Study Guide – AUD (2024) Mnemonics List

A1 – Audit Reports
M1: Professional Standards
Audits
● Statements on Auditing Standards (SAS)
○ Used for nonissuers (private companies)
○ Set by AICPA Auditing Standards Board (ASB)
● PCAOB Auditing Standards (AS)
○ Used for issuers (public companies)
○ Set by the Public Company Accounting Oversight Board (PCAOB)
● Generally Accepted Government Auditing Standards (GAGAS)
○ Used for government organizations
○ Set by Governmental Accountability Office (GAO)

Other Engagements
● Statements on Standards for Attestation Engagements (SSAE)
○ Provide guidance for attestation engagements
○ Set by AICPA
○ Applies to examinations, reviews, or assertions on a third party subject matter
● Statements on Standards for Accounting and Review Services (SSARS)
○ Provide guidance for unaudited services and information for nonissuers (private companies)
○ Set by AICPA Accounting and Review Services Committee
○ Applies to preparation/review of financial statements or forecasts for private companies

Guidelines
● Code of Professional Conduct
○ Provides guidelines to the members of the AICPA for behavior in the conduct of their business.
○ Also provides assurance to the public that the profession maintains high standards.
● Statements on Quality Control Standards (SQCS)
○ Provides guidance to CPA firms about policies and procedures designed to ensure the firm complies with
professional standards and regulatory requirements.

● GAAS Hierarchy
1. AICPA SAS (nonissuers/private) and PCAOB AS (issuers/public)
■ Most authoritative
■ Auditor should use professional judgment
■ Specific language is used to clarify the auditors level of responsibility:
○ “Must” or “Required” = Unconditional statement; auditor MUST do this.
○ “Should” = Presumptively mandatory requirement; must be able to justify departure and
document in writing.
○ “May,” “might,” and “could” = Not an imposed requirement; only a recommendation
2. Interpretive Publications
Page 1 of 350
 ■ Recommendations for how auditing standards should be applied, but not considered to be auditing
standards.
■ Auditing interpretations of SAS and PCAOB AS, collectively known as GAAS.
■ AICPA Audit and Accounting Guides
■ Auditing Statements of Position (SOP)
3. Other Auditing Publications
■ Not authoritative, but may be helpful.
■ Journal of Accountancy
■ Professional Journals
■ Textbooks
■ CPE courses

Notes from MCQs

○

Page 2 of 350
 M2: Audit Engagements
● The Audit Process
1. Engagement Acceptance
2. Assess Risk and Plan Response
3. Perform Procedures and Obtain Evidence
4. Form Conclusions
5. Reporting
● Purpose of an Audit
○ To provide financial statement users with an opinion on whether the statements are presented fairly, in all
material aspects, in accordance with the applicable reporting framework (such as GAAP).
○ Auditors reports give credibility to financial statements.
● Management Responsibilities
○ Preparing financial statements in accordance with their applicable framework.
○ Designing, implementation, and maintaining internal controls.
● Auditors Responsibilities
○ Expressing an opinion on the financial statements
○ Maintaining professional skepticism
○ Complying with ethical requirements
○ Exercising professional judgment
○ Obtaining sufficient and appropriate evidence
○ Complying with GAAS

● Maintaining Professional Skepticism

○ Professional skepticism is having a questioning mind.
■ Trust, but verify.
○ Be alert for:
■ Evidence that contradicts other evidence
■ Information that calls into question the reliability of documents
■ Possible fraud
■ Need for additional audit procedures
■ Evidence that may impact initial risk assessment
○ Professional skepticism may be hard to meet due to unconscious human bias, such as developing
inappropriate levels of trust or confidence in management.
● Complying with Ethical Requirements
○ Auditors should meet ethical requirements, such as being independent in both fact and appearance.
● Exercising Professional Judgment
○ Audits often require interpretation of both ethics and GAAS, as well as other informed decisions.
○ Professional judgment may be necessary for materiality, risk, drawing conclusions, etc.
● Obtaining Sufficient and Appropriate Evidence
○ Reduces risk to an acceptable low level.
○ Enables the auditor to draw reasonable conclusions and form an opinion.
● Complying with GAAS

Page 3 of 350
 ○ GAAS provides a set of guidelines and principles for planning, performing, and reporting on audit
engagements.
○ In certain audit engagements, auditors may conduct audits with both GAAS as well as some other form of
standards.

● Reasonable Assurance and Inherent Limitations of an Audit

○ In order to express an opinion, auditors obtain reasonable assurance that financial statements are free
from material misstatement, whether from error or fraud.
○ Reasonable assurance is a high, but not absolute, level of assurance.
○ In order to obtain reasonable assurance, the auditor must:
1. Plan the work and properly supervise any assistants
2. Determine and apply the appropriate level of materiality levels
3. Identify and assess risks of material misstatement, whether due to error or fraud; and
4. Obtain sufficient appropriate audit evidence
○ Absolute assurance is unable to be obtained due to limitations such as:
■ The nature of reporting (subjective decisions, such as allowance for accounts receivable)
■ The nature of audit procedures (management may not provide complete information)
■ Timeliness of financial reporting and balance of cost and benefit.
● Nature and Scope of the Engagement
○ Auditors may be hired to perform an audit for a single period or multiple periods.
○ An audit may be on the complete financial statements, a single financial statement, or specific elements,
accounts, or items on a financial statement.
○ Nonissuers have a choice of either:
■ A financial statement audit only, OR
■ An integrated audit (two opinions are rendered)
● Audit of both the financial statements, as well as the effectiveness of internal controls.
○ Issuers must have auditors perform integrated audits, where two opinions are rendered.
● Objectives of the Financial Statement Audit
○ To obtain reasonable assurance about whether the statements as a whole are free from material
misstatement, whether from error or fraud, which enables auditors to express their opinions.
○ To report on the financial statements and communicate as required by GAAS based on their findings.
● Objectives of the Audit of Internal Controls over Financial Reporting
○ Required for issuers; optional for nonissuers.
○ To express an opinion on the effectiveness of the company’s internal controls over financial reporting.
○ To obtain reasonable assurance about whether material weaknesses exist as of the date specified in
management's assessment.
○ If an audit of internal control is done, an audit over the financial statements must also be done.
● Objectives of the ERISA Plan Financial Statements Audit
○ Audits of Defined Benefit Plans (Employee Retirement Income Security Act of 1974)
○ To form an opinion on the ERISA plan financial statements based on evidence obtained.
○ To express a clear opinion on the plan through a written report.
○ To appropriately communicate to management and those charged with governance the auditors findings.

Page 4 of 350
Page 5 of 350
 M3: Forming an Audit Opinion
● Considerations when Forming an Audit Opinion
○ Sufficient appropriate audit evidence was obtained as required by GAAS.
■ Nonissuer - SAS
■ Issuer - PCAOB AS
○ Financial statements are fairly presented, in all material respects, in accordance with the applicable
framework, such as GAAP.
○ The selected framework provides guidance on how transactions and events should be recorded.
■ For example, a building account should be reported at cost - accumulated depreciation if using GAAP.
■ Appropriate disclosures and policies should also be present.

Types of Opinions
● Unmodified (Nonissuers) and Unqualified (Issuers)
○ Best opinion possible
○ States that financial statements are presented fairly, in all material respects, in accordance with the
applicable financial reporting framework.
○ Issued when sufficient appropriate audit evidence is obtained, no material misstatements are present, and
the applicable framework is followed.
● Modified Opinions
○ Auditors are unable to obtain sufficient appropriate audit evidence to express opinions (audit issues), OR
○ Auditors conclude that financial statements are materially misstated (financial statement issues).
■ For example, inaccurate numbers or missing disclosures.
○ Qualified Opinion (financial statement issues)
■ Financial statements contain misstatements.
■ Material, but NOT pervasive.
■ Not the best, but not the worst opinion.
■ For example, the client reports the building at fair value, and deny’s correcting the report.
○ Qualified Opinion (audit issues)
■ Auditors are unable to gather sufficient appropriate audit evidence.
■ Material, but NOT pervasive.
■ Not the best, but not the worst opinion.
○ Disclaimer of Opinion
■ Auditors are unable to gather sufficient appropriate audit evidence.
■ Therefore, auditors deny offering an opinion.
■ Material AND pervasive.
■ Worst opinion (audit issues)
○ Adverse Opinion
■ Financial statements contain misstatements.
■ Material AND pervasive.
■ Worst opinion (financial statement issues)

Page 6 of 350
 ○
○

● Pervasive
○ Have far-reaching effects across several accounts, or
○ If specific to only one account, it:
■ Represents a significant portion of the financial statements, or
■ Has issues with disclosures that are fundamental to the users’ understanding.

● Notes from MCQs

○ Emphasis-of-matter, other-matter, and explanatory paragraphs are used by auditors to add additional
communications to the auditor’s report without changing the auditor’s opinion.
■ Nonissuers = emphasis-of-matter and other-matter
■ Issuers = explanatory

Page 7 of 350
 M4: Unmodified (Unqualified) Opinion
Nonissuers - Unmodified
● Unmodified opinions (nonissuers)
○ Sufficient appropriate audit evidence has been obtained and
○ Financial statements are fairly presented with respect to the applicable framework.
● Required sections (“OBRA”)
○ Opinion (First section)
○ Basis for Opinion (Second section)
○ Responsibilities of Management for the Financial Statements (Anywhere after second section)
○ Auditor's Responsibilities for the Audit of the Financial Statements (Anywhere after second section)
● Opinion includes:
○ Name of client.
○ Statement that the financials have been audited.
○ Title of each financial statement and reference to the notes.
○ Dates or periods covered by the financials.
○ A statement that the financials are presented fairly in accordance with the applicable framework.
○ Identification of the applicable framework, and the country of origin (such as GAAP).
● Basis for opinion includes:
○ Statement that the audit was conducted with GAAS, and the country of origin (such as the US).
○ Reference to the auditor’s responsibilities section of the report.
○ Statement that the auditor is required to be independent and meet ethical standards.
○ Statement as to whether the auditor believes that the evidence obtained is sufficient and appropriate.
● Responsibilities of Management for the Financial Statements
○ Explanation that management is responsible for preparation of financial statements.
○ Statement that management is responsible for internal controls.
○ When required, evaluation of whether there are conditions that raise substantial doubt on going concern.
○ Reference the framework used (such as GAAP)
● Auditor's Responsibilities for the Audit of the Financial Statements
○ Statement that the objectives of the auditor are to gain reasonable assurance, issue a report and give an
opinion.
○ Statement about what reasonable assurance is.
○ Statement that not detecting fraud is a higher risk than not detecting errors (collusion, forgery, etc.).
○ Statement on what considers a misstatement to be material.
○ Description of auditor’s responsibilities to:
■ Exercise professional judgment
■ Identify and assess risks
■ Obtain an understanding of internal controls
■ Evaluate appropriateness of policies used and overall presentation of financials
■ Conclude whether there are conditions that raise substantial doubt as a going concern (GAAS requires)
○ Statement that the auditor is required to communicate findings with those charged with governance.
○ Examine on a test basis.
○ Reference the use of GAAS throughout.

Page 8 of 350
● Other reporting structures:
○ Title - clearly indicate that it is an independent report (“Independent Auditor’s Report”)
○ Addressee - addressed to those charged with governance (typically NOT management)
○ Signature of the auditor’s firm
○ City and State where the auditor’s report is issued
○ Date of the auditor’s report - the date the auditor had obtained sufficient appropriate audit evidence

● Audits in accordance with two sets of standards

○ For example, auditing a governmental entity will require the use of both GAAS and GAGAS.
○ Done if auditors are engaged by a client to do so.
○ Both auditing standards are referenced in the Basis for Opinion and Auditor’s Responsibilities sections.
● Audits in accordance with GAAS and PCAOB standards
○ If the auditor follows PCAOB standards when not required, the auditor must:
■ Follow GAAS standards in addition to PCAOB
■ Use the report required by the PCAOB
■ Amend the PCAOB (issuer) report to state the audit was also done with GAAS

● Key Audit Matters (KAMs) Section

○ Optional section.
○ Added when the client requests auditors to do so.
○ Provides visibility into the more complex areas or areas that require judgment in the audit.
○ KAMs are selected from the matters communicated to those with governance.
○ When deciding KAMs, auditors consider:
■ Areas with higher assess risk
■ Areas requiring significant judgment
■ Significant events or transactions
○ KAMs section can be added anywhere after the second section (Basis for Opinion).
○ Must include the heading “Key Audit Matters”.
○ Must include the definition of what key audit matters are.
○ Order of KAMs listed is a judgment decision.
○ KAMs should NOT include matters giving rise to:
■ A qualified opinion (this will be referenced in the Basis for Opinion section).
■ Substantial doubt existing about an entity's ability to continue as a going concern.
○ KAMs are PROHIBITED from being communicated for adverse and disclaimer opinions.

Issuers - Unqualified
● Unqualified opinions (issuers)
○ Sufficient appropriate audit evidence has been obtained and
○ Financial statements are fairly presented with respect to the applicable framework.
● Required sections
○ Opinion on the Financial Statements (First section)

Page 9 of 350
 ○ Basis for Opinion (Second section)
○ Critical Audit Matters (Anywhere after second section)
● Opinion on the financial statements includes:
○ Name of client
○ Statement identifying each financial and any related schedules
○ Dates or periods covered by financials
○ Statement indicating that an audit occurred
○ Statement about if the financials are presented fairly and follow the applicable framework (opinion)
○ Reference GAAP
● Basis for Opinion includes:
○ Statement that financials are responsibility of management.
○ Statement that auditors responsibility is to express an opinion.
○ Statement that the auditor is registered with the PCAOB in the U.S. and is required to be independent.
○ Statement that audit was conducted with standards of PCAOB.
○ Statement that standards require reasonable assurance to be obtained.
○ Statement that the audit included:
■ Assessing risk
■ Examining, on a test basis, evidence regarding amounts and disclosures
■ Evaluating accounting principles and significant estimates
■ Evaluating overall presentation of financials
○ Statement that the auditor believes a reasonable basis for their opinion.

● Critical Audit Matters:

○ Appears when an unqualified or qualified opinion is rendered.
○ CAMs provide more visibility into the more challenging areas of the audit.
○ To be considered a critical audit matter, ALL three criteria must be met:
1. Matter that was communicated or required to be communicated to the audit committee.
2. Relate to accounts or disclosures material to the financial statements.
3. Involve challenging, subjective, or complex auditor judgment.
○ Identification of CAMs (“IPAD”)
■ Identify each CAM in the report
■ Describe the principal considerations that led to considering it a CAM
■ Describe how the CAM was addressed
■ Refer to the relevant financial statement accounts and disclosures
○ If no CAMs were identified, auditors should still give the definition of a CAM, and state that there were no
CAMs determined.
○ CAMs are omitted when a disclaimer or adverse opinion is given.

● Other reporting structures:

○ Title - must include the title “Report on Independent Registered Public Accounting Firm”
○ Addressee - must be addressed to the shareholders and board of directors
○ Signature of the auditor’s firm

Page 10 of 350
 ○ Tenure - statement containing the year in which the auditor began serving as the auditor
○ City and State from which the report was issued
○ Report date - on or after the date sufficient appropriate audit evidence has been obtained.

● Points to Remember
○ The auditor’s opinion appears before the basic financial statements and footnote disclosures.
○ Opinion section is the first section that appears in both nonissuer and issuer reports.
○ Nonissuers
■ GAAP referenced in Opinion and Management Responsibilities sections
■ GAAS referenced in Basis for Opinion and Auditor’s Responsibilities sections
○ Issuers
■ GAAP referenced in Opinion section
■ GAAS referenced in Basis for Opinion section

● Reporting for smaller reporting companies vs larger companies

○ Unless indicated otherwise, issuers are generally large or accelerated filers.
○ Large accelerated and accelerated filers are required to have an integrated audit (two opinions).
■ Fairness of financial statements
■ Operating effectiveness of internal control
○ Smaller reporting companies (less than $100 million in annual revenue) are only required to have one
opinion.
■ Fairness of financial statements
○ Basis for Opinion section is updated to state:
■ The company is not required to have nor was asked to perform an audit over its internal controls.
■ The auditor is required to gain an understanding of internal controls, but is not stating an opinion on
them.

● Form AP (Audit Participants)

○ The auditor of an issuer must file form AP with the PCAOB for each audit issued:
■ By the 35th day after the audit report is filed with the SEC.
■ If the audit report is included with a registration statement, this form must be filed within 10 days.
○ Include details such as:
■ Name of firm
■ Name of issuer
■ Date of audit report
■ End date of financial statements
■ Name of engagement partner
■ Participation of other audit firms
○ Optional inclusions:
■ Engagement partner’s full name, and/or
■ Statements that the auditor is responsible for the audits and did their work in accordance with PCAOB
standards. In addition, the auditor should include total audit hours the other audit firm participated in.

Page 11 of 350
● Notes from MCQs
○ Consistency is implicitly stated, and will be addressed in an emphasis-of-matter paragraph if there are
inconsistency issues.

Page 12 of 350
 M5: Modified Opinions Due to Financial Statement Issues
● Modified opinion (financial statement issues)
○ The auditor is able to gather sufficient appropriate audit evidence, but finds a material misstatement.
○ Qualified = Material but NOT pervasive.
○ Adverse = Material AND pervasive.

● Financial Statement Issues

○ Not following selected framework (such as GAAP)
■ Ex) Client should have capitalized leases, but they didn’t.
■ Exception - Client departs from GAAP, but the auditor agrees with the departure because the financials
would have been misleading had GAAP been followed. An unmodified or unqualified opinion could be
given here. (Rare occurrence)
○ Inappropriate accounting principles
■ Ex) Client does not want to consolidate financials even though they control 50% of another entity.
○ Unreasonable estimates
○ Providing inadequate disclosures
■ Ex) Client is not willing to include disclosures in financial statements.
○ Incorrect numbers
■ Ex) Client purchased $10,000 of furniture on account, but only wants to recognize a $1,000 liability.
○ No reasonable justification for a change in accounting principle.
■ Ex) Client changes from FIFO to LIFO without providing a valid reason.
○ Client presents its financial position and results but omits the statement of cash flows.
■ This would result in a qualified opinion.
■ Complete set of financial statements include:
● Balance sheet

● Statement of Income (or comprehensive income)

● Statement of changes in equity

● Cash flow statement

● Disclosures (aka footnotes)

■ This would be acceptable IF the client asks for only one financial to be given an opinion on.

Page 13 of 350
 ○

● Nonissuer report changes for Qualified opinions

○ Opinion → Qualified Opinion
■ Opinion sentence adds the wording: “Except for… as described in the Basis for Qualified opinion
section…”
○ Basis for Opinion → Basis for Qualified Opinion
■ Add paragraph describing departure from framework and quantify effects (if possible) following the
opinion section.
■ Sufficient appropriate audit evidence for “qualified” opinion should be claimed.
○ All other elements are the same as unmodified.

● Nonissuer report changes for Adverse opinions

○ Opinion → Adverse Opinion
■ “Because of the significance of the matter discussed in the Basis for Adverse Opinion section of the
report….. do not present fairly….”
○ Basis for Opinion → Basis for Adverse Opinion
■ Add paragraph describing departure from framework and quantify effects (if possible) following the
opinion section.
■ Sufficient appropriate audit evidence for “adverse” opinion should be claimed.
○ Key Audit Matters section is OMITTED.
○ All other elements are the same as unmodified.

● Issuer report changes for Qualified opinions

○ No heading changes for qualified opinions.
■ Headings are consistent with unqualified opinions,
■ Headings change for disclaimer opinions (audit issues).
○ Opinion on the Financial Statements section
Page 14 of 350
 ■ “Except for… as discussed in the following paragraph…”
■ Add paragraph describing departure from framework and quantify effects (if possible).
○ All other elements are the same as unqualified.

● Issuer report changes for Adverse opinions

○ No heading changes for qualified opinions.
■ Headings are consistent with unqualified opinions,
■ Headings change for disclaimer opinions (audit issues).
○ Opinion on the Financial Statements section
■ “Because of… discussed in the following paragraph, the financial statements do not present fairly…”
■ Add paragraph describing departure from framework and quantify effects (if possible).
○ Critical Audit Matters section is OMITTED.
○ All other elements are the same as unqualified.

● Notes from MCQs

○

Page 15 of 350
 M6: Modified Opinions Due to Audit Issues
● Modified opinion (audit issues)
○ The auditor is unable to gather sufficient appropriate audit evidence.
○ Qualified = Material but NOT pervasive.
○ Disclaimer = Material AND pervasive.

● Audit Issues (scope limitations)

○ Time constraints
○ Inability to obtain sufficient appropriate evidence such as:
■ Observing inventory
■ Confirm receivables
■ Obtain audited financial statements of a consolidated investee
■ Restrictions on the use of auditing procedures
■ Inadequacy of accounting records
○ Refusal of clients attorney to respond to an inquiry

● Scenarios that result in a disclaimer of opinion:

○ Auditor is not independent
○ Unaudited financial statements
○ Refusal of management to take responsibility for the fair presentation of financials in conformity with GAAP
(may also withdraw rather than disclaim opinion).

● Causes of Audit Issues (scope limitations)

○ Circumstances beyond the control of the entity relating to the nature or timing of the auditors work.
■ Ex) a fire
■ The auditor should determine whether it is possible to perform alternative procedures.
○ Management-imposed limitations
■ Ex) management not giving evidence that was asked for, or not allowing auditors to speak to someone.
■ Auditor should ask management to remove the limitation
■ If management does not remove the limitation, communicate with those charged with governance to
see if they can remove the limitation, or determine if there are alternative procedures to perform.
■ If the possible effect from the scope limitation is both material and pervasive, either disclaim an
opinion or withdraw from the engagement.

● Unaudited Financial Statements

○ Financial statement association occurs when an accountant either:

Page 16 of 350
 ■ Consents to the use of their name in connection with the financial statements, or
■ Has prepared the financial statements, even if the accountant's name is not used.
○ When the auditor is not independent but is required to report on the financial statements, the auditor
should disclaim an opinion and should specifically state that they are not independent.
■ All reasons for lack of independence should be stated, if chosen to provide those reasons.
○ Requirements for a disclaimer on unaudited financial statements:
■ Accountant must read the financial statements for obvious errors.
■ “Unaudited” should be clearly marked on each page of the financial statements.
■ The disclaimer may accompany the unaudited financial statements, or it may be placed directly on
them.

● Nonissuer report changes for Qualified opinions

○ Opinion → Qualified Opinion
■ Opinion sentence adds the wording: “Except for the possible effects of the matter as described in the
Basis for Qualified Opinion section…”
● Do NOT refer to the scope limitations in the opinion sentence, the limitations will be addressed
in the basis section.
○ Basis for Opinion → Basis for Qualified Opinion
■ Add in a paragraph explaining the reasons for inability to obtain evidence.
■ Sufficient appropriate audit evidence for “qualified” opinion should be claimed.
○ All other elements are the same as unmodified.

● Nonissuer report changes for Disclaimer opinions

○ Opinion → Disclaimer of Opinion
■ State that auditors were only “engaged to” audit X company (company was not audited).
■ Opinion sentence is omitted as an opinion is NOT being given.
■ “Do not express an opinion… because of significance of matters described in Basis for Disclaimer of
Opinion section, not able to obtain sufficient appropriate audit evidence.”
○ Basis for Opinion → Basis for Disclaimer of Opinion
■ Add in a paragraph explaining reasons for inability to obtain evidence.
■ Removed from section:
● Referral to auditors responsibilities section.
● Sufficient appropriate audit evidence for opinion (cannot gather).
○ Auditor’s Responsibilities section
■ Removed from section:
● Reasonable assurance claim
● Identify and assess risk of material misstatement claim
● Examine on a test basis claim
● Understand internal control claim
● Evaluating policies, estimates, overall presentation, and going concern claim(s)
○ If engaged to report on Key Audit Matters, KAMs section is OMITTED.

Page 17 of 350
 ○

● Issuer report changes for Qualified opinions

○ No heading changes for qualified opinions.
■ Headings are consistent with unqualified opinions,
■ Headings change for disclaimer opinions (audit issues).
○ Opinion on the Financial Statements section
■ “Except for the effects of the adjustments, if any, … as described below”
● Focus on potential adjustments in this sentence, do not focus on scope limitations.
■ Add paragraph explaining reasons for inability to obtain evidence.
● Describe scope limitations here.
○ Basis for Opinion
■ “Except as discussed above”

● Issuer report changes for Disclaimer opinions

○ Opinion on the Financial Statements → Disclaimer of Opinion on the Financial Statements
■ State that auditors were only “engaged to” audit X company (company was not audited).
■ Opinion sentence is altered/removed.
■ “As described in the following paragraph, because… not able to obtain sufficient appropriate audit
evidence… do not express an opinion.”
■ Add paragraph explaining reasons for inability to obtain evidence.
○ Basis for Opinion → Basis for Disclaimer of Opinion
■ Only included in section:
● Management is responsible for financial statements claim.
● Registered with PCAOB and independent claim(s).
Page 18 of 350
 ○ Critical Audit Matters section is OMITTED.
○

● Summary of each report changes (nonissuer vs issuer; misstatement vs scope limitation)

Page 19 of 350
○

Page 20 of 350
 ○

● Notes from MCQs

○

M7: Emphasis-of-Matter, Other-Matter, and Explanatory Paragraphs

Emphasis-of-Matter Paragraphs
● Definition
○ Used when referring to a matter that is appropriately presented or disclosed in the financial statements
and is fundamental to the users’ understanding of the financials.
○ For a nonissuer (private company), this paragraph is included in the report when required by GAAS, or at
the auditor’s discretion.
● Reporting Requirements
○ Use the heading “Emphasis-of-Matter” or other appropriate heading.
■ Required to use “Emphasis-of-Matter” if KAMs are reported on.
○ Describe the matter being emphasized and the location of the relevant disclosures from the financials.
■ Ex) As discussed in note 5…. there was a fire in ABC company…
○ Indicate that the auditor’s opinion is not modified with respect to the matter.
● Required Uses (“CAP”)
○ Consistency (Lack of)
■ To describe a justified change in accounting principle with material effects.
■ To describe a change in reporting entity that results in financial statements, in effect, that are of a
different entity.
○ Audit opinion change
■ Subsequently discovered facts lead to a change in an audit opinion.

Page 21 of 350
 ○ Purpose - special purpose frameworks
■ The financial statements are prepared with a special purpose framework.
● Optional Uses
○ The extent to which the group engagement team is involved in the work of the component auditor.
○ The uncertainty related to the outcome of unusually important litigation or regulatory action.
■ Typically, uncertainties that are properly accounted for are NOT added as paragraphs, however if the
uncertainty is “unusually important,” then an emphasis-of-matter may be added.
○ A major catastrophe having significant effects on the financial position.
○ Significant related party transactions.
○ Unusually important subsequent events.
○ Conditions raising substantial doubt as a going concern exist but have been alleviated by plans and
disclosed.
● Not appropriate for use to describe any matter already identified as a key audit matter.

Other-Matter Paragraphs
● Definition
○ Used when referring to matters other than those that are presented or disclosed in the financials.
○ Matters are relevant to:
■ Users’ understanding of the audit
■ Auditor’s responsibilities
■ Audit report
○ Included in the auditor’s report when required by GAAS or at the auditor’s discretion.
● Reporting Requirements
○ An “other-matter” or other appropriate heading is used.
● Required Uses
○ Restrict Use
■ Alert in audit that restricts use for certain individuals.
■ Ex)
● Report on compliance included in the auditor's report on the financial statements.

● Financial statements prepared using contractual or regulatory basis of accounting (except when
intended for general use).
○ Subsequently discovered facts that lead to a change in opinion
○ Comparative financial statements and:
■ Prior period financials were audited by another firm and the audit report is not reissued.
■ Current period financials are presented in comparative form with prior period financials that were
compiled or reviewed, or in comparative form with prior period financials that were not reviewed.
● Not appropriate for use to describe any matter already identified as a key audit matter.

Page 22 of 350
●

Explanatory Paragraphs
● Definition
○ Used for Issuers (public companies).
○ Used to explain certain matters without modifying the opinion.
○ Included in the report when required by PCAOB auditing standards or at the auditor’s discretion.
● Reporting Requirements
○ Use an appropriate heading.
○ Describe the matter being emphasized and the location of relevant disclosures about the matter in the
financial statements.
○ The location of the explanatory paragraph will generally follow the opinion paragraph in an unqualified
report.

Page 23 of 350
●

General Notes
● Lack of Consistency
○ Unless explicitly stated otherwise, the auditor’s report implies that the financial statements are comparable
between periods (consistency).
○ Standard report does not explicitly state consistency, it’s implied.
○ Unless the auditor adds an emphasis-of-matter or explanatory paragraph, the user can assume consistency
(no changes in accounting principles or adjustments to correct material misstatements from prior periods).
○ Examples:
■ Use FIFO in Year 2 and Year 1 → Do not mention that years are consistent (it’s implied in the report).
■ Adopt a new accounting principle in the current year → If justified, add emphasis-of-matter (nonissuer)
or explanatory paragraph (issuer).
● Lack of Consistency (cont’d)
○ When evaluating the acceptability of an accounting change, auditors should consider:
1. The newly adopted principle is in accordance with the applicable reporting framework.
2. The method of accounting for the change is acceptable.
3. The disclosures related to the change are appropriate and adequate.
4. The entity has justified that the new principle is preferable.
○ Auditor is satisfied → Emphasis-of-matter (or explanatory) paragraph should be added.
○ Auditor is unsatisfied → If change results in material misstatement, opinion may need to be modified.
● Examples of Circumstances that Affect Consistency
○ The following situations require an emphasis-of-matter or explanatory paragraph.
○ A change in accounting estimate that is inseparable from a change in principle.
■ Ex) A change in depreciation method.
○ Corrections of an error in accounting principle.
Page 24 of 350
 ■ Ex) Changing from cash method (non-GAAP) to the accrual method (GAAP).
○ Correction of a material misstatement in previously issued financial statements.
○ A change in reporting entity that results in financial statements that are, in effect, those of a different
reporting entity.
○ If an entity’s financial statements include a significant investment accounted for using the equity method,
the auditor’s evaluation of consistency should include consideration of the investee.
■ If the investee makes a change in accounting principle that is material to the investing entity, that
change should be described in an emphasis-of-matter or explanatory paragraph.
● Effects of an Acceptable Change on the Auditor’s Report
○ Immaterial → No revision to the report is necessary.
○ Material → Add emphasis-of-matter or explanatory paragraph.
○ This paragraph should:
■ Describe the change in principle and reference the entity’s disclosure.
■ Be included in the auditor’s report in the period of change in principle and all subsequent periods until
the new principle is applied to all periods presented.

● Notes from MCQs

○

M8: Reporting With Different Opinions and Other Auditors

● Comparative financial statements are financial statements that present more than one year.
○ Audit reports indicate when comparative financial statements are present.
○ “as of December 31, 20X1 and 20X0…”
○ Therefore, only this phrase as well as the date of the auditor's report can be changed from year to year.

● Reporting with different opinions

○ Auditors must let users know what happened in all financial statement years presented.
○ You cannot simply ignore a prior period if it's presented.
○ The auditor’s opinion may differ with respect to different periods.
■ Ex) Prior year may be unmodified while current year is qualified.
○ Complete financial statements as well as individual financial statements may have differing opinions, even
within the same year.
■ 20X2 complete financial statements = Unmodified.
■ 20X1 Balance sheet = Unmodified.
■ 20X1 Income statement, changes in stockholders' equity, and cash flows = Disclaimer.
○ Example as to why a balance sheet may be unmodified while the other statements are disclaimers:
■ Auditor was engaged after the beginning of the year and last year is unaudited.
■ In essence, the auditor is facing a scope limitation as the beginning balances may not be discernible.
■ For instance, if the auditor cannot count beginning inventory, then COGS may be unobtainable.
■ This example would be relevant for “period of time” financials, such as those that got disclaimers.
■ “Point in time” financials, such as the balance sheet, are up to date at that point in time.

Page 25 of 350
● Updating (changing) prior opinions
○ If a modified opinion is given in Year 1, but changes are made to fix the issue in Year 2, the auditor should
update their opinion to unmodified (unqualified) for Year 1 and
○ Add an emphasis-of-matter or other-matter or explanatory paragraph to the audit report.

● Updating (changing) opinion format (only “DORCS” change their mind) (disclose these in paragraph)
○ Date of the auditor’s previous report
○ Opinion type previously issued
○ Reason for the prior opinion
○ Changes that have occurred
○ Statement that the ”opinion… is different”

● Reporting with Predecessor Auditors

○ When prior year financials were audited by another auditor, two situations can occur:
1. Prior auditor’s report is presented
2. Prior auditor’s report is not presented.

○ Report of predecessor auditor presented

■ Prior year’s auditor’s report is reissued.
■ In doing this, previous auditor should:
● Read the statements for the current period.

● Compare the audited statements with the current period statements.

● Obtain a letter from the current auditor asking if they had discovered any changes that would
have material effects on the prior periods financial statements (Letter of Representation).
● Obtain a letter from management asking if there are any previous management representations
that have changed or whether any subsequent events occurred that require disclosure for the
prior period financial statements (Letter of Representation).
■ After determining whether previous financial statements are still appropriate as issued, the
predecessor auditor should date the report as appropriate:
● Unrevised → Use original report date when reissuing previous report.

● Revised → Dual date is used in the event that the predecessor auditor revises the report.

○ Report of predecessor auditor is NOT reissued

■ When the current auditor does not present the predecessor auditors report, the current auditor should
express an opinion on the current period financials only and indicate in an other-matter or explanatory
paragraph:
● That the financial statements of the prior period were audited by the predecessor auditor.

Page 26 of 350
 ● The type of opinion expressed by the predecessor auditor, and the reason for any modifications to
the opinion, if applicable.
● The nature of any emphasis-of-matter, other-matter, or explanatory paragraph included in the
predecessor’s report.
● The date of the predecessor auditor’s report.

○ Prior period financial statements reviewed or compiled

■ When the current period financial statements were reviewed or compiled and the report of the prior
period is not reissued, an other-matter or explanatory paragraph should be added and include:
● The service (review or compilation) performed in the prior period

● The date of the prior period report

● A description of any material modifications described in the report

● A statement that the service was less in scope than an audit and does not provide the basis for
expressing an opinion (review).
● A statement that no opinion or other form of assurance is expressed (compilation).

● Other reporting considerations

○ If the prior period financial statements were not audited, reviewed, or compiled, the auditor should include
an other-matter or explanatory paragraph stating that the auditor did not audit, review, or compile the
prior period statements and that the auditor assumes no responsibility for them.
○ When unaudited financial statements are presented with audited financial statements in comparative
form, the unaudited financials should be clearly marked as “unaudited.”
○ If unaudited financials are presented in comparative form with audited financials in documents filed with
the SEC, such statements should be marked “unaudited,” but should not be referred to in the auditor's
report.

● Reporting on Audits of Group Financial Statements

○ Definitions
■ Group Engagement Partner (AICPA) or Principal Auditor (PCAOB) → the partner or other person who is
responsible for the engagement and auditor’s report.
■ Group Financial Statements → financial statements from all components included (i.e. subsidiaries).
■ Group Engagement Team → includes the engagement partner, other partners, and staff who establish
audit strategy, communicate with component auditors, perform work, etc.
■ Component → an entity of business activity that prepares financial information included in the group
financial statements (such as a subsidiary)
■ Component Auditor → an auditor who performs work on the financial information of a component that
will be used as evidence in the group audit.

Page 27 of 350
 ● An auditor may elect to audit the entire consolidated financial statements and choose NOT to hire
another auditor to audit the components.
■

○ Component Auditor
■ Group engagement team must understand the following for each component auditor:
● Whether they are independent and will comply with all relevant ethical requirements;

● Their professional competence; and

● Their reputation
■ If the component auditor is not independent or the group engagement team has serious concerns
about any of the matters listed above, the group engagement team should NOT use the work on the
component auditor or make reference to the component auditor in the auditor’s report.

○ The group engagement team will determine:

■ The extent to which the engagement team will be involved in the work of the component auditor.
■ Components that are significant or insignificant.
● Significant = will need to be audited.

● Insignificant = analytical procedures only.

■ The group auditor mainly focuses on the components that can impact the consolidated financial
statements, as that is where most of the auditor’s effort is spent.

○ When the group engagement team relies on the work on a component auditor, there are two options:
1. Group engagement team takes full responsibility for the audit of the component.
● Do not reference the component auditor.
2. Group engagement team and component audit divide responsibility.

Page 28 of 350
 ● Reference the component auditor.

○ Option 1: Assume full responsibility

■ No reference to the component auditor should be made in the auditor’s report.
■ Treat component auditor like staff when assuming responsibility.
■ In this case, group engagement team is responsible for:
● Determining the type of work to be performed on the financial information of the components.

● Reviewing component auditors work.

○ Option 2: Divide responsibility
■ Reference the component auditor in the auditor’s report.
■ In this situation, the group engagement team is not assuming responsibility for the component
auditor’s work.
■ The component auditor will provide their audit report to the group.
● Component auditor must follow GAAS, and PCAOB AS if required, report should be unrestricted.
■ Group engagement partner will determine the appropriate opinion based on the group engagement
audit and the audit report given by the component auditor.
■ Even when responsibility is divided, component auditors' independence, ethics, and reputation should
still be evaluated.
○ Referencing the component auditors
■ Nonissuers → reference only occurs in the Opinion section.
■ Issuers → reference occurs in both the Opinion and Basis for Opinion sections.
■ Magnitude of the portion of the financial statements audited by the component auditor should be
given in the opinion sections.
● Ex) “...statements reflect total assets and revenues constituting 20 percent and 22 percent…”
■ Typically, component auditors are only referred to as “other auditors” when they are referenced.

● Notes from MCQs

○

M9: Subsequent Events

● A subsequent event is an event or transaction that occurs after the balance sheet date but before the financial
statements are issued or available to be issued.
○ Balance sheet date → December 31, 20X1
○ Issued financial statements → February 15, 20X2
○ Subsequent events are the events that occur between December 31 and February 15.
● Two categories of subsequent events:
1. Recognized subsequent event
2. Nonrecognized subsequent event
○ Management needs to figure out which category the event falls under.
○ This is based on when the underlying event occurred.

Page 29 of 350
● Recognized subsequent event
○ Events that provide additional information about conditions that existed at the balance sheet date.
○ Underlying event existed at or before the balance sheet date.
○ Adjust records and disclosure required.
○ These events will often relate to estimated accounts.
○ Adjusting and disclosing these events ensures financial statements are best represented for the period.
○ Example scenario (litigation):
■ The company is already facing litigation on or before December 31.
■ The original amount recorded was $150,000 (probable and estimable loss).
■ On February 5, the company settled the litigation for $200,000.
■ Therefore, the litigation recorded will be adjusted and disclosed to show the true amount.
■ The financial statements issued on February 15 will now reflect this event.
○ Example scenario (uncollectible receivables):
■ A customer notifies your company that the customer is going bankrupt on January 15.
■ Because the company already had receivables/uncollectibles recorded before December 15, this is a
recognized subsequent event.
■ The financials will be updated and the event will be disclosed for the February 15 issuance.

● Nonrecognized subsequent event

○ Events that provide information about conditions that occurred after the balance sheet date.
○ Underlying event occurred after the balance sheet date.
○ Disclosure only (NO adjustments).
○ Examples:
■ Sale of capital stock
■ Business combination
■ Settlement of litigation that arose AFTER the balance sheet date
■ Natural disaster that resulted in loss of building or inventory
○ Example scenario:
■ Balance sheet date → December 31, 20X1
■ Fire occurs → January 5, 20X2
■ This event occurred after the balance sheet date, so only disclosure should be considered for Feb. 15
issuance.

● Management's Responsibility for Subsequent Events

○ Subsequent events should be evaluated through either:
■ The date the financial statements are issued or widely distributed (issuers).
■ The date the financial statements are available to be issued or in a form and format that complies with
GAAP and all approvals for issuance have been obtained (nonissuers).
○ When an entity reissues or revises financial statements, the entity generally should NOT recognize
subsequent events that occurred between the date the financial statements were issued or available to be
issued.

Page 30 of 350
● Auditor’s Responsibility for Subsequent Events
○ Understand and evaluate subsequent events (“PRIME”)
■ Post Balance Sheet Transactions
● Changes in stock or long-term debt after year end.
■ Representation Letter → obtain a letter from management asking if any events occurred during the
subsequent event period that requires adjustment or disclosure.
■ Inquiry → inquire the client’s legal counsel and management about whether any subsequent events
have occurred.
● Status of litigation, new commitments, unusual transactions, etc.
■ Minutes → obtain and review the minutes of stockholders, directors, and other committee meetings
during the subsequent period.
■ Examine → examine the most recent interim financial statements and compare them with financials
under audit.

○ The auditor has an active responsibility to evaluate subsequent events during the period between the date
of the financial statements and the date of the auditor’s report.
■ Balance sheet date → December 31, 20X1
■ Auditor’s report date → February 10, 20X2
■ Auditor is responsible for subsequent event evaluation from December 31 until February 10.
● PRIME procedures through this date.
○ Auditor responsibility AFTER the original auditor’s report date occurs if:
■ Auditor’s report is included in an exempt offering document and the auditor is involved.
● Date extended through the distribution, circulation, or submission of the document.
■ Auditor’s report is included in a registration statement.
● Date extended through the date of or shortly before the date of the registration statement.

● Auditor Action - After Report Issuance

○ If more material information becomes available after an auditor report has been issued, the auditor will
indeed to:
■ Investigate if the information is reliable.
■ If it existed at the report date and would have affected the auditor’s report.
○ Key terms to look for when an auditor needs to investigate after report date:
■ “Information existed at the report date” or
■ “New information that existed for the year under audit”
○ Auditor is not responsible for information that did not exist at the report date.
■ Ex) litigation that settles after the report date.
○ If the auditor determines that this information is something the auditor should have known about when
the report was issued, the auditor should:
■ Determine if there are individuals relying on, or likely to rely on, the financial statements.

Page 31 of 350
 ■ Discuss the matter with management or those charged with governance.
■ Advise the client to immediately disclose the new information and its impact on the financials.
■ Disclosure can be done by:
● Advising the client to reissue revised financial statements along with a new audit report, and
describe reasons for revision;
● Advising the client to make necessary disclosures and revision to any financials; or

● If effect cannot be determined on a timely basis, provide notification that the financials and
auditor’s report should not be relied upon.
○ If adjustments or disclosures are made by the client after the original auditor’s report date, the auditor will
need to perform additional procedures.
■ As a result, the auditor may either:
■

○ If a client refuses to take action to address materially affected information, the auditor should notify each
member of the board of directors.
○ If even the board of directors does not take action, perform the following (“DAR them to fix it”):
■ Disassociate → notify the client that the auditor’s report must no longer be used for their financials.
■ Alert agencies → notify any applicable regulatory agencies that the auditor’s report should no longer be
relied on.
■ Relying parties → notify persons known to or likely to be relying on the financials that the auditor’s
report should no longer be relied upon.

● Notes from MCQs

○

Page 32 of 350
 M10: Other Information and Supplementary Information
Other Information
● Definition
○ Financial or nonfinancial information (other than the statements and the auditor’s report) included in the
annual report.
○ Not required by a standard setter.
● Examples of other information include:
○ A report by management or those charged with governance
○ Financial summaries or highlights
○ Employment data
○ Financial raptors
○ Selected quarterly data
● Other information does NOT include:
○ Press releases or cover letters accompanying the document containing the audited financial statements
and auditor’s report.
○ Information contained in analyst briefings.
○ Information contained on the entity's website.
● Auditor’s responsibilities for other information:
○ Read the other information.
○ Consider any material inconsistencies between the other information and the audited financial statements.
■ If other information shows $20mill in revenue, but audited financials show $5mill, there are issues.
■ In this scenario, determine if the financials or other information needs to be revised.
■ Auditor should request management to correct the material inconsistency.
● Material inconsistencies: Auditor’s action
○ Upon identification of material inconsistencies between the audited financial statements and the other
information, the auditors actions depends on what information requires revision:
■ Audited financials need to be revised, but management refuses → auditor should modify opinion.
■ Other information needs to be revised, but management refuses → communicate to those charged
with governance and:
● Consider the implications for the auditor’s report;

● Withhold the use of the report; or

● Withdraw from the engagement and consult with legal counsel.

● Material misstatement of fact: Auditor’s action
○ Other information may include a misstatement that is unrelated to the financial statement data.
■ Ex) Other information states a company introduced two new products, when this isn't true.
○ If the auditor becomes aware of a material misstatement of fact, do the following:
■ Discuss the matter with management
■ If management refuses to take corrective action, request that management consult with legal counsel.
■ If after consultation with the third party, and the auditor still believes there is a misstatement, notify
those charged with governance.

Page 33 of 350
 ○ Because opinions relate to the fairness of the basic financial statements, companies may still get
unmodified/unqualified opinions even if there are material misstatements of fact in other information.
● Reporting other information
○ Nonissuer → Report in a separate section (location not specified).
○ Issuer → Required when issues with information reported (typically located after opinion paragraph).
■ Not required to include an explanatory paragraph when other information is included in a document
with the auditor’s report.
■ However, the auditor may choose to include an explanatory paragraph within the auditor’s report
disclaiming an opinion on the other information.
○ Heading should be “Other Information [Included in the Annual Report]”
○ Auditor’s responsibilities over other information should be stated in the paragraph.

Supplementary Information
● Definition
○ Information presented outside of the basic financial statements that may be presented in a document
containing the audited financial statements or separate from the financial statements.
○ An auditor may be engaged to provide an opinion on this type of information.
○ The auditor is not providing an opinion on information unrelated to the financial statements.
○ The auditor has two objectives:
1. To evaluate the presentation of the supplementary information as a whole.
2. To provide an opinion on whether the supplementary information is fairly stated in all material
respects in relation to the financial statements.
● Audit procedures
○ The auditor should perform the following using the same materiality level used for financial audit:
■ Inquire management regarding the purpose of supplementary information and its preparation.
■ Obtain an understanding of the methods used and changes of methods.
■ Inquire regarding any significant assumptions.
■ Compare and reconcile the information to the audited financial statements and underlying accounting
records.
■ Evaluate completeness and appropriateness.
■ Determine whether the form and content complies with applicable criteria.
■ Obtain written representations from management regarding the information.

● Reporting for Nonissuers

○ May be presented in either a:
■ Separate section in the auditor’s report with the heading “Supplementary Information” OR
■ Separate report
○ Regardless of method of reporting, the supplementary information paragraph should include:
■ Identify supplemental information;
■ Describe procedures performed; and
■ Provide the opinion.
○ If a material misstatement is present, and management refuses to revise the supplementary information:
■ Modify the opinion on the information (qualified or adverse) and describe the misstatement.
Page 34 of 350
 ■ If a separate report is being issued, withhold the report.
○ Effects of Modifications to the Audit Report on the FInancial Statements:

● Reporting for Issuers

○ Unless prescribed by regulatory requirements, supplementary information may be presented in either a:
■ Explanatory paragraph in the auditor’s report on the financial statements, OR
■ Separate report
○ Regardless of method of reporting, the supplementary information paragraph should include:
■ Identify supplemental information;
■ Describe procedures performed; and
■ Provide the opinion.
○ If a material misstatement is present, the auditor should:
■ Describe the misstatement in the auditor’s report on the supplemental information; and
■ Express a qualified or adverse opinion on the supplemental information.
○ Effects of Modifications to the Audit Report on the FInancial Statements:

Required Supplementary Information

● Definition
○ Information that a designated account standard setter (e.g., GASB, SEC) requires to accompany the basic
financial statements.
○ Generally, the opinion on the basic financial statements does NOT cover the required supplementary
information.
○ The auditor’s responsibility for required supplementary information is to perform limited procedures on
the information.
Page 35 of 350
● Nonissuers
○ The auditor of a nonissuer should add a separate section to the auditor’s report with the heading “Required
Supplementary Information” to explain the following, as applicable:
■ No issues → The required supplementary information is included, and the auditor has applied the
required procedures.
■ Issues:
● All or some of the required supplementary information is omitted;

● Some required supplementary information is missing and some is presented;

● The auditor has identified material departures from the guidelines;

● The auditor is not able to complete the required procedures or there are unresolved doubts;
■ The separate section should state that the required supplementary information is the responsibility of
management, and the auditor does NOT express an opinion on such information.
○ For nonissuers, whenever required supplementary information is required to be presented, a separate
section is added to the audit report, regardless of whether there are issues or not with the information.

● Issuers
○ PCAOB standards do not require the auditor to add an explanatory paragraph to the audited financial
statements or refer to the required supplementary information unless one of the following is applicable:
■ The required information is omitted;
■ There are material departures from the guidelines;
■ The auditor is unable to complete prescribed procedures;
■ There are unresolved doubts about conformance of required supplementary information.
○ Essentially, there needs to be an issue with the required supplementary information.

Multiple-Choice Tips

Page 36 of 350
● Notes from MCQs
○

M11: Special Purpose Frameworks

● Auditors evaluate financial statements based on the framework selected by management, such as GAAP.
● Nonissuers can prepare their financial statements using special purpose frameworks.
● Special purpose frameworks are financial reporting frameworks other than GAAP, such as the following:
○ Cash Basis → Used to record cash receipts and disbursements
○ Tax Basis → Used to file income tax returns
○ Regulatory Basis → Used to comply with the requirements of regulatory agencies in certain jurisdictions
○ Contractual Basis → Used to comply with an agreement between an entity and third party
○ Other Basis → Used to define a set of logical, reasonable criteria that is applied to material items
●

○ Description of purpose → goes in the management’s responsibilities section.

● Differences from standard auditor’s reports

○ Non-GAAP financial statement titles should be used for special purpose frameworks.
■ Instead of “Balance Sheet” → “Balance Sheet-Cash Basis”
■ Instead of “Income Statement” → “Statement of Income-Regulatory Basis”
■ Etc…
○ When management has a choice of financial reporting framework, the management's responsibility section
should make reference to its responsibility for determining the framework as acceptable.

○ If required, the report should include an emphasis-of-matter paragraph that:

■ Indicates that the financial statements were prepared in accordance with the applicable framework.
Page 37 of 350
 ■ Refers to the note in the financial statements that describes the framework.
■ States that the framework is a basis of accounting other than GAAP.
■ States that the financial statements may not be suitable for any purpose other than the stated purpose
(when the purpose is required to be described).

○ If required, the report should include an other-matter paragraph that restricts the use:
■ “Our report is intended solely for the use of the board of directors and management…”
■ “... should not be used by anyone other than these specific parties…”

○ If the auditor is required by law or regulation to use a specific layout, form, or wording, the auditor’s report
should only refer to GAAS if the report includes all the minimum report requirements of GAAS.
■ If the layout, form, or wording is not acceptable, the auditor should reword the form or attach a
correctly worded separate report.

○ Examples of all these differences are given in the lecture/textbook.

● Notes from MCQs

○ Special purpose frameworks may also be known as “other comprehensive basis of accounting (OCBOA)”.
○ Financial statements prepared under a special framework with unacceptable statement titles will require a
qualified opinion with a basis for modification paragraph.

A2 – Engagement Quality and Acceptance, Planning, and Internal Control

M1: Engagement Acceptance and Terms
● Management
○ Represents the individual or group of individuals that are responsible for the conduct of the entity’s
operations.
● Those Charged with Governance
○ Refers to those who bear responsibility to oversee the obligations and strategic direction of an entity,
including the financial reporting process.
○ On the exam, this often refers to the “board of directors” or the “audit committee”
○ However it may also refer to:
■ Members of the entity’s legal structure, such as company directors.
■ External parties, such as government agencies.

● Purpose of the Audit Committee

○ Made up of three to five “outside directors” (not employees of the company) OR
○ Directors that are not employees and have no material financial interest in the company.
○ The use of an audit committee tends to strengthen the public’s trust in the independence of the auditor.

Page 38 of 350
● Functions of the Audit Committee
○ The main function of the audit committee is to enhance internal control by creating direct communication
between the “outside directors” (audit committee) and the auditor.
○ The audit committee typically:
■ Selects and appoints the auditor and sets the audit fee.
■ Assures the auditor is independent.
■ Reviews the nature, details, and scope of the audit engagement.
■ Reviews the quality of the auditors work.
■ Ensures recommendations made by the auditor are given attention.
■ Maintains lines of communication between the auditors and the board of directors.
■ Helps to resolve disputes between management and auditors in regards to accounting treatments.
■ Evaluates the internal control environment, along with the auditor.
■ Makes reports to the board and the stockholders, when necessary.

● Communication with the Audit Committee

○ Auditors should have appropriate access to the audit committee periodically.
○ Auditors should meet with the audit committee without management present at least once per year.

● Timing of Auditor Appointment

○ Although early appointment of an auditor allows the auditor to plan a more efficient auditor, an auditor is
permitted to accept an engagement near or after year-end.
○ The auditors should consider whether late appointment will post limitations, such as:
■ A qualified opinion or disclaimer of opinion; and
■ Discussion of such concerns with the client.

● Client Acceptance and Continuance

○ Before acceptance, the auditor should assess the following:
■ The firm’s ability to meet reporting deadlines
■ The firm’s ability to staff the engagement with personnel
■ The firm’s independence from the client
■ The integrity of the client’s management
■ Whether the group engagement team will be able to obtain sufficient appropriate audit evidence

● Preconditions for an Audit

○ Auditors should determine whether the financial reporting framework used is acceptable.
○ Auditor should obtain agreement from management regarding their responsibilities for:
■ The preparation of the financial statements; and
■ The design, implementation, and maintenance of internal controls.
■ Providing the auditor with access to ALL information relevant to the financial statements and
unrestricted access to all persons necessary to obtain evidence.
○ The auditor should not accept an engagement if management or those charged with governance impose a
scope limitation.
■ Ex) lack of accounting records.
Page 39 of 350
 ■ If the entity is required by law or regulation to have an audit, a disclaimer of opinion is acceptable, and
the auditor is permitted to accept the engagement, but not required.
■ If a management-imposed scope limitation will result in a qualified opinion, or if the limitation is
beyond management's control (such as a fire destroyed documents), the auditor can accept the client.

● Engagement Letter (example given in lecture/textbook)

○ The auditor and those charged with governance should agree to the terms of the engagement in writing.
○ The letter should be signed and dated by the client and included in the auditor’s documentation.
○ The letter should include the following elements:
■ Addressee
■ Objective and Scope of the Audit
■ Responsibility of the Auditor
■ Responsibility of Management
■ Other relevant information (optional)
● Timing of the audit

● Arrangements with the prior auditor

● Expectations that management will provide the representation letter

● Agreement of management to make all relevant information available in a timely manner

● Use of specialists or internal auditors

■ Reporting
■ Signature
○ MCQ Tips
■ Engagement letter may include some information related to overall audit strategy.
● Ex) Timing of testing or Involvement of specialist of testing
■ Engagement letter does NOT typically include information about specific audit procedures.
● Ex) Performing analytical procedures or Sending out confirmations

● ERISA Plan Financial Statements Audit

○ Audits over items such as 401(k) plans, retirement plans, etc.
○ Apply all SAS, except those that don’t apply + SAS: Forming an Opinion and Reporting on Financial
Statements of Employee Benefit Plans Subject to ERISA

● ERISA Audits - Management Responsibilities

○ Auditor should obtain the agreement from management that they are responsible for:
■ Maintaining a current plan instrument, including all plan amendments.
■ Administering the plan and determining that the plan’s transactions are in conformity with the plans
provisions, including records with respect to each participant to determine benefits due/become due.
○ ERISA Section 103(a)(3)(C) audit, determine whether:

Page 40 of 350
 ■ This type of audit is permissible under the circumstances;
■ The investment information is prepared and certified by a qualified institution;
■ The certification meets the requirements of the Department of Labor’s rules and regulations; and
■ The certified investment information is appropriately measured, presented, and disclosed in
accordance with the applicable framework.

● ERISA Audits - Auditor Responsibilities

○ Auditor should obtain agreement with management or those with governance to:
■ Provide the auditor, prior to the dating of the auditor’s report, a draft of Form 5500 that is substantially
complete, including:
● The certification meets the requirements of the Department of Labor’s rules and regulations; and

● The forms and schedules that should have a material effect, both qualitative and quantitative, on
the information in the financials and ERISA-required supplemental schedules.
○ When management elects to have an ERISA Section 103(a)(3)(C) audit, auditors should:
■ Inquire management about how management determined that the entity preparing and certifying the
information is a qualified institution.
○ Previous audit standards required an auditor to issue a disclaimer when limited-scoped.
○ Under SAS 136, limited-scope audits will now be referred to as “ERISA Section 103(a)(3)(C)” and are no
longer considered a scope limitation, but rather permits the auditor to issue a form of unmodified opinion.
○ When the auditor’s report on ERISA plan financial statements, whether management elects to have a
Section 103(a)(3)(C) audit or not, and the opinion is adverse or disclaimer, the auditor cannot express an
opinion on the supplemental schedules.
■ When permitted by law or regulation, the auditor may withdraw from the engagement to report on the
ERISA-required supplemental schedules.
■ If the auditor does not withdraw, the audit report should be modified accordingly.
■ (Reporting on ERISA audits is a less likely test area)

● Recurring Auditors
○ Issuers → Auditors must agree to the terms of the audit with the audit committee in an engagement letter.
■ Letter should be provided annually.
○ Nonissuers → If no revision is necessary, auditors should remind management of the terms.
■ If there are changes to the terms, the auditor should obtain a signed engagement letter.

● Initial Audits
○ An engagement in which the financial statements from the prior period were either unaudited or audited
by another audit firm.
○ Before acceptance:
■ Auditor must obtain the potential client’s permission to make inquiries with the predecessor auditor.
■ If permission is not given, the auditor should consider why and whether to accept the engagement.
○ Questions to ask the predecessor auditor: (Exam favorite area, know these)
■ Management integrity;
■ Disagreements with management;
Page 41 of 350
 ■ Reasons for the change in auditor;
■ Any fraud, noncompliance, and internal control matters related communications; and
■ Nature of entity’s relationships and transactions with related parties and significant unusual
transactions.

● Change in Engagement
○ Occurs when a client wants to change from an audit to a review or compilation.
■ Review → require less procedures than an audit.
■ Compilation → require less procedures than a review.
○ Auditor’s concern may be “is the client trying to hide something?”
○ Before agreeing to the change, auditor’s should consider:
■ Effort required to complete the engagement (is the audit already almost complete?);
■ The estimated additional cost to complete the engagement; and
■ The reason for the request, especially when scope limitations are present.
○ Acceptable reasons for a change include:
■ Changes in client requirements (the bank loaning to client no longer requires an audit); or
■ Misunderstanding as to the nature of the service to be rendered.
○ If the reason for change is justified, the auditor must comply with the standards for a compilation or review
and issue the appropriate report.
○ The report should not refer to the original engagement, procedures performed, or any scope limitation.
○ Unacceptable reasons for change include:
■ The engagement would uncover errors or fraud; or
■ The client is attempting to create misleading or deceptive financial statements.
■ The client refused to allow correspondence with legal counsel (scope-related)
■ The client refuses to provide a signed representation letter (scope-related)

● Notes from MCQs

○ A review of the predecessor auditor’s working papers (audit documentation) is appropriate and customary
to facilitate the auditor’s work (it can help navigate the current period).
○ Those charged with governance do not choose the procedures done in an audit, that is up to the auditors.
○ Inquiry of the predecessor auditor is a required pre-acceptance procedure (must get consent from client).
○ If a predecessor auditor refuses to give the new auditor access to documentation, the new auditor should
review the risk assessment of the opening balances of the financial statements.

Page 42 of 350
 M2: Engagement Quality
● Statements on Quality Control Standards
○ AICPA Code of Professional Conduct requires firms providing audits, attestation, and reviews to adopt a
system of quality control.
○ Statements on Quality Control Standards are issued by the Auditing Standards Board to provide guidance.
○ Adopting a system of quality helps ensure policies and procedures are designed and implemented to
ensure:
■ Firm complies with professional standards (such as GAAS).
■ Firm complies with legal and regulatory requirements
■ Any report issued is appropriate.

● Elements of Audit and Assurance Engagement Quality (“HELPME”)

○ Human Resources
■ Recruitment and Hiring → ensure appropriate capabilities and competency
■ Assign personnel to engagement → consider continuity and period rotation of personnel
■ Professional development → on-the-job training and continuing education
■ Performance evaluation, compensating, and advancement (promotions)
○ Engagement/Client Acceptance and Continuance
■ Policies should be in place to provide the firm with reasonable assurance that:
● There is minimal likelihood of association with a client whose management lacks integrity.

● The firm can reasonably expect to finish the engagementment.

● The firm can comply with all legal and ethical requirements, such as independence.
○ Leadership Responsibilities
■ Firm leadership bears the ultimate responsibility for the firm’s quality control system.
■ Leadership should establish a tone at the top that emphasizes quality.
○ Performance of the Engagement
■ Ensure proper supervision and work is appropriately reviewed.
■ Maintain confidentiality, safe custody, accessibility, retrievability, retention of engagement documents.
■ Allows consultation with experts.
■ Provides a means to resolve differences in opinion.
■ Firms may develop and use standard audit forms/checklists/questionnaires.
○ Monitoring
■ Helps provide reasonable assurance that the quality system is relevant, adequate, operating effectively,
and complied with in practice.
■ Involves ongoing evaluation of the design and effectiveness of the quality control system.
■ Should be performed by qualified individuals and a partner should bear ultimate responsibility.
■ “Wrap-up” or a second partner review who is not involved in the audit can do this review.
● Issuer → Required

● Nonissuer → Not required

Page 43 of 350
 ■ Peer review conducted under AICPA Standards
● Required every 3 years
○ Ethical Requirements
■ Helps maintain public confidence by providing reasonable assurance, such as independence:
● At least annually, all firm staff should confirm independence in writing (paper or electronic form)

● Performance of professional responsibilities with integrity and objectivity.

● Quality Control Policies and Procedures

○ The nature and extent of a firm’s quality control policies and procedures depends on:
■ Size of firm;
■ Organization structure of firm;
■ Nature and complexity of firm’s practices;
■ Degree of operating autonomy allowed its personnel and its individual offices; and
■ Cost-benefit consideration.
○ Quality Control Standards vs. GAAS
■

■ Failed or inadequate quality control system does NOT = Lack of compliance with GAAS.
● Ex) you can fail to have a peer review (failed monitoring), but still meet GAAS standards.

● Reviewing the Work of Others

○ All work performed on the audit should be reviewed by members of the engagement team senior to those
who performed the work.
○ A review consists of whether:
■ The work has been formed in accordance with standards and laws/regulations.
■ Significant findings require further consideration.
■ Appropriate consultations have taken place and been documented.
■ The nature, timing, and extent of work is appropriate.
■ The work performed supports the conclusions and is appropriately documented.
■ Evidence obtained is sufficient and appropriate to support conclusions.

Page 44 of 350
 ■ Objectives of the engagement have been achieved.
○ Audit documentation should include:
■ Who performed the work and the date it was completed.
■ Who reviewed the audit documentation and the date of the review.

● Engagement Partner Review

○ Engagement partner should review the following significant findings or issues on a timely basis:
■ Critical areas of judgment
■ Significant risks (e.g. revenue recognition or management override of controls)
■ Other areas based on professional judgment of the partner

● Engagement Quality: Specific Considerations for Nonissuers

○ The auditor’s objective of implementing quality control procedures at the engagement level includes
providing reasonable assurance that:
■ The audit complies with professional standards and laws/regulations.
■ The auditor issues a report that is appropriate.

● Engagement Partner Responsibilities - Nonissuers

○ Engagement partners are responsible for the overall quality of the engagement.
○ Engagement partners should:
■ Remain alert for noncompliance with ethical requirements by engagement members.
■ Engagement team members are independent.
■ Be satisfied with the procedures regarding client acceptance and continuance.
■ Be satisfied that the engagement team and external specialists have competence and capabilities.
■ Take responsibility for direction, supervision, and performance of the engagement.
■ Take responsibility for reviews being performed in accordance with the firm's policies and procedures.
■ Be satisfied that sufficient appropriate evidence has been obtained.

● Engagement Quality Control Review - Nonissuers

○ Provides an objective evaluation of significant judgments made and conclusions reached.
○ If a quality control review is performed, it should be done before the audit report is released.
○ Performed only when required by firm policies and procedures.
○ Can be performed by a partner or other qualified individual, none of whom is part of the audit.
○ The reviewer must have sufficient and appropriate experience and authority to do the review.
○ The reviewer’s evaluation should include:
■ Discussion of significant findings with the engagement partner.
■ Reading the financial statements and proposed auditor report.
■ Review audit documentation related to judgments and conclusions.
■ Evaluation of conclusions reached in formulating the auditor’s report.

● Engagement Quality: Specific Considerations for Issuers

○ PCAOB standards require an engagement quality review and approval of audit report issuance.
○ An engagement quality review is performed by a partner who is not associated with the audit.
Page 45 of 350
 ○ The reviewer must be competent, independent, objective, and act with integrity.
○ The reviewer is required to:
■ Hold discussions with the engagement partner and team; and
■ Review audit documentation to evaluate judgments made and overall conclusions reached.

● Engagement Quality Review (the reviewer should…)

○ Evaluate significant judgments related to items such as prior experience with clients, risks, and materiality.
○ Evaluate the engagement team’s assessment of and responses to risks.
○ Evaluate significant judgments about materiality, misstatements, and control deficiencies.
○ Review evaluation of firm’s independence in relation to the engagement.
○ Review the engagement completion document.
○ Review the financial statements, management's report of internal control, and the engagement report.
○ Read other information to be filed with the SEC and determine whether action has been taken.
○ Evaluate consultations, documentation, and conclusions related to those.
○ Evaluate communications with management, audit committee, and regulatory bodies.
○ Evaluate whether engagement documentation indicates the team responded to risks appropriately.
○ Evaluate the engagement team's determination, communication, and documentation of critical matters.

● Concurring Approval of Issuance - Issuers

○ PCAOB standards require a concurring approval of issuance from the reviewer before a firm can give a
client permission to use the audit report.
○ Approval can be given if there are NO significant engagement deficiencies, such as:
■ The engagement team failed to obtain sufficient appropriate evidence.
■ The team reached an inappropriate overall conclusion.
■ The engagement report is not appropriate for the circumstances.
■ The firm is not independent of the client.

● Notes from MCQs

○ An understanding between the auditor and the client generally includes the auditor’s responsibilities.
■ Ex) the auditor is responsible for reporting any significant deficiencies in internal control to the audit
committee (or those charged with governance).

M3: Documentation
● Audit Documentation
○ Also referred to as “working papers” or “workpapers”
○ Principal record of audit procedures performed, evidence obtained, and conclusions reached.
○ Audit documentation should provide:
■ Evidence of the auditor’s report and the conclusion about objectives of the auditor.
■ Evidence that the audit was in accordance with GAAS and any other regulatory requirements.
Page 46 of 350
 ○ Audit workpapers support the audit opinion, NOT the client’s financial statements.

● Audit Documentation Should:

○ Assist the engagement team in planning, conducting, and supervising the audit.
○ Show that accounting records reconcile with the financial statements and disclosures.
○ Be prepared with enough detail so that an experienced auditor with no connection to the audit can
understand:
■ The nature, extent, and timing of procedures performed;
■ The results of the procedures performed, and evidence obtained;
■ The significant findings or issues arising during the audit; and
■ The conclusions reached, and judgments made to those conclusions.
○ Show who performed the work as well as the date of the work.
○ Show who reviewed the work as well as the date of the review.
○ Include abstracts or copies of significant contracts or agreements.
○ Document discussions of findings or issues with management, those with governance, and others.
○ When possible, documentation should provide evidence that professional skepticism was maintained:
■ Ex) when evidence is obtained that both contradicts and corroborates a management assertion, the
auditor should document:
● How the evidence was evaluated; and

● Any professional judgments made when concluding the impact to the audit.
(Full example shown in lecture)

● Retention and Completion

○ Report release date
■ Date where auditor grants client permission to use auditor’s report.
■ Often, this is the same date as the auditor’s report date or the date the report is delivered to client.
■ Auditor should document the report release date.

○ Document retention
■ Nonissuers → Retain for at least 5 years (after report release date)
■ Issuers → Retain for at least 7 years (after report release date)

○ Documentation completion date

■ Auditor is granted a certain window allowing them to assemble the final audit documentation file.
■ The end of this window is referred to as the “documentation completion date.”
■ This window isn’t meant to perform more procedures, but more like an organization period.
■ Nonissuers → assemble within 60 days (after report release date)
■ Issuers → assemble within 45 days (after report release date)
■ After this date, existing documentation must not be deleted, and additions to the audit documentation
must be documented as such.

Page 47 of 350
● Nature and Extent of Audit Documentation
○ May be in:
■ Paper form;
■ Electronic form; or
■ Other media
○ The specific quantity, type, and content of documentation are based on the auditor's judgment.
○ To determine these, the auditor should consider:
■ Size and complexity of client;
■ Risk of material misstatement;
■ Significance of the evidence obtained; and
■ Nature and extent of any exceptions identified.
○ Generally, audit documentation will consist of:
■ A permanent or continuous audit file.
■ A current file

● Permanent (Continuous) File

○ Includes audit documentation that has a continuing interest from year to year.
○ Examples:
■ Pension plans
■ Multi-year leases
■ Multi-year contracts
■ Stock options
■ Bylaws
■ Bond indentures
■ Articles of incorporation

● Current File
○ Contains all audit documentation applicable to the CURRENT year under audit.
○ Examples:
■ Audit plan
■ Audit report
■ Financial statements
■ Trial balance, adjusting journal entries
■ Confirmations
■ Mgmt representation letter
■ Tests of controls
■ Substantive tests
■ 1 year or less contracts
■ Significant audit findings

● Significant Audit Findings and Related Professional Judgments

○ Includes matters that are related to the selection and application of accounting principles.

Page 48 of 350
 ○ Especially includes those involving complex or unusual transactions, or estimates and uncertainties, and
related management assumptions.
○ Related to matters that give rise to significant risks.
○ Related to possible material misstatements in the financial statements.
○ Cause significant difficulty in applying audit procedures, or indicate need for alternative procedures.
○ May result in modification of the opinion or inclusion of an emphasis-of-matter paragraph.

● Tickmarks
○ Auditor’s often use tickmarks or symbols to indicate the work that has been performed.
○ Audit documentation should include explanations of any tickmarks used.
○ Tickmarks may vary from audit to audit.
○ Example given in lecture/textbook.

Page 49 of 350
● Notes from MCQs
○ An auditor is NOT allowed to make any deletions to documentation before the end of the retention period.

M4: COSO Internal Control Framework

● Overview of Internal Control
○ COSO provides a framework for effective internal control.
○ A key component of risk assessment is obtaining an understanding of internal controls.
○ Internal controls → a policy of procedure established to achieve the control objectives of management.

● COSO Internal Control Framework

○ Committee of Sponsoring Organizations (COSO)
○ Independent private sector initiative.
○ Established in mid-80s to study factors that lead to fraudulent financial reporting.
○ Sponsoring organizations:
■ American Accounting Association (AAA)
■ American Institute of Certified Public Accountants (AICPA)
■ Financial Executives Institute (FEI)
■ Institute of Internal Auditors (IIA)
■ Institute of Management Accountants (IMA)
○ In 1992, COSO issued Internal Control - Integrated Framework in order to assist in assessing internal control
effectiveness.
○ In 2013, the framework received an update to deal with changes in technology, business models,
globalization, outsourcing, and regulatory environment.
■ One significant update involved the creation of 17 principles categorized within the 5 components.
○ COSO’s framework is widely regarded as an appropriate and comprehensive basis to document the
assessment of internal controls over financial reporting.

● COSO Cube

Page 50 of 350
● 3 Objectives - ORC
● 5 Components - CRIME
● 17 Principles - EBOCA, SAFR, OIE, SO D, CAT P

● Internal Control Objectives (“ORC”)

○ Operating: effectiveness/efficiency of operations
○ Reporting: reliability of financial reporting
○ Compliance: adhering to all applicable laws/regulations

● Components and Principles of the COSO Framework (“CRIME”)

○ Control Environment (EBOCA)
■ Commitment to Ethics and integrity
● Sets the tone at the top.

● Foundation of all other components.

■ Board independence & oversight
● Establishing oversight responsibilities.

● Providing oversight for the system of internal control.

■ Organizational structure
● Establishing reporting lines.

Page 51 of 350
 ● Defining & assigning responsibilities appropriate to organization’s objectives.
■ Commitment to Competence
● Hire/develop/retain competent employees.

● Evaluating competence & addressing shortcomings.

■ Accountability
● Hold individuals accountable.

● Establish performance measures, incentives & rewards.

○ Risk Assessment (SAFR) “Make entity SAFR”
■ Specify objectives
● Identify objectives that reflect management choices.

● Comply with accounting standards, laws & regulations.

■ Identify and Assess changes
● Assess changes in the external environment, business model, leadership, etc.
■ Consider potential for Fraud
● Assess incentives, pressures, opportunities, attitudes, and rationalizations.
■ Identify and analyze Risks
● Analyze internal and external factors.

● Involve appropriate levels of management, and determine how to respond.

○ Information and Communication (OIE) “OIE that’s a lot of information”
■ Obtain and use information
● Generate and use relevant info to support internal control.
■ Internally communicate information
● Internally communicate info, including relevant objectives & responsibilities.

● Flow of information up, down and across the organization.

■ Communicate with External parties
● Management should have open, two-way external communication channels.
○ Monitoring Activities (SO D) “Monitor SOD or grass won’t grow”
■ Separate and/or Ongoing evaluations
● Ongoing/separate evaluations to make sure components of IC are present & functioning.
■ Communication of Deficiencies
● Communicate deficiencies in a timely manner to responsible parties.

Page 52 of 350
 ● Monitor corrective actions.
○ (Existing) Control Activities (CAT P)
■ Select and develop Control Activities
● Integrate with risk assessment when selecting activities.

● Consider entity-specific factors.

■ Select and develop Technology controls
■ Deployment of Policies and Procedures

Detail/Auditor’s objectives for each component

● Control Environment
○ Controls related to the control environment are primarily indirect controls.
■ CRM → Indirect
■ IE → Direct
○ Auditor should understand controls, processes, and structures that address:
■ Management’s culture and commitment to integrity and ethical values; E
■ How those charged with governance oversee internal controls; B
■ The entity’s assignment of authority and responsibility; O
■ How the entity attracts, develops, and retains competent individuals; and C
■ How the entity holds individuals accountable. A

○ The auditor should understand the attitudes, awareness, and actions of those charged with governance
with respect to internal control.
○ Responsibility of those charged with governance, such as an audit committee, include:
■ Evaluating actions of management, understanding business transactions, and overseeing reporting;
■ Overseeing “whistleblower” procedures; and
■ Overseeing the process for reviewing the effectiveness of design, implementation, and operation of the
entity’s internal controls.

● Risk Assessment
○ Circumstances from which risks may arise include:
■ Change in regulations or operating environment.
■ New personnel
■ New information systems
■ Environment, social, or governance issues (ESG)
■ Rapid expansion of operations
■ Use of IT and the incorporation of new technology
■ New business models, products, or activities
■ Corporate restructuring
■ Expansion or acquisition of foreign operations
■ Adoption of new accounting principles

Page 53 of 350
 ○ Management may decide to either accept a risk based on cost/other considerations or take action to
address and reduce the risk.
○ Auditors should consider whether risks identified by management may result in a material misstatement.
○ The auditor must also evaluate any use of IT and it’s associated risks:
■ Potential reliance on inaccurate systems.
■ Unauthorized access to data
■ Unauthorized changes to data, systems, or programs
■ Potential loss of data

● Information and Communication

○ May include several direct controls.
○ Auditors should understand the design and implementation of information and communication systems
that relate directly to financial reporting.
○ Information and communication systems support the identification, capture, and exchange of information.
○ Information systems relevant to financial reporting consists of activities, policies, and records designed to:
■ Initiate, record, and process the entity’s transactions and resolve wrong transactions.
■ Process and account for system overrides.
■ Incorporate information from transaction processing in the general ledger.
■ Capture and process information relevant to the financial statements other than transactions, such as:
● Depreciation, amortization, or allowance for doubtful accounts.
○ Communication involves providing an understanding of roles and responsibilities pertaining to an entity’s
internal controls.
○ Auditor’s should obtain an understanding of the methods used to communicate between people regarding
roles, responsibilities, and significant matters about financial reporting.
○ Auditors should be aware of communications:
■ Between management and those charged with governance (particularly the audit committee); and
■ Between management and external parties.
○ For significant classes of transactions, balances, and disclosures, the auditor should understand:
■ How information flows through the entity’s information system, such as how transactions are initiated,
recorded, processed, corrected, included in the general ledger, and reported to financials.
■ The financial reporting process used to prepare financial statements.
■ Entity’s resources, including IT, relevant to processing information.

● Monitoring
○ Process that an entity uses to assess the quality of control performance over time.
○ Assess the design and performance of controls and take corrective actions, when necessary.
○ Establishing and maintaining internal controls is up to management.
○ Management must monitor controls to determine:
■ If operating as intended; and
■ Whether they have been modified to account for any changes in conditions.
○ Auditors should obtain an understanding related to monitoring:
■ Ongoing/separate evaluations, and communications of any deficiencies (SO D)
Page 54 of 350
 ■ Entity’s internal audit function
■ Sources of information used in the monitoring process and management’s basis for deeming it reliable.
● Information may come from external sources, such as customer complaints or regulators.

● (Existing) Control Activities

○ Controls that are designed to ensure:
■ Management directives are carried out; and
■ Necessary steps to address risks are taken.
○ Primarily include direct controls, but may also include some indirect controls.
○ Direct controls impact the financial statements, and these are the controls auditors are most interested in.
○ Strong systems of internal control may include - “PAID TIPS” (be familiar, but may not need to memorize)
○ Prenumbering of Documents
■ All transactions are recorded (completeness)
■ No transactions are recorded more than once (existence)
○ Authorization
■ Affirms a transaction is valid and should occur before commitment of resources.
■ Ex) stamp of approval or a signature from higher-up.
○ Independent Checks to Maintain Asset Accountability
■ Verification of work previously performed by others; or
■ Reconciliation of two or more data elements.
■ Ex) bank reconciliations or comparison of physical inventory to records.
○ Documentation
■ Provides evidence of the underlying transactions
■ Is a basis for establishing responsibility for transactions.
○ Timely and Appropriate Financial Performance Reviews
■ Comparison of actual performance to budgets, forecasts, and prior periods.
■ Comparison of financial and nonfinancial information.
■ Ex) sports team comparing attendance to reasonableness of ticket sales.
○ Information Processing Controls
■ Help to protect integrity of information by ensuring validity, proper authorization, and accuracy,
■ May be automated (i.e. embedded in IT applications).
■ Manual controls may include controls over the input/output of information into and out of the system.
○ Physical or Logical Controls for Safeguarding Assets and Information
■ Involve security devices, limited access programs, restricted areas, etc.
■ Examples) security keys for doors, passwords, multifactor authentication, biometrics, etc.
○ Segregation of Duties
■ Involves ensuring that people do not perform incompatible duties.
■ Duties should be segregated so the work of one person cross-checks another person.
■ Particularly important with respect to an entity's IT.
● Granting/restricting access, data, and execution activities should be segregated.
■ Functions that should be segregated in all scenarios - “ARC”
Page 55 of 350
 ● Authorization

● Record keeping

● Custody of related assets

○ Auditors should obtain knowledge about control activities while studying the other components.
○ Auditors should use judgment to determine whether additional knowledge must be obtained.
○ An audit does NOT require an understanding of ALL control activities.
○ The auditor’s primary consideration should be whether, and how, a control prevents, detects, and corrects
material misstatements.

Page 56 of 350
● Notes from MCQs
○ Setting and communicating expectations would be considered under the control environment.

Page 57 of 350
 M5: Planning
● During planning, the auditor is required to:
○ Obtain knowledge of the client’s business and industry.
○ Develop the audit strategy.
○ Develop the audit plan.
○ Perform risk assessment procedures.

● Nature and Extent of Planning

○ Size and complexity of the entity can change planning activities.
■ More complex:
● Several business lines

● Many levels of management

● Complex transactions
■ Less complex:
● Fewer business lines

● Fewer levels of management

● More centralized accounting functions

○ Auditor’s previous experience with the company can speed up/slow down planning.
○ Changes in circumstances that occur during the audit may affect the planning phase.

● Involvement of Key Engagement Team Members

○ The engagement partner and other key members should be involved in planning.
○ Engagement Partner
■ Planning the audit
■ Supervising the work of engagement team members.
■ Compliance with relevant auditing standards.
○ Audit Senior, Audit staff, or other team members
■ GAAS requires supervision of assistants during the audit to ensure work performed is:
● Adequate to accomplish objectives; and

● Consistent with the conclusion in the report.

● Supervision of Assistants
○ Supervisors should have a conference with all team members prior to an audit to discuss technical aspects.
○ When assistants are used, proper supervision includes:
■ Directing the efforts of assistants.
■ Informing them of their responsibilities:
● The objectives they are to perform;
Page 58 of 350
 ● The nature, timing, and extent of procedures they are to perform; and

● Any matters that may affect their performance.

■ Staying informed (e.g. telling staff to report back) regarding significant auditing issues, new
developments, or other difficulties.
■ Evaluating whether appropriate action has been taken in accordance with applicable standards

○ The nature, extent, and timing of the supervision can depend on:
■ The size and complexity of the entity;
■ The nature of the work assigned;
■ The qualifications of the assistants; and
■ The assessed risks of material misstatement.

● Disagreements Among Auditors

○ Differences may exist between audit team members at the end of an audit.
○ In this case, consult with the auditor who has final responsibility of the audit, typically the audit partner.
○ If the difference still exists after consulting the higher-up, disagreeing staff members can disassociate
themselves from the resolution by documenting their disagreement.
■ In this event, the basis for the final resolution should also be documented.

● Background of Planning
○ Audits use a risk-based approach.
○ Not every account is audited equally.
○ Accounts with a higher risk of material misstatement will receive more attention.
○ An auditor should obtain an understanding of the client's business and industry during planning.
○ Understanding the business and industry helps understand their events and transactions better.
● Experience in Planning
○ Auditors are NOT required to have prior experience with a client’s business or industry to accept an audit.
○ Once the engagement is taken, the auditor must obtain an understanding of the business and industry.

● Knowledge of the Client’s Industry

○ Obtaining knowledge about the industry helps highlight practices unique to that industry.
○ Most common sources of industry information are:
■ AICPA accounting and audit guides;
■ Trade publications and professional trade associations;
■ Government publications; and
■ AICPA Accounting Trends and Techniques (an annual survey of accounting practices).

● Knowledge of the Client’s Business

○ There are various methods of getting to know a client's business.
○ Tour the facilities.
○ Review the financial history of the client, such as written documents:

Page 59 of 350
 ■ Previous audit reports;
■ Annual and permanent audit files;
■ Prior year and interim financial statements; and
■ SEC filings.
○ Obtain an understanding of the client’s accounting:
■ May affect the design of controls, which in turn affects planned audit procedures.
■ Specifically, understand methods used to gather and process accounting information.
● Computer processing usage;

● Outside service organizations used;

■ Methods such as these influence the design of internal controls.
■ Policies and procedures manuals often provide accounting information.
○ Inquire with current business personnel.
■ Can ask about current developments affecting the entity, for example.

● Audit Strategy
○ Outline that sets the scope, timing, and direction of the audit and helps guide the audit plan.
○ Audit strategy outlines:
■ Scope of the engagement;
■ Reporting objectives;
■ Timing of the audit;
■ Required communications; and
■ Factors that determine the focus of the audit.
○ Developing an audit strategy early in the process helps determine resources needed, such as:
■ Assignment of staff to specific audit areas (higher experience = higher complex areas);
■ Involvement of other auditors, specialists, and client’s internal auditors;
■ Timing of testing (interim vs. year-end) and audit team meetings;
■ Budget hours to assign to specific audit areas; and
■ The extent, location, and timing of reviews of audit work.

● Factors That Determine the Focus of the Audit

○ Preliminary evaluations of materiality, audit risk, and controls.
○ Material locations and account balances.
○ Areas in which there is a higher risk of material misstatement, including disclosures.
○ Significant accounting changes.
○ Significant business and industry developments, such as legal and regulatory matters.

● Factors that Define the Scope of the Audit

○ Size and complexity of the entity to be audited, including parent-subsidiary relationships.
○ Effect of IT on the audit.
○ Knowledge gained from prior experience with the entity.
○ Use of service organizations by the entity.

Page 60 of 350
● Factors over Reporting Objectives, Audit Timing, and Required Communications
○ Deadlines for interim and financial reporting.
○ Key dates for meetings with management and those charged with governance.
○ Nature and timing of audit team communications, such as team meetings and reviews.
○ The expected type and timing of reports and other communications.
○ Expected or required communications with third parties.

● Developing the Audit Plan

○ Based on the strategy that outlines the nature (type of procedure), extent (how many procedures), and
timing of the procedures to be performed.
○ Audit plan is much more detailed than the audit strategy.
○ A written audit plan is required.
○ May be prepared by using a prior year audit plan or using a template.

● Audit Procedures
○ Performed to obtain evidence on which to base the audit opinion.
○ May be categorized as either:
■ Risk Assessment Procedures → used to obtain an understanding of the entity’s environment, including
internal control, in order to assess risks of material misstatement.
■ Further Audit Procedures
● Test of Controls → used to evaluate the operating effectiveness of controls

● $ubstantive Procedures (required) → used to detect material misstatements to transaction

classes, account balances, and disclosures. Includes other audit procedures required by GAAS.
○ Test of Details
○ Substantive Analytical Procedures

○ During planning, auditors generally establish the timing of work, which may include interim dates.
■ When audit procedures are performed before year-end, the auditor must:
● Assess the incremental risk involved; and

● Determine whether alternative procedures exist to extend the interim conclusion to year-end.
■ Typically, the more risky accounts will be tested at year-end.
■ Auditors may decide to test less-risky accounts at interim dates.

○ Auditors should consider the methods used by the client to process accounting information, and whether
those methods affect the availability of data.
■ For example, when computer processing is used, documents may exist only briefly and later discarded.
■ Auditors may need to schedule procedures to catch the information before it's discarded.
■ Auditors should also consider performing tests several times during the year.

Page 61 of 350
● ERISA Audit - Additional Risk Assessment Procedures
○ Auditor should obtain and read the most current plan instrument, including amendments.
■ If not necessary to test provisions, auditor should document the considerations in that conclusion.

○ Plan Tax Status

■ When plans are tax-exempt status, such plans are required to be in accordance with IRC requirements.
■ Management is responsible for conducting nondiscrimination and other compliance tests at least
annually, unless otherwise told by IRC.
■ Audit should consider whether the plan has performed and passed, corrected, or intends to correct
failures relevant to IRC compliance tests.

○ Prohibited Transactions
■ Auditors should evaluate if prohibited transactions have been reported to supplemental schedules.
■ If the plan has prohibited transactions with a party in interest, and it has not been reported, the auditor
should discuss the matter with management.

○ Auditors should perform procedures necessary to be satisfied that amounts reported are correct.
○ When management elects to have an ERISA Section 103(a)(3)(C) audit, the auditor should:
■ Evaluate management’s assessment on if the entity issuing the certification is a qualified institution.
■ If there are concerns about the qualification of the certifying institution, discuss with management.
■ If management does not provide sufficient support, discuss with those charged with governance.

○ Further auditor objectives for ERISA Section 103(a)(3)(C) audits include:

■ Identify which investment information is certified.
■ Perform the following procedures on the certified investment information:
● Obtain and read the certification.

● Compare the certified investment information with the related information presented.

● Read the disclosures relating to the certified investment information, and determine if they are in
accordance with the requirements.
● If the information is incomplete, wrong, etc., discuss matters with management and perform more
procedures to determine the next step.
■ Perform audit procedures on financial statement information, including:
● Disclosures, not covered by the certification; and

● Noninvestment-related information based on the assessed risk of material misstatement.

○ Plans may hold investments in which only a portion are covered by a certification.
■ In that case, auditor should perform audit procedures on the information that has NOT been certified.

● Financial Statement Assertions (“COVERUP”)

Page 62 of 350
 ○ Completeness
■ All account balances, transactions, and disclosures that should have been recorded and included.
○ Cutoff
■ Transactions have been recorded in the correct accounting period.
○ Valuation, Allocation, and Accuracy
■ Account balances, transactions, disclosures are measured appropriately.
○ Existence and Occurrence
■ Account balances exist and pertain to the company.
○ Rights and Obligations
■ Entity holds the rights to assets, and liabilities are the obligations of the entity.
○ Understandability of Presentation and Classification
■ Transactions have been recorded in proper accounts.
■ Financial information is appropriately presented and described.

● Relevant assertions and their use

○ Relevant assertions are assertions that have an identified risk of material misstatement.
○ When determining relevant assertions, auditors should consider both likelihood and magnitude of
misstatement.
○ The auditor should identify potential misstatements that may occur, and then design audit procedures to
address those risks.
■ Objective → Related assertion → Potential misstatement → Determine audit procedure
■

● Drafting the Audit Plan

○ The audit plan is a listing of procedures that the auditor believes are necessary to accomplish objectives.
○ After sufficient information has been gathered, an audit plan is drafted.
○ A written audit plan is required for every audit.
○ Audit plan should:
■ Set out procedures in reasonable detail, specifying nature, extent, and timing of work; and
■ Include a reference to the assertion under consideration.
○ Nature, extent, and timing of procedures (“NET”):
■ Nature → refers to the type of procedure that's going to be performed.
■ Extent → refers to the number of items.
■ Timing → refers to the testing period or testing as of date.
○ As the audit progresses, audit plans may need to be modified in response to changing conditions.
■ Modifications are often made after assessing risks, or based on results of procedures.
■ The audit plan should be designed so that evidence gathered will support conclusions.

Page 63 of 350
● Group Audit Plan
○ The group audit team should develop a group audit strategy and a group audit plan.
○ A group audit plan should:
■ Detail the extent to which the group engagement team will use the work of component auditors; and
■ Whether the auditor’s report will make reference to the audit of a component auditor.

● Communication of the Planned Scope and Timing of an Engagement

○ The purpose of communicating this information is to:
■ Provide insight to those charged with governance regarding audit activities; amd
■ To improve the auditor's understanding of the entity.
○ The auditor should communicate the planned scope and timing of the audit, including significant risks
identified.
○ Auditors may communicate:
■ Plans to address risks of material misstatements
■ Plans on what audit procedures they are performing
■ Plan to approach system of internal controls
■ Factors that affected their determination of materiality
■ Plans on using the client’s internal auditor staff or specific specialists
■ Plans for addressing significant changes
○ The auditor should be careful not to compromise the effectiveness of the audit by giving away too much
information and making the procedures predictable.
○ Auditors can also ask questions themselves:
■ What is the allocation of responsibility?
■ What are the entity’s objectives, strategies, and risks?
■ Have you had any significant communications with regulators?
■ Are there any matters you want us to pay attention to?
○ Auditor should also ask about:
■ Changes to internal control;
■ Any fraud;
■ Any relevant changes (such as changes to financial reporting); and
■ Any actions on matters we previously communicated to you.

● Notes from MCQs

○ For audit strategy, incorrect questions typically relate to procedures performed in the audit, but after the
planning phase (performing tests, sending out letters of inquiry to lawyers, results of tests, etc).
○ If an engagement team member is dissenting the conclusion of their team, they are NOT allowed to simply
accept the engagement team’s conclusion despite their reservation.
○ When testing accounts at interim dates, auditors generally select accounts that are reasonably predictable with
respect to:
■ Amount, relative significance, and composition.

Page 64 of 350
 ○ Auditors use substantive procedures AND tests of controls at relevant assertion levels to test a client's
significant account balances, transaction classes, and disclosure items in the financial statements.

M6: Using the Work of Others

Use of Internal Auditors
● Internal Audit
○ Evaluate and approve of the effectiveness of governance, risk management, and internal control processes.
○ Part of the monitoring process of internal controls.
○ Help management by providing information about design and implementation of internal control.
○ More comprehensive audit plan than external auditors.
○ Some testing may be the same as those performed by external auditors.

● Client’s Internal Auditors

○ When planning the audit, the auditor should consider the involvement of the internal auditors.
○ Internal auditors may be used to:
■ Use the work of the internal audit function in obtaining evidence; and/or
■ Provide direct assistance.
○ The external auditor CANNOT share responsibility for:
■ Issuing the report;
■ Audit decisions;
■ Judgments; or
■ Assessments made as part of the audit.

● Effect of the Internal Auditor’s Work

○ The work of an internal auditor may aid the external auditor in:
■ Obtaining understanding of the client's internal controls;
■ Assessing risk (“which areas are more risky?”);
■ Performing control testing; and
■ Performing substantive procedures.
○ Internal auditors are NOT independent of the client.
○ Therefore, internal auditors work alone cannot eliminate direct testing by the external auditors related to:
■ Assertions with high risk of material misstatement; or
■ A high degree of subjectivity.
○ Direct testing by the external auditor may not be necessary for assertions with:
■ A low risk of material misstatement; or
■ A low degree of subjectivity.

● Direct Assistance Provided by the Internal Auditor

○ External auditors may ask internal auditors to perform a specific task to aid in the audit.
○ External auditors should do the following related to internal auditors work:
■ Supervise, review, and evaluate.

Page 65 of 350
 ■ Test the work performed.

● Exam Day Hints

○ Questions about Direct Assistance → Internal audit may provide direct assistance for:
■ Obtaining an understanding of internal controls
■ Performing test of controls
■ Performing substantive tests
○ Questions about Sharing Responsibility → External auditor CANNOT share responsibility for subjective:
■ Assessments
■ Materiality
■ Estimate accounts
○ Questions about Relying on Internal Auditors Work → Look for answers for low degree of:
■ Subjectivity
■ Lower risk
■ Lower materiality

● External Auditor Responsibilities

○

○ Competence → reflected by education, professional certification, experience, etc.

○ Objectivity → reflected by the organization level to which the internal auditor reports, as well as prohibiting
internal auditors from auditing areas where they lack independence.
○ Systematic and Disciplined Approach → applying appropriate policies and procedures set by professional
bodies of internal auditors.
■ Internal audit function is structured and run by actual internal auditors, not random employees.

○ External auditor should supervise and review all work performed on the audit.
○ External auditor remains solely responsible for the report on the financial statements.
○ Although internal auditors may assist with regard to routine tasks, they CANNOT make judgment calls.
■ Judgment calls are the responsibility of external auditors.

Use of Specialists
● A specialist is a person or firm with special skills in a field other than accounting or auditing.
○ Actuaries, appraisers, attorneys, engineers, etc.
● A specialist can be considered as a:

Page 66 of 350
 ○ Auditor’s Specialist → used by the auditor to assist in obtaining appropriate sufficient audit evidence.
■ PCAOB Term → Auditor-employed specialist or Auditor-engaged specialist
○ Management’s Specialist → used by the entity to assist in preparing the financial statements.
■ PCAOB Term → Company specialist

● Determining the Need for an Auditor’s Specialist

○ May be engaged whenever the auditor believes it is desirable and necessary.
○ Example → a company sells diamonds and the auditor needs them appraised.
○ Other examples may include:
■ Value restricted securities and works of art.
■ Determine physical characteristics of goods, such as mineral reserves.
■ Determine specialized estimates, such as actuarial calculations.
■ Interpret technical standards or legal documents.

● Understand the Specialist’s Field of Expertise

○ An auditor should have sufficient understanding of the specialists field of work in order to:
■ Evaluate relevant, reliability, and adequacy of work;
■ Determine the nature, scope, and objectives of work; and
■ If auditors receive information from management’s specialist, they may need their own specialist to
validate the work.

● Competence, Capabilities, and Objectivity

○ Auditors must be satisfied with the competence, capabilities, and objectivity from the specialist.
○ To assess competence and capability, an auditor should obtain understanding of specialists certification,
experience, and reputation.
○ Auditors should evaluate any possible relationships with the entity that may affect objectivity:
■ Unrelated specialists → best for assurance
■ Related specialists → acceptable in certain circumstances, but more procedures should be done.

● Agreement with the Auditor’s Specialist

○ The auditor should agree with the auditor’s specialist regarding:
1. The nature, scope, and objectives of work of specialist;
2. The roles and responsibilities of both auditors and specialists;
3. The nature, timing, and extent of communication between auditor and specialist;
4. The need for the specialist to observe confidentiality requirements.
○ Auditor does NOT need to have a written agreement with management’s specialist.

● Evaluate the Adequacy of Work

○ Auditors should perform procedures to evaluate relevance, reliability, and adequacy of work, such as:
■ Making inquiries of the specialist.
■ Reviewing the working papers used by the specialist:
● Company-produced data → Test accuracy and completeness.

Page 67 of 350
 ● Eternal-based data → Evaluate relevant and reliability of data.

● Significant assumptions → Obtain an understanding and determine consistency of assumptions.

● Methods → Determine if method is appropriate and follows requirements of framework.

■ Review reports of the specialist.
■ Perform procedures, such as:
● Observing the work of the specialist.

● Examining published data.

● Confirming relevant matters with third parties.

● Performing detailed analytical procedures.

● Reperforming calculations
■ Engaging in discussion with another specialist to determine if findings are consistent.
● If not consistent, discuss those inconsistencies.
■ Discussing the report of the auditor’s specialist with management.

● Extent of Evidence
○ The necessary extent of evidence from specialists depends on:
■ Significance of the specialists work to the auditor’s conclusions;
■ Risk of material misstatement in the matter to which the specialists work relates; and
■ The knowledge, skill, and ability of the specialist.

● Effect on the Auditor’s Report

○ Do NOT refer to the specialist when:
■ Referring to management’s specialist.
■ Auditor is expressing an unmodified or unqualified opinion.
○ May refer to the auditor’s specialist when:
■ Modified opinion due to the auditor’s specialist’s findings.
■ Explanatory paragraph added to the audit report.
■ If it helps users understand a critical audit matter or key audit matter.
○ When a specialist is referred to, the auditor should indicate that the reference does not reduce the
auditor’s responsibility for the audit opinion.
○ The auditor may need permission from the specialist before making reference to them.

Use of IT Auditor
● Information technology auditing is a specialized area of auditing.
● Those who possess specialized knowledge in information technology are called IT auditors.
● IT auditors are NOT considered specialists.
● An IT auditor may be used throughout the audit, including:
Page 68 of 350
 ○ Obtaining and understanding of internal control.
○ Assessing risks
○ Performing control test work
○ Performing substantive procedures
● IT auditors must be informed about their role, including:
○ Complying with ethical requirements and to plan and perform the audit with professional skepticism.
○ The objectives of the work to be performed.
○ The nature of the entity’s business.
○ Risk-related issues.
○ Problems that may arise.
○ The detailed approach to the performance of the engagement.
● The audit partner supervises and reviews the work performed by any IT auditors.

Using the Work of a Component Auditor

● See A1:M8 for a refresher on what a component auditor is and what they do.

● Determining the Need for a Component Auditor

○ A component auditor may:
■ Be needed to obtain sufficient appropriate audit evidence over a subsidiary.
■ Be required by law or regulation.
■ Have been engaged by subsidiary management for another reason.

● Competence, Capabilities, and Objectivity

○ Regardless of whether the group auditor will make reference to the component auditor, the component
auditor should be:
■ Competent;
■ Capable; and
■ Objective.
○ The group engagement team should obtain the following:
■ Whether the component auditor is independent.
■ Whether the component auditor understands and will comply with ethical requirements.
■ The extent to which the group engagement team will be involved in the component auditors work.
■ Whether the component auditor operates in a regulatory environment that oversees auditors.

● Agreement with the Component Auditor

○ The group auditor should provide instructions to the component auditor and agree, in writing, regarding:
■ The nature, scope, and objectives of the work of the component auditor;
■ The respective roles and responsibilities of the group auditor and component auditor; and
■ The nature, extent, and timing of communication between group auditor and component auditor.

● Evaluate the Adequacy of the Component Auditor’s Work

○ The group auditor will review communication from the component auditor that must include:
■ Significant risks of material misstatements, and the component auditors' response to those risks.
Page 69 of 350
 ■ A list of corrected and uncorrected misstatements of the component.
■ Indicators of possible management bias regarding estimates and applying accounting principles.
■ Description of any identified material weaknesses and significant deficiencies in internal control.
■ Whether the component auditor has complied with the team's requirements.
■ Noncompliance with laws or regulations at a component or group level.
■ Other significant findings and issues.
■ Any other matters that may be relevant to the group audit.

● Extent of Evidence
○ If the group auditor is assuming responsibility for the component auditors work, the group auditor should
be involved in the risk assessment to identify more risky areas.
○ The nature, extent, and timing of this involvement may vary, but at a minimum should include:
■ Component’s business activities that are significant to the group.
■ Susceptibility of the component to material misstatement.

● Effect on the Auditor’s Report

○ When the group auditor decides to make reference to the component auditor, meaning the group auditor
does not assume responsibility of the component auditor, the group financial statements should indicate:
■ The component was audited by the component auditor.
■ The magnitude of the financial statement audited by the component auditor.
■ The group auditor has taken responsibility for evaluating the adjustments to convert the component’s
financial statements to the applicable framework (if applicable).
■ The component auditor performed additional procedures in order to meet relevant requirements of
GAAS (if the component auditor performed under different auditing standards).

● Notes from MCQs

○

M7: Materiality
● When establishing the audit strategy, the auditor should determine:
○ Materiality for the financial statements as a whole;
○ Performance materiality; and
○ When necessary, materiality levels for particular transactions, balances, or disclosures.

Materiality as a Whole
● Used to determine the audit opinion.
● Auditor’s responsibilities section includes:
○ “objective to obtain reasonable assurance… statements as a whole are free from material misstatement”
● Misstatement → Recorded amount or disclosure that is incorrect or omitted.
● Material → If there is substantial likelihood that misstatements would influence judgment of a reasonable user.

Page 70 of 350
● Needs of Users
○ Materiality is influenced by the auditor's perception of the needs of financial statement users.
○ Users are assumed to:
■ Have knowledge over the business, economy, and accounting.
■ Recognize that financial statements inherently have some uncertainty.
■ Understand how materiality affects both preparation and audits of financial statements.
■ Be able to properly analyze financial statements, and make reasonable judgments.

● Factors to be Considered
○ Materiality is based on professional judgment.
○ Both qualitative and quantitative factors must be considered when setting materiality.
○ The materiality level needs to be expressed as a specified amount.
○ When assessing materiality, the smallest level of misstatement that could be material on any one of the
financial statements should be used.
■ Ex) $100,000 misstatement = material on income statement.
■ $75,000 misstatement = material on balance sheet.
■ Therefore, $75,000 should be used for materiality.

● Preliminary Assessment of Materiality

○ The auditor applies a percentage to a financial statement benchmark.
○ If current financial statement numbers are not yet available or accurate, auditors may use the entity’s
annualized interim financial statements or its prior period annual financial statement.
○ Examples of materiality benchmarks to calculate materiality include:
■ Total revenue
■ Gross profit
■ Profit before tax from continuing operations
■ Net assets
○ Professional judgment is used when selecting the benchmark and its percentage to calculate materiality.

Page 71 of 350
Performance Materiality (nonissuer) and Tolerable Misstatement (issuer)
● Used to:
○ Determine the assessment of risks of material misstatement; and
○ Determine the nature, extent, and timing of tests.
● Definitions
○ Standards → The amount or amounts set by the auditor at less than materiality for the financial statements
as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds materiality for the financial statement as a whole.
○ Translated Definition → The auditor should use an amount that is lower than materiality while planning
audits and testing items.
● Why use an amount lower than materiality as a whole?
○ Potential for misstatements to go undetected.
○ Possibility that client may not adjust records to correct misstatements that are found.

Page 72 of 350
Materiality for Particular Transactions, Balances, or Disclosures
● As necessary, the auditor determines that separate materiality levels need to be applied.
● This amount must be less than materiality.
● Calculating particular levels of materiality for accounts, balances, or disclosures is NOT required.

General Notes on Materiality

● Clearly Trivial → misstatements that are clearly inconsequential.
○ Example: a misstatement of one dollar.
○ The auditor sets the clearly trivial amount.

● Example of calculating materiality levels

Page 73 of 350
 ○ If the financial statements were off by $12,500 or more, the auditor would modify the opinion.

● Materiality in Group Audits

○ The group engagement team determines the following:
○

● Revising the Assessment of Materiality

○ Auditor’s determination of materiality ordinarily occurs during the planning stage of the audit.
○ These assessments are often based on preliminary data.
○ Therefore, the determination of materiality will typically be revised as the audit progresses.
○ Examples of situations that would require revision may include:
■ Original materiality levels were based on estimated or prior amounts different from actual amounts.
■ Events or changes (e.g. changes in laws, regulations, frameworks, etc) that occurred after materiality
levels were established.

● Notes from MCQs

○

Page 74 of 350
 M8: Audit Risk
● Audit risk is the risk that the auditor may unknowingly modify the opinion of the financial statements that are
materially misstated.
○ Essentially, it's the risk that the auditor issues the wrong opinion.
○ Ex) auditor issues unmodified/unqualified opinion, but should have issued a modified opinion.
○ Audit risk arises because the auditor obtains only reasonable (and not absolute) assurance about whether
the financial statements are free from material misstatement.

● What is a Material Misstatement?

○ An omission or misstatement that makes it probable that the judgment of a reasonable person relying on
that information would have been changed or influenced by the omission or misstatement.
○ Misstatements can result from errors (unintentional) or fraud (intentional).
○ Misstatements include:
■ Inaccuracies in the collection or processing of data.
■ Departures from GAAP.
■ Omissions.
■ Incorrect estimates or judgments.
■ Inappropriate selection or application of policies.
■ Inappropriate classification, aggregation, or disaggregation of information.
○ The auditor should consider what level of misstatement would be material, either alone or in the aggregate
with other misstatements. (See M7)

● Types of Misstatements
○ Factual misstatement → misstatements about which there is no doubt.
■ Ex) booking a copier for $5,000 when you bought it for $500 (no installation/ready for use costs).
○ Judgment misstatement → differences arising between auditor and management regarding judgments.
■ May include recognition, measurement, presentation, disclosure, etc.
■ Ex) auditor believes allowance account should be 4% of gross receivables, management thinks 3%.
○ Projected misstatement → auditor’s best estimate of misstatements in populations based on projections of
misstatements identified in the audit samples drawn from that population.
■ Ex) 10% misstatement in sample = 10% misstatement in the population from which that sample was
taken.

Audit Risk Model

● Audit Risk (AR) = Risk of Material Misstatement (RMM) x Detection Risk (DR)
○ Components of audit risk may be assessed either:
■ Quantitatively → percentage; or
■ Nonquantitatively → high, medium, low, etc. (most common in exam questions).
○ Audit risk comprises the risk that:
■ Financial statements are materially misstated (risk of material misstatement, or RMM); and
■ The auditor will not detect such misstatements (detection risk, or DR)
○ Audit risk should be low.

Page 75 of 350
 ○ Risk of material misstatement should be assessed by the auditor.
○ Detection risk is controlled by the auditor.

● Risk of Material Misstatement (RMM = IR x CR)

○ There is a reasonable possibility of a misstatement occurring (likelihood); and
○ If it were to occur, there is a reasonable possibility of it being material (magnitude).
○ Risk of Material Misstatement can be broken down further as:
■ Risk of Material Misstatement = Inherent Risk x Control Risk

○ Inherent risk → susceptibility of an assertion to a material misstatement before the consideration of any
related controls.
○ Inherent risk factors are the characteristics about events or conditions that cause such risk.
○ Inherent risk factors can be quantitative or qualitative, and include:
■

○ Depending on the degree to which these factors exist, the level of inherent risk assessment varies on a
scale that is referred to as the spectrum of inherent risk.
■ This spectrum provides a frame of reference to determine the significance of both likelihood and
magnitude of misstatement.
○ Auditors assess inherent risk as a high if the account is more likely to be materially misstated.
○ Assertions involving these factors generally have a high inherent risk:
■ High-volume, unique, or individually significant transactions
■ Complex or subjective calculations
■ Amounts derived from estimates
■ Cash
○ Other factors specific to the entity may also tend to increase inherent risk, such as:
■ Technology that renders a product obsolete.
■ Lack of working capital.
■ Decline in the overall industry or economy.

Page 76 of 350
 ○ Control Risk → risk that the client's internal controls don’t catch the material misstatement.
○ An auditor assesses control risk BELOW the maximum (e.g., low or medium) if the auditor plans to rely on
controls (design and implementation of controls are operating effectively).
■ Auditors will test controls to support control risk below the maximum.
■ RMM will be equal to IR x CR
○ An auditor assesses control risk AT the maximum (i.e., high) if:
■ There are no effective controls relative to the specific assertion;
■ The implemented controls are not operating effectively; or
■ Sufficient appropriate audit evidence may be obtained by substantive testing only.
○ Typically, when CR is high, the auditor will NOT test controls and will proceed straight to substantive tests.
■ RMM will be equal to IR.

○ Inherent risk and control risk exist independently of the audit, and the auditor generally cannot change
these risks.
■ Inherent and control risks are specific to that entity, the auditor cannot change aspects of the entity.
■ However, the auditor can change their assessment of these risks as the audit progresses.

● Detection Risk
○ Risk that the auditor will NOT detect a material misstatement that exists.
○ Detection risk is a function of the effectiveness of audit procedures and how they are applied.
○ Auditor controls this type of risk.
○ Some amount of detection risk will always exist because:
■ Auditor does not examine 100% of an account balance or transaction; and
■ Auditors may make mistakes in applying procedures or interpreting results.
○ Detection risk has an INVERSE relationship with RMM.
■ RMM = High; DR = Low
■ RMM = Low; DR = High
○

Page 77 of 350
 ○ Even if control risk is low, substantive procedures will always be necessary for each relevant assertion.
■ You can’t simply say “I don’t want to do substantive testing” because the risk is low.

● “Must-Knows” for the Exam

○ Be able to identify when IR is assessed as higher vs. lower on the spectrum of inherent risk.
○ Be able to identify when CR is assessed as maximum vs. below the maximum.
○ Be aware of the inverse relationship between RMM and DR.
○ RMM affects DR, but DR does not determine RMM.
■ RMM = entity specific; DR = set by auditor.
○ Be aware of the inverse relationships between DR and assurance required by substantive testing (NET).
■ See pictures with arrows above here.

● Example problem

● Audit Risk and Materiality: Overall Considerations

○ Audit risk and materiality should be considered together in designing the NET of audit procedures.
○ A class transaction, balance, or disclosure is significant when there is an identified risk of material
misstatement at the assertion level (that is, one or more relevant assertions).
○ Stand-back requirement → when there is a material transaction, balance, or disclosure that is NOT deemed
to be significant (no relevant assertion identified), the auditor should assess whether that determination
remains appropriate.

Page 78 of 350
● Inverse Relationship Between Audit Risk and Materiality
○ The risk of a very large misstatement may be low, whereas the risk of a small misstatement may be high.
○ Example:
■ Accounts receivable = $500,000
■ Less likely large misstatement = $499,999
■ More likely small misstatement = $0.01
○ The more material a misstatement is, the less likely it is that the auditor will NOT detect it.

● Notes from MCQs

○

Page 79 of 350
 M9: Fraud Risk
● Error → Unintentional misstatements or omissions of amounts or disclosures in the financial statements.
● Fraud → Intentional act involving the use of deception that results in misstatements of the financials.

● Fraudulent Financial Reporting

○ Intentional misstatements or omissions that are designed to deceive financial statement users.
○ Usually involves management.
○ May involve acts such as:
■ Manipulation, falsification, or alteration of records or supporting documents of financials.
■ Misrepresentation in, or intentional omission of, events, transactions, or other information.
■ Intentional misapplication of accounting principles.

● Misappropriation of Assets
○ Theft of an entity’s assets when the effect of the theft causes financial statements to not follow GAAP.
○ Usually involves one or more individuals among management, employees, or third parties.
○ These acts:
■ May involve stealing assets; or
■ May cause an entity to pay for something that has not been received.

● Fraud Risk Factors (Fraud Triangle)

○ Opportunity → a lack of effective controls.
■ Ex) weak controls over cash (no locks on cash registers)
○ Incentives/Pressures → a reason to commit fraud.
■ Ex) bonus earned contingent upon reaching certain results.
■ Ex) excessive pressure for management to meet aggressive goals.
○ Rationalization/Attitude → an attempt to justify the behavior.
■ Ex) disregard for authority (known history of violations).

● Reasonable Assurance
○ The risk of not detecting a material misstatement from fraud is higher than the risk from error.
○ Because of the concealment aspects of fraud and the need to apply judgment, even properly planned
audits may fail to detect fraud.
○ Fraud is often difficult to detect because those engaged in fraud will try to conceal it.
■ Such as through collusion among various parties.
○ The risk of not detecting management fraud is higher than employee’s because management is in a
position to override controls and conceal the fraud.

● Responsibility
○ Management → designing and implementing programs and controls to prevent, deter, and detect fraud.
○ Auditor → plan and perform the audit to obtain reasonable assurance about whether the financial
statements are free of material misstatement, whether caused by error or fraud.
■ As part of audit planning, auditors must assess the risk of material misstatement due to fraud.

Page 80 of 350
 ■ This fraud risk assessment is an ongoing process and should be considered at every phase of the audit.

● Required Discussion Among Engagement Personnel

○ Discussions of potential material misstatement from fraud is a part of planning.
○ The discussions should involve all key members of the team and the engagement partner.
■ Specialists may also be brought in.
○ Discussions should include:
■ How and where the financial statements might be susceptible to fraud.
■ How management could conceal fraudulent financial reporting.
■ How assets could be misappropriated.
■ An emphasis on the importance of professional skepticism (having a questioning mind).
■ Consideration of the risk of management overriding controls.
■ How the auditor might respond to identified fraud risks.
○ The primary objective of these discussions is to assess the potential for material misstatements from fraud.

● Obtaining Information
1. Inquiry of entity personnel regarding their views of fraud risk
■ Inquiries should be made regarding:
● The overall risk of fraud.

● Identified or suspected instances of fraud.

● Communication of management's code of ethics.

● The extent of oversight and whether there are locations for which fraud risk might be more likely.

● Whether management or those with governance received and responded to complaints of fraud.

● The process for identifying and responding to fraud risk and the controls established for fraud.

● The internal auditor’s procedures to detect risk and if management responds to any detections.
■ Inconsistent or unsatisfactory responses indicate the need for additional evidence.

2. Consider the results of analytical procedures

■ Analytical procedures during planning help the auditor obtain an understanding of the client.
■ Procedures related to revenue are required to be done to help identify unusual relationships.
● Often use data aggregated, such as by month, rather than individual transactions.

3. Evaluate fraud risk factors

■ Fraud triangle factors are typically present when fraud occurs.
■ Auditors use judgment to determine to what extent the factors are present.
■ All three factors present = greatest fraud risk
■ All three factors being present is NOT an absolute indication that fraud is occurring.
■ Likewise, lack of any or all three factors does NOT imply that there is no fraud risk.
Page 81 of 350
● Identifying Risk
○ Auditors should use the information gathered from above to identify risks that may result from fraud.
○ Attributes of risk:
■ Type of risk → fraudulent financial reporting or misappropriation of assets?
■ Significance of the risk → can it lead to a material misstatement?
■ Likelihood of the risk → how likely is it to happen?
■ Pervasiveness of the risk → does it affect all financial statements, or only specific accounts?
○ There is a presumption in every audit that two risks exist:
1. Improper revenue recognition
2. Management override of controls
■ These risks should be addressed by the auditor in evaluating overall fraud risk.
○ The auditor should also consider the susceptibility of items to manipulation, which include:
■ A high degree of management judgment and subjectivity (e.g. allowance for receivables)
■ Highly complex accounting principles (e.g. derivatives)

● Responding to Assessed Fraud Risk

1. Overall, general response
■ Assigning personnel to the engagement.
■ Determining the appropriate level of supervision of engagement personnel.
■ Evaluating management's selection and application of principles.
■ Incorporating unpredictability into the audit, such as doing different procedures from last year.
● Unpredictability is important.

2. Response encompassing specific audit procedures

■ Nature → perform more persuasive procedures
■ Extent → increase sample sizes
■ Timing → perform procedures at year-end

3. Response addressing management override

■ Obtain an understanding of the financial reporting process and controls to determine if they have been
overridden.
■ Examine journal entries and other adjustments for possible misstatements due to fraud.
■ Review accounting estimates for bias.
■ Evaluate the business purpose for significant unusual transactions.

○ In situations in which fraud risk still exists, the auditor may consider withdrawing from the engagement.

● Evaluating Audit Evidence

○ The auditor is required to assess fraud risk throughout the audit and to evaluate, at the end of the audit,
whether results affect this assessment.
○ Certain conditions noted during fieldwork may affect the auditor’s assessment of fraud risk.

Page 82 of 350
 ○ These conditions are not absolute evidence fraud has occurred, but may suggest it:
■ Discrepancies in records
■ Conflicting or missing evidential matter
■ Problematic relationships between auditor and management
■ Objections by management to the auditor meeting privately with audit committee
■ Policies that appear inconsistent with industry practices
■ Frequent changes to accounting estimates that do not appear to result from circumstances
■ Tolerance of violations of the company’s code of conduct
○

○ Auditors should consider whether any misstatements are indicative of fraud.

○ Misstatements caused by fraud, even if immaterial, may be indicative of management integrity.
○ A final evaluation (at or near the end of fieldwork) should be made regarding assessing fraud risk.

● Communication (internally)
○ Generally, any findings of fraud (even immaterial) should be discussed with one level above those involved.
○ Material fraud → discuss with senior management (CEO) and those charged with governance.
○ Senior management fraud (CEO) → report directly to those charged with governance.
○ If any identified risk factors represent significant deficiencies or material weaknesses over internal control,
such items should be reported to senior management and those charged with governance.

● Communications (externally)
○ Ordinarily, the disclosure of fraud to parties outside of senior management and those charged with
governance is NOT part of the auditor’s responsibilities.
○ In certain circumstances, a duty to disclose to outside parties may exist, such as:
■ To comply with certain legal and regulatory requirements.
■ To a successor auditor when the successor makes contact with predecessor (with client permission).
■ In response to a subpoena.
■ To a funding agency in accordance with requirements.
■ To authorities when management and those charged with governance fail to take corrective action.

Page 83 of 350
● Documentation Requirements
○ Complete documentation of the auditors fraud risk assessment and response is required.
○ Document the following items:
■ The planning discussion among the engagement team, including when it happened, who was involved,
and the subject matter discussed.
■ The procedures performed to obtain information related to fraud risk.
■ Specified identified risks of fraud at the financial statement and assertion level.
■ Identified controls that address fraud risk.
■ If the auditor has not identified improper revenue recognition as fraud risk, and if not, why.
■ The results of procedures performed, including those designed to address management override.
■ The nature of communications made about fraud.

● Notes from MCQs

○ Disclosure of information to outside parties may be appropriate in circumstances of a change in auditor.
■ This is reported to the SEC in a Form 8-K.

A3 – Risk, Evidence, and Sampling

M1: Understanding the Entity and Its Environment
● Risk Assessment Overview
○ An auditor should perform risk assessment procedures to:
■ Identify and assess risks of material misstatement.
■ Make informed judgments.
○ Risk assessment procedures include:
■ Obtain an understanding of the entity and its environment.
■ Obtain an understanding of internal controls.
■ Inquire of the audit committee, management, and others about risks of material misstatement.
■ Perform analytical procedures to assess planning.
■ Conduct a discussion among the engagement team about risks.
■ Perform other procedures.
○ Auditors should design and perform risk assessment procedures so that they are not biased towards
obtaining corroborative, rather than contradictory, evidence.

● Inquiries
○ Generally made of management, those responsible for financial reporting, and others.
○ Inquiries may also be appropriate for individuals who are responsible for different areas with different
levels of authority.
■ Those charged with governance, such as the board and audit committee.
○ Internal auditors provide insight into operations and risks as well as findings of deficiencies.

Page 84 of 350
 ■ Understanding such matters raised by the internal auditors and the outcomes of the entity’s own risk
assessment process are of particular relevance.
■ Other internal auditors may be inquired as well (IT, marketing, risk management, in-house counsel).

● Observation and Inspection

○ The auditor should ensure that risk assessment procedures include inspection and observation.
○ Such procedures may:
■ Support;
■ Corroborate; or
■ Contradict inquiries made by management and others.
○ Management's behavior may also be observed.

● Analytical Procedures Required to be Performed During Planning

○ Analytical procedures consist of evaluations of financial information made by a study of meaningful
relationships among data.
■ Ex) Trends or ratios
○ This may include relationships between both financial and nonfinancial data.
■ Financial data is generally used, but relevant nonfinancial data related to financial data may be used.
■ Ex) Sales (financial data) per square foot (nonfinancial data). (See mini-exam 1 simulation)
○ Consist of data aggregated at a high level, such as comparing budgets to actual results.
■ “High level” → For the year; By month; By product line → Assess Risk and Plan Response
■ “Lower level” → Per transaction → Perform procedures phase
○ Analytical procedures often involve:
■ Comparing current year to prior year
■ Comparing current year to budget
■ Ratios to prior year or industry
○ Analytical procedures used in planning phase focus on:
■ Enhancing the auditor's understanding of the entity and its transactions.
■ Helping the auditor identify unusual transactions and events, especially related to fraud.
○ Analytical procedures performed during planning are required to focus on revenue.
○ Auditors should also take into account analytical procedures performed during interim reviews (if done).

● Risk Assessment Discussion

○ Focus of the discussion should be on the susceptibility of material misstatements on financials.
○ Discussion should include:
■ Areas of significant risk.
■ Company’s selection and application of accounting principles, including disclosure requirements.
■ Areas that involve unusual accounting procedures.
■ Important control systems.
■ Materiality levels.
○ Similar to the fraud assessment discussion learned about earlier, the discussion also:
■ Includes key members of the audit team.

Page 85 of 350
 ■ Important matters should be communicated to members not present.
■ Emphasizes the need to exercise professional skepticism.
■ Allows more experienced members to share insights with less experienced staff.
○ The discussion of fraud risk and overall risk assessment may be done at the same time.

● Other Procedures
○ Reviewing external information (e.g., trade journals and analysts reports).
○ The results of the fraud risk assessment and discussion.
○ Information obtained during client acceptance or continuance process.
○ Information obtained on other engagements performed for the entity.
○ Prior period evidence, to the extent that it is relevant.

● Risk Assessment Procedures and Audit Evidence

○ Risk assessment procedures sometimes provide evidence about:
■ Transactions;
■ Balances;
■ Disclosures; or
■ Controls, even if they were not designed to provide evidence.
○ The auditor may also choose to perform $ubstantive procedures or tests of controls with risk assessment
procedures, if it is efficient to do so.

● Ongoing Assessment
○ Similar to fraud risk assessments, overall risk assessments is a process that evolves throughout the audit.
○ If evidence is obtained that changes assessed risk, the auditor should revise the assessment and modify
planned audit procedures.

● Scalability Considerations
○ The size and complexity of an entity may determine the way in which the entity’s controls are designed,
implemented, and maintained.
○ A less complex entity may often use less formal means to achieve control objectives.
○ Ex)
■ A small or midsized entity may not have written policies or an independent party charged with
governance.
■ Instead, its management may be more actively involved in financial reporting or may establish a high
integrity culture.
○ Auditors should use their judgment to:
■ Understand the components of the internal controls; and
■ Make an overall assessment of control risk.

● Nature of the Entity

○ Auditor’s understanding should include:
■ Organizational structure;
■ Ownership and governance;
Page 86 of 350
 ■ Business model; and
■ Extent to which the use of IT is integrated into operations.
○ PCAOB has additional guidance for issuers:
■ Read public information about the entity.
■ Observe or read transcripts of earnings calls and other public meetings.
■ Obtain information from SEC filings and other sources of trade activity.
■ Obtain understanding of compensation arrangements with senior management, such as bonuses.
■ Inquire the chair of the compensation committee (or its equivalent) about executive compensation.
■ Obtain an understanding of policies and procedures regarding the authorization of executive expenses.

● Objectives, Strategies, and Business Risks

○ Objectives → overall plans for the entity.
○ Strategies → means used to achieve objectives.
○ Business risks → result from events or circumstances that could negatively affect the entity's ability to
achieve its objectives and execute its strategies.
○ Examples of business risks (be familiar, but may not need to memorize):
■ Industry developments → lack personnel to deal with development or may make a product obsolete.
■ New products and services → increase in product expense which may pressure management.
■ Expansion of the business → demand may not have been accurately estimated, so too much inventory.
■ Regulatory requirements → legal exposure may increase.
■ Current and prospective financing requirements → financing may be lost from requirements.
■ New accounting requirements → may result in incomplete or improper implementation.
■ Use of IT → implementation of a new IT system may affect operations and reporting.
■ Climate-related events → may impact an entity’s ability to obtain financing or attract investors.

● Selection and Application of Accounting Policies (the auditor should…)

○ Understand the entity’s selection and application of accounting policies.
○ Evaluate whether the policies are appropriate for the business and apply to the applicable framework.
○ Focus on understanding the significant policies, especially those with a lack of guidance.
○ Consider the entity’s methods for recognizing and reporting significant unusual transactions.

● Entity’s Financial Performance

○ Management measures and reviews financial performance to evaluate if business is meeting objectives.
○ The auditor should obtain an understanding of this measurement and review.
■ Ex) in situations in which management receives performance-based compensation, unusual growth
may indicate management bias in the financials.
○ To obtain an understanding on incentives or pressures to commit fraud, auditors may consider:
■ Measures that form the basis for contractual commitments or incentive compensation arrangements;
■ Measures used by external parties to review a company’s performance; and
■ Indicators of key performance (both financial and nonfinancial).

Page 87 of 350
 ○ The auditor's understanding of industry, regulatory, and other factors, as well as the entity’s nature,
objective strategies, business risks, and financial performance, aid the auditor in assessing the entity’s
inherent risk. (Inherent risk is defined in M8)

● Understanding the Group, Its Components, and Their Environment

○ Group engagement team should do the following:
■ Enhance its understandings of the group, its components, and their environments, including group-
wide controls.
■ Obtain an understanding of the consolidation process, including the instructions issued by group
management to components.

● Understanding the IT Environment

○ The use of IT affects the way transactions are:
■ Initiated;
■ Recorded;
■ Processed; and
■ Reported.
○ An entity’s use of IT affects both:
■ The design and implementation of the internal controls; and
■ The audit procedures used to gather evidence.
○ Audit objectives are the same in both computerized and manual environments.
○ An entity’s IT environment may consist of multiple layers of supporting IT infrastructure.
■ Hardware → physical devices (servers, computers, etc.)
■ Software → programs on hardware (enterprise resource planning systems)
■ Network → internet connectivity, firewalls, security
■ Operating system → manages system resources and hardware (windows, iOS, etc).
■ Data Storage → may be physical (harddrives) or nonphysical (cloud storage).
○ To obtain an understanding of the IT environment, the auditor might:
■ Tour the facilities; and
■ Conduct inquiries of entity personnel.
○ An auditor must document their understanding of the IT environment; including:
■ The IT applications used to process information; and
■ The supporting IT infrastructure.
○ Understanding the risks arising from the use of IT may impact the auditor’s:
■ Decision to test the operating effectiveness of controls.
■ Assessment of control risk
■ Assessment of inherent risk
■ Strategy for testing information produced by or involving IT applications.
■ Design of further audit procedures.
● Test of controls

● Substantive testing

Page 88 of 350
● Relevant External Factors Impacting Entities
○ Industry Factors
■ Competitive environment
■ Supplier and customer relationships
● For example, 1 supplier might be more risky
■ Cyclical or seasonal activity
● For example, a toy company has a lot more sales during the holidays.
■ The market and competition, including demand, capacity, and price competition.
○ Regulatory Factors
■ Regulatory environment
■ The regulatory environment encompasses the legal and political environment.
■ Ex) environmental requirements for the industry and laws and regulations.
○ Government Policy Factors
■ Relates to the decision and actions a governmental entity takes, which influence politics, business, and
the overall economy.
■ Examples include:
● Taxation

● Subsidies

● Interest rates
○ Financial Reporting Framework Factors
■ Applicable framework acts as the guidelines for the financial statements preparation.
■ Typically based on the type of business and where it's located.
■ Factors an auditor might consider include:
● Accounting principles

● Framework of a regulated industry, including requirements and disclosures.

● Industry-specific practices.
○ Technology Factors
■ Include ways that technology directly affects the entity’s industry and operations.
■ Auditor may consider:
● Automation

● Security
○ Supply Chain Factors
■ System of producing and delivering goods and services from raw materials stage to the final delivery to
end users and customers.
■ Auditor may consider:

Page 89 of 350
 ● Bottlenecks due to political risks and government instability.

● Product quality issues (may impact warranties).

○ Economic Factors
■ Elements of the overall economy (macroeconomics); and
■ Elements related to the economy’s impact on individuals goods and services (microeconomics).
■ Auditors may consider (see info below).

● Microeconomics
○ Supply
■ Price and quantity are positively related (price up, quantity supplied up)
■ Higher the price, the more sellers want to produce that good.
■ Change in quantity supplied (movement along the supply curve)
● Change in the amount producers are willing and able to produce resulting solely from a change in
price.

●
■ Change in supply (movement of the supply curve)
● Change in the amount of a good supplied resulting from a change in something other than the
price of the good.
■ Factors that shift supply curves (“ECOST”)
● E - Changes in price expectations of the supplying firm
○ Prices decreasing in the future → supply up (sell now) → shift right
● C - Changes in production costs (price of inputs)
○ COGS down → profits up, supply up
● O - Changes in the price or demand for other goods we sell
○ What we sell = down → supply of another good = up
○ Ex) we sell electric and gas cars, when demand for gas is down, we supply more electric
● S - Changes in subsidies or taxes
○ Increased subsidies or decreased taxes → supply up

Page 90 of 350
 ● T - Changes in production technology
○ Improvement in technology → shift supply curve right → supply up
●

○ Demand
■ Quantity of a good individuals are willing and able to purchase at a given price.
■ Price and quantity demanded are inversely related (negative slope).
■ The higher the price of an item, the less buyers will demand.
■ Change in quantity demanded (movement along the demand curve)
● Change in the amount of good demanded resulting solely from a change in price

●
■ Change in demand (shift of supply curve)
● Change in the amount of a good resulting from something other than price.
■ Factors that shift demand curves (factors other than price) (“WRITEN”)
● W - Changes in wealth
○ Wealth up → demand up → shift right
● R - Changes in the price of related goods (substitutes and complements)
○ Substitute price up → demand up
○ Complement price up → demand down

Page 91 of 350
 ● I - Changes in consumer income
○ Income up → demand up
● T - Changes in consumer tastes or preferences for a product
○ Tastes towards → demand up
○ Tastes away from → demand down
● E - Changes in consumer expectations
○ Price in future up → demand up (buy now)
● N - Changes in the number of buyers served by the market
○ Number of buyers up → demand up
● “SPINE” is also a potential mnemonic.

○ Market Equilibrium
■ Equilibrium price and output quantity = point where supply and demand curves intersect.
■ If supply and/or demand curves shift, the equilibrium price and quantity will change.

○ Elasticity
■ Measure of how sensitive the demand for, or the supply of, a product is to a change in price.
■ Price Elasticity of Demand → % change in quantity demanded driven by % change in price.
● More substitutes = more elastic (e.g. coffee).
○ Ex) increase price by 10%, quantity demanded will decrease 20%.
● Less substitutes = more inelastic (e.g., insulin).
○ Ex) increase price by 10%, quantity demanded will decrease 5%.

■ Price Elasticity of Supply → % change in quantity supplied driven by % change in price.

Page 92 of 350
 ● Stored easily = more elastic (e.g., items that keep).

● Perishable items = more inelastic (e.g., items that go bad quickly).

■ Cross Elasticity
● Deals with substitutes and compliments.

● % change in the quantity demanded (or supplied) of one good caused by the price change of another good.

● Substitute goods = Price of pepsi goes up → Demand of Coke goes up

● Complementary goods = Price of jelly goes up → Demand for Peanut Butter goes down

■ Income Elasticity
● Measures the % change in quantity demanded for a product for a given % change in income.

● As income increases → demand increases for normal/superior goods.

● As income increases → demand decreases for interior goods.

○ Profit Maximization
■ Occurs when marginal revenue = marginal cost.
■ Marginal revenue → amount of revenue a company earns for each additional unit sold.
■ Marginal cost → additional amount of cost incurred from producing each additional unit.
■ The point at which marginal revenue = marginal cost is the point in which total revenues exceed total costs by the
largest amount.

● Macroeconomics
○ Business Cycles
■ Business cycles refer to the rise and fall of economic activity relative to long-term growth trends.
■ Some companies are less affected by business cycles, such as hospitals.
■ Some industries are more affected by the business cycle, such as real estate.

Page 93 of 350
■
■ Expansionary Phase
● Rising profits, strong growth, increased demand, rising prices, lower unemployment, rising
economic activity, etc.
■ Peak
● High point of activity.

● Profits are at their highest level.

● Firms are facing capacity constraints.

● Input shortages lead to higher costs and higher price levels.

■ Contractionary Phase
● Falling economic activity

● Slowing (or decreasing growth)

● Reduced demand

● Falling profits

● Higher unemployment
■ Trough
● Low point in economic activity.

● Profits are at their lowest levels.

● Firms have excess capacity.

● Firms must reduce costs and their workforce.

■ Recovery Phase
● Recovering economic activity.

Page 94 of 350
 ● Rising demand.

● Profit stabilization.

● Increase in employment.

○ Recession → Two consecutive quarters of falling national output (GDP).

○ Depression → A very severe recession; it lasts for years.

○ Economic Indicators
■ Used by economists and analysts to predict timing, severity, and duration of business cycles.
■ Leading Indicators
● Tend to predict economic activity.

● Change before the economy starts to follow a certain trend.

● Average weekly unemployment insurance initial claims → more claims = bad indication

● Bond yield curve → increase = good indication

● Interest rate spreads → increase in rate = cooling down (contracting) economy

● Producer price index (PPI) → slight increase = economy is headed in a good direction.
■ Coincident Indicators
● Current state of the economy.

● Change at approximately the same time as the whole economy.

● Ex) Industrial product, manufacturing and trade sales, and gross domestic product (GDP).
■ Lagging Indicators
● Tend to follow economic activity.

● Change after a given economic trend has already started.

● Used to confirm or dispute previous forecasts.

● Include:
○ Average duration of unemployment → higher = worse; lower = better
○ Consumer price index (CPI) (change in prices over time) → smaller increase = healthy
○ Average prime rate charged by banks.
○ Commercial and industrial loans outstanding.
○ Ratio of consumer installment credit to personal income.
○ Changes in labor cost per unit of manufacturing output.
○ Inventories-to-sales ratio.

Page 95 of 350
● Notes from MCQs
○ More leading indicators include:
■ Orders for goods → lead to more material purchases, hirings, etc.
■ Building permits → lead to more material purchases, hirings, etc.
■ Unfilled orders
■ Prices for materials used in production (PPI)
○ More Coincident indicators include:
■ Number of employees on nonagricultural payrolls
■ Production
○ Lagging indicators tend to follow economic activity, or occur as a result of economic activity.
○ Unaudited information from internal quarterly reports may be used for analytical procedures in the
planning stage.

M2: Understanding the Control Environment and Business Processes

● Consideration of the Components of Internal Control
○ Internal control components → CRIME
○ Although the five components provide a useful framework for identifying and evaluating controls, an
auditor should be:
■ More concerned with whether the controls prevent, detect, and correct misstatements; and
■ Less concerned with the classification of controls into categories.
○ Auditors should be worried about financial reporting controls, not the efficiency of operation of controls.

○ System of Internal Controls → policies, procedures, and activities put in place by management to mitigate
risk.
○ System of internal controls are relevant to:
■ The entire entity; and
■ Any of the entity’s operating units or business functions.
○ CRIME is applicable to the audit of every entity.
○ Management may use:
■ An internal control framework specified by COSO (such as CRIME); or
■ Another internal control framework with different components.
○ The auditor may use COSO or another framework as long as all of the components are addressed.

● Identifying Controls Relevant to Reliable Financial Reporting

○ Auditors are required to test the design and implementation of controls when the controls meet one or
more of the following criteria:
■ Controls address a significant risk (e.g., related parties, revenue recognition).
■ Controls over journal entries or other adjustments.

Page 96 of 350
 ■ Controls will be used by the auditor to test the operating effectiveness.

○ Preventive Controls → designed to provide reasonable assurance that only valid transactions are
recognized, approved, and submitted for processing.
■ Most preventive controls are applied before the processing activity starts.
■ Ex) system prevents February 31st from being entered as a date.
○ More preventive examples:
■ Firing of component individuals;
■ Personnel training;
■ Segregation of Duties (ARC); and
■ Technology-related controls such as firewalls, antivirus, and security configuration management.

○ Detective Controls → designed to provide reasonable assurance that errors or irregularities are discovered
and corrected on a timely basis.
■ Normally performed after processing has been completed.
■ Ex) Performance of account reconciliations (e.g., bank reconciliations).

● Effect of IT on Internal Control

○ IT may affect any of the five CRIME components of internal control.
■ Control Environment → management fails to address IT risks appropriately
■ Risk Assessment → IT may enhance by providing timely information.
■ Information and Communication → make extensive use of IT.
■ Monitoring → much of the information used in monitoring is gathered through IT.
■ Existing Control Activities → IT may affect the way the controls are implemented.
○ Most IT systems include a combination of manual controls and automated controls.
○ Manual controls → performed by people
■ More suitable when judgment and discretion is required.
■ Better used for nonrecurring transactions or potential misstatements that are difficult to predict.
■ Used to monitor automated controls.
■ May pose additional risks as opposed to automated controls due to human error or bias.
○ Automated controls → internal controls using IT
■ Control activities that can be adequately designed and automated.
■ More suitable for high volume or recurring transactions.

● General IT Controls
○ Policies and procedures that:
■ Relate to many applications; and
■ Support the effective functioning and proper operation of IT and the integrity of the entity’s
information system.
○ Address the risks arising from the use of IT and can be categorized as:
■ Applications → correlate to the nature and extent of application functionality.
■ Database → address risks arising from the use of IT related to unauthorized updates in databases.

Page 97 of 350
 ■ Operating System → address risks related to the use of IT related to administrative access.
■ Network → address risks regarding network segmentation, remote access, and authentication.
○ The auditor first obtains an understanding of the risks arising from IT and then identifies the general IT
controls put in place to address those risks.

○ Controls Related to Managing Access to Applications and Technology Areas

■ Authentication → validate that a user is using their own log-in.
■ Authorization → ensure users only access necessary information (facilitates segregation of duties).
■ Provisioning and Deprovisioning → adding, updating, or removing access privileges.
■ Privileged Access → administrative user access.
■ User-Access Reviews → evaluate user access authorizations over time.
■ Physical Access → physical access to data center and hardware (such as having locks on doors).

○ Controls Related to Changes to the IT Environment

■ Change-Management Process → process to design, program, test, and migrate changes to end-users.
■ Segregation of Duties over Change Migration → during the change process, duties should be separate.
■ System Development, Acquisition, or Implementation and Data Conversion → process over IT
application development or implementation and data conversion.

○ Controls Related to Managing IT Operations

■ Job Scheduling and Monitoring → access to schedules and initiation of jobs related to financial
reporting, including oversight of execution.
■ Back-up and Recovery → process to ensure financial reporting data are backed up and available.
■ Intrusion Detection → monitoring IT environment for vulnerabilities or intrusion.

○ Information Processing Controls → help to ensure the integrity of data in an entity’s system.
○ Controls over input, processing, and output include:
■ Controls over interfaces, integrations, and e-commerce.
■ Checking the mathematical accuracy of records and reports.
■ Maintaining and reviewing accounts and trial balances.
■ Automated edit checks of input data.
■ Manual follow-ups of exception reports.

● Performing Walk-Throughs to Obtain an Understanding

○ The auditor must perform procedures to obtain an understanding of CRIME of internal control.
○ Auditor’s may perform walk-throughs to:
■ Obtain an understanding of internal controls; and
■ Eventually test the design and implementation of identified controls.
○ Walk-Throughs → trace the flow of transactions and relevant financial reporting data through the
accounting system from inception through recording in the:
■ General ledger; and
■ Presentation in the financial statements.

Page 98 of 350
 ○ A walk-through can be performed by selecting a single transaction and tracing it through the entity’s
information processing system from inception to financial reporting.
○ To perform walk-throughs, the auditor should make inquiries of those who use the internal controls.
○ Inquiries should be made of:
■ Individual’s understanding of the entity’s procedures and controls.
■ Individual’s understanding of the processing and controls performed on the information before and
after information is handled.
■ Whether the processing and controls are performed as required on a timely basis.
○ Inquiry alone is not sufficient.
○ Additional procedures should be performed, such as:
■ Observing individuals perform the controls.
■ Re-performing the controls.
■ Inspecting relevant documents and records.
■ Making inquiries of additional people with knowledge over controls.

● Evaluate the Design and Implementation of Controls

○ Once the auditor has gained an understanding of controls, the auditor must:
1. Evaluate the design and implementation of identified controls;
2. Assess the risks of material misstatement; and
3. Design the nature, extent, and timing of further audit procedures.

○ Evaluate the Design and Implementation

■ Design → involves determining whether the control is capable of preventing, detecting, and correcting
material misstatements.
■ Implementation → a control has been implemented if it exists and is being used.
● To determine implementation, auditors should obtain evidence about whether those performing
the controls have an awareness of:
○ The existence of the control and their responsibility; and
○ Working knowledge of how the procedures should be performed.
■ Procedures → used to obtain evidence about the design and implementation of controls
● Inquiry of personnel

● Observation of application of controls

● Inspection of documents and reports

● Reperforming specific controls

○ The auditor’s understanding of the entity’s controls allows the auditor to make a preliminary assessment of
control risk.

● Document the Understanding of Internal Control

○ GAAS requires auditors to document their understanding on the design and implementation of controls.
○ Documentation should include:
Page 99 of 350
 ■ Key elements of understanding each of the control components (CRIME); and
■ The sources of information from which understanding was obtained.
○ Documentation may include any item and auditor can “FIND”
■ Flowchart
■ Internal Control Questionnaire or Checklists
■ Narrative
■ Documentation from the client

○ Flowcharts → a symbolic diagram representing the sequential flow of:

■ Authority;
■ Processes; and
■ Documents

○ Internal Control Questionnaires

■ Generally consist of a list of questions to be answered by “yes” or “no” responses.
■ A negative response is designed to draw attention to possible weaknesses in controls.
■ Written explanations are required for “no” answers.

○ Narratives
■ A written version of a flowchart.
■ A description of the auditor's understanding of the system of internal control.
■ Prepared by following a sequence of events for a transaction.
■ Flowcharts → appropriate for MORE complex control structures.
■ Narratives → appropriate for LESS complex control structures.

○ Documentation from the Client

■ An entity’s procedures manuals may include documentation of the accounting system and controls.
■ The entity’s organizational chart outlines lines of authority and responsibility.

● Consider the Limitations of Internal Control

○ A strong system of internal control only provides reasonable assurance due to inherent limitations:
■ Management override of internal control.
Page 100 of 350
 ■ Human error, either in design or use of controls.
■ Deliberate bypassing of controls through collusion.
■ External events beyond the control of the entity.
■ Issues related to the suitability of the entity’s objectives.

● Notes from MCQs

○ General controls include procedures to ensure appropriate systems software acquisition.
○ You only need to sample one transaction for automated controls, because that one sample should be able
to be applied across all transactions. Automated controls are supposed to be consistently applied.

M3: Identifying, Assessing, and Responding to Risk

Assessment of Risk
● Overview
○ Auditors should assess the risk of material misstatements at the:
■ Financial Statement Level
■ Assertion Level
○ Auditors should also identify significant risks.
○ Identification of risks helps the auditor determine the appropriate response.

● Financial Statement Level Risks

○ Risks that relate pervasively to the financial statements as a whole and could potentially impact many
individual assertions.
○ Financial statement level risks include weaknesses related to:
■ The process used to prepare the financial statements.
● The development of estimates.

● The preparation of disclosures.

■ The overall system of internal control.
■ Lack of qualified personnel in financial reporting roles.
● Ex) janitor prepares financial statements.
■ The selection and application of significant accounting policies.

● Assertion Level Risks (“COVERUP” from A2:M5)

○ Risks of material misstatement that do not relate pervasively to the financials, but rather to specific:
■ Transactions;
■ Accounting balances; or
■ Disclosures

Page 101 of 350

 ○ Examples:
■ Existence of accounts receivable.
■ Valuation of inventory.
○ For identified risks of material misstatement at the assertion level, the auditor should assess both inherent
risk and control risk (separately).
■ RMM does not need to be split up for financial statement level risks.
○ Significant risks are identified risks of material misstatement where inherent risk is close to the upper end
of the inherent risk spectrum.
■ Determination of significant risks should ignore the effects of controls.
■ What meets the criteria of “upper end” of the inherent risk spectrum is a judgment call.

■
○ Factors that may be indicative of significant risks include:
■ Areas with higher risk of fraud.
■ Significant emerging economic, accounting, or other developments.
■ Related party transactions that are significant or unusual.
■ Improper revenue recognition.
■ Nonroutine, unusual, or complex transactions.
■ Estimates or other subjective measurements with high degree of uncertainty.
■ Accounting principles that are subject to different interpretations.

● Assessing Specific Risks

○ For each identified risk, the auditor should consider:
■ What could go wrong at the relevant assertion level.
■ The significance and likelihood of potential material misstatements (inherent risk spectrum).
■ Whether tests of controls are required because substantive tests don't provide enough evidence.
■ Whether the risk relates to a specific assertion or has a pervasive effect on financials.

● Required Documentation
○ The discussion among the audit team regarding the application of the applicable financial framework and
the susceptibility of the financial statements to material misstatement should be documented including:
■ How and when it occurred;
■ The participants;
■ The subject matter discussed; and
■ Significant decisions reached.
○ Document key elements of:
Page 102 of 350
 ■ The understanding of the entity, its environment, and the applicable reporting framework.
■ The sources of information used to develop the understanding; and
■ The risk assessment procedures performed.
○ The evaluation of the design of controls and whether such controls have been implemented.
○ The identified and assessed risks of material misstatement (at both levels), including:
■ Significant risks and risks for which substantive procedures alone are not enough; and
■ The rationale for significant judgments made.
○ A more complex entity/environment results in more extensive audit procedures and documentation.

● PCAOB Standards: Guidance for Issuers

○ PCAOB standards require that in an audit of a company with operations in multiple locations or business
units, the auditors should determine the extent of procedures performed at selected locations or units.
○ The amount of audit attention devoted to a location should be correlated to the risk of that location.
○ Factors that are relevant to the assessment of risks for a particular location may include:
■ Nature and amount of assets, liabilities, and transactions executed at that location.
■ Any significant transactions that are outside the normal course of business.
■ The materiality of that location or unit.
■ Specific risks associated with that particular location.
■ Whether the risks of that location, when combined with other locations, are more risky.
■ The degree of centralization of records.
■ The effectiveness of the control environment and management's control at that location.

Responses to Risk
● Overall Response to Financial Statement Level Risk
○ Communicate to the audit team an increased need for professional skepticism.
○ Assign staff with more experience or specialized skills.
○ Change the nature, extent, and timing and direction of supervision and review of work.
○ Incorporate a greater level of unpredictability to the audit.
○ Make changes to the overall audit strategy, such as increasing the NET of tests.

● Response to Risks at the Relevant Assertion Level

○ The auditor should design tests that address the risks of misstatement for each relevant assertion of:
■ Transaction;
■ Balance; and
■ Disclosure
○ The linkage should be clear between the assessed level of risk for that assertion and the nature, extent, and
timing of further audit procedures.
■ Higher RMM = Stronger NET
■ Lower RMM = Weaker NET (Refer to chart under “Detection Risk” in A2:M8)

○ The NATURE of an audit procedure includes both:

■ Its purpose (test of controls vs. substantive); and

Page 103 of 350

 ■ Its type (inspection, observation, inquiry, confirmation, etc.).
■ Higher RMM = More persuasive evidence needed.

○ The EXTENT of an audit procedure refers to the quantity to be performed, such as:
■ The number of observations to be made; or
■ The same size to be used.
■ Higher RMM = Larger sample size may be needed.

○ The TIMING of an audit procedure refers to the date tests are done:
■ At an interim date; or
■ At period end.
■ Higher RMM = tests are done closer to year-end.
■ In determining the timing of tests, auditors should consider when relevant information is available.
■ Some procedures occur only at certain times, such as those that use electronic data that does not store
indefinitely.

○ The auditor’s specific approach to identified risks of material misstatement at the assertion level may
consist of either:
■ A substantive approach only; or
■ A combined approach (tests of controls and substantive approach).
○ Substantive Approach Only
■ For certain assertions, auditors may exclude the effect of controls.
■ Control risk may be assessed at maximum.
■ In these circumstances, only substantive tests will be done.
■ This occurs because control risk is assessed at max because:
● There are no effective controls relative to that assertion;

● The implemented controls are not operating effectively; or

● Risk of the particular assertion may be addressed only by substantive procedures.

○ Combined Approach
■ Uses both tests of controls and substantive procedures.
■ If controls are operating effectively, less assurance will be required for substantive tests.

○ Tests of Controls are generally required:

■ When a significant amount of information is processed and reported through IT.
■ When an entity conducts its business using IT and no physical documentation is maintained.

○ Dual-Purpose Tests
■ Test of controls that is performed concurrently with a test of details on the same transaction.
■ Ex) checking for proper approval and proper recorded amount on the same invoice.

● Response to Significant Risks

Page 104 of 350
 ○ For all significant risks, the auditor should:
■ Evaluate the design of related controls and determine whether they have been implemented.
■ If relying on controls related to the risk, tests of controls must be performed in the current period.
■ Perform substantive tests that are clearly linked and responsive to the risk.
■ Obtain more persuasive evidence the higher the assessment of risk.
■ Communicate significant risks to those charged with governance.
■ Consider the significant risks in determining KAMs or CAMs, when applicable.
■ Ensure more involvement by the group engagement partner if the risk is associated with a component.

Tests of Controls
● Tests of Controls are performed when:
○ The auditor’s risk assessment is based on the assumption that controls are operating effectively.
■ Control Risk = Low
○ When substantive tests alone are insufficient.
■ Ex) Client uses technology extensively.

● Operating Effectiveness of Controls

○ Some risk assessment procedures performed to gain an understanding of controls may provide evidence
about operating effectiveness, even if not intended to do so.
○ If it is efficient to do so, auditors may test controls concurrently with obtaining an understanding of them.
○ To clarify, auditors are required to obtain an understanding on the design and implementation of controls,
they are NOT required to test the controls.

● Nature of Tests of Controls

○ Tests of the operating effectiveness of controls through:
■ Inquiries, Observation, Inspection, and Reperformance
○ Inquiry alone is not sufficient.
○ Observation is only relevant at the time it's made, so it should be supplemented with other procedures.
○ For some controls, operating effectiveness may be evidenced by documentation.
○ For other controls, such as segregation of duties, documentation may not be relevant.
■ To test such controls, the auditor would likely rely on inquiry and observation.
○ Procedures to test design effectiveness include:
■ Inquiries
■ Observation
■ Inspection
■ Walkthroughs including these procedures are sufficient to test design effectiveness.
○ Procedures to test operating effectiveness include:
■ Inquiries
■ Observation
■ Inspection
■ Reperformance
● Used exclusively for testing operating effectiveness.
Page 105 of 350
● Extent of Tests of Controls
○ The more extensively a control is tested, the greater the evidence obtained.
○ The auditor should consider the following factors for extent of testing controls:
■ The frequency of the performance of the control during the period.
■ The extent to which the auditor will rely on the control to reduce substantive procedures.

● Timing of Tests of Controls

○ Testing at a Particular Time vs. Testing Throughout a Period
■ When tests of controls are performed at one particular time, they only provide evidence at that time.
■ Controls tested throughout the period provide evidence of effectiveness during that entire period.
■ Controls that are tested only during an interim period should be supplemented by additional evidence
for the remaining period.
■ Ex)
● Interim period testing = Jan 1 - Sep 30

● Coming back next year, roll forward procedures should be done for Oct 1 - Dec 31
○ Evidence Obtained in Prior Audits
■ Prior year evidence obtained over operating effectiveness of controls may be used in current year as
long as the auditor obtains evidence about whether changes to those controls have occurred.
● Changes → operating effectiveness must be retested.

● No changes → operative effectiveness must be tested at least once every third year.
■ Auditors may NOT rely on prior year audit evidence for controls that mitigate significant risks.
● Auditor must retest the control every year.

● Results of Test of Controls

○ After testing controls, the auditor will conclude that controls are either:
■ Operating effectively and can be relied upon → proceed to substantive testing.
■ Not operating effectively → test alternative controls or reassess control risk to higher level.

○ Control deficiencies may be noted in the:

■ Design of controls → missing or badly explained internal control.
■ Operation of an effectively designed control → well designed, but not being used correctly.
○ Design of control deficiencies examples include:
■ Inadequate documentation and design of internal control over preparation of financial statements.
■ Lack of appropriate controls over segregation of duties.
■ Lack of appropriate qualifications or training of client personnel.
■ Inadequate design of monitoring controls or the absence of a process to report deficiencies.
○ Operation of an effectively designed control deficiencies examples include:
■ Failure of control over a significant account (such as failure to obtain authorization).

Page 106 of 350

 ■ Undue bias or lack of objectivity.
■ Misrepresentation by client personnel to the auditor (indicator of fraud).
■ Management override of controls.
■ Failure of information and communication component to provide complete, accurate and timely info.

○ When controls deficiencies are noted, the auditor should:

■ Consider compensating controls.
■ Decide whether there is a significant deficiency or material weakness.
■ Consider the magnitude and possibility of potential misstatements that could occur.
■ Design substantive tests related to any deficiencies noted.

● Operating Effectiveness of Controls (Big Picture; Summary)

Substantive Procedures
● Substantive procedures → used to detect material misstatements at the relevant assertion level.
● The nature, extent, and timing (NET) of substantive procedures should be responsive to assessed risk of
material misstatement (RMM).
● Regardless of the assessed control risk, substantive procedures are required for each relevant assertion of each
significant transaction, balance, or disclosure.
● Substantive procedures should include:
○ Agreement of the financial statements, including disclosures, to the underlying records.
○ Examination of material journal entries or adjustments made while preparing the financial statements.
○ Evaluation of the overall presentation of the financial statements, including disclosures, in accordance with
the applicable framework.

● Nature of Substantive Procedures

○ Substantive procedures is broken down into two tests:

Page 107 of 350

 ■ Test of Details
■ Substantive Analytical Procedures

○ Test of Details → audit procedures used to gather evidence to support the balances in financial statements.
■ Applied to transactions, balances, and disclosures.
■ Typically provides MORE assurance than analytical procedures.
■ If control risk is high, the auditor may perform tests of details only.
■ Ex) Copier is on books for $500, so the auditor examines invoice to match the $500.

○ Substantive Analytical Procedures → comparing amounts in financial statements to auditors expectations.

■ Made by plausible relationships among both financial and nonfinancial data.
■ Often used when there is a large volume of predictable transactions.
■ Typically provides LESS assurance than tests of details.
■ If control risk is low or medium, then analytical procedures may be sufficient to reduce detection risk.
■ Ex) if employees earned a bonus of 5%, expect payroll to be up 5%.

● Extent of Substantive Procedures

○ Higher RMM = Lower detection risk = More assurance required from substantive tests = larger sample size.
○ Lower RMM = Higher detection risk = Less assurance required from substantive tests = smaller sample size.
○ The more extensively a substantive procedure is performed, the greater the evidence obtained.

● Timing of Substantive Procedures

○ May be performed during an interim period, at period end, or after period end.
○ Performing substantive procedures at an interim date increases the risk that the auditor will not detect
material misstatements.
○ In certain situations, such as those with fraud risk or higher RMM, the auditor may choose to perform
substantive procedures at or near year-end.
○ If misstatements are discovered at an interim date, the auditor:
■ Should modify the related risk assessment and the procedures performed for the remaining period; or
■ Should consider repeating audit procedures at year-end.
○ Evidence obtained from substantive tests performed in a prior audit may NOT be used in the current audit.

● Exam Tips
○ Read the entire answer choice
■ Incorrect answer choices often have similar words to a correct choice.
○ When there is similar working in the answer choices, ignore the words that are the same in each choice,
and figure out what is different to try and find the correct answer.
○ Switching between management and auditor roles: know the perspective of the question.
■ Are you being asked what would a manager do or what would an auditor do?

● Notes from MCQs

Page 108 of 350
○ Another reason to not test controls is because it would be inefficient to test the operating effectiveness of
controls.
○ If analytical procedures have revealed no unusual or unexpected results, the auditor may decide to reduce
tests of details.

Page 109 of 350

 M4: Specific Areas of Engagement Risk and Consideration
Noncompliance
● Noncompliance → an act of omission or commission by an entity which is against laws and regulations.
● Noncompliance can result in fines, litigation, or other consequences that might have material effects on the
financial statements.

● Responsibility for Compliance

○ Management and Those Charged with Governance
■ Ensure that the entity’s operations are following laws and regulations.
■ Report amounts and disclosures in accordance with laws and regulations.
○ Auditor
■ Obtain reasonable assurance that financial statements are free of material misstatement due to
noncompliance with laws and regulations.
■ The auditor is NOT responsible for preventing noncompliance and CANNOT be expected to detect all
instances of noncompliance.
○ Inherent limitations are greater on an auditor’s ability to detect noncompliance because:
■ Many laws do not affect financial statements and are not captured by information systems.
■ Noncompliance may be concealed through collusion, override of controls, fraud, etc.
■ Whether an act constitutes noncompliance is a matter of legal determination.

● Auditor Procedures Related to Noncompliance

○ When obtaining an understanding of the entity’s environment, the auditor should understand:
■ The legal framework applicable to the entity and industry or sector; and
■ How the entity is complying with that framework.
○ Auditors determine whether laws and regulations have a direct or indirect effect on the financials.
○ Direct Effect → material amounts and disclosures are determined by laws and regulations.
■ Ex) Tax provision on financial statements
■ Audit procedure → obtain evidence as with any other part of the financial statements.
○ Indirect Effect → indirectly effect the financials, but have a fundamental effect on operations.
■ Ex) HIPAA and patient confidentiality records.
■ Audit procedures
● Inquire with management or higher-ups about if the entity is following such laws.

● Inspect correspondence with relevant licensing and regulatory authorities.

○ Indicators of noncompliance may include:
■ Investigations by regulatory organizations or government departments.
■ Payments of fines or penalties.
■ Unusual payments in cash or purchases in the form of cashiers’ checks.
■ Purchases made at prices significantly above or below market price.
○ When noncompliance is identified or suspected, discuss the matter with management at least one level
above those suspected of noncompliance, or those charged with governance.

Page 110 of 350

 ■ If neither management nor those charged with governance provides sufficient information that proves
compliance, and compliance may be material, consult with legal-counsel.
■ The auditor may also withdraw from engagements, if withdrawal is possible under laws.

● Reporting Noncompliance
○ Matters involving noncompliance, other than clearly inconsequential matters, should be communicated
with those charged with governance.
■ If noncompliance appears to be intentional and material → communicate as soon as possible.
○ Management or those charged with governance are involved → communicate to next higher authority.
■ No higher level of authority → may need to obtain legal advice.

○ Ordinarily, disclosure of noncompliance to outside parties is not part of the auditor’s responsibility.
○ In the following circumstances, noncompliance may be communicated to outside parties:
■ In response to inquiries from an auditor to a predecessor auditor.
■ In response to a court order.
■ In compliance with requirements for the audits of entities that receive federal financial assistance from
a government agency.

○ Noncompliance has material effect on financial statements → Qualified or Adverse opinion

○ Unable to obtain evidence due to noncompliance → Qualified or Disclaimer opinion
○ If a client refuses to accept a modified report, auditors should withdraw and notify those charged with
governance in writing.

Accounting Estimates
● Estimate → monetary amount within the financial statements or disclosures that have a lack of precision.
○ Also known as “estimation uncertainty.”
● Estimations are used because either:
○ Data about past events cannot be accumulated in a timely, cost-effect manner; or
○ Measurement depends on the outcome of future events.
● Examples of estimates:
○ Allowance for doubtful accounts
○ Pension plans
○ Warranty obligations
○ Pending litigation
○ Fair value of assets or liabilities, including goodwill and intangible assets.

● Estimates can be imprecise and can be influenced by management judgment.

○ Buildings → Generally, does not contain estimates and easy to verify amounts.
○ Estimates → Not easy to verify amounts, and may contain subjective decisions.
● Judgments may involve unintentional or intentional management bias.
● The degree of estimation uncertainty affects the risk of material misstatement of estimates.
● The susceptibility of an accounting estimate to management bias increases with the subjectivity involved.
○ Low estimation uncertainty → simple, few assumptions.
Page 111 of 350
 ■ Life of an asset.
■ Estimates based on active and open market data that are readily available.
○ High estimation uncertainty → complex, many assumptions.
■ Allowance for doubtful accounts.
■ Employee retirement benefit liabilities.

● Auditor’s Responsibilities
○ Auditor should consider:
■ Transactions or events that may give rise to estimates.
■ The requirements of any applicable reporting framework.
■ The outcome or previous estimates.
■ When applicable, their reestimation to assist in identifying and assessing risk of material misstatement.
○ Auditors should also assess the potential need for specialists.
○ Inherent risk and control risk should be assessed separately when assessing estimates.
○ When assessing estimates, the auditor should:
■ Evaluate the degree of estimation uncertainty.
■ Evaluate the impact of inherent risk factors, such as complexity or subjectivity.
■ Determine whether the accounting estimate gives rise to a significant risk.
○ Once estimates have been assessed, the auditor should plan and perform audit procedures that are
responsive to the level of risk assessed, and the reasons for such risk assessment.
■ Ex) RMM higher = More persuasive evidence needed.
○ The further audit procedures should include one or more of:
■ Obtaining evidence from events occurring up to the date of the auditor’s report and comparing to the
value of the estimate.
■ Testing how management made the estimate.
■ Developing the auditors own point estimate or range.

● Obtaining Evidence up to Auditor’s Report

○ Think of this procedure similar to that of verifying pending litigation for a company.
○ In order to obtain evidence of the estimate, you might receive a letter from a lawyer with a settlement
amount.

Page 112 of 350

● Testing How Management Made the Estimate
○ Auditor needs to obtain an understanding about how management:
■ Select and apply methods
■ Significant assumptions
■ Data used

○ Select and Apply Methods

■ Measurement techniques used to make an accounting estimate.
■ Applied using a computation tool or process, such as a model.
■ Ex) Black-Scholes model for pricing share-based compensation.
■ Auditors will test management's estimate for:
● Whether the calculations are accurate.

● Whether judgments related to complex modeling have been consistently applied.

○ Significant Assumptions
■ Judgments made based on available information.
■ Ex) interest rates, discount rates, or the outcome of future events.
■ Auditors will test management's estimate for:
● Whether the assumptions used are consistent with one another.

● When applicable, whether management has the intent and ability to carry out action related to
assumptions.

○ Data Used
■ Information used that can be obtained through direct observations or external parties.
■ Ex) Historical prices or quantities.
■ Auditors will test management's estimate for:
Page 113 of 350
 ● Whether the data is relevant and reliable.

● Whether the data has been understood and interpreted by management.

● Developing the Auditor’s Point Estimate or Range

○ Auditor may develop a point estimate by:
■ Using a different model than the one used by management.
■ Using management’s model, but using alternative assumptions.
■ Engaging a specialist to develop and execute a model.
○ If ranges are made, ensure that it only includes amounts that:
■ Are supported by sufficient appropriate audit evidence; and
■ Are reasonable.

● Performing Audit Procedures (Cont’d)

○ Some accounting estimates require the use of complex models.
○ Models or methods are complex if:
■ They require the use of specialized skills or knowledge; or
■ It is difficult to obtain or maintain the integrity of the data used in the model.
○ When a more complex model is used, auditors should consider whether:
■ The entity has validated that the model’s integrity is suitable for intended use;
■ Appropriate change control policies exist; and
■ Management has the appropriate skills to understand the model.

○ Examples of indicators of management bias to estimates include:

■ Changes in estimate, or method of making it, when management has made a subjective assessment
that there has been a change in circumstances.
● Ex) Lowering the allowance for doubtful accounts % because they believe customers are going to
start paying better.
● There should be a justifiable reason for the change.
■ Selection of assumptions that consistently yield an estimate favorable for management objectives.
■ Selection of an estimate that indicates patterns of optimism or pessimism.

● Best Estimate vs. Range of Reasonable Estimates

○ If an auditor determines that an estimate is unreasonable or incorrectly stated, the auditor can calculate
the misstatement amount by:

○ Best Estimate → Client’s recorded estimate

- Best estimate supported by audit evidence
= Misstatement

○ Range of

Page 114 of 350

 Reasonable Estimate → Client’s recorded estimate
- Closest estimate in range to recorded amount (when no best estimate)
= Misstatement

○ The auditor should evaluate whether the difference between the reported estimate and the best estimate
indicates possible management bias.

Related Party Transactions

● Except for very routine transactions, it is virtually impossible to determine whether a transaction would have
taken place in exactly the same manner if the parties weren’t related.
○ Transaction between UNRELATED parties → arm’s length transaction.
○ Related party transactions are NOT arm’s length.
● For this reason, the substance of a related party transaction may be very different from its form, and GAAP
requires that such transactions be disclosed.
● Related parties may include the reporting entity’s:
○ Affiliates;
○ Principal owners;
○ Management; and
○ Members of their immediate families.

● Audit Procedures
○ Specific procedures regarding material transactions of related parties should include:
■ Obtaining an understanding the company’s process for:
● Identifying related parties;

● Authorizing and approving transactions with related parties; and

● Accounting for and disclosing relationships and transactions.

○ The auditor should obtain a conflict-of-interest statement from management.
■ This should include the names of all related parties, as well as….
● The nature of the relationships (including ownership structure).

● Whether the entity entered into, modified, or terminated any transactions with related parties.

● Background information of related parties (physical location, industry, etc.).

● Changes from the prior period.

● The types and business purposes of any related party transactions.

○ Inquiring about any unauthorized or unapproved related party transactions where exceptions were
granted, and the reasons for why they were granted.
○ Inquiring of those charged with governance regarding:
■ Their understanding of any significant or unusual relations and transactions with related parties; and
■ Whether they have any concerns regarding relationships or transactions with related parties.
Page 115 of 350
 ○ Reviewing filings with the SEC concerning the names of officers and directors who occupy management
positions in other businesses.
○ Reviewing material transactions for related party evidence, such as bank and legal confirmations, minutes,
summaries of recent meetings, and other appropriate records and documents.
○ Reviewing prior years’ audit documentation or inquiring of the predecessor auditor.

● Identifying Related Party Transactions

○ The auditor should remain alert for the following items, which may indicate related party transactions:
■ Compensating balance arrangements.
● Ex) a company holding a certain amount of money for a specific reason.
■ Loan guarantees
● Ex) paying the loan for another company if they are unable.
■ Transactions based on terms that differ significantly from market terms.
○ When the auditor finds related party transactions that should be disclosed or are significant risk:
■ Read the underlying contracts or agreements, if any, and evaluate whether:
● The business purpose of the transaction suggests fraud.

● The transactions have been appropriately accounted for and disclosed.

■ Obtain audit evidence that the transactions have been properly authorized and approved.
○ Example:

● Identification of Previously Unidentified or Undisclosed Related Party Transactions

○ If found, the auditor should:
1. Communicate the information to other members of the audit team.
2. Request that management identify all transactions with newly identified related parties.
3. Inquire why the controls failed to identify and disclose the related party relationship.
4. Perform appropriate substantive procedures.
5. Reconsider the risk that other related parties or transactions have not been identified or disclosed.
6. Evaluate the audit implications if management's nondisclosure appears intentional.

● PCAOB Additional Guidance for Issuers

○ Determine whether any exceptions to the company’s established policies or procedures were given.
○ Evaluate the financial capabilities of related parties with respect to loan commitments, guarantees, etc.
○ Perform procedures on intercompany account balances as of concurrent dates, even if fiscal years differ.

Page 116 of 350

Litigation, Claims, and Assessments
● The following procedures can be used to discover potential litigation, claims, and assessments:
○ Management inquiry.
○ Review of IRS reports and tax returns.
○ Review minutes from board and stockholder meetings.
○ Obtaining a letter from the client's attorney.
○ Reviewing correspondence and invoices from attorneys.
○ Obtaining a management’s representation letter.

● Letter of Inquiry to Client’s Attorney

○ Management is responsible for identifying and accounting for all contingent liabilities.
○ The management representation letter should indicate that they have disclosed all relevant information.
○ The attorney letter is a means of supporting information provided by management.
■ Client approval is necessary but refusal to send a letter may lead to a disclaimer (scope limitation).
■ Refusal to respond by the attorney may also lead to a qualified or disclaimer (scope limitation).
○ Process:
■

● Attorney Responses to Letter of Inquiry

○ Responses may be limited to:
■ Matters to which they have only been told about from the client.
■ Matters that are not considered confidential.
○ The response should include the attorney’s professional opinion on the expected outcome of any lawsuits
and likely outcome of any liability, including court costs.
■ Probably, Reasonably Possible, Remote

Page 117 of 350

 ■

■ If an accrual is made and a range is provided:

● GAAP requires the best estimate of the loss be accrued.
○ Ex) Range is $300,000-$400,000, with $350,000 being the best estimate → accrue $350,000.
● If no amount in the range is best, use the minimum amount in range.
○ Ex) Range is $300,000-$400,000, with no best guess → accrue $300,000 + add note of range.

● Typical Incorrect Answers Regarding Attorney Letter

○ “Confirm directly with the client's attorney that all litigation, claims, and assessments have been recorded
and disclosed.”
■ Not an attorney's job to be familiar with GAAP disclosure requirements.
○ “Examine legal documents in the client’s attorney’s possession concerning litigation, claims, and
assessments.”
■ A letter of inquiry is sufficient enough.

Ability to Continue as a Going Concern

● GAAP → A disclosure is required when there are conditions or events that raise substantial doubt about the
entity’s ability to continue as a going concern.
● GAAS → The auditor is required to evaluate whether substantial doubt exists about the entity’s ability to
continue as a going concern.
● Auditor should determine whether the entity has the ability to continue for a reasonable period of time:
○ FASB → 1 year after the date the financials are issued (issuers) or available to be issued (nonissuers).
○ GASB → 1 year beyond the date of the financial statements.
○ Not applicable to framework (e.g., cash basis) → 1 year after the date the financials are issued or available.

● Factors That May Indicate Substantial Doubt (“FINE”)

○ Financial Difficulties
■ Loan defaults, dividend arrearages, denial of usual trade credit, etc.
○ Internal Matters
■ Work stoppages, labor difficulties, dependence on a single contract, etc.
○ Negative Trends
■ Recurrent losses, working capital deficiencies, negative cash flows, etc.
○ External Matters
■ Legal proceedings, loss of key franchise/license/patent, natural disasters, etc.
Page 118 of 350
● Mitigating Factors
○ Plans to borrow money (Increase cash)
○ Plans to restructure debt (Keep cash longer or reduce cash outflow)
○ Plans to sell assets (Increase cash)
○ Plans to delay or reduce expenditures (Keep cash longer or reduce cash outflow)
○ Plans to increase ownership equity (Increase cash)
(Must include both intent and ability to carry out)

● Reporting - Nonissuers
○ The impact on the auditor’s report depends on whether doubt has been alleviated by plans.
○ Substantial Doubt Alleviated → May include (optional) emphasis-of-matter paragraph.
○ Substantial Doubt Remains → Include a separate section.
■ Title must be “Substantial Doubt About the Entity’s Ability to Continue as a Going Concern”
■ Include the terms “substantial doubt” and “going concern.”
■ This paragraph does not state a reasonable period of time, as it is implied.

● Reporting - Issuers
○ If the going concern basis of accounting is appropriate and substantial doubt remains, the auditor should
add an explanatory paragraph.
■ Include the terms “substantial doubt” and “going concern.”
○ Exception:
■ Although the general rule for going concern cases is to add an explanatory paragraph to an unqualified
opinion, the auditor may choose to disclaim an opinion due to a going concern uncertainty (rare).

● Documentation Requirements
○ When the auditor believes substantial doubt, the following items should be documented:
■ The conditions that gave rise to the substantial doubt.
■ Any mitigating factors that the auditor considers significant.
■ Audit work performed to evaluate management's plans.
■ The auditor’s conclusion about whether substantial doubt remains or has been alleviated.
■ Auditor’s conclusion on the financial statements and disclosures.

● Other Going Concern Considerations

○ If the entity’s going concern disclosures are inadequate or a departure from GAAP, a qualified or adverse
opinion may be appropriate.
○ If the financial statements have been prepared using the going concern basis but that is inappropriate, the
auditor should express an adverse opinion.
○ If doubts about the entity’s ability to continue as a going concern are removed in a subsequent period, the
going concern section of the prior period does not need to be repeated.

● Notes from MCQs

Page 119 of 350
 ○ Related party transactions are given special consideration because they could cause the financial
statements to fail to achieve fair presentation.

M5: Sufficient Appropriate Evidence

● Audit evidence → all the information that the auditor uses to arrive at conclusions to base an opinion.
○ Risk assessment procedures
○ Tests of controls
○ Substantive procedures
○ Other audit procedures

● Types of Audit Evidence

○ May take different forms, such as:
■ Oral information
■ Visual information
■ Paper documents
■ Electronic documents and data
○ Accounting Records
■ Consist of entries and supporting records such as journal entries, ledgers, checks, invoices, and
worksheets.
■ Accounting records alone do not provide sufficient support for an audit opinion.
○ Corroborating (supporting) evidence and Contradictory evidence
■ These are documents that are not part of the accounting records, but help support those accounting
records or contradict them.
■ Consists of meeting minutes, confirmations, analysts’ reports, and information gathered through
observation, inquiry, and inspection.
■ Corroborating (supporting) evidence → provides additional support and gives validity.
■ Contradictory → provides support that an amount is incorrect, and results in more procedures.

● Evidence in Electronic Form

○ Some accounting records or evidence may be available only in electronic form.
○ Electronic evidence may be initially available, but it may not be retrievable forever.
○ The auditor must consider the time during which the information is available when determining the nature,
extent, and timing of procedures.
■ Ex) a company purges electronic data every 3 months, auditors should visit more frequently.

● Obtaining Audit Evidence as a Reasonable Basis for an Opinion

○ Audits provide reasonable assurance that financial statements are fairly presented, and the auditor must
rely on evidence that is persuasive rather than conclusive.
○ Persuasiveness → subjective concept that relates uniquely to each audit.
■ Nature, extent, and timing of procedures performed influences persuasiveness.
○ Cost-benefit considerations may be a valid reason for performing only certain procedures.
Page 120 of 350
 ■ Cost alone or difficulty in obtaining evidence is NOT a valid basis for omitting a procedure with no
alternative.
○ Auditors must use professional skepticism and sound judgment in determining the procedures to be
performed and evaluating evidence gathered.

● Sufficiency and Appropriateness of Audit Evidence

○ Sufficiency → refers to the quantity of audit evidence.
○ The auditor’s decision regarding sufficiency of evidence is influenced by:
■ Risk of material misstatement → right risk = more evidence needed.
■ Quality of audit evidence → higher quality = less evidence may be needed.

○ Appropriateness → refers to the reliability and relevance of evidence.

○ Hierarchy of Reliability of Audit Evidence (“AEIO”) (most reliable to least reliable)
■ Auditor’s Direct Personal Knowledge and Observation → evidence obtained directly by the auditor.
● Ex) observation, physical examination, inspection, etc.
■ External Evidence → evidence obtained from independent sources outside the entity.
● Ex) Evidence sent directly to the auditor (e.g., bank confirmation) (more persuasive)

● Ex) Evidence received and held by the client (e.g., bank statement) (less persuasive)

● Evidence obtained from a management's specialist is not an external source.

■ Internal Evidence → produced by the client.
● Strong, effective internal controls improve the reliability of internal evidence.

● If a client has weak or no internal controls, internal evidence is not seen as reliable.
■ Oral Evidence → inquiries
● Typically, oral evidence is not sufficient audit evidence on its own.

○ Other Reliability Considerations

■ When evidence gathered from different sources is consistent, a greater degree of assurance is given.
■ Evidence must be relevant → must relate to the financial statement assertions under consideration and
the time period of the evidence must match the time period covered under audit.

● Results of Further Audit Procedures

○ Results of audit procedures may lead the auditor to:
■ Reassess the risks of material misstatement (RMM).
■ Identify control deficiencies as a result of tests of controls or substantive procedures.
■ Identify misstatements as a result of substantive procedures.

○ Reassess the risks of material misstatement (RMM)

■ Initially, an auditor assessed RMM as low in the planning stage.

Page 121 of 350

 ■ While performing procedures and obtaining evidence, the auditor realized that RMM should be
assessed higher due to complexities uncovered during substantive testing.
■ Therefore, the auditor will go back and increase the RMM.
● Increase RMM = Decrease in Detection Risk

● Decrease in Detection Risk = More persuasive evidence needed.

■ In turn, the future audit procedures will be changed in terms of their nature, extent, and timing.
● Nature → more effective procedures.

● Extent → larger sample size.

● Timing → test at year-end.

○ Identify control deficiencies as a result of tests of controls or substantive procedures.

■ Initially, an auditor assessed RMM as low in the planning stage.
■ During procedures, the auditor realizes that RMM should be higher due to control deficiencies.
■ Therefore, the auditor will go back and increase the RMM.
■ In turn, the future audit procedures will be changed in terms of their nature, extent, and timing.

○ Identify misstatements as a result of substantive procedures

■ Client’s records → Customer A accounts receivable of $200.
■ Customer A confirmation → confirms $0 because payment was already sent.
■ Therefore, auditors will need to investigate and obtain further evidence of when client was paid.

● Sufficiency and Appropriateness of Audit Evidence.

○ The auditor uses judgment about the sufficiency and appropriateness of evidence, but should consider:
■ The achievement of audit objectives.
■ Auditor’s risk assessment.
■ Significance of uncorrected misstatements and possibility of further undetected misstatements.
■ Effectiveness of management’s responses to controls.
■ Experience gained during previous audits.
■ Results of audit procedures, including any instances of errors or fraud.
■ Understanding of the entity and its environment.

● Impact of Auditor Bias

○ When obtaining evidence, auditors must be aware of both unconscious and conscious biases.
○ Availability Bias → tendency to place more weight on events that are more recent.
○ Confirmation Bias → tendency to place more weight on information that supports rather than contradicts.
○ Overconfidence Bias → tendency to overestimate one’s ability to make accurate judgments.
○ Anchoring Bias → tendency to use initial information as an anchor to assess further information.
○ Automation Bias → tendency to favor information generated from automated systems.

Page 122 of 350

● Notes from MCQs
○ PCAOB standards state that the relevance of audit evidence depends on whether the audit procedure is
designed to test for an understatement or overstatement.

Page 123 of 350

 M6: Procedures to Obtain Evidence
● “C (the) FIVE CARROT WARS” can be used to remember the following procedures.
● Standard Audit Procedures
○ Observation → auditor looks at process performed by others.
■ Ex) Tour the facilities or observe segregation of duties (ARC)
○ Reperformance → auditor independently performs a process themselves.
■ Ex) Testing a login process to see if it locks you out after a few wrong attempts.
○ Inquiry → requesting information from knowledgeable parties.
■ Can be done internally (e.g., management) or externally (e.g., bankers).
■ Inquiry alone is insufficient, and should be used with other procedures.
○ Walk-through → includes questioning personnel about their understanding of processes.
○ Subsequent Events Review → auditor is required to perform certain procedures for the period from the
balance sheet date to auditor’s report date.
■ Recognized event (type 1) = require adjustments and/or disclosures.
■ Nonrecognized event (type 2) = require disclosure.
○ Examination/Inspection → inspect or examine records, documents, or tangible assets.
■ Records or documents may be internal or external and in either paper or electronic form.
■ Automated tools such as text-recognition may be used to examine large populations.
○ Reconciliation → comparing financial amounts from two independent sources for agreement.
■ Supports the existence and valuation of accounts.
■ Ex) Bank reconciliation or reconciling lead schedules to general ledger amounts.
○ Footing, Cross-Footing, and Recalculation → used by auditors to verify mathematical accuracy.
■ Footing → Adding downwards
■ Cross-Footing → Adding across
■ Recalculation example → auditor recalculates depreciation expense.
○ Cutoff Review → auditor analyzes transactions immediately before and after year-end.
■ Helps support that transactions appear in the proper period.
○ Auditing Related Accounts Simultaneously → checking two accounts at the same time.
■ Ex) long-term liabilities and interest expense
○ Analytical Procedures → evaluations of financial information by studying relationships among data.
■ Essentially, an auditor forms an expectation, and compares that expectation to recorded amounts.
■ Helps highlight unusual fluctuations that could be from errors or fraud.
■ Include comparisons within the current year’s financial statements for internal consistency.
■ Ex) Net income should agree with the increase in retained earnings.
■ Scanning may also be an analytical procedure, since the auditor is looking for unusual items.
○ Vouching → auditor examines support for what is included in the financial statements.
■ Starts with the financial statements and works DOWNWARDS toward source documents.
■ The objective of vouching is to gather evidence regarding possible overstatement errors.
■ Deals with the existence or occurrence assertions.
■ Think of the V as an arrow pointing downward (financials down to source documents).
○ Tracing → similar to vouching, but the opposite direction.
■ Start with the source documents and trace UPWARDS towards the financial statements.
Page 124 of 350
 ■ The objective of tracing is to gather evidence regarding possible understatement errors.
■ Deals with the completeness assertion.
■ Make the top of the T into an arrow that is pointing upwards (source documents to financials).
○ Confirmation → specific type of inquiry that involves obtaining representations from external parties.
■ Used to help confirm that balances are correct in the financials and supporting records of clients.
○ Representation Letter → after fieldwork, the auditor must obtain a management representation letter.

Analytical Procedures

● Designing and Performing Analytical Procedures

1. Determine the procedures that are suitable for testing the assertion(s), taking into account the RMM.
2. Evaluate the reliability of data being used to develop the auditors expectation.
■ The source and comparability of the information;
■ The nature and relevance of the information; and
■ Controls over the preparation of the information.
3. Develop an expectation of recorded amounts or ratios and evaluate if it's reasonable to identify errors.
■ Expectations may be developed based on:
● Financial information from comparable periods;

● Anticipated results from budgets or forecasts;

● Relationships among data within the current period;

● Industry norms; and

● Relationships of financial and nonfinancial data.

4. Perform analytical procedures and compare the results of the procedures with the expectations.
5. Investigate any significant differences by:
■ Inquiring with management and obtain evidence relevant to their responses; and
■ Perform other audit procedures as necessary.

● Efficiency and Effectiveness of Analytical Procedures

Page 125 of 350

○ Nature and Assertion Being Tested
■ Analytical procedures are most effective and efficient for assertions where misstatements are not
apparent from examination of the detailed evidence, or when detail is unavailable.
■ In more simple terms, when an account doesn’t have very much detailed evidence, analytical
procedures will be better to use than a test of details.

○ Plausibility and Predictability of the Data Relationship

■ In order to use analytical procedures, auditors need to have a clear understanding of the relationships
among data.
■ Therefore, analytical procedures should be based on predictable relationships.
● Predictable relationships:
○ Data generated in a stable environment.
○ Involve income statements, rather than just balance sheet accounts.
○ Involve transactions that are less subject to management discretion.
● Predictable relationships are more common in “For the period ended..” statements.

● Income statement, for instance, is a better example for predictable relationships.

● The balance sheet is an “As of…” statement, as it's always changing throughout the period.

● This makes balance sheet accounts less predictable than income statement accounts.

● Interest expense is an example of a pretty predictable account.

○ Availability and Reliability of Data Used to Develop the Expectation

■ Data used should be both readily available and reliable.
■ Reliability of data is enhanced if it is:
● Obtained externally rather than internally;

● Obtained from independent internal sources;

● Generated under effective internal controls;

● Audited previously; and

● Obtained from a variety of sources.

■ More precise expectations are more effective in determining misstatements.

○ Methods Used to Develop the Auditor’s Expectation

Page 126 of 350

 ■
■ Least to most amount of assurance: Trend → Ratio → Predictive modeling → Regression
■ Regression analysis has several advantages over the other methods:
● Provides an explicit, mathematically objective, and precise method for forming expectations.

● Allows inclusion of multiple independent variables.

● Provides direct and quantitative measures of the precision of the expectation.

● Documentation Requirements
○ When an analytical procedure is used as the principal test, the auditor is required to document:
■ The auditor’s expectations.
■ Factors considered in the development of the expectation.
■ Results of the comparison of expectations vs. amount recorded.
■ Additional audit procedures performed in response to unexplained significant differences.
■ The results of such additional procedures.

● Analytical Procedures Used as an Overall Review

○ Analytical procedures are required during the overall review stage of an audit.
○ Generally, a manager or partner who has a big understanding of the client and industry reads the financial
statements and the disclosures to review.
○ The nature and extent of the procedures performed during the overall review may be similar to the
procedures performed during the risk assessment.
Page 127 of 350
 ○ The purpose of applying analytical procedures to the overall review stage is to:
■ Evaluate the overall financial statement presentation.
■ Assess the conclusions reached; and
■ Assist in forming an opinion.
○ The auditor:
■ May also discover additional possibility of misstatements or fraud risks; and
■ Should consider whether additional procedures are warranted.

Vouching and Tracing

● Also known as “Directional Testing”
● Vouching
○ Begin with the financial statements and work downwards towards source documents.
○ Objective is to gather evidence for potential overstatements.
■ Ex) revenue or assets
○ Think of the V as an arrow pointing downward (financials down to source documents).
○ Testing for existence/occurrence
○ Testing for support
○ Example Process of Vouching:
■ Auditor starts with accounts receivable (net of a/r) balance from the balance sheet.
■ Auditor verifies that the total from the balance sheet agrees with the trial balance.
■ Auditor verifies that the total from the trial balance agrees with the ending general ledger balance.
■ Auditor confirms that the general ledger balance agrees with the subsidiary ledger balance.
■ Auditor examines the source documents (sales order, sales invoice, etc.) for a sample of customers
from the subsidiary ledger.
● Confirmations may be sent for this step.
(Visual representation of this process is given in lecture)

● Tracing
○ Begin with the source documents and work upwards towards financial statements.
○ Objective is to gather evidence for potential understatements.
■ Ex) expenses or liabilities
○ Make the top of the T into an arrow that is pointing upwards (source documents up to financials).
○ Testing for completeness
○ Testing for coverage
○ An example of this process can be similar to that of vouching, just the other way around.

● Directional Testing: Existence and Completeness

○ Sometimes the examiners are tricky when using the terms tracing and vouching.
○ Testing for Existence:
■ Tracing backwards from records to source documents.
■ Vouching backwards from records to source documents.
○ Testing for Completeness:
Page 128 of 350
 ■ Tracing forward from source documents to records.
■ Vouching forward from source documents to records.
○ Records to source = Existence
○ Source to records = Completeness

Confirmations
● External confirmation → direct written response to the auditor from a third party.
○ Can be done in paper form, electronic, or other medium.
○ Oral response to a request does not meet the definition of an external confirmation.
○ Auditor is given direct access to information held by a third party → meets definition.
○ Access is provided to the auditor by management → does NOT meet the definition.

● Positive Confirmation vs. Negative Confirmation

○ Positive confirmation → request that the confirming party respond directly to the auditor:
■ By providing the requested information; or
■ By stating that the party agrees or disagrees with the information in the request.

○ Negative confirmation → confirming party only respond if they disagree with the information.

● External Confirmation Procedures

○ Auditors should maintain control over external requests, including:
■ Determining the information to be confirmed or requested.
■ Selecting the appropriate confirming party or parties.
■ Designing the confirmation requests.
■ Sending the requests, including follow-ups.

● Management’s Refusal to Allow External Confirmation Procedures

○ Evaluate the validity and reasonableness of management’s refusal.
○ Evaluate the effect on the risks of material misstatement, including fraud, and on the nature, extent, and
timing of other procedures.
○ Perform alternative procedures.
○ If the auditor determines that management's refusal is unreasonable or if the auditor is unable to obtain
appropriate evidence from alternative procedures:
■ Communicate with those charged with governance; and
■ Determine the implications for the auditor’s opinion.

● Results of External Confirmation Procedures

○ All confirmation responses carry some risk of interception, alteration, or fraud.
○ When responses are received electronically, the auditor may address the reliability of the response by
directly contacting the confirming party to validate:
■ The sender's identity; and
■ The accuracy of the information received.
○ An electronic confirmation system or a process that creates a secure environment may mitigate these risks.
Page 129 of 350
 ○ Confirmation Nonresponse
■ Request that was returned, undelivered, failure to respond, or failure to respond fully to a positive
confirmation.
■ Auditors may send additional confirmation requests.
■ For each nonconfirmation nonresponse, the auditor should perform alternative procedures.

○ Exceptions
■ A response that indicates a difference between:
● The information in the entity’s records; and

● The information provided by the confirming entity.

■ All exceptions should be investigated to determine whether they are indicative of material
misstatement, fraud, or deficiencies in internal controls.
■ Exceptions that result from timing or measurement differences, or clerical errors, do not represent
material misstatements.
● See “Notes from MCQs” from this section for an example of this.

Assertions
● Review of Relevant Assertions (“COVERUP”)
○ Completeness
○ Cutoff
○ Valuation, Allocation, and Accuracy
○ Existence and Occurrence
○ Rights and Obligations
○ Understandability of Presentation and Classification

● Account Balances and Related Disclosures (CVERUP) (Balance Sheet accounts)

○ When procedures relate to asset, liability, and equity account balances, the most relevant assertions are:
○ Completeness
■ All assets, liabilities, and equity interests have been recorded with disclosures made.
○ Valuation, Allocation, and Accuracy
■ Assets, liabilities, equity interests, and disclosures are recorded at correct amounts.
○ Existence and Occurrence
■ Assiets, liabilities, and equity interests exist.
○ Rights and Obligations
■ Entity holds the rights to assets and liabilities are obligated to the entity.
○ Understandability of Presentation and Classification
■ Financial information is appropriately presented and described.

● Transactions, Events, and Related Disclosures (COVEUP) (Income Statement accounts)

○ When testing transactions, the most relevant assertions are:
Page 130 of 350
 ○ Completeness
■ All transactions and events that should have been recorded are recorded.
○ Cutoff
■ Transactions and events are in the correct accounting period.
○ Valuation, Allocation, and Accuracy
■ Amounts, transactions and events have been recorded appropriately.
○ Existence and Occurrence
■ Transactions and events that have happened pertain to the entity.
○ Understandability of Presentation and Classification
■ Transactions and events are recorded in proper accounts and presented and described.

● If you’re going to be familiar with anything, be VERY, VERY familiar with this chart:

Page 131 of 350

● Notes from MCQs
○ If a confirming party mailed their payment on 12/31/Year 1, and the client received their payment on
01/02/Year 2, this may be considered as an exception. Cash receipt date would need to be verified.

M7: Sampling: Part 1

● Sampling → application of audit procedures to less than 100% of items in the account balance or class of
transactions to evaluate some characteristics of the account balance or class.
● When the auditor samples, it is generally assumed:
○ Population being sampled is normally distributed.
○ Each sample has an equal chance of being selected.
○ If a sample is large enough and randomly selected, it will be representative of the population.
○ Auditor considers standard deviation, which is a measure of “variability.”

● Sampling Methods
○ Statistical Sampling
■ Auditors specify the sampling risk they are willing to accept and then calculate the sample size that
provides that degree of reliability.
■ Results are evaluated quantitatively.
■ Enables the auditor to:
● Design an efficient sample.

● Measure the sufficiency of the audit evidence obtained.

● Provide an objective basis for quantitatively evaluating sample results.

● Quantity sampling risk to limit risk to an acceptable level.

○ Nonstatistical sampling
■ The sample size is not determined mathematically.
■ Auditors use their judgment in determining sample size and evaluating results.
Page 132 of 350
 ○ Both of these methods are allowed under GAAS, require professional judgment, and when properly
applied, should provide sufficient audit evidence.

● Professional Judgment
○ The auditor exercises professional judgment in both statistical and nonstatistical sampling to:
1. Identify the population and sampling unit.
2. Select the appropriate sampling method.
3. Evaluate the appropriateness of audit evidence.
4. Consider sampling risk.
5. Evaluate the results obtained from the sample and project those results to the population.

● Types of Sampling
○ Attribute Sampling
■ Estimates rate of occurrence.
■ Primarily used for testing controls.
■ Often deals with yes-or-no questions.
■ Ex) Is the invoice properly approved?
○ Variables Sampling or Probability-Proportional-to-Size (PPS) Sampling
■ Estimates numerical quantity.
■ Generally used for substantive testing.
■ Ex) What is the value of accounts receivable?

● Uncertainty and Audit Sampling

○ Audit risk → uncertainty inherent in applying audit procedures and includes both:
■ Uncertainties due to sampling; and
■ Uncertainties due to factors other than sampling.
○ Sampling risk → possibility that the sample is NOT representative of the population.
■ Therefore, the auditor will reach a different conclusion than the conclusion that would have been
reached if the population was tested.

● Sampling Risk in Substantive Testing (Variable or PPS Sampling)

○ Risk of Incorrect Acceptance → risk that the sample supports that balances are not materially misstated,
when in fact, they are misstated.
■ Sample = fairly stated.
■ Population = material misstated.
■ This leads to an ineffective audit.

Page 133 of 350

 ●

● Had the entire population been tested:

■ When an auditor samples a population, there is always the risk that the sample may not represent the
population.

○ Risk of Incorrect Rejection → sample supports the conclusion that balances are materially misstated, when
in fact, they are not misstated.
■ Sample = material misstated.
■ Population = fairly stated.
■ This would lead to an inefficient audit.
● Because the auditor will want to do more tests when they are not needed.

● Sampling Risks in Tests of Controls (Attribute Sampling)

○ Risk of Assessing Control Risk Too Low → assessed risk on controls based on a sample is too low.
■ Sample → Deviation rate < Tolerable rate = Assess CR low = Controls operating effectively.
■ Population → Deviation rate > Tolerable rate = Assess CR high = Controls not operating effectively.
■ This would lead to an ineffective audit.
Page 134 of 350
 ■ Sample has a lower deviation rate than the population.
■ Because the auditor assessed control risk as low, the auditor will obtain less persuasive evidence.

○ Risk of Assessing Control Risk Too High → assessed risk on controls based on a sample is too high.
■ Sample → Deviation rate > Tolerable rate = Assess CR high = Controls not operating effectively.
■ Population → Deviation rate < Tolerable rate = Assess CR low = Controls operating effectively.
■ This would lead to an inefficient audit.
■ Sample has a higher deviation rate than the population.
■ Because control risk is assessed as high, the auditor will waste time by doing more procedures.

○ Exam Question Tips

■ When a question relates to sampling risk and misstatements, focus on incorrect rejection/acceptance.
■ When a question relates to sampling risk and deviations, focus on control risk assessed as low/high.
■ “Reduced planned reliance on controls” == “Reassess control risk as high” (interchangeable terms).

● Nonsampling Risk
○ Includes all aspects of audit risk that are not due to sampling.
○ Examples:
■ Selecting audit procedures that are not appropriate to achieve a specific objective.
■ Failure by the auditor to recognize misstatements in documents examined.

● Attribute Sampling
○ Statistical sampling method used to estimate the rate (percentage) of occurrence (exception) of a specific
characteristic (attribute).
○ Generally deals with yes-or-no questions.
○ Tolerable Deviation → maximum rate of deviations from a procedure that the auditor will tolerate.
○ Deviation Rate → auditor’s best estimate of the deviation rate in the population.

● Steps of Attribute Sampling

1. Define the objective of the test.
2. Identify the population, including the period covered.
3. Define the sampling unit.
4. Define the attributes of interest to determine deviations.
5. Determine the sample size, and specify the following factors:
■

Page 135 of 350

 ■ Population size is not an issue if the population is large (i.e., greater than 5,000 items).
6. Select the sample by random selection or systemic selection (must have a random start).
■ Block sampling is not allowed (choosing two items right next to each other).
7. Evaluate the sample results.
■ Sample deviation rate + Allowance for sampling risk = Upper deviation rate.
● Allowance → “cushion” to protect against undetected deviations.

● Example of the allowance is given in the lecture.

8. Form conclusions about the internal control tested.
■ Upper deviation rate < tolerable deviation rate = auditor may rely on control.
■ Upper deviation rate > tolerable deviation rate = auditor would not rely on control, and:
● Either select another control or reduce reliance on the control, and modify NET of tests.
9. Document the sampling procedure, including:
■ Steps from planning.
■ Rationale for parameters used.
■ Observed results.
■ The evaluation and interpretation of results.

● Example of Attribute Sampling

○

3. Sample deviation rate + Allowance for sampling risk = Upper deviation rate
■ 1% + X = 4.7%
■ X = 3.7%
4. The auditor is 95% sure the deviation rate does not exceed 4.7%.
■ 100% - 5% (from table) = 95%.
■ Upper deviation rate = 4.7%.

● Other Sampling Models

○ Discovery Sampling → type of attribute sampling when the auditor believes the population deviation rate is
0 or near 0.
Page 136 of 350
 ■ Typically used when looking for critical characteristics (e.g., fraud).
○ Stop-or-go Sampling → designed to avoid oversampling for attributes by allowing the auditor to stop an
audit test before completing all steps.
■ Also known as sequential sampling.
■ It is used when few errors are expected in a population.

● Notes from MCQs

○ If an auditor is unable to apply a designed audit procedure on an item selected as part of a sample for test of
controls, and no alternative procedures are possible, the auditor should treat the items as a deviation from the
prescribed control.
○ Population variability has a direct impact on sample size.
■ Bigger population variability → larger sample size.
○ Risk of incorrect acceptance/rejection → deals with materiality of samples/population.
○ Risk of assessing control risk too high/low → deals with whether controls are deemed effective or not.

M8: Sampling: Part 2

Variable Sampling
● Planning Considerations
○ When planning a particular sample for substantive test of details, the auditor considers:
■ Tolerable misstatement → minimum monetary misstatement the auditor will accept.
○

● Sample Selection Considerations

○ The auditor uses professional judgment to determine which items should be subject to sampling.
○ The auditor may stratify the sample.
■ Stratification → separating items into homogeneous groups and treating each group as a population.
■ Stratification is commonly used when a population has highly variable amounts.
■ Stratification typically results in a reduced sample size.

● Variable Sampling Plans

○ Classical variable sampling measures sampling risk by using the variation of the underlying characteristics of
interest.
Page 137 of 350
 ○ Mean-Per-Unit (MPU) Estimation
■ Uses the average value of the items in the sample to estimate the true population mean.
■ Estimate = Average sample value x Number of items in population
○ Ratio Estimation
■ Uses the ratio of the audited (correct) values of items to their book values to project population value.
■ (Audited (correct) values / Book values) x Value of population
○ Difference Estimation
■ Uses the average difference between the audited (correct) values of items and their book values to
project the actual population value.
■ [(Audited (correct) values - Book values) / Sample Size] x Population = Projected error
■ Population value - Projected error = Point Estimate

● Comparison of Methods
○

○ If an auditor chooses MPU, the auditor should stratify the population into relatively similar groups.
○ Ratio and Difference estimation are only effective when large numbers of overstatements and
understatements are expected.

● Variables Sampling Steps and Example

1. Define the objective of the test.
■ Ex) estimate of the value of client’s accounts receivable balance.
2. Identify the population.
■ Ex) 5,000 accounts with a recorded value of $4,500,000.
3. Define the sampling unit.
■ Ex) each of the 5,000 accounts is a sampling unit.
4. Determine the sample size, and specify the following factors:

Page 138 of 350

 ■

5. Select the sample.

■ Sample should be selected in a way that the sample can be expected to represent the population.
■ Ex) random sampling.
6. Evaluate the sample results.
■ The auditor will project the misstatements found using one of the methods from above.
■ The projected misstatement is applied to the recorded balance to obtain a “point estimate.”
■ The auditor must then add an allowance for sampling risk to the point estimate.
● Similar concept to attribute sampling allowance from Sampling Part 1.
7. Form conclusions about the balances or transactions tested.
■ Determine whether the recorded book value falls within the acceptable range.
■ Range = point estimate +/- the allowance for sampling risk.
■ If it falls within this range, the book value is fairly stated.
8. Document the sampling procedure.
■ Each step should be documented.

● Example Problem (step by step explanation in lecture, if needed)

Page 139 of 350

 ○

● Additional Considerations When Using Audit Data Analytics (ADAs)

○ When using ADAs, the auditor should select an ADA technique that best fits the indeed purpose and
objectives of the procedure, and that best allows for evaluation.
○ After performing the ADA, the auditor should group the data, such as:
■ Data that does not contain misstatements.
■ Data that contains possible misstatements, but are clearly inconsequential.
■ Data that contains possible misstatements that are not clearly inconsequential.
● Auditor should analyze this group for actual misstatements.

Probability-Proportional-to-Size (PPS) Sampling

● PPS → sampling technique in which the sampling unit is defined as an individual dollar in a population.
○ Once a dollar is selected, the entire account containing that dollar is audited.
● Advantages:
○ PPS automatically emphasizes larger items by stratifying the sample. The chance of an item being selected
is proportionate to its dollar amount.
○ If no errors are expected, PPS sampling generally requires a smaller sample size.
● Disadvantages:
○ Zero, negative, and understated balances generally require special considerations.

● PPS Sample Size Determination

○ The auditor selects a PPS sample size by dividing the total number of dollars in the population (book value)
into uniform groups of dollars or intervals.
○ The auditor then selects a logical unit (the balance that includes the selected dollar) from each interval.
Page 140 of 350
 ○ Sampling Interval = Tolerable misstatement / Reliability factor
○ Sample Size = Recorded amount of the population / Sampling Interval

● PPS Example/Illustration (step by step is gone over in the lecture, if needed)

○

○ Create a chart that lists the following and select the appropriate accounts:

Page 141 of 350

○

■ The selections of 15,300 and 20,300 (I believe the 22,300 in the picture is a typo from Becker)
demonstrate how stratifications may reduce the total number of selected sample units.
● They both fall into the range for account 7.
■ Note: items greater than the sampling interval (i.e., 8,500) will be selected in PPS sampling.

○ After selecting accounts, the auditor will send out confirmations to the selected customer accounts.
○ If no errors are found in the sample:
■ Error projection = 0.
■ Allowance for sampling risk would not exceed tolerable error.
■ Auditor would conclude the recorded balance is fairly stated.
○ If book value of the item selected < sampling interval (5,000 in our example):
■ Errors found need to be projected.
○ If book value of the item selected > sampling interval:
■ The actual dollar amount (not a projected value) is used.
○ See these steps here:
○

■ 2nd row = example of no errors found from confirmations (0 projection error).

■ 4th row = example of book value > sampling interval (actual amount, not projection, is used).
■ All other rows = examples of book value < sampling interval (projected errors).
■ “A” = book value from client’s records.
Page 142 of 350
 ■ “B” = value obtained from confirmations sent to customers.
■ “Projected error” = % x Sample interval

● Qualitative Considerations
○ For all types of sampling, the auditor should consider qualitative aspects of deviations, including:
■ Nature and causes of deviations (errors or fraud); and
■ Possible relationships of deviations to other phases of the audit.
● Dual-Purpose Samples
○ An auditor may use the same sample to perform both tests of controls and tests of details.
○ The size of a sample designed for dual purposes should be the larger of the samples that would otherwise
have been designed for the two separate purposes.
■ Ex) sample size used for controls testing = 75; sample size use for substantive testing = 50; use the 75.

● Notes from MCQs

○ The use of ratio estimation sampling as compared to the other methods is most effective when the calculated
audit amounts are approximately proportional to the client’s book amounts.
○ A primary objective of PPS is to identify overstatement errors.
○ Risk of incorrect acceptance may also be known as the reliability factor.

M9: Audit Data Analytics

Audit Data Analytics Tools and Techniques
● Audit Data Analytics (ADAs) → techniques that enable auditors to analyze and review financial and nonfinancial
information to discover patterns, relationships, and anomalies.
● Benefits of ADAs
○ Better understanding of clients and their operations.
○ Advanced assessment of risk in areas that may have otherwise gone undiscovered.
○ Capabilities to test entire populations.
○ Insights gained from evaluating metadata and relationships among data.
○ Increased efficiency of applied procedures.
○ Enhanced fraud detection.
○ Improved communication through data visualizations.

● Steps in Applying ADAs

1. Plan the ADA
■ Determine the objective and purpose of the ADA.
2. Access and obtain data.
■ Includes gaining access to, sourcing, cleaning, and validating the data.
3. Review and analyze the relevance and reliability of sourced data.
4. Perform the ADA utilizing the selected tools and techniques.

Page 143 of 350

 5. Evaluate and address the outcomes to ensure the proposed objective was achieved, the ADA was
performed effectively, and if further procedures should be performed.
■ Outcome may impact the NET of tests.

● Types of Software Used

○ ADAs can be done manually, however that takes too much time.
○ As a result, most ADAs are done using software.

○ Data Extractions and Preparation → used to extract, transform, and load (ETL) data, allowing auditors to:
■ Connect to data sources;
■ Clean the data to remove errors and inconsistencies;
■ Scrub the data to address integrity issues;
■ Adhere to data quality standards;
■ Allow for normalization;
■ Combine data from different sources; and
■ Summarize data.
○ Data extractions and preparation tools also facilitate the automation of data collection by recording each of
the ETL steps for reuse with new data including:
■ Spreadsheet tools
■ Database or structured query language (SQL) explorer
■ Data transformation and cleaning software
■ Robotics process automation (RPA) software

○ Data Modeling → provides a platform for common data analytic procedures.

■ In some cases, this is modeled for common audit analytics, such as Benford’s law analysis or sampling.
■ In some cases, more robust models require connecting to more powerful services, such as:
● Data analytics software and plug-ins

● Data mining software

● Programming scripts

○ Data Visualization → creating charts, graphs, diagrams, etc. to help emphasize trends, relationships, etc.
■ More advanced software can create graphs using text prompts instead of building visuals from scratch.
● Charts and graphs

● Data visualization software

● Natural language processing (NLP) tools

● ADA Techniques
○ ADAs span a wide spectrum of techniques and methodologies.
○ ADAs can be:
Page 144 of 350
 ■ As simple as sorting and filtering; and
■ As advanced as classification and machine learning.
○ Typically, as the complexity of the technique increases, so does the value it brings to the audit.
○ There are four broad categories of data analytics that can be applied as an ADA:
■ Descriptive (Relates to the past)
■ Diagnostic (Relates to the past)
■ Predictive (Relates to the future)
■ Prescriptive (Relates to the future)

○ Descriptive Analytics → explains what happened or what is happening to the data.

■ Descriptive analytics can be achieved by:
● Summary statistics;

● Data sorting and filtering; and

● Aging data

■
(Visual presentation of this example is given in lecture, if needed)

○ Diagnostic Analytics → explains why something happened with the data.

■ Works to uncover correlations, patterns, and relationships among data to explain outcomes.
■ Common diagnostic procedures include:
● Clustering

● Drill-down and drill-through analysis (dig deeper into the data)

● Data mining and discovery

● Variance analysis

● Period-over-period analysis

● Data profiling

● Sequence check

Page 145 of 350

 ■
(Visual presentation of this example is given in lecture, if needed)

○ Predictive Analytics → uses historical data to make predictions, estimates, and assertions about the future.
■ Looks to answer the question of what will happen in the future.
■ Common predictive techniques include:
● Regression analysis

● Forecasting

● Time-series modeling

● Classification

● Sentiment analysis

■
(Visual presentation of this example is given in lecture, if needed)

○ Prescriptive Analytics → prescribe courses of action to help optimize decisions to reach desired outcomes.
■ The most advanced and complex type of analytic.
■ Common prescriptive techniques include:
● What-if analysis

● Decision support and automation

● Machine learning

Page 146 of 350

 ● Natural language processing

■
(Visual presentation of this example is given in lecture, if needed)

○ A good way to remember the four ADA techniques and what they mean, think of a doctors appointment:
■ Descriptive → Explain to your doctor what happened.
■ Diagnostic → Your doctor may take a blood test to explain why you're feeling that way.
■ Predictive → Based on that blood test, your doctor will predict what might help.
■ Prescriptive → Your doctor will prescribe you a medicine to reach your desired outcome, health.

Applying ADAs
● Risk Assessment
○ ADAs can be employed during the risk assessment process to:
■ Identify previously unidentified risks.
■ Identify and assess the RMM at the financial statement level.
■ Identify and assess the RMM at the relevant assertion level.
■ Identify and assess fraud risk.
■ Assist in the determination of additional procedures to perform.

Page 147 of 350

 ○
(Visual presentation of this example is given in lecture, if needed)
○ In terms of the exam, Michelle thinks a question where they give exhibits and ask you to find something
similar to what is shown in this example is likely, so take that for what you will.

● Test of Controls
○ ADAs can provide support and evidence in testing the operating effectiveness of internal controls.
○ ADAs can assist with tests of controls by:
■ Evaluation of external data to validate control outcomes.
■ Analysis of internal data to support or dispute the effectiveness of controls.
■ Review of data for anomalies that are likely to result in control failure.
■ Assist in reperformance activities.

Page 148 of 350

 ○

● Substantive Procedures
○ Auditors use substantive procedures to detect material misstatements in financial statements and
disclosures at the assertion level.
○ ADAs can be applied to both tests of details and analytical procedures.

○ Tests of Details
■ Perform sequence checks on prenumbered items to check for completeness, including evaluation of
both gaps and duplicates.
■ Test entire populations to verify accuracy.
■ Compare transactions against external data to ensure occurrence and accuracy.
■ Utilize structure and content analyses to evaluate source data for missing, inconsistent, or
inappropriate data formatting.

○ Analytical Procedures
■ Comparing current year data to preceding year data.
■ Comparing industry trends to trends found at the audited entity.
■ Developing expectation for amounts to act as a comparison for recorded and reported amounts.
■ The development of expectations may include:
● Regression analysis

● Period-over-period analysis

● Trend analysis

● Classification models

● Ratio analysis
■ Performing a drill-down analysis on significant differences found in expected vs. actual amounts.

Page 149 of 350

 ■

● Concluding the Audit

○ Using ADAs to assist when forming an overall conclusion allows the auditor to gain comfort that no material
misstatements went unidentified or unassessed during the audit.

Sourcing and Reviewing Data Used in ADAs

● Data may be stored in a variety of information systems utilized by the entity, such as:
○ Accounting information systems (AIS)
○ Management information systems (MIS)
○ Executive information systems (EIS)
○ Decision support systems (DSS)
○ Customer relationship management systems (CRM)
○ Supply chain management systems (SCM)
○ Inventory management systems (IMS)
○ Knowledge management systems (KSM)
○ Enterprise resource planning systems (ERP)

● ADA Data Source: Data Storage Functions

○ Data can be stored in a number of different data repositories based on the type of data.
○ Data Lake (largest) → all structured and unstructured data.
■ Only storage that is considered unstructured data.
○ Data Warehouse → structured and organized database tables available for analysis.
■ Central repository
○ Data Mart → subset of database tables used for specific business segments.
○ Data Cubes → database tables transformed for drilling down.
○ Databases → structured tables available for specific analysis.
○ Table → single sheet of attributes and records.
○ Spreadsheets (smallest) → data files that may contain tables and/or other values.

● ADA Data Source: Internal and Reporting Sources

○ Internal data and data used in the making of financial statements provides sources for ADAs.
○ These include:
■ Audited financial statements and/or the financial statements being audited.
■ Transaction logs
■ Subledgers and general ledgers
■ Source documents (i.e., invoices, purchase orders, etc.)
■ Stand-alone data files such as spreadsheets
Page 150 of 350
 ■ Connected devices (Internet of things, or IoT) (i.e., a smart thermometer that tracks stuff).

● ADA Data Source: External Sources

○ Governmental external sources
■ Ex) Tax records or regulatory filings
○ Private external sources
■ Ex) Broker dealer relationships
○ Service organizations external to the entity that provides services, such as cloud computing.

● ADA Data Source: Data File Formats

○ In some cases, auditors may be given access to a data warehouse where they can:
■ Perform queries; and
■ Generate reports with relevant evidence.
○ In most cases, the auditors will make a request for data and receive the requested data in various formats
that can be connected or imported into data analytics software.

○ Tab-separated Text (txt) File → universally accepted, efficient way to move data without limitation of rows.
○ Comma-separated Value (csv) File → efficient way to move data without limitation of rows.
○ Microsoft Excel (xlsx) Spreadsheet → flexible canvas to conduct ad hoc analysis with limitations on rows.
○ Database (db) or Access Database (accdb) File → means to move data into an Access Database for analysis.
○ Extensible Markup Language (xml) File → gives data hierarchical form and makes sharing data easier.
○ Hypercube (hyper) File → allows automated updates of linked documentation when changes occur.
○ Compressed (zip) File → makes file sharing easier and saves storage space.

● ADA Data Types: Structured Data

○ ADA’s can be performed on either structured or unstructured data.
○ Structured data is:
■ Organized, has consistent data types and formats, and is easily searchable.
■ A key feature of relational databases, organizes data into records (i.e., rows in a table), and each record
has the same number of attributes (i.e., columns in a table).
■ Easily searchable through query languages, such as SQL.

● Components of Structured Data

○ Tables → objects in a database are stored in a file containing columns and rows like a spreadsheet.
■ Relational databases combine multiple tables with foreign keys.
○ Attributes → columns that represent characteristics or properties that describe the objects.
■ May include primary keys, foreign keys, and descriptive attributes.
■ Ex) in a table of customers, one attribute (column) could be “Customer Name.”
○ Records → the rows in a table that each contain information about a single entity or object in the table.
○ Fields → The space at the intersections of columns and rows where data is entered.
■ The information placed inside a field is a “data value.”
■ Ex) think of a singular cell in excel, that would be a field.
○ Duplicate Data → break down data into multiple tables.
Page 151 of 350
 ■ Ex) student roster, course table, and enrollment summary.
■ This will reduce duplication and is known as normalization.

● Normalization and Relational Databases

○ A database design technique that reduces data redundancy by dividing large tables into smaller tables.
■ These smaller tables are linked together using foreign keys.
○ Relational Database → an effective way to reduce data redundancies for a structured data set by using the
concept of “keys.”

○ Database Keys → attributes that uniquely identify each record in a table or facilitate the relationship
between two tables.
○ Primary Key → A required attribute in every table that contains a unique identifier.
■ Ex) in a table of customers, a customer number or email address could be a unique identifier.
■ A real life example is a social security number, everyone has a unique one to them.
○ Foreign Keys → attributes in one table that contain values from a primary key in another table.
■ Ex) a sales order record (row) may include Customer ID as a foreign key that refers to the Customer ID
that is the primary key in a customer record to indicate that order involves a specific customer.
■ Ex) Customer ID = primary key in Customer Table; Customer ID = foreign key in the Sales Table.
● Sale ID may be the primary key for the Sales Table, for example.
○ Composite Keys:
■ In some cases where a single attribute cannot uniquely identify a record, it may be combined with
more than one attribute to create a unique key.
■ Ex) each line item on a sales order will typically contain a combination of the Sales Order ID and
Inventory ID. Combined, these values create a unique identifier for each row.
(Good visuals are given for each of these terms as they are explained in the lecture, if needed)

● Unstructured Data
○ This is essentially all data that is NOT structured.
○ This data:
■ Is typically in its original unmodified format; and
■ Remains that way until transformed and modified for analysis.
○ It is difficult to sort and often requires different ADAs than structured data.
○ Unstructured data that may be utilized in an ADA includes:
■ Social media posts;
■ Interview or phone transcripts;
■ Data sourced from sensors (Internet of Things); or
■ Nontraditional data types such as videos or images.
○ Includes data found in data lakes.

● Attributes to Evaluate in ADAs

○ Numeric (quantitative) data such as quantity, counts, or financial values.
■ Discrete Data → cannot be broken into portions, fractions, or decimals (whole numbers).

Page 152 of 350

 ● Ex) employee headcount (cant have half an employee).
■ Continuous Data → can be broken into decimals, units, fractions, and parts.
● Ex) dollar amounts (that include cents).
■ Interval Scale Data → shows each point on a line where zero has no special meaning.
● Ex) temperature degrees.
■ Ratio Scale Data → show each point on a line where zero means the absence of something.
● Ex) $0, meaning money is absent.

○ Text (qualitative) data that provides descriptive values.

■ Nominal Scale Data → describes categories with no numerical relationship.
● Ex) location, such as “Los Angeles, California”
■ Ordinal Scale Data → identifies the rank or order of data.
● Ex) ranking states in order of total revenue.
■ Date and Time Data → indicates when activities or transactions occur, including any detail about time.
● Ex) 6/9/Year 1 at 2:30PM
■ Geographic Location Data → provides information about where operations took place.

● Sourcing Data for ADAs

○ Data sourced for ADAs may be obtained using a variety of technique and methods, including:
■ Built-in reporting provided by information systems.
■ Custom queries
■ Data mining using programming languages (both internal and external)
■ Data-pulls using software
■ Walk-throughs and interviews of clients
■ Research and external sites

● Reliability Procedures
○ The majority of data is sourced from some type of information system.
○ As a result, the auditor will typically perform general IT controls testing to ensure they are sufficient.
○ To determine completeness, accuracy, and reliability of information utilized, auditor could perform:
■ Obtain or create flowcharts or data flow diagrams to gain an understanding of processes.
■ Perform tests of controls around the data being utilized if sourced internally.
■ Use confirmations to verify balances.
■ Recalculate provided data or reperformance of how the data was produced.
■ Perform general IT controls to ensure they are sufficient.
■ Evaluate spreadsheet controls if the data came directly from a spreadsheet.
■ Request a SOC1 report if the data being analyzed was produced from a service organization.

Page 153 of 350

 ● Provides assurance around the controls at the service organization.
■ If available, compare the data utilized in the ADA with data from a separate internal source, or an
external source if possible.
■ Source the data directly from an independent and/or external party.
■ Perform a sequence test on prenumbered documents to provide assurance around completeness.
■ Perform validation of sourced data through review of batch totals, hash totals, and record counts.
■ Perform summary statistics on the data and review outcomes to see if they tie to auditor expectations.
■ Review known relationships in financial statements.
● Ex) ending balance in one period should be the beginning balance in the next period.
■ Reconciling data utilizing known aggregation points and rules provided within information systems.
● Aggregating transaction data to tie it to subledger balances.

● Aggregating subledger balances to tie to the general ledger balances.

○
(Visual presentation of this example is given in lecture, if needed)

● Increasing Reliability
○ Reliability of data can be increased or improved based on:
■ The source of the data and how the extraction occurs.
○ Audit evidence is considered more reliable if:
■ The auditor sourced the data directly.
■ The auditor sourced the data from a source independent of the entity.
■ Controls surrounding the input, processing, and storage of the data are effective.
■ The original documents are provided as opposed to copies.
■ The evidence is documented as opposed to sourced from inquiries alone.

Procedures Performed on Visualizations and Reports

● Using Data Visualizations
○ When using visualizations, the following items should be considered for ethicality and effectiveness:
■ Choose the right type of visualization.
Page 154 of 350
 ● A pie chart communicates different information than a line chart or scatter plot.
■ Apply correct scaling
● Typically, the y-axis should start at 0 to avoid misinterpretation.
■ Use appropriate colors
● Colors can greatly change how the viewer interprets a visualization.

● Consider the audience and its culture when determining color schemes.

● Interpreting Results
○ Regression Analysis
■ Allows for an auditor to evaluate relationships between variables.
■ Ex) an auditor may predict office supplies is driven by total number of labor hours worked.
■ Typically uses scatter plots with a corresponding regression line.
■ A strong correlation between the given variables is indicated by the data points being closer to the line
or a high R2 value.
● R2 = proportion of total variation in y explained by x.

● Will be between 0 and 1, the higher the better.

○ Variance Analysis
■ Used to compare a company’s forecasted or budgeted values against their own values.

Page 155 of 350

○ Period-Over-Period Analysis
■ An auditor may compare financial or nonfinancial values across given periods.
■ A bar or column chart can be effective at comparing values against one another.
● This allows for quick review and evaluation of gaps between values.

● Any significant differences should call for further procedures.

○ Classification
■ A predictive analytic that allows the auditor to use historic data to make predictions about what classes
or categories would best fit a new data point.
■ Scatter plots may be used to demonstrate where values fall in the analysis.
■ An auditor may use visual techniques that show proportional makeup of the population by class or
category, such as a pie chart or tree map.
■ When evaluating a classification scatter plot, most observations will gravitate to one class or another.
■ The auditor should pay close attention to those values that do not clearly fit with their neighbors.

Page 156 of 350

 ■

○ Trend Analysis
■ Can be used to develop expectations of future results.
■ Line charts are the best way to demonstrate trends.
■ If an auditor sees that trends in specific balances or activities are inconsistent with trends in
comparative data, this may drive further procedures to be done for those periods.

● Evaluating and Grouping Potential Misstatements

○ When reviewing the output of the ADA, there may be a number of items that require attention.
■ Outliers, abnormal variances, or unexpected results.
○ If there is a large number of items, the auditor may group the outcomes into categories.
○ The auditor may divide the items found in the output into two broad categories:
■ Clearly inconsequential
■ Not clearly inconsequential

○ Clearly Inconsequential
■ The auditor may be able to quickly determine whether particular items are inconsequential.
■ This means that the auditor believes that these items do not pose a risk of material misstatement,
either individually or in aggregate.
■ The auditor would document the rationale as to why the items are inconsequential, including:

Page 157 of 350

 ● Amounts or the nature of the items or group of items.

○ Not clearly inconsequential

■ The auditor may classify the items in this group by common characteristics found among them.
● Ex) similar time period, values, type, etc.
■ The auditor would then determine the possible misstatements.
■ There would then be a further division of this group:
● No actual misstatement

● Misstatement, but clearly inconsequential (individually or in aggregate)

● Misstatements that are not clearly inconsequential (individually or in aggregate).

○ These will require additional procedures.

● Additional Procedures
○ Consideration of both quantitative and qualitative factors on the nature of the possible misstatement.
○ Assessment to determine if the possible misstatement is a result of fraud.
○ Evaluation of the possible misstatement to see if it results from a failed internal control.
○ Determination of the nature and extent of the substantive procedures to be applied.
■ Ex) evaluating if the test should include the entire population or a sample.

● Notes from MCQs

○ An inner join uses only records that two data sets have in common.

A4 – Performing Further Procedures, Forming Conclusions, and Communications

M1: Revenue Cycle
● This chart will be a great reference throughout all the transaction cycles:

Page 158 of 350

 (Add Confirmations to Rights and Obligations)

● This chart helps tie together the accounts, records, and sources for the revenue cycle:

● Visualization of sources and records - little (bottom) to big (top)

Page 159 of 350

Internal Controls - Revenue Cycle
● Transaction Cycles and Fraud Risk Related to the Revenue Cycle
○ Cash, accounts receivable, and revenue are all accounts that relate to the revenue cycle.
○ There should be a presumption in every audit that there is risk of material misstatement to revenue
recognition fraud.

● Sales - Internal Controls Related to the Revenue Cycle

○ Segregation of duties is very important throughout the entire revenue cycle process.
■ ARC should be segregated.
○ In a strong system of internal controls, segregation of the functions of sales should exist as follows:
1. Preparation of the Sales Order (Authority)
■ Customer places order, and a serially numbered sales order is sent to credit department for approval.
2. Credit Approval (Authority)
■ Credit department determines if the customer can use credit.
■ If approved → copies of sales order is sent to the shipping, billing, and accounting departments.
3. Shipment (Custody)
■ A serially numbered bill of lading is prepared and sent to the customer.
■ Bill of lading:
● Document between the seller and the shipper.

● Explains what was shipped.

● Serves as a receipt of shipment.

■ Goods are shipped, and a receivable is created based on invoice shipping terms.
4. Billing (Record Keeping)
■ Billing department prepares a serially numbered sales invoice.
■ Shipping documents, sales orders, and invoices are all matched to check for validity and proper billing.
■ Prices and discounts are applied to the invoice.
■ Invoice is then sent to the customer and accounts receivable department.
5. Accounting (Record Keeping)

Page 160 of 350

 ■ Sale is entered into the sales journal, and a receivable is recorded.
(Billing and accounting departments may be consolidated in some instances)

● Accounts Receivable - Internal Controls Related to the Revenue Cycle

○ In a strong system of internal controls, segregation of the functions of sales should exist as follows:
1. Sales
■ A receivable is recorded in the A/R control account, general ledger, and A/R subsidiary ledger.
■ An independent person should reconcile these two records periodically.
2. Collection of Cash Receipts
■ When payment is received, the receivable is eliminated.
3. Uncollectible Receivables
■ An aging schedule is prepared and sent to the credit department for use in its collection program.
■ At some point, uncollectible accounts should be written off.
■ Controls for writing off receivables include proper authorization (by the treasurer) and record keeping.
■ Without proper controls, amounts collected could easily be stolen by employees.
4. Sales Returns
■ Returned goods must be examined to ensure that they correspond with the reason for return.
■ A serially numbered receiving report may be used as a sales return slip.
■ Once approved, the sales return is recorded and the related receivable is eliminated.
■ Credit memos should NOT be prepared by those who collect or receive the cash payments on A/R.
● This would violate segregation of duties.
5. Sales Discounts
■ Discount procedures and records should be reviewed to ensure that discounts are given properly and
recorded with the correct method chosen.
■ This ensures that receivables are not overstated.

● Cash - Internal Controls Related to the Revenue Cycle

○ Incoming mail must be opened by a person who does not have access to the accounts receivable ledger.
○ The receipts should be listed in detail and three copies should be sent to the following:
■ Cashier → receives actual receipts and prepares bank deposits. (Custody)
■ Accounts receivable department → enters receipts into the A/R subsidiary records. (Record)
■ Accounting department → enters receipts into A/R control account. (Record)
○ The accounts receivable department should match the details from the bank deposit ticket with the details
from the remittance advice.
■ Remittance advice → notice of payment sent by customer to seller.
○ Cash collections should be restrictively endorsed upon receipt and deposited daily.
○ Devices such as cash registers and lockboxes should be used as safeguards.
■ Lockbox → customer sends money directly to the company's bank who then deposits the money into
the company’s account, and sends copies of checks to the company.
● Used to reduce the amount of people that handle the cash/payment.

Page 161 of 350

● Sales Flowchart (visual for Sales + A/R internal controls explanations above)

○ Notice how write offs are approved by the treasurer.

○ Notice how billing matches documents.

● Collections Flowchart (visual for Cash internal controls explanation above)

Page 162 of 350

 ○ Notice how under both record keeping duties, documents are matched.

Performing Specific Procedures - Revenue Cycle

● Existence is generally a more relevant assertion than completeness for the revenue cycle.
○ Risk of sales/receivables being OVERSTATED (existence) is high.
○ Risk of sales/receivables being UNDERSTATED (completeness) is lower.
● Some ways examiners may ask questions:
○ Provide an auditing procedure and ask for the assertion.
○ Provide the assertion and ask for the most likely auditing procedure.
○ Provide objective and need to determine assertion and/or procedure.
○ Ex) auditor wants to ensure all sales are recorded → Completeness → look for procedures for tracing.

● Auditing Sales Transactions

○ Completeness
■ Source to Records = Test of Completeness
■ Trace shipping documents (source) → sales invoice (records) → sales journal (records).
○ Cutoff
■ Compare invoices from just before and after year-end with:
● Shipment dates; and

Page 163 of 350

 ● Dates the sales were recorded.
■ Ex) Items shipped FOB shipping point after year-end should be excluded from sales for current year.
■ Ex) Look at the last five sales of the year and the first five sales of the next year.
■ Goal) ensure sales for the year under audit are included and next year sales are not.
○ Valuation, Allocation, and Accuracy
■ Compare prices on invoices with authorized price lists.
○ Existence and Occurrence
■ Records to Source = Test of Existence
■ Vouch sales transactions from the sales journal (record) → customer order (source) → shipping
documents (source).
○ Understandability of Presentation and Classification
■ Examine invoices for proper classification.

● Auditing Accounts Receivable

○ Completeness
■ Trace the total from the A/R aging (small records) to the general ledger (large records).
○ Valuation, Allocation, and Accuracy
■ Test the adequacy of the allowance for doubtful accounts.
○ Existence and Occurrence
■ Confirm a sample of accounts receivable.
○ Rights and Obligations
■ Review bank confirmations.
■ Inspect debt agreements.
■ Read board minutes for evidence that receivables have no liens, and have not been factored or sold.

● Accounts Receivable Confirmations (**Very important topic on this exam**)

○ Accounts receivable confirmation is a generally accepted auditing procedure that's usually required unless:
■ Receivables are immaterial;
■ Confirmation would be ineffective; or
■ Inherent and control risks are very low, and other evidence provided is sufficient to lower audit risk.
○ Confirmations provide evidence for:
■ Existence
■ Rights and Obligations
○ Confirmations do NOT provide evidence for:
■ Valuation → customers may confirm a balance owed, even though they may not pay it.
■ Completeness → customers won’t want to report understatement errors in their accounts.
○ There are two types of confirmations:
■ Positive confirmations
■ Negative confirmations

○ Positive Confirmation (Filled-in)

■ Auditor sends a confirmation to a client’s customer asking them to confirm a specified amount.
Page 164 of 350
 ■ Auditor asks for a response from the customer.
■ Customers will indicate whether the stated amount in the confirmation is correct or incorrect.
● If incorrect, the customer is asked to show the proper amount.

■
○ Positive Confirmation (Blank)
■ Auditor sends a confirmation to a client’s customer asking them to FILL-IN the amount in their records.
■ Benefits → provides greater degree of assurance.
■ Limitations → requires greater effort by recipient and has a lower response rate than filled-in.

Page 165 of 350

 ■

○ Negative Confirmations
■ Auditor sends a confirmation to a client’s customer to confirm a specified amount.
■ Auditor states to NOT respond unless the amount indicated is incorrect.
● No news is good news.
■ Used when:
● RMM is low.

● A large number of small account balances are being confirmed.

● There is no reason to expect that recipients of the requests will ignore them.

Page 166 of 350

 ■

○ When confirmations are received back:

■ Confirmed exact amount listed → no problem
■ Confirmed with difference in amount given → investigate:
● Was there a misstatement?

● Was there actually an issue?

● Was it due to timing differences (received check after year end)?

○ Confirmation Non-Responses
■ Typically, another confirmation may be sent.
■ If the response is not received, perform alternative procedures such as:
● Inspecting shipping documents

● Reviewing subsequent cash receipts

■ Typically, sales orders or purchase orders are not persuasive enough to prove existence of A/R.

● Exam Tips
○ Put yourself in the question. Think about how could you be convinced that the account or transaction
assertion has been met?
○ Be familiar with the assertions and the common related procedures.

Page 167 of 350

 ○ Be familiar with records and source documents by transaction cycle.
○ Read all answer choices carefully.
○ Don’t be afraid to choose answer choices that have similar or exact wording as the question.

● Notes from MCQs

○ Confirmation of accounts receivable is required if the receivable balances are material to the financial
statements.
○ The two documents most likely to be created from the revenue cycle are credit memos and sales invoices.
○ Tracing from little to big = testing for completeness
■ Ex) Tracing from shipping documents to sales invoices
○ Tracing from big to little = testing for existence
■ Ex) Tracing from sales invoices to shipping documents
○ A sales cut-off test is used to detect:
■ Unrecorded sales → shipments where no invoice was generated
■ Sales allocated to the wrong period → January sales recorded in December (“holding books open”).
○ Email responses to confirmations create the risk that the response is either tampered with or inauthentic.
■ Request that the senders mail the original forms to the auditor for their response.
■ Emails can be accepted, but auditors should verify them, such as calling the respondent directly.
○ Including a list of items or invoices that constitute a customers’ account balance could help improve response
time and rate to confirmations.
○ Blank confirmations are preferable to be sent to those who don’t give careful consideration to details.
■ This way, the recipient cannot simply sign off without checking the balance.
○ When testing accounts receivable balances rather than individual invoices, it would be beneficial to include a
client-prepared statement of accounts that shows the details of the account balances.
■ This way, confirmation recipients can more easily verify the receivable balance.
○ Confirmation non-response actions could be:
1. Send another confirmation
2. Send (maybe) a third confirmation
Page 168 of 350
 3. Ask the client to get in contact with the confirmation recipient and ask them to reply.
4. Perform alternative procedures.

M2: Expenditure Cycle

● The chart at the beginning of “Revenue Cycle” will also help with expenditure cycles (assertions + procedures).
● This chart helps tie together the accounts, records, and sources for the expenditure cycle:

Internal Controls - Expenditure Cycle

● Purchases
○ The following three functions should be segregated:
1. Purchase Requisition
■ Begins the purchasing cycle.
■ A department in need of items sends a properly approved and serially numbered request to the
purchasing department.
■ The department requesting items should not have authority to place the order themselves.
2. Purchase Orders
■ Purchasing department should take bids from various suppliers before placing orders.
■ Once approved, purchase order is made, indicating the description, quantity, etc. for goods requested.
■ Purchased orders should be prenumbered.
■ Multiple copies of order are sent to:
● Requesting department

● The vendor

● Receiving department

● Accounting department
■ If the purchase is canceled, the copies should be recalled and filed.
3. Recipient of Goods or Services (Receiving Department = Custody)
■ The copy of the purchase order serves as authorization to accept the incoming goods.
■ The purchase order copy should not list the quantity of the goods, to force the receiving department to
count the goods.
Page 169 of 350
 ■ Description of the goods should be matched to the purchase order, and condition should be examined.
■ A receiving report is prepared and forwarded to the accounting department.
■ The goods are forwarded to the requesting department.

● Accounts Payable (Record Keeping)

○ Once the accounting department receives the receiving report, accounting will:
■ Record the payable;
■ Approve the invoice for payment; and
■ Record the payment after it is paid by the treasurer.
1. Recording the Payable
■ The copy of the purchase order sent to accounting notifies that there will be a future cash payment.
■ Receiving report is compared with the purchase order and vendor’s invoice to confirm quantity and
prevent overpaying.
■ The accounting department records the goods as received in inventory and records a payable.
2. Approving Invoice for Payment and Recording Payment
■ When the invoice arrives, the invoice, purchase order, receiving report, and requisition are matched.
■ When payment is made, the payable is reversed.
■ Accounting department should ensure that the invoice amount is correct, and accurately reflects
discounts or returns before approving it for payment.

● Cash Disbursements
○ Ideally, invoices should be paid by check.
○ For effective controls, approving the payment and signing the checks should be segregated.
■ Accounting department → approve payment. (Record Keeping)
■ Treasurer → sign check. (Custody)
○ Approved voucher packets prepared by the accounting department are sent to the treasurer, who
prepares, signs, and mails the checks.
■ Voucher packets → matched invoice, purchase order, receiving report, and requisition.
○ After signing and mailing the check, the treasurer will cancel all supporting documents after payment.
■ Essentially, the treasurer is going to stamp “PAID” on the voucher packet.
■ Helps to ensure the vendor is only paid once.
○ Paid vouchers are returned to the accounting department to record payments and file documents.

● Expenditures Flowchart (visual for internal controls explanation above)

Page 170 of 350

 ○ Note how documents are matched under accounts payable.
○ Note the voucher packet is created under accounts payable.

● A list of controls as well as potential tests of those controls are listed in the lecture/textbook, Michelle said you
can read through once, but don’t have to memorize.

Performing Specific Procedures - Expenditure Cycle

● Auditing Accounts Payable
○ Completeness → perform the following procedures.
■ Agree the accounts payable listing (small record) to the general ledger (large record).
■ Obtain a sample of vendor statements and agree to the vendor accounts.
■ Perform a search for unrecorded liabilities (example in lecture):
● Select cash disbursements made after year-end and examine supporting documentation.

● The auditor looks for items that should have been recorded at year-end but were not.

Page 171 of 350

 ○ Valuation, Allocation, and Accuracy
■ Obtain the accounts payable listing, foot the listing, and agree the listing to the general ledger.
■ Obtain a sample of vendor statements and agree the amounts to the vendor accounts.
■ Review the results of accounts payable confirmations (see below).
○ Existence and Occurrence
■ Vouch selected amounts from the accounts payable listing (record) to the voucher package (source).
■ Auditors may confirm the accounts payable.
● Confirmations are not required because strong external evidence for payables is available.

● Confirmations may still be sent if:

○ Internal controls are weak;
○ There are disputed amounts; or
○ Monthly vendor statements are unavailable.
● Typically, vendors with small or zero balances are selected for confirmations.

● Confirmations for payables primarily test for completeness but provide evidence of existence too.

● Accounts payable confirmations are usually positive blank confirmations.

● A limitation of payables confirmations is that they must be sent to vendors of record.

○ Therefore, unrecorded liabilities may not be detected since they are not recorded.
● Regardless, evidence of unrecorded liabilities will eventually surface when unpaid vendors stop
delivering goods.
○ Rights and Obligations
■ Review a sample of voucher packages for the presence of the purchase requisition, purchase order,
receiving report, and vendor invoice to verify the accounts payable owed.

● Auditing Purchase Transactions

○ Completeness
■ Trace a sample of vouchers (source) to the purchase journal (records).
■ Account for the prenumbered sequencing of purchase orders, receiving reports, and vouchers.
○ Cutoff
■ Compare dates on a sample of vouchers with the dates the transactions were recorded.
■ Examine purchases before and after year-end to determine if they were recorded properly.
○ Valuation, Allocation, and Accuracy
■ Recompute the mathematical accuracy of a sample of vendor invoices.
○ Existence and Occurrence
■ Test a sample of vouchers to confirm proper authorization and the presence of the receiving report.
○ Understandability of Presentation and Classification
■ Verify purchases are appropriately classified.
■ Read disclosures (should be in understandable, plain english).

Page 172 of 350

● Notes from MCQs
○ In auditing accounts payable, an auditor's procedures most likely would focus primarily on
completeness.
■ Understatement (completeness) is more common than overstatement (existence) for payables.
○ When nonconforming goods are returned to a vendor, the purchasing department should send a
debit memo to the accounting department to ensure that accounts payable is reduced.
■ Debit memo → used to reduce accounts payable.
■ Credit memo → used to reduce accounts receivable.
○ When using confirmations:
■ Completeness population = vendors with whom the entity previously did business.
■ Existence population = amounts recorded in the accounts payable subsidiary ledger.

M3: Cash Cycle

● Cash is an area with high fraud risk, especially when internal controls are weak.
● Lapping
○ Fraud scheme where an employee withholds funds received by a customer for personal use and doesn’t
reduce the customers receivable balance.
○ The unrecorded receipt is covered by applying the next receipt to the unrecorded amount.

○
○ To detect lapping, auditors should compare the dollar amounts on the dates on the deposit slip with
accounts receivable credits.
■ For example, in the picture on 05/03, $10 was deposited, but only $5 was credited.
○ Lockboxes are a great tool to use to prevent lapping.

● Kiting
○ Fraud scheme where cash is recorded in two places at once.
○ A check drawn on one bank is deposited in another bank and no record is made of the disbursement in the
balance of the first bank until after year-end.
Page 173 of 350
 ○
○ To detect kiting, a bank transfer schedule is prepared for any bank-to-bank transfers that occur near year-
end.
○ Kiting is identified when a transfer (bank) schedule or records (book) show a receipt date before or at year-
end and a recorded (book) disbursement date after year-end.
■ Receipt date → Dec. 27th

■ Disbursement date → Jan 2nd

● Controls Related to the Cash Cycle

○ Segregation of duties is a key control over cash.
○ Proper segregation demands close consideration be given to check-writing authority.
○ Cash handling (custody), record keeping, and reconciliation of bank statements should be separate.
○ Petty cash activities should also be separated.
○ A voucher system for cash disbursements is a strong internal control for cash.

Performing Specific Procedures - Cash Cycle

● Auditing the Cash Balance
○ Completeness, Valuation and Allocation, and Existence → Bank Confirmations and Bank Reconciliations
○ Bank Confirmations
■ Should be sent to all banks with which the client has done business during the year, even if 0 balance.

■ Bank confirmations are required for closed bank accounts as well.

■ Used to verify year-end balances.

■ Also contains evidence about:

● Actual loans

● Contingent liabilities

● Discounted notes

● Pledged collateral
Page 174 of 350
 ● Guarantee or security agreements
○ Bank Reconciliation
■ Year-end bank reconciliation for every account should be tested by:
1. Footing the bank reconciliation and the list of outstanding checks.
2. Agreeing the balance per the books to the general ledger.
3. Agreeing the balance per the bank to the balance per the bank confirmation.
4. Agreeing deposits in transit and outstanding checks to the cutoff bank statement.
■ Cutoff Bank Statement:

● Obtained from the bank and covers the first 10 to 15 days of the period after year-end.

● Reconciling items typically clear during the 10 to 15 day period.

● Any item that does not should be investigated further.

■ Items on a bank reconciliation:

● Deposits in transit and Outstanding checks = Records

● Balance per Books = Records

● Bank charges and NSF Checks = Source (bank statement)

● Balance per Bank = Source (bank confirmation)

● Auditing Cash Receipts and Cash Disbursements

○ Completeness
■ Cash receipts → trace a sample of remittance advices (source) to cash receipts journal (records).

■ Cash disbursements → trace a sample of canceled checks to the cash disbursements journal.
○ Cutoff
■ Verify the cutoff of cash receipts and disbursements shortly before and after year-end.
○ Valuation, Allocation, and Accuracy
■ Foot the remittance advices and entries on the deposit slip and agree to the cash receipts journal and
bank statement.
○ Existence and Occurrence
■ Vouch a sample of entries in the cash receipts journal to remittance advices, deposit slips, and the bank
statement.
○ Understandability of Presentation and Classification
■ Examine a sample of remittance advices and canceled checks for recording in the proper account.

Page 175 of 350

● Notes from MCQs
○ For the most effective internal control, monthly bank statements should be received directly from
the banks and reviewed by the internal auditor.

Page 176 of 350

 M4: Inventory Cycle
● Controls Related to the Inventory Cycle
○ The following duties should be segregated:
1. Purchasing
■ Serially numbered, properly approved purchase orders should be prepared and issued to receiving and
account departments.
2. Receiving
■ Receiving department is solely responsible for receipt of goods.

■ Responsible for verification of quantity received, detection of damaged goods, preparation of receiving
report, and delivery of goods received to the warehouse department.
■ Quantity ordered should not be shown on the receiving department's copy of the purchase order.

● To force the receiving department to count the goods.

3. Warehouse
■ Warehouse department acts as custodian for the verified quantity of goods received.
4. Shipping
■ Shipping department is responsible for shipment of goods after authorization.

■ Authorization can be in the form of an approved sales order from the credit department.

Performing Specific Procedures - Inventory Cycle

● Auditing the Inventory Balance
○ Observation of the beginning and ending physical inventory counts is a required audit procedure.
○ This observation acts as a dual-purpose test in that it gives evidence about:
■ Internal Controls

● Evaluate management's instructions and procedures for the inventory count.

● Observing the performance of management's count procedures.

■ Substantive Tests

● Inspecting the inventory to ascertain its existence and condition.

● Performing test counts → auditor watches the client count the items.
○ Test count may also be known as auditor count
○ An auditor who is not present to observe the physical inventory must use alternative procedures to justify
any opinion expressed.
■ This is acceptable when it is impractical or impossible to observe inventory or inventory is not material.

Page 177 of 350

 ○ If the company maintains a well-held perpetual inventory system and performs physical cycle counts
throughout the year:
■ The auditor may observe the inventory before or after year-end if necessary.

■ If inventory counting is done at a date other than the date of the financial statements, evidence about
changes in inventory between the count date and financial statement date should be obtained to
ensure proper recording.
■ If assessed level of control risk is too high, observation procedures should be performed at year-end.
○ Inventory held off-site in public warehouses or on consignment:
■ Significant → observe the inventory count.

■ Insignificant → sending confirmations of inventory is sufficient.

● Auditing the Inventory Cycle

○ Completeness (scenario given below)
■ Auditor walks the warehouse floor (source), and selects a random piece of inventory.

■ Once selected, the auditor will trace that selected inventory to the inventory listing (records).

■ This same scenario can also be done with inventory tags (each piece of inventory is typically tagged).

■ Select a random inventory item → trace its inventory tag (source) to the tag listing (records).
○ Valuation, Allocation, and Accuracy
■ Test the mathematical accuracy of the inventory report and reconcile it to the general ledger inventory
accounts.
■ Inquire about and be alert for obsolete or damaged goods.

● Ex) some boxes may look damaged or be dusty.

■ Scan records for slow-moving items (e.g., may use turnover ratio to help identify).

● Ex) think of technology and how quickly they can become obsolete, such as iPhones).

■ Examine vendor invoices, review direct labor rates, test overhead rate computations, and examine
standard cost variance analysis.
○ Existence and Occurrence
■ The same scenario depicted for Completeness can be used here, but BACKWARDS.

■ Select a random inventory item from the inventory listing (records).

■ Go to the warehouse floor (source), and find the item to verify that the listing is correct.

■ The same thing can be done with inventory tags.

Page 178 of 350

 ○ Rights and Obligations
■ Ascertain that consigned inventory on hand is EXCLUDED from the physical inventory count.

■ Confirm consigned goods in the hands of consignees are INCLUDED in inventory balances.

● Company goods given to someone else to sell on their behalf is still the company's inventory.
○ Understandability of Presentation and Classification
■ Read all inventory-related disclosures to ensure that they are understandable.

■ Review inventory records for proper classification between:

● Raw materials

● Work in process

● Finished goods

■ Review inventory disclosures to ensure proper disclosure of pledged or assigned inventory.

● Notes from MCQs

○ Performing cutoff procedures for shipping and receiving may be used for testing the completeness
assertion as it applies to inventory.
■ Provides assurance that goods in transit (shipped or received) are appropriately included or
excluded from inventory.

Page 179 of 350

 M5: Investment Cycle
● Controls Related to the Investment Cycle
○ ARC should be segregated.
○ Authorization → board of directors should authorize the purchase or sale of investments.
○ Custody → independent third-party custodian holds the actual investment.
■ Ex) when investing in stocks or bonds, a stock broker like Fidelity might hold the investment.

■ Investments, such as gold, may be held in a safe-deposit box.

■ At a minimum, the safe deposit box should have joint control by two company officials.
○ Record Keeping → separate party from the actions above to keep detailed records of investments.
■ No access to custody of investments.

■ No authority to purchase or sell investments.

Performing Specific Procedures - Investment Cycle

● Auditing the Investment Balance
○ Completeness
■ Perform a search for unrecorded purchases of securities by examining the transactions for a few days
after year-end.
● Transactions after year-end → Purchase relates to year under audit? → If yes, verify records.
○ Valuation, Allocation, and Accuracy
■ Obtain and foot a listing of investments by category and agree the totals to the general ledger.

■ Obtain evidence supporting the quoted year-end fair value by comparing assigned values to prices
published by various sources or obtained from a third party.
● Ex) using Yahoo finance to search the stock, and multiply its closing price to # of stocks.

■ Recalculate the ending values of investments not reported at fair value.

● Ex) Held–to-maturity should be valued at amortized cost.

■ Determine whether any permanent impairment in the value of individual securities occurred.
○ Existence
■ Held by third party → request confirmations from the custodian for securities in their possession.

■ Held on hand → examine securities in a safe deposit box, such as gold bars.

● Auditor records details of count on a worksheet and requests acknowledgement by client that the
securities were returned intact.
○ Rights and Obligations

Page 180 of 350

 ■ Confirmation of securities and count of securities on hand provide evidence of the entity’s ownership.

● Auditing Investment Transactions

○ Completeness
■ Perform analytical procedures testing the reasonableness of dividend and interest income to determine
that all investment income has been recorded.
○ Cutoff
■ Perform cutoff to ensure that purchases, sales, and investment income were recorded in the proper
period.
○ Valuation, Allocation, and Accuracy
■ Make independent calculations to determine the validity of recorded gains/losses from security sales
and of discount/premium amortization.
■ Recalculation should be made to determine the accuracy of recorded dividend and interest income.

● Investment income from dividends may be recalculated by comparing recorded income with
dividend records provided by investment advisory services, such as Moody’s.
○ Existence and Occurrence
■ The analytical procedures performed to test completeness also provide evidence of existence.
○ Understandability of Presentation and Classification
■ Examine a sample of investment transactions to determine that the transactions were recorded in the
proper accounts.

Auditing Particular Types of Investments

● Marketable Securities
○ Marketable securities → equity securities (stock) and debt securities (bonds).
○ Classified as either trading or available-for-sale over which the investor has no significant influence.
○

■ Classification of Level 1, 2, or 3 should be disclosed in the footnotes.

○ Held-to-maturity debt securities should be carried at amortized cost.

● Investment in Securities
○ Equity Method

Page 181 of 350

 ■ Used to account for investments if significant influence can be exercised by the investor over the
investee.
■ A company that owns 20 to 50 percent of voting stock of another “investee” company is presumed to
exercise significant influence.
■ Investment income is recorded on the income statement.

■
○ How to verify:
■ Obtain and read the financial statements and audit report of the investee (ABC Company).

■ Recalculate and compare with the equity in investee income amount on the financial statements.

○ Additional Considerations
■ If the financial statements are not audited or if the audit report is unsatisfactory, request that the
entity arrange with the investee to have the financial statements audited.
■ If the carrying amount of the investment reflects factors that are not recognized in the investee’s
financial statements or fair values that are materially different from the investee’s carrying value
amounts, obtain evidence regarding such amounts.
■ If the difference between the financial statement periods of the entity and the investee could have a
material effect on the financial statements:
● Determine whether management has considered the lack of comparability; and

● Determine the effect, if any, on the auditor’s report.

● Measuring Fair Value

○ A three-level hierarchy is used to measure fair value:
○ Level 1 → observable quoted prices in active markets for identical assets or liabilities.
■ Ex) stocks
○ Level 2 → observable inputs other than quoted market prices for identical assets or liabilities.
■ Similar assets or liabilities in active markets, or identical or similar assets in inactive markets.

■ Ex) valuing real estate

○ Level 3 → unobservable inputs using estimates and valuation methods, such as discounted cash flow,
determined based on management’s judgments.
■ May use estimates from third-party sources.
Page 182 of 350
● Management’s Responsibility
○ Management is responsible for making fair value measurements and disclosures in accordance with GAAP.
○ Management should use the appropriate valuation method when using Level 3 to estimate fair value.
■ The method should incorporate reasonable assumptions that a market participant would use.

● Auditor’s Responsibility
○ Understand the entity’s process for determining fair value and disclosures, and the applicable framework.
○ Understand identified controls.
○ Separately assess the inherent risk and control risk related to the fair value measurement.
○ Evaluate whether the methods, data, and assumptions used are reasonable and follow GAAP.
○ Consider the need for a specialist.
○ Evaluate the fair value measurement for indicators of management bias.
○ Evaluate whether the fair value measurement disclosures follow GAAP.
○ Evaluate the sufficiency and appropriateness of evidence obtained.
○ Obtain relevant management representations.
○ Communicate relevant matters to those charged with governance.

● Testing Fair Value Measurement and Disclosures

○ Verify quoted market prices.
○ Determine whether management’s significant assumptions are reasonable for fair value.
■ Understand any changes from the prior period.
○ Consider management’s intent and ability to carry out actions that may affect fair values.
○ Determine whether modifications made to observable information reflect assumptions that market
participants would use when pricing the instrument.
○ Evaluate whether the valuation model is appropriate given the entity’s circumstances and the applicable
framework.
○ Test the underlying data for relevance, reliability, and susceptibility to management bias.
○ Develop an auditor’s point estimate or range.
○ Review subsequent events and transactions (before auditor’s report date) for evidence regarding fair value.
○ Consider the use of a specialist.
■ If used, the auditor must understand the methods used to determine fair values.

● Pricing Services
○ Determine whether modifications made to observable information reflect assumptions that market
participants would use when pricing the instrument.
○ Auditors may obtain evidence about fair value by obtaining pricing information from organizations that
routinely provide such information.
○ Reliability of pricing services is affected by the experience and expertise of the service, the methodology
used, and whether the service has a relationship with the client.

Page 183 of 350

 ■ Closer relationship = less persuasive evidence.
○ When using information from multiple pricing services, less information is needed about the particular
methods and inputs used.
■ More services used = better comparison between the services and the client.

● Broker-Dealers
○ If fair value measure is based on a quote from a broker or dealer, the relevance and reliability is based on:
■ The broker or dealer is a market maker for similar instruments.

■ The broker or dealer has a relationship with the entity.

● Impairment Indicators
○ Impairment → loss resulting from a decline in fair value that is other than temporary.
■ Impairments may need to be recorded.
○ Indicators:
■ Fair value is significantly below cost and decline has existed for an extended period of time.

■ The security has been downgraded by a rating agency.

■ The financial condition of the issuer has deteriorated.

● Notes from MCQs

○ Auditors usually test the reasonableness of dividend income from investments in publicly-held companies
by computing amounts that have been received by referring to dividend record books produced by
investment advisory services, such as Moody’s.
○ If an auditor is unable to count the securities in a safe deposit box at the balance sheet date, the auditor
will most likely request the client to have the safe deposit box cleared until the auditor can count the
securities at a later date.
○ Under the equity method, amortization (excess of cost over book value) reduces investment income.
Therefore, if amortization is calculated incorrectly, such as too high, return on investment will be lower.
○ GAAP specifies that, in order to qualify for hedge treatment, the entity must demonstrate and disclose
features including risk exposure. Therefore, an auditor would need to examine for this specific feature.

Page 184 of 350

 M6: Other Transaction Cycles
Property, Plant, and Equipment Cycle
● Controls Related to the PP&E Cycle
○ Internal controls for PP&E includes the controls in both the revenue and expenditure cycles, as well as:
○ Acquisition
■ A special requisition form is generated for acquisitions.

■ The form includes a description, reason for acquisition, amount to be charged, and probable cost.

● This should be approved by top management.

■ Board of directors should approve acquisitions for assets over a certain amount.
○ Subsidiary Ledgers
■ Detailed information concerning each asset is kept in the subsidiary ledger.

■ Usually information including the asset’s description, ID number, location, acquisition date, cost,
depreciation method, and amount of depreciation can be found in this ledger.
○ Physical Security
■ Fixed assets should have ID plates.

■ The serial number on the plate should be listed in the control account.

■ Comparison of serial number on the ID plate to the control account should be made.

■ Physical controls to safeguard assets from theft, destruction, or unauthorized disposition should be in
place, including periodic physical inspection of plant and equipment.
○ Written Policies
■ Written depreciation policies and records should be maintained.
○ Disposition
■ Retirements of assets should be documented on a sequentially numbered work order.

■ Document should contain evidence of proper authorization and reason for retirement.

● Auditing the Property, Plant, and Equipment Balance

○ Completeness
■ Obtain a fixed asset schedule (records-smaller) and agree total to the general ledger (records-larger).

■ Obtain a schedule of additions and dispositions and agree amounts to the fixed asset schedule.

■ Select a sample of actual fixed assets (source) and trace it to the fixed asset schedule (records) and
subsidiary ledger (records).
○ Valuation, Allocation, and Accuracy

Page 185 of 350

 ■ Recalculate accumulated depreciation for reasonableness.

■ Evaluate fixed assets for impairment by examining the entity’s document impairment analysis.
○ Existence and Occurrence
■ Vouch additions to the fixed asset accounts (records) by:

● examining internal documents (source) (i.e., asset requisition form);

● examining external documents (source) (i.e., invoice); and

● inspecting the actual asset (source).

■ Select older fixed assets from the subsidiary ledger (records) and then locate those assets (source) as a
means of testing for unrecorded retirements.
● Remember! → Unrecorded retirements = test of existence = records to source.
○ Rights and Obligations
■ Examine invoices, deeds, and title documents to confirm ownership of fixed assets.

● Auditing Property, Plant, and Equipment Transactions

○ Completeness
■ Trace a sample of fixed asset purchase requisitions (source) to receiving reports (source) and the fixed
asset subsidiary ledger (records).
■ Review repair and maintenance expense accounts to test for completeness of asset additions.

● Sometimes clients will expense items that should have been capitalized.

● Why? → maybe pay less taxes, or not have to worry about calculating depreciation.
○ Cutoff
■ Review fixed asset purchases and dispositions from shortly before and after year-end.

● There is sometimes an overlap between the cutoff and completeness assertion.

● If looking at items right before year-end to ensure they are included, could be considered a
completeness test.
○ Valuation, Allocation, and Accuracy
■ Recalculate depreciation expense amounts for reasonableness and conformity with GAAP.

■ Gains and losses and the removal of accumulated depreciation for fixed assets sold or retired should be
tested for reasonableness.
○ Existence and Occurrence
■ Vouch a sample of purchases (records) to the receiving report (source) and vendor invoice (source).

Page 186 of 350

 ■ Vouch a sample of dispositions (records) to the asset retirement form (source) and other supporting
documentation (source).
○ Understandability of Presentation and Classification
■ Review lease transactions for proper classification.

● Finance should be classified as finance lease, operating as operating lease.

● Example of a fixed asset roll forward, to tie everything together:

Payroll and Personnel Cycle

● Service Organizations
○ Many entities use service organizations to process payroll transactions.
○ A service organization's services are considered to be part of a user entity’s information system when those
services affect the user company’s transactions including initiation, execution, processing, and reporting.
○ Controls used by the service organization are considered to be a part of the user’s information system.

● Segregation of Duties
○ Authorization to Employ and Pay
■ Human resources department should hire new employees and maintain personnel records containing
hire date, department, salary, and position.
○ Supervision
■ All pay base data (hours, sick days, vacation) should be approved by an employee’s supervisor.
○ Timekeeping and Cost Accounting

Page 187 of 350

 ■ Data on which pay is based should be accumulated independent of any other function.

■ Hourly employees should use time clocks to clock in and out.

○ Payroll Check Preparation
■ Payroll department computes salary based on information received.

■ If a service organization is not used, this department is responsible for issuing the unsigned payroll
checks that are to be signed by the treasurer or CFO.
■ If a check signature plate is used to sign the payroll checks, the treasurer or CFO should supervise.

■ There should be controls over access to blank checks and check signature plates.

■ The payroll department is a record-keeping department, so they should not have the authority to
initiate changes in hours or rates, nor the ability to sign checks.
○ Check Distribution
■ Payroll checks are typically deposited directly into employees’ bank accounts.

■ If paychecks are manually given, then checks should be distributed by a person who has no other
payroll function.

● Evaluating the System of Internal Control

○ The auditor should evaluate whether controls provide reasonable assurance that only valid employees are
being paid, that payment is for actual hours worked, and that the correct rate of pay is used.
○ Observe segregation of duties between HR responsibilities (authority) and payroll distribution (custody).
○ Compare personnel records for each department with actual time cards and the employees actually
working in each department.
○ Observe payroll distribution on an unannounced basis to ensure that all personnel being paid are actually
employed by the company.
○ Observe the use of time clocks and investigate times cards not used.
○ Test general and application controls to ensure that payroll transactions are valid, properly authorized, and
completely and accurately recorded.

● Auditing the Payroll Accrual

○ When internal controls over payroll are effective, the auditor generally focuses substantive procedures on
analytical procedures and the recalculation of payroll accruals.
○ When internal controls cannot be relied upon, the auditor generally performs tests related to
completeness, existence, and rights and obligations.
○ Completeness
■ Test the completeness of the payroll accrual when performing the search for unrecorded liabilities.
○ Valuations and Allocation
■ Recalculate any year-end payroll accrual and compare the calculated amount to the reported accrual.

Page 188 of 350

 ○ Existence
■ Vouch amounts from the client’s calculation of the payroll accrual (records) to supporting
documentation (sources/records, such as time cards and employee files).
○ Rights and Obligations
■ Examine supporting documentation (employee file) to verify that the payroll accrual is an obligation to
the entity.

● Auditing Payroll Transactions

○ Completeness
■ Trace a sample of time cards (source) to the payroll register (records).
○ Cutoff
■ Examine a sample of time cards from before and after year-end and compare with the payroll report to
determine if transactions were reported in the proper period.
○ Valuation, Allocation, and Accuracy
■ Compare total recorded payroll with the total payroll checks issued.

■ Test extensions and footings of payroll.

■ Verify pay rates and payroll deductions with employee records from personnel.

■ Recalculate gross and net pay on a test basis.

■ Compare payroll costs with standards or budgets.

■ Recompute the accuracy of a sample of paychecks.

○ Existence and Occurrence
■ Vouch time on payroll summaries by selecting a sample of payroll register entries (record) and
comparing with time cards and approved time reports (source).
○ Understandability of Presentation and Classification
■ Examine a sample of paychecks for classification into the proper expense accounts.

Financing Cycle
● Controls Over Debt (e.g., bonds)
○ Authorization of new debt financing by the board of directors or management.
○ Adequate controls over interest and principal payments and recording of bond premium and discount
amortization amounts.
○ Adequate documentation of all financing agreements.
○ Detailed records of long-term debt and periodic independent verification of amounts between the ledger,
details of debt, and the note holders’ records.

● Controls Over Equity (e.g., stocks)

Page 189 of 350
 ○ All stock issuances, dividend declarations, and treasury stock purchases must be authorized by the board of
directors.
■ Evidence should be recorded in the board meeting minutes.
○ Many large entities use a stock transfer agent who ensures that stock issuances comply with the articles of
incorporation, prepares stock certificates, and maintains records of shares authorized, issued, and
outstanding.
○ If a stock transfer agent is not used, the following controls should be implemented:
■ Periodic independent reconciliation of the stock certificate book with the number of shares outstanding.

■ An office of the entity should ensure that stock transactions comply with the articles of incorporation
and regulatory requirements, and should maintain the stock certificate book.

● Auditing the Debt Balance

○ Completeness
■ Review board minutes for evidence of new debt, obtain new debt agreements, and trace all new debt
contracts (source) to the financial statements (record).
■ Obtain a listing of all debt (records-smaller) and agree the total to the general ledger (records-larger).

■ Inquire of management regarding new debt and any off-balance sheet financing transactions.

■ Trace debt on bank confirmations to the debt agreements and the financial statements.

■ Notes and bonds should be confirmed directly with creditors.

○ Valuation and Allocation
■ Recompute any interest payable and the amortization of premiums or discounts.

■ Examine new debt agreements to determine whether they were recorded at the proper amount.
○ Existence
■ Confirm notes or bonds directly with the creditors or custodian.
○ Rights and Obligations
■ Examine note and bond agreements to verify that they are the obligations of the entity.

● Auditing Debt Transactions

○ Completeness
■ Examine new debt agreements (source) and the board minutes (record) for evidence of new
agreements.
● Review interest expense for payments to debt holders not included in the debt listing.
○ Cutoff
■ Review debt activity shortly before and after year-end to ensure proper period.
Page 190 of 350
 ○ Valuation, Allocation, and Accuracy
■ Test a sample of debt receipts and payments and compare interest expense to the debt balance for
reasonableness.
○ Existence and Occurrence
■ Verify the existence of new debt by reviewing board minutes (record) for evidence of new agreements
and then inspecting the agreements (source).
○ Understandability of Presentation and Classification
■ Examine the due dates of notes and bonds to determine whether the debt should be classified as short
term or long term.

● Auditing the Equity Balance and Transactions

○ Completeness
■ If the client uses a stock transfer agent, third-party confirmations should be used to provide evidence
of the completeness of shares authorized, issued, and outstanding.
■ If a client does NOT use a stock transfer agent, the primary source of evidence of completeness is the
stock certificate book.
○ Valuation
■ Recompute the value assigned to stock transactions during the period.

■ Review the propriety of any direct entries to retained earnings.

■ Analyze the retained earnings account from inception (or since the last audit).
○ Existence and Occurrence
■ Vouch transactions recorded during (records-higher) the current period to board minutes (records-lower).

■ The transfer agent confirmation and inspection of the stock certificate book also provides existence.
○ Understandability of Presentation and Classification
■ Determine whether there are restrictions on retained earnings resulting from:

● Loans, agreements, or state laws.

■ Inquire of management regarding any appropriations of retained earnings.

■ Restrictions and appropriations must be properly disclosed.

● Notes from MCQs

○ When auditing prepaid insurance, and the original policy on plant equipment is not available for inspection,
the absence most likely indicates the possibility of a lien on the plant equipment.

Page 191 of 350

○ An auditor may review the reconciliation of payroll tax forms that a client is responsible for filing in order to
identify potential liabilities for unpaid payroll taxes.
○ In auditing payroll, an auditor would most likely compare payroll costs with entity standards or budgets.

Page 192 of 350

 M7: Misstatements and Internal Control Deficiencies
● Identification of Misstatements
○ The auditor accumulates misstatements identified, other than those that are clearly trivial.
○ Clearly trivial → items that are inconsequential, both individually and in the aggregate.
■ Ex) an account is off by $1
○ The auditor may designate the clearly trivial amount themselves (it will be given on the exam).

● Evaluation of Misstatements
○ The auditor gathers all misstatements found (other than clearly trivial) and presents them to management.
○ Management will then choose whether to incorporate the correcting journal entries or not.
○ Uncorrected misstatements that management does not do are placed on the Summary of Unadjusted
Misstatements.
○ The auditor must consider the effects, both individually and in the aggregate, of uncorrected
misstatements.
○ The auditor must evaluate the materiality of all misstatements found, both quantitative and qualitatively.
○ Quantitative → if aggregate misstatements exceed overall materiality, could result in modified opinion.
○ Qualitative → may cause an otherwise immaterial misstatement to be deemed material.
■ Affect trends in profitability, mask a change in trend, or change a loss into income (or vice versa).

■ Misstatements affect compliance with loan covenants, contracts, or regulatory requirements.

■ Misstatements increase management compensation, indicate bias, or involve fraud or illegal acts.

■ Include a misclassification between certain account balances (e.g., between operating and
nonoperating income).
■ They are currently immaterial, but will have a material effect in the future.

■ Misstatements appear too costly to correct.

● Auditor’s should question whether this is actually true.

● Misstatements and Management Bias

○ When evaluating audit findings, the auditor should consider any potential bias in management’s judgments
about the amounts and disclosures in the financial statements.
○ Examples:
■ Selective correction of misstatements.

■ The identification of additional adjustment entries by management that offset misstatements brought
by the auditor.
○ Always keep a professional skepticism mindset and look out for evidence of management bias.

● Documentation Requirements

Page 193 of 350

 ○ The amount below which misstatements are clearly trivial.
○ All misstatements gathered during the audit and whether or not they have been corrected.
○ Auditor’s conclusion about if uncorrected misstatements are material and the basis for that conclusion.

○ Documentation of uncorrected misstatements should include:

■ The aggregate effect on the financial statements.

■ The evaluation of whether the materiality level or levels for particular transactions, balances, or
disclosures, if any, have been exceeded.
■ The effect of uncorrected misstatements on key ratios or trends and complacent with legal, regulatory,
and contractual requirements.

● Effect of Identified Misstatement on Assessment of Control Risk

○ The auditor must evaluate the type and cause of misstatements discovered to determine if the assessment
of control risk is appropriate.
○ Consider:
1. The frequency with which the misstatement occurred;
● Ex) If the control risk was assessed at low, and there are misstatements, it may indicate an
inaccurate assessment of control risk.
2. The effect of other audit areas; and
3. The financial statement implications.
○ The audit risk model may require reassessment and implications on the entire audit must be considered.
■ Ex) sample sizes used.

● Adjusting Journal Entries

○ Misstatements can be corrected using adjusting journal entries and such adjustments can impact any
account that appears in the financial statements.
■ Overstated accounts will need its natural balance decreased.

■ Understated accounts will need its natural balance increased.

○ Ex) To reduce fictitious sales:
■ DR: Sales
CR: Accounts Receivable

○ Purchases
■ Questions related to purchases may require knowledge of free on board (FOB) shipping point and FOB
destination.
■ It’s important to note whether the client is the buyer or the seller to help determine whether
purchases (such as inventory) should be included or excluded from a balance.

Page 194 of 350

 ■ Shipping terms are important to consider as that can determine when journal entries are recorded by
the buyer and the seller.
■ FOB Shipping Point → as soon as the item is in the carrier’s truck, journal entries are recorded.

● In truck, buyer’s inventory and no longer seller’s inventory.

● Exam questions may indicate that there is inventory in the loading dock of the warehouse.

● If shipping FOB shipping point, the inventory is still the seller’s inventory until it's in the truck.

■ FOB Destination → item has to be at its destination for the journal entries to occur.

○ Perpetual Inventory
■ Inventory and sales are updated every time a sale occurs.

■ The seller records two journal entries:

● DR: Cash or accounts receivable

CR: Sales
● DR: Cost of Goods Sold
CR: Inventory

○ Periodic Inventory
■ Sales are recorded after every sale is made.

■ The seller records one journal entry:

● DR: Cash or accounts receivable

CR: Sales
■ The inventory is adjusted at the end of the period through a periodic count.

■ The formula used to calculate cost of goods sold is:

Page 195 of 350

 ● Beginning Inventory
+ Purchases
Cost of Goods Available for Sale
- Ending Inventory (based on the physical count)
Cost of Goods Sold
■ The journal entry at the end of the period (based on the formula) would be:

● DR: Cost of Goods Sold

CR: Inventory

○ Consignment
■ The auditor needs to know whether the client is the consignor or the consignee.

■ If the client is the consignee → inventory should be excluded from financial statements.

■ If the client is the consignor → inventory should be included in the financial statements.

● Notes from MCQs

○ An auditor’s evaluation of uncorrected misstatements for an audit should include evaluation of the effects
of uncorrected misstatements detected in both the prior year and current year.
○ Not disclosing related party transactions that are under quantitative materiality may still be considered
material based on qualitative terms.

M8: Written Representations

● Management Representation Letter
○ Three main purposes for obtaining a written representation for management:
1. To confirm representations explicitly or implicitly given to the auditor.
2. To indicate and document the continuing appropriateness of such representations.
3. To reduce the possibility of misunderstanding concerning matters that are the subject of the
representations.
○ The auditor should obtain this representation letter at the end of fieldwork.
○ Management should address the letter to the Auditor.

● Requirements
○ In the representation letter, the client asserts that all material matters have been adequately disclosed.
○ Final Piece of Evidential Matter
■ The letter is obtained at the end of the fieldwork and covers up to the date of the audit report.
Page 196 of 350
 ■ It should address all financial statements and periods covered by the report, even if current
management was not present during all periods.
● Ex) CEO was only there for 3 months, but they still must represent the entire period.
○ Letter is Mandatory
■ The auditor MUST receive the letter in order to give an unmodified opinion.

■ Refusal generally results in a disclaimer or withdrawal.

○ Dated Same Date as the Audit Report
■ Representation letter should be the same date as the audit report.

■ Occasionally, circumstances arise that prevent management from signing the letter.

■ When this occurs, the auditor may accept oral confirmation, either on or before the date of the
auditor’s report, that management has reviewed the final letter and will sign the letter without
exception as of the date of the auditor’s report.
■ Possession of the signed letter is necessary before releasing the audit report.
○ Signed by CEO and CFO
■ Members of management with overall responsibility for financial and operating matters, typically the
CEO (or president) and CFO, should sign the letter.
■ Other officers and employees may sign the letter, if asked.
○ Representations
■ In the letter, management provides information on the financial statements, the completeness of
information, recognition, measurement, and disclosure, and subsequent events.
○ Materiality
■ Representations may be limited to items that management and the auditor agree are material.

■ Materiality considerations do not apply to items not directly related to financial statement amounts.

● Ex) all minutes and all financial records should be made available to the auditor.
○ Doubt About the Reliability of Written Representations
■ If the auditor concludes that written representations are not reliable due to various concerns or
unresolved consistencies, the auditor should consider the effect on the audit opinion.
■ When the auditor concludes sufficient doubt on the integrity of management, disclaim or withdrawal.

● Contents of Representation Letter

○ The letter should include the following representations by management:
○ Financial Statements
■ The fair presentation of the financial statements in accordance with the applicable framework.
Page 197 of 350
 ■ The design, implementation, and maintenance of internal controls.
○ Completeness of Information
■ Management has provided the auditor with all relevant information and access.

■ All transactions have been recorded and reflected in the financial statements.
○ Fraud
■ Acknowledgement of management's responsibility for the design, implementation, and maintenance of
controls to prevent and detect fraud.
■ Management has disclosed its assessment of the risk of material misstatement from fraud.

■ Management has disclosed its knowledge of fraud or suspected fraud affecting the entity involving:

● Management, employees with significant roles with controls, or others.

■ Management has disclosed its knowledge of any allegations of fraud or suspected fraud.
○ Laws and Regulations
■ All instances of identified or suspected noncompliance with laws and regulations are disclosed to the
auditor.
○ Uncorrected Misstatements
■ Management believes that uncorrected misstatements are immaterial, individually or in the aggregate.

■ A summary of these items should be included in or attached to the letter.

○ Litigation and Claims
■ All known actual or possible litigation claims have been disclosed to the auditor.

■ They have been accounted for or disclosed in accordance with the applicable framework.
○ Estimates
■ Management believes the methods, assumptions, and data used are appropriate.
○ Related Party Transactions
■ Disclosure of the identity of all the entity’s related parties.

■ Management has appropriately accounted for and disclosed such relationships.

○ Subsequent Events
■ All events subsequent to the date of the financial statements have been disclosed or adjusted.
○ Additional Representations
■ Auditors should obtain other representations specific to the entity, if any.

■ Ex) impact of new accounting principle, impairment of assets, obsolescence of inventory, etc.

Page 198 of 350

● Additional Representation Regarding an ERISA Plan Financial Statements Audit
○ In addition to the representations above, the auditor should request the following representations:
○ Management has provided the auditor with the most current plan instrument for the audit period.
○ Acknowledgement of its responsibility for administering the plan and determining that the plan’s
transactions that are presented and disclosed are in conformity with the plan’s provisions, including:
■ Maintaining sufficient records with respect to each participant to determine benefits due.
○ When management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement that
managements election to do so does not affect its responsibility for the financial statements and for
determining whether:
■ An ERISA Section 103(a)(3)(C) audit is permissible under the circumstances;

■ The investment information is prepared and certified by a qualified institution;

■ The certification meets the requirements of the Department of Labor’s Rules and Regulations; and

■ The certified investment information is appropriately measured, presented, and disclosed in

accordance with the applicable framework.

● Written Representation Regarding Internal Control Over Financial Reporting

○ When performing an integrated audit, the auditor should obtain the following representations:
○ Acknowledgement of management’s responsibility for designing, implementing, and maintaining effective
internal controls over financial reporting, and states that management has performed an evaluation of
their effectiveness.
○ Affirmation that management did not rely on the auditor’s procedures as the basis for their assertion.
○ Confirmation that all significant deficiencies and material weaknesses have been disclosed to the auditor,
and indicates whether any deficiencies from previous engagements remain unresolved.
○ A description of any fraud that resulted in a material misstatement or fraud involving senior management,
or other key employees.
○ A statement of whether there were any significant changes to internal control after the “as of” date of the
report.

● Takeaways
○ General statements are included in the management representation letter.
○ Typically, you should be hesitant to select answer choices with absolutes (all, always, never, only).
■ However, answer choices related to management acknowledgement and disclosure may contain the
term “all” and be correct.
○ The management representation letter is where management, not the auditor, asserts their
representations made throughout the audit.
○ The management representation letter is mandatory. Refusal to provide the letter will generally result in a
disclaimer or withdrawal.

Page 199 of 350

● Notes from MCQs
○ Materiality limits would not apply to instances of fraud involving management.

M9: Communication With Management and Those Charged With Governance

● Those charged with governance → those who bear responsibility to oversee the obligations and strategic
direction of an entity, include the financial reporting process.
○ Generally the board of directors and audit committee.
● During the audit, the auditors have a responsibility to establish an effective two-way communication to those
charged with governance regarding:
○ The planned scope and timing of the audit.
○ Information held by those charged with governance that is relevant to the audit.
○ Observations arising from the audit that are relevant to the oversight of the financial reporting process.

● Control Deficiency
○ An auditor may uncover internal control deficiencies in an audit of only the financial statements.
■ While understanding internal controls process, or testing controls, if applicable.
○ Deficiency in design → a necessary control is missing or an existing control does not achieve the desired
objective.
■ Ex) purchasing department should obtain competitive bids, but does not.

■ The control to obtain competitive bids is missing.

○ Deficiency in operation → a properly designed control does not operate as designed or is performed by an
inappropriate person.
■ Ex) client has a control that the billing department matches shipping documents, sales orders, and
invoices, but they do not perform this match.
■ Control is designed well, but is not operating as designed.

● Deficiency Categorization (least worst to the worst)

○ Control Deficiency
■ Exists when the design or operation of a control does not allow management or employees, in the
normal course of performing their assigned functions, to prevent or detect and correct misstatements
on a timely basis.
○ Significant Deficiency
■ A deficiency, or a combination of deficiencies, in internal control that is less severe than a material
weakness, yet important enough to merit attention by those charged with governance.

Page 200 of 350

 ○ Material Weakness
■ A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable
possibility that a material misstatement of the entity’s financial statements will not be prevented or
detected and corrected on a timely basis.

● Indicators of Material Weakness (important)

○ Identification of any level of fraud (including immaterial fraud) perpetrated by senior management.
○ Restatement of previously issued financial statements to correct a material misstatement.
○ Identification by the auditor of a material misstatement that would not have been detected by the entity’s
system of internal control.
○ Ineffective oversight by those charged with governance (the company’s audit committee).

● Evaluation of Control Deficiencies

○ The auditor must evaluate the control deficiencies (both individually and in combination) to determine
whether they represent significant deficiencies or material weaknesses.
○ The severity of a deficiency, or combination, depends on:
■ The actual misstatement amount;

■ Likelihood (reasonable possibility) that controls will fail to prevent, detect, and correct the misstatement; and

■ Magnitude of the dollar amount and the volume of activity in accounts exposed to the deficiency.
○ Examiners tend to focus on magnitude and will provide the materiality amount for the student to
categorize the deficiency.

● Communication of Control Deficiencies

○

○ Even significant deficiencies and material weaknesses that were corrected during the audit should be
communicated in writing to management and those charged with governance.
○ Previously communicated significant deficiencies and material weaknesses that have NOT been corrected
should be communicated again, in writing, during the current audit by referring to the previously issued
written communication and the date of that communication.
○ Some of the communication letter contents may include:
Page 201 of 350
 ■ Restriction to management, those charged with governance, others in the organization, and any
required government authority.
■ No opinion is rendered on internal control.

■ Definition of material weakness, and the ones identified.

■ Definition of significant deficiencies, and the ones identified.

■ Optional: may communicate that no material weaknesses were identified.

■ May NOT communicate the absence of significant deficiencies.

● Additional Required Communication Content for ERISA Audit

○ The auditor should communicate reportable findings from the audit procedures performed related to the
plan’s provisions.
○ Such communication may be done either in a separate section, or however the auditor deems fit.
○ The written communication should include the following:
■ A description of the reporting finding.

● Ex) plan investing in funds that are against the rules of the plan.

■ Sufficient information to enable those charged with governance and management to understand the
context of the communication.
■ An explanation of the potential effects of the reportable findings on the financial statements of the
plan.
○ The auditor should not issue a written communication stating that no reportable findings were identified
during the audit.

● There is an entire video that gives a very high overview of the entire audit process for financial statements.
● The video essentially sums up all of A1-A4 in 6 minutes.
● Rather than trying to summarize everything, here are the steps of the entire audit process (go watch for details)
1. Engagement Acceptance
■ Ethics and independence (covered in A5-A6)

■ Terms of engagement
2. Assess Risk and Plan Response
■ Audit planning, including audit strategy

■ Materiality

■ Risk assessment procedures

● Understand the entity and its environment

Page 202 of 350

 ● Understand internal control

■ Identify and assess risk

■ Respond to Risk
3. Perform Procedures and Obtain Evidence
■ Test of controls, if applicable

■ Substantive testing
4. Form Conclusions
■ Subsequent events

■ Management representation

■ Evaluate audit results

■ Quality control-engagement
5. Reporting
■ Report on audited financial statements

■ Other reporting considerations

● Overall Tips for the Audit Exam

○ Read carefully!
○ Read all four choices before selecting your answer.
■ There might be good answers, but you need to select the best answer.

■ Explain to yourself why the correct answer choice is correct and why incorrect are incorrect.
○ Answer every question
■ If there are extreme opposites, one of the two might be the correct answer.

■ Be careful with answer choices that include absolutes (always, only, never, etc.)
○ Know where you are in the audit process (steps above).
○ Know whose perspective (management and auditor have different responsibilities).
○ Control the amount of time spent on each question.
○ Be familiar with the form and functionality of the exam.

● Notes from MCQs

○ The auditor should discuss with those charged with governance any significant disagreements with
management about matters that are significant to the financial statements or auditor’s report.

Page 203 of 350

 ■ Whether or not satisfactorily resolved.
○ All material weaknesses are also significant deficiencies.
○ Significant deficiencies can be communicated during or after the audit.

Page 204 of 350

 A5 – Integrated Audits, Attestation Engagements, Compliance, and Government Audits
M1: Integrated Audit Procedures
Conditions for Engagement Performance
● Under PCAOB standards, auditors of issuers (public companies) are required to perform an integrated audit.
○ Integrated audit → audit both the financial statements and effectiveness of internal controls.
● According to the Sarbanes-Oxley Act of 2002, a CPA firm:
○ Should render an opinion on the financial statements.
○ Must have a well-defined system of internal control.
● 499 of the Fortune 500 use the COSO version of Internal Control over Financial Reporting
○ “CRIME” mnemonic.
● SOX also mandates that the CPA firm that audits your financials also does the assessment of internal controls.
○ Can’t have one firm do the financials and another firm do the internal controls.
● Nonissuer (private) companies can also have an integrated audit performed.
○ This audit would be done using the AICPA Auditing Standards Board SASs
○ Specifically, SASs 130 governs the audit and report.

● Objective of the Engagement (Issuers and Nonissuers)

1. Express an opinion on the effectiveness of the entity’s internal control over financial reporting.
■ Is the internal control effective at preventing, quickly detecting, and correcting errors/fraud?

■ Internal auditors → monitor that internal controls are present and functioning.

■ External auditors → check that internal controls systems are functioning effectively.

■ Functions for expressing an opinion:

● Ensure proper timing, appropriate personnel, and adequate time to perform the engagement.

● Obtain sufficient appropriate audit evidence.

○ Client’s work = supports internal controls.
○ Auditor’s work = supports the opinion over the internal controls.
● Obtain reasonable assurance about whether material weaknesses exist.
2. The date specified in management’s assessment should correspond to the balance sheet date for the
financial statement audit.
3. An entity’s internal control CANNOT be considered effective if one or more material weaknesses exist.

● Auditor Requirements (Issuers and Nonissuers)

○ Of course with integrated audits, auditors will audit internal controls as well as the financial statements.
1. Plan and perform the integrated audit to achieve the objectives of both engagements.
■ Strong internal controls → more control testing, less testing, more interim work.

Page 205 of 350

 ■ Weak internal controls → substantive testing, more testing, most work at year-end.
2. Use the same control criteria to perform the audit of internal control as management uses for its
evaluation.
3. Test of controls should be designed to provide sufficient audit evidence to support both:
■ The opinion on internal control

■ The control risk assessment for the financial statement audit.

● Management Requirements (Issuers)

○ Section 404 of SOX requires each issuer’s annual report to contain an internal control report that states
management's responsibility for:
■ Establishing adequate internal control structure and procedures for financial reporting.

■ Maintaining and updating controls

○ Change in internal control
■ Management is responsible for establishing and maintaining adopted controls to prevent or quickly
detect errors or fraud.
■ Auditors only give an opinion on management’s representations.

■ Management assesses the effectiveness of the adopted controls through internal audits and reports to
the audit committee.

● Management’s Requirements (Nonissuers)

○ Audit of internal control over financial reporting can be performing ONLY IF management:
■ Accepts responsibility for the effectiveness of internal control.

■ Evaluates the effectiveness of the entity’s internal control using suitable and available criteria, such as
criteria issued by the AICPA or by regulatory agencies.
■ Supports its assessment about the effectiveness of internal control with sufficient appropriate
evidence.
■ Provides a written assessment about the effectiveness of the entity’s internal control with a report that
accompanies the audit report.

● Written Representations (Issuers and Nonissuers)

○ The auditor should obtain a written representation letter from management in which management:
■ Acknowledges its responsibility for establishing and maintaining effective internal control, and states
that management has performed an assessment of the effectiveness of the entity’s internal control.
■ States management’s assessment as of a specified date and specifies the criteria used.

Page 206 of 350

 ● Ex) AICPA or regulatory agency

■ Affirms that management did NOT rely on the auditor’s procedures as the basis for their assessment.

■ States that management has disclosed all deficiencies in design and operation.

● Confirms that all significant deficiencies and material weaknesses have been disclosed to the
auditor.
● Indicates whether any such deficiencies identified in previous engagements are still unresolved.

■ Describes fraud resulting in material misstatement or fraud involving senior management or other
employees who have a significant role in internal controls over financial reporting.
■ States whether there were any significant changes to internal control after the “as of” date of the
report, including any corrective action taken by management regarding significant deficiencies and
material weaknesses identified.

Planning the Engagement

● Overall Planning
○ Planning involves developing an overall strategy for the scope and performance of the engagement.
○ Planning includes evaluating the effectiveness of a company’s internal controls and deciding on the:
■ Starting point of the engagement

■ Process of the engagement

■ Timeline for testing and gathering evidence to support the conclusions on internal control
effectiveness.
○ The evaluation is done in 14 different steps.

● To develop an overall strategy, the auditors should consider:

○ Matters affecting the entity’s industry that include the review of (“FELT”):
■ Financial reporting practices of the industry.

● Controversies, diversity, or other issues

■ Economic conditions

● Labor-intensive organization

● Wages and benefits

■ Laws and regulations impacting industry and the entity’s operations

■ Technology changes

● Use of technology

Page 207 of 350

 ● Hindering growth?
○ Prior knowledge of the company’s internal control
■ Assess past records for irregularities
○ Matters concerning the organization
■ Operations (mainly in the U.S.? in different countries?)

■ Capital structure (debt heavy? equity heavy?)

○ Relative complexity of entity operations
■ Ex) straightforward accounting methods for a cookie company vs. complex methods for a hedge fund.
○ Management’s method of evaluating control effectiveness
■ Methods used assessment

■ Process of internal control testing

■ Internal auditor’s qualifications

■ Consistency in applying controls testing

○ Judgments about materiality and risk
■ Use the same level of materiality and the same risk assessment process to audit both the financial
statements and the internal control over financial reporting.
■ Focus on higher risk areas

■ Factor in the results of the fraud risk assessment performed on the financial statements.
○ Previously communicated deficiencies
○ Legal matters
○ Regulatory matter
○ Public information
○ Nature and extent of available evidence
○ Scaling the audit
■ Smaller or less complex companies achieve control objectives differently than more complex
companies.
■ Ex) cookie company vs. hedge fund from earlier.

● Fraud Risk Assessment

○ To evaluate the effectiveness of internal controls, the auditor should also consider:
■ Potential for management fraud.

■ Three types of management fraud:

Page 208 of 350

 ● Financial statement fraud → lying

● Asset misappropriation → stealing

● Corruption → cheating

■ Management fraud almost always comprises financial statement fraud.

○ Management override for fraud cover-ups.
○ Controls that might address the fraud risk assessment:
■ Significant unusual transactions

■ Period-end journal entries and adjustments

■ Related party transactions (collusion)

■ Significant management estimates (bias)

● Using the Work of Others

○ In evaluating the effectiveness of internal control, auditors may use the work of others who are:
■ Sufficiently competent

■ Objective in their work

■ Qualified
○ The auditors must accept responsibility for using the work of others.
○ When using others' work, auditors should consider the risk associated with the control the other party is
assisting with.
■ As risk increases → a greeted degree of competence and objectivity is required.
○ Use of the work of others may be reduced or eliminated in higher risk areas.
■ May want to do it yourself.

Top-Down Approach
● Top-Down Approach
○ Used in selecting controls to test for which auditors:
■ Evaluate overall risks

■ Consider controls at the entity level

■ Focus on the accounts, disclosures, and assertions that have a reasonable possibility of misstatements.

● Entity-Level Controls
○ The auditor should identify and test entity-level controls that are important to the auditor’s overall opinion
about internal control.
Page 209 of 350
 ○ Entity-level controls include controls related to the:
■ Control environment (C in CRIME)

■ Management override

■ Company’s risk assessment process

■ Centralized processing

■ Monitoring results of operations

■ Monitoring other controls

■ Period-end financial reporting

■ Policies that address significant business control and management practices

● Identifying Specifics in the Financial Statements

○ The auditor’s should identify significant classes of transactions, account balances, disclosures, and their
relevant assertions to evaluate the risk factors that include:
■ Account size and composition

■ Susceptibility to misstatement

■ Volume and complexity of activity

■ Nature of the account, class of transactions, or disclosure

■ Accounting and reporting complexities

■ Exposure to losses

■ Existence of related party transactions

■ Changes from prior period

○ The auditor should assess the risk that a material weakness in that area may exist, as well as the risk that
such weakness will lead to a material misstatement in the financial statements.
■ Greater risk → more audit attention needed (more risk, more evidence; less risk, less evidence)

■ Evaluation of risk factors is the same for both an audit of financial statements and audit of internal
controls.
■ A walk-through of the process is a great way to identify likely sources of potential misstatement.
○ The auditor should test those controls that are important in addressing the risk of material misstatement.

Testing Controls and Evaluating Control Deficiencies

Page 210 of 350

● Under AICPA standards, the auditor in an integrated audit should evaluate the components of internal control
over financial reporting (ICFR) and determine whether the components are:
1. Present and functioning in design, implementation, and operation; and
2. Operating together in an integrated manner.

● Test of Controls
○ Evaluate the design effectiveness:
■ Determine whether the controls, if applied as prescribed, satisfy the company’s control objectives.

■ Determine whether the controls can effectively prevent or detect (and correct) material
misstatements.
● Walk-throughs include inquiry, observation, and inspection, which are great to evaluate design.

○ Test and evaluate the operating effectiveness of the controls and determine whether:
■ The controls are operating as designed.

■ The persons implementing the controls are qualified to implement them effectively.

■ Operating effectiveness is typically tested through:

● Inquiry (not sufficient by itself; refer to “AEIO” in A3:M5)

● Inspection of documentation

● Observation

● Recalculation

● Reperformance

○ Obtain more evidence for controls that are subject to a greater risk of failure:
■ Greater risk → more evidence

■ Less risk → less evidence

○ Obtain sufficient appropriate evidence to support the opinion about the overall effectiveness of the entity’s
internal control:
■ The auditor is NOT responsible for obtaining sufficient evidence to support an opinion about the
effectiveness of EACH individual control.
■ The auditor IS responsible for obtaining sufficient evidence to support an opinion about the
effectiveness of the entity’s internal control OVERALL.

○ Determine the effect of any identified control deviations on the assessment of risk associated with:
Page 211 of 350
 1. The control and the amount of evidence to be obtained.
2. The operating effectiveness of the control.
■ An individual control does not have to operate without any deviations to be considered effective.

● Too many, however, could present problems.

○ Determine the appropriate timing for tests of controls.

■ Tests performed over a longer period of time → more effective than shorter period of time.

■ Tests performed closer to date of management's assertion → more effective than earlier in year.

■ The auditor should use judgment in balancing the timing of tests.

○ Consider knowledge obtained during past audits.

○ Incorporate an element of unpredictability into the testing.
■ This is a very important part.

■ Ex) teacher uses pop quizzes (better and longer example is given in lecture).

● Use of Service Organizations

○ A service organization may be part of an entity’s internal control, such as using one for payroll.
○ In such cases, the auditor should:
■ Obtain an understanding of the relevant controls.

■ Obtain evidence that controls at the service organization are operating effectively by:

● Obtaining a service auditor’s report;

● Testing the entity’s controls over the activities of the service organization; and/or

● Performing tests of controls at the service organization.

○ No reference should be made to the service auditor’s report in the auditor’s report on internal control.

● Benchmarking of Automated Controls

○ Automated application controls are not particularly susceptible to human error.
○ The auditor may not need to repeat specific testing performing in the previous year if:
■ General controls with respect to program modifications, access, and operations are tested and
continue to be effective; and
■ Automated controls have not been changed from one year to the next.
○ Benchmarking is most effective in low-risk situations.

● Evaluating Control Deficiencies (Issuers and Nonissuers)

Page 212 of 350

 ○ The auditor should determine whether identified deficiencies represent:
■ Significant deficiencies; or

■ Material weaknesses (either alone or in combination).

○ This determinations should be based on:
■ Whether there is a reasonable possibility that the control will fail to prevent, or detect, and correct a
material misstatement (Likelihood); and
■ The magnitude of the potential misstatement results from the deficiency.
○ Indicators of material weakness:
■ Senior management fraud

■ Restatement of previous financial statements to correct a material error

■ Identification by the auditor of a material misstatement that the entity’s controls would not have
detected.

Forming an Opinion and Audit Types

● Forming an Opinion (Issuers and Nonissuers)
○ The auditor should form an opinion about the effectiveness of internal control and base this opinion on:
■ Evidence obtained from the financial statement audit.

■ Evidence obtained during the audit of internal control over financial reporting.
○ After forming an opinion on the effectiveness of internal control, the auditor should evaluate
management's report on internal control.
■ Evaluate the report and disclose any discrepancies between the auditor’s opinion and management's
opinion.

● Management’s Report
○ Should include:
■ Indicate that management is responsible for internal control.

■ Describe the subject matter (e.g., controls over financial statement preparation).

■ Identify the criteria used by management to measure the effectiveness of the entity’s internal control.

● Ex) COSO, or other standards

■ Include a statement of management’s assessment about the effectiveness of internal control:

● Including an “as of” date.

● The “as of” date should be the end of the entity’s most recent fiscal year.

Page 213 of 350

 ■ Describe any material weaknesses identified by management.
○ If the auditor determines that required disclosures for one or more material weaknesses have not been
included in the report, this should be stated in the auditor’s report.
○ If the report is incomplete or improperly presented, the auditor should modify his or her own report to
discuss the matter.
■ If management refuses to supply a report, the auditor should withdraw from the engagement.
○ If the report contains additional information beyond the other items, the auditor should:
■ Read the additional information to ensure that there are no material inconsistencies with
management's report.
■ Disclaim an opinion on such information.

● Differences Between Engagements

○ Purpose
■ The purpose of an audit of the effectiveness of an entity’s internal control is to express an opinion
about whether the entity maintained, in all material respects, effective internal controls as of a point in
time based on the control criteria.
■ The purpose of an auditor’s consideration of internal control in an audit of financial statements
conducted with GAAS is to enable the auditor to plan the audit and determine the nature, extent, and
timing of tests to be performed.
○ Relevant Period
■ An audit of ICFR results in an opinion on internal control as of a point in time.

■ An opinion on financial statements relates to a longer period, such as a year.

○ Extent of Testing
■ To render an opinion on internal control, the auditor should obtain evidence about the effectiveness of
selected controls over all relevant assertions.
■ In a financial statement audit, the auditor is not required to test controls over all relevant assertions.
○ Communication of Control Deficiencies
■ Financial statement audit:

● Significant deficiency or material weakness → communicate within 60 days of the report release
date.
● Restricted-use language should be included.

■ Internal control audit:

● Communication must be made by the report release date (not after).

Page 214 of 350

 ● No restriction on the use of the report is required.

● Financial Statement Audit vs. Audit of ICFR (Nonissuers)

○ The results from one type of engagement should be considered in performing the other type of
engagement.
○ In forming an opinion on internal control, the auditor should consider the results of tests of controls
performed as part of the financial statement audit.
○ In concluding on the effectiveness of controls as part of the financial statement audit, the auditor should
consider the results of tests performed as part of the internal control audit.
○ If during the audit of ICFR a deficiency is noted, the auditor should consider this deficiency in determining
the nature, extent, and timing of substantive tests in the financial statement audit.
○ The auditor should consider whether any observations made during the financial statement audit impact
the auditor’s opinion on internal control.

● Notes from MCQs

○ An auditor that is testing controls at a company with multiple business units should test controls over
specific risks at business units that are material to the company’s consolidated financial statements.
○ Top-Down approach → begin by understanding the overall risks to internal control over financial reporting
at the financial statement level.
○ Internal Control Audit:
■ Scope and procedures → more extensive than financial statement audit.
■ Purpose → different than that of a financial statement audit (see “Differences Between Engagements”)

M2: Communication and Reporting in an Integrated Audit

Communications
● Hierarchy of Deficiencies (least worst to worst)
○ Control Deficiency
○ Significant Deficiency
○ Material Weakness

● Communicating Significant Deficiencies and Material Weaknesses

○ Communication to management and those charged with governance should be in writing.
○ Auditors should communicate material weaknesses and significant deficiencies by the report release date.
○ Auditors should communicate any significant deficiencies or material weaknesses previously
communicated, but not corrected, by referring to the previously issued communication.

● Most Important Items Within a Communication Letter (not in order, but included within the letter)
Page 215 of 350
 ○ Address the letter to management.
○ State that the auditor is required to advise them in regards to internal control.
○ State that the auditor's responsibility is to plan and perform their integrated audit.
○ State whether effective internal control was maintained.
○ Explain what a deficiency is.
■ Deficiency → design or operation of a control does not allow to prevent, detect, or correct, errors.
○ Describe the material weaknesses that were identified.
○ Explain what a significant deficiency is.
■ Less severe than a material weakness, but important enough to merit attention.
○ State that the information is intended solely for the use of management.

● All Deficiencies
○ Deficiencies other than material weaknesses and significant deficiencies.
○ Auditor should communicate to management, in writing, all deficiencies identified during the integrated
audit.
○ Auditors should make written communication no later than 60 days following the report release date.
○ Auditors must communicate with the board in writing if they conclude that internal controls are ineffective.
○ Auditors are NOT required to search for control deficiencies less severe than material weakness, but those
identified must be reported.
○ Auditors should NOT issue a report stating that no deficiencies or material weaknesses were found.
○

● Communications With Management and the Audit Committee (Issuers only)

○ Auditor must communicate, in writing, to management and the audit committee, all material weaknesses
identified during the audit.
○ Auditor must communicate any identified significant deficiencies, in writing, to the audit committee.
○ Auditors should communicate to management, in writing, all deficiencies in internal control over financial
reporting identified during the audit and inform the audit committee.
○ Auditor must communicate in writing to the board if the auditor concludes that oversight of financial
reporting and internal control by the company’s audit committee is ineffective.

Page 216 of 350

 ○ Auditors are not required to search for control deficiencies or significant deficiencies, but those that are
identified should be communicated.
○ Auditor does not provide assurance that all control deficiencies have been identified.
■ No report should be issued stating that no deficiencies were noted.
○ PCAOB has not provided sample communications to management or audit committee.
○

Reporting on Internal Control (Nonissuers)

● Two ways of issuing a report on internal controls:
○ Separate reports → issued for financial statements and internal controls over financial reporting.
○ Combined report → issued containing an opinion on both.

● Separate Reports
○ Headings:
1. Opinion on internal control over financial reporting
2. Basis for opinion
3. Responsibilities of management for internal control over financial reporting
4. Auditor’s responsibilities for the auditor of internal control over financial reporting
5. Definition and inherent limitations of internal control over financial reporting
6. Report on other legal and regulatory requirements
7. Report on audits of internal control over financial reporting

○ Opinion on internal control over financial reporting

■ State “We have audited ABC Company’s internal control over financial reporting…”

■ State that the auditor has also audited the financial statements.

○ Basis for Opinion

■ State that the audit was done in accordance with GAAS.

Page 217 of 350

 ■ State that the auditor is required to be independent.

■ State that the auditor has obtained sufficient appropriate audit evidence.

○ Responsibilities of management for internal control over financial reporting

■ “Management is responsible for designing, implementing, and maintaining effective internal control…,
and for its assessment”

○ Auditor’s responsibilities for the auditor of internal control over financial reporting
■ “Our objectives are to obtain reasonable assurance about whether effective internal control…”

■ State that the auditor’s report includes their opinion on internal control.

■ Explain what reasonable assurance is.

● High level of assurance, but not absolute.

■ State that in performing the audit, the auditor:

● Exercised professional judgment…

● Maintained professional skepticism…

● Obtained an understanding of the system…

● Assessed the system for risk…

● Test and evaluate the system…

○ Definition and inherent limitations of internal control over financial reporting

■ Note that internal control is a process

■ State that internal controls are meant to provide reasonable assurance regarding the preparation of
reliable financial statements:
● Maintaining records, in reasonable detail

● Transactions are recorded

● Reasonable assurance → prevent, or timely detect, and correct of errors

■ State that internal controls have inherent limitations, and may nor prevent, or detect and correct.

■ State that in future periods, internal controls may become inadequate due to changes.

○ Report on other legal and regulatory requirements

Page 218 of 350

 ■ This section varies depending on the nature of the auditor's other reporting responsibilities.

○ Auditor would then sign, state the location where the auditor’s report is issued, and date the report.

○ Report on audits of internal control over financial reporting

■ This paragraph is added to the separate report on the financial statements (nonissuer).

■ State that the auditor has also audited ICFR.

■ Date should be the same as the date on the report on the financial statements.

● Combined Report
○ Headings:
1. Opinion on the financial statements and internal control over financial reporting
2. Basis for opinion
3. Responsibilities of management for the financial statements and internal control over financial
reporting
4. Auditor’s responsibilities for the audits of the financial statements and internal control over
financial reporting
5. Definition and inherent limitations of internal control over financial reporting
6. Report on other legal and regulatory requirements
7. Report on audit of ICFR
8. Basis for adverse opinion on internal control over financial reporting (if applicable)

○ Opinion on the financial statements and internal control over financial reporting
■ “We have audited the financial statements…in our opinion they are presented fairly…”

■ “We also have audited internal control over financial reporting…in our opinion, it's effective…”

○ Basis for Opinions

■ State that the audit was done in accordance with GAAS.

■ State that the auditor is required to be independent.

■ State that the auditor has obtained sufficient appropriate audit evidence for the basis of their opinions.

○ Responsibilities of management…
■ State that management is responsible for the preparation and fair presentation of the financials.

■ “Management is responsible for designing, implementing, and maintaining effective internal control…,
and for its assessment”

Page 219 of 350

 ■ State that management is required to evaluate whether there is substantial doubt about their ability to
continue as a going concern.

○ Auditor’s responsibilities…
■ “Our objectives are to obtain reasonable assurance.. financials are free from material misstatement…”

■ Explain what reasonable assurance is.

■ State that in performing the audit, the auditor:

● Exercised professional judgment…

● Maintained professional skepticism…

● Assessed risk of material misstatement…whether due to fraud or error

● Examined, on a test basis, evidence…

● Obtained an understanding of internal control relevant to statement audit…

● Obtained an understanding of internal control relevant to internal control audit…

● Evaluate the appropriateness of accounting policies…

● Consider if there are conditions that raise substantial doubt about going concern…

■ “We are required to communicate… scope and timing… significant audit findings… and internal control-
related matters…”

○ Definition and inherent limitations of internal control over financial reporting

■ Note that internal control is a process.

■ State that internal controls are meant to provide reasonable assurance regarding the preparation of
reliable financial statements:
● Maintaining records, in reasonable detail

● Transactions are recorded

● Reasonable assurance → prevent, or timely detect, and correct of errors

■ State that internal controls have inherent limitations, and may nor prevent, or detect and correct.

■ State that in future periods, internal controls may become inadequate due to changes.

○ Report on other legal and regulatory requirements

■ Section varies.

Page 220 of 350

 ○ Auditor would then sign, state the location where the auditor’s report is issued, and date the report.
■ Date should be no earlier than the date on which sufficient appropriate evidence has been obtained.

■ Date should coincide with the date of the audit report on the financial statements.

○ Report on audit of ICFR (adverse opinion)

■ If a material weakness is found, another paragraph is added into the report.

● Include a “Basis for Adverse Opinion” paragraph.

● Define the term “material weakness”

■ “We have audited internal control… because of the effect of a material weakness…. they have not
maintained effective internal control over financial reporting…”
■ “We have also audited… financial statements… expressed an opinion on them…”

■ “We considered the material weakness… in determining the nature, extent, and timing of audit work…”

■ “This report does not affect such report on the financial statements.”

○ Basis for adverse opinion on internal control over financial reporting (if applicable)
■ State what a material weakness is.

● Reasonable possibility that a material misstatement will not be prevented, or detected and
corrected.
■ State that the audit was conducted in accordance with GAAS.

■ State that independence was required.

■ State that the auditor believes enough evidence was acquired to render such an opinion.

● Other considerations
○ Management’s report fails to include one or more material weaknesses → include them in the audit report.
■ Communicate this with the board.
○ Management’s report includes material weakness, but describes it unfairly → fairly describe in audit report.
○ Auditors should consider the effect of the adverse opinion on the financial statement opinion.
○ Auditors should indicate whether the opinion on the financials was affected by the material weakness.

Reporting on Internal Control (Issuers)

● Two ways of issuing a report on internal controls:
○ Separate reports → issued for financial statements and internal controls over financial reporting.

Page 221 of 350

 ○ Combined report → issued containing an opinion on both.

● Separate Report
○ Headings:
1. Opinion on internal control over financial reporting
2. Basis for Opinion
3. Definitions and Limitations

○ Opinion on internal control over financial reporting

■ “We have audited internal control over financial reporting… in our opinion… it is effective”

■ “We have also audited, in accordance with PCAOB, the financial statements… expressed opinion”

○ Basis for Opinion

■ “Management is responsible for designing, implementing, and maintaining effective internal control…,
and for its assessment”
■ “Our responsibility is to express an opinion on the company’s internal control…”

■ “We are a public firm, registered with the PCAOB, and are required to be independent…”

■ State that the audit was conducted in accordance with PCAOB standards.

■ “Our audit of internal control included:”

● Obtaining an understanding of internal control…

● Assessing the risk that a material weakness exists…

● Testing and evaluating the design and operating effectiveness of internal control…

■ “Our audit also included other procedures as we considered necessary…”

○ Definitions and Limitations

■ Note that internal control is a process.

■ State that internal controls are meant to provide reasonable assurance regarding the preparation of
reliable financial statements:
● Maintaining records, in reasonable detail

● Transactions are recorded

● Reasonable assurance → prevent, or timely detect, and correct of errors

■ State that internal controls have inherent limitations, and may nor prevent, or detect and correct.

Page 222 of 350

 ■ State that in future periods, internal controls may become inadequate due to changes.

○ Auditor would then sign, state how many years they have served as auditor, state their city and state or
country, and date the report.

○ The following paragraph (no heading) should be added immediately after the opinion paragraph on the
financial statement report:
■ “We have also audited, in accordance with PCAOB… the effectiveness of internal control… our report
dated… expressed [opinion].”

● Combined Report
○ Headings:
1. Opinions
2. Basis for Opinion
3. Definitions and Limitations
4. Critical Audit Matters (CAMs)

○ Opinions
■ “We have audited the financial statements…”

■ “We have also audited internal control…”

■ State opinions on financials and internal control.

○ Basis for Opinion

■ State that management is responsible for the financial statements and internal controls.

■ Auditor’s responsibility is to express an opinion on the financials and controls.

■ PCAOB standards require independence.

■ PCAOB standards also require that auditors plan and perform audits to obtain reasonable assurance of
free of material misstatements and effective internal control.
■ During the financial audit, auditors:

● Assessed the risks…

● Responded to those risks…

● Evaluate the accounting principles and significant estimates…

■ During the internal control audit, auditors:

● Obtained an understanding of the system…

Page 223 of 350
 ● Assessed risks of material weaknesses…

● Test and evaluate operations…

○ Definitions and Limitations

■ Note that internal control is a process.

■ State that internal controls are meant to provide reasonable assurance regarding the preparation of
reliable financial statements:
● Maintaining records, in reasonable detail

● Transactions are recorded

● Reasonable assurance → prevent, or timely detect, and correct of errors

■ State that internal controls have inherent limitations, and may nor prevent, or detect and correct.

■ State that in future periods, internal controls may become inadequate due to changes.

○ Critical Audit Matters

■ Include any critical audit matters.

■ Items that require significant and complex judgment from auditors.

○ Auditor would then sign, state how many years they have served as auditor, state their city and state or
country, and date the report.
■ Date should be no earlier than the date on which sufficient appropriate evidence has been obtained.

■ Date should coincide with the date of the audit report on the financial statements.

● Material Weaknesses in Internal Control

○ A material weakness requires an adverse opinion on the audit of internal controls.
○ Audit report must include:
■ The definition of a material weakness.

■ A statement that a material weakness has been identified and therefore the entity’s internal control
over financial reporting cannot be considered effective.
■ An identification of the material weakness described in management's assessment.
○ Management’s report fails to include one or more material weaknesses → include them in the audit report.
■ Communicate this, in writing, to those charged with governance.
○ Management’s report includes material weakness, but describes it unfairly → fairly describe in audit report.

Page 224 of 350

 ○ Auditors should consider the effect of the adverse opinion on the financial statement opinion.
○ Auditors should indicate whether the opinion on the financials was affected by the material weakness.

● Reporting on a Previously Reported Internal Control Weakness

○ In some cases, management’s assessment of the company’s internal control over financial reporting may
reveal that the company has one or more material weaknesses.
○ If the material weaknesses are subsequently eliminated, management may wish to:
■ Communicate this to the investing public.

■ Have an independent auditor attest to the improvements in internal control.

○ An engagement to report on whether a previous weakness continues to exist is a voluntary engagement,
not required by professional standards.
○ The auditor’s objective is to express an opinion on whether a previous weakness has been eliminated.
○ The auditor may perform such an engagement ONLY IF:
■ The auditor has sufficient knowledge over both the company and its internal controls.

■ Management accepts responsibility for the effectiveness of internal control, evaluates its effectiveness,
asserts that they are effective, provides support for this assertion, and presents a written report that
will accompany the auditor’s report.
○ The auditor's testing is limited to the controls specifically identified by management as eliminating the
material weakness.

Other Reporting Issues (Issuers and Nonissuers)

● Scope Limitations
○ The auditor should withdraw or issue a disclaimer of opinion if the scope of the audit is restricted.
○ When disclaiming an opinion because of scope, auditor should state:
■ An opinion is NOT being expressed within the “Disclaimer of Opinion on ICFR” section; and

■ The reasons for the disclaimer within the “Basis for Disclaimer of Opinion on ICFR” section.
○ In a disclaimer of opinion, the auditor should:
■ Modify the first sentence of the intro paragraph slightly (“We were engaged to audit…”) and omit the
last sentence.
■ Omit the scope paragraph (issuer) or amend the auditor’s responsibility paragraph (nonissuer) to state:

● “because of the matter described in the Basis for Disclaimer… we were not able to obtain
sufficient appropriate audit evidence.”
■ Include a separate paragraph (issuer) or a basis for disclaimer of opinion paragraph (nonisser)
describing the reason for the disclaimer.
■ Revise the opinion paragraph (issuer):

Page 225 of 350

 ● “Because of the limitation on the scope… our work was not sufficient… we do not express an
opinion…”
■ Revise the opinion paragraph (nonissuer):

● “We were engaged to audit… because of the matter described… we do not express an opinion…”
○ Also consider the following:
■ Language that might overshadow the disclaimer should not be used.

■ Any material weakness identified should be described, and the definition of material weakness should
be given in the disclaimer.
■ If the opinion cannot be expressed due to a scope limitation, management and those charged with
governance should be informed in writing.
■ The auditor may issue a report disclaiming an opinion on internal controls as soon as the auditor
concludes there is a scope limitation preventing evidence from being obtained.

● Use of Component Auditor

○ A component auditor (other auditor) may be involved in the audit of internal controls.
○ The group engagement partner (primary auditor) decides whether the involvement of the other auditor
warrants reference in the auditor’s report.
○ The decision about whether to make reference to another auditor in the report on internal controls is
independent of the decision made with respect to the financial statement audit.

● Subsequent Events
○ Changes in internal control may occur after the “as of” date of the report, but prior to the date of the
auditor’s report.
○ The auditor should:
■ Inquire with management

■ Obtain written representation

■ Make inquiries and examine documentation for the subsequent period

○ If, before the date of the auditor’s report, the auditor obtains information about a matter that existed on
the “as of” date of the report, appropriate action should be taken.
○ If the auditor obtains information about conditions that arose subsequent to the “as of” date of the
auditor’s report, this information should be included in an explanatory paragraph of the report.
○ The auditor has no responsibility to keep informed with respect to events occurring after the date of the
report, but if the auditor becomes aware of conditions that existed at the report date, appropriate actions
should be taken.

Page 226 of 350

● Notes from MCQs
○ Management provides assurance about the effectiveness of internal controls. However, management does
not provide assurance about the internal controls.
■ Ex) “management hasn’t provided assurance that there are no material weaknesses in controls” would
be ok.
○ The title for an issuers report → “Report of Independent Registered Public Accounting Firm”
○ Integrated audit of issuers → use PCAOB standards
○ Integrated audit of nonissuers → use AICPA standards.

M3: Attestation Engagements and Standards

● Attestation Engagements
○ Engagements in which the practitioner (CPA) is engaged to issue or does issue:
■ An examination report (highest level)

■ A review report

■ An agreed-upon procedures report on subject matter, or on an assertion about the subject matter, that
is the responsibility of a party other than the practitioner (usually management) (lowest level)

● Statements on Standards for Attestation Engagements (SSAE)

○ Provide information addressing services for multiple subject matters.
○ SSAE does not apply to all services provided by a CPA.
○ Each type of attestation service allows a different combination of reporting options:

○
■ Ex) prospective financial statements → examining future financial statement predictions.

● Attestation Standards (SSAE) Overview

○ Intended to provide guidance around the broad variety of attestation services rendered by a CPA.
○ Much broader in scope than GAAS and apply specifically to attestation engagements.
○ Are a natural extension of GAAS but differ conceptually from GAAS in two ways:
Page 227 of 350
 ■ No reference is made to historical financial statements.

■ No reference is made to GAAP.

○ Attestation standards include a hierarchy similar to the GAAS hierarchy:
■ Departures from mandatory requirements must be justified.

■ Interpretative publications should be considered (with departures explained).

■ Other attestation publications have no authoritative status but may be helpful.

● Attestation Standards Common Concepts

○ Attestation standards include guidance concepts common to all attestation engagements (“CAPE CORP”).
○ Compliance with all attestation standards relevant to the engagement.
○ Acceptance and continuance are satisfactorily performed for client relationships and attestation
engagements.
○ Preconditions for an attestation engagement are present.
○ Engagement documentation standards for timeliness, retention, ownership, and confidentiality apply.
○ Acceptance of a change in terms of the engagements as reasonable, when applicable.
○ Using the work of an other practitioner is allowed.
○ Responsibility for quality control.
○ Professional skepticism and professional judgment.

● Attestation Risk
○ Can be represented by three components, although not all three will necessarily be present or significant in
all engagements.
○ Very similar to the audit risk model.

● Additional Reporting Requirements

○ The report may be issued on:
■ the assertion itself; or

■ the subject matter to which the assertion relates.

○ Scope Restrictions
■ Examination → may result in a qualified opinion, disclaimer of opinion, or withdrawal.

■ Review → prevention of necessary procedures from being performed results in withdrawal.

Page 228 of 350

● Examination and Review Engagements
○ Examination and review engagements include three distinct types of engagements:
■ Assertion-Based Examinations

■ Direct Examinations

■ Review Engagements

● A review results in a conclusion (not an opinion).

● Moderate level of assurance is given.

● Review procedures

● Sample - Assertion-Based Examination Report on a Subject Matter

○ Title → Independent Accountant’s Report
○ Introduction → “We have examined [identify the subject matter]...”
○ Scope → “Our examination was conducted…AICPA”
○ Independence Requirements → “We are required to be independent”
○ Inherent Limitations (optional) → Describe the limitations
○ Emphasis of Matters (optional)
○ Opinion → “In our opinion… is presented in accordance with the ‘criteria’ in all material respects”

● Sample - Assertion-Based Examination Report on an Assertion

○ Title → Independent Accountant’s Report
○ Introduction → “We have examined management of XYZ’s assertion that…”
○ Scope → “Our examination was conducted…AICPA…Nature, Extent, Timing”
○ Independence Requirements → “We are required to be independent”
○ Inherent Limitations (optional) → Describe the limitations
○ Emphasis of Matters (optional)
○ Opinion → “In our opinion… management’s assertion that is presented is in accordance with the ‘criteria’ in
the footnotes.”

● Sample - Review Report on a Subject Matter (Unmodified Conclusion)

○ Title → Independent Accountant’s Report
○ Introduction → “We have reviewed [identify the subject matter]...”
○ Scope → “Our review was conducted… AICPA… we planned and performed: Nature, Extent, Timing”
○ Independence Requirements → “We are required to be independent”
○ Description of work performed as a basis for the practitioner’s conclusion.
○ Inherent Limitations
○ Emphasis of Matters (optional)
○ Conclusion → “Based on our review… we are not aware of any material modifications that should be
made…”

Page 229 of 350

● Sample - Review Report on an Assertion about a Subject Matter (Unmodified Conclusion)
○ Use of this report is restricted.
○ Title → Independent Accountant’s Report
○ Introduction → “We have reviewed management of XYZ’s assertion that [identify the assertion]…”
○ Scope → “Our review was conducted…AICPA… we do not express an opinion”
○ Independence Requirements → “We are required to be independent”
○ Description of work performed as a basis for the practitioner’s conclusion.
○ Inherent Limitations
○ Emphasis of Matters (optional)
○ Conclusion → “This report is intended solely for the information and use of [identity the specified parties]...
based on our review we are not aware of any material modifications that should be made to… assertions”

● Agreed-Upon Procedures
○ Agreed-Upon procedures provide no assurance.

● Written Assertions
○ A written assertion is generally obtained in all three engagements.
○ When no written assertion is provided by management, the outcome depends on whether the client is also
the responsible party.
○ Client IS responsible party (scope limitation):
■ Examination → withdrawal (if possible under law/regulation) or disclaim an opinion (if cant withdraw).

■ Review → withdrawal (if possible) or report on subject matter, but modify and restrict the report.

■ Agreed-upon procedures → modify the report based on the scope limitation.

○ Client is NOT responsible party:
■ A report may be issued as long as appropriate procedures are performed and sufficient evidence is
obtained.
■ Practitioners should disclose such refusal in the report, and its use should be restricted.

● Other Requirements
○ Documentation → similar to those of any other audit or review engagement.
○ Understanding with the client, preferable through written communication.
○ A representation letter from the responsible party should be obtained.
○ Inquiry should be made regarding subsequent events.

Page 230 of 350

● Notes from MCQs
○ The consistency assertion in an MD&A presentation addresses whether nonfinanical data has been
accurately derived from related records.
○ When reporting on an examination of a financial projection, the report should be restricted.

Page 231 of 350

 M4: Agreed-Upon Procedures and Prospective Financial Statements
Agreed-Upon Procedures Engagements
● Type attestation engagement in which:
○ A practitioner is engaged by a client → “Engaging party”
○ A party is responsible for the subject matter → “Responsible party
○ These parties may be the same or different parties.
● Practitioner performs specific procedures.
● Practitioner does not provide an opinion.
● Practitioner reports the findings.
● Client and practitioner agree to the procedures.
● Client is responsible for assessing the sufficiency of the procedures performed.

● Conditions Required to Accept an Agreed-Upon Engagement (“I-AM-SURE”)

○ Independence of the practitioner
○ Agreement of the parties
○ Measurability and consistency (whatever we are agreeing to do)
○ Sufficiency of the procedures
○ Use of the report can be general or restricted
○ Responsibility for the subject matter
○ Engagements to perform agreed-upon procedures on prospective financial statements

● Reporting (Required Elements)

○ Report should contain…
○ Addressee
○ Title, signature, address, date
■ Title should include the word independent.
○ Identification of the engaging party, subject matter, nature and intended purpose of the engagement, and
the responsible party.
○ A state that the subject matter is the responsibility of the responsible party.
○ A statement that the engaging party acknowledged that the procedures performed were appropriate.
○ A statement that the report may not be suitable for any other purpose and that users are responsible for
determining appropriateness for their specific purposes.
○ A statement that an agreed-upon procedures engagement involves performing specific procedures that the
engaging party has agreed to.
○ A statement that the engagement was conducted in accordance with the attestation standards of the
AICPA.
○ A description of the procedures performed, related findings, and if applicable, a description of any specified
materiality threshold established.
○ A statement that the practitioner was not engaged to, and did not conduct, an examination or review.
○ A statement that the practitioner is required to be independent, and meet ethical requirements.
○ Where applicable, reservations or restrictions concerning procedures or findings.
○ Certain additional items for prospective financial information.
Page 232 of 350
 ○ Where applicable, a description of any assistance by a specialist.
(Example of Sample report is given in the lecture, along with some important items from this list)

● Explanatory Language (may use)

○ Disclosure of stipulated facts, assumptions, or interpretations used in the application of agreed-upon
procedures.
○ Description of the condition of records, controls, or data to which the procedures were applied.
○ Explanation that the practitioner has no responsibility to update the report.
○ Explanation of sampling risk.
○ Restriction of the use of the report based on circumstances of the engagement.

Prospective Financial Statements

● Prospective Financial Statements are forward looking → based on projections.
○ May cover different periods, such as a period that has partially expired.
■ Ex) “through June, here’s what we’re expecting the entire year to look like”

■ Essentially, you’re projecting what the other half of the year will look like.
○ Statements for periods that have completely expired are NOT considered to be prospective.
■ These are considered to be historical.
○ Pro forma financial statements and partial presentations are NOT prospective financial statements.

● Types of Prospective Financial Statements

○ Financial Forecast
■ Reflects the expected financial results of a future period, to the best of the responsible party’s
knowledge.
■ Expected results.
○ Financial Projection
■ Reflects the financial position and results of operations based on a “what-if” scenario.

■ Hypothetical assumptions.

■ Ex) “If we acquired this company, what would our sales be?”

● Uses of Prospective Financial Statements

○ General Use
■ Statements issued will be used by parties not negotiating directly with the responsible party (the
issuing company).
■ Ex) Sales pitch
○ Limited Use

Page 233 of 350

 ■ Statements will only be used by the responsible party alone or by parties negotiating directly with the
responsible party (the issuing company).
■ Ex) Bankers/lenders

● Engagement Types
○ A practitioner is associated with prospective financial statements primarily in one of four ways.
■ Preparation engagement

■ Compilation engagement

■ Examination engagement

■ Agreed-upon procedures engagement

○ The future cannot be audited, so reviews and audits are NOT applicable to prospective financial
statements.

● Preparation of Prospective Financial Statements

○ SSARS provides guidance for preparation of prospective financial statements.
○ A practitioner should NOT prepare prospective financial information in ANY of the following cases:
■ Exclusion of the summary of significant assumptions.

■ Exclusion of an identification of the hypothetical assumptions.

■ Exclusion of a description of the limitations on the usefulness of the presentation.

● Compilation of Prospective Financial Statements

○ Purpose → proper assembly of the financial data based on the responsible party’s assumptions.
○ Guidelines:
■ No assurance of any kind is given that the statements have been prepared in accordance with AICPA
guidelines or that assumptions made by management are reasonable.
■ Practitioner should read the prospective statements with the summaries of significant assumptions and
accounting policies, and consider whether they appear to be presented in conformity with AICPA
presentations.
■ Practitioner is NOT required to gather supporting evidence but should be aware of obvious
inappropriate assumptions used to construct the statements.
■ Independence is NOT required, but a lack of independence should be disclosed in a separate
paragraph.

● Contents of a Compilation Report

○ Identification of the entity, the prospective financial statements, and the date or period covered.

Page 234 of 350

 ○ A statement that management is responsible for the financial information.
○ A statement that the practitioner has performed the compilation in accordance with SSARS.
○ A statement that the practitioner did not examine or review the financial information.
○ A caveat that the prospective results may not be achieved.
○ A statement that the practitioner has no responsibility to update the report for subsequent events.
○ Signature of the practitioners firm, date of the report, and the city/state where practitioner practices.
(Example of Sample report given in the lecture highlighting important items from this list)

● Compilation of a Financial Forecast

○ With the issuance of SSAE 18, compilations of prospective financial statements are no longer addressed in
the attestation standards (SSAEs) and are instead governed by AR-C section 80 of the SSARS standards.
○ Compilation of a financial projection → standard report would refer to “financial projection” rather than a
forecast.

● Examination of Prospective Financial Statements

○ Purpose → to express an opinion as to whether:
■ The statements are presented in conformity with AICPA guidelines.

■ The underlying assumptions provide a reasonable basis for the prospective statements.
○ Independence is required for examination engagements.
○ In order for the accountant to make such a claim, sufficient evidence must be obtained.
○ Preparation, support, and presentation of statements must be evaluated.

● Contents of Examination Report

○ A title that includes the word independent.
○ The signature of the practitioners firm, the city/state of the firm, and the date of the report.
○ Identification of the prospective financial statements presented.
○ An indication that the criteria against which the financial information was measured or evaluated are the
guidelines for the presentation of a forecast (or projection) established by the AICPA.
○ An identification of the responsible party and a statement that the prospective financial statements are the
responsibility of the responsible party.
○ A statement that the practitioner's responsibility is to express an opinion on the prospective statements.
○ A statement that examination was conducted in accordance with attestation standards.
○ A statement that those standards require the practitioner to plan and perform the examination to obtain
reasonable assurance.
○ A statement that the practitioner believes the examination provinces a reasonable basis for opinion.
○ A description of the nature of an examination engagement.
○ An opinion that the prospective statements are presented in conformity with AICPA guidelines and that the
underlying assumptions are reasonable given the hypothetical assumptions.
○ A statement indicating that the prospective results may not be achieved, and describing any inherent
limitations.
○ A statement that the practitioner has no responsibility to update the report for subsequent events.

Page 235 of 350

 ○ A projection should include:
■ An identification of the hypothetical assumptions.

■ A description of the projection's purpose.

■ A restrictive use paragraph.

○ Modifications to the opinion:
■ AICPA presentation guidelines are not followed → “except for” opinion or adverse opinion.

■ Significant assumptions are not disclosed → adverse opinion

■ One or more of the significant assumptions do not provide reasonable basis → adverse opinion

■ Scope limitation → disclaimer

● Agreed-Upon Procedures of Prospective Financial Statements

○ The conditions and required elements for agreed-upon procedures engagements also apply when such
engagements are related to prospective financial statements.
■ See “I-AM-SURE” at the beginning of this module.
○ Any additional conditions must be included in the summary of significant assumptions.
○ Additional reporting elements include:
■ Reference to the prospective financial statements.

■ Disclaimer on whether the statements are presented in conformity with AICPA standards.

■ Whether the underlying assumptions provide reasonable basis for the statements.

■ Caveat that prospective results may not be achieved.

■ Statement that the accountant assumes no responsibility to update the report.

● Partial Presentation
○ Partial presentations are those that omit one of the following essential elements:
■ Sales

■ Gross profit (or cost of goods sold)

■ Unusual or infrequent items (e.g., an item that will never happen again)

■ Income tax expense

■ Discontinued operations

■ Income from continuing operations

Page 236 of 350
 ■ Net income, EPS, and significant changes in financial position

● General Procedures for Compilation, Examination, and Agree-Upon Procedures

● Prospective Financial Statement Summary

● Pro Forma Financial Statements

Page 237 of 350

 ○ Pro forma financial statements are NOT prospective.
○ Pro forma financial statements → demonstrate the effect of a future hypothetical event.
■ Pro forma adjustments should be based on management’s assumptions.

■ Pro forma financial information should be labeled accordingly to prevent confusion with historical
financial information.
■ Pro forma financial statements may be examined and reviewed.
○ The practitioner should:
■ Obtain an understanding of the relevant and evaluate the pro forma adjustments.

● Ex of evaluate) check mathematical accuracy of adjustments.

■ Make reference (in the report) to the financial statements from which the historical information is
derived; and
■ State whether such statements were audited or reviewed.

● Important Items from a Sample Examination of Pro Forma Report in Lecture

1. “We have examined the pro forma adjustments..”
2. “...derived from historical financial statements, which were audited by us…”
3. “...pro forma adjustments are based on management’s assumptions described in [Note].”
4. “Management is responsible for the financial information. Our responsibility is to express an opinion”
5. “Our examination was conducted with attestation standards by AICPA. Those standards require that we
plan and perform the examination to obtain reasonable assurance…”
6. “An examination involves performing procedures to obtain evidence about management's assumptions..”
7. “The nature, extent, and timing of the procedures depend on our judgment.. assessing risks… whether due
to error or fraud. We believe the evidence provides a reasonable basis for our opinion.”
8. “The objective of this pro forma financial information is to what effects on the historical information might
have been had the underlying transaction occurred at an earlier date”
9. “Actual results may not have been achieved…”
10. “In our opinion…. management’s assumptions provide a reasonable basis…”
11. Sign it, give the city and state, and date the report.

○ More detailed explanation given in lecture.

○ An example of a pro forma review sample is given in lecture as well.
■ Similar to the important items above.

■ Exception is a conclusion is given, not an opinion.

● Notes from MCQs

Page 238 of 350

○ If an auditor of a nonissuer concludes that there is a reasonable justification to change an audit to an
agreed-upon procedures engagement, the report should not include a reference to the original audit
engagement, but may include a reference to procedures that have been performed.
■ Typically, when there is a change in engagement, no reference should be made to procedures that have
been performed, but because it was a switch to an agreed-upon procedures engagement, reference to
the procedures performed is a normal part of that engagement’s report.
○ Any type of prospective financial statements (forecasts and projections) would normally be appropriate for
limited use.
■ Typically, forecasts = general, projections = limited.
○ An accountant who accepts an engagement to compile a financial projection would most likely make the
client aware that the engagement does NOT include an evaluation of the support for the assumptions
underlying the projection.
■ Practitioner would indicate that it is limited in scope, and would not include an opinion or assurance on
the financials or related assumptions.

Page 239 of 350

 M5: Reporting on Controls at a Service Organization
● Relationship Between the Entity and the Service Organization
○ Service organization → outside organization used by an entity to process some portion of their accounting
transactions.
■ Ex) ADP and Paychex, or other organizations that provide payroll services.
○ Services are considered to be part of a user entity’s information system when those services affect the
initiation, execution, processing, or reporting of the user company’s transactions.
■ Controls placed in operation by the service organization are considered to be part of the user
organization’s information system.
■ Service organization’s controls = User entity’s information system.
○ Service organizations often have an auditor perform an attestation examination engagement to report on
the controls of the service organization that are:
■ relevant to the use entity’s system of internal control over financial reporting (SOC 1); or

■ relevant to the security and confidentiality of the information processed by the service org. (SOC 2).

● Objectives of the Service Auditor

1. Obtain reasonable assurance about whether, in all material respects, based on suitable criteria:
■ Management's description of the service organization's system fairly presents the system that was
designed and implemented throughout the specified period (or as of a specified date if a Type 1
report).
■ The controls related to the control objectives stated in management’s description of the service
organization’s system were suitably designed throughout the specified period (or as of a specified date
if a Type 1 report).
■ When included in the scope of the engagement, the controls operated effectively to provide
reasonable assurance that the control objectives stated in management’s description of the service
organization system were achieved throughout the specified period.
2. Report in accordance with the service auditor’s findings.

● Procedures of the Service Auditor

○ Assess the suitability of the criteria.

Page 240 of 350

 ○ Obtain an understanding of the service organization’s system.
○ Obtain evidence regarding management’s description of the service organization’s system.
○ Obtain evidence regarding the design of controls.
○ Obtain evidence regarding the operating effectiveness of controls (Type 2 report only).
○ Obtain written representations from management.
○ Consider subsequent events.

● System and Organization Controls (SOC 1 and SOC 2) Reports

○ System and Organization Controls (SOC) is a suite of offerings a CPA may provide in connection with a
system-level controls at a service organization.
○ There are two different reports a service auditor may provide regarding the controls in place at a service
organization:
■ SOC 1 → SOC for Service Organizations: Internal Control Over Financial Reporting (ICFR)

■ SOC 2 → SOC for Service Organizations: Trust Services Criteria

○ Each report can be issued as either a Type 1 or Type 2 report.

● SOC 1 - Internal Control over Financial Reporting

○ SOC 1 report is a report on controls at a service organization relevant to user entities’ internal control over
financial reporting.
○ A SOC 1 report is:
■ Issued by a service auditor.

■ Intended to be used by a user entity and user auditor in evaluating the impact that certain relevant
controls at the service organization have on the financial statements of the user entity.
○ The use of a SOC 1 report is restricted to the management of the service organization, the user entity, and
the user auditor.

● SOC 2 - Trust Services Criteria

○ SOC 2 is a report on controls at a service organization relevant to security, availability, processing integrity,
confidentiality, or privacy.
○ A SOC 2 report is:
■ Issued by a service auditor.

■ Intended to give assurance to a broad range of users regarding the controls in place at a service
organization relevant to one or more of the Trusted Services Criteria:
● Security, availability, etc. (listed above).
○ The use of a SOC 2 report is also restricted.

● Type 1 Report
○ Report on the design and implementation of a service organization’s identified controls.
○ Does NOT provide assurance on the operating effectiveness of the controls.
Page 241 of 350
 ○ Can be applied to a SOC 1 or SOC 2 report.
○ Contains the following:
1. Management’s description of the service organization’s system.
2. A written assertion by management of the service organization about whether, in all material
respects, and based on suitable criteria:
○ Management’s description of the system fairly presents the design and implementation of
the system as of a specified date.
○ The controls related to the control objectives outlined in management’s description were
suitably designed to achieve the controls objectives as of a specified date.
3. The auditor’s opinion on management’s assertion.
(An example of a Type 1 report letter is given in the lecture.)

● Type 2 Report
○ Report on the design, implementation, and operative effectiveness of a service organization’s controls.
○ Can be applied to a SOC 1 or SOC 2 report.
○ Contains the following:
1. Management’s description of the service organization’s system.
2. A written assertion by management of the service organization about whether, in all material
respects, and based on suitable criteria:
○ Management’s description of the system fairly presents the design and implementation of
the system throughout a specified period.
○ The controls related to the control objectives outlined in management’s description:
■ were suitably designed to achieve control objectives throughout a specified period.

■ operated effectively to achieve the control objectives throughout a specified period.

3. The auditor’s opinion on management’s assertion and a description of the service auditor’s tests of
controls and results of those tests.
(An example of a Type 2 report letter is given in the lecture.)

● User Auditor Responsibilities

○ To provide an appropriate basis for the identification and assessment of the risks of material misstatement
and design and perform audit procedures responsive to those risks, the user auditor should obtain an
understanding of:
■ the nature and significance of the services provided by the service organization; and

■ the effect on the user entity’s system of internal control.

○ When a SOC 1 report is available, the user auditor may utilize the report in its assessment of the user
entity’s internal controls.
○ SOC 1 Type 1 Report:
■ May aid the user auditor in obtaining an understanding of the controls.

Page 242 of 350

 ■ Is provided when tests of the operating effectiveness of the service organizations controls were not
performed.
■ Does not provide the user auditor with a basis for reducing the assessment of control risk as low for
areas of the entity’s accounting that are affected by the service organization.

○ SOC 1 Type 2 Report:

■ Provides the user with assurance about the design, implementation, and operating effectiveness of the
service organization's internal controls.
■ May provide evidence that would allow a reduction in the assessed level of control risk for areas of the
entity’s accounting that are affected by the service organization.

○ Alternatively, such evidence (to allow reduction in assessed risk) can be obtained directly by the user
auditor, either by:
■ testing the user organization's controls over the service organization's activities; or

■ performing tests of controls at the service organization.

○ When the user auditor plans to use a SOC 1 Type 2 report as audit evidence that the controls at the service
organization are operating effectively, the user auditor should be satisfied regarding:
1. The service auditor’s competence and independence.
2. The adequacy of the standards under which the report was issued.
3. Whether the period of time covered by the report is appropriate for the user auditor’s purposes.
4. The adequacy of the time period covered by the tests of controls and the time elapsed since the
performance of the tests of controls.
5. Whether any complimentary controls address the risk of material misstatement in the user entity’s
financial statements and, if so, obtaining an understanding of the design and operating
effectiveness of such controls.
6. The evaluation of whether the tests of controls performed by the service auditor are:
○ Relevant to the assertions in the user entity’s financial statements; and
○ Provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.

● Reporting by the User Auditor

○ If unable to obtain sufficient appropriate audit evidence regarding the services provided by a service
organization relevant to the audit, the user auditor should issue:
■ A qualified opinion; or

■ A disclaimer of opinion.
○ If user auditor issues an unmodified/unqualified opinion → make NO reference to service auditor report.
○ If user auditor issues a modified opinion → permitted to make reference to report to explain modifications.

Page 243 of 350

● Notes from MCQs
○ When other information is presented in a document containing management’s description of its system of
internal control, the service auditor should read the other information in order to identify material
inconsistencies or misstatements.
○ A requirement for accepting an attestation engagement to report on the controls at a service organization
is that the service auditor has the competence and capability to perform the engagement.

M6: Reporting on Compliance

● Compliance reporting → providing reasonable assurance of the detection of material misstatements resulting
from noncompliance with:
○ Contractual agreements
○ Regulatory requirements
○ Laws
○ Regulations
○ Internal control over financial compliance
● An auditor may report on compliance and internal control over compliance as part of a single audit
engagement when auditing a recipient of federal financial assistance.
○ Auditing financial statements + Verifying internal controls over compliance = Compliance Report

● Compliance Reports in Connection with Audited Financial Statements

○ Compliance reports are based on:
■ Contractual agreements

■ Regulatory requirements
○ Conditions:
■ The auditor must have audited the client’s financial statements.

■ The auditor may only issue negative assurance on compliance.

■ This engagement is neither a compliance audit nor an attestation engagement.

● Negative Assurance
○ A statement that the auditor found no evidence that the entity failed to comply with their contractual
agreements.
○ Negative assurance may be given when:
1. There are no identified instances of noncompliance;
2. Auditor must issue an unmodified or qualified opinion on the financial statements; and
Page 244 of 350
 3. Applicable covenants or regulatory requirements have been subjected to audit procedures as part
of the financial statement audit.
○ When the auditor identifies noncompliance:
■ The report on compliance should describe the noncompliance.

■ If an adverse opinion or disclaimer of opinion is expressed on the financial statements, identify the
instances of noncompliance.
○ Report on compliance should be in writing.
■ May be a separate report; or

■ Provided in one or more paragraphs in the audit report on the financial statements.

● Attestation Standards: Compliance Attestation

○ The attestation standards address two types of engagements:
■ Compliance with specified requirements → an entity’s compliance with requirements of specified laws,
regulations, rules, contracts, or grants.
■ Internal control over compliance → an entity’s internal control over compliance with specified
requirements.
○ Practitioners may be engaged to perform agreed-upon procedures or examination engagements on an
entity’s compliance.
○ Practitioners should NOT accept an engagement to perform a review.

● Agreed-Upon Procedures Engagements

○ May be used to assist users in evaluating the following subject matter (or assertions):
■ The entity’s compliance with specified requirements.

■ The entity’s internal control over compliance with specified requirements.

■ Both the two above.

○ The following two conditions MUST be met before performance:
1. Responsible party accepts responsibility for the compliance and internal control over compliance
with specified requirements.
2. Responsible party evaluates the entity’s compliance or internal control over compliance with
specified requirements.
■ Management is responsible for both the compliance and evaluation of compliance.

● Examination Engagements
○ A practitioner may perform an examination related to compliance if the following three conditions are met:
1. Responsible party accepts responsibility for the entity’s compliance and the effectiveness of
internal control over compliance with specified requirements;
2. Responsible party evaluates the entity’s compliance with specified requirements; and
Page 245 of 350
 3. Sufficient evidential matter exists or could be developed to support management’s evaluation.

● Materiality
○ The practitioners consideration of materiality is affected by:
■ The nature of compliance requirements.

■ The nature and frequency of noncompliance identified with appropriate consideration of sampling risk.

■ Qualitative considerations, including the needs and expectations of the report’s users.

● Overall Requirements for Compliance Examination

○ Perform a risk assessment
○ Design responses to the risk assessment
○ Determine if supplementary audit requirements exist.
○ Obtain written representation from management
○ Prepare reports
○ Prepare required documentation

● Documentation Requirements
○ Assessed risk of material noncompliance, including the procedures performed and the documentation of
internal control (narratives, flowcharts, etc).
○ Responses to the risk assessment, including the procedures performed to test compliance and results of
procedures, and tests of controls.
○ The basis or rationale for materiality levels.
○ Compliance with supplemental requirements.

● Summary of Each Engagement

● Representation Letter
○ The following statements should be included as written representations from the responsible party
(management).
○ Management takes responsibility for complying with the specified requirements.
○ Management takes responsibility for establishing and maintaining effective internal control over
compliance.
Page 246 of 350
 ○ Management has performed an evaluation of:
■ The entity’s compliance with specified requirements; or

■ The entity’s controls for ensuring compliance and detecting noncompliance with requirements, as
applicable.
○ Management has disclosed to the practitioner all known noncompliance.
○ Management has made available all documentation related to compliance.
○ Management’s interpretation of any compliance requirements that have varying interpretations.
○ Management has disclosed any communications from regulatory agencies, internal auditors, and other
practitioners concerning possible noncompliance.
○ Management has disclosed any known noncompliance occurring subsequent to the period for which, or
date as of which, management made its assertion.

● Attestation Risk of Noncompliance

○ Attestation risk → risk that the practitioner may unknowingly fail to modify appropriately their opinion.
○ Attestation risk is composed of inherent risk, control risk, and detection risk (similar to audit risk model).

● Risk of Material Noncompliance

○ Inherent Risk → the susceptibility of a compliance requirement to noncompliance that could be material,
assuming there are no related controls.
■ Exists independent of the audit.

■ The auditor cannot change this risk, but can change the assessment of risk based on evidence gathered.
○ Control Risk → risk that noncompliance with a compliance requirement that could be material will not be
prevented or detected on a timely basis by an entity’s internal control.
■ Exists independent of the audit.

■ The auditor cannot change this risk, but can change the assessment of risk based on evidence gathered.

● Detection Risk of Noncompliance

○ Detection risk → risk that the auditor will not detect material noncompliance that exists.
○ The auditor can change this risk by varying the nature, extent, and timing with regard to audit procedures.
○ Detection risk relates to the auditor’s procedures.
○ As the acceptable level of detection risk decreases, the assurance provided by tests of details should
increase.

Page 247 of 350

● Notes from MCQs
○ Tests of the operating effectiveness of controls may be required if any one of the following exist:
■ The risk assessment includes an explanation of the operating effectiveness of controls over compliance,
■ Substantive procedures do not provide enough evidence to support a conclusion, or
■ Tests of controls are required by the applicable government audit requirements.
○

M7: Government Audits

● Sources of Government Auditing Standards
○ Generally Accepted Auditing Standards (GAAS)
■ Issued by the AICPA’s Auditing Standards Board (ASB)

■ Issued in the form of Statements on Auditing Standards (SAS)

○ Generally Accepted Government Auditing Standards (GAGAS)
■ Referred to as the Yellow Book

■ Organized by ethical principles, general standards, standards for financial audits and attestation
engagements, and fieldwork, and reporting standards for performance audits.
■ Contains standards for audits of:

● Government organizations, programs, activities, and functions.

● Government assistance received by contractors, not-for-profit organizations, and other

nongovernmental organizations.

● Types of Government Audits

1. GAAP Basis Financial Statements
■ Audit is performed in accordance with the Yellow Book (GAGAS).

■ Done to verify whether the information in the financial statements is presented fairly.
2. Financial Statements in Conformity with Special Purpose Frameworks
■ Engagement can also include audits for financial statements prepared in conformity with a special
purpose framework or other comprehensive basis of accounting (OCBOA).
■ Government regulators generally specify the OCBOA to be used.

■ Government audit standards can be used in connection with audits of both nonissuers and issuers.

● Typically, issuers = PCAOB standards; nonissuers = AICPA standards.

Page 248 of 350

 ● Government standards can be applied to both.

● Purpose of Government Audits

○ To determine whether the audit was conducted in accordance with applicable laws and regulations, the
CPA ensures that:
■ Financial data was presented with accuracy;

■ Strong internal controls were in place; and

■ There was compliance with financial obligations.

● Ensure that funds were utilized for designated purposes.

● Government Audits: Attestation Engagements

○ Attestation Engagements
■ Performed in conformity with the Yellow Book (GAGAS).

■ Reported as an examination, a review, or an agreed-upon procedure.

○ Subjects of attestation agreements could include:
■ Compliance with specified laws, regulations, rules, contracts, or grants.

■ Effectiveness of internal control over compliance with specified requirements.

■ Presentation of MD&A.

■ Reliability of performance measures.

● Performance Audits
○ Provide objective analysis, findings, and conclusions to assist management in:
■ Improving program performance and operations.

■ Reducing costs.

■ Facilitating decision making.

■ Contributing to accountability.
○ Performance audits have a range of engagements with varying objectives.

● Key Categories of Performance Audits

1. Effectiveness, Economy, and Efficiency
■ Focus on program effectiveness and results.

■ Evaluate whether programs are meeting the goals and objectives.

Page 249 of 350

 ■ Address the costs and resources used to execute program initiatives.
2. Internal Controls
■ Evaluate the internal control over effective and efficient operations.

■ Reliability of reporting.

■ Compliance with laws and regulations.

3. Compliance
■ Evaluate compliance with criteria established by provisions of:

● Laws, regulations, contracts, grant agreements, etc.

■ Internal controls help prevent improper acquisition, use, or disposition of resources.

4. Prospective Analysis
■ Evaluate events that may occur in the future.

■ Suggest actions an entity may take in response to future needs.

● Supplementary Audit Requirements

○ When determining if supplementary audit requirements exist → Entity may have audit requirements
beyond GAAS and GAGAS → Auditor must make the determination.
■ Ex) Single audit requirements related to federal financial assistance (M8).

■ How much money was allocated or how much was spent?

● Government Auditing Standards (GAGAS)

○ GAGAS include a number of requirements for performing financial audits in addition to the standard GAAS
requirements.
○ Previous audits and attestation engagements:
■ Evaluate whether appropriate corrective action to address findings from the previous audit and
attestations have been addressed.
■ Planning procedures should include an inquiry of management about the status of previous audit
findings and recommendations.
■ Management’s response should be included in the auditor’s risk evaluation.

● Addressed previous issues → good thing; management integrity

● Put issues off → bad thing; management not taking it seriously

● Fraud, Noncompliance, and Abuse

○ Audits in accordance with GAGAS require additional attention to fraud, noncompliance, and abuse.

Page 250 of 350

 ○ Auditors should consider compliance with contracts or grant agreements.
○ Auditors should consider occurrences of abuse.
■ Abuse → involves deficient or improper behavior, including the misuse of authority or position for gain.

■ Auditors are not required to detect abuse because abuse is subjective.

■ Awareness of abuse that is quantitatively or qualitatively material obligates the auditor to perform
further testing.
○ Auditors should not interfere with investigators or legal proceedings when pursuing indications of fraud or
noncompliance.

● Developing a Finding
○ Auditors should plan and perform procedures to develop the elements of a finding that are relevant and
necessary to achieve audit objectives.
○ Criteria → define the expectations of a program or operation.
○ Condition → the situation or status that exists.
○ Cause → the reason for the condition or deviation from the criteria.
○ Effect or potential effect → a logical link between the condition and the deviation from the criteria.

● Audit Documentation
○ Documentation can be your best friend or your worst enemy.
○ Auditors should document evidence of supervisory review of the work performed.
○ The document should support:
■ Findings

■ Conclusions

■ Recommendations
○ Auditors should document departures from GAGAS and the impact on the audit due to noncompliance
caused by law, regulation, scope limitation, etc.

● Auditor Communication
○ The auditors should communicate pertinent information to individuals contracting for or requesting the
audit, and to cognizant legislative committees.
○ This requirement does not apply if the law or regulation requiring an audit of the financial statements does
not specifically identify the entities to be audited.
○ When a law or regulation prevents an auditor’s option to withdraw from an engagement or withhold a
report as a result of uncorrected material misstatement.
■ The auditor may issue a report or written communication to those charged with governance and the
appropriate statutory body giving details of the material misstatement.

● Report on Internal Control and Compliance

○ When providing an opinion or a disclaimer on financial statements, auditors should report on:
Page 251 of 350
 ■ Internal control over financial reporting.

■ Compliance with provisions of laws, regulations, contracts, grant agreements, and federal awards.
○ Auditors should include in the same or separate reports a description of the scope of the auditors’ testing
of internal control over financial reporting and compliance with the items listed.
○ Auditors should state whether the tests performed provide sufficient appropriate evidence to support an
opinion on the effectiveness of internal control over compliance.
○ Reports should be made regardless of whether there are control deficiencies:
■ GAGAS for reporting on ICFR:

● Does not require that the auditor express an opinion on internal controls.

● Only require a report on internal control and compliance that describes the scope of testing and
any findings.
■ AICPA standards for ICFR:

● Required to provide a high level of assurance about internal control over financial reporting in the
form of an opinion.
○ Report on financial statements should reference the existence of a separate report on internal control and
compliance if separate reports are being used.

● Communicate Deficiencies in Internal Control, Fraud, and Noncompliance

○ Deficiencies in Internal Control
■ Communicate significant deficiencies and material weaknesses in internal control.
○ Instances of Fraud and Noncompliance
■ Report to the appropriate members of the audited organization:

● Fraud and noncompliance that have a material effect on financials.

● Noncompliance with provisions of contracts or grant agreements that are material.

● Abuse that is material either quantitatively or qualitatively.

○ Less than Material Findings
■ Communicate in writing to appropriate officials.
○ Presenting Findings in the Auditor’s Report
■ Listing of findings

■ Management responses should be included in the report on internal controls and compliance, or may
be separately presented in a schedule of findings.
■ Communication to outside parties can occur when management fails to satisfy legal or regulatory
requirements to report and take appropriate steps, or respond in a timely manner.
Page 252 of 350
● Report Views of Responsible Officials
○ Auditors must solicit and report the views of responsible officials along with any planned corrective actions.
○ The oral comments are acceptable, but these responses should be documented in writing.
○ Written responses by the audited organization are included in the auditor’s report.
○ Oral responses will be confirmed in writing by the auditor, but not published in the report.
○ Responses from the audited organization that either contradict or fail to fully address the auditor’s
comments should prompt the following actions:
■ Evaluate the validity of the audited organizations comments.

■ Explain the basis for the disagreement in the report or modify the comment.
○ Auditors may issue reports without responses if the audited entity refuses to make comments or is unable
to make comments.
○ The report should disclose that the entity did not provide comments.

● Reporting Confidential or Sensitive Information

○ Audit reports should disclose the exclusion of confidential or sensitive information from an audit report by:
■ Reporting the omission of the information.

■ Stating the reason or other circumstance that made the omission necessary.

● Distribution of Reports
○ Audit organizations should distribute auditor’s reports to:
■ Those charged with governance.

■ Audited entity officials.

■ Oversight bodies or those who require or arrange for the audits.

■ Officials with oversight authority or who may be responsible for acting on audit findings and
recommendations.
■ All others authorized to receive reports.
○ Internal audit organizations in government entities must follow the Institute of Internal Auditors (IIA)
International Standards and the head of the internal audit organization:
■ Must consider the risks to the organization prior to the release of reports outside of the organization.

■ Should consult with senior management and control dissemination of reports to intended users.
○ Independent external auditors should clarify report distribution responsibilities with the party contracting
for the audit.
○ Auditors should document any limitation on report distribution.

● Additional GAGAS Considerations for Financial Audits

Page 253 of 350
 ○ Materiality Thresholds
■ Consider reducing materiality thresholds in response to:

● Public accountability issues;

● Various legal and regulatory requirements;

● Visibility and sensitivity of government programs.

○ Early Communication of Deficiencies
■ Deficiencies may be reported early when:

● Urgency or significance of findings may require faster corrective actions or follow-up.

● Ongoing noncompliance undetected by management should be stopped.

(An example of a GAGAS Report on Internal Control and Compliance is given in the lecture)

● Written Representations from Management (GAGAS)

○ The following representations, consistent with or in addition to GAAS, should be included.
○ There are no violations or possible violations of laws or regulations.
○ Management is responsible for the entity’s compliance with laws and regulations.
○ Management has identified and disclosed in writing to the auditor all the laws and regulations that have a
direct and material effect on its financial statements.

● Reporting on Internal Control

○ The auditor should report all significant deficiencies and material weaknesses in internal control.
○ GAGAS (like GAAS) require the auditor to:
■ Obtain an understanding of the design of controls and determine if they have been implemented.

■ Communicate all significant deficiencies (reportable conditions) noted during the audit.
○ GAGAS require a written report on the auditor’s understanding of internal control and the assessment of
control risk in all audits.
■ Different from GAAS, which require written communication only when significant deficiencies
(reportable conditions) are noted.
○ Report all fraud and illegal activities.

Page 254 of 350

 ○

● Notes from MCQs

○ “Presumptively mandatory requirement” = something an auditor “should” do.
■ Requirement should be followed in all cases where the requirement is relevant.
■ An auditor can depart from this, but must give a special explanation as to why and how what they did
instead was a better fit.
○ “Unconditional requirement” = something an auditor “must” do.
■ Requirement must be followed in all cases where the requirement is relevant.
■ Cannot depart.
○ In performing an audit under GAGAS, auditors assume more responsibility than under GAAS.
○ An auditor who identifies potential fraud under GAGAS should extend audit procedures as necessary to
determine if fraud has occurred.
■ If fraud is confirmed, then communicate to management or those with oversight.
○ Compliance audit → give opinion on whether the entity complied with applicable compliance
requirements.
○ Financial statement audit → obtain reasonable assurance if noncompliance would have a material effect.
○ Material illegal acts and fraud or irregularities found during the audit should be included in the audit
report.
○ Management’s written representation will likely include identification of management’s interpretation of
compliance requirements that are subject to different interpretations.

Page 255 of 350

 M8: Single Audits
Overview of Single Audits and Auditee Responsibilities
● Overview of Single Audits
○ Audits of recipients of federal financial assistance should be conducted in accordance with both GAAS and
GAGAS, as well as the following requirements:
■ Expanded internal control documentation and testing requirements.

■ Expanded reporting to include formal written reports on the consideration of internal control and the
assessment of control risk.
■ Expanded reporting to include whether the financial assistance has been used in accordance with laws
and regulations.
■ Application of single audit standards to federal financial assistance.

● Nature and Scope of the Single Audit Act

○ The Single Audit Act is designed to improve the effectiveness of audits of federal awards and reduce the
burden of federal audit requirements of recipients.
○ Type A → federal assistance greater than $750,000
○ Type B → federal assistance less than $750,000
○ The act is required for Type A entities.
○ The act allows for either:
■ Single audit; or

■ Program-specific audit

● Program-Specific Audit
○ Available to certain grant recipients who meet highly restrictive criteria, including:
■ Awards are expended under a single federal program.

■ No financial statement audit would be required.

○ Non-federal entities that spend less than $750,000 during the year (Type B) are exempt from federal audit
requirements for that year.

● Objectives of the Single Audit

○ There are two main objectives of a single audit.
1. Audit of the entity’s financial statements and reporting on a separate schedule of expenditures of federal
awards in relation to those financial statements.
■ Ex) $1,000,00 allocation towards lunches → money should be spent on lunch/food items.
2. Compliance audit of federal awards expended during the year as a basis for issuing additional reports on
compliance related to the following:

Page 256 of 350

 ■ Major programs; and

■ Internal control over compliance

● Materiality Determinations
○ Single audit includes a separate evaluation of materiality for each major program selected.
○ Major programs (Type A) → expend more than $750,000 in financial assistance.
○ Smaller programs (Type B) may be deemed major programs if they are classified as “high risk” even if they
do not meet the monetary threshold.
○ The Uniform Grant Guidance provides guidance on applying the “risk-based approach” to program
selection.

● Audit Requirements
○ Audit requirements apply to:
■ Recipients of federal financial assistance.

■ Subrecipients of federal financial assistance.

■ Contractors (limited requirements)

● Program-Specific Audits
○ Do NOT include reports on the financial statements of the organization taken as a whole.
○ Under certain circumstances, recipients are permitted to have a program-specific audit instead of a single
audit.
■ Entities not covered by the Single Audit Act are also eligible.
○ Auditors must contact the Inspector General of the applicable federal agency and obtain a current
program-specific audit guide.
○ Auditors must follow GAGAS and the guide obtained when performing a program-specific audit.
○ If a program-specific audit guide is not available, the auditor has basically the same responsibilities as in an
audit of a major program for a single audit.

● Auditor Selection
○ Auditors must be selected using procurement standards established by federal guidelines.
○ Procurement standards preclude limitations on competition, such as preventing:
■ Use of a single or sole source vendor (only including one firm).

■ Providing preferences to local firms.

○ Proposals made by auditors must be evaluated for:
■ Responsiveness

■ Experience

Page 257 of 350

 ■ Qualified staff

■ Results of peer reviews

■ Audit organization’s peer review report

■ Consultants engaged to develop indirect cost plans may NOT be engaged as the auditor when the
indirect costs recovered by the auditee in the prior year exceeded $1 million (independence).

● Report Submission
○ The audit report must be submitted within:
■ 30 calendar days of receipt of the auditor’s report; or

■ 9 months after the end of the audit period.

○ Reports must be retained for 3 years from the date of submission.
○ Copies must be available for public inspection (unless restricted by law or regulation).
○ The audit report must be submitted in the following format:
■ The report must be transmitted using a Data Collection Form that follows a specific data set required by
the Office of Management and Budget (OMB).
■ The form must be signed by a responsible official.

■ The reporting package must include:

● Financial statements

● A summary schedule of prior audit findings

● Auditor’s reports

● Correction actions plans

■ The report must be submitted electronically.

Auditor Responsibilities and Reporting Requirements

● The Scope of the Audit (the auditor should…)
○ Express an opinion regarding the fair presentation of the financial statements and related schedules; and
○ Consider internal control, compliance, and previous audit findings.

● Internal Control
○ The auditor should consider internal controls over compliance using major programs as the basis for both
testing and reporting.
○ Understanding of internal control over compliance and compliance testing is not required for nonmajor
federal programs.

Page 258 of 350

 ○ Internal control guidance is taken from both the U.S. Office of the Comptroller General and COSO, as best
practices for frameworks of internal controls.

● Tests of Transactions for Compliance

○ The single audit act requires that the auditor design and test transactions of federal awards for compliance
with statutes, regulations, and the terms and conditions of the federal awards.
○ The audit must be planned to support a low assessed level of control risk of noncompliance for major
programs.
○ The auditor must plan and perform tests of controls over compliance for major programs, keeping in mind
the following:
■ The auditor is not required to test controls that are ineffective.

■ Significant deficiencies and material weaknesses must be reported.

■ When controls are deemed ineffective, additional tests of compliance must be considered.
○ General rule:
■ Effective controls → test

■ Ineffective controls → report

○ Compliance testing is required to provide evidence to support an opinion on the compliance for each major
program.
○ The auditor attempts to obtain reasonable assurance that the auditee complied, in all material respects,
with the compliance requirements.
○ Testing procedures must be designed to detect both intentional and unintentional noncompliance, though
intentional may be concealed and difficult to detect.
○ Subsequent discovery that material noncompliance with requirements exists does not necessarily mean
inadequate planning or judgment from the auditor.
○ Testing may be performed at any stage of the audit concurrently with tests of operating effectiveness of
controls, as separate substantive testing, or as a combination of the two.
○ Auditors consider both audit risk of noncompliance and materiality for each program to give an opinion on
the direct and material compliance requirements for each major program the auditor plans compliance
tests to reduce detection risk.
■ The auditor must also consider both inherent and control risk of noncompliance.
○ Appropriate evidence mirrors the characteristics of audit evidence gathered in financial statements.
○ In determining the nature of tests of compliance with requirements for major programs, consideration of
the nature of those requirements will govern the character of testing, for instance:
■ Compliance testing covering cost principles → test of disbursements.

■ Compliance with procurement requirements → test of purchasing procedures.

■ Compliance with participant eligibility requirements → test of participant qualifications.

Page 259 of 350

● Common Compliance Issues
○ Compliance with federal laws, rules, and regulations are included in separate sections of the Uniform
Guidance described in Title 2 of the Code of Federal Regulations (2CFR).
○ Uniform Guidance includes both administrative requirements and cost principles that are common to all
federal financial assistance and includes a compliance supplement that describes required audit procedures
in a matrix of compliance requirements.

● Uniform Requirements: Administrative Requirements

○ The administrative requirements described in the uniform requirements deal with the federal regulations
associated with all phases of the grant life cycle.
○ Samples of federally mandated administrative requirements for grantees include:
■ Maintenance of appropriate internal controls over federal funds.

■ Identification and appropriate treatment of program income.

■ Compliance with procurement standards (such as open competition and appropriate vendors,
documented procurement procedures, and methods of procurement based on dollar thresholds or
procurement type).
■ Performance monitoring and reporting.

■ Subrecipient monitoring.

■ Record retention requirements.

■ Real property administration (including record keeping and disposition requirements).

● Uniform Requirements: Cost Principles

○ Cost principles described in the Uniform Requirements define costs that are either generally unallowable or
generally allowable, few absolutes apply.
○ The basic criteria for the allowability include whether a cost is reasonable and necessary and properly
allocated to the federally funded program.
○ Additionally, some costs may be allowable with the approval of the federal awarding agency.
○ Uniform requirements also include standards for indirect (facilities or administrative, or F&A) cost
allocation methodologies.
○ Cost allocation methods must be fair, reasonable, and consistently applied.
○ A limited number of specific costs are described, such as:
■ Costs that are generally allowable include compensation (personal services), equipment, direct costs,
insurance, and indemnification.
■ Costs that are generally unallowable include organization costs, entertainment costs, fines, penalties,
damages, and other settlements.

● Uniform Requirements: Compliance Supplement

○ The compliance supplement describes the general provisions that should be tested for specific grants.
Page 260 of 350
 ○ Tested areas mirror the uniform requirements, but may be specifically required for audit focus by an
awarding agency by reference to the matrix of compliance requirements.
○ The general areas of testing may not be all uniformly required for all grants.
○ Examples of compliance requirements include:
■ Activities allowed or unallowed

■ Allowable costs/cost principles

■ Cash management

■ Eligibility

■ Equipment and real property management

■ Matching level of effort, earmarking

■ Period of performance

■ Procurement suspension and debarment

■ Program income

■ Reporting

■ Subrecipient monitoring

■ Special tests and provisions

● Previous Audit Findings

○ The auditor is required to:
■ Follow-up on audit findings from previous audits.

■ Perform procedures to assess the reasonableness of the summary schedule of prior audit findings
prepared by the auditee.

● Audit Reporting (the auditor should…)

○ Express an opinion regarding the fair presentation of the financial statements, in accordance with GAAP
(Financial Statement Report).
○ Express an opinion regarding the fair presentation of the Schedule of Expenditures of Federal Awards
(SEFA) in relation to the financial statements (SEFA Report).
○ Report on internal control over financial reporting and compliance with federal statutes, regulations, and
the terms and conditions for the federal award, including:
■ Scope of testing of internal control and compliance

■ Results of tests

Page 261 of 350

 ■ References to a separate Schedule of Findings and Questioned Costs
○ Report on compliance for each major program and report on internal control over compliance (Single Audit
Report) including:
■ Scope of testing of internal control over compliance with specific references to consideration of fraud,
errors, and the concept of reasonable assurance.
■ An opinion with regard to compliance with federal statutes, regulations, and the terms and conditions
of the federal award.
● Report as qualified or adverse for reportable instances of noncompliance with the requirements
governing a major program, depending on materiality.
● Report immaterial instances of noncompliance, but not specifically identify them.
○ Reference to a separate Schedule of Findings and Questioned Costs, which includes:
■ Summary of the auditor’s results including:

● Type of report issued by the auditor over the financial statements.

● Statement regarding whether significant deficiencies or material weaknesses in internal control

were found during the financial statement audit.
● Statement if significant deficiencies or material weaknesses in internal control over major
programs were disclosed by the Single Audit.
● Discovery of any material noncompliance.

● Type of report issued by the auditor on compliance of major programs.

● Statement regarding whether the auditor disclosed any audit findings.

● Identification of the major programs.

● The dollar threshold used to distinguish between Type A and Type B programs.

● Statement as to whether the auditee qualified as a high-risk or low-risk auditee.

● GAGAS findings.

● Findings and questioned costs for federal awards.

● Audit Findings
○ The auditor must report the following items.
○ Significant deficiencies and material weaknesses in internal control over major programs and significant
instances of abuse related to major programs.
○ Material noncompliance with provisions of federal statutes, regulations, or the terms and conditions of
federal awards related to major programs.
○ Questioned costs of a given type of compliance requirement that exceeds $25,000.
Page 262 of 350
 ○ Any circumstances of why the auditor’s report on compliance for each major program is other than an
unmodified opinion, as applicable.
○ Known or likely fraud affecting a federal award.
○ Instances in which the results of audit follow-up procedures disclosed that the summary schedule of prior
audit findings prepared by the auditee was materially misrepresented.

● Audit Documentation
○ Must be maintained for 3 years after the date of issuance.
○ Contested audit findings or requests by the awarding of cognizant agency may extend the retention period.

● Risk-Based Approach
○ The determination of major programs uses a risk-based approach and a four-step process.
○ The risk-based approach includes the consideration of:
■ Current and prior audit experience.

■ Oversight by federal agencies

■ Inherent risk
1. Identify Type A programs ($750,000 or more) and Type B programs (those that aren’t Type A).
2. Identify Type A programs with low risk and have been audited as a major program in at least one of the two
most recent audit periods. Type A programs CANNOT be low risk if they had:
■ Material weaknesses in internal control for major programs;

■ A modified opinion on the program; or

■ Known or likely questioned costs that exceed 5% of the total federal awards expended for the program.
3. Identify Type B programs that are high risk, using professional judgment (high risk = major program).
4. Determine the coverage requirements. At a minimum, major programs include:
■ All Type A programs not identified as low risk.

■ All Type B programs identified as high risk that meet the coverage requirements.

● Percentage Coverage
○ For low-risk auditees → auditor must test 20% of the total federal awards expended.
○ For other auditees → auditor must test 40% of the total federal awards expended.

● Criteria for Federal Program Risk

○ Current and prior audit experience could indicate higher risk:
■ Multiple internal control structures.

■ Weak monitoring systems for subrecipients.

■ Programs not recently audited as major.

Page 263 of 350

 ○ The inherent risk of a federal program is increased by:
■ The complexity of the program.

■ Being in the early phase of a program’s life cycle.

● Criteria for a Low-Risk Auditee

○ Single audits have been performed on an annual basis for two years.
○ The financial statements received an unmodified opinion.
○ No material weaknesses in internal control were identified under GAGAS.
○ No going concern contingencies were reported.
○ Type A programs that had:
■ No material weaknesses in the auditor’s report on internal controls over compliance.

■ No modified opinion on major programs.

■ No questioned costs in excess of 5% of the award expended.

● Reporting Requirements Summary

● Notes from MCQs

○ Free rents received as part of an award to carry out a federal program are treated as federal funds
expended.
○ Subrecipient → a nonfederal entity that expends federal awards received from another entity to carry out a
federal program.

Page 264 of 350

 ■ Ex) Federal award given to Entity A; Entity A then gives award to Entity B to carry out the program;
Entity B is the subrecipient.
○ A cognizant agency for the audit is typically the federal awarding agency that provides the most amount of
direct funding to a nonfederal entity.

A6 – Accounting and Review Service Engagements, Interim Reviews, and Ethics and Professional Responsibilities
M1: SSARS Engagements
Levels of Service
● Levels of Service
○ CPAs can perform three levels of service with respect to unaudited financial statements of a nonissuer.
1. Preparation
■ No assurance

■ No independence required
2. Compilation
■ No assurance

■ Independence not required, but

■ Must disclose any lack of independence

3. Review
■ Limited assurance

■ Independence required
○ These types of services may be used by clients to:
■ Provide financial information to a local bank where they have a local credit line.

■ Provide to local businesses, such as a vendor.

■ To prepare the tax return, which includes an income statement and balance sheet.

● Preparation
○ Objective → prepare financial statements in accordance with a specified financial reporting framework.
○ May include multiple meetings and communications with the client:
■ Clients' financial records may be incomplete.

■ Adjustments may be needed such as depreciation, pension plan, etc.

Page 265 of 350

 ○ No audit or review procedures performed.
○ No assurance expressed on the financial statements.
○ No report required (non-attest engagement).
○ No determination of CPA’s independence required.

● Compilation
○ Objective → prepare information in the form of financial statements that is the representation of
management.
○ No audit or review procedures performed.
○ No assurance expressed on the financial statements.
○ Report required (attest engagement)
○ Independence by the CPA is not required, but a determination of the CPA’s independence relative to the
entity is required.

● Review
○ Objective → express limited assurance that there are no material modifications that should be made to the
financial statements to conform with the applicable reporting framework.
○ Review may be required when the client’s bank needs assurance about the client’s financial stability, but
the client is not willing to pay for a full audit.
○ Reviews may be done through both:
■ Inquiries → conducted with internal personnel such as owners, management, legal counsel, etc.

● Confirmations not required.

■ Analytical procedures → CPA anticipates results of analytics and develops expectations.

● Involves comparison of results to CPA’s expectations.

● Pursue additional inquiries if results differ from expectations.

○ Considered both an assurance and attest engagement (report required).
○ Independence is required.

● Performance of More than One Service

○ When more than one service is performed by the CPA (e.g., both a compilation and an audit).
○ CPA should generally issue the report that is appropriate for the highest level of service rendered.
○ Attest → Report → Compilation and Review
○ Non-attest → No Report → Preparation
○ Assurance → Reasonable assurance (opinion)
○ Limited assurance → Review
○ No assurance → no opinion/conclusion → Preparation and Compilation

Professional Standards
● The Statements on Standards for Accounting and Review Services (SSARS)

Page 266 of 350

 ○ Promulgated by the Accounting and Review Services Committee of the AICPA.
○ Applicable for accounting, NOT audits. Guidance for audits include:
■ SAS guidance → audit of nonissuers.

■ PCAOB standards → audit of issuers.

○ Provide guidance for unaudited financial statements of information of nonissuers (private companies).
○ An accountant should:
■ Have sufficient knowledge to identify applicable SSARS.

■ Exercise professional judgment in applying SSARS.

■ Be able to justify departures from SSARS.

● An accountant can depart from GAAP and GAAS by explaining their reasons for departure.

● SSARS Applicability
○ Provide standards for unaudited financial statements of nonissuers.
○ Helps the nonissuers share the information with:
■ Local banks

■ Owners who aren’t actively involved on a day-to-day basis.

○ Used for preparation, compilation, and review engagements.
■ NOT applicable to audits.
○ Nonissuer is an entity:
■ For which securities are not registered with the SEC.

■ That is not required to file reports with the SEC.

■ That has not filed a registration statement (that is still pending) with the SEC.

● SSARS Do NOT Apply

○ SSARS do not apply to other accounting services provided by accountants such as:
■ Preparing adjusting/correcting entries, such as:

● Depreciation adjustment.

● Pension adjustment.

■ Consulting on financial matters.

■ Preparing tax returns.

■ Rendering bookkeeping services.

Page 267 of 350

 ■ Processing financial data for clients of other accounting firms.
○ SSARS are not applicable to reviews of interim financial information of nonissers whose annual financial
statements are audited.
■ Statements on Auditing Standards (SAS) apply to these engagements.

■ Ex) review takes place on an interim date, yet the same company has their financials be audited at year
end, then SAS will apply to the interim review, NOT SSARS.

Elements of SSARS Engagements

● Three-Party Relationship
○ Preparation, compilation, and review engagements involve:
■ Management (the responsible party)

■ Accountant in the practice of public accounting (CPAs; you)

■ Intended users of the financial information (outsiders/management).

● Management (are responsible for…)

○ Identifying an applicable financial reporting framework and individual accounting policies.
○ Preparation and fair presentation of the financial statements.
○ The design, implementation, and maintenance of internal control.
○ Preventing and detecting fraud.
○ Ensuring that the entity complies with laws and regulations.
○ Ensuring accuracy and completeness of the records, documents, explanations, and other information.
○ Providing the accountant with access to all information and to necessary persons within the entity.

● Accountant in Practice
○ Management creates the preparation, compilation, and review engagements.
○ Accountants help management prepare, compile, or review the financial statements.
○ The accountant should:
■ Possess knowledge of the accounting principles and practices of the industry in which the entity
operates.
■ Comply with relevant ethical requirements, including:

● The AICPA Code of Professional Conduct

● Rules of state boards of accountancy and applicable regulatory agencies.

■ Exercise professional judgment in the performance of an engagement.

■ Maintain appropriate engagement-level quality control, which includes:

● Human resources (hiring, training, promotions, etc).

Page 268 of 350
 ● Engagement assessment (ethics, independence of the accountant).

● Leadership (leading by example).

● Performance evaluation.

● Monitoring.

● Intended Users
○ Person(s) or class of persons who understand the limitations of the engagement and the financial
statements.
○ Management and intended users may be the same.
○ Intended users may be from the same entity or from different entities.
○ Accountants have NO responsibility to identify the intended users.

● Establishing an Understanding with the Client

○ All SSARS engagements require a written agreement (i.e., an engagement letter) regarding the terms of the
engagement:
■ In accordance with SSARS and another set of standards.

■ Written agreement with:

● Management

● Those charged with governance, when appropriate.

● Other Frameworks (other than GAAP or IFRS)

○ Financial statements may be prepared in accordance with a special purpose framework or framework
generally accepted in another country.
○ Financial statements prepared in accordance with a special purpose framework are not considered
appropriate in form unless the financial statements include:
1. A description of the special purpose framework, including:
○ Summary of significant accounting policies.
○ Description of material differences from GAAP.
2. Disclosures similar to those required by GAAP if the statements contain items that are similar to
those included in GAAP.

● Financial Reporting Framework Generally Accepted in Another Country

○ Accountants should obtain an understanding of such framework and follow reporting requirements
depending on the distribution of the report.
○ Distribution outside of the United States → use either of the following:

Page 269 of 350

 ■ A report in accordance with SSARS that includes a statement that refers to the note of the statements
describing the basis of presentation, including the identification of the country of origin and the
accounting principles.
■ A report in accordance with another set of compilation or review standards.
○ Distribution in the United States:
■ Report in accordance with SSARS, including the requirements related to financial statements prepared
in accordance with a special purpose framework (#1 and #2 above).

● Financial Statements or Financial Information

○ Financial reporting framework determines what constitutes a complete set of financial statements.
○ Typically, a set of financial statements includes:
■ Balance Sheet

■ Income Statement

■ Statement of Cash Flows

■ Statement of Equity

■ Footnotes
○ Accountants may be engaged to prepare, compile, and review a complete set of financial statements or an
individual financial statement.
○ Financial statements may be for an annual period, or for a shorter or longer period.

Subsequent Events and Subsequently Discovered Facts

● Subsequent Event
○ An event or transaction that occurs after the year-end date and prior to the issuance of the financial
statements; and
○ Has a material effect on the financial statements and therefore requires adjustment or disclosure in the
statements.
○ Ex) the financial statements are completed and ready to be released, but a final verdict is reached after the
year-end date for a lawsuit that requires an adjustment to the financial statements.
■ Type 1 subsequent events (such as this) require an adjusting journal entry to the financial statements.

● Also known as a “recognized” event.

■ This is considered a type 1 (recognized) event because the lawsuit was already a part of the financials
as of the end of the period, just wasn’t finalized in terms of value because there was no verdict yet.
○ Ex) an earthquake causes a major warehouse to be destroyed after year end.
■ Type 2 subsequent events (such as this) require disclosure in the financial statements.

● Also known as “nonrecognized” event.

Page 270 of 350

 ■ Events that did not exist prior to the year-end date of the financial statements but need to be disclosed
are called type 2 subsequent events.
■ Type 2 subsequent events need to be disclosed in the footnotes of the financial statements.
○ The accountant should request management to consider whether each event is appropriately reflected in
the financial statements.

● Subsequently Discovered Facts That Become Known to the Accountant BEFORE the Report Release Date
○ If a subsequently discovered fact becomes known after the date of the review report, but before the
release date, the accountant should:
1. Discuss the matter with management.
2. Determine how management intends reporting it:
■ Did management identify the subsequent event as Type 1 and make an adjustment?

■ Did management identify the subsequent event as Type 2 and disclose it in the footnotes?

■ Did management determine the event to be immaterial and do not believe it should be reported?
○ If management decides to update the financial statements, the accountant should perform additional
review procedures and either:
■ Date the accountant's review report as of a later date.

■ Dual date the review report.

○ If management decides NOT to revise the financial statements, but the accountant believes they should be
revised, the review report may require modification.

● Subsequently Discovered Facts That Become Known to the Accountant AFTER the Report Release Date
○ The accountant has no obligation to make continuing inquiries after the report release date.
○ The accountant should take appropriate action when becoming aware of material information that:
■ Existed as of the date of the auditor’s report.

■ People are relying on or are likely to rely on the financial statements.

○ Action 1 → advise the client to immediately disclose the new information and disclose its impact.
○ Action 2 → discuss the matter to determine whether revisions are needed with individuals such as:
■ Management

■ Those charged with governance.

○ If management decides to revise the financial statements, the accountant should perform additional review
procedures and either:
■ Date the report at the later date.

■ Dual date the report.

○ Management action:
Page 271 of 350
 ■ Notify individuals who are relying on the financial statements.

■ Issued revised financial statements.

○ If management refuses to update the financial statements, the accountant should:
■ Notify the client that the report must no longer be associated with the financial statements.

■ Notify applicable regulatory agencies that the accountant’s report should no longer be relied on.

■ Notify persons known to be relying or likely to rely on the financial statements.

● Ex) bank utilizes financials to determine whether to issue a loan, or investors.

● Reporting Fraud and Noncompliance

○ Fraud → Lying
○ Noncompliance → Cheating
○ Communicate about the fraud to the appropriate level of management.
■ Observe how the management reacts to the reported fraud incident.
○ Management should be asked to consider the effect of the fraud or noncompliance with laws and
regulations on the financial statements.
○ Accountants should consider the impact of the matter on the report, compilation, or review report.
○ When the accountant believes that the financial statements are materially misstated, the accountants
should obtain:
■ Additional information

■ Revised information
○ If the entity will not provide additional or revised information, the accountant should withdraw from the
engagement.
○ Inconsequential matters may be communicated to the next level above the incident, but need not be
communicated to the higher ups.
○ Oral communication should be documented.
■ Ex) “I spoke with X about the fraud incident on [date], here was their reaction and plan…”
○ The accountant should consider withdrawing or consulting with legal counsel if fraud or noncompliance
involve an owner or senior management of the business.
■ Think of the control environment, it’s all about the tone at the top, and this is a bad example of it.
○ The only time you can breach confidentiality:
■ Legal/regulatory requirements

■ Successor accountant contacts you

■ Subpoena

Page 272 of 350

● Notes from MCQs
○ SSARS requires compiled financial statements to be accompanied by a compilation report even if the
financial statements are not expected to be used by a third party.
○ An accountant reproducing client-prepared financial statements has not prepared those statements,
therefore they do not comply with SSARS.
○ SSARS explicitly states that SSARS does not apply when an accountant prepares financial statements for
inclusion in written personal financial plans. Other situations where SSARS does not apply when preparing
financial statements includes:
■ Solely for submission to taxing authorities.
■ In conjunction with litigation services that involve pending or potential legal or regulatory proceedings.
■ In conjunction with business valuation services.

Page 273 of 350

 M2: Preparation Engagements
● Preparation of Financial Statements
○ Financial statements should be prepared in accordance with the specified financial reporting framework.
■ Ex) Cash, Tax, U.S. GAAP, IFRS, etc.
○ SSARS is followed for preparation engagements.
○ Preparations are the lowest level of engagements (Preparation → Compilation → Review → Audit)
○ When do preparation standards NOT apply?:
■ Audit, review, or compilation of financial statements

■ Submission to a tax authority

■ Personal financial plan

■ Litigation services

■ Business valuation services

● Establishing an Understanding with the Client

○ Done through an engagement letter.
○ Written understanding → removes misunderstandings
○ Provides documentation → acts as legal proof.
○ Understanding with management and governance should be signed (as appropriate).
○ Engagement letter should include:
■ Objectives of management

■ Management's responsibilities

■ Agreement of management that each page of the financial statements will include a statement
indicating no assurance.
■ Accountant’s responsibilities

■ Limitations on the engagement

■ Identification of the applicable framework

■ Known departure or departures from the applicable framework OR omission of substantially all
required disclosures.
○ Engagement letter headings:
■ Introduction

■ Our Responsibilities (CPAs; you)

■ Management Responsibilities

Page 274 of 350

 ■ Other relevant information (may include items such as fees for the preparation)
(Sample engagement letter is given in the lecture with key parts from above highlighted)

● Preparation Requirements
○ Possess knowledge of and understanding of the entity’s financial reporting framework.
○ Prepare the financial statements.
■ Include a “no assurance” statement on each page.

■ Ex) “No assurance is provided on these financial statements”

■ If the accountant is unable to include a statement on each page, the accountant may:
1. State a disclaimer of opinion on every page, such as “See disclaimer of opinion” and provide a
separate statement stating that you do not provide an opinion on the financials.
2. Perform a Compilation
3. Withdraw to avoid providing false, fraudulent, or deceptive information.

● Financial Statements Prepared with a Special Purpose Framework

○ Examples of special purpose include other comprehensive basis of accounting (OCBOA), tax basis, cash
basis, etc.
○ When using a special purpose framework, include a description of the financial reporting framework:
■ On the face of the financial statements; or

■ In a note to the financial statements.

● Inaccurate and Incomplete Financial Statements

○ Inquiries and performance are not required.
○ Request additional or revised information, if required.
○ In case of a known departure:
■ Disclose the material misstatement in the financial statements; or

■ Consider withdrawing.

● Financial Statements that Omit Substantially All Disclosures

○ Full financial statements are not always wanted by business owners.
○ An accountant may prepare financial statements that omit substantially all disclosures, provided:
■ There is a disclosure of the omission.

■ The reason for the omission was not to mislead.

○ If limited disclosure is acceptable and if the financial statements include only limited notes, label as follows:
■ “Selected Information - Substantially All Disclosures Required By [framework] Are Not Included.”

Page 275 of 350

● Documentation
○ Engagement letter consisting of:
■ The understanding between the client and the accountant.

■ Clients responsibilities

■ Accountants responsibilities
○ A copy of the financial statements prepared by the accountant.
○ Any significant findings or issues.
○ Oral or written communications with management regarding fraud or noncompliance.
○ Any departure from relevant, mandatory requirements.
○ Justification for the departure.
○ How the alternative procedures were sufficient to achieve the intent of that requirement.

● Notes from MCQs

○

Page 276 of 350

 M3: Compilation Engagements
Compilation Requirements
● Compilation Engagement
○ Nonissuers can receive a compilation of financial statements.
○ Assurance on the financial statements is not required.
○ Does not require independence, back lack of independence must be disclosed.
○ Objectives of a Compilation:
■ Assist management in the preparation of financial statements by applying accounting and financial
reporting expertise.
■ No undertaking to obtain or provide any assurance on the financial statements.

● Compilation of Financial Statements

○ Compilation engagements are not assurance engagements.
○ Compilation engagements do not require the accountant to verify the accuracy or completeness of the
information provided by management.
■ However, obvious and/or egregious errors may be brought up with management.
○ Compilation engagements do not require the gathering of evidence to express an opinion or a conclusion
on the financial statements.

● Establishing an Understanding with the Client

○ This understanding should be included in an engagement letter.
○ Engagement letter should include:
■ Objectives of the engagement.

■ Management's responsibilities

■ Accountant’s responsibilities

■ The limitations of the engagement, stating that the engagement cannot be relied upon to disclose
errors, fraud, or noncompliance.
■ Identification of the applicable reporting framework.

■ The expected form and content of the compilation report, and a statement that there may be
circumstances in which the report may differ from its expected form and content.
○ The engagement letter or other suitable form of written agreements should be signed by the accountant or
the accountant’s firm and management or those changed with governance, as appropriate.
○ Engagement letter headings:
■ Introduction

■ Our Responsibilities (CPAs; you)

■ Management Responsibilities
Page 277 of 350
 ■ Our Report

■ Other Relevant Information (such as fees and when its due)

(Sample engagement letter is given in the lecture with key parts from above highlighted)

● Knowledge of Industry Accounting Principles and Practices

○ Accountants should possess adequate knowledge of the accounting principles and practices of the client’s
industry to compile financial statements in an appropriate form.
○ Accounts should survey the facilities and review how records are prepared.
○ If the accountant has no prior experience in the industry, knowledge can be gained through:
■ Conducting research on the industry;

■ Continuing professional education courses; or

■ Utilizing a subcontractor for advice and to provide industry guidance.

○ Accountants aren’t required to have knowledge of the industry before ACCEPTING an engagement, but are
responsible for gaining the required level of knowledge before the engagement begins.

● Understanding the Client’s Business (“STAFF” the job properly)

○ Staff Qualifications → Is the staff well equipped to do the work properly?
○ Transaction Types and Complexities → Are the transactions fundamental or sophisticated?
○ Accounting Principles Used → Is U.S. GAAP or IFRS used? What accounting methods - LIFO or FIFO?
○ Form of Accounting Records → Bookkeeping software? Manual entries? How is information captured?
○ Financial Statements → What is the form and content of the financial statements?

● Reading the Financial Statements

○ Why read the financial statements? → to avoid being associated with false, fraudulent, or misleading
financial statements.
○ If an auditor believes the financial statements are false, fraudulent, or misleading, the auditor should ask
the client to correct the statements.
○ If the client refuses, the auditor should withdraw from the engagement.
○ The accountant should:
■ Consider whether the financial statements are appropriate in form and free from material errors.

■ Check for math errors or clerical mistakes.

■ Ensure there is no misapplication of GAAP.

● Noncompliance with Laws and Regulations, Going Concern, and Subsequent Events

Page 278 of 350

 ○

■ Request management to consider the effect on the financial statements.

■ Evaluate management’s conclusions.

■ Consider the effect on the compilation report.

● Financial Statements that May Be Inaccurate or Incomplete

○ Accountants are not required to, but may, make inquiries or perform other procedures to verify or support
the information supplied by the client.
○ If accountants discover the information is incorrect, incomplete, or unsatisfactory, they should obtain
additional or revised information from the client.
■ If the client refuses to provide such information, the accountants should withdraw.
○ If the accountant becomes aware that the records, documents, explanations, or other information are
incomplete, inaccurate, etc, the accountant should tell management and request additional or corrected
information.
○ The accountant should withdraw from the engagement and inform management with reasons why if
management:
■ Fails to provide records, documents, explanations, or other information requested.

■ Does not make appropriate revisions proposed by the accountant.

■ Does not disclose departures in the financial statements (and the accountant determines not to
disclose those in the compilation report).

● Documentation
○ Documentation provides support that the accountant complied with SSARS when performing the
engagement.
○ Documentation should include:
■ The engagement letter;

■ A copy of the financial statements; and

■ A copy of the accountant's report (compilation report).

Page 279 of 350
 ○ Other documentation that may be included:
■ Information that is unusual.

■ A going concern issue.

■ Information about a failure to comply with laws and regulations.

■ Resolution of questions and concerns raised during engagement and the corresponding responses.

■ Oral or written communications with management regarding fraud or noncompliance that came to the
accountant’s attention.

Compilation Report
● Overview of the Compilation Report
○ The report is the method by which the accountant communicates the extent of the responsibility assumed
for the financial statements.
○ The report is issued when the accountant has complied with the standard for a compilation.
○ The accountant’s report should be in writing and:
■ Include a statement that management is responsible for the financial statements.

■ Identify the entity that requested the compilation.

■ Identify the financial statements that were compiled.

■ Specify the date or period covered by the financial statements.

■ Indicate that SSARS was followed.

■ Include a statement that the accountant did not audit or review.

■ Include a statement that the accountant is not required to perform any procedures to verify the
accuracy or completeness of information provided, and therefore does not express an opinion,
conclusion, or provide any assurance.
■ Include the accountants firm signature, address, and the date of the report.
○ Additional paragraphs are required for certain items such as:
1. Financial statements are prepared in accordance with a special purpose framework.
● Ex) Cash method, tax method, regulatory method, contractual method, etc.

● Accountants should disclose the framework used and refer to it in the footnotes if any information
is omitted.
2. Some clients don’t understand certain statements, so the accountant may not compile certain
statements for the client.
● Disclosures are omitted.

Page 280 of 350

 ● Acceptable as long as it is not being done to mislead or conceal misappropriations.

● Accountants should disclose the statements/footnotes that are not included.

3. Disclose that the accountant is not independent.
● No assurance, therefore no requirement to be independent.

● Not required to include the reasons for not being independent, but if reasons are given, ALL
reasons must be disclosed.
4. Disclose known departures from the applicable reporting framework.
5. Include supplemental information.

● Additional Requirements
○ Each page of the statements should be marked “see Accountant’s Compilation Report” or “see
Independent Accountant's Compilation Report.”
○ SSARS do not require that the compilation report be printed on the accountant’s letterhead.
○ The signature of the accountant or accountant’s firm may be manual, printed, or digital.
○ At the accountant’s discretion, a separate paragraph of the report may be used to emphasize any matter
already disclosed in the financial statements → to make sure the reader does not miss the matter.

(Sample Standard Compilation Report is given in the lecture if needed)

● Reporting on Financial Statements That are Prepared with a Special Purpose Framework
○ If management has a choice of frameworks, the explanation of management’s responsibility for the
financial statements also makes reference to its responsibility for determining that the applicable financial
reporting framework is acceptable in the circumstances.
○ A compilation report prepared in accordance with a special purpose framework should include an
additional paragraph that:
■ Indicates that the financial statements are prepared in accordance with the applicable special purpose
framework, refers to the note that describes the framework, and states that the special purpose
framework is a basis of accounting other than GAAP.
■ States that the financial statements may not be suitable for another purpose (if prepared in accordance
with a contractual basis of accounting).

● Reporting on Financial Statements That Omit Substantially All Disclosures

○ If requested by the client, an accountant may compile financial statements that omit substantially all
disclosures required by the applicable financial reporting framework.
○ The accountant may compile these statements provided:
■ The accountant’s report clearly indicates the omission by including an additional paragraph disclosing
such omissions.

Page 281 of 350

 ● This paragraph should state that if the disclosures were included, they might influence the user’s
conclusions, and should indicate that the financial statements are not designed for those who are
uninformed about the omitted disclosures.
■ In the accountant’s professional judgment, the financial statements would not be misleading.
(A sample report over this subject is given in the lecture, if needed)

● Departures From the Applicable Financial Reporting Framework

○ Departures should:
■ Be disclosed in a separate paragraph of the report.

■ Include disclosure of the effects of the departure on the financial statements (if known).
○ If the accountant believes that disclosure in the report would not be adequate to indicate the deficiencies
in the financial statements → withdraw and provide no further services to those financial statements.
(A sample report over this subject is given in the lecture, if needed)

● Reporting When Not Independent: Disclosure Required

○ An accountant who is not independent with respect to an entity may compile financial statements for such
an entity and issue a report.
○ The last paragraph of the report should disclose the lack of independence.
○ The accountant is permitted, but not required, to disclose the reason(s) for the independence impairment.
○ If the accountant chooses to disclose the reason, ALL reasons must be included in the disclosure.
○ Typically, a simple line of “I am (we are) not independent with respect to XYZ Company” is sufficient.

● Notes from MCQs

○ If an engagement goes from a review to a compilation → make no reference to the original engagement.
○ It is implied in a standard compilation report that substantially all disclosures required by GAAP are
included in the financial statements.
○ If a client does not disclose the basis of accounting used, such as the cash basis, the accountant should
disclose the basis of accounting used in their compilation report.
○ A client has year 1 financials compiled and had substantially all disclosures omitted. Now, the client wants
year 2 financials compiled, except they want all of the disclosures present for year 2. If the client wants to
present both years' financials in comparative form, the accountant may NOT report on the comparative
financials because of this difference because the two years are not comparable.
○ If an accountant is not independent, they should disclose that in the report.
■ Otherwise, independence is implied.
○ An accountant who has a direct financial interest, no matter how small, is considered an independence
impairment (accountant is not independent).
○ The report on compiled projected financial statements should include a separate paragraph that describes
the limitations on the usefulness of the presented statements.

Page 282 of 350

Page 283 of 350
 M4: Review Engagements
● Review of Financial Statements
○ Issuer/Public Company → Interim reviews allowed
○ Nonissuer/Private Company → Anytime
○ Limited assurance given → Independence required
○ Reviews are a higher level of service than preparation or compilation because it results in an expression of
limited assurance.
○ Review report states that the accountant is NOT aware of any material modifications necessary for the
statements to conform with the applicable reporting framework.
○ Inquiry and analytical procedures provide reasonable basis for conclusions.
○ The accountant is not required to obtain an understanding of internal control or assess control risk.

● Accountant’s Objective and Independence

○ Obtain limited assurance as a basis for reporting whether the accountant is aware of any material
modifications that should be made so that statements are in accordance with the framework.
○ The objective is carried out primarily through inquiries and analytical procedures.
○ The accountant must be independent of the entity when performing a review in accordance with SSARS.

● Review Procedures Should Be Tailored

○ Review procedures should be tailored to the specific engagement.
○ Factors affecting procedures performed:
■ Nature and materiality of financial statement items.

■ The likelihood of misstatement.

■ Knowledge from current and previous engagements.

■ Qualifications of the entity’s accounting personnel.

■ The extent to which an item is affected by management’s judgment.

■ Inadequacies in the entity’s underlying financial data.

● Review Requirements (“U LIAR CPA”)

○ U → Understanding with client should be established (through engagement letter).
○ L → Learn and/or obtain sufficient knowledge of the entity’s business.
○ I → Inquiries should be addressed to appropriate individuals.
○ A → Analytical procedures should be performed.
○ R → Review other procedures that should be performed.
○ C → Client representation letter should be obtained from management.
○ P → Professional judgment should be used to evaluate results.
○ A → Accountant (CPA) should communicate results.

● Review Requirements: Understanding

Page 284 of 350
 ○ Understanding with client should be established through engagement letter, and should include:
○ Objectives of the engagement.
○ Management's responsibilities
○ Accountant’s responsibilities
○ Limitations of the engagement.
■ A review is substantially less in scope than an audit.

■ The accountant will not express an opinion on the financial statements.

○ Identification of the applicable financial reporting framework.
○ The expected form and content of the accountant’s review report.
(A sample engagement letter is given in the lecture if needed)

● Review Requirements: Learn

○ Learn and/or obtain sufficient knowledge of the entity’s business.
○ Be familiar with the accounting principles common in the client’s industry.
○ Lack of experience in an industry does not prevent acceptance of an engagement, but the accountant is
required to obtain appropriate knowledge.
■ Reading, professional education, seeking assistance of a specialist, etc.
○ Understand the client’s business and the accounting principles used by the client specifically.
○ Study client’s operating characters.
■ Nature of assets, liabilities, equity, revenues, and expenses.
○ The accountant is NOT required to:
1. Test internal control.
2. Perform audit tests
3. Assess fraud risk
● However, if you become aware of fraud or noncompliance:
○ Consider the effect on the review report; and
○ Request management to consider the effect on the financial statements.
4. Communicate with the predecessor accountant.
● The successor may decide to communicate with the predecessor regarding acceptance of the
engagement and matters of continuing accounting significance.
○ Design the analytical procedures and the inquiries of management based on:
1. The accountant’s understanding of the industry;
2. Accountant’s knowledge of the client; and
3. Risk that the accountant may unknowingly fail to modify the account’s review report on financial
statements that are materially misstated.
○ Determine materiality for the financial statements as a whole.
■ Judge each client based on the respective materiality of each client.

Page 285 of 350

● Review Requirements: Inquiries
○ Inquiries should be addressed to appropriate individuals.
○ The accountant should inquire with members of management with financial statements and accounting
responsibilities.
○ The accountant is generally not required to support management’s responses with other evidence.
■ If responses don’t sound logical, auditors will want to investigate further (“Smell Test”).
○ Inquiries should cover the following:
■ Accounting principles and practices used, and the method of applying them.

■ Procedures for recording, classifying, and summarizing transactions, and for accumulating information
for disclosures.
■ Whether the financials have been prepared and fairly presented with the applicable framework.

■ Whether there have been changes in the entity’s business activities or accounting principles/practices.

■ Matters as to which questions have arisen during the review.

■ Material subsequent events.

■ Significant transactions occurring or recognized during the period, particularly those near the end of
the period.
■ The status of uncorrected misstatements from previous engagements.

■ Material fraud or suspected fraud or noncompliance.

■ Significant journal entries and adjustments.

■ Communications from regulatory agencies.

■ Litigation, claims, and assessments.

■ Actions authorized by stockholders, board of directors, or other management groups.

■ The entity’s ability to continue as a going concern, and management’s plans to mitigate, if applicable.

■ Identification of related parties and related party transactions, and their purpose.

■ Whether there are significant, unusual, or complex transactions, events, or matters that have affected
or may affect the financial statements.
■ Material commitments, contractual obligations, or contingencies, including disclosures.

■ Material nonmonetary transactions or transactions for no consideration in the financial reporting

period under consideration.

● Review Requirements: Analytical Procedures

Page 286 of 350

 ○ Analytical procedures should be performed.
○ Developing an expectation and comparing recorded amounts or ratios based on recorded amounts to that
expectation.
○ Detecting relationships and individual items that appear to be unusual and may indicate material
misstatements.
○ Analytical procedures consist of comparing:
■ Current financial statements with prior period financial statements, or current ratios with prior ratios.

■ Actual financial statements with budgets or forecasts, if available.

■ Financial information with relevant nonfinancial information.

■ Entity’s ratios and indicators with those of other entities in the industry.

■ Relationships among elements in the financials with corresponding prior period relationships.

■ Disaggregated revenue data.

○ Analytical procedures may be performed at the financial statement level or at the detailed account level.
○ If results are inconsistent with other relevant information or differ significantly from expected values, the
accountant should investigate the differences by inquiries and other procedures necessary.

● Review Requirements: Review

○ Review other procedures that should be performed.
○ Read the financial statements for conformity with the applicable reporting framework.
○ Obtain reports from other accountants who have been engaged to audit or review significant components
of the reporting entity.
○ Obtain evidence that the financial statements agree or reconcile with accounting records.
○ Remain alert for arrangement or information that may indicate the existence of related party relationships
or transactions that management had not previously disclosed.
○ Evaluate the adequacy of any work performed by other accountants or experts.
○ Consider whether the going concern basis of accounting is appropriate, determine whether any substantial
doubt exists, and assess management’s plans to alleviate any doubt.
○ Design and perform additional procedures to conclude whether the matter causes the financial statements
as a whole to be materially misstated, if the accountant becomes aware of a matter that may cause this.
○ If the accountant becomes aware of information that is incorrect, incomplete, or otherwise unsatisfactory:
■ Request that management consider the effect on those matters on the financial statements.

■ Consider management's assessment of the matter and determine the effect, if any, on the report.

● Review Requirements: Client Representation

○ Client representation letter should be obtained from management.
○ The accountant is required to obtain a representation letter from management for all financial statements
and periods covered by the review report.
○ The letter should be:
Page 287 of 350
 ■ Dated on the accountant’s report date;

■ Addressed to the accountant; and

■ Signed by the responsible members of management (generally the CEO and CFO).
○ Management’s failure to provide a representation letter results in an incomplete review.
○ Representation letter should include:
■ Management fulfilled all its responsibilities to prepare the financial statements in accordance with the
applicable framework.
■ Management acknowledges its responsibility for designing, implementing, and maintaining internal
control.
■ Management has provided all relevant information and access.

■ Management has responded fully and truthfully to all inquiries.

■ All transactions have been recorded and are reflected in the financial statements.

■ Management has disclosed its knowledge of any fraud that could have a material effect.

■ Management has disclosed its knowledge of any allegations or suspected fraud.

■ Management has disclosed any actual or possible instances of noncompliance with laws.

■ Management has disclosed whether it believes that the effects of uncorrected misstatements are
immaterial.
● SOAP (Summary of Adjustments Passed)

■ Management has disclosed all known or possible litigation.

■ Management has disclosed whether it believes that significant assumptions used are reasonable.

■ Management has disclosed the identity of the entity’s related parties and their transactions.

■ All events subsequent to the date of the financial statements that require adjustments or disclosures
have been adjusted or disclosed.
■ Management has disclosed all information relevant to the use of the going concern assumption.

■ Management has disclosed additional representations related to matters specific to the entity’s
business or industry.
○ If management does not provide written representations, or if the accountant concludes that there is cause
to doubt the written representations:
■ Discuss the matter with management and those charged with governance, as appropriate.
○ If the accountant continues to doubt management’s integrity → withdraw.

Page 288 of 350

● Review Requirements: Professional Judgment
○ Professional judgment should be used to evaluate results.
○ Accountants must be able to perform all necessary procedures.
○ Not completing such procedures would make the review incomplete.
○ Incomplete reviews prevent the issuance of a review report.
○ Accountants should consider whether circumstances also prevent issuing a compilation report.
■ Ex) client is withholding records to conceal fraud → compilation wouldn’t work either.
○ Review engagement documentation:
■ Provides support for the representation by an accountant using SSARS.

■ Should be sufficient to provide a clear understanding of the work performed, including:

● Nature, extent, and timing of review procedures performed.

● Review evidence obtained and its source.

● Engagement conclusions.
○ The accountant should document:
■ Who performed the review procedures.

■ The date the work was completed.

■ Who reviewed the work performed for quality control, and the date and extent of the review.
○ Documentation should also include:
■ The engagement letter.

■ Significant matters, actions taken, and the basis for conclusions reached.

■ Matters about which the accountant has made inquiry and responses thereto.

■ Communications with management regarding the accountant’s expectations to include an emphasis-of-

matter or other-matter paragraph in the review report.
■ Communications with management regarding significant matters arising during the review.

■ If information was identified that was inconsistent with findings regarding significant matters, how the
inconsistency was addressed.
■ Communications with other accountants who have audited or reviewed significant components.

■ The management representation letter.

■ A copy of the reviewed financial statements and the accountant’s review report.

● Review Requirements: Accountant (CPA) Communicates Results

Page 289 of 350

○ Accountant should communicate results.
○ The accountant’s report in a review engagement should include:
■ Title → an appropriate title that includes the word “independent”

■ Addressee → the report should be addressed based on the circumstances of the engagement.

■ Introductory paragraph:

● Identify the entity.

● State that the financial statements have been reviewed.

● Identify the financial statements.

● Specify the date or period covered by the financial statements.

● Include a statement that a review includes primarily applying analytical procedures and inquiries.

● Include a statement that a review is less in scope than an audit, and no opinion is expressed.

■ Management’s Responsibility paragraph → state that management is responsible for:

● Preparation and fair presentation of the financial statements.

● Design, implementation, and maintenance of internal control.

■ Accountant’s Responsibility paragraph → state that:

● The accountant’s responsibility is to conduct the review in accordance with SSARS.

● The standards require the accountant to perform procedures to obtain limited assurance as a
basis for reporting whether the accountant is aware of any material modifications.
● The accountant believes that the results of their procedures provide a reasonable basis for their
conclusion.
● The accountant is required to be independent of the entity.

■ Accountant’s Conclusion paragraph:

● Provide limited assurance → no material modifications necessary.

● If the accountant issues a modified conclusion → include a paragraph with description of the
matters giving rise to the modification.
■ Signature of the accountant.

■ City and State → can be indicated on the letterhead rather than below the signature of the accountant.

■ Date of the Accountant’s Report → the date sufficient appropriate review evidence was obtained as the
basis for the conclusion.
Page 290 of 350
 ■ Each page of the statements should be marked, “See Independent Accountant’s Review Report.”

● Notes from MCQs

○ Written documentation from other types of engagements (such as a compilation) may be used to provide
support for the review report.
○ Ratio analysis → often used to examine relationships between balance sheet accounts.
○ Trend analysis → often used to examine income statement accounts.
○

Page 291 of 350

 M5: Review Reports
● Reports on Review Engagements
○ An accountant must be independent of the client to issue a review report.
○ If the accountant determines that independence is impaired → withdraw.
○ The financial statements as a whole could be considered when determining whether any modification to
the conclusion in the report is appropriate.
○ The accountant's duties when evaluating financial statements include:
■ Evaluate if financial statements adequately refer to or describe the reporting framework.

■ Consider whether terminology used, such as titles, are appropriate.

■ Consider whether the significant accounting policies were adequately disclosed and consistent with the
framework.
■ Ensure the accounting estimates made are reasonable.

■ Consider whether the information presented is relevant, reliable, comparable, and understandable.

■ Consider the adequacy of disclosures.

■ Consider the impact of uncorrected misstatements and qualitative aspects of accounting practices.

● SOAP → Summary of Adjustments Passed

■ Consider the overall presentation, structure, and content of the financial statements.

● Unmodified Conclusion vs. Modified Conclusion

○ Unmodified → nothing has come to the accountant’s attention to believe that the financial statements are
not prepared in accordance with the applicable framework.
○ Modified → the accountant determines that the financial statements are materially misstated based on
procedures performed and review evidence obtained.
■ Qualified → there is a material misstatement that is NOT pervasive.

● Include a description of the matter giving rise to the modification.

■ Adverse → there is a misstatement that is BOTH material and pervasive.

● Include a description of the matter giving rise to the modification.

● Expressing a Qualified/Adverse Conclusion

○ When the accountant determines that the qualified conclusion is appropriate, the accountant should
modify the review report to include:
■ A description of the matter giving rise to the modification, under the heading, “Basis for Qualified
Conclusion.”
■ A conclusion section with the heading, “Qualified Conclusion”.
Page 292 of 350
 ○ When the accountant determines that an adverse conclusion is appropriate, the accountant should modify
the review report to include:
■ A description of the matter giving rise to the modification, under the heading, “Basis for Adverse
Conclusion.”
■ A conclusion section with the heading, “Adverse Conclusion”.

(A sample report is given for each of unmodified, qualified, and adverse conclusions in the lecture, if needed)

● Emphasis-of-Matter Paragraph and Other-Matter Paragraphs

○ In certain circumstances, the accountant is required to include an emphasis-of-matter or other-matter
paragraph in the review report.
○ Such examples include:
■ When management revises financial statements for a subsequently discovered fact that differs from
the original review report.
■ When financial statements are prepared in accordance with a special purpose framework.

■ With respect to a changed reference to a departure from the applicable framework when reporting on
comparative financial statements.
■ When reporting on comparative financial statements when the prior period is audited.

■ When the accountant concludes that substantial doubt about an entity’s ability to continue as a going
concern for a reasonable time remains.
● The entity is headed towards bankruptcy → Full accrual method

● The entity is a going concern, and you cannot use GAAP method → Liquidation method

■ WIth respect to supplementary information that accompanies the reviewed financial statements and
the review report.
■ With respect to required supplementary information.
○ Emphasis-of-matter paragraphs may also be added for:
■ Uncertainties

■ Inconsistencies
○ Emphasis-of-matter paragraphs may also be used to emphasize any matter already disclosed in the
financial statements, such as:
■ Subsequent events

■ Significant related party transactions

■ Changes in accounting principle

Page 293 of 350

 ○ Emphasis-of-matter paragraphs draw users’ attention to a matter appropriately presented or disclosed in
the financial statements.
○ The emphasis-of-matter paragraph should include the paragraph within a separate section of the report
with the heading “Emphasis-of-Matter” or another appropriate heading.
○ The accountant should communicate with management the inclusion of either of these types of paragraphs
in the report to eliminate potential issues.
○ Some emphasis-of-matter paragraphs that may be included at the discretion of the accountant include:
■ Important litigation or regulatory action

■ Major catastrophes

■ Significant related party transactions

■ Unusually important subsequent events.

● Reporting on Financial Statements that are Prepared in Accordance with a Special Purpose Framework
○ A review report prepared in accordance with a special purpose framework could be:
■ Cash basis, Tax basis, Contractual basis, Regulatory Basis
○ Make reference to management’s responsibility for determining the applicable reporting framework.
○ Include an emphasis-of-matter paragraph that:
■ Indicates that the financial statements are prepared in accordance with the applicable framework;

■ Refers to the note in the financial statements that describes the framework;

■ States that the special purpose framework is a basis other than GAAP.
○ If prepared using the regulatory or contractual basis:
■ Include a description of the purpose or refer to the appropriate note in the financial statements.

■ Include an other-matter paragraph restricting the use of the accountant’s review report.
○ The accountant should modify the review report when the accountant becomes aware that the financial
statements do NOT include:
■ A description of the special purpose framework.

■ A summary of significant accounting policies.

■ An adequate description about how the special purpose framework differs from GAAP, the effects of
which need not be quantified.
■ Informative disclosures similar to those required by GAAP when the financial statements contain items
that are the same as, or similar to, those in financial statements prepared in accordance with GAAP.

● Reference to the Work of Other Accountants in an Accountant’s Review Report

Page 294 of 350

 ○ If the accountant of the reporting entity decides NOT to assume responsibility for the audit or review
performed by other accountants:
■ The accountant may make reference to any or all other accountants who audited or reviewed
significant components, as long as the other accountant’s report is not restricted.
○ The decision is solely at the discretion and judgment of the accounting of the reporting entity.
○ Reference to the other accountants would occur in the accountant’s responsibility paragraph and should
indicate the portion of the financial statements audited or reviewed by other accountants.

● Consideration of an Entity’s Ability to Continue as a Going Concern

○ The auditor should perform review procedures related to going concern if:
■ The applicable reporting framework requires management to evaluate their ability to continue as a
going concern; or
■ If the accountant becomes aware of conditions that raise substantial doubt about the entity’s ability to
continue as a going concern.
○ Procedures performed should include:
■ Determining whether the going concern basis of accounting is appropriate.

■ Reviewing management's evaluation of going concern.

■ Inquiring about management’s plan to mitigate those matters.

■ Determining the adequacy of those disclosures.

○ If after considering conditions or events that raise substantial doubt and considering management’s plans,
the accountant concludes that:
■ Going concern is alleviated → accountant may, but not required to, include an emphasis-of-matter
paragraph.
■ Going concern remains → include a separate section in the report with the heading “Substantial Doubt
About the Entity’s Ability to Continue as a Going Concern.”
● Draws attention to the note that discusses the matter and states that the accountant’s conclusion
is not modified with respect to the matter.
○ If the accountant determines that the entity’s disclosures are inadequate → express a qualified or adverse.
○ An accountant may decide to restrict the use of a compilation or review report to certain specified parties.
■ Especially true when using the contractual or regulatory basis.

■ The accountant can’t control the distribution of their report after issuance.

■ The report itself should clearly state that it is intended to be used only by identified parties.

Updating Reports
● Updating the Report

Page 295 of 350

 ○ When reporting on all periods presented:
■ Update the report on one or more prior periods presented on a comparative basis with those of the
current period.
■ Consider information that the accountant has become aware of during the engagement for the current
period financial statements.
■ Consider the effects of the accountant’s report if circumstances or events come to the accountant's
attention that may affect prior period financial statements presented.

● All Periods Compiled or Reviewed

○ Prior period = Compiled ; Current Period = Compiled
○ Prior period = Reviewed ; Current Period = Reviewed
○ Update the report on the prior period and issue it as part of the current report.

● Current Period Reviewed and Prior Period Compiled

○ Prior period = Compiled ; Current period = Reviewed
○ Therefore, the accountant has moved to a higher-level service (compilation to a review).
○ Update the report on the prior period(s) and issue as the last paragraph of the current period’s report.

● Current Period Compiled and Prior Period Reviewed

○ Prior period = Reviewed ; Current period = Compiled
○ Therefore, the accountant has moved to a lower-level service (review to a compilation).
○ Option 1 → Issue a compilation report and add a paragraph to the report that:
■ Describe the responsibility assumed for the prior period statements.

■ Include the date of the original report.

■ State that no review procedures were performed after the date of the review report.
○ Option 2 → Reissue the prior period review report, which may be combined or separate with current report.
■ If combined → state that no review procedures were performed after the review report date.

● Current Period Prepared and Prior Period Compiled or Reviewed

○ Prior period = Compiled or Reviewed ; Current Period = Prepared
○ Therefore, the accountant has moved to a lower-level service.
○ There is no requirement to reference the prior period.

● Columnar Form
○ When both the prior period and current period financials are presented in columnar form.
○ Advise the client to include a clear indication when financial statements that have not been audited,
reviewed, or compiled are presented in columnar form with financial statements that have been compiled.

Page 296 of 350

 ■ Ensure the user does not inappropriately extend the accountant’s compilation report to such financial
statements.

● Omission of Required Disclosures

○ While compiling financial statements, management may decide to not include some disclosures.
○ Compiled financial statements that omit disclosures required by GAAP are not comparable to financial
statements including such disclosures.
○ The accountant should not issue a report on comparative financial statements when the statements for
one or more, but not all, of the periods presented omit substantially all of the disclosures required by
GAAP.

● Information Affecting Previous Reports: Discovered Subsequent Events and Other-Matter Paragraph
○ If the accountant becomes aware of information that would affect the report on prior periods:
■ A previous modification (qualified/adverse) may no longer be necessary.

■ A new modification (unmodified changed to qualified/adverse) may be required.

○ If the accountant becomes aware of information that would affect the report on prior periods:
■ Add an other-matter paragraph to the prior period report that states:
1. The date of the original report;
2. That the statements of the prior period have been changed, if applicable, and
3. The reason for the change in the original report.
○ Fundamental inclusions in the other-matter paragraph (“Only DORCS change their mind”):
■ Date of original report

■ Original conclusion

■ Reason for change

■ Changes that occurred

■ Statement about the change

● Predecessor Accountant’s Compilation or Review Report Reissued Unchanged

○ Predecessor accountants are not required to reissue their report on prior periods.
○ If the predecessor accountants decide to reissue their report, they should decide if their report is still
appropriate:
■ Considering the current presentation of statements for the prior period;

■ Based on subsequent events; and

■ In light of required modifications that may be necessary in the report.

○ If the predecessor auditor decides to reissue the report, they should:

Page 297 of 350

 ■ Read the statements and report of the current period;

■ Compare the prior period statements with those issued previously and currently; and

■ Obtain a letter from the successor auditor stating that they (the successor) are not aware of any
relevant information that might have a material effect on the prior period statements.
○ If the predecessor accountants become aware of information that may affect the financial statements or
their report, they should:
■ Perform the same procedures they would have performed during the previous engagement; and

■ Perform any additional procedures they deem necessary.

○ In summary, whenever a predecessor accountant is asked to reissue their prior report (audit, review, or
compilation), they should read the financial statements and obtain a representation letter from the new
accountant.

● Predecessor’s Report Not Reissued

○ When the prior period financial statements have been subject to a compilation and/or review by a
predecessor accountant and the predecessor’s report is not presented:
■ The successor is not required to make reference to the compilation or review report.

■ The successor may make reference to the report of the predecessor in the current report or perform
that level of service themselves.
○ In making reference to the predecessor accountant’s report, the successor accountants may expand the
report by including an additional paragraph including:
■ A statement that the prior periods were compiled or reviewed by other accountants;

■ The date of their report; and

■ A description of any modifications contained in the report.

○ Predecessors report = compiled:
■ The additional paragraph should state the other accountants:

● Did not audit or review the financial statements;and

● Did not express an opinion or provide assurance.

○ Predecessors report = reviewed:
■ The additional paragraph should state the other accountants:

● Are not aware of any material modifications that should be made, other than those in the report.

● Restated Prior Period Financial Statements

○ Option 1 → Predecessor OR successor accountant may report on changed prior period financial statements,
as restated.
Page 298 of 350
 ○ Option 2 → The successor accounting may report only on the restatement adjustment, while indicating a
predecessor accountant report on the prior period financial statements before restatement.

● Reporting When One Period is Audited

○ Prior period = Unaudited ; Current period = Audited
○ When unaudited financial statements are presented in comparative form with audited financial
statements, the unaudited financial statements should be clearly marked and the accountant should either:
1. Reissue the prior period report; or
2. Include an other-matter paragraph in the current report describing the responsibility assumed for
the prior period statements.

● Current Period Unaudited and Prior Period Audited

○ Prior period = Audited ; Current period = Unaudited
○ Therefore, the accountant has moved to a lower-level service.
○ When the prior period has been audited, the accountant should issue the current period compilation or
review report, and add an other-matter paragraph, which should indicate:
■ That prior period statements were audited;

■ The date of the previous report(s);

■ The opinions expressed, and, if other than unmodified, the reasons for modification; and

■ That no auditing procedures have been performed since the previous report date.

● Current Period Audited and Prior Period Unaudited

○ Prior period = Unaudited ; Current Period = Audited
○ Therefore, the accountant has moved to a higher-level service.
○ When the current period statements are audited, the auditor should include an other-matter paragraph in
the auditor’s report that includes:
■ The service (review or compilation) performed in the prior period;

■ The date of the prior period report;

■ A description of any material modifications described in the report; and

■ A statement that the services was less in scope than an audit and did not provide an opinion.
○ If unaudited financial statements are presented in comparative form with audited financial statements in
documents filed with the SEC, such statements:
■ Should be marked “unaudited”; and

■ Should not be referred to in the auditor’s report.

(The statements need not be withheld until audited.)

Page 299 of 350

●

○ Pink → Applies to each of Preparation, Compilation, and Review.

○ Pink + Brown → Applies to compilations.
○ Pink + Brown + Blue → Applies to reviews.

● Notes from MCQs

○ Other-matter paragraph → used to communicate a matter NOT presented or disclosed in the financial
statements.
○ Emphasis-of-matter paragraph → used to communicate a matter that IS presented or disclosed.

Page 300 of 350

 M6: Interim Reviews
● Interim Period
○ Does not include year-end (for example, December 31).
○ May be other periods, such as quarterly:
■ January 1 to March 31

■ April 1 to June 30

■ July 1 to September 31
○ Interim review:
■ Mandatory for filing with the SEC → quarterly review of financial statements of publicly traded
companies.
■ Required by lenders (loan officers or investors) → quarterly review of financial statements (more than a
compilation) of private companies.
○ Interim financial information presentation:
■ Condensed information → period less than a full year.

● Ex) July 1 to September 31

■ Complete financial statements → rolling 12 months.

● Period ending on a date other than the entity’s fiscal year-end.

● Ex) July 1 to June 31

○ Interim reviews may be conducted for a fiscal term or a rolling 12-month period.

● Applicability: Nonissuers
○ Auditing for prior-year or for current year-end → use SAS for review.
■ Exception → if the auditor conducts interim reviews quarterly WITHOUT an audit → follow SSARS.
○ The same financial reporting framework used in annual financials should be used in interim.
■ Ex) accrual method used in annual → accrual method should be used for interim.
○ The interim financial information should be condensed and conform with an appropriate reporting
framework.
○ The explanatory note should indicate the information does not represent complete financial statements,
and that interim information should be read in conjunction with the latest annual report.

● Applicability: Issuers
○ PCAOB standards should be followed for publicly traded companies.
○ The SEC requires certain entities to:
■ File quarterly reports; or

Page 301 of 350

 ■ Include selected quarterly financial data in their annual reports or in other SEC filings.
○ Review of interim financial information is required for an auditor performing an initial audit of financial
statements that include selected quarterly data.
○ Written report:
■ Not required → auditing standards do not require a written report on review of interim information.

■ Required → if a client states that an auditor has reviewed interim information, then the auditor must
include a written report.

● Procedures (“U LIAR CPA”)

○ U → Understanding with the client established (using an engagement letter).
○ L → Learn and/or obtain sufficient understanding of the entity, its environment, including internal control.
■ Internal control is new for interim reviews (see M4 mnemonic).
○ I → Inquiries should be addressed to appropriate individuals.
○ A → Analytical procedures should be performed.
○ R → Review - other procedures should be performed.
○ C → Client representation letter should be obtained from management.
○ P → Professional judgment should be used to evaluate results.
○ A → Auditor (CPA) should communicate results.

● Understanding With Client (Engagement Letter)

○ Pre-acceptance procedures…
○ Determine whether the financial reporting framework used to prepare interim information is acceptable.
○ Obtain the agreement of management that it acknowledges and understands their responsibility for:
■ Preparation and presentation of interim information;

■ The design, implementation, and maintenance of internal control;

■ Providing the auditor with access to the information and persons needed to complete the review; and

■ Including the auditor’s report in a document containing interim financial information indicating that the
information has been reviewed by the entity's auditor.
○ Provides an understanding regarding the services.
○ Should include the objectives of the engagement.
○ Should include the scope of the engagement:
■ Make inquiries

■ Perform analytical procedures → to provide limited assurance.

○ Management’s Responsibilities:
■ Essentially the same as annual financial statements.

Page 302 of 350

 ■ Responsible for financial statements and internal control.
○ Auditor’s Responsibilities:
■ Comply with SAS for a private company; or

■ Comply with PCAOB for a public company.

○ Limitations of the Engagement:
■ Does not provide reasonable assurance on the financial information.

■ Is not designed to provide assurance regarding internal controls.

■ Note → communicate events of significant deficiencies or material weaknesses in internal controls.

○ Financial Reporting Framework:
■ Identification of the reporting framework in the letter eliminates potential misunderstandings.

● Learn and/or Obtain an Understanding

○ Determine the types of material misstatements that may occur to focus inquiries and analytical procedures
on the appropriate areas. →
○ Evaluate the likelihood that such misstatements will occur. →
○ Select appropriate inquiries and analytical procedures to ensure misstatements have not occurred.
○ The auditor should:
■ Read the documents of prior audits or reviews.

■ Read the most recent annual financial information.

■ Consider the results of any audit procedures performed previously on the current year financials.

■ Make inquiries of management regarding changes in business activities or internal control.

● Ex) think of the changes that might’ve occurred during COVID.

■ Make inquiries regarding the identity of and transactions with related parties.
○ To obtain knowledge:
■ In an initial review, make inquiries of the predecessor auditor and review their documentation (if
permitted).
■ Perform procedures to obtain knowledge if the auditor did not audit the most recent financial
statements.
○ Internal controls over interim financial information may differ from internal controls over annual statements.
■ Significant deficiencies in internal control or scope limitations may make it impractical for the auditor
to perform a review.

● Inquiries Should Be Addressed to Appropriate Individuals

Page 303 of 350
○ Inquiries should be directed to members of management regarding:
■ Whether the interim information was prepared in conformity with the reporting framework.

■ Unusual or complex situations affecting the interim information.

● For complex journal entries → exercise professional skepticism.

● Ask questions and seek clarification.

● Make notes.

■ Significant transactions → near the end of the period.

● End of the period is the most common timing for fraudulent entries to be posted.

■ Status of uncorrected misstatements from previous audits/reviews.

● “SOAP” → Summary of Adjustments Passed

■ Subsequent events.

■ Fraud, suspected fraud, or allegations of fraud.

■ Significant journal entries and adjustments.

● Entries out of the norm

● Entries with large amounts.

■ Communications from regulatory agencies (SEC or IRS).

■ Significant deficiencies and material weaknesses in internal control.

■ Changes in related parties or significant new related party transactions.

■ The entity's ability to continue as a going concern (if applicable, management plans to mitigate).

■ Questionable matters noted during other review procedures.

○ Inquiry may be appropriate with the entity’s lawyer(s).
○ Inquiry of outside attorneys if they do not have internal lawyers and the auditor is aware of litigation.
■ Informed by management.

■ Obtained from reading Board of Directors meeting minutes.

○ Although the review of interim information is not designed to provide assurance, if conditions or events
raise substantial doubt, make inquiries about going concern.
■ Review appropriate meeting minutes.

■ Inquire with management about how they’ve responded.

Page 304 of 350

 ■ Consider the adequacy of the disclosures that management has incorporated into the notes.

● Analytical Procedures Should be Performed

○ Accountant creates their own expectation, then computes results, and compares.
○ Observe trends → compare to previous reports or industry standards → observe ratios.
○ Determine expectations → achieve results → compare results to expectations.
■ If expectations do not reconcile with results → make inquiries.
○ Analytical procedures are performed to provide a basis for inquiries → unusual outcomes will result in
more inquiries.
○ Comparisons may be done between:
■ Current financial ratios to last quarter’s financial ratios.

● Ex) Q2 vs Q1 or Q2 Y2 vs Q2 Y1

■ Actual to budget.

■ Financial to nonfinancial.

■ Ratio benchmarks to industry standards → evaluates performance.

● Review: Other Procedures

○ Read minutes of stockholders meetings, directors’ meetings, etc.
○ Obtain reports from any auditors engaged to review any other division or subsidiary of the entity.
○ Obtain evidence that the interim information reconciles with the accounting records.
■ Verify the existence of support for the presented numbers.
○ Read the interim financial information for conformity with the reporting framework.
○ Read other supplemental information to ensure there are no inconsistencies with the financial statements.
○ Extend review procedures to resolve any outstanding questions.
○ Note → review procedures may be performed before or simultaneously with the entity’s preparation of the
interim financial statements.

● Client Written Representation Letter

○ Obtain a written representation letter from management.
○ Ensure management understands its responsibilities related to the financial information, its completeness,
recognition, measurement, disclosure, subsequent events, internal control, etc.
○ If management refuses to provide the client written representation letter, the auditor should:
■ Discuss the matter with management and those charged with governance.

■ Reevaluate the integrity of management.

■ Consider whether to withdraw from the review engagement.

○ The auditor should not be associated with false, fraudulent, deceptive, or misleading information.
Page 305 of 350
● Professional Judgment to Evaluate Results
○ Are there misstatements? → The auditor should:
■ Determine to what extent misstatements should be accumulated (“SOAP”).

■ Assess whether there are adequate disclosures.

○ If the auditor is unable to perform necessary procedures or management does not provide appropriate
representations (both are scope limitations):
■ No review report should be issued.

■ The auditor should communicate such matters to management and those charged with governance.
○ If the auditor can work around the limitations, then no discussion in the report of scope limitation is
necessary.

● Auditor Communicates Results

○ Prompt communication to management is required if the auditor believes material modifications should be
made to the interim information for it to be in accordance with the applicable reporting framework.
○ Issuer issues interim information before review is done → report to those charged with governance.
○ Nonissuer issues interim information before review is done → report to those charged with governance.
○ If management does not respond appropriately to such communications, the auditor should:
■ Inform those charged with governance;

■ Consider resigning; or

■ Consult with legal counsel.

○ Communications are required with respect to:
■ Fraud and noncompliance with laws and regulations.

■ Significant deficiencies or material weaknesses in internal control.

○ Auditor cannot complete the review? → communicate to those charged with governance the following:
1. The reason the review cannot be completed;
2. That an incomplete review does not provide a basis for reporting and the auditor is prevented from
issuing a review report; and
○ An auditor can issue or help prepare a compilation report for privately held companies, but
not for a publicly traded one.
3. Any material modifications.
○ Communications with those charged with governance should always be made on a timely
basis and be made before the entity files its interim information with a regulatory agency or
as soon as practicable.

○ Departures from the applicable reporting framework (such as GAAP)? → modify the report as:

Page 306 of 350

 ■ Modified → departure is material and NOT pervasive.

■ Adverse → departure is material and pervasive.

■ Auditor should include:

● A description of the departure;

● Describe the effects if they can be determined; and

● If it was an inadequate disclosure, include the necessary information, if practicable.

■ Modified conclusion would read:

● “Based on our review, with the exception of the matter described in the following paragraph(s),
we are not aware of any material modifications…”
■ If the auditor believes that modification of the review report is not sufficient to address the
deficiencies, the auditor should withdraw.

○ What if the auditor determines there is a going concern?

■ Nonissuers → auditor should include a separate section in the auditor’s review report regarding the
going concern when a going concern section was:
● Included in the prior years report and the conditions that caused substantial doubt still exist with
no plans to alleviate; or
● Not included in the prior year’s report and management has included a statement that substantial
doubt exists in its financial statements.
■ Issuers → auditor is not required to include an explanatory paragraph as long as disclosure about the
going concern is adequate.
■ Both Nonissuers and Issuers → if the auditor determines that the disclosure related to substantial
doubt is inadequate, resulting in a departure from the applicable reporting framework, the auditor
should modify the report.

(An example report is given for both nonissuers and issuers in the lecture if needed)

● Other Uses of Interim Financial Information

○ Accompanying Audited Financial Statements
■ Normally, there is no need to refer to the review in the audit report because interim information is not
a required part of the financial statements.
■ Modifications to the audit report are necessary in the following circumstances:

Page 307 of 350

 ● When interim information included in a note to the financial statements is not marked
“unaudited,” the auditor would disclaim an opinion on the interim information.
● When interim financial information accompanies the audited financial statements, the auditor
should include an other-matter paragraph in the auditor’s report when ANY of the following
conditions exist:
○ The reviewed interim information is included in a document containing the audited financial
statements.
○ The interim information accompanying the audited financial statements does not appear to
be presented in accordance with the applicable reporting framework.
○ The auditor’s separate review report that refers to the departure from the applicable
reporting framework is not presented with the interim financial information.
■ For issuers, when quarterly information required by the SEC has not been reviewed:

● An explanatory paragraph with an appropriate heading should be added to the auditor’s report
indicating that the auditor was unable to review such information.
■ For issuers, when quarterly information required by the SEC is omitted:

● An explanatory paragraph should be added to the auditor’s report indicating that the company
has not presented such information.

○ Interim Financial Information Presented in a Registration Statement

■ The Securities Act of 1933 imposes certain responsibilities on an auditor who prepares a report that is
used in connection with a registration statement.
■ If the report on interim information is presented (or incorporated by reference) in a registration
statement:
● A prospectus that includes a statement about the independent auditor’s involvement should
clarify that the report is not considered to be a report or part of the registration statement within
this context.
■ If interim financial information is reviewed:

● Use of name is okay and should be marked “unaudited.”

● Summary of Engagements

Page 308 of 350

U LIAR CPA

Page 309 of 350

● The auditor should withdraw if the statements are found to be:
○ False, Fraudulent, Deceptive, or Misleading.

● Notes from MCQs

○ If a review report on interim financial information is presented in a registration statement, the prospectus
should include a statement that the report is not a “report” or “part” of the registration statement.
■ Accountants should also read the other portions of the registration statement to ensure their name is
not used in a way that indicates greater responsibility than they intended.
○

Page 310 of 350

 M7: The AICPA Code of Professional Conduct
● Overview
○ The AICPA’s Code of Professional Conduct governs any service that a member of the AICPA performs, and
those services include:
■ Audits

■ Special reports

■ Compilations

■ Reviews

■ Services performed on financial forecasts and projections

■ Attestation engagements
○ A professional code of conduct is a distinguishing mark of a profession that accepts a high degree of
responsibility toward the public.
○ Terms to enhance clarity of interpretations and definitions:
■ Consider → used when the member is required to think about several matters.

■ Evaluate → used when the member must assess and weigh the significance of a matter.

■ Determine → used when the member has to come to a conclusion and make a decision on a matter.
○ The code of professional conduct has three sections:
1. Members in public practice (1.XXX)
● Covered member

● Immediate family → think of it as anyone who lives under your roof.

● Close relatives
2. Members in business (2.XXX)
● Ex) fortune 500 company or a mom-and-pop shop.
3. Other members (3.XXX)
● Ex) People between jobs or voluntarily retired.

● Principles
○ These provide the framework that is the basis for the code of conduct.

○ Responsibilities
■ Exercise sensitive professional judgment.

■ Exercise moral judgment.

Page 311 of 350

○ Public Interest
■ Serve the public interest.

■ Honor the public trust.

■ Never subordinate trust for personal gain or advantage.

○ Integrity
■ Act with the highest sense of integrity
○ Objectivity and Independence
■ Maintain objectivity.
○ Due Care
■ Improve services every year.

■ Progress with education and experience.

■ Strive to improve competencies and the quality of services.

■ Avoid negligence.
○ Scope and Nature of Services
■ Exhibit the professional competency to do the job.

■ Meet the standards of the profession.

○ Whether in public (#1) or in corporate (#2):

■ Maintain both integrity and objectivity.

■ Be free from conflicts of interest

○ If in public accounting (#1):
■ Independence required has two functions:

● Independence in fact; and

● Independence in appearance.

■ Independence in appearance → a reasonably prudent business person who is aware of all the facts and
circumstances believes that you can still be objective and exercise professional skepticism.
○ All members are required to:
1. Have adequate internal quality control measure to:
● Determine if the member is independent of the client.

● Determine if the client had the integrity for the member to be associated with the client.

Page 312 of 350

 2. Determine whether, for audit clients, conflicts of interest arise due to the scope and nature of
other services.
● Ex) Getting lead from a relative or from a friend or acquaintance.

● A reasonably prudent business person might question whether the member can be objective.
3. Assess whether the firm’s activities are consistent with professionalism.
○ Remember two major items that are ALWAYS applicable:
■ Integrity

■ Objectivity
○ Independence applies while working in public and attest services only.
■ Ex) Audits, special reports, examinations, agreed-upon procedures, reviews.

● The AICPA Code of Professional Conduct: Rules

○ The “rules” portion of the code consists of rules, interpretations, and rulings.
○ Rules that apply to members are based on what type of member they are (#1, #2, or #3).

○ Members in public practice follow part 1 of the code of conduct.

○ Part 1 is divided into three subcategories:
■ Covered members → no direct or material indirect interest in the company allowed.

■ Immediate family → follow the exact same rules as covered members.

■ Close relatives → if you knew or should have known that they:

● Hold a significant interest in the company.

● Have access to accounting records.

● Have the ability to influence management.

● Rules by Type of Member

Page 313 of 350

AICPA Code Rules
● Independence Rule
○ This rule applies only to members in public practice (type #1; e.g. CPA firms).
○ Members in public practice shall be independent in the performance of professional services as required by
standards, assuming they:
■ Are reasonably prudent.

■ Are aware of all facts and circumstances.

■ Maintain objectivity and professional skepticism.

○ Independence is not required for:
■ Compilations → but lack of independence must be disclosed.

■ Non-attestation services → tax services, consulting services.

○ Independence must be maintained by:
■ Covered members

■ Immediate family (spouse or dependents)

■ Close relatives → if you knew or should have known that they:

● Hold a significant interest in the company.

● Have access to accounting records.

● Have the ability to influence management.

Page 314 of 350

 ○ Member must have independence of mind and in appearance.

● Independence Impaired By Financial Interests

○ Independence is impaired if:
■ A covered member has a direct interest in an attest client (regardless of materiality).

■ A covered member has a material indirect financial interest.

■ A covered member or their immediate family (spouse or dependent) has a loan to or from a client.

■ Acceptance of more than a token gift.

● Ex) client gifts you a pen set → that's probably ok.

● Ex) client gifts you a Ferrari → you’re probably impaired.

■ If you knew or should have known that a close relative:

● Hold a significant interest in the company.

● Have access to accounting records.

● Have the ability to influence management.

○ Independence is NOT impaired if a member has the following interests in a financial institution client:
■ A fully collateralized car loan.

■ A cash advance or credit card balances not exceeding $10,000.

■ A bank account that is fully insured by the governance (FDIC).

■ A passbook loan.
○ Direct financial interests are ownership interests held directly in a client, including:
■ Stock ownership, even if owned in a blind trust.

■ The member is involved in a separate partnership as a general partner, and that partnership has a
financial interest in the client (such as owning shares).
■ A financial trust owns shares of the client, and the member is included as a trustee of that trust.
○ An indirect financial interest involves a removed relationship where a member owns:
■ Shares in a mutual fund that invests heavily in an attest client.

■ Direct financial interest in Company A, and Company A has a direct financial interest in the client.

● Independence Impaired by Employment Relationships

○ Independence is impaired if a member:

Page 315 of 350

 ■ Was previously employed by an attest client.

■ Leaves the audit firm for a position with a client (within cool-off period of 1 year).

■ Participates on the engagement team or is in a position to influence the engagement when the
engagement covers any period of former employment with the client.
● Employee of a client leaves the client to work for the CPA firm.

● Employee cannot be on the engagement team that audits that client, or influence the
engagement.
● At that point, it’s almost as if that employee is auditing their own work.

● This is why there is a 1 year cool-off period.

■ Has an immediate family member or close relative employed with a client in a key position.

■ Leaves the firm and is employed by a client in a key position.

● Ex) 16 of the top executives at Enron had previously been managers or partners at the
accounting firm that audited them.
■ Is seeking or discussing employment with a client or has been offered employment.

● Ex) a client manager asks a CPA firm member to come work for them during an audit.

● This is allowable as long as the individual notifies the firm and is removed from the
engagement.

● Independence Impaired by Business Relationships

○ Independence is impaired if a member makes management directions for an attest client.
○ Independence is NOT impaired if a member or firm:
■ Performs non-attest services for a client and does not serve or appear to serve as a member of a
client’s management.
■ Is a member of or an honorary trustee for a not-for-profit charitable, civic, or religious group.

■ Is a member of the same trade association as a client.

● Ex) part of the same country club.

○ Independence IS impaired if a member has ANY of the following business relationships with an attest client:
■ Director, office, employee, or acting in management capacity.

■ Promoter, underwriter, broker-dealer, or voting trustee.

■ Stock transfer or escrow agent.

Page 316 of 350

 ■ General counsel.

■ Trustee for a client’s pension or profit-sharing trust.

● Activities that Impair Independence (“Prohibited Services”)

○ Independence is impaired if a member is involved in any of the following activities with an attest client.
■ Bookkeeping

■ Having custody of a client’s assets

■ Supervising the employees of the client.

■ Setting up or implementing the client’s IT system.

■ Providing appraisal, valuation, or actuarial services.

■ Doing internal audit activities.

■ Handling litigation services.

■ Being an expert witness.

● Other Reasons Independence May Be Impaired

○ Independence is impaired when the payment of member's professional fees is more than one year overdue
from a client.
■ The client is holding the payment and asking for a clean opinion.

■ A member can continue to do the service if the client guarantees in writing to pay the dues for prior
services before the release of the new report.
○ Independence is impaired when there is actual or threatened litigation, regardless of who is the plaintiff
and who is the defendant.
■ Ex) an auditor sues the client for fraud, or the client sues the auditor for audit deficiencies.
○ Independence is NOT impaired by a lawsuit for an immaterial dollar amount for work unrelated to an
attestation service.
■ Ex) a small car fender-bender between an auditor and employee of a client in the parking lot.

● Integrity and Objective Rule

○ This rules applies to both public practice members (#1) and members in business (#2).
○ In the performance of any professional service, a member shall:
■ Maintain objectivity and integrity.

■ Be free of conflicts of interest.

Page 317 of 350

 ■ Not knowingly misrepresent facts or subordinate his or her judgment to others.
○ Conflict of interest may occur if a member and a client have a significant relationship.
○ Services may still be performed if the:
■ Relationship is disclosed.

■ Consent of the client is obtained.

● General Standard Rule

○ This rules applies to both public practice members (#1) and members in business (#2).
○ A member MUST comply with the following standards in all engagements.
○ Professional Competence
■ Undertake only those professional services that you can reasonably be expected to complete with
professional competence.
○ Planning and Supervision
■ Plan and supervise professional services adequately.
○ Sufficient Relevant Data
■ Obtain enough documentation to support conclusions or recommendations in the report.
○ Due Professional Care
■ Possess the same degree of skills commonly possessed by others in the field.

■ Act as a reasonably prudent accountant would.

■ Critically review work done by those assisting in the engagement.

● Compliance with Standards Rule

○ This rules applies to both public practice members (#1) and members in business (#2).
○ Measures the quality of performance.
○ A member must adhere to AICPA standards when performing:
■ An audit

■ A review

■ A compilation

■ Management consulting

■ Tax services

■ Other professional services

○ A member must comply with all standards:
■ Auditing Standards Board (SAS)
Page 318 of 350
 ■ Public Company Accounting Oversight Board (PCAOB)

■ Management Consulting Services Executive Committee

■ Accounting and Review Services Committee (SSARS)

■ Government Accounting Standards Board (GAGAS)

■ Tax Executive Committee

■ Attestation Standards

■ Financial Accounting Standards Board

■ International Accounting Standards Board

■ Personal Financial Planning Executive Committee

● Accounting Principles Rule

○ This rules applies to both public practice members (#1) and members in business (#2).
○ As a general rule, follow GAAP:
■ Do not express an opinion or state affirmatively or negatively that GAAP is followed if there are
departures.
○ Unusual circumstances may justify a departure from GAAP:
■ Justify that following GAAP would cause the financial statements to be misleading.

■ New legislation and new forms of business transactions for which no standards are designed.

● Ex) cryptocurrencies and blockchain.

■ Unusual degree of materiality or the existence of conflicting industry practices.

○ Departure, when justified, should be described in full in the report.

● Confidential Client Information Rule

○ This rules applies to only public practice members (#1).
○ Do not disclose confidential client information without the client’s approval.
○ Exceptions to the confidentiality rule (important):
■ To comply with a validly issued subpoena or summons.

■ As part of a quality review authorized by the AICPA.

■ In response to any inquiry made by the ethics division or trial board of the AICPA, or under authority of
state statutes.
■ For legal defense against a lawsuit filed by a client.

Page 319 of 350

 ○ Memorize these exceptions as examinsers frequently ask when a CPA can disclose client documentation
without their consent.

● Contingent Fees Rule

○ This rules applies to only public practice members (#1).
○ As a general rule, contingent fees are not allowed.
○ Contingent fees are established when:
■ No fee is charged unless a specific finding or result is obtained.

■ The fee amount is dependent upon the finding or result obtained.

■ Ex) requesting 15% of a client’s tax refund on a tax return in exchange for providing the tax services.
○ Contingent fees are permitted in two cases:
■ When fees are fixed by a court of judicial proceeding.

■ When fees are maintained by law and legislation.

■ Examples:

● Representing a client in an examination of a tax return by an IRS agent.

● Judicial hearing on the acceptability of an item.

■ For compilations or services expected to be used by a third party.

● In such cases, a member must disclose lack of independence.

● Acts Discreditable Rule

○ This rules applies to each of public practice members (#1), members in business (#2), and other members
(#3).
○ Acts that are discreditable to the profession (i.e., don’t do these acts).
○ Failure to return records to a client.
■ The client records must be returned to the client upon request regardless of payment status.
○ Determination by a court or administrative agency of discrimination or harassment.
○ Failure to follow GAAP standards unless disclosed.
○ Negligence in preparing financial statements or records.
○ Failure to follow GAAS and other applicable standards unless disclosed.
○ Solicitation or disclosure of CPA Exam questions and answers.
○ Failure to timely file a personal or firm tax return or timely remit payroll/taxes.
○ Failure to follow regulatory requirements.
○ Promotion or marketing of the member’s abilities to provide professional services in a manner that is:
■ False;

Page 320 of 350

 ■ Misleading; or

■ Deceptive,
○ A member whose employment relationship is terminated shall not take or retain;
■ Originals or copies from the firm’s client files; or

■ Proprietary information without the firm’s permission.

○ Disclosure of any confidential information without the client’s permission.
■ With the exception of the four reasons noted earlier.

● Advertising and Other Forms of Solicitation Rule

○ This rules applies to only public practice members (#1).
○ Advertising is allowed but not in a manner that is:
■ False;

■ Misleading; or

■ Deceptive.
○ Advertisements are misleading and deceptive if they:
■ Crease false or unjustified expectations of favorable results.

● Ex) “I always win” or “I beat the IRS every time”

■ Imply the ability to influence a court, regulatory agent, or official.

● Ex) “My buddy is a judge, come to me and we’ll take care of it”

■ Intentionally underestimate fees.

■ Would mislead or deceive a reasonable person.

● Commissions and Referral Fees Rule

○ This rules applies to only public practice members (#1).
○ The fundamental rule is that commissions and referral fees impair independence.
○ A member in public practice shall NOT for a commission recommend or refer to a client any product or
service when the member or the member’s firm also performs for that client:
■ An audit

■ A review

■ An examination of prospective information

○ Compilations do not require independence, but the lack of independence must be disclosed in the report
and disclosed to the client in writing.
Page 321 of 350
 ○ A member who receives a referral fee for recommending another CPA or pays a referral fee to obtain a
client must disclose this to the client.
○ Independence required:
■ Audits

■ Reviews

■ Examinations on forecasts
○ Independence NOT required:
■ Compilations → but must disclose lack of independence

■ Advisory services

■ Tax return preparations

● Form of Organization and Name Rule

○ This rules applies to only public practice members (#1).
○ The use of misleading firm names is not allowed.
■ Firm may not designate itself as “Members of the AICPA” unless all of its CPA owners are members of
the institute.
■ Firm may not designate itself as “CPAs” (plural) unless all of its owners are CPAs.
○ A firm may continue to use the names of one or more past owners.
■ Can be deceased, retired, resigned, current owners, etc.
○ A firm may not use the names of those who are not associated with it.
■ Ex) cannot use “Bush, Obama, Trump, and Gearty CPAs”
○ If all partners except one have died or left the firm, the remaining partner may continue to practice under
the partnership name for up to 2 years after becoming a sole practitioner.
■ Either bring in more CPAs to continue partnership or become a sole practitioner to avoid misleading.

Conceptual Framework
● Conceptual Framework: Threats and Safeguards Approach
○ The conceptual framework includes seven possible threats that can inhibit one’s ability to comply with
ethical standards.
○ Used to assess the threats to see if they are present.
○ Use the safeguards that could eliminate any threat or reduce it to an acceptable level.

● Conceptual Framework: Background

○ The AICPA Code of Professional Conduct is separated into three groups:
■ Part 1: Members in Public Practice

Page 322 of 350

 ● Conceptual Framework for Members in Public Practice

● Conceptual Framework for Independence

■ Part 2: Members in Business

● Conceptual Framework for Members in Business

■ Part 3: Other Members

○ When if a member works in multiple domains (#1 and #2)? → consult all applicable parts of the code and
apply the most restrictive provisions.
○ The conceptual framework approach requires entities to:
1. Identify threats to compliance with fundamental principles (seven threats).
2. Evaluate the significance of each identified threat.
3. Apply safeguards to eliminate threats or reduce threats to an acceptable level, whenever possible.

● Step 1: Identify Threats

1. Adverse Interest Threat
■ Not acting with objectivity because the members' interests are opposed to the client’s interests.
2. Advocacy Threat
■ Promoting the client’s interests or position to the point the member’s objectivity or independence is
compromised.
3. Familiarity Threat
■ Becoming too sympathetic or too accepting because of a long or close relationship with the client.
4. Management Participation Threat
■ Taking on the role of client management or otherwise assume management responsibilities.
5. Self-Interest Threat
■ Benefiting financially or otherwise, from an interest in, or relationship with, a client or persons
associated with the client.
6. Self-Review Threat
■ Not appropriately evaluating the results of previous judgment made or service performed or
supervised by the member or an individual in the member’s firm.
7. Undue Influence Threat
■ Subordinating the judgment to an individual associated with a client or any relevant third party due to
that individuals:
● Reputation or expertise.

● Aggressive or dominant personality.

● Attempts to coerce or exercise excessive influence over the member.

Page 323 of 350

● Step 2: Evaluate Threats
○ Evaluate the significance of the threat.
○ The member should determine whether a threat is at an acceptable level.
○ Threat is at an acceptable level, does not compromise independence → no further assessment required.
○ Threat is not at an acceptable level → go to Step 3.

● Step 3: Identify Safeguards

○ The member should apply safeguards to eliminate or reduce a threat to an acceptable level, if possible.
○ Safeguards that apply to Members in Public Practice (#1):
■ Created by the profession, legislation, or regulation.

■ Implemented by the client.

■ Implemented by the firm.

○ Safeguards that apply to Members in Business (#2):
■ Created by the profession, legislation, or regulation.

■ Implemented by the employing organization.

● Examples of Threats
1. Adverse Interest Threat
■ The client or client’s organization expressing the intent to or is in the process of commencing litigation
against the member.
■ Litigation is a very common example of this threat.
2. Advocacy Threat
■ Endorsing a client's services or products.

■ Giving or failing to give information that the member knows will unduly influence the conclusions of
others.
■ Promoting the attest client’s securities as part of an initial public offering.
3. Familiarity Threat
■ Having a close friend who is employed by the client/attest client.

■ Regularly accepting gifts or entertainment from a vendor or customer of the employing organization.
4. Management Participation Threat
■ Serving as an officer or a director of the attest client.

■ Designing, implementing, or maintaining internal controls for the attest client.

5. Self-Interest Threat

Page 324 of 350

 ■ Relying excessively on revenue from a single client/attest client.

■ Being in a position where the value of the bonus received from the employing organization is directly
affected by the member’s decisions.
6. Self-Review Threat
■ Performing bookkeeping services for a client.

■ Performing an internal audit procedure at the employing organization.

7. Undue Influence Threat
■ The attest client indicates that it will not award additional engagements if the firm continues to
disagree with the client on an accounting or tax matter.
■ The client pressures the member to associate with misleading information.

■ The client pressures the member to reduce necessary audit procedures in order to reduce audit fees.

● Examples of Safeguards
○ Created by the profession, legislation, or regulation (applicable to #1 and #2 members):
■ Education and training requirements on ethics, independence, and/or professional responsibilities.

■ Continuing education requirements.

■ Professional standards and the threat of discipline.

■ Legislation establishing prohibitions and requirements.

■ Competency and experience requirements for professional licensure.

■ Professional resources, such as hotlines, for consultation on ethical issues.

○ Implemented by the Client (applicable to #1 members):
■ Personnel with suitable skills, knowledge, or experience who make management decisions.

■ The tone at the top emphasizing commitment to fair financial reporting and compliance with the
applicable laws, rules, regulations, and corporate governance.
■ A governance structure to ensure appropriate decision making, oversight, and communications
regarding a firm’s services.
○ Implemented by the Firm (applicable to #1 members):
■ Documented policies regarding the:

● Identification of threats to compliance with the rules.

● Evaluation of the significance of those threats.

● Identification and application of safeguards.

Page 325 of 350
 ■ Discussion of independence and ethics issues with the audit committee or those charged with
governance.
■ Removal of an individual from an attest engagement team who poses a threat to independence or
objectivity.
■ Client acceptance and continuation policies.

■ Policies and procedures that are designed to monitor the firm’s, partner’s, or partner equivalent’s
reliance on revenue from a single client.
○ Implemented by the Employing Organization (applicable to #2 members):
■ The tone at the top emphasizing commitment to fair financial reporting and compliance with the
applicable laws, rules, regulations, and corporate governance.
■ An audit committee charter, including independent audit committee members.

■ Internal policies and procedures requiring disclosure of identified interests or relationships.

■ Human resource policies and procedures stressing the hiring and retention of technically competent
employees.

● Illustrating the Conceptual Framework: An Example of the Entire Process

○ Scenario → Taking a client to a sporting event at the other end of the country.
○ Step 1 → Identify Threats
■ Lots of spending on travel and lodging.

● Is this potentially going to be an impairment?

● Is it a familiarity threat (giving an unreasonable gift)?

○ Step 2 → Evaluate Threats
■ This is a big gift, so the threat is significant.
○ Step 3 → Identify Safeguards
■ Profession, legislation, and regulation:

● AICPA’s code of conduct states that the gift has to be reasonable under circumstances.

■ Implemented by firm:

● Company rules and regulations state there is a limit of $1,000 on entertainment and gifts per
year per client.
■ Implemented by client:

● The client's rules and regulations state there is a limit of $600 on acceptance of entertainment
and gifts.

Page 326 of 350

 ○ Step 4 → Evaluate safeguard options
■ We have three options here, and two of the options have different amounts, which limit do we use?

■ Use the most restrictive limit, which in this case is $600.

■ If the trip costs below $600 → threat at acceptable level → proceed with engagement.

■ If the trip costs above $600 → threat is not at an acceptable level → do not proceed with engagement.

● Notes from MCQs

○ Exercise of due care dictates consultation or referral when a professional engagement exceeds the CPA’s
personal competence.
○ Due care in performing an audit requires a member to plan and supervise adequately any professional
activity for which he or she is responsible.
■ This includes critical review at every level of supervision of the work done and the judgment exercised
by those assisting in the examination.
○ Independence is impaired by a member, a member’s spouse or dependents, or a close family member who
holds a key position in an audit client.
■ According to the Code, a close relative is defined as a parent, sibling, or nondependent child.
○ It is permissible for a member to disclose the name of a client without the client’s consent UNLESS the
disclosure of the name results in the release of confidential information.
Page 327 of 350
 ■ Ex) if a member’s practice is limited to bankruptcy matters, the disclosure of a client’s name suggests
that the client may be experiencing financial difficulties, which would be confidential information.
○ Soliciting questions from the CPA exam without the AICPA’s written authorization is a discreditable act.
○ Examples of activities with an attestation client that impair independence include bookkeeping activities
that include authorization, executing or consummating a transaction on behalf of a client or preparing
source documents or originating data (e.g., purchase orders).
○ Contingent fee arrangements impair the auditor’s independence.

M8: Ethical and Independence Requirements: Part 1

The Sarbanes-Oxley Act of 2002
● The Sarbanes-Oxley Act of 2002
○ In 2002, in the wake of the collapse of Enron and WorldCom, and the restatement of the financial
statements of additional SEC reporting companies, Congress passed the Sarbanes-Oxley Act of 2002.
○ SOX is a federal law which was enacted with the intent of improving the accuracy and reliability of financial
information disclosed by public companies.
○ SOX has had a profound effect on public companies and the audit with expanded requirements related to
financial reporting.

● SOX Title 1: Public Company Accounting Oversight Board (PCAOB)

○ The PCAOB was established to examine the auditors.
○ Title 1 of SOX provides for a Public Company Accounting Oversight Board composed of 5 members.
■ Two members must be CPAs.

■ Three members cannot be CPAs.

○ The board is subject to oversight by the SEC and has the duty to:
■ Register public accounting firms that prepare audit reports for issuers;

■ Establish rules for audit reports of issuers; and

■ Conduct inspections, investigations, and disciplinary proceedings concerning registered firms.

○ The PCAOB must conduct:
■ Annual inspections → registered firms that regularly provide audit reports for more than 100 issuers.

■ Inspection at least once every 3 years → registered firms that provide reports for 100 or fewer issuers.
○ In accordance with Title 1, only a “registered public accounting firm” may prepare audit reports for an SEC
issuer.
○ The application for registration must be updated annually and contain:

Page 328 of 350

 ■ The names of issuers audited in the preceding and current year, including annual fees received for such
audits.
■ A statement of the firm’s quality control policies;

■ A list of all firm accountants who will participate in the audits;

■ Legal or disciplinary proceedings pending against the firm; and

■ Disclosures filed by audited issuers concerning accounting disagreements between the issuer and firm.
○ Each registered firm must consent to cooperate with any request from the PCAOB concerning testimony or
production of documents.
○ Each registered firm must adhere to the following auditing standards:
■ Audit documentation must be maintained for 7 years (criminal penalties will apply for failure to do so).

■ Provide a concurring or section partner review of each audit report.

■ Describe in audit reports the scope of the testing of internal control structure and procedures.
○ Registered accounting firms must monitor professional ethics and independence from issuers that they
audit and must supervise work.
○ The board can conduct investigations of wrongdoing by registered firms or associated persons of those
firms.
○ The PCAOB can impose the following sanctions:
■ Temporary suspension or permanent revocation of PCAOB registration;

■ Temporary or permanent suspension or bar of a person from associated with a registered firm;

■ Temporary or permanent limitation on the activities, functions, or operations of a firm or person;

■ Civil monetary penalties of a maximum of $750,000 for individuals and $15,000,000 for registered firms
for intentional or knowing conduct, including reckless conduct, resulting in violations or repeated
instances of negligent conduct; and max penalties for other violations of:
● $100,000 for individuals; and

● $2,000,000 for registered firms

■ Censure;

■ Require professional education or training; and

■ Any other PCAOB approved sanction.

● SOX Title II: Auditor Independence

○ Prohibited services:
■ Bookkeeping
Page 329 of 350
 ■ Financial information systems design and implementation

■ Appraisal and valuation services

■ Actuarial services

■ Management functions or HR services (hiring people for the client)

■ Internal audit outsourcing services

■ Services as a broker, dealer, investment adviser, or investment broker

■ Legal services

■ Expert services unrelated to the audit

○ Tax services are permissible for the client corporation as a whole, NOT individual officers, but must be
preapproved by the audit committee.
○ The lead audit or coordinating partner and the reviewing partner must rotate off the audit every 5 years.
■ Under PCAOB rules, auditors of issuers must also disclose the name of the engagement partner.
○ All auditing services and permitted non-audit services provided by an auditor to an issuer should be
preapproved by the audit committee of the issuer.
○ Registered firms must report the following to the audit committees of audited corporations:
■ The critical accounting policies and practices to be used;

■ Alternative accounting treatments discussed with the corporation’s management, the ramifications of
the alternatives, and the treatment the firm prefers; and
■ Material written communications between the audit firm and management including a schedule of
unadjusted audit differences and any management letter.
○ The audit firm cannot have employed the issuer’s:
■ CEO;

■ CFO;

■ Controller;

■ Chief accounting officer; or

■ Any person serving in an equivalent position for a one-year period preceding the audit.

SOX - Entity Responsibilities

● Impact of SOX on Entity Responsibilities
○ With the goal of increasing the accuracy and reliability of the financial information reported by issuers, SOX
includes:
■ Numerous provisions for expanded disclosures; and
Page 330 of 350
 ■ The requirement of specific representations by public company officers that accompany the published
financial statements.

● SOX Title III: Corporate Responsibility

○ The corporate responsibility section of the act relates to:
■ The establishment of an audit committee; and

■ The representations made by key corporate officers, typically the CEO and the CFO.

● Public Company Audit Committees (Title III)

○ Public companies are responsible for establishing an audit committee that is directly responsible for the
appointment, compensation, and oversight of the work of the public accounting firm they employ.
■ The auditor reports directly to the audit committee.

■ The audit committee is responsible for resolving disputes between the auditor and management.
○ Audit committee members are to be members of the issuer’s board of directors but are to be otherwise
independent.
○ Independence criteria are as follows:
■ Audit committee members may not accept compensation from the issuer for consulting or advisory
services.
■ Audit committee members may not be an affiliated person of the issuer.

● Affiliation → having the ability to influence financial decisions.

○ Audit committees must establish procedures to accept reports of complaints regarding audit, accounting,
or internal control issuers (whistleblower hotlines).
■ Procedures must accommodate confidential, anonymous reports by employees of the issuer.

■ Procedures must accommodate receipt and retention of complaints as well as method to address
them.

● Corporate Responsibility for Financial Reports (Title III)

○ Corporate officials, typically the CEO and CFO, must sign certain representations regarding annual and
quarterly reports, including their assertion that:
■ They have reviewed the report.

■ The report does not contain untrue statements or omit material information.

■ The financial statements fairly present in all material respects the financial condition and results of
operations of the issuer.
■ The CEO and CFO signing the report must have assumed responsibility for internal controls, including
assertions that:
Page 331 of 350
 ● Internal controls have been designed to ensure material information has been made available.

● Internal controls have been evaluated for effectiveness as of a date within 90 days prior to the
report.
● Their report includes their conclusions as to the effectiveness of internal controls.
○ The CEO and CFO signing the report assert they have made the following disclosures to the auditors and
audit committee:
■ All significant deficiencies and material weaknesses in the design and operation of internal controls
which might adversely affect the financial statements.
■ Any fraud (regardless of materiality) that involves management or any other employee with a
significant role in internal controls.
○ The CEO and CFO signing the report must also represent whether there have been any significant changes
to internal control.

● Improper Influence on the Conduct of Audits (Title III)

○ It is unlawful for any officer or director of an issuer to take any action to fraudulently influence, coerce,
manipulate, or mislead any auditor for the purpose of rendering the financial statements as misleading.
■ This also applies to anyone acting under the direction of an officer or director.

■ Such actions may lead to jail time.

● Forfeiture of Certain Bonuses and Profits (Title III)

○ If an issuer is required to prepare an accounting restatement due to material noncompliance with any
financial reporting requirement under the securities laws, the CEO and CFO may be required to reimburse
the issuer for:
■ Bonuses or incentive-based or equity-based compensation; and/or

■ Gains on sale of securities during that 12-month period.

○ Whether it's a Big R or Little R, the bonuses/incentives are taken back (clawed back).
■ “Big R” → issuers states to not rely on them anymore; will restate a brand new set right away.

■ “Little R” → issuer needs to restate, but will wait until next period and compare changes.

● SOX Title IV: Enhanced Financial Disclosures

○ The enhanced financial disclosures associated with issuer reports include additional details regarding:
■ Financial statements;

■ Internal controls; and

■ Operations of the audit committee.

Page 332 of 350

● Disclosures in Periodic Reports (Generally Quarterly or Annually) (Title IV)
○ Financial statement disclosures are intended to:
■ Ensure that the application of GAAP reflects the economics of the transactions included in the report.

■ And that those transactions are transparent to the reader.

○ Enhanced disclosure requirements include the following:
■ All material correcting adjustments identified by the auditor should be reflected in the financial
statements.
■ The financial statements should disclose all material off-balance sheet transactions:

● Operating leases.

● Contingent obligations.

● Relationships with unconsolidated subsidiaries.

■ Conformance of pro forma financial statements to the following requirements:

● No untrue statements.

● No omitted material information.

● Reconciled with GAAP basis financial statements.

○ Show GAAP first → Pro Forma (non-GAAP) → Show Reconciliation between the two.
■ Use of special purpose entities (SPEs)

● Enhanced Conflict of Interest Provisions (Title IV)

○ Issuers are generally prohibited from making personal loans to directors or executive officers.
■ Exceptions apply if the consumer credit loans are made in the ordinary course of business by the issuer.

■ Exceptions apply if the terms offered to the officer are generally the same as those made to the public.

■ Ex) An officer of a bank takes a loan out with their bank under the same circumstances as the public
and under the ordinary course of business → ok

● Disclosure of Transactions Involving Management and Principal Stockholders (Title IV)

○ Disclosures are required for persons who generally have direct or indirect ownership of more than 10
percent of any class of most any equity security.
■ Disclosures are made by filing a statement.
○ Statements are filed at the following times:
■ At the time of registration.

Page 333 of 350

 ■ When the person achieves 10 percent ownership.

■ If there has been a change in ownership.

● Management Assessment of Internal Controls (Title IV)

○ The assessment of internal controls is commonly referred to as Section 404.
○ Each annual report is required to contain a report that includes the following:
■ A statement that management is responsible for establishing and maintaining an adequate internal
control structure and procedures for financial reporting.
■ An assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the
internal control structure and procedures for financial reporting.
○ The auditor must attest to management’s assessment of internal control.

● Certain Exemptions (Title IV)

○ Investment companies are exempt from certain provisions of this act:
■ Disclosures in periodic reports;

■ Enhanced conflict of interest provisions; and

■ Management assessment of internal controls.

● Code of Ethics for Senior Officers (Title IV)

○ Issuers must disclose whether the issuer has adopted a code of conduct for senior officers (e.g., CEO, CFO,
Controller, and Chief Accountant).
■ If no code of conduct has been adopted, the issuer must disclose the reason(s) why.
○ The code of ethics contemplates standards that promote:
■ Honest and ethical conduct (including handling of conflicts of interest).

■ Full, fair, accurate, and timely disclosures in periodic financial reports.

■ Compliance with laws, rules, and regulations.

○ Changes to or waivers from the code must be reported on a Form 8-K.

● Disclosure of Audit Committee Financial Expert (Title IV)

○ At least 1 member of the audit committee should be a financial expert.
○ Financial reports of the issuer must disclose the existence of a financial expert on the committee, or the
reasons as to why the committee does not have a member who is a financial expert.
○ A financial expert qualifies through education, past experience as a public accountant, or past experience
as a principal financial officer, controller, or principal accounting officer of an issuer.
○ Knowledge of the financial expert should include:
■ Understanding of GAAP.
Page 334 of 350
 ■ Experience in the preparation or auditing of financial statements for comparable issuers.

■ Application of GAAP.

■ Experience with internal controls.

■ Understanding of audit committee functions.

● Enhanced Review of Periodic Disclosures by Issuers (Title IV)

○ The Securities and Exchange Commission (SEC) is required to review disclosures made by issuers, including
those in Form 10-K, on a regular and systematic basis for the protection of investors.
○ When scheduling reviews, the SEC should consider:
■ Issuers that have issued material restatements of financial results.

■ Issuers that experience significant volatility in their stock prices when compared to other issuers
(signifies the entity may be very pressured; think of fraud triangle).
■ Issuers with the largest market capitalization.

■ Emerging companies with disparities in price-to-earnings ratios.

■ Issuers whose operations significantly affect any material sector of the economy (too important/large
to fail).

● SOX Title VIII: Corporate and Criminal Fraud Accountability

○ Focuses largely on the penalties for unethical actions, such as fines, jail time, or both.

● Criminal Penalties for Altering Documents (Title VIII)

○ Individuals who alter, destroy, mutilate, conceal, cover up, falsify, or make false entry in any record,
document, or tangible object with the intent to impede, obstruct, or influence an investigation will be:
■ Fined;

■ Imprisoned for not more than 20 years; or

■ Both fined and imprisoned.

○ Auditors of issuers should retain all audit and review workpapers for a period of 7 years from the end of the
fiscal period in which the audit or review was conducted. Failure to do so will result in:
■ Fine;

■ Imprisoned for not more than 10 years; or

■ Both fined and imprisoned.

● Statute of Limitations for Securities Fraud (Title VIII)

○ The statute of limitations for securities fraud is no later than the:
Page 335 of 350
 ■ Earlier of 2 years after the discovery of the facts constituting the violation; or

■ 5 years after the violation.

● Whistleblower Protection (Title VIII)

○ An employee who lawfully provides evidence of fraud may not be discharged, demoted, suspended,
threatened, harassed, or in any other matter discriminated against for providing such information.
○ An employee who alleges discharge or other discrimination for providing evidence of fraud may file a
complaint with the Secretary of Labor and may be provided with compensatory damages, including:
■ Reinstatement with the same seniority status that the employee would have had;

■ Back pay with interest; and

■ Compensation for any special damages as a result of the discrimination including litigation costs, expert
witness fees, and reasonable attorney fees.

● Criminal Penalties for Securities Fraud (Title VIII)

○ An individual who knowingly executes, or attempts to execute, securities fraud will be fined, imprisoned for
not more than 25 years, or both.

● SOX Title IX: White Collar Crime Penalty Enhancements

● Attempt and Conspiracy (Title IX)

○ An individual who attempts (or conspires) to commit any white-collar offense will be subject to the same
penalties as those who commit the offense, as predetermined by the United States Sentencing
Commission.
○ The penalties for mail and wire fraud were increased from 5 years to 20 years.
○ The penalties for violating ERISA were increased from not more than $5,000 to not more than $100,000
and not more than 1 year to not more than 10 years for individuals (either or both of the fine and prison).
○ Fines imposed upon persons who are not individuals cannot exceed $500,000.

● Amendment to Sentencing Guidelines Related to Certain White-Collar Offenses (Title IX)

○ The United States Sentencing Commission (“Sentencing Commission”) will review and amend, as needed,
sentencing guidelines and policy statements to carry out the Attempt and Conspiracy Act.
■ This includes ensuring that the sentencing guidelines and policy statements consider the nature of any
offense and that the corresponding penalties are commensurate with the provisions of the act.
■ In the event the Sentencing Commission determines a growing trend of a particular offense, it will
review and determine whether any modifications to the sentencing guidelines or policy statements are
necessary.
○ The Sentencing Commission will review any additional aggravating or mitigating circumstances for a
particular offense that could justify an exception to the existing sentencing ranges.

Page 336 of 350

● Failure of Corporate Officers to Certify Financial Reports (Title IX)
○ Any issuer periodic report which contains financial statements that is filed with the SEC must be
accompanied by the following:
■ A written statement that the periodic report fully complies with the Securities Exchange Act of 1934.

■ A written statement that the information contained in the report fairly presents, in all material
respects, the financial condition and operating results of the issuer.
■ The written statements must be signed by the CEO and CFO (or equivalent) of the issuer (who bear
responsibility for these financial statements).
○ Any party that certifies the periodic financial report and/or its content knowing that it does NOT satisfy all
the requirements shall be fined and/or imprisoned.
○ Specifically, a party who:
■ Certifies any statement knowing that it does not comply with all requirements will be fined not more
than $1,000,000 and/or imprisoned for not more than 10 years; or
■ Willfully certifies any statement knowing that it does not comply with all requirements will be fined not
more than $5,000,000 and/or imprisoned for not more than 20 years.

● SOX Title XI: Corporate Fraud Accountability

○ Tampering with Record or Impeding an Official Proceeding
■ Any individual who alters, destroys, mutilates, or conreals a document (record) with the intent to
modify the document and its integrity or the availability of the document in an official proceeding shall
be fined and/or subject to not more than 20 years in prison.

○ Temporary Freeze Authority for the SEC

■ If during an investigation pertaining to potential violations of federal securities laws by an issuer (or a
director, officer, or employee acting on its behalf), the SEC determines it is likely that the issuer will be
required to make penalty payments, the SEC may petition a federal district court to require the issuer
to escrow the payments in an interest-bearing account for 45 days.

○ Authority of the SEC to Prohibit Persons from Serving as Officers or Directors

■ For any cease-and-desist proceedings, the SEC may issue an order to conditionally or unconditionally
prohibit an individual from serving as an officer or director of the issuer for a stipulated period (or
permanently) if that individual has violated securities rules and regulations and the SEC determines
that this individual is unfit to serve as an officer or director of an issuer.

○ Retaliation Against Informants

■ Any individual who knowingly takes any harmful action against another person with the intent to
retaliate for that person providing truthful information to the SEC regarding a possible federal offense
shall be fined and/or imprisoned for not more than 10 years.

Page 337 of 350

Independence Requirements of the SEC and PCAOB
● Principles of Independence
○ Rule 2-01 of the SEC Regulation S-X outlines the independence rules that apply to auditors of SEC
registrants.
○ The SOX independence rules have been incorporated into these rules and the PCAOB has adopted
independence standards to conform to these rules.
○ Classes:
■ Covered member:

● The audit engagement team, the audit chain of command, anyone who provided more than 10
or more hours of non-audit services, anyone back at the offices of the firm who could influence
the engagement partner.
● Should be “squeaky clean” → no direct or material indirect interest in the client now or
committed to in the future.
■ Immediate Family

● All direct investments and material indirect investments in audit clients during the period of
professional engagement by the firm, any covered person in the firm, or any member of his or
her immediate family may impair auditor independence.
● Basically have to abide by the same rules as covered members, with a few exceptions.

■ Close Relatives

● Independence is impaired if a close relative has a financial interest in the attest client that the
covered member knows or has a reason to believe is material to the close relative or enabled
the close relative to exercise significant influence over the attest client.
○ When considering whether a circumstance raises independence concerns, the SEC looks to whether a client
relationship or a service provided to an audit client:
■ Creates a mutual or conflicting interest between the auditor and client.

■ Results in the auditor acting as management or an employee of the audit client, such as an:

● Officer;

● Director;

● IT designer; or

● Individual involved in hiring, firing, or supervising personnel.

■ Places the auditor in a position to audit their own work (e.g., preparing source documents).

Page 338 of 350

 ■ Places the auditor in a position of being an advocate for the audit client (e.g., promoting their
securities).

● Circumstances that Impair Auditor Independence

○ Rule 2-01 states that an accountant is not independent with respect to an audit client if the accountant is
not, or a reasonable, knowledgeable investor would conclude that the accountant is not capable of
exercising objective and impartial judgment on all issues related to the accountant’s engagement.
■ Essentially, not independent in fact or appearance (see A6:M7 definitions).
○ The following is a non-exhaustive list of circumstances that impair auditor independence:
■ Financial relationships

■ Employment relationships

■ Business relationships

● Independence Impaired - Financial Relationships

○ All direct investments and material indirect investments in audit clients during the period of professional
engagement by the firm, any covered person in the firm, or any member in his or her immediate family
impair auditor independence.
○ Such investments include:
■ Direct investments in stocks, bonds, notes, options, or other securities of the audit client, including
direct investments held through an intermediary.
■ Beneficial ownership of more than 5 percent of an audit client’s equity securities.

■ Service as a voting trustee of a trust or executor of an estate containing securities of the audit client,
unless there is no authority to make investment decisions for the trust or estate.
■ Material indirect investment in the audit client.
○ The following financial interests in the audit client by the firm, any covered person in the firm, or any
member of their immediate family impair auditor independence:
■ Loans to or from an audit client, or an audit client’s officers, directors, or beneficial owners with
significant influence over the client.
● Exception → this rule excludes loans obtained from financial institutions under normal lending
circumstances, such as:
○ Automobile loans or leases;
○ Loans fully collateralized by the cash surrender value of life insurance;
○ Loans fully collateralized by cash deposits at the financial institution; and
○ Student loans and mortgage loans (on a primary residence) obtained BEFORE the covered
person was a covered person (e.g., hiring a college student).
■ Savings and checking account balances that exceed the amount insured by the FDIC.

Page 339 of 350

 ○ Other financial interests in audit clients may include:
■ Broker-dealer accounts if the account includes assets other than cash or securities, or the amount in
the account exceeds the insured amount.
■ Future commission merchant accounts.

■ Consumer loans in excess of $10,000 on a current basis.

■ Insurance products issued by an audit client.

■ Financial interest in an investment company complex that includes an audit client.

○ Investments or other financial interests in an audit client will NOT impair independence in the following
circumstances:
■ The financial interest is received through an unsolicited gift or inheritance and is disposed of as soon as
practicable, no later than 30 days after the person has knowledge of and the right to dispose of it.
■ In a new audit engagement, any person with a financial interest that would impair audit independence
disposes of the financial interest before the earlier of:
● The signing of the engagement letter or other agreement; or

● The commencement of any audit, review, or attestation services.

■ An immediate family member of a covered person has a financial interest that would impair
independence as an unavoidable consequence of participation in his or her employer’s employee
compensation or benefits program and the financial interest is disposed of as soon as practicable, no
later than 30 days after the person has knowledge of and the right to dispose of the financial interest.
○ The following financial relationships of the audit client impair auditor independence:
■ Investment by the audit client in the accounting firm.

■ Engagement of the accounting firm by the audit client to act as an underwriter, broker dealer, market-
maker, promoter, or analyst.

● Independence Impaired - Employment Relationships

○ Employment relationships between the accountant and the audit client during the engagement period that
impair auditor independence include:
■ Employment of a covered person by the audit client or service on the board of directors or other
management or governing body of the audit client.
■ Employment of a close family member of a covered person in an accounting or financial reporting role
at the audit client.
○ Employment at the audit client of a former member of the audit engagement team in an accounting role or
a financial oversight role, unless the individual:
■ Does not influence the accounting firm’s operations or financial policies;

Page 340 of 350

 ■ Has no capital balances in the accounting firm; and

■ Has no financial arrangement with the accounting firm, other than one providing regular payment of a
fixed dollar amount (not dependent on firms revenues, profits, or earnings) that is either:
● From a fully funded retirement plan or similar vehicle; or

● Immaterial to the former professional employee (only in the case of a former employee who
was not a partner, principal, or shareholder and who has been disassociated from the firm for
more than 5 years).
○ Employment at the audit client of a former member of the audit engagement team in a financial oversight
role, if the individual was a member of the engagement team during the one-year period preceding the
commencement of audit procedures (the “cooling-off” period).
■ Engagement team → lead partner, concurring partner, and others who provide more than 10 hours of
service during the audit period.
○ Employment at the accounting firm of a former employee of the audit client, unless the individual:
■ Does not participate in the audit engagement; and

■ Is not in a position to influence the financial statement audit of the audit client covering any period in
which the individual was employed by or associated with the audit client.

● Independence Impaired - Business Relationships

○ Direct or material indirect business relationships between the firm or any covered person in the firm and an
audit client or persons participating in decision making of an audit client (officers, directors, substantial
stockholders) impair independence.

● Independence Impaired - Non-Audit Services

○ Auditor independence is impaired if any of the following non-audit services are provided during the audit
and professional engagement period (“Prohibited Services”):
■ Bookkeeping or other services related to the accounting records or financial statements of the client.

■ IT systems design and implementation.

■ Appraisal and valuation services, fairness opinions, or contribution-in-kind reports.

■ Actuarial services.

■ Internal audit outsourcing services.

■ Management functions or HR services (hiring, firing, etc.)

■ Broker or dealer, investment adviser, or investment banking services.

■ Legal services (including representing an audit client before a court).

Page 341 of 350

 ■ Expert services unrelated to the audit.

● Independence Impaired - Contingent Fees and Commissions

○ Independence is impaired by contingent fees or commission arrangements in which the accountant:
■ Provides any service or product to the audit client for a contingent fee or a commission; or

■ Receives a contingent fee or commission from an audit client.

● Independence Impaired - Partner Rotations

○ Partner rotation situations that impair independence include:
■ Failure of the lead audit partner and the concurring partner to rotate off after 5 years; or

■ Failure of other audit partners to rotate off after no more than 7 years.

● Required “time-out” period → lead partners and concurring partners are subject to 5 year
period before returning to an engagement, other audit partners are subject to 2 year period.
● Small firms → firms with fewer than 5 clients and fewer than 10 partners, are exempt from this.

● Independence Impaired - Audit Committee

○ Auditor independence is impaired when the audit committee fails to administer the engagement.
○ Audit committees are required to preapprove:
■ All audit, review, or other attest engagements.

■ All permissible non-audit services, including tax compliance, tax planning, and tax advice.

■ Preapproval is not required for non-audit services that do not exceed 5 percent of total revenues from
the audit client during the fiscal year, as long as the non-audit services are promptly brought to the
audit committee's attention and approved before the completion of the audit.
○ Required Auditor Reporting to the Audit Committee → the auditor of an issuer is required to report certain
matters to the audit committee, including:
■ The critical accounting policies and practices to be used;

■ Alternative accounting treatments discussed with the corporation’s management, the ramifications of
the alternatives, and the treatment the firm prefers; and
■ Material written communications between the audit firm and management including a schedule of
unadjusted audit differences and any management letter.

● Independence Impaired - Compensation

○ Auditor’s independence is impaired if an audit partner earns or receives compensation based on selling
engagements to an audit client for services other than audit, review, and attest services.
○ Audit partner’s include:

Page 342 of 350

 ■ The lead audit partner;

■ The concurring audit partner;

■ Other audit partners who have responsibility for decision making on significant auditing, accounting, or
reporting matters, or who maintain regular contact with management and the audit committee.

● Additional Independence Requirements of the PCAOB

○ The PCAOB’s interim independence standards, as adopted from the AICPA Code of Professional Conduct,
have been amended to align with the standards as outlined in Rule 2-01 of Regulation S-X.
○ Additionally, the PCAOB has adopted certain permanent independence rules that impose incremental
obligations on registered public accounting firms.

● PCAOB Independence Standards

○ The following independence standards have been issued by the PCAOB.
○ The collective PCAOB standards apply to all audits of issuers by registered firms.

○ Responsibility Now to Knowingly or Recklessly Contribute to Violations

■ A person associated with a registered public accounting firm should not take or omit to take an action,
knowing, or recklessly not knowing, that the action or omission would contribute to a violation by the
registered public accounting firm of the SOX Act, the rules of the PCAOB, securities laws, rules of the
SEC, or professional standards.
○ Auditor Independence
■ A registered public accounting firm and its associated persons must be independent of the firm’s audit
client throughout the audit and professional engagement period.
○ Contingent Fees
■ A registered public accounting firm may not:

● Provide services or products for a contingent fee (i.e., those in which the amount of the fee
depends on the results of the service performed) or a commission; or
● Receive from the audit client a contingent fee or commission.
○ Tax Transactions
■ Registered public accounting firms may not provide to audit clients any tax services related to certain
confidential or aggressive tax transactions.
○ Tax Services for Persons in Financial Reporting Oversight Roles
■ Registered public accounting firms may not provide any tax services to:

● Corporate officers of audit clients; or

● Immediate family members of corporate officers.

Page 343 of 350

 ■ Corporation’s tax returns are ok.
○ Audit Committee Preapproval of Certain Tax Services
■ Proposed tax services and related fees must be communicated to the audit committee in writing.

■ The potential effects of the services on the firm's independence should also be discussed with the audit
committee, and this discussion must be documented.
○ Audit Committee Preapproval of Non-Audit Services Related to internal Control Over Financial Reporting
■ Non-audit services related to internal control over financial reporting must be communicated to the
audit committee in writing.
■ The potential effects of the services on the firm's independence should also be discussed with the audit
committee, and this discussion must be documented.
○ Communication With the Audit Committee Concerning Independence
■ Before accepting an initial engagement with an issuer and at least annually for each issuer audit client,
a registered public accounting firm must:
● Describe in writing to the audit committee of the issuer all relationships that may reasonably
be thought to bear on independence.
● Discuss the potential effects of those relationships on the audit firm’s independence; and

● Document the discussion.

■ As part of the annual communication, the audit firm must affirm, in writing, that the audit firm is
independent as of the date of the communication.

● Notes from MCQs

○ The statute of limitations for most criminal charges is 7 years, which is why audit documentation should be
kept for 7 years.
○ Someone who actively supervises or assesses the performance of a financial position, such as those listed
as a financial expert criteria, is allowed to be labeled as a financial expert.
■ Ex) someone who supervises or assesses the preparation, auditing, or evaluation of financial
statements can be a financial expert for an audit committee.
■ Simply serving on another audit committee does NOT mean that person can be a financial expert.
○ A registered public accounting firm is able to prepare an organizational chart of the accounting department
for an audit client and still maintain independence.

Page 344 of 350

 M9: Ethical and Independence Requirements: Part 2
● The Government Accountability Office (GAO)
○ The Government Accountability Office (GAO) includes the following ethical principles.
○ Serving the Public Interest
■ Collective well-being of the community served by the auditor.
○ Integrity
■ Objective, fact-based, nonpartisan, and nonideological.
○ Objective
■ Independence of mind and appearance.
○ Proper Use of Government Information, Resources, and Positions
■ Provide services without taking advantage of any insider information for personal gain.
○ Professional Behavior
■ Conduct in a manner that is appropriate and does not bring discredit to the audit profession.

● General Standards Under GAGAS

○ Independence
■ Independence of Mind → auditor’s state of mind should permit the performance of an audit without
being affected by influences that compromise professional judgment.
■ Independence in Appearance → auditor’s should avoid circumstances that would cause a reasonable
third party to conclude that independence has been compromised.
○ Professional Judgment
■ Planning and performing audits

■ Exercising reasonable care

■ Professional skepticism
○ Competence
■ Adequate professional competence

■ Technical knowledge

■ Skills

■ Experience
○ Quality Control and Assurance

Page 345 of 350

 ■ Establish and maintain a system of quality control to provide reasonable assurance that the
organization and its personnel comply with professional standards and applicable legal and regulatory
requirements.
■ Have an external peer review at least once every three years.

● Introduction to GAGAS Conceptual Framework for Independence

○ Similar to the AICPA Code of Conduct, GAGAS independence guidance includes a conceptual framework for
making independence determinations.
○ The conceptual framework requires the auditor to:
1. Identify threats to independence.
2. Evaluate the significance of the threats identified, both individually and in the aggregate.
3. Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.

● Step 1: Threats to Independence

1. Self-Interest Threat
■ The threat that a financial or other interest will inappropriately influence an auditor’s judgment or
behavior.
2. Self-Review Threat
■ The threat that an auditor or audit organization that has provided non-audit services will not
appropriately evaluate the results of previous judgments made or services performed as part of the
non-audit services when forming a judgment significant to an audit.
■ Ex) Thinking “that control worked in the past… so it must be ok now too”
3. Bias Threat
■ The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a
position that is not objective.
■ Similar to the Adverse Interest threat of the AICPA framework.

■ Ex) the governmental agency is involved in something such as gun control, abortion, etc.
4. Familiarity Threat
■ The threat that aspects of a relationship with management or personnel of an audited entity, such as a
close or long relationship or that of an immediate or close family member, will lead an auditor to take a
position that is not objective.
5. Undue Influence Threat
■ The auditor’s ability to make independent and objective judgments are impacted by external influences
or pressures.
6. Management Participation Threat
■ The threat that results from an auditor’s taking on the role of management or otherwise performing
management functions on behalf of the entity undergoing an audit.
Page 346 of 350
 7. Structural Threat
■ The threat that an audit organization’s placement within a government entity, in combination with the
structure of the government entity being audited, will impact the audit organization’s ability to perform
work and report results objectively.

● Step 2: Evaluate Significance

○ Professional judgment is used to evaluate the significance of threats to independence.
○ If a reasonably prudent businessperson was aware of all facts and circumstances, what would the
businessperson conclude?
■ Is the auditor no longer objective?

■ Can the auditor no longer exercise professional skepticism?

● Step 3: Safeguards
○ Safeguards are controls designed to eliminate or reduce threats to independence to an acceptable level.
○ Examples of safeguards include:
■ Consulting an independent third party, such as a professional organization, a professional regulatory
body, or another auditor;
■ Involving another audit organization to perform or reperform part of the audit;

■ Having a professional staff member who was not a member of the audit team review the work
performed; and
■ Removing an individual from an audit team when that individual’s financial or other interests or
relationships pose a threat to independence.

● Evaluation of Non-Audit Services

○ The auditor should determine whether providing such a non-audit service would create a threat to
independence, either by itself or in aggregate with other non-audit services provided, with respect to any
GAGAS audit the auditor performs.
○ A critical component of the determination process is consideration of management’s ability to effectively
oversee the non-audit service to be performed.
■ The auditor should determine whether:

● The audited entity possesses suitable skill, knowledge, or experience; and

● The individual understands the services to be performed sufficiently to oversee them.

■ The individual is not required to possess the expertise to perform or reperform the services.

■ The auditor should document consideration of management’s ability to effectively oversee non-audit
services to be performed.

Page 347 of 350

 ○ Auditors performing non-audit services for entities for which they perform audits should obtain assurance
that audited entity management performs the following functions in connection with non-audit services:
■ Assumes all management responsibilities;

■ Oversees the service;

■ Evaluates the adequacy and the results of the services performed; and

■ Accepts the responsibility for the results of the services.

● Management Participation Threat

○ The management participation threat impairs the auditor’s independence.
○ Duties performed when participating in management:
■ Making decisions

■ Hiring people

■ Supervising staff
○ If an auditor were to assume management responsibilities for an audited entity, the management
participation threat created would be so significant that no safeguards could reduce the threat to an
acceptable level.
○ Other responsibilities of management include:
■ Leading and directing the entity

■ Making decisions regarding the acquisition, deployment, and control of:

● Human resources

● Financial resources

● Physical resources

● Intangible resources
○ More examples of activities that are considered management responsibilities and would therefore impair
independence if performed for an audited entity include:
■ Setting policies and strategic direction.

■ Directing and accepting responsibility for the actions of the audited entity’s employees’ performance.

■ Having custody of an audited entity’s assets.

● Documentation of Independence
○ Independence standards require the auditor to document:

Page 348 of 350

 ■ The threats to independence that require the application of safeguards, along with the safeguards
applied, in accordance with the conceptual framework for independence.
■ The safeguards if an audit organization is structurally located within a government entity and is
considered independent based on those safeguards.
■ The audited entity management’s ability to effectively oversee a non-audit service to be provided by
the auditor.
■ The auditor’s understanding with an audited entity for which the auditor will perform a non-audit
service.

● Department of Labor
○ The U.S. Department of Labor (DOL) has established guidelines for determining when a qualified public
accountant is independent for the purpose of rendering an opinion on an employee benefit plan under the
Employee Retirement Income Security Act of 1974 (ERISA).
○ Auditor independence is required when auditing and rendering an opinion on the financial information
required to be submitted to the Employee Benefits Security Adminiations of the DOL.

● Impairment of Independence (DOL/ERISA)

○ Any direct financial interest or a material indirect financial interest in the plan or the plan sponsor.
○ An interest was held during the period of the engagement, at the date of the opinion, or during the period
covered by the financial statements.
○ Connection to the plan or the plan sponsor as a promoter, underwriter, investment advisor, voting trustee,
director, officer, or employee.
○ An accountant or a member of the accounting firm maintaining financial records for the employee benefit
plan.

● Independence NOT Impaired (DOL/ERISA)

○ A former officer or employee of the plan or plan sponsor is employed by the firm and is completely
disassociated from the plan or plan sponsor and does not participate in auditing the financial statements.
○ An actuary associated with the accountant or the accountant’s firm rendered services to the plan.

● Summary of Independence for Each of AICPA, SOX/PCAOB/SEC, and DOL/ERISA

Page 349 of 350

● Notes from MCQs
○ Safeguards to threats to independence identified by the GAGAS conceptual framework are generally not
effective to mitigate a management participation threat.

Page 350 of 350