630 likes | 1.43k Views
Objectives of This Course: . Outline the PPC audit risk assessment processUnderstand how to use PPC practice aids to perform and document risk assessmentProvide an overview of the AICPA's clarified risk assessment standards. What is Risk Assessment?. Risk AssessmentObtain an understanding of the
E N D
1. Understanding Audit Risk Assessment
2. Objectives of This Course: Outline the PPC audit risk assessment process
Understand how to use PPC practice aids to perform and document risk assessment
Provide an overview of the AICPAs clarified risk assessment standards
Key Points:
This presentation will help you understand the current audit risk assessment standards (and the PPC risk assessment process) and how to implement them in your audits using the practice aids in PPCs Guide to Audits of Nonpublic Companies and PPCs industry audit guides.
The risk assessment standards are in SAS Nos. 104111. Risk assessment also encompasses SAS 99 on fraud consideration in a financial statement audit.
This presentation also provides a brief overview of the AICPAs clarified risk assessment standards that will be effective for audits of 2012 calendar-year ends.
Key Points:
This presentation will help you understand the current audit risk assessment standards (and the PPC risk assessment process) and how to implement them in your audits using the practice aids in PPCs Guide to Audits of Nonpublic Companies and PPCs industry audit guides.
The risk assessment standards are in SAS Nos. 104111. Risk assessment also encompasses SAS 99 on fraud consideration in a financial statement audit.
This presentation also provides a brief overview of the AICPAs clarified risk assessment standards that will be effective for audits of 2012 calendar-year ends.
3. What is Risk Assessment? Risk Assessment
Obtain an understanding of the client, including internal control
Identify and assess risks of material misstatement of the financial statements
Evaluate both overall risks and risks that affect only specific assertions
Audit Procedures
Concentrate audit effort in high risk areas
Inherent risk
Control risk
Perform less extensive procedures in low risk areas
Key Points:
An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, you will perform a more effective and focused audit.
The risk assessment emphasizes linkage between assessed risks and resulting audit procedures, that is, overall responses that address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.
Presentation Tip:
Assertions are mentioned several times in the presentation. Explain that assertions are what management is saying, either explicitly or implicitly, about the recognition, measurement, presentation, and disclosure of information in the financial statements and related disclosures.
Assertions about transaction classes relate to the entire period under audit and consist of:
Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity.
Completeness. All transactions and events that should have been recorded have been recorded.
Accuracy. Amounts and other data relating to the recorded transactions and events have been recorded
appropriately.
Cutoff. Transactions and events have been recorded in the correct accounting period.
Classification. Transactions and events have been recorded in the appropriate accounts.
Assertions about account balances relate to the period end and consist of:
Existence. Assets, liabilities, and equity interests exist.
Rights and Obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded.
Valuation and Allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
According to SAS 106 relevant assertions are assertions that have a meaningful bearing on whether the account is fairly stated.
For More Information: Financial statement assertions are discussed in section 302.Key Points:
An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, you will perform a more effective and focused audit.
The risk assessment emphasizes linkage between assessed risks and resulting audit procedures, that is, overall responses that address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.
Presentation Tip:
Assertions are mentioned several times in the presentation. Explain that assertions are what management is saying, either explicitly or implicitly, about the recognition, measurement, presentation, and disclosure of information in the financial statements and related disclosures.
Assertions about transaction classes relate to the entire period under audit and consist of:
Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity.
Completeness. All transactions and events that should have been recorded have been recorded.
Accuracy. Amounts and other data relating to the recorded transactions and events have been recorded
appropriately.
Cutoff. Transactions and events have been recorded in the correct accounting period.
Classification. Transactions and events have been recorded in the appropriate accounts.
Assertions about account balances relate to the period end and consist of:
Existence. Assets, liabilities, and equity interests exist.
Rights and Obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded.
Valuation and Allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
According to SAS 106 relevant assertions are assertions that have a meaningful bearing on whether the account is fairly stated.
For More Information: Financial statement assertions are discussed in section 302.
4. PPC Audit Approach Key Points:
PPCs practical approach to the audit process addresses the requirements for risk assessment and is designed to be flexible and adaptable, allowing you to better leverage your knowledge of the client to tailor your audit procedures.
This chart may suggest a sequential process, but the audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the clients financial statements. The audit process is an iterative, nonlinear process, whereby the required procedures may be performed concurrently with other procedures. Also, risks should be evaluated continuously throughout the audit.
This course covers steps 15 of the PPC Audit Approach.Key Points:
PPCs practical approach to the audit process addresses the requirements for risk assessment and is designed to be flexible and adaptable, allowing you to better leverage your knowledge of the client to tailor your audit procedures.
This chart may suggest a sequential process, but the audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the clients financial statements. The audit process is an iterative, nonlinear process, whereby the required procedures may be performed concurrently with other procedures. Also, risks should be evaluated continuously throughout the audit.
This course covers steps 15 of the PPC Audit Approach.
5. Preliminary Engagement Activities Key Points:
The next few slides address Step 1 of the PPC Audit Approach: Perform Preliminary Engagement Activities, which consists of client acceptance/continuance (including evaluating independence) and establishing an understanding with the client.
For More Information: Preliminary engagement activities are discussed in section 201.Key Points:
The next few slides address Step 1 of the PPC Audit Approach: Perform Preliminary Engagement Activities, which consists of client acceptance/continuance (including evaluating independence) and establishing an understanding with the client.
For More Information: Preliminary engagement activities are discussed in section 201.
6. Client Acceptance/Continuance Consider: Document Nature and purpose of engagement
Clients reputation, integrity, and competence
Communication with predecessor
Compliance with ethical requirements, including independence
Adequacy of accounting records
Firm resources and competence
Engagement economics
Other risk concerns
CX-1.1: Engagement Acceptance and Continuance Form
CX-7.1: Risk Assessment Summary Form (if risks are identified)
Key Points:
The engagement acceptance or continuance decision generally focuses on factors that increase overall financial statement risk, such as increased risks due to indications of pressures, opportunities, or incentives for fraudulent financial reporting on the part of management, the companys precarious financial position that creates a likelihood of bankruptcy, etc. Consideration of this information might cause the firm to decline to accept the engagement; terminate the client relationship; or plan and perform the audit in a different manner, such as by using more experienced personnel.
The acceptance or continuance decision is documented using CX-1.1, Engagement Acceptance and Continuance Form.
If any risks are identified when making the acceptance or continuance decision that could result in a material misstatement of the financial statements, those risks should be added to CX-7.1, Risk Assessment Summary Form.
Often, CX-1.1 may be completed well before the engagement begins. In that case, the form should be reviewed during risk assessment for consideration of any risks that need to be added to CX-7.1.
Presentation Tips:
Review a blank copy of CX-1.1 with the participants. Point out that the form is designed so that any Yes answers represent areas of possible concern when making the acceptance or continuance decision. Therefore, a quick review of the form for Yes answers will identify areas that might present risks for the engagement.
When CX-7.1, Risk Assessment Summary Form, is first introduced, point out that this is the key form used in the PPC approach to capture identified risks, assess them, and decide and document how the engagement team plans to respond to them.Key Points:
The engagement acceptance or continuance decision generally focuses on factors that increase overall financial statement risk, such as increased risks due to indications of pressures, opportunities, or incentives for fraudulent financial reporting on the part of management, the companys precarious financial position that creates a likelihood of bankruptcy, etc. Consideration of this information might cause the firm to decline to accept the engagement; terminate the client relationship; or plan and perform the audit in a different manner, such as by using more experienced personnel.
The acceptance or continuance decision is documented using CX-1.1, Engagement Acceptance and Continuance Form.
If any risks are identified when making the acceptance or continuance decision that could result in a material misstatement of the financial statements, those risks should be added to CX-7.1, Risk Assessment Summary Form.
Often, CX-1.1 may be completed well before the engagement begins. In that case, the form should be reviewed during risk assessment for consideration of any risks that need to be added to CX-7.1.
Presentation Tips:
Review a blank copy of CX-1.1 with the participants. Point out that the form is designed so that any Yes answers represent areas of possible concern when making the acceptance or continuance decision. Therefore, a quick review of the form for Yes answers will identify areas that might present risks for the engagement.
When CX-7.1, Risk Assessment Summary Form, is first introduced, point out that this is the key form used in the PPC approach to capture identified risks, assess them, and decide and document how the engagement team plans to respond to them.
7. Establish an Understanding with the Client Establish an understanding about:
Objectives of the engagement
Managements responsibilities
Auditors responsibilities
Limitations of the engagement
Communicate the understanding in a written engagement letter
CL-1.1: Audit Engagement Letter
Key Points:
An engagement letter does not, by itself, result in the identification of risks that may result in a misstatement of the financial statements, but the understanding with the client may reduce the firms business risk by clarifying responsibilities of each party and the objectives and limitations of the engagement.
A written engagement letter is required for all audits.
The Audit Engagement Letter (CL-1.1) can be used to draft an engagement letter for the audit.Key Points:
An engagement letter does not, by itself, result in the identification of risks that may result in a misstatement of the financial statements, but the understanding with the client may reduce the firms business risk by clarifying responsibilities of each party and the objectives and limitations of the engagement.
A written engagement letter is required for all audits.
The Audit Engagement Letter (CL-1.1) can be used to draft an engagement letter for the audit.
8. Planning and Risk Assessment Procedures Key Points:
The next few slides address Step 2 of the PPC Audit Approach: Perform Planning and Risk Assessment Procedures, which consists of holding an engagement team discussion, determining materiality, performing risk assessment procedures, and obtaining an understanding of the entity and its environment, including internal control.
For More Information: Planning and risk assessment procedures are discussed in section 201.Key Points:
The next few slides address Step 2 of the PPC Audit Approach: Perform Planning and Risk Assessment Procedures, which consists of holding an engagement team discussion, determining materiality, performing risk assessment procedures, and obtaining an understanding of the entity and its environment, including internal control.
For More Information: Planning and risk assessment procedures are discussed in section 201.
9. Engagement Team Discussion Discuss the susceptibility of the financial statements to material misstatement
Consider fraud risks and risks of error
Include:
Critical issues and areas of significant audit risk
Areas susceptible to management override of controls
Unusual accounting practices
Important control systems
Materiality considerations
Need to exercise professional skepticism
Business risks
Fraud considerations Key Points:
SAS 109 requires the members of the audit team to discuss the susceptibility of the entitys financial statements to material misstatements. SAS 99 requires an open exchange of ideas, or brainstorming among audit team members about how and where they believe the entitys financial statements might be susceptible to material misstatement due to fraud, how management could perpetuate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated.
These discussions can be held concurrently, that is, one meeting can cover the susceptibility of the financial statements to material misstatements from both error and fraud. However, it is important to consider the susceptibility to fraud as a distinct part of this combined discussion to avoid potentially diluting that critical consideration.
The focus should be on the individual members gaining a better understanding of the potential for material misstatements resulting from error or fraud in the specific areas assigned to them, and understanding how the results of audit procedures they perform affect other aspects of the audit. The more experienced team members can share their insights based on their cumulative knowledge of the entity, its industry, and its environment.
Participants should maintain an attitude of professional skepticism throughout the discussion and should not be influenced by past favorable experience with the integrity of management. In fact, SAS 99 states that the engagement team should abandon neutrality and any preconceptions about managements and employees honesty, but instead presume the possibility of dishonesty at various levels of management.
Presentation Tips:
Tailor the list of engagement team discussion items based on your firms practice for the engagement team discussion.
Consider reviewing Exhibit 2-7, Sample Questions for Engagement Team Discussion, with participants.
For More Information: The engagement team discussion is discussed at paragraph 201.55.Key Points:
SAS 109 requires the members of the audit team to discuss the susceptibility of the entitys financial statements to material misstatements. SAS 99 requires an open exchange of ideas, or brainstorming among audit team members about how and where they believe the entitys financial statements might be susceptible to material misstatement due to fraud, how management could perpetuate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated.
These discussions can be held concurrently, that is, one meeting can cover the susceptibility of the financial statements to material misstatements from both error and fraud. However, it is important to consider the susceptibility to fraud as a distinct part of this combined discussion to avoid potentially diluting that critical consideration.
The focus should be on the individual members gaining a better understanding of the potential for material misstatements resulting from error or fraud in the specific areas assigned to them, and understanding how the results of audit procedures they perform affect other aspects of the audit. The more experienced team members can share their insights based on their cumulative knowledge of the entity, its industry, and its environment.
Participants should maintain an attitude of professional skepticism throughout the discussion and should not be influenced by past favorable experience with the integrity of management. In fact, SAS 99 states that the engagement team should abandon neutrality and any preconceptions about managements and employees honesty, but instead presume the possibility of dishonesty at various levels of management.
Presentation Tips:
Tailor the list of engagement team discussion items based on your firms practice for the engagement team discussion.
Consider reviewing Exhibit 2-7, Sample Questions for Engagement Team Discussion, with participants.
For More Information: The engagement team discussion is discussed at paragraph 201.55.
10. Engagement Team Discussion (cont.) Attendance:
Auditor with final responsibility
Key members of engagement team
Document:
How the discussion occurred, the subject matter, who participated, and decisions about planned responses
CX-3.2: Engagement Team Discussion
CX-7.1: Risk Assessment Summary Form (if risks are identified)
Key Points:
In addition to the audit partner and key members of the engagement team, it may be appropriate to include specialists in the discussion, such as IT specialists, assigned to the engagement team.
SAS 109 requires that the following items be documented regarding the discussion among the audit team:
How and when the discussion occurred.
Subject matter discussed.
Participating audit team members.
Significant decisions reached concerning planned responses at the financial statement and relevant assertion levels.
These requirements are similar to the documentation requirements of SAS 99 regarding the fraud discussion.
CX-3.2, Engagement Team Discussion, provides for documentation of the items listed and includes a list of required discussion topics to help keep the discussion focused and ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tips:
Review a blank copy of CX-3.2 with the participants. Point out how the questions on the form match the documentation requirements of the standard.
A completed CX-3.2 is illustrated in Case Study 1 at Appendix A-6. The engagement team discussion is illustrated in a memo in Case Study 2 at Appendix B-4. Consider reviewing these documents, or one of the firms completed practice aids, with participants.Key Points:
In addition to the audit partner and key members of the engagement team, it may be appropriate to include specialists in the discussion, such as IT specialists, assigned to the engagement team.
SAS 109 requires that the following items be documented regarding the discussion among the audit team:
How and when the discussion occurred.
Subject matter discussed.
Participating audit team members.
Significant decisions reached concerning planned responses at the financial statement and relevant assertion levels.
These requirements are similar to the documentation requirements of SAS 99 regarding the fraud discussion.
CX-3.2, Engagement Team Discussion, provides for documentation of the items listed and includes a list of required discussion topics to help keep the discussion focused and ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tips:
Review a blank copy of CX-3.2 with the participants. Point out how the questions on the form match the documentation requirements of the standard.
A completed CX-3.2 is illustrated in Case Study 1 at Appendix A-6. The engagement team discussion is illustrated in a memo in Case Study 2 at Appendix B-4. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
11. Materiality Materiality for the financial statements as a whole
Materiality for particular items of lesser amounts
Tolerable misstatement Key Points:
The preliminary judgment about materiality for the financial statements as a whole is generally referred to as planning materiality.
The need to establish planning materiality is directly related to the audit objective of obtaining reasonable assurance of detecting misstatements that could be large enough, individually or in the aggregate, to be quantitatively material to the financial statements.
SAS 107 requires the auditor to consider whether, in the specific circumstances of the entity, misstatements of particular items of lesser amounts than planning materiality could be expected to influence economic decisions of users. In other words, in addition to determining materiality at the financial statement level, you should determine whether there are particular financial statement items for which a lower planning materiality amount is appropriate based on user perceptions of the particular items.
SAS 107 defines tolerable misstatement as the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. SAS 107 states that the auditor should determine one or more levels of tolerable misstatement, and that such levels are normally lower than the materiality levels. In other words, tolerable misstatement should be lower than the materiality level for the financial statements taken as a whole. If you need a lower planning materiality amount for particular financial statement items, you should also determine a separate tolerable misstatement level for those items. Tolerable misstatement is ordinarily set at 5075% of the related planning materiality to allow for the possibility of uncorrected detected misstatements.
Presentation Tips:
Consider reviewing Example 2-3 of the Guide with participants, which illustrates determining planning materiality for particular items of lesser amounts.
Consider reviewing Example 2-4 of the Guide with participants, which illustrates determining planning materiality and tolerable misstatement.
For More Information: Planning materiality is discussed in section 206. Tolerable misstatement is discussed in section 301.Key Points:
The preliminary judgment about materiality for the financial statements as a whole is generally referred to as planning materiality.
The need to establish planning materiality is directly related to the audit objective of obtaining reasonable assurance of detecting misstatements that could be large enough, individually or in the aggregate, to be quantitatively material to the financial statements.
SAS 107 requires the auditor to consider whether, in the specific circumstances of the entity, misstatements of particular items of lesser amounts than planning materiality could be expected to influence economic decisions of users. In other words, in addition to determining materiality at the financial statement level, you should determine whether there are particular financial statement items for which a lower planning materiality amount is appropriate based on user perceptions of the particular items.
SAS 107 defines tolerable misstatement as the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. SAS 107 states that the auditor should determine one or more levels of tolerable misstatement, and that such levels are normally lower than the materiality levels. In other words, tolerable misstatement should be lower than the materiality level for the financial statements taken as a whole. If you need a lower planning materiality amount for particular financial statement items, you should also determine a separate tolerable misstatement level for those items. Tolerable misstatement is ordinarily set at 5075% of the related planning materiality to allow for the possibility of uncorrected detected misstatements.
Presentation Tips:
Consider reviewing Example 2-3 of the Guide with participants, which illustrates determining planning materiality for particular items of lesser amounts.
Consider reviewing Example 2-4 of the Guide with participants, which illustrates determining planning materiality and tolerable misstatement.
For More Information: Planning materiality is discussed in section 206. Tolerable misstatement is discussed in section 301.
12. Materiality Apply professional judgment
Consider user needs and expectations
Use appropriate benchmarks, such as % of assets or revenue
Re-evaluate materiality as the audit progresses. If lower, reconsider:
Level of tolerable misstatement
Adequacy of procedures
Key Points:
It is important to use professional judgment when determining planning materialitythe calculation should not be rote.
The reference to user needs and expectations is based on the definition of materiality in FASB Statement of Financial Accounting Concepts 8 as: Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity.
Conceptually, materiality should be established based on the auditors understanding of users needs and expectations since an item is material if it would have influenced users judgments. For many nonpublic companies, total assets or revenue often provide a sound benchmark for determining materiality because they are stable, predictable, and representative of entity size.
Base amounts (such as assets or revenues) used in the benchmark come from the financial statements to be audited or the trial balance from which those financial statements will be prepared. If those amounts are not available, annualized amounts from the most recent interim financial statements are used. For revenue, an annualized amount is used even if the audit period is shorter than a year. When current amounts are unavailable, significant audit adjustments are expected, or significant changes in the entity's circumstances indicate that current amounts are not representative of the entity's results of operations or financial position, historical averages based on the past two or three years can be used.
Planning materiality judgments should be reconsidered as the audit progresses. Because the calculation made during initial planning often uses interim financial information, the amounts in the annual audited financial statements might differ. If planning materiality based on interim amounts is too large, then audit scope might not have been sufficient. If planning materiality based on interim amounts was too small, then the audit would be less efficient than would have been possible because the auditor will have done more audit work than was necessary. Thus, if you become aware of changes that would have affected the determination of planning materiality, adjustments should made. At the conclusion of the audit, you should consider whether the scope of the audit has been adequate in the circumstances. Key Points:
It is important to use professional judgment when determining planning materialitythe calculation should not be rote.
The reference to user needs and expectations is based on the definition of materiality in FASB Statement of Financial Accounting Concepts 8 as: Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity.
Conceptually, materiality should be established based on the auditors understanding of users needs and expectations since an item is material if it would have influenced users judgments. For many nonpublic companies, total assets or revenue often provide a sound benchmark for determining materiality because they are stable, predictable, and representative of entity size.
Base amounts (such as assets or revenues) used in the benchmark come from the financial statements to be audited or the trial balance from which those financial statements will be prepared. If those amounts are not available, annualized amounts from the most recent interim financial statements are used. For revenue, an annualized amount is used even if the audit period is shorter than a year. When current amounts are unavailable, significant audit adjustments are expected, or significant changes in the entity's circumstances indicate that current amounts are not representative of the entity's results of operations or financial position, historical averages based on the past two or three years can be used.
Planning materiality judgments should be reconsidered as the audit progresses. Because the calculation made during initial planning often uses interim financial information, the amounts in the annual audited financial statements might differ. If planning materiality based on interim amounts is too large, then audit scope might not have been sufficient. If planning materiality based on interim amounts was too small, then the audit would be less efficient than would have been possible because the auditor will have done more audit work than was necessary. Thus, if you become aware of changes that would have affected the determination of planning materiality, adjustments should made. At the conclusion of the audit, you should consider whether the scope of the audit has been adequate in the circumstances.
13. Materiality Document:
The levels of planning materiality and tolerable misstatement, basis on which they were determined, and any changes as the audit progresses
CX-2: Financial Statement Materiality Worksheet for Planning Purposes Key Points:
Document the levels of planning materiality and tolerable misstatement (for the financial statements as a whole as well as for particular items of lesser amounts), the basis on which they were determined (for example, the benchmark and why it is considered appropriate), and any changes in materiality as the audit progresses.
CX-2, Financial Statement Materiality Worksheet for Planning Purposes, is used to document materiality.
Presentation Tips:
Review a blank copy of CX-2 with the participants. Point out how the questions on the form match the requirements of the standard.
Point out that CX-2 is also used to document that amount of a misstatement that is considered trivial (one that does not require posting to the misstatement summary). Be careful to remind participants that any misstatement greater than the trivial amount should be posted to the misstatement schedule. It is not appropriate to dispose of misstatements at the workpaper level unless they are below the trivial amount.
Discuss any firm policies for computing materiality or the amount that is considered trivial.
A completed CX-2 is illustrated in Case Study 1 at Appendix A-4. Consider reviewing that document, or one of the firms completed practice aids, with participants.Key Points:
Document the levels of planning materiality and tolerable misstatement (for the financial statements as a whole as well as for particular items of lesser amounts), the basis on which they were determined (for example, the benchmark and why it is considered appropriate), and any changes in materiality as the audit progresses.
CX-2, Financial Statement Materiality Worksheet for Planning Purposes, is used to document materiality.
Presentation Tips:
Review a blank copy of CX-2 with the participants. Point out how the questions on the form match the requirements of the standard.
Point out that CX-2 is also used to document that amount of a misstatement that is considered trivial (one that does not require posting to the misstatement summary). Be careful to remind participants that any misstatement greater than the trivial amount should be posted to the misstatement schedule. It is not appropriate to dispose of misstatements at the workpaper level unless they are below the trivial amount.
Discuss any firm policies for computing materiality or the amount that is considered trivial.
A completed CX-2 is illustrated in Case Study 1 at Appendix A-4. Consider reviewing that document, or one of the firms completed practice aids, with participants.
14. Risk Assessment Procedures Two categories of audit procedures:
Risk assessment procedures
Further audit procedures
Key Points:
SAS 106 indicates the role of risk assessment procedures within the audit process as follows: The auditor must perform risk assessment procedures to provide a satisfactory basis for the assessment of risks at the financial statement and relevant assertion levels.
Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control.
The understanding obtained and assessed risks are used to design and perform further audit procedures. Further audit procedures include substantive procedures and tests of controls performed in response to the assessed risks to reduce the overall audit risk to an appropriately low level, as well as other procedures sometimes referred to as general procedures.
Both types of procedures provide audit evidence that supports the auditors opinion on the financial statements.
Key Points:
SAS 106 indicates the role of risk assessment procedures within the audit process as follows: The auditor must perform risk assessment procedures to provide a satisfactory basis for the assessment of risks at the financial statement and relevant assertion levels.
Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control.
The understanding obtained and assessed risks are used to design and perform further audit procedures. Further audit procedures include substantive procedures and tests of controls performed in response to the assessed risks to reduce the overall audit risk to an appropriately low level, as well as other procedures sometimes referred to as general procedures.
Both types of procedures provide audit evidence that supports the auditors opinion on the financial statements.
15. Risk Assessment Procedures Key Points:
Types of risk assessment procedures include:
Inquiries of management and others.
Observation and inspection.
Analytical procedures.Key Points:
Types of risk assessment procedures include:
Inquiries of management and others.
Observation and inspection.
Analytical procedures.
16. Risk Assessment Procedures Performed to obtain an understanding of the entity and its environment, including internal control, for the purpose of assessing risks
All of the procedures should be performed
Inquiry alone is not sufficient to understand internal control
Provide audit evidence
Key Points:
Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control, for the purpose of assessing the risks of material misstatement at the financial statement and relevant assertion levels.
SAS 109 requires that all of the risk assessment procedures (that is, inquiry, observation and inspection, and analytical procedures) be performed when obtaining an understanding of the entity and its environment. However, there is no requirement that each of those procedures be performed for every component of the required understanding.
Performing all of the risk assessment procedures is usually accomplished by:
Making inquiries of client personnel to update information in the PPC planning forms.
Observing and inspecting documents and records, including performing walkthroughs of transaction processing systems, to corroborate responses to inquiries.
Performing preliminary analytical procedures.
The standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Therefore, observation and inspection will most likely be coupled with inquiry procedures when obtaining the understanding of internal control.
The standards view risk assessment procedures as part of a process that provides audit evidence that ultimately supports the auditors opinion on the financial statements. This is the notion that the assessed level of risk itself provides audit evidence, rather than being only a means of determining the audit evidence that is necessary.Key Points:
Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control, for the purpose of assessing the risks of material misstatement at the financial statement and relevant assertion levels.
SAS 109 requires that all of the risk assessment procedures (that is, inquiry, observation and inspection, and analytical procedures) be performed when obtaining an understanding of the entity and its environment. However, there is no requirement that each of those procedures be performed for every component of the required understanding.
Performing all of the risk assessment procedures is usually accomplished by:
Making inquiries of client personnel to update information in the PPC planning forms.
Observing and inspecting documents and records, including performing walkthroughs of transaction processing systems, to corroborate responses to inquiries.
Performing preliminary analytical procedures.
The standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Therefore, observation and inspection will most likely be coupled with inquiry procedures when obtaining the understanding of internal control.
The standards view risk assessment procedures as part of a process that provides audit evidence that ultimately supports the auditors opinion on the financial statements. This is the notion that the assessed level of risk itself provides audit evidence, rather than being only a means of determining the audit evidence that is necessary.
17. Inquiries Management
Other employees
External parties (maybe) Key Points:
Inquiry of management and others is used extensively throughout the audit planning process. In many cases, it serves as a foundation for the performance of other risk assessment procedures in that the responses obtained drive the need for additional or corroborating procedures.
Inquiry consists of:
Posing a question or requesting information on a matter,
Evaluating the response, and
Following up to obtain additional information as needed.
Inquiry can be an extremely effective procedure in identifying risks. For example, an auditor might ask management about the level of technology for the entitys products as compared to the industry. The auditor would then evaluate the response obtained and determine if a potential risk exists. In this case, the auditor might be concerned about potential inventory obsolescence and, if so, a possible writedown. If the auditor deems that there is an indication of this risk, additional inquiries might be posed to further identify the risk and determine whether other risk assessment procedures are necessary.
Inquiries of parties outside the entity are not required by the risk assessment standards, but are identified as procedures that might be helpful.
For More Information: Parties that might be subject to inquiry are discussed in paragraphs 201.24.25.Key Points:
Inquiry of management and others is used extensively throughout the audit planning process. In many cases, it serves as a foundation for the performance of other risk assessment procedures in that the responses obtained drive the need for additional or corroborating procedures.
Inquiry consists of:
Posing a question or requesting information on a matter,
Evaluating the response, and
Following up to obtain additional information as needed.
Inquiry can be an extremely effective procedure in identifying risks. For example, an auditor might ask management about the level of technology for the entitys products as compared to the industry. The auditor would then evaluate the response obtained and determine if a potential risk exists. In this case, the auditor might be concerned about potential inventory obsolescence and, if so, a possible writedown. If the auditor deems that there is an indication of this risk, additional inquiries might be posed to further identify the risk and determine whether other risk assessment procedures are necessary.
Inquiries of parties outside the entity are not required by the risk assessment standards, but are identified as procedures that might be helpful.
For More Information: Parties that might be subject to inquiry are discussed in paragraphs 201.24.25.
18. Required Fraud Inquiries Inquire about suspicions or actual knowledge of fraud:
Management
Other employees
Internal auditors
Those charged with governance
Document the inquiries:
CX-3.3, Fraud Risk Inquiries Form
CX-7.1, Risk Assessment Summary Form (if risks are identified) Key Points:
SAS 99 requires auditors to make fraud-related inquiries of management or the owner/manager, other employees, internal auditors (if applicable), and those charged with governance (if separate from management) to identify whether anyone has suspicions or actual knowledge of fraud. These include inquiries about:
Their knowledge or awareness of any alleged, suspected, or actual fraud affecting the company.
Managements understanding of the risks of fraud within the company, including any specific fraud risks the company has identified or account balances or transaction classes that may be susceptible to fraud.
How management communicates to employees the importance of ethical behavior and appropriate business practices.
Programs and controls the company has implemented (put in place) to address identified fraud risks or otherwise help prevent, deter, and detect fraud and how those programs and controls are monitored.
Whether management has reported to those charged with governance about how the companys internal control serves to prevent, deter, and detect material misstatements due to fraud.
Internal auditors views about the risks of fraud, whether they have performed procedures to identify or detect fraud during the year, and whether management responded satisfactorily to any findings.
The views of those charged with governance about the risks of fraud, whether the audit committee plays an active role in overseeing the entitys fraud risk assessment and the implementation of programs and controls to mitigate risk, and how the committee exercises its oversight responsibility.
SAS 99 requires documentation of the procedures performed (including inquiries) to identify and assess the risks of material misstatement of the financial statements due to fraud. When documenting inquiries, SAS 103 generally requires documentation of the date of inquiry, name and title of individual, the inquiry, and responses
.
CX-3.3, Fraud Risk Inquiries Form, provides for documentation of fraud inquiries and includes a list of required inquiries to ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tips:
Review a blank copy of CX-3.3 with the participants. Point out how the questions on the form match the requirements of the standard. Also point out that this form is also used to document required inquiries about illegal acts and inquiries about unusual or improper journal entry activity.
A completed CX-3.3 is illustrated in Case Study 1 at Appendix A-7 and in Case Study 2 at Appendix B-5. Consider reviewing one of these documents, or one of the firms completed practice aids, with participants.Key Points:
SAS 99 requires auditors to make fraud-related inquiries of management or the owner/manager, other employees, internal auditors (if applicable), and those charged with governance (if separate from management) to identify whether anyone has suspicions or actual knowledge of fraud. These include inquiries about:
Their knowledge or awareness of any alleged, suspected, or actual fraud affecting the company.
Managements understanding of the risks of fraud within the company, including any specific fraud risks the company has identified or account balances or transaction classes that may be susceptible to fraud.
How management communicates to employees the importance of ethical behavior and appropriate business practices.
Programs and controls the company has implemented (put in place) to address identified fraud risks or otherwise help prevent, deter, and detect fraud and how those programs and controls are monitored.
Whether management has reported to those charged with governance about how the companys internal control serves to prevent, deter, and detect material misstatements due to fraud.
Internal auditors views about the risks of fraud, whether they have performed procedures to identify or detect fraud during the year, and whether management responded satisfactorily to any findings.
The views of those charged with governance about the risks of fraud, whether the audit committee plays an active role in overseeing the entitys fraud risk assessment and the implementation of programs and controls to mitigate risk, and how the committee exercises its oversight responsibility.
SAS 99 requires documentation of the procedures performed (including inquiries) to identify and assess the risks of material misstatement of the financial statements due to fraud. When documenting inquiries, SAS 103 generally requires documentation of the date of inquiry, name and title of individual, the inquiry, and responses
.
CX-3.3, Fraud Risk Inquiries Form, provides for documentation of fraud inquiries and includes a list of required inquiries to ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tips:
Review a blank copy of CX-3.3 with the participants. Point out how the questions on the form match the requirements of the standard. Also point out that this form is also used to document required inquiries about illegal acts and inquiries about unusual or improper journal entry activity.
A completed CX-3.3 is illustrated in Case Study 1 at Appendix A-7 and in Case Study 2 at Appendix B-5. Consider reviewing one of these documents, or one of the firms completed practice aids, with participants.
19. Observation and Inspection Inspect documents and records
Read internal reports and minutes
Read external information
Visit premises and plant facilities
Trace transactions through the system (walkthroughs)
Key Points:
Observation and inspection may include inspecting documents and records, reading internal reports and minutes, reading external information, visiting premises and plant facilities, or tracing transactions through the system (walkthroughs).
Performance of observation and inspection procedures is required when obtaining an understanding of the entity and its environment, including its internal control, to assess risk. The standards effectively mandate the performance of observation and inspection when obtaining an understanding of internal control by explicitly stating that inquiry alone is not sufficient to understand the design of controls and determine that they have been implemented. One of the best ways to supplement inquiry is to perform a walkthrough of significant transaction processing systems.
Observation and inspection are frequently used to corroborate or follow-up on the results of inquires made of management and others. For example, when evaluating the design and implementation of the entitys system of internal control, members of management might tell you that they communicate the importance of ethical values to employees through a written code of conduct and by example. You might corroborate this response by examining the written code.
When obtaining an understanding of the entity and its environment, observation or inspection might be the key procedure that enables the auditor to fully obtain pertinent information and identify related risks. For example, in order to gain an understanding of the clients financing arrangements and underlying covenants, the auditor might decide to review the clients loan agreements and other related documents. That procedure, coupled with a review of the clients financial statements, might be the key procedure that helps the auditor identify risks related to potential noncompliance with loan covenants.
Presentation Tips:
Consider discussing some examples of the use of observation and inspection procedures, such as:
Inspecting documents and records (business plans and strategies, internal control manuals, etc.)Recent business plan might reveal a shift in marketing and sales strategy during the year to concentrate on one industry dominated by three competitors, which indicates increased risk related to unrecognized sales discounts and rebates.
Reading internal reports and minutesInternal audit reports might cite significant deficiencies in controls over revenue recognition, which indicates increased risk of revenues recorded in incorrect periods or at improper amounts.
Reading external informationTrade journals might indicate that one of the clients key products will soon be outdated due to the recent introduction of a technologically superior product by a competitor, which indicates an increased risk of improper inventory valuation.
Visiting premises and plant facilitiesWhile touring client production facilities, you might observe significant damage to uninsured machinery and equipment due to a recent storm, which indicates an increased risk of impairment.
Performing walkthroughsA walkthrough of the billing cycle might reveal that control procedures to follow-up on unbilled transactions have not been implemented, which indicates an increased risk of unrecorded revenues and receivables.Key Points:
Observation and inspection may include inspecting documents and records, reading internal reports and minutes, reading external information, visiting premises and plant facilities, or tracing transactions through the system (walkthroughs).
Performance of observation and inspection procedures is required when obtaining an understanding of the entity and its environment, including its internal control, to assess risk. The standards effectively mandate the performance of observation and inspection when obtaining an understanding of internal control by explicitly stating that inquiry alone is not sufficient to understand the design of controls and determine that they have been implemented. One of the best ways to supplement inquiry is to perform a walkthrough of significant transaction processing systems.
Observation and inspection are frequently used to corroborate or follow-up on the results of inquires made of management and others. For example, when evaluating the design and implementation of the entitys system of internal control, members of management might tell you that they communicate the importance of ethical values to employees through a written code of conduct and by example. You might corroborate this response by examining the written code.
When obtaining an understanding of the entity and its environment, observation or inspection might be the key procedure that enables the auditor to fully obtain pertinent information and identify related risks. For example, in order to gain an understanding of the clients financing arrangements and underlying covenants, the auditor might decide to review the clients loan agreements and other related documents. That procedure, coupled with a review of the clients financial statements, might be the key procedure that helps the auditor identify risks related to potential noncompliance with loan covenants.
Presentation Tips:
Consider discussing some examples of the use of observation and inspection procedures, such as:
Inspecting documents and records (business plans and strategies, internal control manuals, etc.)Recent business plan might reveal a shift in marketing and sales strategy during the year to concentrate on one industry dominated by three competitors, which indicates increased risk related to unrecognized sales discounts and rebates.
Reading internal reports and minutesInternal audit reports might cite significant deficiencies in controls over revenue recognition, which indicates increased risk of revenues recorded in incorrect periods or at improper amounts.
Reading external informationTrade journals might indicate that one of the clients key products will soon be outdated due to the recent introduction of a technologically superior product by a competitor, which indicates an increased risk of improper inventory valuation.
Visiting premises and plant facilitiesWhile touring client production facilities, you might observe significant damage to uninsured machinery and equipment due to a recent storm, which indicates an increased risk of impairment.
Performing walkthroughsA walkthrough of the billing cycle might reveal that control procedures to follow-up on unbilled transactions have not been implemented, which indicates an increased risk of unrecorded revenues and receivables.
20. Analytical Procedures Preliminary analytical procedures
Analytical procedures related to revenue required by SAS 99
To enhance understanding of the business and identify potential risk areas
Documented by completing a step on AP-1, Audit Program for General Planning Procedures
Add risks to CX-7.1, Risk Assessment Summary Form
Key Points:
Analytical procedures should be applied to some extent in all audits of financial statements to assist in planning the nature, timing, and extent of other auditing procedures. Other than the analytical procedures performed to comply with SAS 99, analytical procedures used in the planning stage only need to be designed to point out audit areas that may be indicative of potential risks and, thus, need special emphasis. Professional standards do not require the use of any particular analytical procedures.
Analytical procedures may consist of reviewing changes in account balances from the prior year to the current year using the general ledger or the preliminary or unadjusted working trial balance.
Other preliminary analytical procedures may consist primarily of analysis of ratios or trends related to profitability, liquidity, solvency, and activity combined with inquiries of financial and operating management.
In the audit of a small business, simple comparisons and ratios are ordinarily effective.
SAS 99 specifically requires performance of preliminary analytical procedures relating to revenue in order to identify unusual or unexpected relationships that may indicate fraudulent financial reporting (that is, improper revenue recognition). Comparison of current and prior-period account balances for revenue accounts ordinarily will not be sufficient to identify potential fraudulent financial reporting. Preliminary analytical procedures related to revenue should typically be performed at a more disaggregated level than other preliminary analytics, such as by comparing sales by month or by location to comparable prior-year sales. Those procedures should be updated during the final review stage of the audit, that is, they should be performed through the end of the reporting period.
Documentation of preliminary analytical procedures can be limited, but it should be sufficient to provide support for the auditor's risk assessment. The results of the preliminary analytical review ordinarily are documented using a narrative memorandum, comparative carryforward schedule, or other form of workpaper referenced from a step on the planning program.
If risks are identified, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tip:
Consider reviewing Exhibit 2-5, Unusual or Unexpected Relationships and Potential Risks, with participants.
For More Information: Preliminary analytical procedures are discussed at paragraph 201.31.Key Points:
Analytical procedures should be applied to some extent in all audits of financial statements to assist in planning the nature, timing, and extent of other auditing procedures. Other than the analytical procedures performed to comply with SAS 99, analytical procedures used in the planning stage only need to be designed to point out audit areas that may be indicative of potential risks and, thus, need special emphasis. Professional standards do not require the use of any particular analytical procedures.
Analytical procedures may consist of reviewing changes in account balances from the prior year to the current year using the general ledger or the preliminary or unadjusted working trial balance.
Other preliminary analytical procedures may consist primarily of analysis of ratios or trends related to profitability, liquidity, solvency, and activity combined with inquiries of financial and operating management.
In the audit of a small business, simple comparisons and ratios are ordinarily effective.
SAS 99 specifically requires performance of preliminary analytical procedures relating to revenue in order to identify unusual or unexpected relationships that may indicate fraudulent financial reporting (that is, improper revenue recognition). Comparison of current and prior-period account balances for revenue accounts ordinarily will not be sufficient to identify potential fraudulent financial reporting. Preliminary analytical procedures related to revenue should typically be performed at a more disaggregated level than other preliminary analytics, such as by comparing sales by month or by location to comparable prior-year sales. Those procedures should be updated during the final review stage of the audit, that is, they should be performed through the end of the reporting period.
Documentation of preliminary analytical procedures can be limited, but it should be sufficient to provide support for the auditor's risk assessment. The results of the preliminary analytical review ordinarily are documented using a narrative memorandum, comparative carryforward schedule, or other form of workpaper referenced from a step on the planning program.
If risks are identified, they should be added to CX-7.1, Risk Assessment Summary Form.
Presentation Tip:
Consider reviewing Exhibit 2-5, Unusual or Unexpected Relationships and Potential Risks, with participants.
For More Information: Preliminary analytical procedures are discussed at paragraph 201.31.
21. Risk Assessment Procedures Document the procedures performed
SAS 103 provides guidance on documenting procedures
For inquiries, document the date, name and title of individual, inquiry, and response
For observation, document what was observed, where, when, and entity personnel involved
For inspection, document the identifying characteristics, for example, document name or number and date Key Points:
Standards require documentation of the risk assessment procedures performed, but do not provide specific guidance about what should be documented. Follow the general requirements of SAS 103 for documenting inquiries, observation and inspection, and analytical procedures.
As previously discussed, CX-3.3, Fraud Risk Inquiries Form, is used to document fraud inquiries, and a step on AP-1, Audit Program for General Planning Procedures, is used to document preliminary analytical procedures.
The following PPC practice aids used for documenting the understanding of the entity and its environment, including internal control, provide space to document procedures performed to obtain or update that understanding:
CX-3.1Understanding the Entity and Identifying Risks
CX-4.1Understanding the Design and Implementation of Internal Control
CX-4.2.1Financial Reporting System Documentation FormSignificant Transaction Classes
CX-4.2.2Financial Reporting System Documentation FormIT Environment and General Computer Controls
CX-4.3Walkthrough Documentation Table
Presentation Tips:
Review blank copies of the listed forms with the participants. Point out the questions on the forms that are used to document procedures performed.
Completed versions of the listed forms are illustrated in Case Study 1 at Appendixes A-5, A-8, A-9, A10, and A-11; in Case Study 2 at Appendix B-3; and in Case Study 3 at Appendixes C-2, C-4, C-5, C-7, C-8, and C-10. Consider reviewing documentation of the procedures performed on one of these documents, or one of the firms completed practice aids, with participants.Key Points:
Standards require documentation of the risk assessment procedures performed, but do not provide specific guidance about what should be documented. Follow the general requirements of SAS 103 for documenting inquiries, observation and inspection, and analytical procedures.
As previously discussed, CX-3.3, Fraud Risk Inquiries Form, is used to document fraud inquiries, and a step on AP-1, Audit Program for General Planning Procedures, is used to document preliminary analytical procedures.
The following PPC practice aids used for documenting the understanding of the entity and its environment, including internal control, provide space to document procedures performed to obtain or update that understanding:
CX-3.1Understanding the Entity and Identifying Risks
CX-4.1Understanding the Design and Implementation of Internal Control
CX-4.2.1Financial Reporting System Documentation FormSignificant Transaction Classes
CX-4.2.2Financial Reporting System Documentation FormIT Environment and General Computer Controls
CX-4.3Walkthrough Documentation Table
Presentation Tips:
Review blank copies of the listed forms with the participants. Point out the questions on the forms that are used to document procedures performed.
Completed versions of the listed forms are illustrated in Case Study 1 at Appendixes A-5, A-8, A-9, A10, and A-11; in Case Study 2 at Appendix B-3; and in Case Study 3 at Appendixes C-2, C-4, C-5, C-7, C-8, and C-10. Consider reviewing documentation of the procedures performed on one of these documents, or one of the firms completed practice aids, with participants.
22. Understanding the Entity and Its Environment Perform risk assessment procedures (inquiry, analytics, observation, and inspection) to gather information about:
Industry, regulatory, and other external factors
Nature of the entity
Objectives, strategies, and related business risks
Measurement and review of the entitys financial performance
Key Points:
Matters relating to industry, regulatory, or other external factors include:
Industry conditions
Legal and regulatory environment
Government policies
General economic conditions
Matters relating to the nature of the entity include:
Structure, ownership, and governance
Business operationsrevenues, products or services, and markets
Major assets and liabilities
Expenses
Workforce considerations
Investments
Financing
Financial reporting
Matters relating to objectives, strategies, and related business risks include future trends, expectations, objectives, and strategies in areas such as:
Products and services
Marketing and sales
Research and development
Technology
Business expansion or restructuring
Workforce or compensation
Information used by management for measurement and review of the entitys financial performance might include:
Key financial and nonfinancial performance indicators
Trends
Key ratios and other operating and financial statistics
Forecasts, budgets, and variance analyses
Period-on-period financial performance
Comparisons to competitors performance (i.e., benchmarking)
Information prepared by external parties, such as analyst reports and credit rating agency reports
For More Information: Understanding the entity and its environment is discussed in section 202.Key Points:
Matters relating to industry, regulatory, or other external factors include:
Industry conditions
Legal and regulatory environment
Government policies
General economic conditions
Matters relating to the nature of the entity include:
Structure, ownership, and governance
Business operationsrevenues, products or services, and markets
Major assets and liabilities
Expenses
Workforce considerations
Investments
Financing
Financial reporting
Matters relating to objectives, strategies, and related business risks include future trends, expectations, objectives, and strategies in areas such as:
Products and services
Marketing and sales
Research and development
Technology
Business expansion or restructuring
Workforce or compensation
Information used by management for measurement and review of the entitys financial performance might include:
Key financial and nonfinancial performance indicators
Trends
Key ratios and other operating and financial statistics
Forecasts, budgets, and variance analyses
Period-on-period financial performance
Comparisons to competitors performance (i.e., benchmarking)
Information prepared by external parties, such as analyst reports and credit rating agency reports
For More Information: Understanding the entity and its environment is discussed in section 202.
23. Understanding the Entity and Its Environment Obtain an understanding of the clients selection and application of accounting policies
Are accounting policies appropriate for the entity and consistent with the industry?
Are there any changes in accounting policies?
Are any new standards effective? 23 Key Points:
Accounting policies include the accounting principles as prescribed by relevant accounting pronouncements as well as the methods adopted to apply those principles in the circumstances. When an accounting pronouncement permits an alternative in the way an accounting principle is applied or does not dictate a specific method of application, management has to adopt a method that is most appropriate in the circumstances.
Obtain an understanding of managements selection and application of accounting policies and evaluate whether the policies are appropriate for the entitys business and consistent with policies used in the industry. This understanding is important for considering the risks of material misstatement at both the financial statement and relevant assertion levels, including both misstatements due to fraud and those due to error. It is an important element in determining what can go wrong in the preparation of financial statements and, hence, in assessing risks of material misstatement.
An understanding of managements selection and application of accounting policies also includes:
Changes in the entitys policies, including the reasons for changes and whether they are appropriate and consistent with GAAP (or an OCBOA).
Financial reporting standards and regulations that are new to the entity and managements plans to adopt those requirements, including new accounting standards.
Presentation Tip:
Consider reviewing Exhibit 2-21, Questions to Consider When Evaluating Accounting Policies, with participants.
For More Information: The selection and application of accounting policies is discussed at paragraph 202.42.Key Points:
Accounting policies include the accounting principles as prescribed by relevant accounting pronouncements as well as the methods adopted to apply those principles in the circumstances. When an accounting pronouncement permits an alternative in the way an accounting principle is applied or does not dictate a specific method of application, management has to adopt a method that is most appropriate in the circumstances.
Obtain an understanding of managements selection and application of accounting policies and evaluate whether the policies are appropriate for the entitys business and consistent with policies used in the industry. This understanding is important for considering the risks of material misstatement at both the financial statement and relevant assertion levels, including both misstatements due to fraud and those due to error. It is an important element in determining what can go wrong in the preparation of financial statements and, hence, in assessing risks of material misstatement.
An understanding of managements selection and application of accounting policies also includes:
Changes in the entitys policies, including the reasons for changes and whether they are appropriate and consistent with GAAP (or an OCBOA).
Financial reporting standards and regulations that are new to the entity and managements plans to adopt those requirements, including new accounting standards.
Presentation Tip:
Consider reviewing Exhibit 2-21, Questions to Consider When Evaluating Accounting Policies, with participants.
For More Information: The selection and application of accounting policies is discussed at paragraph 202.42.
24. Understanding the Entity and Its Environment Consider the presence of fraud risk factors
Update information obtained in prior years by performing risk assessment procedures to determine if the information has changed
Key Points:
When obtaining information about the entity and its environment, consider whether the information indicates that fraud risk factors are present. That is, consider the existence of fraud risk factors while performing other audit planning procedures. There is no need to specifically look for fraud risk factors during planning, but consider, based on your knowledge of the entity and its environment, whether fraud risk factors exist.
Fraud risk factors are conditions or events that indicate:
Incentives/pressure to perpetrate fraud (such as conditions that indicate excessive pressure on management or the owner/manager to meet the requirements or expectations of third parties),
Opportunities to carry out the fraud (such as deficiencies in internal control or ineffective monitoring of management), or
Attitudes/rationalizations to justify a fraudulent action (such as dissatisfaction with the entity on the part of employees with access to assets susceptible to theft).
Fraud risk factors may be related to fraudulent financial reporting or misappropriation of assets.
Previous experience with the entity contributes to the understanding of the entity and its environment. Audit procedures performed in previous audits typically provide useful audit evidence about:
The entitys organizational structure, business, and controls.
Past misstatements and whether they were corrected on a timely basis, which assists the auditor in assessing risks of material misstatement in the current audit.
However, before using information obtained in prior periods, determine whether changes have occurred that may affect its relevance in the current audit. According to SAS 109, The auditor should make inquiries and perform other appropriate audit procedures, such as walkthroughs of systems, to determine whether changes have occurred that may affect the relevance of such information. Changes may change the clients inherent or business risk or the auditors assessment of risks of material misstatement.Key Points:
When obtaining information about the entity and its environment, consider whether the information indicates that fraud risk factors are present. That is, consider the existence of fraud risk factors while performing other audit planning procedures. There is no need to specifically look for fraud risk factors during planning, but consider, based on your knowledge of the entity and its environment, whether fraud risk factors exist.
Fraud risk factors are conditions or events that indicate:
Incentives/pressure to perpetrate fraud (such as conditions that indicate excessive pressure on management or the owner/manager to meet the requirements or expectations of third parties),
Opportunities to carry out the fraud (such as deficiencies in internal control or ineffective monitoring of management), or
Attitudes/rationalizations to justify a fraudulent action (such as dissatisfaction with the entity on the part of employees with access to assets susceptible to theft).
Fraud risk factors may be related to fraudulent financial reporting or misappropriation of assets.
Previous experience with the entity contributes to the understanding of the entity and its environment. Audit procedures performed in previous audits typically provide useful audit evidence about:
The entitys organizational structure, business, and controls.
Past misstatements and whether they were corrected on a timely basis, which assists the auditor in assessing risks of material misstatement in the current audit.
However, before using information obtained in prior periods, determine whether changes have occurred that may affect its relevance in the current audit. According to SAS 109, The auditor should make inquiries and perform other appropriate audit procedures, such as walkthroughs of systems, to determine whether changes have occurred that may affect the relevance of such information. Changes may change the clients inherent or business risk or the auditors assessment of risks of material misstatement.
25. Using the PPC Approach CX-3.1: Understanding the Entity and Identifying Risks
Key elements of the understanding
The consideration of fraud risk factors
Sources of information
Risk assessment procedures performed
CX-7.1: Risk Assessment Summary Form (if risks are identified)
CX-6.1: Entity Risk Factors and CX-6.2: Fraud Risk Factors (memory joggers)
25 Key Points:
SAS 109 indicates that auditors should document:
Key elements of the understanding obtained for each of the aspects of the entity and its environment to assess the risks of material misstatement in the financial statements.
Sources of the information from which the understanding was obtained.
Risk assessment procedures that were performed.
SAS 99 requires auditors to document their consideration of fraud risk factors.
The practice aid, Understanding the Entity and Identifying Risks (CX-3.1), can be used to document the auditor's understanding of the entity. Part I of the form is divided into the following sections for obtaining the understanding:
Structure, ownership, and governance
Industry, regulatory, and other external factors
Nature of the entity
Objectives and strategies and related business risks
Measurement and review of the entitys financial performance
Other considerations and risks, including the consideration of fraud risk factors
Within each section of Part I, space is provided to document risk considerations.
Part II of the form is used to document the sources of information used and procedures performed to obtain or update the understanding of the entity and its environment.
Part III of the form is used to synthesize the risk considerations documented throughout the form, that is, to consider the potential risks both individually and in combination to identify matters that represent risks of material misstatement of the financial statements. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
CX-6.1, Entity Risk Factors, and CX-6.2, Fraud Risk Factors, provide lists of risk factors to consider when identifying financial statement risks. However, the risk factors listed are only examples and may serve as memory joggers to spark the consideration of additional or different risks relevant to the client. These forms are not intended to be included in the final audit documentation.
Presentation Tips:
Review a blank copy of CX-3.1 with the participants. Point out how the headings on the form match the requirements of the standard. Point out the places on the form that can be used to document risk considerations. Remind participants that it is not important how they categorize a risk (for example, whether it relates to the regulatory environment or the nature of the entity); it is more important that they get it documented if they think it is important for the audit. Also, there is no need to document a risk consideration in more than one place on the form.
Review and discuss the synthesis of risks in Part III of CX-3.1.
A completed CX-3.1 is illustrated in Case Study 1 at Appendix A-5. Case Study 2 illustrates the process of understanding the entity and risk identification in a memo at Appendix B-3. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
Review a copy of CX-6.1 (Entity Risk Factors) and CX-6.2 (Fraud Risk Factors) with the participants. Encourage them to use these forms as memory joggers to help translate the information they obtain about the entity and its environment into potential risks that could affect the financial statements.Key Points:
SAS 109 indicates that auditors should document:
Key elements of the understanding obtained for each of the aspects of the entity and its environment to assess the risks of material misstatement in the financial statements.
Sources of the information from which the understanding was obtained.
Risk assessment procedures that were performed.
SAS 99 requires auditors to document their consideration of fraud risk factors.
The practice aid, Understanding the Entity and Identifying Risks (CX-3.1), can be used to document the auditor's understanding of the entity. Part I of the form is divided into the following sections for obtaining the understanding:
Structure, ownership, and governance
Industry, regulatory, and other external factors
Nature of the entity
Objectives and strategies and related business risks
Measurement and review of the entitys financial performance
Other considerations and risks, including the consideration of fraud risk factors
Within each section of Part I, space is provided to document risk considerations.
Part II of the form is used to document the sources of information used and procedures performed to obtain or update the understanding of the entity and its environment.
Part III of the form is used to synthesize the risk considerations documented throughout the form, that is, to consider the potential risks both individually and in combination to identify matters that represent risks of material misstatement of the financial statements. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, Risk Assessment Summary Form.
CX-6.1, Entity Risk Factors, and CX-6.2, Fraud Risk Factors, provide lists of risk factors to consider when identifying financial statement risks. However, the risk factors listed are only examples and may serve as memory joggers to spark the consideration of additional or different risks relevant to the client. These forms are not intended to be included in the final audit documentation.
Presentation Tips:
Review a blank copy of CX-3.1 with the participants. Point out how the headings on the form match the requirements of the standard. Point out the places on the form that can be used to document risk considerations. Remind participants that it is not important how they categorize a risk (for example, whether it relates to the regulatory environment or the nature of the entity); it is more important that they get it documented if they think it is important for the audit. Also, there is no need to document a risk consideration in more than one place on the form.
Review and discuss the synthesis of risks in Part III of CX-3.1.
A completed CX-3.1 is illustrated in Case Study 1 at Appendix A-5. Case Study 2 illustrates the process of understanding the entity and risk identification in a memo at Appendix B-3. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
Review a copy of CX-6.1 (Entity Risk Factors) and CX-6.2 (Fraud Risk Factors) with the participants. Encourage them to use these forms as memory joggers to help translate the information they obtain about the entity and its environment into potential risks that could affect the financial statements.
26. Understanding Internal Control 26 Key Points:
SAS 109 requires auditors to obtain an understanding of the five components of internal control that is sufficient to assess the risks of material misstatement of the financial statements due to error or fraud and design the nature, timing, and extent of further audit procedures.
The control environment encompasses how the attitudes, awareness, and actions of management, as well as those charged with governance, demonstrate its commitment to accurate accounting and financial reporting. It also includes the conditions and circumstances that exist within the entity that demonstrate managements attitude about controls and other indicators of managements integrity.
Risk assessment encompasses what management does to identify and respond to business or operations risks that may affect accounting or financial reporting. It also includes how management identifies potential areas of misstatement in the financial statements and implements control activities or takes other steps to prevent, or detect and correct, misstatements. (This process may be informal with little or no documentation.)
Information encompasses the overall availability and timeliness of information necessary for internal controls and the financial reporting system to function properly. It involves determining how the right information is made available to the right people at the right time. It also includes the financial reporting system. Communication encompasses how management provides employees with an understanding of their responsibilities related to internal control and how exceptions are brought to the attention of persons at the appropriate level to take corrective action. (Communication may be written, electronic, oral, or through the direct actions and involvement of management.)
The monitoring process encompasses how management monitors the operation of internal control to make sure (1) controls are operating as intended and (2) changes to controls are made when necessary. An important aspect of monitoring is the reports or other information (such as budget variances, reconciliations, or monthly financial reports) management uses for that purpose and whether that information is reliable.
Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities and processes operate at the assertion level rather than at the overall financial statement level. Control activities are directly related to initiating, authorizing, recording, processing, and reporting the entitys transactions. Consequently, the understanding of control activities directly supports the auditors risk assessment at the relevant assertion level for account balances, transaction classes, and disclosures.
Auditors generally begin by obtaining an understanding of the control environment, risk assessment, information and communication, and monitoring components, typically obtaining an understanding of the control environment first. The understanding of control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components.
For More Information: Obtaining an understanding of internal control is discussed in section 203.Key Points:
SAS 109 requires auditors to obtain an understanding of the five components of internal control that is sufficient to assess the risks of material misstatement of the financial statements due to error or fraud and design the nature, timing, and extent of further audit procedures.
The control environment encompasses how the attitudes, awareness, and actions of management, as well as those charged with governance, demonstrate its commitment to accurate accounting and financial reporting. It also includes the conditions and circumstances that exist within the entity that demonstrate managements attitude about controls and other indicators of managements integrity.
Risk assessment encompasses what management does to identify and respond to business or operations risks that may affect accounting or financial reporting. It also includes how management identifies potential areas of misstatement in the financial statements and implements control activities or takes other steps to prevent, or detect and correct, misstatements. (This process may be informal with little or no documentation.)
Information encompasses the overall availability and timeliness of information necessary for internal controls and the financial reporting system to function properly. It involves determining how the right information is made available to the right people at the right time. It also includes the financial reporting system. Communication encompasses how management provides employees with an understanding of their responsibilities related to internal control and how exceptions are brought to the attention of persons at the appropriate level to take corrective action. (Communication may be written, electronic, oral, or through the direct actions and involvement of management.)
The monitoring process encompasses how management monitors the operation of internal control to make sure (1) controls are operating as intended and (2) changes to controls are made when necessary. An important aspect of monitoring is the reports or other information (such as budget variances, reconciliations, or monthly financial reports) management uses for that purpose and whether that information is reliable.
Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities and processes operate at the assertion level rather than at the overall financial statement level. Control activities are directly related to initiating, authorizing, recording, processing, and reporting the entitys transactions. Consequently, the understanding of control activities directly supports the auditors risk assessment at the relevant assertion level for account balances, transaction classes, and disclosures.
Auditors generally begin by obtaining an understanding of the control environment, risk assessment, information and communication, and monitoring components, typically obtaining an understanding of the control environment first. The understanding of control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components.
For More Information: Obtaining an understanding of internal control is discussed in section 203.
27. Understanding Internal Control Understand design and implementation
Perform inquiry, observation, and inspection
Inquiry alone is not sufficient to understand the design and implementation of controls 27 Key Points:
SAS 109 requires auditors to perform risk assessment procedures to (a) evaluate the design of controls that are relevant to the audit and (b) determine whether they have been implemented. A key consideration is whether and how the entitys internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures.
It is not enough to simply determine whether a control as described or documented is effective in design. Implementation means determining that the control, as documented or described, actually exists and the entity is using it. This involves performing observation and inspection in addition to inquiry.
Professional standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Some observation and inspection procedures must be performed.Key Points:
SAS 109 requires auditors to perform risk assessment procedures to (a) evaluate the design of controls that are relevant to the audit and (b) determine whether they have been implemented. A key consideration is whether and how the entitys internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures.
It is not enough to simply determine whether a control as described or documented is effective in design. Implementation means determining that the control, as documented or described, actually exists and the entity is using it. This involves performing observation and inspection in addition to inquiry.
Professional standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Some observation and inspection procedures must be performed.
28. Understanding Internal Control Evaluate the design and implementation of controls
Related to significant risks
Related to risks that cannot be tested effectively using substantive procedures alone
Understand
How the incorrect processing of transactions is resolved
How detail is reconciled to the general ledger for material accounts 28 Key Points:
Significant risks generally relate to nonroutine transactions (that is, transactions that are unusual due to their size or nature) and complex or judgmental matters. Examples of matters that often involve significant risks include:
Significant nonroutine transactions, that is, transactions that are unusual due to their size or nature.
Accounting estimates for which there is significant measurement uncertainty, such as certain fair value estimates.
Transactions that involve complex calculations or the application of complex accounting principles, such as self-constructed property with capitalized interest or revenue recognition for software that is tailored for the customer.
Significant related-party transactions.
Transactions that require a large degree of manual intervention in data collection and processing.
Unusual or infrequent transactions that by their nature make effective controls difficult to implement, such as major litigation.
Transactions that involve a relatively large degree of management intervention in specifying the accounting treatment.
Fraud risks are always considered to be significant risks.
After completing your risk assessment procedures to evaluate internal control design and implementation, you should consider whether a sufficient understanding has been obtained of controls that would prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. If not, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks.
When you believe substantive procedures alone will not be sufficient, testing of internal controls is required. This tends to occur in highly automated processing environments in which a significant amount of information is initiated, authorized, recorded, processed, or reported electronically. If you have not obtained a sufficient understanding of controls related to risks that cannot be addressed with substantive procedures alone, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks.
You should obtain an understanding of how the incorrect processing of transactions is resolved. For example, some systems use suspense accounts or files to capture failed transactions. For such situations, the auditor would understand the procedures for suspense accounting including how suspended transactions are researched and cleared.
Another specific requirement of the auditing standards is to understand the process for reconciling detail records to the general ledger. For example, for the accounts receivable general ledger account, you should understand the process of reconciling the account to the subsidiary accounts receivable ledger. This understanding is typically obtained when obtaining an understanding of significant transaction processing systems and the financial close and reporting process.Key Points:
Significant risks generally relate to nonroutine transactions (that is, transactions that are unusual due to their size or nature) and complex or judgmental matters. Examples of matters that often involve significant risks include:
Significant nonroutine transactions, that is, transactions that are unusual due to their size or nature.
Accounting estimates for which there is significant measurement uncertainty, such as certain fair value estimates.
Transactions that involve complex calculations or the application of complex accounting principles, such as self-constructed property with capitalized interest or revenue recognition for software that is tailored for the customer.
Significant related-party transactions.
Transactions that require a large degree of manual intervention in data collection and processing.
Unusual or infrequent transactions that by their nature make effective controls difficult to implement, such as major litigation.
Transactions that involve a relatively large degree of management intervention in specifying the accounting treatment.
Fraud risks are always considered to be significant risks.
After completing your risk assessment procedures to evaluate internal control design and implementation, you should consider whether a sufficient understanding has been obtained of controls that would prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. If not, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks.
When you believe substantive procedures alone will not be sufficient, testing of internal controls is required. This tends to occur in highly automated processing environments in which a significant amount of information is initiated, authorized, recorded, processed, or reported electronically. If you have not obtained a sufficient understanding of controls related to risks that cannot be addressed with substantive procedures alone, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks.
You should obtain an understanding of how the incorrect processing of transactions is resolved. For example, some systems use suspense accounts or files to capture failed transactions. For such situations, the auditor would understand the procedures for suspense accounting including how suspended transactions are researched and cleared.
Another specific requirement of the auditing standards is to understand the process for reconciling detail records to the general ledger. For example, for the accounts receivable general ledger account, you should understand the process of reconciling the account to the subsidiary accounts receivable ledger. This understanding is typically obtained when obtaining an understanding of significant transaction processing systems and the financial close and reporting process.
29. Understanding Internal Control Document the following:
Understanding of internal control components
Sources of information
Procedures performed
Controls evaluated related to significant risks and risks for which substantive procedures alone are not effective
Key Points:
SAS 109 requires documentation of the understanding of internal control. The auditor is required to document the understanding obtained for the five components of internal control, the sources of information used and risk assessment procedures performed to obtain the understanding, and the controls related to significant risks and risks for which substantive procedures alone will not be sufficient.
Professional standards permit flexibility in the manner of documentation. Possible documentation methods include:
Narratives or memorandum documents.
Internal control questionnaires.
Checklists.
Flowcharts.
The form and extent of documentation is influenced by factors such as the complexity, size, and nature of the entity and the use of technology. Some auditors supplement their documentation with existing documentation of control systems prepared by the entity. Consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. When client documentation is available, the auditor may gain additional audit efficiencies and a better understanding of the client's internal control.Key Points:
SAS 109 requires documentation of the understanding of internal control. The auditor is required to document the understanding obtained for the five components of internal control, the sources of information used and risk assessment procedures performed to obtain the understanding, and the controls related to significant risks and risks for which substantive procedures alone will not be sufficient.
Professional standards permit flexibility in the manner of documentation. Possible documentation methods include:
Narratives or memorandum documents.
Internal control questionnaires.
Checklists.
Flowcharts.
The form and extent of documentation is influenced by factors such as the complexity, size, and nature of the entity and the use of technology. Some auditors supplement their documentation with existing documentation of control systems prepared by the entity. Consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. When client documentation is available, the auditor may gain additional audit efficiencies and a better understanding of the client's internal control.
30. Using the PPC Approach Entity-level controls
Control environment
Risk assessment
Information and communication
Monitoring
Activity-level controls
Financial reporting system
Control activities
IT environment and general computer controls Key Points:
Using the PPC approach, the internal control components of the control environment, risk assessment, information and communication (excluding the financial reporting system), and monitoring are referred to as entity-level controls. These controls typically have a pervasive effect on the entity's system of internal control.
The internal control component of control activities, along with the detailed aspects of the financial reporting system, are referred to as activity-level controls. Activity-level controls and processes operate at the assertion level rather than at the overall financial statement level. Activity-level controls are directly related to initiating, authorizing, recording, processing, and reporting the entity's transactions. Consequently, the understanding of activity-level controls directly supports the auditor's risk assessment at the relevant assertion level for account balances, transaction classes, and disclosures.
Controls throughout the system may be either manual or automated and may be significantly affected by IT. Therefore, the auditor should also obtain an understanding of the entity's IT environment and general computer controls
The auditor ordinarily obtains an understanding of entity-level controls first because the pervasive nature of those controls can potentially influence the design and operating effectiveness of other controls. Also, the auditor generally accumulates a significant amount of knowledge about activity-level controls through the understanding of entity-level controls.
After obtaining an understanding of entity-level controls, the auditor focuses on obtaining an understanding of the financial reporting system, which is part of the information and communication component of internal control. Obtaining an understanding about how the entity initiates, authorizes, records, processes, and reports transactions through the financial reporting system typically also provides a significant amount of information about control activities. After obtaining an understanding of those aspects of transaction processing, the auditor considers whether it is necessary to devote additional attention to obtaining an understanding of control activities.
Devoting additional attention to obtaining an understanding of control activities would typically only be necessary if:
The auditor does not understand what controls, if any, the entity has implemented to prevent, or detect and correct, material misstatements related to fraud risks or other significant risks.
The auditor plans or is required to test controls for one or more assertions but has not identified which controls to test (that is, which manual or automated controls are most likely to prevent or detect and correct material misstatements in that assertion).
For More Information: Obtaining an understanding of entity-level controls is discussed in section 204. Obtaining an understanding of activity-level controls is discussed in section 205.Key Points:
Using the PPC approach, the internal control components of the control environment, risk assessment, information and communication (excluding the financial reporting system), and monitoring are referred to as entity-level controls. These controls typically have a pervasive effect on the entity's system of internal control.
The internal control component of control activities, along with the detailed aspects of the financial reporting system, are referred to as activity-level controls. Activity-level controls and processes operate at the assertion level rather than at the overall financial statement level. Activity-level controls are directly related to initiating, authorizing, recording, processing, and reporting the entity's transactions. Consequently, the understanding of activity-level controls directly supports the auditor's risk assessment at the relevant assertion level for account balances, transaction classes, and disclosures.
Controls throughout the system may be either manual or automated and may be significantly affected by IT. Therefore, the auditor should also obtain an understanding of the entity's IT environment and general computer controls
The auditor ordinarily obtains an understanding of entity-level controls first because the pervasive nature of those controls can potentially influence the design and operating effectiveness of other controls. Also, the auditor generally accumulates a significant amount of knowledge about activity-level controls through the understanding of entity-level controls.
After obtaining an understanding of entity-level controls, the auditor focuses on obtaining an understanding of the financial reporting system, which is part of the information and communication component of internal control. Obtaining an understanding about how the entity initiates, authorizes, records, processes, and reports transactions through the financial reporting system typically also provides a significant amount of information about control activities. After obtaining an understanding of those aspects of transaction processing, the auditor considers whether it is necessary to devote additional attention to obtaining an understanding of control activities.
Devoting additional attention to obtaining an understanding of control activities would typically only be necessary if:
The auditor does not understand what controls, if any, the entity has implemented to prevent, or detect and correct, material misstatements related to fraud risks or other significant risks.
The auditor plans or is required to test controls for one or more assertions but has not identified which controls to test (that is, which manual or automated controls are most likely to prevent or detect and correct material misstatements in that assertion).
For More Information: Obtaining an understanding of entity-level controls is discussed in section 204. Obtaining an understanding of activity-level controls is discussed in section 205.
31. Using the PPC Approach CX-4.1: Understanding the Design and Implementation of Internal Control
Evaluate entity-level controls
Identify significant transaction classes
CX-4.2.1: Financial Reporting System Documentation FormSignificant Transaction Classes
Document the processing of transactions for each significant transaction class
Document the financial close and reporting process Key Points:
Using the PPC approach, the following forms are used to document the understanding of internal control, including the evaluation of design and implementation:
Understanding the Design and Implementation of Internal Control (CX-4.1). This form is used to document the understanding of entity-level controls, along with the sources of information used and procedures performed to obtain or update the understanding, and to evaluate the design and implementation of those controls. This form is also used to identify significant transaction classes that will be documented using CX-4.2.1.
Financial Reporting System Documentation FormSignificant Transaction Classes (CX-4.2.1). This form is used to document the processing of transactions for significant transaction classes, evaluate whether the controls are properly designed and implemented, and document the sources of information used and procedures performed to obtain or update the understanding. This form is also used to document the financial close and reporting process. A narrative is prepared and documented on CX-4.2.1 for each significant transaction class identified on CX-4.1.
Presentation Tips:
Review a blank copy of CX-4.1 with the participants. Point out how the control objectives listed on the form for each entity-level control component match COSO. Remind participants that they may document their responses for each objective or document their responses in the first blank provided for all of the objectives combined.
Review a blank copy of CX-4.2.1 with the participants. Point out that a narrative should be written on CX-4.2.1 for each significant transaction class identified on CX-4.1. A narrative should also be written for the financial close and reporting process.
A completed CX-4.1 is illustrated in Case Study 1 at Appendix A-8 and in Case Study 3 at Appendix C-2. Case Study 2 illustrates the process of understanding the design and implementation of internal control in a memo at Appendix B-6. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-4.2.1 is illustrated in Case Study 1 at Appendix A-9 and in Case Study 3 at Appendixes C-4 and C-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.Key Points:
Using the PPC approach, the following forms are used to document the understanding of internal control, including the evaluation of design and implementation:
Understanding the Design and Implementation of Internal Control (CX-4.1). This form is used to document the understanding of entity-level controls, along with the sources of information used and procedures performed to obtain or update the understanding, and to evaluate the design and implementation of those controls. This form is also used to identify significant transaction classes that will be documented using CX-4.2.1.
Financial Reporting System Documentation FormSignificant Transaction Classes (CX-4.2.1). This form is used to document the processing of transactions for significant transaction classes, evaluate whether the controls are properly designed and implemented, and document the sources of information used and procedures performed to obtain or update the understanding. This form is also used to document the financial close and reporting process. A narrative is prepared and documented on CX-4.2.1 for each significant transaction class identified on CX-4.1.
Presentation Tips:
Review a blank copy of CX-4.1 with the participants. Point out how the control objectives listed on the form for each entity-level control component match COSO. Remind participants that they may document their responses for each objective or document their responses in the first blank provided for all of the objectives combined.
Review a blank copy of CX-4.2.1 with the participants. Point out that a narrative should be written on CX-4.2.1 for each significant transaction class identified on CX-4.1. A narrative should also be written for the financial close and reporting process.
A completed CX-4.1 is illustrated in Case Study 1 at Appendix A-8 and in Case Study 3 at Appendix C-2. Case Study 2 illustrates the process of understanding the design and implementation of internal control in a memo at Appendix B-6. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-4.2.1 is illustrated in Case Study 1 at Appendix A-9 and in Case Study 3 at Appendixes C-4 and C-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
32. Using the PPC Approach CX-4.2.2: Financial Reporting System Documentation FormIT Environment and General Computer Controls
Understand the effect of IT
CX-4.3: Walkthrough Documentation Table
For each walkthrough
CX-5: Activity and Entity-level Control Forms (optional)
Key Points:
Financial Reporting System Documentation FormIT Environment and General Computer Controls (CX-4.2.2). This form is used to document the understanding of the entitys IT environment (including consideration of controls at a service organization) and general computer controls, as well as the decision about whether to use an IT specialist. It is also used to evaluate whether general controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.
Walkthrough Documentation Table (CX-4.3). This form is used to document the performance of a walkthrough. A walkthrough confirms the understanding of the design and implementation of controls by tracing a transaction through the entitys system from its initiation to inclusion in the general ledger and financial statements. A separate CX-4.3 is prepared for each walkthrough performed.
Activity and Entity-level Control Forms (CX-5). These forms are optional source lists of control activities and entity-level controls by transaction class (for each audit area) or by objective (for entity-level controls). The forms provide a list of common key controls that are applicable for many nonpublic entities. The forms can be used as a memory jogger to assist in identifying and describing the entitys controls or as a supplement to narratives or flowcharts to further document the understanding of controls and to indicate which controls are being tested.
Presentation Tips:
Review a blank copy of CX-4.2.2 with the participants.
Review a blank copy of CX-4.3 with the participants. Point out that a walkthrough documentation table should be completed for each walkthrough performed.
Review a blank copy of a CX-5 form. Discuss the firms approach for using these forms.
A completed CX-4.2.2 is illustrated in Case Study 1 at Appendix A-10 and in Case Study 3 at Appendix C-10. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-4.3 is illustrated in Case Study 1 at Appendix A-11 and in Case Study 3 at Appendixes C-5 and C-8. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-5 is illustrated in Case Study 3 at Appendixes C-3, C-6, and C-9. Consider reviewing these documents, or one of the firms completed practice aids, with participants.Key Points:
Financial Reporting System Documentation FormIT Environment and General Computer Controls (CX-4.2.2). This form is used to document the understanding of the entitys IT environment (including consideration of controls at a service organization) and general computer controls, as well as the decision about whether to use an IT specialist. It is also used to evaluate whether general controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.
Walkthrough Documentation Table (CX-4.3). This form is used to document the performance of a walkthrough. A walkthrough confirms the understanding of the design and implementation of controls by tracing a transaction through the entitys system from its initiation to inclusion in the general ledger and financial statements. A separate CX-4.3 is prepared for each walkthrough performed.
Activity and Entity-level Control Forms (CX-5). These forms are optional source lists of control activities and entity-level controls by transaction class (for each audit area) or by objective (for entity-level controls). The forms provide a list of common key controls that are applicable for many nonpublic entities. The forms can be used as a memory jogger to assist in identifying and describing the entitys controls or as a supplement to narratives or flowcharts to further document the understanding of controls and to indicate which controls are being tested.
Presentation Tips:
Review a blank copy of CX-4.2.2 with the participants.
Review a blank copy of CX-4.3 with the participants. Point out that a walkthrough documentation table should be completed for each walkthrough performed.
Review a blank copy of a CX-5 form. Discuss the firms approach for using these forms.
A completed CX-4.2.2 is illustrated in Case Study 1 at Appendix A-10 and in Case Study 3 at Appendix C-10. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-4.3 is illustrated in Case Study 1 at Appendix A-11 and in Case Study 3 at Appendixes C-5 and C-8. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
A completed CX-5 is illustrated in Case Study 3 at Appendixes C-3, C-6, and C-9. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
33. Identifying Significant Transaction Classes Transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures based on:
Volume of activity
Size and composition of accounts
Types of transactions
Presence of fraud risks or other significant risks
Changes from the prior period
Key Points:
The auditor should identify significant transaction classes and obtain an understanding of the flow of information (including electronic information) through the entity's financial reporting system for each of those classes. That is, the auditor should obtain an understanding of how transactions are processed from initiation through inclusion in the general ledger. Significant transaction classes are identified and listed on CX-4.1, Understanding the Design and Implementation of Internal Control.
Significant transaction classes are those classes of transactions in the entity's operations that are significant to the financial statements, generally because of the volume or risk characteristics of transactions processed.
When selecting significant transaction classes, focus on transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures, including those that involve significant or fraud risks. Qualitative and quantitative factors such as the following should be considered:
Volume of activity.
Size and composition of the related accounts.
Susceptibility to misstatement due to errors or fraud.
Nature of the transactions, related account balances, or disclosures.
Accounting and reporting complexities.
Exposure to losses in the related accounts.
Possibility of significant contingent liabilities arising from the activities being processed.
Existence of related party transactions.
Changes from the prior period in the characteristics of the transactions, related account balances, or disclosures.
Presentation Tip:
Review the list of transaction classes provided at Exhibit 2-44, and discuss which are generally significant for the firms clients.
For More Information: Identifying significant transaction classes is discussed at paragraph 205.9.Key Points:
The auditor should identify significant transaction classes and obtain an understanding of the flow of information (including electronic information) through the entity's financial reporting system for each of those classes. That is, the auditor should obtain an understanding of how transactions are processed from initiation through inclusion in the general ledger. Significant transaction classes are identified and listed on CX-4.1, Understanding the Design and Implementation of Internal Control.
Significant transaction classes are those classes of transactions in the entity's operations that are significant to the financial statements, generally because of the volume or risk characteristics of transactions processed.
When selecting significant transaction classes, focus on transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures, including those that involve significant or fraud risks. Qualitative and quantitative factors such as the following should be considered:
Volume of activity.
Size and composition of the related accounts.
Susceptibility to misstatement due to errors or fraud.
Nature of the transactions, related account balances, or disclosures.
Accounting and reporting complexities.
Exposure to losses in the related accounts.
Possibility of significant contingent liabilities arising from the activities being processed.
Existence of related party transactions.
Changes from the prior period in the characteristics of the transactions, related account balances, or disclosures.
Presentation Tip:
Review the list of transaction classes provided at Exhibit 2-44, and discuss which are generally significant for the firms clients.
For More Information: Identifying significant transaction classes is discussed at paragraph 205.9.
34. Understanding Significant Transaction Classes How are transactions initiated and authorized?
How are transactions recorded and processed?
How are transactions reconciled?
What reports are generated and how are they used?
Key Points:
The following questions are related to understanding how transactions are initiated and authorized:
How and by whom are transactions initiated and authorized?
What source documents (or electronic means) are used to capture information for entry in the accounting system?
How and by whom are transactions originally entered in the accounting system for processing?
The following questions are related to understanding how transactions are recorded and processed:
What are the accounting processing steps, both automated and manual, from original entry to inclusion in the general ledger and who performs them?
What accounting records and supporting documents are used or created when processing transactions?
What subsidiary journals or ledgers are involved?
How is the incorrect processing of transactions resolved?
The following questions are related to understanding how transactions are reconciled:
What procedures are used to enter transaction totals into the general ledger?
What is the entitys process for reconciling account detail to the general ledger for material accounts?
Consider what management reports or other information are generated from the system and how they are used by management or the owner/manager in managing and controlling the entitys activities.
Throughout the process of obtaining the understanding, consider the effect of IT on the way the entity's control activities are designed and implemented. Also identify and evaluate the controls, if any, the entity has implemented to prevent or detect and correct material misstatements related to fraud risks or other significant risks. And be alert for areas where controls must be tested because substantive procedures alone will not be sufficient to address assessed risks.
Key Points:
The following questions are related to understanding how transactions are initiated and authorized:
How and by whom are transactions initiated and authorized?
What source documents (or electronic means) are used to capture information for entry in the accounting system?
How and by whom are transactions originally entered in the accounting system for processing?
The following questions are related to understanding how transactions are recorded and processed:
What are the accounting processing steps, both automated and manual, from original entry to inclusion in the general ledger and who performs them?
What accounting records and supporting documents are used or created when processing transactions?
What subsidiary journals or ledgers are involved?
How is the incorrect processing of transactions resolved?
The following questions are related to understanding how transactions are reconciled:
What procedures are used to enter transaction totals into the general ledger?
What is the entitys process for reconciling account detail to the general ledger for material accounts?
Consider what management reports or other information are generated from the system and how they are used by management or the owner/manager in managing and controlling the entitys activities.
Throughout the process of obtaining the understanding, consider the effect of IT on the way the entity's control activities are designed and implemented. Also identify and evaluate the controls, if any, the entity has implemented to prevent or detect and correct material misstatements related to fraud risks or other significant risks. And be alert for areas where controls must be tested because substantive procedures alone will not be sufficient to address assessed risks.
35. Understanding Significant Transaction Classes Consider control objectives:
Completeness: All transactions are recorded
Occurrence: All recorded transactions occurred and pertain to the entity
Accuracy: Transactions are recorded in the proper amount
Classification: Transactions are recorded in the proper account
Cutoff: Transactions are recorded in the proper period Key Points:
When obtaining an understanding of internal control, many auditors consider control objectives during the process of identifying controls and evaluating their design and implementation. A control objective states the purpose of a control in relation to risks and what could go wrong in the financial statements. For example, All property, plant, and equipment additions are recorded, might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (i.e., completeness). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts.
Control objectives for transaction processing typically relate to the assertions of completeness (all transactions are recorded), occurrence (all recorded transactions occurred and pertain to the entity), accuracy (transactions are recorded in the proper amount), classification (transactions are recorded in the proper account), and cutoff (transactions are recorded in the proper period).
By considering control objectives and how they relate to risks and what can go wrong at the relevant assertion level, an auditor might find it easier to identify existing controls and evaluate their design effectiveness. For example, an auditor might tailor inquiries of client personnel to focus on how certain control objectives are achieved within the entity when trying to identify the controls that address a particular risk of material misstatement. Likewise, when existing controls are identified, the auditor can evaluate whether those controls, if operating effectively, would fully achieve the objective or whether deficiencies exist because of improper design or missing controls.
The auditor is not required to understand all controls and control activities that might exist in an entity. The auditor typically focuses attention on those controls that are most important in achieving particular control objectives related to identified risks. Often, an entity has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls, evaluating design effectiveness, determining implementation, and testing operating effectiveness, it is often most efficient and effective for the auditor to focus on key controls. Many times, these are the controls that the client believes are the most effective and reliable in operation to fully address a control objective.Key Points:
When obtaining an understanding of internal control, many auditors consider control objectives during the process of identifying controls and evaluating their design and implementation. A control objective states the purpose of a control in relation to risks and what could go wrong in the financial statements. For example, All property, plant, and equipment additions are recorded, might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (i.e., completeness). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts.
Control objectives for transaction processing typically relate to the assertions of completeness (all transactions are recorded), occurrence (all recorded transactions occurred and pertain to the entity), accuracy (transactions are recorded in the proper amount), classification (transactions are recorded in the proper account), and cutoff (transactions are recorded in the proper period).
By considering control objectives and how they relate to risks and what can go wrong at the relevant assertion level, an auditor might find it easier to identify existing controls and evaluate their design effectiveness. For example, an auditor might tailor inquiries of client personnel to focus on how certain control objectives are achieved within the entity when trying to identify the controls that address a particular risk of material misstatement. Likewise, when existing controls are identified, the auditor can evaluate whether those controls, if operating effectively, would fully achieve the objective or whether deficiencies exist because of improper design or missing controls.
The auditor is not required to understand all controls and control activities that might exist in an entity. The auditor typically focuses attention on those controls that are most important in achieving particular control objectives related to identified risks. Often, an entity has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls, evaluating design effectiveness, determining implementation, and testing operating effectiveness, it is often most efficient and effective for the auditor to focus on key controls. Many times, these are the controls that the client believes are the most effective and reliable in operation to fully address a control objective.
36. Documenting Significant Transaction Classes Narrative description
Focus on key controls and control objectives related to identified risks
How are control objectives achieved?
What controls are in place to address significant or fraud risks?
Are controls properly designed and implemented? Key Points:
Using the PPC approach, the auditor writes a narrative description on CX-4.2.1, Financial Reporting System Documentation FormSignificant Transaction Classes, about how transactions are processed for each significant transaction class and for the financial close and reporting process.
When preparing the narratives, attention should be focused on the control objectives and key controls related to the relevant assertions and risks that were identified when performing other risk assessment procedures. Before writing the narrative, review your identified risks related to the transaction class and consider the related control objectives. For example, if the transaction class is sales order processing, and you identified a risk related to the completeness of sales transactions, address in your narrative the controls that are in place to ensure that all sales transactions are processed (completeness).
Be sure the narrative specifically addresses controls the entity has implemented to prevent or detect and correct material misstatements related to fraud risks, other significant risks, and risks for which substantive procedures alone are not sufficient. For example, if you identify a risk related to fraudulent cash disbursements, make sure your narrative describing the processing of cash disbursements addresses the controls that are in place to prevent or detect fraudulent disbursements.
The narrative should enable you to conclude whether controls over the transaction class are properly designed and implemented to achieve the significant control objectives.
The narrative is intended to assist in assessing the magnitude of identified risks and deciding whether to respond to them with substantive procedures alone or a combination of substantive procedures and tests of controls. Key Points:
Using the PPC approach, the auditor writes a narrative description on CX-4.2.1, Financial Reporting System Documentation FormSignificant Transaction Classes, about how transactions are processed for each significant transaction class and for the financial close and reporting process.
When preparing the narratives, attention should be focused on the control objectives and key controls related to the relevant assertions and risks that were identified when performing other risk assessment procedures. Before writing the narrative, review your identified risks related to the transaction class and consider the related control objectives. For example, if the transaction class is sales order processing, and you identified a risk related to the completeness of sales transactions, address in your narrative the controls that are in place to ensure that all sales transactions are processed (completeness).
Be sure the narrative specifically addresses controls the entity has implemented to prevent or detect and correct material misstatements related to fraud risks, other significant risks, and risks for which substantive procedures alone are not sufficient. For example, if you identify a risk related to fraudulent cash disbursements, make sure your narrative describing the processing of cash disbursements addresses the controls that are in place to prevent or detect fraudulent disbursements.
The narrative should enable you to conclude whether controls over the transaction class are properly designed and implemented to achieve the significant control objectives.
The narrative is intended to assist in assessing the magnitude of identified risks and deciding whether to respond to them with substantive procedures alone or a combination of substantive procedures and tests of controls.
37. Performing Walkthroughs Select one or a few transactions
Trace from initial creation of the source document to final posting in the general ledger
Inspect documents and records used in processing, make inquiries, and observe procedures being performed Key Points:
A common method of obtaining an understanding of the processing of transactions for a significant transaction class is to trace a transaction through the various processing steps from initiation to inclusion in the general ledger. This is commonly referred to as a walkthrough. Walkthroughs may be used to confirm information obtained by inquiry or from prior years' audits. Walkthroughs are also commonly used in gaining an understanding of control activities.
Walkthroughs of transactions usually involve document inspection, inquiry, and observation. The auditor judgmentally selects one or a few transactions from each of the major classes of transactions and walks those transactions and related controls through the system from cradle to grave, that is, from initial creation of a source document to final posting in the general ledger and inclusion in the financial statements. The auditor inspects the documents and accounting records used in processing, talks to the personnel involved, and observes the handling of records and related assets.
In performing a walkthrough, the auditor should follow the same transaction through all of the processing steps in the system. A walkthrough may not be effective if a different transaction is used to test each control or processing step separately rather than walking a single transaction through the entire process or if the auditor does not use the same documents and IT that client personnel use.
Even though SAS 109 allows the auditor to rely on audit evidence obtained in prior periods, the auditor is still required to perform audit procedures to determine the continued relevance of that evidence. In many cases, the auditor can establish the continued relevance of information about internal control through the performance of a walkthrough. Indeed, a walkthrough may be helpful in determining whether and how internal control design and implementation have changed since the prior period. Thus, walkthroughs are ordinarily performed in each audit period for significant transaction classes.
For More Information: Walkthroughs are discussed at paragraph 205.20.Key Points:
A common method of obtaining an understanding of the processing of transactions for a significant transaction class is to trace a transaction through the various processing steps from initiation to inclusion in the general ledger. This is commonly referred to as a walkthrough. Walkthroughs may be used to confirm information obtained by inquiry or from prior years' audits. Walkthroughs are also commonly used in gaining an understanding of control activities.
Walkthroughs of transactions usually involve document inspection, inquiry, and observation. The auditor judgmentally selects one or a few transactions from each of the major classes of transactions and walks those transactions and related controls through the system from cradle to grave, that is, from initial creation of a source document to final posting in the general ledger and inclusion in the financial statements. The auditor inspects the documents and accounting records used in processing, talks to the personnel involved, and observes the handling of records and related assets.
In performing a walkthrough, the auditor should follow the same transaction through all of the processing steps in the system. A walkthrough may not be effective if a different transaction is used to test each control or processing step separately rather than walking a single transaction through the entire process or if the auditor does not use the same documents and IT that client personnel use.
Even though SAS 109 allows the auditor to rely on audit evidence obtained in prior periods, the auditor is still required to perform audit procedures to determine the continued relevance of that evidence. In many cases, the auditor can establish the continued relevance of information about internal control through the performance of a walkthrough. Indeed, a walkthrough may be helpful in determining whether and how internal control design and implementation have changed since the prior period. Thus, walkthroughs are ordinarily performed in each audit period for significant transaction classes.
For More Information: Walkthroughs are discussed at paragraph 205.20.
38. Assessing Risks and Developing Responses Key Point:
The next few slides address Step 3 of the PPC Audit Approach: Assess Risks and Develop Responses, which consists of assessing risks at the financial statement level, developing the overall audit strategy, assessing risks at the relevant assertion level, and developing the detailed audit plan.
For More Information: Assessing risks and developing responses is discussed in Chapter 3.Key Point:
The next few slides address Step 3 of the PPC Audit Approach: Assess Risks and Develop Responses, which consists of assessing risks at the financial statement level, developing the overall audit strategy, assessing risks at the relevant assertion level, and developing the detailed audit plan.
For More Information: Assessing risks and developing responses is discussed in Chapter 3.
39. Assess Risks at the Financial Statement Level Identify risks that are pervasive to the financial statements and potentially affect many assertions
Assess the risk of material misstatement at the financial statement level
Develop overall responses
Document the risk assessment and the responses
CX-7.1: Risk Assessment Summary Form (Part I)
39 Key Points:
The auditor must consider audit risk for the financial statements taken as a whole. When considering audit risk at the overall financial statement level, the auditor identifies risks of material misstatement that relate pervasively to the financial statements taken as a whole and potentially affect many relevant assertions. (These risks are also referred to as overall risks.)
The risk assessment standards establish a requirement to assess and document the risks of material misstatement at the financial statement level. Risks of material misstatement at the financial statement level often relate to the entitys control environment and are not necessarily identifiable with specific relevant assertions at the class of transaction, account balance, or disclosure level. These overall risks are often especially relevant to the auditors consideration of the risks of material misstatement arising from fraud, for example, through management override of internal control.
Overall responses to address risks of material misstatement at the financial statement level may include:
Emphasis to the audit team to use professional skepticism.
Assigning staff with higher experience levels or specialized skills.
Increasing the level of supervision.
Using a greater degree of unpredictability in selecting audit procedures.
Changing the nature, timing, and extent of substantive procedures (for example, instead of interim testing shift testing to period end or modify the nature of the audit procedures to obtain more persuasive evidence).
SAS 109 requires documentation of the assessment of risks of material misstatement at the financial statement level and the basis for the assessment, and SAS 110 requires documentation of overall responses to such risks.
Auditors can document the overall risks and responses on Part I of the Risk Assessment Summary Form (CX-7.1).
Presentation Tips:
Review a blank copy of CX-7.1 (Part I) with the participants.
A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.Key Points:
The auditor must consider audit risk for the financial statements taken as a whole. When considering audit risk at the overall financial statement level, the auditor identifies risks of material misstatement that relate pervasively to the financial statements taken as a whole and potentially affect many relevant assertions. (These risks are also referred to as overall risks.)
The risk assessment standards establish a requirement to assess and document the risks of material misstatement at the financial statement level. Risks of material misstatement at the financial statement level often relate to the entitys control environment and are not necessarily identifiable with specific relevant assertions at the class of transaction, account balance, or disclosure level. These overall risks are often especially relevant to the auditors consideration of the risks of material misstatement arising from fraud, for example, through management override of internal control.
Overall responses to address risks of material misstatement at the financial statement level may include:
Emphasis to the audit team to use professional skepticism.
Assigning staff with higher experience levels or specialized skills.
Increasing the level of supervision.
Using a greater degree of unpredictability in selecting audit procedures.
Changing the nature, timing, and extent of substantive procedures (for example, instead of interim testing shift testing to period end or modify the nature of the audit procedures to obtain more persuasive evidence).
SAS 109 requires documentation of the assessment of risks of material misstatement at the financial statement level and the basis for the assessment, and SAS 110 requires documentation of overall responses to such risks.
Auditors can document the overall risks and responses on Part I of the Risk Assessment Summary Form (CX-7.1).
Presentation Tips:
Review a blank copy of CX-7.1 (Part I) with the participants.
A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
40. Develop the Overall Audit Strategy Characteristics of the engagement that define its scope
Reporting objectives of the engagement
Important factors that determine audit focus 40 Key Points:
The overall audit strategy is the operational approach to achieving the objectives of the audit. It is a high level determination of the audit approach. It includes the identification of overall risks, the overall responses to those risks, and the general approach to each audit area as being substantive procedures or a combination of substantive procedures and tests of controls.
SAS 108 provides that in establishing the overall audit strategy the auditor should:
Determine the characteristics of the engagement that define its scope.
Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of communications required.
Consider the important factors that will determine the focus of the audit teams efforts.
The scope of the engagement may be defined by the following types of characteristics:
The basis of reporting, for example, GAAP or an OCBOA.
Industry-specific, statutory, or regulatory reporting requirements.
The availability of the work of internal auditors and the auditors potential reliance on that work.
Planned reliance on the work of other auditors.
The entitys use of service organizations.
The number of entity locations and nature of procedures to be performed at each.
Whether it is an initial versus a continuing engagement.
Reporting objectives include:
Deadlines for interim and final reporting.
Key dates for expected communications with management and those charged with governance, for example, concerning internal control related matters.
The expected nature and timing of communications among audit team members, including the nature and timing of review of work performed.Key Points:
The overall audit strategy is the operational approach to achieving the objectives of the audit. It is a high level determination of the audit approach. It includes the identification of overall risks, the overall responses to those risks, and the general approach to each audit area as being substantive procedures or a combination of substantive procedures and tests of controls.
SAS 108 provides that in establishing the overall audit strategy the auditor should:
Determine the characteristics of the engagement that define its scope.
Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of communications required.
Consider the important factors that will determine the focus of the audit teams efforts.
The scope of the engagement may be defined by the following types of characteristics:
The basis of reporting, for example, GAAP or an OCBOA.
Industry-specific, statutory, or regulatory reporting requirements.
The availability of the work of internal auditors and the auditors potential reliance on that work.
Planned reliance on the work of other auditors.
The entitys use of service organizations.
The number of entity locations and nature of procedures to be performed at each.
Whether it is an initial versus a continuing engagement.
Reporting objectives include:
Deadlines for interim and final reporting.
Key dates for expected communications with management and those charged with governance, for example, concerning internal control related matters.
The expected nature and timing of communications among audit team members, including the nature and timing of review of work performed.
41. Factors That Determine Audit Focus Materiality levels
Overall risks and responses
Preliminary identification of high risk audit areas
Preliminary identification of material locations and accounts
Whether you plan to test controls
Composition and deployment of the audit team
41 Key Points:
The overall audit strategy includes and is significantly influenced by the auditors judgments about materiality and the risks of material misstatement at the financial statement level. Factors that determine the focus of the audit teams efforts generally include:
Materiality considerations, including planning materiality and materiality for auditors of other locations.
Overall risks and responses at the financial statement level.
Preliminary identification of areas where there may be higher risks of material misstatement, including those due to fraud.
Preliminary identification of material locations and account balances.
Plans to obtain audit evidence about the operating effectiveness of controls, i.e., whether the auditor plans to use substantive procedures alone or a combination of substantive procedures and tests of controls, and whether control tests will be performed in the current year or reliance placed on tests performed in a prior year.
Composition of the audit team and assignment of work to audit team members.
Auditing standards do not require all of the matters that affect audit strategy to be documented in one place, such as in a separate audit strategy memo. However, a brief memo that outlines key components of the audit strategy can serve as the basis for planning the current engagement. Subsequent changes in the strategy, if any, can be documented on the original memo, which satisfies the requirement to document changes in the audit strategy.
Establishing the overall audit strategy for an entity need not be complex or time consuming. Many of the matters that relate to the overall audit strategy are document in the normal course of completing the audit planning program and related practice aids.Key Points:
The overall audit strategy includes and is significantly influenced by the auditors judgments about materiality and the risks of material misstatement at the financial statement level. Factors that determine the focus of the audit teams efforts generally include:
Materiality considerations, including planning materiality and materiality for auditors of other locations.
Overall risks and responses at the financial statement level.
Preliminary identification of areas where there may be higher risks of material misstatement, including those due to fraud.
Preliminary identification of material locations and account balances.
Plans to obtain audit evidence about the operating effectiveness of controls, i.e., whether the auditor plans to use substantive procedures alone or a combination of substantive procedures and tests of controls, and whether control tests will be performed in the current year or reliance placed on tests performed in a prior year.
Composition of the audit team and assignment of work to audit team members.
Auditing standards do not require all of the matters that affect audit strategy to be documented in one place, such as in a separate audit strategy memo. However, a brief memo that outlines key components of the audit strategy can serve as the basis for planning the current engagement. Subsequent changes in the strategy, if any, can be documented on the original memo, which satisfies the requirement to document changes in the audit strategy.
Establishing the overall audit strategy for an entity need not be complex or time consuming. Many of the matters that relate to the overall audit strategy are document in the normal course of completing the audit planning program and related practice aids.
42. Assess Risks at the Relevant Assertion Level Identify risks of material misstatement (due to error or fraud) for specific
Account balances
Transaction classes
Disclosures
Consider what can go wrong at the relevant assertion level 42 Key Points:
In addition to being required to assess the risk of material misstatement at the financial statement level, the auditor is also required to assess the risk of material misstatement of the financial statements whether due to error or fraud at the assertion level for specific account balances, transaction classes, and disclosures. For the purpose of assessing the risks of material misstatement at the relevant assertion level, the auditor should do the following:
Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks.
Relate the identified risks to what can go wrong at the relevant assertion level.
The auditor uses information gathered to identify risks that may result in material misstatement of the financial statements. The auditor's identification of risks is a matter of professional judgment. It is more than reviewing a checklist of risk factors or red flags. It encompasses all of the auditor's knowledge of the client, including knowledge obtained about the entity and its environment, its management, the industry in which it operates, its internal control, and risk factors.
Risks are articulated in terms of what can go wrong in the financial statements at the assertion level. This is done, in part, because the presence of risks may only become evident when information from different sources is combined. That is, when analyzed in combination or as a whole, seemingly unrelated information might indicate a potential risk. In addition, it is difficult to link risks with responses unless the risks are stated in terms of their potential effects on the financial statements.
For More Information: Identifying risks of material misstatement at the relevant assertion level is discussed in section 303.Key Points:
In addition to being required to assess the risk of material misstatement at the financial statement level, the auditor is also required to assess the risk of material misstatement of the financial statements whether due to error or fraud at the assertion level for specific account balances, transaction classes, and disclosures. For the purpose of assessing the risks of material misstatement at the relevant assertion level, the auditor should do the following:
Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks.
Relate the identified risks to what can go wrong at the relevant assertion level.
The auditor uses information gathered to identify risks that may result in material misstatement of the financial statements. The auditor's identification of risks is a matter of professional judgment. It is more than reviewing a checklist of risk factors or red flags. It encompasses all of the auditor's knowledge of the client, including knowledge obtained about the entity and its environment, its management, the industry in which it operates, its internal control, and risk factors.
Risks are articulated in terms of what can go wrong in the financial statements at the assertion level. This is done, in part, because the presence of risks may only become evident when information from different sources is combined. That is, when analyzed in combination or as a whole, seemingly unrelated information might indicate a potential risk. In addition, it is difficult to link risks with responses unless the risks are stated in terms of their potential effects on the financial statements.
For More Information: Identifying risks of material misstatement at the relevant assertion level is discussed in section 303.
43. Assess Risks at the Relevant Assertion Level 43 Key Points:
SAS 106 states that the auditor may use the relevant assertions as they are described in the auditing standards or may express them differently provided aspects described therein have been covered. For example, the auditor may choose to combine the assertions about transactions and events with the assertions about account balances.
Using the PPC approach, the following combined categories of assertions are used to facilitate the assessment of risks at the assertion level:
Existence or Occurrence
Completeness
Rights or Obligations
Valuation or Allocation
Accuracy or Classification
Cutoff
These categories cover all of the assertions for transactions and events and account balances provided in the auditing standards, as well as those aspects of presentation and disclosure that are considered in the audit programs for individual audit areas. PPC uses the following audit objective in the general audit program to encompass the remaining assertions about presentation and disclosure that are generally considered in the process of preparing the financial statements: Financial statements are presented in accordance with GAAP. Required disclosures are complete, clearly expressed and understandable, and contain financial and other information that is fairly disclosed at appropriate amounts.Key Points:
SAS 106 states that the auditor may use the relevant assertions as they are described in the auditing standards or may express them differently provided aspects described therein have been covered. For example, the auditor may choose to combine the assertions about transactions and events with the assertions about account balances.
Using the PPC approach, the following combined categories of assertions are used to facilitate the assessment of risks at the assertion level:
Existence or Occurrence
Completeness
Rights or Obligations
Valuation or Allocation
Accuracy or Classification
Cutoff
These categories cover all of the assertions for transactions and events and account balances provided in the auditing standards, as well as those aspects of presentation and disclosure that are considered in the audit programs for individual audit areas. PPC uses the following audit objective in the general audit program to encompass the remaining assertions about presentation and disclosure that are generally considered in the process of preparing the financial statements: Financial statements are presented in accordance with GAAP. Required disclosures are complete, clearly expressed and understandable, and contain financial and other information that is fairly disclosed at appropriate amounts.
44. Assess Risks at the Relevant Assertion Level Assessing risks at the assertion level
Are the risks of a magnitude that could result in material misstatement?
What is the likelihood that the risks could result in material misstatement?
Likelihood is a function of:
Inherent risk
Control risk
Need a basis for the assessment 44 Key Points:
After identifying risks and relating them to what can go wrong in the financial statements at the relevant assertion level, the auditor should:
Consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
Consider the likelihood that the risks could result in a material misstatement of the financial statements.
Inherent risk is the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls.
Control risk is the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will be not prevented or detected on a timely basis by the entitys internal control.
The risk assessment procedures performed to obtain an understanding of the entity and its environment, including internal control, provide a basis for making the risk assessment.
For More Information: Assessing risks of material misstatement at the relevant assertion level is discussed in section 304.Key Points:
After identifying risks and relating them to what can go wrong in the financial statements at the relevant assertion level, the auditor should:
Consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
Consider the likelihood that the risks could result in a material misstatement of the financial statements.
Inherent risk is the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls.
Control risk is the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will be not prevented or detected on a timely basis by the entitys internal control.
The risk assessment procedures performed to obtain an understanding of the entity and its environment, including internal control, provide a basis for making the risk assessment.
For More Information: Assessing risks of material misstatement at the relevant assertion level is discussed in section 304.
45. Assess Risks at the Relevant Assertion Level Identify significant risks that require special audit consideration
Fraud risks
Other significant risks
Significant risks often relate to:
Significant economic, accounting, or other developments
Complex, nonroutine, or judgmental matters
Transactions with related parties
45 Key Points:
The auditor should determine which of the risks identified by risk assessment procedures are risks that require special audit consideration, that is, significant risks. One or more significant risks normally arise on most audits. Furthermore, significant risks are likely to exist even when there are no new or unusual circumstances at the client.
The determination of significant risks should be based primarily on the consideration of inherent risk, that is, it should be before consideration of the effect of identified controls related to the risk. A significant risk is generally one where the inherent risk is higher than the usual 'high' and therefore it requires special audit consideration. The auditor should determine whether the risk is such that it requires special audit consideration by focusing on the following:
The nature of the risk.
The magnitude of the potential misstatement, including the possibility of multiple misstatements.
The likelihood of the risk occurring.
Each of these aspects of the auditor's consideration need attention in determining whether special audit consideration is required, but the nature of the risk is particularly important. The nature of the risk should be evaluated by considering the following:
Is the risk a risk of fraud or theft?
Is the risk related to recent significant economic, accounting, or other developments?
Are the transactions complex?
Does the risk involve significant transactions with related parties?
Is there a relatively large degree of subjectivity in the measurement of the financial information related to the risk?
Does the risk involve significant nonroutine transactions outside the normal course of business or that otherwise appear unusual?
Hypothetically, if the auditor had a time constraint to perform the audit, would the risk be one that would absolutely need to be addressed through substantive tests of details?
An affirmative answer to any of these questions is likely to indicate the need for a specific audit response and, thus, a determination that the risk is a significant risk because it requires special audit consideration.
Fraud risks are always considered to be significant risks.Key Points:
The auditor should determine which of the risks identified by risk assessment procedures are risks that require special audit consideration, that is, significant risks. One or more significant risks normally arise on most audits. Furthermore, significant risks are likely to exist even when there are no new or unusual circumstances at the client.
The determination of significant risks should be based primarily on the consideration of inherent risk, that is, it should be before consideration of the effect of identified controls related to the risk. A significant risk is generally one where the inherent risk is higher than the usual 'high' and therefore it requires special audit consideration. The auditor should determine whether the risk is such that it requires special audit consideration by focusing on the following:
The nature of the risk.
The magnitude of the potential misstatement, including the possibility of multiple misstatements.
The likelihood of the risk occurring.
Each of these aspects of the auditor's consideration need attention in determining whether special audit consideration is required, but the nature of the risk is particularly important. The nature of the risk should be evaluated by considering the following:
Is the risk a risk of fraud or theft?
Is the risk related to recent significant economic, accounting, or other developments?
Are the transactions complex?
Does the risk involve significant transactions with related parties?
Is there a relatively large degree of subjectivity in the measurement of the financial information related to the risk?
Does the risk involve significant nonroutine transactions outside the normal course of business or that otherwise appear unusual?
Hypothetically, if the auditor had a time constraint to perform the audit, would the risk be one that would absolutely need to be addressed through substantive tests of details?
An affirmative answer to any of these questions is likely to indicate the need for a specific audit response and, thus, a determination that the risk is a significant risk because it requires special audit consideration.
Fraud risks are always considered to be significant risks.
46. Assess Risks at the Relevant Assertion Level Identify risks for which substantive procedures alone are not adequate
Revise the risk assessment and reconsider planned audit procedures if audit evidence contradicts the original risk assessment
Key Points:
When substantive procedures alone are not adequate, you will need to evaluate the design and implementation of controls and perform tests of controls, and also document the risks and related controls.
An audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the clients financial statements, and thus, risks should be evaluated continuously throughout the audit.
The Audit Program for General Auditing and Completion Procedures (AP-2) includes a step to evaluate whether the risk assessments made during planning remain appropriate and, where necessary, to revise the assessment and related responses documented on the Risk Assessment Summary Form (CX-7.1).
Key Points:
When substantive procedures alone are not adequate, you will need to evaluate the design and implementation of controls and perform tests of controls, and also document the risks and related controls.
An audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the clients financial statements, and thus, risks should be evaluated continuously throughout the audit.
The Audit Program for General Auditing and Completion Procedures (AP-2) includes a step to evaluate whether the risk assessments made during planning remain appropriate and, where necessary, to revise the assessment and related responses documented on the Risk Assessment Summary Form (CX-7.1).
47. Assess Risks at the Relevant Assertion Level Document the following:
Risk assessment at the relevant assertion level
Basis for the assessment
Significant risks
Risks for which substantive procedures alone are not adequate
CX-7.1: Risk Assessment Summary Form (Part II)
47 Key Points:
Part II of the Risk Assessment Summary Form (CX-7.1) has been designed to assist the auditor in documenting the specific risk assessment at the assertion level and the planned response. The steps to be performed to complete Part II of the form are as follows:
Identify any general risk assessment factors from CX-3.1, Understanding the Entity and Identifying Risks (including consideration of the Entity Risk Factors at CX-6.1 and Fraud Risk Factors at CX-6.2), and Part I of the Risk Assessment Summary Form at CX-7.1, that affect the risk of material misstatement for particular account balances, transaction classes, or disclosures.
Determine the audit areas that are significant.
Describe the specific risks of material misstatement that affect the account balance, transaction class, or disclosure; identify the financial statement assertion affected; and consider the significance of the risks.
Determine the documentation approach to be used when assessing the risk of material misstatement (that is, by audit area or by assertion).
Make a qualitative assessment of inherent risk as high, moderate, or low.
Make a qualitative evaluation of control risk as high, moderate, or low.
Make a qualitative assessment of the remaining or combined risk of material misstatement as high, moderate, or low based on the prior evaluations of inherent risk and control risk.
Determine the response to the risk assessment by selecting an audit approach that includes sufficient further audit procedures to adequately respond to the risk assessment.
Provide any relevant comments on audit approach, including any modifications of audit procedures made in response to fraud risks or other significant risks.
Presentation Tips:
Review a blank copy of CX-7.1 (Part II) with the participants. Point out that the form lists common audit areas and provides additional space to add audit areas unique to the particular client.
A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
For More Information: Documenting the risk assessment using CX-7.1 is discussed in section 305.Key Points:
Part II of the Risk Assessment Summary Form (CX-7.1) has been designed to assist the auditor in documenting the specific risk assessment at the assertion level and the planned response. The steps to be performed to complete Part II of the form are as follows:
Identify any general risk assessment factors from CX-3.1, Understanding the Entity and Identifying Risks (including consideration of the Entity Risk Factors at CX-6.1 and Fraud Risk Factors at CX-6.2), and Part I of the Risk Assessment Summary Form at CX-7.1, that affect the risk of material misstatement for particular account balances, transaction classes, or disclosures.
Determine the audit areas that are significant.
Describe the specific risks of material misstatement that affect the account balance, transaction class, or disclosure; identify the financial statement assertion affected; and consider the significance of the risks.
Determine the documentation approach to be used when assessing the risk of material misstatement (that is, by audit area or by assertion).
Make a qualitative assessment of inherent risk as high, moderate, or low.
Make a qualitative evaluation of control risk as high, moderate, or low.
Make a qualitative assessment of the remaining or combined risk of material misstatement as high, moderate, or low based on the prior evaluations of inherent risk and control risk.
Determine the response to the risk assessment by selecting an audit approach that includes sufficient further audit procedures to adequately respond to the risk assessment.
Provide any relevant comments on audit approach, including any modifications of audit procedures made in response to fraud risks or other significant risks.
Presentation Tips:
Review a blank copy of CX-7.1 (Part II) with the participants. Point out that the form lists common audit areas and provides additional space to add audit areas unique to the particular client.
A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firms completed practice aids, with participants.
For More Information: Documenting the risk assessment using CX-7.1 is discussed in section 305.
48. The Detailed Audit Plan The nature, timing, and extent of further audit procedures to respond to the risk assessment (i.e., the audit program)
Provides linkage between the risk assessment and the responses at the assertion level 48 Key Points:
The objective of the risk assessment at the relevant assertion level is the development of a detailed audit plan (including the nature, timing, and extent of planned further audit procedures) that adequately responds to the identified risks. The detailed audit plan is also referred to as the audit program.
The individual audit programs in the PPC approach list each audit procedure and the related assertions. The assessment of the risk of material misstatement by assertion assists the auditor when deciding on an appropriate audit response by providing linkage between the risks and related audit program procedures.
Linkage means developing procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.Key Points:
The objective of the risk assessment at the relevant assertion level is the development of a detailed audit plan (including the nature, timing, and extent of planned further audit procedures) that adequately responds to the identified risks. The detailed audit plan is also referred to as the audit program.
The individual audit programs in the PPC approach list each audit procedure and the related assertions. The assessment of the risk of material misstatement by assertion assists the auditor when deciding on an appropriate audit response by providing linkage between the risks and related audit program procedures.
Linkage means developing procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.
49. Tailoring the PPC Audit Programs Key Points:
The PPC audit programs for individual audit areas include the following sections:
Basic Procedures, which include primarily substantive analytical procedures and certain tests of details, most of which are required by the SASs (such as confirmation of receivables, inventory observation, and tests to address the risk of improper revenue recognition).
Extended Procedures (Procedures for Additional Assurance), which include procedures from which the auditor can choose one or more steps as necessary to supplement the basic procedures in response to the auditor's risk assessment at the relevant assertion level.
Other Audit Procedures, which include procedures that may be warranted due to the specific circumstances of the engagement. (Other audit procedures are considered Extended Procedures when completing the Risk Assessment Summary Form.)
The purpose of the risk assessment is to determine the nature, timing, and extent of further audit procedures to be performed. PPC refers to the overall decision of which further audit procedures to perform as the selection of an audit approach. The approach may consist of one of the following:
Limited: Perform only limited procedures and do not develop a separate audit program
Basic: Perform basic procedures from the audit program
Basic + Extended: Perform basic procedures plus certain extended procedures from the audit program
When no separate specific audit program is needed for an audit area because the procedures for preliminary analytics, other risk assessment procedures, and final analytics are sufficient, that approach is referred to as the Limited approach. The Limited approach is generally appropriate only for audit areas that are not significant and have a low combined risk of material misstatement.
Auditors decide whether to apply a Basic or Basic + Extended approach based on the risk assessment at the relevant assertion level. Usually, a low or moderate risk of material misstatement in a significant audit area means that a Basic approach may be appropriate for those assertions. If risk is higher, a Basic + Extended approach may be chosen. The decision about whether to use a Basic + Extended approach considers the following factors:
Whether the audit area is significant.
Whether the audit area contains any specifically identified risks.
Whether an identified risk is considered to be a fraud risk or other significant risk.
The assessed level of the risk of material misstatement.
The extended procedures section of the audit programs provides a source list of possible audit procedures. The auditor selects procedures from the list that are needed to supplement the basic procedures to adequately respond to the risk assessment.
The particular tests selected, whether they are basic or extended, should be tailored to the nature, cause, and direction of potential misstatements at the relevant assertion level. It may also be appropriate to alter the extent or timing of the procedures to adequately respond to the risk assessment. When a Basic + Extended approach is used, extended procedures will normally be performed only for those assertions that are of concern to the auditor based on the risk assessment.
Presentation Tip:
Review a PPC audit program with the participants and point out the sections of basic, extended, and other procedures. Also point out how the assertions for each procedure provide linkage to the risk assessment.
For More Information: Selecting an audit approach and tailoring the PPC audit programs are discussed in section 305.Key Points:
The PPC audit programs for individual audit areas include the following sections:
Basic Procedures, which include primarily substantive analytical procedures and certain tests of details, most of which are required by the SASs (such as confirmation of receivables, inventory observation, and tests to address the risk of improper revenue recognition).
Extended Procedures (Procedures for Additional Assurance), which include procedures from which the auditor can choose one or more steps as necessary to supplement the basic procedures in response to the auditor's risk assessment at the relevant assertion level.
Other Audit Procedures, which include procedures that may be warranted due to the specific circumstances of the engagement. (Other audit procedures are considered Extended Procedures when completing the Risk Assessment Summary Form.)
The purpose of the risk assessment is to determine the nature, timing, and extent of further audit procedures to be performed. PPC refers to the overall decision of which further audit procedures to perform as the selection of an audit approach. The approach may consist of one of the following:
Limited: Perform only limited procedures and do not develop a separate audit program
Basic: Perform basic procedures from the audit program
Basic + Extended: Perform basic procedures plus certain extended procedures from the audit program
When no separate specific audit program is needed for an audit area because the procedures for preliminary analytics, other risk assessment procedures, and final analytics are sufficient, that approach is referred to as the Limited approach. The Limited approach is generally appropriate only for audit areas that are not significant and have a low combined risk of material misstatement.
Auditors decide whether to apply a Basic or Basic + Extended approach based on the risk assessment at the relevant assertion level. Usually, a low or moderate risk of material misstatement in a significant audit area means that a Basic approach may be appropriate for those assertions. If risk is higher, a Basic + Extended approach may be chosen. The decision about whether to use a Basic + Extended approach considers the following factors:
Whether the audit area is significant.
Whether the audit area contains any specifically identified risks.
Whether an identified risk is considered to be a fraud risk or other significant risk.
The assessed level of the risk of material misstatement.
The extended procedures section of the audit programs provides a source list of possible audit procedures. The auditor selects procedures from the list that are needed to supplement the basic procedures to adequately respond to the risk assessment.
The particular tests selected, whether they are basic or extended, should be tailored to the nature, cause, and direction of potential misstatements at the relevant assertion level. It may also be appropriate to alter the extent or timing of the procedures to adequately respond to the risk assessment. When a Basic + Extended approach is used, extended procedures will normally be performed only for those assertions that are of concern to the auditor based on the risk assessment.
Presentation Tip:
Review a PPC audit program with the participants and point out the sections of basic, extended, and other procedures. Also point out how the assertions for each procedure provide linkage to the risk assessment.
For More Information: Selecting an audit approach and tailoring the PPC audit programs are discussed in section 305.
50. Performing Further Audit Procedures 50 Key Points:
The next few slides address Step 4 of the PPC Audit Approach: Perform Further Audit Procedures.
Further audit procedures include tests of controls and substantive procedures.
Substantive procedures include tests of details and substantive analytical procedures.
For More Information: Performing further audit procedures is discussed in Chapter 4.
Key Points:
The next few slides address Step 4 of the PPC Audit Approach: Perform Further Audit Procedures.
Further audit procedures include tests of controls and substantive procedures.
Substantive procedures include tests of details and substantive analytical procedures.
For More Information: Performing further audit procedures is discussed in Chapter 4.
51. Tests of Controls Perform tests of controls if:
Relying on them to reduce the risk assessment
Substantive tests alone are not adequate
Inquiry alone is not sufficient for testing controls 51 Key Points:
Unlike the evaluation of control design and implementation (which is required in every audit), tests of controls, which are categorized as further audit procedures, are not required in every audit. Tests of controls are performed when the auditor plans to rely on their operating effectiveness when designing substantive procedures.
Tests of controls are also performed when substantive procedures alone are not effective, such as when an entitys accounting data and corroborating evidence are available only in electronic form that is not retrievable after a period of time. Also, some auditors believe that in small business audits, the risk of theft of cash is such that it is usually necessary to test controls over cash receipts and disbursements.
When controls are tested, controls would not generally be tested for every significant class of transactions, account balance, disclosure, or relevant assertion, but only for those with respect to which you plan to limit substantive procedures in reliance on the related controls.
In some circumstances, testing controls would be unnecessary or inefficient. Only effectively designed controls should be tested for operating effectiveness. There is no benefit to testing the operating effectiveness of a control that is inappropriately designed to prevent, or detect and correct, a material misstatement in a relevant assertion or that has not been properly implemented.
Since inquiry alone is not sufficient, you need to use a combination of procedures, such as:
Inquiries of appropriate personnel
Observation of the control being performed
Inspection of documents, reports, or electronic files
Walkthroughs
Reperformance of the control
Review of reconciliations/bookkeeping routines
Presentation Tip:
Consider reviewing Exhibit 4-6, Efficiency Opportunities in Testing Controls, with participants.Key Points:
Unlike the evaluation of control design and implementation (which is required in every audit), tests of controls, which are categorized as further audit procedures, are not required in every audit. Tests of controls are performed when the auditor plans to rely on their operating effectiveness when designing substantive procedures.
Tests of controls are also performed when substantive procedures alone are not effective, such as when an entitys accounting data and corroborating evidence are available only in electronic form that is not retrievable after a period of time. Also, some auditors believe that in small business audits, the risk of theft of cash is such that it is usually necessary to test controls over cash receipts and disbursements.
When controls are tested, controls would not generally be tested for every significant class of transactions, account balance, disclosure, or relevant assertion, but only for those with respect to which you plan to limit substantive procedures in reliance on the related controls.
In some circumstances, testing controls would be unnecessary or inefficient. Only effectively designed controls should be tested for operating effectiveness. There is no benefit to testing the operating effectiveness of a control that is inappropriately designed to prevent, or detect and correct, a material misstatement in a relevant assertion or that has not been properly implemented.
Since inquiry alone is not sufficient, you need to use a combination of procedures, such as:
Inquiries of appropriate personnel
Observation of the control being performed
Inspection of documents, reports, or electronic files
Walkthroughs
Reperformance of the control
Review of reconciliations/bookkeeping routines
Presentation Tip:
Consider reviewing Exhibit 4-6, Efficiency Opportunities in Testing Controls, with participants.
52. Tests of Controls Rotational tests of controls are permitted:
Obtain evidence about whether the controls have changed using inquiry, observation, and inspection
If controls have changed, rotation is not appropriate
Test a control at least once every three years
If several controls are rotationally tested, test some controls each year
If relying on controls for significant risks, controls must be tested in the current year
CX-10.1: Test of Controls Form
52 Key Point:
SAS 110 allows the use audit evidence about the operating effectiveness of controls obtained in prior audits subject to the conditions listed on this slide. If these conditions are met, the audit practice of rotating tests of controls over a three year cycle might be used.
Presentation Tips:
Review a blank copy of CX-10.1, Test of Controls Form, with the participants. Point out how it allows for rotational control tests.
A completed CX-10.1 is illustrated in Case Study 1 at Appendix A-13. Consider reviewing that document, or one of the firms completed practice aids, with participants.Key Point:
SAS 110 allows the use audit evidence about the operating effectiveness of controls obtained in prior audits subject to the conditions listed on this slide. If these conditions are met, the audit practice of rotating tests of controls over a three year cycle might be used.
Presentation Tips:
Review a blank copy of CX-10.1, Test of Controls Form, with the participants. Point out how it allows for rotational control tests.
A completed CX-10.1 is illustrated in Case Study 1 at Appendix A-13. Consider reviewing that document, or one of the firms completed practice aids, with participants.
53. Substantive Procedures Test all relevant assertions for material account balances, transaction classes, and disclosures
Perform procedures specifically to address significant risks
Substantive analytical procedures alone are not sufficient for significant risks
53 Key Points:
SAS 110 requires performance of substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure because:
The assessment of risk is judgmental and might not be sufficiently precise to identify all risks of material misstatement.
There are inherent limitations to internal control, including management override, and even effective internal controls generally reduce, but do not eliminate, the risk of material misstatement.
In other words, even if you conclude that the risk of material misstatement is low for a particular assertion related to a material account balance, transaction class, or disclosure, based on performing risk assessment procedures and tests of controls, some substantive procedures are still required.
Audit procedures in PPCs audit programs are linked to assertions to provide assurance that all relevant assertions have been tested.
Significant risks are risks that require special audit attention in the form of substantive procedures. When the audit approach to significant risks consists only of substantive procedures (that is, you do not plan to rely on controls), the substantive procedures should be tests of details only or a combination of tests of details and substantive analytical procedures. The use of only substantive analytical procedures is not permitted.
For More Information: Substantive procedures are discussed in section 403.Key Points:
SAS 110 requires performance of substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure because:
The assessment of risk is judgmental and might not be sufficiently precise to identify all risks of material misstatement.
There are inherent limitations to internal control, including management override, and even effective internal controls generally reduce, but do not eliminate, the risk of material misstatement.
In other words, even if you conclude that the risk of material misstatement is low for a particular assertion related to a material account balance, transaction class, or disclosure, based on performing risk assessment procedures and tests of controls, some substantive procedures are still required.
Audit procedures in PPCs audit programs are linked to assertions to provide assurance that all relevant assertions have been tested.
Significant risks are risks that require special audit attention in the form of substantive procedures. When the audit approach to significant risks consists only of substantive procedures (that is, you do not plan to rely on controls), the substantive procedures should be tests of details only or a combination of tests of details and substantive analytical procedures. The use of only substantive analytical procedures is not permitted.
For More Information: Substantive procedures are discussed in section 403.
54. Substantive Procedures Perform the following substantive procedures in all audits:
Agree the financial statements and notes to the accounting records
Examine material journal entries and other adjustments made when preparing the financial statements
Procedures required by SAS 99 to address the risk of management override of controls
Required procedures are on AP-2, Audit Program for General Auditing and Completion Procedures 54 Key Points:
Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control, particularly the risk of management override, the auditing standards prescribe certain substantive procedures that should be performed in every audit.
SAS 110 requires that the auditor perform the following substantive procedures in every audit:
Agreeing the financial statements, including the accompanying notes, to the underlying accounting records.
Examining material journal entries and other adjustments made during the course of preparing the financial statements.
SAS 99 also requires certain substantive procedures in all audits to address the risk of management override of controls. These required procedures are as follows:
Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud.
Reviewing accounting estimates for bias that could result in material misstatement due to fraud.
Evaluating the business rationale for significant unusual transactions.
Both SAS 110 and SAS 99 require examining journal entries and other adjustments, but the requirement of SAS 99 is focused on identifying fraudulent journal entries. Thus, the nature, timing, and extent of procedures required by SAS 99 are different from those required by SAS 110. SAS 110 focuses on journal entries made during the course of preparing the financial statements and SAS 99 requires the auditor to consider reviewing journal entries made throughout the year. Auditors should ensure that their audit procedures satisfy both requirements.
Using the PPC approach, these procedures are included in the Audit Program for General Auditing and Completion Procedures (AP-2).Key Points:
Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control, particularly the risk of management override, the auditing standards prescribe certain substantive procedures that should be performed in every audit.
SAS 110 requires that the auditor perform the following substantive procedures in every audit:
Agreeing the financial statements, including the accompanying notes, to the underlying accounting records.
Examining material journal entries and other adjustments made during the course of preparing the financial statements.
SAS 99 also requires certain substantive procedures in all audits to address the risk of management override of controls. These required procedures are as follows:
Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud.
Reviewing accounting estimates for bias that could result in material misstatement due to fraud.
Evaluating the business rationale for significant unusual transactions.
Both SAS 110 and SAS 99 require examining journal entries and other adjustments, but the requirement of SAS 99 is focused on identifying fraudulent journal entries. Thus, the nature, timing, and extent of procedures required by SAS 99 are different from those required by SAS 110. SAS 110 focuses on journal entries made during the course of preparing the financial statements and SAS 99 requires the auditor to consider reviewing journal entries made throughout the year. Auditors should ensure that their audit procedures satisfy both requirements.
Using the PPC approach, these procedures are included in the Audit Program for General Auditing and Completion Procedures (AP-2).
55. Documenting Further Audit Procedures Document the following:
Nature, timing, and extent
Linkage
Results
Conclusion about relying on tests of controls performed in a prior audit 55 Key Points:
The nature, timing, extent, and results of substantive procedures are documented using an audit program. In addition, the Risk Assessment Summary Form (CX-7.1) combined with the audit programs provides documentation of the linkage of substantive procedures with assessed risks at the assertion level.
The Test of Controls Form (CX-10.1) provides for documentation of procedures performed to determine that controls tested in a prior audit have not changed, and guidance on the form indicates that (1) controls should be retested at least once every three years; (2) when a number of controls are rotationally tested, some controls should be tested each year; and (3) controls related to fraud risks or other significant risks should be tested each year.Key Points:
The nature, timing, extent, and results of substantive procedures are documented using an audit program. In addition, the Risk Assessment Summary Form (CX-7.1) combined with the audit programs provides documentation of the linkage of substantive procedures with assessed risks at the assertion level.
The Test of Controls Form (CX-10.1) provides for documentation of procedures performed to determine that controls tested in a prior audit have not changed, and guidance on the form indicates that (1) controls should be retested at least once every three years; (2) when a number of controls are rotationally tested, some controls should be tested each year; and (3) controls related to fraud risks or other significant risks should be tested each year.
56. Evaluating Audit Findings Accumulate misstatements:
Known
Likely, including differences in estimates and projected misstatements
Evaluate misstatements 56 Key Points:
The next few slides address Step 5 of the PPC Audit Approach: Evaluate Audit Findings, which is the final step addressed by the risk assessment standards.
SAS 107 requires the evaluation of whether the financial statements taken as a whole are free of material misstatement. It requires that both the individual and aggregate effects of all uncorrected misstatements (known and likely) be considered to evaluate whether the financial statements are fairly stated.
Known misstatements are specific misstatements identified by performing audit procedures. Known misstatements arise from the incorrect selection or misapplication of accounting principles or the overlooking or misinterpretation of facts, such as mistakes in gathering or processing data.
Likely misstatements are misstatements that:
Arise from differences between managements and the auditors judgments concerning accounting estimates that the auditor considers unreasonable or inappropriate (for example, because an estimate included in the financial statements by management is outside of the range of reasonable outcomes the auditor had determined).
The auditor considers likely to exist based on an extrapolation from audit evidence obtained (for example, the amount obtained by projecting known misstatements identified in an audit sample to the entire population from which the sample was drawn).
Known misstatements are observed directly by the auditor when performing audit procedures. For example, a sales transaction recorded in the wrong accounting period is a known misstatement. Likely misstatements are the auditors best estimate or projection, as a result of applying audit procedures, of the misstatement for a balance or class of transactions. Likely misstatements are not actually observed by the auditor, but are based on the results of audit tests, such as the projected misstatement from a sampling application.
Evaluation of audit differences should include consideration of:
Nature. For example, goods shipped but not billed, accounts payable not recorded, and assets expensed instead of capitalized.
Cause. For example, arithmetic or mechanical mistake, inappropriate application of an accounting principle because of misunderstanding, intentional use of an accounting principle that is not generally accepted, and whether misstatements are isolated or related to a common cause.
Amount. The dollar amount of the difference and whether the difference is an overstatement or understatement.
Effect. The financial statement components affected by the difference (for example, income before taxes and working capital). (Also, consider the effect on compliance with loan covenants, such as maintaining certain operating ratios, or similar issues.)
Misstatements should be combined in a way that enables you to consider whether, in relation to individual amounts, subtotals, or totals in the financial statements, the misstatements materially misstate the financial statements taken as a whole. That simply means that you need to consider not only the materiality of individual misstatements, but also their combined effect on important financial statement totals or subtotals (for example, current assets, current liabilities, or gross profit).
For More Information: Evaluating audit findings is discussed in section 404.Key Points:
The next few slides address Step 5 of the PPC Audit Approach: Evaluate Audit Findings, which is the final step addressed by the risk assessment standards.
SAS 107 requires the evaluation of whether the financial statements taken as a whole are free of material misstatement. It requires that both the individual and aggregate effects of all uncorrected misstatements (known and likely) be considered to evaluate whether the financial statements are fairly stated.
Known misstatements are specific misstatements identified by performing audit procedures. Known misstatements arise from the incorrect selection or misapplication of accounting principles or the overlooking or misinterpretation of facts, such as mistakes in gathering or processing data.
Likely misstatements are misstatements that:
Arise from differences between managements and the auditors judgments concerning accounting estimates that the auditor considers unreasonable or inappropriate (for example, because an estimate included in the financial statements by management is outside of the range of reasonable outcomes the auditor had determined).
The auditor considers likely to exist based on an extrapolation from audit evidence obtained (for example, the amount obtained by projecting known misstatements identified in an audit sample to the entire population from which the sample was drawn).
Known misstatements are observed directly by the auditor when performing audit procedures. For example, a sales transaction recorded in the wrong accounting period is a known misstatement. Likely misstatements are the auditors best estimate or projection, as a result of applying audit procedures, of the misstatement for a balance or class of transactions. Likely misstatements are not actually observed by the auditor, but are based on the results of audit tests, such as the projected misstatement from a sampling application.
Evaluation of audit differences should include consideration of:
Nature. For example, goods shipped but not billed, accounts payable not recorded, and assets expensed instead of capitalized.
Cause. For example, arithmetic or mechanical mistake, inappropriate application of an accounting principle because of misunderstanding, intentional use of an accounting principle that is not generally accepted, and whether misstatements are isolated or related to a common cause.
Amount. The dollar amount of the difference and whether the difference is an overstatement or understatement.
Effect. The financial statement components affected by the difference (for example, income before taxes and working capital). (Also, consider the effect on compliance with loan covenants, such as maintaining certain operating ratios, or similar issues.)
Misstatements should be combined in a way that enables you to consider whether, in relation to individual amounts, subtotals, or totals in the financial statements, the misstatements materially misstate the financial statements taken as a whole. That simply means that you need to consider not only the materiality of individual misstatements, but also their combined effect on important financial statement totals or subtotals (for example, current assets, current liabilities, or gross profit).
For More Information: Evaluating audit findings is discussed in section 404.
57. Evaluating Audit Findings Request management to
Correct known misstatements
Examine and correct the population when likely misstatements are identified by sampling
Review assumptions and methods when likely misstatements involve differences in estimates 57 Key Points:
The auditor should ask management to correct all known misstatements, other than trivial ones, the auditor has identified, and to examine the account balance, transaction class, or disclosure in which the auditor identified a material likely misstatement from a sample in order to identify and correct misstatements.
When the auditor has identified a likely misstatement involving a difference in an estimate, the auditor should ask management to review the assumptions and methods used in developing its (management's) estimate. After management has reviewed and challenged the assumptions and methods, the auditor should reevaluate the amount of likely misstatement and, if necessary, perform further audit procedures.
If management does not correct some or all of the known or likely misstatements that were identified, the auditor should obtain an understanding of the reasons and implications for the audit report. The auditor must consider the effects, both individually and in the aggregate, of misstatements that are not corrected. Key Points:
The auditor should ask management to correct all known misstatements, other than trivial ones, the auditor has identified, and to examine the account balance, transaction class, or disclosure in which the auditor identified a material likely misstatement from a sample in order to identify and correct misstatements.
When the auditor has identified a likely misstatement involving a difference in an estimate, the auditor should ask management to review the assumptions and methods used in developing its (management's) estimate. After management has reviewed and challenged the assumptions and methods, the auditor should reevaluate the amount of likely misstatement and, if necessary, perform further audit procedures.
If management does not correct some or all of the known or likely misstatements that were identified, the auditor should obtain an understanding of the reasons and implications for the audit report. The auditor must consider the effects, both individually and in the aggregate, of misstatements that are not corrected.
58. Evaluating Audit Findings Document the following:
A summary of uncorrected misstatements
The conclusion about whether the financial statements are materially misstated and the basis for that conclusion
Known and likely misstatements that have been corrected by management
CX-12.2: Audit Difference Evaluation Form Key Points:
In order to evaluate the combined effect of various uncorrected misstatements, it is necessary to summarize them in one place in the workpapers. SAS 107 states that the auditor should document the following:
A summary of uncorrected misstatements, other than trivial ones, related to known and likely misstatements.
The auditor's conclusion as to whether uncorrected misstatements, individually or in the aggregate, do or do not cause the financial statements to be materially misstated, and the basis for that conclusion.
All known and likely misstatements identified by the auditor during the audit, other than trivial ones, that have been corrected by management.
The documentation of uncorrected misstatements should allow the auditor to do the following:
Separately consider the effects of known and likely misstatements, including uncorrected misstatements identified in prior periods.
Consider the aggregate effect of misstatements on the financial statements.
Consider the qualitative factors that are relevant to the auditor's consideration of whether misstatements are material.
A variety of workpaper formats could be used to summarize audit differences for consideration of their combined effect on the financial statements. The important point is that the summary should address the documentation requirements. The summary should allow for the materiality of misstatements to be evaluated both individually and in combination. The Audit Difference Evaluation Form (CX-12.2) provides a suggested format for accumulating and evaluating misstatements.
Presentation Tips:
Review a blank copy of CX-12.2, Audit Difference Evaluation Form, with the participants.
A completed CX-12.2 is illustrated in Case Study 1 at Appendix A-14. Consider reviewing that document, or one of the firms completed practice aids, with participants.Key Points:
In order to evaluate the combined effect of various uncorrected misstatements, it is necessary to summarize them in one place in the workpapers. SAS 107 states that the auditor should document the following:
A summary of uncorrected misstatements, other than trivial ones, related to known and likely misstatements.
The auditor's conclusion as to whether uncorrected misstatements, individually or in the aggregate, do or do not cause the financial statements to be materially misstated, and the basis for that conclusion.
All known and likely misstatements identified by the auditor during the audit, other than trivial ones, that have been corrected by management.
The documentation of uncorrected misstatements should allow the auditor to do the following:
Separately consider the effects of known and likely misstatements, including uncorrected misstatements identified in prior periods.
Consider the aggregate effect of misstatements on the financial statements.
Consider the qualitative factors that are relevant to the auditor's consideration of whether misstatements are material.
A variety of workpaper formats could be used to summarize audit differences for consideration of their combined effect on the financial statements. The important point is that the summary should address the documentation requirements. The summary should allow for the materiality of misstatements to be evaluated both individually and in combination. The Audit Difference Evaluation Form (CX-12.2) provides a suggested format for accumulating and evaluating misstatements.
Presentation Tips:
Review a blank copy of CX-12.2, Audit Difference Evaluation Form, with the participants.
A completed CX-12.2 is illustrated in Case Study 1 at Appendix A-14. Consider reviewing that document, or one of the firms completed practice aids, with participants.
59. Summary Completed risk assessment consists of:
AP-1: Audit Program for General Planning Procedures
CX-1.1: Engagement Acceptance and Continuance Form
CX-2: Financial Statement Materiality Worksheet for Planning Purposes
CX-3.1: Understanding the Entity and Identifying Risks
CX-3.2: Engagement Team Discussion
CX-3.3: Fraud Risk Inquiries Form Key Points:
The next two slides summarize the PPC practice aids that constitute a completed risk assessment. Ask participants if they have any questions about the use of these forms.
If the firm uses alternative methods of documentation instead of using one or more of these forms, audit team members need to make sure that the requirements of the practice aids are addressed in the alternative documentation.Key Points:
The next two slides summarize the PPC practice aids that constitute a completed risk assessment. Ask participants if they have any questions about the use of these forms.
If the firm uses alternative methods of documentation instead of using one or more of these forms, audit team members need to make sure that the requirements of the practice aids are addressed in the alternative documentation.
60. Summary Completed risk assessment (cont.)
CX-4.1: Understanding the Design and Implementation of Internal Control
CX-4.2.1: Financial Reporting System Documentation FormSignificant Transaction Classes (for each significant transaction class and financial close and reporting)
CX-4.2.2: Financial Reporting System Documentation FormIT Environment and General Computer Controls
CX-4.3: Walkthrough Documentation Table (for each walkthrough)
CX-7.1: Risk Assessment Summary Form
61. Summary Other PPC practice aids related to risk assessment standards
CX-5: Activity and Entity-level Control Forms (optional)
CX-6.1: Entity Risk Factors (memory jogger)
CX-6.2: Fraud Risk Factors (memory jogger)
CX-10.1: Test of Controls Form (if controls are tested)
CX-12.2: Audit Difference Evaluation Form
AP-2: Audit Program for General Auditing and Completion Procedures
Tailored audit programs for individual audit areas Key Point:
This slide lists other practice aids discussed in this course. Ask participants if they have any questions about the use of these forms.Key Point:
This slide lists other practice aids discussed in this course. Ask participants if they have any questions about the use of these forms.
62. AICPA Clarity Project All risk assessment standards will be redrafted and reissued effective for 2012 calendar year-end audits
Changes will be made in the format of the standards and to converge with International Standards on Auditing
No significant changes in risk assessment are expected
Revised definition of fraud
New term: performance materiality Key Points:
The Clarity Project is the AICPAs response to growing concerns about the complexity of auditing standards and its effort to converge U.S. generally accepted auditing standards with International Standards on Auditing. The Clarity Project includes revision of the format of all existing standards, including the risk assessment standards.
The revised standards will be issued as one SAS and effective for audits of financial statements for periods ending on or after December 15, 2012 (i.e., 2012 calendar year-ends).
No significant changes in risk assessment requirements are expected. Some requirements of the risk assessment standards will be moved to other auditing standards; however, the requirements are not eliminated. The following changes will also occur:
As part of the Clarity Project, a clarified SAS will revise the current definition of fraud to converge with international standards. This change is not expected to affect audit practice.
As part of the Clarity Project, a clarified SAS will replace the term tolerable misstatement with the term performance materiality. Performance materiality is an amount, set by the auditor, less than materiality to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements taken as a whole. The term tolerable misstatement will be reserved for concepts related to the application of materiality in audit sampling. This change is not expected to affect audit practice.Key Points:
The Clarity Project is the AICPAs response to growing concerns about the complexity of auditing standards and its effort to converge U.S. generally accepted auditing standards with International Standards on Auditing. The Clarity Project includes revision of the format of all existing standards, including the risk assessment standards.
The revised standards will be issued as one SAS and effective for audits of financial statements for periods ending on or after December 15, 2012 (i.e., 2012 calendar year-ends).
No significant changes in risk assessment requirements are expected. Some requirements of the risk assessment standards will be moved to other auditing standards; however, the requirements are not eliminated. The following changes will also occur:
As part of the Clarity Project, a clarified SAS will revise the current definition of fraud to converge with international standards. This change is not expected to affect audit practice.
As part of the Clarity Project, a clarified SAS will replace the term tolerable misstatement with the term performance materiality. Performance materiality is an amount, set by the auditor, less than materiality to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements taken as a whole. The term tolerable misstatement will be reserved for concepts related to the application of materiality in audit sampling. This change is not expected to affect audit practice.
63. Questions?