PDF

Auditing in CIS Environment 1
Module 1 – Auditing in CIS Environment

Prerequisite Skills: Accounting Information System/ System Analysis and Design/Database
Management
Instructors: Villardo A. Parocha
Level: 4
Allotted Time: __ hours
Overview
In this module, it complements the course in auditing. It discusses information technology (IT) – related
risks, security and control mechanisms and techniques that may be employed to address the risks, and
the impact of computer use on the audit. It also introduces computer assisted audit techniques and
tools.
Objectives
Upon completion of this module, you should be able to:

a. Gain appreciation of particular features and understanding of the risks involved in auditing in a
CIS environment.
b. CIS controls they would expect to find in this particular area.
c. How auditors use CAATS (computer Assisted Audit Techniques)
d. Gain hands-on experience in the use of computers in performing audits.
Pretest
Self-Assessment
True or False Questions

Indicate in the space provided if the following statements are true or false.
___ 1. Auditors may be independent in fact but not independent in appearance.
___ 2. Standards for accountants in public practice are limited to auditing services.
___ 3. The attestation standards provide guidance for a wide variety of attestation engagements.
___ 4. The AICPA’s Generally Accepted Auditing Standards consist of three standards.
___ 5. The three general standards relate to quality criteria for conducting an audit.
___ 6. Auditors cannot effectively satisfy the general standards requiring due professional care if they have not
also satisfied the standards of field work.
___ 7. Auditing procedures are quality guides that are less specific than auditing standards.
___ 8. Auditing procedures are the same as auditing standards.
___ 9. The concept of due professional care requires auditors to observe all the standards of field work and
standards of reporting.
___ 10. Attestation standards require the practitioner to obtain a sufficient understanding of the client’s internal
control.
___ 11. The standards of field work set forth quality criteria for conducting an audit.
SCHOOL OF BUSINESS AND ACCOUNTANCY

___ 12. Auditors of entities registered with the Securities and Exchange Commission are required to register with
the Public Company Accounting Oversight Board (PCAOB).
___ 13. Control risk is the probability that a material misstatement (error or fraud) could occur and not be
prevented or detected on a timely basis by the entity’s external auditors.
___ 14. Evidence that is considered “appropriate” in auditing means that all underlying accounting data and
corroborating information must be absolutely compelling to auditors.
___ 15. Even in the audit of historical cost financial statements, auditors make many inferences about the future.
___ 16. The auditors’ report is guided by three AICPA standards of reporting.
___ 17. The auditors’ standard report should always make direct reference to consistency and disclosure.
___ 18. The auditors’ standard report should either contain an expression of opinion on the financial statements
taken as a whole or an assertion to the effect that an opinion cannot be expressed.
___ 19. Evidence is appropriate when it is both valid and relevant.
___ 20. The quality control standard of engagement performance includes hiring people who can perform
competently.
Learning Focus
A. Auditing and Assurance Services
User Demand for Reliable Information
 Today’s information
 More complex
 Demanded by remote users
 Demanded in a more timely manner
 Has far reaching consequences
 Information risk
 the risk (probability) that the information (mainly financial) disseminated by a company will
be materially false or misleading.
 users demand an independent third party assessment of the information

Exhibit 1.2
Overview of Financial Statement Auditing
Definition of Auditing
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding

assertions about economic actions and events to ascertain the degree of correspondence between
the assertions and established criteria and communicating the results to interested users.
Financial statements GAAP

(including footnotes) Auditor's Report/
Other Reports Persons who rely on
the financial reports
 Creditors
 Investors

The Relationships Among Auditing, Attestation, and Assurance Engagements
Assurance Services
 Assurance services are independent professional services that improve the quality of
information, or its context, for decision makers.
Examples
 Consumer reports
 Underwriters laboratories
 CPA WebTrust
 Performance View
 PrimePlus Services
Attestation Engagements
 An attestation engagement - a practitioner is assesses and reports on “subject matter or an
assertion about the subject matter that is the responsibility of another party.”
 Some financial attestation engagements (other than audits)
 Supplementary financial statistics
 Pro forma financial information
 Financial forecasts and projections
 Some non-financial attestation engagements
 Compliance with contractual requirements
 Effectiveness of internal control systems
 Inventory quantities and locations

Sarbanes-Oxley Act of 2002
 In response to several accounting related corporate scandals Congress passed the Sarbanes-
Oxley Act
 The Act’s major provisions include:
 Requirement of CEO/CFO certification of financial statements
 Requirement of auditor examination of company internal controls
 Creation of the Public Company Accounting Oversight Board (PCAOB) to serve as an
auditing profession “watchdog.”
 Prohibition of certain client services by firms conducting a client’s audit.
Sarbanes-Oxley: Management’s Responsibility For Financial Reporting
 One of its most important provisions (Section 302) states that the key company officials must
certify the financial statements.
 The company CEO and CFO must sign a statement indicating:
1. They have read the financial statements.
2. They are not aware of any false or misleading statements (or any key omitted disclosures).
3. They believe that the financial statements present an accurate picture of the company’s
financial condition.
Source: U.S. Congress, Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat/ 745 (2002).
PCAOB Management Assertions
 Existence or occurrence – Assets included in accounts exists and events that give rise to
transactions have taken place
 Rights and obligations- Entity has a legal claim on all assets and revenues reported and has
a legal responsibility for all liabilities and expenses
 Completeness - All transactions have been recorded
 Valuation or allocation – Transactions are recorded at the correct amount in the proper period
 Presentation and disclosure – All accounts are presented in the appropriate place and all
information required has been disclosed in the statements and footnotes.
Management Assertions (SAS 106)
- Transaction Assertions
 Occurrence – Events giving rise to transactions have taken place

 Completeness and cutoff - All transactions have been recorded and are recorded in the
appropriate period
 Accuracy – Transactions are recorded at the correct amount
 Classifications – Transactions have posted to the proper account

- Balance Assertions
 Existence – Balances include only assets exist

 Rights and obligations
 Entity has legal claim on all assets and revenues reported
 Entity has a legal responsibility for all liabilities and expenses
 Completeness – Balances include all items
 Accuracy and valuation – Balances included items recorded in the proper period at the
proper amount
- Presentation and Disclosure Assertions
 Occurrence and rights and obligations – items presented include information regarding
ownership
 Completeness - All accounts are included
 Classification and understandability
 All accounts are appropriately grouped
 Users can comprehend statements and disclosures
 Accuracy and valuation – Statements include proper measurements
Exhibit 1.5 Example Assertions and their Relationships to the Financial Statements

Professional Skepticism
 Professional skepticism - auditor’s questioning, evaluative, attitude toward evidence
 Management’s assertions without sufficient corroboration.
 Financial trends need investigation
 Documents are checked for authenticity or alteration
 Ask questions, get answers, then verify the answers.
 A potential conflict of interest always exists between the auditor and the client.
 Management wants to portray the company and its operations in the best possible
light.
 Auditors want to portray the company and its operations fairly.
Professional Service Firm Organization
The Public Accounting Profession

 Assurance services
 Audit engagements
 Assurance engagements
 Attestation engagements
 Compilations
 Reviews
 Tax consulting services
 Consulting services

Prohibited Services to Audit Clients

 Sarbanes-Oxley and the PCAOB prohibit professional service firms from providing any of the
following services to an audit client:
1. bookkeeping and related services

2. design or implementation of financial information systems
3. appraisal or valuation services
4. actuarial services
5. internal audit outsourcing
6. management or human resources services
7. investment or broker/dealer services
8. legal and expert services (unrelated to the audit)
 Professional service firms may provide client tax services (with some restrictions) and other
non-prohibited services to audit clients if the company’s audit committee has approved them in
advance.
 In summary, Sarbanes-Oxley prohibits professional service firms from performing any client
services in which the auditors may find themselves making management decisions or auditing
their own firm’s work.
Types of Audits and Auditors
 Financial (External Auditors/CPAs)
 Ensure that financial statements are accurate.
 Operational (Internal and Governmental Auditors/CIAs)
 Improve operational economy
 Improve operational efficiency
 Compliance (Internal and Governmental Auditors)
 Ensure compliance with company and/or governmental rules and regulations
 Forensic (Fraud Auditors/CFEs)
 Most audits are a combination of financial, operational, and compliance audits.
Organization of the Profession
 “Big Four” Accounting Firms
 D&T, E&Y, KPMG, PwC
 National
 Grant Thornton, BDO Seidman
 Local/Regional
 Melton & Melton (Houston)
 Plante Moran (Michigan/Illinois/Wisconsin)
 Goodman & Company (Virginia)
 Sole Proprietor

Become Certified!
 Education
 Examination
 Experience
 State Certificate and License for CPA
 Skills sets and your education
The CPA Exam
 Computerized
 Four parts
 Auditing and attestation—4.5 hrs
 Financial accounting and reporting—4 hrs
 Regulation—3 hrs.
 Business environment—2.5 hrs
 Skill sets—research, communication, analysis, judgment and understanding
Engagement Overview
B. PROFESSIONAL STANDARDS
Practice Standards

Generally Accepted Auditing Standards

 Measures of the quality of auditors’ performance
 Same from audit to audit
 Auditing standards versus auditing procedures
Exhibit 2.1 Generally Accepted Auditing Standards
Engagement Overview and GAAS
General Standards
Affect all phases of audit
1. Training and proficiency
 Experience and expertise
2. Independence
 Independence in fact vs. independence in appearance
 Financial and managerial relationships
3. Due professional care

 Observe standards of field work and standards of reporting.

Standards of Field Work
Affect conduct of the audit
1. Planning and supervision

 Use of audit program
 Interim and year-end work
2. Understanding of entity and environment (including I/C)
 Assess risk of material misstatement
 Determine effectiveness of substantive procedures
3. Sufficient appropriate evidence
 Sufficient = quantity
 Appropriate = quality (relevance, reliability)
Sufficient evidence
 Related to quantity (number of transactions or components examined)
 Influenced by effectiveness of entity’s internal control
Appropriate Evidence
 Relates to the quality of evidence
 Reliability (from highest to lowest)
 Auditors’ direct personal knowledge
 External documentary evidence
 External-internal evidence
 Internal documentary evidence
 Verbal and written representations
Examples of Evidence
 Auditors’ direct personal knowledge
 Observe PPE, inventories
 External documentary evidence
 A/R confirmations, bank confirmations
 External-internal evidence
 Vendor invoices for purchases
 Internal documentary evidence
 Client sales invoices
 Verbal and written representations
 Management representations (SAS 85)
Standards of Reporting
Identify contents of auditors’ reports
1. Are F/S in conformity with GAAP?
2. Have GAAP been consistently applied (implicit reporting)?

3. Are disclosures adequate (implicit reporting)?

4. Report must express or disclaim an opinion
Independent Auditors’ Report (AS 5)
Types of Audit Opinions

 Unqualified
 F/S are in conformity with GAAP
 Qualified
 Except for one (limited) item, F/S are in conformity with GAAP
 Can issue for GAAP departure and scope limitation
 Adverse
 F/S are not in conformity with GAAP
 Can issue for GAAP departure (more serious)
 Disclaimer
 Auditors do not express an opinion
 Can issue for scope limitation (more serious)
Attestation Standards
 Cover a broader range of engagements than GAAS
 Differences from GAAS
 Subject matter must be evaluated against reasonable criteria
 No requirement to assess risk of material misstatement (unless attestation engagement
involves risk of material misstatement)
 May have limited distribution of report
Quality Control Standards for Accounting Firms
 Guide the performance of firm-wide services
 Categories
 Independence, integrity, objectivity
 Personnel management
 Acceptance and continuance of clients

 Engagement performance
 Monitoring
The Public Company Accounting Oversight Board (PCAOB)
 Establishes standards (Auditing Standards)
 Auditors’ reports (AS 1)
 Audit documentation (AS 3)
 Material weaknesses in internal control (AS 4)
 Audits of internal control over financial reporting (AS 5)
 Standards must be approved by SEC
 ASB and AICPA standards prior to April 16, 2003 are Interim Auditing Standards
 May be modified or amended by Auditing Standards
 Monitors accounting firms through inspections
 Firms auditing > 100 public entities: annual
 Firms auditing < 100 public entities: every 3 years
 Inspection reports list deficiencies in audits conducted by registered firms
(http://www.pcaob.org/Inspections/Public_Reports/index.aspx)
C. MANAGEMENT FRAUD AND AUDIT RISK
Exhibit 3.1 Management Fraud Overview
Financial Statements: Errors, Frauds and Illegal Acts

 Errors are unintentional misstatements or omissions of amounts or disclosures in financial
statements.
 Management Fraud is intentional misstatements or omissions of amounts or disclosures in
financial statements.
 Direct-effect illegal acts are violations of laws or government regulations by the company or
its management or employees that produce direct and material effects on dollar amounts in
financial statements.
 "Illegal acts" (far‑removed) are violations of laws and regulations that are far removed from
financial statement effects (for example, violations relating to insider securities trading,
occupational health and safety, food and drug administration, environmental protection,
and equal employment opportunity).

Overview of Auditors’ and Other Professionals’ Responsibilities

 External Auditors (CPAs)
 SAS 99: Consideration of Fraud in a Financial Statement Audit
 Design audit to provide reasonable assurance of detecting fraud that could have a
material effect on the financial statements.
 Perform fraud-related procedures
 SAS 54: Illegal Acts
 Focused primarily is on direct-effect illegal acts
 SAS 114: “The Auditor’s Communication with Those Charged with Governance”
 Other Professional’s Responsibilities (Discussed later in Module D)
 Internal Auditors (CIAs)
 Internal auditors support management's efforts to establish a culture that embraces
ethics, honesty, and integrity. They assist management with the evaluation of internal
controls used to detect or mitigate fraud, evaluate the organization's assessment of
fraud risk, and are involved in any fraud investigations.
 Governmental Auditors
 Focus on laws and regulations (compliance), design audit to detect abuse and illegal
acts, report to the appropriate authority
 Certified Fraud Examiners (CFEs)
 Assignments begin with predication (probable cause)
Exhibit 3.2 Considering the Risk of Fraud (SAS 99)
 Step 1: Audit team discussion (“brainstorming”)

 Required procedure
 Objectives
 Gain understanding of
Previous experiences with client
How a fraud might be perpetrated and concealed in the entity
Procedures that might detect fraud
 Set proper tone for engagement

 Discussions should be ongoing throughout the engagement
 Step 2: Obtain Information to Identify Risks

 Inquiries
 Management
 Audit committee
 Internal auditors
 Others
 Planning analytical procedures
 Net income to cash flows (total accruals to total assets)
 Days sales in receivables
 Gross margin
 Asset quality index (non current assets- p,p&e to total assets)
 Sales growth index
 Step 3a: Identify Risk Factors Related to Fraudulent Financial Reporting

 Management’s characteristics and influence
 Industry conditions
 Operating characteristics and financial stability
 Risk Factors: Management’s Characteristics and Influence

 Management has a motivation to engage in fraudulent reporting.
 Management decisions are dominated by an individual or a small group.
 Management fails to display an appropriate attitude about internal control.
 Managers’ attitudes are very aggressive toward financial reporting.
 Managers place too much emphasis on earnings projections.
 Nonfinancial management participates excessively in the selection of accounting
principles or determination of estimates.
 The company has a high turnover of senior management.
 The company has a known history of violations.
 Managers and employees tend to be evasive when responding to auditors’ inquiries.
 Managers engage in frequent disputes with auditors.
 Risk Factors: Industry conditions

 Company profits lag the industry.
 New requirements are passed that could impair stability or profitability.
 The company’s market is saturated due to fierce competition.
 The company’s industry is declining.
 The company’s industry is changing rapidly.
 Risk Factors: Operating Characteristics

 A weak internal control environment prevails.
 The company is not able to generate sufficient cash flows to ensure that it is a going
concern.
 There is pressure to obtain capital.
 The company operates in a tax haven jurisdiction.
 The company has many difficult accounting measurement and presentation issues.
 The company has significant transactions or balances that are difficult to audit.
 The company has significant and unusual related-party transactions.
 Company accounting personnel are lax or inexperienced in their duties.

 Step 3b: Assess Fraud Risks

 Type of risk
 Significance of risk
 Likelihood of risk
 Pervasiveness of risk
 Assess controls and programs
 Required Risk Assessments

 Presume that improper revenue recognition is a fraud risk.
 Identify risks of management override of controls.
Examine journal entries and other adjustments.
Review accounting estimates for biases.
Evaluate business rationale for significant unusual transactions.
 Step 4: Respond to Assessed Risks

 Overall effect on audit
 Assignment of personnel
 Choice of accounting principles
 Predictability of auditing procedures
 Examination of journal entries and other adjustments
 Retrospective review of prior year accounting estimates
 Extended procedures
 Surprise inventory counts
 Contract confirmations
 More Examples of Extended Procedures
 Step 5: Evaluate Audit Evidence

 Discrepancies in the accounting records.
 Conflicting or missing evidential matter.
 Problematic or unusual relationships between the auditor and management.
 Results from substantive of final review stage analytical procedures.
 Vague, implausible or inconsistent responses to inquiries.
 Step 6: Communicate Fraud Matters

 SAS 99: Evidence that fraud may exist must be communicated to appropriate level of
management.

 Sarbanes Oxley: Significant deficiencies must be communicated to those charged with

governance.
 Any fraud committed by management (no matter how small) is material.
 Step 7: Document Fraud Matters

 Discussion of engagement personnel.
 Procedures to identify and assess risk.
 Specific risks identified and auditor response.
 If revenue recognition not a risk—explain why.
 Results of procedures regarding management override.
 Other conditions causing auditors to believe additional procedures are required.
 Communication to management, audit committee, etc.
 Illegal Acts
 Illegal acts are violations of laws or government regulations by the company or its
management or employees.
 Direct-effect illegal acts produce direct and material effects on the financial
statements (e.g., income tax evasion).
 Indirect-effect illegal acts are far removed from financial statement (e.g., violations
relating to insider securities trading, occupational health and safety, food and drug
administration, environmental protection, and equal employment opportunity).
 Red Flags of Potential Illegal Acts

 Unauthorized transactions.
 Government investigations.
 Regulatory reports of violations.
 Payments to consultants, affiliates, or employees for unspecified services.
 Excessive sales commissions and agents’ fees.
 Unusually large cash payments.
 Unexplained payments to government officials.
 Failure to file tax returns or to pay duties and fees.
 Exhibit 3.4 Auditor Responsibility for Detecting Errors, Frauds, and Illegal Acts

 The AUDIT RISK MODEL (ARM)

 Audit risk (AR) is the risk (likelihood) that the auditor may unknowingly fail to modify the
opinion on financial statements that are materially misstated (e.g., an unqualified opinion
on misstated financial statements.)
 The AUDIT RISK MODEL decomposes overall audit risk into three components: inherent
risk (IR), control risk (CR), and detection risk (DR):
AR = IR x CR x DR
(IR x CR = Risk of Material Misstatement (RMM))
 Exhibit 3.4 Inherent, Control and Detection Risk
 ARM Concepts
 The auditor cannot affect inherent risk or control risk. The auditor can only ASSESS them.
 The auditor can only affect detection risk—generally by examining more evidence.
 Detection risk is inversely related to control risk and inherent risk.
 Detection risk is inversely related to competence and reliability of evidence.
 Inherent Risk
 Inherent Risk (IR) is the likelihood that, in the absence of internal controls, a material
misstatement could occur. In other words, it is a measure of the susceptibility of an
account to misstatement.
 Factors affecting account inherent risk include:
 Dollar size of the account
 Liquidity
 Volume of transactions
 Complexity of the transactions
 New accounting pronouncements
 Subjective estimates
 Other Factors Affecting Overall Inherent Risk

 Competition
 Economy
 Nature of Industry

 Management Style
 Leverage
 Inherent Risk: General Categories of Errors and Frauds

 Invalid transactions are recorded.
 Valid transactions are omitted from the accounts.
 Unauthorized transactions are executed and recorded.
 Transaction amounts are inaccurate.
 Transactions are classified in the wrong accounts.
 Transaction accounting and posting is incorrect.
 Transactions are recorded in the wrong period.
 Control Risk
 Control Risk (CR) is the likelihood that a material misstatement would not be caught by
the client’s internal controls.
 Factors affecting control risk include:
 The environment in which the company operates (its “control environment”).
 The existence (or lack thereof) and effectiveness of control procedures.
 Monitoring activities (audit committee, internal audit function, etc.).
 Detection Risk
 Detection risk (DR) is the risk that a material misstatement would not be caught by audit
procedures.
 Factors affecting detection risk include:
 Nature, timing, and extent of audit procedures
 Sampling risk
Risk of choosing an unrepresentative sample.
 Nonsampling risk
Risk that the auditor may reach inappropriate conclusions based upon available
evidence.

 Detection Risk and the Nature, Timing, and Extent of Audit Procedures
 Example of the Audit Risk Model
 Exhibit 3.8 Matrix Approach to Detection Risk Determination
 More Examples

 Materiality
 Materiality refers to an amount (or transaction) that would influence the decisions of users
(i.e., an amount (or event) that would make a difference). The emphasis is on user, rather
than management or the audit team.
 Materiality Criteria:
 Ultimately, materiality is a matter of professional judgment.
 Exhibit 3.9 Materiality Table
Source: AICPA Audit Sampling Guide, AICPA (New York, New York), 2001.
 General Audit Procedures

 Inspection of records and documents
 Vouching
 Tracing
 Scanning
 Inspection of tangible assets
 Observation
 Inquiry
 Confirmation
 Recalculation
 Reperformance
 Analytical Procedures

 Vouching/Tracing
 Audit Programs
 A list of the audit procedures the auditors need to perform
to gather sufficient appropriate evidence on which to
base their opinion on the financial statements.
 Each audit program is based, in part, on the output of
Audit Risk Model.
 Generally one for each major cycle or group of related
accounts.
 Revenue and collection (Chapter 7)
 Acquisition and expenditure (Chapter 8)
 Production (Chapter 9)
 Financing and investing (Chapter 10)
 Signed off as procedures are performed.
D. Engagement Planning
 Goals of Planning
 Obtain (or update) an understanding of important events
that have affected the client and its operations
 Identify areas of the engagement that may represent
special risks to the public accounting firm.
 Ensure that the engagement can be completed in a timely
fashion
 Pre-Engagement Arrangements
 Client selection and retention
 Communication between predecessor and
successor auditors
 Engagement letters
 Staff assignment
 Time budget

 Communication between Predecessor and Successor Auditors (SAS 84)

 Attempt to communicate required
 If client permits, issues to discuss
 Disagreements about accounting principles or audit procedures.
 Communications the predecessor auditors gave the former client about fraud, illegal
acts, and internal control recommendations.
 The predecessor auditors’ understanding about the reasons for the change of auditors
(particularly about the predecessor auditors’ termination).
 Understanding the Client’s Business

 Methods and sources of information
 Inquiry, including prior year working papers
 Observation
 Study
 Other aspects of planning
 Materiality and planning
 First-time audits
 Internal auditors
 Identification of related parties
 Specialists
 Analytic procedures
 Enterprise Risk Management Framework
 Planning Memorandum
 Summary of planning procedures
 Considerations
1. Investigation or review of the prospective or continuing client relationship.
2. Provision of special services or reports and needs for special technical or industry
expertise.
3. Staff assignment and timing schedules.
4. Assessed level of control risk.
5. Significant industry or company risks.

6. Computer system control environment.

7. Utilization of the company’s internal auditors.
8. Identification of unusual accounting principles problems.
9. Schedules of work periods, meeting dates with client personnel, and completion dates.
 Basis for audit program
 Preliminary Analytic Procedures (SAS 56)
 Attention directing
 Identify potential problem areas
 An organized approach
 A standard starting place to start examining the financial statements
 Describe the financial activities
 Identify unusual changes in relationships in the data
 Ask relevant questions
 What could be wrong?
 What legitimate reasons are there for these results?
 Cash flow analysis
 Analytic Procedure Steps

1. Develop an expectation.
2. Define a significant difference.
3. Calculate predictions and compare them with the recorded amount.
4. Investigate significant differences.
5. Document each of the above steps.
 Analytic Procedures: Sources of Information

 Analytic Procedures: Stages of Use

 Preliminary planning-- required
 Substantive testing -- optional
 Final review – required
 Effect of Electronic Environment on Audit Engagement

 The definition of auditing is not changed.
 The purposes of auditing are not changed.
 The generally accepted auditing standards are not changed.
 The assertions of management embodied in financial statements are not changed.
 The requirement to gather sufficient competent evidence is not changed.
 The independent auditor's report on financial statements is not changed.
 What has changed?

 The auditor must evaluate the impact of technology on the client’s operations.
 The auditor must evaluate computer controls implemented by the client in the auditor’s
study and evaluation of the client’s internal controls.
 The auditor can use the computer’s speed and accuracy to assist in the audit.
 Effect of Computer Processing on Transactions

 Transaction trails
 Uniform processing of transactions
 Segregation of duties
 Potential for fraud
 Potential for increased management supervision
 Initiation or subsequent execution of transactions by computer
 Planning considerations
 Extent to which computers are used
 Complexity of computer operations
 Organizational structure of computer processing
 Availability of data
 Use of CAATs- the use of software to perform audit procedures
 Need for specialized skills
 Computer Assisted Audit Tools and Techniques (CAATs)

 With CAATS, the auditor is able to access and extract client information without disrupting
data processing.
 Some CAATs Procedures:
 Calculate field statistics (totals, high, low and average value)
 Perform complex recalculations
 Join, concatenate and compare different files
 Perform detailed analysis
Stratification
Gap and duplicate key detection
Sample selection
 Audit Documentation (AS 3)

 Definition
 The written record of the basis for the auditor’s conclusions that provides the support

for the auditor's representations, whether those representations are contained in the
auditor's report or otherwise.
 Objectives
 Improve audit quality
 Enhance public confidence
 Contents
 Planning and performance of the work
 Procedures performed
 Evidence obtained
 Conclusions reached by the auditor
 Purposes of Audit Documentation

 Integral part of audit quality
 Documents the nature, timing and extent of work performed
 Evidence of due professional care
 Basis for conclusion
 Facilitates planning, performance and supervision
 Provides basis for review
 Audit Documentation Files

 Current files
 Permanent files
 Prior year files
 Exhibit 4.6 Current Audit Documentation File

 Exhibit 4.7 Illustrative Audit Documentation
 Information on Workpaper
 Name, date, purpose, page number
 Procedures performed and conclusions
reached by the auditor
 Evidence that auditor followed
general standards and standards of
field work
 Audit Mark Legend
 Reviewers’ initials
 Audit Documentation Requirements

 Audit documentation should be prepared in sufficient detail to enable an experienced
auditor having no previous connection with the engagement to:
 Understand the nature timing, extent and results of procedures, evidence obtained and
conclusions reached.
 Determine who performed the work, date of work, reviewer and date of review.
 Audit documentation should provide a clear link to significant findings or issues and
 Demonstrate compliance with PCAOB standards.
 Support basis for conclusions on every relevant assertion.
 Document that accounting records agree with financial statements.
 Significant Findings or Issues

 Selection, application and consistency of accounting principles, including disclosures
 Results of procedures that indicate need for significant modification of procedures,
existence of material misstatements, significant deficiencies in controls
 Audit adjustments
 Disagreements
 Circumstances that cause significant difficulty
 Significant changes in assessed audit risk
 Matters that could result in report modification
 Specific Audit Documentation Matters

 Should include identification of items inspected, confirmed or tested.
 Satisfied by indicating source and selection criteria.
 Documentation of inspected agreements should include abstracts or copies.
 Should include contradictory information found
 Information the auditor has identified relating to significant findings or issues that is
inconsistent with or contradicts the auditor’s final conclusions.
 Procedures performed in response.
 Records documenting consultation on or resolutions of differences among team and
with others consulted.

 Engagement Completion Document (AS 3)

 Must include all significant findings or issues.
 Must include items identified during interim review.
 Must have completed all necessary procedures and obtained sufficient evidence before
report release date.
 Documentation should be complete (documentation completion date) no more than 45
days after report release date.
 Documentation Retention (AS 3)

 Documentation must be retained seven years from report release date.
 If no report—from last day of fieldwork
 Additions/Amendments
 Documentation may not be deleted or discarded after report release date.
 Additions must indicate
Date the information was added
Name of preparer
Reason
 Specific Documentation Retention Requirements (AS 3)
 Audit Documentation Review

 Hierarchical review process
 Reviewers include
 New auditors
 Supervisory personnel
 Engagement supervisors and quality reviewers
 Successor auditor
 Inspection teams
 Others including advisors engaged by the audit committee or parties to an acquisition
 Other Issues Related to Audit Documentation

 Ownership
 Auditors maintain ownership, even after auditor-client relationship is over.
 Confidentiality
 Only can be made public with permission, or if subpoenaed, or as part of a peer review

of firm practices, or as part of an ethics investigation of firm personnel.
E. Risk Assessment: Internal Control Evaluation
 Responsibility for Internal Control

 Management responsibility
 Management has primary responsibility for internal control
 Sarbanes-Oxley Act of 2002 (publicly traded companies)
 Auditor responsibility
 Second standard of fieldwork
 PCAOB Auditing Standard No. 5 (AS 5): An Audit of Internal Control over Financial
Reporting That Is Integrated with an Audit of Financial Statements
 Management’s Responsibility for Internal Control (Sarbanes-Oxley)

 In addition to certifying the company’s financial statements (Section 302), management
must also report on the company’s internal control over financial reporting (Section 404).
 Specifically, the company’s annual report must include:
 A statement that management is responsible for establishing and maintaining
adequate internal control over financial reporting.
 A statement identifying the framework (usually COSO) management uses to evaluate
the effectiveness of the company’s internal control.
 A statement providing management's assessment of the effectiveness of the
company’s internal control.
 AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an

Audit of Financial Statements
 Auditors must provide their opinion on the effectiveness of client’s internal control.
 Not a separate engagement
 Integrated audit of internal control and financial statements
 COSO
 Committee of Sponsoring Organizations of the National Commission of Fraudulent
Financial Reporting (Treadway Commission)
 FEI, AAA, IIA, IMA, AICPA
 Why Assess Control Risk?

 Determine nature, timing, and extent of audit procedures.
 Trade-off between testing of controls and substantive procedures.
 Note: Control testing required for public companies (AS 5), but not for private companies
and not-for-profit organizations.
 Exhibit 5.2 Trade-off Between Tests of Controls and Substantive Testing

 Internal Control – An Integrated Framework (COSO)

 Internal Control
A process, effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
(1) Reliability of financial reporting,
(2) Compliance with applicable laws and regulations,
(3) Effectiveness and efficiency of operations.
 Exhibit 5.3 Internal Control—Integrated Framework
 Exhibit 5.4 Interrelated Components of Internal Control

 Control Environment
 Sets the tone of an organization, influencing the control

consciousness of its people.
 It is the foundation for all other components.
 Risk Assessment
 The entity's identification and analysis of
relevant risks to achievement of its
objectives.
 COSO's Enterprise risk management (ERM)
framework
 Control Procedures
 The policies and procedures that help ensure management directives are carried out.
 Physical controls over the security of assets
 Segregation of duties
 Information Processing
Approvals and authorization
Verifications and reconciliations
 Performance reviews
 Exhibit 5.5 Separation of Duties

 Information Processing Controls

 Information technology general controls (ITGC)
 Physical security
 Hardware controls
 Segregation of IT duties
 Documentation
 Back-up procedures
 Information technology application controls (ITAC)
 Input controls
 Processing controls
 Output controls
 Spreadsheet controls
 Information and Communication

 The identification, capture, and exchange of information in the form and time frame that
enables people to carry out their responsibilities.
 Monitoring
 Management’s process that assesses the quality of the internal control's performance over
time.
 Internal auditing
 Follow-up of reporting errors
 General Phases of Internal Control Evaluation

 Phase 1: Understand and document
 Understand the client’s internal control
 Document the understanding of internal control
Internal Control questionnaire
Narrative
Accounting and control system flowcharts
 Phase 2: Assess control risk (Preliminary)
 Phase 3: Testing and reassessment
 Perform test of controls audit procedures
 Re-assess control risk
 Exhibit 5.10 Payroll System Flowchart

 Exhibit 5.11 Bridge Workpaper
 Exhibit 5.12 Assertions about Class Transactions and Events for the Period: Payroll
Cycle

 Exhibit 5.13 Dual Direction Test of Payroll Controls
 AS 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an

Audit of Financial Statements (for Publicly Traded Companies)
 Phases of the engagement
1. Plan the engagement
2. Use a top-down approach to gain an understanding
a) Identify entity-level controls
b) Walkthroughs
3. Testing internal control effectiveness
a) Design effectiveness
b) Operating effectiveness
4. Evaluating control deficiencies
a) Deficiencies
b) Significant deficiencies
c) Material weaknesses
5. Wrapping up: Forming an opinion on the effectiveness of internal control over financial
reporting
6. Reporting on internal control
 Step 1: Plan the Audit

 Consider knowledge of industry
 Consider knowledge of business
 Consider extent of changes in operations
 Consider extent of changes in internal control
 Evaluation must be done for all relevant assertions for all significant accounts or
disclosures. Thus, significant accounts, locations, and assertions must be identified.
 The key to determining whether an account, location, or assertion is significant is whether
there is a more-than-reasonable possibility that a material misstatement could be
associated with it.
 Just as control risk is used to determine the nature, timing, and extent of substantive
procedures, inherent risk is used to determine the nature, timing, and extent of tests of
controls.
 Step 2: Use a top-down approach to gain an understanding

 Identify entity-level controls
 Perform walkthroughs
 Auditor must perform work related to:
 Company-wide anti-fraud programs

 Controls that have a pervasive effect

 Auditor must obtain “principal evidence,” but can incorporate work of internal auditors and
others
 Must assess competence and objectivity
 Limited reliance
 Can’t reduce work on control environment
 Exhibit 5.8 Entity-Level Controls

 Controls related to the control environment.
 Controls related to management override.
 Centralized processing and controls including shared service environments.
 Controls to monitor results of operations.
 Controls to monitor other controls.
 Management’s risk assessment.
 Period-end financial reporting process
 Policies that address significant business control and risk management practices
 Test Controls: Design Effectiveness

 Design effectiveness determines whether the controls over financial reporting, if operating
effectively, would be expected to prevent or detect errors or fraud that could result in a
material misstatement in the financial statements.
 After an understanding of internal controls is gained through inquiry, inspection, and
observation, the controls are evaluated for the possibility that the controls would not
prevent or detect a misstatement.
 Test Controls: Operating Effectiveness

 Operating effectiveness is whether the control is operating as designed and whether the
person performing the control possesses the necessary authority and qualifications to
perform the control effectively.
 A sample of transactions is examined using inquiry, observation, inspection, and
reperformance.
 Tests of controls are not performed if design is not effective.
 Step 4a: Evaluate control deficiencies

 Whether the result of a design deficiency or an operating deficiency, an internal control
deficiency exists when the design or operation of a control does not allow the entity’s
management or employees to detect or prevent misstatements in a timely fashion.
 A design deficiency is a problem relating to either a necessary control that is missing
or an existing control that is so poorly designed that it fails to satisfy the control’s
objective.
 An operating deficiency, on the other hand, occurs when a properly designed control
is either ignored or inappropriately applied (possibly because employees are poorly
trained).
 More serious internal control deficiencies can be categorized into one of two groups,
significant deficiencies or material weaknesses, depending on their severity.
 Step 4b: Identify significant deficiencies

 Significant deficiencies are defined as conditions, or combinations of conditions, that
could adversely affect the organization’s ability to initiate, record, process, and report
financial data in the financial statements.

 While not material, they are important enough to bring to the attention of those charged
with governance (usually the audit committee).
 Absence of appropriate separation of duties.
 Absence of appropriate reviews and approvals of transactions.
 Evidence of failure of control procedures.
 Step 4c: Identify Material Weaknesses

 A material weakness in internal control is defined as a deficiency, or combination of
deficiencies, that results in a reasonable possibility that a material misstatement would not
be prevented or detected on a timely basis.
 Restatement of previously issued financial statements to reflect the correction of a
misstatement.
 Evidence of material misstatements (caught by the audit team) that were not prevented
or detected by client’s internal controls.
 Ineffective oversight of financial reporting process by entity’s audit committee.
 Indication of fraud (either material or immaterial) by senior management.
 Summary of Internal Control Deficiencies

 Three categories
 Internal control deficiency
 Significant deficiency
 Material weaknesses
 The difference between a significant deficiency and a material weakness is the
(1) likelihood and (2) materiality that a potential (or actual) misstatement would not be
detected on a timely basis.
 Step 5: Wrapping up: Forming an opinion on the effectiveness of internal control over
financial reporting
 Auditors can issue one of three types of opinions on internal control over financial
reporting:
 Unqualified. No material weaknesses found.
 Disclaimer of opinion. The audit team cannot perform all of the procedures
considered necessary.
 Adverse opinion. One or more material weaknesses found.
 Step 6: Reports on Internal Control

 Separate report on internal control
 Opinion on financial statements contained in separate audit report
 Extra paragraph added to report on internal control referencing opinion on financial
statements.
 Integrated audit report and report on internal control
 Includes auditor’s opinions on 1) internal control effectiveness, and 2) the fairness of
the company’s financial statements.
 Reporting to Audit Committee on Internal Control Related Matters

 Sarbanes-Oxley requires that the report be in writing.
 The auditor may communicate during or after audit.
 Communications with management is not required; however, communications with
management or other individuals within the entity who may, in the auditor's judgment,
benefit from the communications are not precluded.

 Limitations of Internal Control

 Human error
 Collusion
 Management override
 Cost/benefit analysis
 There is often a trade-off between the cost and the effectiveness of internal controls.
 The concept of reasonable assurance recognizes that the cost of an entity’s internal
control should not exceed the benefits that are expected to be derived.
F. Employee Fraud and the Audit of Cash
 Fraud Opportunities Revisited
 Definitions Related to Employee Fraud

 White collar crime is fraud perpetrated by people who work in offices and steal with a
pencil or a computer terminal. The contrast is violent street crime.
 Employee fraud is the use of fraudulent means to take money or other property from an
employer. It consists of three phases: (1) the fraudulent act, (2) the conversion of the
money or property to the fraudster's use and (3) the cover-up.
 Embezzlement is a type of fraud involving employees' or nonemployees' wrongfully taking
money or property entrusted to their care, custody, and control, often accompanied by false
accounting entries and other forms of lying and cover-up.
 Larceny is simple theft of an employers property that is not entrusted to an employee's
care, custody or control.
 Defalcation is another name for employee fraud and embezzlement.
 Exhibit 6-1 Fraud Elements

 Motive
 A motive is some kind of pressure a person experiences and believes unshareable with
friends and confidants
 Actual or perceived need for money (Economic motive)
 “Habitual criminal” who steals for the sake of stealing (Psychotic motive)
 Committing fraud for personal prestige (Egocentric motive)
 Cause is morally superior, justified in making others victims (Ideological motive)
 Opportunity
 An opportunity is an open door for solving the unshareable problem by violating a trust.
 Weak internal controls
 Circumvention of internal controls
 The greater the position, the greater the trust and exposure to unprotected assets.
 Rationalization
 When people do things that are contrary to their personal beliefs – outside their normal
behavior – they provide an argument to make the action seem like it is in line with their
moral and ethical beliefs.
 Some of the most frequent rationalizations are:
I need it more than the other person.
I’m borrowing the money and will pay it back.
Everybody does it.
The company is big and will never miss it.
Nobody will get hurt.
I am underpaid, so this is due compensation
I need to maintain a lifestyle and image.
 Red Flags: Employee Fraud
 Fraud Prevention
 Managing people pressures in the workplace
 Counseling services
 Hotlines
 Control procedures and employee monitoring
 Integrity by example and enforcement

 Cash Collections and Disbursements

 Cash is highly liquid, easily transportable, and not easily identifiable, and therefore is a
primary target for employee thieves.
 Some strong internal controls:
 Dual custody of cash at all times
 Lockbox arrangement
 Fidelity bonds
 Exhibit 6.2 Processing Cash Receipts
 Cash Collections: Typical Activities

 Receive cash and REMITTANCE ADVICE in mail.
 Prepare REMITTANCE LISTING.
 Enter total from REMITTANCE LISTING (or REMITTANCE ADVICE) in CASH RECEIPTS
JOURNAL.
 Prepare DEPOSIT SLIP and deposit cash receipts in bank (INTACT and DAILY).
 Record update to SUBSIDIARY ACCOUNTS RECEIVABLE using REMITTANCE ADVICE.
 Reconcile REMITTANCE LISTING, SUBSIDIARY ACCOUNTS RECEIVABLE , and
DEPOSIT SLIP daily
 Cash Collections and Disbursements: Key Control Activities

 INFORMATION PROCESSING
 Voucher packet (Purchase requisition, purchase order, receiving report, invoice)
matched prior to cash disbursement authorization
 Deposits reconciled to amounts credited to accounts receivable ledger
 Bank reconciliation
 PHYSICAL CONTROLS OVER THE SECURITY OF ASSETS
 Deposit cash and checks daily and intact

 Lock box account

 EDI transactions
 Dual custody over cash
 Unused checks secured
 Check imprinting machine
 SEGREGATION OF DUTIES
 Separate custody, authorization, recording, execution
 PERFORMANCE REVIEWS
 RECONCILIATIONS
 Cash Disbursements: Control Risk Assessment

 Control considerations
 Proper separation of duties
 Detail control (error-checking) activities
 Internal control questionnaires (ICQs)
 Transaction process “walkthrough”
 Detail test of controls audit procedures (Exhibit 6.4)
 Exhibit 6.4 Tests of Controls Over Cash Disbursements
 Audit Evidence in Management Reports and Data Files

 Cash receipts journal
 Cash disbursements journal
 Bank reconciliations
 Cancelled checks
 Bank statements
 The audit team will often request that a CUTOFF BANK STATEMENT be sent directly
to the auditor prior to subsequent month-end in order to verify deposits-in-transit and
cleared checks on a timely basis.

 Exhibit 6.5 How to Read a Cancelled Check and Endorsement

 Exhibit 6.6 Small Business Bank Statement
 Audit of Cash
 Cash on hand
 Count SIMULTANEOUSLY with other liquid assets
 Count in presence of client employee
 Undeposited receipts
Trace to cash receipts journal (CRJ)
Vouch to subsequent deposit in bank statement
 Cash on Deposit
 Audited mainly through the client’s BANK RECONCILIATION.
 Bank Reconciliation
 Balance per bank
 CONFIRM (STANDARD BANK CONFIRMATION) directly with bank
 Agree to CUTOFF BANK STATEMENT
 Add Deposits-in-transit
 TRACE to cash receipts journal
 VOUCH to CUTOFF BANK STATEMENT
 Subtract Outstanding Checks

 VOUCH to cash disbursements journal

 TRACE checks cleared from cutoff bank statement
 Add/Subtract Debit/Credit Memos
 Inspect bank credit/debit memo
 Balance per books
 FOOT Reconciliation
 TRACE to trial balance
 Exhibit 6.7 Bank Reconciliation
 Standard Bank Confirmation

 In addition to corroborating cash and loan balances, a STANDARD BANK
CONFIRMATION INQUIRY also requests information about contingent liabilities and
secured transactions

 Exhibit 6.8 Bank Confirmation
 Check Kiting
 KITING is a fraud that occurs by reporting cash simultaneously in two different bank
accounts.
 A Schedule of Interbank Transfers (Exhibit 6-10) is generally useful in detecting KITING.
 Exhibit 6.9 Illustrative Check Kiting Transactions

 Exhibit 6.10 Illustration of Interbank Transfer Schedule
 Proof of Cash
 A PROOF OF CASH is used when controls over cash are weak.
 It essentially combines two bank reconciliations, reconciling all transactions that occurred
during the period to the client’s Cash Receipts Journal and Cash Disbursements Journal.
 Exhibit 6.11 Illustration of Proof of Cash—First National Bank
 Fraud Detection Procedures for Cash

 Count the petty cash twice in one day
 Examine endorsements on canceled checks
 Audit general journal entries
 Retrieve customer checks
 Use marked coins and currency

 Measure deposit lag time

 Examine documents (bank statements) for alteration (See Exhibit 6.6)
 Inquiry, ask questions
 Covert surveillance
G. Revenue and Collection Cycle
 Overall Audit Approach
 Inherent Risks
 Improper Revenue Recognition
 Cut-off
 Bill and Hold
 Channel Stuffing
 Returns and Allowances
 Collectability of Receivables
 Revenue Recognition
 Must be (1) realized or realizable and (2) earned
 SEC guidance (SAB 104)
 Persuasive evidence of an arrangement exists,
 Delivery has occurred or services have been rendered,
 The seller's price to the buyer is fixed or determinable, and
 Collectability is reasonably assured

 Exhibit 7.1 Revenue Recognition Rogues
 Exhibit 7.2 Revenue and Collection Cycle

 REVENUE AND COLLECTION CYCLE: Key Control Procedures

 SEGPARATION OF DUTIES
 Separate functions for recording, authorization, custody
 AUTHORIZATION OF TRANSACTIONS
 Write-offs
 EDI transactions
 Credit checks prior to approval of sale
 Pricing
 ACCESS TO ASSETS
 Shipping department
 Lock box account
 ADEQUATE DOCUMENTS AND RECORDS
 Pre-numbered sales orders, shipping documents (bills of lading), sales invoices
 Remittance advice
 INDEPENDENT CHECKS ON PERFORMANCE
 A/R subsidiary ledger to general ledger
 Monthly statement to customer

 Pending order master file
 Credit check files
 Price list master file
 Sales detail file (sales journal)
 Sales analysis report
 Accounts receivable aged trial balance
 Cash receipts listing
 Customer Statements
 Other Controls
 No sales order without customer order.
 Credit-check authorization.
 Restricted access to inventory.
 Restricted access to terminals and invoices.
 All documentation in order to record sales.
 Proper dating.
 Invoices compared to BOLs and orders.
 Pending order files reviewed.

 Exhibit 7.4 Assertions about Classes of Transactions and Events for the Period
 Exhibit 7.5 Dual Direction of Test Audit Sample
 AUDITING ACCOUNTS RECEIVABLE

 Test Aged Listing of Accounts Receivable
 Confirm balances.
 Perform analytical procedures
 Test sales cut-off

 Exhibit 7.6 Assertions and Substantive Procedures in the Revenue and Collection Cycle
 Exhibit 7.7 Accounts Receivable Aged Trial Balance
 USING CONFIRMATIONS
 Especially useful for verifying EXISTENCE.
 Factors likely to affect the reliability of confirmations
 Previous audit experience
 Intended recipient of the confirmation
 Type of information being confirmed
The auditor may confirm entire BALANCES or individual TRANSACTIONS.
 Type of confirmation being sent

 TYPES OF CONFIRMATIONS
 Positive Confirmations
 small number of accounts are involved
 large number of errors are anticipated
 Negative Confirmations
 the combined assessed level of inherent and control risk is low
 a large number of small balances is involved
 the auditor has no reason to believe that the recipients of the requests are unlikely to
give them consideration.
 Blank Confirmations should be used if the recipient is likely to return a positive confirmation
without verifying the accuracy of the information.
 Exhibit 7.8 Positive Confirmation Letter

 Exhibit 7.9 Negative Confirmation Letter
 CONFIRMATION CONSIDERATIONS
 Responses to positive and blank confirmations provide more reliable evidence than
negative non-responses.
 Recipients of accounts receivable confirmations might not report understatements
 Non-response to Positive/blank confirmation requests
 Follow up with second and sometimes third requests.
 A lower than expected response rate could be indicative of fictitious customer
accounts.
 Alternative procedures.
 Non-response to negative confirmation requests
 Only limited evidence concerning financial statement assertions.
 Alternative procedures are not necessary for unreturned negative confirmation
requests.
 Follow-up on all exceptions

 Exhibit 7.10 Responses to Positive Confirmations
 ALTERNATIVE PROCEDURES
 Vouch subsequent cash collections
 usually sufficient evidence of existence, valuation.
 Examine shipping documents
 Examine client-generated supporting documentation, such as invoices.
 Depends on internal controls
 Inspect correspondence files
 Other Matters Related to Confirmation

 There are three sets of circumstances that could justify the omission of the confirmation of
a client's accounts receivable.
 Not material to the financial statements.
 If the RISK OF MATERIAL MISSTATEMENT is low, and the assessed level of
evidence from analytical procedures and other tests of details is sufficient to reduce
audit risk to an acceptably low level, confirmation of accounts receivable may be
inefficient.
 Confirmation of accounts receivable is expected to be ineffective (based on previous
years' audit experience).
 UNCOLLECTIBLE ACCOUNTS
 Inspect customer files for collectibility
 Recalculate ALLOWANCE and BAD DEBT EXPENSE
 Verify reasonableness of ALLOWANCE and BAD DEBT EXPENSE
 Verify appropriateness of accounts written off
 Verify attempts to collect receivable
 Verify authorization is appropriate.
 ANALYTICAL PROCEDURES
 Sales Revenue
 Comparisons with previous periods
 Comparisons with industry

 Allowance for Doubtful Accts, Bad Debt Expense

 Bad Debt Expense as a percentage of Sales
 Allowance for Doubtful Accounts as a percentage of Gross Receivables
 Accounts Receivable
 Days Sales in Accounts Receivable
 Accounts Receivable Turnover
 SALES CUTOFF PROCEDURES

 Used to verify whether Sales/Revenues recorded in the CORRECT ACCOUNTING
PERIOD.
 Examine SALES INVOICES and SHIPPING DOCUMENTS shortly prior to and after year-
end.
 Examine returns after year-end.
H. Acquisition and Expenditure Cycle
 Inherent Risks
 Unrecorded liabilities
 Noncancelable purchase agreements
 Capitalizing expense
 Exhibit 8.1 Cost and Expense Capers

 Exhibit 8.2 Acquisition and Expenditure Cycle
 Acquisition and Expenditure Cycle: Typical Activities

 Purchase Goods and Services
 Department requesting purchase of item(s) prepares a PURCHASE REQUISITION
 Purchase is approved by preparation of a PURCHASE ORDER
 May be done electronically by EDI
 Receiving the Goods or Services
 After vendor approval, goods are received by company and evidenced by preparing a
RECEIVING REPORT
 Recording the Asset or Expense and Related Liability
 Vendor bills company for goods using a VENDOR'S INVOICE
 Paying the invoice through the cash disbursement process
 Control Procedures
 Information processing controls
 Compare quantities against receiving report and purchase order
 Compare prices against quoted price or catalog listing
 Mathematically verify vendor's invoice
 Determine when to pay invoice and prepare VOUCHER
 Separation of duties
 AUTHORIZATION of the purchase is done by the purchasing department.
 CUSTODY of the inventory item(s) is held by the receiving department and, ultimately,
the requesting department.
 Transactions are RECORDED by general accounting (control account) and accounts
payable department (subsidiary accounts).
 RECONCILE liabilities to customer statements and general ledger account.
 Physical controls
 Prepare a receiving report upon initial receipt of inventory
 Count and verify inventory quantities upon delivery to the inventory warehouse
 Restrict access to inventories by keeping them in a secured location

 Performance reviews
 Compare purchases data to data from previous years or expected purchases data

 Open purchase orders
 Unmatched receiving reports
 Unmatched vendor invoices
 Accounts (vouchers) payable trial balance
 Purchases journal
 Fixed asset reports
 Exhibit 8.3 Assertions about Classes of Transactions and Events for the Period:
Acquisition and Expenditure Cycle

 Exhibit 8.4 Direction of Tests
 Substantive Procedures
 Exhibit 8.5 Assertions about account balances at the period end and substantive
procedures: Acquisition and Expenditure Cycle
 The Completeness Assertion

 Search for Unrecorded Liabilities
 Inquire of client about their procedures
 Scan open purchase order file
 Examine all UNMATCHED VENDOR STATEMENTS/INVOICES
 Examine all UNMATCHED RECEIVING REPORTS occurring near year-end
 TRACE from unpaid VOUCHERS in A/P
 Confirm A/P with NORMAL SUPPLIERS (even those with zero balances)
 Review CASH DISBURSEMENTS occurring after year-end
 Purchase Cutoffs
 Verify CUT-OFFs for purchases
 Examine Receiving Reports and Vendor Sales Invoices occurring around year-end to
ensure inventory received is included in the appropriate period.

 Other Accounts in Cycle

 Prepaid Expenses
 Accrued Liabilities
 Expenses
 Inventory
 Property Plant and Equipment
 Exhibit 8.6 Account Analysis for Prepaid Expenses
 Accrued Liabilities
 Major differences between ACCRUED Liabilities and ACCOUNTS PAYABLE
 Examples include INTEREST, PROPERTY TAXES, WAGES, and INCOME TAXES
PAYABLE
 These payables are not normally INVOICED or EVIDENCED by the RECEIPT OF
GOODS
 These differences may make it more difficult to detect UNRECORDED ACCRUALS
 Auditing Accrued Liabilities and Prepaid Expenses

 Agree balances to PRIOR YEAR WORKPAPERS
 Verify PAYMENTS
 Examine UNDERLYING AGREEMENTS
 RECALCULATE amounts
 Agree EXPENSE ACCOUNTS to trial balance
 Search for UNRECORDED ACCRUALS
 Review CASH DISBURSEMENTS at year-end
 Look for expected accruals at other stages of the audit (BONDS, NOTES, employees
paid on 15th, etc.)
 ANALYTICAL PROCEDURES
 Income Taxes Payable

 Extremely complex area
 Usually requires tax specialist
 Vouch payments

 Examine correspondence with government agencies

 Follow standard for auditing estimates
 AUDITING PROPERTY, PLANT, AND EQUIPMENT

 GENERAL APPROACH
 Small number of transactions
 Relatively high dollar transactions
 Authorization of Transactions (Board of Directors) takes on added importance.
 Less concern for ACCESS to ASSETS
 More concerned with UNRECORDED DISPOSALS
 Agree balances to prior year documentation
 PURCHASES OF PP&E
 VOUCH to INVOICE or COST RECORDS
 Inspect TITLE
 VOUCH to BOARD MINUTES
 EXPENDITURES SUBSEQUENT TO ACQUISITION
 VOUCH to INVOICE and WORK DESCRIPTIONS
 Consider propriety of classification (EXPENSE or CAPITALIZE)
 DISPOSAL OF PP&E
 VOUCH from PP&E to BOD MINUTES
 Vouch to cash receipts journal and validated deposit slip
 Recalculate gain/loss
 TRACE from BOD MINUTES to PP&E for disposals (COMPLETENESS)
 Look for unrecorded disposals
 Agree balances to PRIOR YEAR WORKPAPERS
 Examine insurance policies, property tax records, etc.
 PHYSICALLY INSPECT or CONFIRM fixed assets
Both existing and newly-acquired items
Confirm assets LEASED to others under capital leases
 DEPRECIATION EXPENSE
 Recalculate using USEFUL LIFE, SALVAGE VALUE, COST, and METHOD
 Evaluate REASONABLENESS of USEFUL LIFE, SALVAGE VALUE, etc.
 Is depreciation consistent with COMPANY POLICY (half year conventions)?
 LEASE AGREEMENTS
 Verify proper treatment (Capitalized or Operating)
 Ensure disclosure in footnotes is appropriate

 Exhibit 8.7 Sample PP&E and Depreciation Documentation
 Auditing Cost and Expense Accounts

 Analytical procedures (e.g. sales commissions)
 Agree to related balance sheet account (depreciation)
 Substantive tests of transactions (e.g. purchases)
 Vouch detail (e.g. legal expense)
 Fraud Signs
I. Production Cycle
 Importance of Inventory
 Major component of current assets on the balance sheet.
 Significant effect on net income.
 Valuation is usually very subjective.
 Potential obsolescence
 Goods have not been sold, so marketability may be uncertain.

 Inherent Risks in Production Cycle

 Complexity (e.g. dollar value LIFO)
 Susceptibility to theft
 Lower-of-Cost-or-Market valuation
 Effects on gross profits
 Typical Activities
 Planning
 Production plan
 Production
 Bill of materials
 Requisitions
 Cost Accounting
 Standard costs
 Overhead allocation
 Exhibit 9.2 Production Cycle
 Production Cycle: Control Considerations

 Production runs are authorized.
 Raw Materials should be counted, and inspected
 As production is undertaken, materials and labor quantities should be summarized.
 Use of TRANSFER tickets
 Count/inspect the items and compare quantities

 The cost accounting department reviews

 Quantity of raw materials to materials requisition
 Quantity of direct labor to time sheets and labor distribution report
 Cost accounting applies overhead costs to production using OVERHEAD TICKETS
 Cost summary
 Production Cycle: Control Procedures

 Physical Controls
 Production Order and Materials Requisition.
 Physical inventories reconciled to perpetual inventory records.
 Restrict access to inventories
 Transfer Tickets
 Separation of Duties
 Authorization
 Recording
 Custody
 Reconciliation
 Performance Reviews
 Scrap reports
 Variance analysis
 Management Reports
 Sales Forecasts
 Inventory reports
 Items on hand
 Production plans and reports
 Test of Controls
 Observe separation of duties
 Vouch costs to labor and material reports
 Time tickets
 Receiving reports
 Transfer tickers
 Check proper authorizations
 Examine review of cost reports
 Substantive Procedures
 Observation of inventory count
 Tests of pricing and compilation
 Analytical procedures
 Physical Inventory Observation

 “…it will always be necessary for the auditor to make, or observe, some physical counts of
the inventory and apply appropriate tests of intervening transactions" (AU 331.12).
 May make test counts at a time other than year-end.
 test roll-forward.
 Review client instructions
 Stop flow of goods
 Make TEST COUNTS
 From INVENTORY LISTING

 From WAREHOUSE FLOOR

 Record some counts in working papers
 Client Count Instructions

 Names and dates
 Instructions for descriptions and counts
 Noting obsolete or worn items
 Tag control—compilation of counts
 Shutting down production
 Controlling movement
 Supervisory approval
 Making changes and corrections
 Exhibit 9.7 Inventory Count Sheet
 Listen to instructions provided to count teams

 Understand the use of control tags, count sheets, scanners, or RFID
 Be wary of "hollow squares" and "empty boxes”
 Tour shipping and receiving areas
 Watch for OBSOLETE and SLOW-MOVING inventory
 CONFIRM inventory on CONSIGNMENT and at other locations
 Consider the use of SPECIALISTS
 Confirm inventory in transit.

 Inventory Count and Measurement Challenges
 Pricing and Compilation Tests

 Valuation (Price Tests)
 VENDOR INVOICES
 COST FLOW ASSUMPTION (FIFO, LIFO, average, specific identification)
 LOWER OF COST OR MARKET for inventory
 Check Extensions and Footings.
 Agree to G/L
 Purchase Cutoffs
 Verify CUT-OFFs for purchases and sales
 Examine Receiving Reports and Vendor Sales Invoices occurring around year-end.
 Examine bills of lading and sales invoices
 Agree to inclusion/exclusion from inventory
 Analytic Procedures
 Verify REASONABLENESS of COGS
 Gross Profit Margin
 Compare to prior year, industry averages
 Verify REASONABLENESS of ending inventory
 Days Sales in Inventory
 Inventory Turnover
 Fraud Detection Procedures

 Focus on high-dollar items.
 Unpredictable counts.
 Be skeptical of large differences.
 Be alert for signs of damage, obsolescence or excess quantities.
 Ensure interplant transfers are kept to a minimum.

J. Finance and Investment Cycle
 INVESTING AND FINANCING CYCLE

 Concerned with transactions related to the use of the organization's funds (investing) and
sources of those funds (financing) other than operations.
 Accounts affected by investing and financial cycle transactions include investments in
securities; notes and bonds payable; and, stockholders' equity accounts
 Inherent Risks
 Lease Accounting
 Loan covenants
 Related party transactions
 Complex transactions
 Impairments
 Investment and Finance Activities

 Financial Planning
 Raise capital
 Operate business (all other cycles)
 Mergers and acquisitions
 Invest excess funds

 Exhibit 10.2 Finance and Investment Cycle
 Control Considerations
 Transactions authorized by BOARD OF DIRECTORS
 Documentation:
 Investments in securities: BROKER'S ADVICE
 Property, plant and equipment: VENDOR'S INVOICE (for purchased PPE) or
INTERNAL COST RECORDS (for manufactured PPE)
 Bonds and notes payable: Documentation from DEBTHOLDERS
 Stockholders' Equity: Documentation from REGISTRAR
 CASH RECEIPTS/DISBURSEMENTS JOURNALS
 Finance and Investment Cycle: Control Procedures

 Physical Controls
 Securities numbered and in the client's name
 Securities held by an independent custodian or in a secure location
 Access to safe-deposit box requires the presence of more than one employee
 Physical items periodically compared to detail records
 Cash receipts from Investing and Financing cycle transactions deposited intact and
daily
 Separation of Duties
 Transactions AUTHORIZED by the Board of Directors
 General Accounting RECORDS transactions
 A separate function or external custodian has CUSTODY
 Performance Reviews
 Compare current investing and cycle transaction data against prior-year data or

expected data
 Compare revenue and expenses against organization standards or expectations.
 CONTROL OVER ACCOUNTING ESTIMATES

 Communication of need for estimate
 Accumulate data
 Qualified personnel
 Review and approval
 Comparison to results
 Compare with plans
 SUBSTANTIVE TESTS–INTEREST-BEARING LIABILITIES

 Agree to BEGINNING BALANCE and CONFIRM with holders or makers.
 LOAN PROCEEDS
 VOUCH to cash receipts
 Recalculate Discount/Premium
 Confirm IBL, examine note
 LOAN PAYOFF
 Recalculate Interest Expense
 Recalculate Gain/Loss on Retirement
 Verify cash disbursements
 INTEREST-BEARING LIABILITIES
 INTEREST PAYMENTS
 Recalculate Interest Expense
 Search for UNRECORDED liabilities
 Inquiry of management
 Bank confirmations
 Unusual amounts of interest expense
 Large receipts of cash during the year
 Ensure DEBT COVENANTS are met.
 Inspect loan agreements.
 Consider GOING CONCERN implications if not met.
 Ensure proper presentation and disclosure.
 Exhibit 10.4 Audit Documentation

 AUDITING STOCKHOLDER'S EQUITY

 Overview of audit approach
 EXTERNAL PARTIES involved in record keeping
 Transactions must be authorized by the BOARD OF DIRECTORS
 Transactions must be consistent with the client's ARTICLES OF INCORPORATION
 PAID-IN CAPITAL
 Agree balances to prior year documentation
 Examine issuances and repurchases of capital stock
Verify distribution of proceeds between CAPITAL STOCK and ADDITIONAL PAID-
IN CAPITAL
Examine CASH RECEIPTS and CASH DISBURSEMENTS records
Determine that all transactions are RECORDED (TRACE from BOD minutes)
Verify that all transactions are PROPERLY AUTHORIZED
 RETAINED EARNINGS
 Agree beginning balance with prior year documentation
 Verify the appropriateness of prior-period adjustment treatment
 Trace net income/loss to INCOME STATEMENT
 Ensure that DIVIDENDS are properly authorized by BOARD OF DIRECTORS
 Auditing Investments: Substantive Procedures

 Agree balances to Prior Year Documentation
 Purchases of investments
 VOUCH to BROKER'S ADVICE (Statement)
 Examine BOARD MINUTES for authorization
 Sales of investments
 VOUCH to BROKER'S ADVICE, CASH RECEIPTS RECORDS, and BOARD
MINUTES
 Recalculate gain or loss on sale
 Read minutes for sales of Investments and trace to recording
 Determine MARKET VALUE (SFAS 115)
 Obtain 12/31 market price from Wall Street Journal or other sources
 Evaluate for possible PERMANENT DECLINES
 PHYSICALLY INSPECT or CONFIRM securities Verify Certificate Numbers to ensure that
there were no unrecorded sales and subsequent repurchases
 Made in company name
 Can inspect at interim, if safe-deposit box
 Verify DIVIDEND REVENUE
 Examine CASH RECEIPTS records
 Compare to external sources (Moody's, Standard & Poor's)
 Evaluate presentation in BALANCE SHEET (short-term vs. long-term asset)
 Trouble Spots in Audits of Investments

 Valuation of investments at cost, market, or value impairment that is other than temporary.
 Propriety, effectiveness, and risk disclosure of derivative securities used as a hedges
 Determination of the fair value of derivatives and securities, including valuation models and
the reasonableness of key assumptions.
 Determination of significant influence relationship for equity method investments.
 Derivative Investments, Hedging Activities, and Investments in Securities (SAS 92)

Inquiries about the nature of investments and the reasons for holding them, especially

hedging activities.
 The classification affects the accounting treatment of market values and the unrealized
gains and losses on investments.
 Due to the complexity of SFAS 133 (Accounting for Derivative Securities and Hedging
Activities), auditors may need special skills or knowledge to understand client hedging
transactions, to ensure that effective controls are in place to monitor them, and to audit the
transactions.
 Auditing Fair Value Measurements (SAS 101)

 Management’s responsibility.
 Market-based values preferred
 If not available—use assumptions market would have used.
 If not known—management can use their own assumptions
 if no contrary data
K. Completing the Audit
 Considerations in Completing the Audit
 Major Activities in Audit
 Activities Between End of Year and Audit Completion Date

 Revenue and expense accounts
 Attorney letters
 Management representations
 Subsequent events

 Audit documentation review
 Revenue and Expense Accounts

 Substantive procedures for related balance sheet accounts
 Analytical procedures
 Scan accounts for large and unusual entries
 Be aware of “miscellaneous,” “other,” and “clearing” accounts – “earnings
management”
 Procedures for Litigation, Claims, and Assessments

 Inquiry of clients
 Review minutes of meetings of stockholders, directors, and committees
 Review contracts, loan agreements, and correspondence from taxing and
governmental agencies
 Obtain information concerning guarantees from bank confirmations
 Review documentation related to legal services
 Attorney Letters: Responsibilities

 Auditors
 Initiate request for attorney letter
 Client
 Prepare listing, description, and evaluation of litigation, claims, and assessments
for letter
 Send letter to attorney including information related to litigation, claims, and
assessments
 Attorney
 Respond to auditors regarding client’s description of litigation, claims, and
assessments contained in attorney letter
 Attorney Letters: Contents

 Listing of pending litigation, claims, and assessments
 Description of each item or case included in the listing
 Evaluation of the likelihood of an unfavorable outcome
 Estimate of the range of potential loss
 Understanding regarding unasserted claims
 Management Representations
 Provided by management to auditors
 Dated using audit completion date
 Broad purpose
 Impress upon management its primary responsibility for the financial statements
 May establish auditors’ defense if a question related to inquiries subsequently
arises
 Qualify or disclaim an opinion if not provided by the client
 Required without regard to materiality:
 Management responsibility for the fairness of the financial statements
 Availability of all financial records and data
 Management responsibility for design and implementation of programs and
controls related to fraud
 Disclosure of significant deficiencies in internal control

 Information concerning fraud involving the client
 Representations Related to I/C

 If subject to requirements of AS 5
 Management has performed as assessment of I/C
 Management’s conclusion with respect to the operating effectiveness of its I/C
 No subsequent changes in I/C that significantly affect I/C
 No control deficiencies from prior engagements have not been properly resolved
 Adjusting Journal Entries

 Accumulate proposed entries on “score sheet”
 Consider pre tax and after tax effects
 Require adjustment for all material entries
 Require adjustment for proposed entries totaling a material amount
 Require adjustment for “qualitatively material” entries
 Recommend adjustment for all other items
 Evaluating Materiality
 Rollover method considers the current period income effect(s) of misstatements
 Iron curtain method considers the aggregate effect of the adjustments on the entity’s
balance sheet
 SAB 108 requires adjustments to be proposed if material under either approach
 Subsequent Period
 Procedures in Subsequent Period

 Review latest interim financial statements
 Inquire of officers and other executives
 Read minutes of meetings of shareholders, directors, and committees
 Obtain responses to attorney letters
 Obtain management representations
 Subsequent Events
 Type I
 Provide new information about conditions existing at balance sheet date
 Adjust financial statements to reflect new information
 Type II
 Involve events occurring after balance sheet date

 Disclose in financial statements

 Prepare pro forma financial statements
 When are Subsequent Events Identified?

 Prior to audit completion date
 Perform audit procedures and ensure proper disclosure
 Following audit completion date but prior to audit report release date
 Dual date audit report
 Following audit report release date
 “Subsequent discovery of facts”
 Audit Documentation Review

 Audit supervisor
 Have all steps in audit program been performed?
 Is referencing among documentation clear?
 Are explanations understandable?
 Audit manager and partner
 Is the overall scope of the audit adequate?
 Do overall conclusions support the opinion?
 Reviewing partner
 Are the quality of audit work and reporting consistent with quality standards of the
firm?

 Activities Following Audit Report Release Date
 Subsequent discovery of facts
 Omitted procedures
 Communication with audit committee (or those charged with governance)
 Management letters
 Subsequent Discovery of Facts

 Require disclosure of events if:
 Facts are reliable and existed at report date
 Facts affect financial statements and auditors’ reports
 Persons are continuing to rely on financial statements and auditors’ reports
 If client refuses disclosure, auditors should inform board that he or she will notify regulatory
agencies and others relying on the reports
 Omitted Procedures
 Perform procedures if:
 Omitted procedures are important
 Individuals are currently relying on financial statements and auditors’ reports
 If previous opinion can be supported, no further action necessary
 If previous opinion cannot be supported
 Withdraw the original report
 Issue revised reports
 Inform persons currently relying on the financial statements

 Communication with Individuals Charged with Governance
 Management Letters
 Not required under GAAS
 Are prepared as a by-product of procedures performed in audit
 Provide recommendations to client for improving effectiveness and efficiency of operations
 Delivered by auditors to client following audit engagement
 Summary of Audit Communications
L. Reports on Audited Financial Statements
 Reports Accompanying Financial Statements

 Prepared by Auditor
 Opinion on financial statements and related disclosures: Are they presented per
GAAP?
 Opinion on internal control over financial reporting: Is it effective?
 Prepared by Management
 Opinion on internal control over financial reporting: Is it effective?

 The Purpose of the Auditors’ Report

 Are F/S in conformity with GAAP?
 Provide indication of what the F/S would be like if GAAP were followed
 Provide any entity-omitted disclosures
 Any unusual aspects of the audit examination?
 Scope limitations
 Division of responsibility
 Any unusual matters related to the entity?
 Going-concern uncertainty
 Consistency
 Emphasis of a matter
 Types of Auditors’ Reports

 Standard report
 Expresses an unqualified opinion
 Unqualified opinion with modified wording
 F/S are in conformity with GAAP
 Difference between this and standard report is that additional matters are disclosed in
report
 Qualified opinion
 “Except for” some matter, F/S are in conformity with GAAP
 Adverse opinion
 F/S are not in conformity with GAAP
 Disclaimer of opinion
 No opinion is issued by auditors
 The Standard Report (Paragraphs)

 Introductory
 F/S and years examined
 Responsibility of auditors and management
 Scope
 Audit conducted in accordance with PCAOB standards
 Description of an audit (specific references to “test basis,” “materiality,” and “significant
estimates”)
 Audit provides reasonable assurance
 Opinion
 Are F/S presented in conformity with GAAP?
 Internal Control
 References examination, report, and opinion on internal control
 The Standard Report (Other Elements)

 Title includes the word “independent”
 Addressed to the client (normally, shareholders and board)
 Dated on the audit completion date
 Signed by the accounting firm

 Independent Auditors’ Report (AS 5)
 Reporting Options
 Separate reports on F/S and I/C
 Each of the reports would reference other report
 Combined report on F/S and I/C
 Reasons to Issue an Other than Standard Report

 Departure from GAAP
 Qualified or adverse opinion, depending upon materiality and pervasiveness.
 Unable to conduct the audit in accordance with GAAS (PCAOB Standards)
 Scope limitation: Qualified or disclaimer of opinion, depending upon materiality and
pervasiveness
 Auditors wish to bring matters to readers’ attention (unqualified with additional explanation)
 Consistency
 Going-concern uncertainty
 Rule 203 departures from GAAP
 Division of responsibility
 Emphasis of a matter
 GAAP Departures

 Qualified (“Except for ...”) Opinion

Issued when departure is material, yet not pervasive
Report Modifications:
Introductory and scope paragraphs remain the same
Add explanatory paragraph preceding the opinion paragraph explaining departure
and detailing $ amounts involved
Modify opinion paragraph (“In our opinion, except for the matter discussed in the
preceding paragraph,….”)
 Adverse Opinion
Issued when statements are “so lacking in fairness” that a qualified opinion would
be misleading (i.e., a serious, pervasive departure from GAAP).
o Report Modifications:
o Introductory and scope paragraphs remain the same
o Add explanatory paragraph preceding the opinion paragraph explaining the
departure and detailing $ amounts involved
o Change opinion paragraph (“financial statements do not present fairly”)
 Scope Limitation: Qualified (“Except for ...”) Opinion

Issued when scope limitations are material, but not pervasive
o Introductory paragraph remains the same
o Scope paragraph: “Except as discussed in the following paragraph [the scope
limitation], we conducted our audit…”
o Add explanatory paragraph preceding the opinion paragraph describing the
scope limitation
o Modify opinion paragraph (“In our opinion, except for”)
 Key is the inability of auditors to identify potential misstatements because
of the scope limitation, not the limitation itself
 Scope Limitation: Disclaimer of Opinion

Pervasive scope limitation, usually client-imposed
o Significance of the limitation is such that auditors cannot gather sufficient
appropriate evidence to form an opinion
o Introductory paragraph: (“We were engaged to audit ….”; omit auditors’
responsibility)
o Omit scope paragraph
o Add explanatory paragraph describing scope limitation
o Change opinion paragraph (“…we do not express an opinion….”)
May still issue opinion on internal control if no scope limitation on that examination
 Lack of Independence
Scenario: Auditors begin engagement but independence subsequently
compromised
Report
Single paragraph
Indicates auditors are not independent
Does not indicate why independence lacking

 Unqualified Opinion with Explanatory Language

Consistency
Going-Concern Uncertainties
Rule 203: Justified Departures from GAAP
Division of Responsibility
Emphasis of a matter
 Consistency
Relates to the changes in:
o Accounting principles (GAAP to GAAP)
o Form of reporting entity
o Accounting principles (non-GAAP to GAAP)
o Accounting principle inseparable from changes in estimates
o Presentation and definitions in Statement of Cash Flows
Add explanatory paragraph following the opinion paragraph
May issue a qualified opinion (GAAP departure) if:
o Change is not justified
o Change is not accounted for in conformity with GAAP
 Going-Concern Uncertainties
Auditors are responsible to evaluate whether substantial doubt exists about ability
of entity to continue in existence for one year beyond date of F/S
Options
o Add explanatory paragraph following opinion paragraph (still unqualified
opinion)
o If serious uncertainty, may issue disclaimer of opinion
o Modified language must include the words substantial doubt and going
concern
 Rule 203 Report

Rule 203 allows for unqualified opinions on F/S that are not in conformity with
GAAP if GAAP would be misleading
Add explanatory paragraph either preceding or following the opinion paragraph
 Division of Responsibility

 Reference to Other Auditors

 Principal auditors should
 Verify other auditors’ reputation and independence
 Communicate and coordinate with other auditors
 Options
 Take responsibility for work: Standard report
 Name other auditors
Present report of other auditors, only with their permission
 Refer to other auditors
Modify introductory, scope, and opinion paragraphs of report
Still express unqualified opinion
 Emphasis of a matter
 Call user attention to important matters
 Add explanatory paragraph after opinion paragraph discussing the matter
 Other Issues Affecting Auditors’ Report

 Association with unaudited F/S
 Comparative F/S
 Information accompanying F/S
 Condensed F/S
 “Other information”
 Quarterly and supplemental information
 Association with Unaudited F/S

 Auditors permit use of name in communication
 Issue disclaimer of opinion (one paragraph)
Do not mention auditing procedures performed
Must identify any known departures from GAAP in the report
Should cover all unaudited prior-years’ financial statements
 Comparative F/S
 Continuing Auditors
Update opinion by considering if previously-issued opinions still appropriate
If previously-issued opinions not appropriate, revise opinion in current report
 Predecessor auditors
With permission, successors may present reissued report on prior-years’ F/S along
with their report on current F/S
If predecessors’ report not presented, successors’ report must reference
predecessors’ report and opinion on prior-years’ F/S
 Information Accompanying F/S

 Types
Condensed F/S
“Other information” presented by management
Quarterly and Supplemental
 Determine whether information is inconsistent with F/S, misstated, or omitted
 Reporting
Issues with information do not affect opinion on F/S
Expand auditors’ report to discuss issues

 Reporting Summary
M. Additional Topics (see attached powerpoint presentation)
Learning Activities:
REVIEW QUESTIONS
1. What is the purpose of an IT audit?

2. Discuss the concept of independence within the context of a financial audit. How is
independence different for internal auditors?
3. What are the conceptual phases of an audit? How do they differ between general auditing and
IT auditing?
4. Distinguish between the internal and external auditors.
5. What are the four primary elements described in the definition of auditing?
6. Explain the concept of materiality.
7. How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for internal
controls?
8. What are the four broad objectives of internal control?
9. What are the four modifying assumptions that guide designers and auditors of internal control
systems?
10. Give an example of a preventive control.
11. Give an example of a detective control.
12. Give an example of a corrective control.
13. What is the objective of SAS No. 78?
14. What are the five internal control components described in the Statement on Auditing
Standards No. 78?
15. What are the four broad classes of control activities defined by SAS No. 78?
16. How do automated authorization procedures differ from manual authorization procedures?
17. Explain why certain duties that are deemed incompatible in a manual system may be combined
in an IT environment. Give an example.
18. Explain how the audit trail differs between a manual system and a computer system.
19. What risks do data consolidation in an IT environment pose?

20. Give some examples of independent verifications in an IT environment.

21. Differentiate between general and application controls. Give two examples of each.
22. Distinguish between tests of controls and substantive testing.
23. Define audit risk.
24. Distinguish between errors and irregularities. Which do you think concern auditors the most?
25. Distinguish between inherent risk and control risk. How do internal controls affect inherent risk
and control risk, if at all? What is the role of detection risk?
26. What is the relationship between tests of controls and substantive tests?
DISCUSSION QUESTIONS
1. Discuss the differences between the attest function and assurance services.
2. A CPA firm has many clients. For some of its clients, it relies very heavily on the work of the
internal auditors, while for others it does not. The amount of reliance affects the fees charged.
How can the CPA firm justify the apparent inconsistency of fees charged in a competitive
marketplace?
3. Accounting firms are very concerned that their employees have excellent communication skills,
both oral and written. Explain why this requirement is so important by giving examples of where
these skills would be necessary in each of the three phases of an audit.
4. Discuss how the process of obtaining IT audit evidence is inherently different than it is in a
manual system.
5. Explain the audit objectives of existence or occurrence, completeness, rights and obligations,
valuation or allocation, and presentation and disclosure.
6. How has the Foreign Corrupt Practices Act of 1977 had a significant impact on organization
management?
7. Discuss the concept of exposure and explain why firms may tolerate some exposure.
8. If detective controls signal errors, why shouldn’t they automatically make a correction to the
identified error? Why are separate corrective controls necessary?
9. Most accounting firms allow married employees to work for the firm. However, they do not allow
an employee to remain working for them if he or she marries an employee of one of their
auditing clients. Why do you think this policy exists?
10. Discuss whether a firm with fewer employees than there are incompatible tasks should rely
more heavily on general authority then specific authority.
11. An organization’s internal audit department is usually considered to be an effective control
mechanism for evaluating the organization’s internal structure. The Birch Company’s internal
auditing function reports directly to the controller. Comment on the effectiveness of this
organizational structure.
12. According to SAS No. 78, the proper segregation of functions is an effective internal control
procedure. Comment on the exposure (if any) caused by combining the tasks of paycheck
preparation and distribution to employees.
13. Explain whether authorizations are necessary in a computer environment.
14. Explain how an IT environment affects the segregation of functions.
15. Explain how an IT environment affects supervision.
16. Explain how an IT environment affects the firm’s obligation to maintain adequate accounting
records.
17. Explain how an IT environment affects access control.
18. Explain how an IT environment affects independent verification.
19. How has the Sarbanes-Oxley Act affected internal controls?

PROBLEMS
1. Audit Committee (CMA 6898 3-3)
Micro Dynamics, a developer of database software packages, is a publicly held company whose
stock is traded over the counter. The company recently received an enforcement release
proceeding through an SEC administrative law judge that cited the company for inadequate internal
controls. In response, Micro Dynamics has agreed to establish an internal audit function and
strengthen its audit committee.
A manager of the internal audit department has been hired as a result of the SEC enforcement
action to establish an internal audit function. In addition, the composition of the audit committee has
been changed to include all outside directors. Micro Dynamics has held its initial planning meeting
to discuss the roles of the various participants in the internal control and financial reporting process.
Participants at the meeting included the company president, the chief financial officer, a member of
the audit committee, a partner from Micro Dynamics’ external audit firm, and the newly appointed
manager of the internal audit department. Comments by the various meeting participants are
presented below.
President: “We want to ensure that Micro Dynamics complies with the SEC’s enforcement release,
and that we don’t find ourselves in this position again. The internal audit department should help to
strengthen our internal control system by correcting the problems. I would like your thoughts on the
proper reporting relationship for the manager of the internal audit
department.”
CFO: “I think the manager of the internal audit department should report to me since much of the
department’s work is related to financial issues. The audit committee should have oversight
responsibilities.”
Audit committee member: “I believe we should think through our roles more carefully. The
Treadway Commission has recommended that the audit committee play a more important role in
the financial reporting process; the duties of today’s audit committee have expanded beyond the
rubber-stamp approval. We need to have greater assurance that controls are in place and being
followed.”
External audit firm partner: “We need a close working relationship among all of our roles. The
internal audit department can play a significant role in monitoring the control systems on a
continuing basis and should have strong ties to your external audit firm.”
Internal audit department manager: “The internal audit department should be more involved in
operational auditing, but it also should play a significant monitoring role in the financial reporting
area.”
Required:
a. Describe the role of each of the following in the establishment, maintenance, and evaluation of
Micro Dynamics’ system of internal control.
i. Management
ii. Audit committee
iii. External auditor
iv. Internal audit department
b. Describe the responsibilities that Micro Dynamics’ audit committee has in the financial reporting
process.

2. Role of Internal Auditor (CMA 1290 4-Y8)

Leigh Industries has an internal audit department consisting of a director and four staff auditors.
The director of internal audit, Diane Bauer, reports to the corporate controller, who receives copies
of all internal audit reports. In addition, copies of all internal audit reports are sent to the audit
committee of the board of directors and the individual responsible for the area of activity being
audited.
In the past, the company’s external auditors have relied on the work of the internal audit
department to a substantial degree. However, in recent months, Bauer has become concerned that
the objectivity of the internal audit function is being affected by the nonaudit work being performed
by the department. This possible loss of objectivity could result in more extensive testing and
analysis by the external auditors. The percentage of nonaudit work performed by the internal
auditors has steadily increased to about 25 percent of the total hours worked. A sample of five
recent nonaudit activities follows.
• One of the internal auditors assisted in the preparation of policy statements on internal control.
These statements included such things as policies regarding sensitive payments and the
safeguarding of assets.
• Reconciling the bank statements of the corporation each month is a regular assignment of one
of the internal auditors. The corporate controller believes this strengthens the internal control
function because the internal auditor is not involved in either the receiptor the disbursement of
cash.
• The internal auditors are asked to review the annual budget each year for relevance and
reasonableness before the budget is approved. At the end of each month, the corporate
controller’s staff analyzes the variances from budget and prepares explanations of these
variances. These variances and explanations are then reviewed by the internal audit staff.
• One of the internal auditors has been involved in the design, installation, and initial operation of
a new computerized inventory system. The auditor was primarily concerned with the design
and implementation of internal accounting controls and conducted the evaluation of these
controls during the test runs.
• The internal auditors are sometimes asked to make the accounting entries for complex
transactions as the employees in the accounting department are not adequately trained to
handle such transactions. The corporate controller believes this gives an added measure of
assurance to the accurate recording of these transactions.
Required:
a. Define objectivity as it relates to the internal audit function.
b. For each of the five nonaudit activities presented, explain whether the objectivity of Leigh
Industries’ internal audit department has been materially impaired. Consider each situation
independently.
c. The director of internal audit reports directly to the corporate controller. Does this reporting
relationship affect the objectivity of the internal audit department? Explain your answer.
d. Would your evaluation of the five situations in Question b change if the director of internal audit
reported to the audit committee of the board of directors? Explain you answer.
Post Test:
Completion Questions
Fill in the blank spaces with the word or words that complete the statement.

1. The _____________________________ standards are a general set of standards to guide attestation

engagements in areas other than audits of financial statements.
2. Audits of historical financial statements are guided by a broad set of principles referred to as
_____________________________ _____________________________
_____________________________ _____________________________.
3. Attestation reporting is different because attestation engagements related to nonfinancial information do not
require information to be presented in accordance with
_____________________________ _____________________________
_____________________________ _____________________________.
4. The AICPA’s generally accepted auditing standards are classified in three categories:
_____________________________ standards, standards of _____________________________
_____________________________, and standards of _____________________________.
5. A(n) _____________________________ _____________________________ is a list of auditing procedures that

will be performed during the engagement to gather sufficient appropriate evidence.
6. The first general standard of the GAAS relates to the _____________________________ and
_____________________________ of auditors.
7. The three aspects of practical independence are _____________________________ independence,

_____________________________ independence, and _____________________________ independence.
8. The concept of independence in fact indicates that auditors are expected to be

_____________________________ and __________________________ with respect to the financial statements
they audit.
9. The exercise of _____________________________ _____________________________

_____________________________ requires auditors to observe the standards of field work and standards of
reporting.
10. Since audit samples are used, audit evidence is considered to be _____________________________,
rather than _____________________________.
11. The auditors’ report must state whether the financial statements are presented in accordance with
_____________________________ _____________________________
_____________________________ _____________________________.
12. Under the third standard of reporting, if _____________________________ _____________________________

are not adequate, the auditor must so state in the opinion on the financial statements.
13. The report will contain either an expression of _____________________________ regarding the financial
statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed.
14. An overall opinion that the financial statements present the financial condition, results of operations, and cash
flows according to generally accepted accounting principles is a(n)
_____________________________ opinion.
15. If a material departure from GAAP is noted, auditors can choose between a(n)
_____________________________ opinion or a(n) _____________________________ opinion.
16. Auditors’ indication that no opinion is given is referred to as a(n)

_____________________________ _____________________________
_____________________________.
17. The _____________________________ paragraph of the auditors’ report declares that the audit was conducted
in accordance with generally accepted _____________________________ _____________________________.

18. A(n) _____________________________ _____________________________ is a study of an accounting firm’s

quality control policies and procedures, followed by a report on the firm’s quality of audit practice in accordance
with the quality control standards.
19. The _____________________________ _____________________________ Act of 2002 created the Public

Company Accounting Oversight Board (PCAOB).
20. The PCAOB has two primary roles: _____________________________ and _____________________________.
Multiple Choice Questions

Select the best answer for each of the following questions and enter the appropriate letter in the space provided.
___ 1. The attestation standards are a general set of standards intended to guide work in
a. audits of financial statements.
b. financial forecasts and prospective financial information.
c. areas other than audits of financial statements.
d. understanding internal control.
___ 2. Statements on Auditing Standards (SASs) are considered to be

a. specialized to obtain evidence to render an opinion.
b. interpretations of the 10 generally accepted auditing standards.
c. standards for preparation of financial statements.
d. standards to govern the quality of a firm’s audit practice.
___ 3. Which of the following is not the subject of one of the GAAS standards of field work?
a. Risk of material misstatement
b. Planning and supervision
c. Sufficient, appropriate evidential matter
d. Due professional care
___ 4. Which of the following statements is true for attestation standards, but not for generally accepted auditing
standards?
a. The engagement shall be performed by a practitioner or practitioners having adequate knowledge in the
subject matter of the assertions.
b. The work shall be adequately planned and assistants, if any, are to be properly supervised.
c. Due professional care shall be exercised.
d. A sufficient understanding of the internal control is to be obtained.
___ 5. The quality control of personnel management includes which of the following?
a. Supervision appropriate for the competencies of the personnel assigned to the work is important.
b. Professional development continuing education should be provided so that personnel will have the
knowledge required to enable them to fulfill their responsibilities.
c. People at all organizational levels must maintain independence in fact and appearance.
d. When accepting and continuing client relationships, firms should consider their own competence.
___ 6. Which of the following is not an implicit message in the opinion paragraph in the auditors’ unqualified opinion?
a. The accounting principles in the financial statements have general acceptance.
b. The accounting principles used by the entity are appropriate in the circumstances.
c. The audit was performed in accordance with generally accepted auditing standards.
d. The financial statements are accurate within practical materiality limits.
___ 7. Auditors’ opinions on statements “taken as a whole” would not include

a. disclaimers of opinion.
b. adverse opinions.
c. qualified opinions.
d. unqualified opinions.
___ 8. The opinion paragraph of the auditors’ standard report includes a statement that

a. the financial statements are the responsibility of management.

b. the audit was conducted in accordance with generally accepted auditing standards.
c. the audit provides a reasonable basis for an opinion.
d. the financial statements are presented in conformity with generally accepted accounting principles.
___ 9. The auditors’ standard report should be dated with the date
a. the report was delivered to the client.
b. when all significant procedures have been completed and auditors have gathered sufficient appropriate
evidence.
c. when the client’s fiscal year ended.
d. when the audit was completely reviewed by supervisory personnel.
___ 10. To ensure that an accounting firm is providing services that conform to professional standards, the firm should
follow
a. generally accepted auditing standards (GAAS).
b. quality control standards.
c. generally accepted accounting principles
d. international auditing standards.
Problems
Using I (introductory), S (scope), O (opinion), A (additional), or N (none), indicate the paragraph in which the following
statements or topics would be included in the auditors’ report.
___ 1. The titles of the financial statements examined by the auditors.
___ 2. A description of any scope limitation(s) encountered during the audit.
___ 3. A statement that auditors were independent with respect to the entity.
___ 4. The auditors’ conclusion with respect to the fairness of the entity’s financial statements.
___ 5. A statement that an audit was conducted in accordance with generally accepted auditing standards.
___ 6. A statement that the entity’s management is responsible for the fairness of the financial statements.
___ 7. A description of an audit, which includes examining evidence in support of the financial statements.
___ 8. Reference to generally accepted accounting principles.
___ 9. A description of any specific departures from GAAP noted during the audit that were material.
___ 10. A statement that the financial statements were consistently prepared compared to those of prior period(s).

PDF

Uploaded by

Copyright:

Available Formats

PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PDF

Uploaded by

Copyright:

Available Formats

Auditing in CIS Environment 1

Module 1 – Auditing in CIS Environment

Upon completion of this module, you should be able to:

True or False Questions

___ 1. Auditors may be independent in fact but not independent in appearance.

___ 8. Auditing procedures are the same as auditing standards.

SCHOOL OF BUSINESS AND ACCOUNTANCY

___ 19. Evidence is appropriate when it is both valid and relevant.

A. Auditing and Assurance Services

User Demand for Reliable Information

SCHOOL OF BUSINESS AND ACCOUNTANCY

Overview of Financial Statement Auditing

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding

Financial statements GAAP

SCHOOL OF BUSINESS AND ACCOUNTANCY

The Relationships Among Auditing, Attestation, and Assurance Engagements

SCHOOL OF BUSINESS AND ACCOUNTANCY

Sarbanes-Oxley Act of 2002

PCAOB Management Assertions

Management Assertions (SAS 106)

 Occurrence – Events giving rise to transactions have taken place

SCHOOL OF BUSINESS AND ACCOUNTANCY

 Existence – Balances include only assets exist

- Presentation and Disclosure Assertions

SCHOOL OF BUSINESS AND ACCOUNTANCY

The Public Accounting Profession

SCHOOL OF BUSINESS AND ACCOUNTANCY

Prohibited Services to Audit Clients

1. bookkeeping and related services

SCHOOL OF BUSINESS AND ACCOUNTANCY

SCHOOL OF BUSINESS AND ACCOUNTANCY

Generally Accepted Auditing Standards

Engagement Overview and GAAS

SCHOOL OF BUSINESS AND ACCOUNTANCY

 Observe standards of field work and standards of reporting.

1. Planning and supervision

SCHOOL OF BUSINESS AND ACCOUNTANCY

3. Are disclosures adequate (implicit reporting)?

Types of Audit Opinions

SCHOOL OF BUSINESS AND ACCOUNTANCY

Financial Statements: Errors, Frauds and Illegal Acts

SCHOOL OF BUSINESS AND ACCOUNTANCY

Overview of Auditors’ and Other Professionals’ Responsibilities

Exhibit 3.2 Considering the Risk of Fraud (SAS 99)

 Step 1: Audit team discussion (“brainstorming”)

SCHOOL OF BUSINESS AND ACCOUNTANCY

 Discussions should be ongoing throughout the engagement

 Step 2: Obtain Information to Identify Risks

 Step 3a: Identify Risk Factors Related to Fraudulent Financial Reporting

 Risk Factors: Management’s Characteristics and Influence

 Risk Factors: Industry conditions

 Risk Factors: Operating Characteristics

SCHOOL OF BUSINESS AND ACCOUNTANCY

 Step 3b: Assess Fraud Risks

 Required Risk Assessments

 Step 4: Respond to Assessed Risks

 Step 5: Evaluate Audit Evidence

 Step 6: Communicate Fraud Matters

SCHOOL OF BUSINESS AND ACCOUNTANCY