Control and Audit
Audit Process
Client Acceptance
- Read the client’s annual report, consider the need for specific
expertise or a specialist, and make sure that the auditor is
independent.
- Speak with the predecessor auditor about the integrity of the
client’s management.
- The relationship between the auditor and the client is
formalized through a written contract called the engagement
letter.
o 1. States the objectives (e.g., to perform an audit)
o 2. Defines management’s responsibilities (management is
responsible for the financial statements, not the auditor)
o 3. Defines the auditor’s responsibilities
o 4. Lists the limitations of the engagement (e.g., the auditor
cannot provide a guarantee or absolute assurance, but can
only provide reasonable assurance that the financial
statements are free from material misstatement)
o 5. Lists any additional services the auditor will provide
Engagement Planning
Risk Assessment
Substantive Procedures/Evidence Gathering
Reporting
OPINION
• An unqualified opinion, or clean opinion - the financial statements
are free of material misstatements.
• A qualified opinion - the financial statements are free of material
misstatements, except for a single issue of improper accounting or a
single issue in which the scope of the audit was limited.
- Issued when departure is material, yet not pervasive
- Add paragraph preceding the opinion paragraph explaining
departure and detailing $ amounts involved
- Modify opinion paragraph (“In our opinion, except for the
matter discussed in the preceding paragraph,….”)
• An adverse opinion - the financial statements do contain material
misstatements.
- Issued when F/S do not present fairly according to GAAP (i.e.,
a serious, pervasive departure from GAAP).
- Add paragraph preceding the opinion paragraph explaining the
departure and detailing $ amounts involved
- Change opinion paragraph (“financial statements do not present
fairly”)
• Finally, a disclaimer of opinion - the auditor cannot provide an
opinion as to whether the financial statements are fairly presented (the
independence of the auditor has been compromised, the scope of the
audit has been severely limited, or there are significant uncertainties
surrounding the company's financial statements).
Professional skepticism
• Refers to an auditor’s questioning mindset (or attitude) towards
representations made by management and evidential matter gathered
• Inquiry alone is never enough. The auditor must obtain sufficient
corroborative evidence.
• Unusual financial trends need investigation
• Documents are always checked for authenticity or possible
alteration
• Ask questions, get answers, then verify the answers.
• Must be skeptical because a potential conflict of interest always
exists between the auditor and the client.
- Process
o Clarify the issues and objectives
o Consider the possible alternatives
o Gather and evaluate the relevant evidence
o Reach an audit conclusion
o Carefully document rationale for the professional
judgment reached
Detection risk (DR) is the risk that a material misstatement would not
be caught by audit procedures
ARM Concepts
• The auditor cannot affect inherent risk or control risk. The auditor can
only ASSESS them.
• The auditor can only affect detection risk, generally by examining
more evidence.
• Detection risk is inversely related to control risk and inherent risk.
• Detection risk is inversely related to competence and reliability of
evidence.
Performance Principle
(Affects the conduct of an audit)
Goal is to provide reasonable assurance that financial statements do
not contain material misstatements
1. Planning and supervision
– Preparation of audit plan
2. Materiality
– Influences decisions of financial statement users
– Considered throughout the audit
3. Risk assessment
– Understand entity and environment (including I/C)
– Assess risk of material misstatement
– Determine necessary effectiveness of substantive procedures
4. Audit evidence
– Sufficient = quantity (How many transactions or components?)
– Appropriate = quality (What level of reliability needed? Source?)
Internal Control
A process, effected by an entity's board of directors, management, and
other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:
(1) Reliability of financial reporting,
(2) Effectiveness and efficiency of operations,
(3) Compliance with applicable laws and regulations.
• Control Activities
• The policies and procedures that help ensure management
directives are carried out.
– Performance reviews
– Separation of duties
– Physical controls over the security of assets
– Information Processing
• Approvals and authorization
• Verifications and reconciliations
• Monitoring
• Management’s process that assesses the quality of the internal
control's performance over time.
– Periodic evaluation by internal auditing
– Supervisory review of controls
– Follow-up of reporting errors
– Follow-up of customer complaints
– Audit committee inquiries
• Monitoring Principles
– Ongoing and separate evaluations
– Reporting deficiencies
• Information and Communication
• The identification, capture, and exchange of information in the
form that enables people to carry out their responsibilities
• Must understand the information systems that are relevant to
financial reporting
• Information systems produce a trail of activities from data
identification to financial reports. This is known as the “audit
trail”.
Evidence-gathering techniques:
Inquiry of client personnel
Observation
Inspection (examination of documents)
Reperformance (recalculation)
3 Audit Tests
- Risk Assessment test – understanding the risk of material
misstatements
o Inquiries of Management
o Observation
o Inspection
o Analytical Procedures
- Test of Controls – Assess the effectiveness of the client’s internal
controls / assess control risk
o Inquiry of client personnel: The least effective in terms of
evidence. Ask questions
o Reperforming the control
o Inspection of documents indicating whether the control was
applied
o Observing the control being applied
- Substantive Procedures – detect material misstatements
o Test of details
▪ Tests of transactions: Purchase recorded in the journal
entries
▪ Tests of ending balances: Confirmation of the Account
Receivable ending balance amount
o Substantive Analytical Procedures
▪ Analyzing trends and relationships for financial and
non-financial data
o (1) inquiry - Interview the client, obtain written representation,
ask client personnel about accounting events, complete an
internal control questionnaire
o (2) confirmation - Obtain a representation from a 3rd party,
obtain accounts receivable confirmations, obtain client’s
lawyer’s letter.
o (3) inspection of records or documents (vouching and
tracing)
▪ Tracing is from the source document to the ledger or
journal. This tests completeness (e.g., was the sale
recorded?). Forward movement.
▪ Vouching is from the ledger or the journal to the
source document. This tests existence or occurrence (e.g.,
did the sale actually occur?). Backward movement.
o (4) inspection of tangible assets - Verify the existence of PPE
and inventory by locating them.
o (5) observation - Watch the client performing an activity
(counting the inventory).
o (6) recalculation - Check the mathematical accuracy of
depreciation, bad debt expense, interest expense, etc.
o (7) reperformance - Broader than recalculation:
reperforming any client procedure (aging accounts receivable
by due date, for example)
o (8) analytical procedures - Study of relationships among
financial and nonfinancial data
▪ Evaluate the plausibility of financial information (compare
current gross profit to last year’s gross profit or competing
firms’ gross profit).
▪ Compare financial information with budgets and forecasts.
Study predictable financial information patterns (e.g., ratio
analysis).
▪ Compare financial information to industry statistics.
▪ Study financial information in relation to nonfinancial
information.
o (9) scanning - Searching for unusual items to investigate (Why
are expense accounts credited?)
Issues in IT environment
1. Input errors
2. Systematic vs. random processing errors
3. Lack of an audit trail
4. Inappropriate access to computer files and programs
5. Reduced human involvement in processing transactions
Automated Transaction Processing on the Evaluation of IT
Controls
Types of Computer Controls
General Controls
o Relate to all applications of an accounting
information system (pervasive)
o Deficiencies will affect processing of various types
of transactions
o Categories
▪ 1. Program development controls (Examine
documentation related to development of
programs)
• Acquisition and development of new
programs is properly authorized and
conducted in accordance with policies
• Appropriate users participate in process
• Programs and software are tested and
validated prior to use
• Programs and software have appropriate
documentation
▪ 2. Program change controls (Examine
documentation related to authorization
procedures for program changes and the
implementation)
• Modifications to existing programs are
properly authorized and conducted in
accordance with policies
• Appropriate users participate in process
• Programs are tested and validated prior to
use
• Programs have appropriate documentation
• Additional controls related to
“emergency” change requests and migrating
new programs into operations
▪ 3. Computer operations controls (Observe
separation of duties & Examine documentary
evidence regarding use of backup and file
reconstruction techniques)
• Relate to processing of transactions and
backup and recovery of data
o Methods of resolving processing
failures
• Processing environments
o Batch processing: Similar
transactions collected and processed
simultaneously
o Real-time processing: Transactions
processed as they occur without delay
• Labels to ensure use of appropriate file
• Storage in remote, protected locations
(disaster recovery)
• Grandfather-father-son backup is a
common rotation scheme for backup data,
in which there are three or more backup
cycles, such as daily, weekly and monthly.
▪ 4. Access to programs and data controls
(Examine documentary evidence related to
authorization procedures for accessing
programs & Observe use of password to access
programs and data)
• Relate to restricting use of programs and
data to authorized users
o Passwords
o Automatic terminal logoff
o Review access rights and compare to
usage (through logs)
o Report and communicate security
breaches
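A sketch of the last two access-control checks above (comparing access rights to logged usage and reporting the exceptions), added here as an illustration and not part of the original notes. The log layout, user and application names, review date and 90-day dormancy threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the notes): granted rights as
# (user, application) pairs, and log lines "timestamp user application result".
ACCESS_RIGHTS = {
    ("asmith", "general_ledger"), ("asmith", "payroll"),
    ("bjones", "accounts_payable"), ("cdavis", "general_ledger"),
}
ACCESS_LOG = """\
2024-03-01T09:12:00 asmith general_ledger ALLOW
2024-03-04T14:30:00 bjones accounts_payable ALLOW
2024-03-05T08:01:00 bjones payroll ALLOW
2024-03-05T08:02:00 dlee general_ledger DENY
2023-11-20T10:00:00 cdavis general_ledger ALLOW
garbled line
"""
AS_OF = datetime(2024, 3, 31)  # constructed review date


def review_access(rights, log_text, as_of, dormant_days=90):
    """Reconcile granted rights with logged usage and return the exceptions."""
    cutoff = as_of - timedelta(days=dormant_days)
    last_use = {}  # (user, app) -> most recent successful access
    without_right, denied, unparsed = set(), [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            user, app, result = parts[1], parts[2], parts[3]
        except (IndexError, ValueError):
            unparsed.append(line)  # a gap in the audit trail is itself a finding
            continue
        if result != "ALLOW":
            denied.append((user, app, ts.isoformat()))  # refused attempts
            continue
        key = (user, app)
        last_use[key] = max(ts, last_use.get(key, ts))
        if key not in rights:
            without_right.add(key)  # usage with no matching authorization
    # Rights never exercised, or not exercised since the cutoff, are
    # candidates for removal at the next access review.
    unused = sorted(r for r in rights if last_use.get(r, datetime.min) < cutoff)
    return {
        "unused_rights": unused,
        "use_without_right": sorted(without_right),
        "denied_attempts": denied,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for finding, items in review_access(ACCESS_RIGHTS, ACCESS_LOG, AS_OF).items():
        print(finding, items)
```

Each of the four result lists maps to a different follow-up: unused rights go to the access review, usage without a recorded right and denied attempts go to security reporting, and unparsed lines point to a weakness in the audit trail itself.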
Written Representations
• Impress upon management its primary responsibility for the
financial statements. May establish auditors’ defense if a question
related to inquiries subsequently arises
• Provided by management to auditors
• Dated using date of auditors’ reports (audit completion date)
• Qualify or disclaim an opinion if not provided by the client
• Content
o Information related to financial statements
▪ Management’s responsibility for F/S and internal
control over financial reporting
▪ Appropriate disclosure, presentation, and
reasonableness of items
▪ Statement that uncorrected misstatements are
immaterial
o Information provided to auditors by management
o Internal control over financial reporting (for public entities)
Going Concern - Auditors are required to consider whether evidence
obtained during the audit raises questions about the entity's ability to
continue as a going concern.
- If concerns exist, evaluate management’s plans to mitigate
o If concerns do not remain: No effect on report or
financial statements
o If concerns remain: Disclose in F/S and modify
auditors’ report
Audit Documentation Review
• Audit supervisor
o Have all steps in audit plan been performed?
o Is referencing among documentation clear?
o Are explanations understandable?
• Audit manager and partner
o Is the overall scope of the audit adequate?
o Do overall conclusions support the opinion?
• Reviewing partner
o Is the quality of audit work and reporting consistent with
quality standards of the firm?
o Engagement quality review
Subsequent Events
• Procedures
o Obtain understanding of procedures management
performs to identify subsequent events
o Inquire of management and those charged with
governance
o Read minutes of meetings of owners, management, and
those charged with governance
o Review entity’s interim financial statements
• Types
o Provide new information about conditions existing at date of
the financial statements = Adjust financial statements to
reflect new information
o Involve events that arose following the date of the financial
statements = Disclose in financial statements
• Actions
o If discovered prior to audit report release date, perform
procedures related to items
▪ Revise date of auditors’ reports to reflect new
completion date
▪ Dual date auditors’ reports
o Following audit report release date: If facts would result in
revision of auditors’ report or F/S and individuals are relying
on F/S
▪ Notify individuals relying on F/S
▪ Issue revised F/S which provide disclosure of fact
Management letters
• Not required under GAAS
• Are prepared as a by-product of procedures performed in audit
• Provide recommendations to client for improving effectiveness
and efficiency of operations
• Delivered by auditors to client following audit engagement
Departures from GAAP
Qualified opinion – when the departure is material but not pervasive
- Add paragraph preceding the opinion paragraph explaining
departure and detailing $ amounts involved
- Modify opinion paragraph (“In our opinion, except for the
matter discussed in the preceding paragraph”)
Adverse opinion – when the departure is material and pervasive
• Add paragraph preceding the opinion paragraph explaining the
departure and detailing $ amounts involved
• Change opinion paragraph (“financial statements do not present
fairly”)
Scope Limitations
• Type
o Circumstances Imposed
▪ Situation in which matters beyond auditors’ and
client’s control limit procedures performed by auditors
o Client Imposed
▪ Situation in which client specifically limits auditors’
procedures
• Opinion
o Qualified Opinion
▪ Issued when scope limitations are material, but not
pervasive
▪ Add paragraph preceding the opinion paragraph
describing the scope limitation
▪ Modify opinion paragraph (“In our opinion, except for”)
o Disclaimer of Opinion
▪ Pervasive scope limitation, usually client-imposed
▪ Significance of the limitation is such that auditors
cannot gather sufficient appropriate evidence to form
an opinion
▪ Introductory paragraph: (“We were engaged to audit
….”)
▪ Modify Auditor’s Responsibility section:
• Note that auditors were not able to obtain
sufficient appropriate evidence
• Delete paragraphs describing an audit and
indicating that the audit provides a basis for the
opinion
▪ Add paragraph preceding the opinion paragraph
describing the scope limitation
▪ Modify opinion paragraph (“…we do not express an
opinion….”)
Audit of Group Financial Statements
• Group financial statements: Financial statements comprised of
more than one division/subsidiary/segment/component
• Group auditors: Conduct audit of material portion of the entity
• Component auditors: May be engaged by group auditors to audit
divisions, subsidiaries, or components
• Effect on report
o Group auditors should
▪ Verify component auditors’ reputation and
independence
▪ Communicate and coordinate with component
auditors
o Options
▪ Take responsibility for work: Standard (unmodified)
report
▪ Name component auditors
• Present report of component auditors, only with
their permission
▪ Refer to component auditors
• Modify Auditor’s Responsibility section
• Modify opinion paragraph
• Still express unqualified opinion, if appropriate
Other matters
• Issue unqualified opinion but add paragraph to report to discuss
the matter
o Emphasis-of-matter paragraphs provide information related
to users’ understanding of F/S
o Other-matter paragraphs provide information related to
users’ understanding of audit, auditors’ responsibility, or
auditors’ report
• Situations
o Consistency
▪ Relates to Change in accounting principles &
Adjustments to correct misstatements in previously
issued F/S
▪ Effects
• Add emphasis-of-matter paragraph following the
opinion paragraph
• May issue a qualified opinion (GAAP departure)
if:
o Change is not justified
o Change is not accounted for in accordance
with GAAP
o Going-concern
▪ Auditors are responsible to evaluate whether
substantial doubt exists about ability of entity to
continue in existence for one year beyond date of F/S
▪ Options
• Add emphasis-of-matter paragraph following
opinion paragraph (still unmodified opinion)
• If serious uncertainty, may issue disclaimer of
opinion
• Modified language must include the words
substantial doubt and going concern
o Emphasis of a matter
▪ Call user attention to important matters
▪ Add emphasis-of-matter paragraph after opinion
paragraph discussing the matter