes the
information contains a material misstatement of fact, the audit team should follow the
guidance in the preceding paragraph.

Firm Policies and Other Related Matters

Written Representations

25.179 [Tailor to reflect the location of your letters] When performing an integrated
audit, written representations relating to the internal control audit should be obtained in
a combined representation letter that covers the internal control audit and the financial
statement audit. Illustrative representation letters that contain the required
representations can be found in GEL under Letters, Forms and Templates > Audit
Representation Letters.

Communicating Deficiencies

25.180 Refer to Chapter 22 for communication requirements related to identified
deficiencies, significant deficiencies, and material weaknesses.

Subsequent Events

25.181 To identify matters that might affect the effectiveness of internal control over
financial reporting, the audit team should perform the following procedures subsequent
to the as-of date through the date of the auditor’s report:
 inquire of management whether there were any changes in internal control
or factors that might significantly affect internal control
 inquire about and examine applicable internal auditor reports issued
during the subsequent period
 inquire about and examine reports of deficiencies from other independent
auditors
 inquire about and examine reports of regulatory agencies on the entity’s
internal control
 inquire about and examine information about the effectiveness of the
entity’s internal control obtained from other professional engagements
 perform other inquiries and examine other documents, as necessary

25.182 If, subsequent to the date as of which internal control is being audited but
before the date of the auditor's report, the audit team obtains knowledge about a
material weakness that existed as of the date specified in management’s assessment,
the audit team should issue an adverse opinion. If the audit team is unable to determine
the effect of the subsequent event on the effectiveness of the entity’s internal control as
of the date specified in management’s assessment, a disclaimer should be issued.

25.183 The audit team may identify subsequent events relating to conditions that did
not exist at the date specified in the assessment but arose subsequent to that date and
before the release of the auditor’s report. When such events have a material effect on
(or are reasonably likely to have a material effect on) internal control, an explanatory
paragraph describing the event and its effects (or directing the user’s attention to the
event and its effects as disclosed in management’s assessment) should be added to the
report.

Subsequent Discovery of Information Existing at the Date of the Report

25.184 After the issuance of the report, the audit team may become aware of
conditions that existed at the report date that might have affected the opinion. The audit
team should presume that, if the previously issued financial statements and the report
thereon were recalled and reissued to reflect the correction of a misstatement, the
report on internal control as of the same specified date should be recalled and reissued
to reflect the material weakness that existed at that date. Additional guidance on
restatements is discussed below.

Restatements and Internal Control Audit Reports

25.185 When previously issued financial statements are restated for any reason,
consideration should be given to the effect of such restatement on the internal control
audit report. There are a number of different scenarios that the audit team may
encounter, each of which requires judgment in determining the appropriate form of
internal control audit report. The presumption is that when a restatement occurs
because of an error, it is a strong indicator that a material weakness in internal control
exists.

25.186 With respect to a restatement, there are several issues that must be
considered, including:
 management’s reassessment of whether internal control was effective and
other disclosure requirements
 the date of the audit report
 our evaluation of management’s assessment of whether a material
weakness existed as of the balance sheet date to which the report relates
 our assessment of whether the internal control audit report should be
restated

25.187 The following paragraphs provide guidance on these matters and address
dating the internal control audit report in conjunction with the issuance of restated
financial statements. Due to the differing facts and circumstances in each restatement,
firm policy requires that such matters be addressed with the NPPD and, if needed, a
member of the SEC Group.

Management’s Disclosure Requirements

25.188 Item 308(a) of Regulation S-K requires management to make only one
assessment of its internal control (year-end balance sheet date) and does not require
management to revise its original report on internal control effectiveness in its Form 10-K/A.
The SEC, at several AICPA SEC Regulations Committee meetings during 2005,
has emphasized this point. Furthermore, the Staff has noted that while audit standards
require the auditor to consider the need to revise its opinion on internal control as a
result of the correction of an error in previously issued financial statements, the SEC’s
rules do not have a similar requirement for registrants.

25.189 Accordingly, if the audit team concludes that a restatement indicates that a
material weakness in internal control existed as of the year-end balance sheet date and
management elects not to restate and reissue their report on internal control, then the
auditor may be required to issue an adverse opinion on the effectiveness of internal
control over financial reporting in the Form 10-K/A. This is true regardless of additional
disclosures made by the registrant elsewhere in the Form 10-K/A regarding the
subsequent material weakness(es) identified.

25.190 Although management is not required to perform another assessment of the
effectiveness of its internal control, it is required to disclose all material weaknesses and
any changes in its internal control in the amended Form 10-K/A, as required by Item
308 of Regulation S-K. Furthermore, the company may need to revise its Regulation S-K,
Item 307 disclosures in the amended document to disclose the impact of the
restatement on the effectiveness of the company’s disclosure controls and procedures
as of its year-end balance sheet date. The SEC staff expects registrants to make
specific disclosure of any new material weakness in the amended 10-K/A.

25.191 Additionally, if management elects not to restate and reissue their report on
internal control, the Staff expects clear disclosure linking the original conclusion in
management’s report to the additional disclosures regarding the material weakness. In
this situation, the company is also expected to disclose that another assessment has
not been performed, and had management been aware of the material weakness as of
the balance sheet date, which resulted in the subsequent restatement, their prior
conclusion on the effectiveness of the internal control may have been different.

25.192 The staff also reiterated at the AICPA SEC Regulations Committee meetings
that it is presumed that a restatement in previously filed financial statements is a strong
indicator that a material weakness in internal control over financial reporting existed as
of the prior balance sheet date, and therefore they would expect to see revised
disclosures under Item 308 and Item 307.

Date of Audit Reports

25.193 When previously issued financial statements are restated, the audit report on
those financial statements may either be reissued with a new date or reissued with a
dual date. As discussed previously, when separate reports on the financial statements
and on internal control are issued, each report should refer to the other and should be
dated the same. As such, in a restatement where the audit report on the financial
statements is reissued, the internal control audit report must also be reissued (except as
otherwise indicated below) to correspond to the date of the audit report on the financial
statements. This is true regardless of the effect the restatement had on internal control.

25.194 When the audit report on the restated financial statements is dual-dated, the
date of the financial statement opinion is considered to be the original (first) date. In this
situation, depending on the circumstances, the date of the audit report on internal
control either will not change or may be dual-dated similar to the financial statement
audit report, as discussed further below.

Reporting Scenarios When Financial Statements Are Restated Due to an Error

25.195 The presumption is that when a restatement occurs because of an error, it is a
strong indicator that a material weakness in internal control existed as of the year-end
balance sheet date. Although expected to be rare, there may be a situation whereby
both management and the auditor agree that the restatement did not indicate that a
material weakness existed as of the balance sheet date. Restatement situations that do
not result in the conclusion that a material weakness existed as of the balance sheet
date require NPPD approval. As a reminder, restatement in this context refers to the
correction of a misstatement due to error or fraud; it does not include restatements to
reflect a change in accounting principles to comply with a new accounting principle or a
voluntary change from one generally accepted accounting principle to another generally
accepted accounting principle.

25.196 Before the conclusion is reached with respect to the dating of the financial
statement audit report (i.e., new report date or dual-date), consideration should be given
to the effect the restatement will have on the internal control audit report. Dating of the
auditor’s internal control opinion depends on the pervasiveness of the control issues. If
the material weakness is isolated to those areas involved in the restatement, both audit
reports may be dual-dated. However, if the control issues could affect areas other than
those involved with the restatement, the auditor is required to update the internal control
opinion and thus the financial statement audit opinion. When control issues are
pervasive, dual-dating the audit opinions is not permitted.

25.197 There are a number of different scenarios that the audit team may encounter,
each of which requires judgment in determining the appropriate form of internal control
audit report. The following scenarios are discussed below:
 management’s assessment and the audit team’s internal control opinion
do not change; material weakness already identified
 management’s assessment and the audit team’s internal control opinion
do not change; NEW material weakness identified
 management’s assessment does not change; the audit team’s internal
control opinion is downgraded
 management’s assessment and the audit team’s internal control opinion
are downgraded

25.198 In each situation above, or any other scenarios that the audit team may
encounter, the audit team should consult with the NPPD, and if needed, a member of
the SEC Group. Note that these scenarios assume that management will reissue their
report on internal control (as appropriate). It is expected that management will reissue
their report (as appropriate).

Management’s assessment and the audit team’s internal control opinion do not change;
material weakness already identified

25.199 Under one restatement scenario, both management and the audit team agree
that the restatement indicates that a material weakness existed as of the balance sheet
date. Management’s original report identified this specific material weakness and
concluded that its internal control was ineffective. The audit team’s original opinion on
internal control effectiveness was adverse. Because of the original conclusions
regarding the material weakness already identified, neither management’s assessment
nor the audit team’s internal control opinion requires updating.

25.200 The following table summarizes the date of the audit reports:

Financial statement audit opinion      Internal control opinion
in restatement                         in restatement
---------------------------------      -----------------------------------------
Reissued with a new date               Reissued as of same date
Dual-dated                             Remains unchanged and does not need to be
                                       reissued (1)

(1) This is because the date of the financial statement audit opinion is the original (first) date,
not the dual (second) date.

Management’s assessment and the audit team’s internal control opinion do not change;
NEW material weakness identified

25.201 Under this restatement scenario, both management and the audit team agree
that the restatement indicates that a material weakness existed as of the balance sheet
date. Management’s original assessment concluded that its internal control was
ineffective. The audit team’s original opinion on internal control effectiveness was
adverse. In this restatement, however, management concludes, and the auditor agrees,
that a new material weakness existed as of the balance sheet date. Management’s
report should be updated and reissued to disclose the additional material weakness
identified.

25.202 Dating of the internal control opinion depends on the pervasiveness of the
control issues. The following table summarizes the date of the audit reports:

Financial statement audit opinion      Internal control opinion
in restatement                         in restatement
---------------------------------      -----------------------------------------
Reissued with a new date               Reissued as of same date
Dual-dated                             Permitted only when the control issues are
                                       not pervasive (1)

(1) Control issues isolated to those areas involved in the restatement. If the control issues
could affect areas other than those involved with the restatement, then the audit team is
required to update the internal control opinion and thus the financial statement audit
opinion. When control issues are pervasive, dual-dating the audit opinions is not
permitted.

Management’s assessment does not change; the audit team’s internal control opinion is
downgraded

25.203 In this restatement scenario (should be rare), management does not believe
the restatement indicates that a material weakness existed as of the balance sheet
date, but the auditor believes it did. Management does not change its original report,
which concluded that internal control was effective. The auditor must update its opinion
on internal control effectiveness to adverse.

25.204 Because the internal control opinion is updated, the financial statement audit
opinion must also be reissued as of the same date. Dual-dating the financial statement
audit opinion is not permitted.

Management’s assessment and the audit team’s internal control opinion are
downgraded

25.205 In this restatement scenario, both management and the audit team agree that
the restatement indicates that a material weakness existed as of the balance sheet
date. Management’s original report concluded that its internal control was effective.
Thus, management should update its report to address the material weakness and
conclude that internal control was ineffective. The auditor’s original opinion on internal
control effectiveness was unqualified. The auditor must update its opinion on internal
control effectiveness to adverse.

25.206 The following table summarizes the date of the audit reports:
Financial statement audit opinion in restatement | Reissued with a new date | Dual-dated
Internal control opinion in restatement | Reissued as of same date | Permitted only when the control issues are not pervasive (note 1)

1 Control issues isolated to those areas involved in the restatement. If the control issues
could affect areas other than those involved with the restatement, then the audit team is
required to update the internal control opinion and thus the financial statement audit
opinion. When control issues are pervasive, dual-dating the audit opinions is not
permitted.

Requirements for Internal Control Audit Report when Events Occur Subsequent
to Year-end that Require Retroactive Restatement of Financial Statements when
Reissued

25.207 Certain events occurring after the end of a fiscal year will require retroactive
restatement of that year’s financial statements if they are reissued, including
discontinued operations, a change in reportable segments, and a combination of entities
under common control. In these reporting scenarios, consideration should also be given
to the requirements for the internal control audit report in the document containing the
restated financial statements. Reissuance of the internal control audit report in these
scenarios depends on whether the underlying entities were included in the original
internal control audit scope. These situations typically arise when the registrant files a
registration statement subsequent to the issuance of the Form 10-K for the fiscal year
just ended.

Discontinued Operations and Change in Reportable Segments

25.208 A registrant disposes of or classifies as held-for-sale properties that are
treated as discontinued operations, or changes its reportable segments. Subsequent to
the date interim financials reflecting the changes have been issued, the registrant files a
registration statement. SEC rules require that a complete set of restated audited
financial statements giving retroactive effect to the changes be included in the filing.
Registration statement rules do not require the internal control information required by
Regulation S-K, Item 308. However, because (1) the report on the financial statement
audit is being updated and (2) the scope of the internal control audit has not changed
due to the restatement, the internal control audit report should be reissued as of the
same date as the financial statement audit report included in the registration statement.
Thus, the reissued internal control audit report should be included in the registration
statement.

25.209 Contact the NPPD if the decision is made to dual-date the financial statement audit
opinion.

Combination of Entities under Common Control

25.210 A registrant acquires an entity subsequent to its fiscal year-end, and the
accounting treatment is a combination of entities under common control (similar to
pooling-of-interests). Subsequent to the date post-combination period results have been
issued, the registrant files a registration statement. SEC rules require that a complete
set of restated audited financial statements giving retroactive effect to the “pooling” be
included in the filing. Registration statement rules do not require the internal control
information required by Regulation S-K, Item 308. While the report on the financial
statement audit is being updated to reflect the combination, the entity acquired was not
included in the original scope of the internal control audit. As such, in this reporting
scenario, the internal control audit report should not be included in the registration
statement. Furthermore, the fourth paragraph in the audit report on the restated
financial statements should be deleted.

Illustrative Reports (AS 5)


25.211 The illustrative internal control audit reports presented below are in
accordance with AS 5. Illustrative reports in accordance with AT Section 501 are
presented later in this Chapter.

Unqualified Opinion on Internal Control (Separate Report)

25.212 The following is an illustrative AS 5 separate report that expresses an
unqualified opinion on internal control.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

Board of Directors and Shareholders
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20X3, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assessment of the effectiveness
of internal control over financial reporting, included in the accompanying (title of
management’s report). Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit.
We conducted our audit in accordance with the standards of the Public Company
Accounting Oversight Board (United States). Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether effective internal control
over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
In our opinion, W Company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20X3, based on criteria established in Internal
Control—Integrated Framework issued by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States), the (identify financial statements and entity as described
in our audit report) and our report dated (date of report, which should be the same as the
date of this report) expressed (include nature of opinion, such as “an unqualified
opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)
City, State (or Country)
Date (such as, March 15, 20X3)

Adverse Opinion on Internal Control (Material Weakness)

25.213 The following is an illustrative AS 5 separate report that expresses an adverse
opinion on internal control due to a material weakness. Under AS 5, an adverse opinion
is required if a material weakness exists as of the date of management’s assessment
(unless the scope of the engagement is limited).

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

Board of Directors and Shareholders
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20X3, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assessment of the effectiveness
of internal control over financial reporting, included in the accompanying (title of
management’s report). Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit.
We conducted our audit in accordance with the standards of the Public Company
Accounting Oversight Board (United States). Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether effective internal control
over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
A material weakness is a deficiency, or combination of control deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material
misstatement of the company’s annual or interim financial statements will not be prevented
or detected on a timely basis. The following material weakness has been identified and
included in management’s assessment. (Identify the material weakness described in
management’s report.) 1
In our opinion, because of the effect of the material weakness described above on the
achievement of the objectives of the control criteria, W Company has not maintained
effective internal control over financial reporting as of December 31, 20X3, based on
criteria established in Internal Control—Integrated Framework issued by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States), the (identify financial statements and entity as described
in our audit report). The material weakness identified above was considered in determining
the nature, timing, and extent of audit tests applied in our audit of the 20X3 financial
statements, and this report does not affect our report dated (date of report, which should be
the same as the date of this report), which expressed (include nature of opinion) on those
financial statements.2
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)
City, State (or Country)
Date (such as, March 15, 20X3)
1 If the material weakness is not included in management’s report, modify this paragraph
to state that a material weakness was identified but not included in management’s
assessment and include a description of the material weakness, including its nature and
its actual and potential effect on the presentation of the company’s financial statements
issued during the existence of the material weakness. If management’s description of
the material weakness is inadequate or incomplete, describe this conclusion, as well as
the information necessary to fairly describe the material weakness. In such
circumstances, it may be necessary to include a detailed description of the material
weakness, as if the material weakness was not included in management’s report.
2 Modify this sentence when the opinion on the financial statements is affected by the
adverse opinion on internal control.

Disclaimer on Internal Control (Scope Limitation)

25.214 The following is an illustrative AS 5 separate report that disclaims an opinion
on internal control due to a scope limitation. AS 5 does not permit the auditor to issue a
qualified opinion.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM


Board of Directors and Shareholders
W Company
We were engaged to audit W Company’s (a Delaware Corporation) internal control over
financial reporting as of December 31, 20X3, based on criteria established in Internal
Control—Integrated Framework issued by the Committee of Sponsoring Organizations of
the Treadway Commission (COSO). W Company’s management is responsible for
maintaining effective internal control over financial reporting and for its assessment of the
effectiveness of internal control over financial reporting, included in the accompanying
(title of management’s report).
(Add a paragraph that describes the substantive reasons for the scope limitation).
Accordingly, we were unable to perform auditing procedures necessary to form an opinion
on W Company’s internal control over financial reporting as of December 31, 20X3.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
(Add the following material weakness paragraph, as applicable)
A material weakness is a deficiency, or combination of control deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material
misstatement of the company’s annual or interim financial statements will not be prevented
or detected on a timely basis. If one or more material weaknesses exist, a company’s
internal control over financial reporting cannot be considered effective. The following
material weakness has been identified and included in management’s assessment. (Identify
the material weakness described in management’s report and include a description of the
material weakness, including its nature and its actual and potential effect on the
presentation of the company’s financial statements issued during the existence of the
material weakness.) 1
Because of the limitation on the scope of our audit described in the second paragraph, the
scope of our work was not sufficient to enable us to express, and we do not express, an
opinion on the effectiveness of W Company’s internal control over financial reporting.
We have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States), the (identify financial statements and entity as described
in our audit report) and our report dated (date of report, which should be the same as the
date of this report) expressed (include nature of opinion, such as “an unqualified
opinion”).2
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)
City, State (or Country)
Date (such as, March 15, 20X3)
1 If the material weakness is not included in management’s report, modify this paragraph
to state that a material weakness was identified but not included in management’s
assessment. If the disclosure in management’s report is not fairly presented, describe
this conclusion.
2 Modify this paragraph and/or sentence when the opinion on the financial statements is
affected by the disclaimer.

Unqualified Opinion on Internal Control (Reference to Other Auditors)

25.215 The following is an illustrative AS 5 separate report that expresses an
unqualified opinion on internal control and refers to the report of other auditors as a
basis, in part, for expressing such opinion. As a reminder, if the audit team decides to
refer to another auditor, the other auditor must perform an integrated audit and
separately issue a report under AS 5.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM


Board of Directors and Shareholders
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20X3, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assessment of the effectiveness
of internal control over financial reporting, included in the accompanying (title of
management’s report). Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit. We did not audit internal
control over financial reporting of B Company, a wholly owned subsidiary, whose financial
statements reflect total assets and revenues constituting 20 and 30 percent, respectively, of
the related consolidated financial statement amounts as of and for the year ended December
31, 20X3. B Company’s internal control over financial reporting was audited by other
auditors whose report has been furnished to us, and our opinion, insofar as it relates to B
Company’s internal control over financial reporting in relation to W Company taken as a
whole, is based solely on the report of the other auditors.
We conducted our audit in accordance with the standards of the Public Company
Accounting Oversight Board (United States). Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether effective internal control
over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit and
the report of other auditors provide a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
In our opinion, based on our audit and the report of other auditors, W Company maintained,
in all material respects, effective internal control over financial reporting as of December
31, 20X3, based on criteria established in Internal Control—Integrated Framework issued
by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States), the (identify financial statements and entity as described
in our audit report) and our report dated (date of report, which should be the same as the
date of this report) expressed (include nature of opinion, such as “an unqualified
opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)
City, State (or Country)
Date (such as, March 15, 20X3)

Unqualified Opinion on Internal Control (Acquired Entity Excluded)

25.216 The following is an illustrative report that expresses an unqualified opinion on
internal control in situations in which the SEC allows management to limit, and
management limits, its assertion by excluding certain entities (in this example, an
acquired entity). In these situations, our opinion would not be affected by a scope
limitation.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM


Board of Directors and Shareholders
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20X3, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assessment of the effectiveness
of internal control over financial reporting, included in the accompanying (title of
management’s report) (Management’s Report). Our responsibility is to express an opinion
on W Company’s internal control over financial reporting based on our audit. Our audit of,
and opinion on, W Company’s internal control over financial reporting does not include
internal control over financial reporting of B Company, a wholly owned subsidiary, whose
financial statements reflect total assets and revenues constituting 20 and 30 percent,
respectively, of the related consolidated financial statement amounts as of and for the year
ended December 31, 20XX. As indicated in Management’s Report, B Company was
acquired during 20XX and therefore, management’s assertion on the effectiveness of W
Company’s internal control over financial reporting excluded internal control over financial
reporting of B Company.1
We conducted our audit in accordance with the standards of the Public Company
Accounting Oversight Board (United States). Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether effective internal control
over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
In our opinion, W Company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20X3, based on criteria established in Internal
Control—Integrated Framework issued by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting
Oversight Board (United States), the (identify financial statements and entity as described
in our audit report) and our report dated (date of report, which should be the same as the
date of this report) expressed (include nature of opinion, such as “an unqualified
opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)
City, State (or Country)
Date (such as, March 15, 20X3)
1 The audit team may need to modify this sentence so that it parallels the language in
management’s report.

Unqualified Opinion on Internal Control (Combined Report)

25.217 The following is an illustrative combined AS 5 report that expresses an
unqualified opinion on the financial statements and on internal control. However, the
firm still prefers issuing separate reports for financial statement and internal control
audits.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM


Board of Directors and Shareholders
W Company
We have audited the accompanying balance sheets of W Company (a Delaware
corporation) as of December 31, 20X3 and 20X2, and the related statements of income (and
comprehensive income), (comprehensive income), stockholders’ equity, and cash flows for
each of the three years in the period ended December 31, 20X3. We also have audited W
Company’s internal control over financial reporting as of December 31, 20X3, based on
criteria established in Internal Control—Integrated Framework issued by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). W Company’s
management is responsible for these financial statements, for maintaining effective internal
control over financial reporting, and for its assessment of the effectiveness of internal
control over financial reporting, included in the accompanying (title of management’s
report). Our responsibility is to express an opinion on these financial statements and an
opinion on W Company’s internal control over financial reporting based on our audits.
We conducted our audits in accordance with the standards of the Public Company
Accounting Oversight Board (United States). Those standards require that we plan and
perform the audits to obtain reasonable assurance about whether the financial statements are
free of material misstatement and whether effective internal control over financial reporting
was maintained in all material respects. Our audits of the financial statements included
examining, on a test basis, evidence supporting the amounts and disclosures in the financial
statements, assessing the accounting principles used and significant estimates made by
management, and evaluating the overall financial statement presentation. Our audit of
internal control over financial reporting included obtaining an understanding of internal
control over financial reporting, assessing the risk that a material weakness exists, and
testing and evaluating the design and operating effectiveness of internal control based on
the assessed risk. Our audits also included performing such other procedures as we
considered necessary in the circumstances. We believe that our audits provide a reasonable
basis for our opinions.
A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent
or detect misstatements. Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may
deteriorate.
In our opinion, the financial statements referred to above present fairly, in all material
respects, the financial position of W Company as of December 31, 20X3 and 20X2, and the
results of its operations and its cash flows for each of the three years in the period ended
December 31, 20X3 in conformity with accounting principles generally accepted in the
United States of America. Also in our opinion, W Company maintained, in all material
respects, effective internal control over financial reporting as of December 31, 20X3, based
on criteria established in Internal Control—Integrated Framework issued by COSO.
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually) OR
/s/ GRANT THORNTON LLP (typed)

City, State (or Country)


Date (such as, March 15, 20X3)

Reporting Under AT Section 501


25.218 This section provides illustrative reports when reporting on an internal control
audit in accordance with AICPA AT Section 501.

Unqualified Opinion on Internal Control

25.219 The following is an illustrative report expressing an unqualified opinion directly
on internal control. Although AT Section 501 permits an auditor to report on
management’s assertion, the firm prefers reporting directly on internal control similar to
AS 5.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20XX, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assertion of the effectiveness of
internal control over financial reporting, included in the accompanying (title of
management’s report). Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit.
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, W Company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20XX, based on criteria established in Internal
Control—Integrated Framework issued by COSO.

We also have audited, in accordance with auditing standards generally accepted in the
United States of America established by the American Institute of Certified Public
Accountants, the (identify financial statements and entity as described in our audit report)
and our report dated (date of report, which should be the same as the date of this report)
expressed (include nature of opinion, such as “an unqualified opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)

City, State (or Country)


Date (such as, March 15, 20XX)

Unqualified Opinion on Management’s Assertion

25.220 The following is an illustrative report expressing an unqualified opinion on
management’s assertion. The firm prefers reporting directly on internal control rather
than on management’s assertion.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Board of Directors
W Company
We have audited management’s assertion, included in the accompanying (title of
management’s report), that W Company (a Delaware Corporation) maintained effective
internal control over financial reporting as of December 31, 20XX, based on criteria
established in Internal Control—Integrated Framework issued by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO).1 W Company’s
management is responsible for maintaining effective internal control over financial
reporting and for its assertion of the effectiveness of internal control over financial
reporting. Our responsibility is to express an opinion on management’s assertion based on
our audit.
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, management’s assertion that W Company maintained effective internal
control over financial reporting as of December 31, 20XX is fairly stated, in all material
respects, based on criteria established in Internal Control—Integrated Framework issued by
COSO.
We also have audited, in accordance with auditing standards generally accepted in the
United States of America established by the American Institute of Certified Public
Accountants, the (identify financial statements and entity as described in our audit report)
and our report dated (date of report, which should be the same as the date of this report)
expressed (include nature of opinion, such as “an unqualified opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)

City, State (or Country)


Date (such as, March 15, 20XX)
1 The audit team may need to modify the introductory and opinion paragraphs so that the
description of management’s assertion parallels the description used in management’s
report.

Adverse Opinion on Internal Control (Material Weakness)

25.221 The following is an illustrative report expressing an adverse opinion on internal
control. An adverse opinion is required if a material weakness exists as of the date of
management’s assertion (unless the scope of the engagement is limited). In such
circumstances, we are required to report directly on internal control, not on
management’s assertion.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20XX, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assertion of the effectiveness of
internal control over financial reporting, included in the accompanying (title of
management’s report) (Management’s Report). Our responsibility is to express an opinion
on W Company’s internal control over financial reporting based on our audit.
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
A material weakness is a deficiency, or combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable possibility that a material misstatement of
the company’s financial statements will not be prevented, or detected and corrected on a
timely basis. The following material weakness has been identified and included in
Management’s Report. (Identify the material weakness described in management’s report.)1
In our opinion, because of the effect of the material weakness described above on the
achievement of the objectives of the control criteria, W Company has not maintained
effective internal control over financial reporting as of December 31, 20XX, based on
criteria established in Internal Control—Integrated Framework issued by COSO.
We also have audited, in accordance with auditing standards generally accepted in the
United States of America established by the American Institute of Certified Public
Accountants, the (identify financial statements and entity as described in our audit report).
The material weakness identified above was considered in determining the nature, timing,
and extent of audit tests applied in our audit of the 20XX financial statements, and this
report does not affect our report dated (date of report, which should be the same as the date
of this report), which expressed (include nature of opinion) on those financial statements.2
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)

City, State (or Country)


Date (such as, March 15, 20XX)
1 The auditor’s report need only refer to the material weaknesses described in
management’s report and need not include a description of each material weakness,
provided each material weakness is included and fairly presented in all material
respects in management’s report. If the material weakness is not included in
management’s report, modify this paragraph to state that a material weakness was
identified but not included in management’s report and include a description of the
material weakness, including its nature and its actual and potential effect on the
presentation of the company’s financial statements issued during the existence of the
material weakness. If management’s description of the material weakness is inadequate
or incomplete, describe this conclusion, as well as the information necessary to fairly
describe the material weakness. In such circumstances, it may be necessary to include a
detailed description of the material weakness, as if the material weakness was not
included in management’s report.
2 Modify this sentence when the opinion on the financial statements is affected by the
adverse opinion on internal control.

Disclaimer on Internal Control (Scope Limitation)

25.222 The following is an illustrative report that disclaims an opinion on internal
control due to a scope limitation. A qualified opinion is not permitted.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We were engaged to audit W Company’s (a Delaware Corporation) internal control over
financial reporting as of December 31, 20XX, based on criteria established in Internal
Control—Integrated Framework issued by the Committee of Sponsoring Organizations of
the Treadway Commission (COSO). W Company’s management is responsible for
maintaining effective internal control over financial reporting and for its assertion of the
effectiveness of internal control over financial reporting, included in the accompanying
(title of management’s report) (Management’s Report).
(Add a paragraph that describes the substantive reasons for the scope limitation.)
Accordingly, we were unable to perform auditing procedures necessary to form an opinion
on W Company’s internal control over financial reporting as of December 31, 20XX.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
(Add the following material weakness paragraph, as applicable)
A material weakness is a deficiency, or combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable possibility that a material misstatement of
the company’s financial statements will not be prevented, or detected and corrected on a
timely basis. If one or more material weaknesses exist, a company’s internal control over
financial reporting cannot be considered effective. The following material weakness has
been identified and included in Management’s Report. (Identify the material weakness
described in management’s report and include a description of the material weakness,
including its nature and its actual and potential effect on the presentation of the company’s
financial statements issued during the existence of the material weakness.)1
Because of the limitation on the scope of our audit described in the second paragraph, the
scope of our work was not sufficient to enable us to express, and we do not express, an
opinion on the effectiveness of W Company’s internal control over financial reporting.
We have audited, in accordance with auditing standards generally accepted in the United
States of America established by the American Institute of Certified Public Accountants,
the (identify financial statements and entity as described in our audit report) and our report
dated (date of report, which should be the same as the date of this report) expressed
(include nature of opinion, such as “an unqualified opinion”).2
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)

City, State (or Country)


Date (such as, March 15, 20XX)
1 If the material weakness is not included in management’s report, modify this paragraph
to state that a material weakness was identified but not included in management’s
report. If the disclosure in management’s report is not fairly presented, describe this
conclusion.
2 Modify this sentence when the opinion on the financial statements is affected by the
disclaimer.

Unqualified Opinion on Internal Control (Reference to Other Auditors)

25.223 The following is an illustrative report that expresses an unqualified opinion on
internal control and refers to the report of other auditors as a basis, in part, for
expressing such opinion. If the audit team decides to refer to another auditor, the other
auditor must separately issue a report under AICPA standards.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20XX, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assertion of the effectiveness of
internal control over financial reporting, included in the accompanying (title of
management’s report). Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit. We did not audit internal
control over financial reporting of B Company, a wholly owned subsidiary, whose financial
statements reflect total assets and revenues constituting 20 and 30 percent, respectively, of
the related consolidated financial statement amounts as of and for the year ended
December 31, 20XX. B Company’s internal control over financial reporting was audited by
other auditors whose report has been furnished to us, and our opinion, insofar as it relates to
B Company’s internal control over financial reporting in relation to W Company taken as a
whole, is based solely on the report of the other auditors.
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit and
the report of other auditors provide a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, based on our audit and the report of other auditors, W Company maintained,
in all material respects, effective internal control over financial reporting as of
December 31, 20XX, based on criteria established in Internal Control—Integrated
Framework issued by COSO.
We also have audited, in accordance with auditing standards generally accepted in the
United States of America established by the American Institute of Certified Public
Accountants, the (identify financial statements and entity as described in our audit report)
and our report dated (date of report, which should be the same as the date of this report)
expressed (include nature of opinion, such as “an unqualified opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)

City, State (or Country)


Date (such as, March 15, 20XX)

Unqualified Opinion on Internal Control (Acquired Entity Excluded)

25.224 The following is an illustrative report that expresses an unqualified opinion on
internal control in situations in which a regulator allows management to limit, and
management limits, its assertion by excluding certain entities (in this example, an
acquired entity). In these situations, our opinion would not be affected by a scope
limitation.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20XX, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assertion of the effectiveness of
internal control over financial reporting, included in the accompanying (title of
management’s report) (Management’s Report). Our responsibility is to express an opinion
on W Company’s internal control over financial reporting based on our audit. Our audit of,
and opinion on, W Company’s internal control over financial reporting does not include
internal control over financial reporting of B Company, a wholly owned subsidiary, whose
financial statements reflect total assets and revenues constituting 20 and 30 percent,
respectively, of the related consolidated financial statement amounts as of and for the year
ended December 31, 20XX. As indicated in Management’s Report, B Company was
acquired during 20XX and therefore, management’s assertion on the effectiveness of W
Company’s internal control over financial reporting excluded internal control over financial
reporting of B Company.1
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, W Company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20XX, based on criteria established in Internal
Control—Integrated Framework issued by COSO.
We also have audited, in accordance with auditing standards generally accepted in the
United States of America established by the American Institute of Certified Public
Accountants, the (identify financial statements and entity as described in our audit report)
and our report dated (date of report, which should be the same as the date of this report)
expressed (include nature of opinion, such as “an unqualified opinion”).
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)
City, State (or Country)
Date (such as, March 15, 20XX)
1 The audit team may need to modify this sentence so that it parallels the language in
management’s report.

Unqualified Opinion on Internal Control (Combined Report)

25.225 The following is an illustrative combined report expressing an unqualified
opinion on the financial statements and on internal control. However, the firm prefers
issuing separate reports for financial statement and internal control audits.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited the accompanying balance sheets of W Company (a Delaware
corporation) as of December 31, 20X2 and 20X1, and the related statements of income (and
comprehensive income), (comprehensive income), stockholders’ equity, and cash flows for
the years then ended. We also have audited W Company’s internal control over financial
reporting as of December 31, 20X2, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). W Company’s management is responsible for these
financial statements, for maintaining effective internal control over financial reporting, and
for its assertion of the effectiveness of internal control over financial reporting, included in
the accompanying (title of management’s report). Our responsibility is to express an
opinion on these financial statements and an opinion on W Company’s internal control over
financial reporting based on our audits.
We conducted our audit of the financial statements in accordance with auditing standards
generally accepted in the United States of America and our audit of internal control over
financial reporting in accordance with attestation standards established by the American
Institute of Certified Public Accountants. Those standards require that we plan and perform
the audits to obtain reasonable assurance about whether the financial statements are free of
material misstatement and whether effective internal control over financial reporting was
maintained in all material respects. Our audits of the financial statements included
examining, on a test basis, evidence supporting the amounts and disclosures in the financial
statements, assessing the accounting principles used and significant estimates made by
management, and evaluating the overall financial statement presentation. Our audit of
internal control over financial reporting included obtaining an understanding of internal
control over financial reporting, assessing the risk that a material weakness exists, and
testing and evaluating the design and operating effectiveness of internal control based on
the assessed risk. Our audits also included performing such other procedures as we
considered necessary in the circumstances. We believe that our audits provide a reasonable
basis for our opinions.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, the financial statements referred to above present fairly, in all material
respects, the financial position of W Company as of December 31, 20X2 and 20X1, and the
results of its operations and its cash flows for the years then ended in conformity with
accounting principles generally accepted in the United States of America. Also in our
opinion, W Company maintained, in all material respects, effective internal control over
financial reporting as of December 31, 20X2, based on criteria established in Internal
Control—Integrated Framework issued by COSO.
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
GRANT THORNTON LLP (signed manually)
City, State (or Country)
Date (such as, March 15, 20XX)

FDICIA Reporting Depository Institutions


25.226 The application of FDICIA requirements in conjunction with Section 404
requirements creates a number of potential reporting scenarios. Certain public bank
holding companies do not meet the SEC’s accelerated filing requirements and,
therefore, are not subject to an internal control audit. However, a subsidiary bank of the
holding company may be subject to FDICIA internal control reporting requirements or
the bank holding company may elect to report on controls for FDICIA at the holding
company level.

25.227 Essentially, AICPA standards should now be used when the bank holding
company or the IDI is not an issuer. Since both AICPA and PCAOB standards require
the audit of internal control to be integrated with the financial statement audit, the firm
believes it would be inappropriate to refer to PCAOB standards for the financial
statement audit and AICPA standards for the internal control audit of the same entity,
such as when the bank holding company is not an accelerated filer but elects to report
on controls for FDICIA at the holding company level.

25.228 The table below addresses these reporting scenarios.


| | Professional standards to be applied | Controls covered by internal control audit |
|---|---|---|
| FDICIA reporting at bank holding company (BHC) level | | |
| BHC is an issuer (accelerated and non-accelerated filers) | PCAOB | Controls over consolidated BHC regulatory reporting and external consolidated GAAP financial reporting |
| BHC is NOT an issuer | AICPA | |
| FDICIA reporting at insured depository institution (IDI) level | | |
| IDI is an issuer (accelerated and non-accelerated filers) | PCAOB | Controls over IDI regulatory reporting in Call Report and external GAAP financial reporting |
| IDI is NOT an issuer, BHC is NOT an issuer | AICPA | |
| IDI is NOT an issuer, BHC is an issuer | PCAOB¹ | Controls over IDI regulatory reporting in Call Report and external GAAP financial reporting. If BHC is an accelerated filer, controls over BHC’s external consolidated GAAP financial reporting (no reference to regulatory reporting) |

¹ PCAOB standards are required for purposes of the audit of the BHC. However, a separate
report under AICPA standards may be used to report on the IDI’s internal control.

25.229 Financial reporting includes financial statements prepared under GAAP and
the schedules equivalent to the basic financial statements that are included in the IDI’s
(or holding company’s) applicable regulatory report. Therefore, management’s assertion
and the auditor’s report should clearly include a specific description of the scope of
internal control over financial reporting. Additional guidance is provided below when
reporting on internal control at the IDI level and on the financial statements at the BHC
level.

AS 5 Reports

25.230 The bank holding company or the IDI may be an issuer subject to Section 404
reporting. The following provides modified definition paragraphs under AS 5 when
reporting on controls for FDICIA at the IDI or at the holding company level.

25.231 The following AS 5 definition paragraph should be used when the bank
holding company subject to Section 404 elects to report on controls for FDICIA at the
holding company level.

AS 5 Definition Paragraph (Holding Company)


A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. Because management’s assessment and our audit were conducted to also meet
reporting requirements of Section 112 of the Federal Deposit Insurance Corporation
Improvement Act (FDICIA), management’s assessment and our audit of (Holding
Company’s) internal control over financial reporting included controls over the preparation
of financial statements in accordance with the instructions to the Consolidated Financial
Statements for Bank Holding Companies (Form FR Y-9C (or insert other applicable Y
report)). A company’s internal control over financial reporting includes those policies and
procedures that (1) pertain to the maintenance of records that, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3)
provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.

25.232 Although rare, it may be possible for the IDI to also be an issuer subject to
Section 404. The following AS 5 definition paragraph should be used in a report on the
IDI’s controls when the IDI is subject to Section 404 and also reports under FDICIA.

AS 5 Definition Paragraph (Issuer Bank)


A company’s internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. Because management’s assessment and our audit were conducted to also meet
reporting requirements of Section 112 of the Federal Deposit Insurance Corporation
Improvement Act (FDICIA), management’s assessment and our audit of (Issuer Bank’s)
internal control over financial reporting included controls over the preparation of schedules
equivalent to basic financial statements in accordance with the Federal Financial
Institutions Examination Council Instructions for Consolidated Reports of Condition and
Income (call report instructions). A company’s internal control over financial reporting
includes those policies and procedures that (1) pertain to the maintenance of records that, in
reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets
of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the company are being
made only in accordance with authorizations of management and directors of the company;
and (3) provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use, or disposition of the company’s assets that could have a
material effect on the financial statements.

AT Section 501 Reports

25.233 The following provides illustrative internal control audit report language under
AICPA standards for FDICIA reporting depository institutions. For such engagements,
we should report directly on internal control.

25.234 The following AICPA definition paragraph should be used when the bank
holding company (which is not an issuer) elects to report on controls for FDICIA at the
holding company level.

AT Section 501 definition paragraph (holding company)


A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. Because management’s assertion and our audit
were conducted to also meet the reporting requirements of Section 112 of the Federal
Deposit Insurance Corporation Improvement Act (FDICIA), management’s assertion and
our audit of (Holding Company’s) internal control over financial reporting included
controls over the preparation of financial statements in accordance with the instructions to
the Consolidated Financial Statements for Bank Holding Companies (Form FR Y-9C (or
insert other applicable Y report)). A company’s internal control over financial reporting
includes those policies and procedures that (1) pertain to the maintenance of records that, in
reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets
of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the company are being
made only in accordance with authorizations of management and those charged with
governance; and (3) provide reasonable assurance regarding prevention, or timely detection
and correction of unauthorized acquisition, use, or disposition of the company’s assets that
could have a material effect on the financial statements.

25.235 The following AICPA definition paragraph should be used when the IDI reports
on internal control as required by FDICIA and is not an issuer. This paragraph is used
only when the IDI prepares external GAAP financial statements. Additional guidance is
provided below when reporting on internal control at the IDI level and on the financial
statements at the BHC level, when the IDI does not prepare external GAAP financial
statements.

AICPA definition paragraph (subsidiary bank)


A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. Because management’s assertion and our audit
were conducted to meet the reporting requirements of Section 112 of the Federal Deposit
Insurance Corporation Improvement Act (FDICIA), management’s assertion and our audit
of (Subsidiary Bank’s) internal control over financial reporting included controls over the
preparation of schedules equivalent to basic financial statements in accordance with the
Federal Financial Institutions Examination Council Instructions for Consolidated Reports of
Condition and Income (call report instructions). A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.

25.236 Certain IDIs may be subject to the financial reporting requirements of the
Office of Thrift Supervision (OTS). In such circumstances, the definition paragraph
should be modified appropriately to refer to the instructions for Thrift Financial Reports.
OTS banks must also prepare external GAAP financial statements.

AICPA definition paragraph (OTS subsidiary bank)


A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. Because management’s assertion and our audit
were conducted to meet the reporting requirements of Section 112 of the Federal Deposit
Insurance Corporation Improvement Act (FDICIA), management’s assertion and our audit
of (Subsidiary Bank’s) internal control over financial reporting included controls over the
preparation of schedules equivalent to basic financial statements in accordance with the
Office of Thrift Supervision Instructions for Thrift Financial Reports (TFR instructions). A
company’s internal control over financial reporting includes those policies and procedures
that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly
reflect the transactions and dispositions of the assets of the company; (2) provide
reasonable assurance that transactions are recorded as necessary to permit preparation of
financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with
authorizations of management and those charged with governance; and (3) provide
reasonable assurance regarding prevention, or timely detection and correction of
unauthorized acquisition, use, or disposition of the company’s assets that could have a
material effect on the financial statements.

Applying AT Section 501 when Reporting on Internal Control at the IDI Level and on Financial Statements at the BHC Level

25.237 FDICIA requires that certain IDIs have an internal control audit at the IDI level,
but permits them, in some cases, to use the consolidated BHC financial statements to
satisfy the audited financial statements requirement. This presents problems when the
IDI does not prepare separate external GAAP financial statements because AT Section
501 requires the auditor to perform an integrated audit when reporting on internal
control. Interpretation 1 of AT Section 9501, “Reporting Under Section 112 of the
Federal Deposit Insurance Corporation Improvement Act,” addresses how an auditor
can meet the integrated audit requirement and report on the IDI’s internal control when
the IDI does not prepare external GAAP financial statements.

25.238 The Interpretation discusses situations an auditor may encounter when the IDI
does not prepare external GAAP financial statements, but is subject to the FDICIA
internal control audit requirement. One situation is likely to be the most prevalent; that
is, when the IDI comprises substantially all of the consolidated total assets. In this
situation, the Interpretation points out that the financial reporting controls of the
consolidated BHC likely reside at the IDI, and in substance, an integrated audit is
performed even though, technically, the IDI does not prepare separate GAAP financial
statements. The firm expects this to be the situation for most of our nonpublic BHC
clients that perform integrated audits. If so, the Interpretation does not affect the
performance of the audit, and the audit team should continue to document the
integrated audit within one Voyager file for the consolidated entity.

25.239 Other situations require careful evaluation. As the IDI’s percentage of the
consolidated total assets becomes smaller, the audit team must plan and perform the
integrated audit of the IDI separate from the rest of the holding company. This would
require a separate Voyager file to be created as an integrated audit of the IDI. The audit
team would need to capture and test the financial reporting controls that produce
financial information equivalent to external GAAP financial statements. Some of these
controls may operate at the BHC level. As it relates to satisfying the financial statement
audit requirements, the audit team would audit (based on materiality determined at the
IDI level, not the BHC level):
• the IDI’s schedules equivalent to the basic financial statements that are
included in the IDI’s regulatory report, and
• the IDI’s financial information (including disclosure information) provided to
the holding company for preparation of the consolidated financial
statements.

25.240 The PSP is responsible for identifying the nonpublic FDICIA integrated audits
performed in their office to determine whether the engagement falls within the scope of
the Interpretation. The PSP should discuss with the audit team the BHC structure and
the audit team’s approach to achieve an integrated audit and should consider whether
to consult with the NPPD.

25.241 The form of the report on an IDI’s internal control for purposes of FDICIA when
the IDI does not prepare external GAAP financial statements differs from a standard AT
Section 501 report as follows:
• reference to COSO is modified to refer to Section 112 of FDICIA because
COSO only establishes control objectives relating to the preparation of
reliable “published” financial statements
• the definition of internal control paragraph is modified to refer to the
controls over the preparation of the IDI’s financial information included in
the consolidated BHC’s financial statements
• a separate paragraph referring to the financial statement audit is not
included because the audit team does not issue an auditor’s report on the
IDI’s financial information. Likewise, the financial statement audit report on
the consolidated BHC’s financial statements should not include a separate
paragraph referencing the internal control audit at the IDI level
• based on the modified COSO criteria, the report is restricted as to use by
the IDI, the FDIC, and other federal bank regulatory agencies, as
applicable

25.242 The following is an illustrative report expressing an opinion directly on an IDI’s
internal control when the IDI does not prepare external GAAP financial statements and
uses the consolidated BHC’s financial statements to satisfy the audited financial
statements requirement under FDICIA. Refer to the guidance in this Chapter for report
modifications.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS


Board of Directors
W Company
We have audited W Company’s (a Delaware Corporation) internal control over financial
reporting as of December 31, 20XX, based on criteria established in Internal Control—
Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) as modified for the express purpose of meeting the
regulatory requirements of Section 112 of the Federal Deposit Insurance Corporation
Improvement Act (FDICIA). W Company’s management is responsible for maintaining
effective internal control over financial reporting and for its assertion of the effectiveness of
internal control over financial reporting, included in the accompanying (title of
management’s report).1 Our responsibility is to express an opinion on W Company’s
internal control over financial reporting based on our audit.
We conducted our audit in accordance with attestation standards established by the
American Institute of Certified Public Accountants. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether effective internal
control over financial reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial reporting, assessing the risk
that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other
procedures as we considered necessary in the circumstances. We believe that our audit
provides a reasonable basis for our opinion.
A company’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel, designed to provide reasonable
assurance regarding the preparation of reliable financial statements in accordance with
generally accepted accounting principles. Because management’s assertion and our audit
were conducted to meet the reporting requirements of Section 112 of FDICIA,
management’s assertion and our audit of W Company’s internal control over financial
reporting included controls over the preparation of financial information for purposes of
(consolidating holding company’s) financial statements in accordance with accounting
principles generally accepted in the United States of America and controls over the
preparation of schedules equivalent to basic financial statements in accordance with the
Federal Financial Institutions Examination Council Instructions for Consolidated Reports of
Condition and Income (call report instructions). A company’s internal control over financial
reporting includes those policies and procedures that (1) pertain to the maintenance of
records that, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonable assurance that transactions
are recorded as necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company
are being made only in accordance with authorizations of management and those charged
with governance; and (3) provide reasonable assurance regarding prevention, or timely
detection and correction of unauthorized acquisition, use, or disposition of the company’s
assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate
because of changes in conditions, or that the degree of compliance with the policies or
procedures may deteriorate.
In our opinion, W Company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20XX, based on criteria established in Internal
Control—Integrated Framework issued by COSO as modified for the express purpose of
meeting the regulatory requirements of Section 112 of FDICIA.
(Add the following disclaimer paragraph, as applicable)
We do not express an opinion or any other form of assurance on (describe other
information in management’s report not covered by our opinion).
This report is intended solely for the information and use of management, (identify the body
or individuals charged with governance), others within the organization, the Federal
Deposit Insurance Corporation and (other federal bank regulatory agency) and is not
intended to be and should not be used by anyone other than these specified parties.
GRANT THORNTON LLP (signed manually)
City, State (or Country)
Date (such as, March 15, 20XX)
1 Management’s signed report containing management’s assertion must accompany our
auditor’s report. AT Section 501 provides an illustrative management report.

Management’s Report

25.243 In accordance with Section 112 of FDICIA, management must issue a report
on its assessment of the effectiveness of the entity’s internal controls and its compliance
with laws and regulations. Section 112 also requires the accountant to “…examine,
attest to, and report separately on, the assertions of management concerning the
institution’s internal control structure and procedures for financial reporting.” The
accountant is not required to report on compliance with laws and regulations.

25.244 Management’s assertion and the auditor’s report should clearly include a
specific description of the scope of internal control over financial reporting. The nature
and scope of management’s assertion in their report on internal control must be closely
evaluated. The scope of internal control over financial reporting in management’s report
should be consistent with the scopes indicated in the preceding sections. We should
decline to issue our internal control audit report if management does not include an
appropriate written assertion that clearly describes the scope of internal control over
financial reporting in their report.

25.245 When management’s report contains other information in addition to their
assessment of internal control effectiveness, the audit team should disclaim an opinion
on such information (as discussed previously). Further, if management issues a
combined report on internal control and compliance with laws and regulations, the audit
team should also disclaim an opinion on management’s assessment of compliance.

25.246 The following provides an illustrative disclaimer pertaining to compliance with
laws and regulations. Such disclaimer is not necessary when management issues a
separate report on such compliance.

We do not express an opinion or any other form of assurance on management’s statement
referring to compliance with designated laws and regulations.

Safeguarding of Assets

25.247 Controls over the safeguarding of assets that are needed for reliable financial
reporting are implicit in management’s assertion and the auditor’s report thereon.
Consequently, management’s report may explicitly refer to safeguarding of assets to
emphasize that the scope of their assertion includes such controls.

25.248 When management’s assertion makes reference to safeguarding controls
using language such as “controls over financial reporting, including controls over the
safeguarding of assets,” the internal control audit report need not be modified, as the
definition of internal control in the definition paragraph includes reference to applicable
financial reporting safeguarding controls.

25.249 However, if management’s assertion makes reference to safeguarding
controls using language such as “controls over financial reporting, and controls over the
safeguarding of assets,” the audit team should carefully consider whether the controls
covered by management’s assertion fall outside of financial reporting controls, and
whether the wording adequately communicates the scope of management’s assertion.
In such cases, the audit team should:
• ask management to consider changing its assertion to use the wording
“controls over financial reporting, including controls over the safeguarding
of assets,” such that their assertion only covers financial reporting controls
• disclaim an opinion on the portion of management’s assertion that was not
included within the scope of the audit team’s work (e.g., safeguarding
controls (without limitation) and safeguarding controls including those over
operations). Generally, the audit team’s work does not extend beyond
financial reporting controls. When management’s assertion covers
safeguarding controls beyond financial reporting, management’s report
should clearly define the safeguarding controls included in its assertion
and state the criteria used to assess the adequacy of those controls,
including specifying the threshold for measuring the materiality of
weaknesses in operations controls (as such threshold is not covered in
COSO and does not relate to the financial statements)

25.250 The audit team should consult with the NPPD if the wording of management’s
assertion with respect to safeguarding of assets differs from the wording recommended
above (controls over financial reporting, including controls over the safeguarding of
assets).

Reporting on Whether a Previously Reported Material Weakness Continues to Exist

25.251 The PCAOB issued AS 4 to provide a mechanism for entities to obtain auditor
assurance that a previously reported material weakness no longer exists. While this
type of engagement is allowed, the firm believes demand will be low and has concerns
about misperceptions and confusion that users may form based on such reports. The
firm is most concerned about a user who sees only a “clean” report on a selected
material weakness and believes that all material weaknesses no longer exist. The firm
is also concerned about users who project the opinion on the effectiveness of internal
control to the date of the report on a previously reported material weakness.

25.252 Accordingly, the firm considers AS 4 engagements to contain risks and
discourages their performance. The express approval of the NPPD, who will consult
with the NMP NPSG, must be obtained prior to agreeing to perform an AS 4
examination. In addition, NPPD involvement is required throughout the engagement,
including a pre-release report read.

25.253 In the rare situation where the firm accepts an AS 4 engagement, it will only be
considered if the material weakness is a discrete problem with a limited effect on
internal control. Reporting on material weaknesses that have a pervasive effect, such as
most entity-level controls, requires a broad and extensive base of work. The more
subjective and the more pervasive the material weakness, the more testing, over a
longer period of time, is necessary to determine whether the material weakness was
remediated. For example, certain IT general controls ordinarily would permit the audit
team to obtain sufficient evidence as to their operating effectiveness in a shorter period
of time than a pervasive, entity-level control, such as the control environment. If the
material weakness is not suitable for this type of narrow, interim reporting, the firm will
not accept the engagement.

25.254 The firm will not perform an AS 4 engagement in the following circumstances:
 the audit partner and quality control reviewer on the most recent internal
control audit will not participate in the engagement (an exception may be
permitted only as it pertains to partner rotation requirements)
 the firm is the predecessor auditor
 the firm is the successor auditor
 the material weakness relates to entity-level controls that are pervasive
and subjective (see above)
 the material weakness is not completely remediated (downgraded to a
deficiency)
 firm personnel will not perform the testing directly
 the “remediation” is not based on changes in the design or operation of
internal control (management asserts the material weakness no longer
exists due to changes in size of the entity or other judgments about the
materiality of potential misstatements)

Chapter Twenty Six - Audits of Service Organization Controls

Summary

This Chapter discusses engagements to audit service organization controls that are
likely to be part of user entities’ internal control over financial reporting.

Introduction
26.01 It is quite common today for entities (both large and small) to outsource
aspects of their business activities to other organizations. These “service organizations”
provide services ranging from performing a specific task under the direction of the entity
to replacing entire business units or functions of the entity. Many of the services
provided by service organizations are integral to the entity’s business operations.
However, not all of those services are directly linked to an entity’s information system
relevant to financial reporting.

26.02 A service organization’s services are part of a user entity’s information system,
including related business processes, relevant to financial reporting if they affect any of
the following:
 the classes of transactions in the entity’s operations that are significant to
the entity’s financial statements
 the procedures, within both automated and manual systems, by which the
entity’s transactions are initiated, authorized, recorded, processed, and
reported in the financial statements
 the related electronic or manual accounting records, supporting
information, and specific accounts in the entity’s financial statements
involved in initiating, authorizing, recording, processing, and reporting the
entity’s transactions
 how the entity’s information system captures events and conditions, other
than transactions, that are significant to the financial statements
 the financial reporting process used to prepare the entity’s financial
statements, including significant accounting estimates and disclosures

26.03 Service organizations include, but are not limited to, the following:
 bank trust departments that service assets for employee benefit plans or
others
 mortgage or loan servicing organizations
 technology centers that process transactions and related data
 organizations that develop, provide, and maintain software
 organizations that process payroll and employee payroll tax filings

26.04 A service auditor is an auditor who reports on controls at a service
organization that affect user entities’ internal control. The report assists the user entity in
understanding the service organization’s activities and in determining the processes and
controls it should implement. The service auditor’s report also assists the auditor of a
user entity (user auditor) in performing the audit of the user entity’s financial statements.

26.05 Although this Chapter addresses reports on controls at service organizations
that are likely to be relevant to user entities’ internal control over financial reporting, it
may be adapted and applied when reporting on other types of service organization
controls.

Types of Reports and Services

26.06 Service auditors may be engaged to audit and report on a description of a
service organization’s system and either:
 the suitability of the design of controls (“type 1”)
 the suitability of the design and operating effectiveness of controls (“type
2”)

26.07 Reports for a type 1 engagement are as of a point in time whereas type 2
reports cover a specified period. To be useful to user auditors, a type 2 report ordinarily
covers a minimum period of six months. If the period is less than six months, the service
organization may describe the reasons for the shorter period in the description of the
system and the service auditor’s report may include this information. Circumstances that
may result in a report covering a period of less than six months include:
 the service auditor was engaged close to the date by which the report on
controls is to be issued, and certain controls can be tested only through
observation
 the service organization (or a particular system or application) has been in
operation for less than six months
 significant changes have been made to the controls and it is not
practicable either to wait six months before issuing a report or to issue a
report covering the system both before and after the changes

Pre-engagement Activities

Client Acceptance and Reacceptance

26.08 All new prospective engagements to report on service organization controls,
including new engagements with existing assurance clients, should undergo audit client
acceptance procedures in accordance with the policies stated elsewhere in this Manual.
This includes creating an initial acceptance record (and reacceptance of continuing
engagements for both public and nonpublic clients) using the GTI Client Acceptance
software. Teams should attach the draft engagement letter and the control objectives
from the prior year report to the record.

26.09 A key consideration in client acceptance is evaluation of the suitability of
control objectives that the service organization desires to cover in the report. Some
organizations may desire reports that cover control objectives:
 that are not relevant to a user auditor (for example, disaster-recovery
controls)
 that were not in operation during the testing period
 that are limited in scope and therefore unlikely to be useful to user entities
or user auditors
 only IT general controls

26.10 Ordinarily, such engagements should not be accepted. In addition, the firm
ordinarily will not accept an engagement to report on IT general controls in the absence
of reporting on specific IT applications. If, for example, a service organization is
responsible for developing or changing application software or providing other
transaction processing services in addition to IT infrastructure (e.g., hardware, system
software, security), a report on IT general computer controls alone may not provide user
auditors with a sufficient understanding of the service organization’s controls relevant to
their audit of the user entity. The decision to accept an engagement to report only on IT
general controls should carefully consider whether such reports will provide sufficient
information to avoid potential ambiguities about the service organization’s internal
control. Ultimately the audit team should consider whether such reporting will be useful
to user entities and their auditors.

26.11 The audit team should evaluate the suitability of management’s criteria for
measuring and presenting the description of the system and the suitability of the design
and operating effectiveness of controls. Professional standards describe the suitable
criteria for the audit of service organization controls. The firm should only accept an
engagement if the audit team believes that the criteria will be suitable for the intended
user entities and their auditors.

International Considerations

26.12 [Tailor to reflect the location of your form] GTIL’s risk management policies
require that, before completing client acceptance procedures, each GTI member firm
perform independence conflict checks if the service organization has any international
operations. The firm’s documentation required to perform the independence check is
available on KSource under Communities > Internal Client Services > People >
Independence and Ethics > Independence Conflict Request.

Training and Proficiency

26.13 As part of the client acceptance and reacceptance process, a determination
should be made as to whether the proposed audit team has adequate training and
proficiency to complete the engagement with professional competence. Audits of
service organization controls must be performed under the leadership of a SAS or Audit
partner who has adequate, relevant experience. The lead partner is responsible for
determining, prior to the beginning of fieldwork, whether professionals assigned to the
engagement collectively possess adequate competencies and experience.

26.14 All professionals involved in an audit of service organization controls should
possess the appropriate knowledge and experience to fulfill their responsibilities related
to these engagements. This includes completing the training programs developed by
the firm for audits of service organization controls.

Independence Rules and Considerations

Reportable Investments List

26.15 The Reportable Investments List (RIL) provides a listing of all audit clients of
the firm and their affiliated entities for which independence is required. The audit team is
required to verify that a service organization that meets any one of the following criteria
is included as a restricted entity on the RIL:
 has publicly traded equity securities or debt
 has intrastate offerings of debt or equity securities
 trades on an exchange (including a foreign exchange), the NASDAQ,
over-the-counter, bulletin boards, or the pink sheets
 is a depository institution
 is a lender or entity that services loans, including mortgage operations
 is a broker-dealer
 is a registered investment adviser
 is a hedge fund
 is a limited partnership or limited liability corporation that offers units or
shares for sale to the public
 is a state or local government organization, including service bureaus
 is a not-for-profit organization that has conduit debt through government
agencies or intermediary organizations

Independence Rules and Considerations

26.16 [Tailor to reflect location] Service organization control audits are attest services
and are subject to independence rules. Nonaudit services described as “prohibited” for
financial statement audits are also prohibited for these clients (see the Nonaudit
Services Matrix on KSource under Communities > Internal Client Services > People >
Independence and Ethics).

26.17 While these engagements do not entail reporting on the financial statements of
the service organization, in certain situations, they may impair the firm’s independence
related to financial statement audit clients. For example, if we audit the financial
statements of a listed client that is a service organization and we also perform an audit
of service organization controls, our independence would be impaired only if our report
on the service organization controls is used by management of the listed audit client in
its own assessment of internal control over financial reporting.

26.18 [Tailor to reflect your consultation policy] If, however, an unrelated user entity is
our listed audit client, there is no independence conflict if the user entity uses our report
on the service organization controls as part of its assessment of internal control. This
may change in the future, as regulators continue to evaluate this issue. However, the
audit team performing the audit of service organization controls should consult with the
NPPD in situations where the service organization is controlled by or is an affiliate of a
listed audit client or where the listed audit client is the majority or sole customer of the
service organization.

26.19 When the firm is not the auditor of record for a service organization that is an
SEC registrant, a broker-dealer, a Federal Deposit Insurance Corporation Improvement
Act of 1991 (FDICIA) or Office of Thrift Supervision (OTS) financial institution, a
registered investment adviser, a hedge fund, an employee benefit plan that files a Form
11-K, or other entity where the SEC independence rules apply, these engagements are
subject only to the AICPA’s independence rules, including independence rules with
respect to performing non-attest services. (Refer to the Nonaudit Service Matrix and the
GTUS Independence and Ethics Manual).

AICPA independence rules are addressed in this manual as it is anticipated that
member firms, in some situations, will conduct the engagement under AICPA standards.
In this situation, member firms should also follow the policies in “Using the GAAP and
GAAS of another country” contained in Chapter 24.

26.20 The firm and any accounting or consulting firm that we engage to assist us as
part of the audit team are required to be independent under the AICPA independence
rules. Certain exceptions may apply when we use outside experts. We need to be
independent beginning at the earlier of when we are engaged to perform the services or
when we begin work on the engagement. The “period of the engagement” extends
beyond the date of our report until the firm’s attest relationship with the client is
terminated.

26.21 When we perform a service organization control audit for an entity where we
are subject to the SEC’s independence rules, such as when we audit an issuer, a
broker-dealer, a FDICIA financial institution, a registered investment adviser, a hedge
fund, or an employee benefit plan that files a Form 11-K, the firm and all of the GTI
member firms also need to follow the firm’s guidelines on audit committee pre-approval
of an audit-related service in addition to the AICPA requirements. For issuers and
FDICIA financial institutions, the PCAOB’s independence rules and the SEC’s
independence rule requirements for issuers (partner rotation, one-year cooling off, audit
partner compensation) also apply. For example, we would need to assess
whether the lead partner on the engagement met the criteria for an “other audit partner”
for rotation purposes.

26.22 [Tailor to reflect the location of your policies] Firm policies and procedures
regarding ethics and independence are discussed in the firm’s Independence and
Ethics Manual.

Independence Considerations Related to Readiness Reviews and Controls Documentation

26.23 As with any audit, readiness reviews (engagements that provide
recommendations and feedback on client-prepared documentation allowing
management to identify and correct potential weaknesses prior to a formal control audit)
must comply with AICPA ET Interpretation 101-3 and, if applicable, the SEC
independence rules. When a readiness review is performed as a stand-alone
engagement (not as part of an internal audit outsourcing or co-sourcing engagement),
no conflict exists if the engagement was performed in accordance with, as applicable,
the AICPA ET Interpretation 101-3 requirements or the SEC independence rules. In
addition, if the service organization is an SEC audit client or subject to the SEC
independence rules, such as a FDICIA or OTS financial institution or a broker-dealer,
we must communicate our conclusion that the readiness review engagement does not
impair the firm’s independence so that the audit committee or its equivalent may
evaluate the services prior to pre-approving the professional services. In addition, as
mentioned previously, our readiness review cannot be used by management to assess
its internal control.

26.24 For any readiness review performed as part of the service organization control
audit, we cannot engage in any activities deemed to be management activities that we
will examine at a later date during the service organization control audit or the audit of
the financial statements. Such activities impair our independence and prevent us from
performing the service organization control audit. Accordingly, preparing controls
documentation on behalf of clients is a prohibited activity that impairs independence.
Although general templates, outlines, recommendations and suggestions, and feedback
on client-prepared documentation can be provided to clients as part of
assessment-related readiness services, management is responsible for all controls documentation
and description of controls in the report. If we prepare control documentation or the
description of controls on behalf of management, another auditor would have to perform
the engagement for at least one period before we could perform it.

26.25 If we assist a service organization in the development of control objectives in
connection with a readiness assessment engagement, we may use those objectives in
succeeding engagements. However, service organization management must explicitly
accept responsibility for the objectives in the report.

26.26 The work performed in a readiness assessment should provide the audit team
with an understanding of the service organization that can be leveraged in performing
the audit. However, this understanding should be documented in the audit workpapers.
The testing performed during the readiness assessment may not be leveraged because
all testing performed to support the report must be performed during the period covered
by the report.

State Licensing Requirements

26.27 [Include and tailor if licensing requirements exist] As discussed elsewhere in
this Manual, before agreeing to provide services to a client, the audit team, including the
lead partner, should be in compliance with the firm’s licensing policies and state
accountancy laws and regulations. At a minimum, the lead partner must be a properly
licensed CPA in the state where our issuing office is located. Because licensing
requirements vary from state to state, such requirements must also be considered when
work is to be performed at locations in other states. Partners and other personnel are
encouraged to contact the Licensing Help Desk with specific licensing questions.

Engagement Letters

26.28 [Tailor to reflect the location of your letters] An engagement letter can be found
under Letters, Forms and Templates > Audits of Controls at Service Organizations. With
tailoring, the same letter will apply for both SEC and non-SEC engagements.

26.29 [Tailor to reflect the location of your letters] The user entity and its auditor may
separately engage us to perform procedures that are substantive in nature for the
benefit of the user auditor. Such substantive procedures may also be imposed by
governmental authorities or through contractual agreements. Ordinarily, such
engagements should be structured as agreed-upon procedures engagements.
Illustrative engagement letters for such engagements are available under Letters,
Forms and Templates > Agreed-Upon Procedures.

26.30 The firm will allow teams to arrange multi-year agreements with clients using,
for example, master service agreements (MSA). However, even when we have a multi-
year MSA, we must complete the client reacceptance process and obtain a new
engagement letter each year.

26.31 [Tailor to reflect your policies] Terms and conditions are normally appended to
an annual engagement letter and these can be placed in the MSA. The MSA can also
be used as an attachment or be incorporated by reference into each annual
engagement letter. Any changes in the terms and conditions from year to year can be
included in the annual engagement letter without having to renegotiate the entire MSA.
RRLA should be involved in drafting the MSA and harmonizing it with the annual
engagement letter to avoid confusion and inconsistencies.

Confidentiality and Nondisclosure Agreements

26.32 [Tailor to reflect your policies and the location of your letters] RRLA has
developed standard templates for confidentiality and nondisclosure agreements, which
are available on KSource under Communities > Internal Client Services > Operations >
Legal Services > Legal Forms. The standard template for clients and potential clients
can be provided without further consultation, unless the template is modified. As a
reminder, RRLA should review and approve any modifications to the standard template
and any requests to sign client-developed agreements.

Responsibilities
26.33 Service organization management and the audit team each have specific
responsibilities in a service organization control audit.

Service Organization Management

26.34 Service organization management is responsible for:
 determining whether the engagement is type 1 or type 2
 preparing a description of the system
 specifying the control objectives, identifying the risks that threaten those
objectives, and designing, implementing, and documenting controls
 preparing a written assertion that will accompany our report and having a
reasonable basis for its assertion
 selecting the criteria to be used and stating them in its assertion
 providing us with access to information needed to perform the
engagement

Audit Team

26.35 The audit team is responsible for reading the description of the system to gain
an understanding of the representations made by management and for performing
procedures to determine whether the description presents fairly, in all material respects,
the relevant aspects of the service organization’s controls that have been implemented.
The audit team is required to tailor and complete the audit program within Voyager.
Audit teams should not use an audit program in Excel.

26.36 Professional standards describe the matters to be addressed by the
description of the system so that it is fairly presented. The audit team should determine
whether these matters:
 address all the major aspects of processing (within the scope of the
engagement) that may be relevant to user entities and their auditors in
planning and performing an audit of financial statements
 contain any significant omissions or inaccuracies

26.37 The audit team is also responsible for determining that the controls, as
described, are suitably designed to achieve the control objectives specified by
management and, for a type 2 engagement, whether the controls operated effectively
through the period to achieve the objectives.

Lead Partner

26.38 [Tailor to reflect your policies] When a non-CPA BAS principal is assigned to
an engagement instead of a licensed CPA, an audit partner must serve this role. The
audit partner is responsible for complying with professional standards, and the BAS
principal is focused on the subject matter of the engagement. In this situation, it takes
the skills of both professionals to perform the engagement and comply with professional
standards; both should review the audit documentation as necessary to fulfill their roles.

26.39 The amount of time the partner spends on an engagement and the partner’s level
of involvement depend on many client and audit team factors. The partner is responsible
for compliance with professional standards and the quality of our work product.
Therefore, the partner should spend whatever time and review whatever audit
documentation he or she considers necessary to ensure that the engagement complies
with professional standards and firm policies. Although we cannot generalize about the
time that will be needed, the partner should be as involved in planning, meetings, and
reviews of workpapers and report drafts as they would be on a financial statement audit.

Quality Control Review

26.40 [Tailor the last sentence only to reflect your policies] All service organization control
audits require the assignment of a quality control reviewer. The quality control reviewer
may be a partner, a principal, or a manager and should possess knowledge of the
professional standards and firm policies relevant to these engagements. In cases where
a BAS professional serves as the lead partner, the quality control reviewer should be an
audit services professional.

26.41 [Tailor to reflect your consultation policies] Any exception to the quality control
review policies should be rare and must be approved in advance by the PSP. The
premise behind these policies is to ensure that the right combination of audit and IT
skills is brought to each engagement. The combination of the partner and quality
control review roles will enable the team to evaluate whether the report and our opinion
are both in compliance with professional standards and are quality deliverables.

26.42 The scope of the quality control review includes reviewing the report and the
relevant documentation and discussing the engagement with the lead partner and/or
manager. Quality control reviewers document their review by completing the Quality
Control Review program in Voyager and signing off the documents reviewed.

26.43 The quality control review must be completed, and all modifications made to
resolve any issues identified during the course of the review, prior to the date of the
report.

Control Considerations
26.44 Professional judgment is necessary to determine whether the controls tested
are sufficient to achieve their respective control objectives. Conclusions regarding the
achievement of control objectives should be consistent with the service organization’s
processing and exception-handling experience during the period covered by the report.

26.45 Management is responsible for identifying control objectives in the description
of the system. Sometimes management’s objectives do not appear relevant to the
subject matter of the report. Control objectives are considered questionable if they:
 are not relevant to financial reporting assertions and risks of user entities
(for example, business risks, contractual compliance, data privacy, and
security of non-financial/confidential data)
 involve control activities that don’t interact with user entity financial
reporting controls (typically relating to applications and business
processes not relevant to financial reporting, for example, fee for services
activities, such as document imaging)
 do not otherwise appear to be relevant to the needs of user entity auditors
 are so lacking in specificity that it is difficult, if not impossible, to assess
whether they have been achieved
 are incomplete such that a necessary objective may be missing because
the service organization lacks adequate controls to achieve the objective

26.46 Appendix E of the AICPA Audit Guide, “Service Organizations: Applying SAS
No. 70, As Amended,” includes illustrative control objectives for various types of service
organizations. Recognize when using this guide that it will be updated and replaced. In
the meantime, the illustrative control objectives may still be useful for reference. The
firm currently does not capture or catalog standard/typical control objectives by industry.
However, certain industry-relevant information is publicly available on the Internet. For
example, the Securities Industry and Financial Markets Association provides certain
high-level control objectives information. Audit teams should also consider working with
appropriate industry teams to assist in the verification of clients’ industry-specific control
objectives and related controls.

26.47 In the course of performing audit procedures such as walkthroughs, tests of
controls, and inquiries, the audit team should be alert for circumstances that might
indicate the presence of underlying control issues. These include:
 incidents of processing failures, loss or destruction of data, and significant
downtime
 program reruns during routine batch application processing cycles and
emergency program changes
 IT-generated reports that users consider erroneous, incomplete, untimely,
or otherwise unreliable
 difficulty in performing routine reconciliation and balancing using IT-
generated reports
 recurring reconciling differences or write-offs of reconciling items
 double or incomplete posting of transactions
 unexplained and/or unresolved application dysfunctions
 excessive backlog of both open problem tickets and “fixes” relating to
application and data errors
 data correction requiring direct access to production databases by IT or
users rather than through application program functions

26.48 Any of these indicators, if excessive in their occurrence, may be
manifestations of one or more control issues. For example, excessive program abends
(sudden failures of a computer program) may be caused by gaps in IT general controls,
such as change management, security administration, and/or program execution
management. Some of these problems may also be the result of application and
business process–level control gaps and other anomalies that exist, in spite of a sound
IT general controls environment existing during the period covered by the report.

26.49 Audit teams are not expected to design and perform procedures to detect
these matters; however, once identified, the audit team is obligated to perform follow-up
procedures. This would include documenting their considerations about whether such
matters impact conclusions regarding the design or operating effectiveness of the
related controls.

26.50 The absence of these indicators does not mean that controls are effective. The
audit team is required to obtain sufficient, appropriate audit evidence to reach this
conclusion.

Walkthroughs

26.51 Audit teams perform walkthroughs as part of the engagement. The objectives
of walkthroughs for service organization control audits are the same as for financial
statement audits and include:
• determining whether internal control is accurately documented
• understanding the flow of transactions
• determining whether controls are implemented

26.52 All of this information is necessary to evaluate design effectiveness. It is
important to realize that professional standards state that inquiry alone is not sufficient
evidence to determine whether controls are implemented. This typically means that the
audit team needs to observe the operation of a control or examine evidence of the
implementation of the control. The nature of the control and its associated processes is
a main factor in determining how to verify its implementation. For example, a
walkthrough test is best suited for controls that are components of an end-to-end
process. The audit team satisfies the three objectives by tracing an item through the
entire process. A walkthrough is not feasible for other types of controls and the audit
team will need to perform observation or examine documents to determine whether the
control is implemented.

26.53 Accordingly, the technique used to verify whether controls were implemented
will determine the form of documentation placed in the file. In some cases (for example,
program change management), the documentation could take the form of a
walkthrough. In other cases (for example, relevant control environment controls), the
document could take the form of a memo.

Required Controls at User Entities (User Control Considerations)

26.54 In some instances, implementation of certain controls by the user entity may
be necessary to achieve a specified control objective, such as controls:
• over passwords needed to access the service organization’s applications
through computer terminals
• to verify that all input sent to the service organization is complete,
accurate, and authorized
• to determine that all required output is received from the service
organization and reconciled to the input sent to the service organization

26.55 User entity controls (also known as complementary user entity controls) that
are required to achieve a control objective should be delineated in management’s
description of controls and referred to in our report. If the description does not identify
these controls, the audit team should request that management amend the description
to include the missing information.

26.56 If management does not amend the description, we should include in our
report an explanatory paragraph describing the required user controls and consider
whether the opinion should be qualified as to the fairness of the presentation of the
description.

Testing and Evaluation


26.57 In a type 2 engagement, the firm opines on the operating effectiveness of the
controls at the service organization that are the subject matter of the engagement.

26.58 There are a variety of audit procedures available to test these controls,
including:
• sampling (applying audit procedures to less than 100% of the population
using statistical techniques that allow the results to be projected to the
entire population)
• reperformance (applying audit procedures to less than 100% of the
population but unable to project the results to the entire population
because statistical techniques were not used)

Sampling

26.59 The firm’s attribute sampling guidelines are discussed in more detail in
Chapter 14. Audit teams should follow the attribute sampling table in this Manual to
determine the appropriate sample size, not IDEA. However, IDEA can be used to select
the items to test in the population based on that sample size. The workpapers where the
testing is performed should contain all of this documentation.

26.60 Sampling is the preferred testing approach, where appropriate, because the
results can be projected to the entire population. Therefore, sampling should generally
be used for controls that operate frequently and have larger populations.

26.61 Sampling is ordinarily not appropriate for populations less than 100 because
the sample size becomes unusually large in relation to the population. For smaller
populations, the firm recommends using reperformance (discussed below).

26.62 Attribute sampling is appropriate when testing manual controls. The attribute
of the sample is whether the control operated effectively to achieve the specified control
objective during the period specified. The period of time is not relevant to the sample
size, and the sample size should not be reduced for periods of less than one year.

26.63 Sampling should ordinarily not be used to test the operating effectiveness of
automated controls. When automated controls operate in an environment where
applicable IT general controls are designed and operate effectively, they will be
executed consistently throughout the period. Therefore it is not necessary to test
multiple occurrences of automated controls. When testing automated controls, a
selection of two or three items is sufficient to support our conclusion.

Reperformance

26.64 Reperformance is appropriate for controls that operate infrequently (i.e.,
smaller populations). Populations with fewer than 100 items are considered smaller
populations where sampling is ordinarily not appropriate due to the size of the sample in
relation to the population.

26.65 When using reperformance, the audit team judgmentally selects items to test
and determines whether further testing is necessary based on the outcome of those
tests. The firm recommends testing 10 percent of the population when using
reperformance (for example, for a population of 50, 5 items would be tested).

26.66 The results of reperformance are not sufficient, in themselves, to allow
extrapolation to the entire population of control occurrences. However, augmenting
reperformance with other tests, such as inquiry and observation (in connection with
evaluating design effectiveness, for instance, or searching for indicators in conflict with
reperformance results), is usually sufficient to support conclusions on operating
effectiveness.

Responding to Exceptions

26.67 When an exception (or deviation) is identified in testing, the audit team may
either test additional items or test alternative controls.

26.68 Before testing additional items, the audit team should carefully consider
whether further testing would yield different results. The likelihood of discovering
additional errors in the population is ordinarily quite high. Therefore, the audit team
should discuss the specific situation with the lead partner or manager before increasing
the sample size and performing further testing.

26.69 If no more than two exceptions are identified after expanding the sample size
as permitted in the table set forth in Chapter 14 (i.e., “Minimum sample size – two
deviations”), the audit team can conclude that the control operated effectively.

26.70 If three or more exceptions are identified at any point in the testing (i.e., in
testing the original minimum sample or in the expanded sample), the audit team should
stop the test for that attribute and consider the control ineffective or “failed.”

26.71 In such circumstances, another control that achieves the same control
objective may be tested to determine whether the alternative control operated effectively
and supported the achievement of the specified control objective.

26.72 The concept of an “isolated” error is never valid. Audit teams should not
conclude that identified exceptions are isolated and no further testing is warranted.

26.73 All exceptions identified during testing should be resolved by either
management identifying and correcting all exceptions in the population or the audit team
evaluating the impact of the exceptions on our report.

Use of Others

26.74 If the service organization has an internal audit function, the audit team should
understand the nature of internal audit’s responsibilities and activities. If internal audit is
both objective and competent and the work is relevant to the engagement, the audit
team can use the work of internal auditors to modify or reduce, but not eliminate, tests
of controls performed directly by the audit team. In this case, the audit team evaluates
and performs procedures on internal audit’s work to determine its adequacy.

26.75 The audit team should not refer to internal audit in our report, except for a type
2 report where internal audit’s work was used in performing tests of controls. The
responsibility for the report rests solely with the audit team, and the audit team should
perform procedures to obtain sufficient, appropriate evidence to support our opinion. In
a type 2 report, our description of the tests of controls performed discloses internal
audit’s work and our procedures with respect to that work.

26.76 [Tailor to reflect your consultation policies] The audit team may use the work of
other auditors (GTI member firms, GTI correspondent firms, and other unaffiliated
firms). Because these cases are expected to be rare, the audit team should discuss the
matter with the PSP when contemplating whether to use the work of another auditor.

Consultation

26.77 [Tailor to reflect your process] Audit teams should follow the guidance for
consultations with the National Office found in this Manual.

Deficiencies in IT General Controls

26.78 Engagements whose scope includes IT applications typically also involve the
evaluation of IT general controls that directly impact those applications (such as
program maintenance, security, batch program execution). Some of the IT general
control processes and control activities of the service organization may not be relevant
to the applications and business processes falling within the scope of the engagement.

26.79 Accordingly, non-relevant IT general controls should not be considered
in-scope. We opine on the achievement of control objectives, rather than individual control
activities; we can determine the nature and extent of testing required. We do not need
to test any irrelevant controls, and we can limit the testing of less important controls.
Testing of automated controls may be ineffective if IT general control deficiencies are
severe and have a pervasive effect on the integrity and consistent performance of
automated controls.

26.80 [Tailor to reflect your consultation policies] In such environments, the audit
team should consult with the PSP and NPPD to determine whether or not to complete
the engagement.

Reporting Exceptions

26.81 For type 2 engagements, our report should describe the tests of controls
performed and the identified control exceptions (that is, the sample size, the number of
exceptions, and the related impact).

26.82 [Tailor to reflect your consultation policies] In describing the control tests and
the related results, the audit team should disclose all identified exceptions in the report
unless, through discussion with the quality control reviewer and consultation with the
NPPD, a determination is made that disclosure of the exception would not be relevant to
the user auditors. This includes situations where the audit team concludes that the
control operated effectively. In other words, the audit team should include in the type 2
report all exceptions noted in the course of the engagement—during both the audit
team’s testing and internal audit’s testing—unless they are clearly inconsequential to
user entities.

Reporting

26.83 [Tailor if you are providing example standard reports] Refer to ISAE 3402 for
example reports.

Other Design Deficiencies

26.84 The audit team is not concerned with design deficiencies that could potentially
affect processing in future periods. If the audit team becomes aware of such
deficiencies, it may communicate them to the service organization and advise
management to disclose the deficiencies, including remediation plans, in a separate
section of its description of controls.

26.85 [Tailor to reflect your consultation policies] The firm prefers that management
disclose such information and requires that we disclaim an opinion on such disclosures.
Accordingly, if the audit team believes additional disclosures are necessary and intends
to include such disclosures in our report, they should consult with the NPPD.

Identified Fraud, Illegal Acts, and Uncorrected Errors

26.86 [Tailor to reflect your consultation policies] If, during the course of the
engagement, the audit team becomes aware of fraud, potential illegal acts, or
uncorrected errors that may affect one or more user entities, they should consult with
the NPPD to determine the appropriate course of action, including the required
communications under professional standards.

Representation Letter

26.87 The audit team should obtain a representation letter as of the date of the
report. If the service organization uses a subservice organization and the description of
the system uses the inclusive method (that is, the description of the system includes the
services of the subservice organization), the audit team should also obtain written
representations from management of the subservice organization.

26.88 Management’s refusal to furnish all appropriate written representations
constitutes a limitation on the scope of the engagement, sufficient to preclude an
unqualified opinion and generally sufficient to cause the audit team to disclaim an
opinion or withdraw from the engagement. The audit team is required to disclaim an
opinion or withdraw from the engagement if management will not provide
representations that reaffirm its assertion and that indicate that management has
provided us with access to all relevant information and people.

26.89 [Tailor to reflect the location of your letter] An illustrative representation letter
can be found under Letters, Forms and Templates > Audits of Controls at Service
Organizations. The illustrative letter includes the minimum representations that are
required to comply with professional standards and firm policy.

Reporting
General

26.90 [Tailor to reflect your consultation policies] The following table summarizes the
various reporting implications that may be encountered:

Matters covered by service auditor’s report: Description of the system is fairly
presented as of a specific date (type 1) or a specific period (type 2). This includes
whether the control objectives are appropriate and whether the controls were
implemented.
Matters that may affect service auditor’s opinion: Omissions or inaccuracies in the
description, including incomplete control objectives or controls that have not been
implemented. The audit team should ask management to amend the description.
Reporting implications: If the description is not amended, consult with the NPPD to
determine whether to issue a qualified or adverse opinion. An explanatory paragraph,
prior to the opinion paragraph, is required to describe the omission or inaccuracy.
Note: Omissions would not necessarily affect the audit team’s opinion on the
suitability of the design or operating effectiveness of the controls, because those
opinions relate only to control objectives that are included in the description.

Matters covered by service auditor’s report: Controls were suitably designed to
achieve the control objectives as of a specific date (type 1) or a specific period
(type 2).
Matters that may affect service auditor’s opinion: Design deficiencies (controls do
not achieve the control objectives).
Reporting implications: If the controls do not achieve the control objectives, a
qualified (“except for”) opinion is issued. An explanatory paragraph, prior to the
opinion paragraph, is required to describe the design deficiencies.

Matters covered by service auditor’s report: Controls operated effectively during a
specific period (type 2).
Matters that may affect service auditor’s opinion: Operating deficiencies (controls
did not operate effectively).
Reporting implications: If the audit team determines that controls are not operating
with sufficient effectiveness to achieve the control objectives, a qualified (“except
for”) opinion is issued. An explanatory paragraph, prior to the opinion paragraph, is
required to describe the operating deficiencies.

26.91 The report cannot be dated until the audit team obtains sufficient, appropriate
audit evidence. In addition, the review procedures performed by the partner, manager,
and quality control reviewer must be completed, and all open points that may affect the
description of controls or our report must be cleared, on or before the report date.

Evaluating Other Design Deficiencies

26.92 The audit team should consider whether any other information, irrespective of
the specified control objectives, causes them to conclude that:
• design deficiencies exist that could adversely affect the service
organization’s ability to record, process, summarize, or report financial
data to user entities without error
• user entities would generally not be expected to have controls in place to
mitigate such deficiencies

26.93 The audit team is not required to search for such deficiencies. However, if
such deficiencies are identified and excluded from the description of the system, the
audit team should request that management amend the description.

26.94 If management does not amend the description, our report should describe
such deficiencies in an explanatory paragraph preceding the opinion paragraph. The
audit team should also qualify the opinion as to the fairness of the presentation.

Other Information

26.95 Management’s report may include information that is not covered in our report
or that falls outside the scope of the engagement, such as:
• planned changes in controls or remediation plans, or cost-benefit
statements
• qualitative information that may not be readily or objectively measurable,
such as marketing claims
• information, including control objectives, not considered relevant to user
entities’ internal control over financial reporting

26.96 If management includes such information, it should be presented in a separate
section outside of its description of the system, such as a section titled “Other
Information Provided by the Service Organization.” In addition, the audit team should
disclaim an opinion on any information that is not covered in our report.

26.97 Management may want to include in its report the actions it has taken or
plans to take to respond to testing exceptions. Such responses may be included and
are considered other information not covered by our opinion. For the convenience of
readers of our report, management’s responses can be positioned with the description
of our testing, provided their responses are labeled, “Management’s responses not
covered by auditor’s report.” Our disclaimer for other information should also reference
this section, but need not refer to each specific management response.

26.98 If the audit team believes such information contains a material inconsistency
or a material misstatement of fact, it should apply the guidance in the reporting Chapter
of this Manual.

Documentation Completion

26.99 [Tailor to reflect your archiving deadline] Professional standards provide for a
period of time after the report release date for the audit team to assemble the final files.
The firm allows 45 days, during which time the audit team may:
• complete the documentation and assemble evidence previously obtained,
discussed, and agreed with the relevant team members before the report
date
• perform routine assembling procedures, such as deleting or discarding
superseded documentation and sorting, collating, and cross-referencing
final workpapers
• obtain final sign-offs in the file

26.100 [Tailor to reflect your archiving deadline] The audit team may not use the 45
days to complete existing work or add new evidence. If additional procedures are
performed after the report release date or additional evidence is obtained, consultation
with the PSP and NPPD is required, as this circumstance may indicate that the report
should not have been released.

Changes in the Service Organization’s Controls


26.101 In a type 2 engagement, management’s description of the service
organization’s system should include changes in the system during the period covered
by the report. The audit team should inquire about these changes. If the audit team
believes such changes would be considered significant by user entities and their
auditors, those changes should be included in the description. Depending on the nature
of the change and its relevance to achieving the control objectives, the audit team may
need to test controls before and after the change.

26.102 If the service organization does not include the changes in its description, the
audit team should request that management amend the description. If management
does not amend the description, the changes should be described in an explanatory
paragraph in our report. The explanatory paragraph should include the following:
• a description of the previous control(s)
• a description of the current control(s)
• an indication of when the change(s) occurred

26.103 If management omits this information, the audit team should determine the
effect on the opinion as to the fairness of presentation of the description. Ordinarily, if
the opinion is modified for the missing information, the explanatory paragraph is
included prior to the opinion paragraph to describe the basis for the modification. If the
opinion is not modified, the explanatory paragraph is included after the opinion
paragraph.

Use and Distribution of Reports

26.104 The use of our report is restricted to management of the service organization,
its user entities (customers) and the independent auditors of its user entities.

26.105 The service organization may indicate that it has a service auditor’s report
available for its customers; however, because the report is restricted, the firm’s name
and report should not be publicized or referred to in any document, electronic site, or
other forum without our prior written consent.

26.106 If the service organization plans to distribute our report to prospective
customers, the service organization is responsible for obtaining an affirmative written
acknowledgment as to the use and purpose of the report. A letter to be used for this
purpose is attached to the firm’s illustrative engagement letter. The service organization
should obtain this letter from its prospective customer before providing
our report.

Subsequent Events

26.107 Subsequent events are changes in the service organization’s systems that
occur subsequent to the period covered by the report that could significantly affect
management’s assertion.

26.108 The audit team has no responsibility to detect subsequent events. However,
the audit team is required to (a) inquire of management as to whether it is aware of any
subsequent events through the date of our report, and (b) obtain written representations
from management regarding such events.

26.109 If subsequent events come to the audit team’s attention prior to the report
date, the events should be considered in formulating our opinion and evaluating the
disclosure requirements. The audit team should consider this information in determining
whether controls at the service organization that could affect user entities’ internal
control were implemented, suitably designed, and operating effectively (if applicable).

26.110 Management should disclose any event where disclosure is necessary to
prevent users from being misled. This type of information should be adequately
disclosed by the service organization in a section of its report titled “Other Information
Provided by the Service Organization.” If management does not disclose such
information, it should be disclosed in the service auditor’s report.

26.111 After the release of our report, we may become aware of conditions that
existed at the report date that might have affected management’s assertion and our
report had we been aware of such matters. In this circumstance, the audit team should
adapt and apply the guidance related to subsequently discovered facts in Chapter 18.

Record Retention

26.112 [Tailor to reflect the location of your policies] The firm’s record retention policies
and guidance are set forth in the appendices to this Manual. These policies require
retention of certain paper documents and electronic files, including records and client
documents that are created, sent, or received in connection with the services provided
as well as documents containing conclusions, opinions, analyses, or financial data
related to the services. Audit teams performing these engagements must understand
and comply with these policies.

Chapter Twenty-Seven - Review Engagements

Summary

This chapter includes policies for performing review engagements for nonpublic entities.

Introduction

27.01 [Tailor to reflect your standards] This chapter covers engagements to review
financial statements as defined in International Standards on Review Engagements
(ISRE) 2400.

27.02 A review entails performing inquiry and analytical procedures that provide a
reasonable basis for obtaining limited assurance that no material modifications are
required for the financial statements to be in conformity with the applicable financial
reporting framework. The information in the financial statements and the fairness of
presentation of those financial statements is management's responsibility, regardless of
whether the firm is engaged to perform a review.

27.03 The firm should not issue review reports on partial presentations, such as
presentations of specified elements, accounts or items of financial statements.

General Standards and Policies

Nature of Services

27.04 The objective of a review differs significantly from that of an audit. The
objective of an audit is to obtain a reasonable basis for expressing an opinion regarding
the financial statements taken as a whole. A review, however, does not provide such a
basis because it is substantially less in scope. A review does not contemplate:
• obtaining an understanding of internal control
• assessing risks of material misstatement
• testing accounting records and inquiry responses by obtaining
corroborating evidence through inspection, observation, and confirmation
• performing procedures to detect material misstatements due to fraud or
illegal acts
• conducting certain other procedures performed during an audit

27.05 A review may bring significant matters affecting the financial statements to the
engagement team’s attention, but it does not provide assurance that the team will
become aware of all significant matters that would ordinarily be disclosed in an audit.

Client Acceptance and Reacceptance

27.06 Chapter 3 describes the firm’s policies related to acceptance of new clients
and reacceptance of existing clients, including review engagements. The engagement
team should understand the expected form and content of the financial statements,
including the accounting basis on which they are to be presented and by whom they are
intended to be used.

27.07 Before accepting a review, the engagement team should carefully consider the
business risk implications. Plaintiff's legal counsel has suggested that a review report
entails legal responsibility similar to a report on audited financial statements. If the
financial statements should prove not to have been prepared in accordance with the
framework, it would be extremely difficult for the firm to demonstrate that appropriate
attention to "warning flags" would not have revealed the situation.

27.08 [Tailor to reflect your policies] Accordingly, the firm will not ordinarily accept a
review in high business risk situations. For example, the firm would not issue a review
report in connection with a business sale or acquisition, the sale of securities in a
private placement transaction, or similar undertakings. In rare instances, the NPPD may
permit exceptions, such as when financial statements previously audited by the firm will
accompany the reviewed financial statements.

27.09 While the review standard does not require communications with a
predecessor accountant, the engagement team should consider making inquiries of the
predecessor in determining whether to accept a review in circumstances such as the
following:
• information about the prospective client or its management is limited or
appears to require special attention
• the change in accountants takes place substantially after the end of the
period for which financial statements are to be reviewed
• there have been frequent changes in accountants

27.10 Inquiries of the predecessor accountant are similar to those performed in
conjunction with accepting an audit engagement. When the engagement team decides
to inquire of the predecessor, they should obtain permission from the prospective client
who should authorize the predecessor to respond fully. In certain instances, the
engagement team may also request access to the predecessor's workpapers, although
such access may validly be denied. If the prospective client refuses to permit the
predecessor to respond or the response is limited, the engagement team should inquire
about the reasons and consider the implications in accepting the engagement.

Engagement Staffing

27.11 [Tailor to reflect your policy] Review engagements require the assignment of an
assurance partner.

Engagement Letters

27.12 [Tailor to reflect your practice] The firm requires engagement letters for review
engagements. Illustrative letters are located under Letters, Forms and Templates >
Compilation and Review - SSARS. General policies on engagement letters are
discussed in Chapter 6.

Independence

27.13 [Tailor to reflect the location of your policies] The firm must be independent to
perform a review. The Independence and Ethics Manual describes the independence
requirements for review engagements, including permitted and prohibited bookkeeping
and other non-attest services that may be requested.

Access to Workpapers

27.14 [Tailor to reflect your practice] The firm’s workpaper access policies apply,
adapted as necessary, to review engagements. If the firm will permit access to its
workpapers, the illustrative letters under Letters, Forms and Templates > Access and
Termination Letters should be appropriately modified.

Engagement Performance

Understanding the Entity and Its Environment

27.15 When performing a review, the engagement team should have a general
understanding of the:
• industry in which the entity operates
• accounting principles and practices used by the entity for significant
accounts and disclosures
• nature of the entity’s business, organization structure, and transactions
• nature of the entity’s assets, liabilities, revenues, and expenses
• entity’s operating characteristics, including matters such as:
  – types of products and services
  – operating locations
  – production and distribution
  – compensation methods
  – material transactions with related parties
• form of the entity’s accounting records
• stated qualifications of the entity’s accounting personnel

27.16 Ordinarily, the engagement team obtains knowledge of these matters through
experience with the entity or its industry and inquiry of the entity’s personnel.

Review Procedures

27.17 Voyager should be used on all review engagements. The review program in
Voyager incorporates the inquiry and analytical procedures for a typical review
engagement, including those procedures required by standards. It is tailored for several
industries, such as commercial, manufacturing, financial institutions, and construction.

27.18 Voyager is intended only as a listing of potential procedures. It identifies the
review objectives and procedures the engagement follows when they are suitable for
the conditions of the engagement. When applying the procedures, the engagement
team should consider their prior and current experience with the entity and their
knowledge about the entity’s industry and its accounting practices. Any alternative
procedures should be documented in the workpapers. In addition, any significant
matters coming to the engagement team’s attention should be adequately considered,
documented, and resolved.

27.19 Analytical procedures should be applied to identify and provide a basis for
inquiry about the relationships and individual items that appear to be unusual and that
may indicate a material misstatement. Analytical procedures should include:
 developing expectations by identifying and using plausible relationships
that are reasonably expected to exist based on the engagement team’s
understanding of the entity and its environment
 comparing recorded amounts, or ratios developed from recorded amounts,
to the engagement team’s expectations

27.20 The expectations developed in a review engagement ordinarily are less
encompassing than those developed in an audit. In addition, the engagement team
is ordinarily not required to corroborate management's responses with other evidence.
However, the engagement team should consider the reasonableness and consistency
of management's responses in light of the results of other review procedures and the
engagement team’s knowledge of the entity and its environment.

27.21 [Tailor to reflect your consultation policy] If the engagement team becomes
aware of information that is incorrect, incomplete, or otherwise unsatisfactory, they
should perform the additional procedures deemed necessary to achieve limited
assurance. If any evidence or information comes to the engagement team’s attention
regarding fraud or an illegal act that may have occurred, the engagement team should
request management to consider the effect on the financial statements. The
engagement team will also need to communicate fraud or illegal acts to those charged
with governance in accordance with professional standards, and consider withdrawing.
Prior to doing so, the engagement team should consult with the NPPD.

Disclosure Checklists

27.22 The appropriate disclosure checklist should be used for all review
engagements.

Representation Letters

27.23 [Tailor to reflect the location of your letters] A representation letter is required
for each review engagement. An illustrative letter, suitable for most reviews, is available
under Letters, Forms and Templates > Compilation and Review - SSARS.

27.24 The representation letter should have the same date as the review report. It
should cover all financial statements and periods covered by the report and should be
appropriately tailored to fit the engagement circumstances, including matters specific to
the entity’s business or industry. Similar to an audit, a representation on passed
adjusting journal entries should be included and the related schedule attached to the
letter. The engagement team should determine that this schedule, which is reviewed by
management and referenced in the representation letter, is returned to the engagement
team and included in the documentation.

27.25 The representation letter should be signed by members of management who
are responsible for and knowledgeable, either directly or through others in the
organization, about the matters covered in the letter, generally the chief executive
officer and chief financial officer. Preferably, one of the signers should be a member of
the board of directors. Even if current management was not present during all periods
covered by the report, the engagement team should obtain written representations from
current management on all such periods.

27.26 There may be occasions where the engagement team reviews the financial
statements of a subsidiary, but not those of the parent company. In such instances, the
engagement team may obtain representations from top management of the parent
company concerning matters that affect the subsidiary.

27.27 [Tailor to reflect your policies] Occasionally, management may request that the
suggested letter be modified. The engagement partner and the PSP should approve
such modifications. However, modifications or caveats that appear to negate
management’s responsibilities should not be accepted. Any questions about such
matters should be discussed with the NPPD.

Updating Representation Letter

27.28 The engagement team should consider obtaining an updating representation
letter in the following circumstances:
 a significant period of time has elapsed since the completion of the
procedures and the expected release of the report
 a material subsequent event occurred after the completion of the
procedures but before the release of the report

27.29 [Tailor to reflect the location of your letter] An updating representation letter is
required when the engagement team reissues the review report on a prior period for
comparative purposes. An illustrative letter is available under Letters, Forms and
Templates > Compilation and Review - SSARS.

Documentation

27.30 The documentation required for review engagements is described in the
respective Voyager program. In most cases, no other workpapers are needed. The
following should be included in the workpapers:
 client acceptance and reacceptance documentation
 engagement letter
 matters covered by inquiry procedures
 analytical procedures performed, including:
– expectations, where significant expectations are not otherwise readily
determinable, and factors considered in their development
– results of the comparison of the expectations to the recorded amounts
or ratios developed from recorded amounts
– additional procedures performed in response to significant unexpected
differences and the results of such procedures
 copies of all financial statements, schedules, and computations prepared
by the engagement team
 unusual matters the engagement team considered during the performance
of the review, including their disposition
 significant findings or issues, actions taken, and their resolution and the
basis for the final conclusions reached

27.31 [Tailor to reflect the location of your policies] Refer to the appendices of this
Manual for the firm’s record retention policies and procedures, which apply to reviews.

Engagement Review

In-Charge Accountant Review

27.32 The in-charge accountant has the primary responsibility for the conduct of the
engagement, as outlined by the engagement partner or manager, and for bringing to the
partner or manager’s attention any factors that become known to the engagement team
that may require a reevaluation of the client relationship.

27.33 The in-charge accountant reviews the work performed by other members of the
engagement team continuously throughout the engagement. In
particular, the in-charge accountant is responsible for:
 determining that all phases of the work have been completed in accordance
with the engagement plan
 determining that the engagement has been conducted and the report
prepared in accordance with firm policies and professional standards
 determining that the workpapers contain the necessary documentation to
comply with firm policies and professional standards
 determining that all non-substantive materials in the workpapers have been
disposed of in accordance with the firm’s record retention policies
 obtaining the partner or manager’s approval of the adjusting journal entries
before providing them to management
 obtaining management’s approval of adjusting journal entries
 evaluating the performance of staff

Partner and Manager Review

27.34 The partner and manager review should consist of:
 reading the financial statements to ascertain that they make sense from an
overall business standpoint
 determining that the applicable firm policies and procedures and
professional standards have been followed
 resolving all questions raised in the review performed by the in-charge
accountant
 tracing amounts from workpapers to primary schedules, trial balance, and
the financial statements
 cross-checking amounts appearing in more than one place in the report
and checking computations
 requesting, as needed, the assistance of the PSP on technical accounting
matters
 approving the tailoring of the representation letter
 noting any factors that may affect a decision to continue the client
relationship for the succeeding year

Quality Control Review

27.35 The requirement for a quality control review is determined by using EPF.
Engagements with an EPF of “3” or “4” do not have a quality control reviewer assigned
to the engagement team. However, the firm continues to encourage each operating
office to adopt reasonable policies to ensure the quality of reports issued, including a
pre-release report read.

27.36 In addition to engagements with an EPF of “1” or “2,” quality control reviews
are required for any review engagement that may be subject to regulatory access and
review. If needed, engagement teams should override the calculated EPF to a “2” and
provide the explanation for doing so.

27.37 When a quality control review is required, the quality control reviewer is
responsible for:
 discussing unusual or significant matters or concerns with the partner
 reading the financial statements and report to determine that they make
good business sense and comply with professional standards and firm
policies
 clearing all questions with the partner; controversial points that cannot be
resolved should be referred to the PSP or OMP

27.38 Although a quality control reviewer is not required to review specific
workpapers, nothing in these policies precludes such a review. For example, if
questions arise during the course of performing the specified procedures, the quality
control reviewer may review the engagement documentation and the resolution of
certain matters.

Tax Specialist Review

27.39 [Tailor to reflect your process] The partner or manager should consider the
need for a tax specialist review. Alternatively, the PSP may request the tax specialist to
review tax accruals in certain circumstances, such as when complex deferred tax
considerations apply or the effects of new tax laws may be significant.

Pre-Release Report Read

27.40 The firm does not require a pre-release read of a review report. However, an
office may require a pre-release report read as part of its quality control procedures, or
a partner may request that another assurance partner or management read the report
and financial statements to get a different perspective.

27.41 A pre-release report read is not intended as a quality control or other review
and does not alleviate the responsibilities of the partner or other members of the
engagement team. Nor does the person performing the reading assume the
responsibility of a quality control reviewer.

27.42 Generally, an assurance partner or manager outside of the engagement team
performs a pre-release report read, which is a “cold” reading of the report. The person
performing the pre-release read considers whether:
 the report and financial statements, on their face, appear appropriate
 amounts are internally consistent and lend themselves to comparison
 the financial statements are properly identified and appropriately organized
(e.g., correct page numbers and appropriate legends or other necessary
identification)
 the notes to financial statements are properly referenced
 there are any obvious typographical or clerical errors

Signing the Report

27.43 [Tailor to reflect your policies] Review reports must bear the firm’s signature.
Only an assurance partner may sign the firm's name to a review report. If a pre-release
report read is performed by an assurance partner, this partner may sign the report. The
PSP may also sign the review report.

Reporting Requirements

27.44 A review report is required. The firm’s standard review report is included in
Exhibit 28.1.

27.45 The firm believes it is permissible under professional standards to render a
special report on an audit of financial statements prepared on a regulatory basis solely
for filing with a regulatory agency and to render a review report on the financial
statements prepared in accordance with the applicable financial reporting framework for
the same entity for the same period.

Report Dating

27.46 Similar to an audit, the review report should not be dated before substantially
all procedures are completed and procedures are not complete until a full set of
financial statements is prepared.

27.47 When the engagement team becomes aware of essential information that was
not available on the report date, the report may be dual dated. In this circumstance,
refer to professional standards and Chapter 21 for requirements and guidance.

Subsequent Discovery of Facts

27.48 Subsequent to the date of the report, the engagement team may become
aware of facts that may have existed at that date that cause the engagement team to
have reservations about the information supplied by the entity. In these circumstances,
refer to professional standards and Chapter 18 for requirements and guidance in
determining the appropriate course of action.

Report Reissuances

27.49 Occasionally, a client may request additional copies of a previously issued
report. In these instances, the firm has no responsibility to make a further investigation
or inquire as to events that may have occurred since the original report date.
Accordingly, the additional copies should bear the original report date.

27.50 If the prior period financial statements are restated, the engagement team
should consider the propriety of the restatement. When the report is reissued, it should
ordinarily be dual dated and include a paragraph disclosing the restatement. If possible,
the engagement team should obtain a written statement from management describing
the information currently obtained and its effect on the prior period financial statements
and, if applicable, their understanding of its effect on the reissued report.

General Report Format

27.51 Review reports should be presented on firm letterhead and manually signed.
Generally, review reports should be bound in the firm's standard report cover. The title
“Financial Statements and Accountant’s Review Report” should ordinarily be used on
the report cover.

27.52 [Tailor to reflect your consultation policy] Similar to an audit, the engagement
team may emphasize a particular matter. Ordinarily, the firm prefers to avoid such
emphasis paragraphs, and they should only be used after consultation with the NPPD.
Since the emphasized matter is not intended to qualify the opinion, no reference should
be made in the opinion paragraph, and phrases such as “with the foregoing (following)
explanation” should not be used.

27.53 The following policies related to the reviewed financial statements should
ordinarily be applied:
 the financial statements should ordinarily be presented in a typical
presentation format
 the heading of each page of the financial statements should contain the
reference “See Accountant’s Review Report”
 the bottom of each page of the financial statements should contain the
reference “The accompanying notes are an integral part of these
statements”
 departures from the applicable financial reporting framework, of which the
engagement team has knowledge, should be disclosed

Departures From the Framework

27.54 When the engagement team becomes aware of departures from the
applicable financial reporting framework (including inadequate disclosures or other
deficiencies in the financial statements), they should request management to revise the
financial statements accordingly. If the financial statements are not revised and the
effect of the departure is material to the financial statements, the review report should
be modified.

27.55 The report should disclose the departure and the effects of such departure on
the financial statements, if such effects have been determined by management or are
known as the result of the review procedures. The engagement team is not required to
determine the effects of a departure if management has not done so, provided that the
report states that such determination has not been made. Care should be exercised in
describing the departure and the effects (if known) to avoid any inferences that the firm
has formed an opinion.

27.56 [Tailor to reflect your consultation policy] There may be instances where the
engagement team believes that the departures from the framework, or other
deficiencies, are such that the financial statements will be misleading, even with the
modifications to the report. In these cases, the NPPD should be consulted, and the
engagement team should consider withdrawing from the review engagement.

Special Situations

OCBOA Financial Statements and Other Presentations

27.57 The firm may be engaged to review financial statements prepared in
accordance with an other comprehensive basis of accounting. Such financial
statements should include:
 a description of the OCBOA, including a summary of significant accounting
policies and the primary differences from the applicable financial reporting
framework
 informative disclosures similar to those required by the applicable financial
reporting framework if the statements contain items that are the same or
similar

27.58 We may also be engaged to review financial statements prepared in
accordance with criteria contained in contractual agreements or regulatory provisions. In
such circumstances, the report should be restricted as to its use.

Personal Financial Statements

27.59 [Tailor to reflect your policies] Review engagements on personal financial
statements should not be undertaken without consulting the NPPD. These
engagements should be approached with caution because of the limitations associated
with individual financial position, such as lack of internal controls and incomplete
records.

27.60 If, as a result of performing review procedures, the engagement team has
reason to conclude that unrecorded assets or liabilities may exist, and the engagement
team’s inquiries are not satisfactorily resolved, the firm will ordinarily be precluded from
issuing a review report.

27.61 [Tailor to reflect available references] Refer to the AICPA Personal Financial
Statements Guide for guidance.

Other Situations Affecting Reviews

Going Concern and Other Uncertainties

27.62 Unlike an audit, the engagement team has no responsibility to determine if
substantial doubt exists as to the entity's ability to continue as a going concern for a
reasonable period. However, during the course of these engagements, this or other
types of uncertainties may come to the engagement team’s attention.

27.63 When going concern or other material uncertainties come to the engagement
team’s attention, the financial statements should include appropriate disclosure of the
matter. In accordance with standards, the following policies are applicable:
 if satisfactory disclosure is made, the standard review report is ordinarily
appropriate
 if management refuses to disclose the uncertainty, such departure should
be disclosed in the report; care should be exercised so that no
representations are included in the report that may increase the firm’s
responsibility or appear to contradict the report

27.64 [Tailor to reflect your currency] The following provides an illustrative report
paragraph describing the departure for a going concern uncertainty:

The financial statements, which have been prepared assuming that the Company will
continue as a going concern, show a net loss of $XXX,XXX and a use of cash for
operations of $XXX,XXX for the year ended December 31, 20X0, a deficit in working
capital of $XXX,XXX, an accumulated deficit capital of $XXX,XXX and a deficit in
stockholders' equity of $XXX,XXX at December 31, 20X0. The accompanying financial
statements do not, however, include disclosures that the foregoing conditions raise
substantial doubt about the Company's ability to continue as a going concern, nor do they
include any adjustments that might result from the outcome of this uncertainty.

Disclosure of Approximations in Interim Reports

27.65 Approximations in year-end financial statements are generally limited to those
that result from allocations between periods or among joint activities. For interim
financial statements, however, a number of items of accounting data may be
approximated, such as inventories.

27.66 The interim financial statements should disclose the fact that certain items
were approximated. The language “Approximated by Management” incorporated into
the applicable financial statement caption should be suitable, in most cases, to indicate
material approximations in interim financial statements.

27.67 If the engagement team is aware that the financial statements contain material
estimates that are unreasonable, they should insist on appropriate revision or refuse to
be associated with them.

Reporting on Supplementary and Other Information

27.68 We may also be engaged to review supplementary information that will
accompany the basic financial statements. Such supplementary information should be
separated from the basic financial statements by a page with the center caption
“Supplementary Information.”

27.69 [Tailor to reflect your reporting framework] When the firm reviewed the
supplementary information, the following paragraph should be included in the review
report:

Our review was made for the purpose of expressing a conclusion that there are no material
modifications that should be made to the basic financial statements in order for them to be
in conformity with accounting principles generally accepted in the United States of
America. The (identify accompanying information) on page XX is presented for purposes of
additional analysis and is not a required part of the basic financial statements. Such
supplementary information, which is the responsibility of management, has been subjected
to the inquiry and analytical procedures applied in the review of the basic financial
statements. We are not aware of any material modifications that should be made to such
information.

27.70 [Tailor to reflect your accounting framework and standard setter] Other
information that was not reviewed should be on separate pages and clearly marked as
not having been reviewed. In addition, one of the following paragraphs should be
included in the review report:

(Use the following paragraph when the supplementary information was compiled.)
Our review was made for the purpose of expressing a conclusion that there are no material
modifications that should be made to the basic financial statements in order for them to be
in conformity with accounting principles generally accepted in the United States of
America. The (identify accompanying information) on page XX, which is the responsibility
of management, is presented for purposes of additional analysis and is not a required part of
the basic financial statements. Such supplementary information has not been subjected to
the inquiry and analytical procedures applied in the review of the basic financial statements,
but was compiled by us in accordance with Statements on Standards for Accounting and
Review Services issued by the American Institute of Certified Public Accountants from
information that is the representation of management, without audit or review. Accordingly,
we do not express an opinion or provide any assurance on such information.

(Use the following paragraph when the supplementary information was neither audited,
compiled, or reviewed.)
Our review was made for the purpose of expressing a conclusion that there are no material
modifications that should be made to the basic financial statements in order for them to be
in conformity with accounting principles generally accepted in the United States of
America. The (identify accompanying information) on page XX is presented for purposes of
additional analysis and is not a required part of the basic financial statements. Such
supplementary information, which is the responsibility of management, has not been
audited, reviewed, or compiled by us and, accordingly, we do not express an opinion or any
other form of assurance on such information.

Restricted-Use Reports and Statements

27.71 Compilation reports on financial statements prepared in conformity with the
applicable financial reporting framework or OCBOA are ordinarily not restricted as to
use. As previously indicated, the engagement team should restrict the use of the report
when the financial statements are prepared based on criteria in contractual
arrangements or regulatory provisions.

27.72 Refer to professional standards for additional requirements and guidance on
the following:
 issuing a single combined report that covers general-use and restricted-use
presentations
 agreeing to add other parties as specified parties

Change in Engagement to Review

27.73 There may be instances when the firm was engaged to audit the financial
statements but, before completion, management requests to change the engagement to
a review. A request to change the engagement may result from:
 a change in circumstances
 a misunderstanding as to the nature of an audit
 management becoming aware of the availability of review services
 a restriction on the scope of the audit, whether imposed by management
or caused by circumstances

27.74 Before the firm will agree to change the engagement to a review, the
engagement team should consider the reason given for the request, particularly the
implications of a restriction on the scope of the audit, whether imposed by management
or by circumstances. If the auditing procedures are substantially complete or the cost to
complete such procedures is relatively insignificant, the engagement team should
consider the propriety of accepting the change.

27.75 A change in circumstances that affects the entity's requirement for an audit, or
a misunderstanding concerning the nature of an audit and the alternative review
services, would ordinarily be considered a reasonable basis for requesting a change in
the engagement. A scope limitation, however, can have implications that are more
serious. For example, when the engagement team is prohibited by management from
corresponding with the entity's legal counsel, or when management has refused to sign
a representation letter, the firm ordinarily would be precluded from issuing a review
report.

27.76 [Tailor to reflect your consultation process] When the reason for a change in
engagement seems inappropriate, the proposed change should be discussed with the
NPPD. The engagement team should not agree to a change in engagement if there is
not a reasonable justification for doing so.

27.77 When the reason for the change seems appropriate, the engagement team
should agree with management on the terms of the review engagement and record
them in a new engagement letter. The review report should not include reference to the
original engagement, including any auditing procedures that may have been performed
or scope limitations that resulted in the changed engagement.

Reports Covering More Than One Fiscal Period

27.78 Current period financial statements that are reviewed should not be presented
with those of prior periods unless the firm or the predecessor compiled, reviewed, or
audited the prior statements.

27.79 When comparative financial statements are presented, the nature of the report
depends upon the level of service provided in each of the reporting periods. When the
service provided in the current period is at a lower level than that provided in the prior
period, the earlier report should generally be reissued as opposed to being updated.
When the firm performed the same level of service in each period, or when a higher
level of service is provided in the current period, the engagement team should update
the report on the financial statements of the earlier period.

27.80 During a current engagement, the engagement team should be alert for
circumstances or events that may affect the prior period financial statements presented
or the adequacy of the informative disclosures made in those statements. The
engagement team should consider the effects of such circumstances or events in
updating the report on the prior period financial statements. Consideration should be
given to:
 repeating notes and explanations pertinent to the prior period statements
and modifying such information to reflect subsequent developments
 restating the prior period statements for those prior period adjustments that
were reflected in retained earnings in the current year

27.81 [Tailor to reflect your accounting framework and professional standards] When
comparative financial statements are presented and the prior period was compiled, the
following paragraph should be added as the final paragraph of the review report. The
title of the report is also changed to “Independent Accountant’s Report.” The following
paragraph may also be used when the current period was audited.

The accompanying 20X1 financial statements of XYZ Company were compiled by us in
accordance with Statements on Standards for Accounting and Review Services issued by
the American Institute of Certified Public Accountants. The objective of a compilation is to
assist management in presenting financial information in the form of financial statements
without undertaking to obtain or provide any assurance that there are no material
modifications that should be made to the financial statements. We have not audited or
reviewed the 20X1 financial statements and, accordingly, do not express an opinion or
provide any assurance about whether these financial statements are in accordance with
accounting principles generally accepted in the United States of America.

Updated Reports

27.82 [Tailor to reflect your accounting framework] During the course of the current
engagement, we may encounter events or circumstances that affect the statements of a
prior period. In updating the report on the prior period financial statements, it may be
necessary to issue a report different from that previously issued. Refer to professional
standards for the appropriate reporting in this circumstance. The following is an
illustrative report paragraph that may be appropriate when there is a changed reference
to a departure from the applicable financial reporting framework:

In our previous review report, dated March 1, 20X1, on the 20X0 financial statements, we
referred to a departure from accounting principles generally accepted in the United States of
America in that the Company carried its land at appraised values. However, management
has informed us, as disclosed in note X to the financial statements, that the Company has
restated its 20X0 financial statements to eliminate the departure from accounting principles
generally accepted in the United States of America.

Prior Period Services Performed by Other Accountants

27.83 When prior period financial statements that were audited, reviewed, or
compiled by other accountants are to be presented in comparative financial statements,
management is responsible for requesting the predecessor accountants to reissue their
previous report. The predecessor accountants are not required to reissue their report on
a prior period, although they may do so if satisfactory arrangements can be made with
their former client, and they perform certain procedures.

27.84 [Tailor to reflect your accounting framework] If the predecessor accountants do
not reissue their report, the firm’s report on the current period should make reference in
an additional paragraph to the predecessors’ report on the prior period; or the firm may
be engaged to perform a compilation, review, or audit of the prior period and report
accordingly. Illustrations of the language to be included in the review report in this
circumstance are as follows:

(Include the following if the prior period was compiled.)


The 20X0 financial statements of ABC Company were compiled by other accountants
whose report, dated February 15, 20X1, stated that they did not audit or review those
financial statements and, accordingly, did not express an opinion or provide any assurance
about whether those financial statements are in accordance with accounting principles
generally accepted in the United States of America.

(Include the following if the prior period was reviewed.)


The 20X0 financial statements of ABC Company were reviewed by other accountants
whose report, dated March 15, 20X1, stated that they were not aware of any material
modifications that should be made to those financial statements in order for them to be in
conformity with accounting principles generally accepted in the United States of America.

Note: These illustrations should be modified to incorporate a description of any
modifications to the standard report, including any emphasis paragraphs.

27.85 When prior-period financial statements have been restated, the predecessor
accountants may reissue their report. If the predecessor accountants do not reissue
their report, the firm may be engaged to report on the financial statements of the prior
year. If the firm is not engaged to report on the prior year’s financial statements, the
report should indicate in the introductory paragraph that a predecessor accountant
reported on the financial statements of the prior period before restatement. If the firm is
engaged to review the restatement adjustment(s), the report may also indicate that the
firm reviewed such adjustment(s).

27.86 [Tailor to reflect your accounting framework] The following is an illustrative
example of the introductory paragraph when the predecessor accountant’s report is not
presented and the firm reviews the restatement adjustment(s) in comparative financial
statements:

We have reviewed … The 20X0 financial statements of ABC Company before the effects of
the adjustment(s) that was (were) applied to restate the 20X0 financial statements to correct
an error described in Note X were reviewed by other accountants whose report, dated
March 31, 20X1, stated that they were not aware of any material modifications that should
be made to those financial statements in order for them to be in conformity with accounting
principles generally accepted in the United States of America.
Management…
Our responsibility…
Based on our review…
We also reviewed the adjustment(s) as described in Note X that was (were) applied to
restate the 20X0 financial statements to correct an error. Based on our review, nothing came
to our attention to indicate that the adjustment(s) is (are) not appropriate and properly
applied.

27.87 [Tailor to reflect your consultation policies] If, during the engagement, the
engagement team becomes aware of information that leads them to believe the
financial statements reported on by the predecessor require revision, the engagement
team is required to inform management to communicate this information to the
predecessor accountant. If management refuses to do so, the engagement team should
evaluate the possible implications on the engagement, including whether to resign from
the engagement, and consider consulting with the NPPD.

Reissuing a Prior Period Report When We Are the Predecessor

27.88 When the firm is requested, as predecessor accountants, to reissue a review
report on prior period financial statements, the engagement team should consider
whether the previous report is still appropriate because of:
• events subsequent to the date of the report
• the current presentation of the prior period financial statements
• changes in the financial statements that require modifications to the report

27.89 Therefore, the following procedures should be performed:
• read the current period statements and the successors’ report
• compare the prior period statements with those of the current period
• obtain an updating representation letter from the former client
• obtain a letter from the successor stating whether they are aware of any
matters which, in their opinion, might have a material effect on the financial
statements of the prior period

27.90 In performing these procedures, the engagement team may become aware of
matters or events occurring subsequent to the date of the report on the prior period that
may affect the previous report. The engagement team should then:
• make inquiries or perform analytical procedures similar to those that would
have been performed if the engagement team had been previously aware
of such information
• perform any other procedures the engagement team considers necessary
in the circumstances
• determine whether to reissue the report in accordance with the guidance in
professional standards and firm policies

27.91 If the above procedures are not completed, the engagement team should not
reissue the report, and may consider if another course of action is appropriate.

Combination of Practices

27.92 If the comparative financial statements include prior period statements that
were audited, reviewed, or compiled by a firm with whom the firm has since combined
practices, the engagement team should determine whether it is appropriate to reissue or
update a report on the prior period by considering the guidance provided in Chapter 21.

Reporting Status

27.93 [Tailor to reflect your consultation policy] When reporting on comparative
financial statements, the current status of the entity, whether public or nonpublic, should
be considered. If there is a change in status, it may not be appropriate to reissue the
report in comparative statements. In this circumstance, the engagement team should
discuss the matter with the PSP.

Exhibit 27.1 - Illustrative Review Reports
[Tailor this exhibit to reflect your standard review report]

E01 The following illustrates the firm’s standard review report. Additional report
modifications, such as reporting on supplementary and other information, are described
throughout this Chapter.

E02 The firm believes it is preferable to include (but does not require) a title.
“Independent Accountant’s Review Report” or “Report of Independent Certified Public
Accountants” may be used.

INDEPENDENT ACCOUNTANT’S REVIEW REPORT


Board of Directors
XYZ Company
(Modify the following paragraph to appropriately identify the financial statements. For
example, for the cash basis of accounting, reference may be made to the statement of assets
and liabilities arising from cash transactions and the related statement of revenue collected
and expenses paid.)
We have reviewed the accompanying balance sheet(s) of XYZ Company (a Florida
corporation) as of December 31, 20X2 (and 20X1), and the related statements of income
(and comprehensive income), (comprehensive income), retained earnings, and cash flows
for the year(s) then ended. A review includes primarily applying analytical procedures to
management’s financial data and making inquiries of company management. A review is
substantially less in scope than an audit, the objective of which is the expression of an
opinion regarding the financial statements as a whole. Accordingly, we do not express such
an opinion.
Management is responsible for the preparation and fair presentation of the financial
statements in accordance with accounting principles generally accepted in the United States
of America (alternatively, identify the other comprehensive basis of accounting, such as the
cash or income tax basis of accounting) and for designing, implementing, and maintaining
internal control relevant to the preparation and fair presentation of the financial statements.
Our responsibility is to conduct the review in accordance with Statements on Standards for
Accounting and Review Services issued by the American Institute of Certified Public
Accountants. Those standards require us to perform procedures to obtain limited assurance
that there are no material modifications that should be made to the financial statements. We
believe that the results of our procedures provide a reasonable basis for our report.
Based on our review(s), we are not aware of any material modifications that should be
made to the accompanying financial statements in order for them to be in conformity with
accounting principles generally accepted in the United States of America (alternatively,
identify the other comprehensive basis of accounting and refer to the note that describes
that basis of accounting, such as the cash or income tax basis of accounting, as described
in Note X).
(Include the following paragraph restricting the use of the report when required by
professional standards or firm policy.)
This report is intended solely for the information and use of (the specified parties) and is
not intended to be and should not be used by anyone other than these specified parties.
GRANT THORNTON LLP (manually)
Tampa, Florida
February 14, 20X2

E03 The following provides an illustrative modification of the firm’s standard review
report when a material departure from the applicable financial reporting framework is
identified.

Our responsibility is to…


Based on our review, with the exception of the matter(s) described in the following
paragraph(s), we are not aware of any material modifications that should be made to the
accompanying financial statements in order for them to be in conformity with accounting
principles generally accepted in the United States of America (alternatively, identify the
other comprehensive basis of accounting and refer to the note that describes that basis of
accounting, such as the cash or income tax basis of accounting, as described in Note X).
(Describe material departures from the applicable financial reporting framework and the
effects on the financial statements. The following provides an example of omitted inventory
overhead costs.)
As described in Note X to the financial statements, the Company has only included material
and direct labor costs in the value of work in process and finished goods inventories.
Accounting principles generally accepted in the United States of America require that the
value of such inventories also include manufacturing overhead costs. Management has
informed us that, if the financial statements were corrected for this departure from
accounting principles generally accepted in the United States of America, beginning
retained earnings as of December 31, 20X0 would be increased by $XX,XXX, inventories
would be increased by $XX,XXX, and income taxes payable would be increased by
$X,XXX as of December 31, 20X2, and net income would be increased by $XX,XXX for
the year then ended. (Alternatively, indicate that the effects on the financial statements have
not been determined, such as follows: The effects of this departure from accounting
principles generally accepted in the United States of America on the accompanying
financial statements have not been determined.)

Chapter Twenty-Eight - Compilation Engagements

Summary

This Chapter includes policies for performing compilations of nonpublic entity financial
statements.

Introduction
28.01 [Tailor to reflect your standards] This chapter covers engagements to compile
financial statements as defined in International Standards on Related Services 4410.

28.02 A compilation presents, in the form of financial statements, information that
is the representation of management, without expressing any assurance on the
statements. The information in the financial statements and the fairness of the
presentation are management's responsibility, regardless of whether the firm is engaged
to perform a compilation.

28.03 A compilation of financial statements occurs whenever the firm:
• is engaged to report on compiled financial statements
• submits financial statements to a client, whether or not they are expected to
be used by a third party (anyone other than management)

28.04 A compilation may be performed by merely presenting general ledger amounts
in acceptable financial statement form with disclosures or by omitting substantially all
disclosures. A compilation may also be performed by presenting general ledger figures
in a prescribed form, which may call for departures from the applicable financial
reporting framework due to varying measurement principles or the lack of disclosures.

28.05 When the firm provides an entity with controllership or other management
services or performs a business valuation that entails the submission of financial
statements, the firm is also performing a compilation and should adhere to professional
standards. Submission is a broad concept that includes financial statements prepared
by the firm for presentation to a client. Judgment is required in determining whether the
firm prepared the financial statements. Factors to consider in reaching this judgment
include:
• the process used to create the financial statements
• whether the client reasonably expected that, as part of the professional
services engagement, the firm would prepare financial statements
• the extent of work effort the firm contributed to the financial statements
• where the underlying accounting information resides

28.06 [Tailor to reflect your policies] Ordinarily, the firm will not undertake an
engagement to compile partial presentations, including specified elements, accounts, or
items of financial statements.

General Standards and Policies

Nature of Services

28.07 The objective in a compilation is substantially different from the objective in a
review or an audit. In a compilation, the engagement team is not required to make
inquiries or perform other procedures to verify, corroborate, or review information
provided by management. Consequently, the report does not express any form of
assurance on the financial statements.

28.08 [Tailor to reflect your policies] Professional standards discuss the requirements
for evaluating the extent of other accounting services performed during a compilation
and their effect on issuing a compilation report. There is no requirement for the firm to
“upgrade” the report for other accounting services performed during a compilation,
unless the firm is in a position to issue a review report. In this situation, after discussion
with the PSP, the engagement team may discuss the level of service with the client to
decide whether to revise their understanding regarding the nature of the services being
rendered.

Client Acceptance and Reacceptance

28.09 Chapter 3 describes the firm’s policies related to acceptance of new clients
and reacceptance of existing clients, including compilation engagements. Before
accepting a compilation, the engagement team should carefully consider the business
risk implications. The engagement team should understand the expected form and
content of the financial statements, including the accounting basis on which they are to
be presented and by whom they are intended to be used.

28.10 An engagement to compile financial statements that will omit substantially all
disclosures is permitted when:
• to the engagement team’s knowledge, the financial statements are not
intended to mislead those persons who are expected to use them
• the financial statements are included in a prescribed form

28.11 [Tailor to reflect your policies] The firm should not undertake an engagement to
compile financial statements that omit substantially all disclosures if the firm previously
issued a higher-level report on the same period's statements, unless the purpose is to
present comparative statements as described later in this Chapter. In addition, the firm
does not ordinarily permit association with financial statements incorporating selective
disclosures, as also described later in this Chapter.

28.12 While compilation standards do not require communications with a
predecessor accountant, the engagement team should consider making inquiries of the
predecessor in determining whether to accept a compilation in circumstances such as
the following:
• information about the prospective client or its management is limited or
appears to require special attention
• the change in accountants takes place substantially after the end of the
period to be compiled
• there have been frequent changes in accountants

28.13 Inquiries of the predecessor accountant are similar to those performed in
conjunction with accepting an audit engagement. When the engagement team decides
to inquire of the predecessor, they should obtain permission from the prospective client
who should authorize the predecessor to respond fully. In certain instances, the
engagement team may also request access to the predecessor's workpapers, although
such access may be validly denied. If the prospective client refuses to permit the
predecessor to respond or the response is limited, the engagement team should inquire
about the reasons and consider the implications in accepting the engagement.

Engagement Staffing

28.14 [Tailor to reflect your policies] Because of the size and nature of compilation
engagements, an operating office will frequently assign either an assurance partner or
manager to serve in the partner role. Nothing in these policies requires that an
assurance partner be assigned to a compilation engagement; however, offices are
expected to determine that personnel with appropriate background and experience are
involved.

Engagement Letters

28.15 [Tailor to reflect the location of your letters] The firm requires engagement
letters for compilation engagements. Illustrative letters are located in GEL under Letters,
Forms and Templates > Compilation and Review - SSARS. General policies on
engagement letters are discussed in Chapter 6.

Independence

28.16 A compilation does not require the firm to be independent. Although it is firm
policy to maintain independence on all compilation engagements, there may be
instances when the firm is not independent.

28.17 Standards permit a firm to disclose the reason for a lack of independence in
the compilation report. If such disclosure is made, all of the reasons are required to be
disclosed. It should be noted that once the firm’s independence is impaired, the firm
does not continue to monitor its independence. As such, the firm may not be able to
meet the requirement in the standards to disclose all of the reasons for the lack of
independence. Accordingly, the firm’s compilation report should simply indicate that we
are not independent.

28.18 [Tailor to reflect your policies] In rare circumstances, a client may request us to
disclose the reason for a lack of independence. If this is the case, the engagement team
should consult with the PIC Ethics and the NPPD to determine whether the firm should
and would be able to disclose all of the reasons for the lack of independence in the
particular circumstances.

28.19 [Tailor to reflect the location of your guidance, if any] The Independence and
Ethics Manual describes the independence requirements for compilation engagements,
including permitted and prohibited bookkeeping and other non-attest services that may
be requested.

Access to Workpapers

28.20 [Tailor to reflect location] The firm’s workpaper access policies apply, adapted
as necessary, to compilation engagements. If the firm will permit access to its
workpapers, the illustrative letters in GEL under Letters, Forms and Templates > Access
and Termination Letters should be appropriately modified.

Engagement Performance

Understanding the Entity and Its Environment

28.21 When performing a compilation, the engagement team should have a general
understanding of:
• the industry in which the entity operates
• nature of the entity’s business, organization structure, and transactions
• accounting principles and practices used by the entity
• form of the entity’s accounting records
• stated qualifications of the entity’s accounting personnel

28.22 Ordinarily, the engagement team obtains knowledge of these matters through
experience with the entity or its industry and inquiry of the entity’s personnel.

Compilation Procedures

28.23 The engagement team is normally not required to make inquiries or perform
other procedures to verify, corroborate, or review information supplied by the entity.
Although not required, Voyager contains certain suggested inquiries for compilation
engagements.

28.24 [Tailor to reflect your consultation policies] The engagement team’s knowledge
of the entity and any inquiries performed may lead the engagement team to conclude
that information supplied by the entity is incorrect, incomplete, or otherwise
unsatisfactory. This would include situations in which any evidence or information
comes to the engagement team’s attention regarding fraud or an illegal act that may
have occurred (which should first be discussed with the PSP). In this circumstance, the
engagement team should:
• request management to consider the effect of these matters and
communicate the results to us
• consider the effect of management’s conclusions on the report
• communicate fraud or illegal acts to those charged with governance in
accordance with professional standards, and consider withdrawing

28.25 [Tailor to reflect your consultation policies] If the engagement team believes
that the financial statements are materially misstated, the engagement team should
obtain additional or revised information. If the entity refuses to provide additional or
revised information, the firm is required to withdraw from the engagement. Prior to
withdrawing, the partner/manager should discuss the matter with the PSP.

Reading Financial Statements

28.26 Before submission, the engagement team should read the financial statements
and consider whether their form is appropriate and whether they are free from obvious
material errors, such as arithmetical or clerical mistakes, or mistakes in the application
of accounting principles, including inadequate disclosure.

Documentation

28.27 The documentation required for compilation engagements is described in the
respective Voyager program. In most cases, no other workpapers are needed. The
following should be included in the workpapers:
• client acceptance and reacceptance documentation
• engagement letter
• copies of all financial statements, schedules, and computations prepared
by the engagement team
• significant findings or issues, actions taken, and their resolution
• communications to management, whether verbal or written, regarding fraud
or illegal acts

28.28 [Tailor to reflect the location of your policies] Refer to the appendices of this
Manual for the firm’s record retention policies and procedures, which apply to
compilations.

Engagement Review

In-Charge Accountant Review

28.29 The in-charge accountant has the primary responsibility for the conduct of the
engagement, as outlined by the engagement partner/manager, and for bringing to the
partner/manager’s attention any factors that become known to the engagement team
that may require a reevaluation of the client relationship.

28.30 Review of the work performed by other members of the engagement team
takes place by the in-charge accountant continuously throughout the engagement. In
particular, the in-charge accountant is responsible for:
• determining that all phases of the work have been completed in accordance
with the engagement plan
• determining that the engagement has been conducted and the report
prepared in accordance with firm policies and professional standards
• determining that the workpapers contain the necessary documentation to
comply with firm policies and professional standards
• determining that all non-substantive materials in the workpapers have been
disposed of in accordance with the firm’s record retention policies
• obtaining the partner/manager’s approval of adjusting journal entries before
providing them to management
• obtaining management’s approval of adjusting journal entries
• evaluating the performance of staff

Partner/Manager Review

28.31 [Tailor the penultimate bullet to reflect your consultation process] The
partner/manager review should consist of:
• reading the financial statements to ascertain that they make sense from an
overall business standpoint
• determining that the applicable firm policies and procedures and
professional standards have been followed
• resolving all questions raised in the review performed by the in-charge
accountant
• tracing amounts from workpapers to primary schedules, trial balance, and
the financial statements
• cross-checking amounts appearing in more than one place in the report
• checking computations, except for computer-generated compilations
• requesting, as needed, the assistance of the PSP on technical accounting
matters
• noting any factors that may affect a decision to continue the client
relationship for the succeeding year

Quality Control Review

28.32 [Tailor to reflect your policies] A quality control review is required whenever an
assurance partner is not assigned to the engagement. This includes engagements for
which the engagement administrator is an assurance manager or from another line of
business, such as tax or consulting services. For all other engagements, the
requirement for a quality control review is determined by using EPF. Engagements with
an EPF of “3” or “4” do not have a quality control reviewer assigned to the engagement.
However, the firm continues to encourage each operating office to adopt reasonable
policies to ensure the quality of reports issued, including a pre-release report read.

28.33 When a quality control review is required, the quality control reviewer is
responsible for:
• discussing unusual or significant matters or concerns with the
partner/manager
• reading the financial statements and report to determine that they make
good business sense and comply with professional standards and firm
policies
• clearing all questions with the partner/manager; controversial points that
cannot be resolved should be referred to the PSP or OMP

28.34 Although a quality control reviewer is not required to review specific
workpapers, nothing in these policies precludes such a review. For example, if
questions arise during the course of performing the specified procedures, the quality
control reviewer may review the engagement documentation and the resolution of
certain matters.

Tax Specialist Review

28.35 [Tailor to reflect your policies] The partner/manager should consider the need
for a tax specialist review. Alternatively, the PSP may request the tax specialist to
review tax accruals in certain circumstances, such as when complex deferred tax
considerations apply or the effects of new tax laws may be significant.

Pre-Release Report Read

28.36 [Tailor to reflect your policies] The firm does not require a pre-release read of a
compilation report. However, an office may require a pre-release report read as part of
its quality control procedures, or a partner/manager may request that another
partner/manager read the report and financial statements to get a different perspective.

28.37 A pre-release report read is not intended as a quality control or other review
and does not alleviate the responsibilities of the partner/manager or other members of
the engagement team. Nor does the person performing the reading assume the
responsibility of a quality control reviewer.

28.38 Generally, an assurance partner/manager outside of the engagement team
performs a pre-release report read, which is a “cold” reading of the report. The person
performing the pre-release read considers whether:
• the report and financial statements, on their face, appear appropriate
• amounts are internally consistent and lend themselves to comparison
• the financial statements are properly identified and appropriately organized
(e.g., correct page numbers; appropriate legends or other necessary
identification, such as "restricted for management’s use only")
• the notes to the financial statements are properly referenced
• there are any obvious typographical or clerical errors

Signing the Report

28.39 [Tailor to reflect your policies] Compilation reports must bear the firm’s
signature. The firm's name may be manually signed or typed. The OMP may delegate
authority to sign compilation reports to any assurance partner, senior manager, or
manager, provided the necessary licensing requirements are met. Such authorization
should be documented in the workpapers. If a pre-release report read is performed, the
partner, senior manager, or manager who performs the final read will ordinarily sign the
report.

Reporting Requirements
28.40 [Tailor to reflect your policies] A compilation report is required, except when the
compiled financial statements are not reasonably expected to be used by a third party.
However, the firm prefers that a report be issued. In the rare circumstance that a report
will not be issued, the matter should be discussed with the PSP. In addition, each page
of the financial statements should be restricted as to their use. The following provides
appropriate restrictive language.
“Restricted for Management’s Use Only”
“Solely for the information and use by management of (name of entity) and not intended to
be and should not be used by any other party.”

28.41 [Tailor to reflect your policies] Use of the firm's name in a document or written
communication containing financial statements that have not been audited, compiled, or
reviewed is not permitted unless a statement such as the following accompanies them:
The accompanying balance sheet of X Company as of December 31, 20XX and the related
statements of income and cash flows for the year then ended were not audited, reviewed, or
compiled by us and, accordingly, we do not express an opinion or any other form of
assurance on them.

28.42 The firm’s standard compilation report is included in Exhibit 29.1.


Report Dating

28.43 Similar to an audit, the compilation report should not be dated before
substantially all procedures are completed and procedures are not complete until a full
set of financial statements is prepared. The proper date is important because it
establishes a professional and legal cutoff for the firm’s responsibilities.

28.44 When the engagement team becomes aware of essential information that was
not available on the report date, the report may be dual dated. In this circumstance,
refer to professional standards and Chapter 21 for requirements and guidance.

Subsequent Discovery of Facts

28.45 Subsequent to the date of the report, the engagement team may become
aware of facts that may have existed at that date that cause the engagement team to
have reservations about the information supplied by the entity. In these circumstances,
refer to professional standards and Chapter 18 for requirements and guidance in
determining the appropriate course of action.

Report Reissuances

28.46 Occasionally, a client may request additional copies of a previously issued
report. In these instances, the firm has no responsibility to make a further investigation
or inquire as to events that may have occurred since the original report date.
Accordingly, the additional copies should bear the original report date.

28.47 If the prior period financial statements are restated, the engagement team
should consider the propriety of the restatement. When the report is reissued, it should
ordinarily be dual dated and include a paragraph disclosing the restatement. If possible,
the engagement team should obtain a written statement from management describing
the information currently obtained and its effect on the prior period financial statements
and, if applicable, their understanding of its effect on the reissued report.

General Report Format

28.48 [Tailor to reflect your policies] Compilation reports should be presented on firm
letterhead (except in situations involving printed reports where letterhead is ordinarily
not used).

28.49 [Tailor to reflect your policies] The firm's standard report covers may be used
where appropriate, but are not required. If a formal report is issued, the title "Financial
Statements and Accountant’s Compilation Report" should ordinarily be used on the
report cover.

28.50 [Tailor to reflect your policies] The following policies related to the compiled
financial statements should ordinarily be applied:
• the heading of each page of the financial statements should contain the
reference "See Accountant’s Compilation Report"
• if disclosures are included, the bottom of each page of the financial
statements should contain the reference “The accompanying notes are an
integral part of these statements”
• formal typed financial statements should ordinarily be presented in a typical
presentation format. Less formal financial statements need not have all the
classifications in a typical presentation

Disclosures and Departures From the Framework

28.51 [Tailor to reflect your policies] When the engagement team knows that the
financial statements are at variance with the applicable financial reporting framework or
the prescribed form, including the omission of some or all disclosures (unless the firm
was engaged to compile financial statements that omit substantially all disclosures), the
engagement team should insist upon appropriate revision.

28.52 [Tailor to reflect your policies] If the financial statements are not revised for
material departures, a modification of the compilation report will ordinarily be sufficient.
However, in some instances, the engagement team may conclude that this would not
adequately indicate the deficiencies in the financial statements taken as a whole. In
those cases, the NPPD should be consulted, and the engagement team should
consider withdrawing from the compilation engagement.

28.53 [Tailor to reflect your policies] SSARS and its interpretations provide that
management may include some note disclosures while choosing to omit others if the
disclosures are labeled “Selected Information – Substantially All Disclosures Required
by Generally Accepted Accounting Principles Are Not Included.” However, because of
the difficulty of determining which selective disclosures should be included in the
financial statements for them not to be misleading, the firm does not ordinarily permit
association with financial statements incorporating selective disclosures. Therefore,
financial statements with which the firm is associated should either include all necessary
note disclosures or completely omit them (unless the financial statements are in a
prescribed form).

28.54 [Tailor to reflect your policies and the relevant reporting framework] Depending
on the magnitude of the effects of departures, the significance of the affected items, the
pervasiveness and overall impact of the misstatements, and whether disclosure has
been made of the effects of departures, the following optional paragraph may be used
after consulting with the NPPD. Such paragraph would follow the other report
modifications related to departures from the framework.

Because the significance and pervasiveness of the matters discussed above make it difficult
to assess their impact on the financial statements taken as a whole, users of these financial
statements should recognize that they might reach different conclusions about the
Company's financial position, results of operations, and cash flows if they had access to
revised financial statements prepared in conformity with accounting principles generally
accepted in the United States of America.

Special Situations

OCBOA Financial Statements and Other Presentations


28.55 We may be engaged to compile financial statements prepared in accordance
with an other comprehensive basis of accounting. Such financial statements should
include:
• a description of the OCBOA, including a summary of significant accounting
policies and the primary differences from the applicable financial reporting
framework
• informative disclosures similar to those required by the applicable financial
reporting framework if the statements contain items that are the same or
similar

28.56 We may also be engaged to compile financial statements prepared in
accordance with criteria contained in contractual agreements or regulatory provisions. In
such circumstances, the compilation report should be restricted as to its use.

Sole Proprietorship

28.57 The firm may be engaged to compile the financial statements for a
proprietorship. The compilation report would be addressed to the proprietor. A separate
paragraph, generally the last paragraph, would be added to the compilation report to
distinguish between the personal assets and the business assets of the proprietor as
follows:

The accompanying financial statements have been prepared solely from the accounts of
ABC Company, and they do not include the personal accounts of the owner or those of any
other operation in which she is engaged.

28.58 [Tailor to reflect your policies] If the engagement team believes that personal
and business assets and liabilities have not been properly segregated, they should
recommend issuance of personal financial statements, which include the proprietor's
assets and liabilities at fair value. If this is not acceptable to the proprietor, consult with
the NPPD and consider withdrawing from the engagement. In addition to the required
disclosures, disclosure should also be made that no income taxes are payable by, or
provided for, the proprietorship and substantial withdrawals made or anticipated by the
proprietor after the balance sheet date.

Personal Financial Statements

28.59 [Tailor to reflect available guidance] The firm may be engaged to compile
personal financial statements. In this circumstance, refer to the AICPA Personal
Financial Statements Guide for guidance.

28.60 If, as a result of performing the compilation, the engagement team has reason
to conclude that unrecorded assets or liabilities may exist, and the matter is not
satisfactorily resolved, the firm will ordinarily be precluded from issuing a compilation
report.

Financial Statements in Prescribed Forms

28.61 The firm may be engaged to compile financial statements on prescribed forms
where the form or its related instructions call for departures from generally accepted
accounting principles. Prescribed forms are any standard preprinted form designed or
adopted by the body to which it is to be submitted. The definition does not extend to
forms that are designed or adopted by the entity whose financial statements are to be
compiled. Illustrations of prescribed forms include those required to be submitted to
industry trade associations, credit agencies, banks, and governmental and regulatory
bodies (other than those concerned with the sale or trading of securities).

28.62 When financial statements are included in certain prescribed forms, there is a
presumption that the information required by the form is sufficient to meet the needs of
the users of the forms. Accordingly, GAAP departures mandated by the prescribed form
do not result in a modified compilation report. A modified report is presented when the
financial statements:
• include a departure from GAAP not mandated by the prescribed form
• contain a departure from the requirements of the prescribed form itself

28.63 Refer to the firm’s standard illustrative report as well as professional standards for
specific reporting guidance when the financial statements are prepared based on a
prescribed form.

Other Situations Affecting Compilations

Going Concern and Other Uncertainties

28.64 Unlike an audit, the engagement team has no responsibility to determine if
substantial doubt exists as to the entity's ability to continue as a going concern for a
reasonable period. However, during the course of the engagement, this or other types
of uncertainties may come to the engagement team’s attention.

28.65 When going concern or other material uncertainties come to the engagement
team’s attention, the financial statements should include appropriate disclosure of the
matter, unless the financial statements omit substantially all disclosures.

28.66 In accordance with standards, the following policies are applicable:
• if satisfactory disclosure is made, the standard compilation report is
ordinarily appropriate
• if management refuses to disclose the uncertainty, such departure should
be disclosed in the report; care should be exercised so that no
representations are included in the report that may increase the firm’s
responsibility or appear to contradict the report

28.67 The following provides an illustrative report paragraph describing the
departure for a going concern uncertainty:

The financial statements, which have been prepared assuming that the Company will
continue as a going concern, show a net loss of $XXX,XXX and a use of cash for
operations of $XXX,XXX for the year ended December 31, 20X0, a deficit in working
capital of $XXX,XXX, an accumulated deficit capital of $XXX,XXX and a deficit in
stockholders' equity of $XXX,XXX at December 31, 20X0. The accompanying financial
statements do not, however, include disclosures that the foregoing conditions raise
substantial doubt about the Company's ability to continue as a going concern, nor do they
include any adjustments that might result from the outcome of this uncertainty.

Disclosure of Approximations in Interim Reports

28.68 Approximations in year-end financial statements are generally limited to those
that result from allocations between time periods or among joint activities. For interim
financial statements, however, a number of items of accounting data may be
approximated, such as inventories.

28.69 The interim financial statements should disclose the fact that certain items
were approximated. The language “Approximated by Management” incorporated into
the applicable financial statement caption should be suitable, in most cases, to indicate
material approximations in interim financial statements.

28.70 If the engagement team is aware that the financial statements contain material
estimates that are unreasonable, they should insist on appropriate revision or refuse to
be associated with them.

Reporting on Supplementary and Other Information


28.71 We may also be engaged to compile supplementary information that will
accompany the basic financial statements. Such supplementary information should be
separated from the basic financial statements by a page with the center caption
“Supplementary Information.”

28.72 When the firm compiled the supplementary information, the following
paragraph should be included in the compilation report:

We also compiled the (identify accompanying supplementary information) on page XX,
which is presented for purposes of additional analysis and is not a required part of the basic
financial statements. Such supplementary information is the responsibility of management.
We have not audited or reviewed this supplementary information, and we do not express an
opinion or provide any assurance on such information.

28.73 Other information that was not compiled should be on separate pages and
clearly marked as not having been compiled. In addition, the following paragraph should
be included in the compilation report:

The (identify accompanying information) on page XX was not audited, reviewed, or
compiled by us and, accordingly, we do not express an opinion or any other form of
assurance on such information.

Restricted-Use Reports and Statements

28.74 [Tailor to reflect your policies] Compilation reports on financial statements
prepared in conformity with GAAP or OCBOA are ordinarily not restricted as to use. As
previously indicated, the engagement team should restrict the use of the report when
the financial statements are prepared based on criteria in contractual arrangements or
regulatory provisions.

28.75 [Tailor to reflect your policies] As a reminder, when a compilation report is not
issued because the financial statements are not intended for use by third-parties, the
financial statements should also include restrictive language. If the engagement team
becomes aware that restricted compiled financial statements were distributed to third
parties, the partner/manager should discuss the situation with the entity and request
that the entity have the statements returned. If the entity does not comply with this
request within a reasonable period, the partner should, after discussion with the PSP
and consultation with the NPPD and RRLA, notify known third parties that the financial
statements are not intended for third-party use.

28.76 Refer to professional standards for additional requirements and guidance on
the following:
• issuing a single combined report that covers general-use and restricted-use
presentations
• agreeing to add other parties as specified parties

Change in Engagement to Compilation

28.77 There may be instances when the firm was engaged to audit or review the
financial statements but, before completion, management requests to change the
engagement to a compilation. A request to change the engagement may result from:
• a change in circumstances
• a misunderstanding as to the nature of the engagement
• management becoming aware of the availability of compilation services
• a restriction on the scope of the engagement, whether imposed by
management or caused by circumstances

28.78 Before the firm will agree to change the engagement to a compilation, the
engagement team should consider the reason given for the request, particularly the
implications of a restriction on the scope of the engagement, whether imposed by
management or by circumstances. If the auditing or review procedures are substantially
complete or the cost to complete such procedures is relatively insignificant, the
engagement team should consider the propriety of accepting the change.

28.79 A change in circumstances that affects the entity's requirement for an audit or
a review, or a misunderstanding concerning the nature of the engagement and the
alternative compilation services, would ordinarily be considered a reasonable basis for
requesting a change in the engagement. A scope limitation, however, can have
implications that are more serious. For example, in an audit, when the engagement
team is prohibited by management from corresponding with the entity's legal counsel, or
when management has refused to sign a representation letter, the firm ordinarily would
be precluded from issuing a compilation report.

28.80 [Tailor to reflect your policies] When the reason for a change in engagement
seems inappropriate, the proposed change should be discussed with the NPPD. We
should not agree to a change in engagement if there is not a reasonable justification for
doing so.

28.81 When the reason for the change seems appropriate, the engagement team
should agree with management on the terms of the compilation engagement and record
them in a new engagement letter. The compilation report should not include reference
to the original engagement, including any auditing or review procedures that may have
been performed or scope limitations that resulted in the changed engagement.

Reports on Comparative Financial Statements


28.82 The following discusses various matters relating to comparative financial
statements.

Reports Covering More Than One Fiscal Period

28.83 Current period financial statements that are compiled should not be presented
with those of prior periods, unless the firm or a predecessor compiled, reviewed, or
audited the prior statements.

28.84 When comparative financial statements are presented, the nature of the report
depends upon the level of service provided in each of the reporting periods. When the
service provided in the current period is at a lower level than that provided in the prior
period, the earlier report should generally be reissued as opposed to being updated.
When the firm performed the same level of service in each period, or when a higher
level of service is provided in the current period, the engagement team should update
the report on the financial statements of the earlier period.

28.85 During a current engagement, the engagement team should be alert for
circumstances or events that may affect the prior period financial statements presented
or the adequacy of the informative disclosures made in those statements. The
engagement team should consider the effects of such circumstances or events in
updating the report on the prior period financial statements. Consideration should be
given to:
• repeating notes and explanations pertinent to the prior period statements
and modifying such information to reflect subsequent developments
• restating the prior period statements for those prior period adjustments that
were reflected in retained earnings in the current year

28.86 [Tailor to reflect your policies and your accounting framework] When
comparative financial statements are presented and the prior period was reviewed, the
following paragraph should be added as the final paragraph of the compilation report.
The title of the report should also be changed to “Independent Accountant’s Report.”
Although a combined compilation and review report or separate reports may be issued,
the firm prefers reporting on the review in a separate paragraph as follows. This
paragraph may also be used when the current period was audited.

The accompanying 20X1 financial statements of XYZ Company were reviewed by us in
accordance with Statements on Standards for Accounting and Review Services issued by the
American Institute of Certified Public Accountants. Our report dated February 14, 20X2
stated that we were not aware of any material modifications that should be made to the
accompanying financial statements in order for them to be in conformity with accounting
principles generally accepted in the United States of America (alternatively, identify the
other comprehensive basis of accounting and refer to the note that describes that basis of
accounting, such as the cash or income tax basis of accounting, as described in Note X). We
have not performed any procedures in connection with that review engagement since that
date. However, a review is substantially less in scope than an audit, the objective of which is
the expression of an opinion regarding the financial statements as a whole. Accordingly, we
do not express such an opinion on the 20X1 financial statements.

Updated Reports

28.87 [Tailor to reflect your policies and your accounting framework] During the
course of the current engagement, we may encounter events or circumstances that
affect the statements of a prior period. In updating the report on the prior period financial
statements, it may be necessary to issue a report different from that previously issued.
Refer to professional standards for the appropriate reporting in this circumstance. The
following is an illustrative report paragraph that may be appropriate when there is a
changed reference to a departure from GAAP:

In our previous compilation report, dated March 1, 20X1, on the 20X0 financial statements,
we referred to a departure from accounting principles generally accepted in the United
States of America in that the Company carried its land at appraised values. However,
management has informed us, as disclosed in Note X to the financial statements, that the
Company has restated its 20X0 financial statements to eliminate the departure from
accounting principles generally accepted in the United States of America.

Prior Period Services Performed by Other Accountants

28.88 When prior period financial statements that were audited, reviewed, or
compiled by other accountants are to be presented in comparative financial statements,
management is responsible for requesting the predecessor accountants to reissue their
previous report. The predecessor accountants are not required to reissue their report on
a prior period, although they may do so if satisfactory arrangements can be made with
their former client, and they perform certain procedures.

28.89 [Tailor to reflect your policies and your accounting framework] If the
predecessor accountants do not reissue their report, the firm’s report on the current
period should make reference in an additional paragraph to the predecessors’ report on
the prior period; or the firm may be engaged to perform a compilation, review, or audit of
the prior period and report accordingly. Illustrations of the language to be included in the
compilation report in this circumstance are as follows:

(Include the following if the prior period was compiled.)


The 20X0 financial statements of ABC Company were compiled by other accountants
whose report, dated February 15, 20X1, stated that they did not audit or review those
financial statements and, accordingly, did not express an opinion or provide any assurance
about whether those financial statements are in accordance with accounting principles
generally accepted in the United States of America.

(Include the following if the prior period was reviewed.)


The 20X0 financial statements of ABC Company were reviewed by other accountants
whose report, dated March 15, 20X1, stated that they were not aware of any material
modifications that should be made to those financial statements in order for them to be in
conformity with accounting principles generally accepted in the United States of America.

Note: These illustrations should be modified to incorporate a description of any
modifications to the standard report, including any emphasis paragraphs.

28.90 When prior-period financial statements have been restated, the predecessor
accountants may reissue their report. If the predecessor accountants do not reissue
their report, the firm may be engaged to report on the financial statements of the prior
period. If the firm is not engaged to report on the prior period’s financial statements, the
report should indicate in the introductory paragraph that a predecessor accountant
reported on the financial statements of the prior period before restatement. If the firm is
engaged to compile the restatement adjustment(s), the report may also indicate that the
firm compiled such adjustment(s).

28.91 [Tailor to reflect your accounting framework] The following is an illustrative
example of the introductory paragraph when the predecessor accountant’s report is not
presented and the firm compiles the restatement adjustment(s) in comparative financial
statements:

We have compiled ... We also compiled the adjustment(s) described in Note X that was
(were) applied to restate the 20X0 financial statements to correct an error. The 20X0
financial statements of ABC Company, before the effects of the adjustment(s) that was
(were) applied to restate the 20X0 financial statements to correct an error described in Note
X, were compiled by other accountants whose report, dated March 31, 20X1, stated that
they did not audit or review those financial statements and, accordingly, did not express an
opinion or provide any assurance about whether those financial statements are in
accordance with accounting principles generally accepted in the United States of America.

28.92 [Tailor to reflect your policies] If, during the engagement, the engagement team
becomes aware of information that leads them to believe that the financial statements
reported on by the predecessor require revision, the engagement team is required to
inform management to communicate this information to the predecessor accountant. If
management refuses to do so, the engagement team should evaluate the possible
implications on the engagement, including whether to resign from the engagement, and
consider consulting with the NPPD.

Reissuing a Prior Period Report When We Are the Predecessor

28.93 When the firm is requested, as predecessor accountants, to reissue a
compilation report on prior period financial statements, the engagement team should
consider whether the previous report is still appropriate because of:
• events subsequent to the date of the report
• the current presentation of the prior period financial statements
• changes in the financial statements that require modifications to the report

28.94 Therefore, the following procedures should be performed:
• read the current period statements and the successors’ report
• compare the prior period statements with those of the current period
• obtain a letter from the successor stating whether they are aware of any
matters which, in their opinion, might have a material effect on the financial
statements of the prior period

28.95 In performing these procedures, the engagement team may become aware of
matters or events occurring subsequent to the date of the report on the prior period that
may affect the previous report. The engagement team should then:
• make inquiries similar to those that would have been performed if the
engagement team had been previously aware of such information
• perform any other procedures the engagement team considers necessary
in the circumstances
• determine whether to reissue the report in accordance with the guidance in
professional standards and firm policies

28.96 If the above procedures are not completed, the engagement team should not
reissue the report and may consider if another course of action is appropriate.

Reporting on Financial Statements That Previously Did Not Omit Disclosures

28.97 Compiled financial statements that omit substantially all disclosures are not
comparable to financial statements that include such disclosures. Accordingly, a
comparative report should not be issued when the statements of one or more prior
periods omit substantially all the disclosures.

28.98 [Tailor to reflect your accounting framework] When the firm previously audited,
reviewed, or compiled financial statements that included substantially all required
disclosures, the firm may subsequently be requested to compile statements for the
same period that omit substantially all disclosures for comparative purposes. In such a
case, the report should include an additional paragraph indicating the nature of the
previous services rendered and the date of the previous report, such as follows:

The accompanying 20X0 financial statements were compiled by us from financial
statements that did not omit substantially all of the disclosures required by accounting
principles generally accepted in the United States of America and that we previously
reviewed as indicated in our report dated March 15, 20X1.

Combination of Practices

28.99 If the comparative financial statements include prior period statements that
were audited, reviewed, or compiled by a firm with whom the firm has since combined
practices, the engagement team should determine whether it is appropriate to reissue or
update a report on the prior period by considering the guidance provided in Chapter 21.

Reporting Status

28.100 [Tailor to reflect your policies] When reporting on comparative financial
statements, the current status of the entity, whether public or nonpublic, should be
considered. If there is a change in status, it may not be appropriate to reissue the report
in comparative statements. In this circumstance, the engagement team should discuss
the matter with the PSP.

Exhibit 29.1 Illustrative Compilation Report


[Tailor this Exhibit to reflect your standard compilation report]

28.101 The following illustrates the firm’s standard compilation report. Additional
report modifications, such as reporting on supplementary and other information, are
described throughout this Chapter.

28.102 The firm believes it is preferable to include (but does not require) a title.
"Independent Accountant’s Compilation Report" or "Report of Independent Certified
Public Accountants" may be used provided the firm is independent.

INDEPENDENT ACCOUNTANT’S COMPILATION REPORT*

Board of Directors
XYZ Company

(Modify the following paragraph to appropriately identify the financial statements.)

We have compiled the accompanying balance sheet(s) of XYZ Company (an Illinois
Corporation) as of December 31, 20X2 (and 20X1), and the related statements of income
(and comprehensive income), (comprehensive income), retained earnings, and cash flows for
the year(s) then ended. We have not audited or reviewed these financial statements and,
accordingly, do not express an opinion or provide any assurance about whether the financial
statements are in accordance with accounting principles generally accepted in the United
States of America (alternatively, identify the other comprehensive basis of accounting, such
as the cash or income tax basis of accounting).

Management is responsible for the preparation and fair presentation of the financial
statements in accordance with accounting principles generally accepted in the United States
of America (alternatively, identify the other comprehensive basis of accounting, such as the
cash or income tax basis of accounting) and for designing, implementing, and maintaining
internal control relevant to the preparation and fair presentation of the financial statements.

Our responsibility is to conduct the compilation in accordance with Statements on Standards
for Accounting and Review Services issued by the American Institute of Certified Public
Accountants. The objective of a compilation is to assist management in presenting financial
information in the form of financial statements without undertaking to obtain or provide any
assurance that there are no material modifications that should be made to the financial
statements. (Include the following sentence when a material departure from the applicable
financial reporting framework is identified; this sentence is not required when the financial
statements omit substantially all disclosures: During our compilation, we did become aware
of a departure (certain departures) from accounting principles generally accepted in the
United States of America (alternatively, identify the other comprehensive basis of
accounting, such as the cash or income tax basis of accounting) that is (are) described in the
following paragraph(s).)

(Describe, if applicable, material departures from the applicable financial reporting
framework and the effects on the financial statements. The following provides an example of
omitted inventory overhead costs.)

As described in Note X to the financial statements, the Company has only included material
and direct labor costs in the value of work in process and finished goods inventories.
Accounting principles generally accepted in the United States of America require that the
value of such inventories also include manufacturing overhead costs. Management has
informed us that, if the financial statements were corrected for this departure from
accounting principles generally accepted in the United States of America, beginning
retained earnings as of December 31, 20X0 would be increased by $XX,XXX, inventories
would be increased by $XX,XXX, and income taxes payable would be increased by
$X,XXX as of December 31, 20X2, and net income would be increased by $XX,XXX for
the year then ended. (Alternatively, indicate that the effects on the financial statements have
not been determined, such as follows: The effects of this departure from accounting
principles generally accepted in the United States of America on the accompanying
financial statements have not been determined.)

(Include the following paragraph when the financial statements omit substantially all
disclosures, but they are otherwise in conformity with the applicable financial reporting
framework.)

Management has elected to omit substantially all of the disclosures required by accounting
principles generally accepted in the United States of America (alternatively, identify the
other comprehensive basis of accounting and refer to the note that describes that basis of
accounting, such as the cash or income tax basis of accounting). If the omitted disclosures
were included in the financial statements, they might influence the user’s conclusions about
the Company’s financial position, results of operations, and cash flows (alternatively,
modify for other comprehensive bases of accounting; for example, for the income tax basis
of accounting reference can be made to the company’s assets, liabilities, equity, revenue
and expenses). Accordingly, the financial statements are not designed for those who are not
informed about such matters.

(Include the following paragraph when we are not independent. The reasons for a lack of
independence should not be disclosed, unless the team has consulted with the PIC Ethics
and the NPPD.)

We are not independent with respect to XYZ Company.

(Include the following paragraph restricting the use of the report when required by
professional standards or firm policy.)

This report is intended solely for the information and use of (the specified parties) and is not
intended to be and should not be used by anyone other than these specified parties.

GRANT THORNTON LLP (manually)
Chicago, Illinois
January 18, 20X2

* Reference to “independent” in the title should be eliminated if we are not independent.

28.103
